Going where no man has gone before!
These slides represent the work and opinions of the author and do not constitute official positions of any organization sponsoring the author’s work. This material has not been peer reviewed and is presented here with the permission of the author. The author assumes no liability for any content or opinion expressed in this presentation and/or use of content herein.
Developer (not system manager)
◦ Quite a big difference
Accidentally ended up in our NOC
◦ Hated BB
The birth of NSClient++ 2003
◦ NSClient sucked (Broke Exchange)
◦ NRPE_NT was too hard to use
The open source of NSClient++ 2004
◦ “just for fun”
The rebirth of NSClient++ 2007
◦ A lot of users emailed me
◦ Got a lot of hits on the webpage
◦ Intense development led to 0.3.0!
The cleaning up of NSClient++ 2009
◦ This year I have spent a lot of time polishing things
About NSClient++
Installing
The Basics
◦ Using
◦ Configuring
◦ Checking
Using from Nagios
◦ check_nt
◦ check_nrpe
◦ NSCA
The not so basics
◦ (depending on time and wishes we will cover…)
◦ Eventlog
◦ Scripting
◦ WMI
◦ <feel free to add your request here>
(no) handouts
USB contains:
◦ nscp
   NSClient++ Installers (0.3.7)
◦ scripts
   Some sample scripts from a scripting workshop I did (and might do)
◦ toys
   Tools and help utilities
◦ copy-files
   Text files with samples and such you can copy from
What is NSClient++
The idea behind NSClient++ (and my philosophy in life)
◦ Don’t force other people to do something
This means:
◦ NSClient++ is flexible
◦ NSClient++ is pluggable
◦ NSClient++ is extensible
◦ NSClient++ is hard to use!
And in other words:
◦ There is always more than one way to skin a cat
Runs on Windows
◦ Windows NT4
◦ Windows 2000
◦ Windows XP
◦ Windows Vista
◦ …
◦ Windows 2008 (issues with the installer)
And;
◦ Win32 (x86)
◦ EMT64/AMD64 (x64)
◦ IA64 (but no binaries)
◦ Quite possibly a virtual machine on your beowulf cluster…
Documentation!
New features:
◦ Argument support to NRPE Client
◦ Run checks from command line
Improved installer
◦ Works on w2k8
◦ "firewall exception"
   Warning: ticking this requires a firewall! ☺
◦ "service tick-box"
Fixed issues with:
◦ "socket data buffer" (various things)
◦ CheckExternalScripts and script_dir
◦ CheckFile and paths
◦ NSCA
◦ CheckWMI
Added:
◦ new options to NSCA module
◦ support for changing name and description from command line
◦ Filter operators to all numeric filters eq:, ne:, gt:, lt:
◦ Support for numerical hit matching in the eventlog module
◦ Support for 16bit to checkProcState.
◦ New module A_DebugLogMetrics.dll to generate debug info (leaks)
Improvements:
◦ Installer!
◦ A lot of bugfixes and improvements
◦ Serious memory leak fixed
◦ CheckFile2 (new option max-dir-depth, path, pattern)
◦ CheckProcState code and it is not a lot better.
◦ build environment based upon boost build!!!
◦ /about now shows a lot of useful(?) info.
Unfeatures
◦ Broke the CheckFile* commands
Installing NSClient++
Download the MSI
Run the installer
And you are done (sort of)
For the more advanced users;
◦ The MSI can be customized and repackaged
◦ Split configuration;
   nsc.ini: don’t touch (but add an include section)
   <your company>.ini: company specific configuration
   custom.ini: computer specific configuration (i.e. edit this one)
Experimental
Will not always work
Can “sort of” be used to upgrade
BUT only copies the settings mentioned
Generally nothing I would use
Basics of NSClient++
There is no GUI, no systray, no nothing.
It is a command line application!
Test mode:
◦ Start like so:
   nsclient++ /test
◦ Exit like so:
   exit
◦ Use like so:
   CheckCPU warn=80 crit=90 time=20m time=10s time=4
Daemon (service)
◦ Start like so:
   nsclient++ /start
◦ Exit like so:
   nsclient++ /stop
◦ Install
   nsclient++ /install
◦ Uninstall
   nsclient++ /uninstall
Other Commands:
◦ nsclient++ /about
   Show information about NSClient++ modules and compile environment
◦ nsclient++ [-noboot] <ModuleName> <command>
   Run commands from modules:
   NSClient++ -noboot CheckSystem debugpdh
   NSClient++ -noboot CheckSystem listpdh
   NSClient++ -noboot NRPEClient -H 192.168.0.1 -p 5666 -c check_something
starting/stopping/testing
nsclient++ /test
◦ Type exit to exit…
nsclient++ /help
nsclient++ /about (this is important)
nsclient++ /start
nsclient++ /stop
nsclient++ /help (not really updated)
nsclient++ /install
nsclient++ /uninstall
Try running a command in /test mode:
◦ CheckCPU warn=80 crit=90 time=20m time=10s time=4
Configuration
Yes, I know it is 2009 (2010 almost)
Yes, I know XML is popular
But INI files are still cool!
◦ But don’t worry, next version will support:
   INI
   extended INI
   Registry
   Xml
   (lua?)
   <roll your own>
You can put the configuration in the registry
◦ since 0.3.x
◦ (but it is sort of not supported)
Protocols
◦ NRPE (check_nrpe)
◦ NSClient (check_nt)
◦ NSCA (NSCA)
Check
◦ CheckXXX
Utility
◦ Logging, debugging, etc
[modules]
;# NSCLIENT++ MODULES
;# A list with DLLs to load at startup.
; You will need to enable some of these for NSClient++ to work.
FileLogger.dll
CheckSystem.dll
CheckDisk.dll
NSClientListener.dll
NRPEListener.dll
;SysTray.dll
CheckEventLog.dll
CheckHelpers.dll
;CheckWMI.dll
CheckExternalScripts.dll
;NSCAAgent.dll
;LUAScript.dll
;NRPEClient.dll
;CheckTaskSched.dll
[Settings]
;# PASSWORD
; This is the password (-s) that is required to access NSClient remotely. If you leave this blank everyone will be able to access the daemon remotely.
;password=secret-password
;
;# ALLOWED HOST ADDRESSES
; This is a comma-delimited list of IP address of hosts that are allowed to talk to the all daemons. If leave this blank anyone can access the daemon remotely (NSClient still requires a valid password).
; The syntax is host or ip/mask so 192.168.0.0/24 will allow anyone on that subnet access
allowed_hosts=192.168.0.1/24
;
;# USE THIS FILE
; Use the INI file as opposed to the registry if this is 0 and the use_reg in the registry is set to 1 the registry will be used instead.
use_file=1
;
;# USE SHARED MEMORY CHANNELS
; This is the "new" way for using the system tray based on an IPC framework on top shared memory channels and events. It is brand new and (probably has bugs) so don't enable this unless for testing! If set to 1 shared channels will be created and system tray icons created and such and such...
;shared_session=0
[log]
;# LOG DEBUG
; Set to 1 if you want debug message printed in the log file (debug messages are always printed to stdout when run with -test)
debug=1
;
;# LOG FILE
; The file to print log statements to
;file=nsclient.log
;
[includes]
;# The order when used is "reversed" thus the last included file will be "first"
; Included files can include other files (be careful, only do basic recursive checking)
; myotherfile.ini
[NSClient]
;# ALLOWED HOST ADDRESSES
; This is a comma-delimited list of IP address of hosts that are allowed to talk to NSClient daemon. If you leave this blank the global version will be used instead.
;allowed_hosts=
;
;# NSCLIENT PORT NUMBER
; This is the port the NSClientListener.dll will listen to.
;port=12489
;
;# SOCKET TIMEOUT
; Timeout when reading packets on incoming sockets. If the data has not arrived within this time we will bail out.
;socket_timeout=30
[NRPE]
;# NRPE PORT NUMBER
; This is the port the NRPEListener.dll will listen to.
;port=5666
;
;# COMMAND ARGUMENT PROCESSING
; This option determines whether or not the NRPE daemon will allow clients to specify arguments to commands that are executed.
;allow_arguments=0
;
;# COMMAND ALLOW NASTY META CHARS
; This option determines whether or not the NRPE daemon will allow clients to specify nasty (as in |`&><'"\[]{}) characters in arguments.
;allow_nasty_meta_chars=0
;
;# USE SSL SOCKET
; This option controls if SSL should be used on the socket.
;use_ssl=1
;
;# ALLOWED HOST ADDRESSES
; This is a comma-delimited list of IP address of hosts that are allowed to talk to NRPE daemon.
; If you leave this blank the global version will be used instead.
;allowed_hosts=
;
;# SOCKET TIMEOUT
; Timeout when reading packets on incoming sockets. If the data has not arrived within this time we will bail out.
;socket_timeout=30
[Check System]
;# CPU BUFFER SIZE
; Can be anything ranging from 1s (for 1 second) to 10w for 10 weeks. Notice that a larger buffer will waste memory
; so don't use a larger buffer than you need (i.e. the longest check you do +1).
;CPUBufferSize=1h
;
[External Script]
;# COMMAND TIMEOUT
; This specifies the maximum number of seconds that the NRPE daemon will allow plug-ins to finish executing before killing them off.
;command_timeout=60
;
;# COMMAND ARGUMENT PROCESSING
; This option determines whether or not the NRPE daemon will allow clients to specify arguments to commands that are executed.
;allow_arguments=0
;
;# COMMAND ALLOW NASTY META CHARS
; This option determines whether or not the NRPE daemon will allow clients to specify nasty (as in |`&><'"\[]{}) characters in arguments.
;allow_nasty_meta_chars=0
;
[External Scripts]
;check_es_long=scripts\long.bat
;check_es_ok=scripts\ok.bat
;check_es_nok=scripts\nok.bat
;check_vbs_sample=cscript.exe //T:30 //NoLogo scripts\check_vb.vbs
;check_powershell_warn=cmd /c echo scripts\powershell.ps1 | powershell.exe -command -
[External Alias]
alias_cpu=checkCPU warn=80 crit=90 time=5m time=1m time=30s
alias_disk=CheckDriveSize MinWarn=10% MinCrit=5% CheckAll FilterType=FIXED
check_ok=CheckOK Everything is fine!
;# LUA SCRIPT SECTION
; A list of all Lua scripts to load.
;[LUA Scripts]
;scripts\test.lua
[NSCA Agent]
;# CHECK INTERVAL (in seconds)
; How often we should run the checks and submit the results.
;interval=5
;
;# ENCRYPTION METHOD
; This option determines the method by which the send_nsca client will encrypt the packets it sends to the nsca daemon. The encryption method you choose will be a balance between security and performance, as strong encryption methods consume more processor resources. You should evaluate your security needs when choosing an encryption method.
; Values:
; 0 = None (Do NOT use this option)
; 1 = Simple XOR (No security, just obfuscation, but very fast)
; 3 = 3DES (Triple DES)
; 14 = RIJNDAEL-128 (AES)
;encryption_method=14
;
;# ENCRYPTION PASSWORD
; This is the password/passphrase that should be used to encrypt the sent packets.
;password=
;
;# LOCAL HOST NAME
; The name of this host (if empty "computername" will be used).
;hostname=
;
;# NAGIOS SERVER ADDRESS
; The address to the nagios server to submit results to.
;nsca_host=192.168.0.1
;
;# NAGIOS SERVER PORT
; The port to the nagios server to submit results to.
;nsca_port=5667
;# CHECK COMMAND LIST
; The checks to run every time we submit results back to nagios. Any command (alias/key) starting with host_ is sent as HOST_COMMAND; others are sent as SERVICE_COMMANDS where the alias/key is used as service name.
;
[NSCA Commands]
;my_cpu_check=checkCPU warn=80 crit=90 time=20m time=10s time=4
;my_mem_check=checkMem MaxWarn=80% MaxCrit=90% ShowAll type=page
;my_svc_check=checkServiceState CheckAll exclude=wampmysqld exclude=MpfService
;host_check=check_ok
;# REMOTE NRPE PROXY COMMANDS
; A list of commands that check other hosts.
; Used by the NRPEClient module
[NRPE Client Handlers]
check_other=-H 192.168.0.1 -p 5666 -c remote_command -a arguments
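The listing above ties remote exposure to a handful of keys (password, allowed_hosts, allow_arguments, allow_nasty_meta_chars, use_ssl, encryption_method). The following is an added example, not part of the original slides or of NSClient++: a small auditor that reads an nsc.ini and reports those settings when a listener module is loaded. The function names, finding codes and both sample files are constructed for illustration, and treating a commented-out key as blank is an assumption.

```python
import configparser

# Constructed sample: a deliberately weak nsc.ini using only keys shown in the listing.
WEAK_INI = r"""
[modules]
NSClientListener.dll
NRPEListener.dll
CheckExternalScripts.dll
NSCAAgent.dll

[Settings]
;password=secret-password
allowed_hosts=

[NRPE]
allow_arguments=1
allow_nasty_meta_chars=1
use_ssl=0

[External Script]
allow_arguments=1

[NSCA Agent]
encryption_method=1
password=
"""

# Constructed sample: the same listeners with the restrictive values.
HARDENED_INI = r"""
[modules]
NSClientListener.dll
NRPEListener.dll
CheckExternalScripts.dll

[Settings]
password=constructed-example-passphrase
allowed_hosts=192.168.0.1

[NRPE]
allow_arguments=0
allow_nasty_meta_chars=0
use_ssl=1
"""


def load(text):
    """Parse nsc.ini text: ';' starts a comment, [modules] holds bare DLL names."""
    cp = configparser.ConfigParser(
        allow_no_value=True, delimiters=("=",), comment_prefixes=(";",),
        interpolation=None, strict=False)
    cp.read_string(text)
    return cp


def value(cp, section, key):
    """Stripped value of a key; a missing or commented-out key counts as blank (assumption)."""
    if cp.has_section(section) and cp.has_option(section, key):
        return (cp.get(section, key) or "").strip()
    return ""


def audit(text):
    """Return finding codes for the settings the config comments warn about."""
    cp = load(text)
    findings = []

    def loaded(module):
        return cp.has_section("modules") and cp.has_option("modules", module + ".dll")

    global_hosts = value(cp, "Settings", "allowed_hosts")

    if loaded("NSClientListener"):
        if not value(cp, "Settings", "password"):
            findings.append("nsclient-blank-password")
        # A blank per-module list falls back to the global one.
        if not (value(cp, "NSClient", "allowed_hosts") or global_hosts):
            findings.append("nsclient-open-allowed-hosts")

    if loaded("NRPEListener"):
        if not (value(cp, "NRPE", "allowed_hosts") or global_hosts):
            findings.append("nrpe-open-allowed-hosts")
        if value(cp, "NRPE", "use_ssl") == "0":
            findings.append("nrpe-ssl-disabled")

    # [NRPE] and [External Script] carry separate copies of the argument switches.
    for section, module, tag in (("NRPE", "NRPEListener", "nrpe"),
                                 ("External Script", "CheckExternalScripts", "extscript")):
        if loaded(module) and value(cp, section, "allow_arguments") == "1":
            findings.append(tag + "-arguments-enabled")
            if value(cp, section, "allow_nasty_meta_chars") == "1":
                findings.append(tag + "-nasty-meta-chars")

    if loaded("NSCAAgent"):
        if value(cp, "NSCA Agent", "encryption_method") in ("0", "1"):
            findings.append("nsca-no-real-encryption")  # 0 = none, 1 = simple XOR
        if not value(cp, "NSCA Agent", "password"):
            findings.append("nsca-blank-password")
    return findings


if __name__ == "__main__":
    for name, text in (("weak", WEAK_INI), ("hardened", HARDENED_INI)):
        print(name, audit(text))
```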
Configuring it to listen
Go ahead, set it up…
…let me know when you're done…
cmd
cd <nsclient++ install directory>
notepad nsc.ini
<edit to your heart's content>
[modules]
FileLogger.dll
NRPEListener
NSClientListener
CheckSystem.dll
CheckDisk.dll
…
[Settings]
allowed_hosts=127.0.0.1
nsclient++ /start
nsclient++ -noboot NRPEClient -H 127.0.0.1 -p 5666
Checking The System
CheckCPU
◦ CPU Load (CheckCPU warn=80 crit=90 time=20m time=10s time=4)
CheckUpTime
◦ Server uptime (CheckUpTime MinWarn=1d MinCrit=12h)
CheckServiceState
◦ Windows Services (CheckServiceState MyService)
CheckProcState
◦ Running Processes (CheckProcState NSClient++.exe=started)
CheckMem
◦ System Memory (CheckMEM MaxWarn=80% MaxCrit=90%)
CheckCounter
◦ PDH Counters (CheckCounter "Counter:proc=\\Processor(_total)\\% Processor Time" ShowAll MaxWarn=50 MaxCrit=80)
CheckFileSize
◦ Check filesize
◦ CheckFileSize MaxWarn=1024M MaxCrit=4096M File:_WIN=c:\WINDOWS\*.*
CheckDriveSize
◦ Check drives and volumes
◦ CheckDriveSize ShowAll MinWarnFree=10% MinCritFree=5% Drive=c:\
CheckFile
◦ Deprecated, don’t use!
CheckFile2
◦ Check various things about files
◦ CheckFile2 path=c:\test pattern=*.txt MaxCrit=1 filter+written=gt:2h
CheckCPU
◦ CheckCPU is part of the CheckSystem module.
◦ This check calculates an average of CPU usage for a specified period of time.
◦ The data is always collected in the background and the size and interval is configured from the CPUBufferSize and CheckResolution options.
◦ A request has one or more options described in the table below.
Option | Values | Description
warn | load in % | Load to go above to generate a warning.
crit | load in % | Load to go above to generate a critical state.
time | time with optional prefix | The time to calculate average over. Multiple time= entries can be given, generating multiple CPU usage summaries and multiple warn/crits.
nsclient | | Flag to make the plug in run in NSClient compatibility mode
ShowAll | none, long | Add this option to show info even if no errors are detected. Set it to long to show detailed information.
Check that the CPU load for various times is below 80%:
Sample Command:
CheckCPU warn=80 crit=90 time=20m time=10s time=4
OK: CPU Load ok.
Nagios Configuration:
define command {
   command_name <<CheckCPU>>
   command_line check_nrpe -H $HOSTADDRESS$ -p 5666 -c CheckCPU -a warn=$ARG1$ crit=$ARG2$ time=20m time=10s time=4
}
<<CheckCPU>> 80!90
From Commandline (with NRPE):
check_nrpe -H IP -p 5666 -c CheckCPU -a warn=80 crit=90 time=20m time=10s time=4
Checking the System - Part 1: Getting there
In /test mode:
CheckCPU warn=80 crit=90 time=20m time=10s time=4
From check_nrpe:
nsclient++ -noboot NRPEClient -H 127.0.0.1 -p 5666 -c CheckCPU -a warn=80 crit=90 time=20m time=10s time=4
Try running the “server” in test mode.
nsclient++ /stop
start nsclient++ /test
…
nsclient++ -noboot NRPEClient -H 127.0.0.1 -p 5666 -c CheckCPU -a warn=80 crit=90 time=20m time=10s time=4
For this you need:
◦ [modules]
◦ CheckSystem.dll
◦ NRPEListener.dll
◦ [Settings]
◦ allowed_hosts=127.0.0.1
◦ [NRPE]
◦ allow_arguments=1
How to debug “things”
1. NSClient++ /test
◦ In test mode it is much easier to see errors
2. check_nrpe (or NSClient++ NRPEClient)
◦ With NRPE it is much faster to try “another option”
1. Always start with “NSClient++” in /test mode
2. Then run the service in the background
3. Then add it and try it from Nagios!
◦ When everything works you only need one “change”
All you got from NRPEClient was:
◦ “unknown socket exception”
Whereas in the /test console you got:
◦ Connection not allowed from…
◦ Arguments not allowed
And the reason is “security by obscurity”:
◦ “no disclosure” (or less of it)
Checking the System - Part 2: Checking something
Memory
A process
A service
A counter
A disk
A file
…
Check the “NSClient++ Reference Manual.pdf”
◦ (or the wiki)
And remember:
1. nsclient++ /test
2. nsclient++ -noboot NRPEClient
3. We won't add things to Nagios here
Memory
◦ CheckMEM MaxWarn=80% MaxCrit=90% ShowAll type=page
A process
◦ CheckProcState ShowAll NSClient++.exe=started
A service
◦ CheckServiceState ShowAll NSClientpp=stopped
A counter
◦ CheckCounter ShowAll "Counter:mutex=\\Objects\\Mutexes" MaxWarn=500 MaxCrit=1000
A disk
◦ CheckDriveSize MinWarn=50% MinCrit=25% CheckAll FilterType=FIXED FilterType=REMOTE
A file
◦ CheckFile2 path=c:\test pattern=*.txt MaxCrit=1 filter+written=gt:2h
Where do you want to go today?
EventLog
◦ Some theory about windows eventlog and then some simple hands on assignments
Scripts
◦ A pretty extensive (feel free to end it at any time) session on how to write scripts for NSClient++
WMI
◦ Introduction to WMI and some assignments (requires a bit of googling)
The End
Making sure windows is feeling good
The good:
◦ Powerful interface
The bad:
◦ Hard to use!
◦ Requires configuration
◦ no out-of-the-box solution!
A lot of theory!
◦ (please don't despair)
Two different filtering strategies
◦ Exclusive filtering (-filter=out)
   If you want all errors (except…)
◦ Inclusive filtering (-filter=in)
   If you only want specific errors
◦ Remember (-filter=new)
   Don't forget this!
There is an “old” outdated syntax as well
The old syntax is actually even more confusing!
Simplest to start with
By default:
◦ Everything is an error
Produces a lot of noise
◦ False positives
Good if you just want to be warned
◦ But bad for your DBA or what not
Sample (all entries for last 2 days):
◦ CheckEventLog file=application filter=new filter=out MaxWarn=1 MaxCrit=1 filter-generated=>2d
For advanced use
By default:
◦ Nothing is an error
Easy to make mistakes (and miss errors)
◦ But less SMS:es for your DBA
Good if you are only looking for specifics
◦ Raid controllers, active directory, etc...
Sample (all entries for last 2 days):
◦ CheckEventLog file=application filter=new filter=in MaxWarn=1 MaxCrit=1 filter+generated=<2d
Filter rule
◦ A rule to match against every single line in the eventlog
Chain
◦ A set of filter rules used when finding errors
◦ Linear (when a rule matches chain is terminated)
Order is important
Worst case:
◦ number of records in eventlog <X> number of rules
Always start with the rule that will discard the most items.
filter-generated=>2d
Mode
◦ If the filter is additive, subtractive or just “there”
Type (keyword)
◦ What to match
   Message
   Event category
   Event date
   Etc...
Equal Sign
Operator
◦ =, !=, > < etc...
Value
◦ The value to match
filter+generated=<2h
   (mode: +, type: generated, equal sign: =, operator: <, value: 2h)
Consider the following rules:
◦ filter-generated=2d
   WRONG! (No equal sign)
◦ filter-generated==2d
   Correct!
Always remember the “extra” equal sign!
Type | Description
eventType | An event type (error, warning, info, auditSuccess or auditFailure)
eventSource | The name of the source of the event (the program logging)
generated | Time ago the message was generated (when it happened)
written | Time ago the message was written to the log (don’t use)
message | Filter strings in the message (NOT the entire message)
eventID | Filter based on the event id of the log message (error code)
severity | Filter based on event severity (success, informational, warning or error)
Option | Description
file | The “eventlog file” to open. Use multiple file-options to check multiple files.
filter | Set filter mode (out, in, old, new)
MaxWarn | Maximum hits before a warning state is issued.
MaxCrit | Maximum hits before a critical state is issued.
warn | More flexible way to do matching (NEW): warn=5, (MaxWarn=5 same as warn=>4)
crit | More flexible way to do matching (NEW)
<filter rules> | A list of filter rules to be matched (in order)
Option | Description
truncate | Length of returned data. Since NRPE (and NSClient++) has a limited capacity this is important. Usually 1023 is a good value.
syntax | How to format the return data
unique | If set only “one of each” record will be returned. (“count” (MaxWarn/MaxCrit) is not affected, only the text)
descriptions | Set this if you plan on using the %message% syntax option. (Will have severe negative performance impact)
CheckEventLog
◦ file=application
◦ filter=new
◦ filter=out
◦ MaxWarn=1
◦ MaxCrit=1
◦ filter-generated=>2d
◦ filter-severity==success
◦ filter-severity==informational
◦ truncate=1023
◦ unique
◦ descriptions
◦ "syntax=%severity%: %source%: %message% (%count%)"
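The rule syntax and the linear chain described above, applied to the filter rules of this command, as an added example that is not part of the original slides and is not NSClient++ code. It is a model of the semantics as the slides state them (default hit in filter=out, default miss in filter=in, first matching rule ends the chain, MaxWarn/MaxCrit as hit counts); the record fields, event sources and IDs are constructed, and only the + and - modes and the =, !=, >, < operators are modelled.

```python
import re

UNITS = {"s": 1, "m": 60, "h": 3600, "d": 86400, "w": 604800}
# filter<mode><type>=<operator><value>: the first "=" separates, the operator follows it.
RULE = re.compile(r"^filter([+-])(\w+)=(!=|=|>|<)(.+)$")

H, D = 3600, 86400
# Constructed records; "generated" is the age of the entry in seconds.
RECORDS = [
    {"severity": "error", "eventsource": "ExampleDisk", "eventid": 7, "generated": 1 * H},
    {"severity": "informational", "eventsource": "ExampleSvc", "eventid": 7036, "generated": 1 * H},
    {"severity": "error", "eventsource": "ExampleDisk", "eventid": 7, "generated": 5 * D},
    {"severity": "warning", "eventsource": "ExampleApp", "eventid": 3013, "generated": 3 * H},
]
# The filter rules of the suggested command, in the order given on the slide.
SUGGESTED = ["filter-generated=>2d", "filter-severity==success",
             "filter-severity==informational"]


def parse_rule(arg):
    """Split one rule into (mode, type, operator, value); reject a missing operator."""
    m = RULE.match(arg)
    if not m:
        raise ValueError("bad filter rule %r (is the extra operator sign missing?)" % arg)
    mode, key, op, val = m.groups()
    return mode, key.lower(), op, val


def seconds(text):
    """Convert '2d', '30s', '10w' to seconds."""
    return int(text[:-1]) * UNITS[text[-1]]


def matches(rule, record):
    _, key, op, val = rule
    if key in ("generated", "written"):
        left, right = record[key], seconds(val)          # compare ages
    else:
        left, right = str(record[key]).lower(), val.lower()
    return {"=": left == right, "!=": left != right,
            ">": left > right, "<": left < right}[op]


def hits(records, rule_args, mode):
    """mode 'out': everything is a hit unless discarded; 'in': nothing is unless kept."""
    rules = [parse_rule(a) for a in rule_args]
    kept = []
    for rec in records:
        keep = (mode == "out")
        for rule in rules:
            if matches(rule, rec):
                keep = (rule[0] == "+")
                break                                    # linear chain: first match wins
        if keep:
            kept.append(rec)
    return kept


def state(count, max_warn, max_crit):
    """Nagios exit code: MaxWarn=5 is read as 'more than 4 hits', per the option table."""
    if count >= max_crit:
        return 2
    if count >= max_warn:
        return 1
    return 0


if __name__ == "__main__":
    found = hits(RECORDS, SUGGESTED, "out")
    print(len(found), "hits, state", state(len(found), 1, 1))
    # Order matters: an early '+' rule keeps the 5-day-old error before the age rule sees it.
    print(len(hits(RECORDS, ["filter+severity==error", "filter-generated=>2d"], "out")))
    print(len(hits(RECORDS, ["filter-generated=>2d", "filter+severity==error"], "out")))
```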
TimeGenerated
◦ The time at which this entry was submitted. This time is measured in the number of seconds elapsed since 00:00:00 January 1, 1970, Universal Coordinated Time.
TimeWritten
◦ The time at which this entry was received by the service to be written to the log. This time is measured in the number of seconds elapsed since 00:00:00 January 1, 1970, Universal Coordinated Time.
EventID
◦ The event identifier. The value is specific to the event source for the event, and is used with source name to locate a description string in the message file for the event source. For more information, see Event Identifiers.
EventType
◦ The type of event. This member can be one of the following values.
   Error event
   Failure Audit event
   Success Audit event
   Information event
   Warning event
EventCategory
◦ The category for this event. The meaning of this value depends on the event source. For more information, see Event Categories.
No “perfect way” to identify messages!
◦ What I use:
   Source
      If it is an application I care or don’t care about
   ID
      If it is a message I care or don’t care about
But this is flawed!
   Multiple applications can reuse the same ID
Monitor your eventlog…
Let me know when you're done…
Start by using the supplied “suggested command”
CheckEventLog file=application file=system filter=new filter=out MaxWarn=1 MaxCrit=1 filter-generated=>2d filter-severity==success filter-severity==informational truncate=1023 unique descriptions "syntax=%severity%: %source%: %message% (%count%)"
Don’t like to type?
◦ It's in the nsc.ini under alias_event_log
Well, remove the ones you don’t want:
◦ First find them: (id is usually good)
◦ Change the syntax:
   "syntax=---%id%---: %source%: %message% (%count%)"
◦ Remove messages:
   filter-eventID==3013
Extending NSClient++ the easy way
External Scripts
◦ Same as for unix
◦ Can be written in:
   Batch
   Perl
   VBA/VBScript
   ... anything ?
Internal Scripts
◦ A simple way to programmatically extend NSClient++
◦ Can interact with internal commands
◦ Can hold state
◦ Is NOT compatible with “other” clients
◦ Can be written in:
   Lua
   Future version will support WSH (VB, etc)
1. Enable the check module
   [modules]
   CheckExternalScripts.dll
◦ You can also use NRPEListener.dll (but it is less flexible)
2. Each script requires a definition
   [External Scripts]
   check_es_test=scripts\test.bat
3. Scripts require NRPE (or custom NSClient)
   [modules]
   NRPEListener.dll
4. Options disabled by default (for a reason)
   [External Script]
   allow_arguments=1
   This is not the same as the one under [NRPE]!
1. Enable the check module
   [modules]
   LUAScript.dll
2. Each script requires a definition
   [LUA Scripts]
   scripts\test.lua
3. Scripts require NRPE (or custom NSClient)
   [modules]
   NRPEListener.dll
Writing your first Scripts
Configuration:
[modules]
CheckExternalScripts.dll
...
[External Scripts]
my_script=scripts\script.bat
...
<alias>=<script>
<alias> is the command from nrpe (nagios)
<script> is the command to execute (the script)
Output:
◦ Use: echo <text>
◦ Don’t forget @echo off (or all commands will be echoed)
Exit statuses:
◦ Use: exit <code>
   0 = OK
   1 = Warning
   2 = Critical
   3 = Unknown
NSC.ini syntax:
[External Scripts]
check_batch=scripts\test.bat
Reference:
◦ http://www.ss64.com/nt/
Don’t let preconceptions fool you: batch can actually do a lot!
Turn off “echo” of all commands
Display the return message
Return a critical error to nagios
…\NSClient++\scripts>cmd /c test.bat
CRITICAL: Everything is not going to be fine
…\NSClient++\scripts>echo %ERRORLEVEL%
2
01#Playing with batch files
Write a script in batch (.bat) which will terminate all notepad instances
◦ For extra credits:
   Handle errors
   Use an argument for the process name
script_kill.bat notepad
script_kill.bat explorer
...
Look in the docs folder for a list of all batch commands.
There are three commands you can use:
   KILL
      Need the resource kit
   PsKill
      Need the PSTools package (in the toys folder)
   TASKKILL
      Ships with XP/*
@echo off
REM Path to PsKill relative to the scripts folder
SET PSKILL=..\..\toys\pstools\pskill
REM %1 is the process name; PsKill output is discarded
%PSKILL% %1 >NUL 2>NUL
IF %ERRORLEVEL% == 0 GOTO exitok
GOTO exiterr

:exiterr
echo CRITICAL: Failed to kill %1
exit 2

:exitok
echo OK: Process terminated: %1
exit 0
02#Run this script from NSClient++
1. Save the script in the scripts folder
2. Enable the external script module
3. Add a script definition to external scripts
4. Start NSClient++ in test mode
5. Run the script
1. Save the script in the scripts folder
   NSClient++\scripts\...
2. Enable the external scripts module
   [modules]
   CheckExternalScripts.dll
3. Add a script definition to external scripts
   [External Scripts]
   lab1=scripts\lab1.bat
4. Start NSClient++ in test mode
   NSClient++ /test
5. Run the script
   lab1
Scripting other languages
Output:
◦ Use: Wscript.StdOut.WriteLine <text>
Exit statuses:
◦ Use: Wscript.Quit(<code>)
   0 = OK
   1 = Warning
   2 = Critical
   3 = Unknown
NSC.ini syntax:
[External Scripts]
check_vbs=cscript.exe //T:30 //NoLogo scripts\check_vbs.vbs
//T:30 is the timeout and might need to be changed.
Reference:
◦ http://msdn.microsoft.com/en-us/library/t0aew7h6(VS.85).aspx
Output:
◦ Use: write-host <text>
Exit statuses:
◦ Use: exit <code>
   0 = OK
   1 = Warning
   2 = Critical
   3 = Unknown
NSC.ini syntax:
[External Scripts]
check_ps1=cmd /c echo scripts\powershell.ps1; exit($lastexitcode) | powershell.exe -command -
Reference:
◦ http://www.ss64.com/ps/
◦ http://www.microsoft.com/downloads/details.aspx?familyid=3b3f7ce4-43ea-4a21-90cc-966a7fc6c6e8&displaylang=en&tm
◦ http://msdn.microsoft.com/en-us/library/aa394554(VS.85).aspx
◦ http://msdn.microsoft.com/en-us/library/aa394570(VS.85).aspx
DEMO: Playing with PowerShell
03#Playing with PowerShell
Write a script in PowerShell (.PS1) which will verify that your keyboard is working!
◦ For extra credits:
   Handle errors
   Use an argument to select which keyboard (if more than one)
Start by looking in Microsoft's list of WMI Classes (a link inside references.html)
Use the Status column from Win32_Keyboard in \\root\cimv2
Use my earlier sample as a basis
$result = ""
$code = 0
$disks = Get-WmiObject -Class Win32_Keyboard | Select-Object -Property Name,Status
$disks | ForEach-Object -Process {
   if ($_.Status -ne "OK") {
      $result = $result + $_.Name + ": Is broken :( "
      $code = 2
   } else {
      $result = $result + $_.Name + ": Kicks ass! "
   }
}
write-host $result
exit $code
Using Internal Scripts
Can be used to extend NSClient++
Are pretty powerful
A good way to “alter” things you do not like
Are written in Lua
Will be the base for all built-in commands
Possibly “Safe/Unsafe” (runs inside NSClient++)
Sample ideas:
◦ Modify the output of a built-in command
◦ Custom configuration updater
◦ Custom Passive protocol
◦ Checks for various things
◦ ...
Output:
◦ Use: nscp.print(<text>)
Exit statuses:
◦ Use: return code, <message>, <performance data>
   'ok' = OK
   'warning' = Warning
   'critical' = Critical
   'unknown' = Unknown
NSC.ini syntax:
[Lua Scripts]
Scripts\myscript.lua
Reference:
◦ http://www.lua.org/docs.html
Lua scripts are different as they interact with NSClient++.
◦ Register a command handler:
   nscp.register('check_something', 'something')
◦ Settings:
   nscp.getSection
   nscp.getSetting
   …
◦ Executing commands:
   nscp.execute('command', 'argument')
DEMO: Playing with Lua
Windows Management Instrumentation (everything)
The purpose of WMI is to define a non-proprietary set of environment-independent specifications which allow management information to be shared between management applications.
WMI prescribes enterprise management standards and related technologies that work with existing management standards, such as Desktop Management Interface (DMI) and SNMP.
WMI complements these other standards by providing a uniform model. This model represents the managed environment through which management data from any source can be accessed in a common way.
…
In short: Like SNMP but “modern” ☺
Dangerous!
◦ No security, allows access to *a lot* of things.
Fairly “unexplored” in NSClient++
Two commands:
◦ CheckWMI
   Check a result set
   NSClient++ does filtering
   Good for checking if “more than n items...”
◦ CheckWMIValue
   Check a specific value
   WMI does filtering
Object | Description
Win32_Fan | Represents the properties of a fan device in the computer system.
Win32_TemperatureProbe | Represents the properties of a temperature sensor (electronic thermometer).
Win32_DiskDrive | Represents a physical disk drive as seen by a computer running the Windows operating system.
Win32_PhysicalMedia | Represents any type of documentation or storage medium.
Win32_TapeDrive | Represents a tape drive on a computer system running Windows.
Win32_BaseBoard | Represents a baseboard (also known as a motherboard or system board).
Win32_BIOS | Represents the attributes of the computer system's basic input or output services (BIOS).
Win32_IDEController | Represents the capabilities of an Integrated Drive Electronics (IDE) controller device.
Win32_MemoryArray | Represents the properties of the computer system memory array and mapped addresses.
Win32_OnBoardDevice | Represents common adapter devices built into the motherboard (system board).
Win32_Processor | Represents a device capable of interpreting a sequence of machine instructions on the computer.
Win32_SCSIController | Represents a small computer system interface (SCSI) controller on a computer system running Windows.
Win32_USBControllerDevice | Relates a USB controller and the CIM_LogicalDevice instances connected to it.
Win32_NetworkAdapter | Represents a network adapter on a computer system running Windows.
Win32_Battery | Represents a battery connected to the computer system.
Win32_PortableBattery | Represents the properties of a portable battery, such as one used for a notebook computer.
Win32_PowerManagementEvent | Represents power management events resulting from power state changes.
Win32_UninterruptiblePowerSupply | Represents the capabilities and management capacity of an uninterruptible power supply (UPS).
Win32_Printer | Represents a device connected to a computer system running Windows that is capable of reproducing a visual image on a medium.
Win32_PrintJob | Represents a print job generated by a Windows-based application.
Object | Description
Win32_SystemDriver | Represents the system driver for a base service.
Win32_Directory | Represents a directory entry on a computer system running Windows.
Win32_DiskQuota | Tracks disk space usage for NTFS file system volumes.
Win32_LogicalDisk | Represents a data source that resolves to an actual local storage device.
Win32_Volume | Represents an area of storage on a hard disk.
Win32_PageFileUsage | Represents the file used for handling virtual memory file swapping on a computer system running Windows.
Win32_NetworkConnection | Represents an active network connection in a Windows environment.
Win32_NTDomain | Represents a Windows NT domain.
Win32_PingStatus | Represents the values returned by the standard ping command.
Win32_ComputerSystem | Represents a computer system operating in a Windows environment.
Win32_OperatingSystem | Represents an operating system installed on a computer system running Windows.
Win32_Process | Represents a sequence of events on a computer system running Windows.
Win32_ProcessStartup | Represents the startup configuration of a computer system running Windows.
Win32_ScheduledJob | Represents a job scheduled using the Windows NT schedule service.
Win32_BaseService | Represents executable objects that are installed in a registry database maintained by the SCM.
Win32_Service | Represents a service on a computer system running Windows.
Win32_LogonSession | Describes the logon session or sessions associated with a user logged on to Windows 2000 or Windows NT.
Win32_UserAccount | Represents information about a user account on a computer system running Windows.
Win32_UserInDomain | Association class
Win32_WindowsProductActivation | Contains properties and methods related to WPA.
Win32_NTEvent... | Yes you can even check the eventlog!
WQL - WMI Query Language
◦ Based upon SQL
◦ Only select features (no update/insert/delete)
“Tables” are called objects in WMI
◦ An object usually corresponds to a logical “type”.
Example:
◦ select * from win32_Processor
   Retrieves everything from the win32_Processor “object”.
Best way to start
Simple to use...
◦ ...if you know your WMI
A sample query:
◦ CheckWMIValue "Query=Select * from win32_Processor" MaxWarn=80 MaxCrit=90 Check:CPU=LoadPercentage ShowAll=long
◦ (a bit like CheckCPU)
Option | Description
MaxWarn | The maximum allowed value for the column(s).
MaxCrit | The maximum allowed value for the column(s).
MinWarn | The minimum allowed value for the column(s).
MinCrit | The minimum allowed value for the column(s).
ShowAll | If present will display information even if an item is not reporting a state. If set to long will display more information.
Query | The WMI query to ask (not stackable, only one query at a time)
Check | A column name to check (if * all columns will be checked) (this is stackable, so you can compare any number of columns)
truncate | The maximum length of the query-result.
AliasCol | A column to be included (prefixed) in the alias for matching columns.
Monitor your applications☺
Let me know when you're done…
Start by using the command line tools:
nsclient++ -noboot CheckWMI Select * from win32_Processor
Slightly shorter output:
nsclient++ -noboot CheckWMI Select Caption, LoadPercentage from win32_Processor
Then decide how the check shall look…
CheckWMIValue
◦ "Query=Select * from win32_Processor"
◦ MaxWarn=50 MaxCrit=80
◦ Check:CPU=LoadPercentage
Questions/Thoughts/Ideas?
http://www.linkedin.com/in/mickem
http://www.medin.name
Information about NSClient++: http://nsclient.org
Slides, and examples at: http://nsclient.org/nscp/conferances/omc-2009/