This document discusses NSClient++, a simple but powerful system monitoring agent. It provides examples of using filters to customize monitoring checks, including filtering by level, source, size, load, and other attributes. The document also outlines NSClient++ version history and support/funding options for the open source project.

1. Simplified

2. How many use NSClient++

3. How many like NSClient++?
..pdh collection thread not running…
ERROR: Missing argument exception
PdhCollectQueryData? failed: : 2147481643: No data to return.
Failed to query performance counters:
..pdh collection thread not running…
ERROR: Missing argument exception
PdhCollectQueryData? failed: : 2147481643: No data to return.
Failed to query performance counters:

4. How many thinks it’s simple?
CheckEventLog file=application
file=system MaxWarn=1
MaxCrit=1 "filter=generated gt
-2d AND severity NOT IN
('success', 'informational')
AND source != 'SideBySide'"
truncate=800 unique
descriptions
"syntax=%severity%: %source%:
%message% (%count%)"

5. What’s 3+8?

6. How many saw me last year?
Boring…
Get started
already!

7. dev not ops
worked in ops a long time ago
work with “soa” not, C/C++, nagios, …

10. 0.4.1: 2012-10-xx
0.4.2: 2013-10-xx?
0.4.3: 2014-02-xx?

12. one-man-band
no company
no commercial version
no paid time

13. Please don’t be angry!
Some times I am busy 

14. but…
sponsoring!
donations!
support!

17. Sockets:
Modernized:
New protocols:
Real-time checks:
Simplified:

18. Secure monitoring

19. Build 90 (2013-02-xx)
◦
◦
◦
◦
◦
◦
nsclient-full.ini
Reload from script
(re)added check_filesize (ie. Check_nt –v FILESIZE)
Encoding support for NRPE
New option: scan-range for CheckEventLog
Various minor bug fixes
Build 96 (2013-04-xx)
◦
◦
◦
◦
Reverted external script quoting issues
(re)added check_fileage (ie. Check_nt –v FILEAGE)
Added support for binding to both ipv6 and ipv4
Various minor bug fixes
Build 102 (2013-08-xx)
◦
◦
◦
◦
PDH improvements
Performance data: pass through
Encoding support through out
Various minor bug fixes and enhancements

25. Level
Source
…
…
Error
Word
…
…
Error
Excel
…
…
Info
Word
…
…
Warning
Excel
…
…
Error
App1
…
…
Warning
App1
…
…
Error
App3
…
…

26. Level
Source
…
…
Error
Word
…
…
Error
Excel
…
…
Info
Word
…
…
Warning
Excel
…
…
Error
App1
…
…
Warning
App1
…
…
Error
App3
…
…
filter=” level = ’error’ ”

27. Level
Source
…
…
Error
Word
…
…
Error
Excel
…
…
Info
Word
…
…
Warning
Excel
…
…
Error
App1
…
…
Warning
App1
…
…
Error
App3
…
…
filter=” source = ’App1’ ”

28. Level
Source
…
…
Error
Word
…
…
Error
Excel
…
…
Info
Word
…
…
Warning
Excel
…
…
Error
App1
…
…
Warning
App1
…
…
Error
App3
…
…
filter=” source = ’App1 ”

29. Level
Source
…
…
Error
Word
…
…
Error
Excel
…
…
Info
Word
…
…
Warning
Excel
…
…
Error
App1
…
…
Warning
App1
…
…
Error
App3
…
…
filter=” source = ’App1’ or source = ’App3’ ”

30. Level
Source
…
…
Error
Word
…
…
Error
Excel
…
…
Info
Word
…
…
Warning
Excel
…
…
Error
App1
…
…
Warning
App1
…
…
Error
App3
…
…
filter=” source = ’App1’ or source = ’App3’
or level = ’error’ ”

31. Level
Source
…
…
Error
Word
…
…
Error
Excel
…
…
Info
Word
…
…
Warning
Excel
…
…
Error
App1
…
…
Warning
App1
…
…
Error
App3
…
…
filter=” source = ’App1’ or source = ’App3’
or level = ’error’ or level = ’warning’ ”

32. Level
Source
…
…
Error
Word
…
…
Error
Excel
…
…
Info
Word
…
…
Warning
Excel
…
…
Error
App1
…
…
Warning
App1
…
…
Error
App3
…
…
filter=” (source = ’App1’ or source = ’App3’
or level = ’error’ or level = ’warning’) and source != ’Excel’ ”

33. Level
Source
…
…
Error
Word
…
…
Error
Excel
…
…
Info
Word
…
…
Warning
Excel
…
…
Error
App1
…
…
Warning
App1
…
…
Error
App3
…
…
filter=” (source in (’App1’, ’App3’) or level in (’error’,
filter=” (source = ’App1’ or source = ’App3’
or level = ’error’ or level = ’warning’)!= ’Excel’ ” != ’Excel’ ”
’warning’)) and source and source

34. Core
Load
…
…
core1
5
…
…
core2
0
…
…
core3
0
…
…
core4
5
…
…
core5
0
…
…
core6
0
…
…
Total
2
…
…
filter=” load > 10 ”

35. Name
Size
…
…
Foo.txt
5k
…
…
Bar.txt
12k
…
…
Log.txt
0
…
…
Test.txt
123
…
…
Foobar.txt
1k
…
…
Testing.txt
2k
…
…
Barfoo.txt
24k
…
…
filter=” size > 10k ”

36. Name
Size
…
…
physical
8g
…
…
commited
12g
…
…
…
…
…
…
…
…
…
…
…
…
…
…
…
…
…
…
…
…
…
…
filter=” used > 80% ”

37. filter = (id NOT IN ('3', '4', '6', '11', '16', '23', '24', '27', '29', '36', '46', '47', '50', '56', '134', '142', '219', '267', '270', '1006', '1009', '1014', '1030', '1035', '1036', '1055', '1058', '1071', '1073',
'1085', '1102', '1110', '1111', '1112', '1131', '1291', '1500', '3095', '5719', '5722', '5783', '5788', '5789', '6008', '7000', '7001', '7003', '7005', '7009', '7011', '7022', '7023', '7024', '7026',
'7030', '7031', '7034', '7038', '7041', '9015', '9018', '9026', '9028', '10009', '10010', '10016', '10149', '12294', '15300', '15301', '24679', '36887', '36888', '40960', '40961', '45056') AND
level IN ('error', 'warning'))
OR (id IN ('3') AND source NOT IN ('FilterManager') AND level IN ('error', 'warning'))
OR (id IN ('4') AND source NOT IN ('q57','L2ND') AND level IN ('error', 'warning')) OR (id IN ('6') AND source NOT IN ('Security-Kerberos') AND level IN ('error', 'warning')) OR (id
IN ('11') AND source NOT IN ('Kerberos-Key-Distribution-Center') AND level IN ('error', 'warning')) OR (id IN ('16') AND source NOT IN ('WindowsUpdateClient') AND level IN ('error',
'warning')) OR (id IN ('23') AND source NOT IN ('Eventlog') AND level IN ('error', 'warning')) OR (id IN ('24') AND source NOT IN ('Time-Service') AND level IN ('error', 'warning')) OR
(id IN ('27') AND source NOT IN ('Eventlog') AND level IN ('error', 'warning')) OR (id IN ('29') AND source NOT IN ('Kerberos-Key-Distribution-Center') AND level IN ('error', 'warning'))
OR (id IN ('36') AND source NOT IN ('Time-Service') AND level IN ('error', 'warning')) OR (id IN ('46') AND source NOT IN ('Time-Service') AND level IN ('error', 'warning')) OR (id IN
('47') AND source NOT IN ('Time-Service') AND level IN ('error', 'warning')) OR (id IN ('50') AND source NOT IN ('TermDD','Time-Service') AND level IN ('error', 'warning')) OR (id IN
('56') AND source NOT IN ('TermDD') AND level IN ('error', 'warning')) OR (id IN ('134') AND source NOT IN ('Time-Service') AND level IN ('error', 'warning')) OR (id IN ('142') AND
source NOT IN ('Time-Service') AND level IN ('error', 'warning')) OR (id IN ('219') AND source NOT IN ('Kernel-pnp') AND level IN ('error', 'warning')) OR (id IN ('267') AND source
NOT IN ('Storage-agents') AND level IN ('error', 'warning')) OR (id IN ('270') AND source NOT IN ('Storage-agents') AND level IN ('error', 'warning')) OR (id IN ('1006') AND source
NOT IN ('DNS Client Events','GroupPolicy') AND level IN ('error', 'warning')) OR (id IN ('1009') AND source NOT IN ('picadm') AND level IN ('error', 'warning')) OR (id IN ('1014') AND
source NOT IN ('DNS Client Events') AND level IN ('error', 'warning')) OR (id IN ('1030') AND source NOT IN ('GroupPolicy') AND level IN ('error', 'warning')) OR (id IN ('1035') AND
source NOT IN ('TerminalServices-RemoteConnectionManager') AND level IN ('error', 'warning')) OR (id IN ('1036') AND source NOT IN ('TerminalServices-RemoteConnectionManager')
AND level IN ('error', 'warning')) OR (id IN ('1055') AND source NOT IN ('GroupPolicy') AND level IN ('error', 'warning')) OR (id IN ('1058') AND source NOT IN ('GroupPolicy') AND
level IN ('error', 'warning')) OR (id IN ('1071') AND source NOT IN ('TerminalServices-RemoteConnectionManager') AND level IN ('error', 'warning')) OR (id IN ('1073') AND source NOT
IN ('USER32') AND level IN ('error', 'warning')) OR (id IN ('1085') AND source NOT IN ('GroupPolicy') AND level IN ('error', 'warning')) OR (id IN ('1102') AND source NOT IN
('SNMP') AND level IN ('error', 'warning')) OR (id IN ('1110') AND source NOT IN ('GroupPolicy') AND level IN ('error', 'warning')) OR (id IN ('1111') AND source NOT IN ('Server Agents')
AND level IN ('error', 'warning')) OR (id IN ('1112') AND source NOT IN ('GroupPolicy') AND level IN ('error', 'warning')) OR (id IN ('1131') AND source NOT IN ('TerminalServicesRemoteConnectionManager') AND level IN ('error', 'warning')) OR (id IN ('1291') AND source NOT IN ('NIC-agents') AND level IN ('error', 'warning')) OR (id IN ('1500') AND source
NOT IN ('SNMP') AND level IN ('error', 'warning')) OR (id IN ('3095') AND source NOT IN ('Netlogon') AND level IN ('error', 'warning')) OR (id IN ('5719') AND source NOT IN
('Netlogon') AND level IN ('error', 'warning')) OR (id IN ('5722') AND source NOT IN ('Netlogon') AND level IN ('error', 'warning')) OR (id IN ('5783') AND source NOT IN ('Netlogon')
AND level IN ('error', 'warning')) OR (id IN ('5788') AND source NOT IN ('Netlogon') AND level IN ('error', 'warning')) OR (id IN ('5789') AND source NOT IN ('Netlogon') AND level
IN ('error', 'warning')) OR (id IN ('6008') AND source NOT IN ('Eventlog') AND level IN ('error', 'warning')) OR (id IN ('7000') AND source NOT IN ('service control manager') AND
level IN ('error', 'warning')) OR (id IN ('7001') AND source NOT IN ('service control manager') AND level IN ('error', 'warning')) OR (id IN ('7003') AND source NOT IN ('service control
manager') AND level IN ('error', 'warning')) OR (id IN ('7005') AND source NOT IN ('service control manager') AND level IN ('error', 'warning')) OR (id IN ('7009') AND source NOT IN
('service control manager') AND level IN ('error', 'warning')) OR (id IN ('7011') AND source NOT IN ('service control manager') AND level IN ('error', 'warning')) OR (id IN ('7022') AND
source NOT IN ('service control manager') AND level IN ('error', 'warning')) OR (id IN ('7023') AND source NOT IN ('service control manager') AND level IN ('error', 'warning')) OR (id IN
('7024') AND source NOT IN ('service control manager') AND level IN ('error', 'warning')) OR (id IN ('7026') AND source NOT IN ('service control manager') AND level IN ('error',
'warning')) OR (id IN ('7030') AND source NOT IN ('service control manager') AND level IN ('error', 'warning')) OR (id IN ('7031') AND source NOT IN ('service control manager') AND
strings not like 'citrix' AND level IN ('error', 'warning')) OR (id IN ('7034') AND source NOT IN ('service control manager') AND level IN ('error', 'warning')) OR (id IN ('7038') AND source
NOT IN ('service control manager') AND level IN ('error', 'warning')) OR (id IN ('7041') AND source NOT IN ('service control manager') AND level IN ('error', 'warning')) OR (id IN
('9015') AND source NOT IN ('Metaframe') AND level IN ('error', 'warning')) OR (id IN ('9018') AND source NOT IN ('Metaframe') AND level IN ('error', 'warning')) OR (id IN ('9026')
AND source NOT IN ('Metaframe') AND level IN ('error', 'warning')) OR (id IN ('9028') AND source NOT IN ('Metaframe') AND level IN ('error', 'warning')) OR (id IN ('10009') AND
source NOT IN ('DistributedCOM') AND level IN ('error', 'warning')) OR (id IN ('10010') AND source NOT IN ('DistributedCOM') AND level IN ('error', 'warning')) OR (id IN ('10016')
AND source NOT IN ('DistributedCOM') AND level IN ('error', 'warning')) OR (id IN ('10149') AND source NOT IN ('WindowsRemoteManagement') AND level IN ('error', 'warning')) OR
(id IN ('12294') AND source NOT IN ('Directory-Services-SAM') AND level IN ('error', 'warning')) OR (id IN ('15300') AND source NOT IN ('HTTPEVENT') AND level IN ('error',
'warning')) OR (id IN ('15301') AND source NOT IN ('HTTPEVENT') AND level IN ('error', 'warning')) OR (id IN ('24679') AND source NOT IN ('Cissesrv') AND level IN ('error',
'warning')) OR (id IN ('36887') AND source NOT IN ('Schannel') AND level IN ('error', 'warning')) OR (id IN ('36888') AND source NOT IN ('Schannel') AND level IN ('error',
'warning')) OR (id IN ('40960') AND source NOT IN ('LSASRV') AND level IN ('error', 'warning')) OR (id IN ('40961') AND source NOT IN ('LSASRV') AND level IN ('error',
'warning')) OR (id IN ('45056') AND source NOT IN ('LSASRV') AND level IN ('error', 'warning'))

38. Key
Safe Key
Description
=
eq
Equals
!=
ne
Not equals
>
gt
Greater than
<
lt
Less than
>=
ge
Greater or equal than
<=
le
Less or equal than
in ( <LIST OF VALUES>)
In a given list
not in (…)
Not in a given list

39. Key
Safe Key
Description
=
eq
Equals
!=
ne
Not equals
>
gt
Greater than
<
lt
Less than
>=
ge
Greater or equal than
<=
le
Less or equal than
in ( <LIST OF VALUES>)
In a given list
not in (…)
Not in a given list
like
Substring matching
regexp
Regular expression
not like
Opposite of like
not regexp
Opposite of regexp

40. warning
filter
critical

41. Level
Source
…
…
Error
Word
…
…
Error
Excel
…
…
Info
Word
…
…
Warning
Excel
…
…
Error
App1
…
…
Warning
App1
…
…
Error
App3
…
…
filter=” source = ’App1’ “
warn=” level = ’Warning’ “

42. Custom strings
Supports substitutions ${…}
top- and detail-syntax

43. detail-syntax=”s: ${source} “
top-syntax=“Hello: ${list}”
Hello: s: App1, s: App1, s: App3

47. defaults!

48. check_cpu
Just works!

50. check_cpu
check_mem
check_uptime
check_eventlog
check_updates
...
...
Monitoring Server
(Nagios)
Monitored Server
(Windows)

51. check_cpu
check_mem
check_uptime
check_eventlog
check_updates
...
...
Monitoring Server
(Nagios)
Monitored Server
(Windows)

52. Error detected in eventlog
Everything is ok
Monitoring Server
(Nagios)
Monitored Server
(Windows)

53. Zero overhead log-file checks
Composite checks
Stateful monitoring
Adaptive thresholds?
Correlation CEP

55. Two options:

58. check_service computer=192.168.0.1
check_disk drive=192.168.0.1c$
check_task_sched computer=192.168.0.1
check_wmi computer=192.168.0.1

59. Light weight remote deployable agent
Similar to psexec
check_cpu
check_memory
check_process
External scripts!

61. How many thinks it’s simple?
CheckEventLog file=application
file=system MaxWarn=1
MaxCrit=1 "filter=generated gt
-2d AND severity NOT IN
('success', 'informational')
AND source != 'SideBySide'"
truncate=800 unique
descriptions
"syntax=%severity%: %source%:
%message% (%count%)"

62. How many thinks it’s simple?
check_eventlog

64. Photo by Olga Berrios

65. Most images taken by me
whilst visiting the INTREPID
Information about NSClient++
http://nsclient.org
facebook.com/nsclient
Slides, and examples
http://nsclient.org/nscp/conferances/nwc/2013/
My Blog
http://blog.medin.name