Version 2 (modified by mickem, 5 years ago)

Configuration

Configuration is fairly simple and straightforward. Open the configuration file in Notepad (or your favorite editor) with "notepad <installation path>\NSC.ini" and edit it accordingly. A longer description of the configuration file is included in the following page.

The file has sections (denoted by the section name in brackets) and key/value pairs (denoted by key=value). Thus it has the same syntax as pretty much any other INI file in Windows.

The sections are described briefly below. The default configuration file has a lot of examples and comments, so make sure you change it before you use NSClient++, as some of the examples might be potential security issues.

The configuration can also be stored in the system registry (HKLM\Software\NSClient++). There is currently no UI to configure this, so the simplest way is to maintain the configuration in the INI file and "migrate" that to the registry. This can be done via the [RemoteConfiguration] module, but in short:

NSClient++ RemoteConfiguration ini2reg

Settings

This section has generic options for how NSCP will work. Some of these settings (such as allowed_hosts) are inherited by the sections below, so it is probably a better idea to set them here.

The options you have available here are

| Option | Default value | Description |
|---|---|---|
| obfuscated_password | ... | An obfuscated version of password. For more details refer to the password option below. To create the obfuscated password use: "NSClient++.exe /encrypt" |
| password | ... | The password used by various (presently only NSClient) daemons. If no password is set everyone will be able to use this service remotely. |
| allowed_hosts | 127.0.0.1 | A list (comma separated) with hosts that are allowed to connect and query data. If this is empty all hosts will be allowed to query data. BEWARE: NSClient++ will not resolve the IP address of DNS entries if the service is set to startup automatically. Use an IP address instead. |

Log

This section has options for how logging is performed. Note that for logging to make sense you need to enable the "FileLogger.dll" module, which logs all log data to a text file in the same directory as the NSClient++ binary. If you don't enable any logging module, nothing will be logged.

The options you have available here are

| Option | Default value | Description |
|---|---|---|
| debug | 0 | A Boolean value that toggles if debug information should be logged or not. This can be either 1 or 0. |
| file | nsclient.log | The file to write log data to. If no directory is used this is relative to the NSClient++ binary. |
| date_mask | %Y-%m-%d %H:%M:%S | The date format used when logging to a file |

Systray

This section configures the system tray module.

| Option | Default value | Description |
|---|---|---|
| defaultCommand | ... | A string that will be the default in the inject command dialog. |

NSClient

These are the configuration options for the NSClient module.

This is subject to change in the near future

| Option | Default value | Description |
|---|---|---|
| port | 12489 | The port to listen to |
| obfuscated_password | | An obfuscated version of password. For more details refer to the password option below. |
| password | | The password that incoming clients need to authorize themselves by. This option will replace the one found under Settings for NSClient. If this is blank the option found under Settings will be used. If both are blank everyone will be granted access. |
| allowed_hosts | | A list (comma separated) with hosts that are allowed to poll information from NSClient++. This will replace the one found under Settings for NSClient if present. If not present the same option found under Settings will be used. If both are blank all hosts will be allowed to access the system. BEWARE: NSClient++ will not resolve the IP address of DNS entries if the service is set to startup automatically. Use an IP address instead. |
| socket_back_log | | Number of sockets to queue before starting to refuse new incoming connections. This can be used to tweak the amount of simultaneous sockets that the server accepts. This is an advanced option and should not be used. |
| bind_to_address | | The address to bind to when listening to sockets. |

NRPE

This is the configuration for the NRPE module, which controls how the NRPE listener operates.

| Option | Default value | Description |
|---|---|---|
| port | 5666 | The port to listen to |
| allowed_hosts | | A list (comma separated) with hosts that are allowed to poll information from NRPE. This will replace the one found under Settings for NRPE if present. If not present the same option found under Settings will be used. If both are blank all hosts will be allowed to access the system |
| use_ssl | 1 | Boolean value to toggle SSL encryption on the socket connection |
| socket_back_log | | Number of sockets to queue before starting to refuse new incoming connections. This can be used to tweak the amount of simultaneous sockets that the server accepts. This is an advanced option and should not be used. |
| bind_to_address | | The address to bind to when listening to sockets. |
| command_timeout | 60 | The maximum time in seconds that a command can execute (if it takes more than this, execution will be aborted). NOTICE: this only affects external commands, not internal ones. |
| allow_arguments | 0 | A Boolean flag to determine if arguments are accepted on the incoming socket. If arguments are not accepted you can still use external commands that need arguments but you have to define them in the NRPE handlers below. This is similar to the NRPE "dont_blame_nrpe" option. |
| allow_nasty_meta_chars | 0 | Allow NRPE execution to have “nasty” meta characters that might affect execution of external commands (things like > “ etc). |
| performance_data | 1 | Send performance data back to nagios |
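
The fallback rules described above for password and allowed_hosts, together with the NRPE switches, can be checked mechanically. The following audit script is an added example, not part of NSClient++ or of the original page; the function names, the constructed sample file and the finding texts are assumptions, and it assumes both listener modules are loaded.

```python
import configparser
import ipaddress

# Constructed NSC.ini for illustration (not the shipped default file).
SAMPLE = """\
[Settings]
allowed_hosts=
[NSClient]
[NRPE]
allowed_hosts=10.0.0.5,nagios.example.org
allow_arguments=1
use_ssl=0
"""

def load(text):
    cp = configparser.ConfigParser(interpolation=None, allow_no_value=True,
                                   strict=False, delimiters=("=",))
    # Strip indentation so a wiki-pasted file is not parsed as continuation lines.
    cp.read_string("\n".join(line.strip() for line in text.splitlines()))
    return cp

def effective(cp, section, key, default=""):
    """Module value if set, else [Settings], else the documented default."""
    for sec in (section, "Settings"):
        val = (cp.get(sec, key, fallback="") or "").strip()
        if val:
            return val
    return "" if cp.has_option("Settings", key) else default

def audit(text):
    cp, out = load(text), []
    for sec in ("NSClient", "NRPE"):
        hosts = effective(cp, sec, "allowed_hosts", "127.0.0.1")
        if not hosts:
            out.append(f"{sec}: allowed_hosts blank, all hosts allowed")
        for h in filter(None, map(str.strip, hosts.split(","))):
            try:
                ipaddress.ip_address(h)
            except ValueError:  # DNS names may not resolve at service start
                out.append(f"{sec}: allowed_hosts entry {h} is not an IP address")
        if sec == "NSClient" and not (effective(cp, sec, "password")
                                      or effective(cp, sec, "obfuscated_password")):
            out.append("NSClient: no password, everyone is granted access")
        if sec == "NRPE":
            for key, bad, dflt in (("allow_arguments", "1", "0"),
                                   ("allow_nasty_meta_chars", "1", "0"), ("use_ssl", "0", "1")):
                if (cp.get(sec, key, fallback=dflt) or "").strip() == bad:
                    out.append(f"NRPE: {key}={bad}")
    return out
```

Calling audit(SAMPLE) returns one finding per risky effective setting; an empty list means none of the conditions described in the tables above were met.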

NRPE Handlers

This is a list of handlers for NRPE execution. They can of course be used by any module (such as NSClient), but for historical reasons they are located in this section, especially as the NRPE plug-in is the one that does the actual execution.

The handlers can have two different syntaxes:

  • command[my_command]=/some/executable
  • my_command=/some/executable

The latter is the preferred way as it is shorter.

Check System

Here you can set various options to configure the System Check module.

| Option | Default value | Description |
|---|---|---|
| CPUBufferSize | 1h | The time to store CPU load. |
| CheckResolution | 10 | Time between checks in 1/10 of seconds. |
| auto_detect_pdh | 1 | Set this to 0 to disable auto detect (counters.defs) PDH language and OS version. |
| MemoryCommitLimit | \Memory\Commit Limit | Counter to use to check upper memory limit. |
| MemoryCommitByte | \Memory\Committed Bytes | Counter to use to check current memory usage. |
| SystemSystemUpTime | \System\System Up Time | Counter to use to check the uptime of the system. |
| SystemTotalProcessorTime | \Processor(_total)\% Processor Time | Counter to use for CPU load. |
| ProcessEnumerationMethod | auto | Set the PROCESS enumeration method (auto or TOOLHELP or PSAPI) |

modules

This is a list of modules to load at startup. All the modules included in this list have to be NSClient++ modules and be located in the modules subdirectory. This is in effect the list of plug-ins that will be available while the service is running.

A good idea here is to disable all modules you don't actually use, for two reasons: one, less code means fewer potential security holes, and two, fewer modules means less resource drain.

Sample configuration

This is the default sample configuration file:

 [modules]
 ;# NSCLIENT++ MODULES
 ;# A list with DLLs to load at startup.
 ;  You will need to enable some of these for NSClient++ to work.
 ; ! ! ! ! ! ! ! ! ! ! ! ! ! ! ! ! ! ! ! ! ! ! ! ! ! ! ! ! ! ! ! ! !
 ; *                                                               *
 ; * N O T I C E ! ! ! - Y O U   H A V E   T O   E D I T   T H I S *
 ; *                                                               *
 ; ! ! ! ! ! ! ! ! ! ! ! ! ! ! ! ! ! ! ! ! ! ! ! ! ! ! ! ! ! ! ! ! !
 ;FileLogger.dll
 ;CheckSystem.dll
 ;CheckDisk.dll
 ;NSClientListener.dll
 ;NRPEListener.dll
 ;SysTray.dll
 ;CheckEventLog.dll
 ;CheckHelpers.dll
 ;
 ; CheckWMI IS AN EXTREMELY EARLY IDEA SO DON'T USE IT FOR PRODUCTION ENVIRONMENTS!
 ;CheckWMI.dll
 
 [Settings]
 ;# OBFUSCATED PASSWORD
 ;  This is the same as the password option but here you can store the password in an obfuscated manner.
 ;  *NOTICE* obfuscation is *NOT* the same as encryption, someone with access to this file can still figure out the 
 ;  password. It's just a bit harder to do it at first glance.
 ;obfuscated_password=Jw0KAUUdXlAAUwASDAAB
 ;
 ;# PASSWORD
 ;  This is the password (-s) that is required to access NSClient remotely. If you leave this blank everyone will be able to access the daemon remotely.
 ;password=secret-password
 ;
 ;# ALLOWED HOST ADDRESSES
 ;  This is a comma-delimited list of IP addresses of hosts that are allowed to talk to all the daemons.
 ;  If you leave this blank anyone can access the daemon remotely (NSClient still requires a valid password).
 ;allowed_hosts=127.0.0.1
 
 [log]
 ;# LOG DEBUG
 ;  Set to 1 if you want debug message printed in the log file (debug messages are always printed to stdout when run with -test)
 ;debug=1
 ;
 ;# LOG FILE
 ;  The file to print log statements to
 ;file=NSC.log
 ;
 ;# LOG DATE MASK
 ;  The format for the date/time part of the log entry written to file.
 ;date_mask=%Y-%m-%d %H:%M:%S
 
 
 [NSClient]
 ;# NSCLIENT PORT NUMBER
 ;  This is the port the NSClientListener.dll will listen to.
 ;port=12489
 
 
 [Check System]
 ;# CPU BUFFER SIZE
 ;  Can be anything ranging from 1s (for 1 second) to 10w for 10 weeks. Notice that a larger buffer will waste memory 
 ;  so don't use a larger buffer than you need (i.e. the longest check you do +1).
 ;CPUBufferSize=1h
 ;
 ;# CHECK RESOLUTION
 ;  The resolution to check values (currently only CPU).
 ;  The value is entered in 1/10ths of a second and the default is 10 (which means once every second)
 ;CheckResolution=10
 
 [NRPE]
 ;# NRPE PORT NUMBER
 ;  This is the port the NRPEListener.dll will listen to.
 ;port=5666
 ;
 ;# COMMAND TIMEOUT
 ;  This specifies the maximum number of seconds that the NRPE daemon will allow plug-ins to finish executing before killing them off.
 ;command_timeout=60
 ;
 ;# COMMAND ARGUMENT PROCESSING
 ;  This option determines whether or not the NRPE daemon will allow clients to specify arguments to commands that are executed.
 ;allow_arguments=0
 ;
 ;# COMMAND ALLOW NASTY META CHARS
 ;  This option determines whether or not the NRPE daemon will allow clients to specify nasty (as in |`&><'"\[]{}) characters in arguments.
 ;allow_nasty_meta_chars=0
 ;
 ;# USE SSL SOCKET
 ;  This option controls if SSL should be used on the socket.
 ;use_ssl=1
 
 [NRPE Handlers]
 ;# COMMAND DEFINITIONS
 ;# Command definitions that this daemon will run.
 ;# Can be either NRPE syntax:
 ;command[check_users]=/usr/local/nagios/libexec/check_users -w 5 -c 10
 ;# Or simplified syntax:
 ;test=c:\test.bat foo $ARG1$ bar
 ;check_disk1=/usr/local/nagios/libexec/check_disk -w 5 -c 10
 ;# Or even loopback (inject) syntax (to run internal commands)
 ;# This is a way to run "NSClient" commands and other internal module commands such as check eventlog etc.
 ;check_cpu=inject checkCPU warn=80 crit=90 5 10 15
 ;check_eventlog=inject CheckEventLog Application warn.require.eventType=error warn.require.eventType=warning critical.require.eventType=error critical.exclude.eventType=info truncate=1024 descriptions
 ;check_disk_c=inject CheckFileSize ShowAll MaxWarn=1024M MaxCrit=4096M File:WIN=c:\ATI\*.*
 ;# But be careful:
 ; dont_check=inject dont_check This will "loop forever" so be careful with the inject command...
 ;# Check some escapings...
 ; check_escape=inject CheckFileSize ShowAll MaxWarn=1024M MaxCrit=4096M "File: foo \" WIN=c:\\WINDOWS\\*.*"