Exposing Metrics to Prometheus
Goal: Let a Prometheus server scrape NSClient++'s built-in metrics (CPU, memory, uptime, network, temperature, predefined performance counters, …) so they appear alongside everything else in Grafana / Alertmanager.
This works the same on Windows and Linux — the same modules, endpoint, user/role setup and scrape configuration apply on both. The platforms differ only in which metric families they emit (see Available Metrics below).
This scenario is the inverse of the rest of the integration scenarios: NRPE/NSCA/NRDP/Icinga 2 send check results to a monitoring server, but Prometheus scrapes raw metrics on its own schedule. The two patterns are complementary — you can run both on the same agent.
How It Works
NSClient++'s WEBServer module exposes an OpenMetrics endpoint at:
GET https://<agent>:8443/api/v2/openmetrics
Authenticated requests return the current metrics one-per-line in OpenMetrics text format. Prometheus is configured to scrape that URL on its usual interval (15s, 30s, 1m, …).
flowchart LR
P[Prometheus] -->|HTTP scrape| W[NSClient++<br/>WEBServer<br/>/api/v2/openmetrics]
W --- CS[CheckSystem]
W --- CD[CheckDisk]
W --- PC[Predefined counters]
Metrics are aggregated by WEBServer from whichever modules happen to be
loaded — load CheckSystem to get CPU/memory/uptime/network, load CheckDisk
to add drive metrics, and so on.
Prerequisites
[/modules]
WEBServer = enabled ; serves the /api/v2/openmetrics endpoint
CheckSystem = enabled ; provides CPU / memory / uptime / network metrics
CheckDisk = enabled ; (optional) drive metrics
You also need:
- A reachable IP/hostname and TCP
8443open from the Prometheus server. - Credentials for the scrape (see Step 2 below).
Step 1 — Enable the Web Server
If you haven't already, run the helper:
nscp web install
This sets a password, opens 8443 from 127.0.0.1, and writes the role
configuration. Restart the service:
nsclient service --restart
For the full setup (TLS certificate, custom port, allowed hosts), see Web Interface — the Prometheus endpoint shares the same web server, so anything that page covers applies here too.
Step 2 — Create a Scrape User
Reading the OpenMetrics endpoint requires the openmetrics.list grant. The
built-in full role has * (everything), so the admin user can scrape
without further configuration — but a dedicated user with only the metrics
grant is better practice.
[/settings/WEB/server/roles]
prometheus = openmetrics.list,login.get
[/settings/WEB/server/users/prometheus]
role = prometheus
password = <strong-random-password>
Restart NSClient++ for the new role/user to take effect.
Step 3 — Verify the Endpoint
From the agent (or anywhere allowed to reach it):
curl -k -u prometheus:<password> https://<agent>:8443/api/v2/openmetrics
Expected output is one metric per line, <name> <value>. On a Windows host:
system_mem_commited.avail 12592123904
system_mem_commited.total 17175158784
system_mem_commited.% 73
system_cpu_total.idle 95
system_cpu_total.total 5
system_uptime_ticks.raw 84135
On a Linux host:
system_cpu_total.idle 97.8293
system_cpu_total.user 1.19519
system_cpu_total.kernel 0.975472
system_mem_physical.total 1.6554e+10
system_mem_physical.used 2.78311e+09
system_mem_swap.% 26
system_uptime_ticks.raw 434344
system_network_eth0.received 343
system_network_eth0.sent 131
If you get HTTP 401, the credentials or role grant are wrong; if you get a TLS error, see "TLS / self-signed certificate" below.
Step 4 — Configure Prometheus
Add a scrape job to prometheus.yml:
scrape_configs:
- job_name: nsclient
scrape_interval: 30s
metrics_path: /api/v2/openmetrics
scheme: https
tls_config:
# NSClient++ generates a self-signed cert by default. Either point
# `ca_file` at the CA you used for `nscp web install --certificate`,
# or set `insecure_skip_verify: true` for a quick start (not for
# production).
insecure_skip_verify: true
basic_auth:
username: prometheus
password: <strong-random-password>
static_configs:
- targets:
- win-server-01.example.com:8443
- linux-server-01.example.com:8443
Windows and Linux agents can share the same scrape job — the endpoint, port and authentication are identical.
Reload Prometheus and check Status → Targets — the job should go green within one scrape interval.
Available Metrics
The exact set depends on which modules are loaded and on the platform.
Available on both platforms from CheckSystem:
| Bundle | Examples |
|---|---|
system_cpu_* |
total.idle, total.user, total.kernel, plus per-core variants |
system_mem_* |
families differ per platform — see below |
system_uptime_* |
ticks.raw, boot.raw |
system_network_<nic>.* |
received, sent, total (bytes/s per interface) |
system_temperature_* |
thermal sensors (WMI/ACPI on Windows, sysfs thermal/hwmon on Linux) |
system_battery_* |
charge/health, on machines that have a battery |
system_cpu_frequency_* |
current/max clock per core, where exposed |
system_process_history_* |
per-executable times_seen / currently_running (opt-in, below) |
Add CheckDisk (either platform) and you also get disk_io_<device>.*
(throughput, IOPS, queue length, busy time) and disk_free_<drive>.*
(total/free/used and percentages).
Platform differences to be aware of:
- Memory families follow what the OS exposes: Windows publishes
commited/physical/page/virtual, Linux publishesphysical/cached/swap. - Per-core CPU naming: Linux normalises core names to
core_0,core_1, …; Windows names themcore 0(with a space), which is not a valid OpenMetrics identifier — strict parsers may drop the per-core lines there (thetotalaggregate is always parseable on both). - PDH counters (
system_metrics_*) are Windows-only: predefine them in[/settings/system/windows/counters/<name>](see Performance Counter (PDH) Monitoring) and they appear on the endpoint automatically. There is no Linux equivalent. - Process history is opt-in on both platforms — set
process history = trueunder[/settings/system/windows]or[/settings/system/unix]respectively. - Hardware metrics (temperature, battery, CPU frequency) depend on what the host exposes: virtual machines and WSL typically publish none, which is normal.
Common Gotchas
Metric names contain dots
NSClient++ emits names like system_mem_commited.avail. Strict OpenMetrics /
Prometheus identifiers should match [a-zA-Z_:][a-zA-Z0-9_:]*, which doesn't
include .. Recent Prometheus versions tolerate it; older ones may reject
the line. If your scrape drops metrics with dots, rewrite them with
metric_relabel_configs:
metric_relabel_configs:
- source_labels: [__name__]
regex: '(.*)\.(.*)'
target_label: __name__
replacement: '${1}_${2}'
TLS / self-signed certificate
Out of the box nscp web install generates a self-signed certificate.
Production options:
- Point Prometheus'
ca_fileat your internal CA and replace the cert with one signed by it (thenscp web install --certificate ...flag, or the cert-management UI in the web interface). - Or use
insecure_skip_verify: trueintls_config— fast to set up but doesn't authenticate the agent. Acceptable on a private network you trust; not on the open internet.
allowed hosts blocks the scrape
Without an explicit allow list, the WEBServer accepts only 127.0.0.1. If
Prometheus runs on a different host, add it:
[/settings/default]
allowed hosts = 127.0.0.1, 10.0.0.0/24
Or per-module under [/settings/WEB/server].
No # HELP / # TYPE lines
The endpoint emits only <name> <value> pairs — no metadata. Most metrics
are gauges; tag them as such on the Prometheus side if you need explicit
type metadata, or use metric_relabel_configs to project them into separate
series.
Strings are skipped
Some bundles include string-typed entries (e.g. system_uptime_uptime is the
human-readable "1d 12:30"). These don't appear on the OpenMetrics endpoint —
only numeric gauges do. Use the JSON /api/v2/metrics endpoint if you need
the strings.
Next Steps
- Web Interface — full WEBServer setup including TLS, port, and user/role management.
- Performance Counter (PDH) Monitoring — predefine custom PDH counters; they appear on the OpenMetrics endpoint automatically.
- REST API — the same web server also exposes
/api/v2/queries,/api/v2/metrics(JSON), logs, and module management. - Reference: WEBServer — every web server setting in detail.