News

May 15, 2026
9 min read

New permission system

The release has three big stories — a new core permission system with optional client-cert principals on NRPE, a PDH overhaul that fixes long-standing counter-collection crashes and adds counter functions, and a WEB hardening option that lets monitoring-only deployments expose the WEB UI without seeding a privileged admin account. Everything else is bug fixes, small features, and follow-ups around those three threads.

Highlights

Core permission system — opt-in policy layer that gates which caller can run which command. Configured under /settings/permissions. Disabled by default; existing installs keep working. See https://nsclient.org/docs/concepts/permissions/ for the model, identity table, and rollout recipe.
NRPE client identity from cert CN — when client identity source = cn is set on NRPEServer and the listener verifies the client cert, the CN is stamped as the policy principal so rules can be written per-cert ( NRPEServer:icinga-master = ...). Hard guardrail at module start refuses to load the module if the TLS verify mode would let the CN be attacker-supplied.
Global allow exec toggle — exec is now gated by a single on/off switch under /settings/permissions. The per-command rule table applies to queries only. Default true so enabling the policy system does not break exec callers.
PDH (performance counter) overhaul — fixes for service crashes when PDH misbehaves (#592, #547), counter retry when temporarily unavailable (#634), reliable English counter lookup (#652, #906), a resource leak in the counter-lookup path, and a refactor to smart-buffer-based PDH enumeration. Most users running CheckSystem on Windows should see meaningfully better reliability.
check_pdh counter scaling and functions (#281) — details-syntax and related rendering paths can now apply scaling and other functions, e.g. '${counter}'=${value:scale(/1024)}MB.
check_network — human-readable strings, scaling, speed, and percentages (#329); team-network statistics (#625). See https://nsclient.org/docs/reference/check/CheckNet.
Nagios range syntax in performance data (#748) — 1:10, ~:5, @10:20 etc. work in perfdata thresholds, matching the Nagios plugin spec.
disable admin user on WEBServer — monitoring-only deployments can expose the WEB UI without ever seeding the built-in admin (and previously seeded admin entries are ignored). Pairs naturally with the new permission system to lock down reconfiguration surfaces.
Path overrides moved to boot.ini + new --path-override CLI flag — path tokens (module-path, certificate-path, etc.) are now declared early in boot.ini so they take effect before the main config is loaded. Per-invocation overrides via --path-override KEY=VALUE. See https://nsclient.org/docs/concepts/settings.
NRPE startup is no longer fatal on listener failure — bad bind address / port already in use logs a clear error and leaves the module loaded so settings and commands stay usable for diagnostics.
Dual-stack listening fixed (#312) — v4 and v6 acceptors no longer trample each other's pending connection slot.
disable admin user, client identity source, allow exec, and the policy table are all documented in https://nsclient.org/docs/concepts/permissions/ and https://nsclient.org/docs/setup/securing. Treat those two as the starting point for any new install.

Detailed changes

Security and permissions

Core permission system A policy layer in the core decides whether a given caller may run a given command. Disabled by default; when enabled, rules form a strict allow-list.

[/settings/permissions]
enabled = true
log denials = true
log allows = false      ; noisy, only flip on while rolling out
allow exec = true       ; queries-only rule table; exec is a global toggle

[/settings/permissions/policies]
NRPEServer = CheckHelpers.*, CheckSystem.check_cpu
WEBServer:admin   = *
WEBServer:viewer  = CheckSystem.check_cpu, CheckSystem.check_drivesize
Scheduler = CheckHelpers.*, CheckSystem.*

Subject is module[:principal]; object is module.command. Wildcards (*, ?) supported. Rules combine additively. See https://nsclient.org/docs/concepts/permissions/ for the full identity model, the CheckHelpers identity-forwarding behaviour, and a step-by-step rollout recipe.

NRPE client cert CN as principal When two-way TLS is configured and verifying client certs against your CA, the Common Name is stamped as the policy principal:

[/settings/NRPE/server]
client identity source = cn        ; default: none
verify mode = peer-cert
ca = /etc/nsclient/ca.pem

[/settings/permissions/policies]
NRPEServer:icinga-master   = CheckHelpers.*, CheckSystem.*
NRPEServer:metrics-shipper = CheckSystem.check_cpu, CheckSystem.check_drivesize

Guardrails: the module refuses to start if client identity source = cn is configured without SSL, without verify_mode containing peer and fail-if-no-peer-cert (or the peer-cert alias), or without a non-empty ca path. The CN is logged at debug level on every accepted handshake for diagnostics. CN-only (not full DN) because INI key syntax uses = as the key/value separator and would corrupt DN-shaped policy keys; see the "Why CN-only" section of the permissions doc. See https://nsclient.org/docs/reference/client/NRPEServer.

Global allow exec toggle Per-command rules apply to queries only. The exec surface (WEB scripts UI, lua/python core:simple_exec(...), CLI exec) is gated by a single boolean:

[/settings/permissions]
allow exec = false   ; hard lockdown; default is true

When false and enabled = true, every exec call returns Permission denied: exec is globally disabled (/settings/permissions/allow exec = false). See "Why exec is a single toggle" in https://nsclient.org/docs/concepts/permissions/.

disable admin user on WEBServer For installations that expose the WEB UI for status/visualisation only and never want a remote-reconfiguration surface:

[/settings/WEB/server]
disable admin user = true

With this set, the built-in admin is not seeded on first boot, and any existing admin entry in the user settings is ignored at load time.

Security guide updates https://nsclient.org/docs/setup/securing was rewritten with concrete configurations for NRPE (with and without mTLS) and the WEB server. Read it before exposing either to a network you don't fully control.

Performance counters / PDH

The PDH subsystem (the Windows performance-counter collection backbone behind CheckSystem, check_cpu, check_pdh, check_network, etc.) got a substantial reliability pass. Most users running NSClient++ as a long-running service on Windows should see fewer crashes and more consistent results.

Service crashes when PDH misbehaves on a particular machine (#592, #547) — root-caused and fixed. Misbehaving counter registrations no longer take the service down.
Counter not retried if unavailable (#634) — counters that fail to bind at first sight now get retried on subsequent collection cycles, instead of being permanently unhealthy for the lifetime of the process.
English counter lookup improved (#652, #906) — addresses reading of localised counters by their canonical English names on non- English Windows installs.
Resource leak in PDH counter lookup fixed.
PDH enumeration refactored to smart buffers — clearer memory ownership across the enumeration path, fewer footguns for future changes.
check_pdh counter scaling and functions (#281) — all the details-syntax / rendering paths can now apply functions. Examples:
```
check_pdh "counter=\Processor(_Total)\% Processor Time" \
          "details-syntax=${counter} = ${value:round(2)}%"
```
See https://nsclient.org/docs/reference/check/CheckSystem for the function reference.

check_network

Human-readable strings, scaling, speed, and percentages (#329) — perfdata and message output now render numbers in a way operators actually want to read:

check_network 'filter=interface=Ethernet' \
              'top-syntax=${list}' \
              'detail-syntax=${interface}: ${total_rx_human}/s in, ${total_tx_human}/s out'

Team network statistics (#625) — aggregate stats across Windows NIC teams.

See https://nsclient.org/docs/check/CheckNet.

Performance data formatting

Nagios range syntax in performance data (#748) — the perfdata threshold fields now accept the standard Nagios range syntax: 5:10, ~:5, @10:20, etc. Brings NSClient++ into line with what Nagios consumers already expect.

Settings, paths, and CLI

Path overrides moved to boot.ini — path tokens (module-path, certificate-path, data-path, log-path, …) now live under [paths] in boot.ini (next to nscp.exe), not in nsclient.ini. Overrides take effect before the main config is loaded — including the bootstrap step that decides where the main config itself lives.
```
; boot.ini
[paths]
module-path = D:\monitoring\modules
certificate-path = D:\monitoring\certs
```
--path-override CLI flag — per-invocation override, repeatable. (Renamed from --path to avoid colliding with the nscp settings --path subcommand option.)
```
nscp client --path-override module-path=/build/modules --path-override log-path=. ...
```
See https://nsclient.org/docs/concepts/settings for the precedence rules and the migration note for installs that had a [/paths] section in nsclient.ini.

Aliases and command registration

CheckHelpers alias — aliases can now be defined under [/settings/check helpers/alias] and are registered by CheckHelpers directly, without requiring CheckExternalScripts to be loaded. This is the preferred place going forward; the legacy [/settings/external scripts/alias] is still honoured for backward compatibility.
API to list registered query aliases (#506) — programmatic introspection of the alias table, useful for tooling.
simple_command / simple_command_map — internal refactor that streamlines how modules register aliases. No user-visible behaviour change, but module authors may want to look at the new pattern.
Icinga client alias (7c49a3d3) — minor module-specific addition.

NRPEServer

Listener failure no longer kills the module — a bad bind to address that the resolver can't look up, or a port already in use, used to make the whole module fail to load. Now the failure is logged clearly, the listener stays down, and the module's settings and commands remain accessible for diagnostics and reconfiguration. Fix the config and reload — no service restart needed.
Dual-stack fixed (#312) — the v4 and v6 acceptors used to share a single pending-connection slot, which caused intermittent Already open errors on v6 once v4 accepted a client. Each family now owns its own slot.
Insecure mode produces an error-level log line — flipping insecure = true (for legacy check_nrpe interop) now surfaces as an ERROR so it shows up in monitoring dashboards, instead of silently disabling cert-based peer auth.

Plugin lifecycle

prepare_shutdown hook — modules can opt in to a first-phase shutdown pass before any plugin is unloaded. Used by the Scheduler and similar long-running submitters to finish in-flight work cleanly. Operators see fewer "submission failed during shutdown" lines during service stop.

Settings store

simpleini buffer NUL-termination fix — fixes a buffer allocation issue in the INI parser that could affect non-UTF-8 data paths.
cache allowed host is now a real boolean — previously parsed as a string with surprising truthiness; matches what the docs always claimed.

Modules and clean-ups

WMI module refactor — target handling and settings management cleaned up.
IcingaClient cleanup — removed unused command-handling code paths.
CheckLogFile config and descriptions — fixed misleading defaults and improved the help text.
Web UI improvements — more settings elements exposed under modules, simpler module configuration. Web dependencies refreshed.
Installer: UninstallString is now correct (#495) — removal via Windows "Apps & Features" works again.
Rust dependencies bumped.

Upgrade notes

Most installs can upgrade in place — defaults are preserved. Read the specific items below if any of them apply.

Permission system

The new policy layer is disabled by default. Existing installs continue to behave exactly as before until an operator opts in via /settings/permissions/enabled = true.

If you do opt in:

Per-command rules under /settings/permissions/policies apply to queries only. Any rules you might have written for exec command patterns will be silently ignored for the exec dispatch path — exec is gated by the single global allow exec boolean.
The default for allow exec is true, so enabling the policy will not silently break the WEB scripts UI, lua/python core:simple_exec(...), or CLI exec. Flip to false only if you want a hard exec lockdown.
Roll out with log allows = true first so you can inventory what your actual traffic looks like before tightening to a real allow-list. See the step-by-step recipe in https://nsclient.org/docs/concepts/permissions/.

NRPEServer

The new client identity source setting defaults to none, which matches the previous behaviour (subject is bare NRPEServer). Set to cn only when you want per-cert principals — and only after you've configured verify_mode = peer-cert and a ca path. The module will refuse to start with a clear error if you set cn without those.
Pin the ca path to your private monitoring CA. The system trust store (Windows root store / Linux distro bundle) accepts certs from every public CA on the planet and would let an attacker with a public cert choose their own CN. See "Pin to a private CA" in the permissions doc.

Path overrides

If you had a [/paths] section in nsclient.ini from an older NSClient++ install, those overrides moved to [paths] in boot.ini (note: same section name, different file). There is no automatic migration. Copy each key = value to a [paths] section in boot.ini (next to nscp.exe) and delete the old section from nsclient.ini.

WEB server

The new disable admin user = true setting is opt-in. Existing installs keep their admin and continue to work unchanged. Use this when you want to expose the WEB UI for status-only viewing and have no need to reconfigure the agent through the web.

NRPEServer startup robustness

A failed listener (bad bind address, port in use) used to make the whole NRPEServer module fail to load. It now logs an ERROR and leaves the module loaded with no active listener — so you can reconfigure via nscp settings --path /settings/NRPE/server --key ... --set ... and reload, without restarting the service. If you had monitoring on "module load failed" specifically, you may want to add "NRPE listener failed" as a separate signal.

`insecure = true` on NRPEServer

This option (for legacy check_nrpe interop) now logs at ERROR rather than DEBUG/INFO. Behaviour is unchanged; the message is louder so it shows up in dashboards. If your monitoring filters by severity, you may want to whitelist this specific message on agents that intentionally run in insecure mode.

`cache allowed host`

Previously parsed as a string with surprising truthiness; now a real boolean. If you had cache allowed host = yes or = on, switch to true. Numeric 1 / 0 still work.

Nagios range syntax in performance data

This is additive — existing perfdata that doesn't use range syntax continues to work. Plain numbers still parse as before. Only consumers that previously had to special-case NSClient++'s output may need adjusting, but most Nagios-ecosystem tools handle both forms.

Download

You can download the new version from GitHub

// Michael Medin

May 11, 2026
16 min read

0.12.3 Fixed almost all bugs :)

0.12.4 Fixes a few important regression issues, so please use that version.

What's Changed

This release rolls up everything since the last stable: five pre-releases (0.11.31, 0.11.32, 0.11.33, 0.12.1, 0.12.2) plus the latest in-development changes.

The headline themes are:

New monitoring scenarios — first-class Checkmk and Icinga 2 integration, plus a real check_net family.
A modern Web UI and REST API — events, metadata, settings DELETE, filterable lists, dedicated widgets for PDH counters and real-time filters.
Hardened by default — 0.12.2 is a security release that closes listener defaults that used to be silently permissive (empty allowed hosts, plaintext check_nt, query-string tokens, etc.).
Many long-standing check fixes — check_service, check_process, check_files, check_drivesize, check_uptime, CheckLogFile, and the shared filter/threshold engine all behave correctly now.

Read the Breaking changes section before upgrading — several long-standing-but-incorrect behaviours have been corrected and a number of listener defaults are now fail-closed. If you have an existing configuration, plan to review it.

TL;DR for end users

New scenario: Checkmk agent integration. Point a Checkmk site at port 6556 and you get a native-looking agent dump. See scenarios/check-mk.md.
New scenario: Icinga 2 passive submission. A new IcingaClient module submits passive results to Icinga 2's REST API as an alternative to NSCA / NRDP.
New scenario: NSCA-ng. A new hardened NSCAngClient with PSK and AEAD-first cipher selection.
Native cross-platform network checks: check_tcp, check_dns, check_http, check_ntp_offset, check_connections.
Native Windows registry checks: check_registry_key, check_registry_value.
HTTP proxy support for every HTTP-based client (NRDP, Elastic, Op5, Icinga, the configuration loader, ...).
Windows ROOT trust store auto-export — HTTPS-bound checks validate certificates against the system trust store automatically.
A modern Web UI with filterable lists, settings diff, dashboard, and dedicated CheckSystem widgets.
New REST endpoints: GET/DELETE /api/v2/events, GET /api/v2/metadata, DELETE /api/v2/settings/.... Covered in api/rest/.
Linux real-time metrics — the same background CPU/memory/disk/ network/load sampling that Windows has had for years.
Many bug fixes in check_service, check_process, check_files, CheckLogFile, the filter/threshold engine and the HTTP stack.

Major new features

Checkmk agent integration

NSClient++ can now serve a Checkmk-compatible agent dump on TCP port 6556. A real Checkmk site can register the host with tag_agent = cmk-agent, discover services, and run checks — no proxy, no NSCA gateway.

Enable it:

[/modules]
CheckMKServer = enabled
LUAScript = enabled
CheckSystem = enabled
CheckDisk = enabled
CheckHelpers = enabled

[/settings/check_mk/server]
port = 6556
allowed hosts = 127.0.0.1, <checkmk-site-ip>
submission ttl = 60          ; seconds, default 60
mrpe channel = check_mk-mrpe
local channel = check_mk-local

Out-of-the-box sections (no extra config):

Section	Contents
`<<<check_mk>>>`	Version, OS, hostname
`<<<systemtime>>>`	Unix epoch (Windows clock-skew check)
`<<<uptime>>>`	Seconds since boot (read from internal metrics store)
`<<<mem>>>`	`MemTotal:`/`MemFree:`/`SwapTotal:`/`SwapFree:` (from metrics store)
`<<<df>>>`	Per-volume size/used/free/mountpoint (Windows)
`<<<services>>>`	`name state/start_type display_name` per Windows service
`<<<ps>>>`	`(user,vsz_kb,rss_kb,cputime,pid) cmdline` per process

Expose any nscp check as a Checkmk service under <<<local>>>:

[/settings/check_mk/server/local]
CPU Load = command=check_cpu warn=load>80 crit=load>95
Disk C = command=check_drivesize drive=C: "warn=free<20%" "crit=free<10%"

MRPE relay under <<<mrpe>>>:

[/settings/check_mk/server/mrpe]
Uptime = command=check_uptime warn=uptime<2d
Memory = command=check_memory type=committed warn=used>80% crit=used>90%

Documentation: https://nsclient.org/docs/scenarios/check-mk.md`.

IcingaClient — Icinga 2 REST API submission

A new client module submits passive check results directly to an Icinga 2 master/satellite via the /v1/actions/process-check-result REST endpoint, as an alternative to NSCA or NRDP.

[/modules]
IcingaClient = enabled

[/settings/IcingaClient/targets/default]
address = https://icinga2.example.com:5665
username = nscp
password = secret
hostname = ${hostname}

nscp client --module IcingaClient \
            --command submit_icinga \
            --address https://icinga2.example.com:5665 \
            --username nscp --password secret \
            --command heartbeat \
            --result 0 \
            --message "Hello from NSClient++" \
            --ensure-objects

NSCA-ng client

A new NSCAngClient module ships a hardened NSCA-ng submission client with PSK support, AEAD-first cipher selection, and connection retry logic.

Native support for Windows CA-store

On startup NSClient++ now exports the machine's ROOT certificate store as a single PEM bundle, so any check that does TLS (check_http, IcingaClient, NRDP, ...) can validate certificates against the trust store the rest of Windows already uses.

check_http url=https://www.ibm.com
OK: https://www.ibm.com -> 303 ok (0B in 33ms)

check_http url=https://self-signed.badssl.com/
CRITICAL: https://self-signed.badssl.com/ -> 0 error: Failed to connect ... certificate verify failed

CheckNet — five new (cross-platform) checks

CheckNet graduated from a placeholder into a full network-check module. All five commands work over NRPE as well as locally:

check_tcp — open a TCP socket to one or more host/port pairs, optionally send a payload and require an expected substring.
check_dns — resolve a hostname and optionally assert which addresses come back.
check_http — fetch one or more URLs, check status code, response time and body content; supports custom headers and user-agent.
check_ntp_offset — query one or more NTP servers and alert on offset / stratum.
check_connections — Windows TCP/UDP connection table inspection (counts per protocol/family/state).

check_tcp host=smtp.gmail.com port=25 send="EHLO nsclient.org" expect="250"
check_dns host=google.com expected-address=172.217.20.174
check_http url=https://nsclient.org/ expected-body="NSClient" \
    "warn=time > 500 or code >= 400" \
    "crit=time > 2000 or code >= 500 or result != 'ok'"
check_ntp_offset "servers=0.pool.ntp.org,1.pool.ntp.org" timeout=2000
check_connections "filter=protocol = 'tcp' and state = 'TIME_WAIT'" \
    "warn=count > 200" "crit=count > 1000"

CheckSystem (Windows) — registry checks

Two new commands let you monitor the Windows registry directly from NSClient++ instead of relying on external scripts. They support recursion, exclude lists, 32/64-bit (WoW64) views, custom filters and the usual warn=/crit= expression syntax.

check_registry_key — verify that a key exists, count sub-keys/values, watch its last-write time.
check_registry_value — read a single value assert its type, size or content.

check_registry_key "key=HKLM\Software\NSClient" \
    "warn=age > 7d" "crit=age > 30d or not exists"

check_registry_key "key=HKLM\Software\Microsoft\Windows\CurrentVersion\Uninstall" \
    recursive max-depth=1 exclude=KB5005463 exclude=KB5005539

check_registry_value "key=HKLM\System\CurrentControlSet\Services\W32Time\Config" \
    value=MaxPollInterval "warn=int_value > 14" "crit=int_value > 17"

CheckSystem — `check_os_updates` (Windows)

A new check using the Windows Update Agent (WUA) reports pending OS updates. By default any pending update returns warning; thresholds let you alert only on security/critical:

check_os_updates "warning=important > 0" "critical=security > 0 or critical > 0"

CheckSystem (Linux) — real-time metrics

The Linux build of CheckSystem now ships with the same real-time metric collection that has been available on Windows for a long time: CPU, memory, disk, network and load are sampled in the background and exposed both to dashboards/metrics and to real-time filters (filter=... rules that fire when a threshold is crossed). Existing real-time filter configuration just works on Linux now.

Real-time filter metrics

CheckSystem's real-time filters now publish per-filter match and error counts under system.realtime.<filter_name>.fired / system.realtime.<filter_name>.errors. Visible via:

The metrics REST endpoint (/api/v2/metrics + filter)
Prometheus scrape
The new Metrics() Lua API in default_check_mk.lua

Useful for spotting filters that never fire (typo in the where-clause) or filters that always error (broken expression).

CheckDisk — `check_single_file`

A focused variant of check_files for inspecting a single, known path. Compared to using check_files for the same job:

Only one required argument (file=<path>).
A clear error when the input is empty.
UNKNOWN: File not found: <path> when the file is missing — instead of the empty-set / "No files found" workflow.
A useful default detail-syntax so a no-threshold run is informative on its own.

check_single_file file=C:/windows/WindowsUpdate.log "warn=age > 5m" "crit=age > 1h"
CRITICAL: WindowsUpdate.log (size=276, age=917)

CheckDisk — filesystem filtering for `check_drivesize`

check_drivesize can now filter drives by filesystem type — useful for excluding tmpfs, nfs, etc.

check_drivesize drive=* "filter=fs = 'NTFS'"

`check_nscp_update`

A new check command queries the GitHub releases API (with caching) and reports whether the running NSClient++ is up to date.

HTTP proxy support across every HTTP client

NSClient++ can now route HTTP and HTTPS traffic through a corporate proxy. The same surface is used by every component built on the internal http::simple_client (NRDPClient, ElasticClient, Op5Client, IcingaClient, the remote boot.ini loader, ...).

For HTTPS targets the client opens a CONNECT tunnel to the proxy, validates the proxy's response, and only then performs the TLS handshake — so a single setting covers both http:// and https:// URLs.

Two new options on every HTTP client command and target:

Option	Purpose
`proxy`	Proxy URL — `scheme://[user:pass@]host[:port]/`. Empty value disables the proxy.
`no-proxy`	Comma-separated list of hosts that bypass the proxy. A leading `.` is a suffix match.

[/settings/NRDP/client/targets/nagios]
address = https://nagios.example.com/nrdp/
token = mytoken
proxy = http://proxy.corp.example:3128/
no proxy = localhost,127.0.0.1,.internal

Configuration loader (boot.ini):

[proxy]
url = http://proxy.corp.example:3128/
no_proxy = localhost,127.0.0.1,.internal

Notes / limits:

Only the http:// proxy scheme is supported. socks5:// / https:// proxies are not.
No automatic detection of system proxy settings (HTTP_PROXY env vars, WinINET / WPAD). The proxy must be configured explicitly.
On 407 Proxy Authentication Required the proxy's response body is captured in the error message.

Web UI / REST API expansion

New web routes:

Route	Method	Purpose
`/api/v2/events`	`GET`	List buffered real-time events
`/api/v2/events`	`DELETE`	Drain (returns + clears) the event buffer in one call
`/api/v2/metadata`	`GET`	Module/setting metadata index
`/api/v2/metadata/counters`	`GET`	List of available PDH counters
`/api/v2/metadata/channels`	`GET`	List of registered submission channels
`/api/v2/settings/<path>`	`DELETE`	Remove a settings key or path (staged delete; survives restart)

The settings store gained staged deletion: a DELETE is recorded so that subsequent reads of the deleted key/path return "not present" until the change is saved. Stops a deleted-but-not-yet-saved key from being re-resurrected by a concurrent read.

Web UI refresh

The bundled web interface has been heavily reworked:

Modern theme with active-navigation highlighting and a redesigned login page.
Filterable lists for Modules, Queries and Settings.
Settings diff dialog — the "settings changed" widget can now show exactly which keys changed.
CheckSystem settings UI got dedicated widgets for PDH counters and real-time filters: a counter picker that hits /api/v2/metadata/counters, "Add filter" / "Add counter" dialogs, and a live preview of metric values pulled from the metrics endpoint.

If you've been editing real-time filters in nsclient.ini by hand, the web UI is now a much faster way to do it.

SMTPClient rewrite

The SMTPClient module has been substantially rewritten with proper SMTP handling, integration tests, and a Python-based test harness.

Smaller features

nscp settings --sort — produce stable, sorted output, useful for diffing exported settings between hosts.
Performance threshold min/max bounds — perfdata threshold expressions can declare minimum and maximum bounds, propagated into emitted perfdata:
```
check_pdh "counter=\\Processor(_Total)\\% Processor Time" \
          "perf-config=*(minimum:0;maximum:100)"
```
Timezone-aware check_uptime and Schduler — applies a timezone cache on both Windows and Unix, so absolute boot-time output and cron expressions agree with the host's local time.
WEBServer cookie attribute support — Secure, HttpOnly, SameSite, Path, Domain, Expires, Max-Age.
WEBServer password hashing with constant-time verification — removes the timing oracle on the previous plaintext equality check.

WEBServer authentication rate limiter — per-source throttling of failed authentication attempts:

[/settings/WEB/server]
auth rate limit max failures   = 10   ; 0 disables the limiter
auth rate limit block seconds  = 60

Filter engine — stable summary thresholds

These changes touch the shared filter / threshold engine and therefore affect every modular check (check_files, check_service, check_process, check_eventlog, ...).

Stable `count` / `total` / `*_count` in `warn=` / `crit=`

warn= / crit= were evaluated during iteration. Summary variables such as count therefore exposed their running value instead of the final post-iteration value, so a mixed expression like

crit = state = 'hung' OR count < 5

mis-fired on the very first row (count == 1 < 5) regardless of how many rows ultimately matched. Per-row evaluation is now deferred: matched rows are recorded during iteration, and the warn/crit/ok engines run once the summary state is final.

Mixed `warn=` / `crit=` evaluated when no rows match

If a filter excluded every row, mixed expressions like crit = state = 'stopped' OR count = 0 were skipped entirely — leaving the check OK in the empty case. They are now evaluated with object-bound variables defaulting to false and summary variables at their final values, so the check correctly returns CRITICAL when the service is missing.

Quieter, more predictable expression evaluation

Operators audited so is_unsure propagates consistently; invalid-type comparisons resolve to unsure-false instead of erroring.
String variables on no-object cases now return an empty string with is_unsure=true and produce a warning in the log instead of an error per row — log volume on complex queries drops dramatically.
Removed the misleading "most likely mutating" warnings.
Substantial new test coverage.

`check_service` and `check_process` fixes (Windows)

"Failed to enumerate service: 6f7" on busy hosts — enumeration is now properly looped until the SCM signals end-of-data.
perf-syntax=none actually suppresses perfdata — check_service used to emit empty perfdata aliases ( ''=4;0;1 ''=4;0;1 ...), blowing past NRPE size limits.
No more TODO leaking into ${desc} — check_service service=Spooler used to render as OK: Spooler: TODO. Now: OK: Spooler: Print Spooler.
delayed only reported for SERVICE_AUTO_START — manual / boot / system / disabled services no longer randomly show up as delayed.
check_process sees protected / cross-user processes as NETWORK SERVICE — a PROCESS_QUERY_LIMITED_INFORMATION fallback is now attempted, so winlogon.exe, csrss.exe etc. no longer report CRITICAL: <name>=stopped when the agent runs unprivileged.
Realtime check_process is now case-insensitive, matching the active path and Windows itself.

`check_files` fixes

#730 — max-depth=0 now scans the top directory only (was: bail out before scanning anything, returning "no files found").
#598 — Non-ASCII paths (accented letters, CJK, ...) are no longer silently mangled by mismatched codepage conversions.
#613 — Top-level paths that cannot be opened now produce UNKNOWN: Path was not found: <path> instead of being hidden behind the configured empty-state.
#605 — NTFS junctions / symlinks / mount points are now skipped during recursion, preventing double-counts on self-referential trees.
#717 — The legacy CheckFiles shim now sets empty-state=ok when translating, restoring 0.4-era behaviour for legacy calls that find zero files.

Other check / module fixes

CheckDisk resilience — an error on a single unavailable volume no longer aborts the entire check_drivesize run.
#581 — CheckLogFile honours the line-split argument (previously hard-coded to \n); multi-character delimiters such as \r\n are handled correctly. Real-time seek behaviour fixed; CRLF handling harmonised.
#589 — Time/duration arguments such as time=3000foobar or time=3000mfoobar are no longer silently accepted; malformed inputs are rejected with a clear error.
#669 — The literal U (Nagios "undefined") in performance data is preserved end-to-end instead of being coerced to 0. Only an exact U, u, U% or u% token matches.
NSCA wire timestamps are now correctly built in UTC. Both server (IV packet) and client (data packet) used to derive seconds-since-epoch from second_clock::local_time(), which drifted by the host's TZ offset. A timezone setting on both ends allows legacy interop with agents that emit local-clock-as-Unix-time stamps.
Metrics collection regression fixed (some metrics were silently dropped).
Op5Client / ElasticClient unified on the new HTTP client; 401 path fixed; reponse → response typos corrected.
Gracefully handle non-numeric NSClient command codes.
TLS support fixes; better randomness for encryption; race condition fixes; boundary checks for various network payloads and reading certificates.
NRDP integration tests added; new nrdp client alias.

HTTP refactor

HTTP request and response are now distinct types instead of one shared bag.
Chunked transfer-encoding is decoded properly. check_http against servers using Transfer-Encoding: chunked ( most modern reverse proxies, Icinga 2, Kubernetes ingress, ...) now returns the full body instead of a truncated/garbled one. The IcingaClient module relies on this.
Header storage is normalised — case-insensitive lookup, no more duplicate-header surprises.

Security hardening

The 0.12.2 release is a security-focused pass. These do not change documented behaviour for well-formed traffic but close down attacker-controlled edge cases.

DoS / resource-exhaustion limits

Authorization header capped at 8 KiB to mitigate amplification.
Per-connection parser buffer cap to prevent memory pinning from oversized or never-completed requests.
Session token cap with eviction to prevent unbounded memory growth.
Payload lengths below the protocol minimum are rejected before allocation.
Path expansion now detects cycles and refuses to recurse, preventing stack overflow on pathological configurations.

NSCA hardening

Packet version is checked.
Timestamp validation tightened to mitigate replay attacks.

Log/output injection prevention

Control characters are stripped from values before they are written to external sinks, removing log/protocol-injection vectors:

Log file entries (file names and messages)
syslog messages (CR/LF/NUL stripped)
Graphite metric paths and values
HTTP response headers (header keys and values)
log_status is now JSON-serialised so attacker-controlled fields cannot inject extra structured fields.

Filesystem / process safety

PID file creation hardened against symlink attacks; exclusive access enforced.
Archive extraction has a zip-slip guard that validates entry paths and refuses traversal sequences.
Module and script names are validated to prevent path traversal at load time.
Argument substitution in external scripts is isolated to prevent command injection through user-controlled tokens.

Cryptography / TLS

HTTPS now logs explicitly when no certificate is present and warns on HTTP fallback in production.
SSL connections enable hostname verification by default.
Auto-generated passwords use OpenSSL RAND_bytes (cryptographically secure) instead of the previous predictable generator.
Sensitive values are no longer logged at debug level.
check_nt password compare is constant-time.

Breaking changes

Read this section carefully. Some changes are listener defaults that are now fail-closed; some are corrections to long-standing buggy behaviour; some are internal API changes for out-of-tree modules.

Listeners default to safer behaviour

Empty allowed hosts now rejects all connections. Previously treated as "allow any source". To genuinely expose the agent to any source, set it explicitly:
```
allowed hosts = 0.0.0.0/0,::/0
```
check_nt (NSClientServer) defaults to ssl = true. The legacy check_nt protocol carries the password in every request. The listener will not refuse to start if TLS is off, but it will log a warning. To keep the old plaintext behaviour for legacy clients, set ssl = false explicitly in [/settings/NSClient/server].
check_nt: the literal password None no longer authenticates. Empty server passwords now reject all requests. Errors are also genericised (ERROR: Bad request.) to remove the online password-guessing oracle.
WEBServer: /auth/token and /auth/logout are removed (HTTP 410). They accepted the password and session token as URL query parameters, leaking credentials into browser history and proxy logs. Migrate to:
- POST /api/v2/login with Authorization: Basic to obtain a token
- DELETE /api/v2/login with Authorization: Bearer to log out
WEBServer: ?TOKEN= / ?__TOKEN= query-string token auth removed. Send the token in a header instead: Authorization: Bearer <token>, TOKEN: <token>, or X-Auth-Token: <token>.
WEBServer: anonymous access is now opt-in. A role named anonymous registered in settings is silently ignored unless the new allow_anonymous flag is enabled.
WEBServer: existing admin user is no longer overwritten on restart. Deployments that relied on the password being reset to the default at boot must adapt.

Scheduler — cron expressions evaluate in local time by default (#570)

The Scheduler module previously used UTC, so 40 15 * * * fired at 15:40 UTC regardless of host TZ. The default has changed to local time, matching standard cron semantics. Hour and minute fields will shift accordingly on non-UTC hosts.

A new timezone setting under [/settings/scheduler] controls the reference clock:

[/settings/scheduler]
timezone = local                          ; default — standard cron semantics
; timezone = utc                          ; restore the pre-0.12 behaviour
; timezone = EST-05EDT,M3.2.0,M11.1.0     ; any POSIX TZ string is honoured

IANA names such as Europe/Stockholm are not supported — use the POSIX form. Unparseable values fall back to UTC and surface as UTC? in any timezone label.

Filter / threshold engine

warn= / crit= no longer fire mid-iteration on running counts. Configurations "tuned" against the buggy early-fire will produce different results.

crit = state = 'hung' OR count < 5
# Old: CRITICAL on the very first row (count == 1).
# New: CRITICAL only if any row is 'hung' OR final count < 5.

Mixed warn= / crit= now evaluate when no rows match.
```
crit = state = 'stopped' OR count = 0
# Old: OK when nothing matched (count = 0).
# New: CRITICAL when nothing matched (count = 0).
```
If your old config implicitly treated "empty" as OK, add a count > 0 AND ... guard or move the empty-case logic into a dedicated check.

Check-specific corrections

check_service: delayed is no longer reported for non-auto services. Filters that matched start_type = 'delayed' on Manual / Boot / System / Disabled services will stop matching. To alert on "any non-running service that isn't disabled":
```
filter = start_type IN ('auto','delayed','boot','system') AND state != 'running'
```
Realtime check_process is now case-insensitive. A rule that intentionally matched only an exact casing will now match all variants (almost certainly the desired behaviour).
check_service: ${desc} no longer returns the literal TODO. Use the real display name.
check_service: perf-syntax=none actually suppresses perfdata. Backends that consumed the empty-aliased entries (highly unlikely) will see them disappear.

`check_files` — corner cases changed

max-depth=0 now scans the top directory instead of returning empty (#730).
Missing paths now return UNKNOWN instead of OK / empty (#613).
NTFS junction loops are no longer double-counted (#605).
Legacy CheckFiles calls that previously returned UNKNOWN on empty results will now return OK (#717).

Configuration / startup

CheckExternalScripts: malformed alias commands are refused at startup. The fallback "split-on-space" parser has been removed. Aliases whose command line does not parse cleanly are refused with an error in the log instead of being silently registered with surprising tokenisation. Review your logs after upgrading.

Internal API (out-of-tree module authors)

HTTP request/response API changed. Internal C++ types http::request / http::response are now distinct, headers are case-insensitive, and chunked decoding happens transparently. Out-of-tree modules linked against the old shared bag type need a small adjustment:
```
// before
http::packet pkt = client.send(...);
auto body = pkt.body;

// after
http::response resp = client.send(http::request{...});
auto body = resp.body();   // chunked decoding already applied
```

Documentation reorganisation

The documentation tree was restructured (concepts/, checks-in-depth/, scenarios/, tutorial/, reference/ are now clearly separated). Bookmarks and external links may need updating.

Upgrade checklist

Audit allowed hosts on every node — empty values now reject everything.
check_nt (NSClientServer) now defaults to ssl = true. If your clients don't speak TLS, set ssl = false explicitly. Either way the listener will log a warning at startup if TLS is off or a password is configured, recommending a switch to REST or NRPE.
Replace any client that calls /auth/token or /auth/logout with the /api/v2/login flow.
Replace any client that passes ?TOKEN= / ?__TOKEN= in the query string with a header-based token.
Scheduler cron expressions on non-UTC hosts will shift to local time. Either update them or set [/settings/scheduler] timezone = utc to restore the previous behaviour.
Review check_service / check_process / check_files filters that may have relied on the corrected behaviours listed above.
Restart the service and review the log for new "refused alias" or "rejected connection" warnings — these flag configurations that were previously silently accepted.

No configuration migration is required for the new HTTP proxy keys, the Checkmk server, the Icinga client, the NSCA-ng client, or the new checks — they are all opt-in.

Download

You can download the new version from GitHub

// Michael Medin

April 7, 2026
5 min read

0.11.29 New checks and web ui enhancements

check_battery

Monitor battery status on Windows laptops and mobile devices. This command provides comprehensive battery health and status information using both the Windows Power API and WMI.

Charge Level Monitoring: Track battery charge percentage with warning/critical thresholds
Power Source Detection: Determine if system is running on AC or battery power
Battery Health: Calculate battery health as a percentage of design capacity
Status Tracking: Monitor charging, discharging, critical, low, and high states
Time Remaining: Estimate remaining battery life when on battery power
Detailed Metrics: Access charge/discharge rates and capacity information via WMI

Basic battery check with default thresholds (warn < 20%, crit < 10%):

check_battery
OK: system: 85% (ac, charging)

Check if battery charge is above 50%:

check_battery "warn=charge < 50" "crit=charge < 25"
OK: system: 85% (ac, charging)

Alert if running on battery power:

check_battery "warn=power_source = 'battery'"
WARNING: system: 72% (battery, discharging)

Show detailed battery information:

check_battery "detail-syntax=${name}: ${charge}% (${power_source}, ${status}, health: ${health}%, time: ${time_remaining}s)"
OK: system: 85% (ac, charging, health: 95%, time: -1s)

check_process_history

Track all processes that have been seen running since NSClient++ started. This command maintains a history of process executions, allowing you to verify that certain processes have (or haven't) run.

Process Tracking: Records every unique process seen since service start
Execution Counting: Tracks how many times each process has started
Timestamp Recording: Records first and last seen timestamps
Current State: Shows whether each process is currently running
Selective Filtering: Check specific processes by name

Use Cases - Compliance Monitoring: Verify that backup software, antivirus scanners, or other required applications have run - Security Auditing: Detect if unauthorized applications have been executed - SLA Verification: Confirm that scheduled maintenance tasks have executed

As checking processes is expensive it is disabled by default. You need to enable it by setting:
[/settings/system/windows] 
process history=true

List all processes in history: Check if a specific backup application has run:

check_process_history --process backup.exe "warn=times_seen = 0" "crit=times_seen = 0"
CRITICAL: backup.exe (false) - never seen running

Check if a process is currently running:

check_process_history --process important-service.exe "crit=running = 'false'"
CRITICAL: important-service.exe (false) - not currently running

Alert if a forbidden application has ever run:

check_process_history --process forbidden-game.exe "warn=times_seen > 0"
WARNING: forbidden-game.exe (seen 3 times, not running)

Show detailed history for a process:

check_process_history --process notepad.exe "detail-syntax=${exe}: first=${first_seen}, last=${last_seen}, count=${times_seen}, running=${running}"
OK: notepad.exe: first=2026-04-06 08:15:32, last=2026-04-06 14:22:45, count=5, running=false

check_process_history_new

Detect processes that have been started recently within a configurable time window. This is useful for security monitoring to detect unexpected process launches.

Time-Based Detection: Find processes first seen within a configurable window
Flexible Time Windows: Support for seconds (s), minutes (m), hours (h)
Security Focused: Ideal for detecting new/unexpected process launches

Use Cases - Security Monitoring: Detect newly launched processes that might indicate compromise - Change Detection: Monitor for new software installations or unauthorized programs - Incident Response: Identify what processes started around the time of an incident

As checking processes is expensive it is disabled by default. You need to enable it by setting:
[/settings/system/windows] 
process history=true

Check for any new processes in the last 5 minutes (default):

check_process_history_new
OK: No new processes found.

Check for new processes in the last hour:

check_process_history_new --time 1h
WARNING: suspicious.exe (first seen: 2026-04-06 14:15:32)

Check for new processes with detailed output:

check_process_history_new --time 30m "detail-syntax=${exe} started at ${first_seen} (running: ${running})"
OK: updater.exe started at 2026-04-06 14:10:00 (running: false)

Beware that depending on if you are looking for wanted or unwanted processes you likely want to change empty-state to ok, or critical.

`check_service` overhaul

Fixed a reported bug as well as overhauled the check with some new features and modernized the checks.

This is technically a breaking change, in that it will classify some services as "ok" which was not before. But I doubt that anyone relied on the default checking of all services

state_is_perfect() now treats auto-start services with triggers as OK when stopped (trigger-start services legitimately remain stopped until their trigger fires)
state_is_ok() now treats auto-start services with triggers as OK when stopped (same as delayed services were already treated)
state_is_ok() now treats auto-start services that stopped with exit code 0 as OK (services like WslInstaller that start, complete their task, and stop cleanly no longer trigger CRITICAL)
Added new filter keyword 'exit_code' exposing the Win32 exit code of a service. Allows users to write custom filters like 'exit_code != 0' to detect failed services
Improved error logging in trigger detection. fetch_triggers() previously swallowed all errors silently; now logs unexpected failures
check_service: Updated service classification list for Windows 11 24H2 / Server 2025
Added modern services: WslInstaller, WaaSMedicSvc, UsoSvc, DoSvc, CoreMessagingRegistrar, SecurityHealthService, SystemEventsBroker, vmcompute, HNS, sshd, LxssManager, and others
Removed obsolete services no longer present in modern Windows: Browser, NtFrs, IISADMIN, TlntSvr, napagent, IEEtwCollectorService, UI0Detect, SMTPSVC, aspnet_state, and others
Reclassified: COMSysApp (essential → ignored), SystemEventsBroker (supporting → system), WerSvc/wercplsupport (role → ignored)
Fixed casing: Eventsystem → EventSystem, systemEventsBroker → SystemEventsBroker
Changed default detail-syntax to include exit_code. From ${name}=${state} (${start_type})into ${name}=${state}, exit=%(exit_code), type=%(start_type)
Removed warning messages for excluded services. If a service is excluded we will not try to enumerate it.

Improvements to web-ui

web-disk-widgets

This version adds some new dashboard widgets that showcases system statistics as well as a network graph and disk stats. I also fixes and issue relating to calculating network measurements.

test-client

It also changes the tools bar slightly to make them a bit less intense:

test-client

Other changes:

three new metrics which contains the refresh times of metrics, system metrics and network metrics so you can see this in the web UI.
Removes unnecessary scientific notations for number in the metrics api so now you will get 1 instead of 1E1. Both are valid json so this should not impact anyone as long as your not using grep or some such to parse the json.

Download

You can download the new version from GitHub

// Michael Medin

March 24, 2026
2 min read

0.11.25 New Linux support and installer fixes

This release includes significant, but experimental, Linux support. While it has always been possible to use and build NSClient on Linux we now build official packages which are ready to be installed. In addition to this there are a lot of fixes and enhancements to make running on Linux much more viable.

🐧 Experimental Linux Support

The Linux version is now complete and mirrors the Windows experience more closely than ever before.

Unified Commands: CheckSystemUnix has been renamed to CheckSystem. Linux users can now use the same configuration as Windows users.
Distribution-Specific Binaries: We now provide optimized builds for Debian, and Rocky Linux (redhat).
Scripting Parity: Full support for Python and Lua scripts is now available on Linux, including proper script-folder routing.
Permission Improvements: Default logging on Linux is now directed to the console, allowing the agent to run without sudo when testing. Also now certificates are generated when you run nscp web install to prevent sudo requirements when running as a service.

🛠️ Installer & Core Stability

After a series of regression tests in the 0.11.x branch, the installer has been hardened.

Fixed Upgrade Logic: Resolved a critical issue where a DLL name change caused the WiX installer to fail or leave files missing during upgrades in some instances.
Configuration Protection: Added safeguards to prevent the installer from overwriting or wiping existing .ini configurations during an upgrade.
Silent Install Flags: Reintroduced and documented ALLOW_CONFIGURATION=0 for msiexec, allowing admins to deploy the MSI without touching existing config files.

🏗️ Architectural Refactoring

Modular Codebase: Significant internal refactoring of nscapi and protobuf functions to improve long-term maintainability.
Windows Core Cleanup: Reorganized Windows-specific code into a dedicated internal directory structure to separate it from cross-platform logic.
Enhanced Testing: Many unit tests as well as a new Azure-based automated integration test.

⚠️ Upgrade Note for `ALLOW_CONFIGURATION=0`

If you use ALLOW_CONFIGURATION when upgrading from an old version the configuration might be deleted. This is an issue which is in the old installer and thus not possible to fix. This has however been fixed in future upgrades.

Download

You can download the new version from GitHub

// Michael Medin

January 12, 2026
3 min read

0.11.6 New interactive client

New check_nsclient client

This new release adds a new check_nsclient client tool. This is a stand-alone application you can use to connect to and interact with NSClient. This new client can:

Run queries/checks
Change configuration
Show logs
Load/unload modules

It also have an interactive client you can use which is aimed as a replacement for "test mode".

To connect to NSClient you need to have the web server enabled and then you can login with the same username and password as you use in the web-ui:

$ check_nsclient nsclient auth login --password PASSWORD --ca %LOCALAPPDATA%\mkcert\rootCA.pem
Successfully logged in

Credentials are securely stored in store in credential manager.

The reason there is a nsclient command line option is that soon this will also support NRPE and other protocols as well becoming a universal monitoring tool.

After this you can show logs:

$ check_nsclient nsclient logs list
╭────────┬───────────────────────┬──────────────────────────────────────────────────────────────────╮
│ level │ date                 │ message                                                         │
├────────┼───────────────────────┼──────────────────────────────────────────────────────────────────┤
│ debug │ 2026-Jan-11 12:36:26 │ NSClient++ 0.4.0 2026-01-11 x64 booting...                      │
│ debug │ 2026-Jan-11 12:36:26 │ Booted settings subsystem...                                    │
│ debug │ 2026-Jan-11 12:36:26 │ Archiving crash dumps in: C:\src\build\nscp/crash-dumps         │
│ debug │ 2026-Jan-11 12:36:26 │ Found: CheckExternalScripts                                     │
│ debug │ 2026-Jan-11 12:36:26 │ Found: CheckSystem                                              │
│ debug │ 2026-Jan-11 12:36:26 │ Found: Checkhelpers                                             │
│ debug │ 2026-Jan-11 12:36:26 │ Found: LuaScript                                                │
│ debug │ 2026-Jan-11 12:36:26 │ Found: NRPEServer                                               │
│ debug │ 2026-Jan-11 12:36:26 │ Found: WEBServer                                                │
╰────────┴───────────────────────┴──────────────────────────────────────────────────────────────────╯

Or to load and enable a module you can:

$ check_nsclient nsclient modules use CheckHelpers
Successfully loaded and enable module CheckHelpers

Or you can execute queries:

$ check_nsclient nsclient queries execute-nagios check_cpu
OK: CPU load is ok.|'total 5m'=10%;80;90 'total 1m'=10%;80;90 'total 5s'=7%;80;90

As well as launch the new interactive client:

check_nsclient nsclient client

The client is included in the installer or it can be downloaded separately below as check_nsclient

One benefit of this client is that it can output everything as text, json, yaml or csv making it easy too integrate in any system:

$ check_nsclient --output json nsclient queries execute check_cpu
{
  "command": "check_cpu",
  "lines": [
    {
      "message": "OK: CPU load is ok.",
      "perf": {
        "total 1m": {
          "value": 12.0,
          "unit": "%",
          "warning": 80.0,
          "critical": 90.0,
        },
        "total 5s": {
          "value": 21.0,
          "unit": "%",
          "warning": 80.0,
          "critical": 90.0,
        },
        "total 5m": {
          "value": 11.0,
          "unit": "%",
          "warning": 80.0,
          "critical": 90.0,
        }
      }
    }
  ],
  "result": 0
}

You cal also have multiple profiles (foo) and connect to remote systems (--url):

check_nsclient nsclient auth login foo --url https://127.0.0.1:8443 --password PASSWORD --insecure
# ...
check_nsclient --output json nsclient --profile foo queries execute check_cpu

Once your are done you can log out (and remove credentials from credential store);

check_nsclient nsclient auth logout

Download

You can download the new version from GitHub

// Michael Medin

August 13, 2025
2 min read

0.9.14 New release

REST API updates

Removed some old (deprecated) rest API endpoints so hence forth use the versioned apis under /api. The main goal here was to remove the outdated json library and the protobuf to json conversion.

The old check endpoints have NOT been removed to retain compatibility with Icinga and similar tools.

In addition to this I have also added numerous integration test to help to keep the APIs stable.

Installer improvments

The installer has been updated a lot to behave more predictably and in general work better. I have also added numerous tests to the installer to ensure less accidental breaking changes in the future.

Should not impact anything but instead of a dedicated Json library we now use boost to reduce number of dependencies. Removed sample config from installer (as you can easily generate the config i removed it from the installer).

Web UI improvements

The web interface has gotten a medium overhaul improving settings and queries.

You can now change setting under modules.
Settings now have widgets for boolean settings
Settings view now show all settings not just changed ones.
You can now use " in queries when executing from the Web UI so "filter=1 > 2" is now possible,

Modern TLS Support for remote settings

Remote settings via https (TLS) has been improved to now support TLS 1.3 as well as certificate validation. This is configure in boot.ini (NOT nsclient.ini as that's the file loaded remotely).

Sensitive keys

Added the ability to mark keys as sensitive which can then be configured to be stored in Windows credential manager. Meaning you now have a way to keep secrets and passwords out of the config file.

Restored Linux builds

While Linux support is a work in progress it is now possible to build on windows and piplines for building on windows. "Soon(TM)" I will add some packages and config files and such to make it more usable.

Bug-fixes

Numerous bug fixes and minor enhancments.

Download

You can download the new version from GitHub

// Michael Medin

April 1, 2025
5 min read

0.7.0 Improved support for modern Windows

Changes since 0.6.9 (last official release).

Modern Windows detection for `check_os_version`

We now use the build number to detect OS versions above Windows 10. This means if you want to actually check that a version is above Windows 10 you need to include build number in your check.

check_os_version warn="version lt 10 or build lt 26100"
L        cli OK: OK: Windows 11 24H2 (10.0.26100)

Enhancements and experimental support for Pdh based `check_cpu`.

This version has some PDH (Performance data Helpers) fixes and improved error handling and introduces an experimental new option to switch check_cpu to use PDH instead of APIs. This is experimental and intended to solve the issue with incorrect, negative or zero values on some machines with more than 12 cores. The main issue is that PDH is messy. It is localized and has historically been prone to strange issues and errors such as counter index getting corrupted and similar issues so lets ee how this works before making it the default.

To switch change the following configuration:

[/settings/system/windows]
use pdh for cpu=true

Check CPU load values now uses more standard keywords: * idle * user * system

Old keywords are still retained for compatibility, so this is a non-breaking change.

We also added a short-hand option cores for expanding all cores:

check_cpu cores
L        cli OK: OK: CPU load is ok.
L        cli  Performance data: '0 5m'=58%;80;90 '1 5m'=47%;80;90 '10 5m'=56%;80;90 '11 5m'=42%;80;90 '2 5m'=59%;80;90 '3 5m'=49%;80;90 '4 5m'=56%;80;90 '5 5m'=45%;80;90 '6 5m'=57%;80;90 '7 5m'=43%;80;90 '8 5m'=57%;80;90 '9 5m'=39%;80;90 'total 5m'=51%;80;90 '0 1m'=65%;80;90 '1 1m'=52%;80;90 '10 1m'=65%;80;90 '11 1m'=48%;80;90 '2 1m'=64%;80;90 '3 1m'=52%;80;90 '4 1m'=62%;80;90 '5 1m'=65%;80;90 '6 1m'=70%;80;90 '7 1m'=51%;80;90 '8 1m'=61%;80;90 '9 1m'=46%;80;90 'total 1m'=58%;80;90 '0 5s'=65%;80;90 '1 5s'=46%;80;90 '10 5s'=56%;80;90 '11 5s'=42%;80;90 '2 5s'=70%;80;90 '3 5s'=57%;80;90 '4 5s'=52%;80;90 '5 5s'=45%;80;90 '6 5s'=70%;80;90 '7 5s'=40%;80;90 '8 5s'=48%;80;90 '9 5s'=41%;80;90 'total 5s'=53%;80;90

Lua

The biggest new change here is the re-added Lua support. The Lua support has been changed a bit so it might not be 100% compatible with old scripts. As there is not much documentation for Lua scripting, I plan to add that soon. And doing that I will highlight the main differences.

One thing still missing in Lua is protocol buffer support This means you can only create "simple function" is returning code, string and performance data. But given the nature of Lua I think this is acceptable for the time being.

But in general "optional parameters" to functions are no longer optional. So for instance:

local reg = Registry()
reg:simple_function('lua_test', test_func_query)

local settings = Settings()
str = settings:get_string('/settings/lua/scripts', 'testar')

local core = Core()
code, msg, perf = core:simple_query('lua_test')

Will now require to be written as:

local reg = Registry()
reg:simple_function('lua_test', test_func_query, '')

local settings = Settings()
str = settings:get_string('/settings/lua/scripts', 'testar', '')

local core = Core()
code, msg, perf = core:simple_query('lua_test', {})

The other change is that construction object is now generally done with new where before it was done with various functions like Core() here however I have retained backwards compatibility so both should be possible.

But in general the quality of error handling and such is much better and I will as I said expand the documentation and add some more examples and such.

`check_mk`

As a side note experimental check_mk support was also added back. This is experimental in so far as I have only verified it with NSClient++ not actual check_mk so will need to look into that next. Also note that check_mk is experimental currently it only provides the version and agent name. If there is genuin interest, this could easily be extended so please do let me know...

The way check_mk works is that the module only provides the communication layer and the data provided is provided by a Lua script (hence requiring Lua support). So the current script looks like so:

function server_process(packet)
    s = section.new()
    s:set_title("check_mk")
    s:add_line("Version: 0.0.1")
    s:add_line("Agent: nsclient++")
    s:add_line("AgentOS: Windows")
    packet:add_section(s)
end

reg = mk.new()
reg:server_callback(server_process)

So here we need to extend the packet to include more data and other sections for proper check_mk support.

Installer:

Removed padded version numbers from installer (this caused issues with upgrade)
Installer is now built with openssl presumably fixing remote config via https (have not verified this yet)
Enabled WebUI by default in installer (open can still be used to disable)
Added option to disable installing the service in installer

Security:

Added option to configure ciphers in the web server (default is TLS 1.2 but now you can set 1.3 if you prefer)
Default TLS (NRPE et al.) is now 1.2+ instead of only 1.2
Improved some options and added docs for using NRPE with certificates and Nagios…
Installer now installs the NRPE 2048 bit DH key

Other changes

Fixed check_nscp_verison parsing new semantic version
Added error messages for login failure via web browser
Updated build instructions
Fixed integer overflow in check_files.vbs script
Fixed status in summary text not matching actual summary when no results were found in filters (see UNKNOWN: OK in this example)
```
check_drivesize "filter=drive='foobar'"
L        cli UNKNOWN: OK: No drives found
L        cli  Performance data:
```
Fixed numerous spelling and grammar issue in the documentation.
Removed breakpad (replaced by restart watchdog and log files, but wont create and submit crash dumps (instead windows creates dumps which can be used))
Bumped dependencies

Dependencies

Library	Version
Boost	1.82.0
Cryptopp	8.9.0
Lua	5.4.7
OpenSSL	1.1.1w
Protobuf	21.12
TinyXml2	10.1.0

Download

You can download the new version from GitHub

// Michael Medin

February 9, 2025
2 min read

0.6.9 Fix installer bug

New versions out

As you probably notice, I do not always update the news section when new versions are released. If you want to know about new versions, you can always check the GitHub releases page Instead here I post when there are new and important updates.

And the latest release fixes an important installer issue where upgrading from 0.4.x or 0.5.x would wipe the existing configuration. So be sure you do not upgrade to any of the older versions unless you want to reconfigure. Other changes include some more installer issues and WEB server issues as well as new signature for the MSI files.

Changes

Fixes config is overwritten by installer when upgrading from 0.4.x or 0.5.x
Makes TLS default for web server (so enabled web server will now be exposed on https://localhost:8443)
Fixed broken TLS support in the WEBServer
Added signatures to MSI (currently using a "personal signature" as I haven't managed to get Microsoft to cooperate)
Metrics added to the WebUI and new welcome screen

Dependency	Version	Date
Boost	1.82.0	2023-04-15
OpenSSL	1.1.1w	2023-09-11
Python	3.11.0	2022-10-24
Crypto++	8.8.0	2023-05-25
Protocol Buffers	21.12	2022-12-22

There are some other dependencies as well that will be isolated and versioned soon.

There is a forum thread for this release here

Download

You can download the new version from GitHub

Next version

There is also a pre-release of the next version available on the GitHub releases page. This includes: * Some security improvements * Some installer improvements * documentation about using certificate-based authentication with NRPE and Nagios * Along with the usual minor bug fixes and improvements.

// Michael Medin

January 12, 2025
3 min read

0.6.4 First release of 2025

New versions out

For the early adopters there are not a lot of changes in this version (from version 0.6.3). As this is the first official release in a very long time, this post is focused on more changes since earlier version 0.4.x and 0.5.x.

Breaking changes

Versioning is now semantic this means 3 digits (0.6.4) instead of 4 (0.4.3.2).
dot-net support removed.
lua support removed (I am not sure if anyone used it, so let me know if so and I can probably add it back).
CheckPowerShell is removed (You can still use powershell scripts with the external scripts module).
The Web UI is a bit more limited than it was before, but all basic functionality like updating config and checking status is still there. This is something that will be restored soon.
Secondary installer has been removed (as we now have GitHub build pipelines you can easily build your own installer if you need it).
Automatic crash reporting has been removed, instead we build and publish symbols to GitHub so you can debug crashes yourself or send me the crash dump files.

Dependency updates

All dependencies have been updated to recent versions, I say recent here as this is a project that has been ongoing for over a year, so some dependencies are not the latest versions. This has been very time consuming, and I think the versions we have now are recent enough to be useful for most people. There are still some dependencies where we have not updated to the latest version, but I think we are in a good place now. And the focus will be on making some architectural changes to allow removing some dependencies, and then in a little months time we will update the dependencies again.

Going forward here, we need to be realistic. NSClient++ works on All versions of Windows since Windows XP, and not many dependencies support such as an old version of Windows. So likely at some, we will have to create two versions; 1. one with limited support for old Windows and more modern dependencies. 2. one with limited feature support b ut support for old Windows.

Likely this will be done with specific module early on and then later on we will have two separate versions.

Dependency	Version	Date
Boost	1.82.0	2023-04-15
OpenSSL	1.1.1q	2022-09-15
Python	3.11.0	2022-10-24
Crypto++	8.8.0	2023-05-25
Protocol Buffers	21.6	2022-09-14

There are some other dependencies as well, but most of them are "copied" and as such hard to version... This will also be resolved going forward.

New features

NRPE 3 and 4 is now supported
TLS 1.3 is now supported

Future plans

(This list is not ordered)

Improve the new Web UI (add wizards to simplify configuration).
Upgrade checks to for modern Windows.
Code cleanups and modernizations.
Automatic updates (or possibly a check to check for new versions)
More Unit tests
Overhaul and deprecating/removal of outdated features
Rewrite some modules and libraries in RUST

Please do let me know any specific things you would like to see!

There is a forum thread for this release here: 0.6.4 First release of 2025

Download

You can download the new version over on GitHub: 0.6.4

// Michael Medin

January 4, 2024
2 min read

NRPE version 4 support added

Hello,

Sorry for lack of updates but as always, things took longer than expected...

New versions out

Last year I spent a lot of time updating all dependencies and created automated pipelines for building NSClient++. This is a massive benefit as it means that anyone can (more) easily build NSClient++ without a lot of effort and configuration (just clone the repo, and your done).

The culmination of this work was 0.6.0.0 that was released a few months ago over on GitHub. Which was essentially just "the same version" as before but with a lot of dependency updates.

There is still some feature missing (which is why I still say "Pre release") but as I have now added the first new feature, I thought iot was time to let more people know about these versions.

The new version 0.6.0.1 can be downloaded from GitHub

Use NRPE 3/4 to check NSClient++

So to use NRPE 3/4 (not 100% sure if anyone uses NRPE 3 as it seems like NRPE 4 is a bug fix for a protocol alignment issue) you just need to upgrade to the new version. It will automatically detect new versions of the protocol so everything should just work as before.

As we now use a modern version of openssl, it is now also possible to configure which version of TLS to support. This is a bit awkward currently as I am just using the same options as before, so you have to disable each version manually (likely I will add a tlsv1.2+ option in the future)

[/settings/NRPE/server]
ssl options=no-sslv2,no-sslv3,no-tlsv1,no-tlsv1_1

But at least it is possible to configure this.

Check remote NRPE servers with version 4

Lastly you can also check remote servers with NRPE then you have two new options:

version which can be set to either 2 or 4 to specify which NRPE version to use.
tls version which can be set to tlsv1.3, tlsv1.2, tlsv1.1, tlsv1.0 as well as tlsv1.3+, tlsv1.2+, tlsv1.1+, tlsv1.0+

Future plans

(This list is not ordered)

Reenable missing features (i.e. upgrade some more things and ensure we have pipeline builds)
Build a new Web UI (web frameworks change so much it does not make sense to try to upgrade the old).
Upgrade checks to for modern Windows.
Investigate "old Windows" support (I expect the new builds will not run on Windows XP)
More Unit tests
Overhaul and deprecating/removal of outdated features
Code cleanups
Rewrite some modules and libraries in RUST

Please do let me know any specific things you would like to see!

// Michael Medin