Nagios Checks for Exchange Server 200x
From Nagios Wiki
Purpose
This tutorial shows how to check Microsoft Exchange 200x services using two freely available F/OSS (free and open source) tools:
- Nagios (an open source host, service and network monitoring program), and
- one of the following server agents to listen and respond to Nagios' check_nt commands
- NSClient++, or
- NC_net (note: do NOT use this version of NC_net, it is old and very unstable)
NSClient++ or NC_net is installed on the Exchange server that will be monitored, and Nagios needs to be installed on a separate, dedicated Linux, BSD, or UNIX platform. Once installed, NSClient++/NC_net listens on port 1248 or 12489 (by default) for check_nt instructions sent from the Nagios server. (NSClient++ and NC_net are only two of several Win32 clients out there; a matrix of the features of some of the other NT clients can be found here.) Op5 and Groundwork also provide similar monitoring for Exchange services, but some users may want to use the two aforementioned tools (Nagios + NSClient++/NC_net) because of their simplicity and ease of use.
A working understanding of Nagios and Nagios' check_nt commands is required.
Security Considerations Before Installing
Due to the fundamental risk of buffer overflow attacks on the Exchange server, NRPE (and thus NSClient++ and NC_net) requires that parameter settings be made client side via configuration files (e.g. NSC.ini on NSClient++ or startup.cfg on NC_net).
Leaving settings "too open" (e.g. setting things like "allowed_hosts=") is HIGHLY DISCOURAGED, particularly with Microsoft products such as Exchange Server, which are likely to be targeted for all sorts of nasty attacks. In addition to tightening up security in these config files, you might also consider locking down ports 5667 (NSCA), 1248 (default NSClient & NC_net), and 12489 (NSClient++) so that only your Nagios server can reach them.
If your check is going across untrusted areas (via NSCA), you might even consider encrypting your Nagios traffic.
NSClient++
From the NSClient++ webpage:
NSClient++ aims to be a simple yet powerful and secure monitoring daemon for Windows operating systems. It is built for Nagios, but nothing in the daemon is actually Nagios specific and could probably, with little or no change, be integrated into any monitoring software that supports running user tools for polling.
The structure of the daemon is a simple NT service that loads plug-ins to an internal stack. The plug-ins can then request data (poll performance data) from the other plug-ins through the internal stack. As of now there are a few plug-ins for basic performance data collection. For details of supplied modules, see CheckCommands.
NSClient++ can be extended in two ways: you can either write your own plug-in or you can execute an external script (as of now batch/exe/*). Writing your own plug-in is, of course, the most powerful way but requires knowledge of C++ or other languages which can produce DLLs and interface with regular C programs (generally, every other language available, but there are some simple API helpers for C/C++ as well as descriptions).
As for checking with NSClient++, I would recommend NRPE as it is a lot more flexible than check_nt. But NSClient has full support for check_nt, and if there is an interest, I could probably add support for check_nt from nc_net.
based on NSClient
Download and Install
Download the latest version (e.g. NSClient++-Win32-20070925-0646.zip).
Unzip to the "c:\program files\nsclient++" folder on the Exchange server you would like to monitor.
Open up the NSC.ini with Notepad (or equivalent, many prefer Notepad++ instead).
NSC.ini example
The following is a modified NSC.ini file that should allow Nagios to make the majority of its service checks with the check_nt plugin.
[modules]
;# NSCLIENT++ MODULES
;# A list with DLLs to load at startup.
; You will need to enable some of these for NSClient++ to work.
; ! ! ! ! ! ! ! ! ! ! ! ! ! ! ! ! ! ! ! ! ! ! ! ! ! ! ! ! ! ! ! ! !
; * *
; * N O T I C E ! ! ! - Y O U H A V E T O E D I T T H I S *
; * *
; ! ! ! ! ! ! ! ! ! ! ! ! ! ! ! ! ! ! ! ! ! ! ! ! ! ! ! ! ! ! ! ! !
FileLogger.dll
CheckSystem.dll
CheckDisk.dll
NSClientListener.dll
NRPEListener.dll
SysTray.dll
CheckEventLog.dll
CheckHelpers.dll
;
; CheckWMI IS AN EXTREMELY EARLY IDEA SO DON'T USE IT IN PRODUCTION ENVIRONMENTS!
;CheckWMI.dll
;
; RemoteConfiguration IS AN EXTREMELY EARLY IDEA SO DON'T USE IT IN PRODUCTION ENVIRONMENTS!
;RemoteConfiguration.dll
[Settings]
;# OBFUSCATED PASSWORD
; This is the same as the password option but here you can store the password in an obfuscated manner.
; *NOTICE* obfuscation is *NOT* the same as encryption, someone with access to this file can still figure out the
; password. It's just a bit harder to do it at first glance.
;obfuscated_password=Jw0KAUUdXlAAUwASDAAB
;
;# PASSWORD
; This is the password (-s) that is required to access NSClient remotely. If you leave this blank everyone will be able to access the daemon remotely.
;password=secret-password
password=password
;
;# ALLOWED HOST ADDRESSES
; This is a comma-delimited list of IP addresses of hosts that are allowed to talk to all the daemons.
; If you leave this blank anyone can access the daemon remotely (NSClient still requires a valid password).
; The syntax is host or ip/mask so 192.168.0.0/24 will allow anyone on that subnet access
;allowed_hosts=127.0.0.1/32
;Simply leaving this setting as "allowed_hosts=" allows traffic from any host,
;leaving your Exchange Server vulnerable to a possible buffer overflow attack.
;Enter the private subnet of your LAN here, using CIDR notation
allowed_hosts=192.168.1.0/24
;
;# USE THIS FILE
; Use the INI file as opposed to the registry if this is 0 and the use_reg in the registry is set to 1
; the registry will be used instead.
use_file=1
[log]
;# LOG DEBUG
; Set to 1 if you want debug message printed in the log file (debug messages are always printed to stdout when run with -test)
debug=1
;
;# LOG FILE
; The file to print log statements to
;file=NSC.log
file=NSC.log
;
;# LOG DATE MASK
; The format for the date/time part of the log entry written to file.
;date_mask=%Y-%m-%d %H:%M:%S
date_mask=%Y-%m-%d %H:%M:%S
[NSClient]
;# ALLOWED HOST ADDRESSES
; This is a comma-delimited list of IP addresses of hosts that are allowed to talk to the NSClient daemon.
; If you leave this blank the global version will be used instead.
;allowed_hosts=
;
;# NSCLIENT PORT NUMBER
; This is the port the NSClientListener.dll will listen to.
;port=12489
port=12489
;
;# BIND TO ADDRESS
; Allows you to bind the server to a specific local address. This has to be a dotted IP address, not a hostname.
; Leaving this blank will bind to all available IP addresses.
;bind_to_address=
[Check System]
;# CPU BUFFER SIZE
; Can be anything ranging from 1s (for 1 second) to 10w for 10 weeks. Notice that a larger buffer will waste memory
; so don't use a larger buffer than you need (i.e. the longest check you do +1).
;CPUBufferSize=1h
;
;# CHECK RESOLUTION
; The resolution to check values (currently only CPU).
; The value is entered in tenths of a second and the default is 10 (which means once every second)
;CheckResolution=10
[NRPE]
;# NRPE PORT NUMBER
; This is the port the NRPEListener.dll will listen to.
port=5666
;
;# COMMAND TIMEOUT
; This specifies the maximum number of seconds that the NRPE daemon will allow plug-ins to finish executing before killing them off.
command_timeout=60
;
;# COMMAND ARGUMENT PROCESSING
; This option determines whether or not the NRPE daemon will allow clients to specify arguments to commands that are executed.
allow_arguments=0
;
;# COMMAND ALLOW NASTY META CHARS
; This option determines whether or not the NRPE daemon will allow clients to specify nasty (as in |`&><'"\[]{}) characters in arguments.
allow_nasty_meta_chars=0
;
;# USE SSL SOCKET
; This option controls if SSL should be used on the socket.
;use_ssl=1
;
;# BIND TO ADDRESS
; Allows you to bind the server to a specific local address. This has to be a dotted IP address, not a hostname.
; Leaving this blank will bind to all available IP addresses.
; bind_to_address=
;
;# ALLOWED HOST ADDRESSES
; This is a comma-delimited list of IP addresses of hosts that are allowed to talk to the NRPE daemon.
; If you leave this blank the global version will be used instead.
;allowed_hosts=
;
;# SCRIPT DIRECTORY
; All files in this directory will become check commands.
; *WARNING* This is undoubtedly dangerous so use with care!
;script_dir=scripts\
[NRPE Handlers]
;# COMMAND DEFINITIONS
;# Command definitions that this daemon will run.
;# Can be either NRPE syntax:
;command[check_users]=/usr/local/nagios/libexec/check_users -w 5 -c 10
;# Or simplified syntax:
;test=c:\test.bat foo $ARG1$ bar
;check_disk1=/usr/local/nagios/libexec/check_disk -w 5 -c 10
;# Or even loopback (inject) syntax (to run internal commands)
;# This is a way to run "NSClient" commands and other internal module commands such as check eventlog etc.
;check_cpu=inject checkCPU warn=80 crit=90 5 10 15
;check_eventlog=inject CheckEventLog Application warn.require.eventType=error warn.require.eventType=warning critical.require.eventType=error critical.exclude.eventType=info truncate=1024 descriptions
;check_disk_c=inject CheckFileSize ShowAll MaxWarn=1024M MaxCrit=4096M File:WIN=c:\ATI\*.*
;# But be careful:
; dont_check=inject dont_check This will "loop forever" so be careful with the inject command...
;# Check some escapings...
; check_escape=inject CheckFileSize ShowAll MaxWarn=1024M MaxCrit=4096M "File: foo \" WIN=c:\\WINDOWS\\*.*"
;# Some real world samples
;nrpe_cpu=inject checkCPU warn=80 crit=90 5 10 15
;nrpe_ok=scripts\ok.bat
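The settings warned about under Security Considerations can be checked mechanically before the service is started. The following Python sketch is an added example, not part of the original wiki page or of NSClient++; the finding codes and the abridged PAGE_SAMPLE are constructed for illustration, and only keys that appear in the NSC.ini above are read.

```python
import configparser
import ipaddress

# Abridged copy of the NSC.ini above, used as constructed test input.
PAGE_SAMPLE = """\
[modules]
FileLogger.dll
NSClientListener.dll
NRPEListener.dll
;CheckWMI.dll
[Settings]
password=password
allowed_hosts=192.168.1.0/24
[log]
date_mask=%Y-%m-%d %H:%M:%S
[NSClient]
;allowed_hosts=
port=12489
[NRPE]
port=5666
allow_arguments=0
allow_nasty_meta_chars=0
;script_dir=scripts\\
"""

# Sample passwords that appear in the file above; neither is a real secret.
PLACEHOLDER_PASSWORDS = {"password", "secret-password"}
# Listener section -> DLL (lower-cased, as configparser stores keys) that opens its port.
LISTENERS = {"NSClient": "nsclientlistener.dll", "NRPE": "nrpelistener.dll"}


def load_ini(text):
    """Parse NSC.ini text: [modules] has bare DLL names, date_mask contains '%'."""
    cfg = configparser.ConfigParser(allow_no_value=True, interpolation=None,
                                    delimiters=("=",), strict=False)
    cfg.read_string(text)
    return cfg


def value(cfg, section, key):
    """Stripped value, or '' when the section or key is missing, blank or bare."""
    return (cfg.get(section, key, fallback="") or "").strip()


def allowed_hosts(cfg, section):
    """Listener-level allowed_hosts, falling back to the global [Settings] list."""
    raw = value(cfg, section, "allowed_hosts") or value(cfg, "Settings", "allowed_hosts")
    return [h.strip() for h in raw.split(",") if h.strip()]


def audit(text):
    """Return sorted (code, detail) findings for one NSC.ini."""
    cfg = load_ini(text)
    modules = set(cfg["modules"]) if cfg.has_section("modules") else set()
    findings = []
    for section, dll in LISTENERS.items():
        if dll not in modules:
            continue  # listener not loaded, so its port is not open
        hosts = allowed_hosts(cfg, section)
        if not hosts:
            findings.append(("OPEN_ALLOWED_HOSTS", f"[{section}] accepts any source address"))
        for host in hosts:
            try:
                net = ipaddress.ip_network(host, strict=False)
            except ValueError:
                continue  # a hostname entry names a single host
            if net.num_addresses > 1:
                findings.append(("WIDE_ALLOWED_HOSTS",
                                 f"[{section}] {host} admits {net.num_addresses} addresses"))
    if LISTENERS["NSClient"] in modules:
        password = value(cfg, "Settings", "password")
        if not password and not value(cfg, "Settings", "obfuscated_password"):
            findings.append(("NO_PASSWORD", "check_nt port answers without a password"))
        elif password.lower() in PLACEHOLDER_PASSWORDS:
            findings.append(("PLACEHOLDER_PASSWORD", "password is a sample value from the file"))
    if LISTENERS["NRPE"] in modules:
        for key, code in (("allow_arguments", "NRPE_ARGUMENTS"),
                          ("allow_nasty_meta_chars", "NRPE_META_CHARS")):
            if value(cfg, "NRPE", key) == "1":
                findings.append((code, f"[NRPE] {key}=1 lets the caller shape the command"))
        if value(cfg, "NRPE", "script_dir"):
            findings.append(("NRPE_SCRIPT_DIR", "every file in script_dir becomes a command"))
    return sorted(findings)


def codes(text):
    """Finding codes only, in sorted order."""
    return [code for code, _ in audit(text)]


if __name__ == "__main__":
    for code, detail in audit(PAGE_SAMPLE):
        print(f"{code}: {detail}")
```

Run against the file as shown above, it reports the sample password and the /24 on both listeners; narrowing allowed_hosts to the Nagios server's own address and setting a real password clears all three findings.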
Install and Start Service
Once the above ini file is to your liking, install and start the NSClient++ service.
To install:
NSClient++ /install
NSClient++ SystemTray install
NSClient++ /start
Make sure the port is listening. From the Nagios box, type in:
telnet host.domain.com 12489
NC_net
Download the latest version of NC_net from SourceForge (note: the "official" page you see from a Google search is NOT the official site anymore). From the README file:
NC_Net has been developed as a drop-in replacement for the program NS_Client. NS_Client has been developed to get performance information from Windows Servers and return them to Nagios using the Check_nt client. In addition to the standard metrics, a generic COUNTER function is provided to return the value of any counter maintained by Windows. NC_Net also provides passive checks via NSCA protocol (you do not need to install NSCA on the Windows client; this has been built into NC_Net). NC_Net also provides remote configuration and several newer checks (Event Log and WMI, enumeration of performance counters).
Install to whatever directory you want and then open up the following cfg files for editing (assuming default install):
active_ip_accept_list.nc_net
C:\program files\Montitech\NC_Net\config\active_ip_accept_list.nc_net
# list of IP addresses that active checks can come from
# to enable this list set active_ip_accept_list to true.
# loopback should always be accepted.
# if this check does not work for some reason on your system
# disable this option by setting active_ip_accept_list to false
#
# only list one IP per line
# comments begin with a #
# FQDN fully Qualified Domain Names are also accepted.
# Host names do not always work
# use "ping <Hostname>" from the command line of the host to retrieve the FQDN
127.0.0.1
#enter in the IP address of your Nagios server here
192.168.1.1
startup.cfg
C:\program files\Montitech\NC_Net\config\startup.cfg
################################################################################
## #################
## ## startup.cfg ##
## #################
## This file is loaded by NC_Net at startup.
## This file is for setting initial startup configuration of NC_Net.
## All settings in this file consist of the form:
## <parameter>[TAB]<data>
## Do NOT use \t it must be a tab between the parameter and data.
## Comments start with a # in position 0 of a line.
## To use a parameter make sure to remove the # before it.
##
## All Changeable global variables of NC_Net are accessible
## through this file.
## most of these variables can also be changed through CONFIG
## But that only affects the Running Configuration,
## Those settings are lost on reboot of NC_Net
## Active checks CONFIG will not work when lock_active_config
## is set to true.
## Passive check configuration changes will not work
## when lock_passive_config is set to true.
##
## All default settings have been commented out using # to modify an
## argument uncomment the line.
## Default configuration runs Active Checks
## To RUN Passive Checks configure them below.
##
## Default configuration without the startup.cfg(this file) will
## Run Active checks only
##
## Mode is no longer supported in NC_Net.
##
## All parameters in this file are optional and Default settings
## take place when an argument is not present.
##
## testrun when set to true will turn off send_nsca.
## Passive checks will still process and write to passive.log.
## The sending over the network is disabled. Testrun modifies the passive
## check interval time when it is set.
## passive_alwayson is used to keep trying passive checks even after errors
## occur in send_nsca
##
## Enables the debug log. via MYDEBUG
## This log is used during development and troubleshooting.
## over time its output would be modified for more meaningful log info.
## During startup, debug.log will always list the results of each
## argument processed. Debug log rotation is being implemented to help
## reduce the risk of log growth.
##
## Testrun is handy for configuring passive checks.
## When using testrun – verify passive checks by viewing passive.log.
## For disabling testrun, it is advisable
## to disable it in startup.cfg and restart NC_Net service.
## Although, this can be done dynamically through Configuration commands,
## Dynamic changeover does not verify proper startup settings of NC_Net.
##
##
################################################################################
## This file is just one of the mechanisms for configuration of NC_Net.
## NC_Net can startup as active check only without this file.
################################################################################
## #########################################
## ## Options for Modifying Configuration ##
## #########################################
## 1) Internal defaults. (Loaded when this file is missing or empty)
## Active checks with check_nt CONFIG command enabled.
## 2) Startup.cfg, this config file - only loaded when the service is started.
## 3) Dynamically through active check.
## After NC_Net has started only if lock_active_config is set to false.
## 4) Dynamically through passive check.
## After NC_Net has started only if lock_passive_config is set to false.
## Use this option to reset the value each time the passive checks run.
## 5) Through a configuration tool - (Currently not Implemented)
## any third party configuration tool currently
## must simulate active checks (like the test console or check_nt)
## or modify the configuration files directly.
## #############################
## ## Configuration Interface ##
## #############################
## NC_Net only implements three interfaces for configuration:
## startup.cfg, passive.cfg and active Check CONFIG.
## An additional interface may be implemented in the future.
## ######################
## ## Output Interface ##
## ######################
## NC_Net implements 6 output interfaces.
## internal send_nsca, external send_nsca, Active check responses,
## passive.log, Error handling via Windows Event Log and
## Passive Host checks.
################################################################################
## ###################
## ## Active Checks ##
## ###################
################################################################################
## active_check - Enable or Disable active checks dynamically.
## 'false' to disable active checks
## If changed to false dynamically - NC_Net may wait for one last
## Active check before disabling.
## Once disabled can be re-enabled via passive configuration check:
## c[tab]active_check[tab]true
#active_check	true

## lock_active_config
## When true NC_Net configuration cannot be changed
## through active check TCP listener port.
#lock_active_config	false

## port - Default 1248
## This is the port for the active check TCP listener service.
## If "Cannot map xxxxx to protocol number" occurs change the Port number
## because the port is already in use by some other service.
## Port 12489 is the default in Nagios v3
#port	1248

## active_ip_accept_list
## This is to check that the IP address of the active check is located in the
## active_ip_accept_list.cfg list. this list is in the config directory
## if the active check is coming from an IP that is not in the list when this
## argument is true, then the request will not be processed.
##
## use the test_ip_accept_name.exe from the script folder to test the FQDN
#active_ip_accept_list	false

## verbose_logging
## When verbose logging is true more informational Events will be
## logged in Event Viewer for each Active command being processed.
#verbose_logging	false

## client_timeout
## this is the time it will wait for the command to process.
## if a command takes longer than this to process then the current
## client connection will be closed.
## 20 second default - value is in milliseconds.
#client_timeout	20000

## socket_timeout
## this is the timeout on the TCP protocol
## this timeout is for how long the TCP waits for confirmation
## of sending/receiving a msg. Default is 2 seconds
## value is in milliseconds.
## Increase to use telnet
#socket_timeout	2000

##
## End Active Check Configuration
################################################################################
## ####################
## ## Passive Checks ##
## ####################
################################################################################
##
## #############
## ## General ##
## #############
## passive_check - Enables or disables passive checks.
## 'false' to disable passive checks.
## This option is changeable dynamically once NC_Net has started.
## Restart passive checks via check_nt CONFIG command.
## (Only if lock_active_config was set to false)
## WARNING make sure to change this to true to use passive checks.
#passive_check	false

## passive_alwayson
## instead of having testrun=false in the passive config
## this variable will explicitly force the passive checks to
## try again each passive check interval despite failure of last iteration.
## WARNING: WHEN PASSIVE_ALWAYSON IS TRUE TESTRUN IS ALWAYS IMPLICITLY OFF.
##
### When using Passive Checks If passive_alwayson is false
### and passive checks stop on a socket exception it would need to be restarted
### the CONFIG passive_check,true active check can restart the passive checks
### command #99 or 100 or Perfstat for windows service can be restarted.
## NOTE: do NOT use TESTRUN, it is used internally,
## but should not be modified via STARTUP.cfg or CONFIG commands 99 or 100
#passive_alwayson	true

## lock_passive_config
## When true NC_Net configuration cannot be changed through
## configuration command in passive.cfg .
#lock_passive_config	false

## interval_passive - Default 5 minutes.
## Time interval in Minutes between passive checks runs.
## Dynamic changes to this will take place after next passive check run.
#interval_passive	5

## interval_div_passive - Default is 1.
## Interval div passive is a divisor to the passive checks interval.
## The actual timer for the passive check interval is in milliseconds.
## This divisor is applied after the conversion of the interval to milliseconds.
## For example, if you wanted the interval to be 2.5 min,
## you can set the interval_passive to 5 and interval_div_passive to 2.
## Dynamic change of this will take place after next passive check run.
#interval_div_passive	1

## performance data format
## perfdata_format is a trigger to allow for different performance data formats
## That have been preconfigured into NC_Net
## 0 - default - same as old check_nt
## 1 - internal - ShatterIT rrd format
## 2 - standard - per developer-guidelines - similar to UNIX equivalent plugin
## 3 - o.......... Requests welcome, but dependent on time constraints
#perfdata_format	2

## ########################
## ## EMBEDDED SEND_NSCA ##
## ########################
## embedded_send_nsca
## This enables the internal Send_NSCA
#embedded_send_nsca	true

## port_passive - Default port of the NSCA server for Nagios.
## Default is 5667
#port_passive	5667

## host_passive
## Nagios Host ID for this local host. -This must match Nagios config files
## otherwise the check results may not be seen in Nagios.
#host_passive	NC_Net_host_ID

## pass_passive
## Default passive check password NSCA default config does not have a password.
#pass_passive

## ip_passive
## IP address of the NSCA daemon to send the passive checks.
## Default is loop back - should be set to your default NSCA/Nagios server.
#ip_passive	127.0.0.1

## encrip_passive - Default is 1 for Xor.
## Encryption type - For Passive checks via NSCA.
## Only implemented encryption types are listed here.
## pass_passive is used with encryption in NSCA.
## Currently only implementing NONE and Xor -neither use pass_passive.
## Use External Send_NSCA (Configurable below) for a greater selection
## of encryption types.
## 0 - none
## 1 - Xor (Default)
## X - not implemented yet
#encrip_passive	1

## Passive_timeout
## Timeout used by internal send_NSCA
#Passive_timeout	10

## ########################
## ## EXTERNAL SEND_NSCA ##
## ########################
## Use the following variables to enable using an external send_nsca program.
## this was tested with the NSCA Win32Client found on NagiosExchange.
## set external_send_nsca_app to Send Nsca Directory.
## path example: C:\win send nsca\
## Make sure this directory contains both send_nsca.exe and send_nsca.cfg
##
## set Send_nsca type to true to enable or false to disable.
## if both are false then no passive checks will be sent.
## but passive.log will still be updated.
## set embedded to true to use internal send_nsca
## set external to true to use external send_nsca
## functionally the data can be sent to two different NSCA servers.
## external_send_nsca
## this enables using the External Send_nsca
#external_send_nsca	false

## external_send_nsca_app
## Path of the Send Nsca Directory
## use single \ and no "
#external_send_nsca_app	C:\send nsca\

## external_send_nsca_ip
## Ip address of the Send_Nsca server
#external_send_nsca_ip	127.0.0.1

## external_send_nsca_port
## Port to use for external send_nsca
#external_send_nsca_port	5667

## external_send_nsca_timeout
## timeout used by external send_nsca
#external_send_nsca_timeout	10

##
## end Passive Check Configuration
################################################################################
## ####################################
## ## Command Specific Configuration ##
## ####################################
################################################################################
##
## #############
## ## CPULOAD ##
## #############
## single_cpu - default is false
## on some single processor systems the CPULOAD is not properly collected.
## this may be due to the performance counter not having a _total instance
## this variable was added for running CPULOAD bug fix on cpuload
## when true check counter: /Processor/% Processor Time"
## when false check counter: /Processor(_Total)/% Processor Time"
#cpu_single	false

## cpu_max_interval - Default is 1 hour.
## Can only be changed in startup.cfg at this time.
## This number determines how many samples are taken for determining CPU LOAD.
## a sample is taken every 5 seconds for cpu_max_interval minutes.
## CPU Load may appear to process a time interval larger than this value,
## but the result will actually be calculated based on the number of samples.
## If CPULOAD is being checked for a duration of more than one hour
## make sure to increase this value.
#cpu_max_interval	60

## cpu_times_per_min - default 12
## this is the number of times per min that the CPU load is checked
## default is every 5 seconds, the greater this value the more accurate the
## cpu load, the lower this value the less accurate the CPU load value.
#cpu_times_per_min	12

## ##########################
## ## PERFORMANCE COUNTERS ##
## ##########################
## sampledelay - default 8ms
## Sample delay (in milliseconds) is the delay implemented between performance counter samples
## This will change the value of some performance counters.
## Many performance counters need to have 2 samples to get output.
## 8ms is a good compromise between performance and accuracy.
## Windows Performance counter uses a 1000ms delay (by default)
## (this is too large since checks are done serial)
## If you consistently receive a 0 result from a counter, try a larger sampledelay.
## Sample delay can be changed via Config Command #99 or 100
## It is not recommended to keep sampledelay at a value above 100 unless tested in production.
## Sometimes newer hardware reduces the efficiency of this delay.
## There is no best value for sample delay,
## Some counters do not need a delay while others must have a delay.
## Some counters will only reflect Windows Performance Monitor if the delay is ~1300
#sampledelay	15

## ##############
## ## EVENTLOG ##
## ##############
## evntlog_desc_trim - default 100
## this is the number of char in the Event_log_xml message to print to the
## in the output. the rest of the message field will be trimmed
#evntlog_desc_trim	100

## regex_options
## this is a comma separated list of the regular expression options to use
## when processing the Event Log XML check 2009
## Definitions for each of these can be viewed in the MSDN documentation
## for the Namespace:System.Text.RegularExpressions > RegexOptions Enumeration
## http://msdn2.microsoft.com/en-us/library/system.text.regularexpressions.regexoptions.aspx
## choices are:
## Compiled
## CultureInvariant
## ECMAScript
## ExplicitCapture
## IgnoreCase
## IgnorePatternWhitespace
## Multiline
## None
## RightToLeft
## Singleline
#regex_options	Multiline,IgnorePatternWhitespace,IgnoreCase

## ######################
## ## External Scripts ##
## ######################
## External scripts can be loaded into the <NC_Net>/Script Directory
## Then they can be accessed by the RUNSCRIPT check commands.
##
## At this time only executables can be run, due to DOT NET not allowing
## to redirect Standard output, with using shellextention.
## A Workaround for this issue is using a .bat as a wrapper
## For example test.bat in the script directory runs DIR
##
## RUNSCRIPT does not allow using .. in the command.
## For security this will always remain out.
## allow_run_scripts - When TRUE all script commands are accessible
## when FALSE only ENUMSCRIPT is allowed.
#allow_run_scripts	true

## script_timeout - in seconds the amount of time allowed for the script
## to execute. if the script takes more time than that it will
## be killed by NC_Net
#script_timeout	30

## do_not_blaim_nc_net - When False all Script commands will be chopped
## at the first space in the command.
## It will only run the script name with no parameters.
## When true the entire command sent including parameters will run.
## When false scripts with a space in the name will not run.
#do_not_blaim_nc_net	false

## ###################
## ## NC_NET ENGINE ##
## ###################
## These parameters affect NC_Net's internal engine and reporting
## and not specific command.
## evntlog_input_trim - default 1000
## this is the number of char that will write to the event log description
## when NC_Net writes to the event log, this parameter does not apply to event ID 1004
#evntlog_input_trim	1000

## trysleep is a flag that will be run each time a command is processed
## if true NC_Net will yield the processor to other application
## since many commands may run other commands this may be called often
## During a single command sequence.
#trysleep	false

# The following may be obsolete.
## error_value_on
## a value of ERROR can be printed in WMICAT_XML and Perf Counters XML
## When false the value will be NULL ""
#error_value_on	true

## This affects performance counter values in XML only
## When true a bad counter will have a value of -1
## When false error_value_on determines the bad counter output.
#error_value_show_1	false

##
## end Command Specific Configuration
################################################################################
## #########################
## ## Passive Host Checks ##
## #########################
################################################################################
## Passive host checks use the Embedded Send NSCA
## make sure to set at least the IP.
##
## The parameters Ending with the X are for External Send_NSCA
## While the parameters without the X are for internal Send_NSCA
## hostcheck_alwayson -Turns Host checks on or off
## makes hostchecks to continue trying even if there is a problem.
## THIS MUST BE TRUE FOR HOSTCHECKS TO WORK
#hostcheck_alwayson	true

## hostcheck_interval - Default 5 minutes.
## Time interval in Minutes between passive Host checks runs.
## Dynamic changes to this will take place after next passive Host check run.
#hostcheck_interval	5

## hostcheck_interval_div - Default is 1.
## Interval div passive is a divisor to the passive Host checks interval.
## The actual timer for the passive host check interval is in milliseconds.
## This divisor is applied after the conversion of the interval to milliseconds.
## For example, if you wanted the interval to be 2.5 min,
## you can set the interval_passive to 5 and interval_div_passive to 2.
## Dynamic change of this will take place after next passive host check run.
#hostcheck_interval_div	1

## host_check
## This enables the Passive Host Check
#hostcheck	false
#hostcheckX	false

## hostcheck_port - Default port of the NSCA server for Nagios.
## Default is 5667
#hostcheck_port	5667
#hostcheck_portX	5667

## hostcheck_hostid
## Nagios Host ID for this local host. -This must match Nagios config files
## otherwise the check results may not be seen in Nagios.
## Default is the Computer name from WMI
#hostcheck_hostid	NC_Net_host_ID
#hostcheck_hostidX	NC_Net_host_ID

## hostcheck_pass
## Default passive check password NSCA default config does not have a password.
#hostcheck_pass
#hostcheck_passX

## hostcheck_ip
## IP address of the NSCA daemon to send the Host checks.
## Default is loop back - should be set to your default NSCA/Nagios server.
#hostcheck_ip	127.0.0.1
#hostcheck_ipX	127.0.0.1

## encrip_passive - Default is 1 for Xor.
## Encryption type - For Passive checks via NSCA.
## Only implemented encryption types are listed here.
## pass_passive is used with encryption in NSCA.
## Currently only implementing NONE and Xor -neither use pass_passive.
## Use External Send_NSCA (Configurable below) for a greater selection
## of encryption types.
## 0 - none
## 1 - Xor (Default)
## X - not implemented yet
#hostcheck_enc	1

## hostcheck_appX
## Path to SendNSCA directory
## Make sure this contains both Send_nsca.exe and send_nsca.cfg
#hostcheck_appX	1

## hostcheck_timeout
## Socket Timeout passed to send_nsca
#hostcheck_timeout	10
#hostcheck_timeoutX	10

##
## end Passive Host Check Configuration
################################################################################
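Note that editing active_ip_accept_list.nc_net has no effect while active_ip_accept_list stays at its commented-out value of false in startup.cfg, and that a parameter separated from its data by a space instead of a tab does not follow the required form. The following Python sketch is an added example, not NC_Net's own code: it resolves the effective settings and flags both cases. The DEFAULTS table is read off the comments and commented-out lines of the file above, and the sample inputs, the finding names and the treatment of space-separated lines as ignored are assumptions.

```python
# Values assumed to apply when a parameter is absent, taken from the comments and
# commented-out lines of the startup.cfg shown on this page.
DEFAULTS = {
    "active_ip_accept_list": "false",
    "lock_active_config": "false",
    "allow_run_scripts": "true",
    "do_not_blaim_nc_net": "false",
    "passive_check": "false",
    "embedded_send_nsca": "true",
    "encrip_passive": "1",
}

# Constructed inputs. "\t" is a real tab, which startup.cfg requires.
AS_SHIPPED = "#active_check\ttrue\n#lock_active_config\tfalse\n#active_ip_accept_list\tfalse\n"
PASTED_WITH_SPACES = "active_ip_accept_list true\nlock_active_config\ttrue\n"
HARDENED = "active_ip_accept_list\ttrue\nlock_active_config\ttrue\nport\t12489\n"


def parse_startup(text):
    """Return ({parameter: data}, [numbers of lines that lack the tab separator])."""
    settings, malformed = {}, []
    for number, line in enumerate(text.splitlines(), start=1):
        if not line.strip() or line.startswith("#"):
            continue  # blank line, or a comment ('#' in position 0)
        name, tab, data = line.partition("\t")
        if not tab:
            malformed.append(number)  # e.g. pasted from a web page with a space
            continue
        settings[name.strip()] = data.strip().lower()
    return settings, malformed


def audit_startup(text):
    """Findings for the effective configuration: defaults overlaid by the set lines."""
    settings, malformed = parse_startup(text)
    eff = {**DEFAULTS, **settings}
    findings = [f"NO_TAB_LINE_{n}" for n in malformed]
    if eff["active_ip_accept_list"] != "true":
        # active_ip_accept_list.nc_net is not consulted at all in this state
        findings.append("IP_ACCEPT_LIST_NOT_ENFORCED")
    if eff["lock_active_config"] != "true":
        # the check_nt listener accepts CONFIG changes to the running service
        findings.append("ACTIVE_CONFIG_UNLOCKED")
    if eff["allow_run_scripts"] == "true" and eff["do_not_blaim_nc_net"] == "true":
        # RUNSCRIPT passes the caller's parameters through to the script
        findings.append("RUNSCRIPT_PARAMETERS")
    if (eff["passive_check"] == "true" and eff["embedded_send_nsca"] == "true"
            and eff["encrip_passive"] in ("0", "1")):
        # the embedded sender offers only none/Xor; external send_nsca has more types
        findings.append("NSCA_NONE_OR_XOR")
    return findings


if __name__ == "__main__":
    for label, text in (("as shipped", AS_SHIPPED),
                        ("pasted with spaces", PASTED_WITH_SPACES),
                        ("hardened", HARDENED)):
        print(label, audit_startup(text))
```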
user.dat
C:\program files\Montitech\NC_Net\config\user.dat
Remove the top line:
None
and enter in:
password
[edit] Troubleshooting Tips
- From your Nagios server, try typing in "telnet exchangeserver.yourdomain.com 1248" (or whatever other port you're using) to make sure NC_net is listening for your traffic. (This often avoids getting the "Connection refused" error in Nagios)
- If you ever make a change to a file in your c:\path\to\config folder, you will need to bounce (i.e. restart) the NC_net service for the changes to take effect.
- Before you make a check in Nagios, consider quickly checking your config from the command line.
e.g. on CentOS, type:
cd /usr/lib/nagios/plugins
./check_nt -H exchangeServerIP -s password -p 1248 -v SERVICESTATE -d SHOWALL -l MSExchangeIS,MSExchangeMTA,SMTPSVC,RESvc,W3SVC
and you should get something like:
MSExchangeIS: Started - MSExchangeMTA: Started - SMTPSVC: Started - RESvc: Started - W3SVC: Started
(Don't put spaces after the commas)
[edit] ExchangeCommands.cfg Definitions
To use the commands, you'll have to import the following commands (or the file) into your environment. This process is made quite easy in some web GUIs, such as NagiosQL. If you're using text files, simply add the following line to your nagios.cfg file.
cfg_file=/etc/nagios/ExchangeCommands.cfg
Below are some check commands for Exchange. Comments above the define statements give some detail on what each check does.
#check to see if your mail server is on any public RBLs (real time blackhole lists)
define command {
command_name check_bl
command_line $USER1$/check_bl -H $HOSTADDRESS$ -B zen.spamhaus.org bl.spamcop.net dnsbl.ahbl.org dnsbl.njabl.org dnsbl.sorbs.net virbl.dnsbl.bit.nl rbl.efnet.org phishing.rbl.msrbl.net 0spam.fusionzero.com list.dsbl.org multihop.dsbl.org unconfirmed.dsbl.org will-spam-for-food.eu.org blacklist.spambag.org blackholes.brainerd.net blackholes.uceb.org spamsources.dnsbl.info map.spam-rbl.com ns1.unsubscore.com psbl.surriel.com l2.spews.dnsbl.sorbs.net bl.csma.biz sbl.csma.biz dynablock.njabl.org no-more-funn.moensted.dk ubl.unsubscore.com dnsbl-1.uceprotect.net dnsbl-2.uceprotect.net dnsbl-3.uceprotect.net spamguard.leadmon.net opm.blitzed.org bl.spamcannibal.org rbl.schulte.org dnsbl.ahbl.org virbl.dnsbl.bit.nl combined.rbl.msrbl.net
}
define command {
command_name check_exchange_pending_routing
command_line $USER1$/check_nt -H $HOSTADDRESS$ -p 12489 -s password -v COUNTER -l "\\SMTP Server(_Total)\\Messages Pending Routing","Messages Pending Routing are: %.f" -w $ARG1$ -c $ARG2$
}
define command {
command_name check_exchange_remote_queue_length
command_line $USER1$/check_nt -H $HOSTADDRESS$ -p 12489 -s password -v COUNTER -l "\\SMTP Server(_Total)\\Remote Queue Length","Remote Queue Length is: %.f" -w $ARG1$ -c $ARG2$
}
define command {
command_name check_Exchange_imap
command_line $USER1$/check_imap -H $HOSTADDRESS$
}
define command {
command_name check_Exchange_pop
command_line $USER1$/check_pop -H $HOSTADDRESS$
}
define command {
command_name check_Exchange_smtp
command_line $USER1$/check_smtp -H $HOSTADDRESS$
}
#following commands are based off check_nt, which comes installed with Nagios
#
#
#define command {
# command_name check_nt_service
# command_line $USER1$/check_nt -H $HOSTADDRESS$ -s password -p 12489 -v SERVICESTATE -d SHOWALL -l $ARG1$
# }
define command {
command_name check_Exchange_all_services
command_line $USER1$/check_nt -H $HOSTADDRESS$ -s password -p 12489 -v SERVICESTATE -d SHOWALL -l MSExchangeIS,MSExchangeMTA,SMTPSVC,RESvc,W3SVC
}
#Microsoft Exchange Server Information Store
define command {
command_name check_Exchange_service_MSExchangeIS
command_line $USER1$/check_nt -H $HOSTADDRESS$ -s password -p 12489 -v SERVICESTATE -d SHOWALL -l MSExchangeIS
}
define command {
command_name check_Exchange_service_MSExchangeMTA
command_line $USER1$/check_nt -H $HOSTADDRESS$ -s password -p 12489 -v SERVICESTATE -d SHOWALL -l MSExchangeMTA
}
define command {
command_name check_Exchange_service_SMTPSVC
command_line $USER1$/check_nt -H $HOSTADDRESS$ -s password -p 12489 -v SERVICESTATE -d SHOWALL -l SMTPSVC
}
define command {
command_name check_Exchange_service_RESvc
command_line $USER1$/check_nt -H $HOSTADDRESS$ -s password -p 12489 -v SERVICESTATE -d SHOWALL -l RESvc
}
define command {
command_name check_Exchange_service_W3SVC
command_line $USER1$/check_nt -H $HOSTADDRESS$ -s password -p 12489 -v SERVICESTATE -d SHOWALL -l W3SVC
}
define command {
command_name check_owa_https
command_line $USER1$/check_http -H $HOSTADDRESS$ --ssl -u /exchange
}
define command {
command_name check_owa_http
command_line $USER1$/check_http -H $HOSTADDRESS$ -u /exchange
}
#
#more information here:
#http://www.petri.co.il/ports_used_by_exchange.htm
#
#following commands based on
#define command {
# command_name check_tcp
# command_line $USER1$/check_tcp -H $HOSTADDRESS$ -p $ARG1$
# }
#Port 389 (TCP)
#Description: Lightweight Directory Access Protocol (LDAP), used by Active Directory,
#Active Directory Connector, and the Microsoft Exchange Server 5.5 directory.
define command {
command_name check_Exchange_tcp_LDAP
command_line $USER1$/check_tcp -H $HOSTADDRESS$ -p 389
}
#Port 636 (TCP)
#Description: LDAP over Secure Sockets Layer (SSL). When SSL is enabled, LDAP data
#that is transmitted and received is encrypted.
#To enable SSL, you must install a Computer certificate on the domain controller
#or Exchange Server 5.5 computer.
define command {
command_name check_Exchange_tcp_LDAP_SSL
command_line $USER1$/check_tcp -H $HOSTADDRESS$ -p 636
}
#Port 379 (TCP)
#Description: The Site Replication Service (SRS) uses TCP port 379.
define command {
command_name check_Exchange_tcp_LDAP_SRS
command_line $USER1$/check_tcp -H $HOSTADDRESS$ -p 379
}
#Port 390 (TCP)
#Description: While not a standard LDAP port, TCP port 390 is the recommended alternate port
#to configure the Exchange Server 5.5 LDAP protocol when Exchange Server 5.5 is running
#on a Microsoft Windows 200x Active Directory domain controller.
define command {
command_name check_Exchange_tcp_LDAP_alt
command_line $USER1$/check_tcp -H $HOSTADDRESS$ -p 390
}
#Port 3268 (TCP)
#Description: Global catalog. The Windows 200x Active Directory global catalog
#(which is really a domain controller "role") listens on TCP port 3268.
#When you are troubleshooting issues that may be related to a global catalog,
#connect to port 3268 in LDP.
define command {
command_name check_Exchange_tcp_global_catalog
command_line $USER1$/check_tcp -H $HOSTADDRESS$ -p 3268
}
#Port 3269 (TCP)
#Description: Global catalog over SSL. Applications that connect to TCP port 3269
#of a global catalog server can transmit and receive SSL encrypted data.
#To configure a global catalog to support SSL, you must install a computer certificate
#on the global catalog.
define command {
command_name check_Exchange_tcp_global_catalog_ssl
command_line $USER1$/check_tcp -H $HOSTADDRESS$ -p 3269
}
#Port 143 (TCP)
#Description: Internet Message Access Protocol version 4, may be used by "standards-based"
#clients such as Microsoft Outlook Express or Netscape Communicator to access the e-mail server.
#IMAP4 runs on top of the Microsoft Internet Information Service (IIS) Admin Service (Inetinfo.exe),
#and enables client access to the Exchange 200x information store.
define command {
command_name check_Exchange_tcp_imap
command_line $USER1$/check_tcp -H $HOSTADDRESS$ -p 143
}
#Port 993 (TCP)
#Description: IMAP4 over SSL uses TCP port 993. Before an Exchange 200x server supports
#IMAP4 (or any other protocol) over SSL, you must install a Computer certificate on
#the Exchange 200x server.
define command {
command_name check_Exchange_tcp_imap_ssl
command_line $USER1$/check_tcp -H $HOSTADDRESS$ -p 993
}
#Port 110 (TCP)
#Description: Post Office Protocol version 3, enables "standards-based" clients
#such as Outlook Express or Netscape Communicator to access the e-mail server.
#As with IMAP4, POP3 runs on top of the IIS Admin Service, and enables client access
#to the Exchange 200x information store.
define command {
command_name check_Exchange_tcp_pop
command_line $USER1$/check_tcp -H $HOSTADDRESS$ -p 110
}
#Port 995 (TCP)
#Description: POP3 over SSL. To enable POP3 over SSL, you must install a Computer
#certificate on the Exchange 200x server.
define command {
command_name check_Exchange_tcp_pop_ssl
command_line $USER1$/check_tcp -H $HOSTADDRESS$ -p 995
}
#Port 119 (TCP)
#Description: Network News Transport Protocol, sometimes called Usenet protocol,
#enables "standards-based" client access to public folders in the information store.
#As with IMAP4 and POP3, NNTP is dependent on the IIS Admin Service.
define command {
command_name check_Exchange_tcp_nntp
command_line $USER1$/check_tcp -H $HOSTADDRESS$ -p 119
}
#Port 563 (TCP)
#Description: NNTP over SSL. To enable NNTP over SSL, you must install a Computer
#certificate on the Exchange 200x Server.
define command {
command_name check_Exchange_tcp_nntp_ssl
command_line $USER1$/check_tcp -H $HOSTADDRESS$ -p 563
}
#Port 80 (TCP)
#Description: Hyper-Text Transfer Protocol is the protocol used primarily by
#Microsoft Outlook Web Access (OWA), but also enables some administrative actions in
#Exchange System Manager. HTTP is implemented through the World Wide Web Publishing Service
#(W3Svc), and runs on top of the IIS Admin Service.
define command {
command_name check_Exchange_tcp_http
command_line $USER1$/check_tcp -H $HOSTADDRESS$ -p 80
}
#Port 443 (TCP)
#Description: HTTP over SSL. To enable HTTP over SSL, you must install a Computer
#certificate on the Exchange 200x server.
define command {
command_name check_Exchange_tcp_http_ssl
command_line $USER1$/check_tcp -H $HOSTADDRESS$ -p 443
}
#Port 25 (TCP)
#Description: Simple Mail Transfer Protocol, is the foundation for all e-mail
#transport in Exchange 200x. The SMTP Service (SMTPSvc) runs on top of the IIS Admin Service.
#Unlike IMAP4, POP3, NNTP, and HTTP, SMTP in Exchange 2000 does not use a separate port
#for secure communication (SSL), but rather, employs an "in-band security sub-system"
#called Transport Layer Security (TLS).
define command {
command_name check_Exchange_tcp_smtp
command_line $USER1$/check_tcp -H $HOSTADDRESS$ -p 25
}
#Port 465 (TCP)
#Description: SMTP over SSL. TCP port 465 is reserved by common industry practice
#for secure SMTP communication using the SSL protocol. However, unlike IMAP4, POP3,
#NNTP, and HTTP, SMTP in Exchange 2000 does not use a separate port for
#secure communication (SSL), but rather, employs an "in-band security sub-system"
#called Transport Layer Security (TLS). To enable TLS to work on Exchange 200x,
#you must install a Computer certificate on the Exchange 2000 server.
define command {
command_name check_Exchange_tcp_smtp_ssl
command_line $USER1$/check_tcp -H $HOSTADDRESS$ -p 465
}
#Port 691 (TCP)
#Description: The Microsoft Exchange Routing Engine (also known as RESvc) listens
#for routing link state information on TCP port 691. Exchange 200x uses routing
#link state information to route messages and the routing table is constantly updated.
#The Link State Algorithm (LSA) propagates routing status information between Exchange 200x
#servers. This algorithm is based on the Open Shortest Path First (OSPF) protocol
#from networking technology, and transfers link state information between routing groups
#by using the X-LSA-2 command verb over SMTP and by using a Transmission Control Protocol
#(TCP) connection to port 691 in a routing group.
define command {
command_name check_Exchange_tcp_RESvc
command_line $USER1$/check_tcp -H $HOSTADDRESS$ -p 691
}
#Port 80 (TCP)
#Description: RVP is the foundation for Instant Messaging in Exchange 200x.
#While RVP communication begins with TCP port 80, the server quickly sets up a
#new connection to the client on an ephemeral TCP port above 1024. Because this port
#is not known in advance, issues exist when you enable Instant Messaging through a firewall.
define command {
command_name check_Exchange_tcp_RVP
command_line $USER1$/check_tcp -H $HOSTADDRESS$ -p 80
}
#Port 6667 (TCP)
#Description: Internet Relay Chat (IRC) is the chat protocol. IRCX is the
#extended version offered by Microsoft. While TCP port 6667 is the most common
#port for IRC, TCP port 7000 is also very frequently used.
define command {
command_name check_Exchange_tcp_IRCX
command_line $USER1$/check_tcp -H $HOSTADDRESS$ -p 6667
}
#Port 994 (TCP)
#Description: IRC (or Chat) over SSL. IRC or IRCX over SSL is not supported
#in Exchange 200x.
define command {
command_name check_Exchange_tcp_IRC_ssl
command_line $USER1$/check_tcp -H $HOSTADDRESS$ -p 994
}
#Port 102 (TCP)
#Description: ITU-T Recommendation X.400 is really a series of recommendations
#for what an electronic message handling system (MHS) should look like. TCP port 102 is
#defined in IETF RFC-1006, which describes OSI communications over a TCP/IP network.
#In brief, TCP port 102 is the port that the Exchange message transfer agent (MTA)
#uses to communicate with other X.400-capable MTAs.
define command {
command_name check_Exchange_tcp_MHS_x400
command_line $USER1$/check_tcp -H $HOSTADDRESS$ -p 102
}
#Port 135 (TCP)
#Description: Microsoft Remote Procedure Call is a Microsoft implementation of
#remote procedure calls (RPCs). TCP port 135 is actually only the RPC Locator Service,
#which is like the registrar for all RPC-enabled services that run on a particular server.
#In Exchange 200x, the Routing Group Connector uses RPC instead of SMTP when the target
#bridgehead server is running Exchange 5.5. Also, some administrative operations require RPC.
#To configure a firewall to enable RPC traffic, many more ports than just 135 must be enabled.
define command {
command_name check_Exchange_tcp_rpc
command_line $USER1$/check_tcp -H $HOSTADDRESS$ -p 135
}
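A small linter for a command file like the one above, as an added example (not part of the original wiki page or of Nagios): it reports define blocks with no closing brace, duplicate or space-containing command_name values, and check_nt passwords written directly into command_line rather than kept in a $USERn$ macro in resource.cfg. The sample input is constructed, and $USER3$ is an assumed free macro slot.

```python
import re
import sys

# Constructed sample (not the page's file), seeded with the mistakes the linter reports.
SAMPLE = r"""
define command {
    command_name check_Exchange_tcp_LDAP_SRS
    command_line $USER1$/check_tcp -H $HOSTADDRESS$ -p 379
}
define command {
    command_name check_Exchange_tcp_LDAP_SRS
    command_line $USER1$/check_tcp -H $HOSTADDRESS$ -p 390
}
define command {
    command_name check_Exchange_all services
    command_line $USER1$/check_nt -H $HOSTADDRESS$ -s password -p 12489 -v UPTIME
define command {
    command_name check_nt_uptime
    command_line $USER1$/check_nt -H $HOSTADDRESS$ -s $USER3$ -p 12489 -v UPTIME
}
"""

def lint_commands(text):
    """Return (line_number, message) findings for Nagios command definitions."""
    findings, seen, in_block = [], {}, False
    for no, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if re.match(r"define\s+command\s*\{", line):
            if in_block:
                findings.append((no, "previous define block has no closing brace"))
            in_block = True
        elif line == "}":
            in_block = False
        elif in_block and line.startswith("command_name"):
            name = line[len("command_name"):].strip()
            if re.search(r"\s", name):
                findings.append((no, f"whitespace in command_name '{name}' (likely a typo)"))
            if name in seen:
                findings.append((no, f"duplicate command_name '{name}' (first at line {seen[name]})"))
            seen.setdefault(name, no)
        elif in_block and line.startswith("command_line"):
            m = re.search(r"check_nt\b.*?\s-s\s+(\S+)", line)
            if m and not re.fullmatch(r"\$USER\d+\$", m.group(1)):
                findings.append((no, "check_nt password is not a $USERn$ macro from resource.cfg"))
    if in_block:
        findings.append((no, "last define block has no closing brace"))
    return findings

if __name__ == "__main__":
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE
    for no, msg in lint_commands(text):
        print(f"line {no}: {msg}")
```

Run it with the path to ExchangeCommands.cfg as its argument; Nagios' own pre-flight check, nagios -v /etc/nagios/nagios.cfg, should still be run before reloading.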
[edit] Other check_nt Commands
The following results of "check_nt --help" show some of the many other things that check_nt can monitor on a Windows host:
This plugin collects data from the NSClient service running on a
Windows NT/2000/XP/2003 server.
Usage:check_nt -H host -v variable [-p port] [-w warning] [-c critical][-l params] [-d SHOWALL] [-t timeout]
Options:
-h, --help
Print detailed help screen
-V, --version
Print version information
Options:
-H, --hostname=HOST
Name of the host to check
-p, --port=INTEGER
Optional port number (default: 1248)
-s <password>
Password needed for the request
-w, --warning=INTEGER
Threshold which will result in a warning status
-c, --critical=INTEGER
Threshold which will result in a critical status
-t, --timeout=INTEGER
Seconds before connection attempt times out (default: 10)
-h, --help
Print this help screen
-V, --version
Print version information
-v, --variable=STRING
Variable to check
Valid variables are:
CLIENTVERSION = Get the NSClient version
If -l <version> is specified, will return warning if versions differ.
CPULOAD =
Average CPU load on last x minutes.
Request a -l parameter with the following syntax:
-l <minutes range>,<warning threshold>,<critical threshold>.
<minute range> should be less than 24*60.
Thresholds are percentage and up to 10 requests can be done in one shot.
ie: -l 60,90,95,120,90,95
UPTIME =
Get the uptime of the machine.
No specific parameters. No warning or critical threshold
USEDDISKSPACE =
Size and percentage of disk use.
Request a -l parameter containing the drive letter only.
Warning and critical thresholds can be specified with -w and -c.
MEMUSE =
Memory use.
Warning and critical thresholds can be specified with -w and -c.
SERVICESTATE =
, Check the state of one or several services.
Request a -l parameters with the following syntax:
-l <service1>,<service2>,<service3>,...
You can specify -d SHOWALL in case you want to see working services
in the returned string.
PROCSTATE =
Check if one or several process are running.
Same syntax as SERVICESTATE.
COUNTER =
Check any performance counter of Windows NT/2000.
Request a -l parameters with the following syntax:
-l "\\<performance object>\\counter","<description>
The <description> parameter is optional and is given to a printf
output command which requires a float parameter.
If <description> does not include "%%", it is used as a label.
Some examples:
"Paging file usage is %%.2f %%%%"
"%%.f %%%% paging file used."
Notes: - The NSClient service should be running on the server to get any information
(http://nsclient.ready2run.nl).
- Critical thresholds should be lower than warning thresholds
- Default port 1248 is sometimes in use by other services. The error
output when this happens contains "Cannot map xxxxx to protocol number".
One fix for this is to change the port to something else on check_nt
and on the client service it's connecting to.

