Share this page : facebooktwitterlinkedinmailfacebooktwitterlinkedinmail
Windows client

Download the NSClient++ x64 from start the installation:

Allowed host: the IP of the Nagios server

NSClient password:

Modules to load: enable the “enable common check plugins”, “Enable nsclient server(check_nt)”, “Enable NRPEserver (check_nrpe)”.

Go to the services.msc to check the NSclient++(x64) service is running.

Go to the installation folder, nsclient.ini file stores the configuration, if you want to modify it later.

Via GPO:


1. Install NSCP

Download the NSClient++ x64 and store it in a network location where all the machine have read permission

2. Deploy the NSCP: The package provides everything required to install a default NSClient++ agent. For the purposes of this article, all configurations will be applied to the Default Domain Policy Organizational Unit (OU). The OU(s) utilized in a production environment will vary depending upon the structure of the actual Active Directory domain.  Save the .msi file to a shared directory. Then, open the Group Policy Management Console and edit the policy for the selected OU. The package is then selected for deployment by its shared path (<Server>\,<Share>) under the

Computer Configuration > Policies > Software Settings > Software Installation policy.

Upon rebooting, each server to which the GPO is applied will then install the agent.  However, the configuration file will be the default installation one and not operational.  The customized installation file (described below) requires a second reboot.

If you also wish to support python scripting, also install the .msi file that may be downloaded here.

The .msi install will also add a Windows Firewall rule (pictured above) to allow any inbound traffic to connect to the nscp.exe process.

The following video depicts the Windows boot process and application installation, admittedly not exciting, but included as a demonstration.

3. Edit the Configuration file

The default configuration file — c:\program files\nsclient++\nsclient.ini — deployed above is not customized for a production environment.  You may generate new configurations using the nsclient++ program or simply issue the following command to generate a configuration file with all options supported (but not enabled):

c:\program files\nsclient++>nscp settings – -generate – -add-defaults – -load-all

If you have not installed the python .msi file above, you will receive an error that the python .dll file is missing; simply click through the warning an the process will complete.

A configuration file defining the live environment must be deployed to each node before the agents may communicate with the server.  The nsclient.ini defines many different features (modules, Nagios Remote Plugin Executor (NRPE) Server, Nagios Service Check Acceptor (NSCA), scripts, etc.)  A full description of the capabilities is beyond the scope of this article, but I will focus on modules and NRPE Server settings.

Default settings are located at the bottom of the file.  These include:

allowed ciphers = ALL:!ADH:!LOW:!EXP:!MD5:@STRENGTH
allowed hosts =    [set to IP address(es) of allowed Nagios/Icinga Servers] cache allowed hosts = true
certificate = [specify path to SSL certificate)
password = [set to shared password] timeout = 30
use ssl = [true or false; if true, requires certificate] verify mode = none


The other thing which you should configure is which modules to use. There is several modules which can be used to check various aspects of your system. So choosing which you need can be a bit of work. Here we shall start out with the basic ones and for details on the rest check out the [references section]/../references).

Module Description Commands
CheckSystem Handles many system checks check_cpu, check_memory etc
CheckDisk Handles Disk related checks check_drivesize
CheckExternalScripts Handles aliases (which is what we will use) and external scripts. N/A
NRPEServer Listens and responds to incoming requests from Nagios via NRPE N/A
There are a lot more modules

The finished modules section from the INI file will look like so:



Modules provide the core functionality of NSClient++.  To support Nagios/Icinga check_nt, check_nrpe and NSCA commands, the following apply:

NRPEServer = 1 (for Nagios/Icinga check_nrpe commands)
NSCAClient = 1 (for Nagios/Icinga NSCA commands)
NSCAServer = 1 (for Nagios/Icinga NSCA commands)
NSClientServer = 1 (for Nagios/Icinga check_nt commands)


CheckSystem = 1 (important for supporting check_nrpe Performance Counter commands)

CheckExternalScripts = 1
CheckHelpers = 1
CheckEventLog = 1
CheckNSCP = 1
CheckDisk = 1

To implement the NRPE Server, the following modifications apply:

allowed ciphers = ALL:!ADH:!LOW:!EXP:!MD5:@STRENGTH
allow arguments = true
allow nasty characters = true
port = 5666

These settings define the ciphers allowable, whether NSClient++ accepts arguments and normally illegal characters and the port upon which it listens.  By default, use ssl = TRUE requires SSL encryption; if you disable this, any check_nrpe commands issued by the Nagios/Icinga server must include the -n option to disable SSL.

Then save the config file to a network location as well.

4. Deploy the configuration file:

The file is deployed through the GPO Computer Configuration > Preferences > Windows Settings > Files.

Action: replace

Source: the location where the configuration file been saved: eg. \\fileserver\config\nsclient.ini

Target: the NSCP installation location, tipically C:\Program Files\NSClient++\nsclient.ini


Add Services to monitor

1. find the service name: Start > services.msc > right click the sercie, write down the name after Service name. Eg. the Domain servcies name is NTDS.


2. Edit the /usr/local/nagios/etc/objects/windows.cfg file

In this example I will add two services to monitor: Active Directory Domain services and Printer Spooler.

define service{
        use                     generic-service
        host_name               winserver
        service_description     Active Directory Domain Services
        check_command           check_nt!SERVICESTATE!-d SHOWALL -l NTDS -s mypass

define service{
        use                     generic-service
        host_name               winserver
        service_description     Printer spooler
        check_command           check_nt!SERVICESTATE!-d SHOWALL -l Spooler -s mypass
User check_ad plugin

In your Windows AD Machine :

– Install NSClient++ on the Windows AD server.
– Install the necessary plugins for check_ad in the NSClient++ directory (check_ad.exe)
– Configure, the file NSC.ini with:

command[check_ad]=C:\Program Files\NSClient++\modules\check_ad.exe --dc
command[check_ad_member]=C:\Program Files\NSClient++\modules\check_ad.exe --member

– Check that dcdiag runs on the Windows machine being checked

In your Nagios server :
– Install the NRPE plugin
– Restart Nagios
– Use this command (in the repository /usr/local/nagios/libexec) :
./check_nrpe -H @IP -c check_ad

No handler for command ‘check_ad’:

Enable the firewall on the Windows servers

No matter install it manually or via GPO, make sure below ports are enabled:

  • check_nt: 12489
  • nrpe: 5666
1.  Internal Server Error:

Use the command:

tail -30 /var/log/httpd/error_log 
[Tue Mar 21 10:42:43.785607 2017] [cgi:error] [pid 1262] [client ::1:60394] End of script output before headers: statusjson.cgi, referer: http://localhost/nagios/trends.html
[Tue Mar 21 10:42:43.789397 2017] [cgi:error] [pid 3958] [client ::1:60398] AH01215: (13)Permission denied: exec of '/usr/local/nagios/sbin/statusjson.cgi' failed, referer: http://localhost/nagios/trends.html
[Tue Mar 21 10:42:43.789431 2017] [cgi:error] [pid 3958] [client ::1:60398] End of script output before headers: statusjson.cgi, referer: http://localhost/nagios/trends.html
[Tue Mar 21 10:42:44.112605 2017] [cgi:error] [pid 4007] [client ::1:60396] AH01215: (13)Permission denied: exec of '/usr/local/nagios/sbin/avail.cgi' failed, referer: http://localhost/nagios/side.php

Note the highlighted area: Permission denied.

Then try:

sudo setenforce 0

If it works, then we need to fix the SElinux configuration. on the nagios doc it says we can use two command instead of set the permission to permissive or disabled.

 chcon -R -t httpd_sys_content_t /usr/local/nagios/sbin/
 chcon -R -t httpd_sys_content_t /usr/local/nagios/share/

But after some trying, it still need another command, Since …/nagios/sbin contains scripts, it needs script permissionts:

chcon -R -t httpd_sys_script_exec_t /usr/local/nagios/sbin/

This solution is here: by  patrickh99.

2. 500 error after login

after tail -20 /var/log/httpd/error_log

[Mon Apr 24 03:53:39.690681 2017] [core:notice] [pid 2137] AH00094: Command line: '/usr/sbin/httpd -D FOREGROUND'
[Mon Apr 24 03:53:44.112118 2017] [authn_file:error] [pid 2141] (2)No such file or directory: [client] AH01620: Could not open password file: /usr/local/nagios/etc/htpasswd.users

Then check the actual folder, the name is different:



mv /usr/local/nagios/etc/htpassword.users /usr/local/nagios/etc/htpasswd.users

then restart the nagios and httpd service, done!

3. When you click on a service and then Re-schedule the next check of this service , Got error

Error: Could not open command file '/usr/local/nagios/var/rw/nagios.cmd' for update!

The permissions on the external command file and/or directory may be incorrect. Read the FAQs on how to setup proper permissions

The probably problem is the apache and nagios is not in the nagcmd group:

use this command to verify:

$ grep nag /etc/group

Then use command sudo usermod -aG :

$ sudo usermod -aG nagcmd apache
$ sudo usermod -aG nagcmd nagios
$ grep nag /etc/group

Then change the ownership of the folder /usr/local/nagios/var/rm:

$ sudo chown nagios:nagcmd -R /usr/local/nagios/var/rw 
$ ls -l /usr/local/nagios/var/rw
total 0
prw-rw----. 1 nagios nagcmd 0 Apr 26 16:43 nagios.cmd
srw-rw----. 1 nagios nagcmd 0 Apr 26 16:43 nagios.qh

Then restart the nagios service and apache service:

$ sudo service nagios restart
Restarting nagios (via systemctl):                         [  OK  ]
$ sudo service httpd restart
Redirecting to /bin/systemctl restart  httpd.service

Go back to the web interface and have a try.

4. Check_snmp does not exist

check_snmp will get installed only if you have net-snmp and net-snmp-utils installed . So first install them.

In ubuntu:

sudo apt-get update
sudo apt-get install -y autoconf gcc libc6 libmcrypt-dev make libssl-dev wget bc gawk dc build-essential snmp libnet-snmp-perl gettext

5. connection refused

If there is a firewall sitting between the monitoring server and the target monitored server, make sure the port 5666 (nrpe), 12489 (check_nt) is permited.

6. Deal with $ sign

The service such as “MSSQL$SQLEXPRESS” has a $ sign in it, we needs to use “check_command           check_nt!SERVICESTATE!-d SHOWALL -l MSSQL$$SQLEXPRESS”

7. No performance data from command

NSClient – ERROR: No performance data from command: check_drivesize
NSClient – ERROR: No performance data from command: check_cpu
NSClient – ERROR: No performance data from command: xxxxxxxxxxxxxxxx


Internal error:

Deploy the NSCP :

Installing Nagios Plugins From Source:

Install NRPE v3 From Source: