Windows Monitoring

Transcription

Windows Monitoring: Monitoring Simplified
http://nsclient.org
How many use NSClient++?
NS-what did he say? ?#@*&%! wrong room!
How many like NSClient++?
..pdh collection thread not running…
ERROR: Missing argument exception
PdhCollectQueryData? failed: : 2147481643: No data to return.
Failed to query performance counters:
simple?
CheckEventLog file=application file=system MaxWarn=1 MaxCrit=1 "filter=generated gt -2d AND severity NOT IN ('success', 'informational') AND source != 'SideBySide'" truncate=800 unique descriptions "syntax=%severity%: %source%: %message% (%count%)"
WTF?!?!
How many saw me last year?
Boring…
Get started already!
dev, not ops
worked in ops a long time ago
work with SOA, not C/C++ or Nagios
NSClient++
Agent (passive, active, real-time)
Linux and Windows (Windows only before 0.4.0)
since 2003?
modular by design
Open source, not open core
Highly extensible
0.4.1: 2012-10-xx
0.4.2: 2013-10-xx?
0.4.3: 2014-02-xx?
is stable
one-man-band
no company
no commercial version
no paid time
Please get your a** over here and play NOW!
Sometimes I am busy
sponsoring!
donations!
support!
Thank you!
0.4.1
Sockets: ipv6, ssl (true)
Modernized: NRPE, NSCA, check_nt
New protocols: NRDP, check_mk, Graphite, syslog, smtp
Real-time checks: eventlog, logfiles
Simplified: Command line syntax
Secure monitoring
0.4.1
Build 90 (2013-02-xx)
◦ nsclient-full.ini
◦ Reload from script
◦ (re)added check_filesize (i.e. check_nt -v FILESIZE)
◦ Encoding support for NRPE
◦ New option: scan-range for CheckEventLog
◦ Various minor bug fixes
Build 96 (2013-04-xx)
◦ Reverted external script quoting issues
◦ (re)added check_fileage (i.e. check_nt -v FILEAGE)
◦ Added support for binding to both ipv6 and ipv4
◦ Various minor bug fixes
Build 102 (2013-08-xx)
◦ PDH improvements
◦ Performance data: pass through
◦ Encoding support throughout
◦ Various minor bug fixes and enhancements
0.4.2: The goals
Modern Windows support
Real-time monitoring
Simplified monitoring
Linux checks
0.4.2: The STATUS
Modern Windows support
Real-time monitoring
Simplified monitoring
Linux checks
NSCP protocol
check_xxx clients
0.4.2: Some Examples
check_os_version
check_process
check_pagefile
check_service (NO MORE PDH)
nrpe_client
0.4.3: The goals
LINUX PACKAGES
QUALITY IMPROVEMENTS
AUTO DETECTION
SCRIPTS
ADAGIOS INTEGRATION?
Filters

Level     Source   …   …
Error     Word     …   …
Error     Excel    …   …
Info      Word     …   …
Warning   Excel    …   …
Error     App1     …   …
Warning   App1     …   …
Error     App3     …   …
(filter on source or level)
Core    Load   …   …
core1   5      …   …
core2   0      …   …
core3   0      …   …
core4   5      …   …
core5   0      …   …
core6   0      …   …
Total   2      …   …

load > 10
Name          Size   …   …
Foo.txt       5k     …   …
Bar.txt       12k    …   …
Log.txt       0      …   …
Test.txt      123    …   …
Foobar.txt    1k     …   …
Testing.txt   2k     …   …
Barfoo.txt    24k    …   …

size > 10k
Name        Size   …   …
physical    8g     …   …
committed   12g    …   …
…

used > 80%
filter = (id NOT IN ('3', '4', '6', '11', '16', '23', '24', '27', '29', '36', '46', '47', '50', '56', '134', '142', '219', '267', '270', '1006', '1009', '1014', '1030', '1035', '1036', '1055', '1058', '1071', '1073', '1085', '1102', '1110', '1111', '1112', '1131', '1291', '1500', '3095', '5719', '5722', '5783', '5788', '5789', '6008', '7000', '7001', '7003', '7005', '7009', '7011', '7022', '7023', '7024', '7026', '7030', '7031', '7034', '7038', '7041', '9015', '9018', '9026', '9028', '10009', '10010', '10016', '10149', '12294', '15300', '15301', '24679', '36887', '36888', '40960', '40961', '45056') AND level IN ('error', 'warning'))
OR (id IN ('3') AND source NOT IN ('FilterManager') AND level IN ('error', 'warning'))
OR (id IN ('4') AND source NOT IN ('q57','L2ND') AND level IN ('error', 'warning'))
OR (id IN ('6') AND source NOT IN ('Security-Kerberos') AND level IN ('error', 'warning'))
OR (id IN ('11') AND source NOT IN ('Kerberos-Key-Distribution-Center') AND level IN ('error', 'warning'))
OR (id IN ('16') AND source NOT IN ('WindowsUpdateClient') AND level IN ('error', 'warning'))
OR (id IN ('23') AND source NOT IN ('Eventlog') AND level IN ('error', 'warning'))
OR (id IN ('24') AND source NOT IN ('Time-Service') AND level IN ('error', 'warning'))
OR (id IN ('27') AND source NOT IN ('Eventlog') AND level IN ('error', 'warning'))
OR (id IN ('29') AND source NOT IN ('Kerberos-Key-Distribution-Center') AND level IN ('error', 'warning'))
OR (id IN ('36') AND source NOT IN ('Time-Service') AND level IN ('error', 'warning'))
OR (id IN ('46') AND source NOT IN ('Time-Service') AND level IN ('error', 'warning'))
OR (id IN ('47') AND source NOT IN ('Time-Service') AND level IN ('error', 'warning'))
OR (id IN ('50') AND source NOT IN ('TermDD','Time-Service') AND level IN ('error', 'warning'))
OR (id IN ('56') AND source NOT IN ('TermDD') AND level IN ('error', 'warning'))
OR (id IN ('134') AND source NOT IN ('Time-Service') AND level IN ('error', 'warning'))
OR (id IN ('142') AND source NOT IN ('Time-Service') AND level IN ('error', 'warning'))
OR (id IN ('219') AND source NOT IN ('Kernel-pnp') AND level IN ('error', 'warning'))
OR (id IN ('267') AND source NOT IN ('Storage-agents') AND level IN ('error', 'warning'))
OR (id IN ('270') AND source NOT IN ('Storage-agents') AND level IN ('error', 'warning'))
OR (id IN ('1006') AND source NOT IN ('DNS Client Events','GroupPolicy') AND level IN ('error', 'warning'))
OR (id IN ('1009') AND source NOT IN ('picadm') AND level IN ('error', 'warning'))
OR (id IN ('1014') AND source NOT IN ('DNS Client Events') AND level IN ('error', 'warning'))
OR (id IN ('1030') AND source NOT IN ('GroupPolicy') AND level IN ('error', 'warning'))
OR (id IN ('1035') AND source NOT IN ('TerminalServices-RemoteConnectionManager') AND level IN ('error', 'warning'))
OR (id IN ('1036') AND source NOT IN ('TerminalServices-RemoteConnectionManager') AND level IN ('error', 'warning'))
OR (id IN ('1055') AND source NOT IN ('GroupPolicy') AND level IN ('error', 'warning'))
OR (id IN ('1058') AND source NOT IN ('GroupPolicy') AND level IN ('error', 'warning'))
OR (id IN ('1071') AND source NOT IN ('TerminalServices-RemoteConnectionManager') AND level IN ('error', 'warning'))
OR (id IN ('1073') AND source NOT IN ('USER32') AND level IN ('error', 'warning'))
OR (id IN ('1085') AND source NOT IN ('GroupPolicy') AND level IN ('error', 'warning'))
OR (id IN ('1102') AND source NOT IN ('SNMP') AND level IN ('error', 'warning'))
OR (id IN ('1110') AND source NOT IN ('GroupPolicy') AND level IN ('error', 'warning'))
OR (id IN ('1111') AND source NOT IN ('Server Agents') AND level IN ('error', 'warning'))
OR (id IN ('1112') AND source NOT IN ('GroupPolicy') AND level IN ('error', 'warning'))
OR (id IN ('1131') AND source NOT IN ('TerminalServicesRemoteConnectionManager') AND level IN ('error', 'warning'))
OR (id IN ('1291') AND source NOT IN ('NIC-agents') AND level IN ('error', 'warning'))
OR (id IN ('1500') AND source NOT IN ('SNMP') AND level IN ('error', 'warning'))
OR (id IN ('3095') AND source NOT IN ('Netlogon') AND level IN ('error', 'warning'))
OR (id IN ('5719') AND source NOT IN ('Netlogon') AND level IN ('error', 'warning'))
OR (id IN ('5722') AND source NOT IN ('Netlogon') AND level IN ('error', 'warning'))
OR (id IN ('5783') AND source NOT IN ('Netlogon') AND level IN ('error', 'warning'))
OR (id IN ('5788') AND source NOT IN ('Netlogon') AND level IN ('error', 'warning'))
OR (id IN ('5789') AND source NOT IN ('Netlogon') AND level IN ('error', 'warning'))
OR (id IN ('6008') AND source NOT IN ('Eventlog') AND level IN ('error', 'warning'))
OR (id IN ('7000') AND source NOT IN ('service control manager') AND level IN ('error', 'warning'))
OR (id IN ('7001') AND source NOT IN ('service control manager') AND level IN ('error', 'warning'))
OR (id IN ('7003') AND source NOT IN ('service control manager') AND level IN ('error', 'warning'))
OR (id IN ('7005') AND source NOT IN ('service control manager') AND level IN ('error', 'warning'))
OR (id IN ('7009') AND source NOT IN ('service control manager') AND level IN ('error', 'warning'))
OR (id IN ('7011') AND source NOT IN ('service control manager') AND level IN ('error', 'warning'))
OR (id IN ('7022') AND source NOT IN ('service control manager') AND level IN ('error', 'warning'))
OR (id IN ('7023') AND source NOT IN ('service control manager') AND level IN ('error', 'warning'))
OR (id IN ('7024') AND source NOT IN ('service control manager') AND level IN ('error', 'warning'))
OR (id IN ('7026') AND source NOT IN ('service control manager') AND level IN ('error', 'warning'))
OR (id IN ('7030') AND source NOT IN ('service control manager') AND level IN ('error', 'warning'))
OR (id IN ('7031') AND source NOT IN ('service control manager') AND strings not like 'citrix' AND level IN ('error', 'warning'))
OR (id IN ('7034') AND source NOT IN ('service control manager') AND level IN ('error', 'warning'))
OR (id IN ('7038') AND source NOT IN ('service control manager') AND level IN ('error', 'warning'))
OR (id IN ('7041') AND source NOT IN ('service control manager') AND level IN ('error', 'warning'))
OR (id IN ('9015') AND source NOT IN ('Metaframe') AND level IN ('error', 'warning'))
OR (id IN ('9018') AND source NOT IN ('Metaframe') AND level IN ('error', 'warning'))
OR (id IN ('9026') AND source NOT IN ('Metaframe') AND level IN ('error', 'warning'))
OR (id IN ('9028') AND source NOT IN ('Metaframe') AND level IN ('error', 'warning'))
OR (id IN ('10009') AND source NOT IN ('DistributedCOM') AND level IN ('error', 'warning'))
OR (id IN ('10010') AND source NOT IN ('DistributedCOM') AND level IN ('error', 'warning'))
OR (id IN ('10016') AND source NOT IN ('DistributedCOM') AND level IN ('error', 'warning'))
OR (id IN ('10149') AND source NOT IN ('WindowsRemoteManagement') AND level IN ('error', 'warning'))
OR (id IN ('12294') AND source NOT IN ('Directory-Services-SAM') AND level IN ('error', 'warning'))
OR (id IN ('15300') AND source NOT IN ('HTTPEVENT') AND level IN ('error', 'warning'))
OR (id IN ('15301') AND source NOT IN ('HTTPEVENT') AND level IN ('error', 'warning'))
OR (id IN ('24679') AND source NOT IN ('Cissesrv') AND level IN ('error', 'warning'))
OR (id IN ('36887') AND source NOT IN ('Schannel') AND level IN ('error', 'warning'))
OR (id IN ('36888') AND source NOT IN ('Schannel') AND level IN ('error', 'warning'))
OR (id IN ('40960') AND source NOT IN ('LSASRV') AND level IN ('error', 'warning'))
OR (id IN ('40961') AND source NOT IN ('LSASRV') AND level IN ('error', 'warning'))
OR (id IN ('45056') AND source NOT IN ('LSASRV') AND level IN ('error', 'warning'))
Numbers, constants etc

Key                     Safe Key   Description
=                       eq         Equals
!=                      ne         Not equals
>                       gt         Greater than
<                       lt         Less than
>=                      ge         Greater than or equal
<=                      le         Less than or equal
in (<LIST OF VALUES>)              In a given list
not in (…)                         Not in a given list
Strings

Key                     Safe Key   Description
=                       eq         Equals
!=                      ne         Not equals
>                       gt         Greater than
<                       lt         Less than
>=                      ge         Greater than or equal
<=                      le         Less than or equal
in (<LIST OF VALUES>)              In a given list
not in (…)                         Not in a given list
like                               Substring matching
regexp                             Regular expression
not like                           Opposite of like
not regexp                         Opposite of regexp
All good things are three!
Three filters: filter, warning, critical
filter selects which rows are returned; warning and critical are then evaluated against the returned rows
Display
Custom strings
Supports top-syntax and detail-syntax
detail-syntax: ${source}
top-syntax: ${list}
Result: Hello: s: App1, s: App1, s: App3
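The filter language from the operator tables above, the three-filter model (filter, warning, critical) and the detail-/top-syntax rendering, as a small Python evaluator. This is an added example and not NSClient++ code: it re-implements the semantics the slides describe (a simplification, assumed here; AND binds tighter than OR, numbers with k/m/g suffixes compare numerically, everything else compares case-insensitively), the sample rows are constructed from the slide tables, and the variables ${status} and ${problem_list} are names this example invents, with only ${list} coming from the slide.

```python
import operator, re

# Constructed sample rows mirroring the slide tables (not real data).
EVENTS = [{"level": l, "source": s} for l, s in zip(
    "Error Error Info Warning Error Warning Error".split(), "Word Excel Word Excel App1 App1 App3".split())]
FILES = [{"name": n, "size": s} for n, s in zip(
    "Foo.txt Bar.txt Log.txt Test.txt Foobar.txt Testing.txt Barfoo.txt".split(), "5k 12k 0 123 1k 2k 24k".split())]

TOKEN_RE = re.compile(r"\s*(?:(\(|\)|,|!=|>=|<=|=|>|<)|'([^']*)'|([A-Za-z_][\w-]*)"
                      r"|(\d+(?:\.\d+)?[kmg%]?))", re.I)  # op | 'string' | word | number with k/m/g/% suffix
ALIASES = {"eq": "=", "ne": "!=", "gt": ">", "lt": "<", "ge": ">=", "le": "<="}  # the "safe keys"
UNITS = {"k": 1024, "m": 1024 ** 2, "g": 1024 ** 3, "%": 1}
COMPARE = {"=": operator.eq, "!=": operator.ne, ">": operator.gt, "<": operator.lt,
           ">=": operator.ge, "<=": operator.le}

def tokenize(text):
    tokens, pos, text = [], 0, text.strip()
    while pos < len(text):
        m = TOKEN_RE.match(text, pos)
        if not m:
            raise ValueError("unexpected input at %r" % text[pos:pos + 12])
        tokens.append((("op", "str", "word", "num")[m.lastindex - 1], m.group(m.lastindex)))
        pos = m.end()
    return tokens

class Parser:  # recursive descent: OR of ANDs of comparisons, with parentheses
    def __init__(self, text):
        self.toks, self.i = tokenize(text), 0
    def peek(self, kind=None, val=None):  # current token's text if it matches kind/val, else None
        k, v = self.toks[self.i] if self.i < len(self.toks) else (None, None)
        return None if k is None or (kind and k != kind) or (val and v.lower() != val) else v
    def take(self, kind=None, val=None):  # consume the current token, which must match
        if self.peek(kind, val) is None:
            raise ValueError("expected %s %r at token %d" % (kind, val, self.i))
        self.i += 1
        return self.toks[self.i - 1][1]
    def expr(self, ops=("or", "and")):  # left-associative chains; AND binds tighter than OR
        operand = (lambda: self.expr(ops[1:])) if len(ops) > 1 else self.factor
        node = operand()
        while self.peek("word", ops[0]):
            self.take()
            node = (ops[0], node, operand())
        return node
    def factor(self):  # '(' expr ')' | key [NOT] op value | key [NOT] IN '(' v1, v2, ... ')'
        if self.peek("op", "("):
            self.take()
            node = self.expr()
            self.take("op", ")")
            return node
        key, negate = self.take("word"), self.peek("word", "not") is not None
        if negate:
            self.take()
        op = self.take("word").lower() if self.peek("word") else self.take("op")
        op = ALIASES.get(op, op)
        if op == "in":
            node = ("in", key, [])
            while self.take("op") != ")":  # consumes '(' first, then each ',' up to the ')'
                node[2].append(self.take())
        elif op in ("like", "regexp") or op in COMPARE:
            node = (op, key, self.take())
        else:
            raise ValueError("unknown operator %r" % op)
        return ("not", node) if negate else node

def coerce(left, right):  # numbers (k/m/g/% suffix allowed) compare numerically, text case-insensitively
    nums = [re.fullmatch(r"(\d+(?:\.\d+)?)([kmg%]?)", str(v).strip(), re.I) for v in (left, right)]
    if all(nums):
        return tuple(float(m.group(1)) * UNITS.get(m.group(2).lower(), 1) for m in nums)
    return str(left).lower(), str(right).lower()

def evaluate(node, row):
    kind, *args = node
    if kind in ("and", "or"):
        left, right = evaluate(args[0], row), evaluate(args[1], row)
        return (left and right) if kind == "and" else (left or right)
    if kind == "not":
        return not evaluate(args[0], row)
    key, val = args
    actual = str(row.get(key, ""))
    if kind == "in":
        return any(COMPARE["="](*coerce(actual, v)) for v in val)
    if kind in ("like", "regexp"):  # like is substring matching, as the slide defines it
        return val.lower() in actual.lower() if kind == "like" else bool(re.search(val, actual, re.I))
    return COMPARE[kind](*coerce(actual, val))

def select(rows, expr):  # rows matching a filter; 'none' (or empty) is a filter that matches nothing
    if not expr or expr.strip().lower() == "none":
        return []
    node = Parser(expr).expr()
    return [r for r in rows if evaluate(node, r)]

def render(template, values):  # ${var} substitution for detail-syntax and top-syntax
    return re.sub(r"\$\{(\w+)\}", lambda m: str(values.get(m.group(1), "")), template)

def run_check(rows, filter_expr, warning_expr="none", critical_expr="none",
              detail_syntax="${source}", top_syntax="${list}"):
    # Three-filter model: 'filter' selects rows, then 'critical' and 'warning' see only those rows.
    selected = select(rows, filter_expr)
    crit = select(selected, critical_expr)
    warn = [r for r in select(selected, warning_expr) if not any(r is c for c in crit)]
    status = "CRITICAL" if crit else "WARNING" if warn else "OK"
    values = {"status": status, "list": ", ".join(render(detail_syntax, r) for r in selected),
              "problem_list": ", ".join(render(detail_syntax, r) for r in crit + warn)}
    return status, render(top_syntax, values)
```

With the slide's Display settings, `run_check(EVENTS, "source like 'App'", "level = 'warning'", "level = 'error'", "s: ${source}", "Hello: ${list}")` returns `("CRITICAL", "Hello: s: App1, s: App1, s: App3")`, and `select(FILES, "size > 10k")` returns the Bar.txt and Barfoo.txt rows from the size table. The point to take from it is that the warning and critical expressions never see rows the filter dropped, so a too-narrow filter silently hides problems while a too-wide one makes the thresholds noisy.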
check_pagefile "filter=name = 'total
check_uptime "warn=uptime > "crit=uptime >
check_process process=explorer.exe "warn=working_set > 70m" "detail-syntax=${exe} ws:${working_set}, handles: ${handles}, user time:${user
Simple?
Let me guess: this all seems like a lot of typing!
Sensible defaults!
check_cpu
Just works!
Real-time monitoring
Active monitoring!
Monitoring Server (Nagios) -> Monitored Server (Windows): check_cpu, check_mem, check_uptime, check_eventlog, check_updates, ...
Passive monitoring!
Monitored Server (Windows) -> Monitoring Server (Nagios): check_cpu, check_mem, check_uptime, check_eventlog, check_updates, ...
Real-time monitoring!
Monitored Server (Windows) -> Monitoring Server (Nagios): "Error detected in eventlog" / "Everything is ok"
Zero overhead log-file checks
Composite checks
Stateful monitoring
Adaptive thresholds?
Correlation (CEP)
But how about graphing?
Two options:
1. store/fetch from cache
2. submit passively, but not to Nagios!
Simple, Native, Secure, Fast, Lightweight
A work in progress
check_service computer=192.168.0.1
check_disk drive=\\192.168.0.1\c$
check_task_sched computer=192.168.0.1
check_wmi computer=192.168.0.1
Lightweight remote-deployable agent
Similar to psexec
check_cpu, check_memory, check_process
External scripts!
MONITORING SIMPLIFIED?
simple?
CheckEventLog file=application file=system MaxWarn=1 MaxCrit=1 "filter=generated gt -2d AND severity NOT IN ('success', 'informational') AND source != 'SideBySide'" truncate=800 unique descriptions "syntax=%severity%: %source%: %message% (%count%)"
simple?
check_eventlog
THANK YOU!
Photo by Olga Berrios
Most images taken by me whilst visiting the INTREPID
Information about NSClient++
http://nsclient.org
facebook.com/nsclient
Slides, and examples
http://nsclient.org/nscp/conferances/nwc/2013/
My Blog
http://blog.medin.name
