NSClient

NSClient++

Release 0.11.30

check_eventlog fixes and linux packages

CheckEventLog

  • New opcode filter keyword. You can now filter Windows event log entries on the event opcode, in addition to the existing fields (e.g. filter=opcode = 'Info').
  • Filter expressions: regex and in operators now work with numbers. Numeric fields such as id, level, task, etc. can now be matched using regular expressions and the in (...) operator, not just string fields.
  • Fixed scan-range. The scan-range option in check_eventlog now correctly limits the scanned time window again.
  • Fixed event ID matching issue. Event IDs are now interpreted and compared correctly in filter expressions; previous releases could mismatch certain IDs.
  • Eventlog integration tests are run again as part of the acceptance test suite.

Linux / ARM packages

  • New ARM64 (aarch64) builds and release artifacts are now produced for Linux:
    • Ubuntu 24.04: NSCP--ubuntu-24.04-arm64.deb and check_nsclient--ubuntu-24.04-arm64
    • Rocky Linux 9 and 10: NSCP--rocky-9-aarch64.rpm, NSCP--rocky-10-aarch64.rpm and matching check_nsclient binaries.

Full Changelog: https://github.com/mickem/nscp/compare/0.11.29...0.11.30

nscp-0.11.30.tar.gz

Release tarball
application/gzip 2026-04-27 Download from Github

check_nsclient-0.11.30-rocky-10-arm64

raw 2026-04-27 Download from Github

check_nsclient-0.11.30-rocky-10-x64

raw 2026-04-27 Download from Github

check_nsclient-0.11.30-rocky-9-arm64

raw 2026-04-27 Download from Github

check_nsclient-0.11.30-rocky-9-x64

raw 2026-04-27 Download from Github

check_nsclient-0.11.30-ubuntu-24.04-arm64

raw 2026-04-27 Download from Github

check_nsclient-0.11.30-ubuntu-24.04-x64

raw 2026-04-27 Download from Github

check_nsclient-0.11.30-Win32.exe

raw 2026-04-27 Download from Github

check_nsclient-0.11.30-x64.exe

raw 2026-04-27 Download from Github

NSCP-0.11.30-docs.zip

raw 2026-04-27 Download from Github

NSCP-0.11.30-rocky-10-aarch64.rpm

raw 2026-04-27 Download from Github

NSCP-0.11.30-rocky-10-x86_64.rpm

raw 2026-04-27 Download from Github

NSCP-0.11.30-rocky-9-aarch64.rpm

raw 2026-04-27 Download from Github

NSCP-0.11.30-rocky-9-x86_64.rpm

raw 2026-04-27 Download from Github

NSCP-0.11.30-ubuntu-24.04-amd64.deb

raw 2026-04-27 Download from Github

NSCP-0.11.30-ubuntu-24.04-arm64.deb

raw 2026-04-27 Download from Github

NSCP-0.11.30-Win32-legacy-xp.msi

raw 2026-04-27 Download from Github

NSCP-0.11.30-Win32-legacy-xp.zip

raw 2026-04-27 Download from Github

NSCP-0.11.30-Win32.msi

raw 2026-04-27 Download from Github

NSCP-0.11.30-Win32.zip

raw 2026-04-27 Download from Github

NSCP-0.11.30-x64.msi

raw 2026-04-27 Download from Github

NSCP-0.11.30-x64.zip

raw 2026-04-27 Download from Github

Release 0.11.29

New system checks

New checks:

This release adds three new checks.

check_battery

Monitor battery status on Windows laptops and mobile devices. This command provides comprehensive battery health and status information using both the Windows Power API and WMI.

  • Charge Level Monitoring: Track battery charge percentage with warning/critical thresholds
  • Power Source Detection: Determine if system is running on AC or battery power
  • Battery Health: Calculate battery health as a percentage of design capacity
  • Status Tracking: Monitor charging, discharging, critical, low, and high states
  • Time Remaining: Estimate remaining battery life when on battery power
  • Detailed Metrics: Access charge/discharge rates and capacity information via WMI

Basic battery check with default thresholds (warn < 20%, crit < 10%):

check_battery
OK: system: 85% (ac, charging)

Check if battery charge is above 50%:

check_battery "warn=charge < 50" "crit=charge < 25"
OK: system: 85% (ac, charging)

Alert if running on battery power:

check_battery "warn=power_source = 'battery'"
WARNING: system: 72% (battery, discharging)

Show detailed battery information:

check_battery "detail-syntax=${name}: ${charge}% (${power_source}, ${status}, health: ${health}%, time: ${time_remaining}s)"
OK: system: 85% (ac, charging, health: 95%, time: -1s)

check_process_history

Track all processes that have been seen running since NSClient++ started. This command maintains a history of process executions, allowing you to verify that certain processes have (or haven't) run.

  • Process Tracking: Records every unique process seen since service start
  • Execution Counting: Tracks how many times each process has started
  • Timestamp Recording: Records first and last seen timestamps
  • Current State: Shows whether each process is currently running
  • Selective Filtering: Check specific processes by name

Use Cases

  • Compliance Monitoring: Verify that backup software, antivirus scanners, or other required applications have run
  • Security Auditing: Detect if unauthorized applications have been executed
  • SLA Verification: Confirm that scheduled maintenance tasks have executed

> As checking processes is expensive it is disabled by default.
> You need to enable it by setting:
>
> [/settings/system/windows]
> process history=true

List all processes in history:

Check if a specific backup application has run:

check_process_history --process backup.exe "warn=times_seen = 0" "crit=times_seen = 0"
CRITICAL: backup.exe (false) - never seen running

Check if a process is currently running:

check_process_history --process important-service.exe "crit=running = 'false'"
CRITICAL: important-service.exe (false) - not currently running

Alert if a forbidden application has ever run:

check_process_history --process forbidden-game.exe "warn=times_seen > 0"
WARNING: forbidden-game.exe (seen 3 times, not running)

Show detailed history for a process:

check_process_history --process notepad.exe "detail-syntax=${exe}: first=${first_seen}, last=${last_seen}, count=${times_seen}, running=${running}"
OK: notepad.exe: first=2026-04-06 08:15:32, last=2026-04-06 14:22:45, count=5, running=false

check_process_history_new

Detect processes that have been started recently within a configurable time window. This is useful for security monitoring to detect unexpected process launches.

  • Time-Based Detection: Find processes first seen within a configurable window
  • Flexible Time Windows: Support for seconds (s), minutes (m), hours (h)
  • Security Focused: Ideal for detecting new/unexpected process launches

Use Cases

  • Security Monitoring: Detect newly launched processes that might indicate compromise
  • Change Detection: Monitor for new software installations or unauthorized programs
  • Incident Response: Identify what processes started around the time of an incident

> As checking processes is expensive it is disabled by default.
> You need to enable it by setting:
>
> [/settings/system/windows]
> process history=true

Check for any new processes in the last 5 minutes (default):

check_process_history_new
OK: No new processes found.

Check for new processes in the last hour:

check_process_history_new --time 1h
WARNING: suspicious.exe (first seen: 2026-04-06 14:15:32)

Check for new processes with detailed output:

check_process_history_new --time 30m "detail-syntax=${exe} started at ${first_seen} (running: ${running})"
OK: updater.exe started at 2026-04-06 14:10:00 (running: false)

> Beware that depending on if you are looking for wanted or unwanted processes you likely want to change empty-state to ok, or critical.
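
An added example (not part of the NSClient++ release notes or project code) of triaging check_process_history_new output on the monitoring side against a site allowlist, optionally narrowed to a window around an incident time. It assumes a pipe-delimited detail-syntax built from the ${exe}, ${first_seen} and ${running} keywords shown above and that entries in the status line are joined with ", "; the allowlist and the sample line are constructed.

```python
import re
from datetime import datetime, timedelta

# Constructed sample of plugin output. Assumes the check was called as
#   check_process_history_new --time 1h "detail-syntax=${exe}|${first_seen}|${running}"
# and that entries in the status line are joined with ", " (an assumption).
SAMPLE = ("WARNING: updater.exe|2026-04-06 14:10:00|false, "
          "suspicious.exe|2026-04-06 14:15:32|true")

# Hypothetical site baseline of executables expected to start on this host.
ALLOWLIST = {"updater.exe", "backup.exe"}

ENTRY = re.compile(r"^(?P<exe>[^|]+)\|"
                   r"(?P<first>\d{4}-\d\d-\d\d \d\d:\d\d:\d\d)\|"
                   r"(?P<running>true|false)$")

def parse(line):
    """Split 'STATUS: exe|time|running, ...' into (status, [entry dicts])."""
    status, _, body = line.partition(": ")
    entries = []
    for chunk in body.split(", "):
        m = ENTRY.match(chunk.strip())
        if not m:
            continue  # e.g. the "No new processes found." message
        entries.append({
            "exe": m["exe"].lower(),
            "first_seen": datetime.strptime(m["first"], "%Y-%m-%d %H:%M:%S"),
            "running": m["running"] == "true",
        })
    return status, entries

def triage(line, allowlist, incident=None, window=timedelta(minutes=10)):
    """Return (exit_code, unexpected entries) using Nagios exit codes."""
    _, entries = parse(line)
    unexpected = [e for e in entries if e["exe"] not in allowlist]
    if incident is not None:
        # Keep only processes first seen close to the incident time.
        unexpected = [e for e in unexpected
                      if abs(e["first_seen"] - incident) <= window]
    if not unexpected:
        return 0, []
    # An unknown process that is still running is more urgent than one that exited.
    code = 2 if any(e["running"] for e in unexpected) else 1
    return code, unexpected

if __name__ == "__main__":
    code, hits = triage(SAMPLE, ALLOWLIST)
    for h in hits:
        print(code, h["exe"], h["first_seen"].isoformat(sep=" "), h["running"])
```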

check_service overhaul

Fixed a reported bug as well as overhauled the check with some new features and modernized the checks.

> This is technically a breaking change, in that it will classify some services as "ok" which were not before.
> But I doubt that anyone relied on the default checking of all services.

  • state_is_perfect() now treats auto-start services with triggers as OK when stopped (trigger-start services legitimately remain stopped until their trigger fires)
  • state_is_ok() now treats auto-start services with triggers as OK when stopped (same as delayed services were already treated)
  • state_is_ok() now treats auto-start services that stopped with exit code 0 as OK (services like WslInstaller that start, complete their task, and stop cleanly no longer trigger CRITICAL)
    • Added new filter keyword 'exit_code' exposing the Win32 exit code of a service. Allows users to write custom filters like 'exit_code != 0' to detect failed services
    • Improved error logging in trigger detection. fetch_triggers() previously swallowed all errors silently; now logs unexpected failures
    • check_service: Updated service classification list for Windows 11 24H2 / Server 2025
    • Added modern services: WslInstaller, WaaSMedicSvc, UsoSvc, DoSvc, CoreMessagingRegistrar, SecurityHealthService, SystemEventsBroker, vmcompute, HNS, sshd, LxssManager, and others
    • Removed obsolete services no longer present in modern Windows: Browser, NtFrs, IISADMIN, TlntSvr, napagent, IEEtwCollectorService, UI0Detect, SMTPSVC, aspnet_state, and others
    • Reclassified: COMSysApp (essential → ignored), SystemEventsBroker (supporting → system), WerSvc/wercplsupport (role → ignored)
    • Fixed casing: Eventsystem → EventSystem, systemEventsBroker → SystemEventsBroker
  • Changed default detail-syntax to include exit_code. From ${name}=${state} (${start_type}) into ${name}=${state}, exit=%(exit_code), type=%(start_type)
  • Removed warning messages for excluded services. If a service is excluded we will not try to enumerate it.

Also improves debugging filters a bit:

  • Improved how expressions are rendered when using debug
  • Fixed issue with type resolution for "unary functions" i.e. not( something ). Before it would fail to parse the expression with an error.

Full Changelog: https://github.com/mickem/nscp/compare/0.11.28...0.11.29

nscp-0.11.29.tar.gz

Release tarball
application/gzip 2026-04-07 Download from Github

check_nsclient-0.11.29-rocky-10-x64

raw 2026-04-06 Download from Github

check_nsclient-0.11.29-rocky-9-x64

raw 2026-04-06 Download from Github

check_nsclient-0.11.29-ubuntu-24.04-x64

raw 2026-04-06 Download from Github

check_nsclient-0.11.29-Win32.exe

raw 2026-04-06 Download from Github

check_nsclient-0.11.29-x64.exe

raw 2026-04-06 Download from Github

NSCP-0.11.29-docs.zip

raw 2026-04-06 Download from Github

NSCP-0.11.29-rocky-10-amd64.rpm

raw 2026-04-06 Download from Github

NSCP-0.11.29-rocky-9-amd64.rpm

raw 2026-04-06 Download from Github

NSCP-0.11.29-ubuntu-24.04-amd64.deb

raw 2026-04-06 Download from Github

NSCP-0.11.29-Win32-legacy-xp.msi

raw 2026-04-06 Download from Github

NSCP-0.11.29-Win32-legacy-xp.zip

raw 2026-04-06 Download from Github

NSCP-0.11.29-Win32.msi

raw 2026-04-06 Download from Github

NSCP-0.11.29-Win32.zip

raw 2026-04-06 Download from Github

NSCP-0.11.29-x64.msi

raw 2026-04-06 Download from Github

NSCP-0.11.29-x64.zip

raw 2026-04-06 Download from Github

Release 0.11.28

What's Changed

check_service overhaul

Fixed a reported bug as well as overhauled the check with some new features and modernized the checks.

> This is technically a breaking change, in that it will classify some services as "ok" which were not before.
> But I doubt that anyone relied on the default checking of all services.

  • state_is_perfect() now treats auto-start services with triggers as OK when stopped (trigger-start services legitimately remain stopped until their trigger fires)
  • state_is_ok() now treats auto-start services with triggers as OK when stopped (same as delayed services were already treated)
  • state_is_ok() now treats auto-start services that stopped with exit code 0 as OK (services like WslInstaller that start, complete their task, and stop cleanly no longer trigger CRITICAL)
    • Added new filter keyword 'exit_code' exposing the Win32 exit code of a service. Allows users to write custom filters like 'exit_code != 0' to detect failed services
    • Improved error logging in trigger detection. fetch_triggers() previously swallowed all errors silently; now logs unexpected failures
    • check_service: Updated service classification list for Windows 11 24H2 / Server 2025
    • Added modern services: WslInstaller, WaaSMedicSvc, UsoSvc, DoSvc, CoreMessagingRegistrar, SecurityHealthService, SystemEventsBroker, vmcompute, HNS, sshd, LxssManager, and others
    • Removed obsolete services no longer present in modern Windows: Browser, NtFrs, IISADMIN, TlntSvr, napagent, IEEtwCollectorService, UI0Detect, SMTPSVC, aspnet_state, and others
    • Reclassified: COMSysApp (essential → ignored), SystemEventsBroker (supporting → system), WerSvc/wercplsupport (role → ignored)
    • Fixed casing: Eventsystem → EventSystem, systemEventsBroker → SystemEventsBroker
  • Changed default detail-syntax to include exit_code. From ${name}=${state} (${start_type}) into ${name}=${state}, exit=%(exit_code), type=%(start_type)
  • Removed warning messages for excluded services. If a service is excluded we will not try to enumerate it.

Also improves debugging filters a bit:

  • Improved how expressions are rendered when using debug
  • Fixed issue with type resolution for "unary functions" i.e. not( something ). Before it would fail to parse the expression with an error.

Full Changelog: https://github.com/mickem/nscp/compare/0.11.27...0.11.28

nscp-0.11.28.tar.gz

Release tarball
application/gzip 2026-04-03 Download from Github

check_nsclient-0.11.28-rocky-10-x64

raw 2026-04-03 Download from Github

check_nsclient-0.11.28-rocky-9-x64

raw 2026-04-03 Download from Github

check_nsclient-0.11.28-ubuntu-24.04-x64

raw 2026-04-03 Download from Github

check_nsclient-0.11.28-Win32.exe

raw 2026-04-03 Download from Github

check_nsclient-0.11.28-x64.exe

raw 2026-04-03 Download from Github

NSCP-0.11.28-docs.zip

raw 2026-04-03 Download from Github

NSCP-0.11.28-rocky-10-amd64.rpm

raw 2026-04-03 Download from Github

NSCP-0.11.28-rocky-9-amd64.rpm

raw 2026-04-03 Download from Github

NSCP-0.11.28-ubuntu-24.04-amd64.deb

raw 2026-04-03 Download from Github

NSCP-0.11.28-Win32-legacy-xp.msi

raw 2026-04-03 Download from Github

NSCP-0.11.28-Win32-legacy-xp.zip

raw 2026-04-03 Download from Github

NSCP-0.11.28-Win32.msi

raw 2026-04-03 Download from Github

NSCP-0.11.28-Win32.zip

raw 2026-04-03 Download from Github

NSCP-0.11.28-x64.msi

raw 2026-04-03 Download from Github

NSCP-0.11.28-x64.zip

raw 2026-04-03 Download from Github