What's Changed

NSClient++ 0.11.33 Release Notes

Changes since 0.11.32 (commit 06be00cc).

This release is focused on two user-facing areas:

1. HTTP proxy support for every HTTP-based client (NRDPClient, ElasticClient, Op5Client, the configuration loader, ...).
2. CheckDisk improvements — a new check_single_file command plus five long-standing check_files bug fixes.

HTTP proxy support

NSClient++ can now route HTTP and HTTPS traffic through a corporate proxy. The same configuration surface is used by every component that builds on the internal http::simple_client (NRDPClient, ElasticClient, Op5Client, the remote boot.ini loader, ...).

For HTTPS targets the client opens a CONNECT tunnel to the proxy, validates the proxy's response, and only then performs the TLS handshake — so a single setting covers both http:// and https:// URLs.

Per-target proxy on submit (NRDP, Elastic, Op5)

Two new options are accepted on every HTTP client command and target:

Example — submit an NRDP check through a corporate proxy, but never proxy intranet hosts:

nscp client --module NRDPClient --query submit_nrdp \
    --host nagios.example.com --token mytoken \
    --proxy http://alice:s%40cret@proxy.corp.example:3128/ \
    --no-proxy localhost,127.0.0.1,.internal \
    --command check_disk --result OK --message "All disks healthy"

The same keys are accepted in nsclient.ini target definitions:

[/settings/NRDP/client/targets/nagios]
address = https://nagios.example.com/nrdp/
token = mytoken
proxy = http://proxy.corp.example:3128/
no proxy = localhost,127.0.0.1,.internal

Notes:

• If the proxy needs authentication, embed credentials in the URL — they are sent as Proxy-Authorization: Basic. Both @ and : inside the username/password must be percent-encoded (alice:s%40cret decodes to alice:s@cret).
• Bypass matching is case-insensitive. .internal matches both foo.internal and internal.
• On a 407 Proxy Authentication Required the proxy's response body is now captured in the error message, so misconfigured credentials produce an actionable error instead of an opaque "connect failed".

Proxy for the configuration loader

If boot.ini itself lives behind a proxy, configure it in boot.ini:

[proxy]
url = http://proxy.corp.example:3128/
no_proxy = localhost,127.0.0.1,.internal

The proxy is applied to the initial configuration download, every refresh, and any attachments declared in the remote configuration. HTTPS targets are tunnelled via CONNECT, so the same setting covers http:// and https:// settings URLs.

> Failed downloads still fall back to the cached copy of the configuration if one is present, so a transient proxy > outage will not stop NSClient++ from starting — but the very first run on a fresh machine needs the proxy to be > reachable.

What is not included

• Only the http:// proxy scheme is supported. socks5:// / https:// proxies are not.
• No automatic detection of system proxy settings (HTTP_PROXY env vars, WinINET / WPAD). The proxy must be configured explicitly.

CheckDisk: new command check_single_file

check_single_file is a focused variant of check_files for inspecting a single, known path. Compared to using check_files for the same job it has:

• Only one required argument (file=) — no path + pattern, no max-depth, no total.
• A clear error when the input is empty (No file specified (use file=)).
• UNKNOWN: File not found: when the file is missing — instead of the empty-set / "No files found" workflow that surprised users in #613.
• A useful default detail-syntax (%(filename) (size=%(size), age=%(age))) so a no-threshold run is informative on its own.

All existing filter keywords (size, age, written, version, line_count, type, ...) work, because the implementation reuses the existing check_files filter machinery.

Examples

Confirm a file exists:

check_single_file file=C:/Windows/System32/notepad.exe
OK: notepad.exe (size=201728, age=12345)

Warn when a file becomes stale:

check_single_file file=C:/windows/WindowsUpdate.log "warn=age > 5m" "crit=age > 1h"
CRITICAL: WindowsUpdate.log (size=276, age=917)

Pin a specific binary version:

check_single_file file="C:/Windows/System32/notepad.exe" \
    "crit=version != '1.2.3.4'" \
    "detail-syntax=%(filename): %(version)"
CRITICAL: notepad.exe: 6.2.26100.8115

CheckDisk: check_files bug fixes

730 — max-depth=0 is now "top directory only"

Previously max-depth=0 caused check_files to bail out before scanning anything, returning no files found for users who simply asked for a non-recursive scan. It is now equivalent to max-depth=1 (scan the top directory, do not recurse). max-depth=N for N >= 1 is unchanged, so this is not a breaking change for existing configurations.

check_files path=C:/logs pattern=*.log max-depth=0

598 — Non-ASCII paths now work

> Beware that this is still tricky to get right if you are checking from linux via for instance NRPE.

Recursive scanning previously called GetFileAttributes through boost::filesystem's system codepage conversion while every other Win32 call in the same scan went through UTF-8 conversion. Paths containing accented letters, CJK characters, etc. were silently mangled and reported as File was NOT found even when they existed. They now work consistently.

613 — Missing paths surface as UNKNOWN

If the path passed to check_files could not be opened (typo, deleted directory, permission denied) the failure was previously hidden behind the configured empty-state — typically OK or a generic No files found. Operators monitoring file/folder counts therefore got a green status for misconfigured paths.

Top-level paths that cannot be opened now produce an explicit UNKNOWN: Path was not found:, so the failure is visible in the monitoring system.

605 — Reparse points are skipped during recursion

NTFS junctions, symlinks and mount points all look like directories, so a tree containing a junction back into itself was walked twice and files were counted twice. check_files now skips entries whose attributes contain FILE_ATTRIBUTE_REPARSE_POINT when recursing — the same default as Windows tools like robocopy /XJ. Files matched in the top-level pass are unaffected.

717 — Legacy CheckFiles defaults empty-state=ok

The legacy CheckFiles shim translates old-style arguments (path, pattern, MaxWarn, MaxCrit, …) into modern check_files arguments. Modern check_files defaults empty-state to unknown, which meant a legacy command that found zero files came back as UNKNOWN even though the original 0.4-era behaviour was to return OK. The shim now sets empty-state=ok when translating, restoring the legacy semantics.

Other changes

• Numerous small clean-ups across CheckSystem, CheckSystemUnix, CheckNet, NRDPClient, Op5Client, ElasticClient and the WEB server — internal only, no behaviour change.
• New unit test infrastructure for the settings layer (settings_dummy_test, settings_http_test, settings_ini_test, settings_interface_impl_test) and 100+ new tests around the HTTP client / proxy code paths.
• Linux build is back to green after the proxy work.

Upgrade notes

• No configuration migration is required. All new keys (proxy, no-proxy, the [proxy] boot.ini section) are opt-in.
• The check_files fixes change observable behaviour in a few corner cases:
  • max-depth=0 now scans the top directory instead of returning empty (#730).
  • Missing paths now return UNKNOWN instead of OK/empty (#613).
  • Junction loops are no longer double-counted (#605).
  • Legacy CheckFiles calls that previously returned UNKNOWN on empty results will now return OK (#717). If any existing alerting was relying on the old behaviour of these specific corner cases, review it before upgrading.

Full Changelog: https://github.com/mickem/nscp/compare/0.11.32...0.11.33

What's Changed

This release is focused on three things:

1. More built-in checks – a real check_net family, a real Windows registry checker, and real-time metrics on Linux.
2. A much nicer Web UI – modern theme, filtering, settings diff dialog and a proper dashboard.
3. A large documentation overhaul – restructured manual, every command has a samples page, and the HTTP client used by the Op5/Elastic clients has been modernized.

✨ New features

CheckSystem (Windows) – registry checks

Two new commands let you monitor the Windows registry directly from NSClient++ instead of relying on external scripts. They support recursion, exclude lists, 32/64-bit (WoW64) views, custom filters and the usual warn=/crit= expression syntax.

• check_registry_key – verify that a key exists, count sub-keys/values, watch its last-write time.
• check_registry_value – read a single value (or enumerate all values under a key), assert its type, size or content.

Examples:

# Just verify a key exists (default crit = "not exists")
check_registry_key "key=HKLM\Software\Microsoft\Windows NT\CurrentVersion"
OK: All 1 registry key(s) are ok.

# Watchdog: alert when the key has not been written for over 30 days
check_registry_key "key=HKLM\Software\NSClient" \
    "warn=age > 7d" "crit=age > 30d or not exists"

# Recursive enumeration of every immediate sub-key, with exclusions
check_registry_key "key=HKLM\Software\Microsoft\Windows\CurrentVersion\Uninstall" \
    recursive max-depth=1 exclude=KB5005463 exclude=KB5005539

# Type assertion on a single value
check_registry_value "key=HKLM\Software\NSClient" value=InstallVersion \
    "crit=type != 'REG_SZ' or not exists"

# Numeric DWORD comparison
check_registry_value "key=HKLM\System\CurrentControlSet\Services\W32Time\Config" \
    value=MaxPollInterval "warn=int_value > 14" "crit=int_value > 17"

# Force the 32-bit (WoW64) view
check_registry_key "key=HKLM\Software\NSClient" view=32

CheckNet – five new (cross-platform) checks

CheckNet has graduated from a placeholder into a full network-check module. Five new commands have been added, all using the new internal http::simple_client and all unit-tested:

• check_tcp – open a TCP socket to one or more host/port pairs, optionally send a payload and require an expected substring.
• check_dns – resolve a hostname and optionally assert which addresses come back.
• check_http – fetch one or more URLs, check status code, response time and body content; supports custom headers and user-agent.
• check_ntp_offset – query one or more NTP servers and alert on offset / stratum.
• check_connections – Windows-side TCP/UDP connection table inspection (counts per protocol/family/state).

Examples:

# Single host TCP probe
check_tcp host=127.0.0.1 port=8443

# Multiple hosts in one call
check_tcp host=www.google.com host=www.ibm.com port=443 timeout=2000

# SMTP banner check (send + expect)
check_tcp host=smtp.gmail.com port=25 send="EHLO nsclient.org" expect="250"

# DNS resolution with expected address
check_dns host=google.com expected-address=172.217.20.174

# HTTP with body match and tighter latency thresholds
check_http url=https://nsclient.org/ expected-body="NSClient" \
    "warn=time > 500 or code >= 400" \
    "crit=time > 2000 or code >= 500 or result != 'ok'"

# NTP offset against multiple servers
check_ntp_offset "servers=0.pool.ntp.org,1.pool.ntp.org,2.pool.ntp.org" timeout=2000

# Alert on too many sockets stuck in TIME_WAIT
check_connections "filter=protocol = 'tcp' and state = 'TIME_WAIT'" \
    "warn=count > 200" "crit=count > 1000"

All five also work over NRPE, e.g.:

check_nscp_client --host 192.168.56.103 --command check_http \
    --argument "url=https://nsclient.org/"

CheckSystem (Linux) – real-time metrics

The Linux build of CheckSystem now ships with the same real-time metric collection that has been available on Windows for a long time: CPU, memory, disk, network and load are sampled in the background and exposed both to dashboards/metrics and to real-time filters (filter=... rules that fire when a threshold is crossed).

No new commands are exposed by name – existing real-time filter configuration just works on Linux now.

Web UI – refresh

The bundled web interface has been heavily reworked:

• Modern theme with active-navigation highlighting and a redesigned login page.
• Filterable lists for Modules, Queries and Settings.
• Settings diff dialog – the "settings changed" widget can now show exactly which keys changed.

🐛 Fixes / smaller improvements

• Op5Client: fixed a 401 path and several reponse → response typos.
• Unified the various http clients meaning Op5Client and ElasticClient should now work better.

📚 Documentation

The documentation has had its biggest pass in years:

• Restructured manual – concepts/, checks-in-depth/, scenarios/, tutorial/ and reference/ are now clearly separated; mkdocs navigation rebuilt accordingly.
• New scenario guides: disk space, event log, external scripts, network checks, passive monitoring, service monitoring, Windows server health.
• New "checks in depth" pages: filters, performance data, syntax, thresholds.
• Rewritten REST API reference (info, login, modules, queries).
• **Many commands now has samples with copy-pasteable examples and expected output, including all new commands listed above.

⚠️ Upgrade notes

• The documentation tree was reorganized; bookmarks/links might not be valid.

Full Changelog: https://github.com/mickem/nscp/compare/0.11.31...0.11.32

What's Changed

New Check: check_os_updates

Added check_os_updates command to CheckSystem (Windows) utilizing WUA and CheckSystemUnix to monitor pending operating system updates.

check_os_updates

If there are any pending updates, this will return a warning state by default (because the default warning filter is count > 0).

Checking for critical updates

Often, you only want to be alerted if there are security or critical updates missing. You can configure this using the warning and critical filters:

check_os_updates "warning=important > 0" "critical=security > 0 or critical > 0"

Improvements

• CheckDisk Resilience: Improved check_drivesize resilience. An error on a single unavailable volume will no longer abort the entire check, allowing other volumes to still be checked successfully.
• CPU Monitoring Documentation: Updated documentation and added detailed documentation for check_cpu time.
• TLS Support: Fixed issues related to TLS support.
• Security Enhancements: Addressed multiple security issues including better randomness for encryption, fixing race conditions, adding boundary checks for various network payloads and reading certificates.
• NRDP Integration: Added NRDP integration tests and a shorthand nrdp client alias for easier configuration.
• Gracefully handled non-numeric NSClient command codes.

Full Changelog: https://github.com/mickem/nscp/compare/0.11.30...0.11.31