Nagios Plugin for Windows Security Updates

Of late I’ve started to use Nagios more and more. Looking at the various plugins available I came across some plugins which were supposed to check for missing Windows Updates. I found most of them to be quite blunt with the exception of the setup over at Frank4dd. However I just wanted a plugin to monitor a single server and Frank’s setup was a bit too big for my needs. I was also interested in writing plugins for Nagios mostly to see what is needed to make it work.

I ended up writing a script which runs locally on a Windows machine. In my setup I’ve installed NSClient++ on the Windows machine. Nagios calls the NRPE part of NSClient++ which in turn runs the VBScript I wrote.

The script check_available_updates.vbs queries Windows Update (or a WSUS server) and returns a Critical (2) if missing critical updates are found. If important updates are missing a Warning (1) is returned to Nagios.
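
The severity-to-state mapping described above, as an added example that is not the author's check_available_updates.vbs. It assumes updates are classified by the Windows Update Agent MsrcSeverity property and that a one-line summary is enough output; the published script may classify and report differently.

```vbscript
' Added example, not the author's script: map missing updates to Nagios states.
Option Explicit

' Nagios plugin exit codes. These are states, not update counts.
Const rOK = 0
Const rWarning = 1
Const rCritical = 2
Const rUnknown = 3

Dim session, searcher, result, update, i
Dim critical, important
critical = 0
important = 0

On Error Resume Next
Set session = CreateObject("Microsoft.Update.Session")
Set searcher = session.CreateUpdateSearcher()
' Searches whatever source the Windows Update Agent is configured for
' (Windows Update or a WSUS server).
Set result = searcher.Search("IsInstalled=0 and IsHidden=0 and Type='Software'")
If Err.Number <> 0 Then
    ' A failed search must not be reported as a fully patched host.
    WScript.Echo "UNKNOWN - update search failed: 0x" & Hex(Err.Number)
    WScript.Quit rUnknown
End If
On Error GoTo 0

' Assumption: MsrcSeverity ("Critical", "Important", ...) is the classifier.
For i = 0 To result.Updates.Count - 1
    Set update = result.Updates.Item(i)
    Select Case update.MsrcSeverity
        Case "Critical": critical = critical + 1
        Case "Important": important = important + 1
    End Select
Next

' One short status line keeps the reply small enough for check_nrpe.
If critical > 0 Then
    WScript.Echo "CRITICAL - " & critical & " critical, " & important & " important security updates missing"
    WScript.Quit rCritical
ElseIf important > 0 Then
    WScript.Echo "WARNING - " & important & " important security updates missing"
    WScript.Quit rWarning
End If
WScript.Echo "OK - no critical or important security updates missing"
WScript.Quit rOK
```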

On the target computer I add the script to the scripts directory of NSClient++ and edit the NSC.ini file. First, to enable external scripts, just remove the semicolon before the DLL file:

CheckExternalScripts.dll

Then I add the script in the external scripts section:

[External Scripts]
;check_es_long=scripts\long.bat
;check_es_ok=scripts\ok.bat
;check_es_nok=scripts\nok.bat
check_available_updates=cscript.exe //T:30 //NoLogo scripts\check_available_updates.vbs

Running the script can take a while so you might have to set a higher timeout for NRPE. Using Nagios from the Ubuntu package I edited the file /etc/nagios-plugins/config/check_nrpe.cfg and added this command:

define command {
    command_name check_nrpe_60
    command_line /usr/lib/nagios/plugins/check_nrpe -H $HOSTADDRESS$ -t 60 -c $ARG1$
}

After updates have been installed it seems to take a bit longer to run the script so I might end up setting an even higher timeout.

Then I set up a service like this:

define service{
    use windows-service-12h
    hostgroup_name windows-computers
    service_description Check Windows Patches
    check_command check_nrpe_60!check_available_updates
}

If you are running WSUS this script would only check against updates which the WSUS server configured for the targeted machine is aware of.

Future versions of the script could use command line arguments to specify which types of messages are returned depending on which types of patches are missing.

Please let me know if you find it useful or have any ideas in terms of improvement.


{ 36 comments… read them below or add one }

Cameron July 1, 2011 at 4:21 pm

great plugin!
I have it running and it’s doing its warnings as it is supposed to.

One query is I would like to tweak it slightly but I’m hopeless with code.

I don’t want it to go critical for the most part so I tried changing the values so it would only warn.

CONST rOK = 0
CONST rWarning = 5
CONST rCritical = 100
CONST rUnknown = 200

Moving the critical figure higher got rid of criticals coming up for a server with about 12 odd critical updates due. The problem is now, no matter what setting I have, if the level of updates is under the critical figure, it always says unknown.

So as above, the nagios alert shows all the updates needed when you look at the service but its state is always unknown (no warn, no OK) no matter what figure I use.

Any chance you know what I need to be changing to make the ok and warning figures my own levels?

thanks in advance!

Patrick Ogenstad July 1, 2011 at 9:26 pm

I’m glad to hear that you like the plugin, I’ve made some new changes which I haven’t yet published.

One way Nagios can report the unknown status is if the plugin returns too much information. By default check_nrpe can’t handle that much information. So I’m thinking of just reporting back the number of missing security updates.

The variables you’ve changed aren’t actually the number of missing updates but codes which Nagios uses to determine the result of the check. So 0 is OK, 1 is WARNING, 2 is CRITICAL, 3 is UNKNOWN. I’m guessing other values would translate to UNKNOWN too.

What is it you would like it to do? Set a number of updates that need to be missing before it goes critical?

Also currently the script only looks for critical or important security updates. I’m considering adding support for critical or important non-security related updates.

Cameron July 2, 2011 at 7:34 am

thanks for the prompt reply!
So when it reports back without me modifying those values, it goes critical and if you open the service you see all the updates in a perfect neat little row. So it shouldn’t be a case of too much info but maybe it is, I’m no expert at any of this :)

Yes, I would like to be able to set the variables at which it goes to warning and critical. This is never really going to be a critical event for me and more just something that sits at warning and tells me I’m being lazy and need to update specific servers if they were missed in maintenance. But I would love to be able to set the value for warn and crit.

Your idea about it showing the number of missing updates would be ideal for the summary, when these computers with a large number of updates go critical with the plugin, it just says “Critical Updates Missing:”
If that could have the number of updates in that report and it shows you the full number when you open up the service it would be ideal. But in the end for me, if I could just specify how many updates it warned on and how many made it go critical and it just said “critical updates missing: 8” that would be ideal for my needs.

I would try and do all this myself but I’m an absolute noob when it comes to code :)

To give you a better idea of what I’m trying to describe, here’s a snap of the summary and service detail. http://imgur.com/a/irf3X

Patrick Ogenstad July 3, 2011 at 8:20 am

I’ve posted my small update for the plugin which shows the number of missing security updates. Please let me know what you think.

If you just change the rCritical as below you will probably get the result you want.
CONST rCritical = 1

Currently it returns a critical state when critical security updates are missing and a warning state when important security updates are missing.

As you say this might not be considered critical and I’ll add switches for defining what type of updates returns which states.

However I’m not sure it really makes sense to assign a specific state to a number of patches. In terms of security one update should be enough to indicate a specific state. A system with 5 missing security updates doesn’t have to be more insecure than one with 1 missing security patch. Do you follow my reasoning?

Cameron July 5, 2011 at 1:00 pm

I totally agree and thank you for your efforts!

The reasoning behind having a switch on when it warns and goes critical is that we do a patch window once a month for patches where we apply them all. It will just get annoying seeing it notify on patches up until that time period. It is just so I can see that there are overdue patches and it’s about being more proactive than things like wsus are.

Cameron July 6, 2011 at 10:42 am

Just letting you know this is working perfectly for me now.
Thank you for your efforts, this saved me a lot of hassles that I was having with other plugins!

Here is how it is looking for me with that updated version and
rcritical = 1

http://i.imgur.com/DqJyN.png

Cameron July 6, 2011 at 10:51 am

oops, bad imgur link.
try this one.

http://i.imgur.com/er8Qt.png

Patrick Ogenstad July 7, 2011 at 11:55 pm

Ok thanks.

I’ll probably add some more options for coming versions but I don’t think I’ll do that much coding during the summer.

I noticed an error on line 69. It should be:
Wscript.Quit(rWarning)

I’ve also written a small PowerShell script / plugin which will warn when certificates are about to expire. But I’ll write more about that later.

Florent August 28, 2011 at 10:55 am

Very smart plugin! Is there a way to notify about critical or important non-security related updates?

Thanks in advance

Patrick Ogenstad August 28, 2011 at 11:27 pm

Thanks Florent :) Currently no, but I will add this as an option and also add some arguments so that you can choose which types of updates generate a specific state in Nagios.

Florent August 29, 2011 at 10:05 am

Ok cool, hurry to see it ! Do you think it’s possible to notify about a needed reboot after updates?

Patrick Ogenstad August 30, 2011 at 1:55 am

In what way do you mean? I actually have another Nagios plugin which I haven’t published which checks to see if a Windows server has installed updates and needs a reboot but haven’t done so yet.

However I don’t know of a way to check if a particular update will need a reboot. Don’t each and every one of the updates come with the text: this update “might” need a reboot? :)

Florent August 30, 2011 at 4:14 am

I mean exactly what you said “I actually have another Nagios plugin which I haven’t published which checks to see if a Windows server has installed updates and needs a reboot but haven’t done so yet”

Patrick Ogenstad August 30, 2011 at 1:43 pm

I have most of the code for an updated plugin ready but I need to test it some more. It will check for critical, important, moderate or low security updates and also critical and important non security related updates. I’m working with how to setup the arguments so that it works with NRPE and NSClient++. I’m also thinking of doing the check to see if a reboot is required inside the Windows update plugin. So first it will check to see if there are missing updates, if none are found it will check to see if a reboot is required.

I uploaded my plugin which only checks if a reboot is required. Let me know what you think.

Florent August 30, 2011 at 2:51 pm

I think it’s perfect, it only remains to merge the two scripts (updates and reboot) and it will be good!

Thanks a lot

Patrick Ogenstad August 31, 2011 at 1:25 am

I’ve uploaded version 1.2 of the check updates plugin. I haven’t published it to the Nagios site yet but it’s available from my blog. It would be great if you had time to test it a bit before I upload it to Nagios Exchange.

You can use the default settings, or take a look at the options with check_available_updates.vbs -h, or you can edit the settings section of the script.

Let me know how it works out for you.

Florent August 31, 2011 at 3:22 pm

Ok, I will test it asap and let you know.

Thank you

Florent September 1, 2011 at 2:05 am

It works good for me, I think the plugin can now be published on the Nagios site!

Raiko September 5, 2011 at 1:14 pm

What could be wrong? In Server 2003 this plugin works fine. I copied the same NSC.ini to Server 2008, but this time the port is not 5666 but 5668 (same in Nagios and in the client). Telnet goes through this port, but in Nagios: Unknown: No handler for that command.

define command {
    command_name check_nrpe_60_5668
    command_line /usr/local/nagios/libexec/check_nrpe -H $HOSTADDRESS$ -t 60 -p 5668 -c $ARG1$
}

define service{
    use generic-service
    host_name EHR_EDC
    service_description Check Windows Patches
    check_command check_nrpe_60_5668!check_available_updates
}

Thank You

Patrick Ogenstad September 5, 2011 at 1:23 pm

My guess would be that there’s something wrong with the configuration for NSClient++. Did you restart the service?

Raiko September 5, 2011 at 2:55 pm

Ok, I removed IP restriction from port forwarding. Seems Nagios allows default port 5666 IP restriction, but if I make another port forwarding with 5668 then I can’t get any information from remote host.

Then I got a few times Script execution time was exceeded on script “C:\Program Files\NSClient++\scripts\check_available_updates.vbs”.

But after trying a few times, now it’s working excellent. Thank You

Raiko September 6, 2011 at 2:28 am

But still often, if some server has plenty of updates sometimes gets information, sometimes Script execution time was exceeded on script “C:\Program Files\NSClient++\scripts\check_available_updates.vbs”.

I changed in command.cfg t 90 and t 120, still the same.

Any cure for that

Patrick Ogenstad September 6, 2011 at 4:10 am

Use a faster computer or increase the timeout :)

cameron September 6, 2011 at 3:47 pm

Yep, I find that no matter how fast your machine is, the initial poll for getting the updates list is always slow. If I query at the command line, the first query takes over 100 seconds on any of my beefy servers, if I do a poll immediately after that, it’s almost instant (must be cached).

I had to bolster my polling out to 120 seconds to avoid false alerts from the query timing out.

James October 18, 2011 at 11:44 am

Hello,
I am having some trouble. I am stuck at having the service report a warning and tell me the status is : Input Error: There is no script file specified.

As far as I know I have added the vb script to the script to the proper location: nsclient/scripts
I also added the changes to the nsc.ini and restarted the service. Any suggestions?

Jamie

Raiko October 19, 2011 at 5:06 am

in nsc.ini:

; Script to check external scripts and/or internal aliases.
CheckExternalScripts.dll uncommented ?

James October 19, 2011 at 5:11 am

Yes, the CheckExternalScripts is uncommented.

Thanks,

Leif January 1, 2012 at 3:29 pm

Cool script and working here without any problems (Implemented in 28 servers over no time)

The only thing we/I’m missing is the option to view (In Windows 2008 language) Optional updates. Would that be an option to build in ?

Sam Culley January 13, 2012 at 3:17 am

Hi,

I am having trouble getting any output from the plugin, I keep getting a “(No output returned from plugin)” error in nagios.

I have added “check_available_updates=cscript.exe //T:30 //NoLogo scripts\check_available_updates.vbs” to the ExternalScripts Section in NSC.ini

I have also defined a command and service.

Any ideas?

Thanks

Patrick Ogenstad January 13, 2012 at 4:27 am

Leif: I reasoned that there wasn’t a point to most of those updates. There are always different language packs. Do you need them?

Sam: Are external scripts enabled in NSClient++?

Sam Culley January 13, 2012 at 7:57 am

Ignore Above comment Got Working,

New problem. Some hosts are reporting NRPE Socket Timeout. I have modified the socket timeout in reporting hosts but still keep getting the error, seems to be working fine on 3 other hosts.

Sam Culley January 13, 2012 at 9:32 am

If anyone has issues with NRPE Socket Timeout, all you need to do is set -t 120 (or what you want) to the define service section.

Leif January 14, 2012 at 5:46 am

Patrick -> That depends on the policy…. but in Optional updates there are coming updates like .NET and like, and if you have a policy that says all updates need to be installed, yeah, then you need them :-) But I would just make it like an option to choose if I want the check of that or not.

Leif January 15, 2012 at 7:16 am

I have chosen to change to http://nsclient.org/nscp/attachment/wiki/CheckExternalScripts/check_updates_available.vbs at the moment with a change that in the beginning it uses the “Check Reboot status” from your script.

It’s a little bit more basic but seems to take the “Optional Updates” within the calculation.

Marcelo February 16, 2012 at 12:51 pm

This script (or any other script that uses the Windows Update API) does not work through check_nrpe:

./check_nrpe -H x.x.x.x -t 100 -c check_updates_available

C:\Program Files\NSClient++\scripts\check_updates_available.vbs(49, 1) (null): 0x80072EFD

If i execute the script manually on the server, works perfect.

Any ideas?
TIA.

Patrick Ogenstad February 17, 2012 at 2:37 am

@Marcelo – I would guess that NSClient++ isn’t configured correctly. Do any other external scripts work? Check the nsc.ini file.
