Nagios Plugin for Windows Security Updates

  • by Patrick Ogenstad
  • May 13, 2011

Of late I’ve started to use Nagios more and more. Looking at the various plugins available I came across some plugins which were supposed to check for missing Windows Updates. I found most of them to be quite blunt, with the exception of the setup over at Frank4dd (http://nagios.frank4dd.com/howto/windows-patch-update-monitoring.htm). However, I just wanted a plugin to monitor a single server and Frank's setup was a bit too big for my needs. I was also interested in writing plugins for Nagios, mostly to see what is needed to make it work.

I ended up writing a script which runs locally on a Windows machine. In my setup I’ve installed NSClient++ on the Windows machine. Nagios calls the NRPE part of NSClient++ which in turn runs the VBScript I wrote.

The script check_available_updates.vbs queries Windows Update (or a WSUS server) and returns a Critical (2) if missing critical updates are found. If important updates are missing a Warning (1) is returned to Nagios.
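As an added example, not the author's check_available_updates.vbs, this is how such a check can be written against the Windows Update Agent COM API (Microsoft.Update.Session); the search criteria, the severity-to-exit-code mapping and the UNKNOWN handling for failed searches are my assumptions about the design, not taken from the original script.

```vbscript
' Added example, not the author's script. Queries the Windows Update Agent COM API and
' maps the worst MSRC severity among not-yet-installed updates to a Nagios exit code.
Option Explicit
Const NAGIOS_OK = 0, NAGIOS_WARNING = 1, NAGIOS_CRITICAL = 2, NAGIOS_UNKNOWN = 3
Dim session, searcher, result, update, i
Dim critical, important, other, names, summary

' A failed search (WUA service stopped, WSUS unreachable) must not report OK:
' UNKNOWN (3) keeps a broken check from looking green on the Nagios console.
On Error Resume Next
Set session = CreateObject("Microsoft.Update.Session")
Set searcher = session.CreateUpdateSearcher()
' Type='Software' excludes drivers; IsHidden=0 skips updates an admin deliberately hid.
Set result = searcher.Search("IsInstalled=0 and IsHidden=0 and Type='Software'")
If Err.Number <> 0 Then
    WScript.Echo "UNKNOWN - Windows Update search failed: 0x" & Hex(Err.Number) & " " & Err.Description
    WScript.Quit NAGIOS_UNKNOWN
End If
On Error GoTo 0

critical = 0 : important = 0 : other = 0 : names = ""
For i = 0 To result.Updates.Count - 1
    Set update = result.Updates.Item(i)
    ' MsrcSeverity is "Critical", "Important", "Moderate", "Low" or "" for non-security updates
    Select Case update.MsrcSeverity
        Case "Critical"
            critical = critical + 1
            names = names & " [" & update.Title & "]"
        Case "Important"
            important = important + 1
            names = names & " [" & update.Title & "]"
        Case Else
            other = other + 1
    End Select
Next

summary = critical & " critical, " & important & " important, " & other & " other missing"
' Nagios plugin convention: one status line beginning with the state name, then the exit code.
If critical > 0 Then
    WScript.Echo "CRITICAL - " & summary & ":" & names
    WScript.Quit NAGIOS_CRITICAL
ElseIf important > 0 Then
    WScript.Echo "WARNING - " & summary & ":" & names
    WScript.Quit NAGIOS_WARNING
Else
    WScript.Echo "OK - " & summary
    WScript.Quit NAGIOS_OK
End If
```

Run it with cscript.exe //NoLogo so the status line is the only output NRPE passes back to Nagios.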

On the target computer I add the script to the scripts directory of NSClient++ and edit the NSC.ini file. First, to enable external scripts, just remove the semicolon before the DLL file:

CheckExternalScripts.dll

Then I add the script in the external scripts section:

[External Scripts]
;check_es_long=scripts\long.bat
;check_es_ok=scripts\ok.bat
;check_es_nok=scripts\nok.bat
check_available_updates=cscript.exe //T:30 //NoLogo scripts\check_available_updates.vbs

Running the script can take a while so you might have to set a higher timeout for NRPE. Using Nagios from the Ubuntu package I edited the file /etc/nagios-plugins/config/check_nrpe.cfg and added this command:

define command {
        command_name    check_nrpe_60
        command_line    /usr/lib/nagios/plugins/check_nrpe -H $HOSTADDRESS$ -t 60 -c $ARG1$
}

After updates have been installed it seems to take a bit longer to run the script so I might end up setting an even higher timeout.

Then I set up a service like this:

define service{
        use                     windows-service-12h
        hostgroup_name          windows-computers
        service_description     Check Windows Patches
        check_command           check_nrpe_60!check_available_updates
}

If you are running WSUS, this script only checks against the updates that the WSUS server configured for the target machine is aware of.

Future versions of the script could use command-line arguments to specify which type of message is returned depending on which types of patches are missing.

This plugin is a part of Nelmon.

Please let me know if you find it useful or have any ideas in terms of improvement.