FAQ: Frequently asked questions

1. Problems

1.1 I am having problems where do I start?

NSCP has a built-in “test and debug” mode that you can activate with the following command
nscp test

What this does is two things. 1. it starts the daemon as “usual” with the same configuration and such. 2. it enables debug logging and logs to the console. This makes it quite easy to see what is going on and why things go wrong.

1.2 MSI or ZIP installation?

In general never use the ZIP installation unless you have a strong reason for doing so. The MSI is the preferred way to install NSCLient++ and will work much better then trying to manually install it.

1.3 Failed to open performance counters

  • The first thing to check is the version. If you are using an old version (pre 0.4.2) upgrade! In 0.4.2 PDH was greatly improved and all core checks stopped using PDH which means that for “normal” checks you no longer need PDH.
  • Second thing to check is whether the servers’ performance counters working? Sometimes the performance counters end up broken and need to be rebuilt there is a command to validate performance counters:
nscp sys --validate

For details: Microsoft KB: http://support.microsoft.com/kb/300956 essentially you need to use the “lodctr /R” command.

1.4 Bind failed

Usually this is due to running more then once instance of NSClient++ or possibly running another program that uses the same port.
  • Make sure you don’t have any other instance NSCLient++ started.
  • Check if the port is in use (netstat -a look for LISTENING)

1.5 EventlogBuffer is too small

This is because you have one or more entries in your eventlog which are larger then the “default buffer size of 64k”. The best way to fix this is to increase the buffer used.


1.6 System Tray does not work

NOTICE System tray is currently disabled and will be added back at some point

1.7 I get <insert random error from nagios here>

This information is usually useless to me since the error in nagios is not related to the problem. This is due to most protocols supported by nagios does not support reporting errors only status. To see the error do the following:

net stop nscp
nscp test --log info
... wait for errors to be reported ...
net start nscp

To get the debug log do the following:

net stop nscp
nscp test --log debug
... wait for errors to be reported ...
net start nscp

Please check and include this information before you submit questions and/or bug reports.

1.8 High CPU load and check_eventlog

Som people experience high CPU load when checking the event log this can usualy be resolved using the new command line option scan-range setting it to the time region you want to check

CheckEventLog ... scan-range=12h ...

1.9 Return code of 139 is out of bounds

This means something is wrong. To find out what is wrong you need to check the NSClient++ log file. The message means that an plugin returned an invalid exit code and there can be many reasons for this but most likely something is miss configured in NSClient++ or a script your using is not working. So the only way to diagnose this is to check the NSClient++ log.

One simple way to show the log is to run in test mode like so:

net stop nscp
nscp test
# wait for error here
net start nscp


But it is impossible to tell what is wrong without the NSClient++ log.

1.10 Enable debug log

By default the log level is info which means to see debug messages you need to enable debug log:

file name = nsclient.log
level = debug

2. Escaping and Strings

2.1 How do I properly escape spaces in strings

When you need to put spaces in a string you do the following:
  • nagios: - As usual you can do it anyway you like but I prefer: check_nrpe ... ‘this is a string’

2.2 How do I properly escape $ in strings

Dollar signs are “strange” in nagios nad has to be escaped using double $$s

  • nagios: - $$ (you use two $ signs)
  • from NSClient++ - $ (you do not need to escape them at all)

2.3 How do I properly escape in strings

Backslashes and som other control characters are handled by the shell in Nagios and thus escaped as such.

  • nagios: - ”...\...”
  • from NSClient++ - ”...\...”

2.4 Arguments via NRPE

For details see External Scripts

2.5 Nasty metacharacters

If you get illegal metachars or similar errors you are sending characters which are considered harmful through NRPE. This is a security measure inherited from the regular NRPE client.

The following characters are considered harmful: |`&><’”\[]{} To work around this you have two options.

  1. You can enable it
  2. You can switch most commands to not use nasty characters

To enable this in the NRPE server you can add the following:

allow nasty characters=true

[/settings/external scripts]
allow nasty characters=true

To not use nasty characters you can replace man y of them in built-in commands:

Expression Replacement
> gt
< lt
‘..’ str(...)
${..} %(..)

3. Versions

3.1 I use version 0.3.9 or 0.2.7

please upgrade to 0.4.2 and see if the error still persist before you ask questions and/or report bugs. I generally do NOT fix issues in several years old versions.

3.2 I use version 0.4.0 or 0.4.1

A good idea to upgrade to 0.4.2 and see if the issue has been resolved but please report this anyway so I can (if possible) fir it for 0.4.1

3. General

3.1 My question is not here?

Please ask in the forums or the questions site.

3.2 Rejected connection from: <ip address here>

This is due to invalid configuration. One important thing you ‘’‘NEED’‘’ to configure is which hosts are allowed to connect. If this configuration is missing or invalid you will get the following error:

013-04-02 16:34:07: e:D:\source\nscp\trunk\include\check_nt/server/protocol.hpp:65: Rejected connection from: ::ffff:

To resolve this please update your configuration:


; ALLOWED HOSTS - A coma separated list of hosts which are allowed to connect. You can use netmasks (/ syntax) or * to create ranges.

3.3 Timeout issues

Configuring timeouts can some times be a problem and cause strange errors. It is important to understand that timeouts are cascading this means if you have all timeouts set to 60 seconds they will all miss fire.


The nagios server timeout will fire after exactly 60 seconds but the script timeouts will be started m,aybe 1 second after the nagios service check timeout this means once we reach 60 seconds the nagios service timeout will fire first and 1 second after the script will timeout. This you always have to set each timeout slightly less to accomodate this drift.

If your command takes 60 seconds you need to set the timeouts like this:

  1. Script timeout: 60s
[/settings/external scripts/wrappings]
vbs = cscript.exe //T:120 //NoLogo scripts\\lib\\wrapper.vbs %SCRIPT% %ARGS%
  1. External script timeout: 65 seconds
[/settings/external scripts]
timeout = 65
  1. NRPE/server timeout: 70s
timeout = 70
  1. check_nrpe timeout: 75s
check_nrpe -t 75
  1. nagios service check timeout: 80s

3.4 Rotate log files

Rotating logfile can be done when size reaches a certain level (in this case 2048000 bytes):

date setting = %Y.%m.%d %H:%M:%S
file name = nsclient.log
level = info
max size = 2048000

4. check_nt

4.1 I use check_nt and...

Check_nt is NOT a good protocol and is considerd abandoneware. NSClient++ supports it only for legacy reasons. There is generally no reason to use check_nt

4.2 MEMUSE reports the wrong value

No it does not :) MEMUSE reports physical+page (normally called commited bytes). This is the amount of memory the system has promised to various applications. Thus it will be “more” than your RAM if you want to check physical memory please use check_nrpe and check_memory instead.

5. Eventlog

5.1 Can I check “modern” eventlogs from Windows 2008 and above?

Yes, but it requires NSClient++ 0.4.2 and later.

5.2 I use severity but still dont get errors (or get non error messages).

This is a “feature” of the Windows Eventlog API. They have something called severity which most programs do not use as severity. instead please try using level which is more accurate.


6.1 What is insecure mode

The NRPE protocol is broken it is using some strange encryption protocols which are (to our knowledge) rather insecure. To work around this in 0.4.x we introduced real SSL support as well as certificate based authentication. This became the default in 0.4.3.

To allow old “legacy” check_nrpe connect to NSClient++ you need to enable insecure mode which can be done in multiple ways.

# In the MSI installer there is an option to select insecure mode # From command line you can run the “nscp nrpe install –insecure” # You can manually set the option in your config file

All these options will result in the following configuration:

certificate key =
certificate = ${certificate-path}/certificate.pem
ssl options =
allowed ciphers = ADH
ssl = true
insecure = true

If you instead opt to use the more secure standard SSL aproach used in NSClient++ you can easily install NSClient++ on a linux system as well.

comments powered by Disqus