Windows Monitoring

…on the Windows side



These slides represent the work and opinions of the author and do not constitute official positions of any organization sponsoring the author’s work. This material has not been peer reviewed and is presented here as-is with the permission of the author. The author assumes no liability for any content or opinion expressed in this presentation and or use of content herein.

It is not my fault! It is not their fault! It is your fault!







External Scripts
Internal Scripts
Arguments
Scripting: Batch files
Wrapped scripts
Scripting: VBA
Internal Scripts
NSClient++ (from a scripter's perspective)

External Scripts
◦ The normal kind of scripts
◦ Can be written in:
 Batch
 VBA/VBScript (pretty popular on Windows)
 Powershell (a rather strange language)
◦ But also:
 Perl, python, bash, etc etc…

Internal Scripts
◦ Can interact with (other) internal commands
◦ Can access settings
◦ Can hold state
◦ Can be written in:
 Lua
 Python (requires python on the machine)
1. Enable the check module
[/modules]
# Runs the script
CheckExternalScripts=
# NRPE server
NRPEServer=
2. Each script requires a definition
[/settings/External Scripts]
check_es_test=scripts\test.bat
3. Options disabled by default (for a reason)
allow arguments = false
allow nasty characters = false
1. Enable the check module
[/modules]
LUAScript=
PythonScript=
2. Each script requires a definition
[/settings/LUA/Scripts]
<alias>=test.lua
[/settings/python/Scripts]
<alias>=test.py
3. Scripts require NRPE/NSCA (or NSCP)
[/modules]
NRPEServer=

Can be configured in many places
◦ Is probably more confusing than it is worth

The server module
◦ Means NO commands can have arguments

The script module
◦ Means NO external script can have arguments
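
An added example, not from the slides or the NSClient++ project: because these two options can be set in more than one section, this Python sketch scans a whole configuration for any section that turns them on and lists the script definitions that take `$ARGn$` input. The sample configuration is constructed, and the `/settings/NRPE/server` section name is an assumption.

```python
import configparser
import re

# Constructed sample config; /settings/NRPE/server is an assumed section name.
SAMPLE_INI = r"""
[/modules]
CheckExternalScripts=
NRPEServer=

[/settings/NRPE/server]
allow arguments = true
allow nasty characters = false

[/settings/External Scripts]
allow arguments = true
allow nasty characters = true

[/settings/External Scripts/scripts]
check_es_test=scripts\test.bat
check_test_bat=scripts\check_test.bat $ARG1$ arg2
"""

RISKY_KEYS = ("allow arguments", "allow nasty characters")
ARG_MACRO = re.compile(r"\$ARG\d+\$")   # $ARG1$, $ARG2$, ...
TRUE_VALUES = {"true", "1", "yes", "on"}


def audit(ini_text):
    """Return (enabled, exposed) for an NSClient++ style ini text.

    enabled: (section, key) pairs where a risky option is switched on.
    exposed: (section, alias) script definitions that splice caller-supplied
             arguments into a command line while arguments are allowed.
    """
    # No interpolation (values contain % macros); only '=' separates key/value.
    cp = configparser.ConfigParser(interpolation=None, strict=False,
                                   delimiters=("=",))
    cp.read_string(ini_text)
    enabled, arg_scripts = [], []
    for section in cp.sections():
        for key, value in cp.items(section):
            if key in RISKY_KEYS and value.strip().lower() in TRUE_VALUES:
                enabled.append((section, key))
            elif ARG_MACRO.search(value):
                arg_scripts.append((section, key))
    # Conservative: flag argument-taking scripts if any section allows arguments.
    args_on = any(key == "allow arguments" for _, key in enabled)
    return enabled, (arg_scripts if args_on else [])
```
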
[Diagram labels: NRPE, NSClient++, ExternalScripts, script.bat, script.vbs, CheckSystem, CheckCPU, CheckMem, CheckEventLog, CheckTaskSched]
The first batch script

Output:
◦ Use: echo <text>
◦ Don’t forget @echo off (or all commands will be echoed)

Exit statuses:
◦ Use: exit <code>
 0 = OK
 1 = Warning
 2 = Critical
 3 = Unknown

NSC.ini syntax:
[/settings/External Scripts/scripts]
my_script=scripts\script.bat

Reference:
◦ http://www.ss64.com/nt/

Don’t let preconceptions fool you: batch can actually do a lot!
…\NSClient++\scripts>cmd /c test.bat
CRITICAL: Everything is not going to be fine
…\NSClient++\scripts>echo %ERRORLEVEL%
2
Command
Writing our first Scripts
Killing notepad once and for all!
TASKKILL [/S dator [/U användarnamn [/P lösenord]]]]
{ [/FI filter] [/PID process-ID | /IM avbildning] } [/T][/F]
Beskrivning:
Det här verktyget används för att avsluta en eller flera aktiviteter
utifrån process-ID (PID) eller avbildningsnamn.
Parameterlista:
…
/FI filter
Använder ett filter för att välja aktiviteter.
Jokertecknet * kan användas, t.ex:
imagename eq note*
/PID process-ID
Anger process-ID för den process som ska avbrytas.
Använd kommandot Tasklist för att hämta process-ID
/IM avbildning
Anger avbildning för den process som ska avslutas. Jokertecknet *
användas för att ange alla aktiviteter eller
avbildningar.
Killing notepad…
Interlude

NSC.ini syntax:
[External Scripts]
check_bat=scripts\check_test.bat
Or
[Wrapped Scripts]
check_test=check_test.bat

NSC.ini syntax:
[External Scripts]
check_test=cscript.exe //T:30 //NoLogo scripts\check_test.vbs
Or
[Wrapped Scripts]
check_test=check_test.vbs


NSC.ini syntax:
[External Scripts]
check_test=cscript.exe //T:30 //NoLogo scripts\lib\wrapper.vbs scripts\check_test.vbs
Or
[Wrapped Scripts]
check_test=check_test.vbs


NSC.ini syntax:
[External Scripts]
check_test=cmd /c echo scripts\check_test.ps1; exit($lastexitcode) | powershell.exe -command -
Or
[Wrapped Scripts]
check_test=check_test.ps1
[…/wrappings]
bat=scripts\%SCRIPT% %ARGS%
vbs=cscript.exe //T:30 //NoLogo scripts\lib\wrapper.vbs %SCRIPT% %ARGS%
ps1=cmd /c echo scripts\%SCRIPT% %ARGS%; exit($lastexitcode) | powershell.exe -command -
[…/wrapped scripts]
check_test_vbs=check_test.vbs /arg1:1 /variable:1
check_test_ps1=check_test.ps1 arg1 arg2
check_test_bat=check_test.bat $ARG1$ arg2
check_battery=check_battery.vbs
check_printer=check_printer.vbs
; So essentially it is a macro! (but a nice one)
Writing a simple VB script

Output:
◦ Use: Wscript.StdOut.WriteLine <text>

Exit statuses:
◦ Use: Wscript.Quit(<code>)
 0 = OK
 1 = Warning
 2 = Critical
 3 = Unknown

NSC.ini syntax:
[External Scripts]
check_vbs=cscript.exe //T:30 //NoLogo scripts\check_vbs.vbs
//T:30 is the timeout and might need to be changed.

Reference:
◦ http://msdn.microsoft.com/en-us/library/t0aew7h6(VS.85).aspx

Set <variable name>=CreateObject("<COM Object>")
There are A LOT of objects you can create
A nice way to interact with other applications

For instance:

Set objWord = CreateObject("Word.Application")

objWord.Visible = True
Set objDoc = objWord.Documents.Add()
Set objSelection = objWord.Selection

objSelection.Font.Name = "Comic Sans MS"
objSelection.Font.Size = "28"
objSelection.TypeText "Hello World"
objSelection.TypeParagraph()

objSelection.Font.Size = "14"
objSelection.TypeText "" & Date()
objSelection.TypeParagraph()
Words…
Are we running Windows?
Dissecting a VBScript



Can be used to extend NSClient++
Are very powerful
A good way to:
◦ Alter things you do not like
◦ Create advanced things


Are written in Lua or Python
Possibly unsafe
◦ Runs inside NSClient++


Internal scripts are fundamentally different
One script is NOT equal to one function
◦ A script (at startup) can:
 Register query (commands) handlers
 Register submission (passive checks) handlers
 Register exec handlers
 Register configuration
 Access configuration
◦ Handlers can:
 Execute queries (commands)
 Submit submissions (passive checks)
 Etc etc…
Questions?
[email protected]
http://www.linkedin.com/in/mickem
http://nsclient.org
Facebook: facebook.com/nsclient
http://nsclient.org/nscp/conferances/2011/nwcna/