How to Adjust the Thresholds of check_apt

Hi everyone!

Im pretty new to Icinga2, so don’t mind, if im asking a pretty basic question, but i didn’t find a solution via Google. Im trying to track, if my servers need secuirty updates. Therefore i use the check_apt from the nagios-plugins package.

in my commands.conf i defined the Object:

object CheckCommand "check_apt_security_updates" {
    import "plugin-check-command"
    command = [ PluginDir + "/check_apt" ]
    arguments = {
        "-t" = {
            value = "$check_apt_timeout$"
    vars.check_apt_numeric = true  // Custom argument to request numeric output

And in my services.conf i applied the service (currently only testing on icingaserver itself:

apply Service "check for security updates" {
    import "generic-service"
    check_command = "check_apt_security_updates"
    zone = "master"
    assign where == NodeName
    vars.check_apt_timeout = 60
    vars.check_apt_warning = "100"   // Warnung, wenn mehr als 100 Updates verfügbar sind
    vars.check_apt_critical = "200"  // Kritisch, wenn mehr als 200 Updates verfügbar sind
    check_interval = 1d

It wokrs fine and this is how it looks like in Icinga2 itself. But now i want to adjust the threshold, so e.g. its only critical, when value is above 200 or something.
Bildschirmfoto vom 2024-04-23 11-33-32

I didn’t find any kind of docs, from Icinga to the nagios_plugins itself on how to define them. I also asked chatgpt and the result was, that i had to add the vars into the services.conf, but as u imagine, this didnt work aswell.

What am i doing wrong?

Thank you in Advance

Hi and welcome!

Debian’s nagios-plugins is a transition package to monitoring-plugins-contrib. Thus, you might wanna check the Monitoring Plugins for documentation.

Their check_apt documentation states how and when the plugin goes CRITICAL. It does so by matching a regular expression on each output, checking against -security updates. By this design, the availability of one security updates results in a CRITICAL state, which, IMHO, seems useful.
However, it is possible to configure the threshold for normal upgrades until the check is WARNING.

Thus, on a first glance, it does not seem to be possible to become not CRITICIAL for a “small amount” of security upgrades.

BTW, if you want to play with the check plugin to check for another regex, consider using the -v flag. The following example checks for (non existing) -very-important-security updates:

root@214c7d1ee64e:/# /usr/lib/nagios/plugins/check_apt -v -c '-very-important-security'
Inst libc6 [2.36-9+deb12u4] (2.36-9+deb12u6 Debian-Security:12/stable-security [amd64])
*Inst libc6 [2.36-9+deb12u4] (2.36-9+deb12u6 Debian-Security:12/stable-security [amd64])
Conf libc6 (2.36-9+deb12u6 Debian-Security:12/stable-security [amd64])
Inst libc-bin [2.36-9+deb12u4] (2.36-9+deb12u6 Debian-Security:12/stable-security [amd64])
*Inst libc-bin [2.36-9+deb12u4] (2.36-9+deb12u6 Debian-Security:12/stable-security [amd64])
Conf libc-bin (2.36-9+deb12u6 Debian-Security:12/stable-security [amd64])
APT WARNING: 2 packages available for upgrade (0 critical updates). |available_upgrades=2;;;0 critical_updates=0;;;0

Please also note that your CheckCommand needs to specify the necessary arguments, expected by the check plugin. In your posted setup, you only pass the -t flag but also specify two unused variables vars.check_apt_{warning,critical}.

1 Like

Thanks for your fast reply. Ur Answer helped me alot already with understanding how Icinga works. acutally i decided to switch from the plugin to a self written shell script in order to have more “playground” for my checks in Icinga.

IMHO, this is often a good idea as lots of check plugins out there are kinda opinionated. If you’re looking for other plugins or want to share your (opinionated) plugin with the world, please take a look at


Hey there! I would like to ask you to mark an answer as the solution, if it resolves your topic.

If your topic is resolved, please also make sure to mark the response that helped you solve it as the “solution” by clicking the three dots on that message.

If the solution can’t be found in a single answer, it would be super helpful, if you could write a summary of what helped and marked this as the solution. This way users with a similar problem can solve their issues a lot easier. Thank you!