Icinga2 Query NSClient on Endpoints

In the Icinga Documentation there is a “Tip” that states:

Best practice is to use the Icinga agent as secure execution bridge (check_nt and check_nrpe are considered insecure) and query the NSClient++ service locally.

I am currently using a Nagios install from 2008 and was tasked with converting what we have over to Icinga2. We have a ton of services that use NRPE. I tried my hand at the latest version of check_nrpe and the pseudo-mandatory SSL/TLS. I’m not super confident in my PKI implementation experience to debug this, as the Windows endpoint was using a self-signed certificate despite our domain root certificate being installed on both servers. I’m sure this was a simple issue; I’m just not sure how to fix it myself.

After this, I tried implementing the quoted Tip above. From what I can tell, Director has an “nscp” command which just runs check_nt. Check_nt, unless I’m mistaken, is extremely restrictive and only allows querying certain values. Because I could not see how to execute external scripts, I abandoned this.

I found some commands in Director running “nscp.exe client” commands. I have spent the last few days working on the syntax for these, which seems to be undocumented for the most part. I have in my config a custom command via:

checkExternalScripts_whoami=whoami.exe

However, I’m seeing this:

c:\Program Files\NSClient++>nscp client -M CheckExternalScripts -e "checkExternalScripts_whoami"
Command not found: checkExternalScripts_whoami

There is certainly some NSClient issue overlap here, but I guess my question is, how should I proceed? Am I going about this all wrong? After bringing up the idea, my boss would prefer I use the Icinga agent to query the local NRPE instance on the Windows endpoint. However, I can’t figure out how to do that exactly.