Windows Service Monitoring - OK - but Unknown

Hello All

I am having an issue on servers where the service status is going into Unknown state instead of OK state. I am using nscp local. My service definition looks like below

Note this is an override on the specific server

filter=start_type = 'auto' and state='stopped' and name not in ( 'RemoteRegistry' , 'wuauserv' , 'sppsvc')
Note if I do not remove the above services it becomes red, as these services are in auto startup and are currently in stopped state

@cstein, if you can help on this it will be great

Hello,

I think the and state='stopped' is not needed. NSCP checks if the services are on autostart and running. If not started it will report them.
Also the default for empty (no service found by the filter) is unknown, see https://docs.nsclient.org/reference/windows/CheckSystem/#check_service_empty-state

Regards,
Carsten

Thanks Carsten
But my services are present like RemoteRegistry , wuauserv and sppsvc

filter=start_type = 'auto' and state='stopped' and name not in ( 'RemoteRegistry' , 'wuauserv' , 'sppsvc')

Also if I do not mention state=‘stopped’ then the plugin output becomes the full list of services. Which becomes very clumsy

Why will it report Unknown? Are you saying that if it doesn't see any issue it will report unknown? I can't report unknown as this will create a ticket for tools team :frowning:

EDIT:
Understood that if I change my filter to below and remove state=stopped it is behaving normally - and the unknown is gone - but now I am living with a huge list of services as plugin output. When I send this to ticketing -> people will be running after me with a stick :frowning:

filter=start_type = 'auto' and name not in ( 'RemoteRegistry' , 'wuauserv' , 'sppsvc')

Ahh, now I got what you'd like to monitor. Just add the argument empty-state=ok and it should also return ok state if no service is found matching your filter.

You mean
filter=start_type = 'auto' and state='stopped' and name not in ( 'RemoteRegistry' , 'wuauserv' , 'sppsvc') and empty-state=ok

will be my nscp_service_arguments ?

Failed

The arguments should be an array like

nscp_service_arguments = [ "filter=start_type = 'auto' and state='stopped' and name not in ( 'RemoteRegistry' , 'wuauserv' , 'sppsvc') ", "empty-state=ok" ]

The documentation is not fully correct for this check, but if you see the repeat_key = true in a command you can use either a string or array.

        "-a" = {
            repeat_key = true
            value = "$nscp_service_arguments$"
        }

String works if you have only 1 argument, if more than 1 you need to use an array.
Sadly the Director does not import them as an array :frowning:

Regards,
Carsten
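
An added example, not part of the original posts and not Icinga or NSClient++ code: a simplified Python model of how an argument with repeat_key = true expands a string versus an array, which shows why appending "and empty-state=ok" to the filter string did not work. The helper names and the split of each -a value on the first "=" are assumptions made for illustration.

```python
# Added example: simplified model of how Icinga 2 turns the "-a" argument
# (repeat_key = true) into a command line, and how each "-a" value is then
# read as one name=value option. The option parsing is an assumption, not
# NSClient++ code.

FILTER = ("filter=start_type = 'auto' and state='stopped' "
          "and name not in ('RemoteRegistry', 'wuauserv', 'sppsvc')")


def expand_repeat_key(key, value):
    """Model repeat_key = true: a string gives one key/value pair,
    an array gives the key once per element."""
    values = [value] if isinstance(value, str) else list(value)
    argv = []
    for v in values:
        argv += [key, v]
    return argv


def parse_options(argv, key="-a"):
    """Collect the value following each `key` and split it on the first
    '=' (assumed option syntax: name=value)."""
    opts = {}
    for flag, val in zip(argv[::2], argv[1::2]):
        if flag == key:
            name, _, rest = val.partition("=")
            opts[name] = rest
    return opts


# Attempt from the thread: one string, empty-state appended with "and".
as_string = parse_options(
    expand_repeat_key("-a", FILTER + " and empty-state=ok"))

# Working form: an array, one element per check_service option.
as_array = parse_options(
    expand_repeat_key("-a", [FILTER, "empty-state=ok"]))

if __name__ == "__main__":
    print(as_string)  # only "filter"; the empty-state text sits in the expression
    print(as_array)   # "filter" and "empty-state" as separate options
```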

Thank You Carsten. Worked perfectly :slight_smile:

I changed the data type of nscp_service_arguments from String to Array


Filter Argument Looks like this
filter=start_type = 'auto' and state='stopped' and name not in ('RemoteRegistry' , 'CDPSvc' , 'sppsvc')


Hi Carsten

Sorry just writing back on the same thread. We want to raise Warning Alert for the service and not critical (default)

My Filter Looks Like Below

nscp_service_arguments=["filter=start_type = 'auto' and state='stopped' and name not in ('RemoteRegistry' , 'wuauserv' , 'CDPSvc' , 'sppsvc', 'WbioSrvc')" , "empty-state=ok"]

'C:\Program Files\NSClient++\nscp.exe' 'client' '--log' 'critical' '--module' 'CheckSystem' '--show-all' '-a' 'filter=start_type = '''auto''' and state='''stopped''' and name not in ('''RemoteRegistry''' , '''CDPSvc''' , '''sppsvc''', '''WbioSrvc''')' '-a' 'empty-state=ok' '-b' '-q' 'check_service'

I want to raise all Warning Alert and no Critical. By default it goes Critical.

Hello there :slight_smile:

I would like to ask you to open a new topic for the new question.
This way it won’t be buried in here :slight_smile:

Thank you,
Feu

I agree. New topic opened. Thanks. It sounded like a simple ask, but somehow I am not able to figure it out.
