NSClient++

MySolutions NORDIC·MySolutionsNORDIC.NSClient++

A fully fledged monitoring agent which can be used with many monitoring tools.

NSClient++ (nscp) aims to be a simple yet powerful and secure monitoring daemon. It was built for Nagios/Icinga, but nothing in the daemon is Nagios/Icinga specific and it can be used in many other scenarios where you want to receive/distribute check metrics. The daemon has 3 main functions: - Allow a remote machine (monitoring server) to request commands to be run on this machine (the monitored machine) which return the status of the machine. - Submit the same results to a remote (monitoring server). - Take action and perform tasks.

winget install --id MySolutionsNORDIC.NSClient++ --exact --source winget

Latest 0.14.1.0·July 6, 2026

Release Notes

Host security posture, JSON-aware HTTP checks, and a clearer licence This release adds a brand-new CheckSecurity module for monitoring a host's security posture — certificates, firewall, antivirus, BitLocker, Secure Boot, NLA and logged-on users — and teaches check_http to assert on values inside a JSON response body. It also fixes boolean check arguments over REST, tidies up process aggregation and module activation, relicenses the project under a clear dual licence, and reworks the documentation to handle Windows and Linux side by side. Highlights

  • New CheckSecurity module. Seven new checks for host security posture: check_certificate, check_firewall, check_antivirus, check_bitlocker, check_secureboot, check_nla and check_users. check_certificate and check_users run everywhere; the rest are Windows-only. (#1339)
  • check_http can assert on JSON responses. New json-path=alias:path options extract values from a JSON body into filter keywords you can threshold on and emit as perfdata. (#1341)
  • CheckNet queries now emit performance data by default, so check_http, check_tcp and friends graph out of the box without an explicit perf syntax. (#1341)
  • Boolean check arguments accept values, not just flags. check_ping host=www.google.com total=true now works alongside the bare-flag form — the form REST already used. (#1338)
  • Activate several modules in one command: nscp settings --active-module CheckSystem CheckNet. (#1329-follow-up)
  • Clear dual licence. NSClient++ is now Apache-2.0 OR GPL-2.0-only, with machine-readable REUSE metadata and third-party notices. (#1343)
  • Reworked, multi-OS documentation that presents Windows and Linux options and features together instead of assuming one platform. (#1342) Detailed changes CheckSecurity — new host security-posture module A new module, CheckSecurity (alias security), checks whether a host is in the security state you expect. Each check is a normal modern_filter check, so you can override the default warn/crit expressions, filter, and detail-syntax/top-syntax as usual. Command Platforms What it checks check_certificate All X.509 certificate expiry / validity / hygiene from files or the Windows store check_users Windows + Linux Count and detail of logged-on / RDP sessions check_firewall Windows only Firewall profile (Domain/Private/Public) enabled and active state check_antivirus Windows only Registered antivirus products' enabled / up-to-date state (Security Center) check_bitlocker Windows only BitLocker drive-encryption protection status per volume check_secureboot Windows only Whether UEFI Secure Boot is enabled (distinguishes "disabled" from "legacy") check_nla Windows only Network Location Awareness category (public/private/domain) per network check_certificate defaults to warning when a certificate expires within 30 days and critical within 10 (matching common practice), emits expires_in (whole days until expiry) as perfdata, and can scan a whole directory: check_certificate file=/etc/ssl/certs/mysite.pem check_certificate file=/etc/ssl/certs recursive=true "detail-syntax=${subject}: ${expires_in}d" check_certificate file=/etc/pki/tls/certs critical=expired=1 The Windows checks expose the raw state fields so you can tighten or relax the default posture. check_firewall adds an active flag (which profile is currently in effect) alongside enabled, so you can warn when a machine silently falls back to the Public profile after a network change: check_firewall "warn=active = 1 and profile = 'Public'" "detail-syntax=${profile} profile is active" check_secureboot "warn=supported = 0" "crit=supported = 1 and enabled = 0" check_nla "crit=connected = 1 and category != 'domain'" "detail-syntax=${network}=${category}" On a platform where a Windows-only check does not apply, the check returns UNKNOWN with a clear message rather than failing. CheckNet — check_http JSON path extraction check_http can now pull values out of a JSON response body and treat them as filter keywords. Each json-path=alias:path option extracts the value at a dotted path (numeric segments index into arrays; single-quote a segment that itself contains a dot) and makes it available for warning=/critical= expressions and perfdata: check_http url=https://api.example.com/health "json-path=qlen:data.queue.length" "crit=qlen > 100" check_http url=https://api.example.com/health "json-path=st:status" "crit=st != 'ok'" check_http url=https://api.example.com/health "json-path=err:metrics.error_rate" "warn=err > 0.01" "crit=err > 0.05" check_http url=https://api.example.com/health "json-path=first:items.0.name" "json-path=cfg:'a.b'.c" Numeric values keep full precision, strings compare and render as strings, and booleans read as 1/0. A missing path — or a body that is not valid JSON — leaves the alias empty rather than failing the check, and multiple json-path options can be combined freely. CheckNet — default performance data CheckNet queries now attach sensible performance data by default, so check_http, check_tcp and the other network checks produce graphable perfdata without a hand-written perf syntax. check_ntp_offset threshold handling was also tidied up in the same change. Check arguments — boolean options accept values Boolean check options now accept an explicit value in addition to the bare-flag form: check_ping host=www.google.com total=true Previously the value form was rejected from the CLI even though REST always passes flags as key=true tokens, so a boolean option that worked over REST could look broken from the command line. Both forms now behave identically. CheckSystem — process total aggregation check_process process-total aggregation now correctly reports the started and hung states (on both Windows and Linux), so totals of these statuses match what the per-process detail shows. Settings — activate multiple modules at once nscp settings --active-module now accepts several module names in one invocation: nscp settings --active-module CheckSystem CheckNet Licensing — dual-licensed Apache-2.0 OR GPL-2.0-only NSClient++ is now explicitly dual-licensed under Apache-2.0 OR GPL-2.0-only. Source headers were updated to SPDX identifiers, the project carries machine-readable REUSE metadata (REUSE.toml, LICENSES/), and a THIRD-PARTY-NOTICES.md / NOTICE collect the third-party licences. The installer, packaging and docs licence text were updated to match. Build — Python library discovery CMake now derives the default Python library name instead of hardcoding a version, and defaults it to the soname so the module loads without the Python development packages installed. This makes Linux builds far less sensitive to the exact Python version on the build and target hosts. (#1334) Documentation
  • Multi-OS reference docs. The reference documentation was reworked to present Windows and Linux options and features together, handling checks whose options diverge by platform instead of documenting a single OS. Windows docs were regenerated. (#1342)
  • New docs/samples/ usage examples and descriptions for every new CheckSecurity command and the check_http JSON feature.
  • check_process docs cross-reference filter_perf for top-N processes. (#1330)
  • README restructured and dead files removed. (#1340) Quality and CI
  • Spelling. A codespell GitHub workflow was added and spelling errors in log messages and settings descriptions were fixed. (#1314, #1344)
  • Live integration tests. A new opt-in test suite runs checks against a real VM in Azure, alongside the existing REST-driven integration tests. New integration tests cover CheckSecurity, the check_http JSON feature, and --active-module. (#1335)
  • Assorted build fixes for older Windows toolchains, Linux, and sanitizer runs. Upgrade notes
  • Licence change: NSClient++ is now distributed as Apache-2.0 OR GPL-2.0-only. This is a clarification/relicensing — review it if your organisation tracks the exact licence of bundled software. No code or runtime behaviour changes as a result.
  • CheckNet perfdata is now on by default. Network checks emit performance data without an explicit perf syntax. If you were adding perfdata manually, double-check you are not now emitting it twice; graphs that previously showed nothing will start populating.
  • Boolean check arguments: option=true / option=false now work from the CLI as well as over REST. Existing bare-flag usage is unchanged.
  • CheckSecurity is not loaded by default. Enable it before using the new checks, e.g. nscp settings --active-module CheckSecurity. Windows-only checks return UNKNOWN on other platforms rather than erroring. Full Changelog: https://github.com/mickem/nscp/compare/0.14.0...0.14.1

Installer type: wix

ArchitectureScopeDownloadSHA256
x86DownloadEE3DFDDE334D6420A7E3ADE471E64190749837A6077A2BB27AC7910B6328DC9D
x64Download3BA1CAA877B67ECB54D3DA72E9968BD20B51001C362974A30524D7E88B5110A6

Details

Homepage
https://nsclient.org/
License
GPL-2.0
Publisher
MySolutions NORDIC
Support
https://github.com/mickem/nscp/issues
Copyright
Copyright (C) 2026 - Michael Medin
Moniker
nscp

Tags

icinganaemonnagios

Older versions (20)

0.14.0.0
ArchitectureScopeDownloadSHA256
x86DownloadA0E4CA4B77D6A0C8AC84FDABA74DCF5779DC162450632C276CA978CC7006DF7F
x64Download97BEF7D36B7F57B21F2102881694D75222F0D4B673083997054AA07DDFB7594F
0.12.6.0
ArchitectureScopeDownloadSHA256
x86Download76C6CD5DBB630E0237F110A42F416F54710EA1A9E6AA6C31A98B80D16219963E
x64Download3B91EE23E1E18D757667485A7CAA93D05F93606C8620BCE6EE0BAE2D14D204C1
0.12.4.0
ArchitectureScopeDownloadSHA256
x86Download603376EF822C13F8EA81D0180858A93E68627DAA4684390AFFD7CCC9076BFA7A
x64DownloadD85FF028621CE5DFCC382D631EE7C75E4DBD382027CAF5E79B15A3347F6420AB
0.12.3.0
ArchitectureScopeDownloadSHA256
x86DownloadD96EB8CEE1AA0E1668CBB1C81D86DEAA38787E234CD15EEA99FF9DA8216E227F
x64Download30301C05599D786D09312D0046A942589819878F87CEF8A318E139F345C94775
0.11.30.0
ArchitectureScopeDownloadSHA256
x86DownloadC2AAB71766DB09132EAC5295A51C48A07C6895C4AF875BA0F225A3371B3EB19F
x64Download319093AC437249BA02E5B9D88113DCA5981E9062580DDC680E59E144427831EB
0.11.29.0
ArchitectureScopeDownloadSHA256
x86Download48FA1C10A13666683964181B07DC2DFDE447D6A426B869465AF8F4F25B03DAD6
x64Download135CE3226E8B10FBB4CC512FEF25CDE670E696C092F4F200937599976AC3D755
0.11.26.0
ArchitectureScopeDownloadSHA256
x86DownloadC39199B5D2B089C0A525329DC675ED90C5F3BC602AEFF25CC7C442F61859F1C3
x64Download15F08B900B41C61EC875A08F636901B7D598082C81C17791D770E93EA25131C6
0.11.25.0
ArchitectureScopeDownloadSHA256
x86DownloadA8B9674E2C54C18ACCF5826415CA74DCE65220F7EE687420E36339CB11EEF85A
x64Download60B48CF8547C26A833193A016AA6E8A2372649CBD4310AFCFBC7C1C016A67695
0.11.24.0
ArchitectureScopeDownloadSHA256
x86Download07CE7261A88A58F983D8085AF3E9FE0C2D9E3EFBFEAFAEA72FA3EE70F49D6A06
x64Download1515F9F3BF90BAB990C2CED3A75D1C242611855D3AA5F9140EB452CFCD125CB6
0.11.8.0
ArchitectureScopeDownloadSHA256
x86Download430876CB770BCC348915AC170253C8F56815C8E5D60CDA39B9014A7D39A35923
x64Download7586B43DC18DC7E99A744D62C7B3F464F2BB3059A048DBB1584048530111CA65
0.11.7.0
ArchitectureScopeDownloadSHA256
x86DownloadF166F31A2CE129D7D8B8510AFD6D2D4757F996BD8A5706AF5189F74ADA2BE8DB
x64Download55246FC63B132B67BBEB4027EC24087F3F385C81F69F7188C509C327D488CB8F
0.11.6.0
ArchitectureScopeDownloadSHA256
x86Download2DFAF0E5EA313FF30CF69B772BF3CC88DB06BB13FF839BB2D01C5414B44EB351
x64DownloadA4F7BBDE55D5489D7E2E09E1143A8367955C46CF6E05303C6B4C9B0DDDDC9F76
0.10.9.0
ArchitectureScopeDownloadSHA256
x86Download1783B43252582F73FA922CB314EBEE50D0FA36826662B15A3C359C43B7BBF5EE
x64DownloadC99C4E8FC00AD0544FA5E06378B03C6C3453221150F3BFBF17402E94289464FC
0.10.8.0
ArchitectureScopeDownloadSHA256
x86DownloadFDFA57C7026C3ED5DA574DFF2E5CCC5862B8BE4001E203E27EB372DB26539118
x64DownloadD98A46E06078C3542018FABEA877E3DE28DFA8818A00E482552809F18E3231FA
0.10.7.0
ArchitectureScopeDownloadSHA256
x86DownloadC5B7805E5D35416AD9F4F4610229303450027DA86786BEDDA0E74703480E5FB8
x64Download48A55FDDADDC371A465582D389103B87B8801D6F6893A328224772978317BDCA
0.9.15.0
ArchitectureScopeDownloadSHA256
x86Download391FE5B1F4C8F42450915B9452E73F0318B8DCB54A8B038081914C8AD79EF445
x64DownloadF26473E6A52AFB7A8B5FA1EA099B2EB39EB57E57CA7D3547C0BF29334638CBE1
0.9.14.0
ArchitectureScopeDownloadSHA256
x86DownloadA5D554231523E870F682FC9BE2F3B7ACCD807D15FAA6B56E60962F79885927DC
x64Download2CF1FC203925E3231806AF237E046DCEE835FC8588749CB97493FF7602E7AB02
0.9.13.0
ArchitectureScopeDownloadSHA256
x86Download69F46BBF884F3DEF34501090299838132D97D6EC55C4770B87B21A6F012B36D6
x64Download1192A8DBF26434CE8B334ABA228E12A641836974176D1C69F3011EAA70A0F569
0.9.12.0
ArchitectureScopeDownloadSHA256
x86DownloadA284CEA543A26AB6FE2A04F851B343B18FECCBD36F0591CA89D1EB90801A9E85
x64DownloadC9074F3473F2DA8B6A73F2C2B99F4EF8D8E8FB8641091CCAB3867DDC1A7073CE
0.8.0.0
ArchitectureScopeDownloadSHA256
x86DownloadB83D3873AFB7A1DBF71ED0F0B59675BD755E68DE2C671C9F1245447CF0939B1B
x64Download50A23A2B6546A0475673458E60DD2891A65FF66944E18CC794BB841F9E4A9033