CustoSec:Check Windows Service

From CustosecWiki
Jump to navigation Jump to search
Basic Information on Check
Name of Check Windows Service Technical Name check_win_service
Available in All Systems Number of Arguments 3
From Version >ARANSEC 1.0 Compability All ARANSEC and CustoSec

Scope of Check

This is a standard check to monitor the status of one or more installed services (given as a list) running on a Windows system. The check is based on a snmp query.


For the check to work properly the following requirements must be met:

  • The check is configured as a service check on the target host that should The name of the service that should be monitored
  • SNMP must be activated on the target host (read only and a community name; It is also recommended to allow only the ARANSEC/CustoSec IP-Address to read SNMP information on the host). SNMP can easily be checked by starting a second session in a second browser tab and do a SNMP-Walk from ARANSEC's SNMP-Walk function (bottom entry in the left hand menu).
  • The check focuses on installed services on a host, not on processes. They must be in the services list of "computer administration" where they can be configured (i.e. the way they are started)


To configure the check, the following arguments are available:

Argument No. Argument Name Allowed Arguments Explanation Examples
Arg1 snmp-community string Community name for the SNMP agent. It is strongly recommended to change the default community on most windows systems from "public" to something like "aransec".
Must be entered or check cannot find OID.
Arg2 Number of instances integer The number of instances of the service, that are expected to be running 5
Arg3 service name integer The name(s) of the service(s) that should be queried.
Both, the Display name, i.e. SQL Server, or the service name, i.e. SQLSERVERAGENT, can be used.
It does not matter if the display name of the service contains empty spaces.
By default, this argument is not case sensitive (WINS=wins)
Comma separated list of service names if multiple services should be queried.
Pearl regular expressions can be used for each single service name
Microsoft Exchange-ReplikationService

Returned Values of the Check

The Check returns the following values and information.

Status Output Remarks
OK 1 services active (matching "Dhcp") : OK OK will be returned if all services queried are in active state and the number of services matches the expected number given as ARG 3.
WARNING 14 services active (matching "Microsoft Exchange*") : WARNING Warning will be returned if there are more services active than specified
CRITICAL 1 services active (matching "Microsoft Exchange-ReplicationService") : CRITICAL Critical will be returned if the number of active services found is less than expected.


The following examples should explain the usage of the check and how the arguments should be entered.
(Please Note: Pipe Character in the fields of this table divide different options. Exception: Within the "Output" lines in the "Output" field, the pipe character is real and shows the division between the checks output and the checks performance data)

Example Description Output
!custosec!1!dhcp The service DCHP-Client (service name: Dhcp) is queried. SNMP-community on this system is "custosec";
The check will return "OK" if one active service is found.
Status: OK
1 services active (matching "dhcp") : OK
!custosec!1!DHCP-Client Like the example above but with this time the display name of the service is used. Status: OK
1 services active (matching "DHCP-Client") : OK
!custosec!1!DHCP-Client Like the example above but with this time the display name of the service is used. Status: OK
1 services active (matching "DHCP-Client") : OK
!custosec!1!Microsoft Exchange* In this case, all services named "Microsoft Exchangexyz" are queried. The host in this example has 16 Exchange services installed, but only 14 are started automatically and running. 2 services have to be started "manually" and are not active at this moment. Status: Warning
14 services active (matching "Microsoft Exchange*") : WARNING
!custosec!16!Microsoft Exchange* Same as above, but the number of expected active services has been changed to 16 (because we expect our exchange installation to automatically start all installed exchange services. Status: Critical
14 services active (matching "Microsoft Exchange*") : CRITICAL
!custosec!86!.* With this check, we just count the number of services active on that host. We expect that to be 86 services (this is how we installed the server, since 52 other services are configured as "deactivated" or "start manually").
This would allow us to be notified if there are additional services started on a host.
Status: OK
86 services active (matching ".*") : OK
!custosec!16!Microsoft Exchange*,VMWare* This time all services matching "Microsoft Exchange*" and "VMWare*" are queried.
This list of service names in ARG 3 can be extended with single service names or perl expressions.
20 services active (matching "Microsoft Exchange*,VMWare*") : WARNING


  • it is also possible to monitor windows services using the "Windows Process" check, using the process name.