API Reference

The core of NCPA is the API, which works the same across all platforms. It was designed to make it easy for administrators to set-up checks, troubleshoot problems, test checks, while still being flexible. This section covers how the API works with individual references for each module. Some of the extended nodes are specific to an operating system, but the standard nodes are available on any platform.

Overview of the API

The API is constructed in a way that allows users to easily follow the hierarchy down, creating a URL that will access specific requested data.

In the example of this systems API return we see what we call nodes. Each node is a specific part of the API that gets specific data and functions a certain way. These are also sometimes referred to as API endpoints when farther down the list, when we have reached the end of a node.

Open up your web browser, and navigate to the URL below, replacing localhost:5693 with your NCPA server hostname/IP and port or if you're reading this inside NCPA, you can look at the box.

https://localhost:5693/api?token=mytoken

The API is formatted as JSON. If you're used to interacting with APIs, this shouldn't be too much of a surprise. However, something unique to NCPA is the way the API is accessed.

NCPA is structured with a set of base modules and each module has nodes. The nodes end up forming a URL, which is used to get data about that specific item or to run a check on that specific item's data.

Take a look at how an API call is formatted by hovering over each section:

https://localhost:5693/api  /  memory  /  virtual/total  ?  token=mytoken

Nodes are direct key names shown in the JSON, so essentially you are creating a way to access the endpoint by selecting which nodes to follow. The module and nodes together form the endpoint requested. In this case, the endpoint would be memory/virtual/total. The additional URL parameters after the ? are used to filter datasets, convert values or units, and authenticate using the token.


                            

Standard Parameters

Accessing the API is just the starting point, there are set parameters that can be used on all modules and nodes. There are also some parameters, such as delta that are only available on certain nodes. The API reference at the end of this document explains the parameters that are available for use.

The most common parameters (via GET or POST) that are always available:

Parameter Description
token The token used to authenticate. You must pass this with every API call. Corresponds to the community_string value in the config.
units This is a special prefix parameter that will only work on endpoints that return B and b. It will convert the values into the type passed. An example is units=Ki would give you KiB. It converts the value (KiB = B / 1024) and returns the new value with the update unit. Available options are k, Ki, M, Mi, G, Gi, T, Ti.
unit Unlike the units parameter, this value overwrites the unit name. If an endpoint returns no unit but you want it to return 'ms' then you can set this value.
delta This is used on certain endpoints to create per second values. Particularly on interfaces, but can also be used in other places too. Setting delta=1 will have NCPA calculate the change in the value divided by the amount of time passed (in seconds) since the last check creating unit/sec values.

The Different Unit(s) Parameters

The distinction between units and unit can be a bit confusing. Check out the examples below to see what these parameters do.

Example: Without Any Parameter

This example shows what the standard value and unit would be without passing any special parameters.

https://localhost:5693/api/disk/logical/C:|/used?token=mytoken

This would output:

{
    "total_size": [
        379222138880,
        "B"
    ]
}
Example: Using units Parameter

This example shows how the value and unit change when passing the units parameter to an endpoint that returns B.

https://localhost:5693/api/disk/logical/C:|/used?token=mytoken&units=Gi

This would return the value and units:

{
    "total_size": [
        353.09,
        "GiB"
    ]
}
Example: Using unit Parameter

This example shows how the value does not change but the unit, no matter what the default unit is, changes to unit.

https://localhost:5693/api/disk/logical/C:|/used?token=mytoken&unit=Units

This would return the value and units:

{
    "total_size": [
        379222138880,
        "Units"
    ]
}

Returning Nagios Check Results

Most of the endpoints in NCPA can be run as a check, and return Nagios plugin-style check results. This is helpful for testing, and production. This style of API call is what the check_ncpa.py plugin uses to get the check results for things like the CPU, interface, memory, and disk.

The parameters (via GET or POST) available for running an API endpoint as a check:

Parameter Description
check In order to run the API endpoint as a check, you must pass check=1 with the URL.
warning Specifies the warning threshold for the check. Conforms to the Nagios Plugins format guidelines .
critical Specifies the critical threshold for the check. Conforms to the Nagios Plugins format guidelines .

Example of an API Check

You can get check results on most API endpoints. Below is an example of running a check on the API endpoint memory/virtual/percent which will return the used percent:

https://localhost:5693/api/memory/virtual/percent?token=mytoken&warning=50&critical=60&check=1

This would return the following result:

{
    "returncode": 2,
    "stdout": "CRITICAL: Percent was 76.80 % | 'percent'=76.80%;50;60;"
}

If you are familiar with how a Nagios check works, this data should look familiar. The API will return the returncode and stdout for the check just like it would if it was running it from the command line. The check_ncpa.py plugin passes this data to Nagios by being a sort of proxy, printing the stdout and exiting with the return code given.

Combined Check Results

Tip: You can get combined checks using select node endpoints. Combined results are available from disk/logical/<partition>, memory/swap, memory/virtual, and processes.

Certain node endpoints have the ability to combine all the nodes inside of them into a single check. This is really handy when you want to see all the data that the node has in a single line output. The warning and critical values will be applied to the main value given - but you will still see all the details so that in your Nagios display you can see what value of disk or memory is actually being used when it says a percent.

https://localhost:5693/api/memory/virtual?token=mytoken&units=G&check=1

Since we are using memory/virtual instead of memory/virtual/<option> we will get:

{
    "returncode": 0,
    "stdout": "OK: Used memory was 76.80 % (Available: 3.98 GB, Total: 17.13 GB, Free: 3.98 GB, Used: 13.15 GB) | 'percent'=76.80%;;;"
}

You can see that it returns the value as a percentage, but also gives you values for available, total, free, and used.

Running Nagios Plugins

The NCPA API is flexible enough to let you run your own Nagios plugins. In order to do so, you'll need to place them in your plugins directory defined in the [plugin directives] section of the config.

Note: Make sure that your plugins have the proper permissions on Linux and Mac OS X systems. They need to be able to be executed by the user and group you have specified the NCPA service to run as. The default user and group is nagios:nagios. No permissions settings need to be edited for Windows.

You can see a list of all available plugins by going to the plugins API node:

https://localhost:5693/api/plugins?token=mytoken
{
    "plugins": [
        "check_test.ps1",
        "check_mssql.vbs"
    ]
}

The list above shows you the plugins that are available to run.

Sending Arguments to Plugins

As of 2.1 you should now send arguments as URL parameters instead of in your path. You can pass arguments to the plugin specified by passing args parameters.

Note: You cannot use the built-in warning and critical URL parameters for custom plugins, you must specify them however the plugin requires and pass them as arguments.

An example of running a plugin with arguments:

https://localhost:5693/api/plugins/test.ps1?args=-u local&args=-p one,two&token=mytoken
{
    "returncode": 0,
    "stdout": "Arg1: -u local - Arg2: -p one,two"
}

API Module Reference

This section is a reference for the parameters available for each of the API's modules. Since some of the modules have special properties, they are explained in detail here. There are two types of modules: standard modules and extended modules. The standard modules are built directly into NCPA and run the same across all operating systems. Extended modules are separate Python modules that are included into NCPA. The current extended modules do not work on all operating systems, but we are working on extending NCPA for future releases.

Standard Modules

These modules are available and work the same on all supported operating systems.

cpu

The CPU module let's you get information on the currently used system-wide percentage. You can also view the CPU's idle, user, and system time. Since most modern day systems have multiple CPU cores, there is a cpu/count endpoint that gives the amount of cores. This may be helpful when interpreting the other endpoints, since each core is reported separately.

If you'd like to see an aggregated view of the endpoints, the CPU module has a special parameter called aggregate that will aggregate all values by a specific aggregation type.

Example of CPU Usage Per Core
https://localhost:5693/api/cpu/percent?token=mytoken
{
    "percent": [
        [
            18.8,
            0.0,
            1.5,
            0.0,
            13.8,
            0.0,
            3.2,
            0.0
        ],
        "%"
    ]
}
Example of Aggregation
https://localhost:5693/api/cpu/percent?token=mytoken&aggregate=avg
{
    "percent": [
        [
            3.81
        ],
        "%"
    ]
}
Basic Parameters

Parameter Description
aggregate Aggregate the values in the endpoint. This can be helpful for systems with a lot of cores or when making a CPU usage check.
Options are avg, min, max, sum
check You can make checks out of the services module calls.
warning Warning threshold for check. Applies to all cores or total aggregated value.
critical Critical threshold for check. Applies to all cores or total aggregated value.
delta Delta allows you to get the change in value (in seconds) over time since the last check result. It will return a different unit, value/sec.
unit Overrides the unit given but does not change the value.

disk

The disk module is fairly large and one of the few modules to have combined check results for multiple nodes inside the disk/logical node. The disk module shows mount information, logical partition usage, and physical disk statistics through three main nodes shown below:

  • disk/mount - Information on mounted devices that are not disks.
  • disk/logical - Information on each mounted disk partition. Remember all \ and / must be represented as |.
  • disk/physical - Each physical drive's hardware stats and information.

Example of Disk Data
https://localhost:5693/api/disk/logical/C:|?token=mytoken&units=Gi
{
    "C:|": {
        "used_percent": [
            76.8,
            "%"
        ],
        "used": [
            356.94,
            "GiB"
        ],
        "opts": "rw,fixed",
        "total_size": [
            464.87,
            "GiB"
        ],
        "fstype": "NTFS",
        "free": [
            107.93,
            "GiB"
        ],
        "device_name": [
            "C:\\"
        ]
    }
}
Basic Parameters

Parameter Description
units Converts the value into the type passed for b and B values and prefixes the unit returned with the value given.
Options are k, Ki, M, Mi, G, Gi, T, Ti.
check Overrides the unit given but does not change the value.
warning Warning threshold for check. Applies to primary check if combined.
critical Critical threshold for check. Applies to primary check if combined.
delta Delta allows you to get the change in value (in seconds) over time since the last check result. It will return a different unit, value/sec.
unit Overrides the unit given but does not change the value.

interface

The interface module is a group of counters for each of the available network interfaces that exist. You can see by the example below that there is quite a lot of information. The most important part for most people is going to be the bytes_recv and bytes_sent values.

This particular node can use delta=1 to get the change in bytes send or received since the last check, making it able to produce bandwidth usage data.

Example of Interface Data
https://localhost:5693/api/interface/Local Area Connection?token=mytoken&units=Gi
{
    "Local Area Connection": {
        "packets_sent": [
            24194869,
            "packets"
        ],
        "bytes_recv": [
            20.95,
            "GiB"
        ],
        "packets_recv": [
            25115980,
            "packets"
        ],
        "bytes_sent": [
            9.87,
            "GiB"
        ],
        ...
    }
}
Example of Bytes Received/Second

This example shows the average of bytes received per second since the last check.

https://localhost:5693/api/interface/Local%20Area%20Connection/bytes_recv?token=mytoken&delta=1&units=k
{
    "bytes_recv": [
        3.56,
        "kB/s"
    ]
}
Basic Parameters

Parameter Description
units Converts the value into the type passed for b and B values and prefixes the unit returned with the value given.
Options are k, Ki, M, Mi, G, Gi, T, Ti.
check Overrides the unit given but does not change the value.
warning Warning threshold for check. Applies to primary check if combined.
critical Critical threshold for check. Applies to primary check if combined.
delta Delta allows you to get the change in value (in seconds) over time since the last check result. It will return a different unit, value/sec.
unit Overrides the unit given but does not change the value.

memory

The memory module shows the virtual and swap memory information. This module supports combined check results on both nodes. The percent used is probably the most commonly used value here and it is the primary value that is displayed in combined checks, along with the other node values.

Percent is actually percent used based on available memory (which includes free) and calculated like so: percent = total - available / 100

Example of Memory Data
https://localhost:5693/api/memory/virtual?token=mytoken&units=Gi
{
    "virtual": {
        "available": [
            19.83,
            "GiB"
        ],
        "total": [
            31.89,
            "GiB"
        ],
        "percent": [
            37.8,
            "%"
        ],
        "free": [
            19.83,
            "GiB"
        ],
        "used": [
            12.07,
            "GiB"
        ]
    }
}
Basic Parameters

Parameter Description
units Converts the value into the type passed for b and B values and prefixes the unit returned with the value given.
Options are k, Ki, M, Mi, G, Gi, T, Ti.
check Overrides the unit given but does not change the value.
warning Warning threshold for check. Applies to primary check if combined.
critical Critical threshold for check. Applies to primary check if combined.
delta Delta allows you to get the change in value (in seconds) over time since the last check result. It will return a different unit, value/sec.
unit Overrides the unit given but does not change the value.

processes

Processes shows the list of currently running processes. It also includes data about the process such as the PID, memory, CPU usage, user, and binary name. You can filter the processes list to get specific processes. You can also get a combined check on processes giving the total process count. This combined check is special since you can filter the total processes that the check is looking for.

Example of Total Process Count Check
https://localhost:5693/api/processes?token=mytoken&check=1
{
    "returncode": 0,
    "stdout": "OK: Process count was 119 | 'process_count'=119;;;"
}
Example Search for Processes Check

This example is searching for the word "steam" in all processes and reporting the amount it finds in the form of check results. This can be helpful if you need to make sure only so many processes are running.

https://localhost:5693/api/processes?token=mytoken&name=Steam&match=search&check=true
{
    "returncode": 0,
    "stdout": "OK: Process count for processes named steam was 5 | 'process_count'=5;;;"
}
Example Search for Processes Check with Multiple Names

An example that displays searching with multiple process names and how it adds them with or.

https://localhost:5693/api/processes?token=mytoken&name=steam&name=chrome&combiner=or&match=search&check=true
{
    "returncode": 0,
    "stdout": "OK: Process count for processes named steam,chrome was 15 | 'process_count'=15;;;"
}

These are pretty basic examples of how to use the processes module. You can view, in real time, the available output of processes by using the API section of the GUI.

Filter Parameters

These are special parameters that are applied to the processes module and filter out processes. You can apply as many filters as you want and multiple of each if necessary. These are combined using the combiner parameter which is and by default and not specified.

Parameter Description
name The name of the binary that is running for this process.
exe The path to the binary file that is being used.
cmd The full command the process was called with.
mem_percent Filters by mem_percent >= value.
mem_vms Filters by mem_vms >= value.
mem_rss Filters by mem_rss >= value.
cpu_percent Filters by cpu_percent >= value.

Basic Parameters

Parameter Description
combiner When combining the filter values to form a query, combine using this method. By default, filters are combined with an and.
Options are and, or
match The name and exe parameters are an exact match by default. If you set this parameter you can make the name and exe values searches instead.
Options are search, regex
units Converts the value into the type passed for b and B values and prefixes the unit returned with the value given.
Options are k, Ki, M, Mi, G, Gi, T, Ti.
check Overrides the unit given but does not change the value.
warning Warning threshold for check. Applies to primary check if combined.
critical Critical threshold for check. Applies to primary check if combined.

services

This node is different than most of the standard nodes. When using just the services endpoint you will see a list of all services NCPA can find and their current state. You can select a single service by adding the service=<servicename> parameter. You can also turn the service parameter into a search by adding the match=search parameter to the query.

Example of Service Filtering
https://localhost:5693/api/services?token=mytoken&service=sshd&service=httpd
{
    "services": {
        "sshd": "running",
        "httpd": "stopped"
    }
}
Example of Service Check
https://localhost:5693/api/services?token=mytoken&service=sshd&status=running&check=1
{
    "returncode": 0,
    "stdout": "OK: Service sshd is running"
}
Filter Parameters

You can filter down the list of services during a query and during a check by defining the service names. You can also use the service parameter as a search if you set the match parameter to search or regex.

Parameter Description
service You can select service(s) by service name using this parameter. Multiples of this parameter are acceptable. Example: service=sshd&service=crond

Basic Parameters

Parameter Description
match When not set, the service parameter an exact match. If you set this parameter you can make the service values searches instead.
Options are search, regex
check You can make checks out of the services module calls.
status When check=1 you can set the status that the services should be in. If the service is not in the status value defined then the check it will return CRITICAL, otherwise it will return OK.
Options are running, stopped

system

This module is used for getting information about the system that NCPA is running on and the agent version. It doesn't currently have the ability to perform many checks. However, we do use the output of the system/agent_version check to give the default __HOST__ service an output in passive checks and for the host in active checks created by running the Nagios XI NCPA config wizard.

You cannot use any special parameters on this module. This module is just for getting system information.

plugins

This module will show you a list of all available plugins (that are in the directory defined plugin_path) and let's you run them.

You can run a custom plugin by following this format in the URL:

https://localhost:5693/api/plugins/<plugin name>/<arg1>/<arg2>/?token=mytoken

Some examples of the kinds of arguments you would be passing this way are "/usr/local/program/test.log", -c 'test.sh', and --critical=20. Each argument is specified by another / after the plugin name. The built-in parameters for warning and critical do not work with custom plugins and must be passed as arguments. Read more about how to run plugins from the API.

Custom plugins should conform to the Nagios plugin guidelines for exit code and text output or NCPA may not accurately return the proper exit code and output.

user

This node allows you to see how many users are logged in using list. It also lets you use the count to create a check for how many users are currently logged in.

Example of User Endpoint
https://localhost:5693/api/user?token=mytoken
{
    "user": {
        "count": [
            2,
            "users"
        ],
        "list": [
            [
                "root",
                "root"
            ],
            "users"
        ]
    }
}
Basic Parameters
Parameter Description
check Overrides the unit given but does not change the value.
warning Warning threshold for check. Applies to primary check if combined.
critical Critical threshold for check. Applies to primary check if combined.

Extended Modules

These modules are extensions of NCPA's core and are only available on Windows right now.

logs

This extended module currently only works for Windows event logs. This module will not show any data by default since it does not know the name of logs to look for. Instead, you will see a short explanation on how to get data. You can start seeing logs by setting the name parameter. The name should correspond to a name of event log. Typically Windows systems have System and Application so our examples will use those.

Like other filter parameters, name can have multiple values. So name=Application&name=System would give Application and System logs.

Example of Application Logs

This will list all Application logs within the last 24 hours (the default lookback period) in a list. The list has been truncated due to the amount of logs.

https://localhost:5693/api/logs?token=mytoken&name=Application
{
    "logs": [
        {
            "Application": [
                {
                    "category": "0",
                    "severity": "INFORMATION",
                    "event_id": "0",
                    "application": "Service1",
                    "computer_name": "Win10-PC",
                    "message": "PowerEvent handled successfully by the service.\r\n",
                    "time_generated": "12/04/16 01:15:37"
                },
                ...
            ]
        },
        "logs"
    ]
}
Example Check with Multiple Types

Check results for multiple log types over the last 1 week period.

https://localhost:5693/api/logs?token=mytoken&name=System&name=Application&logged_after=1w&check=true
{
    "returncode": 0,
    "stdout": "OK: Application has 362 logs, System has 205 logs, Total Count has 567 logs (Time range - last 1 week) | 'Application'=362;;; 'System'=205;;; 'Total Count'=567;;;"
}
Filter Parameters

These parameters are what filter the logs that are returned. Each event log type (defined by name) is listed separately by the name with it's own list of logs.

Parameter Description
name The name of the Windows event logs that will be retrieved. Multiple event log names can be specified here.
logged_after The lookback period for the check. This defaults to 24 hours.
Examples: 30m, 24h, 3d, 1w, 2M (M = months)
Options are s, m, h, d, w, M
severity Exact match for event log's EventType.
event_id Exact match for event log's EventID field.
application Exact match for event log's SourceName field.
computer_name Exact match for event log's ComputerName field.
category Exact match for event log's EventCategory field.
message Search (or Python regex) match to the event log's Message field.
Basic Parameters

Parameter Description
check Turn the call into check results output.
warning Warning threshold for check. Applies to total log count too.
critical Critical threshold for check. Applies to total log count too.
type This is an optional value for the log node that allows you to select if you'd like the warning and critical values to be applied to the total or to each individual log type. Defaults to all, which means it will use the total log count for checks.
Options are all, individual

windowscounters

This extended module gives access to Windows counters. There are multiple types of counters that are available should work. Per second counters, or counters that show data over time, must be passed a sleep value given or they will always return a 0 result.

Example of a Windows Counter
https://localhost:5693/api/windowscounters/TCPv4/Connections Active?token=mytoken
{
    "windowscounters": [
        1421,
        "Connections Active"
    ]
}
Examples of Counters Over Time

Any counter that requires data over time can be shown by adding sleep.

https://localhost:5693/api/windowscounters/Processor(_Total)/% User Time?token=mytoken&sleep=5
{
    "windowscounters": [
        6.43,
        "% User Time"
    ]
}

Per second counters also use the sleep parameter.

https://localhost:5693/api/windowscounters/TCPv4/Segments Received/sec?token=mytoken&sleep=5
{
    "windowscounters": [
        1069.79,
        "Segments Received/sec"
    ]
}
Example of Per Second Counters Using Delta

Counters that are not typically per second can use the delta parameter to show the average change over time (in seconds) since the last query.

https://localhost:5693/api/windowscounters/TCPv4/Connections Active?token=mytoken&delta=1
{
    "windowscounters": [
        3.61,
        "Connections Active/s"
    ]
}
Basic Parameters

Parameter Description
sleep The sleep value is a value that represents a time frame to generate data for. Some counters (% values, /sec values) sometimes require a sleep value to get data over a certain amount of time or a result of 0 will be returned.
delta Delta allows you to get the change in value (in seconds) over time since the last check result. It will return a different unit, value/sec.
check Turn the call into check results output.
warning Warning threshold for check. Applies to total log count too.
critical Critical threshold for check. Applies to total log count too.