How-to: Use UCS built-in monitoring checks

General information

Each instance of Univention Corporate Server (UCS) comes with a preconfigured set of monitoring checks. These Univention monitoring checks are based partly on the “monitoring-plugins” package and partly on Univention’s own development, which makes it possible to execute UCS-specific checks (cf. https://github.com/univention/univention-corporate-server/tree/5.0-1/nagios).

UCS 4.x offered the option of installing a Nagios server on a UCS system, which then automatically queried the preconfigured monitoring checks of all UCS systems in the domain. This is no longer possible with UCS 5.x, because the Nagios server integration was discontinued. However, the monitoring checks are still available and should be used with the monitoring server solution of your choice.

Querying the monitoring checks

All checks are Nagios compatible and can either be executed locally on the UCS system or queried via NRPE (port 5666). For querying via NRPE, the querying server must be enabled via the corresponding UCR variable:

nagios/client/allowedhosts: 10.0.0.15
  This variable limits the hosts which can access the NRPE service. The hosts need to
  be specified through their hostname or with an IP address. If the variable is unset,
  the master domain controller is used. Multiple entries need to be separated by
  commas.

The NRPE daemon must be restarted after changing the UCR variable:

systemctl restart nagios-nrpe-server.service

For example, querying such a check via NRPE from the monitoring server can look like this:

root@mon01:~# /usr/lib/nagios/plugins/check_nrpe -H 10.0.0.100 -c UNIVENTION_REPLICATION
OK: replication complete (nid=11976 lid=11976)

In the above examples, the querying monitoring server mon01 has the IP address 10.0.0.15 and the queried monitoring client (the UCS system with the local checks) has the IP address 10.0.0.100.

Available checks

All checks are located in /usr/lib/nagios/plugins/. The following list is not guaranteed to be complete. Additional services and apps might add their own monitoring checks and plugins.

The following checks are present on every UCS system and must be checked:

NRPE command name                Actually executed check
UNIVENTION_DISK_ROOT             check_disk -w '25%' -c '10%' -p '/'
UNIVENTION_DNS                   check_dns -H www.univention.de
UNIVENTION_JOINSTATUS            check_univention_joinstatus_suidwrapper
UNIVENTION_LDAP_AUTH             check_univention_ldap_suidwrapper
UNIVENTION_LISTENER_MDB_MAXSIZE  check_univention_slapd_mdb_maxsize_suidwrapper -l -w 75 -c 90
UNIVENTION_LOAD                  check_load --percpu --warning='3,2,1' --critical='6,4,2'
UNIVENTION_NSCD2                 check_univention_nscd_suidwrapper
UNIVENTION_PACKAGE_STATUS        check_univention_package_status
UNIVENTION_REPLICATION           check_univention_replication -n 10 -w 50 -c 100
UNIVENTION_SMTP2                 check_univention_smtp
UNIVENTION_SSL                   check_univention_ssl_certificate -w 40 -c 20
UNIVENTION_SWAP                  check_swap -w '40%' -c '20%'

Load, swap, and disk space may also be covered more effectively by other check mechanisms of your monitoring solution. Please note that the default check for disk space only covers the root partition (/).
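
The following wrapper is an added example, not part of the original how-to and not Univention code. It polls the checks listed above on one UCS system via check_nrpe and reduces them to a single Nagios-style exit status. The function names, the CHECK_NRPE override and the ranking of UNKNOWN above WARNING are assumptions of this example.

```shell
#!/bin/sh
# Added example, not Univention code. Polls UCS checks over NRPE, returns worst state.
# Assumption: check_nrpe lives at the path used in the how-to; override via CHECK_NRPE.
CHECK_NRPE="${CHECK_NRPE:-/usr/lib/nagios/plugins/check_nrpe}"

# NRPE command names the how-to lists as present on every UCS system.
UCS_BASE_CHECKS="UNIVENTION_DISK_ROOT UNIVENTION_DNS UNIVENTION_JOINSTATUS
UNIVENTION_LDAP_AUTH UNIVENTION_LISTENER_MDB_MAXSIZE UNIVENTION_LOAD
UNIVENTION_NSCD2 UNIVENTION_PACKAGE_STATUS UNIVENTION_REPLICATION
UNIVENTION_SMTP2 UNIVENTION_SSL UNIVENTION_SWAP"

# Nagios plugin exit codes: 0=OK 1=WARNING 2=CRITICAL 3=UNKNOWN.
state_name() {
    case "$1" in
        0) echo OK ;; 1) echo WARNING ;; 2) echo CRITICAL ;; *) echo UNKNOWN ;;
    esac
}

# Ranking used to pick the worst state: CRITICAL > UNKNOWN > WARNING > OK.
severity() {
    case "$1" in
        0) echo 0 ;; 1) echo 1 ;; 2) echo 3 ;; *) echo 2 ;;
    esac
}

# poll_ucs_checks HOST [CHECK...]
# Prints one line per check and returns the worst exit code seen.
poll_ucs_checks() {
    host="$1"; shift
    [ $# -gt 0 ] || set -- $UCS_BASE_CHECKS
    worst=0
    for check in "$@"; do
        out="$("$CHECK_NRPE" -H "$host" -c "$check" 2>&1)" && rc=0 || rc=$?
        # Any other exit code (for example a failed connection) counts as
        # UNKNOWN, so a check that could not be queried is never reported as OK.
        case "$rc" in 0|1|2) ;; *) rc=3 ;; esac
        first_line="$(printf '%s\n' "$out" | head -n 1)"
        printf '%-32s %-8s %s\n' "$check" "$(state_name "$rc")" "$first_line"
        if [ "$(severity "$rc")" -gt "$(severity "$worst")" ]; then
            worst=$rc
        fi
    done
    return "$worst"
}

# Usage: ./poll_ucs_checks.sh 10.0.0.100 [CHECK...]
if [ $# -ge 1 ]; then
    poll_ucs_checks "$@"
fi
```

Run it from the monitoring server that is listed in nagios/client/allowedhosts; without check names it polls the full list of checks present on every UCS system.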

The following checks are also available and should be checked on the UCS systems with the roles domain controller master (primary directory node), domain controller backup (backup directory node) and domain controller slave (replica directory node):

NRPE command name                Actually executed check
UNIVENTION_SLAPD_MDB_MAXSIZE     check_univention_slapd_mdb_maxsize_suidwrapper -w 75 -c 90

The following checks are also available and must be checked on the UCS systems that also act as Samba Active Directory domain controllers (e.g. UCS@school school server):

NRPE command name                Actually executed check
UNIVENTION_S4CONNECTOR           check_univention_s4_connector_suidwrapper
UNIVENTION_SAMBA_REPLICATION     check_univention_samba_drs_failures_suidwrapper