Hello ssax and tgriep
I have done more operations and troubleshooting according to your recommendations, and checked the NSClient++.
From Server A, I can reach Server B with no issues:
Code:
[root@TestNagiosA]# /usr/local/nagios/libexec/check_nrpe -H ServerB
NRPE v3.2.1
Also, the option for arguments, "dont_blame_nrpe=1", is now enabled.
I have the following definition for check_nrpe_external on the server B, as mentioned in this post earlier
(important, adding the -n option):
Code:
command[check_nrpe_external]=/usr/local/nagios/libexec/check_nrpe -t 90 -H $ARG1$ -n -c $ARG2$ $ARG3$
and then in the NSClient.ini file, all settings regarding TLS are now disabled (Server B - client PCs inside Location B)
Code:
[/settings/NRPE/server]
insecure = true
verify mode = none
allow arguments = true
allow nasty characters = 1
allowed host =SERVERA,SERVERB,sub-net_from_serverB,internal_subnet_LocationB
extended response = 0
use ssl = false
; PORT NUMBER - Port to use for NRPE.
port = 5666
With those settings, it now finally works from Server A: when executing the commands on SERVER A, I get the expected response, using the -n option in the check_nrpe_external definition and the following syntax
Code:
[root@TestNagiosA ]# /usr/local/nagios/libexec/check_nrpe -t 90 -H "IPofServerB" -c check_nrpe_external -a "IPofClientPC1B" check_cpu '-a show-all'
OK: 5m: 0%, 1m: 0%, 5s: 0%|'total 5m'=0%;80;90 'total 1m'=0%;80;90 'total 5s'=0%;80;90
Just to note also that PCClient1B in Location B has two NIC cards (an additional one for the internal LAN) and both IP addresses are used for the monitoring, so both IP ranges are included in the allowed host settings.
Now that it works on the command line, I have the smaller issue of how to "translate" the syntax to the cfg files, with the current definition of check_nrpe_external on SERVERB
Code:
command[check_nrpe_external]=/usr/local/nagios/libexec/check_nrpe -t 90 -H $ARG1$ -n -c $ARG2$ $ARG3$
and the LocationB.cfg file, may contain the following syntax on the SERVER A at /etc/nagios/LocationB/ directory
Code:
define service {
    use                  generic-service
    host_name            ClientPC1B
    service_description  Remote_CPU
    check_command        check_nrpe_ext!check_nrpe_external!check_cpu '-a show-all'
}
and where check_nrpe_ext is the local check_nrpe on SERVERA
Code:
define command {
    command_name  check_nrpe_ext
    command_line  $USER1$/check_nrpe -t 90 -H IPofSERVERB -c $ARG1$
}
and with that syntax I do not get it right; I get status UNKNOWN on the monitoring interface
Code:
UNKNOWN
NRPE Plugin for Nagios Version: 3.2.1
How do I pass the arguments in the LocationB.cfg file? It is the last step; any hint will help me. I also do not fully understand the complete set-up, as when I run the same commands on SERVER A with a different plugin, I am getting different answers, not the desired answers. Am I doing something wrong, or is this a bug in NRPE?
For example, when checking the number of users on the remote PCClient1B from Server A on the command line:
Code:
[root@TestNagiosA]# /usr/local/nagios/libexec/check_nrpe -t 90 -H IPofServerB -c check_nrpe_external -a IPofPCClien1B -n check_users -w 2 -c 3
I get the following not desired output:
Code:
NRPE Plugin for Nagios
Version: 3.2.1
Copyright (c) 2009-2017 Nagios Enterprises
1999-2008 Ethan Galstad (nagios@nagios.org)
Last Modified: 2017-09-01
License: GPL v2 with exemptions (-l for more info)
SSL/TLS Available: OpenSSL 0.9.6 or higher required
Usage: check_nrpe -H <host> [-2] [-4] [-6] [-n] [-u] [-V] [-l] [-d <dhopt>]
[-P <size>] [-S <ssl version>] [-L <cipherlist>] [-C <clientcert>]
[-K <key>] [-A <ca-certificate>] [-s <logopts>] [-b <bindaddr>]
[-f <cfg-file>] [-p <port>] [-t <interval>:<state>] [-g <log-file>]
[-c <command>] [-E] [-a <arglist...>]
Options:
-H, --host=HOST The address of the host running the NRPE daemon
-2, --v2-packets-only Only use version 2 packets, not version 3
-4, --ipv4 Bind to ipv4 only
-6, --ipv6 Bind to ipv6 only
-n, --no-ssl Do no use SSL
-u, --unknown-timeout Make connection problems return UNKNOWN instead of CRITICAL
-V, --version Print version info and quit
-l, --license Show license
-E, --stderr-to-stdout Redirect stderr to stdout
-d, --use-dh=DHOPT Anonymous Diffie Hellman use:
0 Don't use Anonymous Diffie Hellman
(This will be the default in a future release.)
1 Allow Anonymous Diffie Hellman (default)
2 Force Anonymous Diffie Hellman
-P, --payload-size=SIZE Specify non-default payload size for NSClient++
-S, --ssl-version=VERSION The SSL/TLS version to use. Can be any one of:
SSLv2 SSL v2 only
SSLv2+ SSL v2 or above
SSLv3 SSL v3 only
SSLv3+ SSL v3 or above
TLSv1 TLS v1 only
TLSv1+ TLS v1 or above (DEFAULT)
TLSv1.1 TLS v1.1 only
TLSv1.1+ TLS v1.1 or above
TLSv1.2 TLS v1.2 only
TLSv1.2+ TLS v1.2 or above
-L, --cipher-list=LIST The list of SSL ciphers to use (currently defaults
to "ALL:!MD5:@STRENGTH". THIS WILL change in a future release.)
-C, --client-cert=FILE The client certificate to use for PKI
-K, --key-file=FILE The private key to use with the client certificate
-A, --ca-cert-file=FILE The CA certificate to use for PKI
-s, --ssl-logging=OPTIONS SSL Logging Options
-b, --bind=IPADDR Local address to bind to
-f, --config-file=FILE Configuration file to use
-g, --log-file=FILE Log file to write to
-p, --port=PORT The port on which the daemon is running (default=5666)
-c, --command=COMMAND The name of the command that the remote daemon should run
-a, --args=LIST Optional arguments that should be passed to the command,
separated by a space. If provided, this must be the last
option supplied on the command line.
NEW TIMEOUT SYNTAX
-t, --timeout=INTERVAL:STATE
INTERVAL Number of seconds before connection times out (default=10)
STATE Check state to exit with in the event of a timeout (default=CRITICAL)
Timeout STATE must be a valid state name (case-insensitive) or integer:
(OK, WARNING, CRITICAL, UNKNOWN) or integer (0-3)
Note:
This plugin requires that you have the NRPE daemon running on the remote host.
You must also have configured the daemon to associate a specific plugin command
with the [command] option you are specifying here. Upon receipt of the
[command] argument, the NRPE daemon will run the appropriate plugin command and
send the plugin output and return code back to *this* plugin. This allows you
to execute plugins on remote hosts and 'fake' the results to make Nagios think
the plugin is being run locally.
Many thanks for your support.
Best Regards
X.
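
A trace of the two macro expansions described in the post, as an added example that is not part of the original post or of Nagios/NRPE. The `A_FORWARDING` command line and the `FORWARDED` check_command are hypothetical, and the sketch assumes each shell word after the first `-a` reaches Server B as one `$ARGn$`.

```python
import re
import shlex

USER1 = "/usr/local/nagios/libexec"
# Definitions copied from the post.
A_POSTED = "$USER1$/check_nrpe -t 90 -H IPofSERVERB -c $ARG1$"
B_POSTED = "/usr/local/nagios/libexec/check_nrpe -t 90 -H $ARG1$ -n -c $ARG2$ $ARG3$"
# Hypothetical variant (an assumption, not from the post) that forwards arguments.
A_FORWARDING = A_POSTED + " -a $ARG2$ $ARG3$ $ARG4$"


def expand(template, args):
    """Replace $ARGn$ with the n-th argument; an unset macro becomes ''."""
    def sub(m):
        i = int(m.group(1)) - 1
        return args[i] if i < len(args) else ""
    return re.sub(r"\$ARG(\d+)\$", sub, template).strip()


def server_a(check_command, template=A_POSTED):
    """Nagios on Server A: split check_command on '!' and fill command_line."""
    _name, *args = check_command.split("!")
    return expand(template.replace("$USER1$", USER1), args)


def server_b(cmdline):
    """NRPE on Server B: the line run for check_nrpe_external.
    Assumes each shell word after the first -a arrives as one $ARGn$."""
    words = shlex.split(cmdline)
    args = words[words.index("-a") + 1:] if "-a" in words else []
    return " ".join(expand(B_POSTED, args).split())


POSTED = "check_nrpe_ext!check_nrpe_external!check_cpu '-a show-all'"
FORWARDED = "check_nrpe_ext!check_nrpe_external!IPofClientPC1B!check_cpu!'-a show-all'"
USERS_CLI = ("check_nrpe -t 90 -H IPofServerB -c check_nrpe_external "
             "-a IPofPCClien1B -n check_users -w 2 -c 3")

if __name__ == "__main__":
    for label, line in [("posted", server_a(POSTED)),
                        ("forwarding", server_a(FORWARDED, A_FORWARDING)),
                        ("users", USERS_CLI)]:
        print(f"{label}\n  A runs: {line}\n  B runs: {server_b(line)}")
```

With the posted definitions, `$ARG2$` of the service is never referenced on Server A, so Server B expands `check_nrpe_external` with empty `-H` and `-c` values. In the check_users call, only the first three words after `-a` fit `$ARG1$` to `$ARG3$`, and the `-w 2 -c 3` thresholds are dropped.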