NRPE issue

[sebastiaopburnay]

Hi!

Thank you for managing this great portal.

I have a distributed monitoring infrastructure with a central nagios server (working with NDOUtils to write in a MySQL DB) receiving passive service and host checks from a remote nagios instance/server via nsca. It was quite tricky to learn nagios and configure it to work the way it does.

Now I'm trying to configure the system so that the central server actively uses nrpe_checks on the remote one, when the passive checks' results aren't fresh enough.

I've istalled the nagios-nrpe-server_2.8.1-1_i386.deb on the remote host and that installation created the /etc/nagios/nrpe.cfg and the /usr/sbin/nrpe files (which is normal) and also registered the service nagios-nrpe-server (which is cool).

I added the central server's IP address to the allowed_hosts directive on the nrpe.cfg file.

Problem is I can only do local checks (on the remote host to -H localhost || -H 127.0.0.1), so I tried changing the server_address directive on the nrpe.cfg file to reflect the remote server's IP address and restarted the nagios-nrpe-server service. That change made impossible for the remote nagios to check on itself with nrpe.

Please give me a light on this.

With my best regards,
sebastiaopburnay

[mguthrie]

Scroll down in the config file a bit further and look for the "allowed hosts" directive. Leave the 'server address' as your localhost, and then add your central server to the list of allowed hosts (you can have many addresses separated by spaces). Make sure your firewall has port 5666 open as well. Once the nrpe is running on the remote system, you can type "netstat -aunt" to make sure it's listening on port 5666 for requests.

[sebastiaopburnay]

Hi!

Thank you for replying and sorry for taking so long to review this (I'm dealing with a lot of other issues that appear as I fix the preceding ones)

I have done what you suggested and verified the netstat:

Code: Select all

netstat -aunt | grep 5666
tcp        0      0 0.0.0.0:5666            0.0.0.0:*               LISTEN

Then I ran the check_nrpe

Code: Select all

root@nagios-virtual-machine:/usr/lib/nagios/plugins# ./check_nrpe -H <IP@eth0> -n
CHECK_NRPE: Error receiving data from daemon.

And without the '-n' option

Code: Select all

root@nagios-virtual-machine:/usr/lib/nagios/plugins# ./check_nrpe -H <IP@eth0>
CHECK_NRPE: Error - Could not complete SSL handshake.

Strangely, when I target the l0 interface (127.0.0.1) and run check_nrpe I get the nrpe version as expected.

Could it be an SSL error or just a misconfiguration issue?

With my best regards,
sebastiaopburnay

[mguthrie]

I've run into this issue before, and I'm sorry to say I don't remember exactly what I did to fix it, but I think the issue was related to an SSL package not being installed on one of the machiens. I think both machines either needed libssl or openssl (depending on the distro). Sorry that's a little vague, but hopefully it will point you in the right direction.

[rdedon]

Please check on the /etc/xinetd.d/nrpe as following.

Code: Select all

# default: on
# description: NRPE (Nagios Remote Plugin Executor)
service nrpe
{
        flags           = REUSE
        socket_type     = stream   
 port  = 5666   
        wait            = no
        user            = nagios
 group  = nagios
        server          = /usr/local/nagios/bin/nrpe
        server_args     = -c /usr/local/nagios/etc/nrpe.cfg --inetd
        log_on_failure  += USERID
        disable               = no
 only_from                = 10.1.2.2
}

You need to make sure the only_from ip is the IP for nagios monitoring server.

If the only_from IP is not correct, rectify it and then restart xinetd.d by using the following command.

Code: Select all

[admin@remotehost ~]$ sudo /etc/init.d/xinetd restart
Stopping xinetd:                                           [  OK  ]
Starting xinetd:                                           [  OK  ]

If the nrpe setting is already correct, then you need to check in /var/log/messages in the remote host. You might see the following error.

[codeJul 29 13:36:56 remotehost xinetd[7336]: FAIL: nrpe address from=10.1.2.2
Jul 29 13:36:56 remotehost xinetd[6595]: START: nrpe pid=7336 from=10.1.2.2
Jul 29 13:36:56 remotehost xinetd[6595]: EXIT: nrpe status=0 pid=7336 duration=0(sec)[/code]

Try to restart xinetd daemon using the command above and then check on /var/log/messages again. If you see the following error, it might mean that xinetd had problem to start up nrpe becuase of its bug to release the address.

Code: Select all

Jul 29 13:35:54 remotehost xinetd[6595]: bind failed (Address already in use (errno = 98)). service = nrpe
Jul 29 13:35:54 remotehost xinetd[6595]: Service nrpe failed to start and is deactivated.
Jul 29 13:35:54 remotehost xinetd[6595]: xinetd Version 2.3.14 started with libwrap loadavg labeled-networking options compiled in.

In this case, you cannot start nrpe as embeded service in xinetd since this is a bug in xinetd. To fix this, you can start nrpe as standalone daemon. Before you started nrpe as standalone daemon, you need to verify the configuration in /usr/local/nagios/etc/nrpe.cfg. The following are two parameters that you need to take care of. The value for allowed_hosts should be the ip of nagios monitoring host and the server_port is 5666.

Code: Select all

allowed_hosts=10.1.8.2

server_port=5666

You need to make sure xinetd is not running or you need to remove /etc/xinetd.d/nrpe and restart xinetd daemon.

Then, you can issue the following command to start nrpe as standalone daemon.

Code: Select all

[admin@remotehost]$ /usr/local/nagios/bin/nrpe -c /usr/local/nagios/etc/nrpe.cfg -d

You should see the following log in /var/log/messages.

Code: Select all

Jul 29 14:18:31 remotehost nrpe[5947]: Starting up daemon
Jul 29 14:18:31 remotehost nrpe[5947]: Listening for connections on port 5666
Jul 29 14:18:31 remotehost nrpe[5947]: Allowing connections from: 10.1.2.2

In this case, you can now verify the nrpe connection by running check_nrpe from nagios monitoring host as following.

Code: Select all

[admin@monitoringhost ~]$ /usr/local/nagios/libexec/check_nrpe -H 10.1.2.12
NRPE v2.12

'CHECK_NRPE: Error - Could not complete SSL handshake.' should now be resolved.

[sebastiaopburnay]

Hey!

Sorry for the latency in my reply. There have been a lot of other issues.

I took your advice, but somehow those actions were ineffective.

So, I used a fresh Virtual Machine and followed the instructions on the NRPE manual.

It worked fine. Thank you for your support.

With my best regards,
sebastiaopburnay

[bulbul]

I was just skimming through the posts and so thought I would put what I did when I had a similar issue. Sorry if I am on a tangent since I have to run. I used nrpe to query a nsclient++ on a windows machine and I found that the reason I was getting the ssl handshake issue was because I had ssl turned on. I disabled it and it started working. I hate having non ssl but then that was the only way to go for me

;# USE SSL SOCKET
; This option controls if SSL should be used on the socket.
use_ssl=0