NRPE problem

[maronggang]

I encounted a problem about the nrpe. The detail is as follows:

$ ./check_nrpe -H 127.0.0.1
CHECK_NRPE: Socket timeout after 10 seconds.

$ ./check_nrpe -H 127.0.0.1 -t 20
CHECK_NRPE: Error - Could not complete SSL handshake.

It is OK after adding the parameter "-n".
$ ./check_nrpe -n -H 127.0.0.1
NRPE v2.15

The OS of remote host installed nrpe is solaris.
$ uname -a
SunOS sun1 5.11 11.1 sun4v sparc sun4v

I checked the OS log file "/var/adm/messages". It showes:
Aug 3 09:18:35 sun1 nrpe[24574]: [ID 421412 daemon.error] Could not read request from client, bailing out...

Hope offer me your help. Thanks!

[Box293]

The -n is required because when it was compiled on the Solaris box the ssl libraries were not found.

This guide shows you a full install and it looks like it includes the ssl stuff:

https://lucamerello.wordpress.com/2014/ ... -and-nrpe/

[maronggang]

Hi, Box293:
Thanks!
The problem is still occur after installing the nrpe according to the guide that you give me.
The attachments are the log of my installation.
No error info after checking the logs.
Please offer me your help! Thank U!

[Box293]

I did find there were some work arounds in this document:

https://assets.nagios.com/downloads/nag ... _Agent.pdf

Can you please post your /etc/nagios/nrpe.cfg file.

[maronggang]

Hi, Box293

I have uploaded the file.

[tgriep]

Can you run the following and post back so we can check to see if SSL was compiled in?

Code: Select all

/export/home/nagios/nagios/nrpe -V
/export/home/nagios/nagios/libexec/check_nrpe -V

[maronggang]

Please check it.
Thank U.

Code: Select all

nagios@sun2:~/nagios/bin$ /export/home/nagios/nagios/bin/nrpe -V

NRPE - Nagios Remote Plugin Executor
Copyright (c) 1999-2008 Ethan Galstad (nagios@nagios.org)
Version: 2.15
Last Modified: 09-06-2013
License: GPL v2 with exemptions (-l for more info)
SSL/TLS Available: Anonymous DH Mode, OpenSSL 0.9.6 or higher required

***************************************************************
** POSSIBLE SECURITY RISK - TCP WRAPPERS ARE NOT AVAILABLE!  **
**      Read the NRPE SECURITY file for more information     **
***************************************************************

Usage: nrpe [-n] -c <config_file> [-4|-6] <mode>

Options:
 -n            = Do not use SSL
 <config_file> = Name of config file to use
 -4            = use ipv4 only
 -6            = use ipv6 only
 <mode>        = One of the following operating modes:
   -i          =    Run as a service under inetd or xinetd
   -d          =    Run as a standalone daemon
   -d -s       =    Run as a subsystem under AIX

Notes:
This program is designed to process requests from the check_nrpe
plugin on the host(s) running Nagios.  It can run as a service
under inetd or xinetd (read the docs for info on this), or as a
standalone daemon. Once a request is received from an authorized
host, NRPE will execute the command/plugin (as defined in the
config file) and return the plugin output and return code to the
check_nrpe plugin.

Code: Select all

nagios@sun2:~/nagios/libexec$ /export/home/nagios/nagios/libexec/check_nrpe -V
/export/home/nagios/nagios/libexec/check_nrpe: illegal option -- V

NRPE Plugin for Nagios
Copyright (c) 1999-2008 Ethan Galstad (nagios@nagios.org)
Version: 2.15
Last Modified: 09-06-2013
License: GPL v2 with exemptions (-l for more info)
SSL/TLS Available: Anonymous DH Mode, OpenSSL 0.9.6 or higher required

Usage: check_nrpe -H <host> [ -b <bindaddr> ] [-4] [-6] [-n] [-u] [-p <port>] [-t <timeout>] [-c <command>] [-a <arglist...>]

Options:
 -n         = Do no use SSL
 -u         = Make socket timeouts return an UNKNOWN state instead of CRITICAL
 <host>     = The address of the host running the NRPE daemon
 <bindaddr> = bind to local address
 -4         = user ipv4 only
 -6         = user ipv6 only
 [port]     = The port on which the daemon is running (default=5666)
 [timeout]  = Number of seconds before connection times out (default=10)
 [command]  = The name of the command that the remote daemon should run
 [arglist]  = Optional arguments that should be passed to the command.  Multiple
              arguments should be separated by a space.  If provided, this must be
              the last option supplied on the command line.

Note:
This plugin requires that you have the NRPE daemon running on the remote host.
You must also have configured the daemon to associate a specific plugin command
with the [command] option you are specifying here.  Upon receipt of the
[command] argument, the NRPE daemon will run the appropriate plugin command and
send the plugin output and return code back to *this* plugin.  This allows you
to execute plugins on remote hosts and 'fake' the results to make Nagios think
the plugin is being run locally.

[lmiltchev]

Can you restart nrpe, run the following commands on the client (remote machine), and show us the output?

Code: Select all

netstat -at | grep nrpe
ps -ef| grep [n]rpe
./check_nrpe -H 127.0.0.1

[maronggang]

Pls check it. Additional, the commcand "netstat -at | grep nrpe" can not execute.

nagios@sun2:~/nagios$ ps -ef|grep nrpe
nagios 15718 1 0 09:05:44 ? 0:00 bin/nrpe -n -c etc/nrpe.cfg -d
nagios 15735 15706 0 09:07:14 pts/1 0:00 grep nrpe
nagios@sun2:~/nagios$


nagios@sun2:~/nagios/libexec$ ./check_nrpe -H 127.0.0.1
CHECK_NRPE: Socket timeout after 10 seconds.

nagios@sun2:~/nagios/libexec$ netstat -na|grep 5666
127.0.0.1.61532 127.0.0.1.5666 130880 0 139264 0 TIME_WAIT
*.5666 *.* 0 0 128000 0 LISTEN
*.5666 *.* 0 0 128000 0 LISTEN
nagios@sun2:~/nagios/libexec$

nagios@sun2:~/nagios$ netstat -at | grep nrpe
netstat: illegal option -- t
usage: netstat [-anv] [-f address_family] [-T d|u]
netstat [-n] [-f address_family] [-P protocol] [-T d|u] [-g | -p | -s [interval [count]]]
netstat -m [-v] [-T d|u] [interval [count]]
netstat -i [-I interface] [-an] [-f address_family] [-T d|u] [interval [count]]
netstat -r [-anv] [-f address_family|filter] [-T d|u]
netstat -M [-ns] [-f address_family] [-T d|u]
netstat -D [-I interface] [-f address_family] [-T d|u]

[lmiltchev]

nagios@sun2:~/nagios$ ps -ef|grep nrpe
nagios 15718 1 0 09:05:44 ? 0:00 bin/nrpe -n -c etc/nrpe.cfg -d

The nrpe process is still running without ssl ("-n" flag)... Kill the process and start it with ssl:

Code: Select all

kill -9 15718
/bin/nrpe -c /etc/nrpe.cfg -d

then test your check without passing the "-n" flag:

Code: Select all

./check_nrpe -H 127.0.0.1

Did this work?