Port checking difficulties

[rdubya]

I'm trying to check if a port is listening and haven't had much success.

I first tried using the check_listen_tcp_udp.sh script out on the host that is running the service I want to monitor
https://exchange.nagios.org/directory/P ... sh/details

This is my command definition out on the remote host;

Code: Select all

command[check_nexus_listen]=/usr/lib64/nagios/plugins/check_listen_tcp_udp.sh -p 8070 -P tcp

This runs successfully on my remote host;

Code: Select all

# /usr/lib64/nagios/plugins/check_listen_tcp_udp.sh -p 8070 -P tcp
OK -  Listening on :::8070 (protocol: tcp)

This is the service as defined on my nagios server;

Code: Select all

define service{
        use                     generic-service
        host_name               nexusfirewall
        service_description     Nexus listening port
        check_command           check_nrpe!check_nexus_listen
}

I use nrpe for other commands successfully on this server but this one fails when I run the test;

Code: Select all

[root@engmon objects]# /usr/local/nagios/libexec/check_nrpe -H  10.177.177.220 -c check_total_procs
PROCS OK: 381 processes | procs=381;600;700;0;
[root@engmon objects]#  /usr/local/nagios/libexec/check_nrpe -H  10.177.177.220 -c check_nexus_listen
NRPE: Unable to read output

I was not able to resolve this and thought to change my method by checking the port from *outside* of the remote host with the pre-existing tcp_check command.
I am able to successfully check a port on the remote host from the nagios server;

Code: Select all

# /usr/local/nagios/libexec/check_tcp -H 10.177.177.220 -p 8070
TCP OK - 0.001 second response time on 10.177.177.220 port 8070|time=0.001022s;;;0.000000;10.000000

This is the pre-existing command definition in commands.cfg on the nagios server;

Code: Select all

# 'check_tcp' command definition
define command{
        command_name    check_tcp
	command_line    $USER1$/check_tcp -H $HOSTADDRESS$ -p $ARG1$ $ARG2$
        }

This is how the service is defined in localhost.cfg;

Code: Select all

define service{
        use                     local-service
        host_name               engmon
        service_description     tcp8070 on Nexusfirewall
        check_command           check_tcp!10.177.177.220!8070
}

This doesn't work, the services pages shows this failure;

Code: Select all

tcp8070 on Nexusfirewall UNKNOWN	08-23-2016 15:06:04	0d 1h 3m 25s	4/4	check_tcp: Port must be a positive integer 

I've invested a pretty good amount of time with the docs and with Google, but I'm still missing something. Any help would be apprecieated.
I'm also interested in thoughts related to the merits of checking whether the port is listening from the client, or contactable via an external command.

Thanks, Rob

[rkennedy]

What are the permissions on check_listen_tcp_udp.sh? Most likely, the nagios user cannot execute it.

As for the check_tcp part, your $ARG1$ is becoming 10.177.177.220, and $ARG2$ 8070. Change it to this - check_command check_tcp!8070 and it should work.

[ssax]

This is likely related to pathing issues, please run these commands (su - nagios first) on the remote host and see if you get anything different:

Code: Select all

su - nagios
/usr/lib64/nagios/plugins/check_listen_tcp_udp.sh -p 8070 -P tcp

I will work on updating the script to fix the path issues (if that's the case) and post it when I'm done.

[ssax]

Please try using this script instead on the remote server (unzip it first):

check_listen_tcp_udp.zip

(2.22 KiB) Downloaded 166 times

Let us know the results.

[rdubya]

Sorry about not getting back, I had an unrelated migration/recovery/migration that displaced EVERYTHING.
But back to topic.

check_tcp
On the client side, everything is owned by root anyhow. Not optimal but this is an inherited system and I plan on doing some cleanup in the coming month or so if I can scrape up the time. In the meantime, permissions are probably not in play here. Again, other command with the same permissions run without issue.

check_listen_tcp_udp.sh
Thanks for the updated script. The output is a little different but this has always run fine on the client.

New script

Code: Select all

[root@nexusfirewall plugins]# /usr/lib64/nagios/plugins/check_listen_tcp_udp.sh -p 8070 -P tcp
OK -  Listening on 0.0.0.0:8070 (protocol: tcp)

Old script

Code: Select all

[root@nexusfirewall plugins]# /usr/lib64/nagios/plugins/check_listen_tcp_udp.sh_ -p 8070 -P tcp
OK -  Listening on :::8070 (protocol: tcp)

Server:
in /usr/local/nagios/etc/objects/commands.cfg

Code: Select all

define command{
        command_name    check_tcp_listen
        command_line    $USER1$/check_nrpe -H $HOSTADDRESS$ -c check_listen_tcp_udp.sh $ARG1$ $ARG2$
}

Client:

Code: Select all

command[check_nexus_listen]=/usr/lib64/nagios/plugins/check_listen_tcp_udp.sh -p 8070 -P tcp

I've also tried it with the second argument removed in both of these configs and I get the same error.

Code: Select all

[root@engmon objects]# /usr/local/nagios/libexec/check_nrpe -H 10.177.177.220 -c check_nexus_listen
NRPE: Unable to read output

I'll also add that in between config changes I'm restarting nagios on the Server and nrpe on the Client.

[ssax]

When you ran that /usr/local/nagios/libexec/check_nrpe -H 10.177.177.220 -c check_nexus_listen at the end, was it using the new script or the old one?

[rdubya]

Yes, the new one.
The one ending in "_" is the old script (I renamed it but left it available).

This is from nrpe.cfg on the client;

Code: Select all

#Custom scripts
command[check_nexus_listen]=/usr/lib64/nagios/plugins/check_listen_tcp_udp.sh -p 8070 -P tcp

[ssax]

On the remote device, "su - nagios" first before running it and post the output:

Code: Select all

su - nagios
/usr/lib64/nagios/plugins/check_listen_tcp_udp.sh_ -p 8070 -P tcp

Thank you

[rdubya]

There is no nagios user, this is what I meant when I said I'd be "doing some cleanup" earlier in the thread. Is there a requirement for this plugin to use the nagios user?

[ssax]

Not required but by default the NRPE checks run as the nagios user unless you changed it, did you change it? If so, su - to them and see if that works.