Page 1 of 1

Replace NSClient++ with Powershell or WSL over SSH?

Posted: Thu Oct 24, 2019 1:59 am
by chadbaldwin
Out of curiosity, has the topic of replacing NSClient++ with direct SSH + Powershell come up?

Although I've been using it for years, I'm not a huge fan of NSClient++, it works well, and I've never really had a problem with it. I just don't like having extra services and such to update, configure etc. There's also a bit of a learning curve for setting it up, configuring it, and using it.

I recently came across a few discoveries...may not be new to everyone, but these were all new to me:
- Windows 10 supports a native OpenSSH client/server
- Powershell supports being used as the default shell for SSH connections
- You can perform Powershell remoting over SSH
- PowerShell can run on Linux systems

So with all that said...I decided to (as a personal challenge / just for the hell of it) start replacing some NSClient++ checks with direct Powershell to Powershell (over SSH) commands to see how well that will work. The only down side is that it requires specifying a username as part of the initial command, and I've also had to set up pub/priv key authentication...which is fairly easy to set up. But it does look like it should work.

My other thought was to use WSL (Windows Subsystem for LInux). Not sure if that has been looked into either as a native replacement for a 3rd party service like NSClient++.

Re: Replace NSClient++ with Powershell or WSL over SSH?

Posted: Thu Oct 24, 2019 10:38 am
by mbellerue
My other thought was to use WSL (Windows Subsystem for LInux). Not sure if that has been looked into either as a native replacement for a 3rd party service like NSClient++.
I wanted to address this first, because this would add a ton of additional configuration and updating to your life. As you're probably aware, running WSL isn't like running Linux in a virtual machine, it's like having a separate OS running next to your main OS, with access to everything your main OS has access to. So now you have to lock down Windows and Linux on the same machine. Not to mention whatever extra services are installed and running by default in whatever distro you choose to run in WSL.

The other piece is doing Powershell-to-Powershell over SSH. This requires setting up Powershell on your Nagios system. This isn't something we've really tested for. But if I understand correctly, this also requires installing .Net on the Linux system in question as well. That's where I, personally, start to get a little worried. I don't know what hooks .Net is going to throw into the system, and how it's going to affect Nagios. If you're going to go this route, test environments are your friend (Everyone has a test environment. Some people also have separate production environments :lol: ).

Another option here is to use the check_by_ssh plugin. Since you can have full blown OpenSSH running on Windows, with Powershell as the default shell, nothing's stopping you from setting up check_by_ssh, and providing Powershell commands, or a path to a Powershell script to execute.

And finally, if you're just looking for a replacement for NSClient++, you should definitely check out NCPA.

Re: Replace NSClient++ with Powershell or WSL over SSH?

Posted: Thu Oct 24, 2019 11:55 am
by chadbaldwin
:lol: I know I know...Like I said, this was all out of curiosity to see if either of those routes may have some merit in the future as I just think they're really cool features/technologies. It would be cool to run commands on natively running systems, rather than 3rd party extensions. I still use NSClient++ regularly and it works great and it will probably be a long time before I switch away from it since it's been very stable and it works. I don't manage Nagios in a corporate production environment anymore, that was part of my old job. So security and such are not huge concerns when I'm just using Nagios to monitor a few computers on my home network :lol:

I suppose this was more a question for debate purely because it seemed like an interesting topic haha.

As far as installing Powershell in LInux, it was extremely easy, I had it downloaded, and running within a few lines on a Raspberry Pi (which is where I'm running my nagios instance), and it didn't seem to have any affect on Nagios running. You can also spin it up in seconds within a docker container, which would keep it isolated from Nagios, but I haven't been working with Docker long enough to know how to make that work reliably.

As far as WSL...that was a complete afterthought when I wrote this post, that's why it's just a quick line at the end haha; but you make a great point about locking down both the Windows AND now the linux side of it. I hadn't thought of that. It just came across my mind as a possibility, and I've been looking for reasons to use WSL other than for every day testing and quick scripts here and there.

Re: Replace NSClient++ with Powershell or WSL over SSH?

Posted: Thu Oct 24, 2019 4:05 pm
by lmiltchev
You could use standalone powershell scripts if you wish but in my opinion, it is worth keeping NSClient++ or using NCPA for basic (most common) checks. If you needed to run some "custom" PS scripts, you could always call them remotely (from your Nagios server) via NSClient++ (check_nrpe) or NCPA (check_ncpa.py).

Let us know if you have any further questions. Thanks!

Re: Replace NSClient++ with Powershell or WSL over SSH?

Posted: Thu Oct 24, 2019 5:33 pm
by chadbaldwin
Yup! That's what I'm doing now. I was just having some fun with these various technologies to see if they had a future in regards to Nagios.

Also, I'm wondering if I perhaps posted in the wrong area of the forum. I wasn't intending this to be a proposed change to Nagios itself, but more as a discussion topic for fun on the idea with other community members. Hopefully I posted in the right section.

Re: Replace NSClient++ with Powershell or WSL over SSH?

Posted: Fri Oct 25, 2019 8:51 am
by lmiltchev
Yes, this is the right forum for general ideas/discussions. If you have a specific issue, with a specific product, e.g. Nagios Core, Nagios XI, etc., it is better to post it in the appropriate forum, instead of here. Thanks!