Nagios Xi Trial (VM): can't get nrpe to work against Windows

[stf_792]

I am running trial Nagios Xi VMWare appliance.

So far everything is working except NRPE

Initially it started with a need to monitor scheduled tasks on the Windows Server. I found an article that involved powershell script to be run on the monitored system. After I was not able to get it to work, I started to troubleshoot and finally got stuck.

Here where I am right now:

I have two windows 2008R2 servers, firewall is disabled on both servers. One is running nsclient that was recommended by nagios xi (.3.xx) another ran latest .4.3, but since I was not able to make it work, I downgraded it to match.
debug is set to 1, and logged into the nsclient.log file

Nagios Xi server with firewall disabled, nrpe running as xinetd

from the server console, when I run:

check_nrpe -H 127.0.0.1 - I am just getting back to the prompt
or
check_nrpe -H my.win.server.ip -c alias_cpu - also just back to console prompt and nothing in nsclient.log.
nsclient.log has lots of entries for nsclient++, nothing for nrpe.

I can ping both windows servers from nagios console, and nmap returns 5666/tcp open nrpe when I run it against both windows servers.

What am I missing???

Thanks.

[jolson]

On your Windows Servers, you should have nsc.ini/nsclient.ini files. Can you please post them to this thread? They contain the configuration profile used by NSClient.

The file should be located in C:\Program Files\NSClient or similar.

Just to clear a few things up:

Nagios Xi server with firewall disabled, nrpe running as xinetd

No need to disable the firewall on your Nagios XI box, since it's the device doing the communicating. Feel free to start it back up if you'd like.

In this instance, you are using the check_nrpe plugin, which does not run through xinetd. NRPE will be run through xinetd if it is installed on a Linux box and is listening for connections (Your Nagios XI box likely has an NRPE listener (which uses xinetd) and a check_nrpe plugin (which does not use xinetd).

After you post your configurations, we will review them and make any potentially necessary adjustments. Thank you!

[jdalrymple]

Let me help you mostly by clearing up some of the parts and pieces of the process.

NRPE stands for Nagios Remote Plugin Executor - by itself it's more a concept than a thing.

nrpe is a deamon that runs on a UNIX or Linux like server and responds to NRPE queries.

check_nrpe generates NRPE queries, it is the only component that you'll utilize on the Nagios server itself.

nsclient++ or nscp is sort of an omnibus monitoring solution for Windows (and Linux) platforms that can speak the NRPE language and thus respond to NRPE queries from check_nrpe on the Nagios XI server.

So...

I have two windows 2008R2 servers, firewall is disabled on both servers.

NSClient++ typically takes care of this. You need ports 12489 and 5666 TCP opened to the Nagios server. 5666 is specific to NRPE, 12489 is optional for other things.

I downgraded it to match.
debug is set to 1, and logged into the nsclient.log file

While our documentation/wizards indicate to use version such and such - we can confirm stability and recommend using the latest stable version available from http://nsclient.org.

Nagios Xi server with firewall disabled, nrpe running as xinetd

Neither the firewall nor the nrpe daemon matter

check_nrpe -H my.win.server.ip -c alias_cpu - also just back to console prompt and nothing in nsclient.log.
nsclient.log has lots of entries for nsclient++, nothing for nrpe.

I can ping both windows servers from nagios console, and nmap returns 5666/tcp open nrpe when I run it against both windows servers.

What am I missing???

Looks like nothing - but we are missing something, your nsclient.ini, please kindly provide that for us to review.
Also for testing purposes, leave off "-c alias_cpu" and just run `check_nrpe -H <IP>`

[stf_792]

nsc.ini

Code: Select all

[modules]
NRPEListener.dll
NSClientListener.dll
NSCAAgent.dll
CheckWMI.dll
FileLogger.dll
CheckSystem.dll
CheckDisk.dll
CheckEventLog.dll
CheckHelpers.dll
;# NSCLIENT++ MODULES
;# A list with DLLs to load at startup.
;  You will need to enable some of these for NSClient++ to work.
; ! ! ! ! ! ! ! ! ! ! ! ! ! ! ! ! ! ! ! ! ! ! ! ! ! ! ! ! ! ! ! ! !
; *                                                               *
; * N O T I C E ! ! ! - Y O U   H A V E   T O   E D I T   T H I S *
; *                                                               *
; ! ! ! ! ! ! ! ! ! ! ! ! ! ! ! ! ! ! ! ! ! ! ! ! ! ! ! ! ! ! ! ! !
;FileLogger.dll
;CheckSystem.dll
;CheckDisk.dll
;NSClientListener.dll
;NRPEListener.dll
;SysTray.dll
;CheckEventLog.dll
;CheckHelpers.dll
;CheckWMI.dll
;CheckNSCP.dll
;
; Script to check external scripts and/or internal aliases.
;CheckExternalScripts.dll
;
; NSCA Agent if you enable this NSClient++ will talk to NSCA hosts repeatedly (so dont enable unless you want to use NSCA)
;NSCAAgent.dll
;
; LUA script module used to write your own "check deamon".
;LUAScript.dll
;
; RemoteConfiguration IS AN EXTREM EARLY IDEA SO DONT USE FOR PRODUCTION ENVIROMNEMTS!
;RemoteConfiguration.dll
; Check other hosts through NRPE extreme beta and probably a bit dangerous! :)
;NRPEClient.dll
; Extreamly early beta of a task-schedule checker
;CheckTaskSched.dll

[crash]
; Archive crash dump files if a crash is detected
;archive=1

; Submit crash reports to a crash report server (this overrrides archive)
;submit=0

; Restart service if a crash is detected
;restart=1

[Settings]
;# OBFUSCATED PASSWORD
;  This is the same as the password option but here you can store the password in an obfuscated manner.
;  *NOTICE* obfuscation is *NOT* the same as encryption, someone with access to this file can still figure out the 
;  password. Its just a bit harder to do it at first glance.
;obfuscated_password=Jw0KAUUdXlAAUwASDAAB
;
;# PASSWORD
;  This is the password (-s) that is required to access NSClient remotely. If you leave this blank everyone will be able to access the daemon remotly.
;password=secret-password
;
;# ALLOWED HOST ADDRESSES
;  This is a comma-delimited list of IP address of hosts that are allowed to talk to the all daemons.
;  If leave this blank anyone can access the deamon remotly (NSClient still requires a valid password).
;  The syntax is host or ip/mask so 192.168.0.0/24 will allow anyone on that subnet access
;allowed_hosts=127.0.0.1/32
;
;# USE THIS FILE
;  Use the INI file as opposed to the registry if this is 0 and the use_reg in the registry is set to 1 
;  the registry will be used instead.
use_file=1
allowed_hosts=xxxxx
password=xxxxx
;
; # USE SHARED MEMORY CHANNELS
;  This is the "new" way for using the system tray based on an IPC framework on top shared memmory channels and events.
;  It is brand new and (probably has bugs) so dont enable this unless for testing!
;  If set to 1 shared channels will be created and system tray icons created and such and such...
;shared_session=0


[log]
;# LOG DEBUG
;  Set to 1 if you want debug message printed in the log file (debug messages are always printed to stdout when run with -test)
debug=1
;
;# LOG FILE
;  The file to print log statements to
file=nsclient.log
;
;# LOG DATE MASK
;  The format to for the date/time part of the log entry written to file.
date_mask=%Y-%m-%d %H:%M:%S
;
;# LOG ROOT FOLDER
;  The root folder to use for logging.
;  exe = the folder where the executable is located
;  local-app-data = local application data (probably a better choice then the old default)
;root_folder=exe


[NSClient]
;# ALLOWED HOST ADDRESSES
;  This is a comma-delimited list of IP address of hosts that are allowed to talk to NSClient deamon.
;  If you leave this blank the global version will be used instead.
;allowed_hosts=
;
;# NSCLIENT PORT NUMBER
;  This is the port the NSClientListener.dll will listen to.
;port=12489
;
;# BIND TO ADDRESS
;  Allows you to bind server to a specific local address. This has to be a dotted ip adress not a hostname.
;  Leaving this blank will bind to all avalible IP adresses.
;bind_to_address=
;
;# SOCKET TIMEOUT
;  Timeout when reading packets on incoming sockets. If the data has not arrived withint this time we will bail out.
;socket_timeout=30

[NRPE]
;# NRPE PORT NUMBER
;  This is the port the NRPEListener.dll will listen to.
port=5666
;
;# COMMAND TIMEOUT
;  This specifies the maximum number of seconds that the NRPE daemon will allow plug-ins to finish executing before killing them off.
;command_timeout=60
;
;# COMMAND ARGUMENT PROCESSING
;  This option determines whether or not the NRPE daemon will allow clients to specify arguments to commands that are executed.
allow_arguments=1
;
;# COMMAND ALLOW NASTY META CHARS
;  This option determines whether or not the NRPE daemon will allow clients to specify nasty (as in |`&><'"\[]{}) characters in arguments.
allow_nasty_meta_chars=1
;
;# USE SSL SOCKET
;  This option controls if SSL should be used on the socket.
;use_ssl=1
;
;# BIND TO ADDRESS
;  Allows you to bind server to a specific local address. This has to be a dotted ip adress not a hostname.
;  Leaving this blank will bind to all avalible IP adresses.
; bind_to_address=
;
;# ALLOWED HOST ADDRESSES
;  This is a comma-delimited list of IP address of hosts that are allowed to talk to NRPE deamon.
;  If you leave this blank the global version will be used instead.
allowed_hosts=10.8.8.234
;
;# SCRIPT DIRECTORY
;  All files in this directory will become check commands.
;  *WARNING* This is undoubtedly dangerous so use with care!
;script_dir=scripts\
;
;# SOCKET TIMEOUT
;  Timeout when reading packets on incoming sockets. If the data has not arrived withint this time we will bail out.
;socket_timeout=30

[Check System]
;# CPU BUFFER SIZE
;  Can be anything ranging from 1s (for 1 second) to 10w for 10 weeks. Notice that a larger buffer will waste memory 
;  so don't use a larger buffer then you need (ie. the longest check you do +1).
;CPUBufferSize=1h
;
;# CHECK RESOLUTION
;  The resolution to check values (currently only CPU).
;  The value is entered in 1/10:th of a second and the default is 10 (which means ones every second)
;CheckResolution=10
;
;# CHECK ALL SERVICES
;  Configure how to check services when a CheckAll is performed.
;  ...=started means services in that class *has* to be running.
;  ...=stopped means services in that class has to be stopped.
;  ...=ignored means services in this class will be ignored.
;check_all_services[SERVICE_BOOT_START]=ignored
;check_all_services[SERVICE_SYSTEM_START]=ignored
;check_all_services[SERVICE_AUTO_START]=started
;check_all_services[SERVICE_DEMAND_START]=ignored
;check_all_services[SERVICE_DISABLED]=stopped

[External Script]
;# COMMAND TIMEOUT
;  This specifies the maximum number of seconds that the NRPE daemon will allow plug-ins to finish executing before killing them off.
;command_timeout=60
;
;# COMMAND ARGUMENT PROCESSING
;  This option determines whether or not the NRPE daemon will allow clients to specify arguments to commands that are executed.
allow_arguments=1
;
;# COMMAND ALLOW NASTY META CHARS
;  This option determines whether or not the NRPE daemon will allow clients to specify nasty (as in |`&><'"\[]{}) characters in arguments.
allow_nasty_meta_chars=1
;
;# SCRIPT DIRECTORY
;  All files in this directory will become check commands.
;  *WARNING* This is undoubtedly dangerous so use with care!
;script_dir=c:\my\script\dir

[Script Wrappings]
vbs=cscript.exe //T:30 //NoLogo scripts\lib\wrapper.vbs %SCRIPT% %ARGS%
ps1=cmd /c echo scripts\%SCRIPT% %ARGS%; exit($lastexitcode) | powershell.exe -command -
bat=scripts\%SCRIPT% %ARGS%

[External Scripts]
;check_es_long=scripts\long.bat
;check_es_ok=scripts\ok.bat
;check_es_nok=scripts\nok.bat
;check_vbs_sample=cscript.exe //T:30 //NoLogo scripts\check_vb.vbs
;check_powershell_warn=cmd /c echo scripts\powershell.ps1 | powershell.exe -command -
check_ms_win_tasks=cmd /c echo scripts/powershell/check_ms_win_tasks.ps1 $ARG1$; exit $LastExitCode | powershell.exe -command –

[External Alias]
alias_cpu=checkCPU warn=80 crit=90 time=5m time=1m time=30s
alias_cpu_ex=checkCPU warn=$ARG1$ crit=$ARG2$ time=5m time=1m time=30s
alias_mem=checkMem MaxWarn=80% MaxCrit=90% ShowAll=long type=physical type=virtual type=paged type=page
alias_up=checkUpTime MinWarn=1d MinWarn=1h

alias_disk=CheckDriveSize MinWarn=10% MinCrit=5% CheckAll FilterType=FIXED
alias_disk_loose=CheckDriveSize MinWarn=10% MinCrit=5% CheckAll FilterType=FIXED ignore-unreadable
alias_volumes=CheckDriveSize MinWarn=10% MinCrit=5% CheckAll=volumes FilterType=FIXED
alias_volumes_loose=CheckDriveSize MinWarn=10% MinCrit=5% CheckAll=volumes FilterType=FIXED ignore-unreadable 

alias_service=checkServiceState CheckAll
alias_service_ex=checkServiceState CheckAll "exclude=Net Driver HPZ12" "exclude=Pml Driver HPZ12" exclude=stisvc
alias_process=checkProcState "$ARG1$=started"
alias_process_stopped=checkProcState "$ARG1$=stopped"
alias_process_count=checkProcState MaxWarnCount=$ARG2$ MaxCritCount=$ARG3$ "$ARG1$=started"
alias_process_hung=checkProcState MaxWarnCount=1 MaxCritCount=1 "$ARG1$=hung"

alias_event_log=CheckEventLog file=application file=system MaxWarn=1 MaxCrit=1 "filter=generated gt -2d AND severity NOT IN ('success', 'informational') AND source != 'SideBySide'" truncate=800 unique descriptions "syntax=%severity%: %source%: %message% (%count%)"

alias_file_size=CheckFiles "filter=size > $ARG2$" "path=$ARG1$" MaxWarn=1 MaxCrit=1 "syntax=%filename% %size%" max-dir-depth=10
alias_file_age=checkFile2 filter=out "file=$ARG1$" filter-written=>1d MaxWarn=1 MaxCrit=1 "syntax=%filename% %write%"

alias_sched_all=CheckTaskSched "filter=exit_code ne 0" "syntax=%title%: %exit_code%" warn=>0
alias_sched_long=CheckTaskSched "filter=status = 'running' AND most_recent_run_time < -$ARG1$" "syntax=%title% (%most_recent_run_time%)" warn=>0
alias_sched_task=CheckTaskSched "filter=title eq '$ARG1$' AND exit_code ne 0" "syntax=%title% (%most_recent_run_time%)" warn=>0

alias_updates=check_updates -warning 0 -critical 0

check_ok=CheckOK Everything is fine!

[Wrapped Scripts]
;check_test_vbs=check_test.vbs /arg1:1 /arg2:1 /variable:1
;check_test_ps1=check_test.ps1 arg1 arg2
;check_test_bat=check_test.bat arg1 arg2
;check_battery=check_battery.vbs
;check_printer=check_printer.vbs
;check_updates=check_updates.vbs


; [includes]
;# The order when used is "reversed" thus the last included file will be "first"
;# Included files can include other files (be carefull only do basic recursive checking)
;
; myotherfile.ini
; real.ini


[NSCA Agent]
;# CHECK INTERVALL (in seconds)
;   How often we should run the checks and submit the results.
;interval=5
;
;# ENCRYPTION METHOD
;   This option determines the method by which the send_nsca client will encrypt the packets it sends 
;   to the nsca daemon. The encryption method you choose will be a balance between security and 
;   performance, as strong encryption methods consume more processor resources.
;   You should evaluate your security needs when choosing an encryption method.
;
; Note: The encryption method you specify here must match the decryption method the nsca daemon uses 
;       (as specified in the nsca.cfg file)!!
; Values:
;	0 = None	(Do NOT use this option)
;	1 = Simple XOR  (No security, just obfuscation, but very fast)
;   2 = DES
;   3 = 3DES (Triple DES)
;	4 = CAST-128
;	6 = xTEA
;	8 = BLOWFISH
;	9 = TWOFISH
;	11 = RC2
;	14 = RIJNDAEL-128 (AES)
;	20 = SERPENT
;encryption_method=14
;
;# ENCRYPTION PASSWORD
;  This is the password/passphrase that should be used to encrypt the sent packets. 
;password=
;
;# BIND TO ADDRESS
;  Allows you to bind server to a specific local address. This has to be a dotted ip adress not a hostname.
;  Leaving this blank will bind to "one" local interface.
; -- not supported as of now -- 
;bind_to_address=
;
;# LOCAL HOST NAME
;  The name of this host (if empty "computername" will be used.
;hostname=
;
;# NAGIOS SERVER ADDRESS
;  The address to the nagios server to submit results to.
;nsca_host=192.168.0.1
;
;# NAGIOS SERVER PORT
;  The port to the nagios server to submit results to.
;nsca_port=5667
;

;# CHECK COMMAND LIST
;  The checks to run everytime we submit results back to nagios
;  Any command(alias/key) starting with a host_ is sent as HOST_COMMAND others are sent as SERVICE_COMMANDS
;  where the alias/key is used as service name.
;
[NSCA Commands]
;my_cpu_check=checkCPU warn=80 crit=90 time=20m time=10s time=4
;my_mem_check=checkMem MaxWarn=80% MaxCrit=90% ShowAll type=page
;my_svc_check=checkServiceState CheckAll exclude=wampmysqld exclude=MpfService
;host_check=check_ok

;# REMOTE NRPE PROXY COMMANDS
;  A list of commands that check other hosts.
;  Used by the NRPECLient module
[NRPE Client Handlers]
check_other=-H 192.168.0.1 -p 5666 -c remote_command -a arguments

;# LUA SCRIPT SECTION
;  A list of all Lua scripts to load.
;[LUA Scripts]
;scripts\test.lua

[jdalrymple]

I'm going to recommend up front that you UNINSTALL this older version with nsc.ini and install the newest stable now. The reason I suggest this is because eventually this will no longer be supported anyway, and if we're going to fumble with your config file now is as good of a time as any to get it into the modern nsclient.ini format. In addition to that your nscp service is simply misbehaving by not logging any data. You clearly have it configured to do so. I have definitely seen corrupted installs of nscp that I just couldn't fix and the best solution was to just uninstall and reinstall. I promise this is not me just trying to waste your time, I've seen it with my own two eyes and no amount of fiddling with the config made it work, however uninstall and reinstall did. Also there is no reason not to re-enable your Windows Firewall, go ahead and do that.

[stf_792]

I will install latest nsclient on the windows server, but what bothers me a bit that I am not getting any response when I run check_nrpe -H 127.0.0.1 on the server.

https://assets.nagios.com/downloads/nag ... utions.pdf told me that I should see a reply similar to NRPE v2.14 when I run /usr/local/nagios/libexec/check_nrpe -H localhost

I am no seeing that

all I am seeing is

Code: Select all

[root@localhost /]# /usr/local/nagios/libexec/check_nrpe -H localhost
[root@localhost /]#
[root@localhost /]# /usr/local/nagios/libexec/check_nrpe -H 127.0.0.1
[root@localhost /]#

[jdalrymple]

No doubt - that is weird. Sorry, I mostly ignored it because your topic seemed like the concern was more towards the Windows end of things. Admittedly if check_nrpe isn't working right locally it won't grab remote data either.

What if you run it without arguments, do you get the help output?

Code: Select all

[jdalrymple@localhost ~]$ /usr/local/nagios/libexec/check_nrpe
Incorrect command line arguments supplied

NRPE Plugin for Nagios
Copyright (c) 1999-2008 Ethan Galstad ([email protected])
Version: 2.15
Last Modified: 09-06-2013
License: GPL v2 with exemptions (-l for more info)
SSL/TLS Available: Anonymous DH Mode, OpenSSL 0.9.6 or higher required

Usage: check_nrpe -H <host> [ -b <bindaddr> ] [-4] [-6] [-n] [-u] [-p <port>] [-t <timeout>] [-c <command>] [-a <arglist...>]

Options:
 -n         = Do no use SSL
 -u         = Make socket timeouts return an UNKNOWN state instead of CRITICAL
 <host>     = The address of the host running the NRPE daemon
 <bindaddr> = bind to local address
 -4         = user ipv4 only
 -6         = user ipv6 only
 [port]     = The port on which the daemon is running (default=5666)
 [timeout]  = Number of seconds before connection times out (default=10)
 [command]  = The name of the command that the remote daemon should run
 [arglist]  = Optional arguments that should be passed to the command.  Multiple
              arguments should be separated by a space.  If provided, this must be
              the last option supplied on the command line.

Note:
This plugin requires that you have the NRPE daemon running on the remote host.
You must also have configured the daemon to associate a specific plugin command
with the [command] option you are specifying here.  Upon receipt of the
[command] argument, the NRPE daemon will run the appropriate plugin command and
send the plugin output and return code back to *this* plugin.  This allows you
to execute plugins on remote hosts and 'fake' the results to make Nagios think
the plugin is being run locally.

[stf_792]

does not look correct.

Code: Select all

[root@localhost /]# /usr/local/nagios/libexec/check_nrpe
[root@localhost /]#
[root@localhost /]#

I rebooted server hosting nagios too. same thing is happening.

in case it may help

Code: Select all

[root@localhost /]# cat  /etc/xinetd.d/nrpe
# default: on
# description: NRPE (Nagios Remote Plugin Executor)
service nrpe
{
        flags           = REUSE
        socket_type     = stream
        port            = 5666
        wait            = no
        user            = nagios
        group           = nagios
        server          = /usr/local/nagios/bin/nrpe
        server_args     = -c /usr/local/nagios/etc/nrpe.cfg --inetd
        log_on_failure  += USERID
        disable         = no
        only_from       = 127.0.0.1
        per_source      = UNLIMITED
        instances       = UNLIMITED
}
[root@localhost /]#

last two lines added by me

also since nagios Xi came prepackaged here is nrpe.cfg from my server

Code: Select all

[root@localhost /]# cat /usr/local/nagios/etc/nrpe.cfg
#############################################################################
# Sample NRPE Config File
# Written by: Ethan Galstad ([email protected])
#
# Last Modified: 11-23-2007
#
# NOTES:
# This is a sample configuration file for the NRPE daemon.  It needs to be
# located on the remote host that is running the NRPE daemon, not the host
# from which the check_nrpe client is being executed.
#############################################################################


# LOG FACILITY
# The syslog facility that should be used for logging purposes.

log_facility=daemon



# PID FILE
# The name of the file in which the NRPE daemon should write it's process ID
# number.  The file is only written if the NRPE daemon is started by the root
# user and is running in standalone mode.

pid_file=/var/run/nrpe.pid



# PORT NUMBER
# Port number we should wait for connections on.
# NOTE: This must be a non-priviledged port (i.e. > 1024).
# NOTE: This option is ignored if NRPE is running under either inetd or xinetd

server_port=5666



# SERVER ADDRESS
# Address that nrpe should bind to in case there are more than one interface
# and you do not want nrpe to bind on all interfaces.
# NOTE: This option is ignored if NRPE is running under either inetd or xinetd

#server_address=127.0.0.1



# NRPE USER
# This determines the effective user that the NRPE daemon should run as.
# You can either supply a username or a UID.
#
# NOTE: This option is ignored if NRPE is running under either inetd or xinetd

nrpe_user=nagios



# NRPE GROUP
# This determines the effective group that the NRPE daemon should run as.
# You can either supply a group name or a GID.
#
# NOTE: This option is ignored if NRPE is running under either inetd or xinetd

nrpe_group=nagios



# ALLOWED HOST ADDRESSES
# This is an optional comma-delimited list of IP address or hostnames
# that are allowed to talk to the NRPE daemon. Network addresses with a bit mask
# (i.e. 192.168.1.0/24) are also supported. Hostname wildcards are not currently
# supported.
#
# Note: The daemon only does rudimentary checking of the client's IP
# address.  I would highly recommend adding entries in your /etc/hosts.allow
# file to allow only the specified host to connect to the port
# you are running this daemon on.
#
# NOTE: This option is ignored if NRPE is running under either inetd or xinetd

allowed_hosts=127.0.0.1



# COMMAND ARGUMENT PROCESSING
# This option determines whether or not the NRPE daemon will allow clients
# to specify arguments to commands that are executed.  This option only works
# if the daemon was configured with the --enable-command-args configure script
# option.
#
# *** ENABLING THIS OPTION IS A SECURITY RISK! ***
# Read the SECURITY file for information on some of the security implications
# of enabling this variable.
#
# Values: 0=do not allow arguments, 1=allow command arguments

dont_blame_nrpe=1



# BASH COMMAND SUBTITUTION
# This option determines whether or not the NRPE daemon will allow clients
# to specify arguments that contain bash command substitutions of the form
# $(...).  This option only works if the daemon was configured with both
# the --enable-command-args and --enable-bash-command-substitution configure
# script options.
#
# *** ENABLING THIS OPTION IS A HIGH SECURITY RISK! ***
# Read the SECURITY file for information on some of the security implications
# of enabling this variable.
#
# Values: 0=do not allow bash command substitutions,
#         1=allow bash command substitutions

allow_bash_command_substitution=0



# COMMAND PREFIX
# This option allows you to prefix all commands with a user-defined string.
# A space is automatically added between the specified prefix string and the
# command line from the command definition.
#
# *** THIS EXAMPLE MAY POSE A POTENTIAL SECURITY RISK, SO USE WITH CAUTION! ***
# Usage scenario:
# Execute restricted commmands using sudo.  For this to work, you need to add
# the nagios user to your /etc/sudoers.  An example entry for alllowing
# execution of the plugins from might be:
#
# nagios          ALL=(ALL) NOPASSWD: /usr/lib/nagios/plugins/
#
# This lets the nagios user run all commands in that directory (and only them)
# without asking for a password.  If you do this, make sure you don't give
# random users write access to that directory or its contents!

# command_prefix=/usr/bin/sudo



# DEBUGGING OPTION
# This option determines whether or not debugging messages are logged to the
# syslog facility.
# Values: 0=debugging off, 1=debugging on

debug=0



# COMMAND TIMEOUT
# This specifies the maximum number of seconds that the NRPE daemon will
# allow plugins to finish executing before killing them off.

command_timeout=60



# CONNECTION TIMEOUT
# This specifies the maximum number of seconds that the NRPE daemon will
# wait for a connection to be established before exiting. This is sometimes
# seen where a network problem stops the SSL being established even though
# all network sessions are connected. This causes the nrpe daemons to
# accumulate, eating system resources. Do not set this too low.

connection_timeout=300



# WEEK RANDOM SEED OPTION
# This directive allows you to use SSL even if your system does not have
# a /dev/random or /dev/urandom (on purpose or because the necessary patches
# were not applied). The random number generator will be seeded from a file
# which is either a file pointed to by the environment valiable $RANDFILE
# or $HOME/.rnd. If neither exists, the pseudo random number generator will
# be initialized and a warning will be issued.
# Values: 0=only seed from /dev/[u]random, 1=also seed from weak randomness

#allow_weak_random_seed=1



# INCLUDE CONFIG FILE
# This directive allows you to include definitions from an external config file.

#include=<somefile.cfg>



# INCLUDE CONFIG DIRECTORY
# This directive allows you to include definitions from config files (with a
# .cfg extension) in one or more directories (with recursion).

#include_dir=<somedirectory>
#include_dir=<someotherdirectory>



# COMMAND DEFINITIONS
# Command definitions that this daemon will run.  Definitions
# are in the following format:
#
# command[<command_name>]=<command_line>
#
# When the daemon receives a request to return the results of <command_name>
# it will execute the command specified by the <command_line> argument.
#
# Unlike Nagios, the command line cannot contain macros - it must be
# typed exactly as it should be executed.
#
# Note: Any plugins that are used in the command lines must reside
# on the machine that this daemon is running on!  The examples below
# assume that you have plugins installed in a /usr/local/nagios/libexec
# directory.  Also note that you will have to modify the definitions below
# to match the argument format the plugins expect.  Remember, these are
# examples only!


# The following examples use hardcoded command arguments...

command[check_users]=/usr/local/nagios/libexec/check_users -w 5 -c 10
command[check_load]=/usr/local/nagios/libexec/check_load -w 15,10,5 -c 30,25,20
command[check_hda1]=/usr/local/nagios/libexec/check_disk -w 20% -c 10% -p /dev/hda1
command[check_zombie_procs]=/usr/local/nagios/libexec/check_procs -w 5 -c 10 -s Z
command[check_total_procs]=/usr/local/nagios/libexec/check_procs -w 150 -c 200


# The following examples allow user-supplied arguments and can
# only be used if the NRPE daemon was compiled with support for
# command arguments *AND* the dont_blame_nrpe directive in this
# config file is set to '1'.  This poses a potential security risk, so
# make sure you read the SECURITY file before doing this.

#command[check_users]=/usr/local/nagios/libexec/check_users -w $ARG1$ -c $ARG2$
#command[check_load]=/usr/local/nagios/libexec/check_load -w $ARG1$ -c $ARG2$
#command[check_disk]=/usr/local/nagios/libexec/check_disk -w $ARG1$ -c $ARG2$ -p $ARG3$
#command[check_procs]=/usr/local/nagios/libexec/check_procs -w $ARG1$ -c $ARG2$ -s $ARG3$
[root@localhost /]#

[jdalrymple]

The most bizarre thing is that we have 7 or 8 zillion people out there running the VM image (many in production) and nobody else has encountered a broken check_nrpe. Do any of your plugins work properly?

Code: Select all

ls -l /usr/local/nagios/libexec | grep nrpe

I think you're going to end up getting to reinstall the plugin. Easy enough to do though, just treat it like any other server, download the appropriate package and run fullinstall.

[stf_792]

As far as I can see. everything else is working.

looks like permissions are correct.

Code: Select all

[root@localhost /]# ls -l /usr/local/nagios/libexec | grep nrpe
-rwxrwxr-x 1 nagios nagios      0 Jul 15 12:22 check_nrpe

This is one of those things that I would prefer to resolve, rather than deal with it when it resurface later when system may become production.

Is there any log that can be checked on the Nagios Server? Is there a "debug" mode that can produce a log?