Issue with Check_nrpe

[rkennedy]

When installing NSClient++ there is an option for selection 'insecure mode' - this might be the route you need to go in order to establish the connection.

Here's a screen shot of the option to look for -

[druid]

I already have insecure = true on my windows client's nsclient.ini file.

Do I need to have NSclient installed on the nagios server?

[rkennedy]

Can you attach your nsclient.ini for us to take a look at?

[druid]

nsclinet.ini

Code: Select all

; Undocumented section


[/settings/default]

; ALLOWED HOSTS - A comaseparated list of allowed hosts. You can use netmasks (/ syntax) or * to create ranges.
allowed hosts = 222.174.46.250

; PASSWORD - Password used to authenticate against server
password = paszword


; Undocumented section
[/settings/NRPE/server]

; VERIFY MODE - Comma separated list of verification flags to set on the SSL socket.  none	The server will not send a client certificate request to the client, so the client will not send a certificate. peer	The server sends a client certificate request to the client and the certificate returned (if any) is checked. fail-if-no-cert	if the client did not return a certificate, the TLS/SSL handshake is immediately terminated. This flag must be used together with peer. peer-cert	Alias for peer and fail-if-no-cert. workarounds	Various bug workarounds. single	Always create a new key when using tmp_dh parameters. client-once	Only request a client certificate on the initial TLS/SSL handshake. This flag must be used together with verify-peer   
verify mode = peer-cert

; ALLOW INSECURE CHIPHERS and ENCRYPTION - Only enable this if you are using legacy check_nrpe client.
insecure = true

; VERIFY MODE - Comma separated list of verification flags to set on the SSL socket.  default-workarounds	Various workarounds for what I understand to be broken ssl implementations no-sslv2	Do not use the SSLv2 protocol. no-sslv3	Do not use the SSLv3 protocol. no-tlsv1	Do not use the TLSv1 protocol. single-dh-use	Always create a new key when using temporary/ephemeral DH parameters. This option must be used to prevent small subgroup attacks, when the DH parameters were not generated using "strong" primes (e.g. when using DSA-parameters).   
ssl options = no-sslv2


; Undocumented section
[/modules]

; NRPEServer - A server that listens for incoming NRPE connection and processes incoming requests.
NRPEServer = 1

; CheckSystem - Various system related checks, such as CPU load, process state, service state memory usage and PDH counters.
CheckSystem = 1

; NSClientServer - A server that listens for incoming check_nt connection and processes incoming requests.
NSClientServer = 1

; CheckExternalScripts - Execute external scripts
CheckExternalScripts = 1

; CheckHelpers - Various helper function to extend other checks.
CheckHelpers = 1

; CheckEventLog - Check for errors and warnings in the event log.
CheckEventLog = 1

; CheckNSCP - Use this module to check the healt and status of NSClient++ it self
CheckNSCP = 1

; CheckDisk - CheckDisk can check various file and disk related things.
CheckDisk = 1


; A list of templates for wrapped scripts.
[/settings/external scripts/wrappings]

; WRAPPING - An external script wrapping
vbs = cscript.exe //T:30 //NoLogo scripts\\lib\\wrapper.vbs %SCRIPT% %ARGS%

; WRAPPING - An external script wrapping
bat = scripts\\%SCRIPT% %ARGS%

; WRAPPING - An external script wrapping
An alias is an internal command that has been predefined to provide a single command without arguments. Be careful so you don't create loops (ie check_loop = check_a, check_a=check_loop)

; WRAPPING - An external script wrapping
ps1 = cmd /c echo scripts\\%SCRIPT% %ARGS%; exit($lastexitcode) | powershell.exe -command -


[/settings/external scripts/alias]

; ALIAS - Query alias
alias_volumes = check_drivesize

; ALIAS - Query alias
alias_up = check_uptime

; ALIAS - Query alias
alias_sched_all = check_tasksched show-all "syntax=${title}: ${exit_code}" "crit=exit_code ne 0"

; ALIAS - Query alias
alias_process_hung = check_process "filter=is_hung" "crit=count>0"

; ALIAS - Query alias
alias_process = check_process "process=$ARG1$" "crit=state != 'started'"

; ALIAS - Query alias
alias_file_size = check_files "path=$ARG1$" "crit=size > $ARG2$" "top-syntax=${list}" "detail-syntax=${filename] ${size}" max-dir-depth=10

; ALIAS - Query alias
alias_event_log = check_eventlog

; ALIAS - Query alias
alias_service_ex = check_service "exclude=Net Driver HPZ12" "exclude=Pml Driver HPZ12" exclude=stisvc

; ALIAS - Query alias
alias_disk = 

; ALIAS - Query alias
alias_cpu_ex = check_cpu "warn=load > $ARG1$" "crit=load > $ARG2$" time=5m time=1m time=30s

; ALIAS - Query alias
alias_file_age = check_files "path=$ARG1$" "crit=written > $ARG2$" "top-syntax=${list}" "detail-syntax=${filename] ${written}" max-dir-depth=10

; ALIAS - Query alias
alias_cpu = check_cpu "warn=load > 80" "crit=load > 90" time=5m time=1m time=30s

; ALIAS - Query alias
alias_process_stopped = check_process "process=$ARG1$" "crit=state != 'stopped'"

; ALIAS - Query alias
alias_service = check_service

; default - Alias for default. To configure this item add a section called: /settings/external scripts/alias/default
default = 

; ALIAS - Query alias
alias_mem = check_memory

; ALIAS - Query alias
alias_volumes_loose = check_drivesize

; ALIAS - Query alias
alias_process_count = check_process "process=$ARG1$" "warn=count > $ARG2$" "crit=count > $ARG3$"

; ALIAS - Query alias
alias_check_c = check_drivesize "crit=free_pct<10%" "warn=free_pct<20%" drive=all-drives

; ALIAS - Query alias
alias_disk_loose = check_drivesize

; ALIAS - Query alias
alias_sched_task = check_tasksched show-all "filter=title eq '$ARG1$'" "detail-syntax=${title} (${exit_code})" "crit=exit_code ne 0"

; ALIAS - Query alias
alias_sched_long = check_tasksched "filter=status = 'running'" "detail-syntax=${title} (${most_recent_run_time})" "crit=most_recent_run_time < -$ARG1$"


; A list of scripts available to run from the CheckExternalScripts module. Syntax is: <command>=<script> <arguments>
[/settings/external scripts/scripts]

; default - Alias for default. To configure this item add a section called: /settings/external scripts/scripts/default
default = 


; A set of filters to use in real-time mode
[/settings/eventlog/real-time/filters]

; default - Filter for default. To configure this item add a section called: /settings/eventlog/real-time/filters/default
default = 

[Box293]

This option is causing your problem:

Code: Select all

verify mode = peer-cert

Comment it out, save it and restart the NSClient++ service.

[druid]

Changing verify-mode did the trick. I was able to get all Windows host checks working.

However when copying over a linux host config file, the checks are failing with the error"(Return code of 255 is out of bounds)".

In nrpe.cfg on the server I have:
command[check_load]=/usr/local/nagios/libexec/check_load -w 5 -c 10

on the linus hosts cfg file I have a service defined with:
check_command check_nrpe!check_load

On the linux host, I have iptables rules to accept ssh and nrpe traffic from the nagios server and also the nagios server IP in nrpe.cfg's allowed hosts.

[druid]

Nevermind, I am able to get checks on the linux host working now. Thank you all for the help!

[rkennedy]

No problem, we're here to help. As this is resolved, I am going to close this thread out. Feel free to open another one if you ever need assistance!