NRPE unable to read output when trying to monitor CIFS

[dlukinski]

Hello XI support

We are having issues with monitoring cifs and java by NRPE (Unable to read output)
- works for same hosts when monitoring httpd and sshd

Please help

Thank you

[rkennedy]

We will need more information then this. Can you show us the check_commands that your services are running?

[dlukinski]

We will need more information then this. Can you show us the check_commands that your services are running?

Here you go (screenshot attached)
- produces errors for the host where CIFS is running (accessible via SNMP). NRPE works for httpd from the same host

[WillemDH]

It is possible this means the nagios or nrpe user need sudo to check the service. Check your visudo.

You can test if it is the case by logging in as root, then su nagios and run the full command.

[rkennedy]

Thanks @Willem!

@dlukinski - Willem is right, this is most likely related to permissions to execute the command in question. Can you run su nagios on the client machine, and try to execute the check_init_service plugin. Let us know the full input / output if it has issues.

[dlukinski]

Thanks @Willem!

@dlukinski - Willem is right, this is most likely related to permissions to execute the command in question. Can you run su nagios on the client machine, and try to execute the check_init_service plugin. Let us know the full input / output if it has issues.

Thank you, this is becoming tricky

- we really cannot count on monitoring account ever granted sudo permisisons / cannot even test this case for the same security reason.
- is there any workaround for not to use sudo OR list of plugins to use one with?

I am to install some test servers, where I would have root access to try similar checks with by adding nagios to sudoers

[rkennedy]

- we really cannot count on monitoring account ever granted sudo permisisons / cannot even test this case for the same security reason.
- is there any workaround for not to use sudo OR list of plugins to use one with?

For what you're looking to monitor, a user will NEED permissions to see if the service is running or not. There really isn't a way around this. They do not need full sudo access, just for what you're looking to check.

Let us know how your testing goes, and if you have any further questions.

[dlukinski]

- we really cannot count on monitoring account ever granted sudo permisisons / cannot even test this case for the same security reason.
- is there any workaround for not to use sudo OR list of plugins to use one with?

For what you're looking to monitor, a user will NEED permissions to see if the service is running or not. There really isn't a way around this. They do not need full sudo access, just for what you're looking to check.

Let us know how your testing goes, and if you have any further questions.

Which restricted commands check_init plugin uses (is there a list) ?

[hsmith]

check_init_service is a cleartext batch script:

Code: Select all

#!/bin/sh

PROGNAME=`basename $0`

print_usage() {
        echo "Usage: $PROGNAME"
}

print_help() {
        echo ""
        print_usage
        echo ""
        echo "This plugin checks the status of services normally started by the init process."
        echo ""
        support
        exit 0
}


case "$1" in
        --help)
                print_help
                exit 0
                ;;
        -h)
                print_help
                exit 0
                ;;
        *)

                if [ $# -eq 1 ]; then
                        /sbin/service $1 status
                        ret=$?
                        case "$ret" in
                             0)
                                exit $ret
                                ;;
                             *)
                                exit 2
                                ;;
                        esac
                else
                        echo "ERROR: No service name specified on command line"
                        exit 3
                fi
                ;;
esac

Looking at it, this should be the only thing your user needs access to:

Code: Select all

 /sbin/service

[dlukinski]

check_init_service is a cleartext batch script:

Code: Select all

#!/bin/sh

PROGNAME=`basename $0`

print_usage() {
        echo "Usage: $PROGNAME"
}

print_help() {
        echo ""
        print_usage
        echo ""
        echo "This plugin checks the status of services normally started by the init process."
        echo ""
        support
        exit 0
}


case "$1" in
        --help)
                print_help
                exit 0
                ;;
        -h)
                print_help
                exit 0
                ;;
        *)

                if [ $# -eq 1 ]; then
                        /sbin/service $1 status
                        ret=$?
                        case "$ret" in
                             0)
                                exit $ret
                                ;;
                             *)
                                exit 2
                                ;;
                        esac
                else
                        echo "ERROR: No service name specified on command line"
                        exit 3
                fi
                ;;
esac

Looking at it, this should be the only thing your user needs access to:

Code: Select all

 /sbin/service

Please close this thread

Thank you