check_nrpe vs other check_ commands

[hchen]

Hello,
I noticed that XI uses check_nrpe command to call other check commands which are defined in the nrpe.cfg to perform the checks, and I also noticed that I can use those check commands directly without problems, for example check_tcp, in this case I don't even need to modify nrpe.cfg and restart nrpe service. So what's the benefits for using check_nrpe and why we are doing it.
Much appreciated for your reply.

[rkennedy]

This is probably a better question for whomever originally setup your Nagios system.

You are correct, check_tcp can run directly from the XI machine, no need to use an agent -

Code: Select all

[root@xi libexec]# ./check_tcp -H google.com -p 80
TCP OK - 0.076 second response time on google.com port 80|time=0.076207s;;;0.000000;10.000000

Now, if someone is sending all of their check_tcp commands through check_nrpe, I would assume the network isn't accessible from the Nagios machine, so they're essentially "proxying" it through the NRPE agent.

[hchen]

Thanks for the prompt response.

I setup them up and they are installed by the official fullinstall script. All check commands come with this installation.

Sorry but I don't quiet understand what are the benefits for using "check_nrpe -c check_tcp" in stead of using check_tcp, for security reasons or for easy customization?

I ran some tests as follow:

1. Original Setup, on a agent server (Linux, named agent1.test.com), user nagios has /bin/bash shell.
In "Core Config Manager" on NagiosXI, I setup 2 check commands to agent1.test.com

Code: Select all

/usr/local/nagios/libexec/check_nrpe -H agent1.test.com -t 30 -c check_tcp -a '9000'

response with "NRPE: Command check_tcp not defined"

Code: Select all

/usr/local/nagios/libexec/check_tcp -H agent1.test.com -p 9000

response with "TCP OK"

so I added a new line to /usr/local/nagios/etc/nrpe/common.cfg on the agant server.

Code: Select all

command[check_tcp]=/usr/local/nagios/libexec/check_tcp -p $ARG1$

and check_nrpe command works OK now.

2. Original Setup, on the agent server, set user nagios's shell to /sbin/nologin and do the tests above, same results, apparently, I think set the shell to /sbin/nologin for user nagios is more secure to me, and I don't see problems so far.

To me, I don't see the benefits of using check_nrpe, in stead I found there are 77 check commands but it only has 15 entries in the common.cfg file, and it's convenient to use check_tcp or other check commands directly. However, on "Core Config Manager", all check commands set to check_nrpe by default, there's must be a reason of doing this. What is it?

Thank you.

[rkennedy]

Sorry but I don't quiet understand what are the benefits for using "check_nrpe -c check_tcp" in stead of using check_tcp, for security reasons or for easy customization?

The simple answer is as an agent, some checks need to run in a different network in order to succeed properly. If you didn't want your whole DMZ exposed, then you could use a single agent to monitor all of the metrics within and report back to Nagios.

While check_tcp can be ran against remote machines, some Nagios commands are required to run locally. (for example, checking the disk, or memory) This would require an agent such as NRPE to check those metrics.

2. The nagios user is still used for internal calls, and for the application. Off the top of my head - I don't think this will affect anything, but if you see issues due to permissions or such, this could be something that needs to be changed back.

[hchen]

Thanks again, I think I understand how it works now.

[rkennedy]

Awesome. Are we good to mark this thread resolved?

[hchen]

Yes, please.

[rkennedy]

Will do! Feel free to create a new one if you have questions in the future.