Please try commenting out this line in your nsclient.ini under the [/settings/NRPE/server] section and restart the nsclient++ service, test it again, and send the output again:
Non-standard buffer length (hope you have recompiled check_nrpe changing #define MAX_PACKETBUFFER_LENGTH = 8192
Code: Select all
;payload length = 1024
For future readers, this is how it is initially set up:
- Note: It's up to you to adjust allow arguments and/or allow nasty characters in the nsclient.ini per your business requirements
*** Make sure that you have known-good backups/vm snapshots before making any modifications just in case you need to revert and try it on a test system first.
https://assets.nagios.com/downloads/nag ... ios-XI.pdf
1. Install the NRPE maint branch on the Nagios XI server:
Code: Select all
cd /tmp
wget https://github.com/NagiosEnterprises/nrpe/archive/maint.zip
unzip maint.zip
cd nrpe-maint
./configure
make all
make install
Code: Select all
[root@ssc66xid nrpe-maint]# /usr/local/nagios/libexec/check_nrpe -V
NRPE Plugin for Nagios
Copyright (c) 1999-2008 Ethan Galstad ([email protected])
Version: 3.1.0
Last Modified: 2017-04-19
License: GPL v2 with exemptions (-l for more info)
SSL/TLS Available: OpenSSL 0.9.6 or higher required
2. Edit your nsclient.ini on the remote machine and set:
Code: Select all
[/settings/NRPE/server]
allowed ciphers = ALL:!ADH:!LOW:!EXP:!MD5:@STRENGTH
ca = ${certificate-path}/ca_cert.pem
certificate = ${certificate-path}/client_cert.pem
certificate key = ${certificate-path}/client_cert.key
dh =
verify mode = peer-cert
ssl options = no-sslv2,no-sslv3
; COMMAND ALLOW NASTY META CHARS - This option determines whether or not the we will allow clients to specify nasty (as in |`&><'"\[]{}) characters in arguments.
allow nasty characters = 0
; COMMAND ARGUMENT PROCESSING - This option determines whether or not the we will allow clients to specify arguments to commands that are executed.
allow arguments = 1
; ENABLE SSL ENCRYPTION - This option controls if SSL should be enabled.
use ssl = 1
; ALLOW INSECURE CHIPHERS and ENCRYPTION - Only enable this if you are using legacy check_nrpe client.
insecure = false
3. Add these files on your nsclient.ini server:
Code: Select all
NSCLIENT_INSTALL_DIRECTORY\security\ca_cert.pem
NSCLIENT_INSTALL_DIRECTORY\security\client_cert.pem
NSCLIENT_INSTALL_DIRECTORY\security\client_cert.key
Code: Select all
ca_cert.pem <- This is your CA certificate (not the private key) and every CA certificate of the chain will need to be in there.
client_cert.pem <- This is your NSClient++ server's certificate (without the private key).
client_cert.key <- This is your NSClient++ server's private key for the certificate.
4. Restart the NSClient++ service.
5. Test from your XI server:
- Change the paths and X.X.X.X as necessary
Code: Select all
/usr/local/nagios/libexec/check_nrpe -H X.X.X.X -2 -S TLSv1.2+ -L 'ALL:!ADH:!LOW:!EXP:!MD5:@STRENGTH' -d0 -C /path/to/your/xiserver.crt -K /path/to/your/xiserver_private.key -A /path/to/your/ca_cert.pem -g /var/log/messages -s-1
Code: Select all
/path/to/your/xiserver.crt <- XI server's certificate (without private key)
/path/to/your/xiserver_private.key <- XI server's private key
/path/to/your/ca_cert.pem <- This is the same file as the one in step 3.
Run that command and then look at the output of this command on the XI server:
Code: Select all
tail -n200 /var/log/messages
To enable debugging on the remote server you can adjust your [/settings/log] section:
Code: Select all
; LOG SECTION - Configure log properties.
[/settings/log]
; FILENAME - The file to write log data to. Set this to none to disable log to file.
file name = ${exe-path}/nsclient.log
; DATEMASK - The size of the buffer to use when getting messages this affects the speed and maximum size of messages you can recieve.
date format = %Y-%m-%d %H:%M:%S
; LOG LEVEL - Log level to use. Available levels are error,warning,info,debug,trace
level = trace
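
An added example, not part of the original post and not Nagios or NSClient++ code: a Python check that compares an nsclient.ini against the [/settings/NRPE/server] values from step 2 and lists any drift, such as insecure = true or a missing no-sslv3. The function name, the constructed sample config and the assumption that NSClient++ reads 1/true and 0/false alike are assumptions of this example.

```python
import configparser

SECTION = "/settings/NRPE/server"
# Values from step 2; assumes NSClient++ reads 1/true and 0/false alike.
EXPECTED = {
    "use ssl": {"1", "true"},
    "insecure": {"0", "false"},
    "verify mode": {"peer-cert"},
    "allow nasty characters": {"0", "false"},
}
CERT_KEYS = ("ca", "certificate", "certificate key")
REQUIRED_SSL_OPTIONS = {"no-sslv2", "no-sslv3"}

# Constructed sample that drifts from step 2 in several places.
SAMPLE_WEAK = """\
[/settings/NRPE/server]
ca = ${certificate-path}/ca_cert.pem
certificate = ${certificate-path}/client_cert.pem
certificate key =
verify mode = none
ssl options = no-sslv2
allow nasty characters = 1
use ssl = 1
insecure = true
payload length = 1024
"""


def audit_nrpe_server(ini_text):
    """Return sorted findings for the [/settings/NRPE/server] section."""
    # interpolation=None keeps literal % and ${...} tokens; "=" is the only delimiter.
    parser = configparser.ConfigParser(interpolation=None, strict=False, delimiters=("=",))
    parser.read_string(ini_text)
    if not parser.has_section(SECTION):
        return ["missing section [%s]" % SECTION]
    server = parser[SECTION]
    findings = []
    for key, allowed in EXPECTED.items():
        value = server.get(key, "").strip().lower()
        if value not in allowed:
            findings.append("%s = %r (step 2 uses %s)" % (key, value, "/".join(sorted(allowed))))
    for key in CERT_KEYS:
        if not server.get(key, "").strip():
            findings.append("%s is not set" % key)
    options = {o.strip().lower() for o in server.get("ssl options", "").split(",")}
    findings += ["ssl options lacks %s" % o for o in sorted(REQUIRED_SSL_OPTIONS - options)]
    if "payload length" in server:
        findings.append("payload length is set (non-standard buffer length)")
    return sorted(findings)
```

Calling audit_nrpe_server(SAMPLE_WEAK) returns six findings; a config that matches step 2, with payload length commented out, returns an empty list.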