NRPE: Monitor network connectivity from host?
Hi,
I have a Linux server with an NRPE client installed. I want that NRPE client to be able to ping several other IP addresses.
This is to check that the network connectivity is OK from the actual host.
I run the agent as a special nrpeuser and not as root.
Maybe this is really easy, but I am new to the monitor world so...
Any ideas?
Re: NRPE: Monitor network connectivity from host?
NRPE clients are run on a Nagios server to poll other machines for check results. Those other machines need to run the NRPE server, which may seem backwards if you don't know how this works under the hood. You should make sure your machine has the NRPE server installed, and configure it to use the standard check_ping plugin. Documentation is available here (PDF).
Re: NRPE: Monitor network connectivity from host?
Hi!
Thanks. Great doc.
As nrpeuser I can execute for instance the check_ntp as below.
nrpeuser@suse-server:/<path>/plugins> ./check_ntp -H 127.0.0.1
NTP OK: Offset -1.311302185e-06 secs|offset=-0.000001s;60.000000;120.000000;
But I am not allowed to run the check_icmp command.
nrpeuser@suse-server:/opt/op5/plugins> ./check_icmp -H 127.0.0.1
Warning: This plugin must be either run as root or setuid root.
To run as root, you can use a tool like sudo.
To set the setuid permissions, use the command:
chmod u+s yourpluginfile
check_icmp: Failed to obtain ICMP socket: Operation not permitted
I played around trying to give nrpeuser rights to use the command using sudoers but did not succeed...
And how should that be specified when running it using check_nrpe anyway?
Re: NRPE: Monitor network connectivity from host?
It's probably easier to do this with normal file permissions. Make sure it's owned by root and then change its permissions to 4555 (chmod 4555 check_icmp). If you still want to use sudo you need a line like this in your sudoers file:
nrpeuser ALL = NOPASSWD: /<path>/<plugins>/check_ntp
Note however, that check_ping does the same thing and doesn't require root permissions at all.
Re: NRPE: Monitor network connectivity from host?
Hi,
Thanks for good answers! It sounds wiser to go with check_ping...
I have defined the command in the contrib.cfg file as:
command[check_ping]=/<path>/plugins/check_ping -H 10.3.1.20 -w 200,40% -c 300,50%
Then I can run this command as nrpeuser:
nrpeuser@suse-server:/> /<path>/nrpe/libexec/check_nrpe -H 127.0.0.1 -c check_ping
PING OK - Packet loss = 0%, RTA = 0.29 ms|rta=0.287000ms;200.000000;300.000000;0.000000 pl=0%;40;50;0
I guess this means I can run the check_ping test using NRPE.
However, I do not want to "hardcode" the IP address I want to ping (10.3.1.20 above). I would like to have it as an argument I can pass to the agent when running a check.
Typically I am guessing it should look something like:
command[check_ping]=/<path>/plugins/check_ping -H $ARG1$ -w 200,40% -c 300,50%
But how should I pass the $ARG1$ argument to the agent in such case?
Re: NRPE: Monitor network connectivity from host?
You can pass the argument as such:
./check_nrpe -H <nrpe host addr> -c check_ping -a <ip addr of $ARG1$>
The -a switch tells it that everything that follows separated by white space is a separate argument. In Nagios it will look something like:
define command {
    command_name check_nrpe
    command_line $USER1$/check_nrpe -H $HOSTADDRESS$ -c $ARG1$ $ARG2$
}
define service {
    # Regular service stuff
    check_command check_nrpe!check_ping!-a 127.0.0.1 ; IP to ping from the NRPE server goes here
}
It's also worth noting that check_ping and check_icmp are fundamentally different in one very important way... the mechanism used by check_icmp is more efficient and can't hit an OS limitation (I can't remember what resource it maxed out... available pipes or forks or something). This shouldn't affect SLES/SuSE servers; it does, however, affect many other Linux distros.
Re: NRPE: Monitor network connectivity from host?
Aha... First of all thanks for the input!
On the Remote Linux Host:
command[check_ping]= /<path>/plugins/check_ping -H $ARG1$ -w 200,30% -c 300,40% -p 3
On Monitoring Host I can now run:
[nrpeuser@suse-linux ~]$ /<path>/plugins/check_nrpe -H 10.2.11.142 -c check_ping -a 10.16.0.1
But what you mention about check_ping makes me a bit scared... I guess I should use check_icmp?
We have RedHat, CentOS, Ubuntu and some Debian Linux installations that I eventually want to run these checks on.
Therefore I created the check_icmp on the Remote Linux Host:
command[check_icmp]= /<path>/plugins/check_icmp -H $ARG1$ -w 200,30% -c 300,40% -p 3
I had to change the ownership and rights on the file
From:
-rwxr-xr-x 1 nrpeuser nrpeuser 61248 Aug 31 2011 check_icmp
To:
-r-sr-xr-x 1 root root 61248 Aug 31 2011 check_icmp
From my Monitoring Host I can then run the check as:
[nrpeuser@Centos-linux ~]$ /<path>/plugins/check_nrpe -H 10.2.11.142 -c check_ping -a 10.16.0.1
PING OK - Packet loss = 0%, RTA = 1.94 ms|rta=1.939000ms;200.000000;300.000000;0.000000 pl=0%;30;40;0
Is this the "best practice" way to do it?
I am thinking security wise for instance... Changing files to root?
Re: NRPE: Monitor network connectivity from host?
Security wise it shouldn't make a massive difference... Either way you are going to need to ensure that execute access is delegated to the NRPE user. It really depends if you are in a multi-user environment and you are worried that someone might be able to change to the nrpeuser and then do something unwanted with your Nagios binaries. As long as you have restricted access to NRPE by only allowing certain hosts to connect (and have SSL enabled) I think you will be fine. Though for extra safety you may want to disable arguments on DMZ servers depending on your company's setup and security policies.
The problem with check_ping, in my experience, showed up when it was running pings to over 1000 devices in ~10 minute intervals. So if you are expecting a large number of devices to be monitored via ping then I would suggest investing the time getting check_icmp working instead.
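Added example (not part of the original thread, and not code from the NRPE project): a small Python audit of the nrpe.cfg settings this thread turns on, namely allowed_hosts, dont_blame_nrpe (the NRPE option that must be 1 before $ARG1$ is accepted) and every command line that takes $ARGn$ macros. The sample configuration is constructed; 192.0.2.10 stands in for the monitoring host and /<path>/plugins is the thread's own placeholder.

```python
import re

# Constructed nrpe.cfg sample modelled on the commands posted in this thread.
SAMPLE_CFG = """\
# constructed example
allowed_hosts=127.0.0.1,192.0.2.10
dont_blame_nrpe=1
command[check_ntp]=/<path>/plugins/check_ntp -H 127.0.0.1
command[check_ping]= /<path>/plugins/check_ping -H $ARG1$ -w 200,30% -c 300,40% -p 3
command[check_icmp]= /<path>/plugins/check_icmp -H $ARG1$ -w 200,30% -c 300,40% -p 3
"""

COMMAND_RE = re.compile(r"^command\[([^\]]+)\]\s*=\s*(.+)$")
ARG_MACRO_RE = re.compile(r"\$ARG\d+\$")

def parse_cfg(text):
    """Split nrpe.cfg text into plain settings and command definitions."""
    settings, commands = {}, {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = COMMAND_RE.match(line)
        if m:
            commands[m.group(1)] = m.group(2).strip()
        elif "=" in line:
            key, value = line.split("=", 1)
            settings[key.strip()] = value.strip()
    return settings, commands

def audit(text):
    """Return (severity, message) findings for the settings discussed above."""
    settings, commands = parse_cfg(text)
    findings = []
    hosts = [h.strip() for h in settings.get("allowed_hosts", "").split(",") if h.strip()]
    if not hosts:
        findings.append(("high", "allowed_hosts is not set"))
    args_on = settings.get("dont_blame_nrpe", "0") == "1"
    if args_on:
        findings.append(("medium", "dont_blame_nrpe=1: clients may pass arguments"))
    for name, cmdline in sorted(commands.items()):
        macros = ARG_MACRO_RE.findall(cmdline)
        if macros and args_on:
            findings.append(("medium", f"{name}: caller controls {', '.join(macros)}"))
        elif macros:
            findings.append(("info", f"{name}: uses {macros[0]} but arguments are disabled"))
    return findings
```

Running audit() over each host's nrpe.cfg shows which checks accept caller-supplied targets, which matters most where the plugin behind the command is setuid root, as check_icmp is here.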