nagios check_http fails on gui but not from commandline

[paulm2]

I am runnining Nagios corewith nrpe and xinetd on centos 7 this is a new install on our aws testbench

running http_check on the master from cmd via nrpe:
centos-nagios etc]$ sudo /usr/local/nagios/libexec/check_nrpe -H x.x.x.x check_http
NRPE v3.2.1

running http_check on the agent fails???:
agent-nagios ~]$ sudo /usr/lib64/nagios/plugins/check_http -H localhost
connect to address localhost and port 80: Connection refused
HTTP CRITICAL - Unable to open TCP socket

trying localhost by ip on agent:
agent-nagios ~]$ sudo /usr/lib64/nagios/plugins/check_http -H 127.0.0.1
connect to address 127.0.0.1 and port 80: Connection refused


Also Fails on master nagios gui :
Host Status:
DOWN
(for 0d 0h 41m 52s)
Status Information:
connect to address x.x.x.x and port 80: Connection refused
HTTP CRITICAL - Unable to open TCP socket

aws and local firewalls are allowing port 80 (as proved with the master to agent call that works)
nrpe file contains the following (I have seen this on sites with and without a comma seperator but it only works without on this server):
group = nagios
server = /usr/sbin/nrpe
server_args = -c /etc/nagios/nrpe.cfg --inetd
log_on_failure += USERID
disable = no
only_from = 127.0.0.1 x.x.x.x


on the client: (shoukld this xinetd?? as nrpe is not running when
test ~]$ grep 5666 /etc/services
nrpe 5666/tcp # nrpe (nagios)

I am obviously missing something (probably glaringly obvious) can someone enlighten me
Thanks in advance

[paulm2]

update - if I submit a passive check from nagios GUI for either check_ping or check_http it works, I assume this means it sends the same message as the host status check that would be done automatically from nagios anyway so why will the automatic check not work? where can I find the config for the automatic checks?

[mbellerue]

Hi @paulm2, welcome to the forums!

There's a lot going on here, so I'm going to go step by step because I want to make sure you have the best possible understanding of Nagios, agents, and plugins.

running http_check on the master from cmd via nrpe:
centos-nagios etc]$ sudo /usr/local/nagios/libexec/check_nrpe -H x.x.x.x check_http
NRPE v3.2.1

First couple of things. check_http can be run from the Nagios system itself to check a website. It will reach out to the website, perform a check, and return the results. Where as check_nrpe is a way for Nagios to reach out to the NRPE agent running on a remote server and execute a plugin. By executing the plugin like this, it's basically no different than executing the check_http plugin on host x.x.x.x. Which can be a valid way to monitor a site.

If that is your goal, you will want something like,

Code: Select all

sudo /usr/local/nagios/libexec/check_nrpe -H x.x.x.x -c myhttpcheck -a '-I x.x.x.x' 

In your remote server's nrpe.cfg (or common.cfg, depending on your config file setup) file you would have an entry like this,

Code: Select all

command[myhttpcheck]=/usr/lib64/nagios/plugins/check_http $ARG1$

running http_check on the agent fails???:
agent-nagios ~]$ sudo /usr/lib64/nagios/plugins/check_http -H localhost
connect to address localhost and port 80: Connection refused
HTTP CRITICAL - Unable to open TCP socket

Here it's possible that your web server is not listening on localhost. Try using -I x.x.x.x (that's a capital i).

Also Fails on master nagios gui :
Host Status:
DOWN
(for 0d 0h 41m 52s)
Status Information:
connect to address x.x.x.x and port 80: Connection refused
HTTP CRITICAL - Unable to open TCP socket

Nagios will need to be able to reach whatever x.x.x.x is. If it's accessed over a site-to-site VPN, then the Nagios server will need to know that route. If it's just a public IP address, try running a ping against it to make sure Nagios can talk to it. You can also try nmap x.x.x.x -p 80,443 to see if the common web ports are open.

update - if I submit a passive check from nagios GUI for either check_ping or check_http it works, I assume this means it sends the same message as the host status check that would be done automatically from nagios anyway so why will the automatic check not work? where can I find the config for the automatic checks?

The ability to submit a passive check is more of a troubleshooting tool. It allows you to submit your own check result via the passive check process. Passive checks are simply checks that Nagios does not initiate. They are initiated on the server you are monitoring, and only the results are passed to the Nagios server. You can read more about passive checks here,
https://assets.nagios.com/downloads/nag ... hecks.html

Whew. That's a lot to take in. Read through that. Ask more questions. Experiment. Let me know how it goes.

[paulm2]

Thanks for the detailed reply
It appears I dont have the required port (80) open on the agent I have allowed it within AWS (temporarily tested allowing any connection) and have dropped iptables, EPEL is not running but there still appears to be something preventing the connection on port 80 for http and similarly for ping port 22 any ideas what setting would prevent the connection on port 80 ??

[paulm2]

Thanks that, pointed me in the correct direction - turns out AWS was the issue I had set the specific security group for testing to allow all, but another more stringent security group is also on the instance - it appears if aws sees this it defaults to just the more secure (stringent) rule - hence completely confusing my test results.
Useful to note is that even localhost calls will succomb to this so pinging self will also fail in this situation

[mbellerue]

Perfect! Is there anything else we can help with, or should I close this thread?

[paulm2]

sorry for the slow response - all good this end many thanks mbellerue please close this call

[scottwilkerson]

sorry for the slow response - all good this end many thanks mbellerue please close this call

Great!

Locking thread