We are planning to upgrade from Nagios XI version 5.6.14 to 5.7.4.
We use the NSClient version 0.4.4.23 to monitor our Windows Servers checked from Nagios XI using check_nrpe.
The default check_nrpe command is: check_nrpe -H $HOSTADDRESS$ -t 30 -c $ARG1$ $ARG2$
Nagios XI version 5.7.4 has upgraded NRPE from version 3 to version 4.
I have tested the upgrade in a DEV environment and the NSClient service check outputs are now returning
OK - CHECK_NRPE: Invalid packet version received from server
Previous to the upgrade check_nrpe v3.2.1.
The output was
I (0.4.4.23 ……) seem to be doing fine
After the upgrade check_nrpe v4.0.3
The output is now
CHECK_NRPE: Invalid packet version received from server
I (0.4.4.23 ……) seem to be doing fine
I have seen the other support links
https://support.nagios.com/forum/viewto ... 16&t=60277
https://support.nagios.com/forum/viewto ... 16&t=60069
Where it is suggested to modify the check_nrpe command to include the -2 argument – which forces check_nrpe to use version 2 packet type.
My questions are as follows:
1. Will the -2 switch mean that we are now using NRPE version 2 packets and if so are we not open to vulnerabilities that NRPE version 3 and 4 resolved?
2. Do you know if or when the NSClient will be compatible with NRPE 4 packet types?
3. My understanding is that we will need two check_nrpe commands:
A new command with the -2 argument for the Windows servers using NSClient, but for Linux servers using NRPE version 3.2.1 we will need a command without the -2:
Linux check_nrpe -H $HOSTADDRESS$ -t 30 -c $ARG1$ $ARG2$
Windows check_nrpe_v2 -H $HOSTADDRESS$ -t 30 -c $ARG1$ $ARG2$ -2
4. Our Linux servers use NRPE version 3.2.1 – will they also have issues with NRPE version 4?
Or will they need a customised command with the -3 argument to enforce only version 3 packets, until we can upgrade the nrpe to version 4?
5. If I run the check_nrpe command in Core Configuration Manager using the Run Check command – if the nsclient command has arguments in $ARG2$ it always returns the following error:
Failed to validate filter see log for details
Even though it works in the GUI and the service check output is OK.
Check command - check_nrpe -H 192.168.1.11 -t 30 -c $ARG1$ $ARG2$
$ARG1$ = check_cpu
$ARG2$ = -a "warning=load>=95%" "critical=load>=98%" "time=1m" "time=5m" "time=15m" "filter=core = 'total'" "top-syntax=%(status): %(list)" "detail-syntax=%(time) load %(load)%"
If the command has no arguments in $ARG2$ it runs correctly from Core Configuration Manager using the Run Check command.
Note: this command runs correctly in Nagios XI version 5.6.14
NRPE 4.0.3 and the NSClient - CHECK_NRPE: Invalid packet ver
Re: NRPE 4.0.3 and the NSClient - CHECK_NRPE: Invalid packet
Hi Tony,
Some good questions here. Please see my answers below and just let me know if you need clarification on anything.
1. Using the older packet options is related to the packet size used during communications. It's also true that NRPE version 3 added increased SSL security, but these are separate settings.
See: NRPE - v3 Compatibility With Previous Versions
2. NSClient is another project outside of Nagios Enterprises, it looks like the issue has been opened already on Github, but I don't see an official reply from the developer.
3. That's probably going to be the easy way to set this up. However, you can pass the -2 option as an argument in the check command as well.
4. There's an option for version 3 packets as well if you have any issues with those systems and cannot update the agent.
See: https://github.com/NagiosEnterprises/nr ... ANGELOG.md
Added -3 option to force check_nrpe to use NRPE v3 packets
5. The Run Check Command is very restrictive when passing arguments due to security updates. We are working on improving this and a bug report has been filed.
Regards,
Benjamin
As of May 25th, 2018, all communications with Nagios Enterprises and its employees are covered under our new Privacy Policy.
Be sure to check out our Knowledgebase for helpful articles and solutions!
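Added example (not part of the thread, and not Nagios or NSClient code): the packet version that -2 and -3 pin is a field in the NRPE packet header, separate from the SSL settings mentioned in answer 1. The sketch decodes it from a decrypted packet; the header layouts, the fixed 1036-byte v2 size and the CRC rule are assumptions based on NRPE's packet structs, and all sample packets are constructed.

```python
import struct
import zlib

# Header layouts in network byte order, as assumed here from NRPE's packet structs.
V2_HEADER = ">hhIh"      # version, type, crc32, result code
V3_HEADER = ">hhIhhi"    # v3/v4 add an alignment word and an explicit buffer length
V2_BUFFER = 1024         # fixed v2 buffer; whole packet is 10 + 1024 + 2 pad bytes
V2_SIZE = 1036


def _seal(packet: bytes) -> bytes:
    """Fill in the CRC-32, computed over the packet with a zeroed CRC field."""
    crc = zlib.crc32(packet) & 0xFFFFFFFF
    return packet[:4] + struct.pack(">I", crc) + packet[8:]


def build_packet(version: int, ptype: int, result: int, text: str) -> bytes:
    """Construct a sample packet (type 1 = query, 2 = response)."""
    data = text.encode() + b"\x00"
    if version == 2:
        body = data.ljust(V2_BUFFER, b"\x00") + b"\x00\x00"
        return _seal(struct.pack(V2_HEADER, 2, ptype, 0, result) + body)
    return _seal(struct.pack(V3_HEADER, version, ptype, 0, result, 0, len(data)) + data)


def describe(packet: bytes) -> dict:
    """Decode the header and report version, size, text and CRC validity."""
    version, ptype, crc, result = struct.unpack_from(V2_HEADER, packet)
    if version == 2:
        if len(packet) != V2_SIZE:
            raise ValueError("a v2 packet is always %d bytes" % V2_SIZE)
        raw = packet[10:10 + V2_BUFFER]
    elif version in (3, 4):
        (length,) = struct.unpack_from(">i", packet, 12)
        if length < 0 or 16 + length > len(packet):
            raise ValueError("buffer length field exceeds packet size")
        raw = packet[16:16 + length]
    else:
        raise ValueError("unknown packet version %d" % version)
    zeroed = packet[:4] + b"\x00" * 4 + packet[8:]
    return {"version": version, "type": ptype, "result": result,
            "size": len(packet), "text": raw.split(b"\x00", 1)[0].decode(),
            "crc_ok": zlib.crc32(zeroed) & 0xFFFFFFFF == crc}


def same_version(query: bytes, reply: bytes) -> bool:
    """True when the reply carries the packet version the query was sent with."""
    return describe(query)["version"] == describe(reply)["version"]
```

A version 4 query paired with a version 2 reply makes `same_version` return False, while a query built with version 2 matches that reply.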
Re: NRPE 4.0.3 and the NSClient - CHECK_NRPE: Invalid packet
Basically this confirms what I have feared.
That the upgrade to XI version 5.7.4 with NRPE 4 breaks checks that use the NSClient.
These checks now:
- Return "OK - CHECK_NRPE: Invalid packet version received from server" in the GUI - not good
- And will no longer run in CCM with the Run Check command - not good
This did not happen with XI 5.6.14 with NRPE 3 and I would consider this to be a bug in NRPE 4.
This disadvantages customers that use the NSClient.
Basically I will have to change 10s of thousands of service checks.
Is there any plan to address this bug and resolve the issue? I am sure that many other customers will be affected by this change.
Re: NRPE 4.0.3 and the NSClient - CHECK_NRPE: Invalid packet
Hi Tony,
Did you try adding the version 2 option to those checks? The steps are covered in the following knowledgebase article.
https://support.nagios.com/kb/article/n ... s-786.html
If you apply those changes to the check command, it will change all of the checks or you can use the Bulk Mods Tool to make changes to large numbers of hosts and services.
Let me know if the issue is resolved for you after making that change.
Regards,
Benjamin
Re: NRPE 4.0.3 and the NSClient - CHECK_NRPE: Invalid packet
The 2 issues I am having now did not happen with the previous version of Nagios XI 5.6.14 with NRPE 3 and I would consider this to be a bug as functionality is now different.
These checks now:
- Return "OK - CHECK_NRPE: Invalid packet version received from server" in the GUI - not good
- And will no longer run in CCM with the Run Check command - not good
Re: NRPE 4.0.3 and the NSClient - CHECK_NRPE: Invalid packet
Also, adding the -2 will not fix the issue where the command no longer runs in Core Configuration Manager.
Re: NRPE 4.0.3 and the NSClient - CHECK_NRPE: Invalid packet
Hi Tony,
We have a bug report open on the Run Check command issue in the CCM and are working to resolve it. In order to improve security in the web interface, the way data was passed was tightened, causing this feature to fail for some checks.
For the time being, I would recommend testing the command by cutting and pasting the full check command into the shell. Also, if you could share the check command, I can add it to our internal notes for development and testing.
Thanks,
Benjamin
Re: NRPE 4.0.3 and the NSClient - CHECK_NRPE: Invalid packet
As requested
I have carried out some further investigations regarding why the NSClient checks will no longer run in Core Configuration Manager with the Run Check command.
Basically it no longer likes the “quotes” in the arguments, however this is valid syntax.
And our current version of Nagios XI is also affected - version 5.6.14
If I use the NSClient check_cpu as an example - https://docs.nsclient.org/0.5.0/samples ... #check-cpu
The following nrpe command which worked now returns - Failed to validate filter see log for details
$USER1$/check_nrpe -H $HOSTADDRESS$ -t 30 -c $ARG1$ $ARG2$
$ARG1$ - check_cpu
$ARG2$ - -a "warning=load>=95%" "critical=load>=98%" "time=1m" "time=5m" "time=15m" "filter=core = 'total'" "top-syntax=%(status): %(list)" "detail-syntax=%(time) load %(load)%"
Returns - Failed to validate filter see log for details
If I remove the quotes and also spaces, it returns just OK with no values for the load and time ranges, which is still not correct, however at least it returned OK.
$USER1$/check_nrpe -H $HOSTADDRESS$ -t 30 -c $ARG1$ $ARG2$
$ARG1$ - check_cpu
$ARG2$ -a warning=load>=95% critical=load>=98% time=1m time=5m time=15m filter=core='total' top-syntax=%(status):%(list) detail-syntax=%(time)load%(load)%
Returns - OK
If I shorten the command and run the following, it will return more than OK, but for load; however, I am interested in total.
$USER1$/check_nrpe -H $HOSTADDRESS$ -t 30 -c $ARG1$ $ARG2$
$ARG1$ - check_cpu
$ARG2$ -a warning=load>=95% critical=load>=98% time=1m time=5m time=15m
Returns - OK: CPU load is ok.|'total 1m'=1%;95;98 'total 5m'=1%;95;98 'total 15m'=1%;95;98
I have attached the commands that I use in a spreadsheet showing which ones are not working.
Re: NRPE 4.0.3 and the NSClient - CHECK_NRPE: Invalid packet
Here is a better link to the syntax of the NSClient check_cpu command - https://docs.nsclient.org/reference/win ... #check_cpu
Re: NRPE 4.0.3 and the NSClient - CHECK_NRPE: Invalid packet
Hi Tony,
I tested that first variation of the check_cpu command and it did work for me from the Run Check Command. Open up the NSClient configuration file on the remote host and check for the following option under the NRPE server area. If you do not have the allow nasty characters option set, try adding it, restart NSClient and let me know if it works.
[/settings/NRPE/server]
allow arguments = 1
allow nasty characters = 1
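Added example (not from the thread and not NSClient code): "allow nasty characters = 1" relaxes the agent's argument filter for every check, so it helps to know exactly which arguments need it. The sketch tokenizes the two $ARG2$ strings posted earlier in the thread the way POSIX quote removal would and flags the filtered characters in each argument; the NASTY set is an assumed default and should be verified against the NSClient build in use.

```python
import shlex

# Characters the agent's argument filter is assumed to reject unless
# "allow nasty characters" is enabled (assumed default set, verify on your build).
NASTY = set("|`&><'\"\\[]{}")

# $ARG2$ as posted in the thread: the quoted form and the stripped form.
QUOTED = ('-a "warning=load>=95%" "critical=load>=98%" "time=1m" "time=5m" '
          '"time=15m" "filter=core = \'total\'" '
          '"top-syntax=%(status): %(list)" '
          '"detail-syntax=%(time) load %(load)%"')
STRIPPED = ("-a warning=load>=95% critical=load>=98% time=1m time=5m time=15m "
            "filter=core='total' top-syntax=%(status):%(list) "
            "detail-syntax=%(time)load%(load)%")


def agent_args(arg2: str) -> list:
    """Arguments that reach the agent after POSIX-style quote removal."""
    tokens = shlex.split(arg2)
    return tokens[tokens.index("-a") + 1:]


def audit(arg2: str) -> dict:
    """Map each argument containing a filtered character to those characters."""
    report = {}
    for arg in agent_args(arg2):
        hits = sorted(set(arg) & NASTY)
        if hits:
            report[arg] = hits
    return report


def changed_by_stripping(quoted: str, stripped: str) -> list:
    """Pairs of arguments whose value differs once the quotes are removed."""
    pairs = zip(agent_args(quoted), agent_args(stripped))
    return [(q, s) for q, s in pairs if q != s]
```

shlex models quote removal only; an interactive shell would additionally treat an unquoted `>` as a redirection, which is one more reason to keep the quoted form when pasting the command into a shell.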