NRPD - Unconfigured Objects - Auto Configure rules.

[Interrex]

Hi.

I have started to test out NRDP for my Win10 clients with passive checks and using certificate over SSL/TLS.
We will add about 2500 clients over a few months, and they are located on different sites with different contacts, host groups, etc.

1. Is it possible to get the client register with their FQDN, not the IP, when sending the passive checks to my NagiosXI NRDP server?

2. In the Unconfigured Objects - Autoconfigure Settings: I'm wondering if it's possible to create multiple rules for the different template rules based upon a "uniq key" hostname / ip etc. Like hostA get's templateA and hostB gets templateB

3. The rules in question 2 is possible to create with curl requests to the API, is it possible to link the unconfigured objects (NRDP passive checks) with the hosts created in the API, is the passive service checks possible to link to a host group with multiple hosts, and will it work for all the hosts then?

4. In the NCPA client, is it possible to get both Active and Passive checks to go over https using certificate?

I think I will start there, and I guess there will be more questions later.
Any suggestion to a best practice setup is welcome.

Thanks.

[dchurch]

1. Is it possible to get the client register with their FQDN, not the IP, when sending the passive checks to my NagiosXI NRDP server?

Yes. The hostname that is sent during a passive check is contained in C:\Program Files (x86)\Nagios\NCPA\etc\ncpa.cfg, under the [nrdp] header, under the key hostname: E.g.

Code: Select all

[nrdp]
hostname = myhost1.example.com
# -OR-
hostname = 192.168.0.201

While this hostname is technically arbitrary, it helps a lot when configuring hosts to be something that the Nagios XI server can resolve, such as a FQDN or an IP address.

2. In the Unconfigured Objects - Autoconfigure Settings: I'm wondering if it's possible to create multiple rules for the different template rules based upon a "uniq key" hostname / ip etc. Like hostA get's templateA and hostB gets templateB

If you're talking about auto-assigning a template, or auto-assigning a template or a host group (or contact group, etc) based on rules such as a Regex matching the hostname, then that's not possible given the current Nagios XI interface.

What you can do is use the Bulk Modifications tool (it's under Core Config Manager) to change the template for a bunch of hosts at once. There's also a tool to mass-add hosts to host groups. ... or an API call like you describe below.

3. The rules in question 2 is possible to create with curl requests to the API, is it possible to link the unconfigured objects (NRDP passive checks) with the hosts created in the API, is the passive service checks possible to link to a host group with multiple hosts, and will it work for all the hosts then?

As long as the hostname is the same, it should automatically detect what host is being referred to.

This also includes passive checks that come in for a pre-configured host; they still may show up as unconfigured objects, but it won't add a new host if the hostname is the same as one already in the system when (auto?)-configuring that Unconfigured Object. It'll instead link it to the existing host.

4. In the NCPA client, is it possible to get both Active and Passive checks to go over https using certificate?

Client-side (passive check):

As long as the value under [nrdp] => parent (in ncpa.cfg) starts with "https://" it'll go over HTTPS. I think it also checks the certificate's validity, so you'll want the value to include the FQDN that matches the certificate (NOT the IP address). E.g.

Code: Select all

[nrdp]
parent = https://my-xi-instance.example.com/nrdp/

Client-side (active check):

You don't really need to use a custom SSL certificate since the software generates one for you already, but...

If you specify [listener] => certificate (in ncpa.cfg), it'll load that certificate. The path is relative to the NCPA install base (/usr/local/ncpa in Linux, C:\Program Files (x86)\Nagios\NCPA in Windows)
e.g. If you specify in ncpa.cfg:

Code: Select all

[listener]
certificate = etc/host-cert.crt,etc/host-key.key

It'll load /usr/local/ncpa/etc/host-cert.crt and /usr/local/ncpa/etc/host-key.key and present it for incoming SSL connections (5693/tcp).

It may be required to restart the service(s) after modifying this configuration.

[Interrex]

Thank you for your answers, very helpfull.

I have been playing around with the different config options.
I belive I will go for NRDP and passive checks for my clients, and change the host check to Ping instead of the Agent Version.
After installation, create the host with Curl commands to the API in a script.
The applied templates with user groups etc. in the curl command will be based upon the installation config and location.
Autoconfigure the Unconfigured Objects config and they will match the existing host and get the correct template rules.

Under the NCPA silent installation, how can I set the hostname as an variable as the computers hostname? or will that be the default name ?

I'm trying to setup the NRDP passive checks, and I can not figure out how the critical syntax will be for the process. I want to get Critical if it's not running. I have created this, so I can see if it's running, but it's always OK. %HOSTNAME%|Process running = processes?name=someprocess.exe
What will be the rest of the line? I have tried a lot of combinations, not figuring it out.. based upon https://support.nagios.com/kb/article.php?id=782 and the Dev Guide https://nagios-plugins.org/doc/guidelin ... HOLDFORMAT

[dchurch]

Under the NCPA silent installation, how can I set the hostname as an variable as the computers hostname? or will that be the default name ?

It's the NRDPHOSTNAME variable.

Code: Select all

ncpa-2.2.2.exe /S /NRDPHOSTNAME='myhostname.example.com'

I'm trying to setup the NRDP passive checks, and I can not figure out how the critical syntax will be for the process. I want to get Critical if it's not running.

The "critical" and "warning" thresholds accept lower and upper bounds in the form of [LOWER]:[UPPER]. That is, if critical=1:5, then if it's outside the range of 1-5 (for example 0 or 7), it'll consider it "critical." When UPPER is empty, it assumed it's Infinity.

I was able to lab up an NRDP passive configuration by using the following syntax:

Code: Select all

%HOSTNAME%|Slack Running = processes --check=true --name=slack.exe --warning 2: --critical 1:

That means, if 0 slack.exe processes are running, it's a critical. If only 1 is running, it's a warning, and if 2 or more are running, it's an OK.

Note: Apparently "processes --foo=bar" means the same as "processes?foo=bar" when calling the NCPA API.

[Interrex]

I was able to lab up an NRDP passive configuration by using the following syntax:

Code: Select all

%HOSTNAME%|Slack Running = processes --check=true --name=slack.exe --warning 2: --critical 1:

That means, if 0 slack.exe processes are running, it's a critical. If only 1 is running, it's a warning, and if 2 or more are running, it's an OK.

I did not get that syntax to work for me, I never came around spaces in the application name.
This one solved it for me:
%HOSTNAME%|Some Application = processes?name=Some Application.exe&status=running&check=1&critical=1:2

There's two things right now that creates an issue regarding automatic in creating the monitoring.
1. How to update the nrdp.cfg file on the client.
Is there a way for NRDP to get the host config from the nagios server ? Then I do not not want static files on my clients.
If I need to tweak on some of the checks, is it possible to do the tweaking on the server side, and the clients get updated config from the server?

2. How to handle soft and hard state, as I understand passive checks are treated as hard state.
Will it work if I teak the Max check attempts for the service to 3, and the if I get error 3 times from the client it will get hard state?

[ssax]

1. Yes, if you setup NRDS (and use the NRDS agent):

https://assets.nagios.com/downloads/nag ... h_NRDS.pdf

2. If you edit the service and set is_volatile to Off and apply configuration it should show soft states for services when the results come in, that way it would go through the standard max_check_attempts.

[Interrex]

Great. I will have a look at it.

Will it be possible to use NRDS with NCPA or do I need NSclent as well for windows clients?

[ssax]

Only the NRDS agent works for centralized configs, NCPA/NSClient++ do not support it at this time.

[Interrex]

Hi.

I'm struggling to get everything working as I want...

I realy liked the way NCPA and NRDP was working, the only thing I need to solve is how to update the nrdp.cfg files under:
c:\Program Files (x86)\Nagios\NCPA\etc\ncpa.cfg.d\ in a smooth way from the Nagios server.

Do you know if this is a function in the roadmap for NCPA ?

Is it possible to make NRDS use the NCPA client as an "plugin" and create the commands in the NRDS config on the Nagios server?

Any suggestion on how others have solved this ?

[ssax]

Do you know if this is a function in the roadmap for NCPA?

NRDS support is on the roadmap for NCPA, development started implementing it in NCPA but it isn't finished yet.

Is it possible to make NRDS use the NCPA client as an "plugin" and create the commands in the NRDS config on the Nagios server?

No, they are not compatible, NRDS would need to updated to support it on both ends.

We do offer paid custom development, if that is something you're interested in you can contact [email protected] (or call) to get more information/a quote.

Any suggestion on how others have solved this ?

They either switch to NRDS or use some other config management solution such as ansible/chef/etc in order to deploy the new plugins/configs. You could do it through group policy as well but those things are outside the scope of our support.

If you have Ansible you can also do this to auto install NCPA/auto register it in XI which you could then use to deploy the plugins/configs:

https://support.nagios.com/kb/article/n ... l-819.html