Error while checking NRPE remotely

Support forum for Nagios Core, Nagios Plugins, NCPA, NRPE, NSCA, NDOUtils and more. Engage with the community of users including those using the open source solutions.
JBracaloni
Posts: 1
Joined: Tue Oct 08, 2024 6:06 am

Error while checking NRPE remotely

Post by JBracaloni »

Hello everyone,

I am new to the Nagios environment, and I've recently discovered NRPE to execute external scripts on my Windows machine.
This is my nsclient.ini configuration:

Code: Select all

# If you want to fill this file with all available options run the following command:
#   nscp settings --generate --add-defaults --load-all
# If you want to activate a module and bring in all its options use:
#   nscp settings --activate-module <MODULE NAME> --add-defaults
# For details run: nscp settings --help

; Undocumented section
[/settings/default]

; PASSWORD - Password used to authenticate against server
password = REDACTED

; ALLOWED HOSTS - A comma-separated list of allowed hosts. You can use netmasks (/ syntax) or * to create ranges.
allowed hosts = 0.0.0.0/0

; Undocumented section
[/settings/NRPE/server]

; VERIFY MODE - Comma separated list of verification flags to set on the SSL socket.
;   default-workarounds  Various workarounds for what I understand to be broken ssl implementations
;   no-sslv2             Do not use the SSLv2 protocol.
;   no-sslv3             Do not use the SSLv3 protocol.
;   no-tlsv1             Do not use the TLSv1 protocol.
;   single-dh-use        Always create a new key when using temporary/ephemeral DH parameters. This option must be used to prevent small subgroup attacks, when the DH parameters were not generated using "strong" primes (e.g. when using DSA-parameters).
ssl options = 

; VERIFY MODE - Comma separated list of verification flags to set on the SSL socket.
;   none             The server will not send a client certificate request to the client, so the client will not send a certificate.
;   peer             The server sends a client certificate request to the client and the certificate returned (if any) is checked.
;   fail-if-no-cert  if the client did not return a certificate, the TLS/SSL handshake is immediately terminated. This flag must be used together with peer.
;   peer-cert        Alias for peer and fail-if-no-cert.
;   workarounds      Various bug workarounds.
;   single           Always create a new key when using tmp_dh parameters.
;   client-once      Only request a client certificate on the initial TLS/SSL handshake. This flag must be used together with verify-peer
verify mode = none

; ALLOW INSECURE CIPHERS and ENCRYPTION - Only enable this if you are using legacy check_nrpe client.
insecure = true

; Undocumented section
[/modules]

; NRPEServer - A server that listens for incoming NRPE connection and processes incoming requests.
NRPEServer = 1

; CheckSystem - Various system related checks, such as CPU load, process state, service state memory usage and PDH counters.
CheckSystem = 1

; NSClientServer - A server that listens for incoming check_nt connection and processes incoming requests.
NSClientServer = 1

; CheckExternalScripts - Execute external scripts
CheckExternalScripts = 1

; CheckHelpers - Various helper function to extend other checks.
CheckHelpers = 1

; CheckEventLog - Check for errors and warnings in the event log.
CheckEventLog = 1

; CheckNSCP - Use this module to check the health and status of NSClient++ itself
CheckNSCP = 1

; CheckDisk - CheckDisk can check various file and disk related things.
CheckDisk = 1

; A list of templates for wrapped scripts.
; %SCRIPT% will be replaced by the actual script and %ARGS% will be replaced by any given arguments.
[/settings/external scripts/wrappings]

; POWERSHELL WRAPPING - 
ps1 = cmd /c echo scripts\\%SCRIPT% %ARGS%; exit($lastexitcode) | powershell.exe -command -

; BATCH FILE WRAPPING - 
bat = scripts\\%SCRIPT% %ARGS%

; VISUAL BASIC WRAPPING - 
vbs = cscript.exe //T:30 //NoLogo scripts\\lib\\wrapper.vbs %SCRIPT% %ARGS%


; A list of aliases available.
; An alias is an internal command that has been predefined to provide a single command without arguments. Be careful so you don't create loops (ie check_loop=check_a, check_a=check_loop)
[/settings/external scripts/alias]

; alias_volumes_loose - Alias for alias_volumes_loose. To configure this item add a section called: /settings/external scripts/alias/alias_volumes_loose
alias_volumes_loose = check_drivesize

; alias_volumes - Alias for alias_volumes. To configure this item add a section called: /settings/external scripts/alias/alias_volumes
alias_volumes = check_drivesize

; alias_sched_all - Alias for alias_sched_all. To configure this item add a section called: /settings/external scripts/alias/alias_sched_all
alias_sched_all = check_tasksched show-all "syntax=${title}: ${exit_code}" "crit=exit_code ne 0"

; alias_process_stopped - Alias for alias_process_stopped. To configure this item add a section called: /settings/external scripts/alias/alias_process_stopped
alias_process_stopped = check_process "process=$ARG1$" "crit=state != 'stopped'"

; alias_service - Alias for alias_service. To configure this item add a section called: /settings/external scripts/alias/alias_service
alias_service = check_service

; alias_process_hung - Alias for alias_process_hung. To configure this item add a section called: /settings/external scripts/alias/alias_process_hung
alias_process_hung = check_process "filter=is_hung" "crit=count>0"

; alias_process_count - Alias for alias_process_count. To configure this item add a section called: /settings/external scripts/alias/alias_process_count
alias_process_count = check_process "process=$ARG1$" "warn=count > $ARG2$" "crit=count > $ARG3$"

; alias_process - Alias for alias_process. To configure this item add a section called: /settings/external scripts/alias/alias_process
alias_process = check_process "process=$ARG1$" "crit=state != 'started'"

; alias_mem - Alias for alias_mem. To configure this item add a section called: /settings/external scripts/alias/alias_mem
alias_mem = check_memory

; alias_file_size - Alias for alias_file_size. To configure this item add a section called: /settings/external scripts/alias/alias_file_size
alias_file_size = check_files "path=$ARG1$" "crit=size > $ARG2$" "top-syntax=${list}" "detail-syntax=${filename} ${size}" max-dir-depth=10

; alias_disk - Alias for alias_disk. To configure this item add a section called: /settings/external scripts/alias/alias_disk
alias_disk = check_drivesize

; alias_cpu_ex - Alias for alias_cpu_ex. To configure this item add a section called: /settings/external scripts/alias/alias_cpu_ex
alias_cpu_ex = check_cpu "warn=load > $ARG1$" "crit=load > $ARG2$" time=5m time=1m time=30s

; alias_file_age - Alias for alias_file_age. To configure this item add a section called: /settings/external scripts/alias/alias_file_age
alias_file_age = check_files "path=$ARG1$" "crit=written > $ARG2$" "top-syntax=${list}" "detail-syntax=${filename} ${written}" max-dir-depth=10

; alias_cpu - Alias for alias_cpu. To configure this item add a section called: /settings/external scripts/alias/alias_cpu
alias_cpu = check_cpu

; alias_event_log - Alias for alias_event_log. To configure this item add a section called: /settings/external scripts/alias/alias_event_log
alias_event_log = check_eventlog

; alias_service_ex - Alias for alias_service_ex. To configure this item add a section called: /settings/external scripts/alias/alias_service_ex
alias_service_ex = check_service "exclude=Net Driver HPZ12" "exclude=Pml Driver HPZ12" exclude=stisvc

; alias_up - Alias for alias_up. To configure this item add a section called: /settings/external scripts/alias/alias_up
alias_up = check_uptime

; alias_disk_loose - Alias for alias_disk_loose. To configure this item add a section called: /settings/external scripts/alias/alias_disk_loose
alias_disk_loose = check_drivesize

; alias_sched_task - Alias for alias_sched_task. To configure this item add a section called: /settings/external scripts/alias/alias_sched_task
alias_sched_task = check_tasksched show-all "filter=title eq '$ARG1$'" "detail-syntax=${title} (${exit_code})" "crit=exit_code ne 0"

; alias_sched_long - Alias for alias_sched_long. To configure this item add a section called: /settings/external scripts/alias/alias_sched_long
alias_sched_long = check_tasksched "filter=status = 'running'" "detail-syntax=${title} (${most_recent_run_time})" "crit=most_recent_run_time < -$ARG1$"

I want to launch the PowerShell scripts from my UNIX PC on the same LAN as the NRPE Client. To do so, I am launching check_nrpe as reported here: https://nsclient.org/docs/howto/external_scripts/

This is the cmd I am launching:

Code: Select all

$ ./check_nrpe -H 192.168.XX.XX -2 -t 50 -g /tmp/trial2.txt -n
CHECK_NRPE: Receive header underflow - only 0 bytes received (4 expected).

By looking at the log file created in the tmp folder I can see:

Code: Select all

[1728383864] Error: (!log_opts) Could not complete SSL handshake with 192.168.XX.XX: unknown security bits
[1728383864] Error: (!log_opts) Could not complete SSL handshake with 192.168.XX.XX: dh key too small

When doing:

Code: Select all

$ ./check_nrpe -H 192.168.XX.XX -g /tmp/trial3.txt    
CHECK_NRPE: (ssl_err != 5) Error - Could not complete SSL handshake with 192.168.XX.XX: 1

Same error in the trial2.txt log file.

However, check_nt plugin seems to work fine as I get:

Code: Select all

$ ./check_nt -H 192.168.XX.XX -p 12489 -v CLIENTVERSION -s REDACTED
NSClient++ 0.5.2.39 2018-02-04

I am forced to use this specific version for compatibility with other programs.
What am I supposed to do to resolve this issue?

Many thanks

kg2857
Posts: 317
Joined: Wed Apr 12, 2023 5:48 pm

Re: Error while checking NRPE remotely

Post by kg2857 »

Try adding -2 to the check_nrpe command in the shell. Use -h for other options.

lebsack2
Posts: 1
Joined: Thu Nov 21, 2024 4:31 am

Re: Error while checking NRPE remotely

Post by lebsack2 »

The error you’re encountering indicates a problem with the SSL handshake, likely due to the configuration of the NSClient++ on the Windows machine. A common solution is to adjust the SSL settings. You can try increasing the DH key size in the NSClient++ configuration. Look for the following settings in your NSC.ini file:

[/settings/NRPE/server]
ssl_dh_key_size=2048

After making this change, restart the NSClient++ service. This should help address the "dh key too small" error and allow the SSL handshake to complete successfully.
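
An added example, not part of any post in this thread and not NSClient++ code: a small audit of the exposure-related settings in the nsclient.ini quoted in the first post, using the meanings that file's own comments give them. The sample text is constructed from that config, and the function names are hypothetical.

```python
import ipaddress

# Constructed sample: the exposure-related lines of the nsclient.ini quoted in the thread.
SAMPLE_INI = """\
; ALLOWED HOSTS - comma-separated list of allowed hosts
[/settings/default]
password = REDACTED
allowed hosts = 0.0.0.0/0

[/settings/NRPE/server]
ssl options =
verify mode = none
insecure = true
"""

def parse_ini(text):
    """Parse NSClient++-style ini text into {section: {lowercased key: value}}."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in ";#":            # blank line or comment
            continue
        if line.startswith("[") and line.endswith("]"):
            current = sections.setdefault(line[1:-1], {})
        elif "=" in line and current is not None:  # keys may contain spaces
            key, _, value = line.partition("=")
            current[key.strip().lower()] = value.strip()
    return sections

def is_any_source(entry):
    """True for '*' or a network with prefix length 0 (e.g. 0.0.0.0/0)."""
    try:
        return entry == "*" or ipaddress.ip_network(entry, strict=False).prefixlen == 0
    except ValueError:  # hostnames and wildcard ranges are not networks
        return False

def audit(text):
    """Return (section, key, finding) tuples for settings that widen exposure."""
    cfg, out = parse_ini(text), []
    default = cfg.get("/settings/default", {})
    nrpe = cfg.get("/settings/NRPE/server", {})
    for entry in (e.strip() for e in default.get("allowed hosts", "").split(",")):
        if is_any_source(entry):
            out.append(("/settings/default", "allowed hosts", f"{entry} admits any source address"))
    if nrpe.get("insecure", "").lower() in ("true", "1"):
        out.append(("/settings/NRPE/server", "insecure", "legacy ciphers and encryption allowed"))
    if nrpe.get("verify mode") == "none":
        out.append(("/settings/NRPE/server", "verify mode", "no client certificate requested"))
    return out
```

Calling `audit(SAMPLE_INI)` returns one finding per flagged key; a config that lists only the monitoring host under `allowed hosts` and does not set `insecure = true` or `verify mode = none` returns an empty list.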