NCPA support
Where is the proper place to ask some questions regarding NCPA? I'm about to put my foot down here and insist I get to use an agent and quit using WMI and have a few questions.
Feel free to respond and then lock this thread
2 of XI5.6.14 Prod/DR/DEV - Nagios LogServer 2 Nodes
See my projects on the Exchange at BanditBBS - Also check out my Nagios stuff on my personal page at Bandit's Home and at github
-
sreinhardt
- -fno-stack-protector
- Posts: 4366
- Joined: Mon Nov 19, 2012 12:10 pm
Re: NCPA support
Why you could post said questions right here! 
Nagios-Plugins maintainer exclusively, unless you have other C language bugs with open-source nagios projects, then I am happy to help! Please pm or use other communication to alert me to issues as I no longer track the forum.
Re: NCPA support
Ok, you asked for it.....
1.) In the docs it says this:
Hostname Hijinks
%HOSTNAME% is a magic word that gets replaced by what is specified in the [nrdp] hostname’s declaration.
This might seem backwards at first, but it allows for some flexibility. If you wanted a certain NCPA agent to exist in a remote network, and do all the monitoring on this network, and just send its results back, you would do
computer1|cpu usage = /agent/plugin/<plugin that checks cpu on remote system>
computer2|cpu usage = /agent/plugin/<plugin that checks cpu on other remote system>
%HOSTNAME%|cpu usage = /agent/cpu/percent
This will make the NCPA send back results under hostnames computer1, computer2 and itself. Allowing you to put a bunch of checks for different computers on this particular NCPA agent.
Does that mean I can install NCPA on my gearman workers that are behind firewalls and have machines return passive checks to them and then those gearman workers (using NCPA, not gearman) can then return the data to the nagios server and it'll be under the proper hostname? This way only one fw hole needs opened.
2.) Is NCPA considered beta or production?
3.) I tested installing in passive mode and by default the "update configs" and "update plugins" is not checked and updating the config from GUI is not an option, when will that be re-enabled?
4.) In reference to #3, if I script the install, am I able to set those options in the configuration file?
5.) In all your testing, have you seen even a single instance of this agent affecting anything on the server(response time, runaway memory, etc)
6.) Do you see any issue using this on 600+ servers in passive mode? Each server will have 5+ services on them. Will that be too much of a load for NRDS?
2 of XI5.6.14 Prod/DR/DEV - Nagios LogServer 2 Nodes
See my projects on the Exchange at BanditBBS - Also check out my Nagios stuff on my personal page at Bandit's Home and at github
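An added example, not part of the original posts or of NCPA's own code: it parses passive check definitions in the `host|service = endpoint` form quoted from the docs above, expands %HOSTNAME%, lists every hostname the agent will report under (useful when reviewing what a relay behind a firewall is allowed to speak for), and builds an NRDP check result document. The `[passive checks]` section name, the hostname `relay01` and the plugin names are assumptions made for the sample.

```python
import configparser
from xml.sax.saxutils import escape

# Constructed sample config modelled on the documentation excerpt;
# "relay01" and the plugin names are hypothetical.
SAMPLE = """
[nrdp]
hostname = relay01

[passive checks]
computer1|cpu usage = /agent/plugin/check_cpu_computer1
computer2|cpu usage = /agent/plugin/check_cpu_computer2
%HOSTNAME%|cpu usage = /agent/cpu/percent
"""

def parse_passive_checks(text):
    """Return (hostname, servicename, endpoint) tuples with %HOSTNAME% expanded."""
    cp = configparser.ConfigParser(interpolation=None, delimiters=("=",))
    cp.optionxform = str  # keep key case so %HOSTNAME% is not lowercased
    cp.read_string(text)
    own = cp.get("nrdp", "hostname").strip()
    checks = []
    for key, endpoint in cp.items("passive checks"):
        host, sep, service = key.partition("|")
        host, service = host.strip(), service.strip()
        if not sep or not host or not service:
            raise ValueError(f"malformed passive check key: {key!r}")
        if host == "%HOSTNAME%":
            host = own
        checks.append((host, service, endpoint.strip()))
    return checks

def reported_hosts(checks):
    """Sorted hostnames this agent submits results under (for review)."""
    return sorted({host for host, _, _ in checks})

def nrdp_xml(results):
    """Build NRDP check result XML from (host, service, state, output) tuples."""
    parts = ["<?xml version='1.0'?>", "<checkresults>"]
    for host, service, state, output in results:
        parts.append(
            "<checkresult type='service'>"
            f"<hostname>{escape(host)}</hostname>"
            f"<servicename>{escape(service)}</servicename>"
            f"<state>{int(state)}</state>"
            f"<output>{escape(output)}</output>"
            "</checkresult>")
    parts.append("</checkresults>")
    return "\n".join(parts)
```

Each hostname returned by `reported_hosts` has to exist as a host object on the Nagios side for the passive result to land under it.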
-
sreinhardt
- -fno-stack-protector
- Posts: 4366
- Joined: Mon Nov 19, 2012 12:10 pm
Re: NCPA support
1) While not tested, yes I think you could have ncpa call gearman or have gearman report to ncpa in some way. Although I'm not 100% sure on why you would do this as opposed to having ncpa do the checks itself and report back to nagios, avoiding both scheduling within nagios\gearman, and additional firewall openings.
2) Technically it is prod at this point, although still being a little fresh it gets plenty of updates.
3) There are several fixes being patched up in github, I know passive issues are a large part of that, so likely very soon.
4) Yes you should be able to, or use nrds to keep all the configs on the nagios system.
5) Not as of yet, I run it on several instances for testing and personal production systems. Nothing like a true enterprise prod system, but I keep a pretty close eye on my systems. It actually seems to be a really light agent as far as resources go!
6) You might want a hefty ncpa server if that is just a single one running all those checks, if it's distributed then it shouldn't be an issue at all (different subnets?). As for the nagios\(nsca\nrdp\nrds) server side of things, this would be well within reasonable limits and actually should be far lighter on your nagios system receiving these checks than actively checking even with gearman. We have several clients that I know of, that push far more results back than ~3500.
Note: I might be a little optimistic about it, but it really does seem to be doing a damn fine job for every instance that I have tried.
Nagios-Plugins maintainer exclusively, unless you have other C language bugs with open-source nagios projects, then I am happy to help! Please pm or use other communication to alert me to issues as I no longer track the forum.
Re: NCPA support
1.) You misunderstood, but I kind of like your answer anyway (LOL). The docs seem to suggest I can have a NCPA listener on a machine that receives passive results and then fwds those results on to NRDS. This usage is mainly due to firewalls and very very strict security in the retail world...think back to the recent Target point of sale hack. This would require far fewer holes in the firewall.
2.) Ok
3.) Cool
4.) That's what I meant
5.) Good
6.) The bulk of the checks would be on the same subnet as my XI server, so would be reporting directly back to it.
2 of XI5.6.14 Prod/DR/DEV - Nagios LogServer 2 Nodes
See my projects on the Exchange at BanditBBS - Also check out my Nagios stuff on my personal page at Bandit's Home and at github
Re: NCPA support
One more question......
Is it possible to assign multiple NRDS configs to a single host?
Example: All my windows boxes use a standard configuration in NRDS. Then there is one machine that needs to run a special check and I create a new config for it. Am I able to tell that host to use both configurations or do I need to mirror all the settings into the second configuration and then just use that one on that host?
2 of XI5.6.14 Prod/DR/DEV - Nagios LogServer 2 Nodes
See my projects on the Exchange at BanditBBS - Also check out my Nagios stuff on my personal page at Bandit's Home and at github
-
sreinhardt
- -fno-stack-protector
- Posts: 4366
- Joined: Mon Nov 19, 2012 12:10 pm
Re: NCPA support
1) Oh I see, yes as far as I know that should work fine. I can check with Nick once he's in a bit later today just to be 100% certain. I totally see what you mean with the more restrictive firewall settings being a good but tricky thing with nagios. Would I be correct in believing this is what you mean? Also you can run multiple hosts' active checks through the same gearman (now ncpa) worker machine just by adding the additional checks\config options.
Internal box 1(running its own passive checks) -> NCPA listener machine -> firewall -> Nagios system
On the Target note, having their headquarters here and being into the security community, I know a few of the forensics and red team members, needless to say they are a little busy as of late.
6) Ok, that would fall under the distributed thought process, and should not be an issue at all. If your existing nagios systems doing active checks with or without gearman can handle it, I would highly doubt you will have issues when doing passive checks instead. At the absolute worst(most difficult?), I'm fairly confident that we could work your gearman processes into reaping and handling the results instead of core, yet again slimming the resources needed!
+1) I am honestly not sure, last time we looked into something along these lines I think it was decided that you would have to merge into a single config and manage it that way. Unfortunately it's not quite as flexible and robust as puppet\chef. I will check around and get back to you though.
Nagios-Plugins maintainer exclusively, unless you have other C language bugs with open-source nagios projects, then I am happy to help! Please pm or use other communication to alert me to issues as I no longer track the forum.
Re: NCPA support
1.) Done asking ?'s. I think we're good and would just have to test
6.) Done
+1) Bah....sometimes I think you guys leave out great little features just to mess with me!
2 of XI5.6.14 Prod/DR/DEV - Nagios LogServer 2 Nodes
See my projects on the Exchange at BanditBBS - Also check out my Nagios stuff on my personal page at Bandit's Home and at github
-
sreinhardt
- -fno-stack-protector
- Posts: 4366
- Joined: Mon Nov 19, 2012 12:10 pm
Re: NCPA support
You might be done asking questions, but after talking with Nick, you need some more answers that are going to be rather difficult to describe over the forum, but here goes.
To start off with forwarding checks from a subnet to a central ncpa server and having that forward back to nagios. This is already implemented and working with nrdp, and is planned for expansion to nsca although not currently implemented. Basically the end machines will run their checks, and forward the results to the central ncpa\nrdp(all in ncpa agent) using the standard nrdp tokenization. The central server then basically just proxies the information back to nagios, which responds with xml, and is then reverse proxied to the end client. If nrdp is acceptable vs nsca then you are all set, no need to wait for additional features!
+1) This is where it gets tricky depending on what you expect to happen. If you are ok with all of the end clients having nrds access to the nagios server, this is already done and set up. However I have a feeling you would rather be able to have the same central ncpa system store configs for each of the end clients it forwards checks for. Presently this is not available as far as Nick and I know, you might be able to set up a nrds server on the ncpa server(s) and handle it that way. However, Nick does like the idea of having the central ncpa server be able to negotiate newer versions for all clients or at least proxy this communication between them just like with nrdp forwarding. This is not implemented though....
Oh and love the PM to trevor!!
Nagios-Plugins maintainer exclusively, unless you have other C language bugs with open-source nagios projects, then I am happy to help! Please pm or use other communication to alert me to issues as I no longer track the forum.
Re: NCPA support
The problem I have with NRDP(S) is the scheduled task. NCPA uses services instead and that is very much preferred here.
p.s. I have to make sure someone is messing with Trevor
2 of XI5.6.14 Prod/DR/DEV - Nagios LogServer 2 Nodes
See my projects on the Exchange at BanditBBS - Also check out my Nagios stuff on my personal page at Bandit's Home and at github