Re: Mysql and syslog monitor problem

Posted: Mon Dec 13, 2010 1:10 pm
by tonyyarusso
Clarification: check_init_service will exist on the target host, not the XI server, and is installed by the steps of the Installing The XI Linux Agent instructions.

Re: Linux-Server Error

Posted: Wed Feb 09, 2011 4:12 pm
by jcmanous
It's been a couple of months and I'm just getting back around to this. Even with the sudo'er modification, I'm still getting the same error. Has anyone found a workaround for this?

Thanks!

Jason Manous

Re: Linux-Server Error

Posted: Wed Feb 09, 2011 5:13 pm
by rdedon
Could you run setroubleshootd and see what results you get? I happened to stumble across this:
http://danwalsh.livejournal.com/7995.html

Re: Linux-Server Error

Posted: Fri Feb 11, 2011 12:52 pm
by anritter6281
I am getting this error as well. It would appear to happen on CentOS 5.5 systems, but not RHEL v4 (and possibly v5) systems. I installed the agent per the documentation.

I ran the check_init_service on the remote server and the command runs fine. I checked /var/run/syslogd.pid and the pid matches the running pids as well as the pids detected by the check_init_service plugin.

I am not running selinux.

I would like to get this fixed, so let me know what other steps you would like me to take.

Re: Linux-Server Error

Posted: Fri Feb 11, 2011 1:16 pm
by anritter6281
When I run the check_init_service as user nagios on the remote system, I get the following output:

[root@remote-server libexec]# su - nagios
[nagios@remote-server ~]$ cd /usr/local/nagios/libexec/
[nagios@remote-server libexec]$ ./check_init_service syslog
/etc/init.d/functions: line 141: /var/run/syslogd.pid: Permission denied
syslogd dead but pid file exists
/etc/init.d/functions: line 141: /var/run/klogd.pid: Permission denied
klogd dead but pid file exists
[nagios@remote-server libexec]$

So this appears to be a permission issue where the nagios user can't read files in the /var/run directory. The permissions for the directory are ok, but those for the syslogd.pid file are not.

What is the suggested way to fix this? I thought that check commands were run via sudo by the agent.

Re: Linux-Server Error

Posted: Fri Feb 11, 2011 5:41 pm
by mguthrie
We'll have to do some investigating on this and see if we can recreate it. We'll let you know what we find out.

Re: Linux-Server Error

Posted: Sat Feb 12, 2011 5:56 pm
by tonyyarusso
Oh, in addition to my sudoers file edit, you need to preface the check command with 'sudo' when you actually run it. As in, 'sudo /usr/local/nagios/libexec/check_init_service blahblaharguments'. This includes the command definition in the NRPE config on the target server once you've tested directly.

Re: Linux-Server Error

Posted: Sat Feb 12, 2011 7:21 pm
by anritter6281
I get an "NRPE: unable to read output" error in the NagiosXI web interface for the service. This error occurs when I preface the check_init_service command in /usr/local/nagios/etc/nrpe/common.cfg with either sudo or /usr/bin/sudo. Was that the correct place to edit it?

I "su - nagios" on the remote server and ran the service command prefaced with sudo and did not get the permissions error. So prefacing with sudo would do the trick, but I think my sudoers file is not right. My sudoers file has:

# NEEDED TO ALLOW NAGIOS TO CHECK SERVICE STATUS
nagios ALL=NOPASSWD: /sbin/service
nagios ALL=(ALL) NOPASSWD:/usr/local/nagios/libexec/check_init_service

Is this correct? Am I editing things correctly relative to your post?

Re: Linux-Server Error

Posted: Sat Feb 12, 2011 7:27 pm
by anritter6281
I also tried uncommenting the sudo related line in nrpe.cfg, but now I get the same error about unable to read output.

Re: Linux-Server Error !!FIXED!!

Posted: Sat Feb 12, 2011 10:53 pm
by anritter6281
I figured it out.

I had to do the following:

In nrpe.cfg on remote server:
--uncomment the line: command_prefix=/usr/bin/sudo

In sudoers file:
add: nagios ALL=(ALL) NOPASSWD:/usr/local/nagios/libexec/
change: Defaults requiretty to: Defaults !requiretty

The primary problem is that CentOS was not allowing the nagios/nrpe user to sudo run a command as root because it was not connecting to a tty (the default requiretty statement causes this issue).

The above changes make the command work, although the "Defaults !requiretty" may be all that is needed, but I didn't test that. Overall this can create a security problem on the remote server if stuff is editable in /usr/local/nagios/libexec by a malicious user.
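
Added example, not part of the original post: a check for the risk noted at the end of the fix above, where sudoers allows everything under /usr/local/nagios/libexec/ to run as root without a password. The function name audit_sudo_dir and its arguments are hypothetical. It reports any entry in the directory that is not owned by the expected account or that is writable by group or other.

```shell
#!/bin/sh
# Added example: audit a directory that a sudoers rule lets an account run
# as root without a password. Anything in it that a non-root user can
# modify is a path to root for that user.
#
# Usage: audit_sudo_dir DIR [OWNER]
#   DIR    directory named in the sudoers rule
#   OWNER  account (name or numeric id) expected to own every entry;
#          defaults to root
# Returns 0 if clean, 1 if findings were printed, 2 if DIR is not a directory.
audit_sudo_dir() {
    dir=$1
    owner=${2:-root}
    if [ ! -d "$dir" ]; then
        echo "not a directory: $dir" >&2
        return 2
    fi
    # -L follows symlinks, so ownership and mode of the link target are tested.
    # Flag entries not owned by $owner, or writable by group or by other.
    findings=$(find -L "$dir" \
        \( ! -user "$owner" -o -perm -020 -o -perm -002 \) \
        -exec ls -ld {} \; 2>/dev/null)
    if [ -n "$findings" ]; then
        echo "entries that someone other than $owner may be able to modify:"
        echo "$findings"
        return 1
    fi
    echo "ok: everything under $dir is owned by $owner and not group/other writable"
    return 0
}

# Run the audit only when a directory is given on the command line, e.g.
#   sh audit.sh /usr/local/nagios/libexec
if [ "$#" -gt 0 ]; then
    audit_sudo_dir "$@"
fi
```

The check covers the directory itself and its contents, not the parent directories above it.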