
Communication breakdown?

Posted: Mon Apr 28, 2014 12:19 pm
by barkingdoggy
I have Nagios actively monitoring a Windows machine running NSClient++ v. 0,4,2,88. Nagios actively communicates with NSClient++ using NRPE. I want to have Nagios passively monitor the Windows eventlog using NSCA. I have implemented and tested NSCA on the Nagios/server-side using http://nagios.sourceforge.net/download/ ... _Setup.pdf as a guide.

On the Windows machine, the nsclient.ini file looks like this:

Code:

[/modules]
CheckSystem=enabled
CheckDisk=enabled
CheckEventLog=enabled
NSCAClient=enabled
NSClientServer=enabled
NRPEServer = enabled
[/settings/default]
allowed hosts=10.11.10.20
password=secret
[/settings/NRPE/server]
allow arguments = true
allow nasty characters = false
[/settings/eventlog/real-time]
enabled=true
filter=id = 1000 and category = 0
destination=NSCA
[/settings/NSCA/client/targets/default]
address=nsca://10.11.10.20:5667
;encryption=aes256
;password=secret

From the Windows command line, I can run without error:

Code:

C:\Program Files\NSClient++>nscp nsca message="This is a test message."
Submission successful

But on the Nagios/server I get an error in the syslog:

Code:

Apr 23 10:59:35 ubuntuserver nsca[9593]: Handling the connection...
Apr 23 10:59:36 ubuntuserver nsca[9593]: Received invalid packet type/version from client - possibly due to client using wrong password or crypto algorithm?

I've got "decryption_method=0" in the nsca.cfg file on the Nagios machine. [I first tried "encryption=aes256" (NSClient.ini) and "decryption_method=16" (nsca.cfg) and got the same syslog error.]

How do I troubleshoot this issue?

TIA!

Re: Communication breakdown?

Posted: Mon Apr 28, 2014 1:20 pm
by slansing
You need to make sure both Nagios and the Windows server are using the same encryption. In the nsclient.ini file you should see a section under NSCA which allows you to set the encryption method, as well as a password. Make sure this matches, and restart NSClient++ for the changes to take effect. You will need to do this on the Nagios server as well, in the nsca.cfg file, and restart the daemon.

https://nsclient.org/nscp/wiki/doc/usage/nagios/nsca

Re: Communication breakdown?

Posted: Mon Apr 28, 2014 4:15 pm
by barkingdoggy
Thanks for the reply. Just checked the nsclient.ini file on the Windows box and the nsca.cfg file on the Nagios box. No passwords and no encryption on both/each. Restarted the NSClient++ service on the Windows box and rebooted the Nagios box. Ran the command: nscp nsca message="This is a test message." from the command prompt on the Windows box. "Submission successful" returned. On the Nagios box, the syslog shows:

Apr 28 17:03:22 ubuntuserver nsca[3055]: Handling the connection...
Apr 28 17:03:23 ubuntuserver nsca[3055]: Received invalid packet type/version from client - possibly due to client using wrong password or crypto algorithm?

I read where nsca looks for tabs to separate fields in messages. Could that be why it is puking (no tabs), rather than crypto?

Re: Communication breakdown?

Posted: Mon Apr 28, 2014 4:47 pm
by slansing
Hmm, what version of NSClient++ are you running, and what version of NSCA on the Nagios server? Having a different server version of NSCA can cause issues. But it looks like it is making the connection fine; usually we would see an invalid package CRC error if it was a version issue. Can you attach your entire nsc/nsclient.ini file? And the NSCA config from the Nagios server? I would like to take a look at them.

Re: Communication breakdown?

Posted: Tue Apr 29, 2014 7:45 am
by barkingdoggy
NSCA version is 2.9.1. NSClient++ version is 0,4,2,88. As I said, I implemented and tested NSCA on the Nagios machine using http://nagios.sourceforge.net/download/ ... _Setup.pdf as a guide.

Here's the entire nsclient.ini file:

Code:

[/modules]
CheckSystem=enabled
CheckDisk=enabled
CheckEventLog=enabled
NSCAClient=enabled
NSClientServer=enabled
NRPEServer = enabled
 
[/settings/default]
allowed hosts=10.11.100.20
;password=secret
 
[/settings/NRPE/server]
allow arguments = true
allow nasty characters = false

[/settings/eventlog/real-time]
enabled=true
filter=id = 1000 and category = 0
destination=NSCA

[/settings/NSCA/client/targets/default]
address=nsca://10.11.100.20:5667
;encryption=aes256
;password=secret

Here's the nsca.cfg file without the commented lines...

Code:

log_facility=daemon
pid_file=/var/run/nsca.pid
server_port=5667
nsca_user=nagios
nsca_group=nogroup
debug=1
command_file=/var/lib/nagios3/rw/nagios.cmd
alternate_dump_file=/var/run/nagios/nsca.dump
aggregate_writes=0
append_to_file=0
max_packet_age=30
decryption_method=0

Thanks for your assistance.

Re: Communication breakdown?

Posted: Tue Apr 29, 2014 4:59 pm
by tmcdonald
Let's run a tcpdump on port 5667 on the Nagios box and see exactly what is being sent:

Code:

tcpdump -vvv -A dst port 5667

Then send a test from Windows, and kill the tcpdump. Post the output here. You might have to yum install tcpdump first.

Also, is that your full nsclient.ini file? Could you expand it for us?

Re: Communication breakdown?

Posted: Fri May 02, 2014 1:56 pm
by barkingdoggy
tcpdump output:

Code:

 sudo tcpdump -vvv -A dst port 5667
tcpdump: listening on eth0, link-type EN10MB (Ethernet), capture size 65535 bytes
14:48:58.212123 IP (tos 0x0, ttl 128, id 27254, offset 0, flags [DF], proto TCP (6), length 52)
    10.11.100.200.51201 > 10.11.100.20.nsca: Flags [S], cksum 0xc886 (correct), seq 606971717, win 8192, options [mss 1460,nop,wscale 8,nop,nop,sackOK], length 0
E..4jv@....[
.d.
.d....#$-.E...... .................
14:48:58.212750 IP (tos 0x0, ttl 128, id 27255, offset 0, flags [DF], proto TCP (6), length 40)
    10.11.100.200.51201 > 10.11.100.20.nsca: Flags [.], cksum 0x4a89 (correct), seq 606971718, ack 2341622318, win 256, length 0
E..([email protected]
.d.
.d....#$-.F..R.P...J.........
14:48:58.324339 IP (tos 0x0, ttl 128, id 27256, offset 0, flags [DF], proto TCP (6), length 760)
    10.11.100.200.51201 > 10.11.100.20.nsca: Flags [P.], cksum 0x3c1c (correct), seq 0:720, ack 133, win 256, length 720
E...jx@.....
.d.
.d....#$-.F..R.P...<......
K.n..:s..\.r..  ...2..0R..=wW.....`9|B.W..a..Pi.>N".. .n.guF.:}+...V.....ARSk".!b.7.c.EY-.....N'......[E.E.....U?.Qj.1....Ev='<<0...&..VSx...X......p..V.G...d.......rM...$......7.....* ...q...x.....<......qt~..........]......K,.2r.kZ5j.......".(.j.c}.
....}.S...|.<.5cI..+(.....X^1)....'...t.?.6.|d7.........,a..A......^.......G..F...|....uS.....g..>..y...x/[email protected].;...{..14S..>..x..B.......S.p.Y.%RA...Cl.{.e9|.A.!c./.;L4.M.L...).....`....#..{...l.Kk.g~....,&..9.'..        ...{.G.....9wi.P.....4.=.
14:48:58.324366 IP (tos 0x0, ttl 128, id 27257, offset 0, flags [DF], proto TCP (6), length 40)
    10.11.100.200.51201 > 10.11.100.20.nsca: Flags [F.], cksum 0x4734 (correct), seq 720, ack 133, win 256, length 0
E..([email protected]
.d.
.d....#$-....R.P...G4........
14:48:59.322930 IP (tos 0x0, ttl 128, id 27259, offset 0, flags [DF], proto TCP (6), length 40)
    10.11.100.200.51201 > 10.11.100.20.nsca: Flags [.], cksum 0x4733 (correct), seq 721, ack 134, win 256, length 0
E..(j{@....b
.d.
.d....#$-....R.P...G3........
^C
5 packets captured
5 packets received by filter
0 packets dropped by kernel

That is the full nsclient.ini file. Is it missing something?
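
An added example, not part of the original post and not code from NSCA or NSClient++: a way to check offline whether a captured 720-byte NSCA payload, like the one in the tcpdump output above, is a plaintext packet, which is what a server running with decryption_method=0 expects. The packet layout, the two output-field sizes, the order of the checks and every sample value are assumptions made for this example.

```python
import struct
import zlib

# Assumed layout of an NSCA v3 data packet (network byte order):
# int16 version, 2 pad bytes, uint32 crc32, uint32 timestamp, int16 return code,
# host[64], service[128], output[512 or 4096], padded to a multiple of 4.
HEADER = struct.Struct("!h2xIIh")
HOST_LEN, SVC_LEN = 64, 128
OUTPUT_LENS = (512, 4096)  # assumed: older/smaller and newer/larger output field


def packet_size(output_len):
    raw = HEADER.size + HOST_LEN + SVC_LEN + output_len
    return (raw + 3) // 4 * 4


def build_plain_packet(host, service, output, code=0, ts=1399042138, output_len=512):
    """Constructed sample: a packet as sent when no encryption is applied."""
    body = (host.encode().ljust(HOST_LEN, b"\0") + service.encode().ljust(SVC_LEN, b"\0")
            + output.encode().ljust(output_len, b"\0"))
    pkt = (HEADER.pack(3, 0, ts, code) + body).ljust(packet_size(output_len), b"\0")
    crc = zlib.crc32(pkt) & 0xFFFFFFFF  # CRC is computed with the CRC field zeroed
    return pkt[:4] + struct.pack("!I", crc) + pkt[8:]


def diagnose(payload):
    """Classify a captured payload as a server without decryption would read it."""
    sizes = {packet_size(n): n for n in OUTPUT_LENS}
    if len(payload) not in sizes:
        return "unexpected length %d" % len(payload)
    version, crc, _ts, _code = HEADER.unpack_from(payload)
    if version != 3:
        return "invalid packet type/version: not plaintext, compare encryption on both ends"
    zeroed = payload[:4] + b"\0\0\0\0" + payload[8:]
    if zlib.crc32(zeroed) & 0xFFFFFFFF != crc:
        return "invalid CRC32"
    host = payload[14:14 + HOST_LEN].split(b"\0")[0].decode()
    return "plaintext v3 packet from %s, %d-byte output field" % (host, sizes[len(payload)])


# Constructed inputs: host and service names are made up for this example.
plain = build_plain_packet("winhost", "eventlog", "This is a test message.")
# Constructed stand-in for an encrypted payload: same bytes XORed with a repeating key.
obscured = bytes(b ^ k for b, k in zip(plain, b"secret" * 120))

if __name__ == "__main__":
    print(len(plain), diagnose(plain))
    print(len(obscured), diagnose(obscured))
```

To use it on a real capture, write the packets to a file with tcpdump -w and pass the TCP payload bytes of the client's data packet to diagnose().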

Re: Communication breakdown?

Posted: Fri May 02, 2014 2:19 pm
by slansing
Yes, it's missing quite a bit; it almost looks like it was manually stripped. You should have a bit of commented text at the top that shows you how to expand it so you can see the full definitions, which we will want for NSCA. I'd recommend you install NSClient++ version 0.3.9. It is a bit older, but it is solid and it works for all purposes you would need at this point. It will come pre-populated with an nsclient.ini file with the necessary definitions.

Re: Communication breakdown?

Posted: Fri May 02, 2014 4:30 pm
by barkingdoggy
I installed nsclient++ version 0.3.9. FWIW, it creates an NSC.ini file instead of nsclient.ini. The header of the NSC.ini file says I have to edit it and enable dlls. It's going to take me some time to figure this out. It will take me a few days, but I'll report back.

Re: Communication breakdown?

Posted: Mon May 05, 2014 9:11 am
by tmcdonald
We will keep this post open for you.