NRDS behind a firewall
Posted: Mon May 12, 2014 10:07 am
by BanditBBS
OK, I have two secure zones (actually 30+, but all fall into these two), PCI and DMZ. I want to give them all the options possible to choose from when deciding how we are going to finally monitor the machines in those zones.
I do have a gearman worker in each zone and they can easily handle all of my *nix monitoring as I am using NRPE.
My problem is with my Windows monitoring. They don't like NSClient and won't let me install that, so as you should be aware from previous threads, I use WMI for my Windows monitoring. The issue with that is that it requires one heck of a lot of ports to be opened. I can't do that for all the "sub" zones within PCI and DMZ. My thoughts are to use NRDS, which, if I need to open a port back to the primary XI server, is just one port I need opened but for a ton of "sources".
In one of my previous threads regarding NCPA someone mentioned forwarding NRDS results (or I totally misunderstood what I read). Is there a method for me to install something on a server that receives all the NRDS results from all the PCI servers and then sends the NRDS check results through the firewall (and only the one hole) to the XI server?
Re: NRDS behind a firewall
Posted: Mon May 12, 2014 5:13 pm
by tmcdonald
NRPE within the restricted area, have it run all the WMI checks and (though I shudder to say this) enable command args in NRPE for easier configuration. That or look into a Squid proxy?
Re: NRDS behind a firewall
Posted: Mon May 12, 2014 5:46 pm
by BanditBBS
tmcdonald wrote: NRPE within the restricted area, have it run all the WMI checks and (though I shudder to say this) enable command args in NRPE for easier configuration. That or look into a Squid proxy?
I want to shoot this entire sentence down, but I can't grasp it well enough to argue it! LOL
Only passive agents can get installed on my Windows servers. NCPA isn't an option yet, so it has to be NRDS. I was specifically asking if there was a way to send NRDS results to a server and then have it forward those checks to the XI server. I guess I could install XI on the server and just have it forward everything over to the main XI server; is there any other method?
In regards to your statement, how/why would I use NRPE to run WMI checks?
Re: NRDS behind a firewall
Posted: Tue May 13, 2014 8:43 am
by tmcdonald
I am almost positive I misunderstood what you were asking for. I thought you needed some sort of pivoting proxy hence running arbitrary commands through NRPE as a poor-man's proxy. Didn't realize NRDS was a requirement, just thought we were throwing out ideas. Feel free to shoot down using whatever ammunition you deem appropriate. I hear rhyming is very in these days.
Re: NRDS behind a firewall
Posted: Tue May 13, 2014 9:47 am
by BanditBBS
tmcdonald wrote: I am almost positive I misunderstood what you were asking for. I thought you needed some sort of pivoting proxy hence running arbitrary commands through NRPE as a poor-man's proxy. Didn't realize NRDS was a requirement, just thought we were throwing out ideas. Feel free to shoot down using whatever ammunition you deem appropriate. I hear rhyming is very in these days.
If I wasn't so busy right this moment I'd try and be funny like Benhank and think of a good rhyme!
Have any response to what my question actually is? I know what I asked is an option; I'd have to install XI and just have it forward everything back to the main XI server. Is there a method to do this without actually having to install XI on the intermediate server?
Re: NRDS behind a firewall
Posted: Tue May 13, 2014 5:53 pm
by tmcdonald
Without knowing enough about how NSCA and NRDP do their forwarding on the backend, I can't give you a great answer regarding those two. Setting up a Squid proxy should let you just forward any traffic coming in on a port or range of ports out to a single server/port. I'm no Squid expert but it's widely used enough that it should work. Didn't really get any ideas from the rest of the tech room.
Re: NRDS behind a firewall
Posted: Tue May 13, 2014 7:23 pm
by Box293
BanditBBS wrote: My problem is with my Windows monitoring. They don't like NSClient and won't let me install that, so as you should be aware from previous threads, I use WMI for my Windows monitoring. The issue with that is that it requires one heck of a lot of ports to be opened.
Here's an idea which will require some testing but may be a viable solution.
- Implement a Raspberry Pi in the secure zone running Linux
- Allow SSH sessions to the Pi from your core network
- Issue all of your WMI checks via check_by_ssh
- This way the Pi is executing the WMI checks at that end and resolves the port issue
A Raspberry Pi might not be powerful enough, not sure, but it is on my "to do / to play with" list.
Re: NRDS behind a firewall
Posted: Wed May 14, 2014 6:34 pm
by BanditBBS
I always make the mistake of including too much information in my questions and making them more difficult to answer than they should be, LOL.
I have a RHEL6 server I could use, no need for a Pi; plus for a ton of WMI checks I think it would be a little underpowered. However, WMI isn't my issue here and I shouldn't have even mentioned it in my opening post. I have some things I need to install NRDS on the Windows servers for that WMI can't handle. I just wanted ideas on getting the NRDS results back out of my protected zone to my main XI server with as few holes through the firewall as possible.
Does that explain it better?
Re: NRDS behind a firewall
Posted: Wed May 14, 2014 7:03 pm
by Box293
Don't worry, I often overcomplicate things.
With NRDS, I believe that the results are all sent via HTTP port 80.
Have a look at this video:
http://exchange.nagios.org/directory/Ad ... 29/details
At about 1 minute 30 seconds you can see the URL that the NRDS client needs to reach.
Re: NRDS behind a firewall
Posted: Wed May 14, 2014 7:09 pm
by BanditBBS
Box293 wrote: Don't worry, I often overcomplicate things.
With NRDS, I believe that the results are all sent via HTTP port 80.
Have a look at this video:
http://exchange.nagios.org/directory/Ad ... 29/details
At about 1 minute 30 seconds you can see the URL that the NRDS client needs to reach.
Yeah, I actually use it already, but from corporate machines, not PCI. That's my whole question: I really don't want to, and may be stopped by the security team from, opening port 80 from all the PCI servers to the main XI server. I was wanting a slick way to actually forward them without having to install an XI server in PCI and have it send outbound transfers to the main one. That would require only 1 hole in the firewall, but I don't want to have to worry about yet another XI server.
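Putting tmcdonald's Squid idea together with Box293's note that NRDS results travel over HTTP port 80: the following is an added example of a Squid reverse-proxy (accelerator) configuration for the intermediate RHEL6 box in the PCI zone, not something from the thread or from Nagios. It assumes the XI server is 10.0.0.5, the PCI client subnet is 10.20.0.0/16, and the NRDS/NRDP URL prefixes are /nrds/ and /nrdp/ (check the URL shown in the linked video and adjust).

```conf
# /etc/squid/squid.conf on the intermediate RHEL6 host inside the PCI zone
# (added example, not from the thread). Squid listens on port 80 as a
# reverse proxy and relays only NRDS/NRDP requests to the XI server, so the
# firewall needs a single rule: this host -> XI server, TCP/80.

# Assumed addresses: XI server 10.0.0.5, PCI client subnet 10.20.0.0/16.
http_port 80 accel defaultsite=xi.example.com no-vhost

# The single upstream: the XI server. originserver = it is a web server,
# not another proxy; no-query = do not send ICP queries to it.
cache_peer 10.0.0.5 parent 80 0 no-query originserver name=xiserver

# Who may talk to this proxy and what they may ask for.
acl pci_clients src 10.20.0.0/16
# Assumed NRDS/NRDP URL prefixes; confirm against the URL shown in the video.
acl nrds_paths urlpath_regex ^/nrds(/|$) ^/nrdp(/|$)

# Only PCI clients, only the NRDS/NRDP paths, and only to the XI server.
http_access allow pci_clients nrds_paths
http_access deny all
cache_peer_access xiserver allow nrds_paths
cache_peer_access xiserver deny all
never_direct allow all

# Check results are not cacheable content; do not store them.
cache deny all
```

Point the NRDS clients' server URL at this host instead of at XI; on the XI side the results then arrive from the proxy's IP, so the only firewall opening is this host to XI on TCP/80.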