NRPE configuration question

[rferebee]

Hello,

One of my Linux admins noticed some errors in our NRPE log file:

@nagiosxi:/var/log>sudo cat messages| grep -E "not allowed to talk"
Apr 16 13:05:25 nagiosxi nrpe[49782]: Host 10.131.86.60 is not allowed to talk to us!
Apr 16 13:06:11 nagiosxi nrpe[50771]: Host 10.131.86.58 is not allowed to talk to us!
Apr 16 13:06:23 nagiosxi nrpe[50954]: Host 10.131.86.60 is not allowed to talk to us!
Apr 16 13:06:50 nagiosxi nrpe[51566]: Host 10.231.86.58 is not allowed to talk to us!
Apr 16 13:08:37 nagiosxi nrpe[55638]: Host 10.231.86.58 is not allowed to talk to us!
Apr 16 13:08:58 nagiosxi nrpe[56072]: Host 10.131.86.58 is not allowed to talk to us!
Apr 16 13:10:23 nagiosxi nrpe[59130]: Host 10.131.86.60 is not allowed to talk to us!
Apr 16 13:11:10 nagiosxi nrpe[60194]: Host 10.131.86.58 is not allowed to talk to us!
Apr 16 13:11:21 nagiosxi nrpe[60382]: Host 10.131.86.60 is not allowed to talk to us!
Apr 16 13:11:48 nagiosxi nrpe[61034]: Host 10.231.86.58 is not allowed to talk to us!
Apr 16 13:13:36 nagiosxi nrpe[63350]: Host 10.231.86.58 is not allowed to talk to us!
Apr 16 13:13:57 nagiosxi nrpe[63781]: Host 10.131.86.58 is not allowed to talk to us!
Apr 16 13:15:22 nagiosxi nrpe[409]: Host 10.131.86.60 is not allowed to talk to us!
Apr 16 13:16:08 nagiosxi nrpe[1512]: Host 10.131.86.58 is not allowed to talk to us!
Apr 16 13:16:18 nagiosxi nrpe[1685]: Host 10.131.86.60 is not allowed to talk to us!
Apr 16 13:16:47 nagiosxi nrpe[2314]: Host 10.231.86.58 is not allowed to talk to us!
Apr 16 13:18:35 nagiosxi nrpe[4803]: Host 10.231.86.58 is not allowed to talk to us!
Apr 16 13:18:55 nagiosxi nrpe[5235]: Host 10.131.86.58 is not allowed to talk to us!
Apr 16 13:20:21 nagiosxi nrpe[7131]: Host 10.131.86.60 is not allowed to talk to us!
Apr 16 13:21:07 nagiosxi nrpe[8233]: Host 10.131.86.58 is not allowed to talk to us!
Apr 16 13:21:17 nagiosxi nrpe[8404]: Host 10.131.86.60 is not allowed to talk to us!
Apr 16 13:21:44 nagiosxi nrpe[8932]: Host 10.231.86.58 is not allowed to talk to us!
Apr 16 13:23:33 nagiosxi nrpe[11530]: Host 10.231.86.58 is not allowed to talk to us!
Apr 16 13:23:54 nagiosxi nrpe[11984]: Host 10.131.86.58 is not allowed to talk to us!

Now, the IP addresses listed in the errors are my other XI servers. One is a fail over mirror and the other is a test environment. As far as I know NRPE is working in the checks we are using it in, but should I allow NRPE communication between my various XI servers?

This is what the NRPE.conf file looks like now:

# ALLOWED HOST ADDRESSES
# This is an optional comma-delimited list of IP address or hostnames
# that are allowed to talk to the NRPE daemon. Network addresses with a bit mask
# (i.e. 192.168.1.0/24) are also supported. Hostname wildcards are not currently
# supported.
#
# Note: The daemon only does rudimentary checking of the client's IP
# address. I would highly recommend adding entries in your /etc/hosts.allow
# file to allow only the specified host to connect to the port
# you are running this daemon on.
#
# NOTE: This option is ignored if NRPE is running under either inetd or xinetd

allowed_hosts=127.0.0.1,::1

My Linux admin recommended we change the allow_hosts line to this:

allowed_hosts=127.0.0.1,10.131.86.58,10.231.86.58,10.131.86.60

Would that be best practice?

[npolovenko]

Hello, @rferebee.

As far as I know NRPE is working in the checks we are using it in

That is unlikely. If hosts are not allowed to talk to the NRPE agent, they will not be able to run NRPE checks. So nrpe checks should be failing on your failover and recovery XI servers(10.231.86.58 and 10.131.86.60).
I'd recommend adding these two IP addresses to the configuration. If your nrpe is xinetd based then you need to add these IP addresses to this file instead:

/etc/xinetd.d/nrpe

But otherwise, you can add them the way your linux admin suggested.
https://support.nagios.com/kb/article/n ... e-615.html
Don't forget to restart NRPE after you make this change.

[rferebee]

It looks like we're using inetd.d to monitor NRPE:

root@nagiosxi> cd /etc/xinetd.d
root@nagiosxi> ls
chargen-dgram chargen-stream daytime-dgram daytime-stream discard-dgram discard-stream echo-dgram echo-stream nrpe nsca rsync tcpmux-server time-dgram time-stream
root@nagiosxi> cat nrpe
# default: on
# description: NRPE (Nagios Remote Plugin Executor)
service nrpe
{
disable = yes
flags = REUSE
socket_type = stream
port = 5666
wait = no
user = nagios
group = nagios
server = /usr/local/nagios/bin/nrpe
server_args = -c /usr/local/nagios/etc/nrpe.cfg --inetd
log_on_failure += USERID
only_from = 127.0.0.1 10.131.86.58 10.131.86.60 10.231.86.58
}

Is there a reason we'd be using one versus the other? I'm sorry, I'm still learning so I don't know the difference between the two.

[npolovenko]

@rferebee, The difference is insignificant. Some versions of nrpe use xinetd and the latest version runs as a standalone daemon. In practice, the only difference for you would be the command to use to restart nrpe and config the file to add allowed hosts to.

[rferebee]

Is there a way to stop the error messages in the log file? What would happen if I added the IP addresses into both locations: /nagios/etc/nrpe.cfg and /etc/xinetd.d/nrpe?

[npolovenko]

@rferebee, The reason why you're seeing these messages in the log is because these XI hosts are trying to connect to the NRPE server
(10.131.86.60 and 10.131.86.58). You can either add them to allowed hosts in the nrpe.cfg file or /etc/xinetd.d/nrpe depending on the installation, or you can delete/stop nrpe checks on these two XI servers. Then they'll stop trying to connect and there won't be any more errors.
Since you have this file -> /etc/xinetd.d/nrpe, im guessing your nrpe is running under xinetd. But feel free to modify both files: nrpe.cfg and /etc/xinetd.d/nrpe, it's not going to do any damage either way.

[rferebee]

Thanks for the help. I made the change to the nrpe.cfg file and restarted the NRPE service.

I'm seeing an issue with a CentOS server we just added to Nagios for monitoring though. The Status is coming back as Unknown for all the checks except Ping. Also, the Status Information column says, "NRPE Plugin for Nagios".

Is that referring to the CentOS box we're attempting to monitor or the Nagios XI box itself? I had my Linux guys install the NRPE plugin on the box as well as add our Nagios IPs into the config file then restart the service, but it's still not working.

[rferebee]

It looks like it might be the syntax of the checks themselves.

I'm looking at some other checks we have that are working and modifying them and now they're working. That's a little discouraging because I used the checks from the built in Linux Wizard.

[npolovenko]

@rferebee, So after you modified the syntax of these checks they are working? Can you show me the syntax before and after? Preferably in screenshots.
These unknown errors could've been caused by Nagios IP not allowing to talk to the nrpe agent.

[rferebee]

Attached are two examples.

Disk Usage vs. Disk Check

Load vs. Check Load

All 4 checks are using check_NRPE, but Disk Usage and Load are added directly from the Linux Server wizard built into XI and the syntax/arguments don't work.

Disk Check and Check Load are working.

Thank you!