Hi everybody, I am trying to check a machine that is behind a firewall, and I am using NRPE + a Windows proxy (with NSClient): http://blog.medin.name/blog/2012/12/02/securing-nrpe-with-certificate-based-authentication/
The machine that I want to check executes the command, but on the OMD machine I don't get the answer.
OMD (with check-mk):

```
./check_nrpe -H 192.168.152.163 -c r_check_host
```

Windows proxy:
NSCLIENT.INI:

```
# If you want to fill this file with all available options run the following command:
#   nscp settings --generate --add-defaults --load-all
# If you want to activate a module and bring in all its options use:
#   nscp settings --activate-module --add-defaults
# For details run: nscp settings --help

; Undocumented section
[/modules]
; CheckDisk - CheckDisk can check various file and disk related things. The current version has commands to check Size of hard drives and directories.
CheckDisk = 1
; Event log Checker. - Check for errors and warnings in the event log. This is only supported through NRPE so if you plan to use only NSClient this wont help you at all.
CheckEventLog = 1
; Check External Scripts - A simple wrapper to run external scripts and batch files.
CheckExternalScripts = 1
; Helper function - Various helper function to extend other checks. This is also only supported through NRPE.
CheckHelpers = 1
; Check NSCP - Checks the state of the agent
CheckNSCP = 1
; CheckSystem - Various system related checks, such as CPU load, process state, service state memory usage and PDH counters.
CheckSystem = 1
; NRPE server - A simple server that listens for incoming NRPE connection and handles them.
NRPEServer = 1
; NRPE client - Client access.
NRPEClient = 1

; Undocumented section
[/settings/default]
; ALLOWED HOSTS - A comma-separated list of allowed hosts. You can use netmasks (/ syntax) or * to create ranges.
allowed hosts = 127.0.0.1,192.168.152.161,192.168.152.129

; A list of aliases available. An alias is an internal command that has been "wrapped" (to add arguments). Be careful so you don't create loops (ie check_loop=check_a, check_a=check_loop)
[/settings/external scripts/alias]
; alias_cpu - Alias for alias_cpu. To configure this item add a section called: /settings/external scripts/alias/alias_cpu
alias_cpu = checkCPU warn=80 crit=90 time=5m time=1m time=30s
; alias_cpu_ex - Alias for alias_cpu_ex. To configure this item add a section called: /settings/external scripts/alias/alias_cpu_ex
alias_cpu_ex = checkCPU warn=$ARG1$ crit=$ARG2$ time=5m time=1m time=30s
; alias_disk - Alias for alias_disk. To configure this item add a section called: /settings/external scripts/alias/alias_disk
alias_disk = CheckDriveSize MinWarn=10% MinCrit=5% CheckAll FilterType=FIXED
; alias_disk_loose - Alias for alias_disk_loose. To configure this item add a section called: /settings/external scripts/alias/alias_disk_loose
alias_disk_loose = CheckDriveSize MinWarn=10% MinCrit=5% CheckAll FilterType=FIXED ignore-unreadable
; alias_event_log - Alias for alias_event_log. To configure this item add a section called: /settings/external scripts/alias/alias_event_log
alias_event_log = CheckEventLog file=application file=system MaxWarn=1 MaxCrit=1 "filter=generated gt -2d AND severity NOT IN ('success', 'informational') AND source != 'SideBySide'" truncate=800 unique descriptions "syntax=%severity%: %source%: %message% (%count%)"
; alias_file_age - Alias for alias_file_age. To configure this item add a section called: /settings/external scripts/alias/alias_file_age
alias_file_age = checkFile2 filter=out "file=$ARG1$" filter-written=>1d MaxWarn=1 MaxCrit=1 "syntax=%filename% %write%"
; alias_file_size - Alias for alias_file_size. To configure this item add a section called: /settings/external scripts/alias/alias_file_size
alias_file_size = CheckFiles "filter=size > $ARG2$" "path=$ARG1$" MaxWarn=1 MaxCrit=1 "syntax=%filename% %size%" max-dir-depth=10
; alias_mem - Alias for alias_mem. To configure this item add a section called: /settings/external scripts/alias/alias_mem
alias_mem = checkMem MaxWarn=80% MaxCrit=90% ShowAll=long type=physical type=virtual type=paged type=page
; alias_process - Alias for alias_process. To configure this item add a section called: /settings/external scripts/alias/alias_process
alias_process = checkProcState "$ARG1$=started"
; alias_process_count - Alias for alias_process_count. To configure this item add a section called: /settings/external scripts/alias/alias_process_count
alias_process_count = checkProcState MaxWarnCount=$ARG2$ MaxCritCount=$ARG3$ "$ARG1$=started"
; alias_process_hung - Alias for alias_process_hung. To configure this item add a section called: /settings/external scripts/alias/alias_process_hung
alias_process_hung = checkProcState MaxWarnCount=1 MaxCritCount=1 "$ARG1$=hung"
; alias_process_stopped - Alias for alias_process_stopped. To configure this item add a section called: /settings/external scripts/alias/alias_process_stopped
alias_process_stopped = checkProcState "$ARG1$=stopped"
; alias_sched_all - Alias for alias_sched_all. To configure this item add a section called: /settings/external scripts/alias/alias_sched_all
alias_sched_all = CheckTaskSched "filter=exit_code ne 0" "syntax=%title%: %exit_code%" warn=>0
; alias_sched_long - Alias for alias_sched_long. To configure this item add a section called: /settings/external scripts/alias/alias_sched_long
alias_sched_long = CheckTaskSched "filter=status = 'running' AND most_recent_run_time < -$ARG1$" "syntax=%title% (%most_recent_run_time%)" warn=>0
; alias_sched_task - Alias for alias_sched_task. To configure this item add a section called: /settings/external scripts/alias/alias_sched_task
alias_sched_task = CheckTaskSched "filter=title eq '$ARG1$' AND exit_code ne 0" "syntax=%title% (%most_recent_run_time%)" warn=>0
; alias_service - Alias for alias_service. To configure this item add a section called: /settings/external scripts/alias/alias_service
alias_service = checkServiceState CheckAll
; alias_service_ex - Alias for alias_service_ex. To configure this item add a section called: /settings/external scripts/alias/alias_service_ex
alias_service_ex = checkServiceState CheckAll "exclude=Net Driver HPZ12" "exclude=Pml Driver HPZ12" exclude=stisvc
; alias_up - Alias for alias_up. To configure this item add a section called: /settings/external scripts/alias/alias_up
alias_up = checkUpTime MinWarn=1d MinWarn=1h
; alias_updates - Alias for alias_updates. To configure this item add a section called: /settings/external scripts/alias/alias_updates
alias_updates = check_updates -warning 0 -critical 0
; alias_volumes - Alias for alias_volumes. To configure this item add a section called: /settings/external scripts/alias/alias_volumes
alias_volumes = CheckDriveSize MinWarn=10% MinCrit=5% CheckAll=volumes FilterType=FIXED
; alias_volumes_loose - Alias for alias_volumes_loose. To configure this item add a section called: /settings/external scripts/alias/alias_volumes_loose
alias_volumes_loose = CheckDriveSize MinWarn=10% MinCrit=5% CheckAll=volumes FilterType=FIXED ignore-unreadable
; default - Alias for default. To configure this item add a section called: /settings/external scripts/alias/default
default =

[/settings/NRPE/server]
; COMMAND ARGUMENT PROCESSING - This option determines whether or not we will allow clients to specify arguments to commands that are executed.
allow arguments = true
allow nasty characters = true
allowed hosts = 0/0

[/settings/NRPE/client/handlers]
r_check_host = query --host=192.168.152.129 --command check_host -n
r_check_cpu = query --host=192.168.152.163 --command check_cpu MaxWarn=70 time=1m
```
Machine (behind a firewall; it has an NRPE plugin)

syslog:

```
Apr 14 14:53:06 ubuntu nrpe[6861]: INFO: SSL/TLS NOT initialized. Network encryption DISABLED.
Apr 14 14:53:06 ubuntu nrpe[6862]: Starting up daemon
Apr 14 14:53:06 ubuntu nrpe[6862]: Warning: Daemon is configured to accept command arguments from clients!
Apr 14 14:53:06 ubuntu nrpe[6862]: Listening for connections on port 5666
Apr 14 14:53:06 ubuntu nrpe[6862]: Allowing connections from: 192.168.152.163,127.0.0.1
Apr 14 14:54:36 ubuntu nrpe[6866]: Connection from 192.168.152.163 port 21440
Apr 14 14:54:36 ubuntu nrpe[6866]: Host address is in allowed_hosts
Apr 14 14:54:36 ubuntu nrpe[6866]: Handling the connection...
Apr 14 14:54:36 ubuntu nrpe[6866]: Host is asking for command 'check_host' to be run...
Apr 14 14:54:36 ubuntu nrpe[6866]: Running command: /usr/lib/nagios/plugins/check_host localhost
Apr 14 14:54:36 ubuntu nrpe[6866]: Command completed with return code 0 and output: OK - localhost responds to ICMP. Packet 1, rta 0.109ms|pkt=1;;0;5 rta=0.109;1000.000;1000.000;;
Apr 14 14:54:36 ubuntu nrpe[6866]: Return Code: 0, Output: OK - localhost responds to ICMP. Packet 1, rta 0.109ms|pkt=1;;0;5 rta=0.109;1000.000;1000.000;;
Apr 14 14:54:36 ubuntu nrpe[6866]: Connection from 192.168.152.163 closed.
Apr 14 15:01:42 ubuntu dhclient: DHCPREQUEST of 192.168.152.129 on eth0 to 192.168.152.254 port 67
Apr 14 15:01:42 ubuntu dhclient: DHCPACK of 192.168.152.129 from 192.168.152.254
Apr 14 15:01:42 ubuntu dhclient: bound to 192.168.152.129 -- renewal in 852 seconds.
```
nrpe.cfg:

```
#############################################################################
# Sample NRPE Config File
# Written by: Ethan Galstad (nagios@nagios.org)
#
# Last Modified: 11-23-2007
#
# NOTES:
# This is a sample configuration file for the NRPE daemon. It needs to be
# located on the remote host that is running the NRPE daemon, not the host
# from which the check_nrpe client is being executed.
#############################################################################

# LOG FACILITY
# The syslog facility that should be used for logging purposes.
log_facility=daemon

# PID FILE
# The name of the file in which the NRPE daemon should write its process ID
# number. The file is only written if the NRPE daemon is started by the root
# user and is running in standalone mode.
pid_file=/var/run/nagios/nrpe.pid

# PORT NUMBER
# Port number we should wait for connections on.
# NOTE: This must be a non-privileged port (i.e. > 1024).
# NOTE: This option is ignored if NRPE is running under either inetd or xinetd
server_port=5666

# SERVER ADDRESS
# Address that nrpe should bind to in case there are more than one interface
# and you do not want nrpe to bind on all interfaces.
# NOTE: This option is ignored if NRPE is running under either inetd or xinetd
#server_address=127.0.0.1

# NRPE USER
# This determines the effective user that the NRPE daemon should run as.
# You can either supply a username or a UID.
# NOTE: This option is ignored if NRPE is running under either inetd or xinetd
nrpe_user=nagios

# NRPE GROUP
# This determines the effective group that the NRPE daemon should run as.
# You can either supply a group name or a GID.
# NOTE: This option is ignored if NRPE is running under either inetd or xinetd
nrpe_group=nagios

# ALLOWED HOST ADDRESSES
# This is an optional comma-delimited list of IP address or hostnames
# that are allowed to talk to the NRPE daemon.
# Note: The daemon only does rudimentary checking of the client's IP
# address. I would highly recommend adding entries in your /etc/hosts.allow
# file to allow only the specified host to connect to the port
# you are running this daemon on.
# NOTE: This option is ignored if NRPE is running under either inetd or xinetd
allowed_hosts=192.168.152.163,127.0.0.1

# COMMAND ARGUMENT PROCESSING
# This option determines whether or not the NRPE daemon will allow clients
# to specify arguments to commands that are executed. This option only works
# if the daemon was configured with the --enable-command-args configure script
# option.
# *** ENABLING THIS OPTION IS A SECURITY RISK! ***
# Read the SECURITY file for information on some of the security implications
# of enabling this variable.
# Values: 0=do not allow arguments, 1=allow command arguments
dont_blame_nrpe=1

# COMMAND PREFIX
# This option allows you to prefix all commands with a user-defined string.
# A space is automatically added between the specified prefix string and the
# command line from the command definition.
# *** THIS EXAMPLE MAY POSE A POTENTIAL SECURITY RISK, SO USE WITH CAUTION! ***
# Usage scenario:
# Execute restricted commands using sudo. For this to work, you need to add
# the nagios user to your /etc/sudoers. An example entry for allowing
# execution of the plugins from might be:
#   nagios ALL=(ALL) NOPASSWD: /usr/lib/nagios/plugins/
# This lets the nagios user run all commands in that directory (and only them)
# without asking for a password. If you do this, make sure you don't give
# random users write access to that directory or its contents!
# command_prefix=/usr/bin/sudo

# DEBUGGING OPTION
# This option determines whether or not debugging messages are logged to the
# syslog facility.
# Values: 0=debugging off, 1=debugging on
debug=1

# COMMAND TIMEOUT
# This specifies the maximum number of seconds that the NRPE daemon will
# allow plugins to finish executing before killing them off.
command_timeout=60

# CONNECTION TIMEOUT
# This specifies the maximum number of seconds that the NRPE daemon will
# wait for a connection to be established before exiting. This is sometimes
# seen where a network problem stops the SSL being established even though
# all network sessions are connected. This causes the nrpe daemons to
# accumulate, eating system resources. Do not set this too low.
connection_timeout=300

# WEAK RANDOM SEED OPTION
# This directive allows you to use SSL even if your system does not have
# a /dev/random or /dev/urandom (on purpose or because the necessary patches
# were not applied). The random number generator will be seeded from a file
# which is either a file pointed to by the environment variable $RANDFILE
# or $HOME/.rnd. If neither exists, the pseudo random number generator will
# be initialized and a warning will be issued.
# Values: 0=only seed from /dev/[u]random, 1=also seed from weak randomness
#allow_weak_random_seed=1

# INCLUDE CONFIG FILE
# This directive allows you to include definitions from an external config file.
#include=<somefile.cfg>

# INCLUDE CONFIG DIRECTORY
# This directive allows you to include definitions from config files (with a
# .cfg extension) in one or more directories (with recursion).
#include_dir=
#include_dir=

# COMMAND DEFINITIONS
# Command definitions that this daemon will run. Definitions
# are in the following format:
# command[<command_name>]=<command_line>
# When the daemon receives a request to return the results of <command_name>
# it will execute the command specified by the <command_line> argument.
# Unlike Nagios, the command line cannot contain macros - it must be
# typed exactly as it should be executed.
# Note: Any plugins that are used in the command lines must reside
# on the machine that this daemon is running on! The examples below
# assume that you have plugins installed in a /usr/local/nagios/libexec
# directory. Also note that you will have to modify the definitions below
# to match the argument format the plugins expect. Remember, these are
# examples only!

# The following examples use hardcoded command arguments...
command[check_host]=/usr/lib/nagios/plugins/check_host localhost
command[check_users]=/usr/lib/nagios/plugins/check_users -w 5 -c 10
command[check_load]=/usr/lib/nagios/plugins/check_load -w 15,10,5 -c 30,25,20
command[check_hda1]=/usr/lib/nagios/plugins/check_disk -w 20% -c 10% -p /dev/hda1
command[check_zombie_procs]=/usr/lib/nagios/plugins/check_procs -w 5 -c 10 -s Z
command[check_total_procs]=/usr/lib/nagios/plugins/check_procs -w 150 -c 200

# The following examples allow user-supplied arguments and can
# only be used if the NRPE daemon was compiled with support for
# command arguments AND the dont_blame_nrpe directive in this
# config file is set to '1'. This poses a potential security risk, so
# make sure you read the SECURITY file before doing this.
#command[check_users]=/usr/lib/nagios/plugins/check_users -w $ARG1$ -c $ARG2$
#command[check_load]=/usr/lib/nagios/plugins/check_load -w $ARG1$ -c $ARG2$
#command[check_disk]=/usr/lib/nagios/plugins/check_disk -w $ARG1$ -c $ARG2$ -p $ARG3$
#command[check_procs]=/usr/lib/nagios/plugins/check_procs -w $ARG1$ -c $ARG2$ -s $ARG3$
```
PLEASE, COULD YOU HELP US? THANKS A LOT!
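Added example, not part of the original post: a small audit that reads nrpe.cfg or nsclient.ini style settings and lists the ones that widen NRPE exposure, using the directive names that appear in the two files above. The function names, the constructed sample and the treatment of `0/0` as a match-all entry are assumptions of this sketch.

```python
# Constructed excerpt: active and commented lines taken from the two files in the post.
SAMPLE = """\
allowed_hosts=192.168.152.163,127.0.0.1
dont_blame_nrpe=1
# command_prefix=/usr/bin/sudo
command[check_host]=/usr/lib/nagios/plugins/check_host localhost
#command[check_users]=/usr/lib/nagios/plugins/check_users -w $ARG1$ -c $ARG2$
[/settings/NRPE/server]
allow arguments = true
allow nasty characters = true
allowed hosts = 0/0
"""

TRUE = {"1", "true", "yes", "on"}
WILDCARDS = {"*", "0/0", "0.0.0.0/0"}  # assumption: treated as match-all entries


def parse(text):
    """Yield (section, key, value) for active lines; '#' and ';' start comments."""
    section = ""
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1]
            continue
        key, sep, value = line.partition("=")
        if sep:
            yield section, key.strip().lower(), value.strip()


def audit(text):
    """Return (setting, reason) pairs for settings that widen NRPE exposure."""
    findings = []
    for section, key, value in parse(text):
        where = f"[{section}] {key}" if section else key
        hosts = {h.strip() for h in value.split(",")}
        if key in ("dont_blame_nrpe", "allow arguments") and value.lower() in TRUE:
            findings.append((where, "clients may pass command arguments"))
        elif key == "allow nasty characters" and value.lower() in TRUE:
            findings.append((where, "shell metacharacters accepted in arguments"))
        elif key in ("allowed_hosts", "allowed hosts") and hosts & WILDCARDS:
            findings.append((where, "any source address may connect"))
        elif key.startswith("command[") and "$ARG" in value:
            findings.append((where, "command line takes client-supplied arguments"))
    return findings


if __name__ == "__main__":
    for where, reason in audit(SAMPLE):
        print(f"{where}: {reason}")
```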