NRPE, the Nagios Remote Plugin Executor, is a Unix and Linux client for executing plugins on remote hosts. As part of Naemon's backward compatibility with Nagios plugins, OP5 works with NRPE.
NRPE is used in combination with a set of local plugins. While there are only a few plugins shipped with the OP5 NRPE packages, you can use any of the plugins located on the OP5 Monitor server. The default plugin directory in OP5 Monitor is:
If security between your servers is a vital concern, OP5 suggests SNMPv3 as an NRPE alternate for monitoring Linux systems. SNMPv3 provides better authentication and encryption out of the box, as NRPE provides very little. SNMPv3 is compatible with existing plugins, though it can a lot more work to configure.
There are ways to tighten NRPE security via SSL. We provide the following as a thorough presentation of a fallback approach.
Download and install NRPE using the package repository for your operating system, such as:
- RPM packages for Linux distributions based on Red Hat Enterprise (such as RHEL and CentOS);
- DEB packages for Linux distributions based on Debian and its family of derivatives that use 'dpkg';
- Portable source code for local compiling.
Before we can use the NRPE agent for monitoring with OP5 Monitor, we need to configure the agent. This configuration file is located in '
The port where NRPE should listen
Add the IP of your OP5 Monitor server on this line.
Separate multiple addresses with commas, but avoid using whitespace. Example:
The user that executes the NRPE daemon
The user that executes the NRPE daemon
The group that executes the NRPE daemon
Set this value to 1 if you need to debug the NRPE.
The default time out for a check command. Increments are in seconds.
Set this value to 1 so you can send arguments to NRPE from OP5.
NRPE comes with a few predefined commands. Those commands are located in:
You may add your own commands and you should do that in your own file in:
You must set the
.cfg extension (suffix) on configuration files. Otherwise it will not be loaded into NRPE when the daemon restarts.
NRPE commands have the following syntax:
There are two sides to NRPE command definitions, with a single equal-sign (
=) as their separator:
The string between the square brackets (in this case,
||The command-line syntax you want to execute. The executable needs to be available on the local host. This also applies to any plugins you may wish to call remotely.|
The command-line syntax you want to execute. The executable needs to be available on the local host. This also applies to any plugins you may wish to call remotely.
The following steps will add a command that looks for a process named 'smsd' using the plugin 'check_procs', which is installed by default with NRPE:
- Log into the host as root where you have NRPE installed NRPE;
- Create a new configuration file in the directory
- Edit the new file to add a command definition:
command[proc_smsd]=/opt/plugins/check_procs -w 1: -c 2:2 -C smsd
- Save the file and restart NRPE:
service nrpe restart
The only plugin used with NRPE is 'check_nrpe'. To use the plugin with the NRPE command formatting and definitions, use the following syntax in your service definition:
/opt/plugins/check_nrpe -H $HOSTADDRESS$ -C proc_smsd
The NRPE agent is designed to listen to messages from allowed hosts, then run the selected commands on its host target. We already discussed that '127.0.0.1' is a default listening point ? it listens to itself over the network, a common configuration for Unix agents.
NRPE can also listen for OP5 commands to be run against targets without NRPE installed. Such checks are called indirect checks, therefore using this approach is known as Indirect Mode or Bastion Mode. The host with the NRPE agent installed becomes a bastion, able to talk to outpost targets on its side of a firewall or are otherwise incapable of talking directly to the Monitor server.
- Determine the processes and the ports that are open on the final target;
- Create a host in OP5 Monitor for the bastion server, adding it to hostgroups and services based on NRPE configuration;
- Create a host in OP5 Monitor for the outpost server. In the Advanced screen, note the bastion server as its parent;
- Back on the bastion host entry, mark the outpost server as its child;
- Write an NRPE command that would be run against the final target;
- Add the command to 'nrpe.cfg' on the bastion server so that the command will succeed;
- Place the above command into a check_nrpe command's argument value for the bastion host.
Let's imagine a web server on the other side of a firewall from our OP5 Monitor infrastructure. We need to make sure this remote web server is taking requests. The firewall allows access to Monitor only through one port hole to a bastion server running NRPE. We then write an NRPE 'check_http' check and make that the command to run against the outpost.
|start||tcp 5666||middle||tcp 443||end|
|OP5 Monitor server||check_nrpe||bastion host||check_http||outpost web server|
While this works, it is exceedingly inconvenient compared to using an OP5 poller. You need to configure every check command for the outpost targets as nested in another 'check_nrpe'. This is a lot of extra work. Using a poller makes better use of child-parent relationships and allows easy swapping between hostgroups.