NRPE

About

NRPE, the Nagios Remote Plugin Executor, is a Unix and Linux client for executing plugins on remote hosts. As part of Naemon's backward compatibility with Nagios plugins, OP5 works with NRPE.

NRPE is used in combination with a set of local plugins. While there are only a few plugins shipped with the OP5 NRPE packages, you can use any of the plugins located on the OP5 Monitor server. The default plugin directory in OP5 Monitor is: /opt/plugins.

Caveat

If security between your servers is a vital concern, OP5 suggests SNMPv3 as an alternative to NRPE for monitoring Linux systems. SNMPv3 provides better authentication and encryption out of the box, as NRPE provides very little. SNMPv3 is compatible with existing plugins, though it can be a lot more work to configure.

There are ways to tighten NRPE security via SSL. We provide the following as a thorough presentation of a fallback approach.

Installing NRPE

Download and install NRPE using the package repository for your operating system, such as:

  • RPM packages for Linux distributions based on Red Hat Enterprise (such as RHEL and CentOS);
  • DEB packages for Linux distributions based on Debian and its family of derivatives that use 'dpkg';
  • Portable source code for local compiling.

Configuring NRPE

Before we can use the NRPE agent for monitoring with OP5 Monitor, we need to configure the agent. This configuration file is located in '/etc/nrpe.conf'.

NRPE main configuration file settings

| Setting | Default | Description |
|---|---|---|
| server_port | 5666 | The port where NRPE should listen |
| allowed_hosts | 127.0.0.1 | Add the IP of your OP5 Monitor server on this line. Separate multiple addresses with commas, but avoid using whitespace. Example: allowed_hosts=1.2.3.4,1.2.3.5 |
| nrpe_user | nobody | The user that executes the NRPE daemon |
| nrpe_group | nobody | The group that executes the NRPE daemon |
| debug | 0 (zero) | Set this value to 1 if you need to debug the NRPE. |
| command_timeout | 60 (sixty) | The default time out for a check command. Increments are in seconds. |
| dont_blame_nrpe | 0 (zero) | Set this value to 1 so you can send arguments to NRPE from OP5. |

NRPE Commands

NRPE comes with a few predefined commands. Those commands are located in:

/etc/nrpe.d/op5_commands.cfg

You may add your own commands and you should do that in your own file in:

/etc/nrpe.d/

You must set the .cfg extension (suffix) on configuration files. Otherwise they will not be loaded into NRPE when the daemon restarts.

NRPE command formatting and definitions

NRPE commands have the following syntax:

command[foo]=/opt/foo --args

There are two sides to NRPE command definitions, with a single equal-sign (=) as their separator:

| Syntax segment | Description |
|---|---|
| command[foo] | The string between the square brackets (in this case, foo) will be the name of this command. Typically this gets passed as the first argument to the 'check_nrpe' plugin. Do not use whitespace in command names. |
| /opt/foo --args | The command-line syntax you want to execute. The executable needs to be available on the local host. This also applies to any plugins you may wish to call remotely. |
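
An added example, not code from OP5 or the NRPE project: a small Python auditor that applies the rules from the settings table and the command syntax table above to a configuration text. The sample configuration, the check identifiers and the root-user check are assumptions of this example; `$ARGn$` is the NRPE macro form for client-supplied arguments, which only matter when dont_blame_nrpe is 1.

```python
import re

# Constructed sample configuration for this example (not from a real host).
SAMPLE_CFG = """\
server_port=5666
allowed_hosts=127.0.0.1, 192.0.2.10
nrpe_user=root
nrpe_group=nobody
dont_blame_nrpe=1
command[proc_smsd]=/opt/plugins/check_procs -w 1: -c 2:2 -C smsd
command[check disk]=/opt/plugins/check_disk -w $ARG1$ -c $ARG2$ -p /
"""

COMMAND_KEY = re.compile(r"^command\[([^\]]*)\]$")
ARG_MACRO = re.compile(r"\$ARG\d+\$")


def parse(text):
    """Return (settings, commands) from key=value lines, skipping comments."""
    settings, commands = {}, {}
    for line in text.splitlines():
        if line.lstrip().startswith("#") or "=" not in line:
            continue
        key, value = line.split("=", 1)
        match = COMMAND_KEY.match(key.strip())
        if match:
            commands[match.group(1)] = value.strip()
        else:
            settings[key.strip()] = value.rstrip()
    return settings, commands


def audit(text):
    """Return a list of (check_id, detail) findings for one config text."""
    settings, commands = parse(text)
    findings = []
    hosts = settings.get("allowed_hosts", "127.0.0.1")
    if re.search(r"\s", hosts):  # the page says to avoid whitespace here
        findings.append(("allowed_hosts_whitespace", hosts))
    for key in ("nrpe_user", "nrpe_group"):
        if settings.get(key, "nobody").strip() == "root":  # example policy
            findings.append(("runs_as_root", key))
    args_on = settings.get("dont_blame_nrpe", "0").strip() == "1"
    for name, cmdline in commands.items():
        if re.search(r"\s", name):  # command names must not contain whitespace
            findings.append(("command_name_whitespace", name))
        if args_on and ARG_MACRO.search(cmdline):  # takes remote input
            findings.append(("remote_arguments", name))
    return findings
```

Each `remote_arguments` finding names a command whose command line is partly chosen by whoever is in allowed_hosts, so those are the definitions to review first.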

Adding commands to NRPE

The following steps will add a command that looks for a process named 'smsd' using the plugin 'check_procs', which is installed by default with NRPE:

  1. Log in as root on the host where you have NRPE installed;
  2. Create a new configuration file in the directory /etc/nrpe.d/;
  3. Edit the new file to add a command definition: command[proc_smsd]=/opt/plugins/check_procs -w 1: -c 2:2 -C smsd
  4. Save the file and restart NRPE: service nrpe restart

Plugins used with NRPE

The only plugin used with NRPE is 'check_nrpe'. To use the plugin with the NRPE command formatting and definitions, use the following syntax in your service definition:

/opt/plugins/check_nrpe -H $HOSTADDRESS$ -c proc_smsd

Bastion Mode

The NRPE agent is designed to listen to messages from allowed hosts, then run the selected commands on its host target. We already discussed that '127.0.0.1' is a default listening point: it listens to itself over the network, a common configuration for Unix agents.

NRPE can also listen for OP5 commands to be run against targets without NRPE installed. Such checks are called indirect checks, so this approach is known as Indirect Mode or Bastion Mode. The host with the NRPE agent installed becomes a bastion, able to talk to outpost targets that are on its side of a firewall or are otherwise incapable of talking directly to the Monitor server.

Procedure

  1. Determine the processes and the ports that are open on the final target;
  2. Create a host in OP5 Monitor for the bastion server, adding it to hostgroups and services based on NRPE configuration;
  3. Create a host in OP5 Monitor for the outpost server. In the Advanced screen, note the bastion server as its parent;
  4. Back on the bastion host entry, mark the outpost server as its child;
  5. Write an NRPE command that would be run against the final target;
  6. Add the command to 'nrpe.cfg' on the bastion server so that the command will succeed;
  7. Place the above command into a check_nrpe command's argument value for the bastion host.

Diagram

Let's imagine a web server on the other side of a firewall from our OP5 Monitor infrastructure. We need to make sure this remote web server is taking requests. The firewall allows access to Monitor only through one port hole to a bastion server running NRPE. We then write an NRPE 'check_http' check and make that the command to run against the outpost.

OP5 Monitor server (start) --[check_nrpe, tcp 5666]--> bastion host (middle) --[check_http, tcp 443]--> outpost web server (end)
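
The nested definitions from the procedure and diagram above, as an added Python example that is not OP5's own tooling: it builds the bastion's command definition and the Monitor-side check_nrpe line for one indirect check, then verifies that every command the Monitor requests is actually defined on the bastion. The addresses, the command name `outpost_web_https`, the naming policy and both function names are assumptions of this example.

```python
import re
import shlex

PLUGIN_DIR = "/opt/plugins"             # default plugin directory on this page
NAME_OK = re.compile(r"[A-Za-z0-9_]+")  # assumed naming policy for this example
PLUGIN_OK = re.compile(r"check_[a-z0-9_]+")


def bastion_check(bastion_addr, name, plugin, args):
    """Return (bastion_cfg_line, monitor_command_line) for one indirect check.

    All plugin arguments are fixed in the bastion's file, so nothing is
    passed through check_nrpe and dont_blame_nrpe can stay at 0.
    """
    if not NAME_OK.fullmatch(name) or not PLUGIN_OK.fullmatch(plugin):
        raise ValueError(f"rejected name or plugin: {name!r}, {plugin!r}")
    if any("\n" in a or "$ARG" in a for a in args):
        raise ValueError("arguments must be fixed, single-line values")
    plugin_cmd = " ".join([f"{PLUGIN_DIR}/{plugin}", *map(shlex.quote, args)])
    cfg_line = f"command[{name}]={plugin_cmd}"
    monitor_line = (f"{PLUGIN_DIR}/check_nrpe -H {shlex.quote(bastion_addr)}"
                    f" -c {name}")
    return cfg_line, monitor_line


def undefined_commands(monitor_lines, bastion_cfg_text):
    """Names requested with 'check_nrpe -c NAME' but not defined on the bastion."""
    defined = set(re.findall(r"^command\[([^\]]+)\]=", bastion_cfg_text, re.M))
    wanted = []
    for line in monitor_lines:
        words = shlex.split(line)
        if "-c" in words[:-1]:
            wanted.append(words[words.index("-c") + 1])
    return sorted(set(wanted) - defined)


# Constructed addresses (documentation ranges), not taken from the page.
BASTION = "192.0.2.20"
OUTPOST = "198.51.100.7"
CFG_LINE, MONITOR_LINE = bastion_check(
    BASTION, "outpost_web_https", "check_http", ["-I", OUTPOST, "-S", "-p", "443"])

if __name__ == "__main__":
    print(CFG_LINE)      # goes into a .cfg file on the bastion
    print(MONITOR_LINE)  # goes into the check command in OP5 Monitor
```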

Bastion Caveat

While this works, it is exceedingly inconvenient compared to using an OP5 poller. You need to configure every check command for the outpost targets as nested in another 'check_nrpe'. This is a lot of extra work. Using a poller makes better use of child-parent relationships and allows easy swapping between hostgroups.