Guides‎ > ‎NRPE‎ > ‎Proxying or Double Hopping‎ > ‎

NRPE

Consider the following scenario:
  • Nagios (Host_A) wants to execute a check on Host_C (CentOS 6.5)
  • Host_C is not directly contactable by Host_A however it can contact Host_B (CentOS 6.5)
  • Host_B will receive a NRPE request and it's command definition will allow it run it's own NRPE request to Host_C

Host_A ---> Host_B ---> Host_C

In all examples I'm using Host_xxx instead of an IP Address. Please replace any examples with an IP Address. This just makes it easier to read.


Host_C

Host_C is running CentOS 6.5 and has the NRPE client installed as per these instructions.

On Host_C, define the following commands in /usr/local/nagios/etc/nrpe.cfg

command[proxy_check_users]=/usr/local/nagios/libexec/check_users -w $ARG1$ -c $ARG2$
command[proxy_check_load]=/usr/local/nagios/libexec/check_load -w $ARG1$ -c $ARG2$
command[proxy_check_swap]=/usr/local/nagios/libexec/check_swap -w $ARG1$ -c $ARG2$
command[proxy_check_cpu_stats]=/usr/local/nagios/libexec/check_cpu_stats.sh -w $ARG1$ -c $ARG2$
command[proxy_check_mem]=/usr/local/nagios/libexec/custom_check_mem -n -w $ARG1$ -c $ARG2$

Host_C has allowed Host_B to connect to it as per the only_from setting in /etc/xinetd.d/nrpe .

Then restart the NRPE service:

service xinetd restart

The next step will be to test this from Host_B.


Host_B

Host_B is running CentOS 6.5 and has the NRPE client installed as per these instructions.

Host_B has allowed Host_A to connect to it as per the only_from setting in /etc/xinetd.d/nrpe .

When logged onto Host_B, it is able to run NRPE checks against Host_C, here is an example:

Command:

/usr/local/nagios/libexec/check_nrpe -H Host_C -c proxy_check_load -a 15,10,5 30,20,10

Output:

OK - load average: 0.00, 0.01, 0.05|load1=0.000;15.000;30.000;0; load5=0.010;10.000;20.000;0; load15=0.050;5.000;10.000;0;

Great, we know there is communication from Host_B to Host_C.


Now we need to configure NRPE on Host_B to listen for requests from Host_A to execute checks on Host_C.

On Host_B, define the following command in /usr/local/nagios/etc/nrpe.cfg

command[proxy_check]=/usr/local/nagios/libexec/check_nrpe -t 60 -H $ARG1$ -c $ARG2$ -a $ARG3$ $ARG4$

Then restart the NRPE service:

service xinetd restart

The next step will be to test this from Host_A.


Host_A

Host_A is the nagios server. Lets execute check_nrpe to Host_B to execute the command proxy_check which in turn will contact Host_C.

Command:

check_nrpe -H Host_B -c proxy_check -a Host_C proxy_check_load 15,10,5 30,20,10

Output:

OK - load average: 0.00, 0.01, 0.05|load1=0.000;15.000;30.000;0; load5=0.010;10.000;20.000;0; load15=0.050;5.000;10.000;0;


How easy was that!

The other checks work in a similar fashion:

Command:

check_nrpe -H Host_B -c proxy_check -a Host_C proxy_check_users 5 10

Output:

USERS OK - 1 users currently logged in |users=1;5;10;0


Command:

check_nrpe -H Host_B -c proxy_check -a Host_C proxy_check_swap 50 20

Output:

SWAP OK - 100% free (1639 MB out of 1639 MB) |swap=1639MB;0;0;0;1639


Command:

check_nrpe -H Host_B -c proxy_check -a Host_C proxy_check_cpu_stats 85 95

Output:

CPU STATISTICS OK: user=0.00% system=0.20% iowait=0.00% idle=99.80% | user=0.00% system=0.20% iowait=0.00%;85;95 idle=99.80%


Command:

check_nrpe -H Host_B -c proxy_check -a Host_C proxy_check_mem 20 10

Output:

OK - 1664 / 1841 MB (90%) Free Memory, Used: 401 MB, Shared: 16 MB, Buffers: 0 MB, Cached: 224 MB | total=1841MB free=1664MB used=401MB shared=16 buffers=0MB cached=224MB


Very Important Notes

One of the problems you may face when trying to implement this solution is passing any arguments that have a minus sign. This is why I am not using a command from Host_A like this:

check_nrpe -H Host_B -c proxy_check -a Host_C proxy_check_users -w 5 -c 10

The -w and -c cause issues with the check_nrpe plugin.

Normally this can be overcome with quotes like "-w 5 -c 10" however because we are proxying to another host things start to get complicated. Eventually you'll turn on debugging on Host_B and see errors like nrpe[1616]: Error: Request contained illegal metachars! and you'll discover there is no easy way around this.

That is why I've defined the commands on Host_C with -w $ARG1$ -c $ARG2$ so we end up just sending the values we need and that is an acceptable way to make this work.

Keep in mind if you had a check on Host_C that needed more arguments, you'll need to create another proxy command on Host_B.



In relation to the Host_A IP Address. In the scenario where Host_A is and Host_B have the internet between them, the IP Address that Host_B will see requests coming from is more than likely the WAN IP of the firewall at the Host_A site.


Can I Also Query NSClient++ On Windows From NRPE???

Yes, yes you can!

Host_D

Host_D is running Windows 2008 R2 and has NSClient++ 0.4.1.105 installed as per these instructions.

Host_D has allowed Host_B to connect to it as per:

[/settings/default]
; ALLOWED HOSTS - A comaseparated list of allowed hosts. You can use netmasks (/ syntax) or * to create ranges.
allowed hosts = 127.0.0.1, HOST_B_IP_ADDRESS

Restart the NSClient++ service if you make any changes to nsclient.ini.

The next step will be to add an extra command to Host_B.

Host_B

Host_B is already configured as per the previous steps however we need to add an extra command.

On Host_B, define the following command in /usr/local/nagios/etc/nrpe.cfg

command[proxy_check_nsclient]=/usr/local/nagios/libexec/check_nrpe -t 60 -H $ARG1$ -c $ARG2$ -a $ARG3$

Then restart the NRPE service:

service xinetd restart

The next step will be to test this from Host_A.

Command:

check_nrpe -H Host_B -c proxy_check_nsclient -a Host_D CheckMem "ShowAll type=physical MaxWarn=1536 MaxCrit=1792"

Output:

CRITICAL: physical memory: Total: 2G - Used: 600M (29%) - Free: 1.41G (71%) > critical|'physical memory %'=29%;99;99 'physical memory'=614228K;1;1.7;0;2096632


How easy was that!

*Most* checks work in a similar fashion:


Command:

check_nrpe -H Host_B -c proxy_check_nsclient -a Host_D CheckCPU "warn=80 crit=90 time=1m time=5m time=15m"

Output:

OK CPU Load ok.|'1m'=0%;80;90 '5m'=0%;80;90 '15m'=0%;80;90


Command:

check_nrpe -H Host_B -c proxy_check_nsclient -a Host_D CheckDriveSize "ShowAll MinWarn=10G MinCrit=5G Drive=C:"

Output:

OK: C:: 16.9G|'C: %'=72%;83;91 'C:'=16.93G;10;5;0;59


Command:

check_nrpe -H Host_B -c proxy_check_nsclient -a Host_D CheckServiceState "ShowAll Spooler=stopped"

Output:

CheckServiceState "ShowAll Spooler=stopped"


Some More Very Important Notes

Querying NSClient++ from NRPE is not going to work for all types of checks. For example Performance Counters need to be enclosed in quotes because they have spaces in their names. As I've highlighted previously this does not work well with NRPE.

There are some ways around it. For example you could add an alias in nsclient.ini that specifies the counter you want and then the command would be the name of the alias (instead of CheckCounter). This gets around the problem but it does require more configuring.

So this problem does not affect just Performance Counters, any argument that has spaces present the same problem.