[WIP] NSCP query method using NSCP's NRPEServer and its local check_nrpe.exe

nscp
nsclient

(Yannick Charton) #1

:pencil2: PR to Howto rewrite in progress…

Introduction

In other to query NSClient++, 2 documented solutions exist:

  • Query the HTTP API locally or remotely (requires a running NSClient++ service)
  • Run a local CLI check (does not require NSClient++ as a service)

These methods have their advantages and disadvantages. One thing to note: if you rely on performance counter delta calculations such as CPU utilization, you should not use the CLI sample call as the results will be wrong. However, at the time of writing, the NSCP HTTP/REST API is still new and in heavy development, and the check_nscp_api plugin is not compatible with its lastest version. I also noticed some instability of the REST API calls.

In order to get ride of the disadvantages of the above solutions, and waiting for a more stable check method using the NSCP REST API, I have implemented a third method to query NSClient++ : querying the NSCP’s NRPE Server locally using its embedded check_nrpe.exe, and through the icinga2 agent.

NSCLient++ with its own local check_nrpe

The Windows setup already allows you to install the NSClient++ package. In addition to the Windows plugins you can use the nscp_nrpe command provided by the Icinga Template Library (ITL).

The initial setup for the NSClient++ NRPE Server and the required arguments is the described in the ITL chapter for the nscp_nrpe CheckCommand.

Although it is possible to query the NSCP NRPE Server remotely, so from an Icinga2 master/satellite, we won’t cover this possibility, as:

  • the NRPE protocol v1/v2 are not secure and the v3 available with nagios-plugins is currently not supported by NSCP
  • checking locally using the check_nrpe.exe plugin provided by the NSCP package itself is more secure as no other communications other than the ones between the icinga2 client and master/satellite are established

icinga2_distributed_windows_nscp_nrpe

Add the following include statement on all your nodes (master, satellite, client):

vim /etc/icinga2/icinga2.conf

include <nscp-local>

The CheckCommand definitions will automatically determine the installed path to the check_nrpe.exe binary.

Based on the master with clients scenario we’ll now add a local nscp check which queries the NSClient++ NRPE Server to check the cpu usage.

Define a host object called icinga2-client3.localdomain on the master.

[root@icinga2-master1.localdomain /]# cd /etc/icinga2/zones.d/master
[root@icinga2-master1.localdomain /etc/icinga2/zones.d/master]# vim hosts.conf

object Host "icinga2-client3.localdomain" {
    check_command = "hostalive"
    address = "1.2.3.4"
    vars.client_endpoint = name //follows the convention that host name == endpoint name
    vars.os_type = "Windows"
}

The service checks are generated using a classic service definition:

[root@icinga2-master1.localdomain /etc/icinga2/zones.d/master]# vim services.conf

apply Service "Cpu usage" {
  import "generic-service"
  check_command = "nscp_nrpe"
  vars.nscp_nrpe_command = "check_cpu"
  command_endpoint = host.vars.client_endpoint
  vars.nscp_nrpe_arguments += [
   "time=1m",
   "time=5m",
   "time=15m",
   "warn=(load>80)",
   "crit=(load>90)",
   "show-all",
  ]
  assign where host.vars.client_endpoint && host.vars.os_type == "Windows"
}

Validate the configuration and restart Icinga 2.

[root@icinga2-master1.localdomain /]# icinga2 daemon -C
[root@icinga2-master1.localdomain /]# systemctl restart icinga2

The new service “Cpu usage” will be visible in Icinga Web 2.

icinga2_distributed_windows_nscp_nrpe_check_cpu_icingaweb2

nscp_nrpe

check_nrpe.exe is part of the NSClient++ installation, and can be found in its installation path.

Although it is possible to query the NSCP NRPE Server remotely using the check_nrpe official plugin, so from an Icinga2 master/satellite, we won’t cover this possibility, as:

  • the NRPE protocol v1/v2 are not secure and the v3 available with nagios-plugins is currently not supported by NSCP
  • checking locally using the check_nrpe.exe plugin provided by the NSCP package itself is more secure as no other communications other than the ones between the icinga2 client and master/satellite are established

Verify that the ITL CheckCommand is included in the icinga2.conf configuration file:

You can enable the nscp_nrpe check commands by adding the following include directive in your
icinga2.conf configuration file:

include <nscp>

TODO: separate from nscp_local
FILE: command-nscp-nrpe.conf (2.1 KB)

You can also optionally specify an alternative installation directory for NSClient++ by adding
the NscpPath constant in your constants.conf configuration
file:

const NscpPath = "C:\\Program Files (x86)\\NSClient++"

check_nrpe.exe runs queries against the NSClient++ NRPEServer. Therefore NSClient++ needs to have
the NRPEServer module enabled, configured and loaded.

The nsclient.ini configuration file can be manually edited OR you can execute commands in a command prompt to make the required changes in
the configuration file. So, enable and configure the NRPEServer using the following CLI commands:

Log onto your remote windows machine as an administrator.
Open a command prompt with administrative rights and run the following commands:

cd "C:\Program Files\NSClient++"
./nscp settings --activate-module NRPEServer --add-defaults
./nscp settings --path /settings/NRPE/server --key "allow arguments" --set true
./nscp settings --path /settings/NRPE/server --key "allow nasty characters" --set true
./nscp settings --path /settings/NRPE/server --key insecure --set false
./nscp settings --path /settings/NRPE/server --key "allowed hosts" --set "127.0.0.1"
./nscp settings --path /settings/NRPE/server --key "port" --set "5666"

Then, restart the nscp service to apply the changes.

In the same way, depending on what you would like to check, you will need to enable some other NSCP modules, like CheckSystem (the most important one), CheckDisk, CheckNet, CheckTaskSched, CheckWMI, CheckEventLog, …

Let’s test the NRPE server and the check_nrpe.exe binary by sending a query:

C:\Program Files\NSClient++>./check_nrpe.exe host=127.0.0.1 port=5666 command=check_cpu argument="time=1m" argument="time=5m" argument="time=15m" argument="warn=(load>70)" argument="crit=(load>90)" argument="show-all" ssl=1
OK: 1m: 3%, 5m: 0%, 15m: 0%|'total 1m'=3%;70;90 'total 5m'=0%;70;90 'total 15m'=0%;70;90

Note:

  • to be able to use the check_cpu command, you will need CheckSystem to be enabled.

The check_nrpe.exe program can be integrated with the nscp_nrpe CheckCommand object:

Custom attributes:

Name Description
nscp_nrpe_host Optional. The hostname/IP of the host running the NRPE daemon. Defaults to “127.0.0.1”.
nscp_nrpe_port Optional. The port of the host running the NRPE daemon. Defaults to 5666.
nscp_nrpe_timeout Optional. Number of seconds before connection times out. Defaults to 10.
nscp_nrpe_command Required. The name of the command that the remote daemon should run. Refer to the NSCP documentation for the available commands.
nscp_nrpe_arguments Optional. The command line argument(s). Refer to the NSCP documentation for the arguments available for the specified command.
nscp_nrpe_ssl Optional. Initiate a ssl handshake with the NRPE server. Defaults to true.
nscp_nrpe_insecure Optional. Use the insecure legacy mode. Refer to the NSCP documentation.
nscp_nrpe_payload_length Optional. Length of payload (has to be same as on the server). Refer to the NSCP documentation.
nscp_nrpe_buffer_length Optional. Length of payload to/from the NRPE agent. This is a hard specific value so you have to ‘configure’ (read recompile) your NRPE agent to use the same value for it to work. Refer to the NSCP documentation.

nscp_nrpe_arguments can be used to pass required thresholds and filters to the executed check. Usually, it takes the format of an array of arguments.