NRPE – Nagios Remote Plugin Executor

on our setup the server is running on nrpe V 2.15 and the client is running on V 3.1.0. on my server ./check_nrpe -H client_ip -n -u -t 30 -c check_load CHECK_NRPE: Error receiving data from daemon. with Error: Could not complete SSL handshake with : 1 but i get a valid result when i remove the -n. is it possible to not to remove the -n and still get a valid result?

I tried to compile this on Ubuntu 14.04 and got an error, anybody know how to fix it? ./configure --with-ssl=/usr/bin/openssl --with-ssl-lib=/usr/lib/x86_64-linux-gnu --prefix=/etc/nagios3 --enable-command-args make all gcc -g -O2 -I/usr/include/openssl -DHAVE_CONFIG_H -I ../include -I ./../include -o nrpe ./nrpe.c ./utils.c ./acl.c -L/usr/lib/x86_64-linux-gnu -lssl -lcrypto -lnsl ./nrpe.c: In function ‘init_ssl’: ./nrpe.c:319:9: warning: format ‘%s’ expects argument of type ‘char *’, but argument 4 has type ‘int’ [-Wformat=] sslprm.cert_file, ERR_error_string(x, NULL)); ^ ./nrpe.c: In function ‘handle_conn_ssl’: ./nrpe.c:1754:9: warning: format ‘%s’ expects argument of type ‘char *’, but argument 4 has type ‘int’ [-Wformat=] remote_host, ERR_reason_error_string(x)); ^ ./nrpe.c: In function ‘main’: ./nrpe.c:168:9: warning: ignoring return value of ‘getcwd’, declared with attribute warn_unused_result [-Wunused-result] getcwd(config_file, sizeof(config_file)); ^ ./nrpe.c: In function ‘set_stdio_sigs’: ./nrpe.c:553:7: warning: ignoring return value of ‘chdir’, declared with attribute warn_unused_result [-Wunused-result] chdir("/"); ^ ./nrpe.c: In function ‘my_system’: ./nrpe.c:1994:6: warning: ignoring return value of ‘pipe’, declared with attribute warn_unused_result [-Wunused-result] pipe(fd); /* create a pipe */ ^ In file included from ./nrpe.c:27:0: ../include/config.h:110:28: warning: ignoring return value of ‘seteuid’, declared with attribute warn_unused_result [-Wunused-result] #define SETEUID(id) seteuid(id) ^ ./nrpe.c:2026:3: note: in expansion of macro ‘SETEUID’ SETEUID(0); /* get root back so the next call works correctly */ ^ ./nrpe.c:2050:9: warning: ignoring return value of ‘write’, declared with attribute warn_unused_result [-Wunused-result] write(fd[1], buffer, strlen(buffer) + 1); ^ ./nrpe.c:2058:10: warning: ignoring return value of ‘write’, declared with attribute warn_unused_result [-Wunused-result] write(fd[1], buffer, bytes_read); ^ ./nrpe.c:2061:9: warning: ignoring return value of ‘write’, declared with attribute warn_unused_result [-Wunused-result] write(fd[1], "", 1); ^ ./nrpe.c: In function ‘write_pid_file’: ./nrpe.c:2267:8: warning: ignoring return value of ‘write’, declared with attribute warn_unused_result [-Wunused-result] write(fd, pbuf, strlen(pbuf)); ^ In file included from ./nrpe.c:27:0: ./nrpe.c: In function ‘remove_pid_file’: ../include/config.h:110:28: warning: ignoring return value of ‘seteuid’, declared with attribute warn_unused_result [-Wunused-result] #define SETEUID(id) seteuid(id) ^ ./nrpe.c:2286:2: note: in expansion of macro ‘SETEUID’ SETEUID(0); /* get root back so we can delete the pid file */ ^ gcc -g -O2 -I/usr/include/openssl -DHAVE_CONFIG_H -I ../include -I ./../include -o check_nrpe ./check_nrpe.c ./utils.c -L/usr/lib/x86_64-linux-gnu -lssl -lcrypto -lnsl ./check_nrpe.c: In function ‘connect_to_remote’: ./check_nrpe.c:926:9: warning: format ‘%s’ expects argument of type ‘char *’, but argument 4 has type ‘int’ [-Wformat=] rem_host, ERR_reason_error_string(x)); ^ ./check_nrpe.c: In function ‘alarm_handler’: ./check_nrpe.c:1457:7: warning: ignoring return value of ‘write’, declared with attribute warn_unused_result [-Wunused-result] write(STDOUT_FILENO, msg1, sizeof(msg1) - 1); ^ ./check_nrpe.c:1458:7: warning: ignoring return value of ‘write’, declared with attribute warn_unused_result [-Wunused-result] write(STDOUT_FILENO, text, lth1); ^ ./check_nrpe.c:1459:7: warning: ignoring return value of ‘write’, declared with attribute warn_unused_result [-Wunused-result] write(STDOUT_FILENO, msg2, sizeof(msg2) - 1); ^ ./check_nrpe.c:1460:7: warning: ignoring return value of ‘write’, declared with attribute warn_unused_result [-Wunused-result] write(STDOUT_FILENO, timeout_txt, lth2); ^ ./check_nrpe.c:1461:7: warning: ignoring return value of ‘write’, declared with attribute warn_unused_result [-Wunused-result] write(STDOUT_FILENO, msg3, sizeof(msg3) - 1);

Is there a firm release date scheduled for 3.0? You mentioned back at the end of April a few weeks but I am not aware of it being released as of June. We are eagerly anticipating the security vulnerability fix outlined here: https://www.tenable.com/plugins/index.php?view=single&id=73757

Responding to review by @stefanlasiewski : I started working for Nagios fairly recently and am in charge of development for core, plugins, ndo, nsca, and nrpe. I've been putting quite a lot of work into most of those and nrpe, in particular, has gotten a lot of attention. The new version 3.0 (which should be released in a few weeks) addresses the payload size. It will handle 64K. I wasn't aware of that particular security vulnerability, but I am now. Thank you. It will be addressed for the 3.0 release. Other things that will be in 3.0: o Better signal handling o A bunch of bug fixes o Major update to SSL/TLS processing o Some code changes and major configure changes to handle multiple platforms, including different Linux distributions, AIX, HP-UX, Solaris, Mac OS X, and the *BSD's. So yes, NRPE was not getting the attention it deserved but it is now!

This tool works, but it hasn't received an update since 2013. Functionally, NRPE can only handle a payload of 1024 bytes, which limits the amount of data that you can receive on your Nagios server. There have been a couple security reports with NRPE since the last release (See https://www.opsview.com/resources/blog/nagios-nrpe-security-vulnerability ), and it's not clear if Nagios.com ever patched their code in response to these reports.

Nrpe is excelent. I think i got a error on version 2.15. It did´nt obey the user on nrpe.fg to fork and execute local checks. It uses always nagios.

This is a very useful tool to monitor remote servers and performs better than using SSH. However I believe this issue still applies http://legalhackers.com/advisories/nagios-nrpe.txt Not a big deal if you restrict access to the nagios server and keep arguments disabled, but still... I hope to see a new version out soon with a fix.

Version: 2.14, 2.15 Source: nrpe-2.1[4|5].tar.gz Platform: Centos 6.5 x64 (Nagios client) Compile1: ./configure --enable-ssl --with-nrpe-user=nagios --with-nrpe-group=nagios --with-nagios-user=nagios --with-nagios-group=nagios --libexecdir=/opt/nagios/libexec/ --bindir=/opt/nagios/bin/ --prefix=/opt/nagios Compile2: ./configure --enable-ssl --with-nrpe-user=nagios --with-nrpe-group=nagios --with-nagios-user=nagios --with-nagios-group=nagios --libexecdir=/opt/nagios/libexec/ --bindir=/opt/nagios/bin/ --prefix=/opt/nagios --with-cacert-file --with-privatekey-file Conf file: /opt/nagios/etc/nrpe.cfg log_facility=daemon pid_file=/var/run/nrpe.pid server_port=5666 nrpe_user=nagios nrpe_group=nagios allowed_hosts=127.0.0.1,10.0.194.9 cert_file=/opt/nagios/etc/server.crt # ient, /var/log/message reports unknown option when restart nrpe daemon: Nov 17 11:30:30 localhost nrpe[1111]: Unknown option specified in config file '/opt/icinga/etc/nrpe.cfg' - Line 92 Nov 17 11:30:30 localhost nrpe[1111]: Unknown option specified in config file '/opt/icinga/etc/nrpe.cfg' - Line 93 Nov 17 11:30:30 localhost nrpe[1111]: Unknown option specified in config file '/opt/icinga/etc/nrpe.cfg' - Line 94 Nov 17 11:30:30 localhost nrpe[1112]: Starting up daemon Nov 17 11:30:30 localhost nrpe[1112]: Server listening on 0.0.0.0 port 5666. Nov 17 11:30:30 localhost nrpe[1112]: Server listening on :: port 5666. Nov 17 11:30:30 localhost nrpe[1112]: Listening for connections on port 0 Nov 17 11:30:30 localhost nrpe[1112]: Allowing connections from: 127.0.0.1,10.0.194.9 Question: Do these parameters exist in the tarball? (i.e. --with-cacert-file --with-privatekey-file) Hope to hear from you soon.

Why does this page says compatible with upto Nagios 3.0? NRPE used to work with Nagios 3.0 in our environment. But ever since we upgraded to Nagios core 4.0.7 NRPE started giving error: Aug 13 08:55:25 web1 xinetd[6076]: START: nrpe pid=4422 from=::ffff:210.21.7.1 Aug 13 08:55:25 web1 xinetd[4422]: FAIL: nrpe address from=::ffff:210.21.7.1 Aug 13 08:55:25 web1 xinetd[6076]: EXIT: nrpe status=0 pid=4422 duration=0(sec) Note: IP is allowed in xinetd config.

why is it I'm getting this using NRPE 2.15? # /usr/local/nagios/libexec/check_nrpe -H localhost CHECK_NRPE: Error - Could not complete SSL handshake. but, when I try #/usr/local/nagios/libexec/check_nrpe -H 127.0.0.1 NRPE v2.15 Solution - you need to add your server IP to the allowed_hosts parameter under nrpe.cfg file on the host being monitored. allowed_hosts=127.0.0.1,

why is it I'm getting this using NRPE 2.15? # /usr/local/nagios/libexec/check_nrpe -H localhost CHECK_NRPE: Error - Could not complete SSL handshake. but, when I try #/usr/local/nagios/libexec/check_nrpe -H 127.0.0.1 NRPE v2.15

Works likle a dream on Linux. Initially, the compile failed on AIX due to missing SSL libraries. To get around this, I modified the line below in the 'configure' script and that seemed to fix it... soext="a"

Flexibility of NRPE is beyond any other plugin .. Very much useful...

This is one of the basic packages I use in every large environment, for Nagios or Icinga monitoring and easy admin checking. Three are 3 small bugs: * NRPE should have its own user, not share the "nagios" user. That causes confusion with ownership of configuration files and the "nagios" user itself. * NRPE should have its config files in /etc/nrpe, not /etc/nagios. Again, this causes confusion with who manages the files in /etc/nagios and makes source control and package management much more awkward. * The default location of "/usr/lib/nagios/plugins" should be set based on architecture. It's /usr/lib64/nagios/plugins on most x86_64 systems.

Listing is up to date.

Not sure why this page hasn't been updated with the latest version - you can find it here: http://www.nagios.org/news/77-news-announcements/345-nrpe-214-released

NRPE is hands down, the best remote plugin executor for Nagios.

I use NRPE on few hosts, it works good! Just use it - and you'll be happy. VisMon