References

Nagios: http://assets.nagios.com/downloads/nagioscore/docs/Installing_Nagios_Core_From_Source.pdf

NRPE: http://nagios.sourceforge.net/docs/nrpe/NRPE.pdf

Prepare system

/etc/hosts

The host table must include information about the current host, for example

10.3.1.16 wiki-uh.gutzmann.com wiki

/etc/sysconfig/network

The hostname should be set up accordingly in /etc/sysconfig/network:

HOSTNAME="wiki.gutzmann.com"

/etc/services

Add the NRPE port to /etc/services:

vi /etc/services

Locate "5670" and insert the following line before it:

nrpe            5666/tcp                # NRPE

/etc/resolv.conf

Off topic: You should consider using a fast DNS server. I found that Google DNS is much faster than those of most hosting providers.

vi /etc/resolv.conf

Insert the line

nameserver 8.8.8.8

before all other nameserver directives.

Install latest updates

yum update

Install prerequisites

Some of the packages may already have been installed. If you find any other missing packages during the installation on your particular server, please be so kind as to add a comment to this post.

yum install bind-utils php chrony openssl-devel make gcc wget

Make sure that Perl is installed by typing "perl -v". If it's missing, add it by:

yum install perl

Start CHRONY (Time Protocol)

It's important that all servers show the correct time:

systemctl enable chronyd
systemctl start chronyd 

Apache

If Apache is installed on the client and you want to have it monitored, make sure that an "index.html" exists:

touch /var/www/html/index.html

Firewall settings

Consider setting up your firewall for dynamic DNS names.

General approach

The following procedure must be modified if you use alternate configuration files for iptables, as displayed in /etc/sysconfig/system-config-firewall.

Add the following line to /etc/sysconfig/iptables, replacing the monitoring server name as required:

vi /etc/sysconfig/iptables
-A INPUT -m state --state NEW -m tcp -p tcp -s monitor-a.gutzmann.com --dport 5666 -j ACCEPT

Restart the firewall:

systemctl restart iptables

Using additional iptables files in /etc/sysconfig/system-config-firewall

On the Gutzmann servers, we use a number of additional iptables files for easier system management. /etc/sysconfig/system-config-firewall looks like this:

# Configuration file for system-config-firewall
--enabled
--custom-rules=ipv4:filter:/etc/sysconfig/iptables_local
--custom-rules=ipv4:filter:/etc/sysconfig/iptables_gutzmann

Server-specific changes are applied to /etc/sysconfig/iptables_local only.

The changes are then:

vi /etc/sysconfig/iptables_local
...
-A INPUT -m state --state NEW -m tcp -p tcp -s monitor-a.gutzmann.com --dport 5666 -j ACCEPT
-A INPUT -m state --state NEW -m tcp -p tcp -s monitor-b.gutzmann.com --dport 5666 -j ACCEPT

Reread the rule sets and restart the firewall:

lokkit -v

Install Nagios NRPE client

yum install nrpe nagios-plugins nagios-plugins-nrpe

Set up NRPE

Set up xinetd

NRPE will be managed by xinetd, which means that the NRPE configuration file written to /etc/xinetd.d must be modified. If you change the xinetd configuration, you must reload xinetd. Changes to the NRPE configuration will be read by xinetd on the fly, so there is no need to restart NRPE afterwards or include it in the system startup.

vi /etc/xinetd.d/nrpe
...
        disable         = no
        only_from       = 127.0.0.1 monitor-a.gutzmann.com monitor-b.gutzmann.com

Stop and disable the NRPE standalone daemon:

systemctl disable nrpe
systemctl stop nrpe

Reload xinetd:

systemctl reload xinetd
systemctl status xinetd

The status should show that a new service has been added:

Reconfigured: new=1 old=0 dropped=0 (services)

Test NRPE locally

Next, check to make sure the NRPE daemon is functioning properly. To do this, run the check_nrpe plugin that was installed for testing purposes.

/usr/lib64/nagios/plugins/check_nrpe -H 127.0.0.1

The command returns the NRPE version installed, like this:

NRPE v2.14

Customize NRPE commands

The NRPE configuration can be found in /etc/nagios/nrpe.cfg. Instead of adding commands there, I recommend putting them into a separate conf file inside /etc/nagios. The main configuration file must still point to that directory, however:

vi /etc/nagios/nrpe.cfg
...
include_dir=/etc/nagios

Now add commands to NRPE by creating an additional configuration file in /etc/nagios/local.cfg. Here is an example:

cat >> /etc/nagios/local.cfg << @@EOF
command[check_root]=/usr/lib64/nagios/plugins/check_disk -w 20% -c 10% -p /
command[check_opt]=/usr/lib64/nagios/plugins/check_disk -w 20% -c 10% -p /opt
@@EOF

These are examples only. You can add others, but remember to "yum install" the respective plugins. Refer to /etc/nagios/nrpe.cfg for instructions.

Now test the new commands:

/usr/lib64/nagios/plugins/check_nrpe -H 127.0.0.1 -c check_root
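The following check is an added example, not part of the original how-to. It reads NRPE command definitions such as the ones in /etc/nagios/local.cfg and reports entries whose plugin is missing or not executable, as well as duplicated command names (the "cat >>" above appends, so running it twice duplicates every entry). The function names, the root-prefix argument and the sample file are assumptions made for illustration.

```shell
#!/bin/sh
# check_nrpe_commands ROOT CFG_FILE...
# ROOT is a path prefix (hypothetical helper argument); pass "" on a live system.
# Prints one finding per line and returns 1 if anything was found.
check_nrpe_commands() {
    root=$1; shift
    rc=0; seen=" "
    for cfg in "$@"; do
        while IFS= read -r line; do
            case $line in
                command\[*\]=*) ;;      # only command[name]=... lines
                *) continue ;;
            esac
            name=${line#command\[}; name=${name%%\]*}
            cmdline=${line#*\]=}
            plugin=${cmdline%% *}       # first word is the plugin path
            case $seen in
                *" $name "*) echo "DUPLICATE $name in $cfg"; rc=1 ;;
            esac
            seen="$seen$name "
            [ -x "$root$plugin" ] || { echo "MISSING $name -> $plugin"; rc=1; }
        done < "$cfg"
    done
    return $rc
}

# Constructed sample tree: check_disk exists, check_mysql is not installed,
# and check_root was appended twice.
build_sample() {
    mkdir -p "$1/usr/lib64/nagios/plugins"
    printf '#!/bin/sh\nexit 0\n' > "$1/usr/lib64/nagios/plugins/check_disk"
    chmod +x "$1/usr/lib64/nagios/plugins/check_disk"
    cat > "$1/local.cfg" <<'EOF'
command[check_root]=/usr/lib64/nagios/plugins/check_disk -w 20% -c 10% -p /
command[check_opt]=/usr/lib64/nagios/plugins/check_disk -w 20% -c 10% -p /opt
command[check_root]=/usr/lib64/nagios/plugins/check_disk -w 20% -c 10% -p /
command[check_mysql]=/usr/lib64/nagios/plugins/check_mysql -H localhost
EOF
}

demo_dir=$(mktemp -d)
build_sample "$demo_dir"
check_nrpe_commands "$demo_dir" "$demo_dir/local.cfg" || true
rm -rf "$demo_dir"
```

On the client itself, run it as: check_nrpe_commands "" /etc/nagios/local.cfg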

Grant NRPE access to your Nagios servers

By default, access is allowed from the local machine only. You can add other hosts in /etc/xinetd.d/nrpe. See above for an example; multiple IP addresses or names must be separated by spaces.

Test NRPE from the Nagios monitoring server

On your Nagios monitoring server (not the one you're installing the NRPE client on!), run the following command, replacing the IP address with the name or address of the actual client:

/usr/local/nagios/libexec/check_nrpe -H 10.3.1.17 -c check_load

If you see an error message indicating that check_nrpe was not found, check that you added the command to /usr/local/nagios/etc/objects/commands.cfg; see "1 - Installation - Nagios Server (CentOS 6.4)".

If you see the error message "CHECK_NRPE: Error - Could not complete SSL handshake.", you should check:

  • Did something go wrong with the firewall configuration? Try "telnet 10.3.1.17 5666" from the Nagios server (replace the IP address with the name or address of your NRPE client). Enter "QUIT" to stop the telnet session (there are more correct ways, but this will do).
  • Check all configuration files in case you accidentally entered sample data from this How-To.
  • Make sure you added the server address to the "only_from" clause (a space-separated list) in the client's xinetd NRPE configuration, and reload xinetd.
  • Make sure that you are actually testing from the Nagios monitoring server and not from the host you just installed the NRPE client on.
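The following audit is an added example, not part of the original how-to. It covers both the "Grant NRPE access" step and the only_from item in the checklist above: it reads the only_from values from an xinetd service file and reports commas, entries that match every client, and hosts that are not on the approved list. The function names, finding labels and the sample file (including the address 10.9.9.9) are constructed for illustration.

```shell
#!/bin/sh
# audit_only_from FILE APPROVED_HOST...
# Prints one finding per line and returns 1 if anything was found.
audit_only_from() {
    file=$1; shift
    allowed=" $* "
    rc=0
    # Collect the values of every "only_from =" / "only_from +=" line, minus comments.
    values=$(sed -n 's/#.*//; s/^[[:space:]]*only_from[[:space:]]*+\{0,1\}=//p' "$file")
    if [ -z "$(echo $values)" ]; then
        echo "NO_HOSTS no only_from hosts listed in $file"
        return 1
    fi
    case $values in
        *,*) echo "COMMA only_from must be a space-separated list"; rc=1 ;;
    esac
    for host in $(echo "$values" | tr ',' ' '); do
        case $host in
            0.0.0.0|0.0.0.0/0) echo "OPEN $host matches every client"; rc=1; continue ;;
        esac
        case $allowed in
            *" $host "*) ;;
            *) echo "UNEXPECTED $host is not on the approved list"; rc=1 ;;
        esac
    done
    return $rc
}

# Constructed sample of /etc/xinetd.d/nrpe containing the comma mistake
# and one address nobody approved.
write_sample() {
    cat > "$1" <<'EOF'
service nrpe
{
        disable         = no
        only_from       = 127.0.0.1, monitor-a.gutzmann.com 10.9.9.9
}
EOF
}

sample=$(mktemp)
write_sample "$sample"
audit_only_from "$sample" 127.0.0.1 monitor-a.gutzmann.com monitor-b.gutzmann.com || true
rm -f "$sample"
```

On the client, pass /etc/xinetd.d/nrpe and your own monitoring servers as arguments; the firewall rules for port 5666 should name the same set of hosts.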