In this recipe, we'll learn how to install and run an NRPE (Nagios Remote Plugin Executor) server on a target host, roma.example.net. We'll use this to check the load average on that host with the check_load plugin.
The plugins for these checks will be executed on the target server by the NRPE daemon, but the results will be returned to our Nagios Core monitoring server, olympus.example.net. This requires installing the check_nrpe plugin on the monitoring server and the full Nagios Plugins set (but not Nagios Core itself) on the target server.
This is a reasonably long and in-depth recipe as it involves installing a total of three software packages on two servers.
You will need a monitoring server with Nagios Core 4.0 or newer installed. You should also have a UNIX-like target host that you intend to monitor that can run the NRPE daemon. Most modern UNIX-like systems including Linux and BSD should be able to do this. Both the monitoring server and the target host will need internet connectivity and you should already be monitoring the target host itself with a host definition to which we'll be adding service checks.
If your servers don't have a direct gateway to the internet, you can work around this by uploading the relevant files after downloading them onto a workstation, or another machine with internet access.
You should understand the basics of configuring, compiling, and installing software from source. In most cases, a simple ./configure, make, and make install will be all that's necessary and the recipe will walk you through this. You will need to have make(1) installed along with any other tools needed for the process, including a C compiler like gcc(1).
You should also have a good grasp on how hosts and services interrelate in Nagios Core, which is discussed in the recipes in Chapter 1, Understanding Hosts, Services, and Contacts, and how Nagios Core uses commands and plugins, discussed in Chapter 2, Working with Commands and Plugins. You should not need an in-depth understanding of the use of any particular plugin; the recipe will demonstrate the usage of the plugins to which it refers.
Finally, you should be able to configure any firewalls to allow connectivity from the Nagios Core server to the server being monitored with the TCP destination port 5666.
This first part of the recipe is done on the target server.
- Download and inflate the latest Nagios Plugins package. At the time of writing, the link is available at http://nagiosplugins.org/download/.
$ wget http://nagios-plugins.org/download/nagios-plugins-2.1.1.tar.gz $ tar -xzf nagios-plugins-2.1.1.tar.gz
- Configure, compile, and install the plugins, the same way you would on a new monitoring server. You will need to have
rootprivileges for the commandmake installcall.$ cd nagios-plugins-2.1.1 $ ./configure $ make # make install
You may need to install some shared libraries and headers on the system to do this for certain plugins, such as a
libsslimplementation. The output of the./configurescript should alert you of any such problems. - Download and inflate the latest version of NRPE from the Nagios Exchange website. At the time of writing, the link is available at: http://exchange.nagios.org/directory/Addons/Monitoring-Agents/NRPE--2D-Nagios-Remote-Plugin-Executor/details.
$ wget http://downloads.sourceforge.net/project/nagios/nrpe-2.x/nrpe-2.15/nrpe-2.15.tar.gz $ tar -xzf nrpe-2.15.tar.gz
- Enter the
nrpe-2.15source directory and configure, compile, and install the daemon and a stock configuration for it. You will need to haverootprivileges for both the makeinstall-daemonand themake install-daemon-configcalls.$ cd nrpe-2.15 $ ./configure $ make all # make install-daemon # make install-daemon-config
If you do not already have a
nagiosuser on the target host, you may need to create one before the daemon installs properly:# groupadd nagios # useradd -r -g nagios nagios
- Edit the newly installed file at
/usr/local/nagios/etc/nrpe.cfgand find the line beginning withallowed_hosts. Add a comma and the IP address of your monitoring server to this line. In this case, we've added the IP address192.0.2.11:allowed_hosts=127.0.0.1,192.0.2.11
- Start the
nrpedaemon and check it's running by searching the process table withpgrep(1)orps(1):# /usr/local/nagios/bin/nrpe -c /usr/local/nagios/etc/nrpe.cfg -d # pgrep nrpe 18593 # ps -e | grep [n]rpe nagios 18593 1 0 21:55 ? 00:00:01 nrpe
If you would like the nrpe daemon to start on boot, add an init script appropriate to your system. An example init-script is generated at ./configure time in the source directory. Versions are also generated for Debian-derived systems and SUSE systems in init-script.debian and init-script.suse respectively. Exactly how this should be done will depend on your particular system, for which you may need to consult its documentation.
This next part of the recipe is done on the monitoring server.
- Again, download the latest version of NRPE, the same way as was done for the target server:
$ wget http://downloads.sourceforge.net/project/nagios/nrpe-2.x/nrpe-2.15/nrpe-2.15.tar.gz $ tar -xzf nrpe-2.15.tar.gz
- Again, configure and build the software. However, note that this time the
installline is different, as we're installing thecheck_nrpeplugin rather than thenrpedaemon:$ cd nrpe-2.15.tar.gz $ ./configure $ make all # make install-plugin
- Check that the plugin has been correctly installed. It should be saved at
/usr/local/nagios/libexec/check_nrpe:$ ls /usr/local/nagios/libexec/check_nrpe /usr/local/nagios/libexec/check_nrpe
- Move to the directory containing the Nagios Core object configuration. By default, this is
/usr/local/nagios/etc/objects.$ cd /usr/local/nagios/etc/objects - Edit an appropriate file for defining new commands. For the default installation,
/usr/local/nagios/etc/objects/commands.cfgis a good choice. Add the following definition to the end of this file:define command { command_name check_nrpe command_line $USER1$/check_nrpe -H $HOSTADDRESS$ -c $ARG1$ } - Edit the file defining the target host as an object. The definition might look something like this:
define host { use linux-server host_name roma.example.net alias roma address 192.0.2.61 } - Beneath the definition for the host, after any other services defined for it, add the following service definition:
define service { use generic-service host_name roma.example.net service_description LOAD check_command check_nrpe!check_load } - Validate the configuration and restart the Nagios Core server:
# /usr/local/nagios/bin/nagios -v /usr/local/nagios/etc/nagios.cfg # /etc/init.d/nagios reload
With this done, a new service with the description LOAD should appear in the web interface, ready to be checked, and with an appropriate status, including the load average as read from the nrpe daemon on the target host, as shown in the following screenshot:
We can see more detail about how the check was performed and its results in the details page for the service:
If the load average on roma.example.net exceeds the limits defined for the check_load command in /usr/local/nagios/etc/nrpe.cfg on the target host, the service will enter WARNING or CRITICAL states, and will send notifications if configured to do so, all in the same manner as a non-NRPE service.
The NRPE plugin and daemon are used to run Nagios Core plugins on the target host rather than on the monitoring server itself. The results of the check are then passed back to the monitoring server and recorded and analyzed by Nagios Core the same way as if the service was running a plugin on the monitoring server, for example, check_http or check_ssh.
The recipe we followed does four main things:
- We installed the latest Nagios Plugins package to the target host, including the
check_loadplugin. This is necessary, because the plugin is actually run on the target host and not on the monitoring server as is the case with plugins that check network services. - We installed the
nrpedaemon to the target host along with a stock configuration filenrpe.cfg. This is the network service through which thecheck_nrpeplugin will request commands to be run on the target host. The plugins will be run by this process, typically as thenagiosuser. - We installed the
check_nrpeplugin to the monitoring host and defined a command of the same name to use it. The command accepts one argument in the$ARG1$macro; its value is the command that should be run on the target host. In this case, we suppliedcheck_loadfor this argument. - We set up a service to monitor the output of the standard
check_loadplugin viacheck_nrpe.
Like other Nagios Core plugins, the check_nrpe program can be run directly from the command line. If we wanted to test the response of the configuration we've arranged in the preceding recipe, we might run the following:
$ /usr/local/nagios/libexec/check_nrpe -H roma.example.net -c check_load OK - load average: 0.00, 0.00, 0.00|load1=0.000;15.000;30.000;0; load5=0.000;10.000;25.000;0; load15=0.000;5.000;20.000;0;
In this case, the state of OK and the load average values, as retrieved by check_load, were returned by the nrpe daemon as the result of the check_nrpe call.
It's very important to note that this simple configuration of NRPE is not completely secure by default. The recipes listed under See also for this recipe provide some basic means to secure NRPE instances from abuse. These should be used in concert with a sensible firewall policy.
Of course, check_load is not the only plugin that can be run on the target server this way. If we inspect the file /usr/local/nagios/etc/nrpe.cfg on the target host, near the end of the file we find some other example definitions of commands that check_nrpe will run upon requests issued from the monitoring server:
command[check_users]=/usr/local/nagios/libexec/check_users -w 5 -c 10 command[check_load]=/usr/local/nagios/libexec/check_load -w 15,10,5 -c 30,25,20 command[check_hda1]=/usr/local/nagios/libexec/check_disk -w 20% -c 10% -p /dev/hda1 command[check_zombie_procs]=/usr/local/nagios/libexec/check_procs -w 5 -c 10 -s Z command[check_total_procs]=/usr/local/nagios/libexec/check_procs -w 150 -c 200
We recognize check_load as the second of these. Note that it already includes some thresholds for WARNING and CRITICAL alerts in its -w and -c parameters.
If we also wanted to check the number of processes on this server, we could add a service check for roma.example.net, defined like this:
define service {
use generic-service
host_name roma.example.net
service_description PROCS
check_command check_nrpe!check_total_procs
}This service will generate a WARNING alert if the number of processes exceeds 150 and a CRITICAL alert if it exceeds 200. Again, the plugin is run on the target server and not the monitoring server.
Another useful and common application of check_nrpe is to make remote checks on database servers with plugins like check_mysql and check_pgsql in the case where the servers do not listen on network interfaces for security reasons. Instead, they listen only on localhost or UNIX sockets and are hence inaccessible to the monitoring server. To work around this problem, we could add a new command definition to the end of nrpe.cfg on the target server as follows:
command[check_mysql]=/usr/local/nagios/libexec/check_mysql -u nagios -d nagios -p wGG7H233bq
A corresponding check that uses the check_mysql command can then be made on the monitoring server:
define service {
use generic-service
host_name roma.example.net
service_description MYSQL
check_command check_nrpe!check_mysql
}See the Monitoring database services recipe in Chapter 5, Monitoring Methods, for some detail on how to use the check_mysql and check_pgsql plugins.
NRPE is thus useful not just for making checks of system properties or hardware, but for any plugin that needs to be run on the target host rather than on the monitoring host.
Finally, it's important to note that the command definitions included in the default nrpe.cfg file are intended as examples; you will probably want to fine-tune the parameters for some of them and remove the ones you don't use along with adding your own.
- The Setting the listening address for NRPE recipe in this chapter
- The Setting allowed client hosts for NRPE recipe in this chapter
- The Creating new NRPE command definitions securely recipe in this chapter
- The Giving limited sudo(8) privileges to NRPE recipe in this chapter
- Monitoring database services, Chapter 5, Monitoring Methods