Nagios/NRPE Monitoring of Internal Private Network Hosts [RESOLVED]



  • Hi all,

    I'm trying to monitor certain NRPE checks (such as IOUtil and Load) on hosts that are behind a pfSense firewall. We have an externally hosted Nagios server, issuing the checks and receiving the results etc.

    I have created a check_nrpe command on the Nagios server that references -H <ip of pfSense WAN>. I then make services that pass -p and -c to that command; the port is custom and the command is the command set up in the NRPEv2 package installed in pfSense.

    I created the hosts in Nagios, and set their host check to a custom check_ping command that is defined on the pfSense box. The host notifications work fine.

    I've then created a service in Nagios that calls a custom definition on the pfSense box, that runs check_nrpe2 on the pfSense box. The idea is to get pfSense to run a check_nrpe command against the private host, but it's not working. There isn't a check_nrpe entry in the list, only check_nrpe2.

    So it looks like this:

    External Nagios server issues this:
    check_nrpe -H "WAN of pfSense" -p "1111" -c "check_apex1_load"

    NRPEv2 on the pfSense box has the following command defined in it:
    Name - check_apex1_load
    Command - check_nrpe2
    Warning - 15,10,5
    Critical - 30,25,20
    Extra Args - -H "Private IP of host" -p "1111" -c "check_load"

    The private host behind the firewall has normal NRPE running on it, listening and will respond to check_load with normal exit parameters and values etc..

    However, all I get as an output back to the External Nagios server is:

    (No output returned from plugin)
    NRPE Plugin for Nagios
    Copyright (c) 1999-2008 Ethan Galstad (nagios@nagios.org)
    Version: 2.15
    Last Modified: 09-06-2013
    License: GPL v2 with exemptions (-l for more info)
    SSL/TLS Available: Anonymous DH Mode, OpenSSL 0.9.6 or higher required
    Usage: check_nrpe -H <host> [ -b <bindaddr> ] [-4] [-6] [-n] [-u] [-p <port>] [-t <timeout>] [-c <command>] [-a <arglist...>]
    Options:
    -n = Do no use SSL
    -u = Make socket timeouts return an UNKNOWN state instead of CRITICAL
     <host>= The address of the host running the NRPE daemon
     <bindaddr>= bind to local address
    -4 = user ipv4 only
    -6 = user ipv6 only
    [port] = The port on which the daemon is running (default=5666)
    [timeout] = Number of seconds before connection times out (default=10)
    [command] = The name of the command that the remote daemon should run

    Why is this? Can I not monitor private hosts in this way? The whole point of them being private is that they never see the internet, the private addresses are only accessible after connecting to a VPN. The pfSense box is the only thing in this entire configuration with a public address. Ideas?

    I've never used check_nrpe2 before; I don't know how it differs from check_nrpe. Can I still put a host into it like I have? Will this even work in theory?

    Thanks,
    Dave.



  • Sounds similar to an issue I remember from before.

    https://forum.pfsense.org/index.php?topic=73091.0



  • Hi,

    Now resolved. There were quite a few things at play here. First was the use of SSL in the original check_nrpe from our external Nagios server, and not in the second NRPE fired off from the firewall. Then there was the lack of the firewall's IP in allowed_hosts. Then there was SELinux on the private hosts that kept denying NRPE binding to our custom port.

    It also doesn't help that the private hosts do not have internet outbound for security purposes. So troubleshooting and downloading packages etc. was very time-consuming.

    Thanks.
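The chained setup from the first post (external check_nrpe, then check_nrpe2 from the pfSense NRPE package, then the private host's nrpe daemon) fails silently when the two hops disagree on SSL or when the firewall is missing from the private host's allowed_hosts, which is exactly what the resolution above lists. The script below is an added example, not code from the thread or from pfSense/Nagios: it statically audits the inner hop against the private host's nrpe.cfg. The sample Extra Args, the firewall LAN address 10.0.0.1, the SSL setting of the private daemon and the nrpe.cfg excerpt are all constructed assumptions.

```python
import argparse
import shlex

# Constructed sample values (not from the thread): the Extra Args pfSense's NRPE passes
# to check_nrpe2, the firewall's LAN address and the private host's nrpe.cfg excerpt.
INNER_ARGS = "-n -H 10.0.0.5 -p 1111 -c check_load"
FIREWALL_LAN_IP = "10.0.0.1"      # assumed LAN-side address of the pfSense box
PRIVATE_DAEMON_USES_SSL = True    # assumed: the private host's nrpe daemon runs without -n
PRIVATE_NRPE_CFG = """\
server_port=1111
allowed_hosts=127.0.0.1
command[check_load]=/usr/lib64/nagios/plugins/check_load -w 15,10,5 -c 30,25,20
"""

def parse_check_nrpe(argv_str):
    """Pull -H/-p/-c and the SSL flag (-n disables SSL) out of a check_nrpe argument line."""
    ap = argparse.ArgumentParser(add_help=False)
    ap.add_argument("-H", dest="host")
    ap.add_argument("-p", dest="port", default="5666")
    ap.add_argument("-c", dest="command")
    ap.add_argument("-n", dest="ssl", action="store_false")
    opts, _other_flags = ap.parse_known_args(shlex.split(argv_str))
    return vars(opts)

def parse_nrpe_cfg(text):
    """Return nrpe.cfg key=value settings as a dict; a later key overrides an earlier one."""
    settings = {}
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#") and "=" in line:
            key, value = (s.strip() for s in line.split("=", 1))
            settings[key] = value
    return settings

def audit_chain(inner_args, cfg_text, firewall_ip, daemon_ssl):
    """Compare the firewall's check_nrpe2 hop with the private host's nrpe.cfg; return findings."""
    inner = parse_check_nrpe(inner_args)
    settings = parse_nrpe_cfg(cfg_text)
    port = settings.get("server_port", "5666")
    allowed = [h.strip() for h in settings.get("allowed_hosts", "").split(",")]
    findings = []
    if inner["ssl"] != daemon_ssl:
        findings.append("ssl: check_nrpe2 and the private nrpe daemon disagree on SSL (-n)")
    if firewall_ip not in allowed:
        findings.append(f"allowed_hosts: firewall {firewall_ip} is not listed on the private host")
    if inner["port"] != port:
        findings.append(f"port: check_nrpe2 uses {inner['port']} but the daemon listens on {port}")
    return findings
```

Running audit_chain on the constructed sample reports both the SSL mismatch and the missing allowed_hosts entry; a port finding would point at the custom-port bind problem the resolution attributes to SELinux.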