Old 05-23-2011, 08:50 AM   #1
urikndla
LQ Newbie
 
Registered: May 2011
Location: Montblanc, Spain
Distribution: Ubuntu 10.10
Posts: 10

Rep: Reputation: Disabled
Check_NRPE from Ubuntu server to OpenWRT router. Connection refused by host


Hi everyone!

I am trying to monitor an OpenWRT (Backfire 10.03, r23115) router from an Ubuntu server, but I am having some problems.

I have installed NRPE (2.12) on the remote host (OpenWRT) and I have executed the program as a daemon (/usr/sbin/nrpe -d), but when I start the NRPE daemon, I don't get anything about NRPE when executing netstat -at or ps -ef.
I would need to install check_nrpe on OpenWRT to find out if NRPE is working, but I can't find any ipk package with it.


Now, once in the monitoring host when I try to reach the remote host from the server:

/usr/local/nagios/libexec/check_nrpe -H ip_remote_host

I get: Connection refused by host

Even, trying with localhost:

/usr/local/nagios/libexec/check_nrpe -H localhost

I get the same error: Connection refused by host

I have installed Nagios Plugins and the check_nrpe plugin.
I have edited the /etc/nrpe.cfg file:

allowed_hosts=127.0.0.1 ip_server

So, I don't exactly know if it is remote host's fault, monitoring host's fault or both.

I hope someone can help me. Any answer will be very much appreciated.

Thank you very much in advance.

urikndla

PS: I am pretty much a newbie to the whole Nagios world.
PS2: English is not my native language, please excuse possible typing errors.
 
Old 05-24-2011, 08:33 AM   #2
MensaWater
Guru
 
Registered: May 2005
Location: Atlanta Georgia USA
Distribution: Redhat (RHEL), CentOS, Fedora, Debian, FreeBSD, HP-UX, Solaris, SCO
Posts: 6,003
Blog Entries: 5

Rep: Reputation: 782
Is "ip_server" the name of your remote host?

Your entry in nrpe.cfg should be:
Code:
allowed_hosts=127.0.0.1,ip_server
That is to say it should be comma delimited NOT space delimited as you have it.

Verify /etc/hosts on your local host has 127.0.0.1 as localhost. (It should but you should check the assumption - you authorized the IP but then specified the name in your check_nrpe.)

In nrpe.cfg check the port you defined. Typically it is:
Code:
server_port=5666
Run "lsof -i :<port>" to see if there is an nrpe process LISTENing on the port specified above (e.g. lsof -i :5666). If not then check_nrpe definitely won't work and you should focus your efforts on starting nrpe.

Note that nrpe can be run as a standalone daemon or via xinetd. If you're using the xinetd setup (which would be indicated by the above lsof showing xinetd rather than nrpe as the LISTENing process) then be sure you've set up /etc/xinetd.d/nrpe properly.

Any time you have an error check /var/log/messages. I've found it usually has good information as to what happened when a remote connection was attempted.
 
1 members found this post helpful.
Old 05-24-2011, 08:42 AM   #3
brownie_cookie
Member
 
Registered: Mar 2011
Location: Belgium
Distribution: CentOS release 5.5 (Final), Red Hat Enterprise Linux ES release 4 (Nahant Update 8)
Posts: 416
Blog Entries: 2

Rep: Reputation: 12
Here is a very useful link for installing NRPE on both REMOTE and MONITORING host.
Maybe you should look into that, it certainly helped me !!

but if it says 'Connection refused', maybe it's because of a firewall issue?
have you installed xinetd?
 
Old 05-24-2011, 10:08 AM   #4
urikndla
LQ Newbie
 
Registered: May 2011
Location: Montblanc, Spain
Distribution: Ubuntu 10.10
Posts: 10

Original Poster
Rep: Reputation: Disabled
Hi!

MensaWater, ip_server is just a name to hide the IP of the server, which is the monitoring host. So, the remote host's /etc/nrpe.cfg file has (comma delimited now): allowed_hosts=127.0.0.1,ip_server

I have checked /etc/hosts and it is all ok and also is the server port (5666).

I don't get anything about nrpe or xinetd when executing lsof -i:5666, as happens with netstat -at.


Brownie_cookie, I tried to follow the steps in NRPE.pdf, but the problem is that it is for Fedora, and all the procedure is different for OpenWRT. I installed the nrpe with: opkg install nrpe_2.12-1_brcm47xx.ipk

So, although I have xinetd successfully installed, I don't know how to install the NRPE daemon as a service under xinetd in OpenWRT. I tried to copy this file (/etc/xinetd.d/nrpe) from another Debian distribution where I have nrpe successfully running, but obviously it didn't work. Then I decided to run it as a standalone daemon.


I guess the question is, how do I start nrpe in OpenWRT? I would prefer to use xinetd, but then, I don't know how to install NRPE as a service under xinetd. I don't understand why /usr/sbin/nrpe -c /etc/nrpe.cfg -d doesn't work.

Thank you for your time!!

urikndla
 
Old 05-25-2011, 08:52 AM   #5
MensaWater
Guru
 
Registered: May 2005
Location: Atlanta Georgia USA
Distribution: Redhat (RHEL), CentOS, Fedora, Debian, FreeBSD, HP-UX, Solaris, SCO
Posts: 6,003
Blog Entries: 5

Rep: Reputation: 782
I haven't worked with OpenWRT.

The link here talks about setting up another package called Munin in OpenWRT and has information about how to setup xinetd for that. You can ignore the Munin specific information and perhaps use the Xinetd details it provides for setting up nrpe. Comparing the xinetd.d/nrpe you copied from ubuntu with the one shown in the link ought to give you a good idea how it should be setup on OpenWRT.

http://munin-monitoring.org/wiki/OpenWRT-HowTo
 
Old 05-26-2011, 04:59 AM   #6
urikndla
LQ Newbie
 
Registered: May 2011
Location: Montblanc, Spain
Distribution: Ubuntu 10.10
Posts: 10

Original Poster
Rep: Reputation: Disabled
Hi MensaWater,

I have followed the instructions of the link you gave me. After checking on my /etc/xinetd.d/nrpe, I tried to execute it and this is what I got:

root@OpenWrt:/# /etc/xinetd.d/nrpe
/etc/xinetd.d/nrpe: line 3: service: not found
/etc/xinetd.d/nrpe: line 16: flags: not found
/etc/xinetd.d/nrpe: line 16: port: not found
/etc/xinetd.d/nrpe: line 16: socket_type: not found
/etc/xinetd.d/nrpe: wait: line 16: Illegal number: =
/etc/xinetd.d/nrpe: line 16: user: not found
/etc/xinetd.d/nrpe: line 16: group: not found
/etc/xinetd.d/nrpe: line 16: server: not found
/etc/xinetd.d/nrpe: line 16: server_args: not found
/etc/xinetd.d/nrpe: line 16: log_on_failure: not found
/etc/xinetd.d/nrpe: line 16: disable: not found
/etc/xinetd.d/nrpe: line 16: only_from: not found


This is my /etc/xinetd.d/nrpe file:

# default: on
# description: NRPE (Nagios Remote Plugin Executor)
service nrpe
{
flags = REUSE
port = 5666
socket_type = stream
wait = no
user = nagios
group = nagios
server = /usr/sbin/nrpe
server_args = -c /etc/nrpe.cfg --inetd
log_on_failure += USERID
disable = no
only_from = 127.0.0.1, 137.226.45.177
}

Can you see any evident mistake?

About the entry on /etc/services file, there is no such file in OpenWRT and I had to create it for myself, do you think that could be the cause of the "line 3: service: not found" error?

What about /etc/init.d/nrpe? Shouldn't that start nrpe? This is making me crazy, why such a difference with Debian...xD

Thanks again for your time!
 
Old 05-26-2011, 08:57 AM   #7
MensaWater
Guru
 
Registered: May 2005
Location: Atlanta Georgia USA
Distribution: Redhat (RHEL), CentOS, Fedora, Debian, FreeBSD, HP-UX, Solaris, SCO
Posts: 6,003
Blog Entries: 5

Rep: Reputation: 782
/etc/xinetd.d/nrpe isn't something you execute. The errors you got are because you tried to execute it.

xinetd is a daemon (an enhancement of the earlier inetd) that has the purpose of LISTENing for connections. It used to be for every service you ran that had to LISTEN for connections you'd have to run their daemons all the time. This took up unnecessary processing power and memory for something all the time that might not be used all the time. A good example was ftpd for ftp - if you only have someone ftp into your server once a week there seems little reason to have ftpd sitting there doing all it does all the time just to LISTEN on port 21. Instead inetd or xinetd can listen on port 21 and if it sees a request for a connection it launches ftpd at the time the connection is requested. Inetd/xinetd can do this LISTEN for many different services so can free up a lot of resources that would otherwise be tied up by all those individual daemons when not actually in use.

nrpe can be run in daemon mode OR via xinetd just like ftpd and various other services. In inetd you had a single file with multiple lines each of which was designed to do this LISTEN for the service they described. In xinetd you instead have a file for each service so you can put more granularity into it. The xinetd.d/nrpe is just a specification file. When xinetd runs it LISTENs on the port (typically 5666) you specify in that file. If a connection is requested it then executes the command (listed as "server" in that file) with the server_args listed in that file so in your case it would execute:
/usr/sbin/nrpe -c /etc/nrpe.cfg --inetd
But again that is ONLY executed when there is a request for port 5666 (typically from your Nagios master). After this is done the process would go away.

On most servers I have seen nrpe in /usr/local/nagios/bin rather than /usr/sbin and the config file is in /usr/local/nagios/etc but that isn't required. What version of nrpe are you running? My /etc/xinetd.d/nrpe on RHEL5 is:
Code:
# default: on
# description: NRPE
service nrpe
{
   flags           = REUSE
   socket_type     = stream
   wait            = no
   user            = nagios
   server          = /usr/local/nagios/bin/nrpe
   server_args     = -c /usr/local/nagios/etc/nrpe.cfg -i
#
#  Main LOG definitions are in /etc/xinetd.conf. Entries can be put in this
#  /etc/xinetd.d/nrpe configuration file that overrides those.
#  Commented out original "log_on_failure" and added new entry.
#  Added log_on_success with nothing after the equal sign to prevent it from
#  writing to syslog when it is just running normally.   Commenting out that
#  line will make it do full logging on both success and failure.
#  Note you also have to modify the log debug from 0 to 1 in the nrpe.cfg file
#  in /usr/local/nagios/etc to get full debugging messages.
#  MensaWater 13-Sep-2010
#
#  log_on_failure  += USERID
   log_on_failure  = USERID HOST
   log_on_success  =
   disable         = no
   only_from       = 10.0.12.54
}
After you modify files in /etc/xinetd.d you should run "ps -ef |grep xinetd" to get the process ID (PID) then run "kill -1 <pid>" (or kill -s SIGHUP <pid>). This tells the xinetd program to reread everything.

As to /etc/services - I found that if I didn't have port 5666 defined in /etc/services on RHEL5 it wouldn't start nrpe at all. Since I don't know OpenWRT I don't know if it should have that file or if it uses something in a different location. In the link I posted yesterday there is a comment about this being the old way of doing things and a link to a newer way. Did you look at that other link on the site?

Is there /var/log/messages or equivalent in OpenWRT? If so have you examined that?
 
1 members found this post helpful.
Old 05-26-2011, 10:42 AM   #8
urikndla
LQ Newbie
 
Registered: May 2011
Location: Montblanc, Spain
Distribution: Ubuntu 10.10
Posts: 10

Original Poster
Rep: Reputation: Disabled
I guess I didn't know exactly how xinetd works and I shouldn't have executed it. Thanks for your explanation MensaWater!

The link to the newer way, wasn't so useful, it is just one script, I did look at it. And about /etc/services, as I see in the Munin tutorial there is an /etc/services file, so I copied it from debian and I added the line for nrpe.

There is no file like /var/log/messages, however, I had a look at dmesg and there is nothing about nrpe or xinetd.

My version of nrpe is nrpe_2.12-1_brcm47xx.ipk, and it was automatically installed in /usr/sbin/nrpe and its config file in /etc/nrpe.cfg by executing opkg install <file>.

Back to xinetd, I can't kill the process because I don't get any reference to xinetd in ps -ef; does that mean it is not running? If xinetd was running it should necessarily be in the output of ps -ef, shouldn't it? When I execute snmpd, it is immediately in ps's output, but not with nrpe or xinetd.

Nagios-plugins work just fine and they were installed the same way as nrpe or xinetd.

About your /etc/xinetd.d/nrpe file, I have one doubt, why don't you have the port number? Should I remove it?
 
Old 05-26-2011, 01:42 PM   #9
MensaWater
Guru
 
Registered: May 2005
Location: Atlanta Georgia USA
Distribution: Redhat (RHEL), CentOS, Fedora, Debian, FreeBSD, HP-UX, Solaris, SCO
Posts: 6,003
Blog Entries: 5

Rep: Reputation: 782
I found a link that says:
Quote:
By default, syslogd in OpenWRT does not save to a file; there'd be nothing stopping the file from growing indefinitely and filling all RAM. Instead it's kept in a fixed-size buffer in memory, and read with the logread command.
You might try running logread command mentioned.

If xinetd isn't running then you'd have to troubleshoot why that is.

In the munin link I see:
Quote:
xinetd startup file
If you installed xinetd via ipkg, then make sure /etc/init.d/S??xinetd exists. I've noticed that "ipkg install xinetd" installs /etc/init.d/xinetd, which will NOT be run at startup. Simply linking /etc/init.d/xinetd to /etc/rc.d/S70xinetd (ln -s /etc/init.d/xinetd /etc/rc.d/S70xinetd) solves the problem.

However I don't see where it ever tells you to start xinetd. You should be able to start it by running:
/etc/init.d/xinetd start (or /etc/rc.d/S70xinetd start - assuming you linked it as discussed above).
Run that then check to be sure xinetd is running. If it is then run the check to see if port 5666 is listening.

As to whether the PORT should be in the xinetd.d/nrpe file: As noted before mine came from a RHEL5 installation and that was getting the port from /etc/services (which is why it failed for me before I added it there). Since the Munin example includes a port I suspect yours should as well. However, you should first focus on getting xinetd running because until it is there is nothing actually trying to run nrpe. (Alternatively you could try running nrpe as a stand alone daemon and ignore xinetd altogether.)
 
1 members found this post helpful.
Old 05-27-2011, 04:36 AM   #10
urikndla
LQ Newbie
 
Registered: May 2011
Location: Montblanc, Spain
Distribution: Ubuntu 10.10
Posts: 10

Original Poster
Rep: Reputation: Disabled
Logread definitely worked! Thanks a lot! Reading the file I noticed that I had a wrong line in /etc/xinetd.d/nrpe. I had to remove the comma from only_from, and now I have xinetd running.

This is my lsof output now, seems ok:

root@OpenWrt:~# lsof -i:5666
COMMAND PID USER FD TYPE DEVICE SIZE/OFF NODE NAME
xinetd 1895 root 5u IPv4 962347 0t0 TCP *:nrpe (LISTEN)

And this, my netstat -at output:

Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address Foreign Address State
tcp 0 0 0.0.0.0:nrpe 0.0.0.0:* LISTEN

Now, I have xinetd running in the remote host but when I try to reach it from the monitoring host, I get: CHECK_NRPE: Error - Could not complete SSL handshake.

Last edited by urikndla; 05-27-2011 at 08:42 AM.
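
Added example (not part of any post in this thread): the two access lists discussed above use opposite delimiters, commas for allowed_hosts in nrpe.cfg (post #2) and spaces for only_from in the xinetd service file (post #10), and a service file without a port attribute depends on /etc/services (post #7). The shell functions below lint for those three mistakes; the function names, the sample files and the 192.0.2.10 address are constructed for illustration.

```shell
# Added example, not from the thread: lint the two NRPE access lists.
#   nrpe.cfg allowed_hosts -> comma-delimited; xinetd only_from -> space-delimited

# $1 = path to nrpe.cfg. Prints findings; returns 1 if any.
lint_nrpe_cfg() {
    awk '
        /^[ \t]*#/ { next }
        /^[ \t]*allowed_hosts[ \t]*=/ {
            val = $0
            sub(/^[^=]*=[ \t]*/, "", val)
            # two entries with only whitespace between them
            if (val ~ /[^, \t][ \t]+[^, \t]/) {
                print "allowed_hosts: use commas between entries: " val
                bad = 1
            }
        }
        END { exit (bad ? 1 : 0) }
    ' "$1"
}

# $1 = xinetd service file, $2 = services file (normally /etc/services).
lint_xinetd_service() {
    awk -v services="$2" '
        /^[ \t]*#/ { next }
        $1 == "service" { name = $2 }
        /^[ \t]*port[ \t]*=/ { has_port = 1 }
        /^[ \t]*only_from[ \t]*[-+]?=/ {
            val = $0
            sub(/^[^=]*=[ \t]*/, "", val)
            if (val ~ /,/) {
                print "only_from: separate addresses with spaces, not commas: " val
                bad = 1
            }
        }
        END {
            # Without a port attribute the port has to come from the services file.
            if (!has_port) {
                while ((getline line < services) > 0)
                    if (split(line, f, /[ \t]+/) >= 2 && f[1] == name) found = 1
                if (!found) {
                    print "port: not set, and no \"" name "\" entry in " services
                    bad = 1
                }
            }
            exit (bad ? 1 : 0)
        }
    ' "$1"
}

# Constructed sample files; 192.0.2.10 is a documentation address.
make_samples() {
    printf 'allowed_hosts=127.0.0.1 192.0.2.10\n' > "$1/nrpe.bad"
    printf 'allowed_hosts=127.0.0.1,192.0.2.10\n' > "$1/nrpe.good"
    printf 'service nrpe\n{\n  port = 5666\n  only_from = 127.0.0.1, 192.0.2.10\n}\n' > "$1/xinetd.comma"
    printf 'service nrpe\n{\n  only_from = 127.0.0.1 192.0.2.10\n}\n' > "$1/xinetd.noport"
    printf 'service nrpe\n{\n  port = 5666\n  only_from = 127.0.0.1 192.0.2.10\n}\n' > "$1/xinetd.good"
    printf 'ftp\t21/tcp\n' > "$1/services"
}

demo_dir=$(mktemp -d)
make_samples "$demo_dir"
for f in nrpe.bad nrpe.good; do
    lint_nrpe_cfg "$demo_dir/$f" || echo "  -> $f needs fixing"
done
for f in xinetd.comma xinetd.noport xinetd.good; do
    lint_xinetd_service "$demo_dir/$f" "$demo_dir/services" || echo "  -> $f needs fixing"
done
rm -rf "$demo_dir"
```

On the router the functions would be pointed at /etc/nrpe.cfg, /etc/xinetd.d/nrpe and /etc/services.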
 
Old 05-27-2011, 09:09 AM   #11
MensaWater
Guru
 
Registered: May 2005
Location: Atlanta Georgia USA
Distribution: Redhat (RHEL), CentOS, Fedora, Debian, FreeBSD, HP-UX, Solaris, SCO
Posts: 6,003
Blog Entries: 5

Rep: Reputation: 782
That's good. It shows both that xinetd is running and that xinetd is LISTENing on port 5666.

Even though you got an error with the SSL handshake it does show that xinetd did launch nrpe so that part is working.

Is the check_nrpe version on your Nagios master 2.12 like the one on your OpenWRT client? Older versions of check_nrpe didn't do SSL.

You can test without SSL by using the -n flag in your check_nrpe command - that tells it not to use SSL.
 
1 members found this post helpful.
Old 05-27-2011, 09:27 AM   #12
urikndla
LQ Newbie
 
Registered: May 2011
Location: Montblanc, Spain
Distribution: Ubuntu 10.10
Posts: 10

Original Poster
Rep: Reputation: Disabled
Yes, they have both nrpe 2.12. Nagios-plugins version is 1.4.15.

I downloaded the package from:

http://sourceforge.net/projects/nagi...pe-2.12.tar.gz

If I try to execute check_nrpe without SSL with the -n flag, this is what I get:

/usr/local/nagios/libexec/check_nrpe -H 192.168.5.110 -n
CHECK_NRPE: Error receiving data from daemon.

By the way, I don't have nrpe on the nagios host and I guess that if there is no nrpe.cfg file to read, check_nrpe will not work, but is this error normal?

/usr/local/nagios/libexec/check_nrpe -H localhost -n
Connection refused by host

I just don't know where else to look at and I thought it could be relevant.

PS: How can I put code in these messages? It will be more understandable.

Last edited by urikndla; 05-27-2011 at 09:32 AM.
 
Old 05-27-2011, 09:39 AM   #13
urikndla
LQ Newbie
 
Registered: May 2011
Location: Montblanc, Spain
Distribution: Ubuntu 10.10
Posts: 10

Original Poster
Rep: Reputation: Disabled
These are the iptables from the client:

root@OpenWrt:/etc/xinetd.d# iptables --list
Chain INPUT (policy ACCEPT)
target prot opt source destination
tcp -- anywhere anywhere tcp dpt:nrpe

Chain FORWARD (policy ACCEPT)
target prot opt source destination

Chain OUTPUT (policy ACCEPT)
target prot opt source destination

nrpe seems to be reachable.
 
Old 05-27-2011, 01:55 PM   #14
MensaWater
Guru
 
Registered: May 2005
Location: Atlanta Georgia USA
Distribution: Redhat (RHEL), CentOS, Fedora, Debian, FreeBSD, HP-UX, Solaris, SCO
Posts: 6,003
Blog Entries: 5

Rep: Reputation: 782
The error on localhost is normal since you're not running anything to connect to there (e.g. nrpe on the Nagios master). As you surmised you have to setup nrpe.cfg there and also have xinetd on the Nagios master listen for nrpe just as it does on any other nrpe client.

However, you only need to do that if you want to check "localhost" or the master itself with check_nrpe. There is no nrpe configuration (or xinetd for nrpe) required on the master to run the check_nrpe command against other clients.

The error you got "CHECK_NRPE: Error receiving data from daemon" with the -n flag tells me that nrpe is running on the client and is requiring SSL.

You need to run the command then check the logs on both the master (/var/log/messages) and the openWRT client (checklog) to see if you can get some other information. You can try amending your xinetd.d/nrpe to add the -n flag:
Code:
server_args = -c /etc/nrpe.cfg --inetd -n
That tells it not to run with SSL when it launches nrpe. You can then retry the check_nrpe with -n flag so both sides try without SSL. If that works then you know you need to focus on the SSL issue itself. You may need to install openssl on the openWRT client as it may be an issue of a missing library.
 
Old 05-30-2011, 04:09 AM   #15
urikndla
LQ Newbie
 
Registered: May 2011
Location: Montblanc, Spain
Distribution: Ubuntu 10.10
Posts: 10

Original Poster
Rep: Reputation: Disabled
Hi Mensawater!

I couldn't answer before. I don't really need nrpe on the nagios server, I just didn't know if that error was normal.

About openssl library. This is what I have in the nagios server:

Code:
dpkg --get-selections|grep ssl
libio-socket-ssl-perl				install
libnet-smtp-ssl-perl				install
libnet-ssleay-perl				install
libssl-dev					install
libssl0.9.8					install
openssl						install
openssl-blacklist				install
python-openssl					install
ssl-cert					install
And in the remote host:

Code:
root@OpenWrt:~# opkg list_installed
libopenssl - 0.9.8m-3
So, in theory, I have openssl in both hosts.

Executing check_nrpe with -n flag (and having modified server_args = -c /etc/nrpe.cfg --inetd -n) I have the exact same error I had before.

Code:
/usr/local/nagios/libexec/check_nrpe -H 192.168.5.110 -n
CHECK_NRPE: Error receiving data from daemon.
About log files, I get some errors in the remote host. This is what I get after killing and reloading xinetd when I execute /etc/init.d/xinetd start:

Code:
May 30 10:44:17 OpenWrt daemon.err xinetd[2232]: bind failed (Address already in use (errno = 125)). service = nrpe
May 30 10:44:17 OpenWrt daemon.err xinetd[2232]: Service nrpe failed to start and is deactivated.
May 30 10:44:17 OpenWrt daemon.crit xinetd[2232]: 2232 {init_services} no services. Exiting...
I suppose that's why check_nrpe can't get data from the daemon, but I don't know what could be the cause.

And, if I kill xinetd and I try to start nrpe as a standalone daemon with /usr/sbin/nrpe -c /etc/nrpe.cfg -d -n, this is what I get with logread.

Code:
May 30 10:55:29 OpenWrt daemon.notice nrpe[2271]: Starting up daemon
May 30 10:55:29 OpenWrt daemon.err nrpe[2271]: Network server bind failure (126: Cannot assign requested address)
I don't know what this bind failure error means. I'll look at it.
 
  

