LinuxQuestions.org
Old 11-07-2012, 09:48 PM   #1
SernOne
Member
 
Registered: Oct 2012
Posts: 33

Rep: Reputation: Disabled
NAGIOS - NRPE check iptables errors


Anyone have some insight on this error? The server running the NRPE client gets the correct number of tables, but the monitor server doesn't get it. Like it returns 0.... Attached is code and screenshots, please help.

PHP Code:
#!/bin/bash
IPT='/sbin/iptables'
GREP='/bin/grep'
AWK='/bin/awk'
EXPR='/usr/bin/expr'
WC='/usr/bin/wc'
TABLE='PREROUTING'

STAT=0
OUTPUT=''
# Count the lines printed for the chain in the nat table
CHAINS=`sudo $IPT -t nat -L "$TABLE" | $WC -l`
if [ "$CHAINS" -eq 0 ]; then
        OUTPUT="${OUTPUT}ERROR $CHAINS rules!"
        STAT=2
else
        OUTPUT="${OUTPUT}OK - $CHAINS in $TABLE rules"
fi

echo "$OUTPUT"

exit $STAT
Attached thumbnail: error.jpg
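An added example (not from any poster in this thread): the script above takes its count from `wc -l`, so a `sudo` or `iptables` failure under the NRPE account would be reported as a count of 0 rather than as an error. This variant keeps the listing command's exit status and returns UNKNOWN in that case; it counts rule rows rather than all lines, and `check_chain`, the stub listers and the file name `check_nat_rules.sh` are hypothetical.

```bash
#!/bin/bash
# Added example, not the poster's script. check_chain and the stub listers are
# hypothetical names. Exit codes follow the Nagios plugin convention:
# 0 OK, 2 CRITICAL, 3 UNKNOWN.

# check_chain CHAIN CMD [ARGS...]: run CMD to list CHAIN, then count its rules.
check_chain() (
    chain=$1; shift
    # Keep the lister's own exit status. In "cmd | wc -l" the status is wc's,
    # so a failed sudo/iptables is indistinguishable from an empty listing.
    if listing=$("$@" 2>&1); then rc=0; else rc=$?; fi
    first=$(printf '%s\n' "$listing" | head -n 1)
    case "$rc:$first" in
        "0:Chain $chain "*) ;;   # success and the expected header line
        *) echo "UNKNOWN - could not list $chain (exit $rc): $first"; exit 3 ;;
    esac
    # Rule rows follow two header lines: "Chain ..." and the column titles.
    rules=$(printf '%s\n' "$listing" | awk 'NR > 2 && NF { n++ } END { print n + 0 }')
    if [ "$rules" -eq 0 ]; then
        echo "CRITICAL - 0 rules in $chain"; exit 2
    fi
    echo "OK - $rules rules in $chain"
)

# Constructed stand-ins for "iptables -t nat -L PREROUTING -n", for offline runs.
stub_two_rules() {
    printf '%s\n' 'Chain PREROUTING (policy ACCEPT)' \
        'target     prot opt source               destination' \
        'DNAT       tcp  --  0.0.0.0/0            0.0.0.0/0           tcp dpt:80 to:10.0.0.10:80' \
        'DNAT       tcp  --  0.0.0.0/0            0.0.0.0/0           tcp dpt:443 to:10.0.0.10:443'
}
stub_sudo_refused() {   # constructed error text; the real message depends on the host
    echo 'sudo: a password is required' >&2; return 1
}

# As a plugin: "check_nat_rules.sh PREROUTING" runs the real command.
# sudo -n fails instead of prompting when no NOPASSWD rule applies.
if [ $# -gt 0 ]; then
    check_chain "$1" sudo -n /sbin/iptables -t nat -L "$1" -n
    exit $?
fi
```

Running `check_chain PREROUTING stub_sudo_refused` from a shell that has sourced the functions shows the UNKNOWN path without touching the firewall.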
 
Old 11-08-2012, 04:05 PM   #2
Habitual
LQ Veteran
 
Registered: Jan 2011
Location: Abingdon, VA
Distribution: Catalina
Posts: 9,374
Blog Entries: 37

Rep: Reputation: Disabled
Code:
sudo iptables -L -n
output please.

Also try
Code:
#!/bin/bash 
set -x
...
and watch it when it runs.
 
Old 11-08-2012, 06:45 PM   #3
SernOne
Thanks for the quick reply. I know it's pulling correctly on the box that's my firewall, but I am not sure why the nrpe module is not passing the final number to the monitoring server. As my screenshot above shows, the proper values appear on the local box though.

Below is the table I am pulling from

PHP Code:
Chain PREROUTING (policy ACCEPT 8821 packets, 700K bytes)
 pkts bytes target     prot opt in     out     source               destination
  382 19552 DNAT       tcp  --  eth0   *       0.0.0.0/0            0.0.0.0/0           tcp dpt:80 to:10.0.0.10:80
  128  6684 DNAT       tcp  --  eth0   *       0.0.0.0/0            0.0.0.0/0           tcp dpt:443 to:10.0.0.10:443
  143  7180 DNAT       tcp  --  eth0   *       0.0.0.0/0            0.0.0.0/0           tcp dpt:25 to:10.0.0.11:25
    0     0 DNAT       tcp  --  eth0   *       0.0.0.0/0            0.0.0.0/0           tcp dpt:110 to:10.0.0.11:110
   45  2701 DNAT       tcp  --  eth0   *       0.0.0.0/0            0.0.0.0/0           tcp dpt:143 to:10.0.0.11:143
    0     0 DNAT       tcp  --  eth0   *       0.0.0.0/0            0.0.0.0/0           tcp dpt:993 to:10.0.0.11:993
    0     0 DNAT       tcp  --  eth0   *       0.0.0.0/0            0.0.0.0/0           tcp dpt:995 to:10.0.0.11:995
  595 30940 DNAT       tcp  --  eth0   *       0.0.0.0/0            0.0.0.0/0           tcp dpt:8081 to:10.0.0.12
  217 12972 DNAT       tcp  --  eth0   *       0.0.0.0/0            0.0.0.0/0           tcp dpts:20:21 to:10.0.0.10
    9   456 DNAT       tcp  --  eth0   *       0.0.0.0/0            0.0.0.0/0           tcp dpts:50000:50030 to:10.0.0.10
    7   360 DNAT       tcp  --  eth0   *       0.0.0.0/0            0.0.0.0/0           tcp dpt:2222 to:10.0.0.10
 
Old 11-09-2012, 02:17 AM   #4
dragonix
Member
 
Registered: Nov 2012
Location: Belgium
Distribution: Ubuntu 12.04
Posts: 69
Blog Entries: 6

Rep: Reputation: 1
Maybe there is something wrong with the connection between the monitoring host and the server that needs to be monitored?
It uses an SSH connection, so maybe the FW is blocking it for some reason?

Have you tried using the ip address of the server instead of 'abby'?
And I assume that you installed the plugin and client correctly (see Nagios website)?

Last edited by dragonix; 11-09-2012 at 02:28 AM.
 
Old 11-09-2012, 10:28 AM   #5
Habitual
Darcy and abby, which one is the nagios Server and which one is the client?

re: "but the monitor server doesn't get it"...
Code:
grep "allowed_hosts=" /usr/local/nagios/etc/nagios.cfg
on the client. Output please.

Download this -> http://nagios.sourceforge.net/docs/nrpe/NRPE.pdf
 
Old 11-09-2012, 02:12 PM   #6
SernOne
Quote:
Originally Posted by Habitual
Darcy and abby, which one is the nagios Server and which one is the client?

re: "but the monitor server doesn't get it"...
Code:
grep "allowed_hosts=" /usr/local/nagios/etc/nagios.cfg
on the client. Output please.

Download this -> http://nagios.sourceforge.net/docs/nrpe/NRPE.pdf
Hey Habitual,

Darcy is my Nagios box and Abby is one of the hosts I am monitoring. No firewall blocks in place on the internal network; I have a few other servers that work fine, except this is the only one probing with a shell script.

As far as allowed hosts, I'm running this off xinetd, which will ignore that option and allow any internal to work with this daemon.
Quote:
#
# NOTE: This option is ignored if NRPE is running under either inetd or xinetd

allowed_hosts=127.0.0.1
allowed_hosts=127.0.0.1
Thank you for all your help so far, I really appreciate it

Last edited by SernOne; 11-09-2012 at 02:13 PM.
 
Old 11-10-2012, 06:55 AM   #7
Habitual
Quote:
Originally Posted by SernOne
...allowed_hosts=127.0.0.1
Thank you for all your help so far, I really appreciate it
Great, now replace the 127.0.0.1 with the darcy IP
Code:
allowed_hosts=nnn.nn.nnn.nn 
on the abby host and restart the nagios service on abby.

It's all very well documented.

Last edited by Habitual; 11-10-2012 at 06:57 AM.
 
Old 11-10-2012, 06:57 PM   #8
SernOne
Quote:
Originally Posted by Habitual
Great, now replace the 127.0.0.1 with the darcy IP
Code:
allowed_hosts=nnn.nn.nnn.nn 
on the abby host and restart the nagios service on abby.

It's all very well documented.
Hey Habitual,

as stated above, NRPE is running on my server under xinetd, which doesn't require allowed_hosts=

Even when I put it in there it still does nothing, plus this wouldn't cause a variable to return 0 on the other end; it would just deny the connection from the nagios server to the nrpe daemon

any other ideas guys?
 
Old 11-12-2012, 12:51 AM   #9
dragonix
maybe put some more echoes in the script, so you can see where it stops returning output or where the connection fails..
I used it a while ago, and with the use of the PDF file (see above), it worked like a charm, no issues at all :s
 
Old 11-12-2012, 06:10 PM   #10
SernOne
Quote:
Originally Posted by dragonix
maybe put some more echoes in the script, so you can see where it stops returning output or where the connection fails..
I used it a while ago, and with the use of the PDF file (see above), it worked like a charm, no issues at all :s

Even with your own custom shell scripts?
 
Old 11-12-2012, 06:33 PM   #11
Habitual
Quote:
Originally Posted by SernOne
Hey Habitual,

as stated above, NRPE is running on my server under xinetd, which doesn't require ...
Fair enough.

Code:
grep command /usr/local/nagios/etc/nagios.cfg
on abby please.
 
Old 11-13-2012, 12:39 AM   #12
dragonix
Quote:
Originally Posted by SernOne
Even with your own custom shell scripts?
yeah, made a couple of my own and they all worked..
Not from the first moment, but with enough debugging it all worked in the end.
But it's a while ago (like 1 year and a half ago..)
 
Old 11-13-2012, 06:50 AM   #13
Habitual
Quote:
Originally Posted by SernOne
Hey Habitual,

as stated above, NRPE is running on my server under xinetd, which doesn't require allowed_hosts=
The documentation says the value to edit is actually "only_from"...
Code:
Install the NRPE daemon as a service under xinetd.
make install-xinetd
Edit the /etc/xinetd.d/nrpe file and add the IP address of the monitoring server to the only_from directive.
only_from = 127.0.0.1 <nagios_ip_address>
Add the following entry for the NRPE daemon to the /etc/services file.
nrpe  5666/tcp  # NRPE
Restart the xinetd service.
service xinetd restart
on Page 5
Pages 6-10 discuss testing.

It's only 18 pages; it is almost mandatory to read it. I had the exact same issues when I set up Icinga the first time. Sorry, but it's been a while since I had to use or configure any clients and all my "notes" are just tech recipes.

I preferred not to utilize the inetd method of installing nrpe on remote clients.
 
Old 11-13-2012, 01:09 PM   #14
Habitual
from darcy:
Code:
 /usr/local/nagios/libexec/check_nrpe -H localhost
output.

from abby:
Code:
 /usr/local/nagios/libexec/check_nrpe -H localhost
output please.
 
Old 11-14-2012, 03:27 PM   #15
SernOne
Quote:
Originally Posted by Habitual
from darcy:
Code:
 /usr/local/nagios/libexec/check_nrpe -H localhost
output.

from abby:
Code:
 /usr/local/nagios/libexec/check_nrpe -H localhost
output please.
Code:
[root@abby ~]# cat /etc/xinetd.d/nrpe | grep "only_from"
        only_from       = 127.0.0.1 10.0.0.12
from abby
Code:
[root@abby ~]# /usr/local/nagios/libexec/check_nrpe -H localhost
CHECK_NRPE: Error - Could not complete SSL handshake.
from darcy
Code:
[root@darcy ~]# /usr/local/nagios/libexec/check_nrpe -H abby
NRPE v2.13
It's weird: all my other probes for my other servers and non-custom shell scripts, even for abby, work completely fine, and it shows that it's getting the script, just not pulling the variable over to darcy.
 
  

