Re: [Nagios-users] puzzling no output from nrpe run of check_load
Continuing with this debugging. I think I understand the point about needing a shell permission to write output to the terminal window. I've now replaced the shell on the remote host with /bin/false and eliminated the password for the nagios user on the remote machine. If I leave the password and shell for the nagios user on the nagios server, I can execute the following there: sudo su nagios -c "/usr/lib/nagios/plugins/check_nrpe -H rm16 -c check_load" and I get the expected output. This would seem to imply that the nrpe daemon on the remote can run the check_load command and get output from it, passing it back to the nagios server, right? The configuration for the remote service on the nagios server is (in /etc/nagios3/conf.d/rm16.cfg): define service { use generic-service host_name rm16 service_description nrpe-load check_command check_nrpe!check_load } which appears to agree with the example on page 11 of the NRPE manual. Yet the nagios server is constantly showing: Current Status: UNKNOWN (for 7d 22h 37m 19s) Status Information: (No output returned from plugin) NRPE Plugin for Nagios for service state information on that remote host. The definition of the check_command seems right for a no argument command on the remote -- but is this wrong somehow? I also just tried changing the service definition to # NRPE load check define service { use generic-service host_name rm16 service_description nrpe-load check_command check_nrpe_1arg!check_load!$HOSTADDRESS$ } but the same complaint is showing up in the server output for this service, which seems a bit odd given then the command should now be check_nrpe_1arg rather than check_nrpe. thanks, Peter On Apr 30, 2012, at 10:56 AM, Eliezer Croitoru wrote: > so it seems that the check_load needs shell rights to show any output > what so ever also the --help stuff. > it's kind of understandable. > > Eliezer -- Live Security Virtual Conference Exclusive live event will cover all the ways today's security and threat landscape has changed and how IT managers can respond. Discussions will include endpoint security, mobile security and the latest in malware threats. http://www.accelacomm.com/jaw/sfrnl04242012/114/50122263/ ___ Nagios-users mailing list Nagios-users@lists.sourceforge.net https://lists.sourceforge.net/lists/listinfo/nagios-users ::: Please include Nagios version, plugin version (-v) and OS when reporting any issue. ::: Messages without supporting info will risk being sent to /dev/null
Re: [Nagios-users] puzzling no output from nrpe run of check_load
Continuing with this debugging. I think I understand the point about needing a shell permission to write output to the terminal window. I've now replaced the shell on the remote host with /bin/false and eliminated the password for the nagios user on the remote machine. If I leave the password and shell for the nagios user on the nagios server, I can execute the following there: sudo su nagios -c "/usr/lib/nagios/plugins/check_nrpe -H rm16 -c check_load" and I get the expected output. This would seem to imply that the nrpe daemon on the remote can run the check_load command and get output from it, passing it back to the nagios server, right? The configuration for the remote service on the nagios server is (in /etc/nagios3/conf.d/rm16.cfg): define service { use generic-service host_name rm16 service_description nrpe-load check_command check_nrpe!check_load } which appears to agree with the example on page 11 of the NRPE manual. Yet the nagios server is constantly showing: Current Status: UNKNOWN (for 7d 22h 37m 19s) Status Information: (No output returned from plugin) NRPE Plugin for Nagios for service state information on that remote host. The definition of the check_command seems right for a no argument command on the remote -- but is this wrong somehow? I also just tried changing the service definition to # NRPE load check define service { use generic-service host_name rm16 service_description nrpe-load check_command check_nrpe_1arg!check_load!$HOSTADDRESS$ } but the same complaint is showing up in the server output for this service, which seems a bit odd given then the command should now be check_nrpe_1arg rather than check_nrpe. thanks, Peter On Apr 30, 2012, at 10:56 AM, Eliezer Croitoru wrote: > so it seems that the check_load needs shell rights to show any output > what so ever also the --help stuff. > it's kind of understandable. > > Eliezer -- Peter N. Steinmetz, M.D.,Ph.D. Program Director, Neuroengineering Barrow Neurological Institute peternsteinm...@steinmetz.org 602-406-3258 http://steinmetz.org/peter -- Live Security Virtual Conference Exclusive live event will cover all the ways today's security and threat landscape has changed and how IT managers can respond. Discussions will include endpoint security, mobile security and the latest in malware threats. http://www.accelacomm.com/jaw/sfrnl04242012/114/50122263/ ___ Nagios-users mailing list Nagios-users@lists.sourceforge.net https://lists.sourceforge.net/lists/listinfo/nagios-users ::: Please include Nagios version, plugin version (-v) and OS when reporting any issue. ::: Messages without supporting info will risk being sent to /dev/null
Re: [Nagios-users] puzzling no output from nrpe run of check_load
so it seems that the check_load needs shell rights to show any output what so ever also the --help stuff. it's kind of understandable. Eliezer On 30/04/2012 20:39, Peter N. Steinmetz wrote: > Thanks for the suggestion, gave that a try, or more precisely: > > sudo su nagios -c "more /proc/loadavg" > > after removing the password for user nagios and setting the shell to > /bin/false. > > This still produces no output. > > Very peculiar. I guess there must be something wrong with the authentication > or setup on these machines, but can't figure out what is going on here. > > auth.log contains > "Successful su for nagios by root" > right after this so that part seems all right. > > The systems are using ldap pam authentication for other users, though nagios > and other such system accounts are local in the /etc/passwd and /etc/passwd > files. The local accounts seem to work fine for this command if they have a > password and shell is set to /bin/bash, rather than /bin/false. > > cheers, > Peter > > > On Apr 27, 2012, at 9:22 AM, David Harbaugh wrote: > >> 'su -' makes the shell a login shell ... which requires a real shell, not >> /bin/false. >> >> What if you do this? >> >> sudo su nagios more /proc/loadavg >> >> Skip the -, which should run more directly, which should work even with >> /bin/false listed as the shell. >> >> If that works, then you should be able to modify your nagios command >> definition the same way ... > > > > > -- > Live Security Virtual Conference > Exclusive live event will cover all the ways today's security and > threat landscape has changed and how IT managers can respond. Discussions > will include endpoint security, mobile security and the latest in malware > threats. http://www.accelacomm.com/jaw/sfrnl04242012/114/50122263/ > ___ > Nagios-users mailing list > Nagios-users@lists.sourceforge.net > https://lists.sourceforge.net/lists/listinfo/nagios-users > ::: Please include Nagios version, plugin version (-v) and OS when reporting > any issue. > ::: Messages without supporting info will risk being sent to /dev/null -- Eliezer Croitoru https://www1.ngtech.co.il IT consulting for Nonprofit organizations eliezer ngtech.co.il -- Live Security Virtual Conference Exclusive live event will cover all the ways today's security and threat landscape has changed and how IT managers can respond. Discussions will include endpoint security, mobile security and the latest in malware threats. http://www.accelacomm.com/jaw/sfrnl04242012/114/50122263/ ___ Nagios-users mailing list Nagios-users@lists.sourceforge.net https://lists.sourceforge.net/lists/listinfo/nagios-users ::: Please include Nagios version, plugin version (-v) and OS when reporting any issue. ::: Messages without supporting info will risk being sent to /dev/null
Re: [Nagios-users] puzzling no output from nrpe run of check_load
Thanks for the suggestion, gave that a try, or more precisely: sudo su nagios -c "more /proc/loadavg" after removing the password for user nagios and setting the shell to /bin/false. This still produces no output. Very peculiar. I guess there must be something wrong with the authentication or setup on these machines, but can't figure out what is going on here. auth.log contains "Successful su for nagios by root" right after this so that part seems all right. The systems are using ldap pam authentication for other users, though nagios and other such system accounts are local in the /etc/passwd and /etc/passwd files. The local accounts seem to work fine for this command if they have a password and shell is set to /bin/bash, rather than /bin/false. cheers, Peter On Apr 27, 2012, at 9:22 AM, David Harbaugh wrote: > 'su -' makes the shell a login shell ... which requires a real shell, not > /bin/false. > > What if you do this? > > sudo su nagios more /proc/loadavg > > Skip the -, which should run more directly, which should work even with > /bin/false listed as the shell. > > If that works, then you should be able to modify your nagios command > definition the same way ... -- Live Security Virtual Conference Exclusive live event will cover all the ways today's security and threat landscape has changed and how IT managers can respond. Discussions will include endpoint security, mobile security and the latest in malware threats. http://www.accelacomm.com/jaw/sfrnl04242012/114/50122263/ ___ Nagios-users mailing list Nagios-users@lists.sourceforge.net https://lists.sourceforge.net/lists/listinfo/nagios-users ::: Please include Nagios version, plugin version (-v) and OS when reporting any issue. ::: Messages without supporting info will risk being sent to /dev/null
Re: [Nagios-users] puzzling no output from nrpe run of check_load
'su -' makes the shell a login shell ... which requires a real shell, not /bin/false. What if you do this? sudo su nagios more /proc/loadavg Skip the -, which should run more directly, which should work even with /bin/false listed as the shell. If that works, then you should be able to modify your nagios command definition the same way ... -Original Message- From: Peter N. Steinmetz [mailto:peternsteinm...@steinmetz.org] Sent: Wednesday, April 25, 2012 12:42 PM To: Nagios Users List Subject: Re: [Nagios-users] puzzling no output from nrpe run of check_load Yes, ls -l /proc/loadavg shows: -r--r--r-- 1 root root which I believe mean any user can read it. Yet, sudo su - nagios more /proc/loadavg returns nothing when the nagios user has /bin/false for a shell, and returns the expected output when the nagios user has /bin/bash for a shell. I added the following line to /etc/sudoers: nagios ALL=(ALL) NOPASSWD: /proc/loadavg but that doesn't fix the problem. thanks, Peter On Apr 25, 2012, at 9:09 AM, Alex Griffin wrote: > Does the nagios user have read access to /proc/loadavg? > > Alex Griffin > --- > Tech Team > agrif...@nagios.com > -- Live Security Virtual Conference Exclusive live event will cover all the ways today's security and threat landscape has changed and how IT managers can respond. Discussions will include endpoint security, mobile security and the latest in malware threats. http://www.accelacomm.com/jaw/sfrnl04242012/114/50122263/ ___ Nagios-users mailing list Nagios-users@lists.sourceforge.net https://lists.sourceforge.net/lists/listinfo/nagios-users ::: Please include Nagios version, plugin version (-v) and OS when reporting any issue. ::: Messages without supporting info will risk being sent to /dev/null -- Live Security Virtual Conference Exclusive live event will cover all the ways today's security and threat landscape has changed and how IT managers can respond. Discussions will include endpoint security, mobile security and the latest in malware threats. http://www.accelacomm.com/jaw/sfrnl04242012/114/50122263/ ___ Nagios-users mailing list Nagios-users@lists.sourceforge.net https://lists.sourceforge.net/lists/listinfo/nagios-users ::: Please include Nagios version, plugin version (-v) and OS when reporting any issue. ::: Messages without supporting info will risk being sent to /dev/null
Re: [Nagios-users] puzzling no output from nrpe run of check_load
Yes, ls -l /proc/loadavg shows: -r--r--r-- 1 root root which I believe mean any user can read it. Yet, sudo su - nagios more /proc/loadavg returns nothing when the nagios user has /bin/false for a shell, and returns the expected output when the nagios user has /bin/bash for a shell. I added the following line to /etc/sudoers: nagios ALL=(ALL) NOPASSWD: /proc/loadavg but that doesn't fix the problem. thanks, Peter On Apr 25, 2012, at 9:09 AM, Alex Griffin wrote: > Does the nagios user have read access to /proc/loadavg? > > Alex Griffin > --- > Tech Team > agrif...@nagios.com > -- Live Security Virtual Conference Exclusive live event will cover all the ways today's security and threat landscape has changed and how IT managers can respond. Discussions will include endpoint security, mobile security and the latest in malware threats. http://www.accelacomm.com/jaw/sfrnl04242012/114/50122263/ ___ Nagios-users mailing list Nagios-users@lists.sourceforge.net https://lists.sourceforge.net/lists/listinfo/nagios-users ::: Please include Nagios version, plugin version (-v) and OS when reporting any issue. ::: Messages without supporting info will risk being sent to /dev/null
Re: [Nagios-users] puzzling no output from nrpe run of check_load
> On Wed, Apr 25, 2012 at 04:18:26PM -0700, Peter N. Steinmetz wrote: > >> So why is it that proper functioning of the check_load plugin on the nrpe >> server requires a shell? and password for login? It does seem that the more >> correct method of operation is a non-login shell with permissions set >> appropriately in /etc/sudoers, but somehow that is not working. > > On my NRPE-monitored servers I have a nagios account with a password > in /etc/shadow of "*", and /bin/false as shell... and it still works. > (Linux. sudoers only allows root to the plugins that need them, such as > check_ide_smart.) So this is not the whole story. > > Roger This must be true, as even when the commands run fine on the command line (with a password for the nagios accounts on the nagios monitoring and nrpe servers and /bin/bash for the shell), the nagios server is still not receiving any output from the check_nrpe!check_load command to display in its web console. Curiouser and curiouser. Peter -- Live Security Virtual Conference Exclusive live event will cover all the ways today's security and threat landscape has changed and how IT managers can respond. Discussions will include endpoint security, mobile security and the latest in malware threats. http://www.accelacomm.com/jaw/sfrnl04242012/114/50122263/ ___ Nagios-users mailing list Nagios-users@lists.sourceforge.net https://lists.sourceforge.net/lists/listinfo/nagios-users ::: Please include Nagios version, plugin version (-v) and OS when reporting any issue. ::: Messages without supporting info will risk being sent to /dev/null
Re: [Nagios-users] puzzling no output from nrpe run of check_load
On Wed, Apr 25, 2012 at 04:18:26PM -0700, Peter N. Steinmetz wrote: >So why is it that proper functioning of the check_load plugin on the nrpe >server requires a shell? and password for login? It does seem that the more >correct method of operation is a non-login shell with permissions set >appropriately in /etc/sudoers, but somehow that is not working. On my NRPE-monitored servers I have a nagios account with a password in /etc/shadow of "*", and /bin/false as shell... and it still works. (Linux. sudoers only allows root to the plugins that need them, such as check_ide_smart.) So this is not the whole story. Roger -- Live Security Virtual Conference Exclusive live event will cover all the ways today's security and threat landscape has changed and how IT managers can respond. Discussions will include endpoint security, mobile security and the latest in malware threats. http://www.accelacomm.com/jaw/sfrnl04242012/114/50122263/ ___ Nagios-users mailing list Nagios-users@lists.sourceforge.net https://lists.sourceforge.net/lists/listinfo/nagios-users ::: Please include Nagios version, plugin version (-v) and OS when reporting any issue. ::: Messages without supporting info will risk being sent to /dev/null
Re: [Nagios-users] puzzling no output from nrpe run of check_load
Some more information and experimentation today. After reading the NRPE manual, I noticed that they refer to being able to log in as the nagios user and having a password. The configuration which is established by the package installations under ubuntu are to have the nagios user allowing password-less login (a ! character for the password field in /etc/shadow), but the shell set to /bin/false, so no logins can take place. After setting a password for user nagios on both the server and the remote nrpe server, and setting a shell such as /bin/bash, the system seems to work. So why is it that proper functioning of the check_load plugin on the nrpe server requires a shell? and password for login? It does seem that the more correct method of operation is a non-login shell with permissions set appropriately in /etc/sudoers, but somehow that is not working. thanks, Peter -- Live Security Virtual Conference Exclusive live event will cover all the ways today's security and threat landscape has changed and how IT managers can respond. Discussions will include endpoint security, mobile security and the latest in malware threats. http://www.accelacomm.com/jaw/sfrnl04242012/114/50122263/ ___ Nagios-users mailing list Nagios-users@lists.sourceforge.net https://lists.sourceforge.net/lists/listinfo/nagios-users ::: Please include Nagios version, plugin version (-v) and OS when reporting any issue. ::: Messages without supporting info will risk being sent to /dev/null
Re: [Nagios-users] puzzling no output from nrpe run of check_load
Yes, ls -l /proc/loadavg shows: -r--r--r-- 1 root root which I believe mean any user can read it. Yet, sudo su - nagios more /proc/loadavg returns nothing when the nagios user has /bin/false for a shell, and returns the expected output when the nagios user has /bin/bash for a shell. I added the following line to /etc/sudoers: nagios ALL=(ALL) NOPASSWD: /proc/loadavg but that doesn't fix the problem. thanks, Peter On Apr 25, 2012, at 9:09 AM, Alex Griffin wrote: > Does the nagios user have read access to /proc/loadavg? > > Alex Griffin > --- > Tech Team > agrif...@nagios.com > -- Live Security Virtual Conference Exclusive live event will cover all the ways today's security and threat landscape has changed and how IT managers can respond. Discussions will include endpoint security, mobile security and the latest in malware threats. http://www.accelacomm.com/jaw/sfrnl04242012/114/50122263/ ___ Nagios-users mailing list Nagios-users@lists.sourceforge.net https://lists.sourceforge.net/lists/listinfo/nagios-users ::: Please include Nagios version, plugin version (-v) and OS when reporting any issue. ::: Messages without supporting info will risk being sent to /dev/null
Re: [Nagios-users] puzzling no output from nrpe run of check_load
Does the nagios user have read access to /proc/loadavg? Alex Griffin --- Tech Team agrif...@nagios.com Peter N. Steinmetz wrote: > Hi, hoping someone may be able to help with this odd problem running > check_load on a remote nrpe server. > > I am running a nagios3 server on ubuntu 10.04 server (nagios3 > 3.2.0-4ubuntu2.2) and a nrpe server on ubuntu 10.10 (nagios-nrpe-server > 2.12-4ubuntu1.10.10.1, nagios-plugins 1.4.14-5ubuntu3) > > Have these both basically up and running, and the server is able to run a > check_disk command on the npre server and receives results. > > For a check_load command, however, the status information is '(No output > returned from plugin)'. > > I have looked extensively on the web for this, and it appears there are a > number of reasons this may happen. > > On the server, if I run > sudo su - nagios -c "/usr/lib/nagios/plugins/check_nrpe -H 10.41.129.36 -c > check_load" > there is nothing returned. > > If I change the user from nagios to peter, then I get the expected response. > > On the nrpe server, the same thing is happening. If I run > sudo su - nagios -c "/usr/lib/nagios/plugins/check_load -w 15,10,5 -c > 30,25,20" > there is nothing returned. If I change the user to peter it returns the > expected output. > > I've tried making the plugins all owned by nagios:nagios, that doesn't help. > I've tried adding a line for nagios to sudoers file and then adding the sudo > command prefix, that doesn't fix it when invoking the command on the nagios > server. I've also tried adding the nagios user to the admin group and that > doesn't help. > > I've enabled the debugging on the nrpe server, and for the command from the > nagios server, I see the connection and request in syslog when the user is > peter, but no such request when the user is nagios. Neither of the local > commands generate any syslog output. > > It is difficult to understand why this command, check_load, on the nrpe > server is returning output for users 'peter' and 'root' but not for user > 'nagios' when 'nagios' owns the executable. > > When I check executing the check_disk command locally on the nrpe server with > sudo su - nagios -c "/usr/lib/nagios/plugins/check_disk -w 20% -c 10% -p > /dev/sda1" > it works and returns a report. > > Curiously, if I change the nagios user to have a login shell, such as > /bin/bash, on the nrpe server, then the check_load command is returning > output, though still doesn't work from the nagios server. In neither case, > however, does the nagios user have a password. > > Both the check_load and check_disk plugins are owned by nagios:nagios and > have -rwxr-xr-x permissions, so what is the difference? > > Any suggestions appreciated. > > cheers, > Peter -- Live Security Virtual Conference Exclusive live event will cover all the ways today's security and threat landscape has changed and how IT managers can respond. Discussions will include endpoint security, mobile security and the latest in malware threats. http://www.accelacomm.com/jaw/sfrnl04242012/114/50122263/ ___ Nagios-users mailing list Nagios-users@lists.sourceforge.net https://lists.sourceforge.net/lists/listinfo/nagios-users ::: Please include Nagios version, plugin version (-v) and OS when reporting any issue. ::: Messages without supporting info will risk being sent to /dev/null
[Nagios-users] puzzling no output from nrpe run of check_load
Hi, hoping someone may be able to help with this odd problem running check_load on a remote nrpe server. I am running a nagios3 server on ubuntu 10.04 server (nagios3 3.2.0-4ubuntu2.2) and a nrpe server on ubuntu 10.10 (nagios-nrpe-server 2.12-4ubuntu1.10.10.1, nagios-plugins 1.4.14-5ubuntu3) Have these both basically up and running, and the server is able to run a check_disk command on the npre server and receives results. For a check_load command, however, the status information is '(No output returned from plugin)'. I have looked extensively on the web for this, and it appears there are a number of reasons this may happen. On the server, if I run sudo su - nagios -c "/usr/lib/nagios/plugins/check_nrpe -H 10.41.129.36 -c check_load" there is nothing returned. If I change the user from nagios to peter, then I get the expected response. On the nrpe server, the same thing is happening. If I run sudo su - nagios -c "/usr/lib/nagios/plugins/check_load -w 15,10,5 -c 30,25,20" there is nothing returned. If I change the user to peter it returns the expected output. I've tried making the plugins all owned by nagios:nagios, that doesn't help. I've tried adding a line for nagios to sudoers file and then adding the sudo command prefix, that doesn't fix it when invoking the command on the nagios server. I've also tried adding the nagios user to the admin group and that doesn't help. I've enabled the debugging on the nrpe server, and for the command from the nagios server, I see the connection and request in syslog when the user is peter, but no such request when the user is nagios. Neither of the local commands generate any syslog output. It is difficult to understand why this command, check_load, on the nrpe server is returning output for users 'peter' and 'root' but not for user 'nagios' when 'nagios' owns the executable. When I check executing the check_disk command locally on the nrpe server with sudo su - nagios -c "/usr/lib/nagios/plugins/check_disk -w 20% -c 10% -p /dev/sda1" it works and returns a report. Curiously, if I change the nagios user to have a login shell, such as /bin/bash, on the nrpe server, then the check_load command is returning output, though still doesn't work from the nagios server. In neither case, however, does the nagios user have a password. Both the check_load and check_disk plugins are owned by nagios:nagios and have -rwxr-xr-x permissions, so what is the difference? Any suggestions appreciated. cheers, Peter --- Peter N. Steinmetz -- Live Security Virtual Conference Exclusive live event will cover all the ways today's security and threat landscape has changed and how IT managers can respond. Discussions will include endpoint security, mobile security and the latest in malware threats. http://www.accelacomm.com/jaw/sfrnl04242012/114/50122263/ ___ Nagios-users mailing list Nagios-users@lists.sourceforge.net https://lists.sourceforge.net/lists/listinfo/nagios-users ::: Please include Nagios version, plugin version (-v) and OS when reporting any issue. ::: Messages without supporting info will risk being sent to /dev/null