NRPEServer
NRPEServer
— NRPEServer¶A server that listens for incoming NRPE connection and processes incoming requests.
Commands (Overview):
TODO: Add a list of all external commands (this is not check commands)
Configuration (Overview):
Common Keys:
Path / Section | Key | Description |
---|---|---|
/settings/default |
allowed hosts |
ALLOWED HOSTS |
/settings/default |
bind to |
BIND TO ADDRESS |
/settings/default |
cache allowed hosts |
CACHE ALLOWED HOSTS |
/settings/default |
inbox |
INBOX |
/settings/default |
password |
PASSWORD |
/settings/default |
timeout |
TIMEOUT |
/settings/NRPE/server |
allow arguments |
COMMAND ARGUMENT PROCESSING |
/settings/NRPE/server |
allow nasty characters |
COMMAND ALLOW NASTY META CHARS |
/settings/NRPE/server |
extended response |
EXTENDED RESPONSE |
/settings/NRPE/server |
insecure |
ALLOW INSECURE CHIPHERS and ENCRYPTION |
/settings/NRPE/server |
port |
PORT NUMBER |
/settings/NRPE/server |
use ssl |
ENABLE SSL ENCRYPTION |
Advanced keys:
/settings/default
(NRPEServer)¶Key | Default Value | Description |
---|---|---|
allowed hosts |
127.0.0.1 | ALLOWED HOSTS |
bind to |
BIND TO ADDRESS | |
cache allowed hosts |
1 | CACHE ALLOWED HOSTS |
encoding |
NRPE PAYLOAD ENCODING | |
inbox |
inbox | INBOX |
password |
PASSWORD | |
socket queue size |
0 | LISTEN QUEUE |
thread pool |
10 | THREAD POOL |
timeout |
30 | TIMEOUT |
Sample:
#
#
[/settings/default]
allowed hosts=127.0.0.1
bind to=
cache allowed hosts=1
encoding=
inbox=inbox
password=
socket queue size=0
thread pool=10
timeout=30
allowed hosts
(NRPEServer, /settings/default)¶ALLOWED HOSTS
Path: /settings/default
Key: allowed hosts
Default value: 127.0.0.1
Used by: CheckMKServer
, NRPEServer
, NSCAServer
, NSClientServer
, WEBServer
Sample:
[/settings/default]
# ALLOWED HOSTS
allowed hosts=127.0.0.1
bind to
(NRPEServer, /settings/default)¶BIND TO ADDRESS
Path: /settings/default
Key: bind to
Default value:
Used by: CheckMKServer
, NRPEServer
, NSCAServer
, NSClientServer
, WEBServer
Sample:
[/settings/default]
# BIND TO ADDRESS
bind to=
cache allowed hosts
(NRPEServer, /settings/default)¶CACHE ALLOWED HOSTS
Path: /settings/default
Key: cache allowed hosts
Default value: 1
Used by: CheckMKServer
, NRPEServer
, NSCAServer
, NSClientServer
, WEBServer
Sample:
[/settings/default]
# CACHE ALLOWED HOSTS
cache allowed hosts=1
encoding
(NRPEServer, /settings/default)¶NRPE PAYLOAD ENCODING
Advanced (means it is not commonly used)
Path: /settings/default
Key: encoding
Default value:
Used by: CheckMKServer
, NRPEServer
, NSCAServer
, NSClientServer
, WEBServer
Sample:
[/settings/default]
# NRPE PAYLOAD ENCODING
encoding=
inbox
(NRPEServer, /settings/default)¶INBOX
Path: /settings/default
Key: inbox
Default value: inbox
Used by: CheckMKServer
, NRPEServer
, NSCAServer
, NSClientServer
, WEBServer
Sample:
[/settings/default]
# INBOX
inbox=inbox
password
(NRPEServer, /settings/default)¶PASSWORD
Path: /settings/default
Key: password
Default value:
Used by: CheckMKServer
, NRPEServer
, NSCAServer
, NSClientServer
, WEBServer
Sample:
[/settings/default]
# PASSWORD
password=
socket queue size
(NRPEServer, /settings/default)¶LISTEN QUEUE
Advanced (means it is not commonly used)
Path: /settings/default
Key: socket queue size
Default value: 0
Used by: CheckMKServer
, NRPEServer
, NSCAServer
, NSClientServer
, WEBServer
Sample:
[/settings/default]
# LISTEN QUEUE
socket queue size=0
thread pool
(NRPEServer, /settings/default)¶THREAD POOL
Advanced (means it is not commonly used)
Path: /settings/default
Key: thread pool
Default value: 10
Used by: CheckMKServer
, NRPEServer
, NSCAServer
, NSClientServer
, WEBServer
Sample:
[/settings/default]
# THREAD POOL
thread pool=10
timeout
(NRPEServer, /settings/default)¶TIMEOUT
Path: /settings/default
Key: timeout
Default value: 30
Used by: CheckMKServer
, NRPEServer
, NSCAServer
, NSClientServer
, WEBServer
Sample:
[/settings/default]
# TIMEOUT
timeout=30
/settings/NRPE/server
(NRPEServer)¶NRPE SERVER SECTION
Section for NRPE (NRPEServer.dll) (check_nrpe) protocol options.
Key Default Value Description allow arguments
0 COMMAND ARGUMENT PROCESSING allow nasty characters
0 COMMAND ALLOW NASTY META CHARS allowed ciphers
ALL:!ADH:!LOW:!EXP:!MD5:@STRENGTH ALLOWED CIPHERS allowed hosts
127.0.0.1 ALLOWED HOSTS bind to
BIND TO ADDRESS ca
${certificate-path}/ca.pem CA cache allowed hosts
1 CACHE ALLOWED HOSTS certificate
${certificate-path}/certificate.pem SSL CERTIFICATE certificate format
PEM CERTIFICATE FORMAT certificate key
SSL CERTIFICATE dh
${certificate-path}/nrpe_dh_512.pem DH KEY encoding
NRPE PAYLOAD ENCODING extended response
1 EXTENDED RESPONSE insecure
0 ALLOW INSECURE CHIPHERS and ENCRYPTION payload length
1024 PAYLOAD LENGTH performance data
1 PERFORMANCE DATA port
5666 PORT NUMBER socket queue size
0 LISTEN QUEUE ssl options
VERIFY MODE thread pool
10 THREAD POOL timeout
30 TIMEOUT use ssl
1 ENABLE SSL ENCRYPTION verify mode
none VERIFY MODE Sample:
# NRPE SERVER SECTION # Section for NRPE (NRPEServer.dll) (check_nrpe) protocol options. [/settings/NRPE/server] allow arguments=0 allow nasty characters=0 allowed ciphers=ALL:!ADH:!LOW:!EXP:!MD5:@STRENGTH allowed hosts=127.0.0.1 bind to= ca=${certificate-path}/ca.pem cache allowed hosts=1 certificate=${certificate-path}/certificate.pem certificate format=PEM certificate key= dh=${certificate-path}/nrpe_dh_512.pem encoding= extended response=1 insecure=0 payload length=1024 performance data=1 port=5666 socket queue size=0 ssl options= thread pool=10 timeout=30 use ssl=1 verify mode=none
allow arguments
(NRPEServer, /settings/NRPE/server)¶COMMAND ARGUMENT PROCESSING
This option determines whether or not the we will allow clients to specify arguments to commands that are executed.Path: /settings/NRPE/server
Key: allow arguments
Default value: 0
Used by:
NRPEServer
Sample:
[/settings/NRPE/server] # COMMAND ARGUMENT PROCESSING allow arguments=0
allow nasty characters
(NRPEServer, /settings/NRPE/server)¶COMMAND ALLOW NASTY META CHARS
This option determines whether or not the we will allow clients to specify nasty (as in |`&><’”\[]{}) characters in arguments.Path: /settings/NRPE/server
Key: allow nasty characters
Default value: 0
Used by:
NRPEServer
Sample:
[/settings/NRPE/server] # COMMAND ALLOW NASTY META CHARS allow nasty characters=0
allowed ciphers
(NRPEServer, /settings/NRPE/server)¶ALLOWED CIPHERS
The chipers which are allowed to be used.The default here will differ is used in “insecure” mode or not. check_nrpe uses a very old chipers and should preferably not be used. For details of chipers please see the OPEN ssl documentation: https://www.openssl.org/docs/apps/ciphers.htmlAdvanced (means it is not commonly used)
Path: /settings/NRPE/server
Key: allowed ciphers
Default value: ALL:!ADH:!LOW:!EXP:!MD5:@STRENGTH
Used by:
NRPEServer
Sample:
[/settings/NRPE/server] # ALLOWED CIPHERS allowed ciphers=ALL:!ADH:!LOW:!EXP:!MD5:@STRENGTH
allowed hosts
(NRPEServer, /settings/NRPE/server)¶ALLOWED HOSTS
A comaseparated list of allowed hosts. You can use netmasks (/ syntax) or * to create ranges. parent for this key is found under: /settings/default this is marked as advanced in favor of the parent.Advanced (means it is not commonly used)
Path: /settings/NRPE/server
Key: allowed hosts
Default value: 127.0.0.1
Used by:
NRPEServer
Sample:
[/settings/NRPE/server] # ALLOWED HOSTS allowed hosts=127.0.0.1
bind to
(NRPEServer, /settings/NRPE/server)¶BIND TO ADDRESS
Allows you to bind server to a specific local address. This has to be a dotted ip address not a host name. Leaving this blank will bind to all available IP addresses. parent for this key is found under: /settings/default this is marked as advanced in favor of the parent.Advanced (means it is not commonly used)
Path: /settings/NRPE/server
Key: bind to
Default value:
Used by:
NRPEServer
Sample:
[/settings/NRPE/server] # BIND TO ADDRESS bind to=
ca
(NRPEServer, /settings/NRPE/server)¶CA
Advanced (means it is not commonly used)
Path: /settings/NRPE/server
Key: ca
Default value: ${certificate-path}/ca.pem
Used by:
NRPEServer
Sample:
[/settings/NRPE/server] # CA ca=${certificate-path}/ca.pem
cache allowed hosts
(NRPEServer, /settings/NRPE/server)¶CACHE ALLOWED HOSTS
If host names (DNS entries) should be cached, improves speed and security somewhat but won’t allow you to have dynamic IPs for your Nagios server. parent for this key is found under: /settings/default this is marked as advanced in favor of the parent.Advanced (means it is not commonly used)
Path: /settings/NRPE/server
Key: cache allowed hosts
Default value: 1
Used by:
NRPEServer
Sample:
[/settings/NRPE/server] # CACHE ALLOWED HOSTS cache allowed hosts=1
certificate
(NRPEServer, /settings/NRPE/server)¶SSL CERTIFICATE
Advanced (means it is not commonly used)
Path: /settings/NRPE/server
Key: certificate
Default value: ${certificate-path}/certificate.pem
Used by:
NRPEServer
Sample:
[/settings/NRPE/server] # SSL CERTIFICATE certificate=${certificate-path}/certificate.pem
certificate format
(NRPEServer, /settings/NRPE/server)¶CERTIFICATE FORMAT
Advanced (means it is not commonly used)
Path: /settings/NRPE/server
Key: certificate format
Default value: PEM
Used by:
NRPEServer
Sample:
[/settings/NRPE/server] # CERTIFICATE FORMAT certificate format=PEM
certificate key
(NRPEServer, /settings/NRPE/server)¶SSL CERTIFICATE
Advanced (means it is not commonly used)
Path: /settings/NRPE/server
Key: certificate key
Default value:
Used by:
NRPEServer
Sample:
[/settings/NRPE/server] # SSL CERTIFICATE certificate key=
dh
(NRPEServer, /settings/NRPE/server)¶DH KEY
Advanced (means it is not commonly used)
Path: /settings/NRPE/server
Key: dh
Default value: ${certificate-path}/nrpe_dh_512.pem
Used by:
NRPEServer
Sample:
[/settings/NRPE/server] # DH KEY dh=${certificate-path}/nrpe_dh_512.pem
encoding
(NRPEServer, /settings/NRPE/server)¶NRPE PAYLOAD ENCODING
parent for this key is found under: /settings/default this is marked as advanced in favor of the parent.Advanced (means it is not commonly used)
Path: /settings/NRPE/server
Key: encoding
Default value:
Used by:
NRPEServer
Sample:
[/settings/NRPE/server] # NRPE PAYLOAD ENCODING encoding=
extended response
(NRPEServer, /settings/NRPE/server)¶EXTENDED RESPONSE
Send more then 1 return packet to allow response to go beyond payload size (requires modified client if legacy is true this defaults to false).Path: /settings/NRPE/server
Key: extended response
Default value: 1
Used by:
NRPEServer
Sample:
[/settings/NRPE/server] # EXTENDED RESPONSE extended response=1
insecure
(NRPEServer, /settings/NRPE/server)¶ALLOW INSECURE CHIPHERS and ENCRYPTION
Only enable this if you are using legacy check_nrpe client.Path: /settings/NRPE/server
Key: insecure
Default value: 0
Used by:
NRPEServer
Sample:
[/settings/NRPE/server] # ALLOW INSECURE CHIPHERS and ENCRYPTION insecure=0
payload length
(NRPEServer, /settings/NRPE/server)¶PAYLOAD LENGTH
Length of payload to/from the NRPE agent. This is a hard specific value so you have to “configure” (read recompile) your NRPE agent to use the same value for it to work.Advanced (means it is not commonly used)
Path: /settings/NRPE/server
Key: payload length
Default value: 1024
Used by:
NRPEServer
Sample:
[/settings/NRPE/server] # PAYLOAD LENGTH payload length=1024
performance data
(NRPEServer, /settings/NRPE/server)¶PERFORMANCE DATA
Send performance data back to nagios (set this to 0 to remove all performance data).Advanced (means it is not commonly used)
Path: /settings/NRPE/server
Key: performance data
Default value: 1
Used by:
NRPEServer
Sample:
[/settings/NRPE/server] # PERFORMANCE DATA performance data=1
port
(NRPEServer, /settings/NRPE/server)¶PORT NUMBER
Port to use for NRPE.Path: /settings/NRPE/server
Key: port
Default value: 5666
Used by:
NRPEServer
Sample:
[/settings/NRPE/server] # PORT NUMBER port=5666
socket queue size
(NRPEServer, /settings/NRPE/server)¶LISTEN QUEUE
Number of sockets to queue before starting to refuse new incoming connections. This can be used to tweak the amount of simultaneous sockets that the server accepts. parent for this key is found under: /settings/default this is marked as advanced in favor of the parent.Advanced (means it is not commonly used)
Path: /settings/NRPE/server
Key: socket queue size
Default value: 0
Used by:
NRPEServer
Sample:
[/settings/NRPE/server] # LISTEN QUEUE socket queue size=0
ssl options
(NRPEServer, /settings/NRPE/server)¶VERIFY MODE
Comma separated list of verification flags to set on the SSL socket.
default-workarounds Various workarounds for what I understand to be broken ssl implementations no-sslv2 Do not use the SSLv2 protocol. no-sslv3 Do not use the SSLv3 protocol. no-tlsv1 Do not use the TLSv1 protocol. single-dh-use Always create a new key when using temporary/ephemeral DH parameters. This option must be used to prevent small subgroup attacks, when the DH parameters were not generated using “strong” primes (e.g. when using DSA-parameters). Advanced (means it is not commonly used)
Path: /settings/NRPE/server
Key: ssl options
Default value:
Used by:
NRPEServer
Sample:
[/settings/NRPE/server] # VERIFY MODE ssl options=
thread pool
(NRPEServer, /settings/NRPE/server)¶THREAD POOL
parent for this key is found under: /settings/default this is marked as advanced in favor of the parent.Advanced (means it is not commonly used)
Path: /settings/NRPE/server
Key: thread pool
Default value: 10
Used by:
NRPEServer
Sample:
[/settings/NRPE/server] # THREAD POOL thread pool=10
timeout
(NRPEServer, /settings/NRPE/server)¶TIMEOUT
Timeout when reading packets on incoming sockets. If the data has not arrived within this time we will bail out. parent for this key is found under: /settings/default this is marked as advanced in favor of the parent.Advanced (means it is not commonly used)
Path: /settings/NRPE/server
Key: timeout
Default value: 30
Used by:
NRPEServer
Sample:
[/settings/NRPE/server] # TIMEOUT timeout=30
use ssl
(NRPEServer, /settings/NRPE/server)¶ENABLE SSL ENCRYPTION
This option controls if SSL should be enabled.Path: /settings/NRPE/server
Key: use ssl
Default value: 1
Used by:
NRPEServer
Sample:
[/settings/NRPE/server] # ENABLE SSL ENCRYPTION use ssl=1
verify mode
(NRPEServer, /settings/NRPE/server)¶VERIFY MODE
Comma separated list of verification flags to set on the SSL socket.
none The server will not send a client certificate request to the client, so the client will not send a certificate. peer The server sends a client certificate request to the client and the certificate returned (if any) is checked. fail-if-no-cert if the client did not return a certificate, the TLS/SSL handshake is immediately terminated. This flag must be used together with peer. peer-cert Alias for peer and fail-if-no-cert. workarounds Various bug workarounds. single Always create a new key when using tmp_dh parameters. client-once Only request a client certificate on the initial TLS/SSL handshake. This flag must be used together with verify-peer Advanced (means it is not commonly used)
Path: /settings/NRPE/server
Key: verify mode
Default value: none
Used by:
NRPEServer
Sample:
[/settings/NRPE/server] # VERIFY MODE verify mode=none