NRPEServer
A server that listens for incoming NRPE connection and processes incoming requests.

NRPEServer — NRPEServer

A server that listens for incoming NRPE connection and processes incoming requests.

Commands (Overview):

TODO: Add a list of all external commands (this is not check commands)

Configuration (Overview):

Common Keys:

Path / Section Key Description
/settings/default allowed hosts ALLOWED HOSTS
/settings/default bind to BIND TO ADDRESS
/settings/default cache allowed hosts CACHE ALLOWED HOSTS
/settings/default inbox INBOX
/settings/default password PASSWORD
/settings/default timeout TIMEOUT
/settings/NRPE/server allow arguments COMMAND ARGUMENT PROCESSING
/settings/NRPE/server allow nasty characters COMMAND ALLOW NASTY META CHARS
/settings/NRPE/server extended response EXTENDED RESPONSE
/settings/NRPE/server insecure ALLOW INSECURE CHIPHERS and ENCRYPTION
/settings/NRPE/server port PORT NUMBER
/settings/NRPE/server use ssl ENABLE SSL ENCRYPTION

Advanced keys:

Path / Section Key Default Value Description
/settings/default encoding NRPE PAYLOAD ENCODING  
/settings/default socket queue size LISTEN QUEUE  
/settings/default thread pool THREAD POOL  
/settings/NRPE/server allowed ciphers ALLOWED CIPHERS  
/settings/NRPE/server allowed hosts ALLOWED HOSTS  
/settings/NRPE/server bind to BIND TO ADDRESS  
/settings/NRPE/server ca CA  
/settings/NRPE/server cache allowed hosts CACHE ALLOWED HOSTS  
/settings/NRPE/server certificate SSL CERTIFICATE  
/settings/NRPE/server certificate format CERTIFICATE FORMAT  
/settings/NRPE/server certificate key SSL CERTIFICATE  
/settings/NRPE/server dh DH KEY  
/settings/NRPE/server encoding NRPE PAYLOAD ENCODING  
/settings/NRPE/server payload length PAYLOAD LENGTH  
/settings/NRPE/server performance data PERFORMANCE DATA  
/settings/NRPE/server socket queue size LISTEN QUEUE  
/settings/NRPE/server ssl options VERIFY MODE  
/settings/NRPE/server thread pool THREAD POOL  
/settings/NRPE/server timeout TIMEOUT  
/settings/NRPE/server verify mode VERIFY MODE  

… default

/settings/default (NRPEServer)
Key Default Value Description
allowed hosts 127.0.0.1 ALLOWED HOSTS
bind to   BIND TO ADDRESS
cache allowed hosts 1 CACHE ALLOWED HOSTS
encoding   NRPE PAYLOAD ENCODING
inbox inbox INBOX
password   PASSWORD
socket queue size 0 LISTEN QUEUE
thread pool 10 THREAD POOL
timeout 30 TIMEOUT

Sample:

#
#
[/settings/default]
allowed hosts=127.0.0.1
bind to=
cache allowed hosts=1
encoding=
inbox=inbox
password=
socket queue size=0
thread pool=10
timeout=30
allowed hosts (NRPEServer, /settings/default)

ALLOWED HOSTS

A comaseparated list of allowed hosts. You can use netmasks (/ syntax) or * to create ranges.

Path: /settings/default

Key: allowed hosts

Default value: 127.0.0.1

Used by: CheckMKServer, NRPEServer, NSCAServer, NSClientServer, WEBServer

Sample:

[/settings/default]
# ALLOWED HOSTS
allowed hosts=127.0.0.1
bind to (NRPEServer, /settings/default)

BIND TO ADDRESS

Allows you to bind server to a specific local address. This has to be a dotted ip address not a host name. Leaving this blank will bind to all available IP addresses.

Path: /settings/default

Key: bind to

Default value:

Used by: CheckMKServer, NRPEServer, NSCAServer, NSClientServer, WEBServer

Sample:

[/settings/default]
# BIND TO ADDRESS
bind to=
cache allowed hosts (NRPEServer, /settings/default)

CACHE ALLOWED HOSTS

If host names (DNS entries) should be cached, improves speed and security somewhat but won’t allow you to have dynamic IPs for your Nagios server.

Path: /settings/default

Key: cache allowed hosts

Default value: 1

Used by: CheckMKServer, NRPEServer, NSCAServer, NSClientServer, WEBServer

Sample:

[/settings/default]
# CACHE ALLOWED HOSTS
cache allowed hosts=1
encoding (NRPEServer, /settings/default)

NRPE PAYLOAD ENCODING

Advanced (means it is not commonly used)

Path: /settings/default

Key: encoding

Default value:

Used by: CheckMKServer, NRPEServer, NSCAServer, NSClientServer, WEBServer

Sample:

[/settings/default]
# NRPE PAYLOAD ENCODING
encoding=
inbox (NRPEServer, /settings/default)

INBOX

The default channel to post incoming messages on

Path: /settings/default

Key: inbox

Default value: inbox

Used by: CheckMKServer, NRPEServer, NSCAServer, NSClientServer, WEBServer

Sample:

[/settings/default]
# INBOX
inbox=inbox
password (NRPEServer, /settings/default)

PASSWORD

Password used to authenticate against server

Path: /settings/default

Key: password

Default value:

Used by: CheckMKServer, NRPEServer, NSCAServer, NSClientServer, WEBServer

Sample:

[/settings/default]
# PASSWORD
password=
socket queue size (NRPEServer, /settings/default)

LISTEN QUEUE

Number of sockets to queue before starting to refuse new incoming connections. This can be used to tweak the amount of simultaneous sockets that the server accepts.

Advanced (means it is not commonly used)

Path: /settings/default

Key: socket queue size

Default value: 0

Used by: CheckMKServer, NRPEServer, NSCAServer, NSClientServer, WEBServer

Sample:

[/settings/default]
# LISTEN QUEUE
socket queue size=0
thread pool (NRPEServer, /settings/default)

THREAD POOL

Advanced (means it is not commonly used)

Path: /settings/default

Key: thread pool

Default value: 10

Used by: CheckMKServer, NRPEServer, NSCAServer, NSClientServer, WEBServer

Sample:

[/settings/default]
# THREAD POOL
thread pool=10
timeout (NRPEServer, /settings/default)

TIMEOUT

Timeout when reading packets on incoming sockets. If the data has not arrived within this time we will bail out.

Path: /settings/default

Key: timeout

Default value: 30

Used by: CheckMKServer, NRPEServer, NSCAServer, NSClientServer, WEBServer

Sample:

[/settings/default]
# TIMEOUT
timeout=30

… NRPE / server

/settings/NRPE/server (NRPEServer)

NRPE SERVER SECTION

Section for NRPE (NRPEServer.dll) (check_nrpe) protocol options.
Key Default Value Description
allow arguments 0 COMMAND ARGUMENT PROCESSING
allow nasty characters 0 COMMAND ALLOW NASTY META CHARS
allowed ciphers ALL:!ADH:!LOW:!EXP:!MD5:@STRENGTH ALLOWED CIPHERS
allowed hosts 127.0.0.1 ALLOWED HOSTS
bind to   BIND TO ADDRESS
ca ${certificate-path}/ca.pem CA
cache allowed hosts 1 CACHE ALLOWED HOSTS
certificate ${certificate-path}/certificate.pem SSL CERTIFICATE
certificate format PEM CERTIFICATE FORMAT
certificate key   SSL CERTIFICATE
dh ${certificate-path}/nrpe_dh_512.pem DH KEY
encoding   NRPE PAYLOAD ENCODING
extended response 1 EXTENDED RESPONSE
insecure 0 ALLOW INSECURE CHIPHERS and ENCRYPTION
payload length 1024 PAYLOAD LENGTH
performance data 1 PERFORMANCE DATA
port 5666 PORT NUMBER
socket queue size 0 LISTEN QUEUE
ssl options   VERIFY MODE
thread pool 10 THREAD POOL
timeout 30 TIMEOUT
use ssl 1 ENABLE SSL ENCRYPTION
verify mode none VERIFY MODE

Sample:

# NRPE SERVER SECTION
# Section for NRPE (NRPEServer.dll) (check_nrpe) protocol options.
[/settings/NRPE/server]
allow arguments=0
allow nasty characters=0
allowed ciphers=ALL:!ADH:!LOW:!EXP:!MD5:@STRENGTH
allowed hosts=127.0.0.1
bind to=
ca=${certificate-path}/ca.pem
cache allowed hosts=1
certificate=${certificate-path}/certificate.pem
certificate format=PEM
certificate key=
dh=${certificate-path}/nrpe_dh_512.pem
encoding=
extended response=1
insecure=0
payload length=1024
performance data=1
port=5666
socket queue size=0
ssl options=
thread pool=10
timeout=30
use ssl=1
verify mode=none
allow arguments (NRPEServer, /settings/NRPE/server)

COMMAND ARGUMENT PROCESSING

This option determines whether or not the we will allow clients to specify arguments to commands that are executed.

Path: /settings/NRPE/server

Key: allow arguments

Default value: 0

Used by: NRPEServer

Sample:

[/settings/NRPE/server]
# COMMAND ARGUMENT PROCESSING
allow arguments=0
allow nasty characters (NRPEServer, /settings/NRPE/server)

COMMAND ALLOW NASTY META CHARS

This option determines whether or not the we will allow clients to specify nasty (as in |`&><’”\[]{}) characters in arguments.

Path: /settings/NRPE/server

Key: allow nasty characters

Default value: 0

Used by: NRPEServer

Sample:

[/settings/NRPE/server]
# COMMAND ALLOW NASTY META CHARS
allow nasty characters=0
allowed ciphers (NRPEServer, /settings/NRPE/server)

ALLOWED CIPHERS

The chipers which are allowed to be used.
The default here will differ is used in “insecure” mode or not. check_nrpe uses a very old chipers and should preferably not be used. For details of chipers please see the OPEN ssl documentation: https://www.openssl.org/docs/apps/ciphers.html

Advanced (means it is not commonly used)

Path: /settings/NRPE/server

Key: allowed ciphers

Default value: ALL:!ADH:!LOW:!EXP:!MD5:@STRENGTH

Used by: NRPEServer

Sample:

[/settings/NRPE/server]
# ALLOWED CIPHERS
allowed ciphers=ALL:!ADH:!LOW:!EXP:!MD5:@STRENGTH
allowed hosts (NRPEServer, /settings/NRPE/server)

ALLOWED HOSTS

A comaseparated list of allowed hosts. You can use netmasks (/ syntax) or * to create ranges. parent for this key is found under: /settings/default this is marked as advanced in favor of the parent.

Advanced (means it is not commonly used)

Path: /settings/NRPE/server

Key: allowed hosts

Default value: 127.0.0.1

Used by: NRPEServer

Sample:

[/settings/NRPE/server]
# ALLOWED HOSTS
allowed hosts=127.0.0.1
bind to (NRPEServer, /settings/NRPE/server)

BIND TO ADDRESS

Allows you to bind server to a specific local address. This has to be a dotted ip address not a host name. Leaving this blank will bind to all available IP addresses. parent for this key is found under: /settings/default this is marked as advanced in favor of the parent.

Advanced (means it is not commonly used)

Path: /settings/NRPE/server

Key: bind to

Default value:

Used by: NRPEServer

Sample:

[/settings/NRPE/server]
# BIND TO ADDRESS
bind to=
ca (NRPEServer, /settings/NRPE/server)

CA

Advanced (means it is not commonly used)

Path: /settings/NRPE/server

Key: ca

Default value: ${certificate-path}/ca.pem

Used by: NRPEServer

Sample:

[/settings/NRPE/server]
# CA
ca=${certificate-path}/ca.pem
cache allowed hosts (NRPEServer, /settings/NRPE/server)

CACHE ALLOWED HOSTS

If host names (DNS entries) should be cached, improves speed and security somewhat but won’t allow you to have dynamic IPs for your Nagios server. parent for this key is found under: /settings/default this is marked as advanced in favor of the parent.

Advanced (means it is not commonly used)

Path: /settings/NRPE/server

Key: cache allowed hosts

Default value: 1

Used by: NRPEServer

Sample:

[/settings/NRPE/server]
# CACHE ALLOWED HOSTS
cache allowed hosts=1
certificate (NRPEServer, /settings/NRPE/server)

SSL CERTIFICATE

Advanced (means it is not commonly used)

Path: /settings/NRPE/server

Key: certificate

Default value: ${certificate-path}/certificate.pem

Used by: NRPEServer

Sample:

[/settings/NRPE/server]
# SSL CERTIFICATE
certificate=${certificate-path}/certificate.pem
certificate format (NRPEServer, /settings/NRPE/server)

CERTIFICATE FORMAT

Advanced (means it is not commonly used)

Path: /settings/NRPE/server

Key: certificate format

Default value: PEM

Used by: NRPEServer

Sample:

[/settings/NRPE/server]
# CERTIFICATE FORMAT
certificate format=PEM
certificate key (NRPEServer, /settings/NRPE/server)

SSL CERTIFICATE

Advanced (means it is not commonly used)

Path: /settings/NRPE/server

Key: certificate key

Default value:

Used by: NRPEServer

Sample:

[/settings/NRPE/server]
# SSL CERTIFICATE
certificate key=
dh (NRPEServer, /settings/NRPE/server)

DH KEY

Advanced (means it is not commonly used)

Path: /settings/NRPE/server

Key: dh

Default value: ${certificate-path}/nrpe_dh_512.pem

Used by: NRPEServer

Sample:

[/settings/NRPE/server]
# DH KEY
dh=${certificate-path}/nrpe_dh_512.pem
encoding (NRPEServer, /settings/NRPE/server)

NRPE PAYLOAD ENCODING

parent for this key is found under: /settings/default this is marked as advanced in favor of the parent.

Advanced (means it is not commonly used)

Path: /settings/NRPE/server

Key: encoding

Default value:

Used by: NRPEServer

Sample:

[/settings/NRPE/server]
# NRPE PAYLOAD ENCODING
encoding=
extended response (NRPEServer, /settings/NRPE/server)

EXTENDED RESPONSE

Send more then 1 return packet to allow response to go beyond payload size (requires modified client if legacy is true this defaults to false).

Path: /settings/NRPE/server

Key: extended response

Default value: 1

Used by: NRPEServer

Sample:

[/settings/NRPE/server]
# EXTENDED RESPONSE
extended response=1
insecure (NRPEServer, /settings/NRPE/server)

ALLOW INSECURE CHIPHERS and ENCRYPTION

Only enable this if you are using legacy check_nrpe client.

Path: /settings/NRPE/server

Key: insecure

Default value: 0

Used by: NRPEServer

Sample:

[/settings/NRPE/server]
# ALLOW INSECURE CHIPHERS and ENCRYPTION
insecure=0
payload length (NRPEServer, /settings/NRPE/server)

PAYLOAD LENGTH

Length of payload to/from the NRPE agent. This is a hard specific value so you have to “configure” (read recompile) your NRPE agent to use the same value for it to work.

Advanced (means it is not commonly used)

Path: /settings/NRPE/server

Key: payload length

Default value: 1024

Used by: NRPEServer

Sample:

[/settings/NRPE/server]
# PAYLOAD LENGTH
payload length=1024
performance data (NRPEServer, /settings/NRPE/server)

PERFORMANCE DATA

Send performance data back to nagios (set this to 0 to remove all performance data).

Advanced (means it is not commonly used)

Path: /settings/NRPE/server

Key: performance data

Default value: 1

Used by: NRPEServer

Sample:

[/settings/NRPE/server]
# PERFORMANCE DATA
performance data=1
port (NRPEServer, /settings/NRPE/server)

PORT NUMBER

Port to use for NRPE.

Path: /settings/NRPE/server

Key: port

Default value: 5666

Used by: NRPEServer

Sample:

[/settings/NRPE/server]
# PORT NUMBER
port=5666
socket queue size (NRPEServer, /settings/NRPE/server)

LISTEN QUEUE

Number of sockets to queue before starting to refuse new incoming connections. This can be used to tweak the amount of simultaneous sockets that the server accepts. parent for this key is found under: /settings/default this is marked as advanced in favor of the parent.

Advanced (means it is not commonly used)

Path: /settings/NRPE/server

Key: socket queue size

Default value: 0

Used by: NRPEServer

Sample:

[/settings/NRPE/server]
# LISTEN QUEUE
socket queue size=0
ssl options (NRPEServer, /settings/NRPE/server)

VERIFY MODE

Comma separated list of verification flags to set on the SSL socket.
default-workarounds Various workarounds for what I understand to be broken ssl implementations
no-sslv2 Do not use the SSLv2 protocol.
no-sslv3 Do not use the SSLv3 protocol.
no-tlsv1 Do not use the TLSv1 protocol.
single-dh-use Always create a new key when using temporary/ephemeral DH parameters. This option must be used to prevent small subgroup attacks, when the DH parameters were not generated using “strong” primes (e.g. when using DSA-parameters).

Advanced (means it is not commonly used)

Path: /settings/NRPE/server

Key: ssl options

Default value:

Used by: NRPEServer

Sample:

[/settings/NRPE/server]
# VERIFY MODE
ssl options=
thread pool (NRPEServer, /settings/NRPE/server)

THREAD POOL

parent for this key is found under: /settings/default this is marked as advanced in favor of the parent.

Advanced (means it is not commonly used)

Path: /settings/NRPE/server

Key: thread pool

Default value: 10

Used by: NRPEServer

Sample:

[/settings/NRPE/server]
# THREAD POOL
thread pool=10
timeout (NRPEServer, /settings/NRPE/server)

TIMEOUT

Timeout when reading packets on incoming sockets. If the data has not arrived within this time we will bail out. parent for this key is found under: /settings/default this is marked as advanced in favor of the parent.

Advanced (means it is not commonly used)

Path: /settings/NRPE/server

Key: timeout

Default value: 30

Used by: NRPEServer

Sample:

[/settings/NRPE/server]
# TIMEOUT
timeout=30
use ssl (NRPEServer, /settings/NRPE/server)

ENABLE SSL ENCRYPTION

This option controls if SSL should be enabled.

Path: /settings/NRPE/server

Key: use ssl

Default value: 1

Used by: NRPEServer

Sample:

[/settings/NRPE/server]
# ENABLE SSL ENCRYPTION
use ssl=1
verify mode (NRPEServer, /settings/NRPE/server)

VERIFY MODE

Comma separated list of verification flags to set on the SSL socket.
none The server will not send a client certificate request to the client, so the client will not send a certificate.
peer The server sends a client certificate request to the client and the certificate returned (if any) is checked.
fail-if-no-cert if the client did not return a certificate, the TLS/SSL handshake is immediately terminated. This flag must be used together with peer.
peer-cert Alias for peer and fail-if-no-cert.
workarounds Various bug workarounds.
single Always create a new key when using tmp_dh parameters.
client-once Only request a client certificate on the initial TLS/SSL handshake. This flag must be used together with verify-peer

Advanced (means it is not commonly used)

Path: /settings/NRPE/server

Key: verify mode

Default value: none

Used by: NRPEServer

Sample:

[/settings/NRPE/server]
# VERIFY MODE
verify mode=none
comments powered by Disqus