NSCAServer

`NSCAServer` — NSCAServer¶

A server that listens for incoming NSCA connection and processes incoming requests.

Commands (Overview):

TODO: Add a list of all external commands (this is not check commands)

Configuration (Overview):

Common Keys:

Path / Section	Key	Description
`/settings/default`	`allowed hosts`	ALLOWED HOSTS
`/settings/default`	`bind to`	BIND TO ADDRESS
`/settings/default`	`cache allowed hosts`	CACHE ALLOWED HOSTS
`/settings/default`	`inbox`	INBOX
`/settings/default`	`password`	PASSWORD
`/settings/default`	`timeout`	TIMEOUT
`/settings/NSCA/server`	`encryption`	ENCRYPTION
`/settings/NSCA/server`	`payload length`	PAYLOAD LENGTH
`/settings/NSCA/server`	`performance data`	PERFORMANCE DATA
`/settings/NSCA/server`	`port`	PORT NUMBER
`/settings/NSCA/server`	`use ssl`	ENABLE SSL ENCRYPTION

Advanced keys:

Path / Section	Key	Default Value
`/settings/default`	`encoding`	NRPE PAYLOAD ENCODING
`/settings/default`	`socket queue size`	LISTEN QUEUE
`/settings/default`	`thread pool`	THREAD POOL
`/settings/NSCA/server`	`allowed ciphers`	ALLOWED CIPHERS
`/settings/NSCA/server`	`allowed hosts`	ALLOWED HOSTS
`/settings/NSCA/server`	`bind to`	BIND TO ADDRESS
`/settings/NSCA/server`	`ca`	CA
`/settings/NSCA/server`	`cache allowed hosts`	CACHE ALLOWED HOSTS
`/settings/NSCA/server`	`certificate`	SSL CERTIFICATE
`/settings/NSCA/server`	`certificate format`	CERTIFICATE FORMAT
`/settings/NSCA/server`	`certificate key`	SSL CERTIFICATE
`/settings/NSCA/server`	`dh`	DH KEY
`/settings/NSCA/server`	`inbox`	INBOX
`/settings/NSCA/server`	`password`	PASSWORD
`/settings/NSCA/server`	`socket queue size`	LISTEN QUEUE
`/settings/NSCA/server`	`ssl options`	VERIFY MODE
`/settings/NSCA/server`	`thread pool`	THREAD POOL
`/settings/NSCA/server`	`timeout`	TIMEOUT
`/settings/NSCA/server`	`verify mode`	VERIFY MODE

… default¶

/settings/default (NSCAServer)¶

Key	Default Value	Description
`allowed hosts`	127.0.0.1	ALLOWED HOSTS
`bind to`		BIND TO ADDRESS
`cache allowed hosts`	1	CACHE ALLOWED HOSTS
`encoding`		NRPE PAYLOAD ENCODING
`inbox`	inbox	INBOX
`password`		PASSWORD
`socket queue size`	0	LISTEN QUEUE
`thread pool`	10	THREAD POOL
`timeout`	30	TIMEOUT

Sample:

#
#
[/settings/default]
allowed hosts=127.0.0.1
bind to=
cache allowed hosts=1
encoding=
inbox=inbox
password=
socket queue size=0
thread pool=10
timeout=30

allowed hosts (NSCAServer, /settings/default)¶

ALLOWED HOSTS

A comaseparated list of allowed hosts. You can use netmasks (/ syntax) or * to create ranges.

Path: /settings/default

Key: allowed hosts

Default value: 127.0.0.1

Used by: CheckMKServer, NRPEServer, NSCAServer, NSClientServer, WEBServer

Sample:

[/settings/default]
# ALLOWED HOSTS
allowed hosts=127.0.0.1

bind to (NSCAServer, /settings/default)¶

BIND TO ADDRESS

Allows you to bind server to a specific local address. This has to be a dotted ip address not a host name. Leaving this blank will bind to all available IP addresses.

Path: /settings/default

Key: bind to

Default value:

Used by: CheckMKServer, NRPEServer, NSCAServer, NSClientServer, WEBServer

Sample:

[/settings/default]
# BIND TO ADDRESS
bind to=

cache allowed hosts (NSCAServer, /settings/default)¶

CACHE ALLOWED HOSTS

If host names (DNS entries) should be cached, improves speed and security somewhat but won’t allow you to have dynamic IPs for your Nagios server.

Path: /settings/default

Key: cache allowed hosts

Default value: 1

Used by: CheckMKServer, NRPEServer, NSCAServer, NSClientServer, WEBServer

Sample:

[/settings/default]
# CACHE ALLOWED HOSTS
cache allowed hosts=1

encoding (NSCAServer, /settings/default)¶

NRPE PAYLOAD ENCODING

Advanced (means it is not commonly used)

Path: /settings/default

Key: encoding

Default value:

Used by: CheckMKServer, NRPEServer, NSCAServer, NSClientServer, WEBServer

Sample:

[/settings/default]
# NRPE PAYLOAD ENCODING
encoding=

inbox (NSCAServer, /settings/default)¶

INBOX

The default channel to post incoming messages on

Path: /settings/default

Key: inbox

Default value: inbox

Used by: CheckMKServer, NRPEServer, NSCAServer, NSClientServer, WEBServer

Sample:

[/settings/default]
# INBOX
inbox=inbox

password (NSCAServer, /settings/default)¶

PASSWORD

Password used to authenticate against server

Path: /settings/default

Key: password

Default value:

Used by: CheckMKServer, NRPEServer, NSCAServer, NSClientServer, WEBServer

Sample:

[/settings/default]
# PASSWORD
password=

socket queue size (NSCAServer, /settings/default)¶

LISTEN QUEUE

Number of sockets to queue before starting to refuse new incoming connections. This can be used to tweak the amount of simultaneous sockets that the server accepts.

Advanced (means it is not commonly used)

Path: /settings/default

Key: socket queue size

Default value: 0

Used by: CheckMKServer, NRPEServer, NSCAServer, NSClientServer, WEBServer

Sample:

[/settings/default]
# LISTEN QUEUE
socket queue size=0

thread pool (NSCAServer, /settings/default)¶

THREAD POOL

Advanced (means it is not commonly used)

Path: /settings/default

Key: thread pool

Default value: 10

Used by: CheckMKServer, NRPEServer, NSCAServer, NSClientServer, WEBServer

Sample:

[/settings/default]
# THREAD POOL
thread pool=10

timeout (NSCAServer, /settings/default)¶

TIMEOUT

Timeout when reading packets on incoming sockets. If the data has not arrived within this time we will bail out.

Path: /settings/default

Key: timeout

Default value: 30

Used by: CheckMKServer, NRPEServer, NSCAServer, NSClientServer, WEBServer

Sample:

[/settings/default]
# TIMEOUT
timeout=30

… NSCA / server¶

/settings/NSCA/server (NSCAServer)¶

NSCA SERVER SECTION

Section for NSCA (NSCAServer) (check_nsca) protocol options.

Key Default Value Description

allowed ciphers ALL:!ADH:!LOW:!EXP:!MD5:@STRENGTH ALLOWED CIPHERS

allowed hosts 127.0.0.1 ALLOWED HOSTS

bind to BIND TO ADDRESS

ca ${certificate-path}/ca.pem CA

cache allowed hosts 1 CACHE ALLOWED HOSTS

certificate ${certificate-path}/certificate.pem SSL CERTIFICATE

certificate format PEM CERTIFICATE FORMAT

certificate key SSL CERTIFICATE

dh ${certificate-path}/nrpe_dh_512.pem DH KEY

encryption aes ENCRYPTION

inbox inbox INBOX

password PASSWORD

payload length 512 PAYLOAD LENGTH

performance data 1 PERFORMANCE DATA

port 5667 PORT NUMBER

socket queue size 0 LISTEN QUEUE

ssl options VERIFY MODE

thread pool 10 THREAD POOL

timeout 30 TIMEOUT

use ssl 0 ENABLE SSL ENCRYPTION

verify mode none VERIFY MODE

Sample:
# NSCA SERVER SECTION
# Section for NSCA (NSCAServer) (check_nsca) protocol options.
[/settings/NSCA/server]
allowed ciphers=ALL:!ADH:!LOW:!EXP:!MD5:@STRENGTH
allowed hosts=127.0.0.1
bind to=
ca=${certificate-path}/ca.pem
cache allowed hosts=1
certificate=${certificate-path}/certificate.pem
certificate format=PEM
certificate key=
dh=${certificate-path}/nrpe_dh_512.pem
encryption=aes
inbox=inbox
password=
payload length=512
performance data=1
port=5667
socket queue size=0
ssl options=
thread pool=10
timeout=30
use ssl=0
verify mode=none
allowed ciphers (NSCAServer, /settings/NSCA/server)¶
ALLOWED CIPHERS

The chipers which are allowed to be used.

The default here will differ is used in “insecure” mode or not. check_nrpe uses a very old chipers and should preferably not be used. For details of chipers please see the OPEN ssl documentation: https://www.openssl.org/docs/apps/ciphers.html

Advanced (means it is not commonly used)

Path: /settings/NSCA/server

Key: allowed ciphers

Default value: ALL:!ADH:!LOW:!EXP:!MD5:@STRENGTH

Used by: NSCAServer

Sample:
[/settings/NSCA/server]
# ALLOWED CIPHERS
allowed ciphers=ALL:!ADH:!LOW:!EXP:!MD5:@STRENGTH
allowed hosts (NSCAServer, /settings/NSCA/server)¶
ALLOWED HOSTS

A comaseparated list of allowed hosts. You can use netmasks (/ syntax) or * to create ranges. parent for this key is found under: /settings/default this is marked as advanced in favor of the parent.

Advanced (means it is not commonly used)

Path: /settings/NSCA/server

Key: allowed hosts

Default value: 127.0.0.1

Used by: NSCAServer

Sample:
[/settings/NSCA/server]
# ALLOWED HOSTS
allowed hosts=127.0.0.1
bind to (NSCAServer, /settings/NSCA/server)¶
BIND TO ADDRESS

Allows you to bind server to a specific local address. This has to be a dotted ip address not a host name. Leaving this blank will bind to all available IP addresses. parent for this key is found under: /settings/default this is marked as advanced in favor of the parent.

Advanced (means it is not commonly used)

Path: /settings/NSCA/server

Key: bind to

Default value:

Used by: NSCAServer

Sample:
[/settings/NSCA/server]
# BIND TO ADDRESS
bind to=
ca (NSCAServer, /settings/NSCA/server)¶
CA

Advanced (means it is not commonly used)

Path: /settings/NSCA/server

Key: ca

Default value: ${certificate-path}/ca.pem

Used by: NSCAServer

Sample:
[/settings/NSCA/server]
# CA
ca=${certificate-path}/ca.pem
cache allowed hosts (NSCAServer, /settings/NSCA/server)¶
CACHE ALLOWED HOSTS

If host names (DNS entries) should be cached, improves speed and security somewhat but won’t allow you to have dynamic IPs for your Nagios server. parent for this key is found under: /settings/default this is marked as advanced in favor of the parent.

Advanced (means it is not commonly used)

Path: /settings/NSCA/server

Key: cache allowed hosts

Default value: 1

Used by: NSCAServer

Sample:
[/settings/NSCA/server]
# CACHE ALLOWED HOSTS
cache allowed hosts=1
certificate (NSCAServer, /settings/NSCA/server)¶
SSL CERTIFICATE

Advanced (means it is not commonly used)

Path: /settings/NSCA/server

Key: certificate

Default value: ${certificate-path}/certificate.pem

Used by: NSCAServer

Sample:
[/settings/NSCA/server]
# SSL CERTIFICATE
certificate=${certificate-path}/certificate.pem
certificate format (NSCAServer, /settings/NSCA/server)¶
CERTIFICATE FORMAT

Advanced (means it is not commonly used)

Path: /settings/NSCA/server

Key: certificate format

Default value: PEM

Used by: NSCAServer

Sample:
[/settings/NSCA/server]
# CERTIFICATE FORMAT
certificate format=PEM
certificate key (NSCAServer, /settings/NSCA/server)¶
SSL CERTIFICATE

Advanced (means it is not commonly used)

Path: /settings/NSCA/server

Key: certificate key

Default value:

Used by: NSCAServer

Sample:
[/settings/NSCA/server]
# SSL CERTIFICATE
certificate key=
dh (NSCAServer, /settings/NSCA/server)¶
DH KEY

Advanced (means it is not commonly used)

Path: /settings/NSCA/server

Key: dh

Default value: ${certificate-path}/nrpe_dh_512.pem

Used by: NSCAServer

Sample:
[/settings/NSCA/server]
# DH KEY
dh=${certificate-path}/nrpe_dh_512.pem
encryption (NSCAServer, /settings/NSCA/server)¶
ENCRYPTION

Name of encryption algorithm to use.

Has to be the same as your agent i using or it wont work at all.This is also independent of SSL and generally used instead of SSL.

Available encryption algorithms are:

none = No Encryption (not safe)

xor = XOR

des = DES

3des = DES-EDE3

cast128 = CAST-128

xtea = XTEA

blowfish = Blowfish

twofish = Twofish

rc2 = RC2

aes128 = AES

aes192 = AES

aes = AES

serpent = Serpent

gost = GOST

Path: /settings/NSCA/server

Key: encryption

Default value: aes

Used by: NSCAServer

Sample:
[/settings/NSCA/server]
# ENCRYPTION
encryption=aes
inbox (NSCAServer, /settings/NSCA/server)¶
INBOX

The default channel to post incoming messages on parent for this key is found under: /settings/default this is marked as advanced in favor of the parent.

Advanced (means it is not commonly used)

Path: /settings/NSCA/server

Key: inbox

Default value: inbox

Used by: NSCAServer

Sample:
[/settings/NSCA/server]
# INBOX
inbox=inbox
password (NSCAServer, /settings/NSCA/server)¶
PASSWORD

Password used to authenticate against server parent for this key is found under: /settings/default this is marked as advanced in favor of the parent.

Advanced (means it is not commonly used)

Path: /settings/NSCA/server

Key: password

Default value:

Used by: NSCAServer

Sample:
[/settings/NSCA/server]
# PASSWORD
password=
payload length (NSCAServer, /settings/NSCA/server)¶
PAYLOAD LENGTH

Length of payload to/from the NSCA agent. This is a hard specific value so you have to “configure” (read recompile) your NSCA agent to use the same value for it to work.

Path: /settings/NSCA/server

Key: payload length

Default value: 512

Used by: NSCAServer

Sample:
[/settings/NSCA/server]
# PAYLOAD LENGTH
payload length=512
performance data (NSCAServer, /settings/NSCA/server)¶
PERFORMANCE DATA

Send performance data back to nagios (set this to false to remove all performance data).

Path: /settings/NSCA/server

Key: performance data

Default value: 1

Used by: NSCAServer

Sample:
[/settings/NSCA/server]
# PERFORMANCE DATA
performance data=1
port (NSCAServer, /settings/NSCA/server)¶
PORT NUMBER

Port to use for NSCA.

Path: /settings/NSCA/server

Key: port

Default value: 5667

Used by: NSCAServer

Sample:
[/settings/NSCA/server]
# PORT NUMBER
port=5667
socket queue size (NSCAServer, /settings/NSCA/server)¶
LISTEN QUEUE

Number of sockets to queue before starting to refuse new incoming connections. This can be used to tweak the amount of simultaneous sockets that the server accepts. parent for this key is found under: /settings/default this is marked as advanced in favor of the parent.

Advanced (means it is not commonly used)

Path: /settings/NSCA/server

Key: socket queue size

Default value: 0

Used by: NSCAServer

Sample:
[/settings/NSCA/server]
# LISTEN QUEUE
socket queue size=0
ssl options (NSCAServer, /settings/NSCA/server)¶
VERIFY MODE

Comma separated list of verification flags to set on the SSL socket.

default-workarounds Various workarounds for what I understand to be broken ssl implementations

no-sslv2 Do not use the SSLv2 protocol.

no-sslv3 Do not use the SSLv3 protocol.

no-tlsv1 Do not use the TLSv1 protocol.

single-dh-use Always create a new key when using temporary/ephemeral DH parameters. This option must be used to prevent small subgroup attacks, when the DH parameters were not generated using “strong” primes (e.g. when using DSA-parameters).

Advanced (means it is not commonly used)

Path: /settings/NSCA/server

Key: ssl options

Default value:

Used by: NSCAServer

Sample:
[/settings/NSCA/server]
# VERIFY MODE
ssl options=
thread pool (NSCAServer, /settings/NSCA/server)¶
THREAD POOL

parent for this key is found under: /settings/default this is marked as advanced in favor of the parent.

Advanced (means it is not commonly used)

Path: /settings/NSCA/server

Key: thread pool

Default value: 10

Used by: NSCAServer

Sample:
[/settings/NSCA/server]
# THREAD POOL
thread pool=10
timeout (NSCAServer, /settings/NSCA/server)¶
TIMEOUT

Timeout when reading packets on incoming sockets. If the data has not arrived within this time we will bail out. parent for this key is found under: /settings/default this is marked as advanced in favor of the parent.

Advanced (means it is not commonly used)

Path: /settings/NSCA/server

Key: timeout

Default value: 30

Used by: NSCAServer

Sample:
[/settings/NSCA/server]
# TIMEOUT
timeout=30
use ssl (NSCAServer, /settings/NSCA/server)¶
ENABLE SSL ENCRYPTION

This option controls if SSL should be enabled.

Path: /settings/NSCA/server

Key: use ssl

Default value: 0

Used by: NSCAServer

Sample:
[/settings/NSCA/server]
# ENABLE SSL ENCRYPTION
use ssl=0
verify mode (NSCAServer, /settings/NSCA/server)¶
VERIFY MODE

Comma separated list of verification flags to set on the SSL socket.

none The server will not send a client certificate request to the client, so the client will not send a certificate.

peer The server sends a client certificate request to the client and the certificate returned (if any) is checked.

fail-if-no-cert if the client did not return a certificate, the TLS/SSL handshake is immediately terminated. This flag must be used together with peer.

peer-cert Alias for peer and fail-if-no-cert.

workarounds Various bug workarounds.

single Always create a new key when using tmp_dh parameters.

client-once Only request a client certificate on the initial TLS/SSL handshake. This flag must be used together with verify-peer

Advanced (means it is not commonly used)

Path: /settings/NSCA/server

Key: verify mode

Default value: none

Used by: NSCAServer

Sample:
[/settings/NSCA/server]
# VERIFY MODE
verify mode=none

comments powered by Disqus

`NSCAServer` — NSCAServer¶

… default¶

… NSCA / server¶

Table Of Contents

Previous topic

Next topic

This Page

Key	Default Value	Description
`allowed ciphers`	ALL:!ADH:!LOW:!EXP:!MD5:@STRENGTH	ALLOWED CIPHERS
`allowed hosts`	127.0.0.1	ALLOWED HOSTS
`bind to`		BIND TO ADDRESS
`ca`	${certificate-path}/ca.pem	CA
`cache allowed hosts`	1	CACHE ALLOWED HOSTS
`certificate`	${certificate-path}/certificate.pem	SSL CERTIFICATE
`certificate format`	PEM	CERTIFICATE FORMAT
`certificate key`		SSL CERTIFICATE
`dh`	${certificate-path}/nrpe_dh_512.pem	DH KEY
`encryption`	aes	ENCRYPTION
`inbox`	inbox	INBOX
`password`		PASSWORD
`payload length`	512	PAYLOAD LENGTH
`performance data`	1	PERFORMANCE DATA
`port`	5667	PORT NUMBER
`socket queue size`	0	LISTEN QUEUE
`ssl options`		VERIFY MODE
`thread pool`	10	THREAD POOL
`timeout`	30	TIMEOUT
`use ssl`	0	ENABLE SSL ENCRYPTION
`verify mode`	none	VERIFY MODE

default-workarounds	Various workarounds for what I understand to be broken ssl implementations
no-sslv2	Do not use the SSLv2 protocol.
no-sslv3	Do not use the SSLv3 protocol.
no-tlsv1	Do not use the TLSv1 protocol.
single-dh-use	Always create a new key when using temporary/ephemeral DH parameters. This option must be used to prevent small subgroup attacks, when the DH parameters were not generated using “strong” primes (e.g. when using DSA-parameters).

none	The server will not send a client certificate request to the client, so the client will not send a certificate.
peer	The server sends a client certificate request to the client and the certificate returned (if any) is checked.
fail-if-no-cert	if the client did not return a certificate, the TLS/SSL handshake is immediately terminated. This flag must be used together with peer.
peer-cert	Alias for peer and fail-if-no-cert.
workarounds	Various bug workarounds.
single	Always create a new key when using tmp_dh parameters.
client-once	Only request a client certificate on the initial TLS/SSL handshake. This flag must be used together with verify-peer

NSCAServer — NSCAServer¶

… default¶

… NSCA / server¶

`NSCAServer` — NSCAServer¶