NRPEServer¶
A server that listens for incoming NRPE connection and processes incoming requests.
Configuration¶
Path / Section | Description |
---|---|
/settings/default | |
/settings/NRPE/server | NRPE Server |
/settings/default ¶
Key | Default Value | Description |
---|---|---|
allowed hosts | 127.0.0.1 | ALLOWED HOSTS |
bind to | BIND TO ADDRESS | |
cache allowed hosts | true | CACHE ALLOWED HOSTS |
encoding | NRPE PAYLOAD ENCODING | |
inbox | inbox | INBOX |
password | PASSWORD | |
socket queue size | 0 | LISTEN QUEUE |
thread pool | 10 | THREAD POOL |
timeout | 30 | TIMEOUT |
# [/settings/default] allowed hosts=127.0.0.1 cache allowed hosts=true inbox=inbox socket queue size=0 thread pool=10 timeout=30
ALLOWED HOSTS ¶
A comma separated list of allowed hosts. You can use netmasks (/ syntax) or * to create ranges.
Key | Description |
---|---|
Path: | /settings/default |
Key: | allowed hosts |
Default value: | 127.0.0.1 |
Used by: | CheckMKServer, NRPEServer, NSCAServer, NSClientServer, WEBServer |
Sample:
[/settings/default] # ALLOWED HOSTS allowed hosts=127.0.0.1
BIND TO ADDRESS ¶
Allows you to bind server to a specific local address. This has to be a dotted ip address not a host name. Leaving this blank will bind to all available IP addresses.
Key | Description |
---|---|
Path: | /settings/default |
Key: | bind to |
Default value: | N/A |
Used by: | CheckMKServer, NRPEServer, NSCAServer, NSClientServer, WEBServer |
Sample:
[/settings/default] # BIND TO ADDRESS bind to=
CACHE ALLOWED HOSTS ¶
If host names (DNS entries) should be cached, improves speed and security somewhat but won’t allow you to have dynamic IPs for your Nagios server.
Key | Description |
---|---|
Path: | /settings/default |
Key: | cache allowed hosts |
Default value: | true |
Used by: | CheckMKServer, NRPEServer, NSCAServer, NSClientServer, WEBServer |
Sample:
[/settings/default] # CACHE ALLOWED HOSTS cache allowed hosts=true
NRPE PAYLOAD ENCODING ¶
Key | Description |
---|---|
Path: | /settings/default |
Key: | encoding |
Advanced: | Yes (means it is not commonly used) |
Default value: | N/A |
Used by: | CheckMKServer, NRPEServer, NSCAServer, NSClientServer, WEBServer |
Sample:
[/settings/default] # NRPE PAYLOAD ENCODING encoding=
INBOX ¶
The default channel to post incoming messages on
Key | Description |
---|---|
Path: | /settings/default |
Key: | inbox |
Default value: | inbox |
Used by: | CheckMKServer, NRPEServer, NSCAServer, NSClientServer, WEBServer |
Sample:
[/settings/default] # INBOX inbox=inbox
PASSWORD ¶
Password used to authenticate against server
Key | Description |
---|---|
Path: | /settings/default |
Key: | password |
Default value: | N/A |
Used by: | CheckMKServer, NRPEServer, NSCAServer, NSClientServer, WEBServer |
Sample:
[/settings/default] # PASSWORD password=
LISTEN QUEUE ¶
Number of sockets to queue before starting to refuse new incoming connections. This can be used to tweak the amount of simultaneous sockets that the server accepts.
Key | Description |
---|---|
Path: | /settings/default |
Key: | socket queue size |
Advanced: | Yes (means it is not commonly used) |
Default value: | 0 |
Used by: | CheckMKServer, NRPEServer, NSCAServer, NSClientServer, WEBServer |
Sample:
[/settings/default] # LISTEN QUEUE socket queue size=0
THREAD POOL ¶
Key | Description |
---|---|
Path: | /settings/default |
Key: | thread pool |
Advanced: | Yes (means it is not commonly used) |
Default value: | 10 |
Used by: | CheckMKServer, NRPEServer, NSCAServer, NSClientServer, WEBServer |
Sample:
[/settings/default] # THREAD POOL thread pool=10
TIMEOUT ¶
Timeout when reading packets on incoming sockets. If the data has not arrived within this time we will bail out.
Key | Description |
---|---|
Path: | /settings/default |
Key: | timeout |
Default value: | 30 |
Used by: | CheckMKServer, NRPEServer, NSCAServer, NSClientServer, WEBServer |
Sample:
[/settings/default] # TIMEOUT timeout=30
NRPE Server ¶
Section for NRPE (NRPEServer.dll) (check_nrpe) protocol options.
Key | Default Value | Description |
---|---|---|
allow arguments | false | COMMAND ARGUMENT PROCESSING |
allow nasty characters | false | COMMAND ALLOW NASTY META CHARS |
allowed ciphers | ALL:!ADH:!LOW:!EXP:!MD5:@STRENGTH | ALLOWED CIPHERS |
allowed hosts | 127.0.0.1 | ALLOWED HOSTS |
bind to | BIND TO ADDRESS | |
ca | ${certificate-path}/ca.pem | CA |
cache allowed hosts | true | CACHE ALLOWED HOSTS |
certificate | ${certificate-path}/certificate.pem | SSL CERTIFICATE |
certificate format | PEM | CERTIFICATE FORMAT |
certificate key | SSL CERTIFICATE | |
dh | ${certificate-path}/nrpe_dh_512.pem | DH KEY |
encoding | NRPE PAYLOAD ENCODING | |
extended response | true | EXTENDED RESPONSE |
insecure | false | ALLOW INSECURE CHIPHERS and ENCRYPTION |
payload length | 1024 | PAYLOAD LENGTH |
performance data | true | PERFORMANCE DATA |
port | 5666 | PORT NUMBER |
socket queue size | 0 | LISTEN QUEUE |
ssl options | VERIFY MODE | |
thread pool | 10 | THREAD POOL |
timeout | 30 | TIMEOUT |
use ssl | true | ENABLE SSL ENCRYPTION |
verify mode | none | VERIFY MODE |
# Section for NRPE (NRPEServer.dll) (check_nrpe) protocol options. [/settings/NRPE/server] allow arguments=false allow nasty characters=false allowed ciphers=ALL:!ADH:!LOW:!EXP:!MD5:@STRENGTH allowed hosts=127.0.0.1 ca=${certificate-path}/ca.pem cache allowed hosts=true certificate=${certificate-path}/certificate.pem certificate format=PEM dh=${certificate-path}/nrpe_dh_512.pem extended response=true insecure=false payload length=1024 performance data=true port=5666 socket queue size=0 thread pool=10 timeout=30 use ssl=true verify mode=none
COMMAND ARGUMENT PROCESSING ¶
This option determines whether or not the we will allow clients to specify arguments to commands that are executed.
Key | Description |
---|---|
Path: | /settings/NRPE/server |
Key: | allow arguments |
Default value: | false |
Used by: | NRPEServer |
Sample:
[/settings/NRPE/server] # COMMAND ARGUMENT PROCESSING allow arguments=false
COMMAND ALLOW NASTY META CHARS ¶
This option determines whether or not the we will allow clients to specify nasty (as in |`&><’“\[]{}) characters in arguments.
Key | Description |
---|---|
Path: | /settings/NRPE/server |
Key: | allow nasty characters |
Default value: | false |
Used by: | NRPEServer |
Sample:
[/settings/NRPE/server] # COMMAND ALLOW NASTY META CHARS allow nasty characters=false
ALLOWED CIPHERS ¶
The chipers which are allowed to be used. The default here will differ is used in “insecure” mode or not. check_nrpe uses a very old chipers and should preferably not be used. For details of chipers please see the OPEN ssl documentation: https://www.openssl.org/docs/apps/ciphers.html
Key | Description |
---|---|
Path: | /settings/NRPE/server |
Key: | allowed ciphers |
Advanced: | Yes (means it is not commonly used) |
Default value: | ALL:!ADH:!LOW:!EXP:!MD5:@STRENGTH |
Used by: | NRPEServer |
Sample:
[/settings/NRPE/server] # ALLOWED CIPHERS allowed ciphers=ALL:!ADH:!LOW:!EXP:!MD5:@STRENGTH
ALLOWED HOSTS ¶
A comma separated list of allowed hosts. You can use netmasks (/ syntax) or * to create ranges. parent for this key is found under: /settings/default this is marked as advanced in favor of the parent.
Key | Description |
---|---|
Path: | /settings/NRPE/server |
Key: | allowed hosts |
Advanced: | Yes (means it is not commonly used) |
Default value: | 127.0.0.1 |
Used by: | NRPEServer |
Sample:
[/settings/NRPE/server] # ALLOWED HOSTS allowed hosts=127.0.0.1
BIND TO ADDRESS ¶
Allows you to bind server to a specific local address. This has to be a dotted ip address not a host name. Leaving this blank will bind to all available IP addresses. parent for this key is found under: /settings/default this is marked as advanced in favor of the parent.
Key | Description |
---|---|
Path: | /settings/NRPE/server |
Key: | bind to |
Advanced: | Yes (means it is not commonly used) |
Default value: | N/A |
Used by: | NRPEServer |
Sample:
[/settings/NRPE/server] # BIND TO ADDRESS bind to=
CA ¶
Key | Description |
---|---|
Path: | /settings/NRPE/server |
Key: | ca |
Advanced: | Yes (means it is not commonly used) |
Default value: | ${certificate-path}/ca.pem |
Used by: | NRPEServer |
Sample:
[/settings/NRPE/server] # CA ca=${certificate-path}/ca.pem
CACHE ALLOWED HOSTS ¶
If host names (DNS entries) should be cached, improves speed and security somewhat but won’t allow you to have dynamic IPs for your Nagios server. parent for this key is found under: /settings/default this is marked as advanced in favor of the parent.
Key | Description |
---|---|
Path: | /settings/NRPE/server |
Key: | cache allowed hosts |
Advanced: | Yes (means it is not commonly used) |
Default value: | true |
Used by: | NRPEServer |
Sample:
[/settings/NRPE/server] # CACHE ALLOWED HOSTS cache allowed hosts=true
SSL CERTIFICATE ¶
Key | Description |
---|---|
Path: | /settings/NRPE/server |
Key: | certificate |
Advanced: | Yes (means it is not commonly used) |
Default value: | ${certificate-path}/certificate.pem |
Used by: | NRPEServer |
Sample:
[/settings/NRPE/server] # SSL CERTIFICATE certificate=${certificate-path}/certificate.pem
CERTIFICATE FORMAT ¶
Key | Description |
---|---|
Path: | /settings/NRPE/server |
Key: | certificate format |
Advanced: | Yes (means it is not commonly used) |
Default value: | PEM |
Used by: | NRPEServer |
Sample:
[/settings/NRPE/server] # CERTIFICATE FORMAT certificate format=PEM
SSL CERTIFICATE ¶
Key | Description |
---|---|
Path: | /settings/NRPE/server |
Key: | certificate key |
Advanced: | Yes (means it is not commonly used) |
Default value: | N/A |
Used by: | NRPEServer |
Sample:
[/settings/NRPE/server] # SSL CERTIFICATE certificate key=
DH KEY ¶
Key | Description |
---|---|
Path: | /settings/NRPE/server |
Key: | dh |
Advanced: | Yes (means it is not commonly used) |
Default value: | ${certificate-path}/nrpe_dh_512.pem |
Used by: | NRPEServer |
Sample:
[/settings/NRPE/server] # DH KEY dh=${certificate-path}/nrpe_dh_512.pem
NRPE PAYLOAD ENCODING ¶
parent for this key is found under: /settings/default this is marked as advanced in favor of the parent.
Key | Description |
---|---|
Path: | /settings/NRPE/server |
Key: | encoding |
Advanced: | Yes (means it is not commonly used) |
Default value: | N/A |
Used by: | NRPEServer |
Sample:
[/settings/NRPE/server] # NRPE PAYLOAD ENCODING encoding=
EXTENDED RESPONSE ¶
Send more then 1 return packet to allow response to go beyond payload size (requires modified client if legacy is true this defaults to false).
Key | Description |
---|---|
Path: | /settings/NRPE/server |
Key: | extended response |
Default value: | true |
Used by: | NRPEServer |
Sample:
[/settings/NRPE/server] # EXTENDED RESPONSE extended response=true
ALLOW INSECURE CHIPHERS and ENCRYPTION ¶
Only enable this if you are using legacy check_nrpe client.
Key | Description |
---|---|
Path: | /settings/NRPE/server |
Key: | insecure |
Default value: | false |
Used by: | NRPEServer |
Sample:
[/settings/NRPE/server] # ALLOW INSECURE CHIPHERS and ENCRYPTION insecure=false
PAYLOAD LENGTH ¶
Length of payload to/from the NRPE agent. This is a hard specific value so you have to “configure” (read recompile) your NRPE agent to use the same value for it to work.
Key | Description |
---|---|
Path: | /settings/NRPE/server |
Key: | payload length |
Advanced: | Yes (means it is not commonly used) |
Default value: | 1024 |
Used by: | NRPEServer |
Sample:
[/settings/NRPE/server] # PAYLOAD LENGTH payload length=1024
PERFORMANCE DATA ¶
Send performance data back to nagios (set this to 0 to remove all performance data).
Key | Description |
---|---|
Path: | /settings/NRPE/server |
Key: | performance data |
Advanced: | Yes (means it is not commonly used) |
Default value: | true |
Used by: | NRPEServer |
Sample:
[/settings/NRPE/server] # PERFORMANCE DATA performance data=true
PORT NUMBER ¶
Port to use for NRPE.
Key | Description |
---|---|
Path: | /settings/NRPE/server |
Key: | port |
Default value: | 5666 |
Used by: | NRPEServer |
Sample:
[/settings/NRPE/server] # PORT NUMBER port=5666
LISTEN QUEUE ¶
Number of sockets to queue before starting to refuse new incoming connections. This can be used to tweak the amount of simultaneous sockets that the server accepts. parent for this key is found under: /settings/default this is marked as advanced in favor of the parent.
Key | Description |
---|---|
Path: | /settings/NRPE/server |
Key: | socket queue size |
Advanced: | Yes (means it is not commonly used) |
Default value: | 0 |
Used by: | NRPEServer |
Sample:
[/settings/NRPE/server] # LISTEN QUEUE socket queue size=0
VERIFY MODE ¶
Comma separated list of verification flags to set on the SSL socket.
default-workarounds Various workarounds for what I understand to be broken ssl implementations no-sslv2 Do not use the SSLv2 protocol. no-sslv3 Do not use the SSLv3 protocol. no-tlsv1 Do not use the TLSv1 protocol. single-dh-use Always create a new key when using temporary/ephemeral DH parameters. This option must be used to prevent small subgroup attacks, when the DH parameters were not generated using “strong” primes (e.g. when using DSA-parameters).
Key | Description |
---|---|
Path: | /settings/NRPE/server |
Key: | ssl options |
Advanced: | Yes (means it is not commonly used) |
Default value: | N/A |
Used by: | NRPEServer |
Sample:
[/settings/NRPE/server] # VERIFY MODE ssl options=
THREAD POOL ¶
parent for this key is found under: /settings/default this is marked as advanced in favor of the parent.
Key | Description |
---|---|
Path: | /settings/NRPE/server |
Key: | thread pool |
Advanced: | Yes (means it is not commonly used) |
Default value: | 10 |
Used by: | NRPEServer |
Sample:
[/settings/NRPE/server] # THREAD POOL thread pool=10
TIMEOUT ¶
Timeout when reading packets on incoming sockets. If the data has not arrived within this time we will bail out. parent for this key is found under: /settings/default this is marked as advanced in favor of the parent.
Key | Description |
---|---|
Path: | /settings/NRPE/server |
Key: | timeout |
Advanced: | Yes (means it is not commonly used) |
Default value: | 30 |
Used by: | NRPEServer |
Sample:
[/settings/NRPE/server] # TIMEOUT timeout=30
ENABLE SSL ENCRYPTION ¶
This option controls if SSL should be enabled.
Key | Description |
---|---|
Path: | /settings/NRPE/server |
Key: | use ssl |
Default value: | true |
Used by: | NRPEServer |
Sample:
[/settings/NRPE/server] # ENABLE SSL ENCRYPTION use ssl=true
VERIFY MODE ¶
Comma separated list of verification flags to set on the SSL socket.
none The server will not send a client certificate request to the client, so the client will not send a certificate. peer The server sends a client certificate request to the client and the certificate returned (if any) is checked. fail-if-no-cert if the client did not return a certificate, the TLS/SSL handshake is immediately terminated. This flag must be used together with peer. peer-cert Alias for peer and fail-if-no-cert. workarounds Various bug workarounds. single Always create a new key when using tmp_dh parameters. client-once Only request a client certificate on the initial TLS/SSL handshake. This flag must be used together with verify-peer
Key | Description |
---|---|
Path: | /settings/NRPE/server |
Key: | verify mode |
Advanced: | Yes (means it is not commonly used) |
Default value: | none |
Used by: | NRPEServer |
Sample:
[/settings/NRPE/server] # VERIFY MODE verify mode=none