10.09.2011, 19:13 UTC+2

Sie sind nicht angemeldet.

[SOLVED] NRPE version force Check "Not authorized"

bad_crow

Anfänger

Beiträge: 12

Anzahl Nagios-Server: 1

Nagios-Version(en): Icinga 1.5

Verteiltes Monitoring: Nein

Redundantes Monitoring: Nein

Anzahl-Hosts: 40

Anzahl Services: 300

Betriebssystem(e): CentOS

Plugin-Version(en): 1.4.15

IDO-Version: 1.4

1

10.08.2011, 16:23

[SOLVED] NRPE version force Check "Not authorized"

Hi,

When I force Check services it works for all services except 2 and those 2 fail on all machines, NRPE Version et NSC++ version, however they pass with the standard scheduling of nagios.
I got "not authorized" error but I have other services using NRPE and they all pass.

Of course I'm logged in as admin, the CGI file allows me to do everything.
Authentified with htpasswd method (working well too, I have read only users using it too)

The server is CentOS 6.0, Icinga was installed with git.
I have weathermap, nagiosQL, PNP4nagios, jasper reports, icinga-web and IDOUtils on that server too.

I see nothing unusual in /usr/local/icinga/var/icinga.log.

The message suggest that I have a right problem, so let see permissions even if the executable works well for other commands...
icinga user : icinga
icinga-command-group : icinga-cmd (icinga and apache included)
apache user : apache
icinga.cmd => user : icinga / groupe : icinga-cmd in 770 ; tried 777 with no luck
icinga.lock => user & group : icinga in 755
plugins => user & group : icinga in 750
nrpe : user & group : icinga in 775 ; placed in /usr/local/icinga/bin with symlink "nrpe" in 777 in /usr/bin/ for NRPE to be included in PATH.

NRPE
./configure --prefix=/usr/local/icinga --with-nagios-user=icinga --with-nagios-group=icinga --with-nrpe-user=icinga --with-nrpe-group=icinga
PLUGINS

./configure --prefix=/usr/local/icinga --with-nagios-user=icinga --with-nagios-group=icinga


I'm stuck on it, no matter what I do, nothing changes.


Has anyone an Idea ? I'll take every little hint. I'm sure that's right in front of me but I can't see it...

Thanks in advance.
Have a good day.

Dieser Beitrag wurde bereits 1 mal editiert, zuletzt von »bad_crow« (19.08.2011, 13:56)

Wolfgang

Erleuchteter

Beiträge: 5 598

Geschlecht: Männlich

Anzahl Nagios-Server: 2

Nagios-Version(en): 3.2.1

Icinga-Version(en): Icinga 1.0.1

Verteiltes Monitoring: Nein

Redundantes Monitoring: Nein

Anzahl-Hosts: >70

Anzahl Services: >200

Betriebssystem(e): SLES10

Plugin-Version(en): 1.4.11

Sonstige Addon's: NRPE 2.6, NSCA 2.7, PNP 0.4.14 / 0.6

2

10.08.2011, 20:39

To execute commands you have to be an authorised contact of the object. Please check the host/service definitions of these two objects if you are contact. "not authorized" is the message in the classic UI?
Nagios-Doc: Wiki-Format (3.x) oder als (3.0.6)

Icinga-Doc: (de) (en)

PNP-Troubleshooting (de) (en)

bad_crow

Anfänger

Beiträge: 12

Anzahl Nagios-Server: 1

Nagios-Version(en): Icinga 1.5

Verteiltes Monitoring: Nein

Redundantes Monitoring: Nein

Anzahl-Hosts: 40

Anzahl Services: 300

Betriebssystem(e): CentOS

Plugin-Version(en): 1.4.15

IDO-Version: 1.4

3

10.08.2011, 22:44

Hi,

Yes, that's the classic UI (nagios like).
For the contact, that's a good hint, since it's a migration from a nagios 3, I'll need to check if the account in contacts is nagiosadmin or icingaadmin which I was logged in with.
I'll do that as soon as I'll get back to work tomorrow.

Thanks for the hint.
I'll keep you posted.

bad_crow

Anfänger

Beiträge: 12

Anzahl Nagios-Server: 1

Nagios-Version(en): Icinga 1.5

Verteiltes Monitoring: Nein

Redundantes Monitoring: Nein

Anzahl-Hosts: 40

Anzahl Services: 300

Betriebssystem(e): CentOS

Plugin-Version(en): 1.4.15

IDO-Version: 1.4

4

11.08.2011, 09:28

Hi,



Contact was indeed nagiosadmin, changed to icingaadmin with no effect.

added icingaadmin to service contact and host contact. No change.



Is there anything else to do to "authorize" the contact ?

The thing that disturbs me most is that some checks pass... and other don't...



Any other idea ?

Wolfgang

Erleuchteter

Beiträge: 5 598

Geschlecht: Männlich

Anzahl Nagios-Server: 2

Nagios-Version(en): 3.2.1

Icinga-Version(en): Icinga 1.0.1

Verteiltes Monitoring: Nein

Redundantes Monitoring: Nein

Anzahl-Hosts: >70

Anzahl Services: >200

Betriebssystem(e): SLES10

Plugin-Version(en): 1.4.11

Sonstige Addon's: NRPE 2.6, NSCA 2.7, PNP 0.4.14 / 0.6

5

11.08.2011, 11:24

Please check the entries in objects.cache and verify that you have the contact you expect.
Nagios-Doc: Wiki-Format (3.x) oder als (3.0.6)

Icinga-Doc: (de) (en)

PNP-Troubleshooting (de) (en)

bad_crow

Anfänger

Beiträge: 12

Anzahl Nagios-Server: 1

Nagios-Version(en): Icinga 1.5

Verteiltes Monitoring: Nein

Redundantes Monitoring: Nein

Anzahl-Hosts: 40

Anzahl Services: 300

Betriebssystem(e): CentOS

Plugin-Version(en): 1.4.15

IDO-Version: 1.4

6

11.08.2011, 14:34

yep, that's in for every entry of the host, for the buggy service.

Both icingaadmin and contact group admins are defined as expected.

bad_crow

Anfänger

Beiträge: 12

Anzahl Nagios-Server: 1

Nagios-Version(en): Icinga 1.5

Verteiltes Monitoring: Nein

Redundantes Monitoring: Nein

Anzahl-Hosts: 40

Anzahl Services: 300

Betriebssystem(e): CentOS

Plugin-Version(en): 1.4.15

IDO-Version: 1.4

7

16.08.2011, 09:14

Anyone has another idea ? still not solved for me.

bad_crow

Anfänger

Beiträge: 12

Anzahl Nagios-Server: 1

Nagios-Version(en): Icinga 1.5

Verteiltes Monitoring: Nein

Redundantes Monitoring: Nein

Anzahl-Hosts: 40

Anzahl Services: 300

Betriebssystem(e): CentOS

Plugin-Version(en): 1.4.15

IDO-Version: 1.4

8

18.08.2011, 11:20

Hi.
Here is what I made since last post.
Reinstalled/upgraded nrpe, icinga (with api) and icinga web from icinga's git repo, today an hour ago.

No error in install, upgrade has gone well (version changed) but still no improvement.

I can publish every command line used during my install if this can help to diagnose what happens. Please let met now if you want them.

Wolfgang

Erleuchteter

Beiträge: 5 598

Geschlecht: Männlich

Anzahl Nagios-Server: 2

Nagios-Version(en): 3.2.1

Icinga-Version(en): Icinga 1.0.1

Verteiltes Monitoring: Nein

Redundantes Monitoring: Nein

Anzahl-Hosts: >70

Anzahl Services: >200

Betriebssystem(e): SLES10

Plugin-Version(en): 1.4.11

Sonstige Addon's: NRPE 2.6, NSCA 2.7, PNP 0.4.14 / 0.6

9

18.08.2011, 12:08

So far I wouldn't expect that to be a installation but a configuration issue. If other checks work what is the difference between the two failing and the working ones?
Nagios-Doc: Wiki-Format (3.x) oder als (3.0.6)

Icinga-Doc: (de) (en)

PNP-Troubleshooting (de) (en)

bad_crow

Anfänger

Beiträge: 12

Anzahl Nagios-Server: 1

Nagios-Version(en): Icinga 1.5

Verteiltes Monitoring: Nein

Redundantes Monitoring: Nein

Anzahl-Hosts: 40

Anzahl Services: 300

Betriebssystem(e): CentOS

Plugin-Version(en): 1.4.15

IDO-Version: 1.4

10

18.08.2011, 17:05

Well.
here are the commands
buggy one :
check_nrpe -H $HOSTADDRESS$ -u -c $ARG1$ with ARG1=CHECKVERSION

normal ones :
check_nrpe -H $HOSTADDRESS$ -u -c $ARG1$ with ARG1=check_windows_version
check_nrpe -H $HOSTADDRESS$ -u -c $ARG1$ with ARG1=check_all_services -a '/s:localhost /e:"Journaux et alertes de performance" $_HOSTSERV_AUTO$'

Everything else seems perfectly the same (same templates, same hosts, same contacts).
Checked on several other services, same result, configuration really close, some of them have a template PNP added for perf data for example.

Local command execution works perfectly fine (which expalins that normal checks (non-forced) are OK).
Thanks for trying to help.

Dieser Beitrag wurde bereits 2 mal editiert, zuletzt von »bad_crow« (18.08.2011, 17:23)

Wolfgang

Erleuchteter

Beiträge: 5 598

Geschlecht: Männlich

Anzahl Nagios-Server: 2

Nagios-Version(en): 3.2.1

Icinga-Version(en): Icinga 1.0.1

Verteiltes Monitoring: Nein

Redundantes Monitoring: Nein

Anzahl-Hosts: >70

Anzahl Services: >200

Betriebssystem(e): SLES10

Plugin-Version(en): 1.4.11

Sonstige Addon's: NRPE 2.6, NSCA 2.7, PNP 0.4.14 / 0.6

11

18.08.2011, 17:31

Just to get you right: "check_nrpe -H $HOSTADDRESS$ -u -c $ARG1$ with ARG1=CHECKVERSION" works perfectly if they are scheduled regularly but fail if you try to force to run these commands via the classic command interface?
Please show the relevant portion from nsc.ini for "CHECKVERSION".
Nagios-Doc: Wiki-Format (3.x) oder als (3.0.6)

Icinga-Doc: (de) (en)

PNP-Troubleshooting (de) (en)

bad_crow

Anfänger

Beiträge: 12

Anzahl Nagios-Server: 1

Nagios-Version(en): Icinga 1.5

Verteiltes Monitoring: Nein

Redundantes Monitoring: Nein

Anzahl-Hosts: 40

Anzahl Services: 300

Betriebssystem(e): CentOS

Plugin-Version(en): 1.4.15

IDO-Version: 1.4

12

18.08.2011, 17:48

Here is something somewhat more complete : (changed names and IP)
Sorry for the long message but at least you will have an idea of the config

Here is an example host (all NRPE enabled server are configured the same way) :

Quellcode

 
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21

define host {
        host_name                       hostname
        alias                           Controleur de domaine 
        display_name                    hostname
        address                         hostaddress
        parents                         mpls
        check_command                   check-host-alive
        use                             windows-server
        _CPU_CRIT                       90%
        _CPU_WARN                       80%
        _ESP_C_CRIT                     5%
        _ESP_C_WARN                     8%
        _MEM_PAGED_CRIT                 95%
        _MEM_PAGED_WARN                 90%
        _MEM_PHYS_CRIT                  95%
        _MEM_PHYS_WARN                  90%
        _MEM_VIRT_CRIT                  95%
        _MEM_VIRT_WARN                  90%
        _SERV_AUTO                      ,"Performance Logs and Alerts"
        register                        1
}


The used host template

Quellcode

 
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18

define host {
        name                            windows-server
        hostgroups                      windows-servers
        check_command                   check-host-alive
        use                             generic-host
        max_check_attempts              10
        check_interval                  5
        retry_interval                  1
        check_period                    24x7
        contact_groups                  admins
        notification_interval           0
        notification_period             24x7
        notification_options            d,u,r
        icon_image                      windows_server.jpg
        vrml_image                      windows_server.png
        statusmap_image                 windows_server.gd2
        register                        0
}



Then we pass to services :
first normal ones :

Quellcode

 
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17

define service {
        host_name                       hostname1,hostname2
        service_description             Sys-Win Version
        display_name                    Sys-Win Version
        use                             generic-service,service-1jour
        check_command                   check_nrpe!check_windows_version
        register                        1
}

define service {
        host_name                       hostname1,hostname2
        service_description             Sys-Serv Controle des services demarres en automatique
        display_name                    Sys-Serv Controle des services demarres en automatique
        use                             generic-service
        check_command                   check_nrpe!check_all_services -a '/s:localhost /e:"Journaux et alertes de performance" $_HOSTSERV_AUTO$'
        register                        1
}



Buggy service (contacts have been added on your advice that's why they now differ but it didn't resolve the problem):

Quellcode

 
1
2
3
4
5
6
7
8
9
10

define service {
        host_name                       hostname1,hostname2
        service_description             Version NSCLIENT++ nrpe
        display_name                    Version NSCLIENT++ nrpe
        use                             generic-service
        check_command                   check_nrpe!CHECKVERSION
        contacts                        icingaadmin
        contact_groups                  admins
        register                        1
}


Let see the command :

Quellcode

 
1
2
3
4
5

define command {
        command_name                    check_nrpe
        command_line                    $USER1$/check_nrpe -H $HOSTADDRESS$ -u -c $ARG1$
        register                        1
}


Now service templates :

Quellcode

 
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45

define service {
        name                            generic-service
        is_volatile                     0
        max_check_attempts              3
        check_interval                  3
        retry_interval                  2
        active_checks_enabled           1
        passive_checks_enabled          1
        check_period                    24x7
        obsess_over_service             1
        check_freshness                 0
        event_handler_enabled           1
        flap_detection_enabled          1
        process_perf_data               1
        retain_status_information       1
        retain_nonstatus_information    1
        notification_interval           60
        notification_period             24x7
        notification_options            w,u,r,c
        notifications_enabled           1
        register                        0
}       

define service {
        name                            local-service
        max_check_attempts              4
        check_interval                  5
        retry_interval                  1
        register                        0
}       

define service {
        name                            service-1jour
        service_description             Service execution journaliere
        check_interval                  1440
        notification_interval           0
        register                        0
}       

define service {
        name                            service-pnp
        service_description             Service avec Performance Datas
        action_url                      /pnp4nagios/graph?host=$HOSTNAME$&srv=$SERVICEDESC$' class='tips' rel='/pnp4nagios/popup?host=$HOSTNAME$&srv=$SERVICEDESC$
        register                        0
}



Contact informations :

Quellcode

 
1
2
3
4
5
6
7
8
9
10
11
12
13
14

define contactgroup {
        contactgroup_name               admins
        alias                           Nagios Administrators
        members                         icingaadmin
        register                        1
}       

define contact {
        contact_name                    icingaadmin
        alias                           Icinga Admin
        email                           icingaadmin
        use                             generic-contact
        register                        1
        }

Wolfgang

Erleuchteter

Beiträge: 5 598

Geschlecht: Männlich

Anzahl Nagios-Server: 2

Nagios-Version(en): 3.2.1

Icinga-Version(en): Icinga 1.0.1

Verteiltes Monitoring: Nein

Redundantes Monitoring: Nein

Anzahl-Hosts: >70

Anzahl Services: >200

Betriebssystem(e): SLES10

Plugin-Version(en): 1.4.11

Sonstige Addon's: NRPE 2.6, NSCA 2.7, PNP 0.4.14 / 0.6

13

18.08.2011, 18:35

Despite the long message it seems that posting #11 hasn't been answered at all :wacko:.
Nagios-Doc: Wiki-Format (3.x) oder als (3.0.6)

Icinga-Doc: (de) (en)

PNP-Troubleshooting (de) (en)

bad_crow

Anfänger

Beiträge: 12

Anzahl Nagios-Server: 1

Nagios-Version(en): Icinga 1.5

Verteiltes Monitoring: Nein

Redundantes Monitoring: Nein

Anzahl-Hosts: 40

Anzahl Services: 300

Betriebssystem(e): CentOS

Plugin-Version(en): 1.4.15

IDO-Version: 1.4

14

19.08.2011, 09:45

Yep sorry, didn't see your post, seems like I was already writing when you posted it.

To summarize :
normally scheduled checks => OK
Manual execution via shell on icinga server (root user) => OK
Manual execution via shell on icinga server (icinga user) => OK
forced check via classic interface (icingaadmin (account created when installed with all CGI)) => not authorized

For the NSC.ini, I don't have direct access to it. So I have to wait for someone to give it to me (also asked for local logs).
Shouldn't take long. I hope to be able to post it before leaving work today. If lucky, maybe before lunch (it's 9.45 am here)

bad_crow

Anfänger

Beiträge: 12

Anzahl Nagios-Server: 1

Nagios-Version(en): Icinga 1.5

Verteiltes Monitoring: Nein

Redundantes Monitoring: Nein

Anzahl-Hosts: 40

Anzahl Services: 300

Betriebssystem(e): CentOS

Plugin-Version(en): 1.4.15

IDO-Version: 1.4

15

19.08.2011, 11:08

Well, I just had a look at NSC.ini et NSC.log.
I have nothing for CHECKVERSION.
This seems to be hardcoded in NRPE and NSC protocols since there is no config and that the command works by a distant shell.
Logs are clean, only a refused access from an IP that has nothing to do with my server.

another hint, When I force check, service that work appear in icinga.log, the buggy ones don't appear. Strange isn't it ? I would expect a log to show all errors and warnings...
Seems like it's an interface based problem to me.

Forgot to let you a copy of the CGI file in last post, it may have some importance, so here it is:

Quellcode

 
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43

main_config_file=/usr/local/icinga/etc/icinga.cfg

physical_html_path=/usr/local/icinga/share
url_html_path=/icinga
url_stylesheets_path=/icinga/stylesheets
http_charset=utf-8
show_context_help=0
use_pending_states=1
use_logging=0
cgi_log_file=/usr/local/icinga/share/log/icinga-cgi.log
cgi_log_rotation_method=d
cgi_log_archive_path=/usr/local/icinga/share/log
enforce_comments_on_actions=0
first_day_of_week=0
use_authentication=1
use_ssl_authentication=0

authorized_for_system_information=icingaadmin
authorized_for_configuration_information=icingaadmin
authorized_for_system_commands=icingaadmin
authorized_for_all_services=icingaadmin
authorized_for_all_hosts=icingaadmin
authorized_for_all_service_commands=icingaadmin
authorized_for_all_host_commands=icingaadmin

show_all_services_host_is_authorized_for=1
show_partial_hostgroups=0
default_statusmap_layout=5
default_statuswrl_layout=4
ping_syntax=/bin/ping -n -U -c 5 $HOSTADDRESS$
refresh_rate=90
escape_html_tags=1
persistent_ack_comments=0
action_url_target=main
notes_url_target=main
lock_author_names=1
default_downtime_duration=7200
status_show_long_plugin_output=0
tac_show_only_hard_state=0
suppress_maintenance_downtime=0
show_tac_header=1
show_tac_header_pending=1
tab_friendly_titles=1


Thanks again for your help.

Dieser Beitrag wurde bereits 1 mal editiert, zuletzt von »bad_crow« (19.08.2011, 11:20)

bad_crow

Anfänger

Beiträge: 12

Anzahl Nagios-Server: 1

Nagios-Version(en): Icinga 1.5

Verteiltes Monitoring: Nein

Redundantes Monitoring: Nein

Anzahl-Hosts: 40

Anzahl Services: 300

Betriebssystem(e): CentOS

Plugin-Version(en): 1.4.15

IDO-Version: 1.4

16

19.08.2011, 11:50

Added a clean host (2008R2 fresh install with latest NSclient, default config).
Command worked.

So I indeed have a config problem at NSC level. That's crazy neither Icinga nor NRPE logged the error...
Still don"t understand why command passed by shell...
I will check this out and keep you posted.

Thanks for the help.

bad_crow

Anfänger

Beiträge: 12

Anzahl Nagios-Server: 1

Nagios-Version(en): Icinga 1.5

Verteiltes Monitoring: Nein

Redundantes Monitoring: Nein

Anzahl-Hosts: 40

Anzahl Services: 300

Betriebssystem(e): CentOS

Plugin-Version(en): 1.4.15

IDO-Version: 1.4

17

19.08.2011, 13:56

Well, finally not NSC...
When I added the 2008 I created a service specially for it.
When I tried to get the buggy service to work on the newly added host, I got the bug again, with for only difference the name...
It was the ++ in the service name...
Renamed the service and everything is now working...

So problem solved.
What a shame for 2 little things...
More over, it worked with the ++ on the obsolete server which was a nagios.

Anyway, thank you very much for your help.

Ähnliche Themen

    • PNP »
    • configuring rrd graph min and max levels (27.01.2010, 21:00)
    • AddOns »
    • [solved] Problem mit mysql.so bei Installation "Business Process View" (12.12.2007, 13:23)
    • Plugins »
    • [Gelöst] Linux-Prozesse abfragen?! (21.12.2006, 15:43)
    • PNP »
    • Schwellwert-Darstellung bei PNP-Graphen (19.10.2006, 10:52)