SNRPE - Secure Nagios Remote Plugin Executor

Please note: SNRPE is not maintained any longer. Icinga 2 offers a new agent-based model for running remote checks, which is more secure and offers better performance than using (S)NRPE. For this reason, there is no need to use NRPE any longer.

Table of Content

About SNRPE

The Secure Nagios Remote Plugin Executor (SNRPE) is a wrapper around the Nagios Remote Plugin Executor (NRPE).

NRPE implements communication in an insecure way, even if encryption is enabled. SNRPE tunnels the NRPE communication through an SSH connection, using SSH for secure authentication and communication.

SNRPE is designed to work without having to install any additional software on the monitored computer. Only the (usually installed) SSH daemon is needed.

On the monitoring server, using SNRPE is as simple as replacing all references to check_nrpe with check_snrpe. Please refer to the README file in the distribution for detailed instructions.

Technically SNRPE works by having a daemon establish an SSH connection to each monitored host. The check_snrpe scripts asks this daemon for the local port number of the TCP tunnel that connects to the NRPE daemon on the remote host and then calls check_nrpe for performing the actual check.

Thus, you do not have to take care of manually assigning a local port to each monitored remote host, which makes this solution perfect for mass-deployment.

The software is licensed under the terms of the Apache License 2.0.

Getting Started

The easiest way to get started is installing the Debian package on the monitoring server. The package has been designed to work with Ubuntu 12.04 LTS (Precise Pangolin), but it might also work with other versions of Ubuntu and even with other Debian derivates. You can find the README file with configuration instructions in /usr/share/doc/nagios-snrpe-plugin/README. You can safely skip the section called "Installation", because this has already been accomplished by installing the Debian package.

On other system, you can download the bundle of binary files. SNRPE only has a few dependencies. It needs a Java runtime environment (version 6 or newer), Upstart, netcat (available as nc) and the check_nrpe executable, that it expects to be found in /usr/lib/nagios/plugins/check_nrpe. The README file in the distribution contains detailed installation and configuration instructions.

Regardless of the installation method you should consult the configuration file /etc/snrpe/snrpe.conf. This file contains comments that explain all options.

Most likely you will want to change the path to the SSH private key file. You might also want to consider strict host-key checking, however when using public-key authentication, skipping the host-key check is relatively safe (see this explanation), unless you are worried about a man-in-the-middle reporting wrong results to you.

Download

Release 1.0.0 (May 20th, 2013):

The source code can also be found in the SNRPE SVN repository.

Visit other projects on projects.marsching.org!

© 2013 Sebastian Marsching