Death 2 NRPE, Hello check_by_ssh
For the past 15 years, I have been an advocate for Nagios, as it's still the de facto monitoring solution for advanced monitoring of granular data. There have been many formidable opponents like Icinga, Datadog, OpenNMS, Cacti, Zabbix, SolarWinds and a host of others I can't remember. But one still stands out like a sore thumb: Nagios! It refuses to die.
When I was attending to a client's need for monitoring, I came across a situation where we simply could not install any agent or service on their Ubuntu & CentOS machines. However, we were allowed to use our plugins to retrieve data from the Ubuntu & CentOS systems. We tried pleading, but that led us nowhere! Instead I opted to use something from my past experience (something from over 7 years back). It was a check_by_ssh plugin that replaced the NRPE plugin completely. All I needed was to make check_by_ssh behave like check_nrpe at the configuration layer with minimum configuration. Let's look at my check_nrpe definition and see how we can adopt some best practices.
define command{
    command_name check_nrpe
    command_line $USER1$/check_nrpe -n -H $HOSTADDRESS$ -t 30 -p 4334 -c $ARG1$
}
Using the above concept, we can now create a new check_by_ssh definition just below this command definition. During the initial transition, it's best to keep both definitions.
define command{
    command_name check_by_ssh
    command_line $USER1$/check_by_ssh -4 -H $HOSTADDRESS$ -t 30 -p 22 -i /home/nagios/.ssh/id_rsa -l centos -C "$ARG1$"
}
Benefits of using check_by_ssh
For one, it reduces the complexity required by NRPE during initial setup. NRPE by itself requires the nrpe.conf file to be configured correctly with permissions & service definitions. This means that every time you upload a new monitoring plugin to a server, you need to register that plugin in nrpe.conf. With check_by_ssh, this layer is completely removed. Simply upload the plugin to /usr/local/nagios/libexec/ and start monitoring.
Secondly, you can get rid of the additional firewall rules that allow NRPE protocol access on port 4334 (or whatever port you configured it on).
And finally, it's always secured over standard SSH key authentication. Unlike with previous versions, you don't need to create & maintain a separate set of keys for NRPE and run into compatibility issues with newer SSL versions.
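Because the check_by_ssh definition above sends whatever is in $ARG1$ to the remote shell, the key in /home/nagios/.ssh/id_rsa is effectively a full login as centos unless it is restricted on the monitored host. The following is an added example, not part of the original article: a forced-command wrapper that only runs plugins from /usr/local/nagios/libexec/. The script name nagios-ssh-gate, its install path and the allowed character set are assumptions.

```shell
#!/bin/sh
# Added example, hypothetical path /usr/local/bin/nagios-ssh-gate on the
# monitored host. Pin the Nagios key to it in ~centos/.ssh/authorized_keys
# (<PUBLIC-KEY> is a placeholder):
#   restrict,command="/usr/local/bin/nagios-ssh-gate" ssh-rsa <PUBLIC-KEY> nagios
# sshd then runs this script for every login with that key and passes the
# command check_by_ssh asked for in SSH_ORIGINAL_COMMAND.

PLUGIN_DIR="${PLUGIN_DIR:-/usr/local/nagios/libexec}"

# gate_allows CMD: succeed only if CMD is one plugin in PLUGIN_DIR plus
# arguments drawn from a conservative character set.
gate_allows() {
    set -f            # no globbing while the request is split into words
    set -- $1         # positional parameters are local to this function
    set +f
    [ "$#" -gt 0 ] || return 1
    for word in "$@"; do
        # Anything outside the allow-list (separators, quotes, $, pipes,
        # redirections) rejects the whole request.
        case $word in
            *[!A-Za-z0-9._/:%=,@+_-]*) return 1 ;;
        esac
    done
    name=${1#"$PLUGIN_DIR"/}
    [ "$1" = "$PLUGIN_DIR/$name" ] || return 1   # must start with PLUGIN_DIR/
    case $name in
        ''|*/*|.*) return 1 ;;                    # no sub-paths, no ../
    esac
    [ -f "$1" ] && [ -x "$1" ]
}

gate_main() {
    if gate_allows "$SSH_ORIGINAL_COMMAND"; then
        set -f
        exec $SSH_ORIGINAL_COMMAND   # split into argv, never re-parsed by a shell
    fi
    echo "UNKNOWN - command rejected by nagios-ssh-gate"
    exit 3                           # Nagios UNKNOWN state
}

# Only act when sshd invoked us as a forced command.
[ -z "${SSH_ORIGINAL_COMMAND:-}" ] || gate_main
```

The restrict option in authorized_keys also disables port, agent and X11 forwarding and PTY allocation for that key, so it can no longer be used for an interactive session.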
Conclusion
As an alternative to NRPE, I found this to be far more convenient to set up and maintain over time. I wish I had implemented this years ago instead of recently. I further tested check_by_ssh with 250 services, and did not see the CPU spike beyond 0.3 load-avg using a dual-core/2GB server. If you wish to configure Nagios with check_by_ssh instead of NRPE, I suggest you download the check_by_ssh plugin and configure it as shown above, or get in touch with me. I'm always there to help make the world a better place :)
CKA | AWSA | RHCSA Senior Engineer - Devops at Sysco LABS Sri Lanka
3y: Interesting. Should give a try at this.
IFS Monitoring Engineer
3y: Thanks for sharing