Deploying the NSClient++ Agent through Active Directory GPOs
Deploying the NSClient++ Program through Active Directory GPOs
The NSClient++ Agent is deployed from a Microsoft Software Installer (.msi) package available and documented here. The package provides everything required to install a default NSClient++ agent. For the purposes of this article, all configurations will be applied to the Default Domain Policy Organizational Unit (OU). The OU(s) utilized in a production environment will vary depending upon the structure of the actual Active Directory domain. Save the .msi file to a shared directory. Then, open the Group Policy Management Console and edit the policy for the selected OU. The package is then selected for deployment by its shared path (<Server>\,<Share>) under the Computer Configuration > Policies > Software Settings > Software Installation policy. Upon rebooting, each server to which the GPO is applied will then install the agent. However, the configuration file will be the default installation one and not operational. The customized installation file (described below) requires a second reboot.If you also wish to support python scripting, also install the .msi file that may be downloaded here.
The .msi install will also add a Windows Firewall rule (pictured above) to allow any inbound traffic to connect to the nscp.exe process.
The following video depicts the Windows boot process and application installation, admittedly not exciting, but included as a demonstration.
Deploying the NSClient++ Agent Configuration File through Active Directory GPOs
The default configuration file -- c:\program files\nsclient++\nsclient.ini -- deployed above is not customized for a production environment. You may generate new configurations using the nsclient++ program or simply issue the following command to generate a configuration file with all options supported (but not enabled):
c:\program files\nsclient++>nscp settings --generate --add-defaults --load-all
If you have not installed the python .msi file above, you will receive an error that the python .dll file is missing; simply click through the warning an the process will complete.
A configuration file defining the live environment must be deployed to each node before the agents may communicate with the server. The nsclient.ini defines many different features (modules, Nagios Remote Plugin Executor (NRPE) Server, Nagios Service Check Acceptor (NSCA), scripts, etc.) A full description of the capabilities is beyond the scope of this article, but I will focus on modules and NRPE Server settings.
Default settings are located at the bottom of the file. These include:
allowed ciphers = [set to: ALL:!ADH:!LOW:!EXP:!MD5:@STRENGTH]Modules provide the core functionality of NSClient++. To support Nagios/Icinga check_nt, check_nrpe and NSCA commands, the following apply:
allowed hosts = [set to IP address(es) of allowed Nagios/Icinga Servers]
cache allowed hosts = true
certificate = [specify path to SSL certificate)
password = [set to shared password]
timeout = 30
use ssl = [true or false; if true, requires certificate]
verify mode = none
CheckSystem = 1 (important for supporting check_nrpe Performance Counter commands)To implement the NRPE Server, the following modifications apply:
NRPEServer = 1 (for Nagios/Icinga check_nrpe commands)
NSCAClient = 1 (for Nagios/Icinga NSCA commands)
NSCAServer = 1 (for Nagios/Icinga NSCA commands)
NSClientServer = 1 (for Nagios/Icinga check_nt commands)
allowed ciphers = ALL:!ADH:!LOW:!EXP:!MD5:@STRENGTHThese settings define the ciphers allowable, whether NSClient++ accepts arguments and normally illegal characters and the port upon which it listens. By default, use ssl = TRUE requires SSL encryption; if you disable this, any check_nrpe commands issued by the Nagios/Icinga server must include the -n option to disable SSL.
allow arguments = true
allow nasty characters = true
port = 5666
The file is deployed through the GPO Computer Configuration > Preferences > Windows Settings > Files. The illustration below depicts deploying the Zabbix Agent configuration file, but the process is the same; simply substitute the nsclient.ini file in the shared folder and GPO configuration.
Nagios/Icinga NRPE Commands
Two of the most useful groups of commands check:
- Windows Service Availability
- Windows Performance Monitoring Counters
Windows Service Availability
The easiest way to implement service checks is to define a Nagios/Icinga command:
define command {
command_name check_WinNRPEService
command_line $USER1$/check_nrpe -H $HOSTADDRESS$ -n -p 5666 -c CheckServiceState -a CheckAll exclude=WLMS exclude=ShellHWDetection
}
Where:
-H $HOSTADDRESS$ -- variable for the checked IP address
-n -- no SSL Encryption
-p 5666 -- TCP port for NRPE communications
-c CheckServiceState -- specifies a Windows Service check
-a CheckAll -- specifies to check that all automatically started services are running and all disabled services are stopped
exclude=WLMS exclude=ShellHWDetection -- excludes the Windows Licensing and Shell hardware Detection Services from the check
This command will return either OK or a list of services in the critical state.
Alternatively, this is a more granular check for individual services:
define command {
command_name <<CheckServiceState>>
command_line check_nrpe -H $HOSTADDRESS$ -p 5666 -c CheckServiceState -a ShowAll $ARG1$ $ARG2$=stopped
}
Here, the "-a ShowAll $ARG1$ $ARG2$=stopped" options specify to check if the specific service name specified in variable $ARG1$ is running and that in $ARG2$ is stopped.
Full Service Check documentation is available here.
Windows Performance Monitoring Counters
Collecting Windows Performance Monitoring Counters requires at least two variables supplied to the check_nrpe command: a name and the formatted Windows Performance Counter path. However, to get the most out of the check, it may be desirable to supply additional warning and critical threshold values. If the threshold is simple (such as exceeds 0 or less than 100), a single variable -- either --MinCrit or --MaxCrit -- is supplied. If there is both a warning and critical threshold, two variables -- either --MinWarn and --MinCrit or --MaxWarn and --MaxCrit -- are supplied. Thus, there are file possible Performance Check commands:
define command {
command_name check_WinNRPEPerf_2Arg
command_line $USER1$/check_nrpe -H $HOSTADDRESS$ -n -p 5666 -c CheckCounter -a "Counter:$ARG1$=$ARG2$" ShowAll
}
define command {
command_name check_WinNRPEPerf_3ArgMax
command_line $USER1$/check_nrpe -H $HOSTADDRESS$ -n -p 5666 -c CheckCounter -a "Counter:$ARG1$=$ARG2$" ShowAll MaxCrit=$ARG3$
}
define command {
command_name check_WinNRPEPerf_3ArgMin
command_line $USER1$/check_nrpe -H $HOSTADDRESS$ -n -p 5666 -c CheckCounter -a "Counter:$ARG1$=$ARG2$" ShowAll MinCrit=$ARG3$
}
define command {
command_name check_WinNRPEPerf_4ArgMax
command_line $USER1$/check_nrpe -H $HOSTADDRESS$ -n -p 5666 -c CheckCounter -a "Counter:$ARG1$=$ARG2$" ShowAll MaxWarn=$ARG3$ MaxCrit=$ARG4$
}
define command {
command_name check_WinNRPEPerf_4ArgMin
command_line $USER1$/check_nrpe -H $HOSTADDRESS$ -n -p 5666 -c CheckCounter -a "Counter:$ARG1$=$ARG2$" ShowAll MinWarn=$ARG3$ MinCrit=$ARG4$
}
No comments :
Post a Comment