send_nsca

Paul L. Allen pla at softflare.com
Wed Jul 20 01:52:52 CEST 2005
Previous message: send_nsca
Next message: send_nsca
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]
Marc Powell writes: 

> If you can connect to the remote host you're monitoring from your
> nagios host directly then you should be looking at NRPE or check-by-ssh,
> not NSCA.

Sorry, but I dispute that claim.  All three methods have advantages and
disadvantages which may be important in specific circumstances.  I'll
discuss their general advantages and disadvantages even though you were
responding to the specific case where the monitored machines were directly
reachable (all of them have advantages and disadvantages even in that
situation). 

NRPE's configuration files do not remotely resemble their counterparts on
nagios.  If you're using NRPE to have a firewall check machines behind
the firewall then NRPE becomes a complete pain in the nether regions.
NRPE's security depends entirely on checking the IP address of the
monitoring server, and NRPE security is totally incompatible with a
monitoring server which is on dynamic or semi-static IP (I won't mention
any pointy-haired bosses I work for by name, or detail their clueless
ukases, but our monitoring server is on semi-static IP which means NRPE
would have no security).  NRPE scales badly (even if it's no worse than
linear, eventually you outstrip the capability of your monitoring host). 

Check_by_ssh works but, unless you are very clever, the checks of remote
machines using check_by_ssh cannot be automatically converted from direct
equivalents.  And as Andreas has pointed out, there are security issues
if somebody compromises your nagios server (but as I pointed out, it's
more likely that the monitored machines are vulnerable than the monitoring
machine).  Perhaps a bigger problem is the protocol overhead of ssh and
the load it imposes at both ends.  Check_by_ssh scales worse than NRPE
because it has more overhead. 

NSCA works, but you're stuck with passive monitoring.  Get things wrong
and you'll get lots of false alerts because of stale check results.
However, the services file on the remote monitor can be processed very
easily by a script to produce the relevant chunk of the services file on
the master nagios server.  NSCA scales a lot better than NRPE or
check_by_ssh.  NSCA has its own encryption mechanisms so it's as secure
(if you choose the right encryption method) as check_by_ssh and far more
secure than NRPE.  NSCA can cope with a monitoring host that has dynamic
or semi-static IP provided you have some sort of dynamic DNS way of
referring to the monitoring host.  NSCA is far less of a hassle to deal
with machines behind firewalls than NRPE or check_by_ssh.  If you have
more than one monitored domain which you wish to have separate passwords
then you have to run multiple instances of NRPE on different ports. 

There are advantages and disadvantages to all three mechanisms (and I
doubt I've listed all of the advantages and disadvantages for any of them).
Which one is best for you is a matter of what weight you give to those
advantages and disadvantages in your particular circumstances.  To say that
one should use check_by_ssh or NRPE simply because one can connect to the
monitored hosts directly, is (IMHO) incorrect.  If you're checking
thousands of hosts then you probably need the scalability of NSCA.  If
you're checking hosts behind firewalls without direct connections then the
complications of using NRPE may be too much work if there are lots of
hosts to monitor.  If any of the security concerns Andreas raised affect
you then check_by_ssh is not an option.  NSCA is my preferred option
because in my circumstances it's the least worst of the three for
several reasons. 

Horses for courses.  In most of the situations I can conceive of, NSCA
is the best (least worst) choice.  But I know that the situations I can
conceive of are limited by my imagination, by what I have needed to do
myself, and by what I have read of the needs of others.  I would not
(unless drunk or otherwise incapacitated - which happens frequently)
specify any of the three options as being THE correct way to do things in
a given situation.  If sober enough I would explain that there are
tradeoffs and whilst it might appear to me from the limited description of
the situation posted here that one of those seems better than the others
that  the decision has to be made by the person involved with full
knowledge of the situation and the tradeoffs.  Hosts being directly
reachable is just one of that factors that needs to be considered. 

-- 
Paul Allen
Softflare Support 



-------------------------------------------------------
SF.Net email is sponsored by: Discover Easy Linux Migration Strategies
from IBM. Find simple to follow Roadmaps, straightforward articles,
informative Webcasts and more! Get everything you need to get up to
speed, fast. http://ads.osdn.com/?ad_id=7477&alloc_id=16492&op=click
_______________________________________________
Nagios-users mailing list
Nagios-users at lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/nagios-users
::: Please include Nagios version, plugin version (-v) and OS when reporting any issue. 
::: Messages without supporting info will risk being sent to /dev/null
Previous message: send_nsca
Next message: send_nsca
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]
More information about the Users mailing list