NRPE vs. check_by_ssh

Idriss ARABBAJ arabbaj at gmail.com
Wed Mar 25 12:35:58 CET 2009


Hi Kevin,

I carefully read your speech about this subject and I found that you
insist a lot on the security offered by ssh, but you can also configure
nrpe to work with ssl, so I think we will have no difference at this
level. What do you think?
Best regards

2009/3/25 Kevin Keane <subscription at kkeane.com>:
> I think you are comparing apples and oranges here, because in most
> situations that I can think of, the decision is dictated by the network
> topology. If you are exclusively on a trusted private network,
> check_by_ssh really doesn't offer any benefits. Conversely, if your
> topology involves the Internet or some other untrusted network (WiFi),
> then you wouldn't want NRPE in the first place.
>
> The only exception to the above that I can think of is when it comes to
> deciding between using check_by_ssh over an untrusted network, vs. NRPE
> through some other kind of tunnel or VPN. But in that case, you'd incur
> encryption overhead either way, and the comparison is very different
> from the question you asked.
>
> All that said: I don't have any first-hand experience, but I suspect
> that the impact of establishing 2200 ssh connections in a five-minute
> span (assuming that you are using a five-minute check interval) is
> pretty substantial. The main impact actually lies in establishing and
> tearing down the connections, key negotiations etc.; the encryption
> during the data phase probably has only limited impact because most
> checks only transmit a few bytes back and forth.
>
> SSH does much better with longer-duration connections when the keys are
> already exchanged. This is even more true if you have a router-based
> VPN, because in that case the overhead is offloaded to a different machine.
>
> So if you have the option of sending the checks as NRPE through one or a
> few long-term VPNs: you are probably going to be better off. Of course,
> in the big picture, your mileage may vary.
>
> Christopher McAtackney wrote:
>> Hi all,
>>
>> I was wondering if someone could give a brief overview of the pros /
>> cons of using NRPE to monitor my remote hosts versus using the
>> check_by_ssh command?
>>
>> I'm aware that check_by_ssh increases the CPU overhead, but I'm not
>> clear on the level of impact here - does this increase the load on the
>> monitoring machine in direct relation to the number of hosts being
>> monitored? For example, if I was using check_by_ssh to monitor, say,
>> 2000 services spread across 200 hosts, would I experience significant
>> slowdown on my monitoring machine?
>>
>> Cheers for any info,
>>
>> Chris
>>
>
>
> --
> Kevin Keane
> Owner
> The NetTech
> Find the Uncommon: Expert Solutions for a Network You Never Have to Think About
>
> Office: 866-642-7116
> http://www.4nettech.com
>
> _______________________________________________
> Nagios-users mailing list
> Nagios-users at lists.sourceforge.net
> https://lists.sourceforge.net/lists/listinfo/nagios-users
> ::: Please include Nagios version, plugin version (-v) and OS when reporting any issue.
> ::: Messages without supporting info will risk being sent to /dev/null
>



-- 
Regards,
Idriss ARABBAJ
