CustoSec:Install NSClient

From CustosecWiki
Jump to navigation Jump to search
Start Windows Installer (Step2)
Basic configuration (Step3)
TCP-Port Check in ARANSEC (Step4)
TCP-Port Check in ARANSEC (Step4)
Empty NSClient.ini (Image #5)

NSClient++ Basic Information

This is an agent is a monitoring agent which is running on remote hosts. It allows to execute monitoring scripts and programmes locally and return results. It eliminates SNMP needs and goes much beyond so called "agentless" systems, like WMI. It can be used in many different ways and is a very useful enhancement of an ARANSEC / CustoSec installation.

NSClient++ is installed on Windows Hosts and used by ARANSEC / CustoSec using the Remote Client Check. There is a documentation on NSClient++ available which describes the wide possibilities of this agent.
Please note: This client is usable on Windows Hosts only. There is a way to do the same with the NRPE-Client on Linux Hosts.

Installation of NSClient++ on a Windows Host

The following documentation is a quick "step-by-step"-guide onto installing NSClient++ on a Windows Host for usage in a typical ARANSEC / CustoSec environment. It was created based on:

  • NSClient++ Version 0.4.4.19 (stable).
  • A Windows Server 2012 R2

Download and Install

Download the latest Version in the right flavour from the documentation on NSClient++. You will get a Windows Installer file (*.msi).

Navigate to your Download folder and double click on the msi-file. This will start the installer script with a Welcome screen. Click "Next".
In the following 2 steps choose "Generic" and "Typical" (which will install everything that is needed anyway). In the next step, the installer will ask some questions, which are important. All these setting can be altered later within the configuration files, but it is much easier to do it right here:

  • Allowed Hosts: This is a comma separated list of hosts (no blanks after the comma!), that are allowed to connect to this instance of NSClient++. This means, we have to enter the IP address of your ARANSEC / CustoSec here next to the local host (see screen shot). Please note the IP6-notation for local host "::1" after the IP4 notation "127.0.0.1". Just add a comma and the IP4 address of your ARANSEC /CustoSec.
  • Password: This has to be empty. The installer script will suggest a password that is generated during the previous step, but we have to delete it. It will not be needed for our purposes and the protocols we will need.
  • Modules to load:
    • Enable common check plugins. This should be ticked since we will need these checks. It will prepare the ini-file for population with all available checks.
    • Enable NSClient server (check_nt): This should not be enabled, since we will not use this "old" check_nt. It is outdated and only needed for special cases and backward compatibility
    • Enable NRPE Server (check_nrpe): This has to be enabled, because we will use the NRPE-Server to communicate between ARANSEC/CustoSec and this instance of NSClient++. Regarding security we use the first option "Insecure legacy mode). The safe modes provided will not work with ARANSEC. CustoSec will use another version of NRPE-Check and will be able to use SSL connections. Until then, please use the "Insecure" mode.
    • Enable NSCA-client: This should be disabled. Since ARANSEC does not accept passive checks, this protocol will not be needed. Again, in CustoSec this will change, but for the time being, leave this disabled.
    • Enable Web server: This is not necessarily needed, but if you want to use the local web server to use the web interface of NSClient, you may install it right away by ticking this option.

In the end your panel will look like the screen shot. Run the rest of the installation and confirm the security prompts. After the install was completed the install script will prompt that it has finished. Confirm with "Finish". Please note: After installation, NSClient++ is automatically started. This means it is already running in the background!

Checking communication with ARANSEC/CustoSec

At this stage the host, that NSClient++ is running on, should be added in ARANSEC/CustoSec, if it does not exist yet.

To check, if the communication between our ARANSEC/CustoSec and the NSClient works, we add a service check, named "NRPE Port" (or anything else), using "check_tcp_freeport"-check (in CustoSec: Port (TCP)). We will configure it to check port no. 5666, which is the default port for NRPE communication. (See screenshot).

Using the OK Button after a submit, we can see, if the communication works.

If this check delivers an "OK", we have a connection.

Configuration of NSClient++

Now we have to configure NSClient on the Windows host. Before we start doing that, we should check and understand what we are doing:
Open open the file "nsclient.ini" in an editor. The file is located in the installation folder. This is the configuration file for NSClient++ and at this stage will look very empty (see screenshot). We are going to fill it in the next steps (See image#5).

Open a command line on this Windows host with administrator privileges ("open as administrator") and stop the running NSClient by entering net stop nscp ("nscp" is the service name of NSClient++)net start. The command line will return that the service has been successfully shut down.

NSClient++ has a very convenient half-automated set up system to enter the most important settings:

  • Open a shell as administrator and cd to /Programme/NSClient++ (or whatever your installation directory for NSClient is)
  • Enter the following command: nscp settings --generate ini --add-defaults --load-all
    • This will load all default settings into the ini file, which is setting the modules needed to status "1", which means enabled (you might want to open it and see the changes, the file has already been populated with a some settings). Note: There might be an error message saying, the system cannot load the LUA-Module. This is a bug in the install script, but we will not bother here, since we will not need the module anyway.
  • Now, we have to load the modules into the ini.file. This process will enable the module and add all new keys that the module provides into the ini.file. There are some check modules available; in this tutorial we will restrict ourselves to a few:
    • Loading: CheckSystem - Module (provides various system related checks like CPU load, process and service state, memory and any performance counters): nscp settings --activate-module CheckSystem --add-missing
    • Loading: CheckDisk - Module (provides various file and disc related checks): nscp settings --activate-module CheckDisk --add-missing
    • There are more modules available (i.e. a bundle of WMI-Checks). In case needed, please come back to us.
  • After loading the modules, NSClient++ is configured.
  • To load the new settings, the service has to be restarted by entering net stop nscp and net start nscp on the command line (admin privileges)

To Do: Check from ARANSEC / CustoSec => "Received 0 bytes from daemon .. meassage. SSL is still acitvated. Activation NRPE Module, deactivation SSL Test Check Examples.