We use check_yum to monitor Centos hosts for when pkgs need to be upgraded. We have done this for many years. I've recently built new monitoring hosts running Opsview v4.4.1 on Centos 6.5. The master and slaves generally monitor each other using nrpe - and as long as the check_ command doesn't need to run as root, everything is peachy.
Enter check_yum which doesn't want to run as the nagios user. On the target host /etc/sudoers has the following lines added:
nagios ALL=(ALL) NOPASSWD: /usr/local/nagios/libexec/check_yum
nagios ALL=(ALL) NOPASSWD: /usr/local/nagios/libexec/check_yum --warn-on-any-update
And nrpe is running:
# ps aux|grep nrpe|grep -v grep
nagios 19099 0.0 0.0 39240 1316 ? Ss 16:40 0:00 /usr/local/nagios/bin/nrpe -c /usr/local/nagios/etc/nrpe.cfg -d
command[check_3ware_raid_1_1]=sudo /usr/local/nagios/libexec/check_3ware_raid_1_1 $ARG1$
command[check_bind]=sudo /usr/local/nagios/libexec/check_bind $ARG1$
Here's what happens when I run the command from the monitoring server to the target server (denoted in the command line below as xxx.xxx.xxx.xxx) using check_by_ssh:
[nagios ~]$ /usr/local/nagios/libexec/check_by_ssh -H xxx.xxx.xxx.xxx -t180 -i /local/nagios/.ssh/IT-freebsd1 -l nagios -C '/usr/bin/sudo /usr/local/nagios/libexec/check_yum --warn-on-any-update'
YUM WARNING: 0 Security Updates Available. 4 Non-Security Updates Available
Looks good. Now, when I run this with check_nrpe, no joy:
[nagios ~]$ /usr/local/nagios/libexec/check_nrpe -t180 -H xxx.xxx.xxx.xxx -c check_yum -a ' --warn-on-any-update'
UNKNOWN: Security plugin for yum is required. Try to 'yum install yum-security' and then re-run this plugin. Alternatively, to just alert on any update which does not require the security plugin, try --all-updates
Note that this is a bogus error wrt the "security plugin" - the plugin is installed and the command works fine, as you can see by the execution from SSH, above.
Other nrpe commands succeed to the target host. It's just this particular command that is failing. It appears that /etc/sudoers isn't being honored, maybe? Or, I think there is a misconfiguration somewhere, but I'm at a loss for what else to twiddle with, since everything seems to be properly in place and working from the shell. I've even restarted nrpe to be sure it's read the nrpe.cfg file. I think I'm missing something, but what?
Thoughts anyone? Answers would be even better!