Hi!

On Thu, 13 Jul 2006, Thomas Sluyter wrote:

> Why is it that we insist on using NRPE for this? Of course it's very
> practical that there's such a thing as the NRPE daemon and the
> check_nrpe command. It does indeed make things easier for a lot of
> people who lack deep technical insight.
> Yet it's a step away from the KISS principle.
> But what is to keep the expert users from using the SNMP daemon for
> this practice?

SNMP *can* be a security nightmare. Problem is that the protocol allows
*writing* to the machine, i.e. config changes. The danger in an unsecured
NRPE is much lower: it's less complex to configure and if we assume both
the SNMPd and NRPE have no security problems in their code, a slightly
wrong config can allow an attacker to compromise an SNMP machine. That's
nigh impossible on an NRPE machine. Also, NRPE config is much less complex
than that of an SNMPd.

> There's a bunch of factors that have pushed us away from NRPE and
> towards SNMP:
> * The SNMP daemon is installed by default on all of our systems.
>   AFAIK it's also part of the default install of just about every OS
>   installation (with the possible exception of Windows).

It isn't installed on *any* of the >1k machines I herd. Not by active
choice. It simply isn't installed because we don't need it. It's not part
of the default install of the Distros and OSs we use.

> * We are currently already using the SNMP daemon to gather
>   performance info for MRTG and we will be using the SNMP daemon to
>   send traps to Nagios.

That is an entirely different story. I can understand that people use
SNMPds on host machines because SNMP is the way to go for Ciscos or other
network equipment. But we're quite happy with the way NRPE and
NagiosGrapher work together with RRDTool. Our network guys (who run a
nationwide backbone and thus have their own monitoring solution) use SNMP
for their stuff.

> * Not using NRPE means one less configuration file to maintain, one
>   less port to open up in firewalls and one less binary to patch and
>   upgrade.

Not for us: SNMP isn't a "it's there anyway" resource. Hence, we opted
for the smaller, less complex solution, NRPE.

> Do any of you know of any practical objections to using SNMP as a
> substitute for NRPE? It might be that we're missing something here,
> but to us it looks like a very good choice.

Complexity. Both in daemon code and configuration. And that the SNMP
protocol spec allows for writing to a host.

Regards,
Tobias

-- 
You don't need eyes to see, you need vision.
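The point made above, that a slightly wrong SNMP daemon config can leave a host writable, shown as an added example that is not part of the original message: a small auditor for snmpd.conf text. It assumes Net-SNMP directive syntax (rwcommunity, rocommunity, rwuser, access), which the thread does not specify; the function name and the sample config are constructed for illustration.

```python
# Added example: flag snmpd.conf directives that grant SET (write) access
# or open read access. Assumes Net-SNMP snmpd.conf syntax.
WRITE_COMMUNITY = {"rwcommunity", "rwcommunity6"}
READ_COMMUNITY = {"rocommunity", "rocommunity6"}
ANY_SOURCE = {"default", "0.0.0.0/0", "::/0"}  # no source restriction
WELL_KNOWN = {"public", "private"}             # widely guessed communities


def audit_snmpd_conf(text):
    """Return (line_number, severity, message) tuples for risky directives."""
    findings = []
    for number, raw in enumerate(text.splitlines(), 1):
        tokens = raw.split("#", 1)[0].split()  # drop comments, then tokenize
        if not tokens:
            continue
        directive, args = tokens[0].lower(), tokens[1:]
        if directive in WRITE_COMMUNITY | READ_COMMUNITY and args:
            community = args[0]
            # A missing SOURCE argument means the community works from anywhere.
            source = args[1] if len(args) > 1 else "default"
            if directive in WRITE_COMMUNITY:
                where = "any host" if source in ANY_SOURCE else source
                findings.append((number, "HIGH", f"SET allowed from {where}"))
            elif source in ANY_SOURCE:
                findings.append((number, "MEDIUM", "read access from any host"))
            if community in WELL_KNOWN:
                findings.append(
                    (number, "MEDIUM", f"well-known community '{community}'"))
        elif directive == "rwuser" and args:
            severity = "HIGH" if "noauth" in args else "MEDIUM"
            findings.append((number, severity, "SNMPv3 user with write access"))
        elif directive == "access" and len(args) >= 8 and args[6] != "none":
            # access GROUP CONTEXT MODEL LEVEL PREFIX READ WRITE NOTIFY
            findings.append(
                (number, "HIGH", f"VACM group {args[0]} has write view '{args[6]}'"))
    return findings


# Constructed sample config, not taken from a real host.
SAMPLE = """\
# constructed sample
rocommunity public
rwcommunity s3cret
rocommunity monitor 192.0.2.10   # read-only, single source: no finding
rwcommunity ops 192.0.2.10
access rwgroup "" any noauth exact all all none
"""

if __name__ == "__main__":
    for number, severity, message in audit_snmpd_conf(SAMPLE):
        print(f"line {number}: {severity}: {message}")
```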
