Cannot parse JSON response body '403 Your not allowed

Hi,

I´m using the nscp_api check to get values from remote windows hosts. Till now all windows hosts could gather cpu, memory and disk values via NSClient. Since the latest icinga update there seems to be problem at check_cpu for all new hosts and I don´t know why. I´m getting:

UNKNOWN - Cannot parse JSON response body '403 Your not allowed', error: [json.exception.parse_error.101] parse error at line 1, column 5: syntax error while parsing value - invalid literal; last read: '403 Y'; expected end of input

I´ve tried to execute the check at my command line manually and it works perfectly:

/usr/lib/nagios/plugins# ./check_nscp_api -H lrl-nba-srv.xy.de --password gsdgsdgfsdg342 --query check_cpu
check_cpu OK: CPU load is ok. | 'total 5m'=2%;80;90 'total 1m'=2%;80;90 'total 5s'=1%;80;90

So I don´t know why icinga is displaying this error when the check manually succeeds? Also I´m using icinga2 director for all windows hosts, so the service definition and the field variables (nscp_api password) are the same at all hosts. I don´t think there could be a configuration problem. All hosts are using the same host and service template.

Is there anything I could debug further?

Hello,

if you press the inspect link under your service in icingaweb2 you will get the commandline icinga renders.
Maybe it helps you to see what is missing.

Regards,
Carsten

P.S.: Never run checks as root :slight_smile: on the commandline, better do sudo -u icinga bash before.

3 Likes

Thanks, you´re right - the check can´t get the infos locally at windows, but localhost (127.0.0.1) is set at allowed hosts like all other windows machines are set.

Run that check directly on the Windows host via Icinga Agent/command_endpoint & the nscp_api command. Right now it seems you’re querying it remotely.

Cheers from DevOpsDays,
Michael

1 Like

Yes, I´ve tried it locally at the windows machine and there the error occures - my second answer covers this. What component could affect this problem, while the nsclient configuration is the same on every host? And only for cpu?

Without seeing your config, hard to guess.

This is my nsclient.ini:

; in flight - TODO
[/settings/default]

; Undocumented key
password = xyz

; Undocumented key
allowed hosts = 127.0.0.1,10.158.129.0/24


; in flight - TODO
[/settings/NRPE/server]

; Undocumented key
ssl options = no-sslv2,no-sslv3

; Undocumented key
verify mode = peer-cert

; Undocumented key
insecure = false


; in flight - TODO
[/modules]

; Undocumented key
CheckExternalScripts = disabled

; Undocumented key
CheckHelpers = disabled

; Undocumented key
CheckNSCP = enabled

; Undocumented key
CheckDisk = enabled

; Undocumented key
WEBServer = enabled

; Undocumented key
CheckSystem = enabled

; Undocumented key
NSClientServer = enabled

; Undocumented key
CheckEventLog = enabled

; Undocumented key
NSCAClient = enabled

; Undocumented key
NRPEServer = enabled

I solved it by adding the hostname itself to the allowed hosts in nsclient.ini. Thanks for helping.