Getting response '403 Your not allowed' from NSClient++ running on Windows over the REST API

Service Monitoring
1

Hello,
I have problems to monitor NSClient++ running on Windows over the REST API getting response ‘403 Your not allowed’
I want / need to monitor a Windows server with Icinga2. The build in Windows plugins like e.g. disk-windows or service-windows work well, but I have problems nit NSClient++.
If I query for externals script (I used the foo-script from the docu), it works when I call the check_nscp_api plugin directly from commandline on the server:

/usr/lib/nagios/plugins/check_nscp_api -H <nsclient++-hostname>  -P <my_port> --password <my_password> -q foo -d

When I use curl from commandline it works, too:

curl -k -v -H 'password: <my_password>' 'https://<nsclient++-hostname>:<my_port>/query/foo' | python -m json.tool
curl -k -i -v -u admin https://<nsclient++-hostname>:<my_port>/query/foo

The same is for the build in nsclient+±checks e.g. check_cpu.
I can log into the NSClient+±Webinterface https://<nsclient+±hostname>:<my_port> and execute the queries, too.

But the webclient icinga2web shows an error for the nsclient+±checks

Plugin Output
UNKNOWN - Cannot parse JSON response body '403 Your not allowed', error: [json.exception.parse_error.101] parse error at line 1, column 5: syntax error while parsing value - invalid literal; last read: '403 Y'; expected end of input

I do not understand what the problem is and hope it is formatted well and not a big isssue.

Kind regards

My environment:

##############################################

Icinga2 server / master

##############################################

:~$ uname -a
Linux <myserver_name> 5.4.0-4-amd64 #1 SMP Debian 5.4.19-1 (2020-02-13) x86_64 GNU/Linux
:~$ lsb_release -d
Description:    Debian GNU/Linux bullseye/sid

:~$ icinga2 --version
icinga2 - The Icinga 2 network monitoring daemon (version: r2.11.3-1)

System information:
  Platform: Debian GNU/Linux
  Platform version: Unknown
  Kernel: Linux
  Kernel version: 5.4.0-4-amd64
  Architecture: x86_64

Build information:
  Compiler: GNU 9.2.1
  Build host: x86-csail-01

:~$ icinga2 feature list
Disabled features: command compatlog debuglog elasticsearch gelf graphite influxdb livestatus notification opentsdb perfdata statusdata syslog
Enabled features: api checker ido-mysql mainlog

:~$ icinga2 daemon -C
[2020-04-06 15:35:22 +0200] information/cli: Icinga application loader (version: r2.11.3-1)
[2020-04-06 15:35:22 +0200] information/cli: Loading configuration file(s).
[2020-04-06 15:35:22 +0200] information/ConfigItem: Committing config item(s).
[2020-04-06 15:35:22 +0200] information/ApiListener: My API identity: <myserver_name>
[2020-04-06 15:35:22 +0200] information/ConfigItem: Instantiated 1 IdoMysqlConnection.
[2020-04-06 15:35:22 +0200] information/ConfigItem: Instantiated 1 CheckerComponent.
[2020-04-06 15:35:22 +0200] information/ConfigItem: Instantiated 2 Users.
[2020-04-06 15:35:22 +0200] information/ConfigItem: Instantiated 3 ServiceGroups.
[2020-04-06 15:35:22 +0200] information/ConfigItem: Instantiated 2 UserGroups.
[2020-04-06 15:35:22 +0200] information/ConfigItem: Instantiated 3 TimePeriods.
[2020-04-06 15:35:22 +0200] information/ConfigItem: Instantiated 4 Zones.
[2020-04-06 15:35:22 +0200] information/ConfigItem: Instantiated 17 Services.
[2020-04-06 15:35:22 +0200] information/ConfigItem: Instantiated 1 ScheduledDowntime.
[2020-04-06 15:35:22 +0200] information/ConfigItem: Instantiated 19 Notifications.
[2020-04-06 15:35:22 +0200] information/ConfigItem: Instantiated 2 NotificationCommands.
[2020-04-06 15:35:22 +0200] information/ConfigItem: Instantiated 1 IcingaApplication.
[2020-04-06 15:35:22 +0200] information/ConfigItem: Instantiated 2 Endpoints.
[2020-04-06 15:35:22 +0200] information/ConfigItem: Instantiated 3 HostGroups.
[2020-04-06 15:35:22 +0200] information/ConfigItem: Instantiated 2 Hosts.
[2020-04-06 15:35:22 +0200] information/ConfigItem: Instantiated 1 Downtime.
[2020-04-06 15:35:22 +0200] information/ConfigItem: Instantiated 235 CheckCommands.
[2020-04-06 15:35:22 +0200] information/ConfigItem: Instantiated 1 FileLogger.
[2020-04-06 15:35:22 +0200] information/ConfigItem: Instantiated 2 ApiUsers.
[2020-04-06 15:35:22 +0200] information/ConfigItem: Instantiated 1 ApiListener.
[2020-04-06 15:35:22 +0200] information/ScriptGlobal: Dumping variables to file '/var/cache/icinga2/icinga2.vars'
[2020-04-06 15:35:22 +0200] information/cli: Finished validating the configuration file(s).
```

Icinga Web 2 Version 2.7.3 
PHP Version 7.3.15-3
Copyright © 2013-2020 The Icinga Project 
Only monitoring module is enabled
    
#####################################
Service configurations on server:
```
apply Service "foo_x" {
import "generic-service"
  check_command = "nscp_api"
  vars.nscp_api_host="<nsclient++-hostname>"
  vars.nscp_api_port="<my_port>"
  vars.nscp_api_password="<my_password>"
  vars.nscp_api_query="foo"

  command_endpoint = host.vars.agent_endpoint
  assign where host.name == "<nsclient++-hostname>"
}

apply Service "nsclient_cpu" {
import "generic-service"
  check_command = "nscp_api"
  vars.nscp_api_host="<nsclient++-hostname>"
  vars.nscp_api_port="<my_port>"
  vars.nscp_api_password="<my_password>"
  vars.nscp_api_query="check_cpu"

  command_endpoint = host.vars.agent_endpoint
  assign where host.name == "<nsclient++-hostname>"
}
```
##############################################
# Icinga2 client
##############################################
```
PS E:\Program Files\ICINGA2\sbin> systeminfo.exe
Host Name:                 <nsclient++-hostname>
OS Name:                   Microsoft Windows Server 2012 R2 Standard
OS Version:                6.3.9600 N/A Build 9600

PS E:\Program Files\ICINGA2\sbin> .\icinga2.exe  --version
icinga2.exe - The Icinga 2 network monitoring daemon (version: v2.11.2)

System information:
  Platform: Windows
  Platform version: 8.1 or greater (Server)
  Kernel: Windows
  Kernel version: 6.2
  Architecture: x86_64

Build information:
  Compiler: MSVC 19.16.27032.1
  Build host: WINBUILD2
  
PS E:\Program Files\ICINGA2\sbin> systeminfo.exe
Host Name:                 <nsclient++-hostname>
OS Name:                   Microsoft Windows Server 2012 R2 Standard
OS Version:                6.3.9600 N/A Build 9600
```
##############################################
# NSClient++
##############################################
```
PS E:\Program Files\ICINGA2\NSClient++> .\nscp.exe --version
NSClient++, Version: 0.5.2.39 2018-02-04, Platform: x64
```
#########################

nsclient.ini:
```
[/settings/default]
password = <my_password>
allowed hosts = 127.0.0.1,<myserver_ip>

[/settings/log]
file name = nsclient_debug.log
level = debug

[/settings/NRPE/server]
ssl options = no-sslv2,no-sslv3
verify mode = none
insecure = false


[/settings/WEB/server]
allowed hosts=127.0.0.1,<myserver_ip>
cache allowed hosts=true
certificate=${certificate-path}/<nsclient++-hostname>.pem
port=<my_port>
threads=10

[/modules]
CheckExternalScripts = enabled
CheckHelpers = enabled
CheckEventLog = enabled
CheckNSCP = enabled
CheckDisk =  enabled
CheckSystem = enabled
WEBServer = enabled
NRPEServer = disabled

[/settings/external scripts]
allow arguments = true

[/settings/external scripts/scripts]
foo=scripts\foo.bat
```
2

Hi there and welcome to the show!

To be honest, I don’t have a solution for your specific problem, but I can offer you two alternatives:

  • Have you considered the new Powershell-Framework, which might offer easier and more powerful ways of monitoring Windows?
  • If you want to stick with NSCP, I’d like to suggest that you use the Icinga agent to trigger nscp. I know, it would mean that you’d have to install an extra agent but the extra flexibility might be well worth your time

To be honest, I don’t know of any setup that uses the NSCP API. That might not mean much, because I don’t know all of the setups out there but what I do know is that many users are happy either with Powershell or the combination of agent and nscp.

1 Like
3

Hi Andreas and welcome to the community!

Just wanted to check in, if Thomas suggestions helped you with your issue?
Any updates?

Have a nice day
Feu

4

Hi Thomas, hi Feu,
thank you for your welcome and your suggestions, but this doesn’t solve the issue, that I can connect to the NSClient++ on command line, but not with the plugin.
I do not see where the problem of the plugin is and how to set up the environment to make it work. Any help to solve this would be highly appreciated.
Now I’m working on an alternative way to solve my monitoring tasks. A colleague suggested me to monitor the results of scripts running on the monitored server via a web server without any extra agent.

Kind regards and have nice day, too
Andreas