Passive monitoring in Nagios Core lets a remote script report a service state when polling from the monitoring server is blocked or unnecessary. NRDP provides an HTTP receiver for that handoff, so a trusted sender can post a passive result and let Nagios Core process it like any other check result.
On Debian and Ubuntu package installs, NRDP runs as a small PHP application under Apache and writes accepted external commands to /var/lib/nagios4/rw/nagios.cmd. The passive service must already exist in the running object configuration, because Nagios Core ignores passive results for unknown host and service names.
The receiver token is administrative because the submitcmd endpoint can write external commands. Keep /nrdp/ behind HTTPS, restrict source addresses or add Apache authentication, and use a token dedicated to the passive sender rather than a shared human password.
Steps to receive NRDP passive checks in Nagios Core:
- Install the Apache, PHP, curl, and certificate packages NRDP needs.
$ sudo apt update && sudo apt install --assume-yes apache2 libapache2-mod-php php-xml curl ca-certificates
- Download the NRDP release archive.
$ curl --fail --location --output /tmp/nrdp-2.0.6.tar.gz \ https://github.com/NagiosEnterprises/nrdp/archive/refs/tags/2.0.6.tar.gz
Use the latest stable tag from NagiosEnterprises/nrdp when a newer release is available.
- Extract the NRDP archive.
$ tar -xzf /tmp/nrdp-2.0.6.tar.gz -C /tmp
- Create the NRDP installation directory.
$ sudo install -d -o nagios -g nagios -m 0755 /usr/local/nrdp
- Copy the NRDP server and client files into place.
$ sudo cp -R /tmp/nrdp-2.0.6/clients /tmp/nrdp-2.0.6/server \ /tmp/nrdp-2.0.6/LICENSE.md /tmp/nrdp-2.0.6/CHANGES.md \ /usr/local/nrdp/
- Set ownership on the NRDP files.
$ sudo chown -R nagios:nagios /usr/local/nrdp
- Open the NRDP server configuration.
$ sudoedit /usr/local/nrdp/server/config.inc.php
- Configure the receiver token, HTTPS requirement, command group, and command file path.
- config.inc.php
<?php $cfg["authorized_tokens"] = array( "strong-nrdp-token" ); $cfg["external_commands_deny_tokens"] = array(); $cfg["require_https"] = true; $cfg["require_basic_auth"] = false; $cfg["valid_basic_auth_users"] = array( "nrdpuser" ); $cfg["nagios_command_group"] = "nagios"; $cfg["command_file"] = "/var/lib/nagios4/rw/nagios.cmd"; $cfg["check_results_dir"] = "/var/lib/nagios4/spool/checkresults"; $cfg["disable_external_commands"] = false; $cfg["allow_old_results"] = false; $cfg["hide_display_page"] = true; $cfg["debug"] = false; $cfg["debug_log"] = "/usr/local/nrdp/server/debug.log";
Do not reuse strong-nrdp-token. A token accepted by submitcmd can submit external commands, so expose /nrdp/ only through HTTPS and trusted network or authentication controls.
- Add the Apache worker user to the Nagios Core command group.
$ sudo usermod --append --groups nagios www-data
Source installs often use a nagcmd group instead. Match nagios_command_group to the group that owns the external command file.
- Open the Apache alias configuration for NRDP.
$ sudoedit /etc/apache2/conf-available/nrdp.conf
- Add the /nrdp/ alias.
- nrdp.conf
Alias /nrdp "/usr/local/nrdp/server" <Directory "/usr/local/nrdp/server"> Options None AllowOverride None Require all granted </Directory>
- Enable the Apache alias configuration.
$ sudo a2enconf nrdp Enabling conf nrdp. To activate the new configuration, you need to run: service apache2 reload
- Test the Apache configuration.
$ sudo apache2ctl configtest Syntax OK
- Restart Apache to load the alias and refresh www-data group membership.
$ sudo systemctl restart apache2
A reload may not replace every existing worker process after a group-membership change.
- Check that the NRDP endpoint is handled by PHP.
$ curl --fail --silent --show-error https://monitor.example.net/nrdp/ <?xml version="1.0" encoding="utf-8"?> <result> <status>-1</status> <message>NO TOKEN</message> </result>NO TOKEN means the endpoint loaded and rejected a request without an authorized token.
- Confirm that Nagios Core accepts external commands and passive service results.
$ sudo grep -E '^(check_external_commands|command_file|accept_passive_service_checks)=' /etc/nagios4/nagios.cfg check_external_commands=1 command_file=/var/lib/nagios4/rw/nagios.cmd accept_passive_service_checks=1
Enable external commands before testing NRDP if check_external_commands is 0.
Related: How to enable external commands in Nagios Core - Check the external command file permissions.
$ sudo ls -ld /var/lib/nagios4/rw /var/lib/nagios4/rw/nagios.cmd drwxrwsr-x 1 nagios nagios 4096 Jun 25 00:30 /var/lib/nagios4/rw prw-rw---- 1 nagios nagios 0 Jun 25 00:30 /var/lib/nagios4/rw/nagios.cmd
The leading p on nagios.cmd means it is a FIFO. The group should match nagios_command_group in /usr/local/nrdp/server/config.inc.php.
- Create a passive receiver test object file.
$ sudoedit /etc/nagios4/conf.d/nrdp-receive-test.cfg
- Add a passive host and service for the NRDP smoke test.
- nrdp-receive-test.cfg
define command{ command_name check_passive_placeholder command_line /bin/echo "Waiting for passive result" } define host{ use linux-server host_name web01.example.net alias Web 01 passive sender address 192.0.2.10 active_checks_enabled 0 passive_checks_enabled 1 check_command check_passive_placeholder } define service{ use generic-service host_name web01.example.net service_description NRDP Receive Test active_checks_enabled 0 passive_checks_enabled 1 check_freshness 0 check_command check_passive_placeholder }
Replace the sample host and service with objects that match the remote sender before production. Nagios Core ignores passive results for undefined hosts or services.
- Validate the Nagios Core configuration.
$ sudo nagios4 -v /etc/nagios4/nagios.cfg Nagios Core 4.4.6 ##### snipped ##### Reading configuration data... Read main config file okay... Read object config files okay... ##### snipped ##### Total Warnings: 0 Total Errors: 0 Things look okay - No serious problems were detected during the pre-flight check
Use sudo /usr/local/nagios/bin/nagios -v /usr/local/nagios/etc/nagios.cfg on source installs that follow the upstream default layout.
Related: How to validate the Nagios Core configuration - Reload Nagios Core to load the passive test object.
$ sudo systemctl reload nagios4
Use the service name and control method from the local installation when Nagios Core was installed from source.
Related: How to manage the Nagios Core system service - Submit a passive service result through NRDP.
$ curl --fail --silent --show-error \ --data-urlencode token=strong-nrdp-token \ --data-urlencode cmd=submitcmd \ --data-urlencode 'command=PROCESS_SERVICE_CHECK_RESULT;web01.example.net;NRDP Receive Test;0;OK - passive result received through NRDP' \ https://monitor.example.net/nrdp/ <?xml version="1.0" encoding="utf-8"?> <result> <status>0</status> <message>OK</message> </result> - Confirm that Nagios Core processed the passive result.
$ curl --silent --show-error 'https://monitor.example.net/nagios4/cgi-bin/statusjson.cgi?query=service&hostname=web01.example.net&servicedescription=NRDP%20Receive%20Test' { "format_version": 0, "result": { "type_text": "Success" }, "data": { "service": { "host_name": "web01.example.net", "description": "NRDP Receive Test", "plugin_output": "OK - passive result received through NRDP", "has_been_checked": true, "check_type": 1, "accept_passive_checks": true } } }check_type 1 indicates a passive result. Use the local CGI URL and authentication method for the monitoring site.
Related: How to check Nagios Core logs
Mohd Shakir Zakaria is a cloud architect with deep roots in software development and open-source advocacy. Certified in AWS, Red Hat, VMware, ITIL, and Linux, he specializes in designing and managing robust cloud and on-premises infrastructures.
