Start Up Guide

Nagios is the industry standard for monitoring network infrastructure. The Nagios Start Up Guide provides the foundation for installation and initial configuration of Nagios. In addition, instruction on the monitoring of Linux and Windows machines is provided.

Copyright and Trademark Information

Nagios is a registered trademark of Nagios Enterprises. Linux is a registered trademark of Linus Torvalds. Ubuntu is a registered trademark of Canonical. Windows is a registered trademark of Microsoft Inc. All other brand names and trademarks are properties of their respective owners.

The information contained in this manual represents our best efforts at accuracy, but we do not assume liability or responsibility for any errors that may appear in this manual.

Date of Manual Version: February 2, 2011

Table of Contents

Introduction
    Nagios Monitoring Solutions
    Critical Decisions
Nagios Terminology
    Service and Host Check Options
Basic Nagios Configuration
    Installing From Source
    Initial Set Up
    Nagios Check Triangle
Administration Tasks
    Authentication
    Scheduled Downtime
    Host Groups
    Service Groups
Monitoring Public Ports
    check_ping
    check_tcp
    check_http
Monitor Linux with NRPE
    Set Up the Host to be Monitored with NRPE
    Set Up the Nagios Server
Monitoring Windows with NSClient++
    Installation of NSClient++
    NSClient++ and NRPE
    Internal NSClient++ Functions
    NSClient++ and check_nt
    NSClient++ Password

Introduction

Nagios is both a powerful and flexible tool for monitoring devices and applications on those devices. The power of Nagios is in the ability to monitor many different network devices at one time using various methods to monitor those devices. The flexibility of Nagios provides an administrator the tools to monitor just about anything that is connected to a network. In addition, Nagios allows the administrator to monitor both the internals and the application processes on those devices. Monitoring would not be complete without multiple methods for contacting administrators, which Nagios also provides.

Critical Decisions

These 5 elements represent turning points in how you implement Nagios. Each turning point represents a decision that has implications in how Nagios is used. Think about these decisions carefully, as making changes is always more difficult than starting in the right direction the first time.

1. Compile Nagios vs. Install from Repository

The decision of how you install Nagios is an important one. One of the major decisions you need to make with Nagios is the method of install: compile from source, install from an RPM repository or install from a DEB repository. Once you make a choice you will need to stick with it. The reason for this is that each installation method creates different paths to the configuration files and to the binaries. For example:

Copyright by Nagios Enterprises, LLC
Cannot be reproduced without written permission. P.O. Box 8154, Saint Paul, MN 55108

NAGIOS                Compile                             CentOS                     Debian/Ubuntu
Program Location      /usr/local/nagios/bin/nagios        /usr/bin/nagios            /usr/bin/nagios3
Configuration File    /usr/local/nagios/etc/nagios.cfg    /etc/nagios/nagios.cfg     /etc/nagios3/nagios.cfg
Plugins               /usr/local/nagios/libexec           /usr/lib/nagios/plugins    /usr/lib/nagios/plugins

From this brief example you can see the location is completely different for each option, and in the case of Ubuntu the binary is named differently. This means that any additional programs that you implement with Nagios will have to coincide with these locations, or the administrator will need to edit each line that indicates a path in any additional configuration files... not nice.

In the end the decision in how to install Nagios really is related to the simplicity of your install and what you want to monitor. For a very simple setup a repository install will work fine, but if you want to get serious about what Nagios can do, compile.

In order to provide instructions that work across multiple Linux distributions, the Nagios Start Up Guide provides documentation for compiling Nagios and Nagios plugins.

2. Monitor Public Information vs. Internal Information

Public ports are ports that are accessible to anyone, like ports for a web server (80), FTP server (21) or mail server (25). Public ports can also be monitored by anyone! When a service is started on a server that is a public service, everyone has access to the public port unless firewall rules prevent it.

The implications of monitoring public ports are that they are easy to monitor but may not provide all of the detail that is desired. The other implication is that there are no firewall issues with monitoring public ports. The Nagios server firewall can remain completely blocked to incoming traffic unless it is related to a connection established by the Nagios server. This means you have greater security for a Nagios server that is accessible from the Internet. It also means the client being monitored is more secure, as special access for the Nagios server does not have to be added. In summary, monitoring public ports offers greater security but less information.

In contrast, monitoring internal aspects of a machine requires an agent to be installed on the client. The only way to monitor internal aspects of a machine is to install an agent, meaning a piece of software that functions as a daemon allowing connections from the Nagios server so that internal plugins or scripts may be executed and that information recorded and provided to the Nagios server on connection. Here are several agents that can be used:

SSH - the daemon allows connections from the Nagios server and returns information generated by plugins or scripts.

NSClient++ - this agent is installed on a Windows server or workstation so that commands executed on the Windows machine can generate information and return that information to the Nagios server when the Nagios server connects to the Windows machine.

NRPE (Nagios Remote Plugin Executor) - the NRPE agent is installed on the remote machine to allow Nagios to connect and obtain information generated by plugins that have executed internally or scripts that have executed.

SNMP (Simple Network Management Protocol) - when SNMP is used to monitor remote servers an agent must be installed so that information provided internally can be collected by the Nagios server. Note, this is not the case when SNMP generates traps and sends the information to another machine.

check_mk - the check_mk agent must be added to the Windows or Linux box in order for check_mk to collect the information and provide it to the Nagios server.

Each of these agents operates on a separate port, which means the firewall on the machine to be monitored must be altered to allow Nagios to connect and retrieve information.

In summary, monitoring internal aspects of a machine provides greater information but requires an agent to be installed as well as security to be altered to allow the Nagios server to connect.

3. Active vs. Passive Checks

There are several aspects to consider when deciding on using active or passive checks. Note, you can use both if you choose. Active checks are initiated by the Nagios server. The Nagios server determines the time and the frequency for the checks. Active checks that use only public ports require no modification. However, when internal aspects are monitored, the server that is monitored must not only have an agent installed to initiate any internal plugins or scripts on the machine, but the firewall will also need to be modified to allow Nagios to connect on the agent ports.

Passive checks require that the server to be monitored not only initiates the script to check internal aspects but also initiates the connection to the Nagios server. This is the type of connection you would want to use if a security event occurred on the server that is monitored. Any security events would require immediate notification to minimize the impact.

4. Nagios Accessible from Internet vs. Not

Many administrators do not use a firewall on the Nagios server as it is on an internal network, or VPN, so it is not considered necessary. In reality, Nagios should always have a firewall in order to protect it, as a compromised Nagios server has grave implications for a network that it is monitoring.

If a Nagios server is accessible from the Internet, security should be carefully considered. Several aspects of security must be implemented:

* limited access to the web interface
* limited access to SSH or any other methods of connecting to the server
* SSL for password authentication
* ModSecurity to protect authentication, guard against SQL injection and limit access

5. Nagios Core vs. XI

Nagios Core is the Open Source version of Nagios which can be freely downloaded and implemented in any way the administrator sees fit. Nagios Core is extremely flexible and gives you the access to create, configure and implement at will.

One of the biggest advantages of Nagios Core is that by the time you get plugins working, and yes that does sound ominous, you are able to troubleshoot when problems occur. This advantage cannot be overstated, as becoming a Nagios mechanic is an extremely valuable asset to any organization. Nagios Core allows the administrator almost unlimited abilities in creating and monitoring devices and services on those devices. Core provides the structure to implement all of the aspects of XI but to do it in a way that fits the organization.

The greatest disadvantage of Nagios Core is developing the necessary skills to monitor the devices and the aspects of those devices that are necessary. It takes a great deal of time and meticulous implementation of scripts and plugins to arrive at the working Nagios monitoring system that many organizations need. This is compounded by the fact that most organizations do not have any idea of how complex some implementations can be for Nagios, and their expectations for staff are often not realistic.

The XI interface is the commercial version that provides wizards for setting up the plugins, making it much easier to set up quickly and also to implement checks whose workings you may not totally understand.

The greatest advantage of XI is that it gets an organization up and running quickly. The wizards work very well and provide intuitive support in implementing NRPE, SNMP, NSClient++, etc. However, this is not an automatic setup, as some basic information and understanding are required.

There are three disadvantages to XI. First, of course, it is a commercial version that must be purchased. The demo does allow the use for 7 devices, however. The second, more important disadvantage is that if your setup breaks or there is an error, it must be corrected. That creates a painful situation in that the organization must either purchase support or wait until the administrator can figure it out. The third disadvantage is that the interface is structured in a certain way that may not be what an organization needs. Nagios Core allows you to implement a design that works in a special way needed by an organization.

In summary, if an organization is short on time and has the resources, XI is a great choice. On the other hand, if an organization has the time and the right people, the results can be more productive and probably save money in the long run.

Conclusion:

Turning points determine many significant decisions. Give careful thought to how these turning points are selected and consider the long term, because it is easier to implement an installation by planning ahead.

Nagios Terminology

plugins

Nagios uses plugins, or compiled executables that can be used to check services and hosts on your network. Plugins can be developed using Perl, shell scripts, etc. Plugins provide communication between the Nagios daemon and the hosts and service options you want to check. There are many different plugins available. Each plugin must be configured specifically for the host and service you choose to evaluate. Plugins do not come in the nagios package but are provided in a separate package called nagios-plugins. You can download from these locations.

Nagios Plugins
Official Nagios Plugins     http://nagiosplugins.org/
Nagios Plugin Downloads     http://www.nagios.org/download/
Nagios Exchange             http://exchange.nagios.org/

Currently the nagios-plugins package provides about 70 plugins. This certainly provides you with adequate plugins to get started.

If you need to find out more information about a specific plugin you can use this command:

    ./check_ping --help

    check_ping v1.4.15 (nagios-plugins 1.4.15)
    Copyright (c) 1999 Ethan Galstad <nagios@nagios.org>
    Copyright (c) 2000-2007 Nagios Plugin Development Team
            <nagiosplug-devel@lists.sourceforge.net>

    Use ping to check connection statistics for a remote host.

    Usage:
    check_ping -H <host_address> -w <wrta>,<wpl>% -c <crta>,<cpl>%
     [-p packets] [-t timeout] [-4|-6]

    Options:
     -h, --help
        Print detailed help screen
     -V, --version
        Print version information
     -4, --use-ipv4
        Use IPv4 connection
     -6, --use-ipv6
        Use IPv6 connection
     -H, --hostname=HOST
        host to ping
     -w, --warning=THRESHOLD
        warning threshold pair
     -c, --critical=THRESHOLD
        critical threshold pair
     -p, --packets=INTEGER
        number of ICMP ECHO packets to send (Default: 5)
     -L, --link
        show HTML in the plugin output (obsoleted by urlize)
     -t, --timeout=INTEGER
        Seconds before connection times out (default: 10)

host

A host is a server, switch, router, printer or any other network device that you want to monitor. Nagios requires an IP Address for the host or a FQDN (Fully Qualified Domain Name) to determine the exact location of the device. Each host must also have a unique name that will tie the host name reference to the IP Address or FQDN. The host information is required for the service definition.

service

Services refer to checks that occur on a device which may monitor internal aspects of the device like CPU usage or memory, and also refer to checks on applications which exist on the device such as MySQL or Postfix.

contact

Contacts are the individual administrators that are notified by Nagios because of a host or service problem using the contactgroup. The contact information provides a way to communicate with the administrator. Contacts are also a way to manage which administrators can see hosts and services on the web interface, as they must be listed as contacts in order to view specific information on devices.

contactgroup

These groups are the connection between detected problems and communications with individuals in the group.

Reachability

Nagios has the ability to determine if a host is in a down state or if it is in an unreachable state. The practical implication of both of these states is the same: stuff does not work. However, the troubleshooting aspect is quite different. If a host is down, then of course the administrator needs to investigate the host specifically. However, if a network device is down or so heavily loaded that it restricts communication, then the network administrator needs to focus on the network devices and related issues. So reachability is concerned with the overall network health and how it impacts your monitored hosts.

Nagios is able to discern the network structure and how it alters these down states and unreachable states by understanding the path for data packets on the network. In other words, Nagios needs to know how equipment is connected because that will help determine the situation. This is done by making a reference to the parent/child relationships of connected network devices.

Nagios needs to be able to start tracing the path of the data packet from the Nagios server (hostname) to the next device and the next device. So the first step in setting this up is creating an entry for Nagios in the hosts.cfg file.

    define host{
        host_name    nagios         ; hostname of the Nagios server
    }

Of course you want to provide the hostname of your Nagios server, which you can determine with the command:

    hostname

The next step in configuration is to look at the IP Address and hostname of the next network device. If Nagios is connected to a switch then that should also be configured with a host definition. The difference is that you want to tell Nagios that the parent of that switch device is the host name nagios.

    define host{
        host_name    ciscoswitch
        parents      nagios         ; device directly above this host
    }

You can only add devices that have the ability to be assigned an IP Address and/or a hostname.

The key in the design is recognizing the network configuration and telling Nagios which is the parent, or network device, directly above the host you are working with. Once your data packet hits the external interface on your router you cannot specify routers on the Internet, as the path will vary depending upon best route. So if you were tracing the data packet path from Nagios to a remote device you would need to indicate the IP Address of the external router connecting the device to the Internet.

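The parent/child logic described above, as an added Python example that is not part of the guide or of the Nagios source. The hosts nagios and ciscoswitch come from the definitions above; router and web1 are hypothetical hosts added to extend the chain.

```python
# Added example: derive DOWN vs UNREACHABLE from "parents" relationships.
# "router" and "web1" are hypothetical hosts; the rest follows the text above.

PARENTS = {
    "nagios": [],                # the Nagios server is the root of the tree
    "ciscoswitch": ["nagios"],
    "router": ["ciscoswitch"],   # hypothetical
    "web1": ["router"],          # hypothetical
}


def find_cycle(parents):
    """Return the hosts on a circular parent path, or None if there is none."""
    done = set()

    def visit(host, path):
        if host in path:                       # came back to a host on this path
            return path[path.index(host):] + [host]
        if host in done or host not in parents:
            return None
        for parent in parents[host]:
            found = visit(parent, path + [host])
            if found:
                return found
        done.add(host)
        return None

    for host in parents:
        found = visit(host, [])
        if found:
            return found
    return None


def classify(parents, responding):
    """Map every host to UP, DOWN or UNREACHABLE.

    A host that fails its check is DOWN when it has no parents or at least
    one parent is UP; it is UNREACHABLE when every parent is itself DOWN or
    UNREACHABLE, because the fault lies somewhere on the path to it.
    """
    cycle = find_cycle(parents)
    if cycle:
        raise ValueError("circular path between hosts: " + " -> ".join(cycle))
    states = {}

    def state_of(host):
        if host not in states:
            if host in responding:
                states[host] = "UP"
            elif not parents[host] or any(state_of(p) == "UP" for p in parents[host]):
                states[host] = "DOWN"
            else:
                states[host] = "UNREACHABLE"
        return states[host]

    for host in parents:
        state_of(host)
    return states


def root_causes(host, parents, states):
    """Walk up from a host to the DOWN device(s) that explain its state."""
    if states[host] == "UP":
        return set()
    if states[host] == "DOWN":
        return {host}
    causes = set()
    for parent in parents[host]:
        causes |= root_causes(parent, parents, states)
    return causes


if __name__ == "__main__":
    # Constructed scenario: only the Nagios server itself answers its check.
    states = classify(PARENTS, responding={"nagios"})
    for host, state in states.items():
        print(f"{host:12} {state:12} cause: {sorted(root_causes(host, PARENTS, states))}")
```

With only the switch failing, the administrator is pointed at ciscoswitch instead of receiving separate DOWN alerts for every host behind it.
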
Volatile Service

A volatile service is a service that will automatically return itself to an "OK" status when it is checked. Or it is a service that needs to be checked by an administrator on each occurrence, like a security event.

flapping

A flapping state is when a service or host changes from an OK state to a CRITICAL state rapidly. These changing states will send multitudes of notifications to administrators, which can be nonproductive. When flapping is detected Nagios will recognize the changing states and move into a state of flapping, which gives an administrator additional options for handling unwanted notifications.

In order to detect this flapping state Nagios saves in memory 21 checks for each host and service. Nagios reviews the last 20 changes to determine if the host or service is changing states based on a percentage. In this review of states the more recent checks are given a greater weight than the older checks, as this is probably more important to an administrator. Nagios also provides two thresholds for a service and a host so that an administrator can set an upper and lower threshold. When the service or host goes above the upper threshold Nagios recognizes this as state flapping, which means notifications will be stopped, an entry in the log is created and a comment is placed in the web interface so it can be reviewed by administrators. Once the percentage goes below the lower limit the comment is removed and the service is returned to a normal state with notifications enabled. This process takes a period of time to occur.

Here is an example of a service that is flapping. If you look closely you can see the percentage of state change.

    Notifications for this service are being suppressed because it was detected as having been flapping between different states (24.4% change >= 20.0% threshold). When the service state stabilizes and the flapping stops, notifications will be re-enabled.

To make changes to the settings for flap detection, first access the nagios.cfg file, which provides global settings. The first setting that can be altered is enable_flap_detection: an administrator can turn flap detection off by changing the value to 0. The thresholds may be modified to meet specific requirements for the organization. Remember these thresholds are percentages, so the low end is 5%, or one state change, and the upper end is 20%, which equals five state changes.

    enable_flap_detection=1
    low_service_flap_threshold=5.0
    high_service_flap_threshold=20.0
    low_host_flap_threshold=5.0
    high_host_flap_threshold=20.0

Specific changes can be made for a specific service as well. The flap_detection_enabled directive must be included to allow the override of the global settings. The two thresholds then may be modified to meet the needs of the service.

    define service{
        use                       generic-service
        host_name                 centos
        service_description       SMTP
        check_command             check_smtp
        flap_detection_enabled    1
        low_flap_threshold        10.0
        high_flap_threshold       30.0
    }

There is another option that is available with flapping. This option allows an administrator to control which states indicate flapping. The states available are o (OK), w (WARNING), c (CRITICAL) and u (UNKNOWN). States that are not listed are not taken into account to determine flapping.

    flap_detection_options    o,w,c,u

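The flap detection behaviour described above (21 stored checks, newer changes weighted more, separate upper and lower thresholds, flap_detection_options), as an added Python example that is not taken from the guide or from Nagios itself. The guide gives no weight values, so the linear 0.75 to 1.25 ramp is an assumption, as is padding a short history with its oldest state.

```python
# Added example: weighted percent state change with upper/lower thresholds.

HISTORY = 21         # checks kept per host/service (from the text above)
LOW_WEIGHT = 0.75    # assumption: weight of the oldest state change
HIGH_WEIGHT = 1.25   # assumption: weight of the newest state change


def percent_state_change(states, options="o,w,c,u"):
    """Weighted percent state change over the last 21 recorded checks.

    states  -- oldest-to-newest check results, each 'o', 'w', 'c' or 'u'
    options -- flap_detection_options; states not listed are ignored
    """
    allowed = set(options.split(","))
    history = [s for s in states if s in allowed][-HISTORY:]
    if not history:
        return 0.0
    # Simplification: pad a short history with its oldest state (adds no changes).
    history = [history[0]] * (HISTORY - len(history)) + history
    slots = HISTORY - 1  # 20 possible state changes between 21 checks
    weighted = 0.0
    for i in range(1, HISTORY):
        if history[i] != history[i - 1]:
            # Linear ramp: oldest change counts LOW_WEIGHT, newest HIGH_WEIGHT.
            weighted += LOW_WEIGHT + (i - 1) * (HIGH_WEIGHT - LOW_WEIGHT) / (slots - 1)
    return weighted * 100.0 / slots


class FlapDetector:
    """Tracks one host or service; defaults mirror the nagios.cfg values above."""

    def __init__(self, low=5.0, high=20.0, options="o,w,c,u"):
        self.low, self.high, self.options = low, high, options
        self.states = []
        self.flapping = False

    def record(self, state):
        """Store one check result and return (percent_change, is_flapping)."""
        if state in self.options.split(","):
            self.states = (self.states + [state])[-HISTORY:]
        pct = percent_state_change(self.states, self.options)
        if not self.flapping and pct >= self.high:
            self.flapping = True       # notifications suppressed from here on
        elif self.flapping and pct < self.low:
            self.flapping = False      # notifications enabled again
        return pct, self.flapping


def replay(sequence, **kwargs):
    """Feed a sequence of states to a fresh detector; return every result."""
    detector = FlapDetector(**kwargs)
    return [detector.record(s) for s in sequence]


if __name__ == "__main__":
    # Constructed histories: the same four state changes, recent versus old.
    recent = ["o"] * 17 + ["c", "o", "c", "o"]
    old = ["o", "c", "o", "c", "o"] + ["o"] * 16
    print("recent changes: %.1f%%" % percent_state_change(recent))
    print("old changes:    %.1f%%" % percent_state_change(old))
    for n, (pct, flapping) in enumerate(replay(recent + ["o"] * 19), 1):
        print("check %2d  %5.1f%%  flapping=%s" % (n, pct, flapping))
```

The replay shows why recovery "takes a period of time": once the upper threshold is crossed, the state changes have to age almost completely out of the 21-check window before the percentage drops below the lower threshold.
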
As you can see in this illustration, you can also Disable flap detection for this host under the Host Commands. This provides the option to just perform the task as it happens. Here is the verification before you commit the change.

              port 21
              port 22
WEB           port 80
SMTP          port 25
Secure Web    port 443

These public services allow Nagios to not only check to see if the port is open but to verify the correct application is running on the specific port. This can be done because each of these public services runs a specific protocol which provides the information needed to monitor it correctly and to differentiate it from other services on the same port.

Checks Using SSH

Nagios can connect to a client server using SSH and then execute a local plugin to check internal functions of the server like CPU load, memory, processes, etc. The advantage of using SSH is that checks are secure in the connection and the transfer of information. The disadvantage of SSH checks is that they take more resources than other check types.

Nagios Remote Plugin Executor

NRPE, Nagios Remote Plugin Executor, executes plugins internally on the client and then returns that information to the Nagios server. The Nagios server connects on port 5666 in order to execute the internal check. NRPE is protected by the xinetd daemon on the client so that an administrator can restrict the connections to the NRPE plugins.

Monitoring with SNMP

SNMP, Simple Network Management Protocol, is used extensively in network devices, server hardware and software. SNMP is able to monitor just about anything that connects to a network; that is the advantage. The disadvantage is that it is not easy to work with. The complexity of SNMP is made even worse by the fact that vendors write proprietary tools to monitor SNMP that are not easily accessed using Nagios. SNMP can be monitored directly using Nagios plugins, or the device itself can monitor SNMP and send information to SNMP traps which can be located on the Nagios server. The difficulties are further aggravated when using traps, as the SNMP trap information must be translated into data that Nagios can understand.

Nagios Service Check Acceptor

NSCA, Nagios Service Check Acceptor, employs a daemon on the Nagios server which waits for information generated by passive checks which execute independently on the client being monitored by Nagios. The advantage of NSCA is that services are monitored locally, independent of the Nagios server, and then sent to the Nagios server, so this is a good option when a firewall between the Nagios server and the client prevents other types of communication. The disadvantage is that passive checks use plugins but often require scripts to execute on the client. Communication can be encrypted between the client and the Nagios server and a password will be required to complete communication.

Another use for NSCA is distributed monitoring. Distributed monitoring allows a wide geographical base of network devices to be monitored by multiple Nagios servers which use NSCA to send service checks and host checks to a central Nagios server.

Prerequisites to compile.

When you compile software it will require a compiler like GCC. In order to compile an application it requires the source code. This source code is what the programmer has developed in an editor. The compiler takes the source code and converts it into binary code that the server can use. Or to put it another way, the source code is taken and built into object code which can then be executed from the computer hardware. It is typical that the source code will have dependencies as well. Dependencies are applications that are required to be installed before the source code will work properly. Several of the files installed with yum in this example are dependencies that must be available. Note that depending on the Linux distribution these dependency applications may be called by different names.

    yum install -y httpd php gcc glibc glibc-common gd gd-devel

Add the required users and groups.

    useradd nagios
    groupadd nagcmd
    usermod -a -G nagcmd nagios

The tarballs are compressed, so in order to compile these must be expanded into the directories that contain the source code.

    tar zxvf nagios-3.2.3.tar.gz
    tar zxvf nagios-plugins-1.4.15.tar.gz

Move into the directory created when the Nagios source was uncompressed and run the configure script using the group that was created earlier.

    cd nagios-3.2.3
    ./configure --with-command-group=nagcmd

The make command will compile the Nagios source code.

    make all

Now make will install the binaries, the init script and the config files, set the permissions on the external command directory and verify the web configuration files are installed. The semicolons allow you to run all the commands from one line.

    make install; make install-init; make install-config; make install-commandmode; make install-webconf

Edit contacts.cfg and add the email for the primary nagios administrator, nagiosadmin.

    vi /usr/local/nagios/etc/objects/contacts.cfg

Create a password for nagiosadmin, which will be needed in order to log in to the web interface.

    htpasswd -c /usr/local/nagios/etc/htpasswd.users nagiosadmin

Nagios Plugins

Move into the directory created when the Nagios plugins source was uncompressed and run the configure script using the group that was created earlier. Note: If you want to use check_snmp be sure to install net-snmp before you compile the plugins.

Either compile net-snmp (see the SNMP chapter) or install it with yum.

    yum install -y net-snmp

    cd /usr/local/src
    cd nagios-plugins-1.4.15
    ./configure --with-nagios-user=nagios --with-nagios-group=nagios

Now make will install the binaries.

    make
    make install

Initial Set Up

The first step is to add a contact email for nagiosadmin. The user nagiosadmin is by default the only user able to access the whole web interface. This can be changed, but the default user is nagiosadmin.

Change the Contact Information

Edit /usr/local/nagios/etc/objects/contacts.cfg (RPM repository: /etc/nagios/objects/contacts.cfg). Place your email in the email location.

    define contact{
        contact_name    nagiosadmin        ; Short name of user
        use             generic-contact    ; Inherit default values
        alias           Nagios Admin       ; Full name of user
        email           your_email         ; <<***** CHANGE THIS TO YOUR EMAIL
    }

Pre-Flight Check

The pre-flight check provides a way to verify all of the configuration files which exist in the /usr/local/nagios/etc/objects directory. This command reads and verifies the initial setup.

    nagios -v /usr/local/nagios/etc/nagios.cfg

    Nagios 3.0.6
    Copyright (c) 1999-2008 Ethan Galstad (http://www.nagios.org)
    Last Modified: 12-01-2008
    License: GPL

    Reading configuration data...

    Running pre-flight check on configuration data...

    Checking services...
        Checked 8 services.
    Checking hosts...
        Checked 1 hosts.
    Checking host groups...
        Checked 1 host groups.
    Checking service groups...
        Checked 0 service groups.
    Checking contacts...
        Checked 1 contacts.
    Checking contact groups...
        Checked 1 contact groups.
    Checking service escalations...
        Checked 0 service escalations.
    Checking service dependencies...
        Checked 0 service dependencies.
    Checking host escalations...
        Checked 0 host escalations.
    Checking host dependencies...
        Checked 0 host dependencies.
    Checking commands...
        Checked 24 commands.
    Checking time periods...
        Checked 5 time periods.
    Checking for circular paths between hosts...
    Checking for circular host and service dependencies...
    Checking global event handlers...
    Checking obsessive compulsive processor commands...
    Checking misc settings...

    Total Warnings: 0
    Total Errors:   0

    Things look okay - No serious problems were detected during the pre-flight check

By default it should run and you should be able to log in to the web interface after you create the nagiosadmin user.

    htpasswd -c /usr/local/nagios/etc/htpasswd.users nagiosadmin
    New password:
    Re-type new password:
    Adding password for user nagiosadmin

Now log in to the web interface with http://ip_address/nagios

Eliminating an HTTP Error

When you set up the Nagios server and either review your log files in /var/log/nagios/nagios.log or review the web interface, you may initially see an error related to the web server. The error is related to the fact that you do not have an index.html file. Note: If you do not see the error it is because you have the necessary files, so you can skip this step. Here is what it will look like in the log.

    Sep 26 10:00:18 nagios nagios: SERVICE ALERT: localhost;HTTP;WARNING;HARD;4;HTTP WARNING: HTTP/1.1 403 Forbidden - 5240 bytes in 0.001 second response time

Here is what it will look like in the web interface.

You can easily eliminate the error by creating an index.html file. Create a simple HTML file.

    vi /var/www/html/index.html

    <HTML>
    <BODY>
    Nagios Server
    </BODY>
    </HTML>

    chmod 755 /var/www/html/index.html
    chown apache:apache /var/www/html/index.html

These three definitions are all located in three separate files: hosts.cfg, services.cfg and commands.cfg. You may need to create hosts.cfg and services.cfg as they are not created by default. These files must be located in:

    /usr/local/nagios/etc/objects

Host Definition

Nagios needs to know an IP Address of the host you want to check. This is configured in the hosts.cfg file. The hosts.cfg file does not exist initially, so you will need to create it. In this example the host_name is win2008 and it is tied to the address 192.168.3.114. This is the information Nagios must have to know where to point a request and how to record information for a specific host.

Create the file, hosts.cfg, in /usr/local/nagios/etc/objects

    define host{
        use          windows-server
        host_name    win2008
        alias        Windows Server
        address      192.168.3.114
    }

Service Definition

The second part of the triangle is the service definition. Nagios needs to know what service you want to check, so that service or plugin must be defined. In this example the host win2008, which Nagios now knows is tied to the IP Address 192.168.3.114, is being checked with the ping plugin. So you can see the host_name determines which host the plugin acts upon, and the service_description is really the text that shows up in the web interface. The check_command defines the parameters of the plugin. Here you can see that check_ping is the plugin and it is followed by two different sections of options divided by !. The first section, 60.0,5%, provides a warning level if packets take longer than 60 milliseconds or if there is greater than a 5% loss of packets when the ping command is performed. The second section is the critical level, where a CRITICAL state will be created if packets take longer than 100 milliseconds or if there is more than 10% packet loss.

Create the file, services.cfg, in the /usr/local/nagios/etc/objects directory.

    define service{
        use                    generic-service
        host_name              win2008
        service_description    Ping
        check_command          check_ping!60.0,5%!100.0,10%
    }

Command Definition
The command definitions are located in the commands.cfg file which is created by default in the objects directory. Many commands are already defined so you do not have to do anything. The check_ping command is one example that has been defined. The command_name, check_ping, is what is part of the service definition. The command_line specifically defines where the plugin is located with the $USER1$ macro. This is equal to saying that the plugin check_ping is located in /usr/local/nagios/libexec (if you compiled). The other 4 options include the host, using the $HOSTADDRESS$ macro, a warning level (-w) using the $ARG1$ macro, the critical level (-c) using the $ARG2$ macro and the number of pings to use by default (-p 5).
Edit this file, /usr/local/nagios/etc/objects/commands.cfg, as it will be created by default.
# 'check_ping' command definition
define command{
    command_name   check_ping
    command_line   $USER1$/check_ping -H $HOSTADDRESS$ -w $ARG1$ -c $ARG2$ -p 5
}
In each of the elements of the Nagios triangle you can see the importance of the term "definition", as each element must be clearly defined and each element is dependent upon the other definitions.
Important:
You will have created two configuration files which did not exist previously. You must create a path to those files in the main nagios configuration file found at:
    /usr/local/nagios/etc/nagios.cfg
    cfg_file=/usr/local/nagios/etc/objects/hosts.cfg
    cfg_file=/usr/local/nagios/etc/objects/services.cfg
You will see other paths have also been created. Any time you create a new configuration file this should be entered in the nagios.cfg file.
Run the pre-flight check to verify all of the configuration files which exist in the /usr/local/nagios/etc/objects directory. This command reads and verifies the initial setup.
    nagios -v /usr/local/nagios/etc/nagios.cfg
Important paths to note when you compile Nagios on a CentOS server.
NAGIOS (Compile)
    Program Location      /usr/local/nagios/bin/nagios
    Configuration File    /usr/local/nagios/etc/nagios.cfg
    Plugins               /usr/local/nagios/libexec
NRPE (Compile)
    Program Location      /usr/local/nagios/bin/nrpe
    Configuration File    /usr/local/nagios/etc/nrpe.cfg
NSCA (Compile)
    Program Location      /usr/local/nagios/bin/nsca
    Configuration File    /usr/local/nagios/etc/nsca.cfg
WEB (Compile)
    Web Pages             /usr/local/nagios/share
    cgi Configuration     /usr/local/nagios/etc/cgi.cfg
Web Server
Program Location
CentOS
/usr/sbin/httpd
/etc/httpd/conf/httpd.conf
/etc/httpd/conf.d/nagios.cfg
/usr/local/nagios/libexec
cgi Files
htpasswd Database
Compile
/usr/local/nagios/etc
Administration Tasks
Authentication
Authentication is the process that allows users to access the web interface. Authentication is controlled by the use of a database using the htpasswd command. The database, called htpasswd.users, is located in the /usr/local/nagios/etc directory. The name and location of the database is determined by the configuration options found in /etc/httpd/conf.d/nagios.conf. In this example, from a CentOS install, you can see that several directories require authentication from this database.
ScriptAlias /nagios/cgi-bin "/usr/local/nagios/sbin"
<Directory "/usr/local/nagios/sbin">
#  SSLRequireSSL
   Options ExecCGI
   AllowOverride None
   Order allow,deny
   Allow from all
#  Order deny,allow
#  Deny from all
#  Allow from 127.0.0.1
   AuthName "Nagios Access"
   AuthType Basic
   AuthUserFile /usr/local/nagios/etc/htpasswd.users
   Require valid-user
</Directory>
Alias /nagios "/usr/local/nagios/share"
<Directory "/usr/local/nagios/share">
#  SSLRequireSSL
   Options None
   AllowOverride None
   Order allow,deny
   Allow from all
#  Order deny,allow
#  Deny from all
#  Allow from 127.0.0.1
   AuthName "Nagios Access"
   AuthType Basic
   AuthUserFile /usr/local/nagios/etc/htpasswd.users
   Require valid-user
</Directory>
Access is maintained through the database, but the permissions a user has once they authenticate are determined by contacts, contact groups and cgi permissions determined from the cgi.cfg file. An important point to remember when setting up permissions is that the contact is only able to see the host or service that they are responsible for. Make sure contact names match the user created for access to the web interface.
These settings represent the default settings in the /usr/local/nagios/etc/cgi.cfg file for permissions to the web interface. The user nagiosadmin is the default nagios user with access and unlimited permissions to the web interface. The defaults demonstrate why it is so important to correctly set up the nagiosadmin user as part of the initial configuration.
use_authentication=1
use_ssl_authentication=0
#default_user_name=guest
authorized_for_system_information=nagiosadmin
authorized_for_configuration_information=nagiosadmin
authorized_for_system_commands=nagiosadmin
authorized_for_all_services=nagiosadmin
authorized_for_all_hosts=nagiosadmin
authorized_for_all_service_commands=nagiosadmin
authorized_for_all_host_commands=nagiosadmin
#authorized_for_read_only=user1,user2
Scenario: Turn Off All Authentication
Turning off all authentication is not recommended under any circumstances. It is only demonstrated here in order to aid in the understanding of how Nagios authentication works. These changes allow anyone to make changes to the Nagios interface, hosts and services.
Security Tip
Warning, this is a serious security issue and should not be implemented.
There are two steps required to turn off all security. Edit the cgi.cfg file located in /usr/local/nagios/etc and change use_authentication to 0.
use_authentication=0
The second step required is to access the /etc/httpd/conf.d/nagios.conf file and comment out the lines that require authentication for the Nagios directories.
ScriptAlias /nagios/cgi-bin "/usr/local/nagios/sbin"
<Directory "/usr/local/nagios/sbin">
#  SSLRequireSSL
   Options ExecCGI
   AllowOverride None
   Order allow,deny
   Allow from all
#  Order deny,allow
#  Deny from all
#  Allow from 127.0.0.1
#  AuthName "Nagios Access"
#  AuthType Basic
#  AuthUserFile /usr/local/nagios/etc/htpasswd.users
#  Require valid-user
</Directory>
Alias /nagios "/usr/local/nagios/share"
<Directory "/usr/local/nagios/share">
#  SSLRequireSSL
   Options None
   AllowOverride None
   Order allow,deny
   Allow from all
#  Order deny,allow
#  Deny from all
#  Allow from 127.0.0.1
#  AuthName "Nagios Access"
#  AuthType Basic
#  AuthUserFile /usr/local/nagios/etc/htpasswd.users
#  Require valid-user
</Directory>
Restart Nagios and the web server.
Scenario: Create a View Only Account
This scenario will create a user that can view all hosts and services but is not allowed to make any changes to those hosts or services. These are typically the settings you may choose for management to review the status of hosts and services.
Create the user in the htpasswd.users database.
    htpasswd htpasswd.users management
    New password:
    Retype new password:
Make modifications to the /usr/local/nagios/etc/cgi.cfg file by adding the user separated by a comma, without spaces. The user has global access, which means they are not required to be listed as contacts for hosts and services. The user is also added to the read only list.
authorized_for_all_services=nagiosadmin,management
authorized_for_all_hosts=nagiosadmin,management
authorized_for_read_only=management
Restart Nagios and the web server.
Scenario: Create System Administrator with No Contact Information
In this scenario the settings will allow a user to have full access to all settings on all hosts and services just like the nagiosadmin user. However, this user is not associated with any contact information so will not be notified at any time. This account is strictly administration only.
    htpasswd htpasswd.users john
    New password:
    Retype new password:
Edit the cgi.cfg file and add john to each of the lists indicated below.
authorized_for_system_information=nagiosadmin,john
authorized_for_configuration_information=nagiosadmin,john
authorized_for_system_commands=nagiosadmin,john
authorized_for_all_services=nagiosadmin,john
authorized_for_all_hosts=nagiosadmin,john
authorized_for_all_service_commands=nagiosadmin,john
authorized_for_all_host_commands=nagiosadmin,john
Restart Nagios and the web server.
Scenario: Create an Administrator with Limited Access
This user will only be allowed to access the hosts and services that they are associated with via contact information. This may be the type of settings used when an organization has divided responsibilities for routers, Windows servers and Linux servers, for example.
    htpasswd htpasswd.users sue
    New password:
    Retype new password:
Create a new contact entry in contacts.cfg and specify the contact_name, alias and email contact information for the user.
define contact{
    contact_name   sue
    use            generic-contact
    alias          Router Admin
    email          sue@example.com
}
Add the user to a group or create a new group in the contacts.cfg file. This example shows a user added to a new contact group called routeradmins. Creating a new group enables an administrator to assign that group to a series of devices, like routers.
define contactgroup{
    contactgroup_name   routeradmins
    alias               Router Administrators
    members             sue
}
At this point you will need to edit the hosts and services and add the contact_groups routeradmins, which will override the default settings in the template. This will give only those users in this contact group access to these hosts and services, unless they have global access from the cgi.cfg file.
define host{
    use              generic-switch
    host_name        cisco
    alias            cisco router
    address          192.168.5.220
    contact_groups   routeradmins
}
define service{
    use                     generic-service
    host_name               cisco
    service_description     PING
    check_command           check_ping!200.0,20%!600.0,60%
    normal_check_interval   5
    retry_check_interval    1
    contact_groups          routeradmins
}
Restart Nagios and the web server.
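One way to check a server for the states these scenarios describe: authentication switched off in cgi.cfg, a Nagios directory served without Require valid-user, and a name in an authorized_for_ list that has no entry in htpasswd.users. This is an added example, not part of the original guide; the function names and the sample file contents are constructed for illustration.

```python
import re

DIR_OPEN = re.compile(r'<Directory\s+"?([^">]+)"?\s*>', re.IGNORECASE)

# Constructed sample inputs in the format shown in this guide.
SAMPLE_CGI_CFG = """\
use_authentication=0
authorized_for_system_information=nagiosadmin,john
authorized_for_configuration_information=nagiosadm,john
authorized_for_all_hosts=nagiosadmin,john
#authorized_for_read_only=user1,user2
"""
SAMPLE_APACHE_CONF = """\
ScriptAlias /nagios/cgi-bin "/usr/local/nagios/sbin"
<Directory "/usr/local/nagios/sbin">
   Options ExecCGI
   Order allow,deny
   Allow from all
#  AuthName "Nagios Access"
#  AuthType Basic
#  AuthUserFile /usr/local/nagios/etc/htpasswd.users
#  Require valid-user
</Directory>
Alias /nagios "/usr/local/nagios/share"
<Directory "/usr/local/nagios/share">
   Options None
   AuthName "Nagios Access"
   AuthType Basic
   AuthUserFile /usr/local/nagios/etc/htpasswd.users
   Require valid-user
</Directory>
"""
SAMPLE_HTPASSWD = "nagiosadmin:CONSTRUCTED-HASH\njohn:CONSTRUCTED-HASH\n"


def parse_cgi_cfg(text):
    """Return key -> value for every active (uncommented) line of cgi.cfg."""
    settings = {}
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#") and "=" in line:
            key, value = line.split("=", 1)
            settings[key.strip()] = value.strip()
    return settings


def htpasswd_users(text):
    """User names are the part of each htpasswd line before the first colon."""
    return {line.split(":", 1)[0] for line in text.splitlines() if ":" in line}


def unprotected_directories(apache_conf):
    """Paths of <Directory> blocks lacking an active AuthUserFile and Require valid-user."""
    exposed, path, active = [], None, set()
    for line in apache_conf.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue  # a commented-out directive protects nothing
        opened = DIR_OPEN.match(line)
        if opened:
            path, active = opened.group(1), set()
        elif line.lower() == "</directory>" and path is not None:
            if not {"authuserfile", "require valid-user"} <= active:
                exposed.append(path)
            path = None
        elif path is not None:
            words = line.lower().split()
            active.add(words[0])
            active.add(" ".join(words[:2]))
    return exposed


def audit(cgi_cfg, apache_conf, htpasswd):
    """Return a list of findings; an empty list means none of the three states was seen."""
    settings = parse_cgi_cfg(cgi_cfg)
    findings = []
    if settings.get("use_authentication") != "1":
        findings.append("cgi.cfg: use_authentication is not 1")
    for path in unprotected_directories(apache_conf):
        findings.append(f"apache: {path} is served without Require valid-user")
    allowed = htpasswd_users(htpasswd) | {"*"}  # "*" in cgi.cfg means any authenticated user
    for key, value in sorted(settings.items()):
        if not key.startswith("authorized_for_"):
            continue
        for name in (n.strip() for n in value.split(",")):
            if name and name not in allowed:
                findings.append(
                    f"cgi.cfg: {key} lists {name!r}, which has no entry in htpasswd.users")
    return findings


if __name__ == "__main__":
    for finding in audit(SAMPLE_CGI_CFG, SAMPLE_APACHE_CONF, SAMPLE_HTPASSWD):
        print(finding)
```

On a real server, read /usr/local/nagios/etc/cgi.cfg, /etc/httpd/conf.d/nagios.conf and /usr/local/nagios/etc/htpasswd.users and pass their contents to audit().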
Scheduled Downtime
If you are going to work on a server or device and need to schedule downtime so Nagios does not notify administrators, that can be performed at the web interface. When you select the host or service that will be down you have an option to schedule downtime. When downtime is scheduled Nagios will place a comment in the web interface in order to communicate the fact to all administrators who access the web interface.
There are two types of downtime. Fixed downtime allows for an exact start and end time when the host or service will be unavailable. Flexible downtime allows for a start time but an open-ended startup time, as the exact time cannot be determined based on the nature of the situation.
Triggered downtime is when the downtime of a parent will trigger downtime for all of its children. In other words, the downtime for a switch will impact all of the devices connected to it.
Scheduling Downtime for a Host
In order to schedule downtime for a host, select host details from the web interface. On the right hand side you will notice the yellow clocks that permit scheduling for hosts or services. Select the host option.
Once you have selected the host, Command Options appears and provides a place to explain the downtime to other administrators in the comment area, which is a good idea in most situations. If you select a Fixed time you will enter the start and end of the downtime. If this machine provides network connections for other devices you may want to notify downstream devices with a "triggered by" option that is created by this device going down. Or you may choose to do nothing.
On the Nagios interface on the left menu, if you select Downtime you will see a list of all scheduled downtimes for hosts and services. Remember it may take a few minutes to allow the devices to show up.
Here is how the host looks with downtime (this is the Exfoliation front end); note the yellow clock, which is an indicator of scheduled downtime.
If you select the clock you will see that the details on the host list it as being in a scheduled downtime.
At this point it will be listed in the Downtime menu. Note you can cancel by deleting the downtime.
Notifications and Downtime
Notifications for downtime should stop in the downtime period. If the notifications do not stop, verify that you do not have the d option set for your contacts. The d option will send notifications on downtime.
Host Groups
Often you will want to create a group of devices that have similar monitoring needs. The host group allows you to then create service checks that monitor all of the devices in the host group. Specifically, what this means is that the services defined for the group will be available for all hosts in the group without making individual configurations. Nagios will also list the hosts together in the web interface if they are in the same host group.
Define Each Host
In order to set up a host group, each server must be defined as a host. In this example, 3 Ubuntu servers are defined.
define host{
    use         linux-server
    host_name   ub
    alias       Ubuntu Server
    address     192.168.5.180
}
define host{
    use         linux-server
    host_name   ub1
    alias       Ubuntu Server
    address     192.168.5.181
}
define host{
    use         linux-server
    host_name   ub3
    alias       Ubuntu Server
    address     192.168.5.183
}
Define Host Groups
Create hostgroups.cfg in the objects directory and create an entry in nagios.cfg for the location of hostgroups.cfg.
    cfg_file=/usr/local/nagios/etc/objects/hostgroups.cfg
Define the host group. In this example the host group ubuntu_servers is defined with the three members that were defined in the hosts.cfg file.
define hostgroup{
    hostgroup_name   ubuntu_servers
    alias            Ubuntu Servers
    members          ub,ub1,ub3
}
Define Services for the Group
The advantage of the host group is that you can create one service definition and add that to the whole group of servers. This is exactly the same as a regular service definition except you use hostgroup_name instead of host_name.
define service{
    use                   generic-service
    hostgroup_name        ubuntu_servers
    service_description   Ping
    check_command         check_ping!60.0,5%!100.0,10%
}
define service{
    use                   generic-service
    hostgroup_name        ubuntu_servers
    service_description   SSH Server
    check_command         check_tcp!22
}
define service{
    use                   generic-service
    hostgroup_name        ubuntu_servers
    service_description   Web Server
    check_command         check_tcp!80
}
Now if you go to the web interface and select Hostgroups you will have a group of servers that are all related with the same service checks.
If you want to add individual service checks for one of the servers in the host group, that would be done as a regular service definition using the host.
Service Groups
Nagios combines devices that are checking the same services into a group in order to make the setup faster and more efficient. This allows an administrator to group machines based on services. Each of these services must be configured as service checks for each host. Once that is complete the services may be grouped in servicegroups.cfg. The other major advantage is that the administrator may manage all those in the service group with service group commands in the web interface.
You will need to create a file called servicegroups.cfg and put an entry in nagios.cfg to indicate where it is. Note the entries are in pairs (first host, then service): host,service,host2,service2.
define servicegroup{
    servicegroup_name   web
    alias               Web Servers
    members             ub,HTTP,ub1,HTTP,ub3,HTTP
}
Define each host with a normal service check.
define service{
    use                   generic-service
    host_name             ub
    service_description   HTTP
    check_command         check_http
}
define service{
    use                   generic-service
    host_name             ub1
    service_description   HTTP
    check_command         check_http
}
define service{
    use                   generic-service
    host_name             ub3
    service_description   HTTP
    check_command         check_http
}
This now allows the administrator to group these services and view them as a group when Service Groups is selected in the web interface.
Monitoring Public Ports
OK          the status is as expected
WARNING     a warning limit has been reached
CRITICAL    a critical limit has been reached
UNKNOWN     the status is unknown, misconfiguration
In order for Nagios to provide these four levels of status settings, warning and critical limits must be established. An important aspect of setting these limits is that each network will have different equipment and varying needs, so these settings should reflect the individual network. Another setting
Typical Options
    -h, --help
        Print detailed help screen
    -V, --version
        Print version information
    -H, --hostname=ADDRESS
        Host name, IP Address, or unix socket (must be an absolute path)
    -w, --warning=DOUBLE
        Response time to result in warning status (seconds)
    -c, --critical=DOUBLE
        Response time to result in critical status (seconds)
    -t, --timeout=INTEGER
        Seconds before connection times out (default: 10)
    -v, --verbose
        Show details for command-line debugging (Nagios may truncate output)
    -4, --use-ipv4
        Use IPv4 connection
    -6, --use-ipv6
        Use IPv6 connection
check_tcp, check_udp
    -p, --port=INTEGER
        Port number (default: none)
    -E, --escape
        Can use \n, \r, \t or \ in send or quit string. Must come before send or quit option. Default: nothing added to send, \r\n added to end of quit
    -s, --send=STRING
        String to send to the server
    -e, --expect=STRING
        String to expect in server response (may be repeated)
    -A, --all
        All expect strings need to occur in server response. Default is any
    -q, --quit=STRING
        String to send server to initiate a clean close of the connection
    -r, --refuse=ok|warn|crit
        Accept TCP refusals with states ok, warn, crit (default: crit)
    -M, --mismatch=ok|warn|crit
        Accept expected string mismatches with states ok, warn, crit (default: warn)
    -j, --jail
        Hide output from TCP socket
    -m, --maxbytes=INTEGER
        Close connection once more than this number of bytes are received
    -d, --delay=INTEGER
        Seconds to wait between sending string and polling for response
    -D, --certificate=INTEGER
        Minimum number of days a certificate has to be valid.
    -S, --ssl
        Use SSL for the connection.
check_ping
Ping is a standard method of checking to see if a network device is up.
Unique Options
    -p, --packets=INTEGER
        number of ICMP ECHO packets to send (Default: 5)
Here is a service definition with a warning level of 60 milliseconds or 5% packet loss and a critical level of 100 milliseconds or 10% loss. This demonstrates that the settings need to be specific to the device or the network, as networks vary. The default is 5 packets in the ping.
define service{
    use                   generic-service
    host_name             centos
    service_description   Ping
    check_command         check_ping!60.0,5%!100.0,10%
}
The command definition can include the settings for warning and critical level if you want to make them standard for all uses of ping on a network.
define command{
    command_name   check-host-alive
    command_line   $USER1$/check_ping -H $HOSTADDRESS$ -w 3000.0,80% -c 5000.0,100% -p 5
}
check_tcp
This plugin will provide the flexibility you need if you need to monitor a port just to verify that the port is available. Here is an example of portmap service checks.
define service{
    use                   generic-service
    host_name             centos
    service_description   Portmap
    check_command         check_tcp!111
}
define command{
    command_name   check_tcp
    command_line   $USER1$/check_tcp -H $HOSTADDRESS$ -p $ARG1$ $ARG2$
}
Note that a common problem with check_tcp is that often the -p is added to the service definition. This will create the error "Port must be a positive integer" if the command definition already has the -p.
If you have any problems, run the command from the command line to experiment.
    ./check_tcp -H 192.168.5.1 -p 111
    TCP OK - 0.000 second response time on port 111|time=0.000386s;;;0.000000;10.000000
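To see how a check_command turns into the command line Nagios runs, and why a -p placed in the service definition collides with the -p already in the check_tcp command definition, the macro substitution can be reproduced offline. This is an added example, not code from the guide or from Nagios; expand() and duplicated_options() are illustrative names, the definitions are copied inline from this guide, and shlex is used only to approximate how the final line splits into arguments.

```python
import re
import shlex

# Command definitions as shown in this guide, embedded inline (not read from commands.cfg).
COMMANDS = {
    "check_ping": "$USER1$/check_ping -H $HOSTADDRESS$ -w $ARG1$ -c $ARG2$ -p 5",
    "check_tcp": "$USER1$/check_tcp -H $HOSTADDRESS$ -p $ARG1$ $ARG2$",
}
# $USER1$ is the plugin directory for a compiled install, as the guide states.
USER_MACROS = {"USER1": "/usr/local/nagios/libexec"}

MACRO = re.compile(r"\$([A-Z0-9]+)\$")


def expand(check_command, host_address, commands=COMMANDS, user_macros=USER_MACROS):
    """Turn a service's check_command into the argument list that would be executed."""
    # The text before the first "!" names the command; each later field is $ARG1$, $ARG2$, ...
    name, *args = check_command.split("!")
    if name not in commands:
        raise KeyError(f"no command definition named {name!r}")
    values = dict(user_macros, HOSTADDRESS=host_address)
    for position, arg in enumerate(args, start=1):
        values[f"ARG{position}"] = arg

    def substitute(match):
        # A macro with no value (for example an unused $ARG2$) is treated as empty here.
        return values.get(match.group(1), "")

    return shlex.split(MACRO.sub(substitute, commands[name]))


def duplicated_options(argv, takes_value=("-H", "-w", "-c", "-p")):
    """Options that are followed by another option (or nothing) instead of their value."""
    problems = []
    for option, following in zip(argv[1:], argv[2:] + [""]):
        if option in takes_value and (following == "" or following.startswith("-")):
            problems.append(option)
    return problems


if __name__ == "__main__":
    for check in ("check_ping!60.0,5%!100.0,10%", "check_tcp!111", "check_tcp!-p 111"):
        argv = expand(check, "192.168.5.1")
        print(check, "->", " ".join(argv), "| problems:", duplicated_options(argv))
```

The third case expands to "-p -p 111", so the plugin receives "-p" as the port value, which is the situation behind the "Port must be a positive integer" error.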
check_http
A common public port that is often checked is port 80, HTTP. There are a significant number of options with this plugin to get as much out of it as possible.
    -I, --IP-address=ADDRESS
        IP address or name (use numeric address if possible to bypass DNS lookup).
    -p, --port=INTEGER
        Port number (default: 80)
    -S, --ssl
        Connect via SSL. Port defaults to 443
    --sni
        Enable SSL/TLS hostname extension support (SNI)
    -C, --certificate=INTEGER
        Minimum number of days a certificate has to be valid. Port defaults to 443
    -e, --expect=STRING
        Comma-delimited list of strings, at least one of them is expected in the first (status) line of the server response (default: HTTP/1.) If specified skips all other status line logic (ex: 3xx, 4xx, 5xx processing)
    -s, --string=STRING
        String to expect in the content
    -u, --url=PATH
        URL to GET or POST (default: /)
    -P, --post=STRING
        URL encoded http POST data
    -j, --method=STRING
        (HEAD, OPTIONS, TRACE, PUT, DELETE) Set HTTP method.
    -N, --no-body
        Don't wait for document body: stop reading after headers.
    -M, --max-age=SECONDS
        Warn if document is more than SECONDS old. The number can also be of the form "10m" for minutes, "10h" for hours, or "10d" for days.
    -T, --content-type=STRING
        specify Content-Type header media type when POSTing
    -l, --linespan
        Allow regex to span newlines (must precede -r or -R)
    -r, --regex, --ereg=STRING
        Search page for regex STRING
    -R, --eregi=STRING
        Search page for case-insensitive regex STRING
    --invert-regex
        Return CRITICAL if found, OK if not
    -a, --authorization=AUTH_PAIR
        Username:password on sites with basic authentication
    -b, --proxy-authorization=AUTH_PAIR
        Username:password on proxy servers with basic authentication
    -A, --useragent=STRING
        String to be sent in http header as "User Agent"
    -k, --header=STRING
        Any other tags to be sent in http header. Use multiple times for additional headers
    -L, --link
        Wrap output in HTML link (obsoleted by urlize)
    -f, --onredirect=<ok|warning|critical|follow|sticky|stickyport>
    -m, --pagesize=INTEGER<:INTEGER>
        Minimum page size required (bytes) : Maximum page size required (bytes)
This is the standard way to use check_http. It checks to verify communication is available on port 80 of a web server. This is, in fact, a better check on the server than check_ping, which can only determine if the server is up. This simple check provides some peace of mind and a place to start.
define service{
    use                   generic-service
    host_name             centos
    service_description   HTTP
    check_command         check_http
}
These two checks are related to the SSL options with the web server. Note that the checks change to port 443 if you use the --ssl option. They are testing to see if the web server can serve secure pages and if the web server certificate is valid for the next 21 days. The first check will test for a response within a limited time frame, 5 seconds for a warning or more than 10 seconds for a critical state.
define service{
    use                   generic-service
    host_name             centos
    service_description   Secure HTTP
    check_command         check_http!-w 5 -c 10 --ssl
}
This check is focused on the certificate. In this example, if the certificate is good for more than 21 days an OK is returned. A warning state is triggered if the certificate has less than 21 days before it expires. A critical state is triggered when the certificate has expired.
define service{
    use                   generic-service
    host_name             centos
    service_description   Certificate
    check_command         check_http!-C 21
}
Both of the service checks above will return the following output in the Nagios web interface.
    OK - Certificate will expire on 05/25/2012 23:59.
This usage of check_http allows you to check to see if a directory requiring authorization with user name and password is working correctly. Note that check_http has been redefined to check_http_auth so that additional arguments can be used. The service definition includes the IP Address of the server, the directory that requires authentication (-u /sales) and the user name and password required to access the directory. Each is separated by a "!". Note the command definition included.
define service{
    use                   generic-service
    host_name             centos
    service_description   Sales Authorization
    check_command         check_http_auth!192.168.5.1 -u /sales!tom!user_password
}
define command{
    command_name   check_http_auth
    command_line   $USER1$/check_http -H $ARG1$ -a $ARG2$:$ARG3$
}
If the user login is not correct, a warning will be issued with the "401 Authorization Required". This enables you to verify password changes and integrity. However, leaving a plain text password in the Nagios config files is not the best idea.
Monitor Linux with NRPE
    cd /usr/local/src
    wget http://sourceforge.net/projects/nagios/files/nrpe-2.x/nrpe-2.12/nrpe-2.12.tar.gz/download
    tar zxvf nrpe-2.12.tar.gz
    cd nrpe-2.12
You will need to install support for ssl, xinetd and compiling tools.
    yum install -y mod_ssl openssl-devel xinetd gcc make
    ./configure --with-ssl=/usr/bin/openssl --with-ssl-lib=/usr/lib
    *** Configuration summary for nrpe 2.12 03-10-2008 ***:
    General Options:
    NRPE port: 5666
    NRPE user: nagios
    NRPE group: nagios
    Nagios user: nagios
    Nagios group: nagios
    make
    make install
    make install-plugin
    make install-daemon
    make install-daemon-config
    make install-xinetd
Install the Daemon xinetd
The xinetd super daemon has replaced inetd on most Linux distributions today. xinetd has become more popular because of security restrictions that can be placed on those who access the daemons managed by xinetd. xinetd also provides better protection from denial of service attacks, better log management, and more flexibility. Both inetd and xinetd only work with daemons that provide connections over a network.
How to Protect the NRPE Daemon
Server daemons must be protected to be effective. There is no perfect or complete option, but there are definite ways to minimize the risk.
1. Limit Connections to Daemons
   Connections to daemons can be limited by using several powerful tools. The iptables firewall is probably the most flexible and powerful tool that an administrator has access to. However, it is at the same time the most complex. Tcp_wrappers is a tool that is easy to use and works with most daemons to limit access to daemons to specific subnets or IP Addresses.
2. Limit the Number of Connections
   Your network and hardware can only handle a limited number of connections safely. When connections push your resources to the limit you will often see vulnerabilities appear that would not normally exist. When resources begin to fail, some options and security programs cannot function to their full extent.
You will need to install xinetd and make sure you have a file in /etc/xinetd.d called nrpe on the client and it looks like this:
# default: off
# description: NRPE (Nagios Remote Plugin Executor)
service nrpe
{
    flags           = REUSE
    type            = UNLISTED
    port            = 5666
    socket_type     = stream
    wait            = no
    user            = nagios
    group           = nagios
    server          = /usr/sbin/nrpe
    server_args     = -c /usr/local/nagios/etc/nrpe.cfg --inetd
    log_on_failure  += USERID
    disable         = no
    only_from       = 127.0.0.1 192.168.5.50
}
These are the two most important lines. By default all daemons monitored by xinetd are disabled, so the default line says disable = yes. The only_from line allows you to determine which machines can monitor this server using NRPE; this is where you will enter the IP Address for the Nagios server as well as the localhost.
    disable         = no
    only_from       = 127.0.0.1 192.168.5.50
Edit /etc/services and add this line:
    nrpe 5666/tcp # Nagios Remote Monitoring
Restart xinetd and view the log at /var/log/daemon.log
    service xinetd restart
    tail /var/log/daemon.log
Look for errors to correct.
Edit the /usr/local/nagios/etc/nrpe.cfg.
Change your allowed_hosts address to reflect the nagios monitoring server. You should also allow the localhost so that you can do testing if necessary.
allowed_hosts=127.0.0.1,192.168.5.180
The basic plugins that are running for you initially are these listed below.
command[check_users]=/usr/local/nagios/libexec/check_users -w 5 -c 10
command[check_load]=/usr/local/nagios/libexec/check_load -w 15,10,5 -c 30,25,20
command[check_hda1]=/usr/local/nagios/libexec/check_disk -w 20 -c 10 -p /dev/hda1
command[check_zombie_procs]=/usr/local/nagios/libexec/check_procs -w 5 -c 10 -s Z
command[check_total_procs]=/usr/local/nagios/libexec/check_procs -w 150 -c 200
Change ownership on the /usr/local/nagios/etc/nrpe.cfg
    chown nagios /usr/local/nagios/etc/nrpe.cfg*
Firewall
You will need to verify that the firewall will allow your Nagios server to access the Linux server you are testing on port 5666.
If the Linux server to be monitored is CentOS it probably has the lokkit interface to manage the firewall. At the command line type:
    lokkit
The firewall interface will open so you can manage the ports that are open on the Linux machine. Use the tab key to go to the Customize option.
The ports you want to enter that are not in the default options can be added by using the port number followed by a colon and whether it is tcp or udp. In this example 5666:tcp has been added to enable the Nagios server access on this port.
Save your changes.
tcp_wrappers
Now set up your tcp_wrappers.
Edit the /etc/hosts.allow file first and make sure that you maintain your SSH connection to manage the server and then add a line for NRPE for your Nagios server to have access.
# hosts.allow   This file describes the names of the hosts which are
#               allowed to use the local INET services, as decided
#               by the '/usr/sbin/tcpd' server.
#
SSHD: 192.168.5.51
NRPE: 192.168.5.51
Now edit /etc/hosts.deny. Use the one line to deny ALL hosts and ALL services. This will then only allow what is in /etc/hosts.allow.
# The portmap line is redundant, but it is left to remind you that
# the new secure portmap uses hosts.deny and hosts.allow. In particular
# you should know that NFS uses portmap!
ALL: ALL
This completes the basic configuration of the host that you will monitor.
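Because the xinetd only_from line and /etc/hosts.allow are separate allow-lists, the Nagios server's address has to appear in both before a check can get through. The following added example (not part of the original guide) reports, per layer, whether a given client address is admitted. It assumes xinetd is built with tcp_wrappers support, that /etc/hosts.deny contains ALL: ALL as above, and that only numeric IPv4 addresses, CIDR networks (only_from) and trailing-dot prefixes (hosts.allow) are used; the function names and the sample file contents are constructed for illustration.

```python
import ipaddress

# Constructed samples in the format used above; the two files deliberately
# name different Nagios server addresses to show what a mismatch looks like.
SAMPLE_XINETD = """\
service nrpe
{
    port        = 5666
    disable     = no
    only_from   = 127.0.0.1 192.168.5.50
}
"""
SAMPLE_HOSTS_ALLOW = """\
# hosts.allow
SSHD: 192.168.5.51
NRPE: 192.168.5.51
"""


def xinetd_only_from(service_text):
    """Networks from the only_from line(s), or None when the attribute is absent."""
    nets = None
    for line in service_text.splitlines():
        key, sep, value = line.partition("=")
        # Accept both "only_from = ..." and "only_from += ...".
        if sep and key.strip().rstrip("+").strip() == "only_from":
            nets = (nets or []) + [
                ipaddress.ip_network(token, strict=False) for token in value.split()]
    return nets


def hosts_allow_patterns(text, daemon):
    """Client patterns that hosts.allow grants to one daemon (names match case-insensitively)."""
    patterns = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if ":" not in line:
            continue
        daemons, clients = line.split(":", 1)
        names = {d.lower() for d in daemons.replace(",", " ").split()}
        if daemon.lower() in names or "all" in names:
            # Anything after a second colon is an option field, not a client.
            patterns += clients.split(":", 1)[0].replace(",", " ").split()
    return patterns


def wrapper_allows(client, patterns):
    """True if a literal address, a trailing-dot prefix or ALL matches the client."""
    for pattern in patterns:
        if pattern.upper() == "ALL" or pattern == client:
            return True
        if pattern.endswith(".") and client.startswith(pattern):
            return True
    return False


def nrpe_access(client, xinetd_text, hosts_allow_text, daemon="nrpe"):
    """Report, layer by layer, whether a client address may reach NRPE on port 5666."""
    address = ipaddress.ip_address(client)
    nets = xinetd_only_from(xinetd_text)
    layers = {
        # With no only_from attribute xinetd applies no address restriction.
        "xinetd only_from": True if nets is None else any(address in n for n in nets),
        "tcp_wrappers hosts.allow": wrapper_allows(
            client, hosts_allow_patterns(hosts_allow_text, daemon)),
    }
    layers["reachable"] = all(layers.values())
    return layers


if __name__ == "__main__":
    for candidate in ("192.168.5.50", "192.168.5.51"):
        print(candidate, nrpe_access(candidate, SAMPLE_XINETD, SAMPLE_HOSTS_ALLOW))
```

With the sample files neither address passes both layers; once the same Nagios server address is listed in both files, "reachable" becomes True for it.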
    cd /usr/local/src
    wget http://sourceforge.net/projects/nagios/files/nrpe-2.x/nrpe-2.12/nrpe-2.12.tar.gz/download
    tar zxvf nrpe-2.12.tar.gz
    cd nrpe-2.12
You will need to install support for ssl, xinetd and compiling tools.
    yum install -y mod_ssl openssl-devel xinetd gcc make
    ./configure --with-ssl=/usr/bin/openssl --with-ssl-lib=/usr/lib
    *** Configuration summary for nrpe 2.12 03-10-2008 ***:
    General Options:
    NRPE port: 5666
    NRPE user: nagios
    NRPE group: nagios
    Nagios user: nagios
    Nagios group: nagios
    make
    make install
    make install-plugin
Do a Manual Check of the Remote Host
In order to verify that the remote host is functioning correctly, do a manual check. Remember to allow port 5666/tcp on the remote host. Use the full path to check if the Nagios server can contact the remote host.
    /usr/local/nagios/libexec/./check_nrpe -H 192.168.5.49 -c check_users
    USERS OK - 2 users currently logged in |users=2;5;10;0
If you see output that is similar, it is functioning correctly.
Create the Host Files
In order to monitor remote Linux boxes you will need to set up your template called linuxbox or use a template that is already available. Then you will need to create a host entry for each remote box you will monitor.
define host{
    name                    linuxbox
    use                     generic-host
    check_period            24x7
    check_interval          5
    retry_interval          1
    max_check_attempts      10
    check_command           check-host-alive
    notification_period     24x7
    notification_interval   30
    contact_groups          admins
    register                0
}
define host{
    use         linuxbox
    host_name   dg
    alias       Base
    address     192.168.5.178
}
Configure Services
Each service you want to monitor on the remote host must be entered individually. Here is an example of monitoring CPU load on the host dg. Note: The service_description should be entered carefully as you may decide to use other addons for Nagios that are case sensitive to the names of the services. The check_nrpe command is used to access the remote server, execute the Nagios plugin that is on the remote server and retrieve the information.
define service{
    use                   generic-service
    host_name             dg
    service_description   CPU Load
    check_command         check_nrpe!check_load
}
Once this is complete you must restart your nagios server with:
    service nagios restart
If you get errors, correct them.
Now you can check your connection by running the following command and using the IP Address of the remote box you want to monitor. You should get the return NRPE and version number if all is working.
    /usr/local/nagios/libexec/./check_nrpe -H 192.168.5.178
    NRPE v2.12
If you get this return then you have communication between the Nagios monitoring server and the remote host.
Create the NRPE Command Definitions
Before you can execute commands for NRPE on the Nagios server you will need to edit commands.cfg and define the commands for NRPE. Here are two examples that you can use.
# NRPE Commands
define command{
    command_name   check_nrpe
    command_line   $USER1$/check_nrpe -H $HOSTADDRESS$ -c $ARG1$
}
define command{
    command_name   check_nrpe2
    command_line   $USER1$/check_nrpe -H $HOSTADDRESS$ -c $ARG1$ -a $ARG2$
}
ConfiguretheChecks
OntheNagiosserveryoucanmonitorallofthedefaultsbyplacingtheinformationinyourservicesfile.
defineservice{
usegenericservice
host_nameclass
service_descriptionCPULoad
check_commandcheck_nrpe!check_load
}
defineservice{
usegenericservice
host_nameclass
service_descriptionUserLoad
check_commandcheck_nrpe!check_users
}
defineservice{
usegenericservice
host_nameclass
service_descriptionCheckhda1
check_commandcheck_nrpe!check_hda1
}
define service{
    use                     generic-service
    host_name               class
    service_description     Check Zombies
    check_command           check_nrpe!check_zombie_procs
}
define service{
    use                     generic-service
    host_name               class
    service_description     Check Processes
    check_command           check_nrpe!check_total_procs
}

Once you have added these to your server, restart Nagios and you should see that they are working.
Monitoring Windows with NSClient++
Installation of NSClient++

Log in as the Administrator to the server.
Create a directory under the C:\ drive and download NSClient++ into that drive. Unzip the file and enter the directory that was created.
Once you install you will have to make a note of the location of the install directory path.
Here are the contents of the directory.
On the Windows machine place the path for the .exe file in the run command and install the program.

C:\NSClient++Win320.3.8\NSClient++.exe /install

You will see a security warning, but continue the install.
Now start the program; note that your path may be different.

C:\NSClient++Win320.3.8\NSClient++.exe /start
In order to stop the program use this command.

C:\NSClient++Win320.3.8\NSClient++.exe /stop

You can test with:

C:\NSClient++Win320.3.8\NSClient++.exe /test

If you make any changes to the configuration, stop the service and restart it.
Edit the NSC.ini file that is in the NSClient directory. Note that the file is divided by keywords placed in brackets. First go to the [modules] section and edit the checks that you want to use. Uncomment the lines that you see below. The FileLogger.dll will log the activities of NSClient++. CheckDisk.dll will check for file size and hard disk use. The CheckSystem.dll will check for memory, uptime, service stats and processes. You will also need to uncomment the NSClientListener.dll and the NRPEListener.dll in order to communicate with Nagios.
In order to use some of the options available with NSClient++ you need to allow additional features. There are characters that need to be used with commands, |`&<>'\[]{}, that you will want to allow with nasty_meta_chars. The allow_arguments option will allow NRPE parameters to be passed along. There are some security issues with enabling this option, so you need to consider that factor.
Go to the global section, [Settings], and be sure to limit access to the Windows server that you are going to monitor. Under the Allowed Hosts section enter the localhost and any other connections that you want to enable. These addresses will be separated by a comma.

allowed_hosts=127.0.0.1/32,192.168.5.50

In the Windows firewall open two ports, 5666 for NRPE and 12489 for NSClient++. Both are TCP ports. You can see in the example how it should look when you review the firewall.
Limit access to these ports to the Nagios server only.
Note: The SysTray feature only works with XP and older machines!
CheckEventLog.dll
The NRPE Handlers represent the actual commands that will be used.

[NRPE Client Handlers]
command[check_users]=/usr/local/nagios/libexec/check_users -w 5 -c 10
check_disk1=/usr/local/nagios/libexec/check_disk -w 5 -c 10
check_disk_c=inject CheckFileSize ShowAll MaxWarn=1024M MaxCrit=4096M

Once you have the remote host set up you will need to set up the Nagios monitoring server. First install the nrpe plugin.

NRPE From Source on Nagios Server

These instructions pertain to the installation of the plugin only, which is different than that for the client to be monitored. NRPE plugins only need to be installed on the Nagios server.

cd /usr/local/src
wget http://sourceforge.net/projects/nagios/files/nrpe-2.x/nrpe-2.12/nrpe-2.12.tar.gz/download
tar zxvf nrpe-2.12.tar.gz
cd nrpe-2.12

You will need to install support for ssl, xinetd and compiling tools.

yum install -y mod_ssl openssl-devel xinetd gcc make
./configure --with-ssl=/usr/bin/openssl --with-ssl-lib=/usr/lib

*** Configuration summary for nrpe 2.12 03-10-2008 ***:
General Options:
NRPE port: 5666
NRPE user: nagios
NRPE group: nagios
Nagios user: nagios
Nagios group: nagios

make
make install
make install-plugin

Once it is up and running check your connection.

/usr/local/nagios/libexec/./check_nrpe -H 192.168.5.14
I (0.3.5.1 2008-09-24) seem to be doing fine...

If you see errors you will need to correct them; use the log for locating the errors.
You can use aliases with external commands to do checks. The advantage of setting up the aliases is not so much the alias by itself, but that it will allow you to use the CheckMultiple function if you want to. Check to see if you can get it to work from the command line on the Nagios server first. If that works you can proceed.

./check_nrpe -H 192.168.5.14 -c CheckCPU -a warn=80 crit=90 time=20m time=10s time=4
OK CPU Load ok.|'20m'=0%;80;90; '10s'=0%;80;90; '4'=0%;80;90;

You will need to define service checks on the Nagios server as usual. Note that NRPE is used to make the connection and then run the alias that you will set up.
define service{
    use                     generic-service
    host_name               winserver
    service_description     CPU Load
    check_command           check_nrpe!alias_cpu
}
define service{
    use                     generic-service
    host_name               winserver
    service_description     Check Services
    check_command           check_nrpe!alias_service
}
define service{
    use                     generic-service
    host_name               winserver
    service_description     Free Space
    check_command           check_nrpe!alias_disk
}
On the Windows server you will need to edit the External Alias section and create or uncomment the aliases that are there with the levels.

[External Alias]
alias_cpu=checkCPU warn=80 crit=90 time=5m time=1m time=30s
alias_disk=CheckDriveSize MinWarn=10% MinCrit=5% CheckAll FilterType=FIXED
alias_service=checkServiceState CheckAll

You also need to verify that the modules section has CheckExternalScripts.dll uncommented, as you see below, so checks can be made.

[modules]
CheckExternalScripts.dll

Restart NSClient++ on the Windows server and nagios on the Nagios server.
If you want to perform multiple checks at one time, thus saving network and server resources, you can use the CheckMultiple function. The CheckMultiple function will become an alias for any number of commands that you want to run. The format should be like this:
alias=alias_name command= command= command=

Remove the aliases that you may have had previously and place them all on the CheckMultiple alias.

[External Alias]
alias_multiple=CheckMultiple command=checkCPU warn=80 crit=90 time=5m time=1m time=30s command=CheckDriveSize MinWarn=10% MinCrit=5% CheckAll FilterType=FIXED command=checkServiceState CheckAll

You will need to set up a service on the Nagios server to reflect your settings in the nsc.ini on the Windows server.

define service{
    use                     generic-service
    host_name               winserver
    service_description     Multiple
    check_command           check_nrpe!alias_multiple
}

Here you can see, on the second line down, that the Multiple check is running. It checks the number of checks you have entered and then the bad news rises to the top. In other words, as you can see, any issue with one check can trigger the CRITICAL state. If you look closely, the text specifically says the other checks are OK.

[NSClient]
allowed_hosts=192.168.4.3

Security Tip
Use the allowed_hosts option to protect your Windows server so only the Nagios server can access this daemon.
If allowed_hosts is used in this section it will take precedence over the Settings section, where there is also an option to enter allowed_hosts.
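
The precedence rule above can be checked mechanically. The following is an added example, not part of the original guide or of NSClient++: a Python audit that works out which allowed_hosts list each listener really uses and flags ranges wider than the Nagios server, plus the argument-passing options. Assumptions: the [NRPE] section name, the allow_nasty_meta_chars key, an empty listener value falling back to [Settings], and the constructed sample file.

```python
import configparser
import ipaddress

# Constructed sample NSC.ini for illustration; not taken from a real server.
SAMPLE_NSC_INI = """\
[modules]
NRPEListener.dll
[Settings]
allowed_hosts=127.0.0.1/32,192.168.5.0/24
[NSClient]
allowed_hosts=192.168.4.3
[NRPE]
allow_arguments=1
allow_nasty_meta_chars=1
"""

# Assumed option names under [NRPE] and why each one matters.
RISKY_NRPE_OPTIONS = {
    "allow_arguments": "callers may pass arguments to commands",
    "allow_nasty_meta_chars": "shell metacharacters accepted in arguments",
}

def parse_nsc_ini(text):
    # [modules] lists bare DLL names and alias values contain '%', so accept
    # keys without a value and turn interpolation off.
    cp = configparser.ConfigParser(allow_no_value=True, interpolation=None,
                                   delimiters=("=",), comment_prefixes=(";",))
    cp.read_string(text)
    return cp

def effective_allowed_hosts(cp, listener):
    # A non-empty allowed_hosts in the listener section overrides [Settings].
    for section in (listener, "Settings"):
        value = cp.get(section, "allowed_hosts", fallback="") or ""
        hosts = [h.strip() for h in value.split(",") if h.strip()]
        if hosts:
            return hosts
    return []

def audit(text, nagios_server, listeners=("NSClient", "NRPE")):
    cp, findings = parse_nsc_ini(text), []
    server = ipaddress.ip_address(nagios_server)
    for listener in listeners:
        hosts = effective_allowed_hosts(cp, listener)
        if not hosts:
            findings.append((listener, "allowed_hosts empty: any host may connect"))
        for entry in hosts:
            net = ipaddress.ip_network(entry, strict=False)  # ValueError on hostnames
            if not net.is_loopback and (net.num_addresses > 1 or server not in net):
                findings.append((listener, f"{entry} is not exactly the Nagios server"))
    for opt, why in RISKY_NRPE_OPTIONS.items():
        if cp.get("NRPE", opt, fallback="0") == "1":
            findings.append(("NRPE", f"{opt}=1: {why}"))
    return findings
```

With the sample file, the [NSClient] listener is clean because its own entry overrides the wider /24 in [Settings], while the NRPE listener inherits that /24 and is reported.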
check_nt plugin

The check_nt plugin is the standard plugin that is used with NSClient++ and is a plugin included in the nagios-plugins install.

-H            host address
-v            command that is executed
-p            port, this port is often changed to 12489
-w integer    warning integer
-c integer    critical integer
-l            use a parameter
-d            option, the -d SHOWFAIL option shows only checks that fail, the -d SHOWALL will show all
-s            password sent to Windows server
-t            timeout, default is 10 seconds

There are a number of easy to use service definitions. Here are some basic ones to get started. Each of these services using check_nt shows that the check_nt plugin is separated from the service with !. This is also seen in the default check_nt command definition in commands.cfg. Note that in this example the port is determined with -p 12489.

# 'check_nt' command definition
define command{
    command_name    check_nt
    command_line    $USER1$/check_nt -H $HOSTADDRESS$ -p 12489 -v $ARG1$ $ARG2$
}

The first check to try, which is actually the easiest to get started, is the test for the client version. Try this one first and once it is running you will know that communication is working correctly.

define service{
    use                     generic-service
    host_name               winserver
    service_description     NSClient++ Version
    check_command           check_nt!CLIENTVERSION
}

Monitor the uptime of the Windows server with UPTIME.

define service{
    use                     generic-service
    host_name               winserver
    service_description     Uptime
    check_command           check_nt!UPTIME
}
Create a service for monitoring CPU load. When you define this service the -l is a parameter that has three settings. The first setting, 5, is the average load over 5 minutes. Of course, you can adjust that for your needs. The second and third settings are the warning level, 80% load, and the critical level, 90% load. Again, these must be averages over the time period of 5 minutes.

define service{
    use                     generic-service
    host_name               winserver
    service_description     CPU Load
    check_command           check_nt!CPULOAD!-l 5,80,90
}

You can modify this check so that you can evaluate averages on various time intervals. Each time interval is added as a set of three entries. In the example below you can see 5,80,90 and 15,75,87. The first entry is the averages for 5 minutes and the second entry is the averages for 15 minutes. You can also see the averages are lower in the second entry. This is typically how you would want to evaluate CPU load, as spikes over a short period of time are not a concern but high averages over a longer period are certainly problematic.

define service{
    use                     generic-service
    host_name               winserver
    service_description     CPU2 Load
    check_command           check_nt!CPULOAD!-l 5,80,90,15,75,87
}
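
How the ! separators in a check_command map onto $ARG1$ and $ARG2$, and how the CPULOAD -l value breaks into groups of three, shown as an added Python example that is not part of the original guide. The function names are hypothetical, and splitting the expanded line with shlex only approximates how Nagios hands the command to the shell.

```python
import re
import shlex

# Command definitions as given on this page.
COMMANDS = {
    "check_nt": "$USER1$/check_nt -H $HOSTADDRESS$ -p 12489 -v $ARG1$ $ARG2$",
    "check_nrpe": "$USER1$/check_nrpe -H $HOSTADDRESS$ -c $ARG1$",
}

def expand(check_command, host_address, user1="/usr/local/nagios/libexec"):
    """Resolve a service's check_command into the argument list that is run."""
    name, *args = check_command.split("!")
    macros = {"USER1": user1, "HOSTADDRESS": host_address}
    macros.update({f"ARG{i}": arg for i, arg in enumerate(args, 1)})
    # A macro with no value (an unused $ARG2$) expands to the empty string.
    line = re.sub(r"\$(\w+)\$", lambda m: macros.get(m.group(1), ""), COMMANDS[name])
    return shlex.split(line)

def cpuload_triplets(argv):
    """Split the CPULOAD -l value into (minutes, warn %, crit %) triplets."""
    values = [int(v) for v in argv[argv.index("-l") + 1].split(",")]
    if len(values) % 3:
        raise ValueError("CPULOAD needs interval,warn,crit in groups of three")
    triplets = [tuple(values[i:i + 3]) for i in range(0, len(values), 3)]
    for minutes, warn, crit in triplets:
        if not warn < crit <= 100:
            raise ValueError(f"{minutes}m: warning must be below critical")
    return triplets
```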
This check evaluates memory use on the server, with a warning when it reaches 80% and a critical level at 90%.

define service{
    use                     generic-service
    host_name               winserver
    service_description     Memory Usage
    check_command           check_nt!MEMUSE!-w 80 -c 90
}

The C:/ drive is typically the installation drive for a Windows machine. Of course this will be one drive or partition that you will want to monitor. The example shown next has the parameter (-l) first for the drive c, and then the warning level -w 80 and the critical level -c 90. Adjust the parameters to your needs.

define service{
    use                     generic-service
    host_name               winserver
    service_description     C:\ Drive Space
    check_command           check_nt!USEDDISKSPACE!-l c -w 80 -c 90
}

If you want to monitor another partition, in this example drive e, then just substitute the drive letter you want to monitor.

define service{
    use                     generic-service
    host_name               winserver
    service_description     E:\ Drive Space
    check_command           check_nt!USEDDISKSPACE!-l e -w 80 -c 90
}

You can use check_nt to monitor any service on the Windows machine. There are two options you can use to specifically monitor a service. The -d option lets you use either SHOWFAIL, which shows only checks that fail, or SHOWALL, which shows all services. If you are only monitoring one service with the check you will want to use SHOWALL. If you are trying to monitor all services with one check then you will probably want SHOWFAIL.

define service{
    use                     generic-service
    host_name               winserver
    service_description     W3SVC
    check_command           check_nt!SERVICESTATE!-d SHOWALL -l W3SVC
}

Here is an example of monitoring explorer.exe, vmplayer.exe and notepad.exe. Simply by changing the exe in the parameter you can choose specific applications.

define service{
    use                     generic-service
    host_name               winserver
    service_description     Explorer
    check_command           check_nt!PROCSTATE!-d SHOWALL -l Explorer.exe
}
define service{
    use                     generic-service
    host_name               winserver
    service_description     VMware
    check_command           check_nt!PROCSTATE!-d SHOWALL -l vmplayer.exe
}
define service{
    use                     generic-service
    host_name               winserver
    service_description     Notepad
    check_command           check_nt!PROCSTATE!-d SHOWALL -l notepad.exe
}

You also have the option to include all of the mission critical applications in one check. Here you want to make sure to list each application separated by a comma, as you can see. If you use the option SHOWALL it will list both those that are running as well as those that are not. The bad news rises to the top, so if one is not running the check will be in the critical state. If you just want to know which ones are not running then use SHOWFAIL.

define service{
    use                     generic-service
    host_name               win2008,exchange
    service_description     Applications
    check_command           check_nt!PROCSTATE!-d SHOWALL -l explorer.exe,notepad.exe,nsclient++.exe,vmwareplayer.exe
}

Here you can see that the Critical state is listed because only one application out of the list is not running. Bad news rises up to the top.

event_log Monitoring

The event log on a Windows server can be a critical aspect of locating information on the server. Here is an example of the service check using NRPE and the alias_event_log.

define service{
    use                     generic-service
    host_name               win2008
    service_description     NRPE Event Log New
    check_command           check_nrpe!alias_event_log
}

Note that if one element has a problem it will create a critical state, as you see here.
Here is the actual output that you can find in the logs of the Nagios server.

Nov 4 09:13:43 nag2 nagios: SERVICE NOTIFICATION: nagiosadmin;win2008;NRPE Event Log New;CRITICAL;notify-service-by-email;warning: COM+: (2), error: WinMgmt: (1), error: WinMgmt: (1), warning: storflt: The Virtual Storage Filter Driver is disabled through the registry. It is inactive for all disk drives. (2), warning: W32Time: NtpClient was unable to set a manual peer to use as a time source because of DNS resolution error on time.windows.com,0x9. NtpClient will try again in 15 minutes and double the reattempt interval thereafter. The error was: No such host is known. (0x80072AF9) (11), warning: PlugPlayManager: The service ShellHWDetection may not have unregistered for device event notifications before it was stopped. (1), warning: USER32: The process C:\Windows\system32\winlogon.exe (winexamplecom) has initiated the restart of computer WINH366O37KOW0 on behalf of user NT AUTHORITY\SYSTEM for the...
NSClient++ Password

The password feature allows you to create a password that will be used by Nagios to log in to the Windows server. This password has several options. First, you can enter the password in plain text in the nsc.ini and in the command definition for check_nt, as you see below.

[Settings]
password=your_password

When you use the password option in nsc.ini, you will need to modify the check_nt command so the password can be transferred. Edit the commands.cfg:

command_line    $USER1$/check_nt -H $HOSTADDRESS$ -p 12489 -s your_password -v $ARG1$ $ARG2$

The use of the obfuscated_password option seems to be broken. In order to create the password go to the command line on the Windows machine and execute this command:

NSClient++ /encrypt

You will be asked to enter your password and it will obfuscate, not encrypt, the password. The shorter the word, the shorter the password that is created. This method is both unreliable and undocumented. You are better off using plain text than this method, as at least you know what is going on.
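
One way to keep the plain-text check_nt password out of commands.cfg is a $USERn$ macro defined in Nagios's resource.cfg. The following added example (Python, not from the original guide) rewrites a literal -s value into such a macro and returns the line to place in resource.cfg; the sample file, the function name and the starting macro number $USER3$ are assumptions.

```python
import re

# Constructed commands.cfg excerpt; "your_password" is the page's placeholder.
SAMPLE_COMMANDS_CFG = """\
define command{
    command_name    check_nt
    command_line    $USER1$/check_nt -H $HOSTADDRESS$ -p 12489 -s your_password -v $ARG1$ $ARG2$
}
define command{
    command_name    check_nrpe
    command_line    $USER1$/check_nrpe -H $HOSTADDRESS$ -c $ARG1$
}
"""

CHECK_NT_LINE = re.compile(r"^\s*command_line\s+\S*check_nt\s")
# A -s value that is not already a macro such as $USER3$ or $ARG3$.
LITERAL_SECRET = re.compile(r"\s-s\s*(?!\$[A-Z0-9]+\$)(\S+)")

def externalize_passwords(cfg_text, first_macro=3):
    """Swap literal check_nt -s values for $USERn$ macros.

    Returns (rewritten commands.cfg, lines for resource.cfg, changed line
    numbers). first_macro must be a $USERn$ number resource.cfg does not use.
    """
    macros, changed, out = {}, [], []
    for lineno, line in enumerate(cfg_text.splitlines(), 1):
        found = LITERAL_SECRET.search(line) if CHECK_NT_LINE.match(line) else None
        if found:
            secret = found.group(1)
            # Reuse one macro per distinct password.
            macro = macros.setdefault(secret, f"$USER{first_macro + len(macros)}$")
            line = line[:found.start(1)] + macro + line[found.end(1):]
            changed.append(lineno)
        out.append(line)
    resource = [f"{macro}={secret}" for secret, macro in macros.items()]
    return "\n".join(out), resource, changed
```

Keep resource.cfg readable only by the Nagios user. After macro expansion the password is still passed to check_nt as a command-line argument on the Nagios server, so the macro protects the configuration file, not the process list.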