
Gervais COQUIL, Boris PASCAULT, Licence Pro QSSI, Lab group B

30 November 2009

Nagios
Nagios, Apache, Fedora

Lab no. 1

Installing Nagios

To install Nagios, some components must first be installed:

A web server (we will use Apache):
yum install httpd

A C compiler:
yum install gcc

Libraries for the compiler:
yum install glibc glibc-common
yum install gd gd-devel

A new user must be created:
su -l
/usr/sbin/useradd -m nagios
passwd nagios

As well as a new group containing the nagios and apache users:
/usr/sbin/groupadd nagcmd
/usr/sbin/usermod -a -G nagcmd nagios
/usr/sbin/usermod -a -G nagcmd apache

Downloading the Nagios packages and the plugins:
mkdir ~/downloads
cd ~/downloads
wget http://ovh.dl.sourceforge.net/project/nagios/nagios-3.x/nagios-3.0.6/nagios-3.0.6.tar.gz
wget http://ovh.dl.sourceforge.net/project/nagiosplug/nagios-plugins-1.4.11.tar.gz

Extracting the Nagios package:
tar xzf nagios-3.0.6.tar.gz

Configuration parameters before compilation:
cd nagios-3.0.6
./configure --with-command-group=nagcmd

Compilation and installation:
make all
make install
make install-init
make install-config
make install-commandmode

Editing the contacts.cfg file:
vi /usr/local/nagios/etc/objects/contacts.cfg

define contact{
    contact_name    nagiosadmin       ; Short name of user
    use             generic-contact   ; Inherit default values from generic-contact template (defined above)
    alias           Nagios Admin      ; Full name of user
    email           root@localhost    ; <<***** CHANGE THIS TO YOUR EMAIL ADDRESS ******
}

In the file above, we set the admin account to nagiosadmin, and error messages will be sent to the mailbox root@localhost.

Compiling and installing the Nagios web interface:
make install-webconf

Associating the nagiosadmin account with the one used to log in to the web interface:
htpasswd -c /usr/local/nagios/etc/htpasswd.users nagiosadmin

Restarting Apache:
service httpd restart

Extracting the plugins package:
cd ~/downloads
tar xzf nagios-plugins-1.4.11.tar.gz

Compiling and installing the plugins:
cd nagios-plugins-1.4.11
./configure --with-nagios-user=nagios --with-nagios-group=nagios
make
make install

Adding Nagios to system startup:
chkconfig --add nagios
chkconfig nagios on

Checking the Nagios configuration:
/usr/local/nagios/bin/nagios -v /usr/local/nagios/etc/nagios.cfg

Starting Nagios:
service nagios start

Setting SELinux to Permissive mode:
getenforce
setenforce 0

Connecting to the Nagios web interface: http://localhost/nagios

Nagios is therefore properly installed and operational.

Configuring hosts

To add an extra configuration file to Nagios, a line like the following must be added:
cfg_file=/usr/local/nagios/etc/objects/gervaisboris.cfg

to the file /usr/local/nagios/etc/nagios.cfg.

Contents of the gervaisboris.cfg file concerning the hosts:


define host{
    use         linux-server
    host_name   Alpha-Fiacre, Alexandre-Gael, Fabien-Charly, Julien-Bastien, Prof
    alias       Alpha-Fiacre, Alexandre-Gael, Fabien-Charly, Julien-Bastien, Prof
    address     10.153.3.83
}

define host{
    use         linux-server
    host_name   Fabien-Charly
    alias       Fabien-Charly
    address     10.153.3.82
}

define host{
    use         linux-server
    host_name   Alexandre-Gael
    alias       Alexandre-Gael
    address     10.153.3.84
}

define host{
    use         linux-server
    host_name   Julien-Bastien
    alias       Julien-Bastien
    address     10.153.3.80
}

define host{
    use         linux-server
    host_name   Prof
    alias       Prof
    address     10.153.3.93
}

We use the linux-server template since all of these machines run Fedora.
use declares the template used
host_name declares the host name
alias gives the host an alias in Nagios (simpler to use in some cases)
address specifies the IP of the remote host

Which gives, on the web interface:

The image was taken by the group made up of Julien-Ugo and Bastien.

Extract from the templates.cfg file concerning linux-server (linux-server uses generic-host):

define host{
    name                            generic-host    ; The name of this host template
    notifications_enabled           1               ; Host notifications are enabled
    event_handler_enabled           1               ; Host event handler is enabled
    flap_detection_enabled          1               ; Flap detection is enabled
    failure_prediction_enabled      1               ; Failure prediction is enabled
    process_perf_data               1               ; Process performance data
    retain_status_information       1               ; Retain status information across program restarts
    retain_nonstatus_information    1               ; Retain non-status information across program restarts
    notification_period             24x7            ; Send host notifications at any time
    register                        0               ; DON'T REGISTER THIS DEFINITION - IT'S NOT A REAL HOST, JUST A TEMPLATE!
}

define host{
    name                    linux-server        ; The name of this host template
    use                     generic-host        ; This template inherits other values from the generic-host template
    check_period            24x7                ; By default, Linux hosts are checked round the clock
    check_interval          5                   ; Actively check the host every 5 minutes
    retry_interval          1                   ; Schedule host check retries at 1 minute intervals
    max_check_attempts      10                  ; Check each Linux host 10 times (max)
    check_command           check-host-alive    ; Default command to check Linux hosts
    notification_period     workhours           ; Linux admins hate to be woken up, so we only notify during the day
                                                ; Note that the notification_period variable is being overridden from
                                                ; the value that is inherited from the generic-host template!
    notification_interval   120                 ; Resend notifications every 2 hours
    notification_options    d,u,r               ; Only send notifications for specific host states
    contact_groups          admins              ; Notifications get sent to the admins by default
    register                0                   ; DON'T REGISTER THIS DEFINITION - IT'S NOT A REAL HOST, JUST A TEMPLATE!
}

Configuring groups

Groups make it possible to gather hosts in an organised way. Extract from the groups.cfg file:

define hostgroup{
    hostgroup_name  Linux_1                         ; The name of the hostgroup
    alias           Machines sous Linux (1)         ; Long name of the group
    members         Julien-Bastien, Fabien-Charly   ; Comma separated list of hosts that belong to this group
}

define hostgroup{
    hostgroup_name  Linux_2                         ; The name of the hostgroup
    alias           Machines sous Linux (2)         ; Long name of the group
    members         localhost, Alexandre-Gael, Alpha-Fiacre, Alexandre-Gael, Fabien-Charly, Julien-Bastien, Prof ; Comma separated list of hosts that belong to this group
}

define hostgroup{
    hostgroup_name  Autre                           ; The name of the hostgroup
    alias           Autres                          ; Long name of the group
    members         Prof                            ; Comma separated list of hosts that belong to this group
}

define hostgroup{
    hostgroup_name  Portables                       ; The name of the hostgroup
    alias           Portables sous Windows          ; Long name of the group
    members         MiniNeuf, Tyrael                ; Comma separated list of hosts that belong to this group
}

hostgroup_name declares the name of the group
alias describes the group in more detail
members lists the hosts belonging to the group (each separated by a comma)

Which gives, on the web interface:

Here too the image was taken by the group made up of Julien-Ugo and Bastien, which explains why the group names and members do not match.

Configuring services

For Linux clients:

PING test to the remote host:
define service{
    use                     local-service   ; Name of service template to use
    host_name               Alpha-Fiacre, Alexandre-Gael, Fabien-Charly, Julien-Bastien, Prof
    service_description     PING
    check_command           check_ping!100.0,20%!500.0,60%
}

Checking the remaining disk space (20%: ALERT, 10%: WARNING):
define service{
    use                     local-service   ; Name of service template to use
    host_name               Alpha-Fiacre, Alexandre-Gael, Fabien-Charly, Julien-Bastien, Prof
    service_description     Root Partition
    check_command           check_local_disk!20%!10%!/
}

Monitoring the logged-in users (20: ALERT, 50: WARNING):
define service{
    use                     local-service   ; Name of service template to use
    host_name               Alpha-Fiacre, Alexandre-Gael, Fabien-Charly, Julien-Bastien, Prof
    service_description     Current Users
    check_command           check_local_users!20!50
}

Checking the number of processes (250: ALERT, 400: WARNING):
define service{
    use                     local-service   ; Name of service template to use
    host_name               Alpha-Fiacre, Alexandre-Gael, Fabien-Charly, Julien-Bastien, Prof
    service_description     Total Processes
    check_command           check_local_procs!250!400!RSZDT
}

Checking the system load:
define service{
    use                     local-service   ; Name of service template to use
    host_name               Alpha-Fiacre, Alexandre-Gael, Fabien-Charly, Julien-Bastien, Prof
    service_description     Current Load
    check_command           check_local_load!5.0,4.0,3.0!10.0,6.0,4.0
}

Checking SWAP usage (20: ALERT, 10: WARNING):
define service{
    use                     local-service   ; Name of service template to use
    host_name               Alpha-Fiacre, Alexandre-Gael, Fabien-Charly, Julien-Bastien, Prof
    service_description     Swap Usage
    check_command           check_local_swap!20!10
}

Monitoring SSH availability (WARNING when stopped):
define service{
    use                     local-service   ; Name of service template to use
    host_name               Alpha-Fiacre, Alexandre-Gael, Fabien-Charly, Julien-Bastien, Prof
    service_description     SSH
    check_command           check_ssh
    notifications_enabled   0
}

Monitoring web server availability (WARNING when stopped):
define service{
    use                     local-service   ; Name of service template to use
    host_name               Alpha-Fiacre, Alexandre-Gael, Fabien-Charly, Julien-Bastien, Prof
    service_description     HTTP
    check_command           check_http
    notifications_enabled   0
}

For the description of the templates, see the Windows clients part.

On the web interface:

Image taken from the lab report of Julien-Ugo and Bastien.

For Windows clients:

An SNMP agent must be installed; for this we will use NSClient++. The command.cfg file must also be modified in order to test certain features specific to Windows clients.

# 'check_nt' command definition
define command{
    command_name    check_nt
    command_line    $USER1$/check_nt -H $HOSTADDRESS$ -p 12489 -s jacky -v $ARG1$ $ARG2$
}

The jacky attribute corresponds to the SNMP group. For NSClient to work properly, the corresponding service must be enabled. On the Windows client, the address of the SNMP client (here our Fedora machine running Nagios) and the group must be configured; all of this is done in the file: C:\Program Files\NSClient\NSC.ini
[Settings]
;# OBFUSCATED PASSWORD
; This is the same as the password option but here you can store the password in an obfuscated manner.
; *NOTICE* obfuscation is *NOT* the same as encryption, someone with access to this file can still figure out the
; password. It's just a bit harder to do it at first glance.
;obfuscated_password=Jw0KAUUdXlAAUwASDAAB
;
;# PASSWORD
; This is the password (-s) that is required to access NSClient remotely. If you leave this blank everyone will be able to access the daemon remotly.
;password=secret-password
;
;# ALLOWED HOST ADDRESSES
; This is a comma-delimited list of IP address of hosts that are allowed to talk to the all daemons.
; If leave this blank anyone can access the deamon remotly (NSClient still requires a valid password).
; The syntax is host or ip/mask so 192.168.0.0/24 will allow anyone on that subnet access
allowed_hosts=10.153.3.0/24
;
;# USE THIS FILE
; Use the INI file as opposed to the registry if this is 0 and the use_reg in the registry is set to 1
; the registry will be used instead.
use_file=1
allowed_hosts=10.153.3.81
password=jacky
;
; # USE SHARED MEMORY CHANNELS
; This is the "new" way for using the system tray based on an IPC framework on top shared memmory channels and events.
; It is brand new and (probably has bugs) so don't enable this unless for testing!
; If set to 1 shared channels will be created and system tray icons created and such and such...
;shared_session=0

We allow the machines of the 10.153.8.0/24 subnet as well as the server itself, and we declare the password (SNMP group).
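A check for the NSC.ini above, as an added example that is not part of the original report: it flags keys set more than once in [Settings] (allowed_hosts appears twice above, and the page does not say which value the agent honours), subnet-wide allowed_hosts entries, and a missing or short password. The function name, the finding labels and the MIN_PASSWORD_LEN threshold are assumptions of this example.

```shell
#!/bin/sh
# Added example: flag risky [Settings] values in an NSClient++ NSC.ini.
# MIN_PASSWORD_LEN (default 12) is an assumption of this example.
# Usage: audit_nsc_ini FILE   (reads standard input when FILE is omitted)
audit_nsc_ini() {
    awk -v minlen="${MIN_PASSWORD_LEN:-12}" '
        { sub(/\r$/, "") }                        # file comes from Windows: drop CR
        /^[ \t]*;/ || /^[ \t]*$/ { next }         # comments and blank lines
        /^[ \t]*\[/ {                             # section header
            sec = $0; gsub(/[ \t]/, "", sec)
            in_settings = (sec == "[Settings]"); next
        }
        !in_settings { next }
        {
            eq = index($0, "="); if (eq == 0) next
            key = substr($0, 1, eq - 1); val = substr($0, eq + 1)
            gsub(/^[ \t]+|[ \t]+$/, "", key); gsub(/^[ \t]+|[ \t]+$/, "", val)
            # the same key set twice: the effective value is ambiguous
            if (++seen[key] > 1) print "DUPLICATE " key
            if (key == "allowed_hosts") {
                n = split(val, entry, /[ \t]*,[ \t]*/)
                for (i = 1; i <= n; i++)          # prefix /0../31 means a whole subnet
                    if (entry[i] ~ /\/([0-9]|[12][0-9]|3[01])$/) print "SUBNET " entry[i]
            }
            last[key] = val
        }
        END {
            # the password itself is never printed, only the finding
            if (last["password"] == "") print "NO_PASSWORD"
            else if (length(last["password"]) < minlen + 0) print "SHORT_PASSWORD"
            if (last["allowed_hosts"] == "") print "ANY_HOST"
        }' "${1:--}"
}

# Constructed sample: the active (uncommented) lines of the NSC.ini above.
audit_nsc_ini <<'EOF'
[Settings]
;password=secret-password
allowed_hosts=10.153.3.0/24
use_file=1
allowed_hosts=10.153.3.81
password=jacky
EOF
```

An empty output means none of the three conditions was found in [Settings].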

windows.cfg file:

PING test:
define service{
    use                     local-service
    host_name               Tyrael, MiniNeuf
    service_description     PING
    check_command           check_ping!100.0,20%!500.0,60%
}

NSClient++ version test:
define service{
    use                     generic-service
    host_name               Tyrael, MiniNeuf
    service_description     NSClient++ Version
    check_command           check_nt!CLIENTVERSION
}

Test of the time since the last boot:
define service{
    use                     generic-service
    host_name               Tyrael, MiniNeuf
    service_description     Uptime
    check_command           check_nt!UPTIME
}

CPU load test:
define service{
    use                     generic-service
    host_name               Tyrael, MiniNeuf
    service_description     CPU Load
    check_command           check_nt!CPULOAD!-l 5,80,90
}

RAM usage test:
define service{
    use                     generic-service
    host_name               Tyrael, MiniNeuf
    service_description     Memory Usage
    check_command           check_nt!MEMUSE!-w 80 -c 90
}

Test of the space available on the C:/ drive:
define service{
    use                     generic-service
    host_name               Tyrael, MiniNeuf
    service_description     C:\ Drive Space
    check_command           check_nt!USEDDISKSPACE!-l c -w 80 -c 90
}

Test of the space available on the D:/ drive:
define service{
    use                     generic-service
    host_name               Tyrael, MiniNeuf
    service_description     D:\ Drive Space
    check_command           check_nt!USEDDISKSPACE!-l d -w 80 -c 90
}

Test that the web server is running under Windows:
define service{
    use                     generic-service
    host_name               Tyrael, MiniNeuf
    service_description     W3SVC
    check_command           check_nt!SERVICESTATE!-d SHOWALL -l W3SVC
}

Test of the state of the Explorer.exe process:
define service{
    use                     generic-service
    host_name               Tyrael, MiniNeuf
    service_description     Explorer
    check_command           check_nt!PROCSTATE!-d SHOWALL -l Explorer.exe
}

We use the local-service template for the PING and generic-service for everything concerning Windows.

Details of the services in templates.cfg:

define service{
    name                            generic-service ; The 'name' of this service template
    active_checks_enabled           1               ; Active service checks are enabled
    passive_checks_enabled          1               ; Passive service checks are enabled/accepted
    parallelize_check               1               ; Active service checks should be parallelized (disabling this can lead to major performance problems)
    obsess_over_service             1               ; We should obsess over this service (if necessary)
    check_freshness                 0               ; Default is to NOT check service 'freshness'
    notifications_enabled           1               ; Service notifications are enabled
    event_handler_enabled           1               ; Service event handler is enabled
    flap_detection_enabled          1               ; Flap detection is enabled
    failure_prediction_enabled      1               ; Failure prediction is enabled
    process_perf_data               1               ; Process performance data
    retain_status_information       1               ; Retain status information across program restarts
    retain_nonstatus_information    1               ; Retain non-status information across program restarts
    is_volatile                     0               ; The service is not volatile
    check_period                    24x7            ; The service can be checked at any time of the day
    max_check_attempts              3               ; Re-check the service up to 3 times in order to determine its final (hard) state
    normal_check_interval           10              ; Check the service every 10 minutes under normal conditions
    retry_check_interval            2               ; Re-check the service every two minutes until a hard state can be determined
    contact_groups                  admins          ; Notifications get sent out to everyone in the 'admins' group
    notification_options            w,u,c,r         ; Send notifications about warning, unknown, critical, and recovery events
    notification_interval           60              ; Re-notify about service problems every hour
    notification_period             24x7            ; Notifications can be sent out at any time
    register                        0               ; DON'T REGISTER THIS DEFINITION - IT'S NOT A REAL SERVICE, JUST A TEMPLATE!
}

define service{
    name                            local-service   ; The name of this service template
    use                             generic-service ; Inherit default values from the generic-service definition
    max_check_attempts              4               ; Re-check the service up to 4 times in order to determine its final (hard) state
    normal_check_interval           5               ; Check the service every 5 minutes under normal conditions
    retry_check_interval            1               ; Re-check the service every minute until a hard state can be determined
    register                        0               ; DON'T REGISTER THIS DEFINITION - IT'S NOT A REAL SERVICE, JUST A TEMPLATE!
}

Configuring switches

Plugin that we used to test the interfaces of the switch (Cisco Catalyst 2960):

#!/bin/sh
# Parameters:
#   $1: IP address of the host to test
#   $2: number of the interface to test
#       1 = FastEthernet0,
#       2 = Serial0,
#       3 = Serial1,
#       4 = Null,

# Definition of the possible return values
OK=0
WARNING=1
CRITICAL=2
UNKNOWN=3

# Check the syntax of the plugin call
if [ $# -ne 2 ] ; then
    # Display an error message
    echo "Usage : $0 <host> <interface_number>"
    echo ""
    echo "1 = FastEthernet0"
    echo "2 = Serial0"
    echo "3 = Serial1"
    echo "4 = Null"
    exit $UNKNOWN
fi

# SNMP request (arguments quoted so they are passed as single words)
retour=`snmpget -v 2c -c public "$1" "ifOperStatus.$2"`

# Is the interface UP?
rt=`echo "$retour" | grep up`

# If it is not UP:
if [ -z "$rt" ] ; then
    # Is it DOWN?
    rt=`echo "$retour" | grep down`
    # If it is neither UP nor DOWN:
    if [ -z "$rt" ] ; then
        echo "Interface $2 state is UNKNOWN !"
        exit $UNKNOWN
    fi
    # If it is DOWN:
    echo "Interface $2 is DOWN !"
    exit $CRITICAL
fi

# If it is UP:
echo "Interface $2 is UP !"
exit $OK
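A stricter variant of the plugin above, as an added example that is not part of the original report: it validates both arguments before they reach snmpget and parses the returned value exactly instead of searching the whole reply for "up" or "down". It goes beyond the original by covering every ifOperStatus value; the function names, the SNMP_COMMUNITY variable and the mapping of testing/dormant to WARNING are assumptions of this example.

```shell
#!/bin/sh
# Added example (not the original plugin): validate arguments, parse strictly.
OK=0 WARNING=1 CRITICAL=2 UNKNOWN=3
COMMUNITY=${SNMP_COMMUNITY:-public}   # assumption: env override; the page uses "public"

# Interface index: positive decimal integer, nothing else.
is_ifindex() {
    case "$1" in ''|0*|*[!0-9]*) return 1 ;; esac
    return 0
}

# Host: dotted-quad IPv4 only, so it can never be read as an snmpget option.
is_ipv4() {
    case "$1" in ''|*[!0-9.]*|.*|*.|*..*) return 1 ;; esac
    old_ifs=$IFS; IFS=.; set -- $1; IFS=$old_ifs
    [ $# -eq 4 ] || return 1
    for octet in "$@"; do
        [ ${#octet} -le 3 ] && [ "$octet" -le 255 ] || return 1
    done
    return 0
}

# Map one snmpget reply line to a Nagios status: prints the plugin message and
# returns the exit code. Accepts symbolic ("up(1)") and numeric ("1") values.
ifoperstatus_to_nagios() {
    ifindex=$1 reply=$2
    case "$reply" in
        *".$ifindex = INTEGER: "*) value=${reply##*INTEGER: } ;;
        *) echo "Interface $ifindex state is UNKNOWN (unexpected reply)"; return $UNKNOWN ;;
    esac
    case "$value" in
        'up(1)'|1) echo "Interface $ifindex is UP"; return $OK ;;
        'down(2)'|2|'notPresent(6)'|6|'lowerLayerDown(7)'|7)
            echo "Interface $ifindex is DOWN ($value)"; return $CRITICAL ;;
        'testing(3)'|3|'dormant(5)'|5)
            echo "Interface $ifindex is not passing traffic ($value)"; return $WARNING ;;
        *) echo "Interface $ifindex state is UNKNOWN ($value)"; return $UNKNOWN ;;
    esac
}

check_interface() {
    if [ $# -ne 2 ] || ! is_ipv4 "$1" || ! is_ifindex "$2"; then
        echo "Usage: check_interface <ipv4_address> <interface_number>"
        return $UNKNOWN
    fi
    # Numeric OID of IF-MIB::ifOperStatus, so the check works without MIB files.
    reply=$(snmpget -v 2c -c "$COMMUNITY" -t 2 -r 1 "$1" ".1.3.6.1.2.1.2.2.1.8.$2" 2>&1)
    ifoperstatus_to_nagios "$2" "$reply"
}

# Run as a plugin only when arguments are given.
if [ $# -gt 0 ]; then check_interface "$@"; exit $?; fi
```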

Below is the Nagios configuration used to collect information from the switch: switchs.cfg, testing the uptime, the PING and the status of interfaces 1 to 9.

define host{
    use         generic-switch          ; Inherit default values from a template
    host_name   Cisco Catalyst 2960     ; The name we're giving to this switch
    alias       Cisco Catalyst 2960     ; A longer name associated with the switch
    address     10.153.3.100            ; IP address of the switch
    hostgroups  switches                ; Host groups this switch is associated with
}

define hostgroup{
    hostgroup_name  switches            ; The name of the hostgroup
    alias           Network Switches    ; Long name of the group
}

define service{
    use                     generic-service ; Inherit values from a template
    host_name               Cisco Catalyst 2960
    service_description     Uptime
    check_command           check_snmp!-C public -o sysUpTime.0
}

define service{
    use                     generic-service ; Inherit values from a template
    host_name               Cisco Catalyst 2960 ; The name of the host the service is associated with
    service_description     PING            ; The service description
    check_command           check_ping!200.0,20%!600.0,60% ; The command used to monitor the service
    normal_check_interval   5               ; Check the service every 5 minutes under normal conditions
    retry_check_interval    1               ; Re-check the service every minute until its final/hard state is determined
}

define service{
    use                     generic-service ; Inherit values from a template
    host_name               Cisco Catalyst 2960
    service_description     Port 1 Link Status
    check_command           check_snmp!-C public -o ifOperStatus.1 -r 1 -m RFC1213-MIB
}

define service{
    use                     generic-service ; Inherit values from a template
    host_name               Cisco Catalyst 2960
    service_description     Port 2 Link Status
    check_command           check_snmp!-C public -o ifOperStatus.2 -r 1 -m RFC1213-MIB
}

define service{
    use                     generic-service ; Inherit values from a template
    host_name               Cisco Catalyst 2960
    service_description     Port 3 Link Status
    check_command           check_snmp!-C public -o ifOperStatus.3 -r 1 -m RFC1213-MIB
}

define service{
    use                     generic-service ; Inherit values from a template
    host_name               Cisco Catalyst 2960
    service_description     Port 4 Link Status
    check_command           check_snmp!-C public -o ifOperStatus.4 -r 1 -m RFC1213-MIB
}

define service{
    use                     generic-service ; Inherit values from a template
    host_name               Cisco Catalyst 2960
    service_description     Port 5 Link Status
    check_command           check_snmp!-C public -o ifOperStatus.5 -r 1 -m RFC1213-MIB
}

define service{
    use                     generic-service ; Inherit values from a template
    host_name               Cisco Catalyst 2960
    service_description     Port 6 Link Status
    check_command           check_snmp!-C public -o ifOperStatus.6 -r 1 -m RFC1213-MIB
}

define service{
    use                     generic-service ; Inherit values from a template
    host_name               Cisco Catalyst 2960
    service_description     Port 7 Link Status
    check_command           check_snmp!-C public -o ifOperStatus.7 -r 1 -m RFC1213-MIB
}

define service{
    use                     generic-service ; Inherit values from a template
    host_name               Cisco Catalyst 2960
    service_description     Port 8 Link Status
    check_command           check_snmp!-C public -o ifOperStatus.8 -r 1 -m RFC1213-MIB
}

define service{
    use                     generic-service ; Inherit values from a template
    host_name               Cisco Catalyst 2960
    service_description     Port 9 Link Status
    check_command           check_snmp!-C public -o ifOperStatus.9 -r 1 -m RFC1213-MIB
}
