In this recipe, we'll show you how to automate the submission of passive checks by a remote host, using the example of a monitored host, ithaca.example.net, submitting a passive check to a Nagios Core server with information about how its BACKUP service is performing.
For example, if the backup process completes successfully, we configure the monitored host to submit a passive check result specifying that the BACKUP service should have the OK status. However, if there were a problem with the backup, the monitored host could send a passive check result with a WARNING or CRITICAL status.
In both cases, Nagios Core does no checking of its own; it trusts the results submitted by its target host.
To accomplish this setup, we'll use the NSCA add-on. We'll install the NSCA server on the Nagios Core server and the NSCA client program, send_nsca, on the monitored host.
Here, we assume that you have already followed the Allowing and submitting passive checks recipe in this chapter. In this recipe, we will build on the configuration established in that recipe; specifically, we will assume that you already have a host with a service configured only to accept passive checks.
You will need to be able to install software on both the monitoring server (the NSCA server) and the server that will submit passive checks (the NSCA client), and ideally be generally familiar with the ./configure, make, and make install process for installing software from source on Unix-like systems.
You should also be able to define any necessary firewall configuration to allow the NSCA client to send information to TCP port 5667 on the NSCA server. A firewall is absolutely necessary to protect the nsca daemon from abuse.
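As a sketch only, assuming an iptables firewall on the monitoring server and using 192.0.2.10 as a placeholder for the real address of the monitored host, rules restricting the NSCA port might look like this:

```shell
# Placeholder client address; substitute the real address of the monitored host
NSCA_CLIENT="192.0.2.10"
NSCA_PORT="5667"

# Build the rules as strings first so they can be reviewed before applying
ALLOW_RULE="-p tcp -s $NSCA_CLIENT --dport $NSCA_PORT -j ACCEPT"
DROP_RULE="-p tcp --dport $NSCA_PORT -j DROP"

# Apply the rules only if iptables is available and we are running as root
if command -v iptables >/dev/null 2>&1 && [ "$(id -u)" -eq 0 ]; then
    iptables -A INPUT $ALLOW_RULE
    iptables -A INPUT $DROP_RULE
fi
```

The order matters: the ACCEPT rule for the known client must come before the general DROP rule for the port.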
We can set up the NSCA server on the monitoring server (in this example, olympus.example.net) as follows:
Download the NSCA source tarball using wget(1) or a similar tool. You can find download links on the Nagios Exchange page for NSCA at https://exchange.nagios.org/directory/Addons/Passive-Checks/NSCA--2D-Nagios-Service-Check-Acceptor/details. In this example, we're downloading and compiling the NSCA sources in our home directory on the monitoring server:

$ cd
$ wget http://downloads.sourceforge.net/project/nagios/nsca-2.x/nsca-2.9.1/nsca-2.9.1.tar.gz
Extract the contents of the .tar.gz file:

$ tar xzf nsca-2.9.1.tar.gz
Change into the nsca-2.9.1 directory, and configure and compile the nsca daemon. Note that this process may prompt you to install the libmcrypt library and its headers, perhaps available as the libmcrypt and libmcrypt-dev packages in your system's package manager:

$ cd nsca-2.9.1
$ ./configure
$ make
Install the NSCA server files manually; you will likely need root privileges for this:

# cp src/nsca /usr/local/nagios/bin
# cp sample-config/nsca.cfg /usr/local/nagios/etc
Edit the /usr/local/nagios/etc/nsca.cfg file:

# vi /usr/local/nagios/etc/nsca.cfg
Find the commented-out password directive, and define it. A random password generated by a tool such as pwgen or makepasswd will work fine. Don't use the following one; it's just an example!

password=yV3aa6S2o
Run the nsca daemon to check whether it starts up correctly:

# /usr/local/nagios/bin/nsca -c /usr/local/nagios/etc/nsca.cfg --single
If it does, you should add this command to an appropriate startup script, perhaps in /etc/rc.local, so that the daemon starts when the monitoring server boots. You should consult your system's documentation to find out the best place to add this. A templated init(8) script for /etc/init.d is built with the distribution in the init-script file.
We can set up the NSCA client on the monitored server (in this example, ithaca.example.net) as follows:
Download, extract, configure, and compile the NSCA sources, just as on the monitoring server:

$ cd
$ wget http://downloads.sourceforge.net/project/nagios/nsca-2.x/nsca-2.9.1/nsca-2.9.1.tar.gz
$ tar xzf nsca-2.9.1.tar.gz
$ cd nsca-2.9.1
$ ./configure
$ make

Install the NSCA client files manually; you will likely need root privileges for this:

# cp src/send_nsca /usr/local/bin
# cp sample-config/send_nsca.cfg /etc
Edit the new /etc/send_nsca.cfg file:

# vi /etc/send_nsca.cfg
Find the password directive, and define it so that it is the same as the password given in nsca.cfg on the monitoring server:

password=yV3aa6S2o
Use the send_nsca program to try submitting a passive check result:

# check="ithaca.example.net\tBACKUP\t0\tBackup was successful, this check submitted by NSCA\n"
# printf "$check" | send_nsca -c /etc/send_nsca.cfg -H olympus.example.net
1 data packet(s) sent to host successfully.
Substitute the appropriate hostnames for the monitoring server (olympus.example.net), the monitored server (ithaca.example.net), and the service description (BACKUP).
Note that the fields are separated by \t characters, which expand to literal tab characters with printf.
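You can verify how printf expands those \t sequences before sending anything; this standalone sketch counts the tab-separated fields in the check string:

```shell
# Same format as the passive check submitted above
check="ithaca.example.net\tBACKUP\t0\tBackup was successful, this check submitted by NSCA\n"

# printf expands \t to literal tabs and \n to a newline
line=$(printf "$check")

# Count fields using a literal tab as the separator
fields=$(printf '%s\n' "$line" | awk -F '\t' '{print NF}')
echo "Fields: $fields"
# → Fields: 4
```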
If this worked correctly, you should see in the web interface that the passive check result was successfully read by the monitoring server and was applied appropriately.
The nsca daemon installed on the monitoring server is designed to listen for submitted service checks from the send_nsca client, provided the password is correct and the data is in the appropriate format:
<host_name> <service_description> <check_result> <check_output>
Our example passive check took this form:
ithaca.example.net BACKUP 0 Backup was successful, this check submitted by NSCA
Here, as with locally submitted passive checks, the check_result field corresponds to a numeric value, which is one of the following:
0 for OK
1 for WARNING
2 for CRITICAL
3 for UNKNOWN
Once received by the nsca daemon on the monitoring server, this is translated into a passive check result command that is written to the Nagios Core external commands file at /usr/local/nagios/var/rw/nagios.cmd and processed in the same way as a locally submitted passive check would be.
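As a sketch of what that translation produces, the external command written to the pipe is a PROCESS_SERVICE_CHECK_RESULT line; building one by hand looks like this, with the actual write guarded so it only happens if the command pipe exists:

```shell
# Build a PROCESS_SERVICE_CHECK_RESULT external command line, with the
# current Unix timestamp in square brackets, as Nagios Core expects
now=$(date +%s)
cmdline="[$now] PROCESS_SERVICE_CHECK_RESULT;ithaca.example.net;BACKUP;0;Backup was successful"
echo "$cmdline"

# Write to the external command file only if it exists as a named pipe
cmdfile=/usr/local/nagios/var/rw/nagios.cmd
if [ -p "$cmdfile" ]; then
    printf '%s\n' "$cmdline" > "$cmdfile"
fi
```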
This allows us to include calls to send_nsca at the end of scripts, such as those managing backups, to immediately and automatically send a passive check result corresponding to whether the backup script succeeded.
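A backup script might end with something like the following sketch; backup_command is a hypothetical placeholder for whatever actually performs the backup, and the send_nsca call is guarded so the script still prints the check line where the client is not installed:

```shell
#!/bin/sh
# Hypothetical backup command; replace with the real backup invocation
backup_command() {
    true
}

# Map the backup's exit status to a Nagios check result and message
if backup_command; then
    status=0
    message="Backup was successful"
else
    status=2
    message="Backup failed"
fi

# Build the tab-separated passive check line expected by send_nsca
check="ithaca.example.net\tBACKUP\t$status\t$message\n"

# Submit the result if send_nsca is installed; otherwise just show the line
if command -v send_nsca >/dev/null 2>&1; then
    printf "$check" | send_nsca -c /etc/send_nsca.cfg -H olympus.example.net
else
    printf "$check"
fi
```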
Because of the NSCA daemon's very simple design and very basic security checks, it's important to apply a firewall policy to ensure that only the appropriate hosts can write to the NSCA port on the monitoring system. A password, as implemented here, is a good first step, but it is not sufficient to keep things secure. Make sure you read the SECURITY file included in the NSCA sources to ensure that your configuration for the daemon is secure. Similar security guidelines apply to the installation of NRPE, as discussed in Chapter 6, Enabling Remote Execution.
To supplement this setup, it's often a good idea to also have Nagios Core check the freshness of its services. If we have a process that needs to run regularly, such as backups, we will likely want to be notified if we haven't received any passive checks from the host in a given period of time.
This can be managed by configuring the service to run an active check after a certain period of time has elapsed with no passive checks. The configuration might look like this, adding values for check_freshness and freshness_threshold:
define service {
    use                     generic-service
    host_name               ithaca.example.net
    service_description     BACKUP
    active_checks_enabled   0
    passive_checks_enabled  1
    check_freshness         1
    freshness_threshold     86400
    check_command           check_dummy!1!"No backups have run for 24 hours"
}
In this case, freshness_threshold is 86400 seconds, or 24 hours; if no passive checks have been submitted for 24 hours, check_command will be run even though active checks are disabled. The check_command is defined to flag a WARNING state for the service, with an appropriate explanatory message, using the check_dummy command and plugin whenever it is actually run.
Check freshness is discussed in more detail in the Nagios Core documentation in the section entitled Service and Host Freshness Checks, which you can find at https://assets.nagios.com/downloads/nagioscore/docs/nagioscore/4/en/freshness.html.
Note that there's no reason that the status of a service has to come from the same host. You can send a passive check from one host to submit information about another host. In fact, this is the basis of a distributed monitoring setup; one host can submit check results for any number of other hosts.
This can be particularly useful for working around network connectivity or routing problems; if Nagios Core has no connectivity at all to a host it needs to monitor, but does have connectivity to an intermediate host, that host can be configured to submit checks on behalf of the unreachable host, which is a slightly complex but often necessary setup.