In this recipe, we'll show you how to automate the submission of passive checks by a remote host using the example of a monitored host, ithaca.example.net, to submit a passive check to a Nagios Core server with information about how its BACKUP service is performing.
For example, if the backup process gets completed successfully, we configure the monitored host to submit a passive check result, specifying that the BACKUP service should have the OK status. However, if there were a problem with the backup, the monitored host could send a passive check result with a WARNING or CRITICAL status.
In both cases, Nagios Core does no checking of its own; it trusts the results submitted by its target host.
To accomplish this setup, we'll use the NSCA add-on. We'll install the NSCA server on the Nagios Core server and the NSCA client program send_nsca on the monitored host.
Here, we assume that you have already followed the Allowing and submitting passive checks recipe in this chapter. In this recipe, we will build on the configuration established in that recipe; specifically, we will assume that you already have a host with a service configured only to accept passive checks.
You will need to be able to install software on both the monitoring server (the NSCA server) and on the server that will submit passive checks (the NSCA client) and ideally be generally familiar with the ./configure, make, and make install process to install software from source on Unix-like systems.
You should also be able to define any necessary firewall configuration to allow the NSCA client to send information to TCP port 5667 on the NSCA server. A firewall is absolutely necessary to protect the nsca daemon from abuse.
We can set up the NSCA server on the monitoring server (in this example, olympus.example.net) as follows:
- Download the latest version of NSCA using
wget(1)or a similar tool. You can find download links on the Nagios Exchange page for NSCA at https://exchange.nagios.org/directory/Addons/Passive-Checks/NSCA--2D-Nagios-Service-Check-Acceptor/details.In this example, we're downloading and compiling the NSCA sources in our home directory on the monitoring server:
$ cd $ wget http://downloads.sourceforge.net/project/nagios/nsca-2.x/nsca-2.9.1/nsca-2.9.1.tar.gz
- Inflate the
.tar.gzfile:$ tar xzf nsca-2.9.1.tar.gz - Move into the new
nsca-2.9.1directory and configure and compile thenscadaemon. Note that this process may prompt you to install thelibmcryptlibrary and its headers, perhaps inlibmcryptandlibmcrypt-devpackages in your system's package manager:$ cd nsca-2.9.1 $ ./configure $ make
- Install the NSCA server files manually; you will likely need root privileges for this:
# cp src/nsca /usr/local/nagios/bin # cp sample-config/nsca.cfg /usr/local/nagios/etc
- Edit the new file,
/usr/local/nagios/etc/nsca.cfg:# vi /usr/local/nagios/etc/nsca.cfg - Uncomment the
passworddirective and define it. A random password generated by a tool such aspwgenormakepasswdwill work fine. Don't use the following one—it's just an example!password=yV3aa6S2o
- Verify that the NSCA daemon runs with no errors:
# /usr/local/nagios/bin/nsca -c /usr/local/nagios/etc/nsca.cfg --singleIf it does, you should add this command to an appropriate startup script, perhaps in
/etc/rc.localso that the daemon starts when the monitoring server boots. You should consult your system's documentation to find out the best place to add this. A templatedinit(8)script for/etc/init.dshould be built with the distribution in theinit-scriptfile.
We can set up the NSCA client on the monitored server (in this example, ithaca.example.net) as follows:
- Again, download and expand the latest version of NSCA and configure and compile it:
$ cd $ wget http://downloads.sourceforge.net/project/nagios/nsca-2.x/nsca-2.9.1/nsca-2.9.1.tar.gz $ tar xzf nsca-2.9.1.tar.gz $ cd nsca-2.9.1 $ ./configure $ make Install the NSCA client files manually; you will likely need root privileges for this: # cp src/send_nsca /usr/local/bin # cp sample-config/send_nsca.cfg /etc
- Edit the
/etc/send_nsca.cfgnew file:# vi /etc/send_nsca.cfg - Uncomment the
passworddirective and define it such that it is the same as the password given innsca.cfgon the monitoring server:password=yV3aa6S2o
- Run the
send_nscaprogram to try and submit a passive check result:# check="ithaca.example.net BACKUP 0 Backup was successful, this check submitted by NSCA " # printf "$check" | send_nsca -c / etc/send_nsca.cfg -H olympus.example.net 1 data packet(s) sent to host successfully.
Substitute the appropriate hostnames for the monitoring server (
olympus.example.net), the monitored server (ithaca.example.net), and the service descriptionBACKUP.Note that the fields are separated by
printf.
If this worked correctly, you should see in the web interface that the passive check result was successfully read by the monitoring server and was applied appropriately.
The nsca daemon installed on the monitoring server is designed to listen for submitted service checks from the send_nsca client, provided the password is correct and the data is in the appropriate format:
<host_name> <service_description> <check_result> <check_output>
Our example passive check took this form:
ithaca.example.net BACKUP 0 Backup was successful, this check submitted by NSCA
Here, as with locally submitted passive checks, the check_result command corresponds to a numeric value, which is one of the following values:
0forOK1forWARNING2forCRITICAL3forUNKNOWN
Once received by the nsca daemon on the monitoring server, this is translated into a passive check result command that is written to the Nagios Core external commands file at /usr/local/nagios/var/rw/nagios.cmd and processed in the same way as a locally submitted passive check would be.
This allows us to include calls to send_nsca at the end of scripts, such as those managing backups, to immediately and automatically send a passive check result corresponding to whether the backup script succeeded.
Because of the NSCA daemon's very simple design and very basic security checks, it's important to apply a firewall policy to ensure that only the appropriate hosts can write to the NSCA port on the host monitoring system. A password, as implemented here, is a good first step, but it is not sufficient to keep things secure. Make sure you read the SECURITY file included in the NSCA sources to ensure that your configuration for the daemon is secure. Similar security guidelines apply to the installation of NRPE, as discussed in Chapter 6, Enabling Remote Execution.
To supplement this setup, it's often a good idea to also have Nagios Core check the freshness of its services. If we have a process that needs to run regularly, such as backups, we will likely want to be notified if we haven't received any passive checks from the host in a given period of time.
This can be managed by configuring the service to run an active check after a certain period of time has elapsed with no passive checks. The configuration might look like this, adding values for check_freshness and freshness_threshold:
define service {
use generic-service
host_name ithaca.example.net
service_description BACKUP
active_checks_enabled 0
passive_checks_enabled 1
check_freshness 1
freshness_threshold 86400
check_command check_dummy!1!"No backups have run for 24 hours"
}In this case, freshness_threshold is 86400 seconds, or 24 hours; if there have been no passive checks submitted for 24 hours, check_command will be run even though active checks are disabled. The check_command is defined to flag a WARNING state for the service with an appropriate explanatory message using the check_dummy command and plugin whenever it is actually run.
Check freshness is discussed in more detail in the Nagios Core documentation in the section entitled Service and Host Freshness Checks, which you can find at https://assets.nagios.com/downloads/nagioscore/docs/nagioscore/4/en/freshness.html.
Note that there's no reason that the status of a service has to come from the same host. You can send a passive check from one host to submit information about another host. In fact, this is the basis of a distributed monitoring setup; one host can submit check results for any number of other hosts.
Tip
This can be particularly useful for working around network connectivity or routing problems; if Nagios Core has no connectivity at all to a host it needs to monitor, but does have connectivity to an intermediate host, that host can be configured to submit checks on behalf of the unreachable host, which is a slightly complex but often necessary setup.
- Using an alternative check command, Chapter 2, Working with Commands and Plugins
- The Allowing and submitting passive checks recipe in this chapter
- The Submitting passive checks in response to SNMP traps recipe in this chapter
- The Setting up an event handler script recipe in this chapter