Nagios


Installation

Nagios Core is part of various distributions already.

Packages

apt-get install nagios nagios-plugins nagios-nrpe-plugin nagios-images nagios3-doc   # Debian, Ubuntu
yum install nagios nagios-plugins                                                    # Fedora

For SNMP plugins, libnet-snmp-perl and snmp might be needed too. The snmp-mibs-downloader package (from non-free) will be needed to download the MIB (Management Information Base) files.

Source

Nagios switched[1] to git for its nagioscore development. Note that the git:// transport used below provides neither encryption nor server authentication:

git clone git://git.code.sf.net/p/nagios/nagioscore nagioscore-git
git clone git://git.code.sf.net/p/nagios/nrpe nagios-nrpe-git

Install prerequisites:

sudo yum install gd-devel libpng-devel libjpeg-turbo-devel gperf openssl-devel    # Fedora
sudo apt-get install libgd2-noxpm-dev libpng12-dev libjpeg8-dev gperf libssl-dev  # Debian, Ubuntu

Create the Nagios user:

sudo groupadd nagios
sudo useradd -g nagios -s /bin/false -d /opt/nagios -m nagios

Build:

cd nagioscore-git
./configure --prefix=/opt/nagios
make all
sudo make install
sudo make install-commandmode
sudo make install-config
sudo make install-exfoliation
sudo install -m 755 -o root -g root daemon-init /opt/nagios/bin/nagios-init.sh

Build NRPE:

sudo yum install tcp_wrappers-devel   # TCP wrapper support (Fedora)
sudo apt-get install libwrap0-dev     # TCP wrapper support (Debian, Ubuntu)

cd ../nagios-nrpe-git
./configure --prefix=/opt/nagios-nrpe --enable-ssl
make all
sudo make install

Post-Installation

For the CGI scripts to work, we will need a password file. For digest authentication:

$ htdigest -c /etc/nagios3/htdigest.user "Nagios Access" nagiosadmin
Changing password for user nagiosadmin in realm Nagios Access
New password:
Re-type new password: 

For basic authentication:

$ htpasswd -c /etc/nagios3/htpasswd.users nagiosadmin
New password:
Re-type new password:
Adding password for user nagiosadmin

Note: the user configured here has to be the same user configured in cgi.cfg:

use_authentication=1

authorized_for_system_information=nagiosadmin
authorized_for_configuration_information=nagiosadmin
authorized_for_system_commands=nagiosadmin

authorized_for_all_services=nagiosadmin
authorized_for_all_hosts=nagiosadmin
authorized_for_all_service_commands=nagiosadmin
authorized_for_all_host_commands=nagiosadmin
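
The requirement above can be checked mechanically. The following script is an added example, not part of the original page: it verifies that use_authentication=1 is set and that every user named in an authorized_for_* directive has an entry in the password file (htpasswd or htdigest format, optionally for a given realm). The function names, the second user "oncall" and the sample file contents are constructed for illustration.

```sh
#!/bin/sh
# Added example, not from the original page: cross-check cgi.cfg against the
# password file the web server authenticates with.

# check_cgi_auth CGI_CFG PASSWORD_FILE [REALM]
# Prints one line per problem and returns the number of problems.
check_cgi_auth() {
    local cfg="$1" pwfile="$2" realm="${3:-}" n=0 users user

    # With use_authentication=0 the CGIs skip authorization entirely.
    if ! grep -Eq '^[[:space:]]*use_authentication[[:space:]]*=[[:space:]]*1[[:space:]]*$' "$cfg"; then
        echo "use_authentication is not set to 1"; n=$((n + 1))
    fi

    # Every user named in an authorized_for_* directive (comma-separated lists).
    users=$(sed -n 's/^[[:space:]]*authorized_for_[a-z_]*[[:space:]]*=//p' "$cfg" |
            tr ',' '\n' | sed 's/^[[:space:]]*//; s/[[:space:]]*$//' | sort -u)

    while IFS= read -r user; do
        [ -n "$user" ] || continue
        if [ "$user" = "*" ]; then
            echo "'*' grants a permission to every authenticated user"; n=$((n + 1))
        # Field 1 is the user in both formats; htdigest has the realm in field 2.
        elif ! awk -F: -v u="$user" -v r="$realm" \
                '$1 == u && (r == "" || $2 == r) { ok = 1 } END { exit !ok }' "$pwfile"; then
            echo "no entry for user '$user' (realm '$realm') in $pwfile"; n=$((n + 1))
        fi
    done <<EOF
$users
EOF
    return "$n"
}

# Constructed sample: cgi.cfg authorizes "nagiosadmin" and a hypothetical
# "oncall", but the digest file (placeholder hash) only contains nagiosadmin.
demo() {
    local dir rc=0
    dir=$(mktemp -d) || return 99
    printf '%s\n' 'use_authentication=1' \
        'authorized_for_system_commands=nagiosadmin' \
        'authorized_for_all_hosts=nagiosadmin,oncall' > "$dir/cgi.cfg"
    printf '%s\n' 'nagiosadmin:Nagios Access:0123456789abcdef0123456789abcdef' \
        > "$dir/htdigest.user"
    check_cgi_auth "$dir/cgi.cfg" "$dir/htdigest.user" "Nagios Access" || rc=$?
    rm -rf "$dir"
    return "$rc"
}

demo || echo "problems found: $?"
```

On a live system, call check_cgi_auth with /etc/nagios3/cgi.cfg and the password file the web server is configured to use.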

Webserver

apache2

A very basic configuration snippet for Apache:

Alias /nagios/stylesheets   /etc/nagios3/stylesheets
Alias /nagios               /usr/share/nagios3/htdocs
ScriptAlias /cgi-bin/nagios   /usr/lib/cgi-bin/nagios3
ScriptAlias /nagios/cgi-bin   /usr/lib/cgi-bin/nagios3

<DirectoryMatch (/usr/share/nagios3|/usr/lib/cgi-bin/nagios3)>
  Options        Indexes FollowSymLinks
  DirectoryIndex index.html index.php
  AllowOverride  AuthConfig
  Order          Allow,Deny
  Allow          From All
  AuthName       "Nagios Access"
  AuthType       Digest
  AuthUserFile   /etc/nagios3/htdigest.user
  require        valid-user
# SetEnv TZ      "Europe/Berlin"
</DirectoryMatch>

lighttpd

Based on a recipe to set up Nagios with lighttpd, here's a quick howto, covering the most important steps.

$ cat conf-enabled/90-nagios.conf
server.modules                += ( "mod_auth", "mod_cgi", "mod_setenv" )

# As per https://redmine.lighttpd.net/projects/lighttpd/wiki/Docs_ModCGI
$HTTP["url"] =~ "^/cgi-bin/" {
      cgi.assign = ( "" => "" )
}

# We may have to fiddle around with those a bit, depending on
# where or how Nagios has been installed.
alias.url += (
      "/cgi-bin"              => "/usr/lib/cgi-bin/",
      "/nagios/stylesheets"   => "/etc/nagios3/stylesheets",
      "/nagios"               => "/usr/share/nagios3/htdocs",
)

# Don't run Nagios CGIs through perl
$HTTP["url"] =~ "^/cgi-bin/nagios3" {
       cgi.assign = ( "" => "" )
}

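# Nagios relies on the web server for authentication: the CGIs trust the
# REMOTE_USER they are handed. Use "use_authentication=1" in cgi.cfg!
$HTTP["url"] =~ "^/nagios|^/cgi-bin/nagios3|^/pnp4nagios" {
   auth.backend                   = "htdigest"
   auth.backend.htdigest.userfile = "/etc/nagios3/htdigest.user"
   auth.require = ( "" =>
                     (
                      "method"  => "digest",
                      # The realm must match the one used when creating the htdigest file
                      "realm"   => "Nagios Access",
                      # The user must exist in the htdigest file and be authorized in cgi.cfg
                      "require" => "user=nagiosadmin"
                     )
   )
   # Apache would provide REMOTE_USER to the CGI - Lighttpd has to emulate this via setenv.
   # This hard-codes the identity the CGIs see, so it has to be the user authorized in cgi.cfg.
   setenv.add-environment = ( "REMOTE_USER" => "nagiosadmin" )
}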
  • Also, setenv.add-environment has to be at the very end of the configuration (check with lighttpd -p), otherwise it'll get overwritten again. - Is this really true?
  • We may have to adjust url_html_path in /etc/nagios3/cgi.cfg (e.g. /nagios)
  • Also, check if the webserver has write access to the command file:
$ grep nagios.cmd /etc/nagios3/nagios.cfg
command_file=/var/lib/nagios3/rw/nagios.cmd

$ chown nagios:www-data /var/lib/nagios3/rw/nagios.cmd
$ chmod g+s /var/lib/nagios3/rw/                       # When /var/lib/nagios3/rw/ has the group "www-data" and is setgid,
                                                       # nagios.cmd will get the same group after Nagios restarts

nginx

Create a symlink in our document root:

ln -s /usr/share/nagios3/htdocs /var/www/nagios

For the CGI scripts to work, we will need fcgiwrap:

apt-get install fcgiwrap
cp /usr/share/doc/fcgiwrap/examples/nginx.conf /etc/nginx/conf.d/fcgiwrap.server

fcgiwrap should then be running and have created /var/run/fcgiwrap.socket, which Nginx can connect to.

A configuration snippet for a Debian Nagios installation follows. Notice how we have to create aliases for stylesheets and the logos from nconf.

# Needed for fcgiwrap
include                         /etc/nginx/conf.d/fcgiwrap.server;

location /nagios {
        alias                   /usr/share/nagios3/htdocs;
        auth_basic              "Nagios Access";
        auth_basic_user_file    /etc/nagios3/htpasswd.users;
}

location /nagios/stylesheets {
        alias                   /etc/nagios3/stylesheets;
}

location /nagios/images/logos/base {
        alias                   /etc/nagios3/logos/base;
}

location /cgi-bin/nagios3 {
        root                    /usr/lib;
        auth_basic              "Nagios Access";
        auth_basic_user_file    /etc/nagios3/htpasswd.users;

        fastcgi_param           AUTH_USER $remote_user;
        fastcgi_param           REMOTE_USER $remote_user;
        include                 /etc/nginx/fastcgi_params;
        fastcgi_pass            unix:/var/run/fcgiwrap.socket;
}

Note: url_html_path should be set to /nagios for this example to work.

Configuration

To enable external commands:

We also have to pay attention to the command_file. In Debian, this is configured in nagios.cfg:

command_file=/var/lib/nagios3/rw/nagios.cmd

However, the webserver may have trouble sending commands to it:

Error: Could not stat() command file '/var/lib/nagios3/rw/nagios.cmd'!
The external command file may be missing, Nagios may not be running, and/or
Nagios may not be checking external commands. An error occurred while 
attempting to commit your command for processing.

Let's have a closer look:

$ ls -l /var/lib/nagios3/rw/nagios.cmd
prw-rw---- 1 nagios nagios 0 Mar 31 02:10 /var/lib/nagios3/rw/nagios.cmd

The webserver (running as "www-data") has no write access to the command file. chmod and chown could help, but the Debian way of doing this would be:

$ dpkg-statoverride --update --add nagios www-data 2710 /var/lib/nagios3/rw
$ dpkg-statoverride --update --add nagios nagios 0751 /var/lib/nagios3

$ service nagios3 restart
Restarting nagios3 monitoring daemon: nagios3 Waiting for nagios3 daemon to die..

$ ls -l /var/lib/nagios3/rw/nagios.cmd
prw-rw---- 1 nagios www-data 0 Mar 31 02:14 /var/lib/nagios3/rw/nagios.cmd
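
The permissions discussed in this section can be audited with a short script. The following is an added example, not part of the original page: it checks that the command file is a named pipe that is group-writable but not world-writable, and that its directory is setgid and closed to other users, as with the 2710 mode set above. It assumes GNU stat; the function names and the temporary demo layout are constructed for illustration.

```sh
#!/bin/sh
# Added example, not from the original page. Uses GNU stat (-c).

# check_cmd_pipe PIPE [GROUP]: print one line per finding, return their count.
check_cmd_pipe() {
    local pipe="$1" group="${2:-}" dir pmode dmode n=0
    dir=$(dirname "$pipe")
    if [ ! -p "$pipe" ]; then
        echo "$pipe is not a named pipe (is Nagios running?)"
        return 1
    fi
    pmode=$(stat -c '%a' "$pipe")
    dmode=$(stat -c '%a' "$dir")

    # Whoever can write to the pipe can submit external commands to Nagios.
    case $pmode in *[2367])
        echo "pipe is world-writable (mode $pmode)"; n=$((n + 1)) ;;
    esac
    # The web server reaches the pipe through its group, so it needs g+w.
    case $pmode in *[2367]?) ;; *)
        echo "pipe is not group-writable (mode $pmode)"; n=$((n + 1)) ;;
    esac
    if [ -n "$group" ] && [ "$(stat -c '%G' "$pipe")" != "$group" ]; then
        echo "pipe group is $(stat -c '%G' "$pipe"), expected $group"; n=$((n + 1))
    fi
    # Nagios recreates the pipe on restart; setgid on the directory keeps its group.
    if [ ! -g "$dir" ]; then
        echo "$dir is not setgid (mode $dmode)"; n=$((n + 1))
    fi
    case $dmode in *[1-7])
        echo "$dir is accessible to other users (mode $dmode)"; n=$((n + 1)) ;;
    esac
    return "$n"
}

# Constructed layout mirroring the page: rw/ at 2710, nagios.cmd at 660.
demo_pipe() {
    local tmp rc=0
    tmp=$(mktemp -d) || return 99
    mkdir "$tmp/rw" && chmod 2710 "$tmp/rw"
    mkfifo "$tmp/rw/nagios.cmd" && chmod 660 "$tmp/rw/nagios.cmd"
    check_cmd_pipe "$tmp/rw/nagios.cmd" || rc=$?
    rm -rf "$tmp"
    return "$rc"
}

demo_pipe && echo "command pipe permissions look sane"
```

On a live system, run check_cmd_pipe /var/lib/nagios3/rw/nagios.cmd www-data after each Nagios restart or package upgrade.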
