Icinga / nagios

NB: This was for Icinga 1.x, although most should apply to Icinga 2. See also: Experimenting with Icinga 2: a quick way to test an upgrade.

icinga-web command pipe

In Debian, I had to make sure that:

  • The pipe in /var/lib/icinga/rw/ was owned by nagios.nagios, so I added www-data to the nagios group.
  • The directory was set as nagios.www-data, but the group didn't have "execute" permissions on the directory.
  • set "temp_file=/var/cache/icinga/icinga.tmp" (and created the directory, owned by nagios.nagios), because my /tmp is mounted with noexec, and icinga 1.10 seems to do weird hacks by storing a temporary .so in the temporary directory...

icinga & nsca-ng

See: https://wiki.icinga.org/display/howtos/NSCA-ng and: https://wiki.icinga.org/display/howtos/Setting+up+NSCA+with+Icinga

In Debian: configurations in /etc/icinga/icinga.cfg

  • check_external_commands=1 => was on by default
  • command_check_interval=-1 => was set to -1 by default, meaning "as often as possible"
  • log_passive_checks=1 => was on by default, Icinga recommends this while testing only.

Packages to install: apt-get install nsca-ng-server nsca-ng-client

Configure nsca-ng-server: /etc/nsca-ng/nsca-ng.local.cfg

command_file= "/var/lib/icinga/rw/icinga.cmd"
listen = "*:5668"
tls_ciphers = "PSK-AES256-CBC-SHA"

authorize "*" {
  password = "change-me"
  services = ".+"
  hosts = ".+"
}

Enable nsca-ng-server:

# vi /etc/default/nsca-ng-server  => set variable to "yes"
# /etc/init.d/nscang-server start

Configure the client. On Debian wheezy, use the debmon packages:

deb http://debmon.org/debmon debmon-wheezy main

Then install:

#  wget -O - http://debmon.org/debmon/repo.key | apt-key add -
# apt-get update
# apt-get install nsca-ng-client
# vim /etc/send_nsca.cfg

Config:

password = "change-me"
server = "mynagiosserver.example.org"
tls_ciphers = "PSK-AES256-CBC-SHA"
delay = 2
timeout = 5

Test:

/bin/echo -e "localhost\tdummy\t0\ttestesttest.\n" | /usr/sbin/send_nsca 

IPv6 NOTE: as of 2013-09-25, nsca-ng-client does NOT support IPv6: https://github.com/weiss/nsca-ng/blob/master/TODO .. so make sure your client binds an IPv4 interface.

Passive icinga/nagios check

In /etc/icinga/objects/services_icinga.cfg

define command{
  command_name check_dummy
  command_line $USER1$/check_dummy $ARG1$ $ARG2$
}

define service{
    use                     generic-service   ; template to inherit from
    name                    passive-service   ; name of this template
    active_checks_enabled   0                 ; no active checks
    passive_checks_enabled  1                 ; allow passive checks
    check_command           check_dummy!0     ; use "check_dummy", RC=0 (OK)
    check_period            24x7              ; check active all the time
    check_freshness         1                 ; check if check result is "stale"
    freshness_threshold     93600             ; 26 hours (the backup needs time to complete)
    notification_interval   14400             ; 4 hours
    register                0                 ; this is a template, not a real service
}

define command {
    command_name    no-backup-report
    command_line    /usr/lib/nagios/plugins/check_dummy 2 "CRITICAL: Results of backup job were not reported"
}

For each host:

define service {
    use  passive-service
    host_name example.org
    service_description BACKUPS
    check_command no-backup-report
}

Notes