How do I monitor a server behind a firewall with Nagios?

Nagios comes with a client-side agent called NRPE that the Nagios server contacts on port 5666 to run remote service checks, but what if the server is firewalled? There is a solution, using a feature of Nagios called “passive checks”. It's called that because Nagios passively waits for the client servers to actively check in with their condition.

(NOTE: This guide was written for Ubuntu 12.04.5 LTS. It shouldn’t require much change on Debian, but it will require some paths and such to be adjusted for other distributions.)

Steps:

Add a new config to Apache:

/etc/apache2/sites-available/passivechecks
<VirtualHost *:8000>
    ServerAdmin webmaster@localhost
    DocumentRoot /var/www/passivechecks
    <Directory />
        Options FollowSymLinks
        AllowOverride None
    </Directory>
    <Directory /var/www/passivechecks>
        Options Indexes FollowSymLinks MultiViews
        AllowOverride None
        Order allow,deny
        # Open to every address; narrow this to your clients' addresses if they are known.
        allow from all
    </Directory>
    ErrorLog /var/log/nagios/passivechecks-error.log
    LogLevel warn
    CustomLog /var/log/nagios/passivechecks-access.log combined
</VirtualHost>

..and enable the new site configuration:

# a2ensite passivechecks

Enable Apache to listen on the new port. Edit /etc/apache2/ports.conf to include this:

NameVirtualHost *:80
NameVirtualHost *:8000
Listen 80
Listen 8000

..and restart Apache:

root@nagios:/var/www/passivechecks# service apache2 restart

Create the PHP script on the Nagios server to answer check-ins from remote clients and signal Nagios:

/var/www/passivechecks/passivecheck.php
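<?php
// http://nagios.sourceforge.net/docs/3_0/passivechecks.html
// [<timestamp>] PROCESS_SERVICE_CHECK_RESULT;<host_name>;<svc_description>;<return_code>;<plugin_output>
$commandfile = "/var/lib/nagios3/rw/nagios.cmd";
$hostname = isset($_GET['hostname']) ? $_GET['hostname'] : '';
$service  = isset($_GET['service'])  ? $_GET['service']  : '';
// Reject anything that could break the command format: ';' separates fields
// and a newline would start a second external command.
$valid = '/\A[A-Za-z0-9._-]{1,255}\z/';
if (!preg_match($valid, $hostname) || !preg_match($valid, $service)) {
    header('HTTP/1.1 400 Bad Request');
    exit("Invalid hostname or service.\n");
}
$now = time();
$data = "[$now] PROCESS_SERVICE_CHECK_RESULT;" . $hostname . ";" . $service . ";"
      . "0;Agent-originated check-in.\n";
file_put_contents($commandfile, $data, FILE_APPEND);
?>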

Note that the PHP script needs permission to write to the Nagios command file (a named pipe):

root@nagios:/var/www/passivechecks# ls -l /var/lib/nagios3/rw/nagios.cmd
prw-rw---- 1 nagios nagios 0 May 22 18:55 /var/lib/nagios3/rw/nagios.cmd
root@nagios:/var/www/passivechecks#

So, add the Apache CGI user to the “nagios” group:

root@nagios:/var/www/passivechecks# grep ^nagios /etc/group
nagios:x:115:www-data
root@nagios:/var/www/passivechecks#

On the client machine, create a cron job that uses curl to check in every minute:

# crontab -e
#
# CRONtab for "root" user
#
# Check-in with Nagios so it knows we're alive
# (We have to do this passive check since Nagios is firewalled from
# pinging us.)
* * * * * /usr/bin/curl --connect-timeout 30 'http://nagios.example.com:8000/passivecheck.php?hostname=clientmachine1.example.com&service=imalive'

On the server, watch for a new log message to appear, acknowledging the check was run (should appear immediately):

# less /var/log/nagios3/nagios.log
[1432321021] EXTERNAL COMMAND: PROCESS_SERVICE_CHECK_RESULT;clientmachine1.example.com;imalive;0;Agent-originated check-in.
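
Because the check-in URL is served with "allow from all", the same log is where a check-in from an unexpected source shows up. The following audit is an added example, not part of the original guide: it parses EXTERNAL COMMAND entries in the format shown above and reports any that are not a check result for a configured host/service pair. The names EXPECTED_PAIRS, ALLOWED_COMMANDS and audit() are hypothetical, and the sample log lines are constructed.

```python
import re

# Assumptions: adjust both sets to your own configuration.
EXPECTED_PAIRS = {("clientmachine1.example.com", "imalive")}
ALLOWED_COMMANDS = {"PROCESS_SERVICE_CHECK_RESULT"}

ENTRY_RE = re.compile(r"^\[(\d+)\] EXTERNAL COMMAND: ([A-Z0-9_]+)(?:;(.*))?$")

# Constructed sample in the nagios.log format shown above.
SAMPLE_LOG = [
    "[1432321021] EXTERNAL COMMAND: PROCESS_SERVICE_CHECK_RESULT;"
    "clientmachine1.example.com;imalive;0;Agent-originated check-in.",
    "[1432321081] EXTERNAL COMMAND: PROCESS_SERVICE_CHECK_RESULT;"
    "unknownhost.example.com;imalive;0;Agent-originated check-in.",
    "[1432321090] EXTERNAL COMMAND: ACKNOWLEDGE_SVC_PROBLEM;"
    "clientmachine1.example.com;imalive;1;1;0;operator;looking into it",
    "[1432321100] Auto-save of retention data completed successfully.",
]


def audit(lines, expected=EXPECTED_PAIRS, allowed=ALLOWED_COMMANDS):
    """Return (timestamp, reason) for each external command worth reviewing."""
    findings = []
    for line in lines:
        m = ENTRY_RE.match(line.rstrip("\n"))
        if not m:
            continue  # not an external-command entry
        ts, command, args = int(m.group(1)), m.group(2), m.group(3) or ""
        if command not in allowed:
            findings.append((ts, "command not in allow-list: " + command))
            continue
        if command != "PROCESS_SERVICE_CHECK_RESULT":
            continue  # allowed, but not a passive service check result
        fields = args.split(";", 3)  # host;service;return_code;plugin_output
        if len(fields) < 4:
            findings.append((ts, "malformed check result"))
        elif (fields[0], fields[1]) not in expected:
            findings.append((ts, "unexpected host/service: %s/%s" % (fields[0], fields[1])))
        elif fields[2] not in ("0", "1", "2", "3"):
            findings.append((ts, "invalid return code: " + fields[2]))
    return findings


if __name__ == "__main__":
    for ts, reason in audit(SAMPLE_LOG):
        print(ts, reason)
```

If operators issue commands from the Nagios web interface, add those command names to ALLOWED_COMMANDS so that only unexplained entries are reported.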

Now you can define the service in your Nagios configuration. Note that since there’s no real “check_command”, we’ll use a special “check_dummy” command that comes with Nagios.

/etc/nagios3/conf.d/firewalled_servers.cfg:

define command {
 command_name passive_check
 command_line /usr/lib/nagios/plugins/check_dummy 2 "CRITICAL: Agent has not checked-in with re
}
define service {
 use                     generic-service ; Name of service template to use
 host_name               clientmachine1.example.com
 service_description     imalive
 check_command           passive_check
 passive_checks_enabled  1
 check_period            never
}

..Verify your configuration:

root@nagios:/var/www/passivechecks# nagios3 -v /etc/nagios3/nagios.cfg
 ...
Total Warnings: 0
Total Errors: 0

Things look okay - No serious problems were detected during the pre-flight check
root@nagios:/var/www/passivechecks#

..and restart Nagios:

root@nagios:/var/www/passivechecks# service nagios3 restart
 * Restarting nagios3 monitoring daemon nagios3 Waiting for nagios3 daemon to die...
 [ OK ]
root@nagios:/var/www/passivechecks#

References

http://nagios.sourceforge.net/docs/3_0/passivechecks.html
