Nagios – Kurzanleitung

Veröffentlichung 15. August 2018 @ 19:43
Letzte Änderung 3. Juni 2021 @ 6:40

Überblick

  • IT-Infrastruktur-Monitoring über Weboberfläche
  • Anpassung der php.ini-Datei für mod_php und der Default-Pool-Konfigurationsdatei für FPM
  • Security through obscurity durch komplizierten Hostnamen und abweichenden HTTPS-Port
  • Wildcard-Zertifikat, damit Hostname nicht extern bekannt wird
  • (Zusätzliche) Absicherung über Apache-Basis-Authentifizierung mit kompliziertem Benutzernamen

Voraussetzungen

Netzwerk

  • Administrator-E-Mail admin@example.com
  • Administrator-Host admin.example.com
  • Benutzer nagios
  • Gruppe nagios
  • Host pSh6v5zB86J20Ll3Wiv6.example.com
  • htpasswd-Benutzer K1MHJaHAIDaLiTDmtkjm
  • HTTPS-Port 42443

Software

  • Apache 2.4.18 #apache2 -v
  • Nagios Core 4.4.1 #https://pSh6v5zB86J20Ll3Wiv6.example.com:42443
  • PHP 7.0.30 #php –version
  • Ubuntu Server 16.04.04 LTS #lsb_release -a

Ordner und Dateien

  • Installation /usr/local/nagios
  • Konfiguration /etc/apache2/sites-available/nagios.conf, /etc/php/7.0/fpm/pool.d/default.conf.disabled, /etc/php/7.0/fpm/pool.d/nagios.conf, /usr/local/nagios/etc
  • Log /usr/local/nagios/var/nagios.log, /var/log/apache2/access-nagios.log, /var/log/apache2/error.log, /var/log/apache2/error-nagios.log, /var/log/php7.0-fpm.log
  • systemd /lib/systemd/system/nagios.service
  • Zertifikate und Schlüssel /etc/letsencrypt/live/example.com/*.pem

Nagios installieren

Erforderliche Pakete installieren

apt install autoconf gcc libc6 libgd2-xpm-dev make unzip wget

Quelltexte herunterladen

cd /tmp
wget --output-document=nagioscore.tar.gz https://github.com/NagiosEnterprises/nagioscore/archive/nagios-4.4.1.tar.gz
tar --extract --file=nagioscore.tar.gz --gzip

Kompilieren

cd /tmp/nagioscore-nagios-4.4.1/
./configure --with-httpd-conf=/etc/apache2/sites-enabled
make all

Benutzer und Gruppe nagios erstellen und Nutzer www-data zu Gruppe nagios hinzufügen

make install-groups-users
usermod -aG nagios www-data

Binärdateien, CGIs und HTML-Dateien installieren

make install

Service installieren und für Autostart einrichten

make install-daemoninit

Command Mode installieren

make install-commandmode

Beispiel-Konfigurationsdateien anlegen

make install-config

Apache-Konfigurationsdateien erstellen und Module aktivieren

make install-webconf
a2enmod rewrite
a2enmod cgi

Benutzerdatei für Basis-Authentifizierung anlegen

Benutzernamen mit Passwortgenerator z. B. KeePass generieren

K1MHJaHAIDaLiTDmtkjm

Benutzerdatei mit Bcrypt-Passwort-Hash neu erstellen

htpasswd -B -c /usr/local/nagios/etc/htpasswd.users K1MHJaHAIDaLiTDmtkjm

Nagios-CGI-Konfigurationsdatei anpassen

...
#authorized_for_system_information=nagiosadmin
authorized_for_system_information=K1MHJaHAIDaLiTDmtkjm
...
#authorized_for_configuration_information=nagiosadmin
authorized_for_configuration_information=K1MHJaHAIDaLiTDmtkjm
...
#authorized_for_system_commands=nagiosadmin
authorized_for_system_commands=K1MHJaHAIDaLiTDmtkjm
...
#authorized_for_all_services=nagiosadmin
#authorized_for_all_hosts=nagiosadmin
authorized_for_all_services=K1MHJaHAIDaLiTDmtkjm
authorized_for_all_hosts=K1MHJaHAIDaLiTDmtkjm
...
#authorized_for_all_service_commands=nagiosadmin
#authorized_for_all_host_commands=nagiosadmin
authorized_for_all_service_commands=K1MHJaHAIDaLiTDmtkjm
authorized_for_all_host_commands=K1MHJaHAIDaLiTDmtkjm
...

Nagios-Konfiguration testen, Service starten und Status abfragen

/usr/local/nagios/bin/nagios -v /usr/local/nagios/etc/nagios.cfg
systemctl start nagios
systemctl status nagios.service

Quelltexte löschen

rm --recursive /tmp/nagios*

Virtuellen Host mit Basis-Authentifizierung einrichten

Muster /etc/apache2/sites-enabled/nagios.conf

Hostnamen mit Passwortgenerator z. B. KeePass generieren

pSh6v5zB86J20Ll3Wiv6

Vorinstallierte Apache-Konfiguration löschen

rm /etc/apache2/sites-enabled/nagios.conf

Apache-Konfigurationsdatei anlegen

<VirtualHost *:42443>
#eigene Subdomain statt in Unterordner nagios:
#Alias /nagios /usr/local/nagios/share
CustomLog ${APACHE_LOG_DIR}/access-nagios.log vhost_combined
DocumentRoot /usr/local/nagios/share
ErrorLog ${APACHE_LOG_DIR}/error-nagios.log
ScriptAlias /nagios/cgi-bin /usr/local/nagios/sbin
ServerAdmin webmaster@example.com
ServerName pSh6v5zB86J20Ll3Wiv6.example.com
SSLCertificateFile /etc/letsencrypt/live/example.com/fullchain.pem
SSLCertificateKeyFile /etc/letsencrypt/live/example.com/privkey.pem
SSLEngine on
<Directory /usr/local/nagios/sbin>
Options ExecCGI
<RequireAll>
AuthBasicProvider file
AuthName "Nagios"
AuthType Basic
AuthUserFile /usr/local/nagios/etc/htpasswd.users
#Require all granted
Require host admin.example.com
Require valid-user
</RequireAll>
</Directory>
<Directory /usr/local/nagios/share>
<RequireAll>
AuthBasicProvider file
AuthName "Nagios"
AuthType Basic
AuthUserFile /usr/local/nagios/etc/htpasswd.users
php_admin_value open_basedir /usr/local/nagios/share/
#Require all granted
Require host admin.example.com
Require valid-user
</RequireAll>
</Directory>
</VirtualHost>

Konfiguration aktivieren

a2ensite nagios.conf

Nagios-CGI-Konfigurationsdatei anpassen

...
#eigene Subdomain statt in Unterordner nagios:
#url_html_path=/nagios
url_html_path=/
...

[Optional] FPM-Pool-Konfiguration aus Default-Konfiguration erstellen und virtuellen Host anpassen

FPM-Konfigurationsdatei anlegen

cp /etc/php/7.0/fpm/pool.d/default.conf.disabled /etc/php/7.0/fpm/pool.d/nagios.conf
;[default]
[nagios]
...
;listen = /run/php/php7.0-fpm-default.sock
listen = /run/php/php7.0-fpm-nagios.sock
...
;php_admin_value[open_basedir] = nonexistent
php_admin_value[open_basedir] = /usr/local/nagios/share/
...

Konfiguration testen und PHP-FPM neustarten

php-fpm7.0 --test
systemctl reload php7.0-fpm
#systemctl status php7.0-fpm.service

Apache-Konfigurationsdatei modifizieren

<VirtualHost *:42443>
...
<Directory /usr/local/nagios/share>
...
#php_admin_value open_basedir /usr/local/nagios/share/
...
</Directory>
<FilesMatch "\.php$">
<If "-f %{REQUEST_FILENAME}">
SetHandler "proxy:unix:/run/php/php7.0-fpm-nagios.sock|fcgi://localhost/"
</If>
</FilesMatch>
<Proxy "fcgi://localhost/" enablereuse=on max=10>
</Proxy>
</VirtualHost>

Konfiguration testen, Apache neustarten und Status abfragen

apache2ctl configtest
systemctl reload apache2
systemctl status apache2.service

Nagios-Plugins installieren

Erforderliche Pakete installieren

apt install autoconf bc build-essential gawk gcc gettext dc libc6 libmcrypt-dev libnet-snmp-perl libssl-dev make snmp wget

Quelltexte herunterladen

cd /tmp
wget --no-check-certificate --output-document=nagios-plugins.tar.gz https://github.com/nagios-plugins/nagios-plugins/archive/release-2.2.1.tar.gz
tar --extract --file=nagios-plugins.tar.gz --gzip

Kompilieren und installieren

cd /tmp/nagios-plugins-release-2.2.1/
./tools/setup
./configure
make
make install

Quelltexte löschen

rm --recursive /tmp/nagios*

Nagios konfigurieren

Sendmail ohne Option -s nutzen

...
command_name notify-host-by-email
#/usr/local/nagios/var/nagios.log "[xxx] wproc: stderr line 01: sendmail: invalid option -- 's'":
#command_line /usr/bin/printf "%b" "***** Nagios *****\n\nNotification Type: $NOTIFICATIONTYPE$\nHost: $HOSTNAME$\nState: $HOSTSTATE$\nAddress: $HOSTADDRESS$\nInfo: $HOSTOUTPUT$\n\nDate/Time: $LONGDATETIME$\n" | /usr/sbin/sendmail -s "** $NOTIFICATIONTYPE$ Host Alert: $HOSTNAME$ is $HOSTSTATE$ **" $CONTACTEMAIL$
command_line /usr/bin/printf "%b" "Subject: ** $NOTIFICATIONTYPE$ Host Alert: $HOSTNAME$ is $HOSTSTATE$ **\n***** Nagios *****\n\nNotification Type: $NOTIFICATIONTYPE$\nHost: $HOSTNAME$\nState: $HOSTSTATE$\nAddress: $HOSTADDRESS$\nInfo: $HOSTOUTPUT$\n\nDate/Time: $LONGDATETIME$\n" | /usr/sbin/sendmail $CONTACTEMAIL$
...
command_name notify-service-by-email
#/usr/local/nagios/var/nagios.log "[xxx] wproc: stderr line 01: sendmail: invalid option -- 's'":
#command_line /usr/bin/printf "%b" "***** Nagios *****\n\nNotification Type: $NOTIFICATIONTYPE$\n\nService: $SERVICEDESC$\nHost: $HOSTALIAS$\nAddress: $HOSTADDRESS$\nState: $SERVICESTATE$\n\nDate/Time: $LONGDATETIME$\n\nAdditional Info:\n\n$SERVICEOUTPUT$\n" | /usr/sbin/sendmail -s "** $NOTIFICATIONTYPE$ Service Alert: $HOSTALIAS$/$SERVICEDESC$ is $SERVICESTATE$ **" $CONTACTEMAIL$
command_line /usr/bin/printf "%b" "Subject: ** $NOTIFICATIONTYPE$ Service Alert: $HOSTALIAS$/$SERVICEDESC$ is $SERVICESTATE$ **\n***** Nagios *****\n\nNotification Type: $NOTIFICATIONTYPE$\n\nService: $SERVICEDESC$\nHost: $HOSTALIAS$\nAddress: $HOSTADDRESS$\nState: $SERVICESTATE$\n\nDate/Time: $LONGDATETIME$\n\nAdditional Info:\n\n$SERVICEOUTPUT$\n" | /usr/sbin/sendmail $CONTACTEMAIL$
...

E-Mail-Adresse hinterlegen

...
#email nagios@localhost ; <<***** CHANGE THIS TO YOUR EMAIL ADDRESS ******
email admin@example.com ;
...

Benachrichtigungen für HTTP-Test aktivieren

...
check_command check_http
#notifications_enabled 0
notifications_enabled 1
...

[Optional] localhost 127.0.0.1 in OpenSSH-Server-Konfiguration eintragen

...
#Zugriff nur auf bestimmte Netzwerkschnittstelle:
ListenAddress xxx.xxx.xxx.xxx
ListenAddress 127.0.0.1
...
systemctl reload ssh

Befehl für SSH-Test auf Port 42022 statt Standardport 22 ändern und Benachrichtigungen aktivieren

...
#check_command check_ssh
check_command check_ssh!--port=42022
#notifications_enabled 0
notifications_enabled 1
...

Nagios-Konfiguration testen, Service neustarten und Status abfragen

/usr/local/nagios/bin/nagios -v /usr/local/nagios/etc/nagios.cfg
systemctl reload nagios
systemctl status nagios.service

Quellen

https://assets.nagios.com/downloads/nagioscore/docs/nagioscore/4/en/cgiauth.html
https://assets.nagios.com/downloads/nagioscore/docs/nagioscore/4/en/index.html
https://httpd.apache.org/
https://httpd.apache.org/docs/2.4/howto/auth.html
https://keepass.info/
http://manpages.ubuntu.com/manpages/xenial/man8/php-fpm7.0.8.html
https://nagios-plugins.org/doc/man/
https://secure.php.net/manual/de/install.fpm.php
https://support.nagios.com/kb/article/nagios-core-installing-nagios-core-from-source-96.html#Ubuntu
https://wiki.apache.org/httpd/PHP-FPM
https://www.nagios.org/