30 novembre 2009 nagios tp n°1 - boris pascault · 2011. 3. 27. · installation de nagios afin...
TRANSCRIPT
Gervais COQUIL
Boris PASCAULT
Licence Pro QSSI
Groupe TP B
Nagios
30 novembre 2009
Tp n°1 Nagios, Apache, Fedora
Installation de Nagios
Afin d’installer Nagios il est tout d’abord nécessaire d’installer certains composants :
Un serveur web (nous utiliserions Apache) :
yum install httpd
Un compilateur C :
yum install gcc
Des librairies pour le compilateur :
yum install glibc glibc-common
yum install gd gd-devel
Il faut créer un nouvel utilisateur :
su -l
/usr/sbin/useradd -m nagios
passwd nagios
Ainsi qu’un nouveau groupe contenant les utilisateurs nagios et apache :
/usr/sbin/groupadd nagcmd
/usr/sbin/usermod -a -G nagcmd nagios
/usr/sbin/usermod -a -G nagcmd apache
Téléchargements des paquets de Nagios ainsi que des plugins :
mkdir ~/downloads
cd ~/dowloads
wget http://ovh.dl.sourceforge.net/project/nagios/nagios-3.x/nagios-3.0.6/nagios-
3.0.6.tar.gz
wget http://ovh.dl.sourceforge.net/project/nagiosplug/nagios-plugins-1.4.11.tar.gz
Extraction du paquet Nagios
tar xzf nagios-3.0.6.tar.gz
Paramètres de configuration avant la compilation
./configure --with-command -group=nagcmd
Compilation et Installation
make all
make install
make install-init
make install-config
make install-commandmode
Modification du fichier contacts.cfg
vi /usr/local/nagios/etc/objects/contacts.cfg
Dans le fichier ci-dessus nous avons paramétré le compte admin comme étant nagiosadmin et les messages d’erreur
seront envoyés sur la boite mail root@localhost.
Compilation et Installation de l’interface Web de Nagios :
make install install-webconf
Association du compte nagiosadmin à celui permettant la connexion à l’interface web :
htpasswd -c /usr/local/nagios/etc/htpasswd.users nagiosadmin
Redémarrage de Apache :
service httpd restart
Extraction du paquet plugins :
tar xzf nagios-plugins-1.4.11.tar.gz
Compilation et Installation des plugins :
./configure --with-nagios-user=nagios --with-nagios-group=nagios
make
make install
Ajout de Nagios au démarrage du système :
chkconfig --add nagios
chkconfig nagios on
Vérification de la configuration de Nagios :
/usr/local/nagios/bin/nagios -v /usr/local/nagios/etc/nagios.cfg
Lancement de Nagios :
service nagios start
Paramétrage de SELinux en Pemissive mode
getenforce
getenforce 0
Connexion à l’interface Web de Nagios :
http://localhost/nagios
define contact{
contact_name nagiosadmin ; Short name of user
use generic-contact ; Inherit default values from
generic-contact template (defined above)
alias Nagios Admin ; Full name of user
email root@localhost ; <<***** CHANGE THIS
TO YOUR EMAIL ADDRESS ******
}
Nagios est donc bien installé et opérationnel.
Configuration des hôtes
Afin de pouvoir ajouter un fichier de configuration supplémentaire à Nagios, il faut ajouter une ligne du style
suivant :
cfg_file=/usr/local/nagios/etc/objects/gervaisboris.cfg
Dans le fichier /usr/local/nagios/etc/nagios.cfg
Contenu du fichier gervaisboris.cfg concernant les hôtes :
define host{
use linux-server
host_name Alpha-Fiacre, Alexandre-Gael, Fabien-Charly, Julien-
Bastien, Prof
alias Alpha-Fiacre, Alexandre-Gael, Fabien-Charly, Julien-
Bastien, Prof
address 10.153.3.83
}
define host{
use linux-server
host_name Fabien-Charly
alias Fabien-Charly
address 10.153.3.82
}
define host{
use linux-server
host_name Alexandre-Gael
alias Alexandre-Gael
address 10.153.3.84
}
define host{
use linux-server
host_name Julien-Bastien
alias Julien-Bastien
address 10.153.3.80
}
define host{
use linux-server
host_name Prof
alias Prof
address 10.153.3.93
}
On utilise le template linux-server étant donné qu’il s’agit exclusivement de machines sous Fedora.
use permet de déclarer le template utilisé
host_name déclare le nom d’hôte
alias lui donne un alias dans Nagios (plus simple à utiliser dans certains cas)
address précise l’Ip de l’hôte distant
Ce qui donne sur l’interface Web :
L’image à été prise par le groupe composé de Julien-Ugo et Bastien.
Extrait du fichier templates.cfg concernant les linux-server (linux-server utilisant generic-host) :
define host{
name generic-host ; The name of this host template
notifications_enabled 1 ; Host notifications are enabled
event_handler_enabled 1 ; Host event handler is enabled
flap_detection_enabled 1 ; Flap detection is enabled
failure_prediction_enabled 1 ; Failure prediction is enabled
process_perf_data 1 ; Process performance data
retain_status_information 1 ; Retain status information across program restarts
retain_nonstatus_information 1 ; Retain non-status information across program restarts
notification_period 24x7 ; Send host notifications at any time
register 0 ; DONT REGISTER THIS DEFINITION - ITS NOT A REAL HOST, JUST A TEMPLATE!
}
define host{
name linux-server ; The name of this host template
use generic-host ; This template inherits other values from the generic-host template
check_period 24x7 ; By default, Linux hosts are checked round the clock
check_interval 5 ; Actively check the host every 5 minutes
retry_interval 1 ; Schedule host check retries at 1 minute intervals
max_check_attempts 10 ; Check each Linux host 10 times (max)
check_command check-host-alive ; Default command to check Linux hosts
notification_period workhours ; Linux admins hate to be woken up, so we only notify during the day
; Note that the notification_period variable is being overridden from
; the value that is inherited from the generic-host template!
notification_interval 120 ; Resend notifications every 2 hours
notification_options d,u,r ; Only send notifications for specific host states
contact_groups admins ; Notifications get sent to the admins by default
register 0 ; DONT REGISTER THIS DEFINITION - ITS NOT A REAL HOST, JUST A TEMPLATE!
}
Configuration des groupes
Les groupes permettent de rassembler les hôtes de manière organisée.
Extrait du fichier groups.cfg :
define hostgroup{
hostgroup_name Linux_1 ; The name of the hostgroup
alias Machines sous Linux (1) ;Long name of the group
members Julien-Bastien, Fabien-Charly ; Comma separated list of
hosts that belong to this group
}
define hostgroup{
hostgroup_name Linux_2 ; The name of the hostgroup
alias Machines sous Linux (2) ;Long name of the group
members localhost, Alexandre-Gael, Alpha-Fiacre, Alexandre-Gael,
Fabien-Charly, Julien-Bastien, Prof ; Comma separated list of hosts that belong
to this group
}
define hostgroup{
hostgroup_name Autre ; The name of the hostgroup
alias Autres ;Long name of the group
members Prof ; Comma separated list of
hosts that belong to this group
}
define hostgroup{
hostgroup_name Portables ; The name of the hostgroup
alias Portables sous Windows ; Long name of the group
members MiniNeuf, Tyrael ; Comma separated list of
hosts that belong to this group
}
hostgroup_name déclare le nom du groupe
alias permet de décrire le groupe plus en détails
members incluse les hôtes appartenant au groupe (chacun séparé par une virgule).
Ce qui donne sur l’interface Web :
Là aussi l’image à été prise par le groupe composé de Julien-Ugo et Bastien ce qui explique la non-correspondance
des noms de groupe et des membres.
Configuration des services
Pour les clients Linux :
Test du PING vers l’hôte distant :
define service{
use local-service ; Name of service template to use
host_name Alpha-Fiacre, Alexandre-Gael, Fabien-Charly, Julien-Bastien, Prof
service_description PING
check_command check_ping!100.0,20%!500.0,60%
}
Analyse de l’espace disque restant (20% : ALERT, 10% WARNING) :
define service{
use local-service ; Name of service template to use
host_name Alpha-Fiacre, Alexandre-Gael, Fabien-Charly, Julien-Bastien, Prof
service_description Root Partition
check_command check_local_disk!20%!10%!/
}
Surveillance des utilisateurs connectés (20 : ALERT, 50 WARNING) :
define service{
use local-service ; Name of service template to use
host_name Alpha-Fiacre, Alexandre-Gael, Fabien-Charly, Julien-Bastien, Prof
service_description Current Users
check_command check_local_users!20!50
}
Analyse du nombre de processus (250 : ALERT, 400 WARNING) :
define service{
use local-service ; Name of service template to use
host_name Alpha-Fiacre, Alexandre-Gael, Fabien-Charly, Julien-Bastien, Prof
service_description Total Processes
check_command check_local_procs!250!400!RSZDT
}
Analyse de la charge du système:
define service{
use local-service ; Name of service template to use
host_name Alpha-Fiacre, Alexandre-Gael, Fabien-Charly, Julien-Bastien, Prof
service_description Current Load
check_command check_local_load!5.0,4.0,3.0!10.0,6.0,4.0
}
Analyse de la charge du SWAP (20 : ALERT, 10 WARNING) :
define service{
use local-service ; Name of service template to use
host_name Alpha-Fiacre, Alexandre-Gael, Fabien-Charly, Julien-Bastien, Prof
service_description Swap Usage
check_command check_local_swap!20!10
}
Surveillance de la disponibilité du SSH (WARNING sur l’arrêt) :
define service{
use local-service ; Name of service template to use
host_name Alpha-Fiacre, Alexandre-Gael, Fabien-Charly, Julien-Bastien, Prof
service_description SSH
check_command check_ssh
notifications_enabled 0
}
Surveillance de la disponibilité du serveur Web (WARNING sur l’arrêt) :
define service{
use local-service ; Name of service template to use
host_name Alpha-Fiacre, Alexandre-Gael, Fabien-Charly, Julien-Bastien, Prof
service_description HTTP
check_command check_http
notifications_enabled 0
}
Pour la description des templates voir la partie des clients Windows
Sur l’interface Web :
Image tirée du TP de Julien-Ugo et de Bastien.
Pour les clients Windows :
Il est nécessaire d’installer un agent SNMP, pour cela nous utiliserons NSClient++
Il est aussi nécessaire de modifier le fichier command.cfg afin de tester certaines spécificités des clients Windows.
# 'check_nt' command definition
define command{
command_name check_nt
command_line $USER1$/check_nt -H $HOSTADDRESS$ -p 12489 -s jacky -v $ARG1$
$ARG2$
}
L’attribut jacky correspond au groupe SNMP.
Afin d’assurer le bon fonctionnement de NSClient il faut activer le service correspondant.
Sur le client Windows il faut paramétrer l’adresse du client SNMP (ici notre poste Fedora avec Nagios) ainsi que le
groupe, tout ceci ce fait dans le fichier : C:\Program Files\NSClient\NSC.ini
[Settings]
;# OBFUSCATED PASSWORD
; This is the same as the password option but here you can store the password in an
obfuscated manner.
; *NOTICE* obfuscation is *NOT* the same as encryption, someone with access to this
file can still figure out the
; password. Its just a bit harder to do it at first glance.
;obfuscated_password=Jw0KAUUdXlAAUwASDAAB
;
;# PASSWORD
; This is the password (-s) that is required to access NSClient remotely. If you leave
this blank everyone will be able to access the daemon remotly.
;password=secret-password
;
;# ALLOWED HOST ADDRESSES
; This is a comma-delimited list of IP address of hosts that are allowed to talk to
the all daemons.
; If leave this blank anyone can access the deamon remotly (NSClient still requires a
valid password).
; The syntax is host or ip/mask so 192.168.0.0/24 will allow anyone on that subnet
access
allowed_hosts=10.153.3.0/24
;
;# USE THIS FILE
; Use the INI file as opposed to the registry if this is 0 and the use_reg in the
registry is set to 1
; the registry will be used instead.
use_file=1
allowed_hosts=10.153.3.81
password=jacky
;
; # USE SHARED MEMORY CHANNELS
; This is the "new" way for using the system tray based on an IPC framework on top
shared memmory channels and events.
; It is brand new and (probably has bugs) so dont enable this unless for testing!
; If set to 1 shared channels will be created and system tray icons created and such
and such...
;shared_session=0
On autorise les machines du sous réseau 10.153.8.0 /24 ainsi que le serveur en lui-même et on déclare le mot de
passe (groupe SNMP).
Fichier windows.cfg :
Test du PING:
define service{
use local-service
host_name Tyrael, MiniNeuf
service_description PING
check_command check_ping!100.0,20%!500.0,60%
}
Test de la version de NSClient++:
define service{
use generic-service
host_name Tyrael, MiniNeuf
service_description NSClient++ Version
check_command check_nt!CLIENTVERSION
}
Test du temps depuis le dernier démarrage:
define service{
use generic-service
host_name Tyrael, MiniNeuf
service_description Uptime
check_command check_nt!UPTIME
}
Test de la charge CPU:
define service{
use generic-service
host_name Tyrael, MiniNeuf
service_description CPU Load
check_command check_nt!CPULOAD!-l 5,80,90
}
Test de la charge de la RAM:
define service{
use generic-service
host_name Tyrael, MiniNeuf
service_description Memory Usage
check_command check_nt!MEMUSE!-w 80 -c 90
}
Test de l’espace disponible sur le disque C:/ :
define service{
use generic-service
host_name Tyrael, MiniNeuf
service_description C:\ Drive Space
check_command check_nt!USEDDISKSPACE!-l c -w 80 -c 90
}
Test de l’espace disponible sur le disque D:/ :
define service{
use generic-service
host_name Tyrael, MiniNeuf
service_description D:\ Drive Space
check_command check_nt!USEDDISKSPACE!-l d -w 80 -c 90
}
Test de fonctionnement du serveur Web sous Windows : define service{
use generic-service
host_name Tyrael, MiniNeuf
service_description W3SVC
check_command check_nt!SERVICESTATE!-d SHOWALL -l W3SVC
}
Test de l’état du processus Explorer.exe :
define service{
use generic-service
host_name Tyrael, MiniNeuf
service_description Explorer
check_command check_nt!PROCSTATE!-d SHOWALL -l Explorer.exe
}
On utilise le template local-service pour le PING et generic-service pour tout ce qui concerne Windows.
Détails des services dans templates.cfg :
define service{
name generic-service ; The 'name' of this service template
active_checks_enabled 1 ; Active service checks are enabled
passive_checks_enabled 1 ; Passive service checks are enabled/accepted
parallelize_check 1 ; Active service checks should be parallelized (disabling this can lead to major
performance problems)
obsess_over_service 1 ; We should obsess over this service (if necessary)
check_freshness 0 ; Default is to NOT check service 'freshness'
notifications_enabled 1 ; Service notifications are enabled
event_handler_enabled 1 ; Service event handler is enabled
flap_detection_enabled 1 ; Flap detection is enabled
failure_prediction_enabled 1 ; Failure prediction is enabled
process_perf_data 1 ; Process performance data
retain_status_information 1 ; Retain status information across program restarts
retain_nonstatus_information 1 ; Retain non-status information across program restarts
is_volatile 0 ; The service is not volatile
check_period 24x7 ; The service can be checked at any time of the day
max_check_attempts 3 ; Re-check the service up to 3 times in order to determine its final (hard) state
normal_check_interval 10 ; Check the service every 10 minutes under normal conditions
retry_check_interval 2 ; Re-check the service every two minutes until a hard state can be determined
contact_groups admins ; Notifications get sent out to everyone in the 'admins' group
notification_options w,u,c,r ; Send notifications about warning, unknown, critical, and recovery events
notification_interval 60 ; Re-notify about service problems every hour
notification_period 24x7 ; Notifications can be sent out at any time
register 0 ; DONT REGISTER THIS DEFINITION - ITS NOT A REAL SERVICE, JUST A TEMPLATE!
}
define service{
name local-service ; The name of this service template
use generic-service ; Inherit default values from the generic-service definition
max_check_attempts 4 ; Re-check the service up to 4 times in order to determine its final (hard) state
normal_check_interval 5 ; Check the service every 5 minutes under normal conditions
retry_check_interval 1 ; Re-check the service every minute until a hard state can be determined
register 0 ; DONT REGISTER THIS DEFINITION - ITS NOT A REAL SERVICE, JUST A TEMPLATE!
}
Configuration des switchs
Plugin que nous avons utilisé pour tester les interfaces du Switch (Cisco Catalyst 2960) :
#!/bin/sh
# Paramètres :
# $1 : Adresse Ip de l'adresse de l'hôte à tester
# $2 : Numéro de l'interface à tester
# 1=FastEthernet0,
# 2=Serial0,
# 3=Serial1,
# 4=Null,
# Definition des valeurs de retour possibles
OK=0
WARNING=1
CRITICAL=2
UNKNOWN=3
# Test de la syntaxe de l'appel du plugin
if [ $# -ne 2 ] ; then
# Affichage d'un message d'erreur
echo "Usage : $0 <host> <interface_number>"
echo ""
echo "1 = FastEthernet0"
echo "2 = Serial0"
echo "3 = Serial1"
echo "4 = Null"
exit $UNKNOWN
fi
# Requete SNMP
retour=`snmpget $1 -c public -v 2c ifOperStatus.$2`
# Est-ce que l'interface est UP ?
rt=`echo $retour | grep up`
# Si elle n'est pas UP :
if [ -z "$rt" ] ; then
# Est-ce qu'elle est DOWN ?
rt=`echo $retour | grep down`
# Si elle n'est ni UP ni DOWN :
if [ -z "$rt" ] ; then
echo "Interface $2 state is UNKNOWN !"
exit $UNKNOWN
fi
# SI elle est DOWN :
echo "Interface $2 is DOWN !"
exit $CRITICAL
fi
# Si elle est UP :
echo "Interface $2 is UP !"
exit $OK
Ci-dessous la configuration de Nagios pour relever les informations du switch : switchs.cfg testant l’uptime, le PING
ainsi que le statuts des interfaces 1 à 9.
define host{
use generic-switch ; Inherit default values from a template
host_name Cisco Catalyst 2960 ; The name we\'re giving to this switch
alias Cisco Catalyst 2960 ; A longer name associated with the switch
address 10.153.3.100 ; IP address of the switch
hostgroups switches ; Host groups this switch is associated with
}
define hostgroup{
hostgroup_name switches ; The name of the hostgroup
alias Network Switches ; Long name of the group
}
define service{
use generic-service ; Inherit values from a template
host_name Cisco Catalyst 2960
service_description Uptime
check_command check_snmp!-C public -o sysUpTime.0
}
define service{
use generic-service ; Inherit values from a template
host_name Cisco Catalyst 2960 ; The name of the host the service is associated with
service_description PING ; The service description
check_command check_ping!200.0,20%!600.0,60% ; The command used to monitor the service
normal_check_interval 5 ; Check the service every 5 minutes under normal conditions
retry_check_interval 1 ; Re-check the service every minute until its final/hard state is
determined
}
define service{
use generic-service ; Inherit values from a template
host_name Cisco Catalyst 2960
service_description Port 1 Link Status
check_command check_snmp!-C public -o ifOperStatus.1 -r 1 -m RFC1213-MIB
}
define service{
use generic-service ; Inherit values from a template
host_name Cisco Catalyst 2960
service_description Port 2 Link Status
check_command check_snmp!-C public -o ifOperStatus.2 -r 1 -m RFC1213-MIB
}
define service{
use generic-service ; Inherit values from a template
host_name Cisco Catalyst 2960
service_description Port 3 Link Status
check_command check_snmp!-C public -o ifOperStatus.3 -r 1 -m RFC1213-MIB
}
define service{
use generic-service ; Inherit values from a template
host_name Cisco Catalyst 2960
service_description Port 4 Link Status
check_command check_snmp!-C public -o ifOperStatus.4 -r 1 -m RFC1213-MIB
}
define service{
use generic-service ; Inherit values from a template
host_name Cisco Catalyst 2960
service_description Port 5 Link Status
check_command check_snmp!-C public -o ifOperStatus.5 -r 1 -m RFC1213-MIB
}
define service{
use generic-service ; Inherit values from a template
host_name Cisco Catalyst 2960
service_description Port 6 Link Status
check_command check_snmp!-C public -o ifOperStatus.6 -r 1 -m RFC1213-MIB
}
define service{
use generic-service ; Inherit values from a template
host_name Cisco Catalyst 2960
service_description Port 7 Link Status
check_command check_snmp!-C public -o ifOperStatus.7 -r 1 -m RFC1213-MIB
}
define service{
use generic-service ; Inherit values from a template
host_name Cisco Catalyst 2960
service_description Port 8 Link Status
check_command check_snmp!-C public -o ifOperStatus.8 -r 1 -m RFC1213-MIB
}
define service{
use generic-service ; Inherit values from a template
host_name Cisco Catalyst 2960
service_description Port 9 Link Status
check_command check_snmp!-C public -o ifOperStatus.9 -r 1 -m RFC1213-MIB
}