I hope someone can help. I’m currently building a POV environment of Icinga on Ubuntu 18. The aim is to monitor Windows, Linux and hardware via SNMP.
I’ve managed to install Icinga2, Director, and Grafana. Generally speaking the core components seem fine. I’ve built some basic host and service templates, through which I’ve remotely monitored services like SSH, HTTP, performed pings etc. I’ve also managed to successfully use the agent on a test Linux server.
Unfortunately I just can’t seem to get the Windows agent installation to work. I’m trying to use a Host Template to set the Self Service API parameters and then use the powershell install script. Unfortunately the agent never seems to connect even though the install completes. I’ve read lots of documentation on the topic but the more I read the less clear the whole thing becomes. Hence this post. I’ve been at the build now for two weeks I need to finish it.
I hope someone can assist.
My current powershell script looks like this;
$icinga = Icinga2AgentModule -DirectorUrl 'https://myserverfqdn/icingaweb2/director/' -DirectorAuthToken '88fb419b8b758b87f76cc432fbb0235e66c36c7c' -IgnoreSSLErrors -Debugmode -RunInstaller;
Output is as follows;
Notice: Started script run...
"ebug: Processing Director API config argument "fetch_agent_name: false
"ebug: Processing Director API config argument "fetch_agent_fqdn: true
"ebug: Processing Director API config argument "transform_hostname: 1
"ebug: Processing Director API config argument "flush_api_directory: true
"ebug: Processing Director API config argument "director_host_object: {"address":"&ipaddress&","display_name":"&hostname.lowerCase&"}
"ebug: Processing Director API config argument "download_url: \\XXXX\XXXXXX\Icinga\selfservice_api
"ebug: Processing Director API config argument "agent_version: 2.11.2
"ebug: Processing Director API config argument "allow_updates: true
"ebug: Processing Director API config argument "agent_listen_port: 5665
"ebug: Processing Director API config argument "install_nsclient: true
Notice: Connected successfully to Icinga Director Self-Service API over API token.
Debug: Setting "global_zones" to default "director-global" and "global-templates"
Debug: Setting "accept_config" to default "true"
Notice: Setting internal Agent Name to "XXXXX.XXX.XXXX.XXXm"
Notice: Trying to fetch Host IP-Address for hostname: XXXXX.XXX.XXXX.XXXm
Notice: Setting IP xxx.xxx.xxx.xxx as primary IP for this host for all requests. Access it with &ipaddress& for all JSON requests.
Notice: Transforming Agent Name to XXXXX.XXX.XXXX.XXXm
Notice: Using Icinga version "", setting certificate directory to "C:\ProgramData\icinga2\etc\icinga2\pki"
Warning: Icinga 2 Agent does not seem to be installed on the system
Notice: Installing Icinga 2 Agent from local directory
Warning: Icinga 2 Agent Installer verification disabled.
Notice: Installing Icinga 2 Agent
Notice: Icinga 2 Agent installed.
Notice: Using Icinga version "2.11.2", setting certificate directory to "C:\ProgramData\icinga2\var\lib\icinga2\certs"
Notice: Found Icinga 2 Agent version 2.11.2 installed at "C:\Program Files\ICINGA2\"
Notice: Creating host "XXXXX.XXX.XXXX.XXXm" over API token inside Icinga Director.
Notice: Writing host API-Key "8ef379e782976bb4543e059f575c9d107ca361f1" to "C:\ProgramData\icinga2\etc\icinga2\icingadirector.token"
"ebug: Processing Director API config argument "fetch_agent_name: false
Debug: Skipping overriding of 'fetch_agent_name', as set by script. [False]
"ebug: Processing Director API config argument "fetch_agent_fqdn: true
Debug: Skipping overriding of 'fetch_agent_fqdn', as set by script. [True]
"ebug: Processing Director API config argument "transform_hostname: 1
Debug: Skipping overriding of 'transform_hostname', as set by script. [1]
"ebug: Processing Director API config argument "flush_api_directory: true
Debug: Skipping overriding of 'flush_api_directory', as set by script. [True]
"ebug: Processing Director API config argument "director_host_object: {"address":"&ipaddress&","display_name":"&hostname.lowerCase&"}
Debug: Skipping overriding of 'director_host_object', as set by script. [{"address":"&ipaddress&","display_name":"&hostname.lowerCase&"}]
"ebug: Processing Director API config argument "download_url: \\\\xxxx\xxx\Icinga\selfservice_api
Debug: Skipping overriding of 'download_url', as set by script. [\\xxxx\xxxx\Icinga\selfservice_api]
"ebug: Processing Director API config argument "agent_version: 2.11.2
Debug: Skipping overriding of 'agent_version', as set by script. [2.11.2]
"ebug: Processing Director API config argument "allow_updates: true
Debug: Skipping overriding of 'allow_updates', as set by script. [True]
"ebug: Processing Director API config argument "agent_listen_port: 5665
Debug: Skipping overriding of 'agent_listen_port', as set by script. [5665]
"ebug: Processing Director API config argument "install_nsclient: true
Debug: Skipping overriding of 'install_nsclient', as set by script. [True]
"ebug: Processing Director API config argument "agent_add_firewall_rule: true
"ebug: Processing Director API config argument "global_zones: director-global!global-templates
Debug: Skipping overriding of 'global_zones', as set by script. [director-global global-templates]
"ebug: Processing Director API config argument "parent_zone: XXXXXXX
"ebug: Processing Director API config argument "ca_server: XXXXXXX
"ebug: Processing Director API config argument "parent_endpoints: XXXXXXX
"ebug: Processing Director API config argument "accept_config: true
Debug: Skipping overriding of 'accept_config', as set by script. [True]
Notice: Successfully fetched configuration for this host over Self-Service API.
Notice: Fetched ticket "1a001ee5b990f1257c208f0d79899e7b4958947c" from Icinga Director
Notice: Generating Host certificates required by Icinga 2
Notice: information/base: Writing private key to 'C:\ProgramData\icinga2\var\lib\icinga2\certs\w10-094.nt.doehle-iom.com.key'.
information/base: Writing X509 certificate to 'C:\ProgramData\icinga2\var\lib\icinga2\certs\w10-094.nt.doehle-iom.com.crt'.
Notice: Storing Icinga 2 certificates
Notice: information/cli: Retrieving X.509 certificate for 'XXXXXXX:5665'.
Subject: CN = XXXXXXX
Issuer: CN = Icinga CA
Valid From: Jan 15 08:04:28 2020 GMT
Valid Until: Jan 11 08:04:28 2035 GMT
Fingerprint: 5C FB AF 35 80 87 BC 71 25 A8 AC C1 F1 B9 85 71 F8 5D 01 CB
***
*** You have to ensure that this certificate actually matches the parent
*** instance's certificate in order to avoid man-in-the-middle attacks.
***
information/pki: Writing certificate to file 'C:\ProgramData\icinga2\var\lib\icinga2\certs\trusted-master.crt'.
Notice: Certificate fingerprint: "5CFBAF358087BC7125A8ACC1F1B98571F85D01CB"
Warning: CA fingerprint validation disabled
Notice: Requesting Icinga 2 certificates
Notice: information/cli: Writing CA certificate to file 'C:\ProgramData\icinga2\var\lib\icinga2\certs\ca.crt'.
information/cli: !!!!!!
information/cli: !!! Certificate request for CN 'XXXXX.XXX.XXXX.XXXm' is pending. Waiting for approval from the parent Icinga instance.
information/cli: !!!!!!
Debug: Old Config Hash: "5664402221322331521711726681371182441222332311675872" New Hash: "7159237172052032208161881262464623316353217278570"
Notice: Icinga 2 configuration backup successfull
Notice: Writing icinga2.conf to "C:\ProgramData\icinga2\etc\icinga2\"
Notice: Icinga 2 configuration check successfull.
Notice: Trying to disable debug log for Icinga 2...
Notice: Icinga 2 debug log is not enabled or configuration not found
Notice: Trying to enable logging for Icinga 2...
Notice: Icinga 2 logging is already enabled or configuration not found
Notice: Trying to install Icinga 2 Agent Firewall Rule for port 5665
Notice: Icinga 2 Agent Firewall Rule already installed. Trying to remove it to add it again...
Notice: Icinga 2 Agent Firewall Rule has been removed. Re-Adding now...
Notice: Icinga 2 Agent Firewall Rule successfully installed for port 5665
Notice: Trying to install and configure NSClient++ from "C:\Program Files\ICINGA2\sbin\NSCP.msi"
Notice: NSClient++ is already installed on the system.
Notice: NSClient++ Firewall Rule is not installed
Notice: NSClient++ Service is not installed
Notice: Restarting service icinga2
Notice: Icinga 2 Agent successfully restarted.
Debug: Dumping properties...
Debug:
Name Value
---- -----
install_msi_package Icinga2-v2.11.2-x86_64.msi
director_host_token 8ef379e782976bb4543e059f575c9d107ca361f1
certs_created True
new_icinga_config /**...
initialized True
icinga_host_exist False
ipv6_count 2
ipaddressV6 fe80::3d59:f4b6:8fa5:6f00%12
generate_config true
cur_install_dir C:\Program Files\ICINGA2\
require_restart
system_architecture x86_64
agent_version 2.11.2
icinga2_agent_version {2, 11, 2}
cert_dir C:\ProgramData\icinga2\var\lib\icinga2\certs
uninstall_id /X{C88D83DE-154D-4846-8D33-1A12A01EC702}
ipaddress xxx.xxx.xxx.xx
ipaddress[0] 169.254.111.0
icinga_ticket 1a001ee5b990f1257c208f0d79899e7b4958947c
use_self_service_api True
endpoint_nodes "XXXXXXX"
fqdn XXXXX.XXX.XXXX.XXXm
ipaddress[1] 169.254.111.0
config_dir C:\ProgramData\icinga2\etc\icinga2\
ipv4_count 2
endpoint_objects object Endpoint "XXXXXXX" {...
ipaddressV6[1] fe80::5462:7910:aefa:4dd2%11
icinga_director_api_version 1.4.0
global_zones object Zone "director-global" {...
use_new_cert_dir True
old_icinga_config /**...
ipaddressV6[0] fe80::3d59:f4b6:8fa5:6f00%12
hostname WXXXXXm
local_hostname XXXXX.XXX.XXXX.XXXm
api_dir C:\ProgramData\icinga2\var\lib\icinga2\api
Debug: Dumping config...
Debug:
Name Value
---- -----
director_domain
director_user
nsclient_directory
director_deploy_config False
accept_config True
parent_zone XXXXXXX
director_auth_token 88fb419b8b758b87f76cc432fbb0235e66c36c7c
transform_hostname 1
agent_install_directory
module_log_file
icinga_enable_debug_log False
agent_version 2.11.2
full_uninstallation False
agent_add_firewall_rule True
director_host_object {"address":"&ipaddress&","display_name":"&hostname.lowerCase&"}
fetch_agent_fqdn True
force_cert False
nsclient_add_defaults False
icinga_disable_log False
install_nsclient True
ticket
debug_mode True
nsclient_firewall False
ignore_ssl_errors True
director_url https://XXXXXXX/icingaweb2/director/
ca_server XXXXXXX
flush_api_directory True
endpoints_config
ca_certificate_path
parent_endpoints XXXXXXX
ca_fingerprint
director_password
download_url \\xxxxx\xxxx\Icinga\selfservice_api
agent_name
nsclient_service False
agent_listen_port 5665
global_zones {director-global, global-templates}
nsclient_installer_path
installer_hashes
icinga_service_user
allow_updates True
remove_nsclient False
ca_port 5665
fetch_agent_name False
caproxy False
Build check is as follows;
icinga2 daemon -C
[2020-01-20 13:56:35 +0000] information/cli: Icinga application loader (version: r2.11.2-1)
[2020-01-20 13:56:35 +0000] information/cli: Loading configuration file(s).
[2020-01-20 13:56:35 +0000] information/ConfigItem: Committing config item(s).
[2020-01-20 13:56:35 +0000] information/ApiListener: My API identity: cyllene
[2020-01-20 13:56:35 +0000] information/ConfigItem: Instantiated 1 InfluxdbWriter.
[2020-01-20 13:56:35 +0000] information/ConfigItem: Instantiated 1 ScheduledDowntime.
[2020-01-20 13:56:35 +0000] information/ConfigItem: Instantiated 1 FileLogger.
[2020-01-20 13:56:35 +0000] information/ConfigItem: Instantiated 2 NotificationCommands.
[2020-01-20 13:56:35 +0000] information/ConfigItem: Instantiated 1 NotificationComponent.
[2020-01-20 13:56:35 +0000] information/ConfigItem: Instantiated 13 Notifications.
[2020-01-20 13:56:35 +0000] information/ConfigItem: Instantiated 1 IcingaApplication.
[2020-01-20 13:56:35 +0000] information/ConfigItem: Instantiated 14 HostGroups.
[2020-01-20 13:56:35 +0000] information/ConfigItem: Instantiated 17 Hosts.
[2020-01-20 13:56:35 +0000] information/ConfigItem: Instantiated 1 Downtime.
[2020-01-20 13:56:35 +0000] information/ConfigItem: Instantiated 1 CheckerComponent.
[2020-01-20 13:56:35 +0000] information/ConfigItem: Instantiated 7 Zones.
[2020-01-20 13:56:35 +0000] information/ConfigItem: Instantiated 5 Endpoints.
[2020-01-20 13:56:35 +0000] information/ConfigItem: Instantiated 1 ExternalCommandListener.
[2020-01-20 13:56:35 +0000] information/ConfigItem: Instantiated 1 ApiUser.
[2020-01-20 13:56:35 +0000] information/ConfigItem: Instantiated 2 UserGroups.
[2020-01-20 13:56:35 +0000] information/ConfigItem: Instantiated 1 ApiListener.
[2020-01-20 13:56:35 +0000] information/ConfigItem: Instantiated 1 IdoMysqlConnection.
[2020-01-20 13:56:35 +0000] information/ConfigItem: Instantiated 235 CheckCommands.
[2020-01-20 13:56:35 +0000] information/ConfigItem: Instantiated 3 TimePeriods.
[2020-01-20 13:56:35 +0000] information/ConfigItem: Instantiated 2 Users.
[2020-01-20 13:56:35 +0000] information/ConfigItem: Instantiated 41 Services.
[2020-01-20 13:56:35 +0000] information/ConfigItem: Instantiated 8 ServiceGroups.
[2020-01-20 13:56:35 +0000] information/ScriptGlobal: Dumping variables to file '/var/cache/icinga2/icinga2.vars'
[2020-01-20 13:56:35 +0000] information/cli: Finished validating the configuration file(s)
Server logs from /var/log/icinga2.log relevant to client being installed, are as follows;
[2020-01-20 12:13:51 +0000] information/JsonRpcConnection: Sending certificate response for CN 'host.x.y.com' to endpoint 'host.x.y.com'.
[2020-01-20 12:13:51 +0000] warning/JsonRpcConnection: API client disconnected for identity 'host.x.y.com'
[2020-01-20 12:14:01 +0000] information/ApiListener: Reconnecting to endpoint 'host.x.y.com' via host 'xxx.xxx.xxx.xxx' and port '5665'
[2020-01-20 12:14:01 +0000] warning/ApiListener: Certificate validation failed for endpoint 'host.x.y.com': code 18: self signed certificate
[2020-01-20 12:14:01 +0000] information/ApiListener: New client connection for identity 'host.x.y.com' to [xxx.xxx.xxx.xxx]:5665 (certificate validation failed: code 18: self signed certificate)
[2020-01-20 12:14:01 +0000] information/ApiListener: Finished reconnecting to endpoint 'host.x.y.com' via host 'xxx.xxx.xxx.xxx' and port '5665'
[2020-01-20 12:14:01 +0000] information/JsonRpcConnection: Received certificate request for CN 'host.x.y.com' not signed by our CA.
[2020-01-20 12:14:01 +0000] information/JsonRpcConnection: Sending certificate response for CN 'host.x.y.com' to endpoint 'host.x.y.com'.
[2020-01-20 12:14:01 +0000] warning/JsonRpcConnection: API client disconnected for identity 'host.x.y.com'
[2020-01-20 12:14:11 +0000] information/ApiListener: Reconnecting to endpoint 'host.x.y.com' via host 'xxx.xxx.xxx.xxx' and port '5665'
[2020-01-20 12:14:11 +0000] warning/ApiListener: Certificate validation failed for endpoint 'host.x.y.com': code 18: self signed certificate
[2020-01-20 12:14:11 +0000] information/ApiListener: New client connection for identity 'host.x.y.com' to [xxx.xxx.xxx.xxx]:5665 (certificate validation failed: code 18: self signed certificate)
[2020-01-20 12:14:11 +0000] information/ApiListener: Finished reconnecting to endpoint 'host.x.y.com' via host 'xxx.xxx.xxx.xxx' and port '5665'
[2020-01-20 12:14:11 +0000] information/JsonRpcConnection: Received certificate request for CN 'host.x.y.com' not signed by our CA.
[2020-01-20 12:14:11 +0000] information/JsonRpcConnection: Sending certificate response for CN 'host.x.y.com' to endpoint 'host.x.y.com'.
[2020-01-20 12:14:11 +0000] warning/JsonRpcConnection: API client disconnected for identity 'host.x.y.com'
[2020-01-20 12:14:21 +0000] information/ApiListener: Reconnecting to endpoint 'host.x.y.com' via host 'xxx.xxx.xxx.xxx' and port '5665'
[2020-01-20 12:14:21 +0000] warning/ApiListener: Certificate validation failed for endpoint 'host.x.y.com': code 18: self signed certificate
[2020-01-20 12:14:21 +0000] information/ApiListener: New client connection for identity 'host.x.y.com' to [xxx.xxx.xxx.xxx]:5665 (certificate validation failed: code 18: self signed certificate)
[2020-01-20 12:14:21 +0000] information/ApiListener: Finished reconnecting to endpoint 'host.x.y.com' via host 'xxx.xxx.xxx.xxx' and port '5665'
[2020-01-20 12:14:21 +0000] information/JsonRpcConnection: Received certificate request for CN 'host.x.y.com' not signed by our CA.
[2020-01-20 12:14:21 +0000] information/JsonRpcConnection: Sending certificate response for CN 'host.x.y.com' to endpoint 'host.x.y.com'.
[2020-01-20 12:14:21 +0000] warning/JsonRpcConnection: API client disconnected for identity 'host.x.y.com'
[2020-01-20 12:14:31 +0000] information/ApiListener: Reconnecting to endpoint 'host.x.y.com' via host 'xxx.xxx.xxx.xxx' and port '5665'
[2020-01-20 12:14:31 +0000] warning/ApiListener: Certificate validation failed for endpoint 'host.x.y.com': code 18: self signed certificate
[2020-01-20 12:14:31 +0000] information/ApiListener: New client connection for identity 'host.x.y.com' to [xxx.xxx.xxx.xxx]:5665 (certificate validation failed: code 18: self signed certificate)
[2020-01-20 12:14:31 +0000] information/ApiListener: Finished reconnecting to endpoint 'host.x.y.com' via host 'xxx.xxx.xxx.xxx' and port '5665'
[2020-01-20 12:14:31 +0000] information/JsonRpcConnection: Received certificate request for CN 'host.x.y.com' not signed by our CA.
[2020-01-20 12:14:31 +0000] information/JsonRpcConnection: Sending certificate response for CN 'host.x.y.com' to endpoint 'host.x.y.com'.
[2020-01-20 12:14:31 +0000] warning/JsonRpcConnection: API client disconnected for identity 'host.x.y.com'