Yep.
Right. NRPE is a small daemon which runs on the agent, and can be queried with check_nrpe
. This originates from Nagios and is their preferred way. NRPE is known for weak TLS, and possible MITM attacks. Also, it doesn’t integrate that transparent as you’ll have with the Icinga 2 Agent sharing the same binary and configuration language as a satellite/master instance.
Coming back to the question - does that then work on a deployment?
In terms of the zones.conf files, I’d suggest changes.
- Avoid using ZoneName and NodeName constants. These have been removed from the CLI wizards in 2.10, and use real FQDN strings instead.
- On the master and satellites, only configure their endpoints and zones.
Master:
object Endpoint "icinga-master" {
//host is not needed
}
object Zone "master" {
endpoints = [ "icinga-master" ]
}
object Endpoint "icinga-sat-1" {
host = "icinga-sat-1"
}
object Zone "satellite-zone-1" {
endpoints = [ "icinga-sat-1" ]
parent = "master"
}
object Zone "global-templates" {
global = true
}
object Zone "director-global" {
global = true
}
Satellite:
object Endpoint "icinga-master" {
host = "XXX"
port = "5665"
}
object Zone "director-global" {
global = true
}
object Endpoint "icinga-sat-1" {
host = "icinga-sat-1"
}
object Zone "satellite-zone-1" {
endpoints = [ "icinga-sat-1" ]
parent = "master"
}
object Zone "master" {
endpoints = [ "icinga-master" ]
}
object Zone "global-templates" {
global = true
}
- On the agent, configure the local endpoint and the parent endpoint and zones.
object Endpoint "agent-FQDN" {}
object Endpoint "icinga-sat-1" {
//set the host attribute, if the agent should actively connect to the satellite
}
object Zone "satellite-zone-1" {
endpoints = [ "icinga-sat-1" ]
}
object Zone "agent-FQDN" {
endpoints = [ "agent-FQDN" ]
parent = "satellite-zone-1"
}
object Zone "global-templates" {
global = true
}
object Zone "director-global" {
global = true
}
Cheers,
Michael