Hello,I am having Icinga2 version 2.5.3
I have added a Firewall in the host file for monitoring.Its completed successfully,as i can see the same in the web with import generic-host by default plugin.
I want to monitor the interfaces with its utilisation of the firewall as well as the temperature .Can any one tell me if there is already a plugin for it? If yes how to use it…
If not , how to search for it and the steps to configure it.
And what changes needs to be done from the firewall point to have communication with icinga.
Kindly help.
Thanks
For plugins, if it’s not included with Icinga (and sometimes nrpe), you usually are on your own for finding plugins. There are a ton of plugins out there, keep in mind you might have better search results for “Nagios Plugins” as opposed to “Icinga Plugins”
For networking specifically, I really like the centreon plugins – they cover a wide range of network devices among other things.
For configuring a plugin you might want to check out the docs on service monitoring, but in general you’re going to want to read through the docs to get a better understanding of how to put things together.
For example, adding a check command and then actually using it usually requires multiple steps:
- define the command
- create/utilize command templates
- create/utilize service templates
- create service apply rules
- *probably some other things I cannot remember since I haven’t had enough coffee
From a firewall standpoint, Icinga will in most cases just need to be allowed to ping [the] interface(s), and be allowed to talk to the device via SNMP.
3 Likes
We use check_nwc_health - ConSol Labs to monitor f5 via SNMP and I can remember that there are firewall and temperature features in there.
1 Like
you need SNMP.
try check_snmp and the centreon plugins
you can use it to monitor the cpu/memory/temperature of network device.
2 Likes
And then do you have to mention the firewall cli credentials inside icinga to check and get the information from it ?
SNMP is then configured at firewall as well as the icinga side to communicate?
if yes,
where to configure the snmp details inside icinga?Please help
check_nwc_health ist SNMP only so no cli credentials. I would advice to configure a read only SNMP community -v 2c (performance) that only Icinga can access (white list) on the firewall.
Your command and service definition in Icinga decides how you specify the SNMP credentials in your Icinga. There are multiple ways to do it as the Icinga config is a domain specific language. If you use the director, you first add the check plugin to the file system of the node from which you want to check, then you define the check command in the director, then add fields for the check command, then create a service template that uses the check specific fields and in the and you use the service template to create the different services from your new service template to check the different metrics you want to monitor. But as your luck will have it, check_nwc_health is in the ITL so most of the work is already done for you Icinga Template Library - Icinga 2.
Hello Dominik,
Thanks for your reply,My concern here is if i use check_nw_health in icinga for taking information about interface and temperature from firewall,I dont have to configure anything from firewall side but need to provide access or credentials inside nw_health feature so that it can log in the firewall and provide the information…isnt it? how is that done?
Hello Radhika,
you install the check command and if you use the director you probably already imported it as nwc_healt’s definition gets shipped with icinga2, then you create a service template and in the end you create a service set with the services created from your template or a apply rule that creates the services depending on variables (fields) of your host object.
The credentials go into the form fields that you crated in the service template:
As you can see, I only use a subset of the possible fields (nwc_health has a lot more options) in the template to make it easier to use and you can define fields that contain credentials so that no password get shown to the user.
In my old system (without the director) I used a apply rule to generate the services from the variables defined on the host.
zones.d/global-templates/templates/nwc-pool-template.conf
template Service "nwc-pool-template" {
import "generic-service"
groups += [ "network-services" ]
vars.nwc_health_community = "community string"
}
Be careful with putting credentials into zones config because as soon as you have a cluster with agents on every server, every server has all the credentials that you put in global distributed zones
conf.d/services/snmp_nwc_pool_complections.conf:
/*
* Service apply rules.
*
* Tip: Use `icinga2 object list --type Service` to
* list all service objects after running
* configuration validation (`icinga2 daemon -C`).
*/
apply Service for (nwc_pool_complections => config in host.vars.nwc_pool_complections) {
import "nwc-pool-template"
check_command = "nwc_health"
display_name = config.display_name
check_interval = 5m
if (config.groups) {
groups = config.groups
}
if (config.check_interval) {
check_interval = config.check_interval
}
if (config.retry_interval) {
retry_interval = config.retry_interval
}
if (config.max_check_attempts) {
max_check_attempts = config.max_check_attempts
}
vars.nwc_health_mode = "pool-complections"
vars += config
}
zones.d/global-templates/templates/loadbalancer-host.conf
template Host "loadbalancer-host" {
import "linux-host"
groups = [ "network-servers", "mysql-servers" ]
vars.nwc_pool_complections["mariadb_cluster_pool"] = {
display_name = "MariaDB Cluster Loadbalancer Pool"
nwc_health_name = "/SMALL_APS_DB/MariaDB_Prod_pool"
wiki_url = "KA/MariaDB+Cluster"
}
But all of this you can find in detail in the online documentation of Icinga. I know the documentation of the director isn’t as complete but you can get training from Icinga (Netways) or one of there partners.
2 Likes