Icinga2 for Linux Systems

Hi Team,

We have been using Icinga2 for Windows systems with the Icinga2 agent, NSClient & PowerShell for Windows.
Now suddenly we started adding the Linux servers… Our instances are AWS EC2 instances in private subnets & those are not integrated with Active Directory… I have installed the icinga2 agent on those boxes but no luck… Still not working with icinga2 metrics like load/memory/procs etc… Can someone help with the best way to monitor the Linux hosts? We are looking for basic infra monitoring like CPU, memory, service & procs checks etc…

Can someone please advise on this?

thanks,
Mani

Just to add here… Our Linux servers are not added to Active Directory… Those are AWS EC2 instances…

root@aws-**-02:/home/ubuntu# icinga2 node wizard
Please specify if this is an agent/satellite setup ('n' installs a master setup) [Y/n]: y
Starting the Agent/Satellite setup routine...
Please specify the common name (CN) [aws-***-02]: <Provided the private ip address> 
Please specify the parent endpoint(s) (master or satellite) where this node should connect to:
Master/Satellite Common Name (CN from your master/satellite node): <Master icinga2 server name> 
Do you want to establish a connection to the parent node from this node? [Y/n]: y
Please specify the master/satellite connection information:
Master/Satellite endpoint host (IP address or FQDN): <Provided icinga master ip> 
Master/Satellite endpoint port [5665]:
Add more master/satellite endpoints? [y/N]: n
Parent certificate information:
 Subject:     CN = <Master icinga2 server name>
 Issuer:      CN = Icinga CA
 Valid From:  Oct 29 17:27:06 2019 GMT
 Valid Until: Oct 25 17:27:06 2034 GMT
 Fingerprint: DD 6C 07 B8 B5 21 B3 89 E6 09 83 93 98 E2 87 CF 02 B1 FE 11
Is this information correct? [y/N]: y
Please specify the request ticket generated on your Icinga 2 master (optional).
 (Hint: # icinga2 pki ticket --cn '<Private Ipaddress>'):  323a53a12f62850261e2d36fecd700d2b99b21e5  -> I have run the pki ticket command with private ip on icinga master
Please specify the API bind host/port (optional):
Bind Host []:
Bind Port []:
Accept config from parent node? [y/N]: y
Accept commands from parent node? [y/N]: y
Reconfiguring Icinga...
Local zone name [<Private ip address> ]: Enter
Parent zone name [master]:
Default global zones: global-templates director-global
Do you want to specify additional global zones? [y/N]: n
Do you want to disable the inclusion of the conf.d directory [Y/n]: n
Done.

This is not working… This is working for the Linux servers which were added in Active Directory…

Can someone advise on this? Many thanks in advance

What is not Working?

Parent certificate information:
 Subject:     CN = <Master icinga2 server name>
 Issuer:      CN = Icinga CA
 Valid From:  Oct 29 17:27:06 2019 GMT
 Valid Until: Oct 25 17:27:06 2034 GMT
 Fingerprint: DD 6C 07 B8 B5 21 B3 89 E6 09 83 93 98 E2 87 CF 02 B1 FE 11

The above makes me feel that it is connecting to your satellite / master

So now have you created the host object? Have you installed plugins [yum install nagios-plugins-all -y]?

Did you create service / service template?

Anirban -> many thanks for your response… Yes, I have installed monitoring-plugins (Ubuntu)

Here is the service block…

apply Service "load" {
  import "generic-service"
  enable_notifications = false
  check_command = "load"
  command_endpoint = host.vars.client_endpoint
  assign where host.vars.client_endpoint && host.vars.os == "Linux"
}
apply Service "procs" {
  import "generic-service"
  enable_notifications = false
  check_command = "procs"
  command_endpoint = host.vars.client_endpoint
  assign where host.vars.client_endpoint && host.vars.os == "Linux" 
}

&
Host object is as shown below…

// Endpoints & Zones
object Endpoint "aws-*******-01.*********.aws" {
     host = "########"
}
object Zone "aws-*******-01.*********.aws" {
     endpoints = [ "aws-*******-01.*********.aws" ]
     parent = "master"
}

// Host Objects
object Host "aws-*******-01.*********.aws" {
    check_command = "hostalive"
    address = "########"
    vars.os="Linux"
    vars.app_type="db"
}

Here, there are a couple of things that I would like to address… This Ubuntu server is not integrated with AD & I just named it as aws--01..aws in the host file just for visibility in the icinga2 UI… moreover this server aws--01.****.aws is not pingable (just named server internally)…

& in the master UI I am still seeing the connection issues… which is as shown below…

Can you keep this default and use it while creating the object?
In Master icinga Log it should say something.

My understanding is the Certificate CN and Node Wizard CN and the Object Name should match

If you are not using the Director, every zone and endpoint object needs to be defined in zones.conf only (this change came with v2.11).

Thanks again for your response… I have tried all possibilities… & I always kept the certificate CN and Node Wizard CN the same name… &

I see the below error in icinga2 log

[2020-07-22 06:27:19 -0600] critical/ApiListener: Client TLS handshake failed (from [############]:50722): unsupported protocol

I just followed the same process for other Linux servers which are with Active Directory… never got any issues with those servers… I am only facing this for servers that are not in AD in AWS…
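
The following is an added example, not code from the thread or from the Icinga project: it groups `Client TLS handshake failed` lines from the master's log by peer and picks out the peers failing with `unsupported protocol`, the OpenSSL reason for a peer offering a TLS version the listener does not accept. The line format is the one quoted above; the sample log lines, addresses and function names are constructed for this example.

```python
import ipaddress
import re
from collections import Counter, defaultdict

LINE_RE = re.compile(
    r"^\[(?P<ts>[^\]]+)\] critical/ApiListener: Client TLS handshake failed "
    r"\(from \[(?P<peer>[^\]]+)\]:(?P<port>\d+)\): (?P<reason>.+?)\s*$")

# OpenSSL reason strings that point at a TLS version mismatch rather than at
# certificates or tickets.
VERSION_REASONS = {"unsupported protocol", "tlsv1 alert protocol version"}

def normalize_peer(peer):
    """Fold IPv4-mapped IPv6 (::ffff:a.b.c.d) into IPv4 so one agent is one key."""
    try:
        addr = ipaddress.ip_address(peer)
    except ValueError:
        return peer  # redacted or malformed address: keep it as logged
    mapped = getattr(addr, "ipv4_mapped", None)
    return str(mapped or addr)

def handshake_failures(lines):
    """Map peer -> Counter of failure reasons, ignoring unrelated log lines."""
    by_peer = defaultdict(Counter)
    for line in lines:
        m = LINE_RE.match(line.strip())
        if m:
            by_peer[normalize_peer(m["peer"])][m["reason"].lower()] += 1
    return dict(by_peer)

def version_mismatch_peers(lines):
    """Peers failing on TLS version mismatch, most frequent first."""
    hits = {p: sum(n for r, n in c.items() if r in VERSION_REASONS)
            for p, c in handshake_failures(lines).items()}
    return sorted((p for p, n in hits.items() if n), key=lambda p: (-hits[p], p))

# Constructed sample log; addresses and the agent name are placeholders.
SAMPLE_LOG = """\
[2020-07-22 06:27:19 -0600] critical/ApiListener: Client TLS handshake failed (from [10.0.1.15]:50722): unsupported protocol
[2020-07-22 06:27:29 -0600] critical/ApiListener: Client TLS handshake failed (from [::ffff:10.0.1.15]:50730): unsupported protocol
[2020-07-22 06:27:31 -0600] information/ApiListener: New client connection for identity 'agent02.example.internal' from [10.0.1.16]:40112
[2020-07-22 06:28:02 -0600] critical/ApiListener: Client TLS handshake failed (from [10.0.1.20]:41234): certificate verify failed
""".splitlines()
```

For each peer it reports, compare the output of `icinga2 --version` on that agent and on the master.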

Thanks for your response… I am not sure what it meant… Here is my zones.conf file currently…

object Endpoint "<Icinga Master Name>" {
}
object Zone "master" {
    endpoints = [ "<Icinga Master Name>" ]
}
object Zone "global-templates" {
    global = true
}
object Zone "director-global" {
    global = true
}

Do any changes need to be made to the zones.conf file? Can you please advise on this?

Yes, you need to add every zone and endpoint object for your agents.
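
One way to check the two points raised in the replies above (agent Endpoint and Zone objects present in the master's zones.conf, and named exactly like the CN given to the node wizard), as an added example that is not part of the thread or of Icinga itself. `check_agent`, the host names and the address are assumptions of this example, and the regex parser assumes flat objects like the ones posted here.

```python
import re

# `object Endpoint|Zone "<name>" { ... }`; assumes bodies without nested braces,
# which holds for the zones.conf objects shown in this thread.
OBJECT_RE = re.compile(r'object\s+(Endpoint|Zone)\s+"([^"]+)"\s*\{([^}]*)\}')

def parse_zones(conf_text):
    """Return (endpoint names, {zone: {"endpoints": [...], "parent": str or None}})."""
    endpoints, zones = set(), {}
    for kind, name, body in OBJECT_RE.findall(conf_text):
        if kind == "Endpoint":
            endpoints.add(name)
            continue
        members = re.search(r'endpoints\s*=\s*\[([^\]]*)\]', body)
        parent = re.search(r'parent\s*=\s*"([^"]+)"', body)
        zones[name] = {
            "endpoints": re.findall(r'"([^"]+)"', members.group(1)) if members else [],
            "parent": parent.group(1) if parent else None,
        }
    return endpoints, zones

def check_agent(conf_text, agent_cn, parent_zone="master"):
    """List what is missing for the master to know agent_cn as an agent endpoint."""
    endpoints, zones = parse_zones(conf_text)
    problems = []
    if agent_cn not in endpoints:
        problems.append(f'no Endpoint object named "{agent_cn}"')
    owning = [z for z, v in zones.items() if agent_cn in v["endpoints"]]
    if not owning:
        problems.append(f'no Zone lists "{agent_cn}" in its endpoints')
    for z in owning:
        if zones[z]["parent"] != parent_zone:
            problems.append(f'Zone "{z}" is not a child of "{parent_zone}"')
    return problems

# Constructed sample: host names and address are placeholders, not thread values.
MASTER_ONLY = '''
object Endpoint "master.example.internal" { }
object Zone "master" { endpoints = [ "master.example.internal" ] }
object Zone "global-templates" { global = true }
'''
WITH_AGENT = MASTER_ONLY + '''
object Endpoint "agent01.example.internal" { host = "10.0.1.15" }
object Zone "agent01.example.internal" {
    endpoints = [ "agent01.example.internal" ]
    parent = "master"
}
'''
```

Pass the CN that was typed into `icinga2 node wizard`: a CN set to the private IP fails both checks against objects named after a host name.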

Strange… I never changed the zones.conf file… I just used the same for all agent installations on remote servers… Here, I have been trying to set up the client as shown below… It always works for the servers that are in Active Directory… This is not working for servers that are not in AD (AWS EC2 Linux instances)…

root@aws-**-02:/home/ubuntu# icinga2 node wizard
    Please specify if this is an agent/satellite setup ('n' installs a master setup) [Y/n]: y
    Starting the Agent/Satellite setup routine...
    Please specify the common name (CN) [aws-***-02]: <Provided the private ip address> 
    Please specify the parent endpoint(s) (master or satellite) where this node should connect to:
    Master/Satellite Common Name (CN from your master/satellite node): <Master icinga2 server name> 
    Do you want to establish a connection to the parent node from this node? [Y/n]: y
    Please specify the master/satellite connection information:
    Master/Satellite endpoint host (IP address or FQDN): <Provided icinga master ip> 
    Master/Satellite endpoint port [5665]:
    Add more master/satellite endpoints? [y/N]: n
    Parent certificate information:
     Subject:     CN = <Master icinga2 server name>
     Issuer:      CN = Icinga CA
     Valid From:  Oct 29 17:27:06 2019 GMT
     Valid Until: Oct 25 17:27:06 2034 GMT
     Fingerprint: DD 6C 07 B8 B5 21 B3 89 E6 09 83 93 98 E2 87 CF 02 B1 FE 11
    Is this information correct? [y/N]: y
    Please specify the request ticket generated on your Icinga 2 master (optional).
     (Hint: # icinga2 pki ticket --cn '<Private Ipaddress>'):  323a53a12f62850261e2d36fecd700d2b99b21e5  -> I have run the pki ticket command with private ip on icinga master
    Please specify the API bind host/port (optional):
    Bind Host []:
    Bind Port []:
    Accept config from parent node? [y/N]: y
    Accept commands from parent node? [y/N]: y
    Reconfiguring Icinga...
    Local zone name [<Private ip address> ]: Enter
    Parent zone name [master]:
    Default global zones: global-templates director-global
    Do you want to specify additional global zones? [y/N]: n
    Do you want to disable the inclusion of the conf.d directory [Y/n]: n
    Done.

Here, I have tried both the scenarios… Under Please specify the common name (CN) [aws-***-02]:

I have tried both options, private IP address & local host name… Appropriate ticket generated as well…

Both cases are not working… I am just worrying whether any changes need to be made for servers that are not in AD…

Apologies… if this doesn’t make any sense… Any advice would be appreciated…

thanks,
mani