Problems creating a check with check_by_ssh

Icinga 2
1

Hello everybody,

I’m having trouble creating a service check with check_by_ssh

Under /etc/icinga2/zones.d/master/ I added a file called sshcommand.conf

The content looks like this:

object CheckCommand "by-ssh-test" {
  import "by_ssh"
  vars.by_ssh_command = "/usr/lib/nagios/plugins/check_by_shh -C $by_ssh_test_command$"
  vars.by_ssh_test_command = "/apps/test/test-shh/check.sh"
}

The service is supposed to be generated via the API, so I created a file named by_ssh.json:

{
        "attrs": {
                "check_command": "by-ssh-test",
                "display_name": "check-by-ssh-test",
                "host_name": "testname.dc.lan",
                "import": [
                        "generic-service"
                ],
                "vars": {
                        "by_ssh_logname": "testuser"
                }
        },
        "name": "testname.dc.lan!check-by-ssh-test",
        "type": "Service"
}

When calling the curl command, however, the following error message always appears:

curl -k -s -u root:icinga -H “Accept: application/json” -X PUT https://localhost:5665/v1/objects/services/testname.dc.lan\!check-by-ssh-test\?pretty=1 -d @by_shh.json

{
    "results": [
        {
            "code": 500.0,
            "errors": [
                "Error: Validation failed for object 'testname.dc.lan!check-by-ssh-test' of type 'Service'; Attribute 'check_command': Attribute must not be empty.\nLocation: in /var/lib/icinga2/api/packages/_api/localhost.mn.biz-1529512723-1/conf.d/services/testname.dc.lan!check-by-ssh-test.conf: 1:0-1:38"
            ],
            "status": "Object could not be created."
        }
    ]
}

The direct call with curl works:

/usr/lib64/nagios/plugins/check_by_ssh -H testname.dc.lan -l testuser -C “/apps/test/test-ssh/check.sh”

Result:

OK - check_by_ssh: Remote command ‘/apps/test/test-ssh/check.sh’ returned status 0

Maybe someone has a tip for me

Thanks and greetings Andy

2

Does you API user have proper permissions?

3

Yes, all rights for the Api are OK. I can also define other checks via the API (Disk Check, Memory Check, TCP Check …)

4

That’s not a valid JSON body, name and type are wrong, also import isn’t correct inside the attrs dictionary. The one below should work.

{
        "templates": [ "generic-service" ]
        "attrs": {
                "check_command": "by-ssh-test",
                "display_name": "check-by-ssh-test",
                "vars": {
                        "by_ssh_logname": "testuser"
                }
        }
}
```
1 Like
5

I have generated the service by hand, because he did not work on the API, now I just have to generate an id_rsa certificate for /home/icinga/.ssh/id_rsa because at the moment the error message appears
“Remote command execution failed: Host key verification failed.” on

6

Before using SSH via the daemon, you’ll need to connect as icinga user manually to the remote host monitored with by_ssh, and manually accept the host key verification. There’s no automated way to my knowledge.

1 Like
7

Thank you for your help,

after I changed the template under /etc/icinga2/zones.d/master/sshcommand.conf and added only the script to be executed as command (command) the check works.

1 Like
8

can you clarify for using check_by_ssh on icinga2 do i use nagios user or icinga user? I have setup nagios user ssh keys and it works when i test it via command line but when i use it in icinga check i am getting : host key verification failed message on plugin o/p.

10

It depends on your distribution e.g. Debian/Ubuntu the user is nagios. See init.conf

/**
 * This file is read by Icinga 2 before the main
 * configuration file (icinga2.conf) is processed.
 */

const RunAsUser = "nagios"
const RunAsGroup = "nagios"