Using Icinga2 with NSCA

j.starosta · November 25, 2021, 3:28pm

Hello everybody,

we are preparing the migration from a Nagios Appliance to Icinga2.

The administrators of our IBM host machines (Z- and I-Systems) need to monitor their systems with NSCA.

I tried to look it up in the documentation and by googling but to no avail.

Agent Based Monitoring - Icinga 2 v2.10 references the Icinga1 doc. Google says that the feature is deprecated and might be removed in a future version.

So what options do we have and is there any documentation how to do something like this?

System information:
Version: r2.12.4-1
Platform: Ubuntu
Platform version: 20.04.3 LTS (Focal Fossa)
Kernel: Linux
Kernel version: 5.4.0-90-generic
Architecture: x86_64

Thanks and best regards, Johannes.

nicke-rejv · December 24, 2021, 9:14am

Hi Johannes,

We are using the modern nsca package named nsca-ng-server (https://nsca-ng.org/) on our fully up-to date CentOS 8 based Icinga 2 server.
On the client side (centos *) we are sending the passive checks with the centos package: nsca-ng-client.

On the icinga server side you will configure the “nsca-ng-server” as per below:

File: nsca-ng.cfg

  command_file = "/run/icinga2/cmd/icinga2.cmd"
  authorize "*" {
	password = "your password"
	#
	# The original NSCA server permits all authenticated clients to submit
	# arbitrary check results.  To get this behaviour, enable the following
	# lines:
	#
	 	hosts = ".*"
	 	services = ".*"
}

Then the simply add user nagios (nsca-ng process owner) to the icingacmd group.
Finally you might also need to enable the command feature with:
icinga2 feature enable command

As for the IBM host machines, you could try to compile nsca-ng

regards Nikolay

j.starosta · January 3, 2022, 9:29am

Hello Nikolay,

I was on vacation and just looked on this the first time since two weeks.
Thanks for the information how to use the command feature, this might be useful. Will have to test it though. There is one caveat though: According to Features - Icinga 2 the needed feature is deprecated and might be removed in the future.
Does anybode here have a schedule when this will happen?
So you might want to change your CentOS monitoring to an implementation with the Icinga2 agent (setup is quite straightforward, we use this for our Windows and Ubuntu Hosts).
And I don’t know whether NSCA can be compiled on the mainframes, we will have to check this.

Regards, Johannes.

log1c · January 3, 2022, 2:06pm

The commandpipe is currently set to be removed with v2.14 of the Icinga 2 core:

I have no experience with NSCA, put as I read the terms “send passive check result” I thought:
Can’t this be achieved with a script that sends that to the API of the Icinga 2 core?

leeclemens · January 3, 2022, 7:47pm

I could see security being a concern. Even if possible, it may be more difficult (i.e. prone to not being implemented correctly) to restrict API access properly.

log1c · January 4, 2022, 7:17am

Sure, but then again one could ask here on how to limit the possible actions of an API user to just some actions and/or host/service objects

j.starosta · January 12, 2022, 1:35pm

Security is actually not the biggest concern to be honest. Our servers don’t have direct internet access.

The main issue I see with the API solution that one would need to develop the needed functionality for sending the data from the i5 machines to Icinga2 in the first place. Which is something where we don’t have resources. Of course outsourcing might be an option but I would like to get an idea, what to expect (in terms of approaches, effort and needed manpower/budget).