Monitoring Firewalld with NRPE
Hello,
I know this is going to seem weird but let me explain what I am looking to do. We are using NRPE on a Remote RHEL 7.4 server and Nagios Core running on a different machine. I want to be able to monitor the Firewall Daemon but I want it to come back as 'OK' when it is disabled and Critical if it is running. I know what you are thinking, "Who the heck wants to DISABLE a firewall on their server???". The thing is, we are running in a cloud environment that has its own external security rules outside of the servers and we just want the firewalls to be wide open internally. Does anyone know of a way to do almost a reverse positive check_nrpe command and service?
Re: Monitoring Firewalld with NRPE
CLee1972 wrote:
> Does anyone know of a way to do almost a reverse positive check_nrpe command and service?
The easiest way to do this would be with the negate plugin.
https://nagios-plugins.org/doc/man/negate.html
Which, essentially, inverts check statuses. OK becomes CRITICAL, CRITICAL becomes OK, that sort of stuff.
The exact implementation would depend on which plugin (that is, the one on the remote machine being called by check_nrpe) you're using to check the status of the firewalld service/process/daemon.
Former Nagios employee
https://www.mcapra.com/
Re: Monitoring Firewalld with NRPE
mcapra wrote:
> CLee1972 wrote:
> > Does anyone know of a way to do almost a reverse positive check_nrpe command and service?
> The easiest way to do this would be with the negate plugin.
> https://nagios-plugins.org/doc/man/negate.html
> Which, essentially, inverts check statuses. OK becomes CRITICAL, CRITICAL becomes OK, that sort of stuff.
> The exact implementation would depend on which plugin (that is, the one on the remote machine being called by check_nrpe) you're using to check the status of the firewalld service/process/daemon.
Thanks for that input mcapra. So, the way I would like to use this is via a command in nrpe.cfg. Example below:
command[check_firewall_proc]=negate -w OK -c OK -o CRITICAL /usr/local/nagios/libexec/check_procs -C firewalld
I think I may be doing this wrong or maybe I have to set the negate function on the Nagios Core server as a command? On the Nagios Core server I have just defined a service call:
define service{
    use                  service-service
    hostgroup_name       RemoteMachine
    service_description  Firewall Process
    check_command        check_nrpe!check_firewall_proc
}
Re: Monitoring Firewalld with NRPE
If I were you, I would modify the "check_firewall_proc" command as such:
command[check_firewall_proc]=/usr/local/nagios/libexec/negate -c OK -o CRITICAL -s /usr/local/nagios/libexec/check_procs -C firewalld -c 1:
Note: You need to have the full path to the negate plugin. You don't need the warning in the command. Reverting ok to critical and vice versa should be enough. I used "1:" as a critical threshold. This way, if check_procs finds less than one firewalld process running, it would return "CRITICAL", and the negate plugin would change it to OK.
Examples:
remote machine
service firewalld status
Redirecting to /bin/systemctl status firewalld.service
● firewalld.service - firewalld - dynamic firewall daemon
Loaded: loaded (/usr/lib/systemd/system/firewalld.service; enabled; vendor preset: enabled)
Active: active (running) since Fri 2018-03-16 11:35:30 CDT; 7min ago
Docs: man:firewalld(1)
Main PID: 8287 (firewalld)
CGroup: /system.slice/firewalld.service
└─8287 /usr/bin/python -Es /usr/sbin/firewalld --nofork --nopid
Mar 16 11:35:30 TEST_XI_RHEL_7 systemd[1]: Starting firewalld - dynamic firewall daemon...
Mar 16 11:35:30 TEST_XI_RHEL_7 systemd[1]: Started firewalld - dynamic firewall daemon.
Mar 16 11:35:30 TEST_XI_RHEL_7 firewalld[8287]: WARNING: ICMP type 'beyond-scope' is not supported by the kernel for ipv6.
Mar 16 11:35:30 TEST_XI_RHEL_7 firewalld[8287]: WARNING: beyond-scope: INVALID_ICMPTYPE: No supported ICMP type., ignoring for run-time.
Mar 16 11:35:30 TEST_XI_RHEL_7 firewalld[8287]: WARNING: ICMP type 'failed-policy' is not supported by the kernel for ipv6.
Mar 16 11:35:30 TEST_XI_RHEL_7 firewalld[8287]: WARNING: failed-policy: INVALID_ICMPTYPE: No supported ICMP type., ignoring for run-time.
Mar 16 11:35:30 TEST_XI_RHEL_7 firewalld[8287]: WARNING: ICMP type 'reject-route' is not supported by the kernel for ipv6.
Mar 16 11:35:30 TEST_XI_RHEL_7 firewalld[8287]: WARNING: reject-route: INVALID_ICMPTYPE: No supported ICMP type., ignoring for run-time.
nagios server
/usr/local/nagios/libexec/check_nrpe -H 192.168.18.4 -c check_firewall_proc
PROCS CRITICAL: 1 process with command name 'firewalld' | procs=1;;1:;0;
remote machine
service firewalld stop
Redirecting to /bin/systemctl stop firewalld.service
[root@TEST_XI_RHEL_7 services]# service firewalld status
Redirecting to /bin/systemctl status firewalld.service
● firewalld.service - firewalld - dynamic firewall daemon
Loaded: loaded (/usr/lib/systemd/system/firewalld.service; enabled; vendor preset: enabled)
Active: inactive (dead) since Fri 2018-03-16 11:45:04 CDT; 1s ago
Docs: man:firewalld(1)
Process: 8287 ExecStart=/usr/sbin/firewalld --nofork --nopid $FIREWALLD_ARGS (code=exited, status=0/SUCCESS)
Main PID: 8287 (code=exited, status=0/SUCCESS)
Mar 16 11:35:30 TEST_XI_RHEL_7 systemd[1]: Starting firewalld - dynamic firewall daemon...
Mar 16 11:35:30 TEST_XI_RHEL_7 systemd[1]: Started firewalld - dynamic firewall daemon.
Mar 16 11:35:30 TEST_XI_RHEL_7 firewalld[8287]: WARNING: ICMP type 'beyond-scope' is not supported by the kernel for ipv6.
Mar 16 11:35:30 TEST_XI_RHEL_7 firewalld[8287]: WARNING: beyond-scope: INVALID_ICMPTYPE: No supported ICMP type., ignoring for run-time.
Mar 16 11:35:30 TEST_XI_RHEL_7 firewalld[8287]: WARNING: ICMP type 'failed-policy' is not supported by the kernel for ipv6.
Mar 16 11:35:30 TEST_XI_RHEL_7 firewalld[8287]: WARNING: failed-policy: INVALID_ICMPTYPE: No supported ICMP type., ignoring for run-time.
Mar 16 11:35:30 TEST_XI_RHEL_7 firewalld[8287]: WARNING: ICMP type 'reject-route' is not supported by the kernel for ipv6.
Mar 16 11:35:30 TEST_XI_RHEL_7 firewalld[8287]: WARNING: reject-route: INVALID_ICMPTYPE: No supported ICMP type., ignoring for run-time.
Mar 16 11:45:02 TEST_XI_RHEL_7 systemd[1]: Stopping firewalld - dynamic firewall daemon...
Mar 16 11:45:04 TEST_XI_RHEL_7 systemd[1]: Stopped firewalld - dynamic firewall daemon.
nagios server
/usr/local/nagios/libexec/check_nrpe -H 192.168.18.4 -c check_firewall_proc
PROCS OK: 0 processes with command name 'firewalld' | procs=0;;1:;0;
Be sure to check out our Knowledgebase for helpful articles and solutions!
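An added example, not code from any poster in this thread: the status output above still shows the unit as "enabled" after `service firewalld stop`, which a process-count check cannot see, so this sketch of a standalone NRPE plugin goes beyond the negate approach and also reports whether firewalld would return at the next boot. The function name `evaluate`, the `--run` argument and the status wording are assumptions made for illustration; treating a `failed` unit the same as a stopped one is also an assumption.

```shell
#!/bin/sh
# Added example (not from the thread): report OK only when firewalld is
# stopped AND will not start again at boot.
# Nagios plugin exit codes: 0 OK, 1 WARNING, 2 CRITICAL, 3 UNKNOWN.

UNIT=firewalld   # unit name taken from the thread

# evaluate ACTIVE ENABLED
#   ACTIVE  = output of `systemctl is-active  $UNIT`
#   ENABLED = output of `systemctl is-enabled $UNIT`
# Prints one status line and returns the Nagios exit code.
evaluate() {
    active=$1
    enabled=$2
    case "$active" in
        active|activating|reloading)
            echo "FIREWALL CRITICAL: $UNIT is $active"
            return 2 ;;
        inactive|failed)
            ;;  # not running; fall through to the boot-time check
        *)
            # Never turn an unreadable state into OK.
            echo "FIREWALL UNKNOWN: unexpected is-active state '$active'"
            return 3 ;;
    esac
    case "$enabled" in
        disabled|masked|masked-runtime)
            echo "FIREWALL OK: $UNIT is $active and $enabled"
            return 0 ;;
        enabled|enabled-runtime)
            echo "FIREWALL WARNING: $UNIT is $active but $enabled, it will start at next boot"
            return 1 ;;
        *)
            echo "FIREWALL UNKNOWN: unexpected is-enabled state '$enabled'"
            return 3 ;;
    esac
}

# Query systemd only when explicitly asked, so the file can be sourced safely.
if [ "${1:-}" = "--run" ]; then
    a=$(systemctl is-active "$UNIT" 2>/dev/null)
    e=$(systemctl is-enabled "$UNIT" 2>/dev/null)
    evaluate "${a:-unavailable}" "${e:-unavailable}"
    exit $?
fi
```

Saved under a name of your choosing in the plugin directory (for instance a hypothetical /usr/local/nagios/libexec/check_firewalld_off.sh), it would be referenced from nrpe.cfg with the `--run` argument in place of the negate command line.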