Monitoring Firewalld with NRPE

Post by CLee1972

Hello,

I know this is going to seem weird but let me explain what I am looking to do. We are using NRPE on a Remote RHEL 7.4 server and Nagios Core running on a different machine. I want to be able to monitor the Firewall Daemon but I want it to come back as 'OK' when it is disabled and Critical if it is running. I know what you are thinking, "Who the heck wants to DISABLE a firewall on their server???". The thing is, we are running in a cloud environment that has its own external security rules outside of the servers and we just want the firewalls to be wide open internally. Does anyone know of a way to do almost a reverse positive check_nrpe command and service?

Post by mcapra

CLee1972 wrote: Does anyone know of a way to do almost a reverse positive check_nrpe command and service?

The easiest way to do this would be with the negate plugin.
https://nagios-plugins.org/doc/man/negate.html

Which, essentially, inverts check statuses. OK becomes CRITICAL, CRITICAL becomes OK, that sort of stuff.

The exact implementation would depend on which plugin (that is, the one on the remote machine being called by check_nrpe) you're using to check the status of the firewalld service/process/daemon.
Former Nagios employee
https://www.mcapra.com/

Post by CLee1972

Thanks for that input mcapra. So, the way I would like to use this is via a command in nrpe.cfg. Example below:

command[check_firewall_proc]=negate -w OK -c OK -o CRITICAL /usr/local/nagios/libexec/check_procs -C firewalld

I think I may be doing this wrong or maybe I have to set the negate function on the Nagios Core server as a command? On the Nagios Core server I have just defined a service call:

define service{
    use service-service
    hostgroup_name RemoteMachine
    service_description Firewall Process
    check_command check_nrpe!check_firewall_proc
}

Post by lmiltchev

If I were you, I would modify the "check_firewall_proc" command as such:

command[check_firewall_proc]=/usr/local/nagios/libexec/negate -c OK -o CRITICAL -s /usr/local/nagios/libexec/check_procs -C firewalld -c 1:

Note: You need to have the full path to the negate plugin. You don't need the warning in the command. Reverting ok to critical and vice versa should be enough. I used "1:" as a critical threshold. This way, if check_procs finds less than one firewalld process running, it would return "CRITICAL", and the negate plugin would change it to OK.

Examples:

remote machine

service firewalld status
Redirecting to /bin/systemctl status firewalld.service
● firewalld.service - firewalld - dynamic firewall daemon
   Loaded: loaded (/usr/lib/systemd/system/firewalld.service; enabled; vendor preset: enabled)
   Active: active (running) since Fri 2018-03-16 11:35:30 CDT; 7min ago
     Docs: man:firewalld(1)
 Main PID: 8287 (firewalld)
   CGroup: /system.slice/firewalld.service
           └─8287 /usr/bin/python -Es /usr/sbin/firewalld --nofork --nopid

Mar 16 11:35:30 TEST_XI_RHEL_7 systemd[1]: Starting firewalld - dynamic firewall daemon...
Mar 16 11:35:30 TEST_XI_RHEL_7 systemd[1]: Started firewalld - dynamic firewall daemon.
Mar 16 11:35:30 TEST_XI_RHEL_7 firewalld[8287]: WARNING: ICMP type 'beyond-scope' is not supported by the kernel for ipv6.
Mar 16 11:35:30 TEST_XI_RHEL_7 firewalld[8287]: WARNING: beyond-scope: INVALID_ICMPTYPE: No supported ICMP type., ignoring for run-time.
Mar 16 11:35:30 TEST_XI_RHEL_7 firewalld[8287]: WARNING: ICMP type 'failed-policy' is not supported by the kernel for ipv6.
Mar 16 11:35:30 TEST_XI_RHEL_7 firewalld[8287]: WARNING: failed-policy: INVALID_ICMPTYPE: No supported ICMP type., ignoring for run-time.
Mar 16 11:35:30 TEST_XI_RHEL_7 firewalld[8287]: WARNING: ICMP type 'reject-route' is not supported by the kernel for ipv6.
Mar 16 11:35:30 TEST_XI_RHEL_7 firewalld[8287]: WARNING: reject-route: INVALID_ICMPTYPE: No supported ICMP type., ignoring for run-time.

nagios server

/usr/local/nagios/libexec/check_nrpe -H 192.168.18.4 -c check_firewall_proc
PROCS CRITICAL: 1 process with command name 'firewalld' | procs=1;;1:;0;

remote machine

service firewalld stop
Redirecting to /bin/systemctl stop firewalld.service
[root@TEST_XI_RHEL_7 services]# service firewalld status
Redirecting to /bin/systemctl status firewalld.service
● firewalld.service - firewalld - dynamic firewall daemon
   Loaded: loaded (/usr/lib/systemd/system/firewalld.service; enabled; vendor preset: enabled)
   Active: inactive (dead) since Fri 2018-03-16 11:45:04 CDT; 1s ago
     Docs: man:firewalld(1)
  Process: 8287 ExecStart=/usr/sbin/firewalld --nofork --nopid $FIREWALLD_ARGS (code=exited, status=0/SUCCESS)
 Main PID: 8287 (code=exited, status=0/SUCCESS)

Mar 16 11:35:30 TEST_XI_RHEL_7 systemd[1]: Starting firewalld - dynamic firewall daemon...
Mar 16 11:35:30 TEST_XI_RHEL_7 systemd[1]: Started firewalld - dynamic firewall daemon.
Mar 16 11:35:30 TEST_XI_RHEL_7 firewalld[8287]: WARNING: ICMP type 'beyond-scope' is not supported by the kernel for ipv6.
Mar 16 11:35:30 TEST_XI_RHEL_7 firewalld[8287]: WARNING: beyond-scope: INVALID_ICMPTYPE: No supported ICMP type., ignoring for run-time.
Mar 16 11:35:30 TEST_XI_RHEL_7 firewalld[8287]: WARNING: ICMP type 'failed-policy' is not supported by the kernel for ipv6.
Mar 16 11:35:30 TEST_XI_RHEL_7 firewalld[8287]: WARNING: failed-policy: INVALID_ICMPTYPE: No supported ICMP type., ignoring for run-time.
Mar 16 11:35:30 TEST_XI_RHEL_7 firewalld[8287]: WARNING: ICMP type 'reject-route' is not supported by the kernel for ipv6.
Mar 16 11:35:30 TEST_XI_RHEL_7 firewalld[8287]: WARNING: reject-route: INVALID_ICMPTYPE: No supported ICMP type., ignoring for run-time.
Mar 16 11:45:02 TEST_XI_RHEL_7 systemd[1]: Stopping firewalld - dynamic firewall daemon...
Mar 16 11:45:04 TEST_XI_RHEL_7 systemd[1]: Stopped firewalld - dynamic firewall daemon.

nagios server

/usr/local/nagios/libexec/check_nrpe -H 192.168.18.4 -c check_firewall_proc
PROCS OK: 0 processes with command name 'firewalld' | procs=0;;1:;0;
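
Added example (not part of the thread and not Nagios project code): in the second status output above, the unit is "inactive (dead)" but still "Loaded: ... enabled", so a process-count check reports OK until the next reboot starts firewalld again. The sketch below is an alternative to wrapping check_procs in negate that reports both conditions; the plugin name check_firewalld_off, the WARNING state for "stopped but enabled" and the nrpe.cfg line in the comment are assumptions.

```shell
#!/bin/sh
# check_firewalld_off: hypothetical plugin name (added example, not from the thread).
# Exit codes follow the Nagios plugin convention:
#   0 OK        firewalld is stopped and its unit is not enabled
#   1 WARNING   firewalld is stopped but still enabled (it returns on reboot)
#   2 CRITICAL  firewalld is running
#   3 UNKNOWN   systemctl gave no usable answer
SERVICE="${SERVICE:-firewalld}"

check_firewalld_off() {
    # is-active exits non-zero for a stopped unit, so only its output is used.
    active=$(systemctl is-active "$SERVICE" 2>/dev/null) || true
    enabled=$(systemctl is-enabled "$SERVICE" 2>/dev/null) || true

    case "$active" in
        active|activating|reloading|deactivating)
            echo "FIREWALLD CRITICAL: $SERVICE is $active"
            return 2 ;;
        inactive|failed|unknown)
            ;;  # not running; go on to the boot-time setting
        *)
            echo "FIREWALLD UNKNOWN: unexpected is-active output '$active'"
            return 3 ;;
    esac

    case "$enabled" in
        enabled*)
            echo "FIREWALLD WARNING: $SERVICE is $active but unit is $enabled"
            return 1 ;;
        *)
            echo "FIREWALLD OK: $SERVICE is $active, unit is ${enabled:-not reported}"
            return 0 ;;
    esac
}

# Act as a plugin only when installed under this file name, so the function
# can be sourced and exercised without touching the real service.
# Assumed nrpe.cfg entry, using the plugin directory shown in the thread:
#   command[check_firewalld_off]=/usr/local/nagios/libexec/check_firewalld_off
case "${0##*/}" in
    check_firewalld_off) check_firewalld_off; exit $? ;;
esac
```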