How to see external command author in Nagios Event Log

[ssm_mon]

Hello,

When querying Nagios Core 4.2.4 Event Log, we see that, for some external commands, like «ACKNOWLEDGE_SVC_PROBLEM» or «SCHEDULE_HOST_SVC_DOWNTIME», the log provides the author of the command, i.e., the name of the user who executed the command.

However, for other external commands, like «DISABLE_HOST_CHECK», the log doesn't provide the author of the command.

How can this external command («DISABLE_HOST_CHECK») be configured so that Nagios Event Log provides the author of the command?

Can someone help us please?
Thanks in advance.

[mcapra]

4.4.0 has a new flag that will require a user to comment when submitting external commands via cgi.cfg:
https://github.com/NagiosEnterprises/na ... 463993c7e0

The relevant section:

* Allow more flexible requirements for comments

Fix for issues #82 and #180

A section named `COMMAND COMMENTS` has been added to the end of `cgi.cfg`.

The configuration variable name is the command name, with `CMD_` replaced
with `CMT_` (for CoMmenT). So, for example, if you want to modify the
comment requirements for the `CMD_ACKNOWLEDGE_HOST_PROBLEM`, the name in
the `cgi.cfg` file would be `CMT_ACKNOWLEDGE_HOST_PROBLEM`.

The value part has two parameters. The first is a number that determines
if a comment is required for that command:

A `0` (zero) means a comment is not allowed, and the `comment` fields
on the form will not be displayed.

A `1` (one) means that a comment is optional. The `comment` fields on
the form will be displayed, but will not be marked as `required` (i.e.
printed in red). If a comment is entered, it will be processed, but
if no comment is entered, it will not be an error.

A `2` means that a comment is required. The `comment` fields on the
form will be displayed, and will be marked as `required` (i.e.
printed in red). If a comment is entered, it will be processed, but
if no comment is entered, it will be an error.

The second parameter is optional, and separated from the `required`
parameter by a comma. Everything after the comma is considered a default
comment for that command, and will be pre-loaded into the comment field
on the form.

Here are a couple of examples of things you can do:

CMT_ACKNOWLEDGE_HOST_PROBLEM=2,This problem is being looked into by [name]
This makes comments for host problem acknowledgements required (which
is the current behavior) but additionally, pre-loads the comment field
on the form with the value `This problem is being looked into by [name]`.

CMT_SCHEDULE_SVC_CHECK=1
This makes comments for rescheduling a service check optional. The
current behavior is that a comment is required.

CMT_SCHEDULE_HOST_DOWNTIME=0
This makes comments not allowed for scheduling downtime for a host. The
comment field on the form will not be displayed, where before, it was
displayed, and a comment was required.

CMT_DISABLE_SVC_CHECK=2
Normally, comments can not be entered when you disable active checks
for a service. This makes comments required, displays the comment fields
on the form, and gives an error if a comment has not been entered.

If no `COMMAND COMMENTS` configuration values are entered in `cgi.cfg`,
the defaults are the same as the current behavior.

Nagios core currently only has comments for host or service related
commands. But comment overrides for every command can be entered in
`cgi.cfg`. That means, if you put in `CMD_DISABLE_FLAP_DETECTION=2`,
disabling flap detection system-wide will have comment fields on the
form and will require a comment. But the comment will just be thrown
away. Some non-host/service commands may or may not allow and process
comments in the future.

You could submit a GitHub issue if you'd like the option to add the current user to the comments when a command is submit. Part of the problem is that the external commands don't actually have a concept of a particular "user". It just receives commands in a pipe and runs them. The CGI that wraps the external commands file does have a concept of users, though.

[ssm_mon]

Hello mcapra,

Thanks for your reply!

We think we must clarify our request:

1. We pretend that Nagios Event Log shows the name of the user Nagios that executed the external command «DISABLE_HOST_CHECK». This name must be captured automatically by Nagios when the command is executed: so, it must not be provided by that user as a comment;

2. Our version of Nagios Core is 4.2.4 and we don't intend to update it soon to version 4.4.0, that you refer in your reply. Maybe that's why we don't find any CMD_ or CMT_ entries in our cgi.cfg.

Thanks again!

[npolovenko]

@ssm_mon, I don't think it's possible without the new comment feature. As you can see all the external script does is it inserts a new entry in /usr/local/nagios/var/rw/nagios.cmd file. There's no tracking of a username. You could add some custom logging code to your script if you wanted though.

Code: Select all

#!/bin/sh
# This is a sample shell script showing how you can submit the DISABLE_HOST_CHECK command
# to Nagios.  Adjust variables to fit your environment as necessary.

now=`date +%s`
commandfile='/usr/local/nagios/var/rw/nagios.cmd'

/bin/printf "[%lu] DISABLE_HOST_CHECK;host1\n" $now > $commandfile

[ssm_mon]

Hello npolovenko,

Thanks for your reply!

We don't understand some parts of your reply:

1. In your script, where/what is the variable for the username that executes the DISABLE_HOST_CHECK command?
2. Where are DISABLE_HOST_CHECK script and other external commands?
3. What is %lu ?

Thanks in advance!

[mcapra]

1. In your script, where/what is the variable for the username that executes the DISABLE_HOST_CHECK command?

There is none. This functionality does not exist. An external command has no concept of what a "username" is. This is why I suggested adding the username to the comment as a work-around.

You could also submit a GitHub issue to request an enhancement to Nagios Core for auditing which users executed which commands.

2. Where are DISABLE_HOST_CHECK script and other external commands?

Here are all of the available external commands:
https://old.nagios.org/developerinfo/ex ... ndlist.php

3. What is %lu ?

A parameter passed toprintf which represents and unsigned long. In the context of this script, it evaluates to the value of $now.

[ssm_mon]

Hello mcapra,

Thanks for your reply!

We are considering to submit a GitHub issue about this matter.

For now, we would like to know where are, physically speaking (directories), DISABLE_HOST_CHECK script and all the other external commands listed in the link you sent us.

Thanks again!

[npolovenko]

@ssm_mon, Here's the external command script to Disable a host check:

Code: Select all

#!/bin/sh
# This is a sample shell script showing how you can submit the DISABLE_HOST_CHECK command
# to Nagios.  Adjust variables to fit your environment as necessary.

now=`date +%s`
commandfile='/usr/local/nagios/var/rw/nagios.cmd'

/bin/printf "[%lu] DISABLE_HOST_CHECK;host1\n" $now > $commandfile

All this script does is inserts a DISABLE_HOST_CHECK;host1\n" $now line into the /usr/local/nagios/var/rw/nagios.cmd file.
So, /usr/local/nagios/var/rw/nagios.cmd is where Nagios grabs the submitted commands and processes them.
DISABLE_HOST_CHECK;host1\n" $now in our case is the external command that gets inserted to the cmd file.
Does this answer your question?

PS: It doesn't matter where you put the external command script before executing it if this is your question.

[ssm_mon]

Hello npolovenko,

Thanks for your reply!

We understand that «It doesn't matter where you put the external command script before executing».

However, external commands scripts automatically used by Nagios graphic interface are, certainly, stored somewhere: it's those locations that we would like to know.

We have already found a few external command scripts under «/usr/local/nagios/libexec/eventhandlers» directory («disable_active_service_checks» and «disable_notifications», for example).

Where are the other external commands scripts?

Thanks again!

[mcapra]

They are not scripts; They are embedded in the CGI itself:
https://github.com/NagiosEnterprises/na ... 1927-L2218

Which has a completely different method of writing to the external commands file than the sample scripts provided above.

You may notice here in the underlying cmd_submitf function that all comment data is passed with a comment author:
https://github.com/NagiosEnterprises/na ... 1914-L1919

Which goes back to my original suggestion to upgrade to 4.4.0 and force all commands to require a comment. This coupled with the lock_author_names directive in cgi.cfg seems like a reasonable strategy for enforcing auditing of command execution.