Managing multiple credential sets
We are implementing Nagios for non-critical parts of our environment for a few months to see how it stacks up against our current monitoring solution. So far, it's great. Before I try to engineer solutions to the couple of problems we have, I thought I might ask to see if/how other people are overcoming these things:
Our current solution, What's Up Gold, has a credential library. You put domain/username/password combinations in the library (they're stored encrypted, supposedly) and when you add a machine for monitoring you just choose which credential set to use. This is important to us because we're monitoring equipment across 7 Windows AD structures with very limited trust relationships in place only between a couple of them.
I know that the general way to store credentials in Nagios, Core at least, is to place $USERxx$ macros in the /etc/nagios/private/resources.cfg file, and I know I could simply create $USER3$-$USER16$, thus having multiple credentials available, but I would then have to have a separate set of check commands in place for each domain. Even if I used the same username/password in each domain, the domain prefix has to be provided...
Has anyone encountered this hurdle before and if so, how did YOU solve it?
Re: Managing multiple credential sets
I haven't had to solve this particular problem before, but here's how I would solve it:
1. Create the same username/password on all of the domains (I know we still need to solve that pesky domain prefix problem)
2. Enter that as an entry in your resources.cfg file
3. On your AD integrated hosts, create a custom macro that contains the name of the domain that host is in, i.e.
define host {
    host_name blah
    address x.x.x.x
    ...
    _DOMAINNAME domain1
}
4. Edit your command so that it looks something like $USER1$/mycommand -H blah -c dosomething -u "$_HOSTDOMAINNAME$\\$USER3$" -p $USER4$
I can't remember if that's exactly the right syntax for a custom macro but the documentation is here: http://nagios.sourceforge.net/docs/3_0/macros.html
This might work for you?
Re: Managing multiple credential sets
I do appreciate the effort, it's always nice to know that at least someone's trying to help. Unfortunately, this doesn't really change the current state overly much. It would still require me to have one set of commands for each of the Windows domains, much as I do now. For example, if this were the current state:
Code:
$USER3$=domain1/nagios.user
$USER4$=S0meP@ssword
$USER5$=domain2/nagios.user
$USER6$=S0me0therP@ass
$USER7$=domain3/nagios.user
$USER8$=Y3t@notherPass
Changing to the same user/password in each domain would simplify it slightly to this:
Code:
$USER3$=nagios.user
$USER4$=S0meP@ssword
$USER5$=Domain1
$USER6$=Domain2
$USER7$=Domain3
But would still require this:
Code:
define command {
    command_name Percent_Disk_Used_Domain1
    command_line $USER1$/check_wmi_plus.pl -H $HOSTADDRESS$ -m checkvolsize -u $USER5$/$USER3$ -p $USER4$ -a $ARG1$ -w $ARG2$ -c $ARG3$
}
define command {
    command_name Percent_Disk_Used_Domain2
    command_line $USER1$/check_wmi_plus.pl -H $HOSTADDRESS$ -m checkvolsize -u $USER6$/$USER3$ -p $USER4$ -a $ARG1$ -w $ARG2$ -c $ARG3$
}
define command {
    command_name Percent_Disk_Used_Domain3
    command_line $USER1$/check_wmi_plus.pl -H $HOSTADDRESS$ -m checkvolsize -u $USER7$/$USER3$ -p $USER4$ -a $ARG1$ -w $ARG2$ -c $ARG3$
}
Now, if I could somehow assign another parameter to a host, such as domain name, and then reference that parameter in the check command, you would be on to something solid. That way my check command could look something like this, and only require one check command.
Code:
define command {
    command_name Percent_Disk_Used
    command_line $USER1$/check_wmi_plus.pl -H $HOSTADDRESS$ -m checkvolsize -u $HOSTDOMAIN$/$USER3$ -p $USER4$ -a $ARG1$ -w $ARG2$ -c $ARG3$
}
I know everything I'm using is open source, and I'm free to modify it to add this functionality, but my knowledge of scripting isn't that strong, and I'd rather stick with something that won't break with upgrades.
Re: Managing multiple credential sets
You may want to read my post a little more carefully... trust me the answer is there
Re: Managing multiple credential sets
jsmurphy wrote: You may want to read my post a little more carefully... trust me the answer is there
And so it would seem. I do apologize, when I read your post about the custom macro I must have just assumed I knew what you meant, or I missed a keyword or something. If in fact host-based macros are doable, that would certainly resolve the issue. Thank you very much.
Re: Managing multiple credential sets
Okay, so, progress... Yes, custom variables work. There's only a minor nuance struggle left, one that would be more convenient, but certainly isn't as much of a deal-breaker as the whole situation was.
The following lines are spread across a couple of different files, but for the sake of simple presentation they're all lumped into one block here:
Code:
define host {
    name Credentials-Domain1
    register 0
    _user domain1/nagios.service
    _password $USER3$
}
define host {
    host_name test1
    address test1.domain1.local
    max_check_attempts 2
    check_interval 2
    retry_interval 1
    notification_interval 30
    notification_options d,u,r
    active_checks_enabled 1
    notifications_enabled 1
    check_command check-host-alive
    check_period 24x7
    notification_period daytime
    contact_groups +sysadmins
    use Credentials-Domain1
}
define service {
    service_description Disk_Used
    max_check_attempts 2
    check_interval 60
    retry_interval 5
    notification_interval 1440
    notification_options w,u,c,r
    active_checks_enabled 1
    notifications_enabled 1
    check_command check_used_space!.!75!90!-o 1 -3 1
    check_period 24x7
    notification_period daytime
    contact_groups +sysadmins
}
define command {
    command_name check_used_space
    command_line $USER1$/check_wmi_plus.pl -H $HOSTADDRESS$ -m checkvolsize -u $_HOSTUSER$ -p $_HOSTPASSWORD$ -a $ARG1$ -w $ARG2$ -c $ARG3$
}
Then, of course, in my resources.cfg I have $USER3$ defined as the password that matches the account specified by the host template.
Unfortunately, $USER3$ doesn't seem to expand if referenced in the custom variable $_HOSTPASSWORD$. Using it the way I have it set up now, if everything were to evaluate, would work fine, and it would allow me to have separate passwords for these accounts as well because each template would specify the username and which $USERx$ macro to use for a password (so they can be "hidden"). If I change the check command to use $USER3$ instead of $_HOSTPASSWORD$ everything works fine, so it's pretty clear where the problem lies.
Is there a way to use a user macro within a custom variable/macro like I'm trying to, or is the best I'm going to get to use the same password for all of my service accounts and consider myself fortunate?
Re: Managing multiple credential sets
You know, I've often wondered this (if you could reference a resource macro from a custom macro) but never had probable cause to actually try it out, so thanks for running that little experiment for me.
Unfortunately my bag of tricks doesn't extend that far... without being able to reference another macro, I can't see another way around it. But at least life is a little easier now
Re: Managing multiple credential sets
jsmurphy wrote: Unfortunately my bag of tricks doesn't extend that far... without being able to reference another macro, I can't see another way around it. But at least life is a little easier now
True enough, thanks much.
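
Added example, not part of the thread and not Nagios or check_wmi_plus code: since a `$USERn$` macro does not expand inside a custom variable, one workaround is to store only a credential-set name on the host and let a small wrapper plugin look up the username and password in an owner-only file. The `_credset` variable, the wrapper name `check_with_creds.py` and the `setname:user:password` file format are assumptions made for this example.

```python
# Added example. Hypothetical wiring (_credset, wrapper name, <credfile> are assumptions):
#   host:    _credset domain1
#   command: $USER1$/check_with_creds.py <credfile> $_HOSTCREDSET$ $USER1$/check_wmi_plus.pl -H $HOSTADDRESS$ ...
import os
import stat
import subprocess
import sys

UNKNOWN = 3  # Nagios plugin exit code for "check could not be run"


def load_credentials(path):
    """Parse 'setname:user:password' lines; refuse a group/world-accessible file."""
    if os.stat(path).st_mode & (stat.S_IRWXG | stat.S_IRWXO):
        raise PermissionError(f"{path} must be owner-only (chmod 600)")
    creds = {}
    with open(path, encoding="utf-8") as fh:
        for line in fh:
            line = line.rstrip("\n")
            if line and not line.startswith("#"):
                # Split on the first two colons only, so a password may contain ':'
                name, user, password = line.split(":", 2)
                creds[name] = (user, password)
    return creds


def build_command(plugin, cred_set, creds, plugin_args):
    """Return argv for the real plugin with -u/-p filled in from the chosen set."""
    if cred_set not in creds:
        raise KeyError(f"unknown credential set {cred_set}")
    user, password = creds[cred_set]
    return [plugin, *plugin_args, "-u", user, "-p", password]


def main(argv):
    if len(argv) < 4:
        print("UNKNOWN - usage: credfile credset plugin [args...]")
        return UNKNOWN
    try:
        cmd = build_command(argv[3], argv[2], load_credentials(argv[1]), argv[4:])
    except (OSError, KeyError, ValueError) as exc:
        print(f"UNKNOWN - {exc}")
        return UNKNOWN
    # argv list with no shell, so the password is never re-parsed by /bin/sh
    return subprocess.run(cmd).returncode


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

The password still reaches the real plugin as a `-p` argument, so it remains visible in the process list while the check runs, just as it does when a `$USERn$` macro is expanded into the command line.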