Hi
I am very new to nagios XI, we just sign up to trial version to explore monitoring versions. So basic tasks which are pre defined appears to be very easy and simple
Does anyone knows whether it is possible to configure Microsoft PKI monitoring for expiring certificates for SCEP and other things as well as try to monitor personal store of individual servers personal store for public certificates?
I can't seem to find out of the box option anywhere, by googling around not much coming out. Perhaps I am just unfamiliar with the nagios
Any help/advise much appreciated
Regards
Monitoring Microsoft PKI and Server Personal Store Public Ce
Re: Monitoring Microsoft PKI and Server Personal Store Publi
I don't know of an out-of-the-box solution for this, but the following plugin might fit your use case:
https://exchange.nagios.org/directory/P ... ck/details
The above plugin would live on your Windows machine and be executed via an agent like NSClient++ or NCPA. If that's all Greek to you, let me know and I can try to break it down a little better!
https://exchange.nagios.org/directory/P ... ck/details
The above plugin would live on your Windows machine and be executed via an agent like NSClient++ or NCPA. If that's all Greek to you, let me know and I can try to break it down a little better!
Former Nagios employee
https://www.mcapra.com/
https://www.mcapra.com/
Re: Monitoring Microsoft PKI and Server Personal Store Publi
I guess it is a bit worst than greek
So I've downloaded the powershell script that was designed for Nagios, found a place where to upload plug ins in Nagios
One think I am not sure about is that you saying I have to place powershell script on the server and execute it using Nagios client?
Can you explain a bit more
So I've downloaded the powershell script that was designed for Nagios, found a place where to upload plug ins in Nagios
One think I am not sure about is that you saying I have to place powershell script on the server and execute it using Nagios client?
Can you explain a bit more
Re: Monitoring Microsoft PKI and Server Personal Store Publi
There isn't really a good way for Nagios XI to remotely check the PKI store on a Windows machine. It might be something you could do over WMI, but I can pretty much guarantee that is a more complex solution.
So, since Nagios XI can't always do something convenient like SSH into the Windows machine and start asking questions, we need to leverage an agent. An agent is an application that lives on the remote machine and takes requests from the Nagios server.
Step 1 is installing an agent on the remote Windows machine. This agent will take requests from Nagios XI to check things on the remote Windows machine. NSClient++ is a pretty popular one and we have a document for getting it set up on a Windows machine:
https://assets.nagios.com/downloads/nag ... ios-XI.pdf
Once you have the agent installed, we need to tell the agent "please use the nm-check-certificate-expiration.ps1 plugin when Nagios asks for certificate information". Configuring this for NSCLient++ is slightly different between versions, but here's the documentation for 0.4.3:
https://docs.nsclient.org/0.4.3/howto/e ... ripts.html
In my NSClient 0.4.4 configuration, I have (among lots of other definitions) the following definitions in place to run specific custom plugins/scripts:
In the first example, CheckAutoNSCP is just a convenient identifier for the command I want to run. It can be named almost anything. scripts\check_winservice.exe is the short-hand path to the script/plugin this command is executing. --service nscp --startmode !auto --critical 1 are all the arguments for my command.
So great, my agent is all set up and ready to talk to the Nagios server. But how exactly do I tell Nagios to send commands to the agent? Nagios XI includes two plugins: check_nrpe and check_nt. I prefer to use check_nrpe.
Lets start by verifying that we can speak to the remote agent. The path /usr/local/nagios/libexec is where (almost) all of the Nagios monitoring plugins live. So, from that path:
Hey great! Nagios can talk to the remote machine. Lets try executing those commands I defined earlier:
Great! Our commands seem to be executing the plugins on the remote Windows machine. Now we need to configure the service checks in Nagios XI:
https://assets.nagios.com/downloads/nag ... ios-XI.pdf
For that document, you're doing everything with check_nrpe (or check_nt) as far as Nagios XI is concerned.
So, since Nagios XI can't always do something convenient like SSH into the Windows machine and start asking questions, we need to leverage an agent. An agent is an application that lives on the remote machine and takes requests from the Nagios server.
Step 1 is installing an agent on the remote Windows machine. This agent will take requests from Nagios XI to check things on the remote Windows machine. NSClient++ is a pretty popular one and we have a document for getting it set up on a Windows machine:
https://assets.nagios.com/downloads/nag ... ios-XI.pdf
Once you have the agent installed, we need to tell the agent "please use the nm-check-certificate-expiration.ps1 plugin when Nagios asks for certificate information". Configuring this for NSCLient++ is slightly different between versions, but here's the documentation for 0.4.3:
https://docs.nsclient.org/0.4.3/howto/e ... ripts.html
In my NSClient 0.4.4 configuration, I have (among lots of other definitions) the following definitions in place to run specific custom plugins/scripts:
Code: Select all
[/settings/external scripts/scripts]
CheckAutoNSCP=scripts\check_winservice.exe --service nscp --startmode !auto --critical 1
checkUPState=scripts\check_winevent.exe --log system --code "7030","7037" --type "error" --source "Service Control Manager" --verbos "Service entered unpredictable state"So great, my agent is all set up and ready to talk to the Nagios server. But how exactly do I tell Nagios to send commands to the agent? Nagios XI includes two plugins: check_nrpe and check_nt. I prefer to use check_nrpe.
Lets start by verifying that we can speak to the remote agent. The path /usr/local/nagios/libexec is where (almost) all of the Nagios monitoring plugins live. So, from that path:
Code: Select all
[root@localhost libexec]# ./check_nrpe -H 192.168.3.170
I (0.4.4.23 2016-04-05) seem to be doing fine...
Code: Select all
[root@localhost libexec]# ./check_nrpe -H 192.168.3.170 -c checkAutoNSCP
SERVICE OK - 0 service(s).|'services'=0;;1
[root@localhost libexec]# ./check_nrpe -H 192.168.3.170 -c checkUPState
Event log(s): system
Event code(s): 7030, 7037
Event type(s): error
Event sources: Service Control Manager
Time window: 3600 seconds, timestamp: 20160729150142.000000+000
Eventlog system - 0 selected events
Total number of events selected: 0
EVENT OK - 0 events|'events'=0https://assets.nagios.com/downloads/nag ... ios-XI.pdf
For that document, you're doing everything with check_nrpe (or check_nt) as far as Nagios XI is concerned.
Former Nagios employee
https://www.mcapra.com/
https://www.mcapra.com/
Re: Monitoring Microsoft PKI and Server Personal Store Publi
is there a way to monitor certificates using WMI?
Re: Monitoring Microsoft PKI and Server Personal Store Publi
As @mcapra mentioned, it might be possible, but it would definitely be more complex. Here's an article that will help with the WMI client on Linux
https://www.krenger.ch/blog/wmi-commands-from-linux/
A few articles about WMI -
https://blogs.technet.microsoft.com/hey ... computers/
https://blogs.msdn.microsoft.com/powers ... rshell-v1/
http://windowsitpro.com/scripting/use-p ... e-machines
https://www.krenger.ch/blog/wmi-commands-from-linux/
A few articles about WMI -
https://blogs.technet.microsoft.com/hey ... computers/
https://blogs.msdn.microsoft.com/powers ... rshell-v1/
http://windowsitpro.com/scripting/use-p ... e-machines
Former Nagios Employee