Nagios Root Privileges

[johnhok]

Hi all,

I was wondering if Nagios will need root privileges or sudo other than during the installation process? I read some where that some of the plugin do. If so, could you someone provide or help me out what command that it runs because my company policy require to list everything out plus a reason why Nagios XI or logserver would need to use root access.

Also, is there a way to modify the configuration to fit a certain file structure like /opt/app, /opt/data, /opt/logs, and /opt/tools? Because the VM I will be installing it in was built with this mounting structure and these location has all the of the space available.

Thanks,
John Hok

[avandemore]

I was wondering if Nagios will need root privileges or sudo other than during the installation process?

The answer is no depending on what you mean by need. You would need root permission to perform certain types of operations just as any application would.

I read some where that some of the plugin do. If so, could you someone provide or help me out what command that it runs because my company policy require to list everything out plus a reason why Nagios XI or logserver would need to use root access.

Yes some plugins require elevated privileges. The normal location is /usr/bin/sudo. You can find the commands a plugin will run in XI > Configure > CCM > _Commands.

Also, is there a way to modify the configuration to fit a certain file structure like /opt/app, /opt/data, /opt/logs, and /opt/tools? Because the VM I will be installing it in was built with this mounting structure and these location has all the of the space available.

That would be very difficult and out of scope of support. It is somewhat easier to accomplish with Nagios Core.

[dwhitfield]

I'd just like to add a little more detail to the correct answer you already received.

Hi all,

I was wondering if Nagios will need root privileges or sudo other than during the installation process? I read some where that some of the plugin do. If so, could you someone provide or help me out what command that it runs because my company policy require to list everything out plus a reason why Nagios XI or logserver would need to use root access.

Here's the sudoers for xi:

Code: Select all

ser_Alias      NAGIOSXI=nagios
User_Alias              NAGIOSXIWEB=apache
NAGIOSXI ALL = NOPASSWD:/etc/init.d/nagios start
NAGIOSXI ALL = NOPASSWD:/etc/init.d/nagios stop
NAGIOSXI ALL = NOPASSWD:/etc/init.d/nagios restart
NAGIOSXI ALL = NOPASSWD:/etc/init.d/nagios reload
NAGIOSXI ALL = NOPASSWD:/etc/init.d/nagios status
NAGIOSXI ALL = NOPASSWD:/etc/init.d/nagios checkconfig
NAGIOSXI ALL = NOPASSWD:/etc/init.d/ndo2db start
NAGIOSXI ALL = NOPASSWD:/etc/init.d/ndo2db stop
NAGIOSXI ALL = NOPASSWD:/etc/init.d/ndo2db restart
NAGIOSXI ALL = NOPASSWD:/etc/init.d/ndo2db reload
NAGIOSXI ALL = NOPASSWD:/etc/init.d/ndo2db status
NAGIOSXI ALL = NOPASSWD:/etc/init.d/npcd start
NAGIOSXI ALL = NOPASSWD:/etc/init.d/npcd stop
NAGIOSXI ALL = NOPASSWD:/etc/init.d/npcd restart
NAGIOSXI ALL = NOPASSWD:/etc/init.d/npcd reload
NAGIOSXI ALL = NOPASSWD:/etc/init.d/npcd status
NAGIOSXI ALL = NOPASSWD:/usr/bin/php /usr/local/nagiosxi/html/includes/components/autodiscovery/scripts/autodiscover_new.php *
NAGIOSXI ALL = NOPASSWD:/usr/local/nagiosxi/html/includes/components/profile/getprofile.sh
NAGIOSXI ALL = NOPASSWD:/usr/local/nagiosxi/scripts/upgrade_to_latest.sh
NAGIOSXI ALL = NOPASSWD:/usr/local/nagiosxi/scripts/change_timezone.sh
NAGIOSXI ALL = NOPASSWD:/usr/local/nagiosxi/scripts/manage_services.sh *
NAGIOSXI ALL = NOPASSWD:/usr/local/nagiosxi/scripts/reset_config_perms.sh
NAGIOSXIWEB ALL = NOPASSWD:/usr/bin/tail -100 /var/log/messages
NAGIOSXIWEB ALL = NOPASSWD:/usr/bin/tail -100 /var/log/httpd/error_log
NAGIOSXIWEB ALL = NOPASSWD:/usr/bin/tail -100 /var/log/mysqld.log
NAGIOSXIWEB ALL = NOPASSWD:/usr/bin/php /usr/local/nagiosxi/html/includes/components/autodiscovery/scripts/autodiscover_new.php *
NAGIOSXIWEB ALL = NOPASSWD:/usr/local/nagiosxi/html/includes/components/profile/getprofile.sh
NAGIOSXIWEB ALL = NOPASSWD:/etc/init.d/snmptt restart
NAGIOSXIWEB ALL = NOPASSWD:/usr/local/nagiosxi/scripts/repair_databases.sh
NAGIOSXIWEB ALL = NOPASSWD:/usr/local/nagiosxi/scripts/manage_services.sh *

Some plugins will require root access. There are currently 4103 plugins at https://exchange.nagios.org/directory/Plugins, so you'll need to be a little more specific in what you are going to be monitoring.

Here's the sudoers for logserver:

Code: Select all

User_Alias NAGIOSLOGSERVER=nagios
User_Alias NAGIOSLOGSERVERWEB=apache
NAGIOSLOGSERVER ALL = NOPASSWD:/etc/init.d/logstash start
NAGIOSLOGSERVER ALL = NOPASSWD:/etc/init.d/logstash stop
NAGIOSLOGSERVER ALL = NOPASSWD:/etc/init.d/logstash restart
NAGIOSLOGSERVER ALL = NOPASSWD:/etc/init.d/logstash reload
NAGIOSLOGSERVER ALL = NOPASSWD:/etc/init.d/logstash status
NAGIOSLOGSERVER ALL = NOPASSWD:/etc/init.d/elasticsearch start
NAGIOSLOGSERVER ALL = NOPASSWD:/etc/init.d/elasticsearch stop
NAGIOSLOGSERVER ALL = NOPASSWD:/etc/init.d/elasticsearch restart
NAGIOSLOGSERVER ALL = NOPASSWD:/etc/init.d/elasticsearch reload
NAGIOSLOGSERVER ALL = NOPASSWD:/etc/init.d/elasticsearch status
NAGIOSLOGSERVER ALL = NOPASSWD:/usr/local/nagioslogserver/scripts/change_timezone.sh
NAGIOSLOGSERVERWEB ALL = NOPASSWD:/etc/init.d/logstash start
NAGIOSLOGSERVERWEB ALL = NOPASSWD:/etc/init.d/logstash stop
NAGIOSLOGSERVERWEB ALL = NOPASSWD:/etc/init.d/logstash restart
NAGIOSLOGSERVERWEB ALL = NOPASSWD:/etc/init.d/logstash reload
NAGIOSLOGSERVERWEB ALL = NOPASSWD:/etc/init.d/logstash status
NAGIOSLOGSERVERWEB ALL = NOPASSWD:/etc/init.d/elasticsearch start
NAGIOSLOGSERVERWEB ALL = NOPASSWD:/etc/init.d/elasticsearch stop
NAGIOSLOGSERVERWEB ALL = NOPASSWD:/etc/init.d/elasticsearch restart
NAGIOSLOGSERVERWEB ALL = NOPASSWD:/etc/init.d/elasticsearch reload
NAGIOSLOGSERVERWEB ALL = NOPASSWD:/etc/init.d/elasticsearch status
NAGIOSLOGSERVERWEB ALL = NOPASSWD:/usr/local/nagioslogserver/scripts/get_logstash_ports.sh

Also, be aware that some systems need to run logstash as root when listening on privileged ports.

Also, is there a way to modify the configuration to fit a certain file structure like /opt/app, /opt/data, /opt/logs, and /opt/tools? Because the VM I will be installing it in was built with this mounting structure and these location has all the of the space available.

The literal answer to your question is yes. You can go in the install scripts and change things like cp ./nagiosxi/nagiosxi.init /etc/init.d/nagiosxi to whatever you like. The "real" answer to your question is *no*. If you were to try to modify the install scripts, we wouldn't be able to support the product. To say things another way, if you choose to modify things, you are on your own.

That said, we do offer consulting and custom development. If you would be interested in either, please let us know.

Please let us know if we missed anything, or if you have additional questions!

[johnhok]

Thanks @dwhitfield and @avandemore. That was very helpful.

Could I use a symbolic link... IE for /usr/local/nagioslogserver i to a /opt/apps? Will that be supported? If this is supported, could you help me out with the file structure because then I can break up the app and the data and make sure they get back up with the different mounts point. This way I have the correct symbolic links and everything that is crucial is backed up.

[dwhitfield]

As already mentioned, installing to a location other than the default location is not supported, but we will certainly try to help out if something does go awry. That being said, using symlinks is the "recommend" method. We cannot guarantee that will be problem-free.

Refer to this thread for more detail:
https://support.nagios.com/forum/viewto ... 93&start=0

Also this one:
https://support.nagios.com/forum/viewto ... =6&t=26683