Monitoring remote Nagios XI server - Required ports

[mhixson2]

Hello,

I am trying to use the "Nagios XI Server" configuration wizard to setup monitoring on a new Nagios XI server in a remote datacenter. The network is very locked down but so far I've had the network engineers open TCP 80 and 5666 (for NRPE config later) between the local and remote servers, but the wizard is failing on the first screen when I enter the IP, URL, and credentials (nagiosadmin) with message "Unable to authenticate to remote Nagios XI server - Check your credentials and the remote XI server version.".

The creds are good, I can login to the remote Nagios server with them. The version is good (5.4.0). So that makes me think another port might need opened. If so, what is that port?

Thanks,
Mike

[mhixson2]

Related question:

I have this same monitoring already set up on the source server to a difference remote Nagios XI server (the network between them is not restricted). I see in the service configs that it uses a ticket for authentication. Is there a way for me to generate this ticket outside of the wizard so I can just copy and edit the existing services and have them communicate with a different remote Nagios XI server?

Thanks!

[dwasswa]

Hi @ mhixson2,Here is another forum topic related to your issue..Please see below
https://support.nagios.com/forum/viewto ... t=5698Also,

Here is some documentation that i think will be helpful...Please see below...
https://assets.nagios.com/downloads/nag ... tocols.pdf

Please let me know if you have any questions

[mhixson2]

Thank you. Those are great references and I'll definitely hang onto them, but they do not seem to cover the communication this wizard is using during initial setup.

[tgriep]

Thanks Derick Wasswa for the help.

If you enabled SSL on your remote Nagios server, you would have to have port 443 TCP open as well.

About generating the ticket outside of the wizard, you can use the Backend API URL ticket number from the remote host, copy an existing service on the Main XI server and edit the ticket number to the new remote server.
To get the ticket number, login to the remote server and click on the Admin > Manage Components menu and click on the edit icon for the Backend API URL component.
Select the user account and press the Apply Settings button.
Then on any ot the Data Types lined, you can get the ticket number and use that with the Check XI plugin.
Try that and let us know if you have any other questions.

[mhixson2]

So... I realized netstat should tell me what I want to know, so I ran the command below on the local XI server and then ran the wizard. It looks like it's calling port 80 on the remote XI server, which is indeed open, but maybe not both ways, I'm not sure. I've forwarded this to my network engineers. I think we'll get this figured out unless there are other dependencies I'm not seeing here.

Code: Select all

sudo netstat -nptc | grep [remote XI server IP]

I get several captures of the traffic below before the wizard times out.

Code: Select all

tcp        0      1 [local XI server IP]:55532         [remote XI server IP]:80            SYN_SENT    4138/httpd

If someone could answer my second question about the ticket value, that would be great.

Thanks,
Mike

[mhixson2]

Thanks tgriep!

SSL is not enabled on the remote host. I'll follow your instructions and report back. I appreciate the help.

Mike

[cdienger]

You can get user tickets and encoded passwords with:

Code: Select all

echo "select username, backend_ticket, password from xi_users" | mysql -uroot -pnagiosxi -D nagiosxi

Do you use http or https to normally log into the XI server? By default the wizard uses port 80(http) but the XI server may be setup for https(443).

This is essentially the command that is run when you try to add a XI server:

Code: Select all

curl 'http://REMOTE_XI_IP/nagiosxi//backend/?cmd=getticket&username=USERNAME&password=PASSWORD'

where USERNAME and PASSWORD can be found with the first mysql statement. I'd be curious to see what happens when you run this on the command line.

[mhixson2]

I was able to get the nagiosadmin ticket on the remote server via the backend API componenet and make a copy of the existing services on the local server and all is working well.

My network engineers only opened TCP 80 one way. Once they opened it up both ways I confirmed the wizard would have worked.

The mysql query is awesome, thanks for that.

We use HTTP for all Nagios access currently. SSL isn't setup yet on any of our XI boxes. Oddly enough, when running the curl command on the local XI server, pointing to the remote XI server, I get the error below, but like I said, the wizard works fine. Odd.

Code: Select all

<?xml version="1.0" encoding="utf-8"?>
<error>
<errormessage>Authentication Failure</errormessage>
</error>

Either way, I have a better understanding of this and gathered some new tools, and everything is working as I need it, so I'm all set. I can troubleshoot further if there are concerns about that curl command persisting to throw an auth error.

[cdienger]

Glad to hear : )