Check_user Plugin usage

This support forum board is for support questions relating to Nagios XI, our flagship commercial network monitoring solution.
RIDS_I2MP
Posts: 751
Joined: Thu Mar 13, 2014 9:25 am

Check_user Plugin usage

Post by RIDS_I2MP »

We would like to understand whether the check_user module on Nagios can be used to monitor user activity.

Can you please share the detailed setup steps for the Unix and Windows platforms?

Thanks
Nitin
Thanks & Regards,
I2MP Team.
benjaminsmith
Posts: 5324
Joined: Wed Aug 22, 2018 4:39 pm
Location: saint paul

Re: Check_user Plugin usage

Post by benjaminsmith »

Hi Nitin,

Okay, so on the Linux side there is an official Nagios supporter plugin called check_users. This plugin checks the number of users currently logged in on the local system and generates an error if the number exceeds the thresholds specified.

https://nagios-plugins.org/doc/man/check_users.html

On the Windows side, I would take a look at using the Windows Counters available and set up checks via NCPA using the windowscounters API endpoint in NCPA.

https://www.nagios.org/ncpa/help.php#ap ... wscounters

Hope that helps answer your question and let me know if you need clarification on anything.

Thanks,
Benjamin
As of May 25th, 2018, all communications with Nagios Enterprises and its employees are covered under our new Privacy Policy.

Be sure to check out our Knowledgebase for helpful articles and solutions!
RIDS_I2MP
Posts: 751
Joined: Thu Mar 13, 2014 9:25 am

Re: Check_user Plugin usage

Post by RIDS_I2MP »

Hi Team,

if it can be used to monitor the user activity on Prod servers during Off business hours?

Is it possible for Linux ?

Thanks
Nitin Parate
Thanks & Regards,
I2MP Team.
benjaminsmith
Posts: 5324
Joined: Wed Aug 22, 2018 4:39 pm
Location: saint paul

Re: Check_user Plugin usage

Post by benjaminsmith »

Hi Nitin,

"if it can be used to monitor the user activity on Prod servers during Off business hours?"

Can you provide some specifics regarding user activity? What metrics do you want to run checks against?

Thanks,
Benjamin
RIDS_I2MP
Posts: 751
Joined: Thu Mar 13, 2014 9:25 am

Re: Check_user Plugin usage

Post by RIDS_I2MP »

benjaminsmith wrote:Hi Nitin,

Okay, so on the Linux side there is an official Nagios supporter plugin called check_users. This plugin checks the number of users currently logged in on the local system and generates an error if the number exceeds the thresholds specified.

https://nagios-plugins.org/doc/man/check_users.html

Thanks,
Benjamin
Hi Benjamin/Team,

This plugin can be used on a Linux/Unix machine after installing the NRPE Agent on it. But we have already installed the NCPA Agent on the Linux/Unix machines. So kindly guide us on how to use the check_users plugin for those Linux/Unix servers that are monitored via the NCPA Agent.
Thanks & Regards,
I2MP Team.
benjaminsmith
Posts: 5324
Joined: Wed Aug 22, 2018 4:39 pm
Location: saint paul

Re: Check_user Plugin usage

Post by benjaminsmith »

Hi,

So you can use plugins with NCPA as well. What you'll want to do here is compile the Nagios plugins on the server, and use the NCPA plugin API endpoint.

Instructions for Installing Nagios Plugins
https://support.nagios.com/kb/article/n ... tml#CentOS

Reference for the NCPA Plugin API
https://www.nagios.org/ncpa/help.php#ap ... es-plugins

Also, there is a directive in the ncpa.cfg file to change the plugin path.
https://www.nagios.org/ncpa/help/2.0/configuration.html

Let me know if you have more questions or need further assistance.

Benjamin
RIDS_I2MP
Posts: 751
Joined: Thu Mar 13, 2014 9:25 am

Re: Check_user Plugin usage

Post by RIDS_I2MP »

Hi Team,

We want to know exactly who is logged in to the server, that is, the username and details such as the login time. We are already using the check_users plugin to find out the number of users currently logged in.

But now we also want to find out who exactly is logged in, via Nagios XI.
Can you please suggest a solution? This is for a Linux/Unix environment where we have the NRPE Agent installed.

For Windows OS :

Please let us know how to find number of currently logged in users and also who exactly is logged in for Windows Servers as well.
Perhaps we have NSC Client installed on all Windows Hosts and there are roughly 800 hosts which we monitor via Nagios. Hence please suggest a solution on which there are no changes required to be made to NSC.ini or NSC.cfg file.
Thanks & Regards,
I2MP Team.
ssax
Dreams In Code
Posts: 7682
Joined: Wed Feb 11, 2015 12:54 pm

Re: Check_user Plugin usage

Post by ssax »

Here is an sh script plugin you can use for Unix/Linux:

https://exchange.nagios.org/directory/P ... rs/details

Here's one I found for Windows:

https://support.nagios.com/forum/viewto ... 94#p191894
RIDS_I2MP
Posts: 751
Joined: Thu Mar 13, 2014 9:25 am

Re: Check_user Plugin usage

Post by RIDS_I2MP »

Hi Team,

Kindly let us know how to use this plugin as well, and what command we should create in Nagios API to use this script-based plugin.

Also, one more thing: I found the show_users plugin for Linux, which measures the number of users and also who exactly is logged in, and based on that we can decide the warning and critical thresholds. Similar to this, can you let us know of a plugin for the Windows domain as well?

We again request you to suggest us a solution which is quick and easy as we all together monitor 1000+ hosts and modifying .cfg file is not feasible for us. Please provide us an alternative solution as well or any idea where we can fix this within much less changes.
Thanks & Regards,
I2MP Team.
ssax
Dreams In Code
Posts: 7682
Joined: Wed Feb 11, 2015 12:54 pm

Re: Check_user Plugin usage

Post by ssax »

Please follow this guide (it's the same process for windows/linux/etc):

https://support.nagios.com/kb/article/n ... a-722.html

For the Linux one, rename it to .sh before following the guide. You'll need to analyze the plugins you find in order to determine what commands you will want to use. For the check users one it has a help section that shows you how to call it and what options it supports:

[nagios@xid ~]# sh showusers.sh -h
usage: showusers.sh [--simple] [ --mandatory username ] [ --unauthorized username ] [ --whitelist username ]

returns a list of users on the local machine

   -s, --simple show users without the number of sessions
   -m username, --mandatory username
                Mandatory users. Return CRITICAL if any of these users are not
                currently logged in
   -u username, --unauthorized username
                Unauthorized users. Returns CRITICAL if any of these users are
                logged in. This can be useful if you have a policy that states
                that you may not have a root shell but must instead only use
                'sudo command'. Specifying '-u root' would alert on root having
                a session and hence catch people violating such a policy.
   -w username, --whitelist username
                Whitelist users. This is exceptionally useful. If you define
                a bunch of users here that you know you use, and suddenly
                there is a user session open for another account it could
                alert you to a compromise. If you run this check say every
                3 minutes, then any attacker has very little time to evade
                detection before this trips.

                -m,-u and -w can be specified multiple times for multiple users
                or you can use a switch a single time with a comma separated
                list.

   -V --version Print the version number and exit

Just running the plugin will show the logged-in users.

For the Windows one, put it in checkusers.ps1 under the plugins directory on the system and then call it through the API.

Both of them can be called like this:

/usr/local/nagios/libexec/check_ncpa.py ... lugin.ext'

"We again request you to suggest us a solution which is quick and easy as we all together monitor 1000+ hosts and modifying .cfg file is not feasible for us. Please provide us an alternative solution as well or any idea where we can fix this within much less changes."

None of the built-in functionality lists the users. If there isn't a built-in check for this, your only option is to find an alternative plugin.

If you would like to see that feature in NCPA, you can submit a feature request here:

https://github.com/NagiosEnterprises/ncpa/issues
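
The whitelist / unauthorized / mandatory logic described in the showusers.sh help text above, sketched as an added example (this is not the showusers.sh source and not part of the original posts). The names `in_list`, `check_sessions` and `sample_who`, the status-line wording and the session lines are assumptions constructed for illustration.

```shell
# Added example: hypothetical helper names, constructed sample data.
# in_list USER "a,b,c": succeed only on an exact match, so "nagios" does
# not pass just because "nagiosadmin" is on the list.
in_list() {
    case ",$2," in
        *",$1,"*) return 0 ;;
        *) return 1 ;;
    esac
}

# check_sessions WHITELIST UNAUTHORIZED MANDATORY (comma-separated, may be "")
# Reads `who`-style lines on stdin, prints one status line and returns the
# Nagios exit code: 0 = OK, 2 = CRITICAL.
check_sessions() {
    whitelist=$1; unauthorized=$2; mandatory=$3
    # Field 1 of each line is the login name; collapse multiple sessions.
    users=$(awk 'NF {print $1}' | sort -u)
    user_csv=$(printf '%s\n' "$users" | paste -sd, -)
    problems=""
    for u in $users; do
        if in_list "$u" "$unauthorized"; then
            problems="$problems unauthorized:$u"
        elif [ -n "$whitelist" ] && ! in_list "$u" "$whitelist"; then
            problems="$problems not-whitelisted:$u"
        fi
    done
    old_ifs=$IFS; IFS=,
    for m in $mandatory; do      # every mandatory user needs a session
        in_list "$m" "$user_csv" || problems="$problems missing:$m"
    done
    IFS=$old_ifs
    if [ -n "$problems" ]; then
        echo "USERS CRITICAL -$problems; logged in: $user_csv"
        return 2
    fi
    echo "USERS OK - logged in: $user_csv"
}

# Constructed sample of `who` output (not taken from a real host).
sample_who() {
    cat <<'EOF'
nagios   pts/0        2024-01-10 02:14 (10.0.0.5)
deploy   pts/1        2024-01-10 02:20 (10.0.0.9)
deploy   pts/2        2024-01-10 02:21 (10.0.0.9)
root     tty1         2024-01-10 02:31
EOF
}

rc=0; sample_who | check_sessions "nagios,deploy" "root" "" || rc=$?; echo "exit code: $rc"
```

On a monitored host the input would come from `who` instead of `sample_who`, and the exit code is what the agent hands back to Nagios as the service state.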