Hi,
I noticed i'm having the same issue with NRDP integration that some other people had notified here in time.
On my side, NagiosXI and NNA are working well and fine separately, and even the plugin for NNA (from NagiosXi side) works OK, giving the extra -tab when watching details of a hostname.
Issue i'm facing is the fact that Alerts created in NNA are not sent to NagiosXI through the NRDP protocol.
I made sure the token is correct, and even used the .txt file with dummy svcname and hostname sent from the CLI (with curl) from the NNA host towards the NagiosXI IP. That went well also, the dummy test svc and host names appeared in the Unconfigured Objects of NagiosXI.
What it seems to be the issue is NNA not being able to send any nrdp request toward the NagiosXI; I looked in the NagiosXI http logs and don't see even a trace of NNA trying to create hostname/service.
Is there a way I can debug this to narrow where the machanism is getting stucked?
Thanks!
NRDP integration with NagiosXI
Re: NRDP integration with NagiosXI
NNA doesn't create a host/service for it, it submits results with the host/service name you defined in NNA.
Do you see them in Admin > Unconfigured Objects on the XI server?
Is the URL you have defined on the NNA server for the NRDP URL like this:
Run this command from the NNA server and send the output:
- If your XI server is using https, change http to https
Do you see them in Admin > Unconfigured Objects on the XI server?
Is the URL you have defined on the NNA server for the NRDP URL like this:
Code: Select all
http://YOURXISERVER/nrdp/- If your XI server is using https, change http to https
Code: Select all
curl -k -L -vvv 'http://YOURXISERVER/nrdp/'Re: NRDP integration with NagiosXI
Hi,
I've tryied also (before opening the question) with an already assigned service on a hostname (the NNA hostname in XI) named like NNAAlerts, exactly the service destination name and host configured in NNA as target destination for the alerts and it did not work either.
(I remember vaguely at some point in the beginning the automatic creation of service/hostname worked from NNA to XI, but now nothing seems to be sent automatically by NNA on nrdp channel anymore)
I've used the curl command as you suggested(https) and it replied well and fully (very verbose) acknowledging there is no issue in communication between the two hosts when doing it manually.
Are there any logs NNA side I could watch to see if/why the nrdp call is triggered correctly? I double checked the NagioxXI setting NNA side to make sure they are correct?
PS. hands-on example:
1. NAgioxXI side defined a service called NNAAlerts on a hostname named WGOSS02, as a passive check. NRDP is listening on https with the right token set-up
2. NNA side defined the NagiosXI link (https://...nrdp/, correct token, etc)
3. NNA side defined the NNAAlerts/WGOSS02 association for the NagiosXI link 4. on NNA side, CLI mode, created a test.txt with the service name and hostname previously defined in XI
5. Sent the test.txt towards the XI with curl, from cli:
6. Data arrives correctly into NagiosXI GUI
So all seems fine communication wise. But when a check that I write breaches a threshold, NNA does not seem to be sending that check's output to the XI, by itself.
Help?
PS. I've put also a local command, on the NNA, a script to spit out in a log the given arguments to it (/usr/local/nagiosna/bin/cmd1.sh) and put that as trigger of the check. It does not fire on WARNING or CRITICAL either, so my bet would be a malfunction in the triggering mechanism of the NNA.
PS2. I think I'm getting somewhere. I didn't know this was logged in var/backend.log:
If that fails, the the whole notify.py fails without having a chance to reach the command section also.
Back to it, it seems is the verification of the XI certificate is the culprit here. The certificate is a valid one, properly generated (not self-signed), and it work without issue otherwise..
Both systems are off Internet access, not sure if that plays into this
I've tryied also (before opening the question) with an already assigned service on a hostname (the NNA hostname in XI) named like NNAAlerts, exactly the service destination name and host configured in NNA as target destination for the alerts and it did not work either.
(I remember vaguely at some point in the beginning the automatic creation of service/hostname worked from NNA to XI, but now nothing seems to be sent automatically by NNA on nrdp channel anymore)
I've used the curl command as you suggested(https) and it replied well and fully (very verbose) acknowledging there is no issue in communication between the two hosts when doing it manually.
Are there any logs NNA side I could watch to see if/why the nrdp call is triggered correctly? I double checked the NagioxXI setting NNA side to make sure they are correct?
PS. hands-on example:
1. NAgioxXI side defined a service called NNAAlerts on a hostname named WGOSS02, as a passive check. NRDP is listening on https with the right token set-up
2. NNA side defined the NagiosXI link (https://...nrdp/, correct token, etc)
3. NNA side defined the NNAAlerts/WGOSS02 association for the NagiosXI link 4. on NNA side, CLI mode, created a test.txt with the service name and hostname previously defined in XI
Code: Select all
<?xml version='1.0'?>
<checkresults>
<checkresult type='host'>
<hostname>WGOSS02</hostname>
<state>0</state>
<output>Everything looks okay! | perfdata=1;</output>
</checkresult>
<checkresult type='service'>
<hostname>WGOSS02</hostname>
<servicename>NNAAlerts</servicename>
<state>1</state>
<output>WARNING: Danger Will Robinson! | perfdata=1;</output>
</checkresult>
</checkresults>
Code: Select all
curl -XPOST https://wgoss01.ot.local/nrdp/ -d token=removed_token_content -d cmd=submitcheck --data-urlencode xml@test.txt -k -vHelp?
PS. I've put also a local command, on the NNA, a script to spit out in a log the given arguments to it (/usr/local/nagiosna/bin/cmd1.sh) and put that as trigger of the check. It does not fire on WARNING or CRITICAL either, so my bet would be a malfunction in the triggering mechanism of the NNA.
PS2. I think I'm getting somewhere. I didn't know this was logged in var/backend.log:
Code: Select all
2021-05-05 17:15:00 DEBUG : URL: https://wgoss01.ot.local/nrdp/
2021-05-05 17:15:00 DEBUG : Data: token=token_removed&cmd=submitcheck&XMLDATA=%3Ccheckresults%3E%3Ccheckresult+type%3D%22service%22%3E%3Chostname%3EWGOSS02%3C%2Fhostname%3E%3Cservicename%3ENNAAlerts%3C%2Fservicename%3E%3Cstate%3E2%3C%2Fstate%3E%3Coutput%3Ebytes+on+WG-Z4+with+filter+%5Bnot+dst+port+22%5D+is+133688961540+%7C+bytes%3D133688961540%3B1%3B1%3B0%3C%2Foutput%3E%3C%2Fcheckresult%3E%3C%2Fcheckresults%3E
2021-05-05 17:15:00 ERROR : Could not send to NRDP server: WGOSS02
Traceback (most recent call last):
File "/usr/local/nagiosna/bin/notify.py", line 195, in send_nrdp_notifications
post_xml_to_nrdp(nrdp, xml, token)
File "/usr/local/nagiosna/bin/notify.py", line 186, in post_xml_to_nrdp
response = urlopen(req)
File "/usr/lib64/python2.7/urllib2.py", line 154, in urlopen
return opener.open(url, data, timeout)
File "/usr/lib64/python2.7/urllib2.py", line 431, in open
response = self._open(req, data)
File "/usr/lib64/python2.7/urllib2.py", line 449, in _open
'_open', req)
File "/usr/lib64/python2.7/urllib2.py", line 409, in _call_chain
result = func(*args)
File "/usr/lib64/python2.7/urllib2.py", line 1258, in https_open
context=self._context, check_hostname=self._check_hostname)
File "/usr/lib64/python2.7/urllib2.py", line 1214, in do_open
raise URLError(err)
URLError: <urlopen error [SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed (_ssl.c:618)>
Back to it, it seems is the verification of the XI certificate is the culprit here. The certificate is a valid one, properly generated (not self-signed), and it work without issue otherwise..
Both systems are off Internet access, not sure if that plays into this
You do not have the required permissions to view the files attached to this post.
Re: NRDP integration with NagiosXI
Replying to myself ... with good news
the bundle of root certificates on the RHEl hosting the NNA didn't contain the CA (+intermediate CA) of the issuer having built the certificate of the XI...
I've extracted the ROOT and the INETERMEDIATE .cer files (encoded as base64) from a windows machine and loaded them into the NNA rhel system.. Now it seems the NRDP calls are getting correctly to the endpoint.
https://help.f-secure.com/product.html? ... -latest-en
the bundle of root certificates on the RHEl hosting the NNA didn't contain the CA (+intermediate CA) of the issuer having built the certificate of the XI...
I've extracted the ROOT and the INETERMEDIATE .cer files (encoded as base64) from a windows machine and loaded them into the NNA rhel system.. Now it seems the NRDP calls are getting correctly to the endpoint.
https://help.f-secure.com/product.html? ... -latest-en
Re: NRDP integration with NagiosXI
That's great to hear! That would be the proper method of fixing that issue.
I've submitted a feature request to development requesting they add an ignore cert option:
So everything is up and running now or do you still have any outstanding issues?
I've submitted a feature request to development requesting they add an ignore cert option:
Code: Select all
FR: NNA - Adding Nagios server for Alerting > NRDP will fail without a valid certificate when using SSL, add the option to ignore the SSL certRe: NRDP integration with NagiosXI
All is fine now.
You may lock this thread.
Thanks again!
You may lock this thread.
Thanks again!
-
scottwilkerson
- DevOps Engineer
- Posts: 19396
- Joined: Tue Nov 15, 2011 3:11 pm
- Location: Nagios Enterprises
- Contact:
Re: NRDP integration with NagiosXI
Locking threadTethiS wrote:All is fine now.
You may lock this thread.
Thanks again!