I have the following questions:
• Can the agent be configured to send information to the servers at Datamax without requiring that the Remote Monitoring servers have direct access to the client?
• Can the TCP/IP/UDP (whichever it uses) on the NSClient be changed?
• How can we access multiple installations of the NSClient?
• Is opening a port on the firewall to allow access to this client a security risk?
• Is the data being transferred from the client to our servers encrypted in some way as to prevent someone else from capturing the data?
o Is the data that is being transferred sensitive and confidential? If no, do we still need secure transfer?
• Can we configure a single client to allow access to monitoring of all types of systems and report this data to the server at Monitoring Site?
• Are there alternative methods to access these clients other than opening a port on the firewall?
Bruce
Configuration questions
Re: Configuration questions
> Can the agent be configured to send information to the servers at Datamax without requiring that the Remote Monitoring servers have direct access to the client?
The "agent" packages we have prepared aren't intended to be used this way, but there is another kind of setup that does exactly that (in Nagios parlance, "passive checks"), using NSCA. You'll have to do a little bit more work to configure it, but it is definitely available as an option.
> Can the TCP/IP/UDP (whichever it uses) on the NSClient be changed?
I don't know for sure, but I would think it has to be TCP so you know Nagios got the information.
> How can we access multiple installations of the NSClient?
If they have different public IP addresses, just change the address. If you mean multiple machines behind a NAT being accessed remotely, you have a few options:
1) Use a different external port for each and set up the port forwarding.
2) Use passive checks so you don't even need a port.
3) Set up one box to be checked from the outside that in turn checks all of the stuff behind the NAT, either through multiple check commands or check_multi.
4) Set up one box for the NAT and just look at that directly or with a multi-site aggregation product like Nagios Fusion.
5) I'm pretty sure I'm forgetting at least one option still - suffice it to say there are a few.
> Is opening a port on the firewall to allow access to this client a security risk?
I suppose that depends on what kind of risks you're concerned about, but in particular you can set up your firewall to only allow connections to that port FROM the address of your main Nagios box, so that should be plenty adequate to minimize that issue.
> Is the data being transferred from the client to our servers encrypted in some way as to prevent someone else from capturing the data?
Yes, NRPE uses SSL for the handshake and offers multiple configurable options for encryption algorithms.
> Is the data that is being transferred sensitive and confidential? If no, do we still need secure transfer?
In most cases, the data isn't particularly interesting, but depending on what checks you are running and what your organization considers sensitive it's certainly possible that it could contain something you don't want public. It will contain a) any arguments passed to the remote check command, and b) the result string that gets displayed in the Nagios interface. It's probably a good idea to use the encryption as long as it's there, so that if you add a command in the future with something sensitive you don't have to worry about remembering to turn it on then.
> Can we configure a single client to allow access to monitoring of all types of systems and report this data to the server at Monitoring Site?
Yes. My answer to your multiple installations question covers some of those ways, and there are also some more complicated ones beyond the scope of this reply available as well.
> Are there alternative methods to access these clients other than opening a port on the firewall?
Again, see above, with passive checks being the method that requires zero inbound ports opened and others requiring just one.
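The reply above makes two agent-side points: limit connections to the address of the main Nagios box, and remember that check arguments travel with each request. The script below is an added example, not part of the original thread, that audits a config for both. It assumes the stock NRPE daemon's `nrpe.cfg` directives `allowed_hosts` and `dont_blame_nrpe` (NSClient++ uses its own configuration file, which this does not parse); the sample config, plugin paths and addresses are constructed.

```python
import ipaddress

# Constructed sample nrpe.cfg (addresses are documentation ranges, not from the thread).
SAMPLE_CFG = """\
server_port=5666
allowed_hosts=127.0.0.1,203.0.113.10,198.51.100.0/24
dont_blame_nrpe=1
command[check_load]=/usr/lib/nagios/plugins/check_load -w 5,4,3 -c 10,8,6
command[check_disk]=/usr/lib/nagios/plugins/check_disk -w $ARG1$ -c $ARG2$ -p $ARG3$
"""

def parse_cfg(text):
    """Split nrpe.cfg-style key=value lines into (settings, commands)."""
    settings, commands = {}, {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, value = (part.strip() for part in line.split("=", 1))
        if key.startswith("command[") and key.endswith("]"):
            commands[key[len("command["):-1]] = value
        else:
            settings[key] = value
    return settings, commands

def audit(text, nagios_server):
    """Return (code, detail) findings for source restriction and argument passing."""
    settings, commands = parse_cfg(text)
    server = ipaddress.ip_address(nagios_server)
    findings = []
    hosts = [h.strip() for h in settings.get("allowed_hosts", "").split(",") if h.strip()]
    if not hosts:
        findings.append(("NO_SOURCE_LIMIT", "allowed_hosts is empty; only the firewall limits who can connect"))
    for entry in hosts:
        try:
            net = ipaddress.ip_network(entry, strict=False)
        except ValueError:
            findings.append(("HOSTNAME_ENTRY", f"{entry}: depends on DNS resolution"))
            continue
        if net.num_addresses > 1:
            findings.append(("WIDE_SOURCE", f"{entry}: {net.num_addresses} addresses allowed"))
        elif not net[0].is_loopback and net[0] != server:
            findings.append(("EXTRA_SOURCE", f"{entry}: not the Nagios server"))
    if settings.get("dont_blame_nrpe", "0") == "1":
        # Client-supplied arguments travel in the request, as the reply notes.
        takes_args = sorted(n for n, c in commands.items() if "$ARG" in c)
        findings.append(("ARGS_ENABLED", "commands taking arguments: " + ", ".join(takes_args)))
    return findings

if __name__ == "__main__":
    for code, detail in audit(SAMPLE_CFG, "203.0.113.10"):
        print(code, detail)
```

The agent-side `allowed_hosts` list complements the firewall rule described in the reply; it does not replace it.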
Re: Configuration questions
Thanks so much for the information, now I can relay to my team and see what additional steps they would like to take.
Bruce