newvs1.nagios.com and Nagios XI

This support forum board is for support questions relating to Nagios XI, our flagship commercial network monitoring solution.
disrael
Posts: 116
Joined: Tue Jun 19, 2012 3:16 pm

newvs1.nagios.com and Nagios XI

Post by disrael »

Is there a way to disable Nagios XI from trying to communicate w/ newvs1.nagios.com?

-Doron
mguthrie
Posts: 4380
Joined: Mon Jun 14, 2010 10:21 am

Re: newvs1.nagios.com and Nagios XI

Post by mguthrie »

If you disabled the regular system update checks from the admin menu, that should prevent the outbound requests.
disrael
Posts: 116
Joined: Tue Jun 19, 2012 3:16 pm

Re: newvs1.nagios.com and Nagios XI

Post by disrael »

We disabled this option, though our FW team is still seeing requests to newvs1.nagios.com on port 80, once a minute.

Any additional suggestions?

Thanks,

Doron
vAJ
Posts: 456
Joined: Thu Nov 08, 2012 5:09 pm
Location: Austin, TX

Re: newvs1.nagios.com and Nagios XI

Post by vAJ »

Since it's non-secure HTTP, why not sniff the traffic and see what it is?
Andrew J. - Do you even grok?
scottwilkerson
DevOps Engineer
Posts: 19396
Joined: Tue Nov 15, 2011 3:11 pm
Location: Nagios Enterprises

Re: newvs1.nagios.com and Nagios XI

Post by scottwilkerson »

Do you know what URL it is trying to pull?

Another thing I can think of is that if any users have the default homepage set, it will try to pull the feeds from our server. This can be modified globally in Admin -> Manage Components -> Home Page Modification
Former Nagios employee
disrael
Posts: 116
Joined: Tue Jun 19, 2012 3:16 pm

Re: newvs1.nagios.com and Nagios XI

Post by disrael »

We are not allowed by our corporation to run a packet sniffer.

We changed the user default page, though the firewall team is still seeing Nagios trying to connect to that server every minute 24/7. With that in mind it has to be some automated process as we don't have that many people logging into Nagios. Any other suggestions?

-Doron
slansing
Posts: 7698
Joined: Mon Apr 23, 2012 4:28 pm
Location: Travelling through time and space...

Re: newvs1.nagios.com and Nagios XI

Post by slansing »

Without knowing where the data start and endpoints are, it is very difficult to search things like this out. Is it possible for you to use one of your backup XI servers, un-mount it from the network, and then run a sniffer on it? Or have the firewall team take a look at the other server and see if there is a difference? That could help narrow down the possibilities. It almost certainly has to be some sort of live, RSS-like feed sent from us to the server.
disrael
Posts: 116
Joined: Tue Jun 19, 2012 3:16 pm

Re: newvs1.nagios.com and Nagios XI

Post by disrael »

  Msg: Apr 30 09:24:02 usa7061lv981 rootsh[06a0e]: tmproot: 018: #011Msg: Apr 30 09:24:02 usa7061lv981 rootsh[06a0e]: tmproot: 080: #011Msg: Apr 30 09:24:02 usa7061lv981 rootsh[06a0e]: tmproot: 035: #011Msg: Apr 30 09:24:02 usa7061lv981 rootsh[06a0e]: tmproot: 088: #011Msg: Apr 30 09:24:02 usa7061lv981 rootsh[06a0e]: tmproot: 043: #011Msg: Apr 30 09:24:01 usa7061lv981 CROND[4556]: (nagios) CMD (/usr/bin/php -q /usr/local/nagiosxi/cron/cleaner.php > /usr/local/nagiosxi/var/cleaner.log 2>&1)
        Msg: Apr 30 09:24:02 usa7061lv981 rootsh[06a0e]: tmproot: 019: #011Msg: Apr 30 09:24:02 usa7061lv981 rootsh[06a0e]: tmproot: 074: #011Msg: Apr 30 09:24:02 usa7061lv981 rootsh[06a0e]: tmproot: 031: #011Msg: Apr 30 09:24:02 usa7061lv981 rootsh[06a0e]: tmproot: 077: #011Msg: Apr 30 09:24:02 usa7061lv981 rootsh[06a0e]: tmproot: 044: #011Msg: Apr 30 09:24:02 usa7061lv981 rootsh[06a0e]: tmproot: 027: #011Msg: Apr 30 09:22:01 usa7061lv981 rootsh[06a0e]: tmproot: 087: #011Msg: Apr 30 09:22:01 usa7061lv981 rootsh[06a0e]: tmproot: 052: #011Msg: Apr 30 09:22:01 usa7061lv981 rootsh[06a0e]: tmproot: 012: #011Msg: Apr 30 09:22:01 usa7061lv981 rootsh[06a0e]: tmproot: 062: #011Msg: Apr 30 09:22:01 usa7061lv981 rootsh[06a0e]: tmproot: 021: #011Msg: Apr 30 09:22:01 usa7061lv981 rootsh[06a0e]: tmproot: 003: #011Msg: Apr 30 09:21:01 usa7061lv981 CROND[2531]: (nagios) CMD (/usr/bin/php -q /usr/local/nagiosxi/cron/eventman.php > /usr/local/nagiosxi/var/eventman.log 2>&1)
        Msg: Apr 30 09:24:02 usa7061lv981 rootsh[06a0e]: tmproot: 020: #011Msg: Apr 30 09:24:02 usa7061lv981 rootsh[06a0e]: tmproot: 075: #011Msg: Apr 30 09:24:02 usa7061lv981 rootsh[06a0e]: tmproot: 021: #011Msg: Apr 30 09:24:02 usa7061lv981 rootsh[06a0e]: tmproot: 080: #011Msg: Apr 30 09:24:02 usa7061lv981 rootsh[06a0e]: tmproot: 047: #011Msg: Apr 30 09:24:02 usa7061lv981 rootsh[06a0e]: tmproot: 030: #011Msg: Apr 30 09:23:01 usa7061lv981 CROND[3905]: (nagios) CMD (/usr/bin/php -q /usr/local/nagiosxi/cron/sysstat.php > /usr/local/nagiosxi/var/sysstat.log 2>&1)
        Msg: Apr 30 09:24:02 usa7061lv981 rootsh[06a0e]: tmproot: 021: #011Msg: Apr 30 09:24:02 usa7061lv981 rootsh[06a0e]: tmproot: 076: #011Msg: Apr 30 09:24:02 usa7061lv981 rootsh[06a0e]: tmproot: 022: #011Msg: Apr 30 09:24:02 usa7061lv981 rootsh[06a0e]: tmproot: 081: #011Msg: Apr 30 09:24:02 usa7061lv981 rootsh[06a0e]: tmproot: 048: #011Msg: Apr 30 09:24:02 usa7061lv981 rootsh[06a0e]: tmproot: 031: #011Msg: Apr 30 09:23:01 usa7061lv981 CROND[3906]: (nagios) CMD (/usr/bin/php -q /usr/local/nagiosxi/cron/reportengine.php > /usr/local/nagiosxi/var/reportengine.log 2>&1)
        Msg: Apr 30 09:24:02 usa7061lv981 rootsh[06a0e]: tmproot: 022: #011Msg: Apr 30 09:24:02 usa7061lv981 rootsh[06a0e]: tmproot: 077: #011Msg: Apr 30 09:24:02 usa7061lv981 rootsh[06a0e]: tmproot: 032: #011Msg: Apr 30 09:24:02 usa7061lv981 rootsh[06a0e]: tmproot: 078: #011Msg: Apr 30 09:24:02 usa7061lv981 rootsh[06a0e]: tmproot: 045: #011Msg: Apr 30 09:24:02 usa7061lv981 rootsh[06a0e]: tmproot: 028: #011Msg: Apr 30 09:23:01 usa7061lv981 CROND[3903]: (nagios) CMD (/usr/bin/php -q /usr/local/nagiosxi/cron/eventman.php > /usr/local/nagiosxi/var/eventman.log 2>&1)
        Msg: Apr 30 09:24:02 usa7061lv981 rootsh[06a0e]: tmproot: 016: #011Msg: Apr 30 09:24:02 usa7061lv981 rootsh[06a0e]: tmproot: 078: #011Msg: Apr 30 09:24:02 usa7061lv981 rootsh[06a0e]: tmproot: 033: #011Msg: Apr 30 09:24:02 usa7061lv981 rootsh[06a0e]: tmproot: 086: #011Msg: Apr 30 09:24:02 usa7061lv981 rootsh[06a0e]: tmproot: 053: #011Msg: Apr 30 09:24:02 usa7061lv981 rootsh[06a0e]: tmproot: 036: #011Msg: Apr 30 09:24:01 usa7061lv981 CROND[4546]: (nagios) CMD (/usr/bin/php -q /usr/local/nagiosxi/cron/sysstat.php > /usr/local/nagiosxi/var/sysstat.log 2>&1)
        Msg: Apr 30 09:24:02 usa7061lv981 rootsh[06a0e]: tmproot: 017: #011Msg: Apr 30 09:24:02 usa7061lv981 rootsh[06a0e]: tmproot: 079: #011Msg: Apr 30 09:24:02 usa7061lv981 rootsh[06a0e]: tmproot: 034: #011Msg: Apr 30 09:24:02 usa7061lv981 rootsh[06a0e]: tmproot: 087: #011Msg: Apr 30 09:24:02 usa7061lv981 rootsh[06a0e]: tmproot: 054: #011Msg: Apr 30 09:24:02 usa7061lv981 rootsh[06a0e]: tmproot: 037: #011Msg: Apr 30 09:24:01 usa7061lv981 CROND[4547]: (nagios) CMD (/usr/bin/php -q /usr/local/nagiosxi/cron/nom.php > /usr/local/nagiosxi/var/nom.log 2>&1)

I did a tcpdump. This is my first time using it; I have used Wireshark. I did see a lot of nslookups for api.nagios.com and some other sites, though the nslookups were against our own name server.
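
Added example, not part of the original post or of Nagios XI: one way to narrow down which scheduled job lines up with the once-a-minute requests the firewall team reports, by pulling the CROND records out of a log like the one above and keeping the jobs whose run interval matches that cadence. The sample log is constructed (host name, PIDs, timings and `example_job.sh` are assumptions); a match only marks a candidate to inspect, it does not show that the job makes the request.

```python
import re
from collections import defaultdict
from datetime import datetime
from statistics import median

# One cron execution record; the rootsh records run in between are skipped.
CRON_RE = re.compile(
    r"(?P<ts>[A-Z][a-z]{2} +\d+ \d\d:\d\d:\d\d) \S+ CROND\[\d+\]: "
    r"\((?P<user>[^)]+)\) CMD \((?P<cmd>[^()]*)\)"
)

def cron_runs(log_text, year=2013):
    """Return {(user, command): [datetime, ...]} for every CROND record."""
    runs = defaultdict(list)
    for m in CRON_RE.finditer(log_text):
        # Syslog timestamps carry no year; the year is an assumption.
        when = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
        # Drop the output redirection so the key is just the command run.
        command = m["cmd"].split(">")[0].strip()
        runs[(m["user"], command)].append(when)
    return runs

def jobs_matching_cadence(log_text, cadence=60, tolerance=5):
    """Jobs whose median gap between runs is within tolerance of cadence (s)."""
    hits = []
    for key, times in cron_runs(log_text).items():
        times.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        if gaps and abs(median(gaps) - cadence) <= tolerance:
            hits.append(key)
    return sorted(hits)

# Constructed sample in the shape of the posted log (host, PIDs and timings
# are made up; example_job.sh is a hypothetical non-XI job for contrast).
XI = "/usr/bin/php -q /usr/local/nagiosxi/cron/{0}.php > /usr/local/nagiosxi/var/{0}.log 2>&1"
NOISE = "Msg: Apr 30 09:22:01 xi-host rootsh[06a0e]: tmproot: 018: #011"

def rec(ts, pid, user, cmd):
    return f"Msg: Apr 30 {ts} xi-host CROND[{pid}]: ({user}) CMD ({cmd})"

SAMPLE = NOISE.join([
    rec("09:21:01", 2531, "nagios", XI.format("sysstat")),
    rec("09:22:01", 3101, "nagios", XI.format("sysstat")),
    rec("09:23:01", 3905, "nagios", XI.format("sysstat")),
    rec("09:20:01", 2200, "root", "/usr/local/bin/example_job.sh"),
    rec("09:25:01", 4800, "root", "/usr/local/bin/example_job.sh"),
])

if __name__ == "__main__":
    for user, command in jobs_matching_cadence(SAMPLE):
        print(f"{user}: {command}")
```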
scottwilkerson
DevOps Engineer
Posts: 19396
Joined: Tue Nov 15, 2011 3:11 pm
Location: Nagios Enterprises

Re: newvs1.nagios.com and Nagios XI

Post by scottwilkerson »

I don't see anything in here that is calling out to api.nagios.com
scottwilkerson
DevOps Engineer
Posts: 19396
Joined: Tue Nov 15, 2011 3:11 pm
Location: Nagios Enterprises

Re: newvs1.nagios.com and Nagios XI

Post by scottwilkerson »

Doron,

Can you go to Admin -> License Information
Copy the key in "Your License Key:" section and PM it to me.

Also, can you run the following as root

echo "select * from xi_options where name='auto_update_check';"|psql nagiosxi nagiosxi

Thanks
Last edited by scottwilkerson on Tue Apr 30, 2013 12:36 pm, edited 2 times in total.
Reason: added psql auto_update_check