Nagios and NSCA (for Munin)

[mguthrie]

Is SElinux enabled on the Munin machine?

[gshergill]

Hi mguthrie,

How would I go about checking/enabling this please?

Thank you.

Kind Regards,

gshergill

[scottwilkerson]

run the following to check

Code: Select all

sestatus

[gshergill]

Hi guys,

Sorry for the late response, have been on holiday and just got back in.

I ran the sestatus and recieved the following;

Code: Select all

root@muninnagios:~# sestatus
The program 'sestatus' is currently not installed.  You can install it by typing:
apt-get install policycoreutils

After running apt-get install policycoreutils I re-ran the command above and received the following;

Code: Select all

root@muninnagios:~# sestatus
SELinux status:                 disabled

What exactly is SELinux used for? I'll looking online for how to enable it, but does it need to be enabled in a specific way?

Thank you.

Kind Regards,

gshergill

[gshergill]

Hi guys,

The following is the config file for SELinux (/etc/selinux/config);

# This file controls the state of SELinux on the system.
# SELINUX= can take one of these three values:
# enforcing - SELinux security policy is enforced.
# permissive - SELinux prints warnings instead of enforcing.
# disabled - No SELinux policy is loaded.
SELINUX=permissive
# SELINUXTYPE= can take one of these two values:
# default - equivalent to the old strict and targeted policies
# mls - Multi-Level Security (for military and educational use)
# src - Custom policy built from source
SELINUXTYPE=default

# SETLOCALDEFS= Check local definition changes
SETLOCALDEFS=0

Thank you again.

Kind Regards,

gshergill

[mguthrie]

Try setting:

Code: Select all

SELINUX=disabled

In the selinux config. And then running:

Code: Select all

setenforce 0

[gshergill]

Hi mguthrie,

The following is the output from the setenforce command;

Code: Select all

root@muninnagios:~# setenforce 0
setenforce: SELinux is disabled

The following is the output of the send_nsca command on the Nagios Machine to the Munin machine;

Code: Select all

[root@nagiosxi ~]# /usr/local/nagios/libexec/send_nsca -H 192.168.3.82 -c /usr/local/nagios/etc/send_nsca.cfg
Connection refused by host
Error: Could not connect to host 192.168.3.82 on port 5667

Still the same error of connection refused.

And from the Munin Machine;

Code: Select all

root@muninnagios:~# /usr/sbin/send_nsca -H localhost -c /etc/send_nsca.cfg
Connection refused by host
Error: Could not connect to host localhost on port 5667

Thanks.

Kind Regards,

gshergill

[mguthrie]

Pretty sure you're still getting blocked by the firewall. I didn't see nsca on the list of open ports. Add the following line to /etc/sysconfig/iptables and then restart the iptables service.

Code: Select all

-A INPUT -p tcp -m state --state NEW -m tcp --dport 5667 -j ACCEPT

[gshergill]

Hi mguthrie,

On the Nagios XI machine, the following is already in the iptables;

Code: Select all

#-A INPUT -m state --state NEW -m tcp -p tcp --dport 5667 -j ACCEPT

However, I added your line instead.

The Munin machine had no sysconfig folder, nor anywhere to edit the iptables.

Running the commands;

aptitude install sysconftool

Hasn't added the directory for sysconfig.

And trying to install the iptables results in the following;

root@muninnagios:~# aptitude install iptables
No packages will be installed, upgraded, or removed.
0 packages upgraded, 0 newly installed, 0 to remove and 6 not upgraded.
Need to get 0 B of archives. After unpacking 0 B will be used.

I'm guessing that's the issue? Being unable to edit the iptables on the Munin machine means there's nothing to allow the port?

Thank you.

Kind Regards,

gshergill

[scottwilkerson]

you should be able to run the following command

Code: Select all

iptables -A INPUT -p tcp -m state --state NEW -m tcp --dport 5667 -j ACCEPT