service firewall check
Posted: Fri Jun 05, 2015 7:19 am
by m0le121
I had a problem with the check of the code below.
The code has the name firewall_check.sh on the client.
When I run firewall_check.sh on the client it works correctly (it says running or not running).
Code:
#!/bin/bash
SERVICE=firewall;
status="/etc/init.d/$SERVICE status"
if $status | grep "firewall is running"; then
    echo "Status 0 - OK : $service is running"
elif $status | grep "firewall is stopped"; then
    echo "Status 1 - Critical : $service is not running"
else
    echo "Status 2 - Information : $service is unrecognized service"
fi
At the Nagios server I run
Code:
/usr/lib64/nagios/plugins/check_nrpe -H externalip.com -c firewall_check
Code:
define command{
    command_name firewall_check
    command_line $USER1$/check_nrpe -H $HOSTADDRESS$ -c firewall_check
}
Code:
define service {
    use generic-service
    host_name externalip.com
    service_description 10telecom firewall check
    display_name 10telecom_firewall_check
    check_command 10telecom_firewall_check
    contact_groups admins
}
The output is always
firewall is stopped
Status 1 - Critical : is not running
What goes wrong?
Re: service firewall check
Posted: Fri Jun 05, 2015 9:37 am
by lmiltchev
m0le121 wrote: When I run firewall_check.sh on the client it works correctly (it says running or not running).
Do you run the check as root or as nagios user? Can you show us the actual check run as nagios from the command line, along with the output of it? Also, show us how the check is defined in the nrpe.cfg. I suspect you will need to add the command to the sudoers.
Re: service firewall check
Posted: Fri Jun 05, 2015 9:37 am
by jdalrymple
Most likely the user running the nrpe daemon doesn't have access to read the service status.
Confirm by launching the script as the user who is running nrpe.
Repair with a sudoers rule and the appropriate adjustment of your script.
sudoers rule:
Code:
nrpeuser ALL = NOPASSWD:/etc/init.d/firewall status
Adjustment to your script:
Code:
status="sudo /etc/init.d/$SERVICE status"
Re: service firewall check
Posted: Mon Jun 08, 2015 3:15 am
by m0le121
I added the code below on the Nagios client.
vi /etc/sudoers
Code:
nagios ALL=NOPASSWD:/etc/init.d/firewall status
I edited my script with the following line:
Code:
status="sudo /etc/init.d/$SERVICE status"
I added the code below on the Nagios server.
vi /etc/nagios/cgi.cfg
But if I do "su nagios" on the server...
This account is currently not available.
I have checked the commands as root.
Code:
/usr/lib64/nagios/plugins/check_nrpe -H externalip.com -c 1firewall_check
Status 2 - Information : is unrecognized service
Re: service firewall check
Posted: Mon Jun 08, 2015 9:19 am
by jdalrymple
m0le121 wrote: but if I do "su nagios" on the server...
This account is currently not available.
Running check_nrpe on the server isn't necessary, although this is because the nagios user doesn't have a valid login shell.
m0le121 wrote: I have checked the commands as root.
Code:
/usr/lib64/nagios/plugins/check_nrpe -H externalip.com -c 1firewall_check
Status 2 - Information : is unrecognized service
Why is it "1firewall_check"?
Re: service firewall check
Posted: Tue Jun 09, 2015 4:56 am
by m0le121
Sorry, I mean:
Code:
/usr/lib64/nagios/plugins/check_nrpe -H externalip.com -c firewall_check
Re: service firewall check
Posted: Tue Jun 09, 2015 10:18 am
by jdalrymple
Please change your script so that you get some usable output:
Code:
#!/bin/bash
SERVICE=firewall;
status="/etc/init.d/$SERVICE status"
if $status | grep "firewall is running"; then
    echo "Status 0 - OK : $SERVICE is running"
elif $status | grep "firewall is stopped"; then
    echo "Status 1 - Critical : $SERVICE is not running"
else
    echo "Status 2 - Information : $SERVICE is unrecognized service"
fi
Re: service firewall check
Posted: Mon Jun 15, 2015 5:27 am
by m0le121
Edit on the Nagios client
I changed the code to:
Code:
#!/bin/bash
SERVICE=firewall;
T1=$(sudo /etc/init.d/$SERVICE status)
RUNNING="$SERVICE is running"
STOPPED="$SERVICE is stopped"
UNKNOWN="$SERVICE is unknown"
if [ "$T1" = "$RUNNING" ]; then
    echo "Status 0 - OK : $RUNNING"
    exit 0
elif [ "$T1" = "$STOPPED" ]; then
    echo "Status 1 - Critical : $STOPPED"
    exit 2
else
    echo "Status 2 - Information : $UNKNOWN"
    exit 3
fi
If I run it at the client it works perfectly.
I edited /etc/sudoers
Code:
root ALL=(ALL) ALL
nagios ALL=(ALL) ALL
nagiosadmin ALL=(ALL) ALL
I edited /etc/nagios/nrpe.cfg
Code:
command[firewall_check]=/usr/lib/nagios/plugins/firewall_check.sh
Edit on the Nagios server
Edit: /etc/nagios/objects/commands.cfg
Code:
define command{
    command_name firewall_check
    command_line $USER1$/check_nrpe -H $HOSTADDRESS$ -c firewall_check
}
Edit: /etc/nagios/conf.d/SERVICE-sip.cfg
Code:
define service {
    use generic-service
    host_name externalip.com
    service_description firewall check
    display_name firewall_check
    check_command firewall_check
    contact_groups admins
}
When I run the command below from the Nagios server as root, nagios, nagiosadmin:
Code:
/usr/lib64/nagios/plugins/check_nrpe -H externalip.com -c firewall_check
the output is always:
Status 2 - Information : firewall is unknown
What did I miss?
Re: service firewall check
Posted: Mon Jun 15, 2015 10:56 am
by abrist
Add some debug to output the contents of the $T1 var in case of unknown:
Code:
#!/bin/bash
SERVICE=firewall;
T1=$(sudo /etc/init.d/$SERVICE status)
RUNNING="$SERVICE is running"
STOPPED="$SERVICE is stopped"
UNKNOWN="$SERVICE is unknown"
if [ "$T1" = "$RUNNING" ]; then
    echo "Status 0 - OK : $RUNNING"
    exit 0
elif [ "$T1" = "$STOPPED" ]; then
    echo "Status 1 - Critical : $STOPPED"
    exit 2
else
    echo "Status 2 - Information : $UNKNOWN - $T1"
    exit 3
fi
Re: service firewall check
Posted: Mon Jun 15, 2015 11:20 am
by lmiltchev
What is the EXACT output of "/etc/init.d/firewall status" when the service is/is not running?
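Added example, not part of any post in this thread: one way to write the check so that a sudo refusal or an unexpected status string is reported instead of hidden, combining the narrow sudoers rule and the debug-output suggestion from the replies above. The function names, the `--run` switch and the assumption that the init script prints "firewall is running" / "firewall is stopped" somewhere in its output are illustrative.

```shell
#!/bin/bash
# Added example, not code from the thread. Assumes sudoers holds only the
# narrow rule quoted earlier, for the account that runs the NRPE daemon:
#   nagios ALL = NOPASSWD: /etc/init.d/firewall status
SERVICE=firewall

# Map raw status text to a Nagios state. Prints the plugin line and returns
# the plugin exit code: 0 OK, 2 CRITICAL, 3 UNKNOWN.
classify_status() {
    local out="$1"
    case "$out" in
        *"$SERVICE is running"*)
            # Substring match tolerates extra words or whitespace around it.
            echo "OK - $SERVICE is running"; return 0 ;;
        *"$SERVICE is stopped"*)
            echo "CRITICAL - $SERVICE is stopped"; return 2 ;;
        *)
            # Nagios uses the first output line as the status text, so
            # flatten the raw output onto that line.
            echo "UNKNOWN - unexpected status output: $(printf '%s' "$out" | tr '\n' ' ')"
            return 3 ;;
    esac
}

run_check() {
    local out
    # -n: never prompt; if no NOPASSWD rule matches, sudo fails at once.
    # 2>&1: keep sudo's own error text so it shows up in the UNKNOWN line.
    out=$(sudo -n "/etc/init.d/$SERVICE" status 2>&1)
    classify_status "$out"
}

# Only touch the system when asked to (hypothetical switch), e.g. in nrpe.cfg:
#   command[firewall_check]=/usr/lib/nagios/plugins/firewall_check.sh --run
if [ "${1:-}" = "--run" ]; then
    run_check
    exit $?
fi
```

Because the script calls sudo itself, the sudoers entry can stay limited to the single status command rather than `ALL=(ALL) ALL`.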