Nagios Support Forum

Hi there, I do not have a problem with NagiosXI. I am actually looking for advice about using event handlers, so any advice will be appreciated.

First, I created a simple local check command "check_local_tcpdump" where it just checks if there are any tcpdump processes running.
I also created a service which will use that command:

$USER1$/check_procs -c $ARG1$ -C $ARG2$
where:
$ARG1$ 1:
$ARG2$ tcpdump

That works fine, but basically what I want to achieve is to create an event handler that whenever there are less than 1 tcpdump process running which means the service state is CRITICAL, call the event handler and restart the tcpdump process.

Then I created an event handler named "event_handler_tcpdump" with the following command:

$USER1$/event_handler_tcpdump.sh $SERVICESTATE$

And the script:

#!/bin/bash
SERVICESTATE=$1
if [[ $SERVICESTATE == 'CRITICAL' ]]
then
echo "The state has changed to $SERVICESTATE" > /tmp/critical.txt
sudo tcpdump -i lo -w /tmp/test.pcap
exit 0
else
echo "The state has changed to $SERVICESTATE" > /tmp/ok.txt
fi

Ideally, instead of sudo tcpdump -i lo -w /tmp/test.pcap, I would just call an external script, but this is just to simplify things.

Now this apparently works. If there are no tcpdump processes running, then the event handler will restart the tcpdump process which will change the state to OK.
Since I will be using this on a remote production server, is it important that the event handler does not duplicate and create more tcpdump processes.

So, is this the right way of doing it?
Hopefully someone can help me out.
Greetings from Mexico.

As for the question "is this the right way", that really only question only the System Administrator can answer.

Just remember the state between when the check was run and the time the event handler is run can be different.

Yea, It did work but now I have another related problem. Not sure if I should make another post but I will reply here.
I am using NRPE to execute a remote script. (I already added the command and service and it works fine.)

All the script does is run tcpdump.

sudo timeout 10 tcpdump -i lo -w /path/test.pcap &

However when I use the timeout, the NRPE does not execute it. If I remove that previous line and add something simple like echo, it does work. (Just to add that the problem is somewhat related with timeout)

I am using timeout since I need to run tcpdump for a certain period of time. It could be between 1 - 86,400 seconds (24h).
Now, I could just use sleep after that line but then NRPE will be runing until the tcpdump finishes but I am not sure if that is possible for such long period of time.

Any suggestions on how to approach this? Perhaps using SSH?

Certainly ssh is one way to do it: https://assets.nagios.com/downloads/nag ... ng_SSH.pdf

https://assets.nagios.com/downloads/nag ... h_NRPE.pdf may also be of interest.

Please let us know if you have questions about either document.