Unmonitored Host

Posted: Tue Dec 20, 2011 4:52 pm
by JohnFM3
I am looking for a plugin to alert me when an Unknown Host connects to my network. There is one plugin, but it makes use of opsview, which I don't have running as it's a commercial product.

I am at the point of having to create a plugin, of which I have no Perl experience, and limited bash experience. But I know how to use nmap and can compare to Nagios Host and DHCP logs.

Does anyone have any suggestions on this?

thanks,
John

Re: Unmonitored Host

Posted: Wed Dec 21, 2011 4:16 pm
by jsmurphy
I'm afraid you may have to create your own plugin for this one; I don't believe I've ever seen a plugin that accomplishes this floating about. Probably because there's a myriad of different systems that one might use as a central authoritative repository :(

Re: Unmonitored Host

Posted: Wed Dec 21, 2011 6:20 pm
by JohnFM3
jsmurphy wrote: I'm afraid you may have to create your own plugin for this one; I don't believe I've ever seen a plugin that accomplishes this floating about. Probably because there's a myriad of different systems that one might use as a central authoritative repository :(

Sadly, I am not a corporate or enterprise environment. I am a home user trying to learn new things, and not wanting to re-invent the wheel.

I saw information about Nagios host directives being able to accept the MAC address. Is there any truth to this?

My thought now is as follows..
Currently I have a folder for client and servers in the /etc/nagios/ folder. Each folder has cfg files named as the machine in question (e.g. build.cfg). If I can use the MAC address in the address directive, I guess my intent will be to write a plugin which will get a list of MAC addresses on the network via nmap and compare that to the known MAC addresses in the cfg files.

Regarding writing plugins: does it have to be Perl, or can I write a bash script? I have no clue what I am doing at this point. Is the interface clearly documented if I want to add a link and such so that it shows up?

Thanks,
John

Re: Unmonitored Host

Posted: Thu Dec 22, 2011 6:50 pm
by jsmurphy
I have no idea if it can accept a MAC address or not... I wouldn't think so, but I've honestly never tried; I'd be very interested to know if you did get that working. I would be careful doing that though, as I daresay there are a lot of third party plugins that would not. You can however use the SuSE 'arp' command to convert any of them in the box's MAC table to hostnames/IPs ;)

Alternatively you could just script a ping for every IP in a given subnet.

The scripts can be in whatever language you prefer; in this instance there's no particular formatting you would need to be aware of... I perhaps used the terminology incorrectly. The script will be standalone; you would use it to generate the .cfg files that Nagios needs.

Re: Unmonitored Host

Posted: Fri Dec 23, 2011 10:48 am
by JohnFM3
To anyone who is reading this, I have found out that Nagios directives are by design to be generic and will accept any value. What matters is how the plugins use the directive. In the case of my question, yes, I can put the MAC address in the address directive. The fallout (or issue) is that plugins such as check_ping (I think it's called) will not work, as ping cannot make use of the MAC address. In the case of this need I have, I am going to probably write up my own solution, then write a plugin to monitor that solution.

My solution will probably include making use of LDAP and DHCP, where I store my dhcpd.lease and dhcpd.conf info in LDAP. On an OpenSuSE system, that's easy to accomplish with a check mark in dhcp server to store in LDAP (of course LDAP needs to be set up and the box hosting the dhcp service needs to be configured to use LDAP ~ both easy to do). If interested or you have ideas, please post here.

Thanks,
John

Re: Unmonitored Host

Posted: Wed Dec 28, 2011 11:15 am
by JohnFM3
In an attempt to not reinvent the wheel, I was provided a link to a plugin which may help...

check_dhcpd_leases
https://www.monitoringexchange.org/inve ... cpd_Leases

So I am going to install this plugin and see what kind of output it provides. Then see if I can make use of it in my needs.

Copied text from link...
* Shows dhcp leases assigned by ISC DHCPd
* Formatting is flexible, can show combination of Hostnames/IP/Macs
* Can Alert on leases being handed out to unauthorized machines. This can use Hostnames/Mac Addresses, in the form of Whitelists/Blacklists or any combination of these things. Combine for maximum effect. If a machine trips any of those 4 lists an alert is raised by going Critical.

Needless to say, I am stoked.

John
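
One way the comparison discussed in this thread (active DHCP leases against a list of known MAC addresses) could be scripted as a Nagios check. This is an added example, not code from any poster and not the check_dhcpd_leases plugin; it assumes the ISC dhcpd.leases block format and a hypothetical allowlist file (known_macs.txt, one MAC per line), and returns the standard Nagios plugin exit codes.

```shell
#!/bin/sh
# Added example, not code from the thread. Assumed inputs: an ISC dhcpd.leases
# file and an allowlist with one known MAC per line ('#' starts a comment).
# Print "mac ip" for each IP whose most recent lease entry is active.
active_leases() {
    awk '
        $1 == "lease" && $3 == "{"           { ip = $2; mac = ""; state = "" }
        $1 == "binding" && $2 == "state"     { state = $3; sub(/;$/, "", state) }
        $1 == "hardware" && $2 == "ethernet" { mac = tolower($3); sub(/;$/, "", mac) }
        $1 == "}" && ip != "" { cur[ip] = (state == "active") ? mac : ""; ip = "" }
        END { for (i in cur) if (cur[i] != "") print cur[i], i }
    ' "$1" | sort
}

# Print one Nagios status line; return 0 (OK), 2 (CRITICAL) or 3 (UNKNOWN).
check_unknown_macs() {
    leases=$1; allow=$2
    [ -r "$leases" ] && [ -r "$allow" ] || { echo "UNKNOWN - cannot read $leases or $allow"; return 3; }
    unknown=$(active_leases "$leases" | awk -v allow="$allow" '
        BEGIN { while ((getline line < allow) > 0) {
                    sub(/#.*/, "", line); gsub(/[ \t\r]/, "", line)
                    if (line != "") known[tolower(line)] = 1 } }
        !($1 in known) { printf "%s%s(%s)", sep, $1, $2; sep = " " }')
    if [ -n "$unknown" ]; then
        echo "CRITICAL - unknown MAC with active lease: $unknown"; return 2
    fi
    echo "OK - every active lease belongs to a known MAC"; return 0
}

# Constructed sample data: .10 is allowlisted, .20 is released, .30 is unknown.
write_sample() {
    printf '%s\n' '00:11:22:33:44:55  # build' > "$1/known_macs.txt"
    cat > "$1/dhcpd.leases" <<'EOF'
lease 192.168.1.10 {
  binding state active;
  hardware ethernet 00:11:22:33:44:55;
}
lease 192.168.1.20 {
  binding state free;
  hardware ethernet 66:77:88:99:aa:bb;
}
lease 192.168.1.30 {
  binding state active;
  hardware ethernet de:ad:be:ef:00:01;
}
EOF
}
# Plugin entry point: <script> <dhcpd.leases> <allowlist>
if [ "$#" -eq 2 ]; then check_unknown_macs "$1" "$2"; exit $?; fi
```

Hosts that configure a static address never request a lease, so a check like this only covers DHCP clients; an nmap or arp sweep, as suggested earlier in the thread, would be needed for the rest.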