Nagios Support Forum

Hi,
I created a check :
[[email protected] ~]# /usr/local/nagios/libexec/check_tomcat.pl -H xxxxxxxxxx -p 8080 -l xxxxxx -a xxxxxxx -w 25%,10% -c 10%,5%
But when I try to run It, I've got :
CRITICAL: http://xxxxxxxxxxxx:8080/manager/status?XML=true HTTP/1.1 403 Forbidden

From the server I can access Tomcat manager with the url http://localhost:8080/manager/ and using the tomcat user and password (configured in tomcat-users.xml)

Could you please help me ?

Rgds,

Frederic

you may need to put single quotes around the username and password fields if they contain special chars.

Also, can you confirm you can connect to the http://xxxxxxxxxx:8080/manager/ from a remote server (not localhost)?

Hi,
you may need to put single quotes around the username and password fields if they contain special chars.
=> No special chars, I use the same configuration (without single quote) for another check that works

From the server I can access Tomcat manager with the url http://localhost:8080/manager/ and using the tomcat user and password (configured in tomcat-users.xml)
=> Cannot run the manager from another machine
"403 Access Denied

You are not authorized to view this page.

By default the Manager is only accessible from a browser running on the same machine as Tomcat."

If you want to "whitelist" other IP addresses for the Tomcat manager, you need to do so in the manager's config (CATALINA_HOME/conf/Catalina/localhost/manager.xml):
https://www.owasp.org/index.php/Securin ... ger_WebApp

Adding the Nagios XI server's IP address in the manner described in that document should do the trick.

An alternative option -- One that uses a different plugin.

However, if you followed the instructions mentioned in the previous thread by @npolovenko:
https://community.jaspersoft.com/wiki/h ... ng-service

You should be able to use check_jmx to connect to the remote JMX server instead of going through Tomcat's manager:
https://assets.nagios.com/downloads/nag ... ios-XI.pdf

Frédéric GRANAT, Let us know whether you got this to work.

Hi,
The directory \tomcat\conf\Catalina\localhost is empty.
Maybe I should create a manager.xml file.
Anyway, I looked at a manager.xml file on another server (the check_tomcat works on it), and manager.xml is the basic file.
So the first solution seems to be not necessary.

I 'm using check_tomcat and not check_jmx so the second solution is not usefull, isn't it ?

Rgds,

Frederic.

What is the version of tomcap that you are running on the remote machine, 7, 8, 9? I have a few test VMs with tomcat installed on them, where I can try to recreate the issue, and find a workaround. Can you zip up the entire /opt/tomcat directory, and PM me (or anyone on the Nagios support team) the zip file? Remove sensitive info if needed, e.g. passwords, etc.

FYI, I just tested the "check_tomcat.pl" plugin against one of my VMs, running tomcat 9.0.2, and it seemed to work just fine:
I set up this machine some time ago. I remember I had to make some tweaks to make it work, but it's been a while, so I don't remember what I changed. Anyway, I would like to compare your configs to mine, and see if we can get this resolved. Thanks!

Hi,
What is the version of tomcap that you are running on the remote machine ?
=> Tomcat 8
Can you zip up the entire /opt/tomcat directory
=> The OS is Windows server 2012 R2, please give me the path in that context.

Rgds,

Frederic

The 403 Forbidden message is your Tomcat server telling you that it is blocking the connection and not allowing the Nagios server to connect to it.

There is probably a setting that has to be changed to allow the connections from a remote server.
So check through the Tomcat Manager to see if there is a setting that allows connections to be added beside the localhost entry.

You may have to search the server for one of these files to see if there is a setting to allow remote servers to access the Tomcat Application.
server.xml
web.xml