check_xi_mysql_health does not support SSL

Posted: Wed May 23, 2018 10:23 am
by Tonysnorek
My organization recently made a change to force all connections to our AWS RDS instances to use SSL. Unfortunately, I am now having problems with around 32 of my service alarms failing because the check_xi_mysql_health command does not support SSL.

It was recommended to use the check_mysql plugin because it does support SSL; however, the check_mysql plugin does not support the types of service alarms that we are looking for, which are as follows:

MySQL Connection Time
MySQL InnoDB Buffer Pool Hit Rate
MySQL InnoDB Log Waits
MySQL Long Running Processes
MySQL Open Connections
MySQL Slow Queries
MySQL Table Cache Hit Rate
MySQL Thread Cache Hit Rate

Is there anyone out there that can recommend a way to fix this?

Re: check_xi_mysql_health does not support SSL

Posted: Wed May 23, 2018 11:54 am
by mcapra
Interestingly, the latest version of check_mysql_health still doesn't support SSL yet.

If you're open to executing these checks via NRPE, it looks as though you should be able to leverage the --mycnf argument to pass in a special client configuration (with your client pems, for example). I suggest NRPE because apparently the --mycnf argument forces localhost as the target. This is all just based on some light reading and is not something I've tested.

https://exchange.nagios.org/directory/M ... th/details

Re: check_xi_mysql_health does not support SSL

Posted: Wed May 23, 2018 12:47 pm
by Tonysnorek
Thanks for the suggestion. I am not sure if NRPE will work here; I do not have access to the host of the database because they are AWS RDS hosted instances. I will have to take a look into the possibility of doing that with RDS though.

Re: check_xi_mysql_health does not support SSL

Posted: Thu May 24, 2018 11:22 am
by kyang
Thanks @mcapra!

Let us know if you have any more questions.

Re: check_xi_mysql_health does not support SSL

Posted: Tue Jun 12, 2018 8:18 am
by Tonysnorek
Unfortunately I am not able to access the host, so NRPE isn't going to work in this case. Does anyone else out there have a potential solution for this? Can anyone from Nagios tell me when/if the check_mysql_health command is going to support SSL? It seems silly that it doesn't, given the current state of cyber security.

Re: check_xi_mysql_health does not support SSL

Posted: Tue Jun 12, 2018 2:38 pm
by scottwilkerson
Not sure when they will add that in... I do know that /usr/local/nagios/libexec/check_mysql supports SSL, but I realize that it may not offer the same checks you are looking for.

Code:

# /usr/local/nagios/libexec/check_mysql -h
check_mysql v2.2.1 (nagios-plugins 2.2.1)
Copyright (c) 1999-2014 Nagios Plugin Development Team
        <[email protected]>

This program tests connections to a MySQL server


Usage:
 check_mysql [-d database] [-H host] [-P port] [-s socket]
       [-u user] [-p password] [-S] [-l] [-a cert] [-k key]
       [-C ca-cert] [-D ca-dir] [-L ciphers] [-f optfile] [-g group]

Options:
 -h, --help
    Print detailed help screen
 -V, --version
    Print version information
 --extra-opts=[section][@file]
    Read options from an ini file. See
    https://www.nagios-plugins.org/doc/extra-opts.html
    for usage and examples.
 -H, --hostname=ADDRESS
    Host name, IP Address, or unix socket (must be an absolute path)
 -P, --port=INTEGER
    Port number (default: 3306)
 -n, --ignore-auth
    Ignore authentication failure and check for mysql connectivity only
 -s, --socket=STRING
    Use the specified socket (has no effect if -H is used)
 -d, --database=STRING
    Check database with indicated name
 -f, --file=STRING
    Read from the specified client options file
 -g, --group=STRING
    Use a client options group
 -u, --username=STRING
    Connect using the indicated username
 -p, --password=STRING
    Use the indicated password to authenticate the connection
    ==> IMPORTANT: THIS FORM OF AUTHENTICATION IS NOT SECURE!!! <==
    Your clear-text password could be visible as a process table entry
 -S, --check-slave
    Check if the slave thread is running properly.
 -w, --warning
    Exit with WARNING status if slave server is more than INTEGER seconds
    behind master
 -c, --critical
    Exit with CRITICAL status if slave server is more then INTEGER seconds
    behind master
 -l, --ssl
    Use ssl encryptation
 -C, --ca-cert=STRING
    Path to CA signing the cert
 -a, --cert=STRING
    Path to SSL certificate
 -k, --key=STRING
    Path to private SSL key
 -D, --ca-dir=STRING
    Path to CA directory
 -L, --ciphers=STRING
    List of valid SSL ciphers

 There are no required arguments. By default, the local database is checked
 using the default unix socket. You can force TCP on localhost by using an
 IP address or FQDN ('localhost' will use the socket as well).

Notes:
 You must specify -p with an empty string to force an empty password,
 overriding any my.cnf settings.

Send email to [email protected] if you have questions regarding use
of this software. To submit patches or suggest improvements, send email to
[email protected]

Re: check_xi_mysql_health does not support SSL

Posted: Wed Jun 13, 2018 7:55 am
by Tonysnorek
Thanks for the reply, Scott. Unfortunately check_mysql doesn't accomplish what we are looking for either, since these are mainly performance-related alarms like table cache hit rate, CPU usage, memory usage, active connections, etc.

Re: check_xi_mysql_health does not support SSL

Posted: Wed Jun 13, 2018 4:39 pm
by scottwilkerson
I don't have the setup to be able to test this, but I did find this workaround
https://uname.pingveno.net/blog/index.p ... sql_health

Re: check_xi_mysql_health does not support SSL

Posted: Thu Jun 14, 2018 10:34 am
by Tonysnorek
Thanks for the reply here once again, Scott. The paths in that article are a little out of date, but I was able to find the file in question for the plugin. Unfortunately, at this point I do not believe we are able to obtain the SSL certificates in question, as they are also managed on the RDS side and we have no access to the local file system of the RDS server.

Re: check_xi_mysql_health does not support SSL

Posted: Thu Jun 14, 2018 11:32 am
by scottwilkerson
Tonysnorek wrote: Thanks for the reply here once again, Scott. The paths in that article are a little out of date, but I was able to find the file in question for the plugin. Unfortunately, at this point I do not believe we are able to obtain the SSL certificates in question, as they are also managed on the RDS side and we have no access to the local file system of the RDS server.
Hmm, I'm not sure there really is going to be any solution if you can't get access to the keys. Some of that is available from Amazon here
https://docs.aws.amazon.com/AmazonRDS/l ... S.SSL.html
Outside of this, I don't have any further suggestions.
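
An added example, not part of the thread and not Nagios or check_mysql_health code: one way to compute one metric from the first post's list (thread cache hit rate) from `SHOW GLOBAL STATUS` fetched over TLS with the stock `mysql` client, reported as a Nagios-style state. Assumptions: a MySQL 5.7+ client (for `--ssl-mode`), a CA bundle and a mode-0600 options file at paths you supply, the commonly used hit-rate ratio, and function names that are hypothetical.

```shell
#!/usr/bin/env bash
# Added example (not from the thread): thread cache hit rate as a Nagios-style
# check, computed from SHOW GLOBAL STATUS fetched with the stock mysql client.

# Fetch counters over a verified TLS connection. Not called by the demo below.
# Assumptions: MySQL 5.7+ client; $2 is a mode-0600 options file holding user
# and password (keeps them out of the process table); $3 is a CA bundle path.
fetch_status() {
  mysql --defaults-extra-file="$2" -h "$1" --ssl-ca="$3" \
        --ssl-mode=VERIFY_IDENTITY -N -B -e 'SHOW GLOBAL STATUS'
}

# Reads "name<TAB>value" lines on stdin and prints
# 100 - Threads_created / Connections * 100 (assumed definition of the rate).
# Fails if either counter is missing or Connections is zero.
thread_cache_hitrate() {
  awk -F'\t' '
    $1 == "Threads_created" { created = $2; seen++ }
    $1 == "Connections"     { conns = $2; seen++ }
    END {
      if (seen != 2 || conns <= 0) exit 1
      printf "%.2f\n", 100 - (created / conns) * 100
    }'
}

# Lower is worse: CRITICAL below $3, WARNING below $2. Prints the status line
# with perfdata and returns the plugin exit code (0, 1 or 2).
nagios_state() {
  local rate=$1 warn=$2 crit=$3 state=OK code=0
  if awk -v r="$rate" -v t="$crit" 'BEGIN { exit !(r < t) }'; then
    state=CRITICAL; code=2
  elif awk -v r="$rate" -v t="$warn" 'BEGIN { exit !(r < t) }'; then
    state=WARNING; code=1
  fi
  echo "$state - thread cache hitrate ${rate}% | thread_cache_hitrate=${rate}%;${warn}:;${crit}:"
  return "$code"
}

# Constructed sample of SHOW GLOBAL STATUS output (not from a real server).
SAMPLE=$(printf 'Connections\t2000\nThreads_connected\t12\nThreads_created\t30\n')
rate=$(printf '%s\n' "$SAMPLE" | thread_cache_hitrate) && nagios_state "$rate" 90 80
```

In a live check the sample would be replaced by `fetch_status <host> <options-file> <ca-bundle> | thread_cache_hitrate`, run from the Nagios server itself, so no agent on the database host is involved.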