NCPA API services check passive or active

[onegative]

G 'Day Nagios XI Support,

Please reference the Topic I opened previously: https://support.nagios.com/forum/viewto ... 16&t=52143

I am having trouble on RHEL6 servers in our environment where the nagios user does not have sufficient permissions to perform service checks on all services defined.

I have taken several steps in attempting to resolve the issue as follows:

1. Added --> (root) NOPASSWD: /sbin/service * status

2. Created an alias --> alias service='sudo /sbin/service'

3. Tested the use of the sudo/alias combo

Code: Select all

-bash-4.1$ service rsyslog status
rsyslogd (pid  1868) is running...

So I can actually use the command line to execute the status check. Unfortunately through the API of the NCPA agent I cannot.
When performing a passive check I get the results:

CRITICAL: rsyslog is unknown (should be running)

And when I attempt an Active check I get the same results:

Code: Select all

 ./check_ncpa.py -H 69.91.2xx.x -P 3181 -t 'mytoken' -M 'services' -q 'service=rsyslog,status=running' -v
Connecting to: https://69.91.2xx.x:3181/api/services/?token=mytoken&check=1&service=rsyslog&status=running
File returned contained:
{
    "returncode": 2,
    "stdout": "CRITICAL: rsyslog is unknown (should be running)"
}
CRITICAL: rsyslog is unknown (should be running)

So I need to know specifically how the NCPA agent actually executes a call to the services on Linux.

Does it execute a 'service -status-all' and then parse the whole results looking for the specific service name?

Does it do something like a direct call to /sbin/service and therefore by-passing my attempt to use sudo to circumvent the shortcomings?

Can someone please explain how it actually works so I can try and devise a way to monitor services on RHEL6?

Any help in solving would be greatly appreciated...

Thanks,
Danny

[npolovenko]

Hello, @onegative. I looked at the NCPA code on github and it looks like it gets the list of services from the /etc/init.d folder. Then, if a service is specified, it runs service service_name status.
Please sign in to the NCPA server as the nagios user, run the following command and show us the output:

su - nagios
service --status-all

https://github.com/NagiosEnterprises/nc ... ervices.py

[onegative]

@npolovenko

Well like I mentioned earlier, these RHEL6 boxes are harden that restrict the usage of the /sbin/service command to determine status for ALL services defined.

So I attempted to utilize sudo to allow the nagios user to execute the /sbin/service command as root.

I also created an alias to change the service command to work as "sudo /sbin/service" which did not work...my guess is that the python code must use a hard call to "/sbin/service svcName status" and forgo just calling "service svcName status" because I could never get it to work properly...so instead of trying to get the ncpa /services api to function I created a small plugin to call my alias which calls sudo and processes the service status correctly...not native like I wanted but it works...the RHEL7 systems that use systemctl do not have this issue because it works to determine status for all services even though nagios user is not an administrator so I am good there.

If anyone wants to use this small plugin here it is along with how I configured the ncpa configuration file.

Go ahead and Lock the Topic and thanks,
Danny

Code: Select all

# Parameter Name - Service-rsyslog
%HOSTNAME%|Service-rsyslog|60 = /plugins/check_service/rsyslog/running

check_service.txt

[npolovenko]

@onegative, Thanks for sharing this plugin with us! We should get it on the Nagios Exchange.
https://exchange.nagios.org/
Would you like to upload it or would you like me to post it?