API calls?

[rferebee]

Hello Nagios team,

Can someone tell me what all these API entries are in my audit log? There are almost 1800 of them in the last 24 hours.

I have no clue what it's doing.

Thank you!

[benjaminsmith]

Hi,

That's coming from the following API call.

Code: Select all

curl -XGET "https://<IPADDRESS>/nagiosxi/api/v1/system/status?apikey=<APIKEY>&pretty=1"

And likely from the Nagios XI Server configuration wizard. Go to the CCM and take a look at the check_interval on those services, maybe it's checking too frequently. every 5 minutes should be sufficient.

Benjamain

[rferebee]

Thanks for your reply.

See attached image. I have those same checks setup for each of my three XI servers. None of them are configured to check at less than 5 minute intervals. Also, I'm not seeing any checks that refer to 'system/status'.

Can you tell me exactly what the name of the check would be if configured through the Nagios XI wizard?

[benjaminsmith]

Hi,

Can you tell me exactly what the name of the check would be if configured through the Nagios XI wizard?

Looking over the Nagios XI Wizard, the Nagiso XI Jobs, Nagiso XI Daemons, load and iowait service checks would be using the system API command. It's calling the system detail command.

Code: Select all

curl -XGET "https://192.168.23.113/nagiosxi/api/v1/system/statusdetail?apikey=<APIKEY>&pretty=1"

--Benjamin

[rferebee]

Does this mean anything to you?

Code: Select all

root@nagiosxi:/root>curl -XGET "https://xx.xx.xx.xx/nagiosxi/api/v1/system/statusdetail?apikey=APIKEY&pretty=1"
curl: (60) Peer's certificate issuer has been marked as not trusted by the user.
More details here: http://curl.haxx.se/docs/sslcerts.html

curl performs SSL certificate verification by default, using a "bundle"
 of Certificate Authority (CA) public keys (CA certs). If the default
 bundle file isn't adequate, you can specify an alternate file
 using the --cacert option.
If this HTTPS server uses a certificate signed by a CA represented in
 the bundle, the certificate verification probably failed due to a
 problem with the certificate (it might be expired, or the name might
 not match the domain name in the URL).
If you'd like to turn off curl's verification of the certificate, use
 the -k (or --insecure) option.
root@nagiosxi:/root>curl -XGET "https://xx.xx.xx.xx/nagiosxi/api/v1/system/statusdetail?apikey=APIKEY=1" -k
{
    "iostat": {
        "updated": "2021-02-17 15:31:48.565913",
        "user": "4.18",
        "nice": "0.00",
        "system": "2.62",
        "iowait": "3.32",
        "steal": "0.00",
        "idle": "89.89"
    },
    "sysstat": {
        "last_check": "1613604703"
    },
    "perfdataprocessor": {
        "last_check": "1613604712"
    },
    "reportengine": {
        "last_check": "1613604662"
    },
    "nom": {
        "last_check": "1613604662"
    },
    "dbbackend": {
        "last_checkin": "2021-02-17 15:31:02",
        "bytes_processed": "172137117",
        "entries_processed": "322214",
        "connect_time": "2021-02-17 14:03:24",
        "disconnect_time": "0000-00-00 00:00:00"
    },
    "nagioscore": {
        "updated": "2021-02-17 15:31:43.515642",
        "activehostchecks": {
            "val1": "85",
            "val5": "584",
            "val15": "584"
        },
        "passivehostchecks": {
            "val1": "0",
            "val5": "0",
            "val15": "0"
        },
        "activeservicechecks": {
            "val1": "914",
            "val5": "4448",
            "val15": "4472"
        },
        "passiveservicechecks": {
            "val1": "0",
            "val5": "0",
            "val15": "0"
        },
        "activehostcheckperf": {
            "min_latency": "0",
            "max_latency": "0.98744",
            "avg_latency": "0.021890986394557818",
            "min_execution_time": "0.00259",
            "max_execution_time": "4.06773",
            "avg_execution_time": "0.4445006632653057"
        },
        "activeservicecheckperf": {
            "min_latency": "0",
            "max_latency": "1.00399",
            "avg_latency": "0.01809902591599645",
            "min_execution_time": "0.00229",
            "max_execution_time": "10.09645",
            "avg_execution_time": "0.15920947050938303"
        }
    },
    "load": {
        "updated": "2021-02-17 15:31:43.531852",
        "load1": "0.36",
        "load5": "0.33",
        "load15": "0.35"
    },
    "memory": {
        "updated": "2021-02-17 15:31:43.54601",
        "total": "31993",
        "used": "1832",
        "free": "25367",
        "shared": "187",
        "buffers": "4793",
        "cached": "29580"
    },
    "swap": {
        "updated": "2021-02-17 15:31:43.555795",
        "total": "4091",
        "used": "0",
        "free": "4091"
    },
    "feedprocessor": {
        "last_check": "1613604703"
    },
    "deadpool_reaper": {
        "last_check": "1613604662"
    },
    "cleaner": {
        "last_check": "1613604662"
    },
    "dbmaint": {
        "last_check": "1613604602"
    },
    "cmdsubsys": {
        "last_check": "1613604712"
    },
    "eventman": {
        "last_check": "1613604713"
    },
    "daemons": {
        "updated": "2021-02-17 15:31:43.487988",
        "daemon": [
            {
                "@attributes": {
                    "id": "nagioscore"
                },
                "name": "nagios",
                "output": "           \u2514\u250068958 \/bin\/ping -n -U -w 30 -c 5 xx.xx.xx.xx",
                "return_code": "0",
                "status": "0"
            },
            {
                "@attributes": {
                    "id": "pnp"
                },
                "name": "npcd",
                "output": "           \u2514\u25001199 \/usr\/local\/nagios\/bin\/npcd -d -f \/usr\/local\/nagios\/etc\/pnp\/npcd.cfg",
                "return_code": "0",
                "status": "0"
            }
        ]
    }
}

[benjaminsmith]

Hi,

I'm familiar with that message. Are you using a self-signed certificate? If so, you're going to get that message when running those commands locally. You can bypass this by using the -K option as shown in the output.

The other option is to add your self-signed certificate as trusted. The following steps worked on my test system.

Code: Select all

sudo yum install ca-certificates
sudo update-ca-trust enable
sudo cp /path/to/your_new_cert.crt /etc/pki/ca-trust/source/anchors/
sudo update-ca-trust extract

If you have a certificate from a known CA, try the following to resolve this.

Code: Select all

yum update curl
yum install ca-certificates

Reference:
https://stackoverflow.com/questions/146 ... known-ca-c

[rferebee]

Yes, we're using a self-signed cert. I'll attempt to add it as trusted per your instructions. Thank you.

[benjaminsmith]

Hi,

Yes, we're using a self-signed cert. I'll attempt to add it as trusted per your instructions. Thank you.

Sounds good. Let us know it goes.

[rferebee]

I performed the recommended steps, but unfortunately the entries are still occurring in my audit log. Every 1-2 minutes.

Any other ideas?

[benjaminsmith]

Hi @rferebee,

Those entries in the log are coming from the Nagios XI Wizard. It's not unusual to have a significant number of incoming requests to the API. Did you try to increase the check interval for the Nagiso XI Jobs, Nagiso XI Daemons service checks? Also, make sure there are not duplicate configurations for these service checks.

Benjamin