Nagios Support Forum

Support for Nagios products and services
https://support.nagios.com/forum/

NRDP integration with NagiosXI

https://support.nagios.com/forum/viewtopic.php?t=62453

Page 1 of 1

NRDP integration with NagiosXI

Posted: Sun May 02, 2021 8:38 am
by TethiS
Hi,
I noticed i'm having the same issue with NRDP integration that some other people had notified here in time.
On my side, NagiosXI and NNA are working well and fine separately, and even the plugin for NNA (from NagiosXi side) works OK, giving the extra -tab when watching details of a hostname.

Issue i'm facing is the fact that Alerts created in NNA are not sent to NagiosXI through the NRDP protocol.
I made sure the token is correct, and even used the .txt file with dummy svcname and hostname sent from the CLI (with curl) from the NNA host towards the NagiosXI IP. That went well also, the dummy test svc and host names appeared in the Unconfigured Objects of NagiosXI.
What it seems to be the issue is NNA not being able to send any nrdp request toward the NagiosXI; I looked in the NagiosXI http logs and don't see even a trace of NNA trying to create hostname/service.

Is there a way I can debug this to narrow where the machanism is getting stucked?

Thanks!

Re: NRDP integration with NagiosXI

Posted: Mon May 03, 2021 12:06 pm
by ssax
NNA doesn't create a host/service for it, it submits results with the host/service name you defined in NNA.

Do you see them in Admin > Unconfigured Objects on the XI server?

Is the URL you have defined on the NNA server for the NRDP URL like this:

Code: Select all

http://YOURXISERVER/nrdp/
Run this command from the NNA server and send the output:
- If your XI server is using https, change http to https

Code: Select all

curl -k -L -vvv 'http://YOURXISERVER/nrdp/'

Re: NRDP integration with NagiosXI

Posted: Wed May 05, 2021 1:52 am
by TethiS
Hi,

I've tryied also (before opening the question) with an already assigned service on a hostname (the NNA hostname in XI) named like NNAAlerts, exactly the service destination name and host configured in NNA as target destination for the alerts and it did not work either.
(I remember vaguely at some point in the beginning the automatic creation of service/hostname worked from NNA to XI, but now nothing seems to be sent automatically by NNA on nrdp channel anymore)

I've used the curl command as you suggested(https) and it replied well and fully (very verbose) acknowledging there is no issue in communication between the two hosts when doing it manually.

Are there any logs NNA side I could watch to see if/why the nrdp call is triggered correctly? I double checked the NagioxXI setting NNA side to make sure they are correct?


PS. hands-on example:
1. NAgioxXI side defined a service called NNAAlerts on a hostname named WGOSS02, as a passive check. NRDP is listening on https with the right token set-up

2. NNA side defined the NagiosXI link (https://...nrdp/, correct token, etc)
3. NNA side defined the NNAAlerts/WGOSS02 association for the NagiosXI link
nnasetup.JPG
4. on NNA side, CLI mode, created a test.txt with the service name and hostname previously defined in XI

Code: Select all

<?xml version='1.0'?>
<checkresults>
    <checkresult type='host'>
        <hostname>WGOSS02</hostname>
        <state>0</state>
        <output>Everything looks okay! | perfdata=1;</output>
    </checkresult>
    <checkresult type='service'>
        <hostname>WGOSS02</hostname>
        <servicename>NNAAlerts</servicename>
        <state>1</state>
        <output>WARNING: Danger Will Robinson! | perfdata=1;</output>
    </checkresult>
</checkresults>
5. Sent the test.txt towards the XI with curl, from cli:

Code: Select all

 curl -XPOST https://wgoss01.ot.local/nrdp/ -d token=removed_token_content -d cmd=submitcheck --data-urlencode [email protected] -k -v
6. Data arrives correctly into NagiosXI GUI
nnaresulttest.JPG
So all seems fine communication wise. But when a check that I write breaches a threshold, NNA does not seem to be sending that check's output to the XI, by itself.

Help? :)

PS. I've put also a local command, on the NNA, a script to spit out in a log the given arguments to it (/usr/local/nagiosna/bin/cmd1.sh) and put that as trigger of the check. It does not fire on WARNING or CRITICAL either, so my bet would be a malfunction in the triggering mechanism of the NNA.

PS2. I think I'm getting somewhere. I didn't know this was logged in var/backend.log:

Code: Select all

2021-05-05 17:15:00 DEBUG : URL: https://wgoss01.ot.local/nrdp/
2021-05-05 17:15:00 DEBUG : Data: token=token_removed&cmd=submitcheck&XMLDATA=%3Ccheckresults%3E%3Ccheckresult+type%3D%22service%22%3E%3Chostname%3EWGOSS02%3C%2Fhostname%3E%3Cservicename%3ENNAAlerts%3C%2Fservicename%3E%3Cstate%3E2%3C%2Fstate%3E%3Coutput%3Ebytes+on+WG-Z4+with+filter+%5Bnot+dst+port+22%5D+is+133688961540+%7C+bytes%3D133688961540%3B1%3B1%3B0%3C%2Foutput%3E%3C%2Fcheckresult%3E%3C%2Fcheckresults%3E
2021-05-05 17:15:00 ERROR : Could not send to NRDP server: WGOSS02
Traceback (most recent call last):
  File "/usr/local/nagiosna/bin/notify.py", line 195, in send_nrdp_notifications
    post_xml_to_nrdp(nrdp, xml, token)
  File "/usr/local/nagiosna/bin/notify.py", line 186, in post_xml_to_nrdp
    response = urlopen(req)
  File "/usr/lib64/python2.7/urllib2.py", line 154, in urlopen
    return opener.open(url, data, timeout)
  File "/usr/lib64/python2.7/urllib2.py", line 431, in open
    response = self._open(req, data)
  File "/usr/lib64/python2.7/urllib2.py", line 449, in _open
    '_open', req)
  File "/usr/lib64/python2.7/urllib2.py", line 409, in _call_chain
    result = func(*args)
  File "/usr/lib64/python2.7/urllib2.py", line 1258, in https_open
    context=self._context, check_hostname=self._check_hostname)
  File "/usr/lib64/python2.7/urllib2.py", line 1214, in do_open
    raise URLError(err)
URLError: <urlopen error [SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed (_ssl.c:618)>
If that fails, the the whole notify.py fails without having a chance to reach the command section also.
Back to it, it seems is the verification of the XI certificate is the culprit here. The certificate is a valid one, properly generated (not self-signed), and it work without issue otherwise..

Both systems are off Internet access, not sure if that plays into this

Re: NRDP integration with NagiosXI

Posted: Wed May 05, 2021 7:21 am
by TethiS
Replying to myself ... with good news :)

the bundle of root certificates on the RHEl hosting the NNA didn't contain the CA (+intermediate CA) of the issuer having built the certificate of the XI...

I've extracted the ROOT and the INETERMEDIATE .cer files (encoded as base64) from a windows machine and loaded them into the NNA rhel system.. Now it seems the NRDP calls are getting correctly to the endpoint.

https://help.f-secure.com/product.html? ... -latest-en

Re: NRDP integration with NagiosXI

Posted: Wed May 05, 2021 5:12 pm
by ssax
That's great to hear! That would be the proper method of fixing that issue.

I've submitted a feature request to development requesting they add an ignore cert option:

Code: Select all

FR: NNA - Adding Nagios server for Alerting > NRDP will fail without a valid certificate when using SSL, add the option to ignore the SSL cert
So everything is up and running now or do you still have any outstanding issues?

Re: NRDP integration with NagiosXI

Posted: Thu May 06, 2021 3:42 am
by TethiS
All is fine now.
You may lock this thread.

Thanks again!

Re: NRDP integration with NagiosXI

Posted: Thu May 06, 2021 7:28 am
by scottwilkerson
TethiS wrote:All is fine now.
You may lock this thread.

Thanks again!
Locking thread
All times are UTC-05:00
Page 1 of 1

Powered by phpBB® Forum Software © phpBB Limited