Monitoring of multiple machines remotely

[mr_bo_jungle]

Hi all, okay i have just downloaded and setup NagiosXI and have configured it using the wizard to monitor the local network and also 58 remote sites, i am familiar with nagios3 having used it to do the same but i have never set it up to monitor multiple machines at any given remote site and i can't see from within Nagiosxi how you can do this...

I do not want to setup another dedicated install of Nagios for every site we support thats just not practical, surely there must be a way to query all the systems for each site remotely...

So, what i need to know is really quite simple, using NagiosXI, how do i monitor all of the workstations and switches and printers and services over multiple remote sites from my one NagiosXI server/host...

Any help is appreciated.

[mmestnik]

There is more then one way to do anything, we need more information to narrow down the way you should use.

I can only list some of the more popular ways.
1. Using dedicated VPN hardware.
2. Using an ssh *server at each location to check each device from.
3. Having a *server at each location run a cron task to send result data back to Nagios.
4. Send all your check commands with just the SSL security nrpe provides, as the docs might say it's meant to be secure but perhaps it's not secure enough.
5. SNMP has security options also, in the highest versions.

* You can and should just use any server at each location.

[mr_bo_jungle]

We currently use Zenith NOC, we install a remote monitoring gateway agent onto the servers at the various sites, from within the very small application we roll out the desktop agents which reports data back to the server gateway agent which then is accessed remotely by a dedicated monitoring server where the data is processed an reported live via an online web page we log into....the system supports full notifications of all services across the specified LAN and via multiple site locations....i want to replicate this setup using Nagios and save the $120,000 PA...

I want to use one dedicated install of Nagios in our datacentre to remotely monitor all sites and all machines on each site without installing another dedicated nagios server on each site...

Advice is most welcome.

[mmestnik]

The it seams like you would be looking for the Dedicated VPN route. Currently you are using a dedicated monitoring server at each site. What I'm saying is that you can use a server(that does other tasks) as a VPNish gateway or you can use a VPN device.

Sending remote data to the Nagios server is the logic we like best internally, however most deployments like what you describe contact each device from the Nagios server.

Setting up a Dedicated VPN is almost like having a dedicated server at each site, but you would be using the VPNs for other things as well. You can also do this without a VPN, just have Nagios contact each device directly, but there are security concerns... They are not grave though, it is made to be secure we just don't advertise it as being secure. SSL is used and ip addresses are used for authentication the SSL handshake verifies that IP address is owned by the other end.

[mr_bo_jungle]

The current setup we use utilises a small application install per remote site to monitor, the install is a mere 26mb for the gateway server and 4.2mb per windows desktop. This is the type of solution i am looking for in Nagios, the ability to install a small executable file of some description that with minimal configuration will allow me to query remote machines of all kinds fron one single Nagios server. There needs to be some form of gateway on each remote site that allows Nagios to connect to it and then send querys out across the rest of the remote sites lan...SURELY this must exist within Nagios and if it does not then it begs the question, why on earth not!

[mmestnik]

Yes, it's just nrpe, the normal tool to monitor a Linux/Windows server. You can run the nrpe plugin over an nrpe connection.

Though, if you are NOT going to further secure this with a VPN then you should evaluate the check_ssh plugin. This is a near drop-in replacement for nrpe, the added security should be evident but it comes at a performance cost. check_ssh could cut the max number of checks you can run by 3/4ths or more, as it runs 6 to 12 seconds VS 2 to 4. CPU/network/memory resources are less-impacted, but in Nagios wall clock check times can play a big roll in how well your server operates.

[mr_bo_jungle]

Okay good, my understanding is that the check_nrpe plugin acts like an extension of Nagios, allowing it to poll remote sites, my question is then, if i have a site say with 8 SBS 2008 servers with around 180 desktops, how would i use nrpe to poll all of them. From reading it seems that nsclient++ contains the nrpe plugin and having looked at the nsc.ini file i do see references in it to nrpe and its ports but still i'm unsure on how to configure this. I read that nsclient++ can act as a proxy, i assume this is to allow you to connect to one end point at a specified remote site and from that one end point proxy you can then poll the rest of the remote site? is this correct and if so, how would one go about setting this up?

I have read that there is a 'silent install' option for the nsclient which would allow me to preconfigre it and install it across the lan desktops using a simple login script, this sounds ideal as it would contain check_nt and nrpe and allow me to poll services per desktop, but still i am stumped on how to get nagiosxi to be able to monitor anything more than just one machine at any given remote site...

Having used Nagios 3 and now looking at using Nagiosxi, i must say the GUI for Nagiosxi is 'out of the box' more point and click and i guess windowsy....i learnt very quickly the bennefits of being able to get at the back end of Nagios3, i enjoy getting down and dirty with the scripting and thus far see nothing you can do with Nagiosxi that you cant do with Nagios 3...this isn't meant as a snipe at Nagiosxi just a users observations...where i am at the moment i am seriously considering going back to using Nagios3 as it appears i can do what i need to without the expense...sure i will loose the nice GUI but with the tools support there is for Nagios 3 well i can just insatll a nice GUI and have the same levels of functionality for free...really the main one is the ability to input hosts and groups, really though doing a VI isnt so hard....

Your advice so far is appreciated.

[mmestnik]

The first sentence basically says it all. Nagios has a large number of check commands all of them can be used from an nrpe server, an extension of Nagios.

You would need to do one of two things. One way being secure, the other being reckless(I should note that our Linux Agent depends on the reckless bit being set). The secure and intended use was to add a check command line in the nrpe config for each host at the remote sites on the server at the remote site. The reckless way is to allow parameters to be passed to nrpe from the nagios server, a wizard of any kind wouldn't work without this option set.

Wait back up a bit? Why would you be running nsclient++ on a Unix system?

Seams we have our wires crossed, You said that you didn't want a "dedicated install of Nagios" at each site. Made sense I took this to include the Nagios NRPE agent as well, but I left this option open to you, and I didn't even consider that you may have meant that you don't use Unix. Then that currently you use "Zenith NOC", what platform does it use?

You are correct NagiosXI is meant as the fast road to Nagios 3 plus some other utilities pre-bundled, like graphing. NagiosXI is intended for when time is money and/or there are no Unix Admins. We do offer a support plan for Nagios Core(Nagios 3) that you should please ask about.

Perhaps you should outline what it is specifically that you are trying to avoid. If it is that you just can't run Unix at each location, then a Dedicated VPN would be safer then exposing Windows to the internet. I recently discovered something called Cooperative Linux that you might be interested in, if there was a box that didn't need HA you could afford to run it on. coLinux is vary fast and doesn't seem to be a resource drain on Windows, though as predicted the devel version has rebooted my box.

[mr_bo_jungle]

What we need to be able to do is monitor remote sites and all machines at the various locations. We have at the moment 58 sites we are looking to monitor, all are behind firewalls and various UTM systems. Nagios appears to be very usefull for monitoring a single location if Nagios is actually inside the LAN but it appears to strugle as far as useability when monitoring remote sites, by that i mean it is not user friendly. For most serious IT individuals installing a seperate Nagios server per site is A: Not practical and B: Far from cost effective and C: Overly time consuming...

We simply need to be able to have some form of agent running at a single location per site that Nagios can then connect to or make requests to for information about the status of all of the other machines on the LAN. I do see that NSClient++ has the NRPE built into it and it also seems to support remote_check arguements that i assume would allow use to query the remote LAN via the NSClient++ PROXY...this is what i am currently trying to understand, exacly HOW to query a remote LAN via an NSClient++ proxy to gather information about the machines inside the remote LAN...

This to me in the current IT world strikes me as an utterly ESSENTIAL thing for Nagios to be able to do...the ability to monitor multiple remote location that are behind NAT and also to not only query a SINGLE machine at the remote site but also to be able to query ALL devices and ALL the remote sites...

Ultimately this is what we would like to achieve using Nagios, the monitoring of 58 remote locations including all devices, this would include XP desktops, SBS 2008 servers, Terminal servers, 2003 R2 servers, printers, routers, switches, SIP traffic, ADSL lines Fibre optic lines.....everything and all of it done remotely...

Got to love linux in development... :/

What i am looking to learn here is how exactly to do this, not in concept or idea as i understand in theory how, what i cannot understand is HOW asin instructions on how one would acheive this...

[mmestnik]

Firstly you should define what you mean by "Nagios Server" and what you mean by "agent". I'm familiar with DHCP proxy servers and I understand the difference from running a DHCP server VS a DHCP Proxy, but I don't understand what you are talking about. Please be real specific and define the criteria you are attempting to avoid and the criteria for the environment you are looking for.


I learned something new today. After reading up on UTM it seams like the purpose would be to solve the current problem, the UTM should have some secure way to pass an NRPE connection. I have given you several suggestions on how you can pass an NRPE connection securely to a remote Unix device for the purpose of monitoring other devices, though a solution provided by a UTM would be simpler to implement and likely more secure.

It would be advisable to use something like a DHCP Proxy for the purpose of carrying NRPE commands to other hosts, this gives you a central location to control access for all your NRPE devices. With a Unix NRPE server you also get SNMP and other protocol level monitoring, not just the ability to pass NRPE information.

Secondly NSClient++ is some application that runs on Windows and you will have to seek support from the Windows community. I don't know anything about that or even what it can be used for. If it includes an NRPE check command then you just configure that to run. So that you are running check_nrpe inside check_nrpe over an NRPE connection.

Please note that although NRPE uses encryption and verifies the authenticity of the remote IP address it may have flaws or exploits, you are advised to use either VPN or SSH to enhance security.