4. Setting up the web interface

Nagios doesn't have a specific client application to access monitoring information; instead, it relies on the Apache web server to provide a very simple yet powerful web interface, accessible via any browser and allowing users to access current status information, browse historical logs, create reports and, if so configured, issue commands to the monitoring daemon.

4.1 CGIs configuration

Nagios' web interface relies on a series of CGI programs written in C. The CGIs read their configuration information from two files: the main configuration file and cgi.cfg, located, by default, in the /var/www/etc/nagios/ directory.

Below is a sample configuration file; pay particular attention when setting the authorized_for_* directives, because they assign special privileges to authenticated users and are therefore highly security-critical. In the next section, we will review how to create users in Apache.

/var/www/etc/nagios/cgi.cfg
# Path to the main configuration file (relative to the chroot)
main_config_file=/etc/nagios/nagios.cfg
# Path to the directory where the HTML files reside (relative to the chroot)
physical_html_path=/nagios
# Path portion of the URL used to access the web interface
url_html_path=/nagios

# Time interval (in seconds) between page refreshes
refresh_rate=90
# Disable context-sensitive help
show_context_help=0
# Mark hosts/services that have not been checked yet as PENDING
use_pending_states=1
# Limit the default number of results displayed on the status.cgi
result_limit=100

# Enable authentication for the CGIs
use_authentication=1
# Do not use x509 cert (SSL) authentication
use_ssl_authentication=0
# Uncomment the following directive to set a default user for unauthenticated
# sessions (strongly discouraged)
#default_user_name=guest

# The 'authorized_for_*' directives define a comma-separated list of
# authenticated web users who can:
# - view system/process information in the extended information CGI:
authorized_for_system_information=nagiosadmin,operator
# - view configuration information in the configuration CGI:
authorized_for_configuration_information=nagiosadmin,operator
# - issue system/process commands via the command CGI:
authorized_for_system_commands=nagiosadmin
# - view status and configuration information for all services
authorized_for_all_services=nagiosadmin,operator
# - view status and configuration information for all hosts
authorized_for_all_hosts=nagiosadmin,operator
# - issue commands for all services via the command CGI:
authorized_for_all_service_commands=nagiosadmin
# - issue commands for all hosts via the command CGI:
authorized_for_all_host_commands=nagiosadmin

# Options for the Status Map and Status World CGIs
statusmap_background_image=smbackground.gd2
default_statusmap_layout=5
default_statuswrl_layout=4
statuswrl_include=myworld.wrl

# Command to use when attempting to ping a host from the WAP interface
ping_syntax=/sbin/ping -n -c 5 $HOSTADDRESS$

# List of audio files to play in the browser in case of problems. These files
# are assumed to be in the /var/www/nagios/media/ directory
host_unreachable_sound=hostdown.wav
host_down_sound=hostdown.wav
service_critical_sound=critical.wav
service_warning_sound=warning.wav
service_unknown_sound=warning.wav
#normal_sound=noproblem.wav

# HTML and URL target options
action_url_target=_blank
notes_url_target=_blank
escape_html_tags=1

# Restrict users from changing the author name when submitting comments,
# acknowledgements and scheduled downtime from the web interface
lock_author_names=1

# Splunk integration options
enable_splunk_integration=0
#splunk_url=http://127.0.0.1:8000/

4.2 Apache configuration

The web interface holds particularly sensitive information about the network and its services and may even allow the execution of commands that directly affect the monitoring daemon. As a consequence, it is strongly recommended that you configure authentication for accessing the CGIs.

User authentication files are managed with the htpasswd(1) utility. Note that the first time you run this command, you must supply the "-c" option to create the password file:

# htpasswd -c /var/www/users/nagios.passwd nagiosadmin
New password: password
Re-type new password: password
Adding password for user nagiosadmin
# htpasswd /var/www/users/nagios.passwd danix@work
New password: password
Re-type new password: password
Adding password for user danix@work
# chmod 600 /var/www/users/nagios.passwd
# chown www /var/www/users/nagios.passwd

An authenticated user whose username matches the short name of a contact definition is called an authenticated contact and is automatically granted access to information and commands for those hosts and services for which they are a contact (please refer to the documentation for further details about authentication in the CGIs).
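The following Python check is an added example, not part of the original guide or of Nagios: it cross-checks the authorized_for_* directives from section 4.1 against the users in the htpasswd file created above and reports settings that widen access. The sample inputs are constructed and the function names are this example's own.

```python
# Constructed sample inputs (not real files); directive names are from cgi.cfg.
SAMPLE_CGI_CFG = """\
use_authentication=1
#default_user_name=guest
authorized_for_system_information=nagiosadmin,operator
authorized_for_system_commands=nagiosadmin
authorized_for_all_hosts=*
"""
SAMPLE_HTPASSWD = "nagiosadmin:constructed-hash\ndanix@work:constructed-hash\n"

def parse_cfg(text):
    """Return {directive: value} for every uncommented key=value line."""
    cfg = {}
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#") and "=" in line:
            key, value = line.split("=", 1)
            cfg[key.strip()] = value.strip()
    return cfg

def htpasswd_users(text):
    """Return the user names from htpasswd(1) 'user:hash' lines."""
    return {line.split(":", 1)[0] for line in text.splitlines() if ":" in line}

def audit(cfg_text, htpasswd_text):
    """Return a list of findings about authentication and privilege settings."""
    cfg, users, findings = parse_cfg(cfg_text), htpasswd_users(htpasswd_text), []
    if cfg.get("use_authentication") == "0":
        findings.append("use_authentication=0: the CGIs do not check who is asking")
    if "default_user_name" in cfg:
        findings.append("default_user_name=%s: unauthenticated sessions get this user's rights"
                        % cfg["default_user_name"])
    for key in sorted(k for k in cfg if k.startswith("authorized_for_")):
        names = [n.strip() for n in cfg[key].split(",") if n.strip()]
        if "*" in names:  # Nagios reads * as "any authenticated user"
            findings.append("%s=*: granted to every authenticated user" % key)
        for name in names:
            if name != "*" and name not in users:
                findings.append("%s: %s has no entry in the password file" % (key, name))
    return findings

def command_users(cfg_text):
    """Return the users allowed to issue commands through the command CGI."""
    cfg = parse_cfg(cfg_text)
    return sorted({n.strip() for k, v in cfg.items() if k.endswith("_commands")
                   for n in v.split(",") if n.strip()})
```

Run against the configuration shown in 4.1 with only the two htpasswd entries created above, it reports operator, which is listed in four directives but has no password entry.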

Well, now that we have Apache requiring users to authenticate, we should also configure SSL to avoid sending passwords in clear text. Below are the openssl(1) commands to create a self-signed certificate (a more detailed discussion about certificate management can be found here).

# openssl genrsa -des3 -out server.3des-key 1024
Generating RSA private key, 1024 bit long modulus
..............++++++
.++++++
e is 65537 (0x10001)
Enter pass phrase for server.3des-key: passphrase
Verifying - Enter pass phrase for server.3des-key: passphrase
# openssl rsa -in server.3des-key -out server.key
Enter pass phrase for server.3des-key: passphrase
writing RSA key
# openssl req -new -key server.key -x509 -out server.crt -days 365
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) []: IT
State or Province Name (full name) []: State
Locality Name (eg, city) []: Locality
Organization Name (eg, company) []: kernel-panic.it
Organizational Unit Name (eg, section) []: Information Technology
Common Name (eg, fully qualified host name) []: nagios.kernel-panic.it
Email Address []: nagios@kernel-panic.it
# chmod 600 server.key
# rm server.3des-key
# mv server.crt /etc/ssl/
# mv server.key /etc/ssl/private/

The last step is configuring Apache to actually require authentication and encryption to access the Nagios interface by adding the following lines to the /var/www/conf/httpd.conf configuration file:

/var/www/conf/httpd.conf
ScriptAlias /cgi-bin/nagios "/var/www/cgi-bin/nagios"

<Directory "/var/www/cgi-bin/nagios">
    SSLRequireSSL

    Options ExecCGI

    AuthName "Nagios Access"
    AuthType Basic
    AuthUserFile /users/nagios.passwd
    Require valid-user

    Order deny,allow
    Deny from all
    # Authorized clients
    Allow from 127.0.0.1 172.16.0.13
</Directory>

Alias /nagios "/var/www/nagios"

<Directory "/var/www/nagios">
    SSLRequireSSL

    Options None
    AllowOverride None

    AuthName "Nagios Access"
    AuthType Basic
    AuthUserFile /users/nagios.passwd
    Require valid-user

    Order deny,allow
    Deny from all
    # Authorized clients
    Allow from 127.0.0.1 172.16.0.13
</Directory>

And, of course, don't forget to enable the PHP module!

# ln -sf /var/www/conf/modules.sample/php-5.3.conf /var/www/conf/modules/php.conf
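A check for the access controls configured above, as an added Python example (not part of the original guide or of Apache): it parses the <Directory> blocks of an httpd.conf and reports any Nagios directory that lacks SSLRequireSSL, the Basic authentication directives or the deny-by-default client list. The sample configuration and the function names are constructed for this example.

```python
import re
# Constructed sample: block 1 follows the guide; block 2 is deliberately weakened.
SAMPLE_HTTPD_CONF = """
<Directory "/var/www/cgi-bin/nagios">
    SSLRequireSSL
    AuthType Basic
    AuthUserFile /users/nagios.passwd
    Require valid-user
    Order deny,allow
    Deny from all
    # Authorized clients
    Allow from 127.0.0.1 172.16.0.13
</Directory>
<Directory "/var/www/nagios">
    AuthType Basic
    AuthUserFile /users/nagios.passwd
    Require valid-user
    Allow from all
</Directory>
"""
BLOCK_RE = re.compile(r'<Directory\s+"?([^">]+)"?\s*>(.*?)</Directory>', re.S | re.I)

def directory_blocks(conf):
    """Map each <Directory> path to {directive (lowercased): [argument strings]}."""
    blocks = {}
    for path, body in BLOCK_RE.findall(conf):
        directives = blocks.setdefault(path, {})
        for line in body.splitlines():
            parts = line.strip().split(None, 1)
            if parts and not parts[0].startswith("#"):
                directives.setdefault(parts[0].lower(), []).append(" ".join(parts[1:]))
    return blocks

def audit_httpd(conf, paths):
    """Return findings for directories lacking TLS, authentication or client limits."""
    findings, blocks = [], directory_blocks(conf)
    for path in paths:
        d = blocks.get(path)
        if d is None:
            findings.append("%s: no <Directory> block" % path)
            continue
        for name in ("SSLRequireSSL", "AuthType", "AuthUserFile", "Require"):
            if name.lower() not in d:
                findings.append("%s: missing %s" % (path, name))
        if not any(a.lower().split() == ["from", "all"] for a in d.get("deny", [])):
            findings.append("%s: missing 'Deny from all'" % path)
        if any("all" in a.lower().split()[1:] for a in d.get("allow", [])):
            findings.append("%s: 'Allow from all' admits every client address" % path)
    return findings
```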

4.3 Running Nagios

Well, it looks like we're done with the configuration for now! We can now have Nagios verify our hard work by invoking it with the "-v" option:

# /usr/local/sbin/nagios -v /var/www/etc/nagios/nagios.cfg

Nagios Core 3.5.0
Copyright (c) 2009-2011 Nagios Core Development Team and Community Contributors
Copyright (c) 1999-2009 Ethan Galstad
Last Modified: 03-15-2013
License: GPL

Website: http://www.nagios.org
Reading configuration data...
   Read main config file okay...
[...]
   Read object config files okay...

Running pre-flight check on configuration data...

[...]

Total Warnings: 0
Total Errors:   0

Things look okay - No serious problems were detected during the pre-flight check
#

If no errors were detected, then the long-awaited moment has arrived: we are ready to start Nagios! First, though, we need to create the directory for the lock file (note: if you haven't rebooted since installing the Nagios packages, the /var/run/nagios/ directory should already exist).

# apachectl startssl
/usr/sbin/apachectl startssl: httpd started
# install -d -o _nagios /var/run/nagios
# /usr/local/sbin/nagios -d /var/www/etc/nagios/nagios.cfg

You can check if everything is working fine by connecting to the web interface (https://your.server.here/nagios/) or taking a look at the logs (/var/www/var/log/nagios/nagios.log).

To finish up, we only have to configure the system to start both Apache and Nagios at boot time, by setting the httpd_flags and pkg_scripts variables in /etc/rc.conf.local:

/etc/rc.conf.local
httpd_flags="-DSSL"
pkg_scripts="nagios"

In the next chapter we will take a look at how to extend Nagios with some of its most popular addons.