4. Setting up the web interface

Nagios doesn't have a specific client application to access the monitoring information; instead, it relies on the Apache web server to provide a very simple yet powerful web interface, accessible via any browser and allowing users to access current status information, browse historical logs, create reports and, if so configured, issue commands to the monitoring daemon.

4.1 CGIs configuration

Nagios' web interface relies on a series of CGI programs written in C. The CGIs read their configuration information from two files: the main configuration file and cgi.cfg, located, by default, in the /var/www/etc/nagios/ directory.

Below is a sample configuration file; pay particular attention when setting the authorized_for_* directives, because they allow you to assign special privileges to authenticated users and are, therefore, highly security critical. In the next section, we will review how to create users in Apache.

# Path to the main configuration file (relative to the chroot)
# Path to the directory where the HTML files reside (relative to the chroot)
# Path portion of the URL used to access the web interface

# Disable context-sensitive help

# Enable authentication for the CGIs
# Uncomment the following directive to set a default user for unauthenticated
# sessions (strongly discouraged)

# The 'authorized_for_*' directives define a comma-separated list of
# authenticated web users who can:
# - view system/process information in the extended information CGI:
# - view configuration information in the configuration CGI:
# - issue system/process commands via the command CGI:
# - view status and configuration information for all services
# - view status and configuration information for all hosts
# - issue commands for all services via the command CGI:
# - issue commands for all hosts via the command CGI:

# Options for the Status Map and Status World CGIs

# Command to use when attempting to ping a host from the WAP interface
ping_syntax=/sbin/ping -n -c 5 $HOSTADDRESS$

# Time interval (in seconds) between page refreshes

# List of audio files to play in the browser in case of problems. These files
# are assumed to be in the /var/www/nagios/media/ directory

# HTML and URL target options

# Restrict users from changing the author name when submitting comments,
# acknowledgements and scheduled downtime from the web interface

# Splunk integration options

4.2 Apache configuration

The web interface holds particularly sensitive information about network and services and may even allow the execution of commands that directly affect the monitoring daemon. As a consequence, it is strongly recommended that you configure authentication for accessing the CGIs.

User authentication files are managed with the htpasswd(1) utility. Note that the first time you run this command, you must supply the "-c" option to create the password file:

# htpasswd -c /var/www/users/nagios.passwd nagiosadmin
New password: password
Re-type new password: password
Adding password for user nagiosadmin
# htpasswd /var/www/users/nagios.passwd danix@work
New password: password
Re-type new password: password
Adding password for user danix@work

An authenticated user whose username matches the short name of a contact definition is called an authenticated contact and is automatically granted access to information and commands for those hosts and services for which he is contact (please refer to the documentation for further details about authentication in the CGIs).

Well, now that we have Apache requiring users to authenticate, we should also configure SSL to avoid sending passwords in clear text. Below are the openssl(1) commands to create a self-signed certificate (a more detailed discussion about certificate management can be found here).

# openssl genrsa -des3 -out server.3des-key 1024
Generating RSA private key, 1024 bit long modulus
e is 65537 (0x10001)
Enter pass phrase for server.3des-key: passphrase
Verifying - Enter pass phrase for server.3des-key: passphrase
# openssl rsa -in server.3des-key -out server.key
Enter pass phrase for server.3des-key: passphrase
writing RSA key
# openssl req -new -key server.key -x509 -out server.crt -days 365
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
Country Name (2 letter code) []: IT
State or Province Name (full name) []: State
Locality Name (eg, city) []: Locality
Organization Name (eg, company) []: kernel-panic.it
Organizational Unit Name (eg, section) []: Information Technology
Common Name (eg, fully qualified host name) []: nagios.kernel-panic.it
Email Address []: nagios@kernel-panic.it
# chmod 600 server.key
# rm server.3des-key
# mv server.crt /etc/ssl/
# mv server.key /etc/ssl/private/

The last step is configuring Apache to actually require authentication and encryption to access the Nagios interface by adding the following lines to the /var/www/conf/httpd.conf configuration file:

ScriptAlias /cgi-bin/nagios "/var/www/cgi-bin/nagios"

<Directory "/var/www/cgi-bin/nagios">

    Options ExecCGI

    AuthName "Nagios Access"
    AuthType Basic
    AuthUserFile /users/nagios.passwd
    Require valid-user

    Order deny,allow
    Deny from all
    # Authorized clients
    Allow from

Alias /nagios "/var/www/nagios"

<Directory "/var/www/nagios">

    Options None
    AllowOverride None

    AuthName "Nagios Access"
    AuthType Basic
    AuthUserFile /users/nagios.passwd
    Require valid-user

    Order deny,allow
    Deny from all
    # Authorized clients
    Allow from

4.3 Running Nagios

Well, it looks like we're done with the configuration for now! Then we can make Nagios evaluate our hard work by invoking it with the "-v" option:

# /usr/local/sbin/nagios -v /var/www/etc/nagios/nagios.cfg

Nagios 3.0.6
Copyright (c) 1999-2008 Ethan Galstad (http://www.nagios.org)
Last Modified: 12-01-2008
License: GPL

Reading configuration data...

Running pre-flight check on configuration data...


Total Warnings: 0
Total Errors:   0

Things look okay - No serious problems were detected during the pre-flight check

If no errors were detected, then the long-awaited moment has arrived: we are ready to start Nagios! Though not before having created the directory for the lock file (Note: if you haven't rebooted since installing the Nagios packages, the /var/run/nagios/ directory should already exist).

# apachectl startssl
/usr/sbin/apachectl startssl: httpd started
# install -d -o _nagios /var/run/nagios
# /usr/local/sbin/nagios -d /var/www/etc/nagios/nagios.cfg

You can check if everything is working fine by connecting to the web interface (https://your.server.here/nagios/) or taking a look at the logs (/var/www/var/log/nagios/nagios.log).

To finish up, we have to configure the system to start both Apache and Nagios at boot time, by setting the httpd_flags variable in the /etc/rc.conf.local file:


and by adding the following lines to the /etc/rc.local file:

if [ -x /usr/local/sbin/nagios ]; then
    install -d -o _nagios /var/run/nagios
    echo -n ' nagios'
    /usr/local/sbin/nagios -d /var/www/etc/nagios/nagios.cfg

In the next chapter we will take a look at how to extend Nagios with some of its most popular addons.