Sunday, December 13, 2015

Nagios Installation and Configuration

1) Objectives/Description

To set up a system and network monitoring application that monitors our entire network smoothly and dynamically. Our chosen application is Nagios.


Nagios is a system and network monitoring application. It watches the hosts and services that we specify, alerting us when things go bad and again when they get better. Nagios has many features through which we can easily and smoothly monitor our entire network.



After completion of installation we’ll end up with:
  • Nagios and the plugins will be installed underneath /usr/local/nagios
  • Nagios will be configured to monitor a few aspects of our local system (CPU load, disk usage, current users etc.) and a few network services (SMTP, POP3, HTTP, SNMP etc.).
  • The Nagios web interface will be accessible at http://localhost/nagios/


2) System Requirements
 
The only requirements for running Nagios are a machine running Linux (or a UNIX variant) and a C compiler. TCP/IP should be configured, as most service checks will be performed over the network.
 
 
2.1 Prerequisites:
 
  • OS: Red Hat Enterprise Linux 4/5/6, CentOS 4/5/6

Make sure that we have the following packages installed in our system:
  • Apache
  • GCC Compiler
  • GD Development libraries


3) Installation Procedure

     During portions of the installation we'll need root access to the machine. First we check whether all the prerequisite packages are installed:

   #rpm -qa | grep httpd
   #rpm -qa | grep gcc
   #rpm -qa | grep gd
   #rpm -qa | grep glibc

   If any of the packages are missing, install them (from the installation media with rpm, or with yum):

   #rpm -Uvh httpd-* or #yum -y install httpd-*
   #rpm -Uvh gcc-* or #yum -y install gcc-*
   #rpm -Uvh gd-* or #yum -y install gd-*
   #rpm -Uvh glibc-* or #yum -y install glibc-*

   3.1 Create Account Information:

   Create a new nagios user account and give it a password

   #/usr/sbin/useradd nagios
   #passwd nagios
   
   Create a new nagcmd group for allowing external commands to be submitted through the web interface. Add both the nagios user and the apache user to the group (the -a flag appends the group instead of replacing the user's existing supplementary groups).
   #/usr/sbin/groupadd nagcmd
   #/usr/sbin/usermod -a -G nagcmd nagios
   #/usr/sbin/usermod -a -G nagcmd apache


   3.2 Download Nagios and the Plugins:
   Download the source code tarballs of both Nagios and the Nagios plugins (visit http://www.nagios.org/download/ for links to the latest versions).
   Create a directory for storing the downloads.
   #mkdir ~/downloads
   #cd ~/downloads
   
   3.3 Compile and Install Nagios:
   Extract the Nagios source code tarball.
   #cd ~/downloads
   #tar xzf nagios-3.0.2.tar.gz
   #cd nagios-3.0.2

   Run the Nagios configure script, passing the name of the group we created earlier:
   #./configure --with-command-group=nagcmd

   Compile the nagios source code

   #make
   #make all

   Install binaries, init scripts, sample config files and set permissions on the external command directory.

   #make install
   #make install-init
   #make install-config
   #make install-commandmode

   3.4 Customize Configuration
   Sample configurations files have now been installed in the /usr/local/nagios/etc directory. These sample files should work fine for getting started with Nagios. We'll need to make just one change before we proceed...

   Edit the /usr/local/nagios/etc/objects/contacts.cfg config file with our favourite editor and change the email address associated with the nagiosadmin contact definition to the address we'd like to use for receiving alerts.
   #vi /usr/local/nagios/etc/objects/contacts.cfg

   3.5 Configure the Web Interface
   Install the Nagios web config file in the Apache conf.d directory.
   #make install-webconf
   
   Create a nagiosadmin account for logging into the Nagios web interface and assign a password to it.
   #htpasswd -c /usr/local/nagios/etc/htpasswd.users nagiosadmin
   
   Restart Apache to make the new settings take effect.
   #service httpd restart
   
   3.6 Compile and Install the Nagios Plugins
   Extract the Nagios plugins source code tarball.
   #cd ~/downloads
   #tar xzf nagios-plugins-1.4.11.tar.gz
   #cd nagios-plugins-1.4.11

   Compile and install the plugins.
   #./configure --with-nagios-user=nagios --with-nagios-group=nagios
   #make
   #make install

   3.7 Start Nagios
   Add Nagios to the list of system services and have it automatically start when the system boots.
   #chkconfig --add nagios
   #chkconfig nagios on

   Verify the sample Nagios configuration files.

   #/usr/local/nagios/bin/nagios -v /usr/local/nagios/etc/nagios.cfg

   If there are no errors, start Nagios.
   #service nagios start

   3.8 Login to the Web Interface
   We should now be able to access the Nagios web interface at the URL below. We'll be prompted for the username (nagiosadmin) and password we specified earlier.
   http://localhost/nagios/
   Make sure the machine's firewall rules are configured to allow access to the web server if we want to access the Nagios interface remotely.


   4) Configuration
   Once we have Nagios installed and running properly, we'll no doubt want to start monitoring more than just our local machine. So we need to edit some configuration files to monitor Windows/Linux machines, routers/switches, network printers and publicly available services (HTTP, FTP, SSH etc.).
   
   All configuration files reside in /usr/local/nagios/etc. The main configuration files are:
  • /usr/local/nagios/etc/cgi.cfg
  • /usr/local/nagios/etc/nagios.cfg
  • /usr/local/nagios/etc/resource.cfg
   
   4.1 Monitoring Routers & Switches:

4.1.1 Configuring Nagios:
   To monitor a network switch/router we need to edit the main Nagios config file (under the /usr/local/nagios prefix we installed into):
   #vi /usr/local/nagios/etc/nagios.cfg
   
   Remove the leading pound (#) sign from the following line in the main configuration file:
   #cfg_file=/usr/local/nagios/etc/objects/switch.cfg
   Save the file and exit.
   
   Now we need to add some object definitions to the switch.cfg file.
   #vi /usr/local/nagios/etc/objects/switch.cfg
   
   Add a new host definition for the switch that we're going to monitor. A sample host definition is already in switch.cfg. Change the host_name, alias, and address fields to appropriate values for the switch.
define host {
        use        generic-switch  ; Inherit default values from a template
        host_name  DHK01_EDGE_SW   ; The name we're giving to the switch
        alias      DHK01_EDGE_SW   ; A longer name associated with the switch (directive names are lower-case)
        address    172.30.0.7      ; IP address of the switch
        hostgroups EDGE_SW         ; Host groups this switch belongs to
        }

4.1.2 Monitoring Packet Loss and RTA:
Now we can add some service definitions (to the same configuration file) to monitor different aspects of the switch.

Add the following service definition in order to monitor packet loss and round trip average between the Nagios host and the switch every 5 minutes under normal conditions.
define service{
        use                    generic-service ; Inherit values from a template
        host_name              DHK01_EDGE_SW  ; Must match the host_name of the host defined above
        service_description    PING           ; The service description
        check_command          check_ping!200.0,20%!600.0,60% ; The command used to monitor the service
        normal_check_interval  5       ; Check the service every 5 minutes under normal conditions
        retry_check_interval   1       ; Re-check the service every minute until its final/hard state is determined
        }
This service will be:
  • CRITICAL if the round trip average (RTA) is greater than 600 milliseconds or the packet loss is 60% or more.
  • WARNING if the RTA is greater than 200 ms or the packet loss is 20% or more.
  • OK if the RTA is less than 200 ms and the packet loss is less than 20%.
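As an added example (not code from this post or from Nagios itself), the Python snippet below parses object definitions written in the switch.cfg style above, flags the two slips that `nagios -v` rejects in such edits (a mis-cased directive such as "Alias", and a service whose host_name refers to a host that is never defined), and applies the OK/WARNING/CRITICAL rule just stated to check_ping thresholds. The sample configuration and the measured RTA/loss values are constructed.

```python
import re

# Directives valid in a host object (the subset used by the switch definition above).
HOST_DIRECTIVES = {"use", "host_name", "alias", "address", "hostgroups"}

# Constructed sample config (not the author's file). It reproduces two slips that
# Nagios rejects: a capitalised "Alias" directive and a service whose host_name
# names a switch that is never defined.
SAMPLE_CFG = """
define host {
        use        generic-switch  ; Inherit default values from template
        host_name  DHK01_EDGE_SW   ; The name we're giving to the switch
        Alias      DHK01_EDGE_SW   ; WRONG: directive names are case-sensitive
        address    172.30.0.7      ; IP address of the switch
        }

define service{
        use                    generic-service
        host_name              DHK31_EDGE_SW  ; WRONG: no such host is defined
        service_description    PING
        check_command          check_ping!200.0,20%!600.0,60%
        }
"""
PING_CMD = "check_ping!200.0,20%!600.0,60%"

def parse_objects(text):
    """Return a list of (object_type, {directive: value}) from Nagios object text."""
    objects = []
    for m in re.finditer(r"define\s+(\w+)\s*\{(.*?)\}", text, re.S):
        directives = {}
        for line in m.group(2).splitlines():
            line = line.split(";", 1)[0].strip()  # ';' starts an inline comment
            if line:
                parts = line.split(None, 1)
                directives[parts[0]] = parts[1].strip() if len(parts) > 1 else ""
        objects.append((m.group(1), directives))
    return objects

def validate(objects):
    """Report mis-cased host directives and services bound to undefined hosts."""
    problems = []
    hosts = {d.get("host_name") for t, d in objects if t == "host"}
    for t, d in objects:
        if t == "host":
            for key in d:
                if key not in HOST_DIRECTIVES and key.lower() in HOST_DIRECTIVES:
                    problems.append("host: directive '%s' must be lower-case" % key)
        elif t == "service" and d.get("host_name") not in hosts:
            problems.append("service '%s': host '%s' is not defined"
                            % (d.get("service_description"), d.get("host_name")))
    return problems

def ping_state(check_command, rta_ms, loss_pct):
    """Apply check_ping!<wrta>,<wpl>%!<crta>,<cpl>% using the rule stated above:
    CRITICAL if RTA > crta or loss >= cpl, WARNING if RTA > wrta or loss >= wpl."""
    _, warn, crit = check_command.split("!")
    (wrta, wpl), (crta, cpl) = [
        (float(p.split(",")[0]), float(p.split(",")[1].rstrip("%"))) for p in (warn, crit)]
    if rta_ms > crta or loss_pct >= cpl:
        return "CRITICAL"
    if rta_ms > wrta or loss_pct >= wpl:
        return "WARNING"
    return "OK"

def check_sample():
    """Run the validator over the constructed sample; returns the problem list."""
    return validate(parse_objects(SAMPLE_CFG))
```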


4.1.3 Monitoring SNMP Status Information:
If the switch or router supports SNMP, we can monitor a lot of information by using the check_snmp plugin. Add the following service definition to monitor the uptime of the switch.
define service{
        use                    generic-service ;Inherit values from template
        host_name              DHK01_EDGE_SW
        service_description    Uptime 
        check_command          check_snmp!-C public -o sysUpTime.0
        }
In the check_command directive of the service definition above, the "-C public" tells the plugin that the SNMP community name to be used is "public" and the "-o sysUpTime.0" indicates which OID should be checked.


If we want to ensure that a specific port/interface on the switch is in an up state, we could add a service definition like this:
define service{
        use                    generic-service ; Inherit values from a template
        host_name              DHK01_EDGE_SW
        service_description    Port 1 Link Status
        check_command          check_snmp!-C public -o ifOperStatus.1 -r 1 -m RFC1213-MIB
        }


Once we've added the new host and service definitions to the switch.cfg file, we're ready to start monitoring the router/switch. To do this, we'll need to verify our configuration and restart Nagios.
To verify the configuration, run Nagios with the -v command line option like so:
#/usr/local/nagios/bin/nagios -v /usr/local/nagios/etc/nagios.cfg

Restarting or reloading is necessary whenever we modify the configuration files and want those changes to take effect:
#/etc/rc.d/init.d/nagios reload
or
#service nagios restart


  Enjoy :)

Sunday, October 25, 2015

Installing SSL Certificate in Apache Jakarta Tomcat

What is an SSL Certificate:

SSL certificates are small data files that digitally bind a cryptographic key to an organization's details. When installed on a web server, a certificate activates the padlock and the https protocol (port 443) and allows secure connections from a web server to a browser. Typically, SSL is used to secure credit card transactions, data transfers and logins, and more recently it is becoming the norm for securing browsing of social media sites. An SSL certificate binds together:

  • A domain name, server name or hostname.
  • An organizational identity (i.e. company name) and location.

Objective:

We will install an SSL certificate for the my.abc.com.bd domain. Afterwards, all requests to http://my.abc.com.bd will be redirected to https://my.abc.com.bd

Scenario & Tested Environment:

Domain is: my.abc.com.bd
OS: Red Hat Enterprise Linux 5
Tomcat: jakarta-tomcat-4.1.24
Used Tool/Command: keytool (keytool is a key and certificate management utility)

Steps:

  1. CSR (Certificate Signing Request) Generation
  2. Submit CSR to CA (Certification Authority (CA) is an entity that issues digital certificates)
  3. Certificate Installation after receiving certificates from CA
  4. Apache Jakarta Tomcat Configuration Modification
  5. Restart Jakarta Tomcat Service


1. CSR (Certificate Signing Request) Generation:

What is a CSR? A CSR or Certificate Signing Request is a block of encrypted text that is generated on the server that the certificate will be used on. It contains information that will be included in your certificate such as your organization name, common name (domain name), locality, and country. It also contains the public key that will be included in your certificate. A private key is usually created at the same time that you create the CSR.

A CSR looks like this: a block of Base64 text between -----BEGIN CERTIFICATE REQUEST----- and -----END CERTIFICATE REQUEST----- lines.


[root@localhost]#/opt/jdk1.5.0_21/bin/keytool -genkey -keyalg RSA -keysize 2048 -keystore /opt/sslcert/my.abc.com.bd.keystore
Enter keystore password: abcbd123

What is your first and last name?
[Unknown]: my.abc.com.bd
What is the name of your organizational unit?
[Unknown]: IT/Technology
What is the name of your organization?
[Unknown]: ABC Technologies
What is the name of your City or Locality?
[Unknown]: Road # 2 House # 2 Gulshan # 2
What is the name of your State or Province?
[Unknown]: Dhaka
What is the two-letter country code for this unit?
[Unknown]: BD

Is CN=my.abc.com.bd, OU=IT/Technology, O=ABC Technologies, L=Road # 2 House # 2 Gulshan # 2, ST=Dhaka, C=BD correct?

[no]: yes

Enter key password for <mykey>
(RETURN if same as keystore password): abcbd123


This will generate a keystore file named my.abc.com.bd.keystore.
Using this keystore, we will generate the CSR file.

[root@localhost]#/opt/jdk1.5.0_21/bin/keytool -certreq -keyalg RSA -file /opt/sslcert/my.abc.com.bd.csr -keystore /opt/sslcert/my.abc.com.bd.keystore
Enter keystore password: abcbd123

[root@localhost]# ls
my.abc.com.bd.csr my.abc.com.bd.keystore

2. Submit CSR to CA

Send the necessary details, including the CSR, to the CA.


3. Certificate Installation

You will receive the following files from the CA:


  • AddTrustExternalCARoot.crt
  • my_abc_com_bd.crt
  • TrustedSecureCertificateAuthority5.crt
  • USERTrustRSAAddTrustCA.crt

Execute the following commands from the directory containing both the CSR and the keystore file. In our case the working directory is /opt/sslcert/

[root@localhost]#keytool -import -trustcacerts -alias AddTrustExternalCARoot -file AddTrustExternalCARoot.crt -keystore my.abc.com.bd.keystore

[root@localhost]#keytool -import -trustcacerts -alias TrustedSecureCertificateAuthority5 -file TrustedSecureCertificateAuthority5.crt -keystore my.abc.com.bd.keystore

[root@localhost]#keytool -import -trustcacerts -alias USERTrustRSAAddTrustCA -file USERTrustRSAAddTrustCA.crt -keystore my.abc.com.bd.keystore

[root@localhost]#keytool -import -trustcacerts -alias my.abc.com.bd -file my_abc_com_bd.crt -keystore my.abc.com.bd.keystore

[root@localhost]#keytool -import -trustcacerts -file my_abc_com_bd.crt -keystore my.abc.com.bd.keystore

This last import has no -alias, so it targets the default alias mykey that -genkey created; because that alias holds the private key, keytool installs the signed certificate as the certificate reply for that key rather than as a separate trusted entry. That is the entry the Tomcat connector will serve.


4. Jakarta Tomcat Configuration

Open the $TOMCAT_HOME/conf/server.xml file and add the entries below:

<!-- Define a non-SSL Coyote HTTP/1.1 Connector on port 80 -->
<Connector className="org.apache.coyote.tomcat4.CoyoteConnector"
port="80" minProcessors="30" maxProcessors="600"
enableLookups="false" redirectPort="8443"
acceptCount="100" debug="0" connectionTimeout="20000"
useURIValidationHack="false" disableUploadTimeout="true" strategy="ms" tcpNoDelay="true" />
<!-- Note : To disable connection timeouts, set connectionTimeout value to -1 -->
.............
.............
<!-- Define a SSL Coyote HTTP/1.1 Connector on port 8443 -->
<Connector address="1.2.3.4" className="org.apache.coyote.tomcat4.CoyoteConnector"
port="8443" minProcessors="10" maxProcessors="200"
enableLookups="true" acceptCount="100" debug="0" scheme="https" secure="true"
connectionTimeout="20000" useURIValidationHack="false" disableUploadTimeout="true">
<Factory className="org.apache.coyote.tomcat4.CoyoteServerSocketFactory"
clientAuth="false" keystoreFile="/opt/sslcert/my.abc.com.bd.keystore" keystorePass="abcbd123" keystoreType="JKS" protocol="TLS" randomFile="/opt/random.pem" rootFile="/opt/root.pem"/>
......
......
</Connector>


<Host name="1.2.3.4" debug="0" appBase="<Document root>"
unpackWARs="true" autoDeploy="true">
<Alias>my.abc.com.bd</Alias>
<Context path="" docBase="<Document root>" debug="0"
reloadable="true" crossContext="true" />
</Host>
.............
.............

Open the <Document Root>/WEB-INF/web.xml file and add the entries below:

<web-app>
.............
.............
<security-constraint>
<web-resource-collection>
<web-resource-name>Protected Context</web-resource-name>
<url-pattern>/*</url-pattern>
</web-resource-collection>
<!-- auth-constraint goes here if you require authentication -->
<user-data-constraint>
<transport-guarantee>CONFIDENTIAL</transport-guarantee>
</user-data-constraint>
</security-constraint>
.............
.............
.............
.............
</web-app>


5. Restart Jakarta Tomcat Service

[root@localhost]#sh $TOMCAT_HOME/bin/shutdown.sh
[root@localhost]#sh $TOMCAT_HOME/bin/startup.sh


Check the log file as well:
[root@localhost]#tail -f $TOMCAT_HOME/logs/catalina.out


Cheers :-) !!!

Saturday, October 24, 2015

Archive or Delete Old Files

With a single command in Linux, we can archive or delete thousands of files.

Objective: Delete PDF files that are more than 60 days old.


mtime
mtime is the file modification time. It is updated whenever you change the content of a file or save it.

For instance, the "/opt/jakarta-tomcat-4.1.24/temp/" directory contains old PDF files. We want to delete those that were last modified more than 60 days ago (the pattern is quoted so that find, not the shell, matches it; an unquoted glob would be expanded by the shell and can fail with thousands of files).

find /opt/jakarta-tomcat-4.1.24/temp/ -name '*.pdf' -mtime +60 -type f -exec rm -f {} \;


Objective: Archive PDF files that are more than 60 days old.

find /opt/jakarta-tomcat-4.1.24/temp/ -name '*.pdf' -mtime +60 -type f -exec mv -f {} /app/u04/logs/oldpdf/ \;
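As an added example (not from the post), here is a Python equivalent of the two find commands above with the age test written out explicitly: find counts -mtime in whole 24-hour periods and "+60" means strictly more than 60 of them, so a PDF modified 60 days and 22 hours ago is kept while one 61 days old is archived. The helper defaults to a dry run, which is the check worth making before pointing rm -f or mv -f at a directory. The temp directory, file names and ages are constructed.

```python
import os
import shutil
import tempfile
import time
import fnmatch

DAY = 24 * 60 * 60

def mtime_days(path, now=None):
    """Age of a file in whole days, counted the way find's -mtime counts it
    (the fractional part of the age is dropped)."""
    now = time.time() if now is None else now
    return int((now - os.stat(path).st_mtime) // DAY)

def matches_mtime_plus(path, days, now=None):
    """True if the file satisfies find's '-mtime +days' (strictly more than days)."""
    return mtime_days(path, now) > days

def archive_old(src_dir, pattern, days, dest_dir=None, dry_run=True, now=None):
    """Move (or delete, when dest_dir is None) regular files directly under src_dir
    whose name matches pattern and which are older than `days` whole days.
    Returns the paths that were (or, on a dry run, would be) acted on."""
    acted = []
    for name in sorted(os.listdir(src_dir)):
        path = os.path.join(src_dir, name)
        if not os.path.isfile(path) or not fnmatch.fnmatch(name, pattern):
            continue  # mirrors '-type f' and '-name pattern'
        if not matches_mtime_plus(path, days, now):
            continue
        acted.append(path)
        if dry_run:
            continue
        if dest_dir is None:
            os.remove(path)
        else:
            os.makedirs(dest_dir, exist_ok=True)
            shutil.move(path, os.path.join(dest_dir, name))
    return acted

def demo():
    """Constructed scenario: PDFs aged 30, 60.9 and 61.1 days plus a 90-day .txt file.
    Only old.pdf (at least 61 full days old) matches "*.pdf -mtime +60"."""
    base = tempfile.mkdtemp()
    temp = os.path.join(base, "temp")
    os.makedirs(temp)
    now = time.time()
    ages = {"recent.pdf": 30, "borderline.pdf": 60.9, "old.pdf": 61.1, "old.txt": 90}
    for name, age in ages.items():
        path = os.path.join(temp, name)
        open(path, "w").close()
        os.utime(path, (now - age * DAY, now - age * DAY))  # back-date the mtime
    planned = archive_old(temp, "*.pdf", 60, now=now)  # dry run: nothing moves yet
    moved = archive_old(temp, "*.pdf", 60, os.path.join(base, "oldpdf"),
                        dry_run=False, now=now)
    remaining = sorted(os.listdir(temp))
    shutil.rmtree(base)
    return ([os.path.basename(p) for p in planned],
            [os.path.basename(p) for p in moved], remaining)

if __name__ == "__main__":
    print(demo())
```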


Objective: Archive all files from one server to another.

Source location: /opt/RadiusCDR/CSV/10.10.0.69/
Destination location: /app/u03/rman_backup/Radius_CSV_Backup/10.10.0.69/
Destination IP: 10.10.10.3


find /opt/RadiusCDR/CSV/10.10.0.69 -name 'CDRs_2012-12-*' -type f -exec scp {} root@10.10.10.3:/app/u03/rman_backup/Radius_CSV_Backup/10.10.0.69/ \;


Cheers!!

Tuesday, October 20, 2015

Configuring Host Grapher in Windows

What is Host Grapher?
Host Grapher is a very light and effective program for gathering host statistics like CPU, memory and processes. It has been written to be light and fast. One difference from other programs is that instead of the server doing all the work of asking the clients for information, it is the client's task to tell the server its own info. There will be clients for Linux, FreeBSD, Solaris, Windows and Tru64. There will also be a gateway program to include routers. Here is a screenshot.

How does it work?
First install the server on one machine, then install the client on the clients. On Unix the client uses the crontab facility; on Windows it is installed as a service. Security has not been an issue yet, so there is a simple general password authentication. Before records are kept, the client has to issue a registration request.

To install on the Windows platform, download the Server & Client software from the site:
  • Configure the Host Grapher Server
1) After downloading the .zip file, extract it to C:\ (e.g. C:\GrapherServer)
2) Go to C:\GrapherServer\etc. You have to edit the following two files:
          – apache.txt
          – password.txt
3) apache.txt contains the main data needed to put Apache to work: define the Port, ServerAdmin Email and ServerName. Please note that if you are already running an HTTP server on the machine then you cannot reuse port 80. Choose another port like 8080.
4) password.txt contains a simple plain-text password for client authentication. Put in a password for the clients to authenticate with.
5) Now change back to C:\GrapherServer and double-click install.bat. The script will install the following two services:
          – inetd
          – hg2apache

6) If everything worked fine then you should be able to reach the following URL: http://localhost/ or http://localhost:port/ (the port number you mentioned in apache.txt)
  • Configure the Clients
1) Uncompress the downloaded files to C:\Grapher2
2) Edit the file C:\grapher2\grapher.conf
3) Save and exit the file.
4) Run info.bat to find out which network cards you have on your machine.
5) Run install.bat
6) Run register.bat
N.B:
// register.bat -> will reset all information and register the client on the server; this has to be run at least once.
// upgrade.bat  -> run this when you change anything in the config file
// info.bat     -> will give you information about the program.
Cheers!!!

Add New Disk Space to a Virtual Machine in Linux - in VMware

Among the many FAQs, a very familiar question about VMs is how to add new disks. Here are the plain and simple steps to do that:
Objective: Add new disk space to a virtual machine in Linux.
Step 1: Open/Edit virtual machine settings:
Select your virtual machine, and press "Edit virtual machine settings"

Step 2: Add new hardware:
From Hardware section click “Add” > “Next”

Step 3: Select new Hard Disk:
From Hardware type select Hard Disk and click “Next”

Step 4: Create the Disk Type:
The recommended virtual disk type is SCSI (don't know why :-P). Select the disk type from the available options:

Step 5: Set Disk Capacity & Options:
Now set the capacity you want to create. One of the nice features of VMware is that you don't have to allocate all of the disk space when you create the disk. So if you create a 20GB disk it won't take all the space right away (unless you check the box); the disk will grow as your virtual machine needs it. Lastly, you can split the files into 2GB pieces; while this isn't necessary, it makes the disks much easier to manage and move around. In this example we are adding 20GB.

Step 6: Specify VM Disk File:

Step 7: Ensure the newly added disk exists in the Hardware list:

Step 8: Boot & power on the virtual machine.
Step 9: Create a new partition:
Log in as root. In Linux the first SCSI drive is sda, the second sdb, the third sdc, etc. Since this was the second SCSI drive we added to the VM, the device is known as /dev/sdb
[root@localhost ~]# fdisk /dev/sdb
Press m for help
To create a new partition, press n
This is going to be a primary partition, so press p
Partition number is 1
Enter first cylinder number:
Enter last cylinder number: +20480M (because our disk size is 20GB)
Press w to write and save the partition table.
Step 10: Format the partition:
Now we have to create a file system on the new partition. We've decided to use the ext3 file system for the newly added disk.
[root@localhost ~]# mkfs -t ext3 /dev/sdb1
The command above creates an ext3 file system on the /dev/sdb1 partition (-t fstype; see man mkfs).
Step 11: Create a mount point for the new partition:
Create a new directory named app under /
[root@localhost ~]# mkdir -p /app
[root@localhost ~]# mount -t ext3 /dev/sdb1 /app
Check whether the partition is properly mounted by running the following command:
[root@localhost ~]# df -kh
Step 12: Edit /etc/fstab for a permanent entry:
The mount won't be permanent unless you add an /etc/fstab entry:
/dev/sdb1 /app ext3 defaults 1 1
Cheers :) !!
