2014-05-23 01:01:06 +02:00
# <a id="troubleshooting"></a> Icinga 2 Troubleshooting
## <a id="troubleshooting-information-required"></a> Which information is required
2015-02-25 15:33:11 +01:00
* Run `icinga2 troubleshoot` to collect required troubleshooting information
* Alternative, manual steps:
* `icinga2 --version`
* `icinga2 feature list`
* `icinga2 daemon --validate`
* Relevant output from your main and debug log ( `icinga2 object list --type='filelogger'` )
* The newest Icinga 2 crash log, if relevant
* Your icinga2.conf and, if you run multiple Icinga 2 instances, your zones.conf
2015-02-25 15:01:03 +01:00
* How was Icinga 2 installed (and which repository in case) and which distribution are you using
2014-05-23 01:01:06 +02:00
* Provide complete configuration snippets explaining your problem in detail
* If the check command failed - what's the output of your manual plugin tests?
2015-03-07 15:52:56 +01:00
* In case of [debugging ](21-debug.md#debug ) Icinga 2, the full back traces and outputs
2014-05-23 01:01:06 +02:00
2014-05-23 11:56:30 +02:00
## <a id="troubleshooting-enable-debug-output"></a> Enable Debug Output
2015-07-14 09:19:49 +02:00
Enable the `debuglog` feature:
# icinga2 feature enable debuglog
# service icinga2 restart
You can find the debug log file in `/var/log/icinga2/debug.log` .
Alternatively you may run Icinga 2 in the foreground with debugging enabled. Specify the console
2014-05-29 11:58:25 +02:00
log severity as an additional parameter argument to `-x` .
2014-05-23 11:56:30 +02:00
2015-01-21 08:01:49 +01:00
# /usr/sbin/icinga2 daemon -x notice
The log level can be one of `critical` , `warning` , `information` , `notice`
and `debug` .
2014-05-23 11:56:30 +02:00
2014-08-27 14:32:40 +02:00
## <a id="list-configuration-objects"></a> List Configuration Objects
2015-01-21 08:01:49 +01:00
The `icinga2 object list` CLI command can be used to list all configuration objects and their
2014-11-01 21:35:48 +01:00
attributes. The tool also shows where each of the attributes was modified.
2015-03-07 15:52:56 +01:00
That way you can also identify which objects have been created from your [apply rules ](19-language-reference.md#apply ).
2014-08-27 14:32:40 +02:00
2014-10-15 14:29:29 +02:00
# icinga2 object list
Object 'localhost!ssh' of type 'Service':
* __name = 'localhost!ssh'
* check_command = 'ssh'
% = modified in '/etc/icinga2/conf.d/hosts/localhost/ssh.conf', lines 5:3-5:23
* check_interval = 60
% = modified in '/etc/icinga2/conf.d/templates.conf', lines 24:3-24:21
* host_name = 'localhost'
% = modified in '/etc/icinga2/conf.d/hosts/localhost/ssh.conf', lines 4:3-4:25
* max_check_attempts = 3
% = modified in '/etc/icinga2/conf.d/templates.conf', lines 23:3-23:24
* name = 'ssh'
* retry_interval = 30
% = modified in '/etc/icinga2/conf.d/templates.conf', lines 25:3-25:22
* templates = [ 'ssh', 'generic-service' ]
% += modified in '/etc/icinga2/conf.d/hosts/localhost/ssh.conf', lines 1:0-7:1
% += modified in '/etc/icinga2/conf.d/templates.conf', lines 22:1-26:1
* type = 'Service'
* vars
% += modified in '/etc/icinga2/conf.d/hosts/localhost/ssh.conf', lines 6:3-6:19
* sla = '24x7'
% = modified in '/etc/icinga2/conf.d/hosts/localhost/ssh.conf', lines 6:3-6:19
2014-08-27 14:32:40 +02:00
[...]
2015-01-21 08:01:49 +01:00
You can also filter by name and type:
2014-10-15 14:29:29 +02:00
# icinga2 object list --name *ssh* --type Service
Object 'localhost!ssh' of type 'Service':
* __name = 'localhost!ssh'
* check_command = 'ssh'
% = modified in '/etc/icinga2/conf.d/hosts/localhost/ssh.conf', lines 5:3-5:23
* check_interval = 60
% = modified in '/etc/icinga2/conf.d/templates.conf', lines 24:3-24:21
* host_name = 'localhost'
% = modified in '/etc/icinga2/conf.d/hosts/localhost/ssh.conf', lines 4:3-4:25
* max_check_attempts = 3
% = modified in '/etc/icinga2/conf.d/templates.conf', lines 23:3-23:24
* name = 'ssh'
* retry_interval = 30
% = modified in '/etc/icinga2/conf.d/templates.conf', lines 25:3-25:22
* templates = [ 'ssh', 'generic-service' ]
% += modified in '/etc/icinga2/conf.d/hosts/localhost/ssh.conf', lines 1:0-7:1
% += modified in '/etc/icinga2/conf.d/templates.conf', lines 22:1-26:1
* type = 'Service'
* vars
% += modified in '/etc/icinga2/conf.d/hosts/localhost/ssh.conf', lines 6:3-6:19
* sla = '24x7'
% = modified in '/etc/icinga2/conf.d/hosts/localhost/ssh.conf', lines 6:3-6:19
2014-11-01 21:35:48 +01:00
2014-10-15 14:29:29 +02:00
Found 1 Service objects.
2014-11-01 21:35:48 +01:00
2014-10-15 14:29:29 +02:00
[2014-10-15 14:27:19 +0200] information/cli: Parsed 175 objects.
2015-01-22 16:09:28 +01:00
## <a id="check-command-definitions"></a> Where are the check command definitions?
2014-11-01 21:35:48 +01:00
2015-02-11 11:51:58 +01:00
Icinga 2 features a number of built-in [check command definitions ](7-icinga-template-library.md#plugin-check-commands ) which are
2014-11-01 21:35:48 +01:00
included using
include < itl >
include < plugins >
2015-06-16 16:01:02 +02:00
in the [icinga2.conf ](4-configuring-icinga-2.md#icinga2-conf ) configuration file. These files are not considered configuration files and will be overridden
2015-01-21 08:01:49 +01:00
on upgrade, so please send modifications as proposed patches upstream. The default include path is set to
2014-11-01 21:35:48 +01:00
`LocalStateDir + "/share/icinga2/includes"` .
2014-10-15 14:29:29 +02:00
2014-11-01 21:35:48 +01:00
You should add your own command definitions to a new file in `conf.d/` called `commands.conf`
or similar.
2014-08-27 14:32:40 +02:00
2014-05-23 01:01:06 +02:00
## <a id="checks-not-executed"></a> Checks are not executed
2014-05-29 11:58:25 +02:00
* Check the debug log to see if the check command gets executed
* Verify that failed depedencies do not prevent command execution
2014-05-23 01:01:06 +02:00
* Make sure that the plugin is executable by the Icinga 2 user (run a manual test)
2015-02-11 11:51:58 +01:00
* Make sure the [checker ](8-cli-commands.md#features ) feature is enabled.
2014-05-23 01:01:06 +02:00
2014-08-22 15:42:01 +02:00
Examples:
2014-05-23 01:01:06 +02:00
2014-08-22 15:42:01 +02:00
# sudo -u icinga /usr/lib/nagios/plugins/check_ping -4 -H 127.0.0.1 -c 5000,100% -w 3000,80%
2014-05-29 15:34:01 +02:00
2014-10-14 18:32:15 +02:00
# icinga2 feature enable checker
2014-05-29 15:34:01 +02:00
The feature 'checker' is already enabled.
2014-05-23 01:01:06 +02:00
## <a id="notifications-not-sent"></a> Notifications are not sent
2014-05-29 11:58:25 +02:00
* Check the debug log to see if a notification is triggered
2014-05-23 01:01:06 +02:00
* If yes, verify that all conditions are satisfied
2014-05-29 11:58:25 +02:00
* Are any errors on the notification command execution logged?
2014-05-23 01:01:06 +02:00
Verify the following configuration
2014-10-28 21:43:20 +01:00
* Is the host/service `enable_notifications` attribute set, and if, to which value?
2014-05-23 01:01:06 +02:00
* Do the notification attributes `states` , `types` , `period` match the notification conditions?
* Do the user attributes `states` , `types` , `period` match the notification conditions?
* Are there any notification `begin` and `end` times configured?
2015-02-11 11:51:58 +01:00
* Make sure the [notification ](8-cli-commands.md#features ) feature is enabled.
2014-08-22 15:42:01 +02:00
* Does the referenced NotificationCommand work when executed as Icinga user on the shell?
2014-10-28 21:43:20 +01:00
If notifications are to be sent via mail make sure that the mail program specified exists.
The name and location depends on the distribution so the preconfigured setting might have to be
changed on your system.
2014-08-22 15:42:01 +02:00
Examples:
2014-05-29 15:34:01 +02:00
2014-10-14 18:32:15 +02:00
# icinga2 feature enable notification
2014-05-29 15:34:01 +02:00
The feature 'notification' is already enabled.
2014-05-23 01:01:06 +02:00
## <a id="feature-not-working"></a> Feature is not working
2014-05-29 11:58:25 +02:00
* Make sure that the feature configuration is enabled by symlinking from `features-available/`
2015-06-16 16:01:02 +02:00
to `features-enabled` and that the latter is included in [icinga2.conf ](4-configuring-icinga-2.md#icinga2-conf ).
2014-05-23 01:01:06 +02:00
* Are the feature attributes set correctly according to the documentation?
* Any errors on the logs?
2014-05-23 16:24:11 +02:00
## <a id="configuration-ignored"></a> Configuration is ignored
2015-03-07 15:52:56 +01:00
* Make sure that the line(s) are not [commented out ](19-language-reference.md#comments ) (starting with `//` or `#` , or
2014-05-29 16:54:57 +02:00
encapsulated by `/* ... */` ).
2015-06-16 16:01:02 +02:00
* Is the configuration file included in [icinga2.conf ](4-configuring-icinga-2.md#icinga2-conf )?
2014-05-23 16:24:11 +02:00
2014-05-23 01:01:06 +02:00
## <a id="configuration-attribute-inheritance"></a> Configuration attributes are inherited from
2015-03-07 15:52:56 +01:00
Icinga 2 allows you to import templates using the [import ](19-language-reference.md#template-imports ) keyword. If these templates
2014-05-29 11:58:25 +02:00
contain additional attributes, your objects will automatically inherit them. You can override
2014-05-23 01:01:06 +02:00
or modify these attributes in the current object.
2014-08-01 16:47:14 +02:00
## <a id="troubleshooting-cluster"></a> Cluster Troubleshooting
2015-06-15 20:10:58 +02:00
This applies to anything using the cluster protocol:
* [Distributed and High-Availability ](12-distributed-monitoring-ha.md#distributed-monitoring-high-availability ) scenarios
* [Remote client ](10-icinga2-client.md#icinga2-client-scenarios ) scenarios
2015-03-07 15:52:56 +01:00
You should configure the [cluster health checks ](12-distributed-monitoring-ha.md#cluster-health-check ) if you haven't
2014-08-01 16:47:14 +02:00
done so already.
> **Note**
>
> Some problems just exist due to wrong file permissions or packet filters applied. Make
> sure to check these in the first place.
### <a id="troubleshooting-cluster-connection-errors"></a> Cluster Troubleshooting Connection Errors
General connection errors normally lead you to one of the following problems:
* Wrong network configuration
* Packet loss on the connection
* Firewall rules preventing traffic
Use tools like `netstat` , `tcpdump` , `nmap` , etc to make sure that the cluster communication
happens (default port is `5665` ).
# tcpdump -n port 5665 -i any
2014-08-22 15:42:01 +02:00
2014-08-01 16:47:14 +02:00
# netstat -tulpen | grep icinga
# nmap yourclusternode.localdomain
### <a id="troubleshooting-cluster-ssl-errors"></a> Cluster Troubleshooting SSL Errors
2015-06-15 20:10:58 +02:00
If the cluster communication fails with SSL error messages, make sure to check
2014-08-01 16:47:14 +02:00
the following
* File permissions on the SSL certificate files
2014-08-22 15:42:01 +02:00
* Does the used CA match for all cluster endpoints?
2015-06-15 20:10:58 +02:00
* Verify the `Issuer` being your trusted CA
* Verify the `Subject` containing your endpoint's common name (CN)
* Check the validity of the certificate itself
2014-08-01 16:47:14 +02:00
2015-07-14 09:19:49 +02:00
Steps on the client `icinga2-node2.localdomain` :
2014-08-01 16:47:14 +02:00
2014-08-22 15:42:01 +02:00
# ls -la /etc/icinga2/pki
2014-08-01 16:47:14 +02:00
2015-06-15 20:10:58 +02:00
# cd /etc/icinga2/pki/
2015-07-14 09:19:49 +02:00
# openssl x509 -in icinga2-node2.localdomain.crt -text
2015-06-15 20:10:58 +02:00
Certificate:
Data:
Version: 1 (0x0)
Serial Number: 2 (0x2)
Signature Algorithm: sha1WithRSAEncryption
Issuer: C=DE, ST=Bavaria, L=Nuremberg, O=NETWAYS GmbH, OU=Monitoring, CN=Icinga CA
Validity
Not Before: Jan 7 13:17:38 2014 GMT
Not After : Jan 5 13:17:38 2024 GMT
2015-07-14 09:19:49 +02:00
Subject: C=DE, ST=Bavaria, L=Nuremberg, O=NETWAYS GmbH, OU=Monitoring, CN=icinga2-node2.localdomain
2015-06-15 20:10:58 +02:00
Subject Public Key Info:
Public Key Algorithm: rsaEncryption
Public-Key: (4096 bit)
Modulus:
...
2015-07-14 09:19:49 +02:00
Try to manually connect from `icinga2-node2.localdomain` to the master node `icinga2-node1.localdomain` :
# openssl s_client -CAfile /etc/icinga2/pki/ca.crt -cert /etc/icinga2/pki/icinga2-node2.localdomain.crt -key /etc/icinga2/pki/icinga2-node2.localdomain..key -connect icinga2-node1.localdomain.crt:5665
CONNECTED(00000003)
---
...
2015-06-15 20:10:58 +02:00
2015-07-14 09:19:49 +02:00
If the connection attempt fails or your CA does not match, [verify the master and client certificates ](16-troubleshooting.md#troubleshooting-cluster-ssl-certificate-verification ).
2015-06-15 20:10:58 +02:00
2015-07-14 09:19:49 +02:00
#### <a id="troubleshooting-cluster-unauthenticated-clients"></a> Cluster Troubleshooting Unauthenticated Clients
2015-06-15 20:10:58 +02:00
Unauthenticated nodes are able to connect required by the
[CSR auto-signing ](10-icinga2-client.md#csr-autosigning-requirements ) functionality.
2015-07-14 09:19:49 +02:00
Master:
2015-06-15 20:10:58 +02:00
2015-07-14 09:19:49 +02:00
[2015-07-13 18:29:25 +0200] information/ApiListener: New client connection for identity 'icinga-client' (unauthenticated)
2015-06-24 13:34:34 +02:00
2015-07-14 09:19:49 +02:00
Client as command execution bridge:
2015-06-15 20:10:58 +02:00
2015-07-14 09:19:49 +02:00
[2015-07-13 18:29:26 +1000] notice/ApiEvents: Discarding 'execute command' message from 'icinga-master': Invalid endpoint origin (client not allowed).
If these messages do not go away, make sure to [verify the master and client certificates ](16-troubleshooting.md#troubleshooting-cluster-ssl-certificate-verification ).
#### <a id="troubleshooting-cluster-ssl-certificate-verification"></a> Cluster Troubleshooting SSL Certificate Verification
Make sure to verify the client's certificate and its received `ca.crt` in `/etc/icinga2/pki` and ensure that
both instances are signed by the **same CA** .
# openssl verify -verbose -CAfile /etc/icinga2/pki/ca.crt /etc/icinga2/pki/icinga2-node1.localdomain.crt
icinga2-node1.localdomain.crt: OK
# openssl verify -verbose -CAfile /etc/icinga2/pki/ca.crt /etc/icinga2/pki/icinga2-node2.localdomain.crt
icinga2-node2.localdomain.crt: OK
Fetch the `ca.crt` file from the client node and compare it to your master's `ca.crt` file:
# scp icinga2-node2:/etc/icinga2/pki/ca.crt test-client-ca.crt
# diff -ur /etc/icinga2/pki/ca.crt test-client-ca.crt
On SLES11 you'll need to use the `openssl1` command instead of `openssl` .
2014-08-01 16:47:14 +02:00
### <a id="troubleshooting-cluster-message-errors"></a> Cluster Troubleshooting Message Errors
At some point, when the network connection is broken or gone, the Icinga 2 instances
will be disconnected. If the connection can't be re-established between zones and endpoints,
they remain in a Split-Brain-mode and history may differ.
2015-07-14 09:19:49 +02:00
Although the Icinga 2 cluster protocol stores historical events in a [replay log ](16-troubleshooting.md#troubleshooting-cluster-replay-log )
for later synchronisation, you should make sure to check why the network connection failed.
2014-08-01 16:47:14 +02:00
2015-06-15 20:10:58 +02:00
### <a id="troubleshooting-cluster-command-endpoint-errors"></a> Cluster Troubleshooting Command Endpoint Errors
Command endpoints can be used for clients acting as [remote command execution bridge ](10-icinga2-client.md#icinga2-client-configuration-command-bridge )
as well as inside an [High-Availability cluster ](12-distributed-monitoring-ha.md#distributed-monitoring-high-availability ).
There is no cli command for manually executing the check, but you can verify
the following (e.g. by invoking a forced check from the web interface):
2015-07-14 09:19:49 +02:00
* `/var/log/icinga2/icinga2.log` contains connection and execution errors.
* The ApiListener is not enabled to [accept commands ](10-icinga2-client.md#clients-as-command-execution-bridge ).
* `CheckCommand` definition not found on the remote client.
* Referenced check plugin not found on the remote client.
* Runtime warnings and errors, e.g. unresolved runtime macros or configuration problems.
* Specific error messages are also populated into `UNKNOWN` check results including a detailed error message in their output.
* More verbose logs are found inside the [debug log ](16-troubleshooting.md#troubleshooting-enable-debug-output ).
2015-06-15 20:10:58 +02:00
2014-08-24 11:21:54 +02:00
### <a id="troubleshooting-cluster-config-sync"></a> Cluster Troubleshooting Config Sync
If the cluster zones do not sync their configuration, make sure to check the following:
* Within a config master zone, only one configuration master is allowed to have its config in `/etc/icinga2/zones.d` .
2015-07-14 09:19:49 +02:00
** The master syncs the configuration to `/var/lib/icinga2/api/zones/` during startup and only syncs valid configuration to the other nodes.
** The other nodes receive the configuration into `/var/lib/icinga2/api/zones/` .
* The `icinga2.log` log file in `/var/log/icinga2` will indicate whether this ApiListener
[accepts config ](12-distributed-monitoring-ha.md#zone-config-sync-permissions ), or not.
### <a id="troubleshooting-cluster-replay-log"></a> Cluster Troubleshooting Replay Log
If your `/var/lib/icinga2/api/log` directory grows, it generally means that your cluster
cannot replay the log on connection loss and re-establishment.
Check the following:
* All clients are connected? (e.g. [cluster health check ](12-distributed-monitoring-ha.md#cluster-health-check )).
* Check your [connection ](16-troubleshooting.md#troubleshooting-cluster-connection-errors ) in general.
* Does the log replay work, e.g. are all events processed and the directory gets cleared up over time?
* Decrease the `log_duration` attribute value for that specific [endpoint ](6-object-types.md#objecttype-endpoint ).