# Monitoring Remote Instances ## Agent-less Checks If the remote service is available using a network protocol and port, and a [check plugin](#setting-up-check-plugins) is available, you don't necessarily need a local client installed. Rather choose a plugin and configure all parameters and thresholds. The [Icinga 2 Template Library](#itl) already ships various examples. ## Agent-based Checks If the remote services are not directly accessible through the network, a local agent installation exposing the results to check queries can become handy. ### SNMP The SNMP daemon runs on the remote system and answers SNMP queries by plugin binaries. The [Monitoring Plugins package](#setting-up-check-plugins) ships the `check_snmp` plugin binary, but there are plenty of [existing plugins](#integrate-additional-plugins) for specific use cases already around, for example monitoring Cisco routers. The following example uses the [SNMP ITL](#itl-snmp) `CheckCommand` and just overrides the `oid` custom attribute. A service is created for all hosts which have the `community` custom attribute. apply Service "uptime" { import "generic-service" check_command = "snmp" vars.oid = "1.3.6.1.2.1.1.3.0" assign where host.vars.community } ### SSH Calling a plugin using the SSH protocol to execute a plugin on the remote server fetching its return code and output. `check_by_ssh` is available in the [Monitoring Plugins package](#setting-up-check-plugins). object CheckCommand "check_by_ssh_swap" { import "plugin-check-command" command = [ PluginDir + "/check_by_ssh", "-l", "remoteuser", "-H", "$address$", "-C", "\"/usr/local/icinga/libexec/check_swap -w $warn$ -c $crit$\"" ] } object Service "swap" { import "generic-service" host_name = "remote-ssh-host" check_command = "check_by_ssh_swap" vars = { "warn" = "50%" "crit" = "75%" } } ### NRPE [NRPE](http://docs.icinga.org/latest/en/nrpe.html) runs as daemon on the remote client including the required plugins and command definitions. Icinga 2 calls the `check_nrpe` plugin binary in order to query the configured command on the remote client. The NRPE daemon uses its own configuration format in nrpe.cfg while `check_nrpe` can be embedded into the Icinga 2 `CheckCommand` configuration syntax. Example: object CheckCommand "check_nrpe" { import "plugin-check-command" command = [ PluginDir + "/check_nrpe", "-H", "$address$", "-c", "$remote_nrpe_command$", ] } object Service "users" { import "generic-service" host_name = "remote-nrpe-host" check_command = "check_nrpe" vars.remote_nrpe_command = "check_users" } nrpe.cfg: command[check_users]=/usr/local/icinga/libexec/check_users -w 5 -c 10 ### NSClient++ [NSClient++](http://nsclient.org) works on both Windows and Linux platforms and is well known for its magnificent Windows support. There are alternatives like the WMI interface, but using `NSClient++` will allow you to run local scripts similar to check plugins fetching the required output and performance counters. The NSClient++ agent uses its own configuration format while `check_nt` can be embedded into the Icinga 2 `CheckCommand` configuration syntax. Example: object CheckCommand "check_nscp" { import "plugin-check-command" command = [ PluginDir + "/check_nt", "-H", "$address$", "-p", "$port$", "-v", "$remote_nscp_command$", "-l", "$partition$", "-w", "$warn$", "-c", "$crit$", "-s", "$pass$" ] vars = { "port" = "12489" "pass" = "supersecret" } } object Service "users" { import "generic-service" host_name = "remote-windows-host" check_command = "check_nscp" vars += { remote_nscp_command = "USEDDISKSPACE" partition = "c" warn = "70" crit = "80" } } For details on the `NSClient++` configuration please refer to the [official documentation](http://www.nsclient.org/nscp/wiki/doc/configuration/0.4.x). > **Note** > > The format of the `NSClient++` configuration file has changed from 0.3.x to 0.4! ### Icinga 2 Agent A dedicated Icinga 2 agent supporting all platforms and using the native Icinga 2 communication protocol supported with SSL certificates, IPv4/IPv6 support, etc. is on the [development roadmap](https://dev.icinga.org/projects/i2?jump=issues). Meanwhile remote checkers in a [Cluster](#cluster) setup could act as immediate replacement, but without any local configuration - or pushing their standalone configuration back to the master node including their check result messages. ### Passive Check Results and SNMP Traps SNMP Traps can be received and filtered by using [SNMPTT](http://snmptt.sourceforge.net/) and specific trap handlers passing the check results to Icinga 2. > **Note** > > The host and service object configuration must be available on the Icinga 2 > server in order to process passive check results. ### NSCA-NG [NSCA-ng](http://www.nsca-ng.org) provides a client-server pair that allows the remote sender to push check results into the Icinga 2 `ExternalCommandListener` feature. The [Icinga 2 Vagrant Demo VM](#vagrant) ships a demo integration and further samples. ## Distributed Monitoring An Icinga 2 cluster consists of two or more nodes and can reside on multiple architectures. The base concept of Icinga 2 is the possibility to add additional features using components. In case of a cluster setup you have to add the cluster feature to all nodes. Before you start configuring the diffent nodes it's necessary to setup the underlying communication layer based on SSL. ### Certificate Authority and Certificates Icinga 2 comes with two scripts helping you to create CA and node certificates for you Icinga 2 Cluster. The first step is the creation of CA using the following command: icinga2-build-ca Please make sure to export a variable containing an empty folder for the created CA files: export ICINGA_CA="/root/icinga-ca" In the next step you have to create a certificate and a key file for every node using the following command: icinga2-build-key icinga2a Please create a certificate and a key file for every node in the Icinga 2 Cluster and save the CA key in case you want to set up certificates for additional nodes at a later date. ### Enable the Cluster Configuration Until the cluster-component is moved into an independent feature you have to enable the required libraries in the icinga2.conf configuration file: library "cluster" ### Configure the Icinga Node Name Instead of using the default FQDN as node name you can optionally set that value using the [NodeName](#global-constants) constant. This setting must be unique on each cluster node, and must also match the name of the local [Endpoint](#objecttype-endpoint) object and the SSL certificate common name. const NodeName = "icinga2a" Read further about additional [naming conventions](#cluster-naming-convention). Not specifying the node name will default to FQDN. Make sure that all configured endpoint names and set common names are in sync. ### Configure the ClusterListener Object The ClusterListener needs to be configured on every node in the cluster with the following settings: Configuration Setting |Value -------------------------|------------------------------------ ca_path | path to ca.crt file cert_path | path to server certificate key_path | path to server key bind_port | port for incoming and outgoing conns peers | array of all reachable nodes ------------------------- ------------------------------------ A sample config part can look like this: /** * Load cluster library and configure ClusterListener using certificate files */ library "cluster" object ClusterListener "cluster" { ca_path = "/etc/icinga2/ca/ca.crt" cert_path = "/etc/icinga2/ca/icinga2a.crt" key_path = "/etc/icinga2/ca/icinga2a.key" bind_port = 8888 peers = [ "icinga2b" ] } The certificate files must be readable by the user Icinga 2 is running as. Also, the private key file should not be world-readable. Peers configures the direction used to connect multiple nodes together. If have a three node cluster consisting of * node-1 * node-2 * node-3 and `node-3` is only reachable from `node-2`, you have to consider this in your peer configuration. ### Configure Cluster Endpoints In addition to the configured port and hostname every endpoint can have specific abilities to send configuration files to other nodes and limit the hosts allowed to send configuration files. Configuration Setting |Value -------------------------|------------------------------------ host | hostname port | port accept_config | all nodes allowed to send configuration config_files | all files sent to that node - MUST BE AN ABSOLUTE PATH config_files_recursive | all files in a directory recursively sent to that node ------------------------- ------------------------------------ A sample config part can look like this: /** * Configure config master endpoint */ object Endpoint "icinga2a" { host = "icinga2a.localdomain" port = 8888 config_files_recursive = ["/etc/icinga2/conf.d"] } If you update the configuration files on the configured file sender, it will force a restart on all receiving nodes after validating the new config. A sample config part for a config receiver endpoint can look like this: /** * Configure config receiver endpoint */ object Endpoint "icinga2b" { host = "icinga2b.localdomain" port = 8888 accept_config = [ "icinga2a" ] } By default these configuration files are saved in /var/lib/icinga2/cluster/config. In order to load configuration files which were received from a remote Icinga 2 instance you will have to add the following include directive to your `icinga2.conf` configuration file: include_recursive LocalStateDir + "/lib/icinga2/cluster/config" ### Cluster Naming Convention The SSL certificate common name (CN) will be used by the [ClusterListener](pbjecttype-clusterlistener) object to determine the local authority. This name must match the local [Endpoint](#objecttype-endpoint) object name. Example: # icinga2-build-key icinga2a ... Common Name (e.g. server FQDN or YOUR name) [icinga2a]: # vim cluster.conf object Endpoint "icinga2a" { host = "icinga2a.localdomain" port = 8888 } The [Endpoint](#objecttype-endpoint) name is further referenced as `peers` attribute on the [ClusterListener](pbjecttype-clusterlistener) object. object Endpoint "icinga2b" { host = "icinga2b.localdomain" port = 8888 } object ClusterListener "cluster" { ca_path = "/etc/icinga2/ca/ca.crt" cert_path = "/etc/icinga2/ca/icinga2a.crt" key_path = "/etc/icinga2/ca/icinga2a.key" bind_port = 8888 peers = [ "icinga2b" ] } Specifying the local node name using the [NodeName](#global-constants) variable requires the same name as used for the endpoint name and common name above. If not set, the FQDN is used. const NodeName = "icinga2a" ### Initial Cluster Sync In order to make sure that all of your cluster nodes have the same state you will have to pick one of the nodes as your initial "master" and copy its state file to all the other nodes. You can find the state file in `/var/lib/icinga2/icinga2.state`. Before copying the state file you should make sure that all your cluster nodes are properly shut down. ### Assign Services to Cluster Nodes By default all services are distributed among the cluster nodes with the `Checker` feature enabled. If you require specific services to be only executed by one or more checker nodes within the cluster, you must define `authorities` as additional service object attribute. Required Endpoints must be defined as array. apply Service "dmz-oracledb" { import "generic-service" authorities = [ "icinga2a" ] assign where "oracle" in host.groups } The most common use case is building a master-slave cluster. The master node does not have the `checker` feature enabled, and the slave nodes are checking services based on their location, inheriting from a global service template defining the authorities. ### Cluster Health Check The Icinga 2 [ITL](#itl) ships an internal check command checking all configured `EndPoints` in the cluster setup. The check result will become critical if one or more configured nodes are not connected. Example: apply Service "cluster" { import "generic-service" check_interval = 1m check_command = "cluster" authorities = [ "icinga2a" ] assign where host.name = "icinga2a" } Each cluster node should execute its own local cluster health check to get an idea about network related connection problems from different point of views. Use the `authorities` attribute to assign the service check to the configured node. ### Host With Multiple Cluster Nodes Special scenarios might require multiple cluster nodes running on a single host. By default Icinga 2 and its features will drop their runtime data below the prefix `LocalStateDir`. By default packages will set that path to `/var`. You can either set that variable as constant configuration definition in [icinga2.conf](#icinga2-conf) or pass it as runtime variable to the Icinga 2 daemon. # icinga2 -c /etc/icinga2/node1/icinga2.conf -DLocalStateDir=/opt/node1/var ### Cluster Scenarios #### Features in Cluster Each cluster instance may use available features. If you have multiple locations or departments, they may write to their local database, or populate graphite. Even further all commands are distributed (unless prohibited using [Domains](#domains)). DB IDO on the left, graphite on the right side - works. Icinga Web 2 on the left, checker and notifications on the right side - works too. Everything on the left and on the right side - make sure to deal with duplicated notifications and automated check distribution. #### Location Based Cluster That scenario fits if your instances are spread over the globe and they all report to a central instance. Their network connection only works towards the central master (or the master is able to connect, depending on firewall policies) which means remote instances won't see each/connect to each other. All events are synced to the central node, but the remote nodes can still run local features such as a web interface, reporting, graphing, etc. Imagine the following example with a central node in Nuremberg, and two remote DMZ based instances in Berlin and Vienna. The configuration tree on the central instance could look like this: conf.d/ templates/ germany/ nuremberg/ hosts.conf berlin/ hosts.conf austria/ vienna/ hosts.conf The configuration deployment should look like: * The node `nuremberg` sends `conf.d/germany/berlin` to the `berlin` node. * The node `nuremberg` sends `conf.d/austria/vienna` to the `vienna` node. `conf.d/templates` is shared on all nodes. The endpoint configuration on the `nuremberg` node would look like: object Endpoint "nuremberg" { host = "nuremberg.icinga.org" port = 8888 } object Endpoint "berlin" { host = "berlin.icinga.org" port = 8888 config_files_recursive = [ "/etc/icinga2/conf.d/templates", "/etc/icinga2/conf.d/germany/berlin" ] } object Endpoint "vienna" { host = "vienna.icinga.org" port = 8888 config_files_recursive = [ "/etc/icinga2/conf.d/templates", "/etc/icinga2/conf.d/austria/vienna" ] } Each remote node will only peer with the central `nuremberg` node. Therefore only two endpoints are required for cluster connection. Furthermore the remote node must include the received configuration by the cluster functionality. Example for the configuration on the `berlin` node: object Endpoint "nuremberg" { host = "nuremberg.icinga.org" port = 8888 } object Endpoint "berlin" { host = "berlin.icinga.org" port = 8888 accept_config = [ "nuremberg" ] } include_recursive LocalStateDir + "/lib/icinga2/cluster/config" Depenending on the network connectivity the connections can be either established by the remote node or the central node. Example for `berlin` node connecting to central `nuremberg` node: library "cluster" object ClusterListener "berlin-cluster" { ca_path = "/etc/icinga2/ca/ca.crt" cert_path = "/etc/icinga2/ca/berlin.crt" key_path = "/etc/icinga2/ca/berlin.key" bind_port = 8888 peers = [ "nuremberg" ] } Example for central `nuremberg` node connecting to remote nodes: library "cluster" object ClusterListener "nuremberg-cluster" { ca_path = "/etc/icinga2/ca/ca.crt" cert_path = "/etc/icinga2/ca/nuremberg.crt" key_path = "/etc/icinga2/ca/nuremberg.key" bind_port = 8888 peers = [ "berlin", "vienna" ] } The central node should not do any checks by itself. There's two possibilities to achieve that: * Disable the `checker` feature * Pin the service object configuration to the remote endpoints using the [authorities](#assign-services-to-cluster-nodes) attribute. #### Load Distribution If you are planning to off-load the checks to a defined set of remote workers you can achieve that by: * Deploying the configuration on all nodes. * Let Icinga 2 distribute the load amongst all available nodes. That way all remote check instances will receive the same configuration but only execute their part. The central instance can also execute checks, but you may also disable the `Checker` feature. conf.d/ templates/ many/ If you are planning to have some checks executed by a specific set of checker nodes just pin them using the [authorities](#assign-services-to-cluster-nodes) attribute. Example on the `central` node: object Endpoint "central" { host = "central.icinga.org" port = 8888 } object Endpoint "checker1" { host = "checker1.icinga.org" port = 8888 config_files_recursive = [ "/etc/icinga2/conf.d" ] } object Endpoint "checker2" { host = "checker2.icinga.org" port = 8888 config_files_recursive = [ "/etc/icinga2/conf.d" ] } object ClusterListener "central-cluster" { ca_path = "/etc/icinga2/ca/ca.crt" cert_path = "/etc/icinga2/ca/central.crt" key_path = "/etc/icinga2/ca/central.key" bind_port = 8888 peers = [ "checker1", "checker2" ] } Example on `checker1` node: object Endpoint "central" { host = "central.icinga.org" port = 8888 } object Endpoint "checker1" { host = "checker1.icinga.org" port = 8888 accept_config = [ "central" ] } object Endpoint "checker2" { host = "checker2.icinga.org" port = 8888 accept_config = [ "central" ] } object ClusterListener "checker1-cluster" { ca_path = "/etc/icinga2/ca/ca.crt" cert_path = "/etc/icinga2/ca/checker1.crt" key_path = "/etc/icinga2/ca/checker1.key" bind_port = 8888 } #### High Availability Two nodes in a high availability setup require an [initial cluster sync](#initial-cluster-sync). Furthermore the active master node should deploy the configuration to the second node, if that does not already happen by your provisioning tool. It primarly depends which features are enabled/used. It is still required that some failover mechanism detects for example which instance will be the notification "master". #### Multiple Hierachies Your central instance collects all check results for reporting and graphing and also does some sort of additional notifications. The customers got their own instances in their local DMZs. They are limited to read/write only their services, but replicate all events back to the central instance. Within each DMZ there are additional check instances also serving interfaces for local departments. The customers instances will collect all results, but also send them back to your central instance. Additionally the customers instance on the second level in the middle prohibits you from sending commands to the down below department nodes. You're only allowed to receive the results, and a subset of each customers configuration too. Your central instance will generate global reports, aggregate alert notifications and check additional dependencies (for example, the customers internet uplink and bandwidth usage). The customers instance will only check a subset of local services and delegate the rest to each department. Even though it acts as configuration master with a central dashboard for all departments managing their configuration tree which is then deployed to all department instances. Furthermore the central NOC is able to see what's going on. The instances in the departments will serve a local interface, and allow the administrators to reschedule checks or acknowledge problems for their services. ### Domains A [Service](#objecttype-service) object can be restricted using the `domains` attribute array specifying endpoint privileges. A Domain object specifices the ACLs applied for each [Endpoint](#objecttype-endpoint). The following example assigns the domain `dmz-db` to the service `dmz-oracledb`. Endpoint `icinga-node-dmz-1` does not allow any object modification (no commands, check results) and only relays local messages to the remote node(s). The endpoint `icinga-node-dmz-2` processes all messages read and write (accept check results, commands and also relay messages to remote nodes). That way the service `dmz-oracledb` on endpoint `icinga-node-dmz-1` will not be modified by any cluster event message, and could be checked by the local authority too presenting a different state history. `icinga-node-dmz-2` still receives all cluster message updates from the `icinga-node-dmz-1` endpoint. object Host "dmz-host1" { import "generic-host" } object Service "dmz-oracledb" { import "generic-service" host_name = "dmz-host1" domains = [ "dmz-db" ] authorities = [ "icinga-node-dmz-1", "icinga-node-dmz-2"] } object Domain "dmz-db" { acl = { "icinga-node-dmz-1" = DomainPrivReadOnly "icinga-node-dmz-2" = DomainPrivReadWrite } }