Mike Weber's training class on choosing the right Nagios plugin for the job. The training session was held during the Nagios World Conference North America held Sept 27-29th, 2011 in Saint Paul, MN. For more information on the conference (including photos and videos), visit: http://go.nagios.com/nwcna
2. Identifying Options
Public Port Monitoring
NRPE - Nagios Remote Plugin Executor
SSH - Secure Shell
NSClient++
NSCA - Nagios Service Check Acceptor
NRDP - Nagios Remote Data Processor
SNMP - Simple Network Monitoring Protocol
2011 2
3. Criteria for Selection
Ease of Set Up
How much time and effort to get it working?
Network Topology
Firewall – Is there a firewall between Nagios and Client?
Internet – Does the check have to go over a public network?
Internal Network/VPN – Is it on a secure network?
Security
Security for Nagios
Security for Client
Resource Usage
Total RAM usage on client and server
Total CPU usage on client and server
Total Time usage on client and server
2011 3
4. Principles: Nagios Efficiencies in Scale
Poor choices on implementing plugins cannot be compensated
for by additional hardware.
If possible, execute plugins on the client using either SSH,
NRPE, NSCA, NRDP.
Compiled plugins require 10 - 44 times LESS resources than
scripts.
(Plugin RAM + Nagios RAM) x Time = RAM per check
Plugins hold resources for up to 10 seconds.
2011 4
6. Ease of Set Up - Order
Public Port Monitoring
NRPE
NSClient++
SSH
NRDP
NSCA
SNMP
2011 6
7. Ease of Set Up – Public Ports
Advantages
Can be set up with no client modification.
No firewall issues (the nature of public access).
Disadvantages
Limited external port information.
Plain text transfer of usernames/passwords if monitoring accounts.
Limited internal access information (processes, resources, etc.)
2011 7
8. Ease of Set Up – NRPE
Advantages
Complete access to internal and external aspects (plugins and scripts).
Disadvantages
Must set up an agent or daemon on the client.
Data transferred plain text (typical installation).
2011 8
9. Ease of Set Up – NSClient++
Advantages
Complete access to internal and external aspects (plugins and scripts).
Use NRPE, check_nt or other options and programming languages.
Password authentication available.
Disadvantages
Must set up an agent or daemon on the client.
Password authentication method weak.
Data transferred plain text (typical installation).
2011 9
10. Ease of Set Up – SSH
Advantages
Complete access to internal and external aspects (plugins and scripts).
Secure connection and secure data transfer.
Disadvantages
Must set up keys for nagios user.
Requires modification of firewall and/or tcp_wrappers.
May require sudo permissions (set up with visudo).
2011 10
11. Ease of Set Up – NRDP
Advantages
Complete access to internal and external aspects (plugins and scripts).
Password authentication.
Uses port 80 or 443 so no firewall issues.
No daemon to set up on Nagios.
Disadvantages
Requires the creation of a script on the client to send data.
No encryption unless you use SSL.
2011 11
12. Ease of Set Up – NSCA
Advantages
Complete access to internal and external aspects (plugins and scripts).
Password authentication and encryption.
Disadvantages
Requires the creation of a script on the client to send data.
Requires the set up of the NSCA daemon on the Nagios server.
Must configure firewall and tcp_wrappers on the Nagios server.
2011 12
13. Ease of Set Up – SNMP
Advantages
Flexible options for monitoring hardware.
Disadvantages
Requires knowledge of how SNMP works.
Requires the set up of the SNMP daemon on the client or device.
The snmpd.conf on the client requires at least 4 changes for accesss.
2011 13
15. Network Typology
Internal Network or VPN
Perimeter firewall or VPN protects all communication.
Public Network or Internet
Attempts to compromise the system exist.
Some protocols may be less reliable (UDP).
Firewalls or Gateways
Firewalls/Gateways must be modified to allow access.
Firewalls/Gateways cannot be modified to allow access.
2011 15
16. Network Typology – Internal Network
ALL Options will work
Public Ports
NRPE
NSClient++
SSH
NRDP
NSCA
SNMP
2011 16
17. Network Typology – Public Network
Secure Options Recommended
Public Ports – no firewall configuration necessary
SSH - SSH port can usually be opened or is open
NSCA – passive scripts will work behind firewall
NRDP – passive scripts will work behind firewall
Extensive Security for Nagios Server
Firewall limiting access to clients only.
tcp_wrappers limiting access to clients only.
Encrypted connections for administrators.
ModSecurity to filter port 80/443 access (application firewall).
2011 17
19. Security Factors
Security on Nagios
Factors that either elevate or degrade security on the Nagios server.
Security on the Client
Factors that either elevate or degrade security on the client.
Security of Network Communication
Is the data transfer encrypted?
Is the transfer protected by a password or token?
2011 19
20. Security - SSH
Advantages
Data transfer is encrypted.
Login is encrypted.
Disadvantages
Security complexity – users, keys, connections, rights
Typically key uses empty password.
ssh-keygen -b 1024 -f id_dsa -t dsa -N ''
Use of visudo required to provide nagios user access to files and applications.
nagios ALL=NOPASSWD: /usr/local/nagios/libexec/check_init_service
2011 20
21. Security - NSCA
Advantages
Choice on encryption methods.
Password authentication.
Disadvantages
Complexity of setup – daemon,two config files to edit, password,encryption,firewall,
tcp_wrappers, edit nagios.cfg
2011 21
22. Security - NRDP
Advantages
Token used to secure connectivity.
Uses port 80 so no new port must be opened.
Could use port 443 so encrypted.
Disadvantages
Need to create script on client to collect data and send data to Nagios server.
2011 22
26. Resource Usage
Resources Used on Nagios
Total RAM usage on server.
Total CPU usage on server.
Total Time usage on server.
Resources Used on the Client
Total RAM usage on client.
Total CPU usage on client.
Total Time usage on client.
2011 26
34. Principle #1: Poor choices on implementing plugins cannot
be compensated for by additional hardware.
Knowledge of Plugins
Planning Saves
Hardware Limits
Avoid the Domino
Effect
2011 34
35. Principle #2: If possible, execute plugins on the
client using either SSH, NRPE, NSCA, NRDP.
Typical Client Under Utilized
check_multi Most Efficient
Collect 10-30 checks per connection
Used with NRPE, SSH, NRDP, NSCA
2011 35
36. Principle #3: Compiled plugins require 10 - 44 times
LESS resources than scripts.
12
10
8
6
RAM
4
2
0
Compiled NSCA NSClient++ SSH Perl
2011 36
37. Principle #4: (Plugin RAM + Nagios RAM) x Time =
RAM per check
check_ping
takes 280 RAM
takes 10864 RAM from nagios process to execute plugin
takes 3 seconds to execute
(plugin RAM + nagios RAM) x time = RAM per
check
(280 +10864) X 3 = 32.64 MB RAM per check
2011 37