How to filter by contact_groups to all requests

#1

Hi!
Thanks in advance!!

I have 2 servers:

thrukserver ----> nagiosserver

The Thruk server makes requests to the Nagios server.
An event_broker with livestatus is configured on the Nagios server, and this is presented on port 6557 through unixcat in the xinetd service configuration.

I want to filter the data that Nagios sends to the Thruk server, in such a way that from Nagios only the relative data is offered to a user (contact), only sending the data for which it is authorized in Nagios.

Something like this could be done this way from the destination:

`echo -e 'GET services\nColumns: host_name description state contact_groups\nFilter: contact_groups >= guardias-servicioscriticos' | nc nagiosserver 6557`

But I want to do it from the source (Nagios). I do not know if it can be done by putting the “Filter” in the configuration of xinetd, in the configuration of the event_broker of Nagios, etc …

Thanks.

(Sven Nierlein) #2

That's not possible. However, the frontend Thruk does honor permissions and authentication, so people will only see what they are allowed to see based on the cgi.cfg and their contact groups.

#3

So, can I not filter the content of a specific Nagios server, so that only certain services are seen?

If the Thruk server is mine, and the Nagios server belongs to a client of mine, who has asked me to monitor certain services, not all of them, can my client not filter the information at the originating Nagios server? Is it absolutely necessary to publish via livestatus all the information on your Nagios server?

(Sven Nierlein) #4

Exactly, that's not possible. If you connect the remote Nagios by livestatus you have full access.

There is something on the roadmap which might help you. When connecting to a remote instance via http(s) you have to set an API key. Right now, this API key requires full permissions, but it's on the roadmap to make this possible with less privileged keys as well.
But there is no timeline for this feature…

#5

I understand that the filtering of Nagios data (with livestatus) must be done by Nagios or by livestatus, not by Thruk but …

Another option would be to connect as a backend directly to the Nagios website with a specific user, which would be the one that would be restricted or filtered to see certain alarms.

Would it be possible to connect as a backend, via http / https directly to Nagios instead of another instance of Thruk?

(Sven Nierlein) #6

That's not possible. You can connect with Thruk to either a Livestatus Source or another Thruk instance.
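
Added example, not part of the thread and not Thruk or Livestatus project code: the thread establishes that a raw Livestatus connection on port 6557 gives full access, so any narrowing on the Nagios side has to happen in front of the socket. The sketch below is the request-rewriting step of a wrapper that xinetd could start in place of unixcat; it assumes the Livestatus build honours the `AuthUser:` header, and the contact name `thruk-readonly`, the table allowlist and the function names are hypothetical.

```python
# Added example: rewrite one Livestatus request before it reaches the socket.
ALLOWED_TABLES = {"hosts", "services"}    # assumption: tables where AuthUser applies
FORCED_CONTACT = "thruk-readonly"         # hypothetical restricted Nagios contact
DROPPED_HEADERS = {"authuser", "keepalive"}


class Rejected(Exception):
    """Raised when a request must not be forwarded to Livestatus."""


def harden_request(raw: str, contact: str = FORCED_CONTACT) -> str:
    lines = [line.rstrip("\r") for line in raw.split("\n")]
    # A request ends at the first blank line; anything after it would be a
    # second, unchecked request on the same connection, so it is discarded.
    if "" in lines:
        lines = lines[: lines.index("")]
    if not lines:
        raise Rejected("empty request")
    verb, _, table = lines[0].partition(" ")
    table = table.strip()
    if verb != "GET":                      # blocks COMMAND (external commands)
        raise Rejected(f"verb not allowed: {verb!r}")
    if table not in ALLOWED_TABLES:
        raise Rejected(f"table not allowed: {table!r}")
    kept = []
    for line in lines[1:]:
        name, sep, _ = line.partition(":")
        if not sep:
            raise Rejected(f"malformed header: {line!r}")
        # Drop any client-chosen AuthUser; drop KeepAlive so each connection
        # carries exactly one checked request.
        if name.strip().lower() not in DROPPED_HEADERS:
            kept.append(line)
    return "\n".join([f"GET {table}", *kept, f"AuthUser: {contact}"]) + "\n\n"


if __name__ == "__main__":
    # Constructed sample: the query from post #1, as a remote client sends it.
    sample = ("GET services\n"
              "Columns: host_name description state contact_groups\n"
              "Filter: contact_groups >= guardias-servicioscriticos\n")
    print(harden_request(sample), end="")
```

Thruk as a Livestatus client queries more tables than these two, so the allowlist would have to be widened deliberately, table by table. Tables without contact relations are not narrowed by `AuthUser`.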