Posts by yash

This forum was archived to /woltlab and is now in read-only mode.

    No, DNS server is not affected and seems to be working fine.


    I ran the tcpdump command on my Icinga master server with dst set to the old AD server and found that the monitoring server is reaching out to my RDS instance via the old AD server. This is what the results look like.


    >>tcpdump dst Old_AD_server


    IP ICINGA_Server.xxxx > Old_AD_server.domain: yyyy+ A? RDS_DB_Server. (68)
    IP ICINGA_Server.xxxx > Old_AD_server.domain: zzzz+ AAAA? RDS_DB_Server. (68).

    Hi @JoNe


    I'm only getting this SQL error on the console once I stop my AD servers. Even if I try to validate my DB configuration, it starts processing but does nothing. The strange part is that as soon as I start my old AD servers again, everything works well.


    My concern here is that in the LDAP configuration (on the icingaweb console), I've entered my new AD server details. That new AD server is able to fetch all the users and validates the configuration as well. But every time I stop my old AD servers (which have been removed from the LDAP configuration), it affects my DB connection to Icinga, resulting in the SQL error.

    Hello Everyone,


    Earlier I'd set up Icinga in HA with a separate MySQL DB, integrated it with the AD server, and everything was working perfectly fine. Recently our AD servers were changed, and this requires us to update the LDAP configuration on Icinga.


    I then updated the AD information in the Icinga console at the Configuration-->Application pane and created a resource and a new user backend group in the authentication pane, with which all the new users were discovered, and I thought it was done.


    But once I stopped my old AD servers, the Icinga application was not able to connect to the RDS instance and gave me this error on the console:-


    SQLSTATE[HY000] [2005] Unknown MySQL server host 'xxxxxxxxxxxxxxxxxxxxxxxxx' (110)


    I'm not even able to log in with my Icinga admin credentials after stopping the AD instance.


    Can anyone please suggest how that can be fixed? What is the thing that I'm missing here?


    Kindly post your suggestion and do revert in case of any query.


    Thanks,

    Hi,


    I was exploring ways by which I can monitor the database in Icinga. I tried it with a default nagios-plugin like check_mysql but was not getting much information.


    Just wanted to check if anyone can help me with how to monitor any database, say in AWS RDS or installed on a server, using ICINGA?


    Regards,

    I didn't get anything on that


    Aug 19 03:39:06 xxxxxxxxx nrpe[14174]: Caught SIGTERM - shutting down...
    Aug 19 03:39:06 xxxxxxxxx nrpe[14174]: Daemon shutdown
    Aug 19 03:39:06 xxxxxxxxx nrpe[14328]: Starting up daemon
    Aug 19 03:39:06 xxxxxxxxx nrpe[14328]: Server listening on 0.0.0.0 port 5666.
    Aug 19 03:39:06 xxxxxxxxx nrpe[14328]: Server listening on :: port 5666.
    Aug 19 03:39:06 xxxxxxxxx nrpe[14328]: Listening for connections on port 0
    Aug 19 03:39:06 xxxxxxxxx nrpe[14328]: Allowing connections from: 127.0.0.1

    @dnsmichi


    In the nrpe.cfg file, this is the customized command that I'm referring to in the http service call


    command[check_http_url]=/usr/lib64/nagios/plugins/check_http -H $ARG1$ -u "$ARG2$" -"S"


    Now here is a catch, if I run the URL with those parameters via /usr/lib64/nagios/plugins/check_http on cli, it will give the HTTP OK response: Like for instance:-



    [root@xxxxxxxx plugins]# ./check_http -H "monitoring-portal.org" -u "/index.php?thread/37126-to-monitor-api-call-url-in-icinga2/&postID=234713#post234713" -S
    HTTP OK: HTTP/1.1 200 OK - 51989 bytes in 0.259 second response time |time=0.258623s;;;0.000000 size=51989B;;;0


    But on console, it is showing in Unknown state with plugin error:-
    CHECK_NRPE: Received 0 bytes from daemon. Check the remote server logs for error messages.


    This is how my services are defined keeping monitoring-portal as an example:-


    apply Service "http--test" {
    import "generic-service"
    check_command = "nrpe"
    vars.nrpe_command = "check_http_uri"
    vars.nrpe_arguments = ["monitoring-portal.org", "/index.php?thread/37126-to-monitor-api-call-url-in-icinga2/&postID=234713#post234713" , "S"]
    }


    PS:- This is only happening for the API call URL with special characters; the rest of the URLs are working fine.

    Hi All,


    In my ICINGA2 setup, I have web URLs being monitored via the check_http plugin using the nrpe command. I'm doing it by defining the customized check_http command in the /etc/nagios/nrpe.cfg file and referring to that command in my services.cfg file. It works well for normal URLs, but now I have one URL that is an XML file which is making an API call.


    That URL has special characters like " ?,&,= " and somehow if I add that URL the same way as the other URLs, it's showing in UNKNOWN state and gives the plugin output:


    "CHECK_NRPE: Received 0 bytes from daemon. Check the remote server logs for error messages"


    I tried by HTTP encoder but then I'm getting warning alert as "BAD REQUEST"


    Please suggest how to monitor API web URLs?


    Regards,

    Hi,


    I've set up icinga2 v 2.3.2 recently and successfully integrated it with LDAP through Configuration>Application>Resources. All users were successfully discovered and I'm able to log on with domain credentials as well.


    Afterwards, I created a new role "admins" and set permission to "allow all commands" for that role and added one domain user to that role.
    Thinking that I should be able to view anything afterwards, but instead got message "currently there is no dashlet available. please contact the administrator"


    I could not see all items on the left pane as well.


    Please suggest what could be the reason for that?


    I checked this link https://dev.icinga.org/issues/10659 but couldn't get the solution from it.

    Hi,


    Not sure what changes I made lately, but somehow I'm experiencing strange behavior with Icinga. Icinga web page control tends to redirect traffic to master 2 even when the control is with master1, which is up and running fine.


    e.g. Suppose icingaweb is currently active with master2. If I stop the master2 service, after a minute, traffic gets redirected to master 1. That's normal and I'm fine with that.
    Now if I start the master2 service again: initially, icingaweb used to stay connected with master1 only and would only redirect to master2 when something went wrong on master1, but now once master2 is up, the control goes back to master2.


    Please suggest what could be the reason behind it?

    @dnsmichi
    It looks like this.


    logs on testnode:
    [2016-06-25 04:02:46 -0400] information/ApiListener: New client connection for identity 'master2'
    [2016-06-25 04:02:46 -0400] information/ApiListener: Sending config updates for endpoint 'master2'.
    [2016-06-25 04:02:46 -0400] information/ApiListener: Syncing runtime objects to endpoint 'master2'.
    [2016-06-25 04:02:46 -0400] information/ApiListener: Finished sending config updates for endpoint 'master2'.
    [2016-06-25 04:02:46 -0400] information/ApiListener: Sending replay log for endpoint 'master2'.
    [2016-06-25 04:02:46 -0400] information/ApiListener: Replayed 148 messages.
    [2016-06-25 04:02:46 -0400] information/ApiListener: Finished sending replay log for endpoint 'master2'.
    [2016-06-25 04:03:51 -0400] information/JsonRpcConnection: No messages for identity 'master2' have been received in the last 60 seconds.
    [2016-06-25 04:03:51 -0400] warning/JsonRpcConnection: API client disconnected for identity 'master2'
    [2016-06-25 04:03:51 -0400] warning/JsonRpcConnection: API client disconnected for identity 'master2'
    [2016-06-25 04:03:51 -0400] warning/ApiListener: Removing API client for endpoint 'master2'. 0 API clients left.
    [2016-06-25 04:03:51 -0400] warning/ApiListener: Removing API client for endpoint 'master2'. 0 API clients left.
    [2016-06-25 04:03:56 -0400] information/JsonRpcConnection: Reconnecting to API endpoint 'master2' via host '<IP>' and port '5665'
    [2016-06-25 04:03:56 -0400] information/ApiListener: New client connection for identity 'master2'
    [2016-06-25 04:03:56 -0400] information/ApiListener: Sending config updates for endpoint 'master2'.
    [2016-06-25 04:03:56 -0400] information/ApiListener: Syncing runtime objects to endpoint 'master2'.
    [2016-06-25 04:03:56 -0400] information/ApiListener: Finished sending config updates for endpoint 'master2'.
    [2016-06-25 04:03:56 -0400] information/ApiListener: Sending replay log for endpoint 'master2'.
    [2016-06-25 04:03:56 -0400] information/ApiListener: Replayed 148 messages.
    [2016-06-25 04:03:56 -0400] information/ApiListener: Finished sending replay log for endpoint 'master2'.

    @dnsmichi , thanks again for your reply.
    By referring to the steps below, I managed to create the files below and the error is now fixed:-
    -rw-r--r--. 1 icinga icinga 1696 Jun 24 07:48 ca.crt
    -rw-r--r--. 1 icinga icinga 1696 Jun 24 07:48 master2.crt
    -rw-------. 1 icinga icinga 3243 Jun 24 07:47 master2.key
    -rw-r--r--. 1 icinga icinga 1696 Jun 24 07:48 trusted-master.crt


    Steps:-
    Generate a new local self-signed certificate.
    # icinga2 pki new-cert --cn icinga2-node2.localdomain \
      --key /etc/icinga2/pki/icinga2-node2.localdomain.key \
      --cert /etc/icinga2/pki/icinga2-node2.localdomain.crt
    Request the master certificate from the master host (icinga2-node1.localdomain) and store it as trusted-master.crt. Review it and continue.
    # icinga2 pki save-cert --key /etc/icinga2/pki/icinga2-node2.localdomain.key \
      --cert /etc/icinga2/pki/icinga2-node2.localdomain.crt \
      --trustedcert /etc/icinga2/pki/trusted-master.crt \
      --host icinga2-node1.localdomain
    Send the self-signed certificate to the master host using the ticket number and receive a CA signed certificate and the master's ca.crt certificate. Specify the path to the previously stored trusted master certificate.
    # icinga2 pki request --host icinga2-node1.localdomain \
      --port 5665 \
      --ticket ead2d570e18c78abf285d6b85524970a0f69c22d \
      --key /etc/icinga2/pki/icinga2-node2.localdomain.key \
      --cert /etc/icinga2/pki/icinga2-node2.localdomain.crt \
      --trustedcert /etc/icinga2/pki/trusted-master.crt \
      --ca /etc/icinga2/pki/ca.crt


    Question:- Here on master2, I currently don't have a master2.csr file. Can that cause an issue?


    Now, on checking the logs, I find below warnings coming up:-


    on Master1:-


    [2016-06-24 08:02:14 -0400] information/JsonRpcConnection: Reconnecting to API endpoint ‘master2’ via host <ip> and port '5665'
    [2016-06-24 08:02:14 -0400] information/ApiListener: New client connection for identity 'PRDMGMMONIRE2A'
    [2016-06-24 08:02:14 -0400] information/ApiListener: Sending config updates for endpoint 'PRDMGMMONIRE2A'.
    [2016-06-24 08:02:14 -0400] information/ApiListener: Syncing global zone 'global' to endpoint 'PRDMGMMONIRE2A'.
    [2016-06-24 08:02:14 -0400] information/ApiListener: Syncing zone 'master' to endpoint 'PRDMGMMONIRE2A'.
    [2016-06-24 08:02:14 -0400] information/ApiListener: Syncing runtime objects to endpoint 'PRDMGMMONIRE2A'.
    [2016-06-24 08:02:14 -0400] information/ApiListener: Finished sending config updates for endpoint 'PRDMGMMONIRE2A'.
    [2016-06-24 08:02:14 -0400] information/ApiListener: Sending replay log for endpoint 'PRDMGMMONIRE2A'.
    [2016-06-24 08:02:15 -0400] information/ApiListener: Replayed 43789 messages.
    [2016-06-24 08:02:15 -0400] information/ApiListener: Finished sending replay log for endpoint 'PRDMGMMONIRE2A'.
    [2016-06-24 08:03:25 -0400] information/JsonRpcConnection: No messages for identity ‘master2’have been received in the last 60 seconds.
    [2016-06-24 08:03:25 -0400] warning/JsonRpcConnection: API client disconnected for identity 'PRDMGMMONIRE2A'
    [2016-06-24 08:03:25 -0400] warning/JsonRpcConnection: API client disconnected for identity 'PRDMGMMONIRE2A'
    [2016-06-24 08:03:25 -0400] warning/ApiListener: Removing API client for endpoint 'PRDMGMMONIRE2A'. 0 API clients left.
    [2016-06-24 08:03:25 -0400] warning/ApiListener: Removing API client for endpoint 'PRDMGMMONIRE2A'. 0 API clients left.
    [2016-06-24 08:03:29 -0400] information/JsonRpcConnection: Reconnecting to API endpoint ‘master2’via host <ip> and port '5665'


    On master2:-


    [2016-06-24 08:04:12 -0400] information/IdoMysqlConnection: Query queue items: 0, query rate: 3.31667/s (199/min 991/5min 3078/15min);
    [2016-06-24 08:04:27 -0400] information/IdoMysqlConnection: Query queue items: 0, query rate: 3.31667/s (199/min 991/5min 3119/15min);
    [2016-06-24 08:04:31 -0400] warning/JsonRpcConnection: API client disconnected for identity ‘testnode’
    [2016-06-24 08:04:32 -0400] information/ApiListener: New client connection for identity ‘testnode’
    [2016-06-24 08:04:40 -0400] warning/JsonRpcConnection: API client disconnected for identity ‘master1'
    [2016-06-24 08:04:42 -0400] information/IdoMysqlConnection: Query queue items: 0, query rate: 3.31667/s (199/min 991/5min 2975/15min);
    [2016-06-24 08:04:44 -0400] information/ApiListener: New client connection for identity ‘master1'
    [2016-06-24 08:04:57 -0400] information/IdoMysqlConnection: Query queue items: 0, query rate: 3.31667/s (199/min 991/5min 2975/15min);
    [2016-06-24 08:05:12 -0400] information/IdoMysqlConnection: Query queue items: 0, query rate: 3.3/s (198/min 991/5min 2975/15min);
    [2016-06-24 08:05:27 -0400] information/IdoMysqlConnection: Query queue items: 0, query rate: 3.3/s (198/min 991/5min 2975/15min);
    [2016-06-24 08:05:42 -0400] information/IdoMysqlConnection: Query queue items: 0, query rate: 3.3/s (198/min 991/5min 2975/15min);
    [2016-06-24 08:05:46 -0400] warning/JsonRpcConnection: API client disconnected for identity ‘testnode’


    Here 'testnode' is a server that I put into Icinga monitoring using the Icinga2 node wizard, specifying both master servers to report to.


    With this, my intention was that if master1 goes down, this testnode should report to master2.


    Please suggest how I can fix those?

    Okay, so I imported the ca.crt file from master1 to master2 but somehow got an openssl error for the command below
    openssl verify -verbose -CAfile /etc/icinga2/pki/ca.crt /etc/icinga2/pki/icinga2-node1.localdomain.crt



    Can you please share the commands/ steps to follow for manually generating the certificates for 2 master?
    I saw the manual setup here http://docs.icinga.org/icinga2…-autosigning-requirements
    but I guess this will be between master and satellite.

    @dnsmichi.. Thanks for your reply.
    Checked with tcpdump, both servers are capturing similar packets.



    As I stated, currently both servers have different ca.crt certificate located at /etc/icinga2/pki dir.


    Should both masters have the same ca.crt file? If yes, then even if I import master 1's ca file to master2 and then check the status with the command below:-
    openssl s_client -CAfile /etc/icinga2/pki/ca.crt -cert /etc/icinga2/pki/icinga2-node2.localdomain.crt -key /etc/icinga2/pki/icinga2-node2.localdomain.key -connect icinga2-node1.localdomain:5665
    It gets connected from either side, but when run from master1 to master2, at the end it's mentioned:-
    error (7) certificate signature failure..
    while running from master 2 to master 1, it gets no error.
    One more thing to mention: currently the status for the command below is OK when both servers have different ca files, but it gets an error when I import master 1's ca file to master2.
    # openssl verify -verbose -CAfile /etc/icinga2/pki/ca.crt /etc/icinga2/pki/icinga2-node1.localdomain.crt
    icinga2-node1.localdomain.crt: OK
    Please suggest

    Hi All,


    I've set up 2 Icinga master servers on RHEL with the DB (MySQL) on a separate server. My intention is to have HA across the master servers so even if one goes down, the other will get connected with the DB and resume monitoring.


    Till now, I have the 2 masters ready, and when one goes down the other one picks up the master role as well, but after the failover, the 2nd master shows neither the 1st master's services nor the servers that were being monitored through it.


    For testing, I'd added one RHEL machine to Icinga monitoring by using the node wizard. I mentioned both masters' CN and IP, hoping that if one master goes down, the other will still be monitoring my server, but at the moment, after failover, master 2 only monitors the HA cluster.


    From both master servers, below are the logs that I'm getting:-
    ................


    Master 1:/var/log/icinga2/icinga2.log
    (0) Handling new API client connection


    [2016-06-23 07:18:30 -0400] information/JsonRpcConnection: Reconnecting to API endpoint 'Master2' via host 'xxxxxxxx' and port '5665'
    [2016-06-23 07:18:30 -0400] warning/ApiListener: Peer certificate for endpoint 'Master2' is not signed by the certificate authority.
    Context:


    Master 2:-/var/log/icinga2/icinga2.log
    (0) Handling new API client connection


    [2016-06-23 07:19:45 -0400] information/ApiListener: New client connection for identity 'master1' (client certificate not signed by CA)
    [2016-06-23 07:19:45 -0400] warning/TlsStream: OpenSSL error: error:0407006A:rsa routines:RSA_padding_check_PKCS1_type_1:block type is not 01
    [2016-06-23 07:19:45 -0400] warning/ApiListener: No data received on new API connection.
    Context:
    (0) Handling new API client connection


    [2016-06-23 07:19:49 -0400] information/ApiListener: New client connection for identity 'RHELserver' (client certificate not signed by CA)
    [2016-06-23 07:19:49 -0400] warning/TlsStream: OpenSSL error: error:0407006A:rsa routines:RSA_padding_check_PKCS1_type_1:block type is not 01
    [2016-06-23 07:19:49 -0400] warning/ApiListener: No data received on new API connection.
    Context:
    (0) Handling new API client connection


    ............


    PS:- Each master server has its own CA certificate. I think only one CA certificate should be there for authentication between the master servers, but I don't know how to set that up.



    Please confirm if anything else is needed from my end.
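
The situation in the post above (each master holding its own CA) reproduced with plain openssl, as an added example that is not part of the original post. Every CA, key and certificate is a throwaway file constructed by the script, and the names ca-master1, ca-master2, master1 and master2 are assumptions.

```shell
#!/usr/bin/env bash
# Added illustration. All CAs, keys and certificates are throwaway files
# constructed here; the names ca-master1, ca-master2, master1 and master2
# are assumptions, not the poster's real files.
set -u

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# make_ca NAME: create a self-signed CA as $WORK/NAME.key and $WORK/NAME.crt.
make_ca() {
  openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=$1" \
    -keyout "$WORK/$1.key" -out "$WORK/$1.crt" 2>/dev/null
}

# issue_cert CA CN: create a key for CN and a certificate signed by CA.
issue_cert() {
  openssl req -new -newkey rsa:2048 -nodes -subj "/CN=$2" \
    -keyout "$WORK/$2.key" -out "$WORK/$2.csr" 2>/dev/null &&
  openssl x509 -req -in "$WORK/$2.csr" -days 1 -CA "$WORK/$1.crt" \
    -CAkey "$WORK/$1.key" -CAcreateserial -out "$WORK/$2.crt" 2>/dev/null
}

# verifies CA CN: succeed only if CN's certificate chains to CA.
verifies() {
  openssl verify -CAfile "$WORK/$1.crt" "$WORK/$2.crt" 2>/dev/null |
    grep -q ': OK$'
}

# fingerprint NAME: SHA-256 fingerprint, to compare ca.crt between hosts.
fingerprint() {
  openssl x509 -in "$WORK/$1.crt" -noout -fingerprint -sha256 | cut -d= -f2
}

report() {
  if verifies "$1" "$2"; then echo "$2 against $1: OK"
  else echo "$2 against $1: not signed by this CA"; fi
}

# Situation in the post: each master created its own CA and certificate.
make_ca ca-master1; make_ca ca-master2
issue_cert ca-master1 master1
issue_cert ca-master2 master2
echo "ca-master1 $(fingerprint ca-master1)"
echo "ca-master2 $(fingerprint ca-master2)"
report ca-master1 master1
report ca-master1 master2   # what master1 sees when master2 connects

# One CA for the zone: master2's certificate is re-issued by master1's CA.
issue_cert ca-master1 master2
report ca-master1 master2
```

Differing fingerprints for the two ca.crt files are the quick sign that the masters do not share a CA; copying ca.crt alone does not help, because the node certificate also has to be issued by that CA.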