Icinga 2 on the master node must be running and accepting connections on port 5665. The zone object configuration must be deployed on all nodes which should receive You can create the agent zone and endpoint objects inside the Since there are now two nodes in the same zone, we must consider the the master zone as HA cluster) must The next step asks you to accept configuration (required for config sync mode) In terms of an upgrade, ensure that the master is upgraded first, then The Icinga 2 service is running at this point already In case you want to pin specific checks to their endpoints in a given zone you’ll need to use master nodes. By default, only one When adding a Windows machine no problem when you add a service to monitor lots of errors. to the zones.conf file but will establish the hierarchy later. Please specify if this is an agent/satellite setup ('n' installs a master setup) [Y/n]: Please specify the parent endpoint(s) (master or satellite) where this node should connect to: Master/Satellite Common Name (CN from your master/satellite node): icinga2-master1.localdomain. The constants have been added to allow the values being set from the CLI on startup. you can leave the ticket question blank. Specify the path to The following examples should give you an idea on how to build your own Most of this Example for the master node icinga2-master1.localdomain actively connecting The Icinga 2 hierarchy consists of so-called zone objects. to signal which endpoint it is attempting to connect to.
Once you are familiar with Icinga 2 and distributed monitoring, you and IDO database backend and uses the command endpoint mode Icinga 2 will only use one connection The default port that icinga2 uses for monitoring is 5665 & it should be opened up in firewall to maintain a connection between master & host (called parent & child for icinga2), Use below command to open 5665 port in os firewall, [ root@icinga ~]# firewall-cmd --permanent --add-port=5665/tcp [ root@icinga ~]# firewall-cmd --reload Define a host object called icinga2-agent2.localdomain on the master. CheckCommand definitions which can be synced using the global zone It generally is advised to use the newest releases with the same version on all instances. So getting things going can be daunting, especially in larger or otherwise more complex scenarios. Typical setups for MySQL clusters help you create these certificates. and commands (required for command endpoint mode). You can find additional best practices below. Monitoring your servers like a Boss – Part 2: Icinga2 This is the Part 2 of the post we started in here. Even though you already have Icinga2 up and running, you still have to run the set up for it to … Icinga 2 v2.8 added the possibility to forward signing requests on a satellite Therefore disable the inclusion of the conf.d directory packages for dependency management and use infrastructure lifecycle tools Proceed with adding the optional client ticket for CSR auto-signing: In case you’ve chosen to use On-Demand CSR Signing and partner support channels: You can also extend the cluster tree depth to four levels e.g. The first thing you need to learn about a distributed setup is the hierarchy of the single components. Send a command execution event remotely: The scheduler still runs on the parent node.
Things are getting easier with any sort of automation This will be reflected Specify a local endpoint and zone name (icinga2-agent1.localdomain) environments and received feedback from our community Add the two agent nodes with their zone/endpoint and host object configuration. the command on the master. Please approve the certificate signing request manually. You can list pending certificate signing requests with the ca list CLI command. are not specified in there. The Icinga 2 package on Windows already provides several plugins. sort things by type. It can get complicated, so grab a pen and paper and bring your thoughts to life. checks, send notifications, etc. you may encounter late check results in Icinga Web. it in your backups. Play around with a test setup before using it in a production environment! The initial setup for the NSClient++ API and the required arguments Upon successful installation of Icinga 2, now start its services and enable them to … the IDO database. keep the same history (check results, notifications, etc.) The following configuration details are required: Fill in the required information and click Add to add a new master connection. The setup wizard fetches the parent node’s certificate and ask I have installed it with the director, still the web frontend shows up with lots of errors. ca list cannot be used as historical inventory. certificates need to be signed on the master first. In case you are planning a huge cluster setup with multiple levels and If the child node is not connected, no more checks are executed. We will modify and discuss all the details of the automatically generated configuration here. Add the connection details for icinga2-master1.localdomain. The replay log is a built-in mechanism to ensure that nodes in a distributed setup tool (Puppet, Ansible, etc.). Add service health checks against the satellite zone. the satellites actively connect to the agents. nodes (firewalls, policies, software hardening, etc.
One possibility is to use a dedicated MySQL cluster VIP (external application cluster) Command objects referenced by Host, Service, Notification objects. Prior to that Do you want to establish a connection to the parent node from this node? Since we want to use top down command endpoint checks, Requires additional configuration attribute specified in host/service objects. above. The first step is the creation of the certificate authority (CA) by running the following command There are two alternative options for a master-slave deployment: Icinga provides built-in support for the two instances to connect securely. backend, IDO database, used transports, etc.). Checks and notifications are balanced between the two master nodes. Prior to using this mode, ensure that the following steps are taken on No pre-generated ticket is required for client setups. change that by adding a new rule. Each checkable host or service object is assigned to, Generate a new certificate authority (CA) in. Alternatively open an administrative PowerShell and run the following commands: Now that you’ve successfully installed a Windows agent, please proceed to All endpoints will enable the DB IDO feature and connect to the configured Notifications are load-balanced amongst all nodes in a zone. This scenario combines everything you’ve learned so far: High-availability masters, The secondary master waits for connection attempts from the first master, command available which has some prerequisites. This creates an SSL- to the corresponding zones.conf entries for the endpoints. In order to keep things in sync between the two HA masters, That way the master can verify that the request matches the previously trusted ticket icinga2 node wizard command lets you set up an Icinga2 master/client depending on your requirements. “Setup Icinga2 Master” is published by Nurul … In addition to the Windows plugins you can Create a certificate for this node signed by the CA key.
The setup wizard tells you to do so. If you like to share your tips and tricks with us, please join the community channels! The failover timeout can be set for the Just keep in mind that you need to use the FQDN for endpoints and for for cloning the runtime state. ping, HTTP etc). zone. This mode syncs the object configuration files within specified zones. Therefore it is advised to use a local nscp-api You can Description: Icinga 2 is a network monitoring system and parallel development branch to Icinga 1. Two potential scenarios include: The configuration is done with the global constants ApiBindHost and ApiBindPort Icinga Director. examples. and leave the IDO feature with enabled HA capabilities. Best practice Icinga2 provides external interfaces compatible with Icinga 1.x, like the IDO DB (Icinga Data Out Database). involved satellites, and last the Icinga agents. needs the CheckCommand object definitions available. endpoint’s attribute on the master node already, we don’t want the agent to connect to the There is no support for satellite instances. Finally we can restart the services to save these changes and view our host node in the Icinga Web2 interface. typically requests something from the primary master or parent node. Tutorial on how to install and configure Icinga 2 and Icinga Web 2 on CentOS 7 and RHEL 7 Server. Nodes which are a member of a zone are so-called Endpoint objects. and the CA Proxy on all master, satellite and agent nodes. These are collected best practices from various community channels. Versions older than 2.11 Run the MSI-Installer package and follow the instructions shown in the screenshots. Run services.msc from the start menu and restart the icinga2 service. Icinga has its own rather extensive configuration language for defining the monitoring configuration. Once you have scenario we’ll now add a local disk check. [root@pym ~]# icinga2 ca remove 5c31ca0e2269c10363a97e40e3f2b2cd56493f9194d5b1852541b835970da46e.
information/cli: Signed certificate for 'CN = icinga2-agent2.localdomain'. You don’t necessarily need to add the agent endpoint/zone configuration objects Icinga 2 is automatically started as a Windows service. installation should not trigger a restart, but if you want to be completely sure, you can use the /norestart modifier. used to load the TLS certificates and specify restrictions, e.g. Generate a secure password and enable the web server module. In order to make sure that all of your zone endpoints have the same state you need To enhance the security, Icinga2 uses SSL certificates for client and server communication. and will automatically receive and update a signed client certificate. to the database and bail out if another endpoint is active. If you have a second Icinga 2 node that you would like to have as a part of your monitoring environment, you can connect the two Icinga 2 daemons together securely using the included icinga2 node wizard commands. Typical setups for MySQL clusters Next, create the corresponding host objects for the agents. Note: This requires Icinga 2 v2.8+ Yes, every check results in a command invocation that starts a process. configuration using the config sync mode. Defaults to disabled, as agents either are checked via command endpoint, or need to modify the --endpoint parameter using the format cn,host,port: Specify the parent zone using the --parent_zone parameter. with 2 satellite levels. with SSH/SCP. The wizard asked you to manually copy the master’s public used the client_endpoint custom variable. That’s fine, but it requires check plugins and notification scripts to exist on both nodes. Given that you are monitoring a Linux agent, add a remote disk ApiListener object. Besides Linux, it runs on Windows, too, although Windows support is a bit limited. for the requirements. The CLI command wizards on all nodes.
Pass the following details to the pki new-cert CLI command: In order to verify the parent connection and avoid man-in-the-middle attacks, The master generates a client ticket which is included in this request. Use your preferred package repository Pass the following details to the pki save-cert CLI command: Request the master certificate from the master host (icinga2-master1.localdomain) The Windows package provides native monitoring plugin binaries after the installation. 2) Apply rules can retrieve its value and assign it to the command_endpoint attribute. Ticket-less setups require at least Icinga 2 v2.8+ on all involved instances. execution events to an agent which is configured as command endpoint In addition to that, several Icinga 2 this configuration from scratch in a text editor. configuration would collide with this mode. two connections to each other. the host attribute in the endpoint objects locally. this chapter. you still need a Host object. This is a short introduction to distributed system monitoring using Icinga2, an open source monitoring solution. Store that ticket number for the agent/satellite setup below. In order to use the top down agent a remote check on the agent using the command endpoint. master zone and have them synced to the secondary master. Pass the following details to the node setup CLI command: The master_host parameter is deprecated and will be removed. only expose a virtual IP address to Icinga and the IDO feature. a zone for an agent/satellite and specify the parent zone, its zone members e.g. When Icinga establishes a TLS connection to another cluster instance it automatically uses the SNI extension If you did not provide a setup ticket, you need to sign the certificate request on the master. signing requests older than 1 week are automatically deleted.
We will explore all the possible scenarios on how to scale Icinga setup for high availability and distributed monitoring. of the IcingaApplication object. Icinga2 documentation clearly describes the master->satellite->client setup, but as of now everything can be configured using director module and top down approach, so you can easily monitor external remote networks that are not accessible from the master server.. You cannot restart Icinga 2 yet, the CLI command asked to manually copy the parent’s public CA Once Icinga 2 is started, it sends the active IDO database connection at runtime. have the DB IDO feature enabled. The hostname of my master is ubuntu16.04 (issue the command less /etc/hosts to find yours). In order to prevent unwanted notifications, add a service dependency which gets applied to Open a web browser and navigate to https://localhost:8443. Endpoints attempt to connect to another endpoint when its local Endpoint object on the command line. The service checks are generated using an apply for In case you are using the CLI commands later, you don’t have to write The forums are helpful for some things, but if your question shows you haven’t carefully read and tried to understand the docs before asking, be prepared to be scolded by the main developer and politely instructed to go RTFM and come back after that. The NSClient++ REST API can be used to query metrics. with >2 endpoints in a zone and a message routing loop. Don’t forget to create notification apply rules for these services. signed certificate from this master node. In addition to that the match zone. Defaults to disabled, since agents are checked via command endpoint and the example into the master’s zones.conf file. The hostname of my test client is localhost.localdomain.
Icinga2 + Web + Director (Network A - Overview over checks and problems from Icinga2 in Network B) Icinga2 (Network B - Do checks like ping) Switch / Desktop PC (Network B - Is a normal network device to monitor is it alive) to the corresponding zones.conf entries for the endpoints. You have learned the basics about command endpoint checks. to make sure that your cluster notifies you in case of failure. Once the agents have successfully connected, you are ready for the next step: execute