[naemon-dev] Distributed Monitoring

Lee Wilson leefm40 at yahoo.co.uk
Fri Jan 23 01:04:09 CET 2015


Thanks Andreas,
I noticed from the recent announcement that DNX etc. were going to be incorporated in the new release, which is what got me looking at them.
In terms of mod_gearman though, my concern still stands over security.  Based on Debian dependencies at least, it doesn't seem to use any standard encryption library (such as openssl), so who's to say how well they've implemented whatever encryption they use, and why have they possibly reinvented the wheel anyway?
That's not to say that openssl (or libressl for that matter) doesn't have its own issues, but at least it's a known commodity that we already have to have in place anyway for the likes of Apache/Nginx and some of the check commands.
To be fair, I've had similar concerns over MKLivestatus's lack of good security, but as it's mainly used on the local box (for me at least), and the same goes for Nagios's named pipe stuff, it's been less of an issue.
I'll certainly be continuing to watch developments to see where this is heading, as for the larger deployments it's a good step in the right direction, and I would really like to see and maybe help Naemon be able to compete on a level field with the likes of Solarwinds Orion and others.
Keep up the good work everyone.
Lee 

     On Tuesday, 20 January 2015, 11:54, Andreas Ericsson <ageric79 at gmail.com> wrote:
   

 On 2015-01-17 11:22, Lee Wilson wrote:
>> Couldn’t you just use a passive monitoring solution and have the
>> remote hosts sending their data in?
>
>
>
> Precisely what I was thinking. The problem is that all the current
> plugins I'm aware of aren't what I would call public network
> friendly; security seems to have been added as an afterthought in
> most cases. In an ideal world this is what I would like to see being
> possible:
>
> 1) A remote node is configured with a standard config and sent out
>    to a new site - all it needs is an IP address, hostname of
>    central system and an authentication certificate.
> 2) Once onsite the node boots up and talks back to the central
>    system via HTTPS to retrieve its config, at which point it
>    reconfigures itself and starts monitoring.
> 3) Alerts are sent back using an external plugin also over HTTPS to
>    the central system.
> 4) Periodically the node checks back in to see if its configuration
>    needs updating - may be possible to do this live if a persistent
>    HTTPS connection is maintained.
> 5) The central system monitors the node using freshness checks; if
>    it doesn't receive any updates for a period of time, it marks the
>    node down and sends an appropriate alert.
>
> In effect all that's really needed is an HTTP to Naemon proxy, I
> guess kind of similar to how Thruk works with MKLiveStatus but for
> write access instead of read. The basic idea is not to reinvent the
> wheel if something already exists (such as using certificate-based
> auth rather than something more custom). I've been working on this
> idea even before Naemon was created but not being a developer by
> trade I do scratch my head on a few bits. Got the basic elements to
> a proof of concept more or less worked out if it is of interest.
>
> Lee
>

Merlin does exactly what you want, except you need to create a custom
"fetch config" script if you want to do it over https instead of over
ssh.

https://kb.op5.com/display/DOC/Scalable+Monitoring contains the kb
articles we have at op5 regarding this. They shouldn't be too markety
but mostly contain technical details regarding how you set it up.

Merlin is 100% opensource. If you have problems using it with Naemon,
I'll be happy to help you get it up and running.

/Andreas


   