monitoring remote networks

Kevin Keane subscription at kkeane.com
Thu Mar 19 14:09:59 CET 2009


Mark Weaver wrote:
> Kevin Keane wrote:
>> Mark Weaver wrote:
>>> How do I use this same Nagios server to monitor remote client networks 
>>> using the NSClient?
>>>
>> As others have already pointed out, fundamentally, it doesn't matter 
>> whether the client is on the same network segment, or behind a router.
>>
>> However, in reality, when you are talking about a "remote" network, most 
>> of the time you are actually talking about a network that has one or 
>> more firewalls in front of them. Very often, you have a firewall from 
>> your local network to the Internet, and a second firewall from the 
>> Internet to the remote network. And firewalls indeed will interfere 
>> with Nagios. Severely.
>>
>> There are several options for dealing with that:
>> - Establish a VPN between the local and the remote network. Obviously, 
>> you can only do that when the two networks completely trust each other. 
>> Also, if you have several remote networks connecting that way, you may 
>> inadvertently open security holes between two remote networks.
>> - Establish an SSH tunnel that just forwards the NRPE requests from the 
>> local to the remote client. Requires that the remote client trusts you 
>> enough to establish an SSH connection. Also requires that you have a way 
>> to monitor the tunnel, and reestablish it if it goes down.
>> - Open the appropriate ports on the firewalls to allow NRPE traffic 
>> through. You don't want to do that - monitoring information can be quite 
>> sensitive, and you don't want it traveling over the Internet in plain text.
>>
>> There may be more ways to deal with the firewall problem.
>>
>> The way I solved it is by writing a wrapper around NSClient++ that uses 
>> NSCA (i.e., passive checks) instead of NRPE, and then wraps the NSCA 
>> packages in HTTPS. It's primarily for my own in-house use (which is why 
>> the documentation leaves something to be desired), but it is an open source 
>> project on SourceForge; look for the project name tntmonitoring.
>>
> Thank you Kevin... this sounds like a good direction to take. How do I 
> address the need to do active checks on machines on the remote network 
> behind their firewall, or is there more configuration that can be done 
> to the NSClient than I'm currently aware of?
>
> Mark
>   
TNTMonitoring can call any plugin you like. It simply uses the standard 
plugin API (i.e., it uses the standard return codes and takes the 
results from stdout).

So if you want an active check, just add the corresponding plugin to 
TNTMonitoring's plugin directory (Windows, not Linux, executables of 
course) and add a .config file for it in the main TNTMonitoring 
directory. It will then get called every five minutes, along with all 
the other plugins. In fact, two of my own plugins can scan the whole 
Windows domain up to, I think, 60 or so computers (there is a Windows 
limit that I haven't yet bothered to get around), and report on the 
status of the antivirus software and the hard disk health, respectively. 
I ship them with TNTMonitoring, but they are also in a separate 
SourceForge project.

I think NSClient++ also has similar functionality for calling any plugin 
you like and submitting the results, but of course then you are restricted 
to NSCA as a transport. That is why I am not using NSClient++ for that 
purpose.

From the Nagios server's perspective, it will of course still be a 
passive check. It has to be; in fact, one of my design goals was to 
allow all checks to run as passive checks and eliminate the need for 
active checks within the remote network. The only way to make it an 
active check would be to bidirectionally connect the two networks, and 
that is something you would want to avoid from a security perspective.

-- 
Kevin Keane
Owner
The NetTech
Find the Uncommon: Expert Solutions for a Network You Never Have to Think About

Office: 866-642-7116
http://www.4nettech.com

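
The pattern described in the message above (run a standard plugin inside the remote network, turn its exit code and stdout into a passive result, push it outbound over HTTPS), sketched as an added example that is not part of the original post and is not TNTMonitoring's code or wire format. The host name, service name and submission URL are hypothetical, and a receiver on the Nagios side that writes the lines to the external command file is assumed.

```python
import ssl
import subprocess
import sys
import time
import urllib.request

STATES = {0: "OK", 1: "WARNING", 2: "CRITICAL", 3: "UNKNOWN"}

def run_plugin(argv, timeout=30):
    """Run one plugin per the standard plugin API: exit code is the state,
    first line of stdout is the status text."""
    try:
        proc = subprocess.run(argv, capture_output=True, text=True, timeout=timeout)
    except subprocess.TimeoutExpired:
        return 3, "UNKNOWN - plugin timed out after %ds" % timeout
    except OSError as exc:
        return 3, "UNKNOWN - cannot run plugin: %s" % exc
    code = proc.returncode if proc.returncode in STATES else 3
    lines = proc.stdout.strip().splitlines()
    return code, (lines[0] if lines else "(no output)")

def passive_result(host, service, code, output, now=None):
    """Format a Nagios external command for a passive service check result."""
    for field in (host, service):
        if not field or ";" in field or "\n" in field or "\r" in field:
            raise ValueError("illegal character in host or service name")
    # Plugin output is untrusted: a newline would start a second command line.
    text = " ".join(output.splitlines())
    ts = int(now if now is not None else time.time())
    return "[%d] PROCESS_SERVICE_CHECK_RESULT;%s;%s;%d;%s" % (ts, host, service, code, text)

def build_submission(url, results):
    """Build (not send) the outbound HTTPS POST; certificate checks stay on."""
    if not url.lower().startswith("https://"):
        raise ValueError("results must only leave the network over HTTPS")
    body = ("\n".join(results) + "\n").encode("utf-8")
    req = urllib.request.Request(url, data=body, method="POST",
                                 headers={"Content-Type": "text/plain; charset=utf-8"})
    return req, ssl.create_default_context()

if __name__ == "__main__":
    # Constructed stand-in for a real plugin: prints a status line, exits CRITICAL.
    fake = [sys.executable, "-c", "print('DISK CRITICAL - C: 2% free'); raise SystemExit(2)"]
    code, out = run_plugin(fake)
    line = passive_result("remote-dc01", "Disk C", code, out)
    req, ctx = build_submission("https://nagios.example.com/submit", [line])
    print(line)  # to send: urllib.request.urlopen(req, context=ctx, timeout=15)
```

Because the connection is opened from inside the remote network, the remote firewall needs only an outbound HTTPS rule and no inbound port for NRPE.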

