
Zautomatyzowany monitoring.

Lukasz P authored on15/02/2021 13:37:06
Showing21 changed files
... ...
@@ -6,6 +6,7 @@
6 6
 - import_playbook: local_bin_files.yaml
7 7
 - import_playbook: firewall_configuration.yaml
8 8
 - import_playbook: journal_basic_setup.yaml
9
+- import_playbook: setup_monitoring.yaml
9 10
 - import_playbook: basic_host_role_setup.yaml
10 11
 - import_playbook: disable_unused_services.yaml
11 12
 
... ...
@@ -3,7 +3,7 @@
3 3
 
4 4
 
5 5
 - name: Configure firewall
6
-  hosts: outpost.ping.local, union.ping.local, dropshuttle.ping.local, malinka.ping.local, jezynka.ping.local, potemkin.ping.local, python-cave.ping.local, rawhide.ping.local, strategie.ping.local, stream.ping.local, ubuntu2004test.ping.local, centos8test.ping.local, fedora33test.ping.local, leap15test.ping.local
6
+  hosts: outpost.ping.local, union.ping.local, dropshuttle.ping.local, malinka.ping.local, jezynka.ping.local, potemkin.ping.local, python-cave.ping.local, rawhide.ping.local, strategie.ping.local, stream.ping.local, ubuntu2004test.ping.local, centos8test.ping.local, fedora33test.ping.local, leap15test.ping.local, rhel8.ping.local
7 7
 
8 8
 
9 9
   tasks:
... ...
@@ -53,6 +53,12 @@
53 53
     - {port_firewalld: 3306/tcp, zone: home, port_ufw: 3306, source: 192.168.111.19, proto: tcp, comment: Monitoring MariaDB}
54 54
     when: "'mariadb' in group_names"
55 55
 
56
+  - name: Close ports for MariaDB.
57
+    include_tasks: helpers/firewall_close.yaml
58
+    loop:
59
+    - {port_firewalld: 3306/tcp, zone: home, port_ufw: 3306, source: 192.168.111.19, proto: tcp, comment: Monitoring MariaDB}
60
+    when: "'mariadb' not in group_names"
61
+
56 62
 
57 63
 # ------------------------------------------------------
58 64
 # ---------------- Samba -------------------------------
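Review bot: The literal `hosts:` list edited at the top of this file is repeated in two other firewall playbooks in this commit (the `@@ -1,6 +1,6 @@` and `@@ -2,7 +2,7 @@` hunks further down), and `rhel8.ping.local` had to be appended to all three by hand. A host that is missed in one copy silently keeps running without that part of the firewall configuration. Defining the set once as an inventory group and writing `hosts: firewall_managed` in each play (the group name is a placeholder) removes that risk. The play body continues outside both hunks.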
... ...
@@ -1,6 +1,6 @@
1 1
 ---
2 2
 - name: Configure zones and networks in firewall
3
-  hosts: outpost.ping.local, union.ping.local, dropshuttle.ping.local, malinka.ping.local, jezynka.ping.local, potemkin.ping.local, python-cave.ping.local, rawhide.ping.local, strategie.ping.local, stream.ping.local, ubuntu2004test.ping.local, centos8test.ping.local, fedora33test.ping.local, leap15test.ping.local
3
+  hosts: outpost.ping.local, union.ping.local, dropshuttle.ping.local, malinka.ping.local, jezynka.ping.local, potemkin.ping.local, python-cave.ping.local, rawhide.ping.local, strategie.ping.local, stream.ping.local, ubuntu2004test.ping.local, centos8test.ping.local, fedora33test.ping.local, leap15test.ping.local, rhel8.ping.local
4 4
  
5 5
 
6 6
   tasks:
... ...
@@ -21,6 +21,17 @@
21 21
     notify:
22 22
     - Reload Firewalld
23 23
 
24
+  - name: Add monitoring zone in Firewalld
25
+    copy: 
26
+      src: ../templates/firewalld_monitoring_zone.xml
27
+      dest: /etc/firewalld/zones/monitoring.xml
28
+      owner: root
29
+      group: root
30
+      mode: 644
31
+    when: ansible_os_family == 'RedHat' or ansible_os_family == 'Suse'
32
+    notify:
33
+    - Reload Firewalld
34
+
24 35
   - name: Set up UFW configuration in /etc/default
25 36
     copy:
26 37
       src: ../templates/ufw_defaults
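Review bot: `mode: 644` in the new "Add monitoring zone in Firewalld" task is read as the decimal integer 644, which is octal 1204, so `/etc/firewalld/zones/monitoring.xml` would not end up as rw-r--r--. Write it as a quoted octal string, `mode: "0644"`. The other new task files in this commit use `mode: 0640` with a leading zero, which Ansible accepts, but quoting those as `"0640"` too avoids relying on YAML 1.1 octal parsing. The surrounding play starts and ends outside the hunk.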
... ...
@@ -2,7 +2,7 @@
2 2
 - import_playbook: firewall_basic_setup.yaml
3 3
 
4 4
 - name: Clear all firewall rules, except for ssh and dns connections
5
-  hosts: outpost.ping.local, union.ping.local, dropshuttle.ping.local, malinka.ping.local, jezynka.ping.local, potemkin.ping.local, python-cave.ping.local, rawhide.ping.local, strategie.ping.local, stream.ping.local, ubuntu2004test.ping.local, centos8test.ping.local, fedora33test.ping.local, leap15test.ping.local
5
+  hosts: outpost.ping.local, union.ping.local, dropshuttle.ping.local, malinka.ping.local, jezynka.ping.local, potemkin.ping.local, python-cave.ping.local, rawhide.ping.local, strategie.ping.local, stream.ping.local, ubuntu2004test.ping.local, centos8test.ping.local, fedora33test.ping.local, leap15test.ping.local, rhel8.ping.local
6 6
 
7 7
   tasks:
8 8
 
9 9
new file mode 100644
... ...
@@ -0,0 +1,174 @@
1
+---
2
+- import_playbook: apt_cache_update.yaml
3
+
4
+- name: Ensure, that nrpe is installed and running
5
+  hosts: all
6
+
7
+  tasks:
8
+
9
+  - name: Install nrpe and Nagios plugins packages on Debian-like systems.
10
+    apt:
11
+      pkg:
12
+      - nagios-nrpe-plugin
13
+      - nagios-nrpe-server
14
+      - nagios-plugin-check-multi
15
+      - nagios-plugins-contrib
16
+      - nagios-snmp-plugins
17
+    when: ansible_os_family == 'Debian'
18
+
19
+  - name: Install nrpe and Nagios plugins on RedHat-like systems.
20
+    dnf:
21
+      name:
22
+      - nagios-plugins-bonding
23
+      - nagios-plugins-breeze
24
+      - nagios-plugins-by_ssh
25
+      - nagios-plugins-cluster
26
+      - nagios-plugins-dbi
27
+      - nagios-plugins-dhcp
28
+      - nagios-plugins-disk
29
+      - nagios-plugins-dummy
30
+      - nagios-plugins-file_age
31
+      - nagios-plugins-flexlm
32
+      - nagios-plugins-fping
33
+      - nagios-plugins-hpjd
34
+      - nagios-plugins-http
35
+      - nagios-plugins-icmp
36
+      - nagios-plugins-ide_smart
37
+      - nagios-plugins-ldap
38
+      - nagios-plugins-load
39
+      - nagios-plugins-log
40
+      - nagios-plugins-mrtg
41
+      - nagios-plugins-mrtgtraf
42
+      - nagios-plugins-nagios
43
+      - nagios-plugins-nrpe
44
+      - nagios-plugins-nt
45
+      - nagios-plugins-ntp
46
+      - nagios-plugins-nwstat
47
+      - nagios-plugins-oracle
48
+      - nagios-plugins-overcr
49
+      - nagios-plugins-perl
50
+      - nagios-plugins-ping
51
+      - nagios-plugins-procs
52
+      - nagios-plugins-real
53
+      - nagios-plugins-remove_perfdata
54
+      - nagios-plugins-rpc
55
+      - nagios-plugins-sensors
56
+      - nagios-plugins-smtp
57
+      - nagios-plugins-snmp
58
+      - nagios-plugins-ssh
59
+      - nagios-plugins-ssl_validity
60
+      - nagios-plugins-swap
61
+      - nagios-plugins-tcp
62
+      - nagios-plugins-time
63
+      - nagios-plugins-ups
64
+      - nagios-plugins-uptime
65
+      - nagios-plugins-users
66
+      - nagios-plugins-wave
67
+      - nrpe
68
+      state: latest
69
+      enablerepo: epel-modular,epel
70
+    when: ansible_os_family == 'RedHat'
71
+
72
+  - name: Install MariaDB monitoring plugins on RedHat-like systems.
73
+    dnf:
74
+      name:
75
+      - nagios-plugins-mysql
76
+      state: latest
77
+      enablerepo: epel-modular,epel
78
+    when: ansible_os_family == 'RedHat' and 'mariadb' in group_names
79
+
80
+  - name: Install nrpe and Nagios plugins on Suse systems.
81
+    zypper:
82
+      name:
83
+      - monitoring-plugins-apcupsd
84
+      - monitoring-plugins-bind
85
+      - monitoring-plugins-bind9
86
+      - monitoring-plugins-bl
87
+      - monitoring-plugins-bonding
88
+      - monitoring-plugins-breeze
89
+      - monitoring-plugins-by_ssh
90
+      - monitoring-plugins-cluster
91
+      - monitoring-plugins-common
92
+      - monitoring-plugins-contentage
93
+      - monitoring-plugins-count_file
94
+      - monitoring-plugins-cups
95
+      - monitoring-plugins-dhcp
96
+      - monitoring-plugins-dig
97
+      - monitoring-plugins-disk
98
+      - monitoring-plugins-disk_smb
99
+      - monitoring-plugins-dns
100
+      - monitoring-plugins-dns.pl
101
+      - monitoring-plugins-drbd9
102
+      - monitoring-plugins-dummy
103
+      - monitoring-plugins-fail2ban
104
+      - monitoring-plugins-file_age
105
+      - monitoring-plugins-flexlm
106
+      - monitoring-plugins-fping
107
+      - monitoring-plugins-http
108
+      - monitoring-plugins-icmp
109
+      - monitoring-plugins-ide_smart
110
+      - monitoring-plugins-ifoperstatus
111
+      - monitoring-plugins-ifstatus
112
+      - monitoring-plugins-ipmi-sensor1
113
+      - monitoring-plugins-keepalived
114
+      - monitoring-plugins-ldap
115
+      - monitoring-plugins-load
116
+      - monitoring-plugins-log
117
+      - monitoring-plugins-mem
118
+      - monitoring-plugins-mrtg
119
+      - monitoring-plugins-mrtgtraf
120
+      - monitoring-plugins-mysql
121
+      - monitoring-plugins-mysql_health
122
+      - monitoring-plugins-nagios
123
+      - monitoring-plugins-nis
124
+      - monitoring-plugins-nrpe
125
+      - monitoring-plugins-nt
126
+      - monitoring-plugins-ntp_peer
127
+      - monitoring-plugins-ntp_time
128
+      - monitoring-plugins-nwc_health
129
+      - monitoring-plugins-nwstat
130
+      - monitoring-plugins-openvpn
131
+      - monitoring-plugins-oracle
132
+      - monitoring-plugins-overcr
133
+      - monitoring-plugins-ping
134
+      - monitoring-plugins-procs
135
+      - monitoring-plugins-real
136
+      - monitoring-plugins-repomd
137
+      - monitoring-plugins-rpc
138
+      - monitoring-plugins-rsync
139
+      - monitoring-plugins-sensors
140
+      - monitoring-plugins-sentry3
141
+      - monitoring-plugins-sip
142
+      - monitoring-plugins-smart
143
+      - monitoring-plugins-smtp
144
+      - monitoring-plugins-snmp
145
+      - monitoring-plugins-ssh
146
+      - monitoring-plugins-swap
147
+      - monitoring-plugins-tcp
148
+      - monitoring-plugins-tftp
149
+      - monitoring-plugins-time
150
+      - monitoring-plugins-traffic_limit
151
+      - monitoring-plugins-ups
152
+      - monitoring-plugins-users
153
+      - monitoring-plugins-wave
154
+      - monitoring-plugins-zypper
155
+      - nrpe
156
+      state: present
157
+    when: ansible_os_family == 'Suse'
158
+
159
+  - name: Ensure that nrpe is running on Debian-like systems 
160
+    systemd:
161
+      state: started
162
+      name: nagios-nrpe-server
163
+      enabled: yes
164
+      masked: no
165
+    when: ansible_os_family == 'Debian'
166
+
167
+  - name: Ensure that nrpe is running on Redhat-like and Suse systems 
168
+    systemd:
169
+      state: started
170
+      name: nrpe
171
+      enabled: yes
172
+      masked: no
173
+    when: ansible_os_family == 'RedHat' or ansible_os_family == 'Suse'
174
+
0 175
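Review bot: Both `dnf` tasks use `state: latest` together with `enablerepo: epel-modular,epel`, so every playbook run can pull new nrpe and plugin versions from EPEL onto the RedHat hosts, while the `zypper` task uses `state: present` and the `apt` task sets no state. Use `state: present` in the dnf tasks as well and leave upgrades to the regular patching process. The RedHat and Suse lists also install many plugins (for example `nagios-plugins-by_ssh`, `nagios-plugins-oracle`, `nagios-plugins-nt`) although the checks configured in the visible part of this commit are only ping, disk and load; trimming the lists to what nrpe actually runs keeps the installed footprint on every host small. In the two `systemd` tasks, `enabled: yes` and `masked: no` are better written as `enabled: true` and `masked: false`.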
new file mode 100644
... ...
@@ -0,0 +1,14 @@
1
+- name: Print server name
2
+  debug:
3
+    msg: Installing Nagios configuration for host {{ item.host_name }}
4
+
5
+- name: Copy nagios server file
6
+  template:
7
+    src: ../templates/monitoring/nagios_server.j2
8
+    dest: /etc/nagios/servers/{{ item.host_name }}.cfg
9
+    owner: root
10
+    group: nagios
11
+    mode: 0640
12
+  notify:
13
+  - reload nagios
14
+
0 15
new file mode 100644
... ...
@@ -0,0 +1,35 @@
1
+---
2
+- name: Setup Nagios server files
3
+  hosts: localhost
4
+
5
+
6
+  tasks:
7
+
8
+  - name: Update Nagios server configuration files
9
+    include_tasks: monitoring_server_files.yaml
10
+    loop:
11
+      - {host_name: aegis.ping.local, host_ip: 192.168.111.21}
12
+      - {host_name: centos8test.ping.local , host_ip: 192.168.111.41}
13
+      - {host_name: dropshuttle.ping.local, host_ip: 192.168.111.113}
14
+      - {host_name: fedora33test.ping.local, host_ip: 192.168.111.42}
15
+      - {host_name: jezynka.ping.local, host_ip: 192.168.111.110}
16
+      - {host_name: malinka.ping.local, host_ip: 192.168.111.106}
17
+      - {host_name: leap15test.ping.local, host_ip: 192.168.111.43}
18
+      - {host_name: outpost.ping.local, host_ip: 192.168.111.96}
19
+      #- {host_name: potemkin.ping.local, host_ip: 192.168.111.19} # LOCALHOST
20
+      - {host_name: python-cave.ping.local, host_ip: 192.168.111.50}
21
+      - {host_name: rawhide.ping.local, host_ip: 192.168.111.81}
22
+      - {host_name: rhel8.ping.local, host_ip: 192.168.111.83}
23
+      - {host_name: strategie.ping.local, host_ip: 192.168.111.60}
24
+      - {host_name: stream.ping.local, host_ip: 192.168.111.82}
25
+      - {host_name: ubuntu2004test.ping.local, host_ip: 192.168.111.40}
26
+      - {host_name: union.ping.local, host_ip: 192.168.111.96}
27
+  
28
+
29
+  handlers:
30
+
31
+  - name: reload nagios
32
+    systemd:
33
+      name: nagios
34
+      state: reloaded
35
+
0 36
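Review bot: `outpost.ping.local` and `union.ping.local` are both given `host_ip: 192.168.111.96` in the loop, which looks like a copy-and-paste slip. If they are different machines, Nagios would check the same address for both and an outage of one of them would go unnoticed, so please confirm the address for `union.ping.local`. The list also repeats the inventory by hand, so a short comment above `loop:` such as `# keep in sync with the inventory; potemkin is the Nagios server itself` would help whoever adds the next host.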
new file mode 100644
... ...
@@ -0,0 +1,69 @@
1
+---
2
+- name: Configure nrpe on monitored hosts 
3
+  hosts: all
4
+
5
+  tasks:
6
+
7
+  - name: Update nrpe configuration file on Debian-like systems
8
+    copy: 
9
+      src: ../templates/monitoring/nrpe.cfg_{{ ansible_os_family }}
10
+      dest: /etc/nagios/nrpe.cfg
11
+      owner: root
12
+      group: nagios
13
+      mode: 0640
14
+    when: ansible_os_family == 'Debian'
15
+    notify: restart nrpe D
16
+
17
+  - name: Update nrpe configuration file on RedHat-like systems
18
+    copy:
19
+      src: ../templates/monitoring/nrpe.cfg_{{ ansible_os_family }}
20
+      dest: /etc/nagios/nrpe.cfg
21
+      owner: root
22
+      group: nrpe
23
+      mode: 0640
24
+    when: ansible_os_family == 'RedHat'
25
+    notify: restart nrpe RS
26
+
27
+  - name: Update nrpe configuration file on Suse systems
28
+    copy:
29
+      src: ../templates/monitoring/nrpe.cfg_{{ ansible_os_family }}
30
+      dest: /etc/nrpe.cfg
31
+      owner: root
32
+      group: nagios
33
+      mode: 0640
34
+    when: ansible_os_family == 'Suse'
35
+    notify: restart nrpe RS
36
+
37
+  - name: Remove checks from rpm packages on Suse host
38
+    file:
39
+      path: "{{ item }}"
40
+      state: absent
41
+    notify:
42
+    - restart nrpe RS
43
+    when: ansible_os_family == 'Suse'
44
+    with_items:
45
+      - /etc/nrpe.d/check_keepalived.cfg
46
+      - /etc/nrpe.d/check_load.cfg
47
+      - /etc/nrpe.d/check_mysql.cfg
48
+      - /etc/nrpe.d/check_ntp_time.cfg
49
+      - /etc/nrpe.d/check_partition_root.cfg
50
+      - /etc/nrpe.d/check_proc_cron.cfg
51
+      - /etc/nrpe.d/check_swap.cfg
52
+      - /etc/nrpe.d/check_total_procs.cfg
53
+      - /etc/nrpe.d/check_ups.cfg
54
+      - /etc/nrpe.d/check_users.cfg
55
+      - /etc/nrpe.d/check_zombie_procs.cfg
56
+  
57
+
58
+  handlers:
59
+
60
+  - name: restart nrpe RS
61
+    systemd:
62
+      name: nrpe
63
+      state: restarted
64
+
65
+  - name: restart nrpe D
66
+    systemd:
67
+      name: nagios-nrpe-server
68
+      state: restarted
69
+
0 70
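Review bot: The handler names `restart nrpe RS` and `restart nrpe D` do not say what the suffixes stand for; judging by the `when:` conditions they mean RedHat/Suse (unit `nrpe`) and Debian (unit `nagios-nrpe-server`). A comment above the `handlers:` block, for example `# RS = RedHat/Suse unit "nrpe", D = Debian unit "nagios-nrpe-server"`, would document that. The Suse cleanup task uses `with_items` while the rest of the commit uses `loop`; using `loop` there too keeps the style uniform.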
new file mode 100644
... ...
@@ -0,0 +1,34 @@
1
+---
2
+- name: Copy nrpe checks to Debian-like hosts
3
+  template:
4
+    src: ../templates/monitoring/various_checks.j2
5
+    dest: /etc/nagios/nrpe.d/various_checks.cfg
6
+    owner: root
7
+    group: nagios
8
+    mode: 0640
9
+  notify:
10
+  - restart nrpe D
11
+  when: ansible_os_family == 'Debian'
12
+
13
+- name: Copy nrpe checks to Redhat-like hosts
14
+  template:
15
+    src: ../templates/monitoring/various_checks.j2
16
+    dest: /etc/nrpe.d/various_checks.cfg
17
+    owner: root
18
+    group: nrpe
19
+    mode: 0640
20
+  notify:
21
+  - restart nrpe RS
22
+  when: ansible_os_family == 'RedHat'
23
+
24
+- name: Copy nrpe checks to Suse hosts
25
+  template:
26
+    src: ../templates/monitoring/various_checks.j2
27
+    dest: /etc/nrpe.d/various_checks.cfg
28
+    owner: root
29
+    group: nagios
30
+    mode: 0640
31
+  notify:
32
+  - restart nrpe RS
33
+  when: ansible_os_family == 'Suse'
34
+
... ...
@@ -16,6 +16,7 @@ python-cave.ping.local
16 16
 rawhide.ping.local
17 17
 strategie.ping.local
18 18
 stream.ping.local
19
+rhel8.ping.local
19 20
 
20 21
 ubuntu2004test.ping.local
21 22
 centos8test.ping.local
22 23
new file mode 100644
... ...
@@ -0,0 +1,35 @@
1
+---
2
+- import_playbook: helpers/monitoring_basic_setup.yaml
3
+- import_playbook: helpers/monitoring_setup_nrpe.yaml
4
+- import_playbook: helpers/monitoring_setup_nagios_servers.yaml
5
+
6
+- name: Setup nrpe checks
7
+  hosts: all
8
+
9
+  tasks:
10
+
11
+  - name: Update nrpe checks configuration to Redhat-like hosts.
12
+    include_tasks: helpers/monitoring_setup_nrpe_checks.yaml
13
+    loop:
14
+    - {plugin_path: "/usr/lib64/nagios/plugins"}
15
+    when: ansible_os_family == 'RedHat'
16
+  
17
+  - name: Update nrpe checks configuration to Debian-like and Suse hosts.
18
+    include_tasks: helpers/monitoring_setup_nrpe_checks.yaml
19
+    loop:
20
+    - {plugin_path: "/usr/lib/nagios/plugins"}
21
+    when: ansible_os_family == 'Debian' or ansible_os_family == 'Suse'
22
+
23
+
24
+  handlers:
25
+
26
+  - name: restart nrpe RS
27
+    systemd:
28
+      name: nrpe
29
+      state: restarted
30
+
31
+  - name: restart nrpe D
32
+    systemd:
33
+      name: nagios-nrpe-server
34
+      state: restarted
35
+
0 36
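Review bot: The one-element `loop` in both tasks only hands the directory to the included tasks as `item.plugin_path`, but the check-script templates added in this commit read `{{ plugins_path }}`. Unless `plugins_path` is defined in a file not shown here, those templates will fail on an undefined variable. Passing the value by name is clearer and removes the mismatch: replace `loop:` and its item with `vars:` and `plugins_path: /usr/lib64/nagios/plugins` (`/usr/lib/nagios/plugins` in the second task), and adjust any template that reads `item.plugin_path`.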
new file mode 100644
... ...
@@ -0,0 +1,7 @@
1
+<?xml version="1.0" encoding="utf-8"?>
2
+<zone>
3
+  <short>monitoring</short>
4
+  <description>Traffic for monitoring server.</description>
5
+  <source address="192.168.111.19"/>
6
+</zone>
7
+
0 8
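Review bot: The monitoring server address `192.168.111.19` is hard-coded in this zone file, and the same literal appears in `allowed_hosts` in the managed nrpe.cfg and in the MariaDB firewall loop items. A change of monitoring server therefore has to be made in several places, and a missed one leaves a stale allow rule behind. Because the task deploys this file with `copy`, the address cannot come from a variable; switching that task to `template` and writing `<source address="{{ monitoring_server_ip }}"/>` (the variable name is a placeholder) would give one source of truth. The zone also has no `<service>` or `<port>` element, so it presumably relies on another task to open the NRPE port; an XML comment saying where that happens would help the next reader.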
new file mode 100644
... ...
@@ -0,0 +1,3 @@
1
+# Managed with Ansible
2
+command[check_disk]=/usr/local/bin/check_disk
3
+
0 4
new file mode 100644
... ...
@@ -0,0 +1,6 @@
1
+#!/bin/bash
2
+# Managed with Ansible
3
+
4
+cd {{ plugins_path }}
5
+./check_disk / -w 20% -c 10%
6
+
0 7
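Review bot: The result of `cd {{ plugins_path }}` is not checked, so if the directory is missing or the variable renders empty, the script goes on to run `./check_disk` from whatever directory nrpe started it in. Call the plugin by absolute path instead, `exec "{{ plugins_path }}/check_disk" / -w 20% -c 10%`, or at least use `cd "{{ plugins_path }}" || exit 3` so that Nagios reports UNKNOWN. The check_load wrapper added further down in this commit has the same `cd` followed by `./check_load` and should get the same change.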
new file mode 100644
... ...
@@ -0,0 +1,3 @@
1
+# Managed with Ansible
2
+command[check_load]=/usr/local/bin/check_load
3
+
0 4
new file mode 100644
... ...
@@ -0,0 +1,6 @@
1
+#!/bin/bash
2
+# Managed with Ansible
3
+
4
+cd {{ plugins_path }}
5
+./check_load -w "$(($(nproc --all)))" -c "$(($(nproc --all)+1))"
6
+
0 7
new file mode 100644
... ...
@@ -0,0 +1,28 @@
1
+define host {
2
+    use                     linux-server
3
+    host_name               {{ item.host_name }}
4
+    alias                   {{ item.host_name }}
5
+    address                 {{ item.host_ip }}
6
+}
7
+
8
+define service {
9
+    use                     bindir-service
10
+    host_name               {{ item.host_name }}
11
+    service_description     PING
12
+    check_command           check_ping!100.0,20%!500.0,60%
13
+}
14
+
15
+define service {
16
+    use                     bindir-service
17
+    host_name               {{ item.host_name }}
18
+    service_description     DISK_ROOT
19
+    check_command           check_nrpe!-c check_disk
20
+}
21
+
22
+define service{
23
+    use                     bindir-service
24
+    host_name               {{ item.host_name }}
25
+    service_description     LOAD
26
+    check_command           check_nrpe!-c check_load
27
+}
28
+
0 29
new file mode 100644
... ...
@@ -0,0 +1,376 @@
1
+#############################################################################
2
+#
3
+# -------- Managed with Ansible ---------
4
+# 
5
+#  Sample NRPE Config File
6
+#
7
+#  Notes:
8
+#
9
+#  This is a sample configuration file for the NRPE daemon.  It needs to be
10
+#  located on the remote host that is running the NRPE daemon, not the host
11
+#  from which the check_nrpe client is being executed.
12
+#
13
+#############################################################################
14
+
15
+
16
+# LOG FACILITY
17
+# The syslog facility that should be used for logging purposes.
18
+
19
+log_facility=daemon
20
+
21
+
22
+
23
+# LOG FILE
24
+# If a log file is specified in this option, nrpe will write to
25
+# that file instead of using syslog.
26
+
27
+#log_file=/var/log/nrpe.log
28
+
29
+
30
+
31
+# DEBUGGING OPTION
32
+# This option determines whether or not debugging messages are logged to the
33
+# syslog facility.
34
+# Values: 0=debugging off, 1=debugging on
35
+
36
+debug=0
37
+
38
+
39
+
40
+# PID FILE
41
+# The name of the file in which the NRPE daemon should write it's process ID
42
+# number.  The file is only written if the NRPE daemon is started by the root
43
+# user and is running in standalone mode.
44
+
45
+pid_file=/var/run/nagios/nrpe.pid
46
+
47
+
48
+
49
+# PORT NUMBER
50
+# Port number we should wait for connections on.
51
+# NOTE: This must be a non-privileged port (i.e. > 1024).
52
+# NOTE: This option is ignored if NRPE is running under either inetd or xinetd
53
+
54
+server_port=5666
55
+
56
+
57
+
58
+# SERVER ADDRESS
59
+# Address that nrpe should bind to in case there are more than one interface
60
+# and you do not want nrpe to bind on all interfaces.
61
+# NOTE: This option is ignored if NRPE is running under either inetd or xinetd
62
+
63
+#server_address=127.0.0.1
64
+
65
+
66
+
67
+# LISTEN QUEUE SIZE
68
+# Listen queue size (backlog) for serving incoming connections.
69
+# You may want to increase this value under high load.
70
+
71
+#listen_queue_size=5
72
+
73
+
74
+
75
+# NRPE USER
76
+# This determines the effective user that the NRPE daemon should run as.
77
+# You can either supply a username or a UID.
78
+#
79
+# NOTE: This option is ignored if NRPE is running under either inetd or xinetd
80
+
81
+nrpe_user=nagios
82
+
83
+
84
+
85
+# NRPE GROUP
86
+# This determines the effective group that the NRPE daemon should run as.
87
+# You can either supply a group name or a GID.
88
+#
89
+# NOTE: This option is ignored if NRPE is running under either inetd or xinetd
90
+
91
+nrpe_group=nagios
92
+
93
+
94
+
95
+# ALLOWED HOST ADDRESSES
96
+# This is an optional comma-delimited list of IP address or hostnames
97
+# that are allowed to talk to the NRPE daemon. Network addresses with a bit mask
98
+# (i.e. 192.168.1.0/24) are also supported. Hostname wildcards are not currently
99
+# supported.
100
+#
101
+# Note: The daemon only does rudimentary checking of the client's IP
102
+# address.  I would highly recommend adding entries in your /etc/hosts.allow
103
+# file to allow only the specified host to connect to the port
104
+# you are running this daemon on.
105
+#
106
+# NOTE: This option is ignored if NRPE is running under either inetd or xinetd
107
+
108
+allowed_hosts=127.0.0.1,::1,192.168.111.19
109
+
110
+
111
+
112
+# COMMAND ARGUMENT PROCESSING
113
+# This option determines whether or not the NRPE daemon will allow clients
114
+# to specify arguments to commands that are executed.  This option only works
115
+# if the daemon was configured with the --enable-command-args configure script
116
+# option.
117
+#
118
+# *** ENABLING THIS OPTION IS A SECURITY RISK! ***
119
+# Read the SECURITY file for information on some of the security implications
120
+# of enabling this variable.
121
+#
122
+# Values: 0=do not allow arguments, 1=allow command arguments
123
+
124
+dont_blame_nrpe=0
125
+
126
+
127
+
128
+# BASH COMMAND SUBSTITUTION
129
+# This option determines whether or not the NRPE daemon will allow clients
130
+# to specify arguments that contain bash command substitutions of the form
131
+# $(...).  This option only works if the daemon was configured with both
132
+# the --enable-command-args and --enable-bash-command-substitution configure
133
+# script options.
134
+#
135
+# *** ENABLING THIS OPTION IS A HIGH SECURITY RISK! ***
136
+# Read the SECURITY file for information on some of the security implications
137
+# of enabling this variable.
138
+#
139
+# Values: 0=do not allow bash command substitutions,
140
+#         1=allow bash command substitutions
141
+
142
+allow_bash_command_substitution=0
143
+
144
+
145
+
146
+# COMMAND PREFIX
147
+# This option allows you to prefix all commands with a user-defined string.
148
+# A space is automatically added between the specified prefix string and the
149
+# command line from the command definition.
150
+#
151
+# *** THIS EXAMPLE MAY POSE A POTENTIAL SECURITY RISK, SO USE WITH CAUTION! ***
152
+# Usage scenario:
153
+# Execute restricted commmands using sudo.  For this to work, you need to add
154
+# the nagios user to your /etc/sudoers.  An example entry for allowing
155
+# execution of the plugins from might be:
156
+#
157
+# nagios          ALL=(ALL) NOPASSWD: /usr/lib/nagios/plugins/
158
+#
159
+# This lets the nagios user run all commands in that directory (and only them)
160
+# without asking for a password.  If you do this, make sure you don't give
161
+# random users write access to that directory or its contents!
162
+
163
+# command_prefix=/usr/bin/sudo
164
+
165
+
166
+# MAX COMMANDS
167
+# This specifies how many children processes may be spawned at any one
168
+# time, essentially limiting the fork()s that occur.
169
+# Default (0) is set to unlimited
170
+# max_commands=0
171
+
172
+
173
+
174
+# COMMAND TIMEOUT
175
+# This specifies the maximum number of seconds that the NRPE daemon will
176
+# allow plugins to finish executing before killing them off.
177
+
178
+command_timeout=60
179
+
180
+
181
+
182
+# CONNECTION TIMEOUT
183
+# This specifies the maximum number of seconds that the NRPE daemon will
184
+# wait for a connection to be established before exiting. This is sometimes
185
+# seen where a network problem stops the SSL being established even though
186
+# all network sessions are connected. This causes the nrpe daemons to
187
+# accumulate, eating system resources. Do not set this too low.
188
+
189
+connection_timeout=300
190
+
191
+
192
+
193
+# WEAK RANDOM SEED OPTION
194
+# This directive allows you to use SSL even if your system does not have
195
+# a /dev/random or /dev/urandom (on purpose or because the necessary patches
196
+# were not applied). The random number generator will be seeded from a file
197
+# which is either a file pointed to by the environment valiable $RANDFILE
198
+# or $HOME/.rnd. If neither exists, the pseudo random number generator will
199
+# be initialized and a warning will be issued.
200
+# Values: 0=only seed from /dev/[u]random, 1=also seed from weak randomness
201
+
202
+#allow_weak_random_seed=1
203
+
204
+
205
+
206
+# SSL/TLS OPTIONS
207
+# These directives allow you to specify how to use SSL/TLS.
208
+
209
+# SSL VERSION
210
+# This can be any of: SSLv2 (only use SSLv2), SSLv2+ (use any version),
211
+#        SSLv3 (only use SSLv3), SSLv3+ (use SSLv3 or above), TLSv1 (only use
212
+#        TLSv1), TLSv1+ (use TLSv1 or above), TLSv1.1 (only use TLSv1.1),
213
+#        TLSv1.1+ (use TLSv1.1 or above), TLSv1.2 (only use TLSv1.2),
214
+#        TLSv1.2+ (use TLSv1.2 or above)
215
+# If an "or above" version is used, the best will be negotiated. So if both
216
+# ends are able to do TLSv1.2 and use specify SSLv2, you will get TLSv1.2.
217
+# If you are using openssl 1.1.0 or above, the SSLv2 options are not available.
218
+
219
+#ssl_version=SSLv2+
220
+
221
+# SSL USE ADH
222
+# This is for backward compatibility and is DEPRECATED. Set to 1 to enable
223
+# ADH or 2 to require ADH. 1 is currently the default but will be changed
224
+# in a later version.
225
+
226
+#ssl_use_adh=1
227
+
228
+# SSL CIPHER LIST
229
+# This lists which ciphers can be used. For backward compatibility, this
230
+# defaults to 'ssl_cipher_list=ALL:!MD5:@STRENGTH' for < OpenSSL 1.1.0,
231
+# and 'ssl_cipher_list=ALL:!MD5:@STRENGTH:@SECLEVEL=0' for OpenSSL 1.1.0 and
232
+# greater. 
233
+
234
+#ssl_cipher_list=ALL:!MD5:@STRENGTH
235
+#ssl_cipher_list=ALL:!MD5:@STRENGTH:@SECLEVEL=0
236
+#ssl_cipher_list=ALL:!aNULL:!eNULL:!SSLv2:!LOW:!EXP:!RC4:!MD5:@STRENGTH
237
+
238
+# SSL Certificate and Private Key Files
239
+
240
+#ssl_cacert_file=/etc/ssl/servercerts/ca-cert.pem
241
+#ssl_cert_file=/etc/ssl/servercerts/nagios-cert.pem
242
+#ssl_privatekey_file=/etc/ssl/servercerts/nagios-key.pem
243
+
244
+# SSL USE CLIENT CERTS
245
+# This options determines client certificate usage.
246
+# Values: 0 = Don't ask for or require client certificates (default)
247
+#         1 = Ask for client certificates
248
+#         2 = Require client certificates
249
+
250
+#ssl_client_certs=0
251
+
252
+# SSL LOGGING
253
+# This option determines which SSL messages are send to syslog. OR values
254
+# together to specify multiple options.
255
+
256
+# Values: 0x00 (0)  = No additional logging (default)
257
+#         0x01 (1)  = Log startup SSL/TLS parameters
258
+#         0x02 (2)  = Log remote IP address
259
+#         0x04 (4)  = Log SSL/TLS version of connections
260
+#         0x08 (8)  = Log which cipher is being used for the connection
261
+#         0x10 (16) = Log if client has a certificate
262
+#         0x20 (32) = Log details of client's certificate if it has one
263
+#         -1 or 0xff or 0x2f = All of the above
264
+
265
+#ssl_logging=0x00
266
+
267
+
268
+
269
+# NASTY METACHARACTERS
270
+# This option allows you to override the list of characters that cannot
271
+# be passed to the NRPE daemon.
272
+
273
+# nasty_metachars="|`&><'\\[]{};\r\n"
274
+
275
+
276
+
277
+# COMMAND DEFINITIONS
278
+# Command definitions that this daemon will run.  Definitions
279
+# are in the following format:
280
+#
281
+# command[<command_name>]=<command_line>
282
+#
283
+# When the daemon receives a request to return the results of <command_name>
284
+# it will execute the command specified by the <command_line> argument.
285
+#
286
+# Unlike Nagios, the command line cannot contain macros - it must be
287
+# typed exactly as it should be executed.
288
+#
289
+# Note: Any plugins that are used in the command lines must reside
290
+# on the machine that this daemon is running on!  The examples below
291
+# assume that you have plugins installed in a /usr/local/nagios/libexec
292
+# directory.  Also note that you will have to modify the definitions below
293
+# to match the argument format the plugins expect.  Remember, these are
294
+# examples only!
295
+
296
+
297
+# The following examples use hardcoded command arguments...
298
+# This is by far the most secure method of using NRPE
299
+
300
+command[check_users]=/usr/lib/nagios/plugins/check_users -w 5 -c 10
301
+command[check_load]=/usr/lib/nagios/plugins/check_load -r -w .15,.10,.05 -c .30,.25,.20
302
+command[check_hda1]=/usr/lib/nagios/plugins/check_disk -w 20% -c 10% -p /dev/hda1
303
+command[check_zombie_procs]=/usr/lib/nagios/plugins/check_procs -w 5 -c 10 -s Z
304
+command[check_total_procs]=/usr/lib/nagios/plugins/check_procs -w 150 -c 200
305
+
306
+
307
+# The following examples allow user-supplied arguments and can
308
+# only be used if the NRPE daemon was compiled with support for
309
+# command arguments *AND* the dont_blame_nrpe directive in this
310
+# config file is set to '1'.  This poses a potential security risk, so
311
+# make sure you read the SECURITY file before doing this.
312
+
313
+### MISC SYSTEM METRICS ###
314
+#command[check_users]=/usr/lib/nagios/plugins/check_users $ARG1$
315
+#command[check_load]=/usr/lib/nagios/plugins/check_load $ARG1$
316
+#command[check_disk]=/usr/lib/nagios/plugins/check_disk $ARG1$
317
+#command[check_swap]=/usr/lib/nagios/plugins/check_swap $ARG1$
318
+#command[check_cpu_stats]=/usr/lib/nagios/plugins/check_cpu_stats.sh $ARG1$
319
+#command[check_mem]=/usr/lib/nagios/plugins/custom_check_mem -n $ARG1$
320
+
321
+### GENERIC SERVICES ###
322
+#command[check_init_service]=sudo /usr/lib/nagios/plugins/check_init_service $ARG1$
323
+#command[check_services]=/usr/lib/nagios/plugins/check_services -p $ARG1$
324
+
325
+### SYSTEM UPDATES ###
326
+#command[check_yum]=/usr/lib/nagios/plugins/check_yum
327
+#command[check_apt]=/usr/lib/nagios/plugins/check_apt
328
+
329
+### PROCESSES ###
330
+#command[check_all_procs]=/usr/lib/nagios/plugins/custom_check_procs
331
+#command[check_procs]=/usr/lib/nagios/plugins/check_procs $ARG1$
332
+
333
+### OPEN FILES ###
334
+#command[check_open_files]=/usr/lib/nagios/plugins/check_open_files.pl $ARG1$
335
+
336
+### NETWORK CONNECTIONS ###
337
+#command[check_netstat]=/usr/lib/nagios/plugins/check_netstat.pl -p $ARG1$ $ARG2$
338
+
339
+### ASTERISK ###
340
+#command[check_asterisk]=/usr/lib/nagios/plugins/check_asterisk.pl $ARG1$
341
+#command[check_sip]=/usr/lib/nagios/plugins/check_sip $ARG1$
342
+#command[check_asterisk_sip_peers]=sudo /usr/lib/nagios/plugins/check_asterisk_sip_peers.sh $ARG1$
343
+#command[check_asterisk_version]=/usr/lib/nagios/plugins/nagisk.pl -c version
344
+#command[check_asterisk_peers]=/usr/lib/nagios/plugins/nagisk.pl -c peers
345
+#command[check_asterisk_channels]=/usr/lib/nagios/plugins/nagisk.pl -c channels 
346
+#command[check_asterisk_zaptel]=/usr/lib/nagios/plugins/nagisk.pl -c zaptel 
347
+#command[check_asterisk_span]=/usr/lib/nagios/plugins/nagisk.pl -c span -s 1
348
+
349
+
350
+
351
+# INCLUDE CONFIG FILE
352
+# This directive allows you to include definitions from an external config file.
353
+
354
+#include=<somefile.cfg>
355
+
356
+
357
+
358
+# INCLUDE CONFIG DIRECTORY
359
+# This directive allows you to include definitions from config files (with a
360
+# .cfg extension) in one or more directories (with recursion).
361
+
362
+#include_dir=<somedirectory>
363
+#include_dir=<someotherdirectory>
364
+
365
+
366
+
367
+# local configuration:
368
+# if you'd prefer, you can instead place directives here
369
+
370
+include=/etc/nagios/nrpe_local.cfg
371
+
372
+# you can place your config snipplets into nrpe.d/
373
+# only snipplets ending in .cfg will get included
374
+
375
+include_dir=/etc/nagios/nrpe.d/
376
+
0 377
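Review bot: All SSL/TLS directives in this managed nrpe.cfg are left commented out, so by the file's own comments the daemon runs with the default `ssl_use_adh=1` and a cipher list of `ALL:!MD5:@STRENGTH` (with `@SECLEVEL=0` on OpenSSL 1.1.0 and later). That means anonymous DH, with nothing authenticating the peer beyond the `allowed_hosts` address check that the comments themselves call rudimentary. Since the file is now deployed centrally, I would set `ssl_version=TLSv1.2+` and `ssl_use_adh=0` explicitly, and move to `ssl_client_certs=2` with the certificate paths filled in once certificates are distributed. Separately, the sample `command[check_load]=...` line kept here defines the same command name as the `command[check_load]=/usr/local/bin/check_load` fragment added in this commit, and `check_hda1` points at `/dev/hda1`; removing the sample command block would leave one definition per check.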
new file mode 100644
... ...
@@ -0,0 +1,374 @@
1
+#############################################################################
2
+#  
3
+# ------- Managed with Ansible ---------
4
+#
5
+#  Sample NRPE Config File
6
+#
7
+#  Notes:
8
+#
9
+#  This is a sample configuration file for the NRPE daemon.  It needs to be
10
+#  located on the remote host that is running the NRPE daemon, not the host
11
+#  from which the check_nrpe client is being executed.
12
+#
13
+#############################################################################
14
+
15
+
16
+# LOG FACILITY
17
+# The syslog facility that should be used for logging purposes.
18
+
19
+log_facility=daemon
20
+
21
+
22
+
23
+# LOG FILE
24
+# If a log file is specified in this option, nrpe will write to
25
+# that file instead of using syslog.
26
+
27
+#log_file=/var/run/nrpe.log
28
+
29
+
30
+
31
+# DEBUGGING OPTION
32
+# This option determines whether or not debugging messages are logged to the
33
+# syslog facility.
34
+# Values: 0=debugging off, 1=debugging on
35
+
36
+debug=0
37
+
38
+
39
+
40
+# PID FILE
41
+# The name of the file in which the NRPE daemon should write it's process ID
42
+# number.  The file is only written if the NRPE daemon is started by the root
43
+# user and is running in standalone mode.
44
+
45
+pid_file=/var/run/nrpe/nrpe.pid
46
+
47
+
48
+
49
+# PORT NUMBER
50
+# Port number we should wait for connections on.
51
+# NOTE: This must be a non-privileged port (i.e. > 1024).
52
+# NOTE: This option is ignored if NRPE is running under either inetd or xinetd
53
+
54
+server_port=5666
55
+
56
+
57
+
58
+# SERVER ADDRESS
59
+# Address that nrpe should bind to in case there are more than one interface
60
+# and you do not want nrpe to bind on all interfaces.
61
+# NOTE: This option is ignored if NRPE is running under either inetd or xinetd
62
+
63
+#server_address=192.168.111.60
64
+
65
+
66
+
67
+# LISTEN QUEUE SIZE
68
+# Listen queue size (backlog) for serving incoming connections.
69
+# You may want to increase this value under high load.
70
+
71
+#listen_queue_size=5
72
+
73
+
74
+
75
+# NRPE USER
76
+# This determines the effective user that the NRPE daemon should run as.
77
+# You can either supply a username or a UID.
78
+#
79
+# NOTE: This option is ignored if NRPE is running under either inetd or xinetd
80
+
81
+nrpe_user=nrpe
82
+
83
+
84
+
85
+# NRPE GROUP
86
+# This determines the effective group that the NRPE daemon should run as.
87
+# You can either supply a group name or a GID.
88
+#
89
+# NOTE: This option is ignored if NRPE is running under either inetd or xinetd
90
+
91
+nrpe_group=nrpe
92
+
93
+
94
+
95
+# ALLOWED HOST ADDRESSES
96
+# This is an optional comma-delimited list of IP address or hostnames
97
+# that are allowed to talk to the NRPE daemon. Network addresses with a bit mask
98
+# (i.e. 192.168.1.0/24) are also supported. Hostname wildcards are not currently
99
+# supported.
100
+#
101
+# Note: The daemon only does rudimentary checking of the client's IP
102
+# address.  I would highly recommend adding entries in your /etc/hosts.allow
103
+# file to allow only the specified host to connect to the port
104
+# you are running this daemon on.
105
+#
106
+# NOTE: This option is ignored if NRPE is running under either inetd or xinetd
107
+
108
+allowed_hosts=127.0.0.1,::1,192.168.111.19
109
+
110
+
111
+
112
+# COMMAND ARGUMENT PROCESSING
113
+# This option determines whether or not the NRPE daemon will allow clients
114
+# to specify arguments to commands that are executed.  This option only works
115
+# if the daemon was configured with the --enable-command-args configure script
116
+# option.
117
+#
118
+# *** ENABLING THIS OPTION IS A SECURITY RISK! ***
119
+# Read the SECURITY file for information on some of the security implications
120
+# of enabling this variable.
121
+#
122
+# Values: 0=do not allow arguments, 1=allow command arguments
123
+
124
+dont_blame_nrpe=0
125
+
126
+
127
+
128
+# BASH COMMAND SUBSTITUTION
129
+# This option determines whether or not the NRPE daemon will allow clients
130
+# to specify arguments that contain bash command substitutions of the form
131
+# $(...).  This option only works if the daemon was configured with both
132
+# the --enable-command-args and --enable-bash-command-substitution configure
133
+# script options.
134
+#
135
+# *** ENABLING THIS OPTION IS A HIGH SECURITY RISK! ***
136
+# Read the SECURITY file for information on some of the security implications
137
+# of enabling this variable.
138
+#
139
+# Values: 0=do not allow bash command substitutions,
140
+#         1=allow bash command substitutions
141
+
142
+allow_bash_command_substitution=0
143
+
144
+
145
+
146
+# COMMAND PREFIX
147
+# This option allows you to prefix all commands with a user-defined string.
148
+# A space is automatically added between the specified prefix string and the
149
+# command line from the command definition.
150
+#
151
+# *** THIS EXAMPLE MAY POSE A POTENTIAL SECURITY RISK, SO USE WITH CAUTION! ***
152
+# Usage scenario:
153
+# Execute restricted commmands using sudo.  For this to work, you need to add
154
+# the nagios user to your /etc/sudoers.  An example entry for allowing
155
+# execution of the plugins from might be:
156
+#
157
+# nagios          ALL=(ALL) NOPASSWD: /usr/lib/nagios/plugins/
158
+#
159
+# This lets the nagios user run all commands in that directory (and only them)
160
+# without asking for a password.  If you do this, make sure you don't give
161
+# random users write access to that directory or its contents!
162
+
163
+# command_prefix=/usr/bin/sudo
164
+
165
+
166
+# MAX COMMANDS
167
+# This specifies how many children processes may be spawned at any one
168
+# time, essentially limiting the fork()s that occur.
169
+# Default (0) is set to unlimited
170
+# max_commands=0
171
+
172
+
173
+
174
+# COMMAND TIMEOUT
175
+# This specifies the maximum number of seconds that the NRPE daemon will
176
+# allow plugins to finish executing before killing them off.
177
+
178
+command_timeout=60
179
+
180
+
181
+
182
+# CONNECTION TIMEOUT
183
+# This specifies the maximum number of seconds that the NRPE daemon will
184
+# wait for a connection to be established before exiting. This is sometimes
185
+# seen where a network problem stops the SSL being established even though
186
+# all network sessions are connected. This causes the nrpe daemons to
187
+# accumulate, eating system resources. Do not set this too low.
188
+
189
+connection_timeout=300
190
+
191
+
192
+
193
+# WEAK RANDOM SEED OPTION
194
+# This directive allows you to use SSL even if your system does not have
195
+# a /dev/random or /dev/urandom (on purpose or because the necessary patches
196
+# were not applied). The random number generator will be seeded from a file
197
+# which is either a file pointed to by the environment valiable $RANDFILE
198
+# or $HOME/.rnd. If neither exists, the pseudo random number generator will
199
+# be initialized and a warning will be issued.
200
+# Values: 0=only seed from /dev/[u]random, 1=also seed from weak randomness
201
+
202
+#allow_weak_random_seed=1
203
+
204
+
205
+
206
+# SSL/TLS OPTIONS
207
+# These directives allow you to specify how to use SSL/TLS.
208
+
209
+# SSL VERSION
210
+# This can be any of: SSLv2 (only use SSLv2), SSLv2+ (use any version),
211
+#        SSLv3 (only use SSLv3), SSLv3+ (use SSLv3 or above), TLSv1 (only use
212
+#        TLSv1), TLSv1+ (use TLSv1 or above), TLSv1.1 (only use TLSv1.1),
213
+#        TLSv1.1+ (use TLSv1.1 or above), TLSv1.2 (only use TLSv1.2),
214
+#        TLSv1.2+ (use TLSv1.2 or above)
215
+# If an "or above" version is used, the best will be negotiated. So if both
216
+# ends are able to do TLSv1.2 and use specify SSLv2, you will get TLSv1.2.
217
+# If you are using openssl 1.1.0 or above, the SSLv2 options are not available.
218
+
219
+#ssl_version=SSLv2+
220
+
221
+# SSL USE ADH
222
+# This is for backward compatibility and is DEPRECATED. Set to 1 to enable
223
+# ADH or 2 to require ADH. 1 is currently the default but will be changed
224
+# in a later version.
225
+
226
+#ssl_use_adh=1
227
+
228
+# SSL CIPHER LIST
229
+# This lists which ciphers can be used. For backward compatibility, this
230
+# defaults to 'ssl_cipher_list=ALL:!MD5:@STRENGTH' for < OpenSSL 1.1.0,
231
+# and 'ssl_cipher_list=ALL:!MD5:@STRENGTH:@SECLEVEL=0' for OpenSSL 1.1.0 and
232
+# greater. 
233
+
234
+#ssl_cipher_list=ALL:!MD5:@STRENGTH
235
+#ssl_cipher_list=ALL:!MD5:@STRENGTH:@SECLEVEL=0
236
+#ssl_cipher_list=ALL:!aNULL:!eNULL:!SSLv2:!LOW:!EXP:!RC4:!MD5:@STRENGTH
237
+
238
+# SSL Certificate and Private Key Files
239
+
240
+#ssl_cacert_file=/etc/ssl/servercerts/ca-cert.pem
241
+#ssl_cert_file=/etc/ssl/servercerts/nagios-cert.pem
242
+#ssl_privatekey_file=/etc/ssl/servercerts/nagios-key.pem
243
+
244
+# SSL USE CLIENT CERTS
245
+# This options determines client certificate usage.
246
+# Values: 0 = Don't ask for or require client certificates (default)
247
+#         1 = Ask for client certificates
248
+#         2 = Require client certificates
249
+
250
+#ssl_client_certs=0
251
+
252
+# SSL LOGGING
253
+# This option determines which SSL messages are send to syslog. OR values
254
+# together to specify multiple options.
255
+
256
+# Values: 0x00 (0)  = No additional logging (default)
257
+#         0x01 (1)  = Log startup SSL/TLS parameters
258
+#         0x02 (2)  = Log remote IP address
259
+#         0x04 (4)  = Log SSL/TLS version of connections
260
+#         0x08 (8)  = Log which cipher is being used for the connection
261
+#         0x10 (16) = Log if client has a certificate
262
+#         0x20 (32) = Log details of client's certificate if it has one
263
+#         -1 or 0xff or 0x2f = All of the above
264
+
265
+#ssl_logging=0x00
266
+
267
+
268
+
269
+# NASTY METACHARACTERS
270
+# This option allows you to override the list of characters that cannot
271
+# be passed to the NRPE daemon.
272
+
273
+# nasty_metachars="|`&><'\\[]{};\r\n"
274
+
275
+# This option allows you to enable or disable logging error messages to the syslog facilities.
276
+# If this option is not set, the error messages will be logged.
277
+disable_syslog=0
278
+
279
+# COMMAND DEFINITIONS
280
+# Command definitions that this daemon will run.  Definitions
281
+# are in the following format:
282
+#
283
+# command[<command_name>]=<command_line>
284
+#
285
+# When the daemon receives a request to return the results of <command_name>
286
+# it will execute the command specified by the <command_line> argument.
287
+#
288
+# Unlike Nagios, the command line cannot contain macros - it must be
289
+# typed exactly as it should be executed.
290
+#
291
+# Note: Any plugins that are used in the command lines must reside
292
+# on the machine that this daemon is running on!  The examples below
293
+# assume that you have plugins installed in a /usr/local/nagios/libexec
294
+# directory.  Also note that you will have to modify the definitions below
295
+# to match the argument format the plugins expect.  Remember, these are
296
+# examples only!
297
+
298
+
299
+# The following examples use hardcoded command arguments...
300
+# This is by far the most secure method of using NRPE
301
+
302
+command[check_users]=/usr/lib64/nagios/plugins/check_users -w 5 -c 10
303
+command[check_load]=/usr/lib64/nagios/plugins/check_load -r -w .15,.10,.05 -c .30,.25,.20
304
+command[check_hda1]=/usr/lib64/nagios/plugins/check_disk -w 20% -c 10% -p /dev/hda1
305
+command[check_zombie_procs]=/usr/lib64/nagios/plugins/check_procs -w 5 -c 10 -s Z
306
+command[check_total_procs]=/usr/lib64/nagios/plugins/check_procs -w 150 -c 200
307
+
308
+
309
+# The following examples allow user-supplied arguments and can
310
+# only be used if the NRPE daemon was compiled with support for
311
+# command arguments *AND* the dont_blame_nrpe directive in this
312
+# config file is set to '1'.  This poses a potential security risk, so
313
+# make sure you read the SECURITY file before doing this.
314
+
315
+### MISC SYSTEM METRICS ###
316
+#command[check_users]=/usr/lib64/nagios/plugins/check_users $ARG1$
317
+#command[check_load]=/usr/lib64/nagios/plugins/check_load $ARG1$
318
+#command[check_disk]=/usr/lib64/nagios/plugins/check_disk $ARG1$
319
+#command[check_swap]=/usr/lib64/nagios/plugins/check_swap $ARG1$
320
+#command[check_cpu_stats]=/usr/lib64/nagios/plugins/check_cpu_stats.sh $ARG1$
321
+#command[check_mem]=/usr/lib64/nagios/plugins/custom_check_mem -n $ARG1$
322
+
323
+### GENERIC SERVICES ###
324
+#command[check_init_service]=sudo /usr/lib64/nagios/plugins/check_init_service $ARG1$
325
+#command[check_services]=/usr/lib64/nagios/plugins/check_services -p $ARG1$
326
+
327
+### SYSTEM UPDATES ###
328
+#command[check_yum]=/usr/lib64/nagios/plugins/check_yum
329
+#command[check_apt]=/usr/lib64/nagios/plugins/check_apt
330
+
331
+### PROCESSES ###
332
+#command[check_all_procs]=/usr/lib64/nagios/plugins/custom_check_procs
333
+#command[check_procs]=/usr/lib64/nagios/plugins/check_procs $ARG1$
334
+
335
+### OPEN FILES ###
336
+#command[check_open_files]=/usr/lib64/nagios/plugins/check_open_files.pl $ARG1$
337
+
338
+### NETWORK CONNECTIONS ###
339
+#command[check_netstat]=/usr/lib64/nagios/plugins/check_netstat.pl -p $ARG1$ $ARG2$
340
+
341
+### ASTERISK ###
342
+#command[check_asterisk]=/usr/lib64/nagios/plugins/check_asterisk.pl $ARG1$
343
+#command[check_sip]=/usr/lib64/nagios/plugins/check_sip $ARG1$
344
+#command[check_asterisk_sip_peers]=sudo /usr/lib64/nagios/plugins/check_asterisk_sip_peers.sh $ARG1$
345
+#command[check_asterisk_version]=/usr/lib64/nagios/plugins/nagisk.pl -c version
346
+#command[check_asterisk_peers]=/usr/lib64/nagios/plugins/nagisk.pl -c peers
347
+#command[check_asterisk_channels]=/usr/lib64/nagios/plugins/nagisk.pl -c channels 
348
+#command[check_asterisk_zaptel]=/usr/lib64/nagios/plugins/nagisk.pl -c zaptel 
349
+#command[check_asterisk_span]=/usr/lib64/nagios/plugins/nagisk.pl -c span -s 1
350
+
351
+
352
+
353
+# INCLUDE CONFIG FILE
354
+# This directive allows you to include definitions from an external config file.
355
+
356
+#include=<somefile.cfg>
357
+
358
+
359
+
360
+# INCLUDE CONFIG DIRECTORY
361
+# This directive allows you to include definitions from config files (with a
362
+# .cfg extension) in one or more directories (with recursion).
363
+
364
+#include_dir=<somedirectory>
365
+#include_dir=<someotherdirectory>
366
+
367
+include_dir=/etc/nrpe.d/
368
+
369
+# KEEP ENVIRONMENT VARIABLES
370
+# This directive allows you to retain specific variables from the environment
371
+# when starting the NRPE daemon. 
372
+
373
+#keep_env_vars=NRPE_MULTILINESUPPORT,NRPE_PROGRAMVERSION
374
+
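Review bot: The SSL/TLS block (file lines 206–265) leaves every directive commented out, so by the file's own comments the daemon runs with `ssl_use_adh=1` and a cipher list of `ALL:!MD5:@STRENGTH` (plus `@SECLEVEL=0` on OpenSSL 1.1.0 and later). Anonymous DH is therefore accepted, and the only thing that identifies the poller is `allowed_hosts`, which the comment at file line 101 itself calls rudimentary. I would pin the transport explicitly with `ssl_version=TLSv1.2+` and the stricter list already present as a comment, `ssl_cipher_list=ALL:!aNULL:!eNULL:!SSLv2:!LOW:!EXP:!RC4:!MD5:@STRENGTH`. Excluding aNULL only works once `ssl_cert_file` and `ssl_privatekey_file` are deployed and check_nrpe on 192.168.111.19 is configured to match, so this probably has to land together with certificate distribution. The 365-line NRPE config added next in this commit has the same block.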
0 375
new file mode 100644
... ...
@@ -0,0 +1,365 @@
1
+#############################################################################
2
+#
3
+# ------- Managed with Ansible ---------
4
+#
5
+#  Sample NRPE Config File
6
+#
7
+#  Notes:
8
+#
9
+#  This is a sample configuration file for the NRPE daemon.  It needs to be
10
+#  located on the remote host that is running the NRPE daemon, not the host
11
+#  from which the check_nrpe client is being executed.
12
+#
13
+#############################################################################
14
+
15
+
16
+# LOG FACILITY
17
+# The syslog facility that should be used for logging purposes.
18
+
19
+log_facility=daemon
20
+
21
+
22
+
23
+# LOG FILE
24
+# If a log file is specified in this option, nrpe will write to
25
+# that file instead of using syslog.
26
+
27
+#log_file=/var/log/nagios/nrpe.log
28
+
29
+
30
+
31
+# DEBUGGING OPTION
32
+# This option determines whether or not debugging messages are logged to the
33
+# syslog facility.
34
+# Values: 0=debugging off, 1=debugging on
35
+
36
+debug=0
37
+
38
+
39
+
40
+# PID FILE
41
+# The name of the file in which the NRPE daemon should write it's process ID
42
+# number.  The file is only written if the NRPE daemon is started by the root
43
+# user and is running in standalone mode.
44
+
45
+pid_file=/run/nrpe/nrpe.pid
46
+
47
+
48
+
49
+# PORT NUMBER
50
+# Port number we should wait for connections on.
51
+# NOTE: This must be a non-privileged port (i.e. > 1024).
52
+# NOTE: This option is ignored if NRPE is running under either inetd or xinetd
53
+
54
+server_port=5666
55
+
56
+
57
+
58
+# SERVER ADDRESS
59
+# Address that nrpe should bind to in case there are more than one interface
60
+# and you do not want nrpe to bind on all interfaces.
61
+# NOTE: This option is ignored if NRPE is running under either inetd or xinetd
62
+
63
+#server_address=127.0.0.1
64
+
65
+
66
+
67
+# LISTEN QUEUE SIZE
68
+# Listen queue size (backlog) for serving incoming connections.
69
+# You may want to increase this value under high load.
70
+
71
+#listen_queue_size=5
72
+
73
+
74
+
75
+# NRPE USER
76
+# This determines the effective user that the NRPE daemon should run as.
77
+# You can either supply a username or a UID.
78
+#
79
+# NOTE: This option is ignored if NRPE is running under either inetd or xinetd
80
+
81
+nrpe_user=nagios
82
+
83
+
84
+
85
+# NRPE GROUP
86
+# This determines the effective group that the NRPE daemon should run as.
87
+# You can either supply a group name or a GID.
88
+#
89
+# NOTE: This option is ignored if NRPE is running under either inetd or xinetd
90
+
91
+nrpe_group=nagios
92
+
93
+
94
+
95
+# ALLOWED HOST ADDRESSES
96
+# This is an optional comma-delimited list of IP address or hostnames
97
+# that are allowed to talk to the NRPE daemon. Network addresses with a bit mask
98
+# (i.e. 192.168.1.0/24) are also supported. Hostname wildcards are not currently
99
+# supported.
100
+#
101
+# Note: The daemon only does rudimentary checking of the client's IP
102
+# address.  I would highly recommend adding entries in your /etc/hosts.allow
103
+# file to allow only the specified host to connect to the port
104
+# you are running this daemon on.
105
+#
106
+# NOTE: This option is ignored if NRPE is running under either inetd or xinetd
107
+
108
+allowed_hosts=127.0.0.1,::1,192.168.111.19
109
+
110
+
111
+
112
+# COMMAND ARGUMENT PROCESSING
113
+# This option determines whether or not the NRPE daemon will allow clients
114
+# to specify arguments to commands that are executed.  This option only works
115
+# if the daemon was configured with the --enable-command-args configure script
116
+# option.
117
+#
118
+# *** ENABLING THIS OPTION IS A SECURITY RISK! ***
119
+# Read the SECURITY file for information on some of the security implications
120
+# of enabling this variable.
121
+#
122
+# Values: 0=do not allow arguments, 1=allow command arguments
123
+
124
+dont_blame_nrpe=0
125
+
126
+
127
+
128
+# BASH COMMAND SUBSTITUTION
129
+# This option determines whether or not the NRPE daemon will allow clients
130
+# to specify arguments that contain bash command substitutions of the form
131
+# $(...).  This option only works if the daemon was configured with both
132
+# the --enable-command-args and --enable-bash-command-substitution configure
133
+# script options.
134
+#
135
+# *** ENABLING THIS OPTION IS A HIGH SECURITY RISK! ***
136
+# Read the SECURITY file for information on some of the security implications
137
+# of enabling this variable.
138
+#
139
+# Values: 0=do not allow bash command substitutions,
140
+#         1=allow bash command substitutions
141
+
142
+allow_bash_command_substitution=0
143
+
144
+
145
+
146
+# COMMAND PREFIX
147
+# This option allows you to prefix all commands with a user-defined string.
148
+# A space is automatically added between the specified prefix string and the
149
+# command line from the command definition.
150
+#
151
+# *** THIS EXAMPLE MAY POSE A POTENTIAL SECURITY RISK, SO USE WITH CAUTION! ***
152
+# Usage scenario:
153
+# Execute restricted commmands using sudo.  For this to work, you need to add
154
+# the nagios user to your /etc/sudoers.  An example entry for allowing
155
+# execution of the plugins from might be:
156
+#
157
+# nagios          ALL=(ALL) NOPASSWD: /usr/lib/nagios/plugins/
158
+#
159
+# This lets the nagios user run all commands in that directory (and only them)
160
+# without asking for a password.  If you do this, make sure you don't give
161
+# random users write access to that directory or its contents!
162
+
163
+# command_prefix=/usr/bin/sudo
164
+
165
+
166
+# MAX COMMANDS
167
+# This specifies how many children processes may be spawned at any one
168
+# time, essentially limiting the fork()s that occur.
169
+# Default (0) is set to unlimited
170
+# max_commands=0
171
+
172
+
173
+
174
+# COMMAND TIMEOUT
175
+# This specifies the maximum number of seconds that the NRPE daemon will
176
+# allow plugins to finish executing before killing them off.
177
+
178
+command_timeout=60
179
+
180
+
181
+
182
+# CONNECTION TIMEOUT
183
+# This specifies the maximum number of seconds that the NRPE daemon will
184
+# wait for a connection to be established before exiting. This is sometimes
185
+# seen where a network problem stops the SSL being established even though
186
+# all network sessions are connected. This causes the nrpe daemons to
187
+# accumulate, eating system resources. Do not set this too low.
188
+
189
+connection_timeout=300
190
+
191
+
192
+
193
+# WEAK RANDOM SEED OPTION
194
+# This directive allows you to use SSL even if your system does not have
195
+# a /dev/random or /dev/urandom (on purpose or because the necessary patches
196
+# were not applied). The random number generator will be seeded from a file
197
+# which is either a file pointed to by the environment valiable $RANDFILE
198
+# or $HOME/.rnd. If neither exists, the pseudo random number generator will
199
+# be initialized and a warning will be issued.
200
+# Values: 0=only seed from /dev/[u]random, 1=also seed from weak randomness
201
+
202
+#allow_weak_random_seed=1
203
+
204
+
205
+
206
+# SSL/TLS OPTIONS
207
+# These directives allow you to specify how to use SSL/TLS.
208
+
209
+# SSL VERSION
210
+# This can be any of: SSLv2 (only use SSLv2), SSLv2+ (use any version),
211
+#        SSLv3 (only use SSLv3), SSLv3+ (use SSLv3 or above), TLSv1 (only use
212
+#        TLSv1), TLSv1+ (use TLSv1 or above), TLSv1.1 (only use TLSv1.1),
213
+#        TLSv1.1+ (use TLSv1.1 or above), TLSv1.2 (only use TLSv1.2),
214
+#        TLSv1.2+ (use TLSv1.2 or above)
215
+# If an "or above" version is used, the best will be negotiated. So if both
216
+# ends are able to do TLSv1.2 and use specify SSLv2, you will get TLSv1.2.
217
+# If you are using openssl 1.1.0 or above, the SSLv2 options are not available.
218
+
219
+#ssl_version=SSLv2+
220
+
221
+# SSL USE ADH
222
+# This is for backward compatibility and is DEPRECATED. Set to 1 to enable
223
+# ADH or 2 to require ADH. 1 is currently the default but will be changed
224
+# in a later version.
225
+
226
+#ssl_use_adh=1
227
+
228
+# SSL CIPHER LIST
229
+# This lists which ciphers can be used. For backward compatibility, this
230
+# defaults to 'ssl_cipher_list=ALL:!MD5:@STRENGTH' for < OpenSSL 1.1.0,
231
+# and 'ssl_cipher_list=ALL:!MD5:@STRENGTH:@SECLEVEL=0' for OpenSSL 1.1.0 and
232
+# greater. 
233
+
234
+#ssl_cipher_list=ALL:!MD5:@STRENGTH
235
+#ssl_cipher_list=ALL:!MD5:@STRENGTH:@SECLEVEL=0
236
+#ssl_cipher_list=ALL:!aNULL:!eNULL:!SSLv2:!LOW:!EXP:!RC4:!MD5:@STRENGTH
237
+
238
+# SSL Certificate and Private Key Files
239
+
240
+#ssl_cacert_file=/etc/ssl/servercerts/ca-cert.pem
241
+#ssl_cert_file=/etc/ssl/servercerts/nagios-cert.pem
242
+#ssl_privatekey_file=/etc/ssl/servercerts/nagios-key.pem
243
+
244
+# SSL USE CLIENT CERTS
245
+# This options determines client certificate usage.
246
+# Values: 0 = Don't ask for or require client certificates (default)
247
+#         1 = Ask for client certificates
248
+#         2 = Require client certificates
249
+
250
+#ssl_client_certs=0
251
+
252
+# SSL LOGGING
253
+# This option determines which SSL messages are send to syslog. OR values
254
+# together to specify multiple options.
255
+
256
+# Values: 0x00 (0)  = No additional logging (default)
257
+#         0x01 (1)  = Log startup SSL/TLS parameters
258
+#         0x02 (2)  = Log remote IP address
259
+#         0x04 (4)  = Log SSL/TLS version of connections
260
+#         0x08 (8)  = Log which cipher is being used for the connection
261
+#         0x10 (16) = Log if client has a certificate
262
+#         0x20 (32) = Log details of client's certificate if it has one
263
+#         -1 or 0xff or 0x2f = All of the above
264
+
265
+#ssl_logging=0x00
266
+
267
+
268
+
269
+# NASTY METACHARACTERS
270
+# This option allows you to override the list of characters that cannot
271
+# be passed to the NRPE daemon.
272
+
273
+# nasty_metachars="|`&><'\\[]{};\r\n"
274
+
275
+
276
+
277
+# COMMAND DEFINITIONS
278
+# Command definitions that this daemon will run.  Definitions
279
+# are in the following format:
280
+#
281
+# command[<command_name>]=<command_line>
282
+#
283
+# When the daemon receives a request to return the results of <command_name>
284
+# it will execute the command specified by the <command_line> argument.
285
+#
286
+# Unlike Nagios, the command line cannot contain macros - it must be
287
+# typed exactly as it should be executed.
288
+#
289
+# Note: Any plugins that are used in the command lines must reside
290
+# on the machine that this daemon is running on!  The examples below
291
+# assume that you have plugins installed in a /usr/local/nagios/libexec
292
+# directory.  Also note that you will have to modify the definitions below
293
+# to match the argument format the plugins expect.  Remember, these are
294
+# examples only!
295
+
296
+
297
+# The following examples use hardcoded command arguments...
298
+# This is by far the most secure method of using NRPE
299
+
300
+command[check_users]=/usr/lib/nagios/plugins/check_users -w 5 -c 10
301
+command[check_load]=/usr/lib/nagios/plugins/check_load -r -w .15,.10,.05 -c .30,.25,.20
302
+command[check_hda1]=/usr/lib/nagios/plugins/check_disk -w 20% -c 10% -p /dev/hda1
303
+command[check_zombie_procs]=/usr/lib/nagios/plugins/check_procs -w 5 -c 10 -s Z
304
+command[check_total_procs]=/usr/lib/nagios/plugins/check_procs -w 250 -c 300
305
+
306
+
307
+# The following examples allow user-supplied arguments and can
308
+# only be used if the NRPE daemon was compiled with support for
309
+# command arguments *AND* the dont_blame_nrpe directive in this
310
+# config file is set to '1'.  This poses a potential security risk, so
311
+# make sure you read the SECURITY file before doing this.
312
+
313
+### MISC SYSTEM METRICS ###
314
+#command[check_users]=/usr/lib/nagios/plugins/check_users $ARG1$
315
+#command[check_load]=/usr/lib/nagios/plugins/check_load $ARG1$
316
+#command[check_disk]=/usr/lib/nagios/plugins/check_disk $ARG1$
317
+#command[check_swap]=/usr/lib/nagios/plugins/check_swap $ARG1$
318
+#command[check_cpu_stats]=/usr/lib/nagios/plugins/check_cpu_stats.sh $ARG1$
319
+#command[check_mem]=/usr/lib/nagios/plugins/custom_check_mem -n $ARG1$
320
+
321
+### GENERIC SERVICES ###
322
+#command[check_init_service]=sudo /usr/lib/nagios/plugins/check_init_service $ARG1$
323
+#command[check_services]=/usr/lib/nagios/plugins/check_services -p $ARG1$
324
+
325
+### SYSTEM UPDATES ###
326
+#command[check_yum]=/usr/lib/nagios/plugins/check_yum
327
+#command[check_apt]=/usr/lib/nagios/plugins/check_apt
328
+
329
+### PROCESSES ###
330
+#command[check_all_procs]=/usr/lib/nagios/plugins/custom_check_procs
331
+#command[check_procs]=/usr/lib/nagios/plugins/check_procs $ARG1$
332
+
333
+### OPEN FILES ###
334
+#command[check_open_files]=/usr/lib/nagios/plugins/check_open_files.pl $ARG1$
335
+
336
+### NETWORK CONNECTIONS ###
337
+#command[check_netstat]=/usr/lib/nagios/plugins/check_netstat.pl -p $ARG1$ $ARG2$
338
+
339
+### ASTERISK ###
340
+#command[check_asterisk]=/usr/lib/nagios/plugins/check_asterisk.pl $ARG1$
341
+#command[check_sip]=/usr/lib/nagios/plugins/check_sip $ARG1$
342
+#command[check_asterisk_sip_peers]=sudo /usr/lib/nagios/plugins/check_asterisk_sip_peers.sh $ARG1$
343
+#command[check_asterisk_version]=/usr/lib/nagios/plugins/nagisk.pl -c version
344
+#command[check_asterisk_peers]=/usr/lib/nagios/plugins/nagisk.pl -c peers
345
+#command[check_asterisk_channels]=/usr/lib/nagios/plugins/nagisk.pl -c channels 
346
+#command[check_asterisk_zaptel]=/usr/lib/nagios/plugins/nagisk.pl -c zaptel 
347
+#command[check_asterisk_span]=/usr/lib/nagios/plugins/nagisk.pl -c span -s 1
348
+
349
+
350
+
351
+# INCLUDE CONFIG FILE
352
+# This directive allows you to include definitions from an external config file.
353
+
354
+#include=<somefile.cfg>
355
+
356
+
357
+
358
+# INCLUDE CONFIG DIRECTORY
359
+# This directive allows you to include definitions from config files (with a
360
+# .cfg extension) in one or more directories (with recursion).
361
+
362
+#include_dir=<somedirectory>
363
+#include_dir=<someotherdirectory>
364
+include_dir=/etc/nrpe.d
365
+
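Review bot: The upstream sample checks at file lines 300–304 are left active, so every host answers `check_hda1` against `/dev/hda1` and a `check_load` with the sample thresholds `-r -w .15,.10,.05 -c .30,.25,.20`, neither of which looks tuned for these machines. `check_load` is also defined in the four-line template added at the end of this commit, which presumably lands in the directory named by `include_dir=/etc/nrpe.d`. With two definitions of one name, which one answers depends on how NRPE handles duplicates, and that should not be left to load order. I would comment the five sample lines out here (`#command[check_load]=...` and so on) and keep the live definitions only in the Ansible-managed snippet. The 374-line config before this one has the same active samples at its lines 302–306.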
0 366
new file mode 100644
... ...
@@ -0,0 +1,4 @@
1
+# Managed with Ansible
2
+command[check_load]={{ item.plugin_path }}/check_load -w "$(($(nproc --all)))" -c "$(($(nproc --all)+1))"
3
+command[check_disk]={{ item.plugin_path }}/check_disk / -w 20% -c 10%
4
+
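Review bot: The `check_load` definition on line 2 depends on NRPE passing the command line to a shell so that `$(nproc --all)` is expanded at check time, and nothing in the template says so. A comment such as `# $(...) below is expanded by the shell NRPE starts for the check, not by Ansible and not from client-supplied arguments` would keep a later reader from confusing it with `allow_bash_command_substitution`. The warning threshold wraps a bare command substitution in arithmetic expansion to no effect and can be written `-w "$(nproc --all)"`. `{{ item.plugin_path }}` is interpolated unquoted into that shell line, so it should stay a fixed per-distribution value set in the playbook rather than anything derived from host facts or external input.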