This is a multi-part series of Nagios articles all focused on configuring a complete Nagios monitored network. Find all related articles here.
This article demonstrates how to install and configure the Nagios monitoring system (the server) on a Linux CentOS 7 or RHEL7 server. This article goes as far as installing and configuring Nagios to show the “localhost” only. I’ll write second article that shows how to add other machines via “agent” and “non-agent” methods.
Nagios is an exceptional tool for monitoring networked devices. Monitor servers, workstations, printers, routers and firewalls. Monitor anything that supports SNMP.
Nagios is an open-souce server that runs on Linux. It provides a web interface showing the state of your network of devices.
For the examples given here, the hostname will be a DNS registered machine at “http://nagios.example.com” so change that to whatever name you use.
Install the packages using:
yum install epel-release yum install nagios yum install nagios-plugins* yum install perl-rrdtool perl-GD yum install perl-Nagios-Plugin
TIP: Make sure your web server is installed. I won’t cover that in this tutorial because it might be you have special needs. If you don’t have anything else running on this server and are happy to, just install Apache with “yum install httpd”.
Configure Nagios to start now and on future boots:
systemctl enable nagios systemctl restart nagios
The “yum” install command above places the Apache “vhost” file at “/etc/httpd/conf.d/nagios.conf”. The contents of this file look like the following:
ScriptAlias /nagios/cgi-bin "/usr/lib64/nagios/cgi-bin/" <Directory "/usr/lib64/nagios/cgi-bin/"> Options ExecCGI AllowOverride None <IfVersion >= 2.3> <RequireAll> Require all granted AuthName "Nagios Access" AuthType Basic AuthUserFile /etc/nagios/passwd Require valid-user </RequireAll> </IfVersion> <IfVersion < 2.3> Order allow,deny Allow from all AuthName "Nagios Access" AuthType Basic AuthUserFile /etc/nagios/passwd Require valid-user </IfVersion> </Directory> Alias /nagios "/usr/share/nagios/html" <Directory "/usr/share/nagios/html"> Options None AllowOverride None <IfVersion >= 2.3> <RequireAll> Require all granted AuthName "Nagios Access" AuthType Basic AuthUserFile /etc/nagios/passwd Require valid-user </RequireAll> </IfVersion> <IfVersion < 2.3> Order allow,deny Allow from all AuthName "Nagios Access" AuthType Basic AuthUserFile /etc/nagios/passwd Require valid-user </IfVersion> </Directory>
But i’ve opted for my own “vhost” config as follows:
<VirtualHost *:80> ServerName nagios.example.com ServerAdmin [email protected] ErrorLog logs/nagios.example.com_log CustomLog logs/nagios.example.com_log common DocumentRoot /usr/share/nagios/html ScriptAlias /nagios/cgi-bin "/usr/lib64/nagios/cgi-bin/" ScriptAlias /cgi-bin "/usr/lib64/nagios/cgi-bin/" Alias /nagios "/usr/share/nagios/html" <Directory "/usr/lib64/nagios/cgi-bin/"> Options +ExecCGI AllowOverride None Order allow,deny Allow from all AuthName "Nagios Access" AuthType Basic AuthUserFile /etc/nagios/passwd Require valid-user </Directory> <Directory "/usr/share/nagios"> Options None AllowOverride None Order allow,deny Allow from all AuthName "Nagios Access" AuthType Basic AuthUserFile /etc/nagios/passwd Require valid-user </Directory> </VirtualHost>
For good security we need to restrict access to Nagios by authentication credentials. Most of the work is already done for us. We simple need to change the password.
Notice the “/etc/nagios/passwd” line in the above “vhost”. That file has an entry already allowing us to login with credentials. Using the following example we can change the password to be something we like:
htpasswd /etc/nagios/passwd nagiosadmin
Keep in mind that Nagios is accessible to us via “http” and not “https”. Obviously we want to fix that as soon as possible with LetsEncrypt or whichever SSL certificate authority you prefer.
Make a small change to the “/etc/nagios/cgi.cfg” file. Notice the “url_html_path=/” line.
main_config_file=/etc/nagios/nagios.cfg physical_html_path=/usr/share/nagios/html url_html_path=/ show_context_help=0 use_pending_states=1 use_authentication=1 use_ssl_authentication=0 authorized_for_system_information=nagiosadmin authorized_for_configuration_information=nagiosadmin authorized_for_system_commands=nagiosadmin authorized_for_all_services=nagiosadmin authorized_for_all_hosts=nagiosadmin authorized_for_all_service_commands=nagiosadmin authorized_for_all_host_commands=nagiosadmin default_statuswrl_layout=4 ping_syntax=/bin/ping -n -U -c 5 $HOSTADDRESS$ refresh_rate=90 result_limit=100 escape_html_tags=1 action_url_target=_blank notes_url_target=_blank lock_author_names=1 navbar_search_for_addresses=1 navbar_search_for_aliases=1
Now fix a few permission issues:
chown -R apache.apache /usr/share/nagios chown -R apache.apache /usr/lib64/nagios/ usermod -a -G nagios apache
Now restart Nagios:
systemctl restart nagios
Visit your new Nagios server at “http://nagios.example.com”.
Consider using LetsEncrypt to get your Nagios talking over “https” rather than the standard “http”.
SELinux can cause issues with Nagios and CentOS 7 (and RHEL). My solution is to create custom SELinux modules to specifically allow the behavior of Nagios that was being blocked. An interesting situation occurred where not everything was caught in the logs so i have to run the following twice.
First find the logged causes of the problem:
tail -f /var/log/audit/audit.log > /tmp/nagios.selog
Then run:
sealert -a /tmp/nagios.selog
The following commands were recommended by the output of the above:
ausearch -c 'statusjson.cgi' --raw | audit2allow -M my-statusjsoncgi
You’ll need to restart related services which “might” include “httpd”, “php-fpm” and “nagios”.