How to Add Remote Linux Host on Icinga2 Server to monitor

We have already covered in our previous article, Icinga2 installation on RPM based systems such as CentOS, RHEL, Fedora & openSUSE also we have covered Icingaweb2 installation in Linux. Adding one more article into that, here i’m going to show you how to Add Remote Linux host into Icinga2 server to monitor. Icinga2 uses its own unique and secure communication protocol to establish the communication between Client & Server by TLS with certificates, and fully supports IPv4 and IPv6. Icinga2 clients will sync their locally defined objects to the defined master node such as ‘ping4’, ‘ssh’, ‘http’, ‘disk’, ‘disk /’, ‘icinga’, ‘load’, ‘procs’, ‘swap’ & ‘users’

Icinga 2 master, satellite and client instances communicate using the default tcp port 5665. The connections are parent zone nodes to Client zone nodes (parent => child) or client zone nodes to parent zone nodes (parent <= child). So allow the port number on your firewall according that.

Icinga2 Master : Setup the Master for Remote Clients

Run the icinga2 node wizard CLI command on your master to setup a new node on the master. The command must be run as root, all Icinga 2 specific files will be updated to the icinga user. Make sure to answer the first question with n (no) and simply hit Enter wherever you are until finish this setup.

# Run icinga2 node wizard to setup Master for Remote Client #
# icinga2 node wizard
Welcome to the Icinga 2 Setup Wizard!

We'll guide you through all required configuration details.

Please specify if this is a satellite setup ('n' installs a master setup) [Y/n]: n
Starting the Master setup routine...
Please specifiy the common name (CN) [vps50253.vps.ovh.ca]: Press Enter
Checking for existing certificates for common name 'vps50253.vps.ovh.ca'...
Certificates not yet generated. Running 'api setup' now.
information/cli: Generating new CA.
information/base: Writing private key to '/var/lib/icinga2/ca/ca.key'.
information/base: Writing X509 certificate to '/var/lib/icinga2/ca/ca.crt'.
information/cli: Generating new CSR in '/etc/icinga2/pki/vps50253.vps.ovh.ca.csr'.
information/base: Writing private key to '/etc/icinga2/pki/vps50253.vps.ovh.ca.key'.
information/base: Writing certificate signing request to '/etc/icinga2/pki/vps50253.vps.ovh.ca.csr'.
information/cli: Signing CSR with CA and writing certificate to '/etc/icinga2/pki/vps50253.vps.ovh.ca.crt'.
information/cli: Copying CA certificate to '/etc/icinga2/pki/ca.crt'.
Generating master configuration for Icinga 2.
information/cli: Adding new ApiUser 'root' in '/etc/icinga2/conf.d/api-users.conf'.
information/cli: Enabling the 'api' feature.
Enabling feature api. Make sure to restart Icinga 2 for these changes to take effect.
information/cli: Dumping config items to file '/etc/icinga2/zones.conf'.
information/cli: Created backup file '/etc/icinga2/zones.conf.orig'.
Please specify the API bind host/port (optional):Press Enter
Bind Host []: Press Enter
Bind Port []: Press Enter
information/cli: Created backup file '/etc/icinga2/features-available/api.conf.orig'.
information/cli: Updating constants.conf.
information/cli: Created backup file '/etc/icinga2/constants.conf.orig'.
information/cli: Updating constants file '/etc/icinga2/constants.conf'.
information/cli: Updating constants file '/etc/icinga2/constants.conf'.
information/cli: Updating constants file '/etc/icinga2/constants.conf'.
Done.

The setup wizard will do the following:

  • Check if the api feature is already enabled, and if not: ◦Generate a local CA in /var/lib/icinga2/ca or use the existing one
  • Generate a new CSR, sign it with the local CA and copying it into /etc/icinga2/pki
  • Enabling the API feature, and setting optional bind_host and bind_port
  • Generate a local zone and endpoint configuration for this master based on FQDN
  • Setting the NodeName and TicketSalt constants in constants.conf

Make sure your configuration file should be like below. If no, modify it according it (NodeName : your Icinga2 maser server host name).

# Check Master NodeName & Const TicketSalt #
# egrep 'NodeName|TicketSalt' /etc/icinga2/constants.conf
const NodeName = "vps50253.vps.ovh.ca"
const TicketSalt = "f3ca267a2fc59a8350c50363902ed506"

# Modify zone.conf file according your hostname (NodeName : your Icinga2 maser server host name) #
# cat /etc/icinga2/zones.conf
/*
 * Generated by Icinga 2 node setup commands
 * on 2016-01-27 06:33:31 -0500
 */

 object Endpoint "vps50253.vps.ovh.ca" {
 }

 object Zone ZoneName {
        endpoints = [ "vps50253.vps.ovh.ca" ];
}

The setup wizard does not automatically restart Icinga2, So Restart the Icinga2 and check the status everything is fine.

# For SysVinit Systems #
# service icinga2 restart
# service icinga2 status

# For Systemd Systems #
# systemctl restart icinga2.service
# systemctl status icinga2.service

Generate secure ticket salt for CSR Auto-Signing on Icinga2 server for Remote Client.

# ticket salt for CSR Auto-Signing (Remote Client HostName : 2daygeek) #
# icinga2 pki ticket --cn '2daygeek'
2fdfec3b98221622841cc437ee74b09a1f44bd04

Icinga2 Client : Setup the Remote Client on Linux for Icinga2

Install Icinga2 from your distribution’s package and make sure your systme shoud have installed openSSH package which will handle SSL communication. Then run the Icingaweb2 installation in client.

# Install Icinga2 Service #
# apt-get install icinga2

# For RHEL/CentOS/Fedora 21 and older system #
# yum install icinga2

# For Fedora 21 and later systems #
# dnf install icinga2

# For suse & openSUSE systems #
# zypper install icinga2

# For SysVinit systems #
# service icinga2 start

# For Systemd systems #
# systemctl start icinga2.service

Install Icinga2 Node wizard into Remote Linux Host.

# icinga2 node wizard
Welcome to the Icinga 2 Setup Wizard!

We'll guide you through all required configuration details.

Please specify if this is a satellite setup ('n' installs a master setup) [Y/n]:Enter 
Starting the Node setup routine...
Please specifiy the common name (CN) [2daygeek]: Enter
Please specifiy the local zone name [2daygeek]: Enter
Please specify the master endpoint(s) this node should connect to:Enter
Master Common Name (CN from your master setup): vps50253.vps.ovh.ca
Do you want to establish a connection to the master from this node? [Y/n]: y
Please fill out the master connection information:Enter
Master endpoint host (Your master's IP address or FQDN): 192.99.246.33
Master endpoint port [5665]: Enter
Add more master endpoints? [y/N]:  Enter
Please specify the master connection for CSR auto-signing (defaults to master endpoint host):Enter
Host [192.99.246.33]: Enter
Port [5665]: Enter
information/base: Writing private key to '/etc/icinga2/pki/2daygeek.key'.
information/base: Writing X509 certificate to '/etc/icinga2/pki/2daygeek.crt'.
information/cli: Generating self-signed certifiate:
information/cli: Fetching public certificate from master (192.99.246.33, 5665):

information/cli: Writing trusted certificate to file '/etc/icinga2/pki/trusted-master.crt'.
information/cli: Stored trusted master certificate in '/etc/icinga2/pki/trusted-master.crt'.

Please specify the request ticket generated on your Icinga 2 master.
 (Hint: # icinga2 pki ticket --cn '2daygeek'): 2fdfec3b98221622841cc437ee74b09a1f44bd04
information/cli: Processing self-signed certificate request. Ticket '2fdfec3b98221622841cc437ee74b09a1f44bd04'.

information/cli: Created backup file '/etc/icinga2/pki/2daygeek.crt.orig'.
information/cli: Writing signed certificate to file '/etc/icinga2/pki/2daygeek.crt'.
information/cli: Writing CA certificate to file '/etc/icinga2/pki/ca.crt'.
Please specify the API bind host/port (optional):Enter
Bind Host []: Enter
Bind Port []: Enter
Accept config from master? [y/N]: y
Accept commands from master? [y/N]: y
information/cli: Disabling the Notification feature.
Disabling feature notification. Make sure to restart Icinga 2 for these changes to take effect.
information/cli: Enabling the Apilistener feature.
Enabling feature api. Make sure to restart Icinga 2 for these changes to take effect.
information/cli: Created backup file '/etc/icinga2/features-available/api.conf.orig'.
information/cli: Generating local zones.conf.
information/cli: Dumping config items to file '/etc/icinga2/zones.conf'.
information/cli: Created backup file '/etc/icinga2/zones.conf.orig'.
information/cli: Updating constants.conf.
information/cli: Created backup file '/etc/icinga2/constants.conf.orig'.
information/cli: Updating constants file '/etc/icinga2/constants.conf'.
information/cli: Updating constants file '/etc/icinga2/constants.conf'.
Done.

11 Comments on “How to Add Remote Linux Host on Icinga2 Server to monitor”

  1. Thank you. this is great for a few nodes. I’m looking to do this programmatically to install icinga2 and provision thousands of nodes. Ithere a way to create an “answer file” so I can run the icinga2 node wizard and get every answer answered with the answer file on the client side, and on the server side either leverage the API for node registration or some other method to add clients.

  2. I saw the use of ‘icinga2 node list’ ….which was deprecated before the last Update of this article. Do you have any intentions of doing another update of the procedure to use the current method(s)? I was starting to follow this guide until I saw this. Using this article would potentially put “OLD” methods into a new configuration that would later not work.

  3. I’m getting a lot of fails in my Icinga2 master after I generated the config for the client. Every config item is showing an error saying that the UserGroup ‘icingaadmins’ doesn’t exist. This is correct, it does not exist on my master, I created my own users, groups, notification commands, etc. I don’t want the client to send out any notifications, it’s just a node to monitor, I still want the master only to send out notifications, etc.

    How do I get past this? Do I have to update all my users, groups, host groups, service groups, etc on the node? that’s a lot of work if I want to add multiple target servers for monitoring!

    Thanks for any advice you can provide!

    h

    1. @JD,
      It seem’s you have missed something while configuring, check the error log file to get more details about it. Also share the error message so that i can help you further.

      1. There is nothing logged in error.log on both client and server

        below is my configuration

        ON ICICNGA SERVER

        [root@icinga2 ~]# icinga2 node list
        Node ‘Atlas’ (last seen: Wed Aug 24 08:27:31 2016)
        * Host ‘Atlas’
        * Service ‘apt’
        * Service ‘disk’
        * Service ‘disk /’
        * Service ‘http’
        * Service ‘icinga’
        * Service ‘load’
        * Service ‘ping4’
        * Service ‘ping6’
        * Service ‘procs’
        * Service ‘ssh’
        * Service ‘swap’
        * Service ‘users’

        ===========================================

        /etc/icinga2/zones.conf

        *
        * Generated by Icinga 2 node setup commands
        * on 2016-08-23 13:15:49 +0200
        */

        object Endpoint “icinga2” {
        }

        object Zone ZoneName {
        endpoints = [ “icinga2” ]
        }

        object Endpoint “Atlas” {
        host = “192.168.0.58”
        }

        object Zone “Atlas” {
        endpoints = [ “Atlas” ]
        parent = “icinga2”
        }

        ##################################################

        on ICICNGA CLIENT

        /etc/icinga2/zones.conf

        /*
        * Generated by Icinga 2 node setup commands
        * on 2016-08-23 16:58:33 +0530
        */

        object Endpoint “icinga2” {
        host = “192.168.0.190”
        port = “5665”
        }

        object Zone “master” {
        endpoints = [ “icinga2” ]
        }

        object Endpoint “Atlas” {
        }

        object Zone “Atlas” {
        endpoints = [ “Atlas” ]
        parent = “master”
        }

Leave a Reply

Your email address will not be published. Required fields are marked *