Pnacssh is a versatile tool for setting up secure passive monitoring via SSH in a few steps. As is widely known, passive checks are a convenient way to gather monitoring information from hosts which are not available for active checks, and SSH offers a well-proven framework for secure communications. Pnacssh has the following features:
- Based on monitoring templates (basic checks for Linux and Windows are included, easily extendable)
- Create Nagios host and service definitions for the selected host and template
- Create SSH keys
- Configure SSH for secure communications
- Create host-specific sftp setup for bulk transfers of monitoring results
- Customize data collector scripts (Perl/PowerShell) according to templates
- Generate host-specific data collectors which can be run periodically (cron/scheduled task)
- Monitor incoming check results and feed them to Nagios via the external command interface
As described above, Pnacssh can automate all steps involved in secure passive monitoring. All this functionality is available as a small Perl script and a set of templates, making deployment and further customization an easy task.
- Nagios Core compatible monitoring system
- SSH Server
- Perl
Pnacssh comes as a zipped archive file. Download and unpack it to the target installation directory (/var/opt/pnacssh in examples).
- Create an ordinary dedicated user for pnacssh (pnacssh-user in examples)
- Update parameters in the main configuration file pnacssh.config:
Parameter | Description | Default value |
---|---|---|
DataCollectorHost | Nagios server's name or IP address | None. Required |
DataCollectorUser | Dedicated ordinary user for pnacssh | None. Required |
DataCollectorPort | Listening port for SSH server | 22 |
SshKeygenBin | Where to find ssh-keygen program | /usr/bin/ssh-keygen |
SshKeyscanBin | Where to find ssh-keyscan program | /usr/bin/ssh-keyscan |
SshKeygenType | SSH public key type | rsa |
SshKeygenLength | SSH public key length | 2048 |
ExternalCommandFile | Nagios external command file | /usr/local/nagios/var/rw/nagios.cmd |
- Run pnacssh in init mode:
./pnacssh.pl --init
Init mode creates the following directory/file structure:
staging/collector - collector packages will be created here
staging/sftpin - check results from remote hosts
etc/known_hosts - Nagios host's ssh host public keys for distribution
- Modify the home directory of pnacssh-user to /var/opt/pnacssh/staging/sftpin (Linux command usermod)
- Activate a cron job to run pnacssh in monitor mode:
*/5 * * * * cd "/var/opt/pnacssh"; ./pnacssh.sh --monitor
The cron entry above runs pnacssh in monitor mode every 5 minutes. Each run consolidates all arrived check results into an external command file, submits it to Nagios and then deletes it.
- Append the following directives to the sshd_config file (location may vary, a good guess is /etc/ssh):
Match User pnacssh-user
PasswordAuthentication no
PubkeyAuthentication yes
AllowTcpForwarding no
AuthorizedKeysFile /var/opt/pnacssh/etc/authorized_keys
The setup above ensures that pnacssh-user can authenticate only with public keys, using the managed keys in the pnacssh directory. NB! Read permissions only.
That's all. Your Nagios+SSH system is now ready for processing passive checks via pnacssh.
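Monitor mode hands uploaded results to the Nagios external command file, so every uploaded line is untrusted input from a remote host. The following is an added example, not Pnacssh's own code: a vetting step that assumes each upload holds Nagios external command lines and that the uploading host's name and service list are known; `vet_line`, `vet_upload`, the one-hour window and the sample service name are hypothetical.

```python
import re
import time

# Nagios external command syntax: "[epoch] COMMAND;arg;arg;..."
LINE_RE = re.compile(r"\[(\d{1,10})\] (PROCESS_(?:SERVICE|HOST)_CHECK_RESULT);(.+)")
CONTROL_RE = re.compile(r"[\x00-\x1f\x7f]")
MAX_SKEW = 3600  # assumed policy: timestamps within one hour of the server clock

def vet_line(line, host, services, now):
    """Return line if it is a passive result for this host, else raise ValueError."""
    if CONTROL_RE.search(line):
        raise ValueError("control character")
    m = LINE_RE.fullmatch(line)
    if not m:
        raise ValueError("not a passive check result")
    if abs(now - int(m.group(1))) > MAX_SKEW:
        raise ValueError("timestamp out of window")
    if m.group(2) == "PROCESS_SERVICE_CHECK_RESULT":
        fields = m.group(3).split(";", 3)  # plugin output (last) may contain ';'
        if len(fields) != 4 or fields[1] not in services:
            raise ValueError("unknown service")
        claimed, code, max_code = fields[0], fields[2], 3
    else:
        fields = m.group(3).split(";", 2)
        if len(fields) != 3:
            raise ValueError("malformed host result")
        claimed, code, max_code = fields[0], fields[1], 2
    if claimed != host:
        raise ValueError("host mismatch")
    if code not in [str(c) for c in range(max_code + 1)]:
        raise ValueError("bad return code")
    return line

def vet_upload(text, host, services, now=None):
    """Vet every line of one uploaded file; returns (accepted, rejected)."""
    now = int(time.time()) if now is None else now
    accepted, rejected = [], []
    for number, line in enumerate(text.splitlines(), 1):
        try:
            accepted.append(vet_line(line, host, services, now))
        except ValueError as err:
            rejected.append((number, str(err)))
    return accepted, rejected

# Constructed sample upload for host lindef (service names are made up).
SAMPLE = "\n".join([
    "[1700000000] PROCESS_SERVICE_CHECK_RESULT;lindef;Load;0;OK - load 0.10; 0.20",
    "[1700000000] PROCESS_HOST_CHECK_RESULT;lindef;0;alive",
    "[1700000000] PROCESS_SERVICE_CHECK_RESULT;winabc;Load;2;wrong host",
    "[1700000000] SOME_OTHER_COMMAND;lindef",
    "[1600000000] PROCESS_SERVICE_CHECK_RESULT;lindef;Load;0;stale",
])
```

Only the accepted lines would be written to the external command file; the rejected list (line number and reason) is worth logging per host, since a key that uploads results for another host or other command types deserves a look.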
Pnacssh comes with a standard Linux template called linbasic. Follow the steps below to monitor a Linux system (lindef (ip 10.4.5.6) in examples) via pnacssh:
- Run pnacssh in config mode to create Nagios configuration files:
./pnacssh.pl --config --hostname lindef --template linbasic > <nagios configuration directory>
Pnacssh in config mode will create host and service definitions for basic Linux monitoring on lindef.
- Run pnacssh in collector mode to create the data collector which will be deployed on host lindef:
./pnacssh.pl --collector --hostname lindef --ip 10.4.5.6 --template linbasic
Pnacssh in collector mode will generate a ready-to-use data collector for host lindef. The data collector content is in the staging/collector/lindef-linbasic directory.
- Transfer the data collector directory securely to the host lindef. NB! This step is important as the data collector contains the private key. You need to make sure that the key arrives at its host in a secure manner. Making an encrypted zip archive can be a solution.
- Copy the data collector directory contents to a dedicated directory on lindef (/var/opt/pnacssh for example)
- Run the data collector directly to see if it performs checks and transfers results as expected
- Set up a cron job to run the data collector at an interval of your choice.
Pnacssh comes with a standard Windows template called winbasic. Follow the steps below to monitor a Windows system (winabc (ip 10.1.2.3) in examples) via pnacssh:
- Run pnacssh in config mode to create Nagios configuration files:
./pnacssh.pl --config --hostname winabc --template winbasic > <nagios configuration directory>
Pnacssh in config mode will create host and service definitions for basic Windows monitoring on winabc.
- Run pnacssh in collector mode to create the data collector which will be deployed on host winabc:
./pnacssh.pl --collector --hostname winabc --ip 10.1.2.3 --template winbasic
Pnacssh in collector mode will generate a ready-to-use data collector for host winabc. The data collector content is in the staging/collector/winabc-winbasic directory.
- Transfer the data collector directory securely to the host winabc. NB! This step is important as the data collector contains the private key. You need to make sure that the key arrives at its host in a secure manner. Making an encrypted zip archive can be a solution.
- Copy the data collector directory contents to a dedicated directory on winabc (c:\pnacssh for example)
- Run the data collector directly to see if it performs checks and transfers results as expected
- Set up a scheduled task to run the data collector