With the Icinga master node configured, the servers we want to monitor can now be added as agent nodes. As the names suggest, the Icinga master node pushes the desired configuration to agent nodes, while agent nodes report the configured status checks back to the master. Communication between the master and agent nodes is encrypted via TLS, with the master node acting as a certificate authority.
You can find my script to automate this process here.
Install Packages

Start by installing the required packages on the server to be monitored.

apt install icinga2 monitoring-plugins monitoring-plugins-contrib

Initialize PKI with master

Now we need to set up the PKI that will be used for communication with the master node. The first step is to generate a private key and a certificate signing request. Replace hostname with the FQDN of the server.

icinga2 pki new-cert --cn "hostname" --cert "/etc/icinga2/pki/hostname.crt" --csr "/etc/icinga2/pki/hostname.csr" --key "/etc/icinga2/pki/hostname.key"

Next we save the master node's public key certificate. Replace master with the FQDN of your master node.

icinga2 pki save-cert --host "master" --port 5665 --key "/etc/icinga2/pki/hostname.key" --trustedcert "/etc/icinga2/pki/trusted-master.crt"

Request the signed certificate from the master node.

icinga2 pki request --host "master" --port 5665 --key "/etc/icinga2/pki/hostname.key" --cert "/etc/icinga2/pki/hostname.crt" --trustedcert "/etc/icinga2/pki/trusted-master.crt" --ca "/etc/icinga2/pki/ca.crt"

Deploy configuration files

Write the Icinga configuration. As before, replace hostname with the FQDN of the server; NodeName must match the CN of the certificate generated above.

/etc/icinga2/icinga2.conf

include "constants.conf"
const NodeName = "hostname"
include "zones.conf"
include "features-enabled/*.conf"
include <itl>
include <plugins>
include <plugins-contrib>
include <manubulon>
include <windows-plugins>
include <nscp>

Write the zones configuration.

/etc/icinga2/zones.conf

object Endpoint "hostname" {}
object Zone "hostname" {
  parent = "master"
  endpoints = [ "hostname" ]
}
object Zone "master" {
  endpoints = [ "master" ]
}
object Endpoint "master" {
  host = "master"
}
object Zone "director-global" {
  global = true
}

Write the API configuration file.

/etc/icinga2/features-available/api.conf

object ApiListener "api" {
  accept_commands = true
  accept_config = true
}

Enable API

Next, we need to enable the API on the agent and move the certificates into the directory the API listener reads from.

icinga2 feature enable api

mkdir -p /var/lib/icinga2/certs

cp /etc/icinga2/pki/hostname.crt /etc/icinga2/pki/hostname.key /etc/icinga2/pki/ca.crt /var/lib/icinga2/certs/

chown -R nagios: /var/lib/icinga2/certs/

Sign agent CSR on Master

The only action needed on the master node is to sign the agent's CSR. Log on to your master node and run the following (the fingerprint is taken from the last pending request shown by icinga2 ca list):

fpr="$(icinga2 ca list | tail -1 | cut -d '|' -f 1)"
icinga2 ca sign $fpr

Configure Firewall

Before finishing we need to open the proper firewall port. I will use UFW in the example here and allow traffic only from the master node's IP, which keeps the agent's API listener unreachable from anywhere else.

ufw allow proto tcp from master-ip to any port 5665

Restart Icinga on Agent

Finally, restart the icinga2 service on the agent node.

systemctl restart icinga2

The Icinga agent node will now pull down configuration from the master. You will know that this worked if /var/lib/icinga2/api/zones begins to populate with new files.
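As an added sanity check (not the author's script), this POSIX shell renders the zones.conf above for a real agent/master pair, refusing the literal hostname and master placeholders the text tells you to replace, and verifies the certificate directory populated in the Enable API step: all three files present, the private key readable only by its owner, and owned by the Icinga user (nagios, per the tutorial). The stat -c flags assume GNU coreutils, as on Debian.

```shell
# Added example, not part of the tutorial's own script.
set -eu

# Refuse the tutorial's literal placeholders and anything without a dot,
# so a forgotten replacement fails here instead of at the TLS handshake.
check_fqdn() {
  case "$1" in
    hostname|master|"") return 1 ;;
    *.*) return 0 ;;
    *) return 1 ;;
  esac
}

# Print the tutorial's zones.conf with agent and master FQDNs substituted.
render_zones_conf() {
  agent="$1"; master="$2"
  check_fqdn "$agent" && check_fqdn "$master" || return 1
  cat <<EOF
object Endpoint "$agent" {}
object Zone "$agent" {
  parent = "$master"
  endpoints = [ "$agent" ]
}
object Zone "$master" {
  endpoints = [ "$master" ]
}
object Endpoint "$master" {
  host = "$master"
}
object Zone "director-global" {
  global = true
}
EOF
}

# Check the certs dir the tutorial fills (/var/lib/icinga2/certs): the agent
# cert, key and CA cert must exist, and the key must be mode 600 or 400 and
# owned by the Icinga user (default nagios; pass another name as $3).
check_certs_dir() {
  dir="$1"; agent="$2"; owner="${3:-nagios}"
  for f in "$agent.crt" "$agent.key" ca.crt; do
    [ -f "$dir/$f" ] || { echo "missing $dir/$f" >&2; return 1; }
  done
  perms="$(stat -c '%a %U' "$dir/$agent.key")"   # GNU stat: mode owner
  case "$perms" in
    "600 $owner"|"400 $owner") return 0 ;;
    *) echo "key is $perms, want 600 $owner" >&2; return 1 ;;
  esac
}
```

Run it as `render_zones_conf agent.example.com icinga.example.com > /etc/icinga2/zones.conf` followed by `check_certs_dir /var/lib/icinga2/certs agent.example.com`, then `icinga2 daemon -C` to validate the configuration before restarting.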

Consider donating if this article was useful. [BTC]