<!DOCTYPE html>
<html lang=en>
    <head>
        <title></title>
        <meta charset="utf-8"/>
        <link rel="shortcut icon" href="favicon.ico"/>
        <link rel='stylesheet' href='../style.css'/>
        <meta name="viewport" content="width=device-width, initial-scale=1">
    </head>
<body>
    <header><h1>Icinga Agent Node Installation and Configuration</h1></header>
    <main>
		<p>With the Icinga master node configured, the servers we want
		to monitor can now be added as agent nodes. As the names suggest,
		the Icinga master node pushes the desired configuration to agent
		nodes, while agent nodes report the configured status checks back
		to the master. Communication between the master and agent nodes is
		encrypted via TLS, with the master node acting as a certificate
		authority.</p>

		<p>You can find my script to automate this process 
		<a href=https://git.chudnick.com/server-scripts/tree/monitoring/icinga-agent>
				here</a>.</p>

		<h2>Install Packages</h2>
		<p>Start by installing the required packages on the server to be 
		monitored.</p>

		<pre><code>apt install icinga2 monitoring-plugins monitoring-plugins-contrib</code></pre>

		<h2>Initialize PKI with master</h2>
		<p>Now we need to set up the PKI that will be used for communication
		with the master node. The first step is to generate a certificate
		signing request. Replace <em>hostname</em> with the FQDN of the server.</p>

		<pre><code>icinga2 pki new-cert --cn "<em>hostname</em>" --cert "/etc/icinga2/pki/<em>hostname</em>.crt" --csr "/etc/icinga2/pki/<em>hostname</em>.csr" --key "/etc/icinga2/pki/<em>hostname</em>.key"</code></pre>

		<p>Next we save the master node's public key certificate. Replace
		<em>master</em> with the FQDN of your master node.</p>

		<pre><code>icinga2 pki save-cert --host "<em>master</em>" --port 5665 --key "/etc/icinga2/pki/<em>hostname</em>.key" --trustedcert "/etc/icinga2/pki/trusted-master.crt"</code></pre>

		<p>Request the signed certificate from the master node.</p>

		<pre><code>icinga2 pki request --host "<em>master</em>" --port 5665 --key "/etc/icinga2/pki/<em>hostname</em>.key" --cert "/etc/icinga2/pki/<em>hostname</em>.crt" --trustedcert "/etc/icinga2/pki/trusted-master.crt" --ca "/etc/icinga2/pki/ca.crt"</code></pre>

		<h2>Deploy configuration files</h2>
		<p>Write Icinga configuration.</p>

		<pre><code><strong>/etc/icinga2/icinga2.conf</strong> 
include "constants.conf"
const NodeName = "<em>hostname</em>"
include "zones.conf"
include "features-enabled/*.conf"
include &lt;itl&gt;
include &lt;plugins&gt;
include &lt;plugins-contrib&gt;
include &lt;manubulon&gt;
include &lt;windows-plugins&gt;
include &lt;nscp&gt;"</code></pre>

		<p>Write zones configuration.</p>

		<pre><code><strong>/etc/icinga2/zones.conf</strong> 
object Endpoint "<em>hostname</em>" {}
object Zone "<em>hostname</em>" {
  parent = "<em>master</em>"
  endpoints = [ "<em>hostname</em>" ]
}
object Zone "<em>master</em>" {
  endpoints = [ "<em>master</em>" ]
}
object Endpoint "<em>master</em>" {
  host = "<em>master</em>"
}
object Zone "director-global" {
  global = true
}</code></pre>

		<p>Write API configuration file.</p>

		<pre><code><strong>/etc/icinga2/features-available/api.conf</strong> 
object ApiListener "api" {
  accept_commands = true
  accept_config = true
}</code></pre>

		<h2>Enable API</h2>
		<p>Next, we need to enable the API on the agent.</p>

		<pre><code>icinga2 feature enable api

mkdir -p /var/lib/icinga2/certs

cp /etc/icinga2/pki/<em>hostname</em>.crt /etc/icinga2/pki/<em>hostname</em>.key /etc/icinga2/pki/ca.crt /var/lib/icinga2/certs/

chown -R nagios: /var/lib/icinga2/certs/</code></pre>

		<h2>Sign agent CSR on Master</h2>
		<p>The only action needed on the master node is to sign the agent's
		CSR. Log on to your master node and run the following:</p>

		<pre><code>fpr="$(icinga2 ca list | tail -1 | cut -d '|' -f 1)"
icinga2 ca sign $fpr</code></pre>
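
		<p>The command above signs whichever request is last in the list. As an added example (not part of the original article or its script), the sketch below selects the request by the agent's CN and refuses to sign when there is no match or more than one. The function names <code>pending_fingerprint</code> and <code>sign_agent</code> are hypothetical, the sample table is constructed, and the parser assumes the four-column layout that <code>icinga2 ca list</code> prints.</p>

```shell
#!/bin/sh
# Constructed sample of `icinga2 ca list --all` output (fingerprints are made up).
SAMPLE_CA_LIST='Fingerprint                                                      | Timestamp                | Signed | Subject
-----------------------------------------------------------------|--------------------------|--------|--------
1111111111111111111111111111111111111111111111111111111111111111 | Jan 10 09:00:00 2024 GMT | *      | CN = web01.example.com
2222222222222222222222222222222222222222222222222222222222222222 | Jan 10 09:05:12 2024 GMT |        | CN = db01.example.com
3333333333333333333333333333333333333333333333333333333333333333 | Jan 10 09:06:40 2024 GMT |        | CN = unknown.example.net'

# pending_fingerprint CN (hypothetical helper): reads `icinga2 ca list` output
# on stdin and prints the fingerprint of the single unsigned request whose
# subject is exactly "CN = <CN>". Returns 1 if none match, 2 if several do.
pending_fingerprint() {
    awk -F'|' -v cn="$1" '
        function trim(s) { gsub(/^[ \t]+|[ \t]+$/, "", s); return s }
        NF == 4 {
            fpr = trim($1); signed = trim($3); subject = trim($4)
            # Skip the header and separator rows and anything already signed.
            if (fpr !~ /^[0-9a-f]+$/ || signed != "") next
            if (subject == "CN = " cn) { match_fpr = fpr; n++ }
        }
        END {
            if (n == 1) { print match_fpr; exit 0 }
            exit (n == 0 ? 1 : 2)
        }'
}

# sign_agent CN (hypothetical helper): sign only the request that belongs to
# the named agent; sign nothing when the match is missing or ambiguous.
sign_agent() {
    fpr="$(icinga2 ca list | pending_fingerprint "$1")" || {
        echo "no unique pending request for $1, nothing signed" >&2
        return 1
    }
    icinga2 ca sign "$fpr"
}
```

		<p>On the master, <code>sign_agent <em>hostname</em></code> then replaces the two commands above.</p>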

		<h2>Configure Firewall</h2>
		<p>Before finishing, we need to open the proper firewall port.
		I will use UFW in the example here and allow traffic only
		from the master node for best security.</p>

		<pre><code>ufw allow proto tcp from <em>master-ip</em> to any port 5665</code></pre>

		<h2>Restart Icinga on Agent</h2>
		<p>Finally, restart the Icinga service on the agent node.</p>

		<pre><code>systemctl restart icinga2</code></pre>

		<p>The Icinga agent node will now pull down configuration from the master.
		You will know that this worked if <em>/var/lib/icinga2/api/zones</em> 
		begins to populate with new files.</p>
    </main>
    <footer>
			<a href=../kb.html>Knowledge Base</a>
			<br>
			<a href=../index.html>www.chudnick.com</a>
	</footer>
</body>
</html>