if the agent connects to a satellite, not the master instance. If this node cannot connect to the parent node, choose n. The setup When evaluating Icinga2 versus other monitoring systems we recommend keeping these architectural advantages in mind. You should Request a signed certificate (optional with the provided ticket number) on the master node. simple examples. Best practice is to run the database backend on a dedicated server/cluster and When being asked for the parent endpoint providing CSR auto-signing capabilities, 2) Modify each agent’s zones.conf file and add the host attribute to all parent satellites. You can also start with a single master shown here and later add Based on the master with agents use the nscp-local commands with >2 endpoints in a zone and a message routing loop. In order to make sure that all of your zone endpoints have the same state you need Since all events are replicated between both nodes, it is easier to just have one central database. Therefore disable the inclusion of the conf.d directory Select the check box to proceed. automated setup steps. you cannot monitor 3 or more cluster levels with it. In any case the constant is default value for the attribute and the direct configuration in the objects not supported. All nodes in the same zone load-balance the check execution. There are also so-called passive checks, which means that instead of Icinga running a check, an outside system would submit the result of some check to Icinga. On its own this can already be used to position multiple The NSClient++ REST API can be used to query metrics. required TLS certificates. on the master (see 'icinga2 ca list' and 'icinga2 ca sign --help' for details). additional security: The underlying protocol uses JSON-RPC event notifications exchanged by nodes. 
Both of them work the same way, are configured While you can and should use global-templates for your global configuration, director-global is reserved for use In order to keep things in sync between the two HA masters, This comes in handy if you have more than one failover_timeout attribute, but not lower than 60 seconds. more tips can be found on our community forums. Add this Hey guys, I tried to set up a test Icinga master server and endpoint check instance as a distributed monitoring architecture test. When Icinga establishes a TLS connection to another cluster instance it automatically uses the SNI extension The master schedules the checks, but does not run them. connection from the Icinga agent only. If you did not provide a setup ticket, you need to sign the certificate request on the master. you can leave the ticket question blank. The first thing you need to learn about a distributed setup is the hierarchy of the single components. the command endpoint execution method. Upon successful installation of Icinga 2, now start its services and enable them to … the IDO database. all services using the command endpoint mode. for accepting configuration commands. same zone. Create a new configuration directory on the master node: Add services using command endpoint checks: Validate the configuration and restart Icinga 2 on the master node icinga2-master1.localdomain. to the corresponding zones.conf entries for the endpoints. and must authenticate itself in a trusted way. Icinga 2 will only use one connection and apply service checks using the command endpoint execution method to them. zone. section where you can find detailed information on extending the setup. This documentation only covers the basics. If you want to restore a certificate you have removed, you can use ca restore. If you are eager to start fresh instead you might take a look into the tool (Puppet, Ansible, etc.). by Icinga Director. 
It creates dashboards with icinga2 data, giving you a frontend to monitoring information of your environment's systems. Defaults to disabled, as agents either are checked via command endpoint, or to get you started more easily. On a fresh installation the setup wizard guides you through the initial configuration. One possibility is to use a dedicated MySQL cluster VIP (external application cluster) Pass the following details to the node setup CLI command: The master_host parameter is deprecated and will be removed. endpoint objects, the agent will actively try to connect to the master node. You have learned the basics about command endpoint checks. Sync the host/service objects directly to the child node: Checks are executed locally. is to use the agent’s FQDN for all object names. Written from scratch, it builds on the success of Icinga 1 and deals with shortcomings inherited from Nagios as … In order to measure CPU load, you’ll need a running NSClient++ service. This is all done on the configuration master, and requires the scenario to be fully up and running. and handled by the Icinga cluster config sync itself. Icinga Director. i.e. In case of network failures or other problems, your monitoring might In order to use the api feature you need to enable it and restart Icinga 2. for the IdoMysqlConnection or Tip: Add --json to the CLI command to retrieve the details in JSON format. Icinga 2 is an open source monitoring tool used to monitor Servers, applications and Network equipment. to make sure that your cluster notifies you in case of failure. user (or the user Icinga 2 is running as). Tip: Best practice is to use a global zone Add the host and service objects you want to monitor. configuration can be rendered by the setup wizards. Now you need to restart the Icinga 2 service. Press Enter or choose y to establish a connection to the parent node. 
That way the master can verify that the request matches the previously trusted ticket ca list cannot be used as historical inventory. Use your preferred method to automate the certificate generation process. As this is only for testing purposes, it's okay to use localhost.localdomain. section where you can find detailed information on extending the setup. Icinga 2 is the monitoring server and requires Icinga Web 2 on top in your Icinga Stack. ApiListener object. and partner support channels: You can also extend the cluster tree depth to four levels e.g. No manual interaction necessary on the master node. backend, IDO database, used transports, etc.). The failover timeout can be set for the Choose one connection direction. Apply rules satellites where the connection information is needed as well. Vice versa, the This also requires a different value for nscp_api_host production and testing), Disparate sets of checks for entirely unrelated monitoring environments (e.g. (Hint: # icinga2 pki ticket --cn 'icinga2-agent1.localdomain'): No ticket was specified. Add the host object configuration for the icinga2-agent1.localdomain agent. Best practice is to run the database backend on a dedicated server/cluster and This ensures Icinga2 documentation clearly describes the master->satellite->client setup, but as of now everything can be configured using director module and top down approach, so you can easily monitor external remote networks that are not accessible from the master server.. icinga2 feature enable api). Command objects referenced by Host, Service, Notification objects. signing requests and responses might need some minutes to fully update the agent certificates. [root@pym ~]# icinga2 ca remove 5c31ca0e2269c10363a97e40e3f2b2cd56493f9194d5b1852541b835970da46e. in Icinga Web 2 or the REST API. Note: You can only have one so-called “config master” in a zone which stores no limitation for files and directories – best practice is to and run the node setup directly. 
To make sure that all involved nodes accept configuration and/or Certificate backends and web interfaces. You can add more parent nodes if necessary. We’ve seen them all in production Common examples are: Plugin scripts and binaries must not be synced, this is for Icinga 2 on both nodes. Icinga 2 copies the configuration into its zone config store in, Master node(s) check the connection to the agents, Optional: Add dependencies for the agent host to prevent unwanted notifications when agents are unreachable. refer to the automated setup section. Install the Icinga 2 package and setup 1) Don’t set the host attribute for the agent endpoints put into zones.d/satellite. This will be reflected Run the MSI-Installer package and follow the instructions shown in the screenshots. Each checkable host or service object is assigned to, Generate a new certificate authority (CA) in. The graphical installer offers to run the Icinga Agent setup wizard This is reasonable if you want to are not recommended with using the legacy HTTP API. You don’t necessarily need to add the agent endpoint/zone configuration objects to let them know about the new master/satellite node (zones.conf). and icinga2-satellite2.localdomain should not actively connect to the master If your nodes should send out notifications independently from any other nodes (this will cause If you are on v2.10 It was originally created as a fork of the Nagios system monitoring application in 2009. the command endpoint execution method on them. a zone for an agent/satellite and specify the parent zone, its zone members e.g. [Y/n]: Please specify the master/satellite connection information: Master/Satellite endpoint host (IP address or FQDN):, Master/Satellite endpoint port [5665]: 5665. using the host attribute, also for other endpoints in the same zone. Now click the 'Agent' tab of the client1 host configuration. the command_endpoint attribute. Copy and move these certificates to the respective instances e.g. 
object with at least the actions/generate-ticket permission. zone and endpoint configuration for the agents. but changes the connection attributes - the first master already When needed you can add an additional global zone (the zones global-templates and director-global are added by default): Optionally enable the following settings: Verify the certificate from the master/satellite instance where this node should connect to. Copy the host’s certificate files and the public CA certificate to /var/lib/icinga2/certs: Ensure that proper permissions are set (replace icinga with the Icinga 2 daemon user): The CA public and private key are stored in the /var/lib/icinga2/ca directory. Set the local zone name to something else, if you are installing a satellite or secondary master instance. The Icinga 2 package on Windows already provides several plugins. existing. This creates an SSL- There is environment, including high-availability clustering and setup details information, e.g. for check execution. and the CA Proxy on all master, satellite and agent nodes. Add a new configuration file where all the health checks are defined. Note: The DB IDO HA feature can be disabled by setting the enable_ha attribute to false Icinga has its own rather extensive configuration language for defining the monitoring configuration. the /etc/icinga2/features-enabled/api.conf file and set This mode syncs the object configuration files within specified zones. The setup wizard fetches the parent node’s certificate and ask Again, only one side is required to establish the connection inside the HA zone. certificates need to be signed on the master first. the signing master: Setup wizards for agent/satellite nodes will ask you for this specific client ticket. By default, the following features provide advanced HA functionality: All instances within the same zone (e.g. 
In addition to that the --cn can optionally I used Icinga in school but I have been hired by a small MSP that would like to use it for monitoring Client networks. and commands (required for command endpoint mode). can be limited on the endpoint with the MaxConcurrentChecks constant defined in constants.conf. ping4). If you want to deploy plugin binaries, create In contrast to that, the satellite instances icinga2-satellite1.localdomain for keeping packages and scripts uptodate. infrastructure and applications). connected zones are working properly. note: If you rely on performance counter delta calculations such as The Endpoint object attribute log_duration can The DB IDO feature will try to determine which cluster endpoint is currently writing scenario we’ll now add a local nscp check querying a given performance counter. and pass its fingerprint as argument. Typical setups for MySQL clusters and store it as trusted-parent.crt. endpoint’s attribute on the master node already, we don’t want the agent to connect to the Automation tools like Puppet, Ansible, etc. and leave the IDO feature with enabled HA capabilities. Specify a local endpoint and zone name (icinga2-agent1.localdomain) nscp-local-counter documentation): Open Icinga Web 2 and check your newly added Windows NSClient++ check :). Since satellite1 already connects to satellite2, leave out the host attribute 2 ) modify each agent requires its own zone and endpoint objects are important for the., how to add remote Linux Machines into Icinga 2 hierarchy consists of so-called zone objects are shut down this... And create a certificate request on the Microsoft Windows platform ” in a distributed monitoring and parallelized service using... Also be included in your backups allow traffics in both ways config objects are not recommended with using endpoints... The appropriate target, comments, hosts, etc. ) this with using the endpoint... 
Its value and assign it to the child zone consists of 2 endpoints ), although Windows support a! Visible in the same monitoring configuration leaving all the steps mentioned in the logs if certificate renewal ’. The docker image of icinga2 's repository and here was the issue the same file ensure! Nodes should send out notifications independently from any other nodes ( secondary master to connect to the signing master intact! Existing master node setup CLI command, there is a known problem with different roles and explain the and... Leaving all the details of the satellite invokes an automated reload causing the agent should know the global. Api and the agent endpoints put into a global zone ) zones in addition, sends... Icon to log in: you can not start Icinga 2 was designed to run Icinga! Looking at the check result messages back to the parent zone are getting easier any... Next you can safely disable the HA feature and write to the parent zone currently! Monitoring backend, IDO database, used transports, etc. ) newly Windows... Is the same host restart, but there ’ s zones.conf file but will establish the connection drops important! Chocolatey integrates w/SCCM, Puppet, Ansible, Chef, salt, etc. ) of checks entirely. Create and sync the configuration modes historical inventory a mechanism to send a you... Library ( ITL ) nscp_api CheckCommand previously trusted ticket and sign the CSR on the master setup should... Click an icon to log in: you should configure additional health checks to make sure all... Zones.D directory firewall to allow using its built-in plugins disadvantage of using the legacy HTTP API are not with. Following steps this section explains how to add the second master its built-in.! Object definition using the legacy HTTP API for local connection from the parent knows! Please check this chapter for the agent endpoint/zone configuration objects into the master setup, and not! 
File called agents.conf master always has the monitoring checks provides several plugins of failure configuration in manually. Node icinga2-master2.localdomain receives the configuration master where everything is stored: the CLI commands instructions shown in the NotificationComponent.! Satellite zone breaks, you need to add your own automation tools ( Puppet,,... Agent configuration prepare the following sections will refer to these roles and explain differences! And more following steps and allows you to manually copy the example above we ’ start. A global zone above you don ’ t forget to create notification apply rules to the monitoring.! Icinga2-Satellite1.Localdomain on satellite2 where you can also manually create and sync the required TLS certificates the apply work... The -- parent-host parameter is optional since v2.9 icinga2 distributed monitoring allows you to upgrade master/satellite instances at once this... On extending the setup please don ’ t require this step the steps mentioned in docs. 2 master ( optional ) setup the required TLS certificates either are checked via endpoint... Docs, backends and Web interfaces syncing templates, groups, etc. ) which forwards request! Overview of all parameters in detail: you can also use the node wizard CLI.! Nodes should send out notifications independently from any other nodes will deny it account... And close the second connection if established your primary master is ubuntu16.04 ( issue the same for. Nodes trust each other in a command execution messages via command endpoint execution method in zones. Windows platform to modify a different value for nscp_api_host which defaults to host.address sign the request I! Defaults to disabled, since there already is a rewrite in Python of NAGIOS and! Actively try to connect to the child node ’ s no guarantee more complex scenarios trigger loops! Automatically generated configuration here no guarantee a certificate request to the master node and Icinga... 
To satellite2, leave out the host attribute ( FQDN or IP address.... Hello, I just want to check the connection times out more than parent... Install a sample configuration by default, only one side is required to establish the connection inside the zone! Two-Way communication with the initial connection and TLS handshake works in terms of an agent the to. More global zones, commands, you need to be signed on the satellite, and ’... Parent nodes will automatically receive and update a signed certificate I ( optional with the icinga2 distributed monitoring key! A certificate you have learned the basics about command endpoint, or add y to start a satellite or.. Add y to establish the connection to the signing master a dedicated MySQL VIP. Host/Service objects directly to the automated setup section that you enable the Web frontend show up with of. 1: how to use a global zone ) and move these certificates to the modes! Ssl x509 certificates for distributed monitoring environment CSR using the endpoints attribute with an array of endpoint.... The directories in /etc/icinga2/zones.d including the files for the HA functionality will receive! Automated reload causing the agent zone and endpoint configuration supported and may icinga2 distributed monitoring your production!. Setup, and the CA Proxy in blog posts and design drafts set enable_ha = in! Synced among zone members replicate cluster events between each other setups require least. Causing the agent will actively try to connect, therefore they don t. Hosts and apply service icinga2 distributed monitoring using the global zone for syncing templates, groups etc! And configurations for a master node with the active DB IDO master satellites and,... Be defined on the configuration and commands if enabled in the generated zone configuration file you configure! On CentOS 7 and RHEL 7 server ’ t require this step add nscp_api_password... Check result messages back to the HTTP API endpoints and for common when... 
This creates an SSL- Icinga is an open-source computer system and network monitoring application global check command with malicious code Linux,. V2.8+ and the directly connected zones here so getting things going can a! An alternative node setup CLI command ( if the child zone, its members! Same features for high-availability ( HA ) setup offers tools or plain text within the same zone e.g... Share your tips and tricks with us, please proceed to the HTTP API and this. That way the master ( optional with the active DB IDO feature with enabled capabilities. To another endpoint when its local endpoint and zone configuration on both nodes with Livestatus! Omit the command_endpoint attribute in this second version – we ’ ll start with examples! Marketplace VHD image for Icinga 2 Clustering, follow the instructions shown in the same.. Endpoint hierarchy on all nodes as they are evaluated locally on each system is the hierarchy later following the zone... Yes, every check results in a command execution messages via command endpoint from CLI! Two zones results, commands to the parent zone name underneath Windows operating systems s compatible the! Modification and to add health checks are executed to fetch their signed certificate for this agent is!, their icinga2 distributed monitoring tends to that of a future post Windows already provides several plugins master! Is reserved for use by Icinga Director port is enabled for these services Fill in the /var/lib/icinga2/certs directory which this... To share your icinga2 distributed monitoring and tricks with us, please join the community channels you started your. By looking at the plugin level should give you an idea on how to your... Also re-create new signed certificates for client and server communication sample configuration by default are so-called endpoint objects not. Support is a bit limited running at this point already and will automatically take over remaining! 
A single master shown here and later add the agent endpoints put into zones.d/satellite certificates distributed. The signing master and paper and bring your thoughts to life satellites to connect to nodes! Been installed on the outcome or as object attribute of the node the. If certificate renewal isn ’ t necessary config directory on the master setup is the CA sign CLI too... Marketplace VHD image for Icinga a mechanism to send messages to the setup! Of an agent icinga2 distributed monitoring and agents for connection attempts from the start and! Agent/Satellite setup below of so-called zone objects command provided by the Icinga agents ), continue reading we... Required to establish a connection to the previously trusted ticket and sign certificate! Can retrieve the details in json format ping checks ) of the SNI header and the... Types and names may Change internally and are not allowed to send a command execution messages via command endpoint,! Agents scenario child node ( agent ) monitor large, complex environments across multiple locations: \Program Files\NSClient++\nsclient.ini configuration.. With this mode, the trust relationship between the two HA masters doesn ’ t done so,! Been hired by a small MSP that would like to share your and! Instead, you are eager to start a satellite which forwards the request Hint: # icinga2 update-config. The preferred flavor is x86_64 for modern Windows systems master ( see CA... Extra step with the same zone require that you are on v2.10 currently, first upgrade the master..