Nagios Plug-ins

by admin on October 3, 2007

Nagios is a great way to monitor your computers. It is easy to install from source and has great documentation.

NRPE is a secure, efficient plugin that will allow you to monitor things on remote computers. It is secure because you limit who NRPE listens to in the xinetd config file and via hosts.allow (tcp-wrappers) and the firewall.

The Nagios server issues a command to nrpe on the remote machine. That command is looked up in the nrpe.cfg file, and only then does nrpe run the command, with specific hardcoded parameters for the remote machine. For example:

The Nagios server says to little.pc.edu "check_home"

In nrpe.cfg on little.pc.edu, there is a line:

command[check_home]=/usr/local/nagios/libexec/check_disk -w 10% -c 5% -p /home0

This means that a specific program check_disk will be run with specific parameters to check the /home partition. You get a WARNING email when /home gets to 10% free space and a CRITICAL email when it gets to 5%.

It is also easy to make your own homemade plugins. You can collect any information from your Linux PC and store it in /var/log, and then write a program (C, Perl, Python, etc.) to parse this log file and execute one print statement, which is sent back to the Nagios server.

I was particularly interested in reporting excessive Samba login failures. In smb.conf, set debug level to 2:

debuglevel = 2
log file = /var/log/samba/user.log
# log size in KB
max log size = 19999

The cron job is:

#!/bin/bash
#
# look for large number of failed username attempts
#
#
grep FAILED /var/log/samba/user.log | \
     grep _STATUS_WRONG_PASSWORD > /var/log/samba/failed.tmp

#
# eof

Then use a simple C program to report back to the server:

#include <stdio.h>
#include <string.h>
#include <stdlib.h>

#define MAXLINELEN 400
#define MAXOUTLEN  2000

int main(int argc, char *argv[])
{
    char instr[MAXLINELEN], *pos1, *pos2;
    char outstr[MAXOUTLEN] = "";   /* must start empty before appending */
    int i = 0, retcode = 0, warnLevel, critLevel;
    size_t used;
    FILE *fp;

    /* program name plus three arguments are required */
    if (argc < 4)
    {
        puts("usage: check_samba_log filename warnLevel CritLevel");
        exit(3);
    }

    warnLevel = atoi(argv[2]);
    critLevel = atoi(argv[3]);

    fp = fopen(argv[1], "r");
    if (fp == NULL)
    {
        printf("%s %s\n", argv[1], "file not found");
        exit(1);
    }

    /* one line per failed login; the text between [ and ] is collected */
    while (fgets(instr, sizeof instr, fp) != NULL)
    {
        pos1 = strchr(instr, '[');
        pos2 = (pos1 != NULL) ? strchr(pos1, ']') : NULL;
        if (pos1 == NULL || pos2 == NULL)
            continue;              /* no bracketed field: skip the line */

        *pos2 = '\0';
        used = strlen(outstr);
        /* append only while it fits, so a long log cannot overflow outstr */
        if (used + strlen(pos1 + 1) + 2 <= sizeof outstr)
        {
            strcat(outstr, " ");
            strcat(outstr, pos1 + 1);
        }
        i++;
    }
    fclose(fp);

    if (i > warnLevel)
        retcode = 1;
    if (i > critLevel)
        retcode = 2;

    /* the status word matches the exit code that Nagios acts on */
    printf("%s %s %d\n",
           retcode == 2 ? "CRITICAL" : retcode == 1 ? "WARNING" : "OK",
           outstr, i);
    exit(retcode);
}  // main

// eof
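
The program above reports a single total for all accounts. As an added example (not part of the original tip), this variation tallies failures per username so that a burst against one account stands out. The sample log lines are constructed and their format is an assumption, as are the thresholds of 2 and 5 and the names tally_failures and nagios_state.

```c
#include <stdio.h>
#include <string.h>
#define MAX_USERS 32
#define NAME_LEN  32
struct tally { char user[NAME_LEN]; int count; };

/* Constructed sample of failed.tmp content; the line format is an assumption. */
static const char SAMPLE[] =
    "  Authentication for user [alice] -> [alice] FAILED with error NT_STATUS_WRONG_PASSWORD\n"
    "  Authentication for user [root] -> [root] FAILED with error NT_STATUS_WRONG_PASSWORD\n"
    "  a line without a bracketed field\n"
    "  Authentication for user [root] -> [root] FAILED with error NT_STATUS_WRONG_PASSWORD\n"
    "  Authentication for user [root] -> [root] FAILED with error NT_STATUS_WRONG_PASSWORD\n";

/* Count failures per user (first [..] on each line). Returns the number of
   distinct users stored in t; *max_count gets the highest per-user count. */
int tally_failures(const char *text, struct tally *t, int cap, int *max_count)
{
    int n = 0, i;
    *max_count = 0;
    while (*text) {
        size_t len = strcspn(text, "\n");
        const char *lb = memchr(text, '[', len);
        const char *rb = lb ? memchr(lb, ']', len - (size_t)(lb - text)) : NULL;
        if (rb) {
            char name[NAME_LEN];              /* snprintf truncates long names */
            snprintf(name, sizeof name, "%.*s", (int)(rb - lb - 1), lb + 1);
            for (i = 0; i < n && strcmp(t[i].user, name) != 0; i++) {}
            if (i == n && n < cap) {          /* new user and the table has room */
                strcpy(t[n].user, name);
                t[n++].count = 0;
            }
            if (i < n && ++t[i].count > *max_count)
                *max_count = t[i].count;
        }
        text += len + (text[len] == '\n');    /* step past the newline, if any */
    }
    return n;
}

/* Map the worst per-user count to a Nagios exit code: 0 OK, 1 WARNING, 2 CRITICAL. */
int nagios_state(int count, int warn, int crit) { return count > crit ? 2 : count > warn ? 1 : 0; }

int main(void)
{
    struct tally t[MAX_USERS];
    int worst, users = tally_failures(SAMPLE, t, MAX_USERS, &worst);
    int state = nagios_state(worst, 2, 5);    /* example warn/crit thresholds */
    printf("%s users=%d worst=%d\n", state == 2 ? "CRITICAL" : state ? "WARNING" : "OK", users, worst);
    return state;
}
```

Usernames that arrive after the table is full are not tallied, so size MAX_USERS for the number of distinct names you expect in one log window.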

Sleep well at night knowing that no one will be making a brute force attack on your Samba server without you knowing it.

This tip comes from Rich in Virginia, USA
