Andreas Ericsson wrote:
> I think I'd solve this using a small custom script that runs all the checks
> you want against the nodes (I suppose all nodes require more or less identical
> checks) and sends the results back to the Nagios server as passive checks.
>
> If the head nodes aren't allowed to talk to Nagios, they could publish the
> checkresults (along with a timestamp) through some other means, like http,
> ftp or even just a simple netcat session where a polling script on the
> Nagios server can fetch them later. Make sure to include a timestamp in the
> results-file if you do that, so you can verify that the checks are actually
> being run.
>
> Interesting problem. I'd take it kindly if you keep us posted :)

I'm using stunnel to forward the messages via intermediate nodes and I'm quite happy with it:

Each intermediate node does a namespace transformation for the hostname (most of them just prepending the zone name), so that I can use the same minimal monitoring script on all leaf nodes (which are sending the same "node name" for redundant and nearly identical nodes).

Since the namespace transformation happens on the stunnel side closer to the nagios+apache server, no node can send an invalid nagios service identifier to fake messages for other nodes, and each connection is secured with its own client/server key pair to fight message injection.

The tunnel will also do an additional input validation for the forwarded messages, and the output of "invalid" messages (for services/hosts just new to the tree) can be used to create nagios configuration automatically.
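
The relay step described in this message, sketched as an added example (it is not part of the original post and is not the poster's script). Assumptions: a tab-separated line format, a `zone-node` separator, a 600 second freshness window and the function name `relay`; the output line uses Nagios's `PROCESS_SERVICE_CHECK_RESULT` external command.

```python
import re

# Assumed wire format (constructed for this example), one result per line:
#   <epoch>\t<node>\t<service>\t<return code>\t<plugin output>
NAME_RE = re.compile(r"[A-Za-z0-9_.-]{1,64}")
STAMP_RE = re.compile(r"[0-9]{1,12}")
MAX_AGE = 600    # seconds; older results suggest the checks are not running
MAX_SKEW = 60    # seconds of clock skew tolerated for future timestamps


def relay(line, zone, known, now):
    """Validate one leaf message and rewrite it for the Nagios server.

    zone  -- fixed per tunnel endpoint (one per client key pair); it is never
             read from the message, so a leaf cannot claim another zone
    known -- set of (host, service) pairs already configured in Nagios
    Returns ("ok" | "unknown" | "rejected", text).
    """
    fields = line.rstrip("\n").split("\t", 4)
    if len(fields) != 5:
        return "rejected", "wrong field count"
    stamp, node, service, code, output = fields
    if not STAMP_RE.fullmatch(stamp) or code not in ("0", "1", "2", "3"):
        return "rejected", "bad timestamp or return code"
    if not (NAME_RE.fullmatch(node) and NAME_RE.fullmatch(service)):
        return "rejected", "bad node or service name"
    if not -MAX_SKEW <= now - int(stamp) <= MAX_AGE:
        return "rejected", "stale or future timestamp"
    # Control characters (newlines above all) would start a second command.
    output = re.sub(r"[\x00-\x1f\x7f]", " ", output)[:512]
    host = f"{zone}-{node}"           # namespace transformation
    if (host, service) not in known:
        # New to the tree: report the pair so configuration can be generated.
        return "unknown", f"{host};{service}"
    return "ok", (f"[{stamp}] PROCESS_SERVICE_CHECK_RESULT;"
                  f"{host};{service};{code};{output}")


if __name__ == "__main__":
    now = 1_700_000_000                       # constructed sample data
    known = {("zoneA-node1", "load")}
    samples = [
        f"{now - 30}\tnode1\tload\t0\tOK - load 0.10",
        f"{now - 30}\tnode1;load;2\tload\t2\tspoofed",
        f"{now - 3600}\tnode1\tload\t0\tOK - old result",
        f"{now - 30}\tnode2\tdisk\t1\tWARNING - 85% used",
    ]
    for s in samples:
        print(relay(s, "zoneA", known, now))
```

Because the zone prefix comes from the tunnel endpoint rather than the message, a leaf that sends `zoneB-node1` as its node name ends up as `zoneA-zoneB-node1`, which is reported as unknown instead of being accepted for another zone.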