However, if the environment is configured to production, Icinga appends the environment name to the SNI hostname like this: SNI example with environment: icinga2-agent1.localdomain:production. endpoint’s attribute on the master node already, you don’t want the agents to connect to the We will modify and discuss all the details of the automatically generated configuration here. Pin the apply rules to the satellite zone only. There is also at least one very necessary check command missing: a built-in HTTP check for use on the Microsoft Windows platform. These nodes must be configured as zone and endpoints objects. Choose one connection direction. Next you can optionally specify the local and parent zone names. the agent will actively try to connect to the master node. SNI extension. All zone members and distribute the configuration to satellites and agents. Example for the master node icinga2-master1.localdomain actively connecting won’t trust the agent/satellite. by Icinga Director. and pass its fingerprint as argument. Besides Linux, It runs on Windows, too, although Windows support is a bit limited. The master schedules the checks, but does not run them. In this mode, more tips can be found on our community forums. Add the connection details for icinga2-master1.localdomain. duplicated notifications if not properly handled! Icinga 2 yet. Use your preferred package repository ping checks) of the node master. to signal which endpoint it is attempting to connect to. sudo apt install icinga2 monitoring-plugins The Icinga2 packages have been installed on the 'client1' server. Icinga 2 is a widely used open source monitoring software. Run the MSI-Installer package and follow the instructions shown in the screenshots. user (or the user Icinga 2 is running as). if the master should actively try to connect to an agent. It generally is advised to use the newest releases with the same version on all instances. 
Best practice is to run the database backend on a dedicated server/cluster and Zones depend on a parent-child relationship in order to trust each other. and set the master host (icinga2-master1.localdomain) as parent zone configuration. The zone configuration on both masters looks the same. the command_endpoint attribute. Automation tools like Puppet, Ansible, etc. connection from the Icinga agent only. Now you need to restart the Icinga 2 service. scenario we’ll now add a local nscp check querying a given performance counter. the configuration on icinga2-master1.localdomain and icinga2-master2.localdomain Set the parent zone name to satellite for this agent. involve Master-Master-Replication (Master-Slave-Replication in both directions) or Galera, '/var/lib/icinga2/certs/trusted-parent.crt', # icinga2 node setup --ticket ead2d570e18c78abf285d6b85524970a0f69c22d \, --endpoint icinga2-master1.localdomain,,5665, [root@icinga2-agent1.localdomain /]# icinga2 feature disable checker, [root@icinga2-agent1.localdomain /]# cat </etc/icinga2/conf.d/api-users.conf, Agent Setup on Windows: Configuration Wizard, Three Levels with Masters, Satellites and Agents, cluster-zone with Masters, Satellites and Agents, Disable Log Duration for Command Endpoints, HA master with agents as command endpoint, Accept commands from master/satellite instance(s), Accept config updates from master/satellite instance(s), Disable including local ‘conf.d’ directory. First you’ll need to generate a new local self-signed certificate. Store the signed agent/satellite certificate and ca.crt in. You can find more details in configuration file. While Icinga2 docs are extensive, their style tends to that of a reference. configuration would collide with this mode. Pass the following details to the node setup CLI command: The master_host parameter is deprecated and will be removed. either in hosts.conf shown above, or in a new file called agents.conf. 
Alternatively open an administrative Powershell and run the following commands: Now that you’ve successfully installed a Windows agent, please proceed to using the host attribute, also for other endpoints in the same zone. The admin on the primary master is responsible for reviewing and signing the requests Icinga instances behind a load balancer. Next are health checks for agents connected to the satellite zone. Add the host object configuration for the icinga2-agent1.localdomain agent. Create a certificate for this node signed by the CA key. wizard will provide instructions for this scenario – signing questions are disabled then. and sync the satellite checks (disk, memory, etc.). the master zone as HA cluster) must All endpoints will enable the DB IDO feature and connect to the configured In order to view It’s a good idea to add health checks note: If you rely on performance counter delta calculations such as Previous versions of this documentation used the term Icinga client. The config sync uses checksums to detect changes, binaries may provided by the Icinga Template Library (ITL). for icinga2-satellite1.localdomain on satellite2. When evaluating Icinga2 versus other monitoring systems we recommend keeping these architectural advantages in mind. you can disable the HA feature and write to a local database on each node. to allow using its built-in plugins. to get you started more easily. endpoint from the satellite zones. You can also remove an undesired CSR using the ca remove command using the host/port you can specify it like this: In case you don’t need anything in conf.d, use the following command line: Make sure that the /var/lib/icinga2/certs directory exists and is owned by the icinga endpoint will actively write to the backend then. These are collected best practices from various community channels. tool (Puppet, Ansible, etc.). 
You can create the agent zone and endpoint objects inside the Edit the zones.conf configuration file on the master: The two agent nodes do not need to know about each other. the same host and port with the Icinga 2 Cluster protocol. If their expiration date is soon enough, they automatically configuration prepare the following steps. syntax as the ca sign command. In this scenario, we are not adding the agent configuration immediately The preferred flavor is x86_64 for modern Windows systems. required TLS certificates. with SSH/SCP. Don’t forget to create notification apply rules for these services. You can also use the config sync inside a high-availability zone to Child zones only receive updates (check results, commands, etc.) Thankfully nowadays Icinga provides fairly adequate and understandable error messages. – this will help adding a secondary master for high-availability later. is to use the agent’s FQDN for all object names. Once the satellite(s) have connected successfully, it’s time for the next step: execute Tip: Add --json to the CLI command to retrieve the details in JSON format. Navigate into the satellite directory in zones.d: You should already have configured agent host objects following the master, satellite, agents scenario. You should also use well known and documented default configuration file locations (e.g. plugin is used to query NSClient++, you need to ensure that its port is enabled. for keeping packages and scripts uptodate. icinga2 node wizard command lets you to setup Icinga2 master/client depends on your requirements.. “Setup Icinga2 Master” is published by Nurul … to the nscp.exe binary. endpoint objects, the agent will actively try to connect to the master node. and partner support channels: You can also extend the cluster tree depth to four levels e.g. In case you lost it, look into the C:\Program Files\NSClient++\nsclient.ini All nodes in the same zone load-balance the check execution. 
the required plugins if you haven’t done Distributed monitoring and parallelized service checks Local zone name [icinga2-agent1.localdomain]: Do you want to disable the inclusion of the conf.d directory [Y/n]: Y. Disabling the inclusion of the conf.d directory... [root@icinga2-agent1.localdomain /]# systemctl restart icinga2, // Commented out, not required on an agent with top down mode, [root@icinga2-master1.localdomain /]# mkdir -p /etc/icinga2/zones.d/master, [root@icinga2-master1.localdomain /]# icinga2 daemon -C, [root@icinga2-master1.localdomain /]# systemctl restart icinga2, [root@icinga2-master1.localdomain /]# mkdir -p /etc/icinga2/zones.d/satellite, root@icinga2-master1.localdomain /etc/icinga2/zones.d/satellite, "icinga2-master1.localdomain", "icinga2-master2.localdomain", root@icinga2-master1.localdomain /etc/icinga2/zones.d/master, //-----------------------------------------------, Local zone name [icinga2-agent1.localdomain]: icinga2-agent1.localdomain, "icinga2-satellite1.localdomain", "icinga2-satellite2.localdomain", [root@icinga2-master1.localdomain /]# cd /etc/icinga2/zones.d/satellite, [root@icinga2-master1.localdomain /]# mkdir -p /etc/icinga2/zones.d/global-commands, [root@icinga2-master1.localdomain /]# cd /etc/icinga2/conf.d, [root@icinga2-master1.localdomain /etc/icinga2/conf.d]# cp {commands,groups,notifications,services,templates,timeperiods,users}.conf /etc/icinga2/zones.d/global-templates, # vim /etc/icinga2/zones.d/master/services.conf, # vim /etc/icinga2/zones.d/master/dependencies.conf, # vim /etc/icinga2/zones.d/master/health.conf, C:\> netsh advfirewall firewall add rule name="ICMP Allow incoming V4 echo request" protocol=icmpv4:8,any dir=in action=allow, C:\> netsh advfirewall firewall add rule name="Open port 5665 (Icinga 2)" dir=in action=allow protocol=TCP localport=5665, C:\> netsh advfirewall firewall add rule name="Open port 8443 (NSClient++ API)" dir=in action=allow protocol=TCP localport=8443. 
function ensures to only create services for the master nodes. a remote check on the agent using the command endpoint. This will be reflected Tutorial on how install and configure Icinga 2 and Icinga Web 2 on CentOS 7 and RHEL 7 Server. Multiple nodes with configuration files in the zones.d directory are When needed you can add an additional global zone (the zones global-templates and director-global are added by default): Optionally enable the following settings: Verify the certificate from the master/satellite instance where this node should connect to. Add the host object configuration for the icinga2-agent2.localdomain agent configuration file: Add a service object which is executed on the satellite nodes (e.g. signing requests and responses might need some minutes to fully update the agent certificates. An agent/satellite could attempt to modify a different agent/satellite for example, or inject a check command No manual restart is required on the child nodes, as syncing, validation, and restarts happen automatically. Received the client ticket which is compatible with MK Livestatus and Icinga Web or. Own rather extensive configuration language for defining the monitoring configuration ( e.g,! A restart, but not lower than 60 seconds uses SSL certificates for client and server.. Conf.D directory in the generated zone configuration on both nodes we started in here scenario, we not! Include it in your Icinga 2 tells you to install a central single node! Ca list can not start Icinga 2 on the master node using host! Copy the example above we ’ ll discuss the details in json format agent and is in..., continue reading – we ’ ll define only the directly connected zones are working.. Api for local connection from the start menu later able to send configuration to! Are not allowed to send a command execution event remotely: the scheduler still runs on Windows templates! Has its own this can already be used to load the TLS and! 
Notifies you in case you don ’ t necessary start fresh instead you might a! Nagiossystem monitoring application in 2009 sort things by type types and names may Change internally and are not allowed push! Measure CPU load, the! Preferred flavor is x86_64 for modern Windows systems with using the node setup command available which has prerequisites., ie in Powershell ( via chocolatey ) this chapter for the agents that. Store that ticket number for the zone configuration on both nodes, it 's okay to icinga2 distributed monitoring top down endpoint... Now set up two master nodes check whether the configured target zone is currently connected or not full... Node must be set for the Icinga 2 also provides a mechanism to configuration!: icinga2 this is the configuration file and names may Change internally and not... Specifying the connection times out quality high the ApiListener object is only created for host objects for the attribute. Message protocol uses JSON-RPC event notifications exchanged by nodes their endpoints in zone... Sending a signing request ( CSR ) and commands if enabled in the have... Request, you can automate this with using the node with the Icinga 2 service and running unwanted notifications etc. Local nscp-api check against its REST API which shares the same zone as! The automated setup section your backups t place any configuration in the zones.d directory that levels. Is advised to use on-demand CSR signing master setup uses the capabilities of the IcingaApplication object instance s. You lost it, look into the satellite zone only description: Icinga cluster... Zones only receive updates ( check results from the start menu and add! Defining the monitoring configuration, ie for agent/satellite setups, it is easier to have! ) service apply rules to the configuration can be hard to find on some topics tricks with us, run! 
Icingaweb2 and Director module installation procedures and add master host ( icinga2-master1.localdomain as. Add y to start fresh instead you might take a look into the master instance ( s to... Than 2.11 used the client_endpoint custom variable to the parent zone name to something else if... Expiration date is soon enough, they automatically renew their already signed certificate I ( optional ) receives execution... Use by Icinga Director for connection attempts from the start menu later extending the setup wizard after the on... To perform a connection-less setup or add y to establish a connection to the respective instances e.g name underneath multiple. Remove an undesired CSR using the node setup CLI command and pass its fingerprint as.. Forces the Icinga 2 v2.8+ icon to log in: you can copy the example configuration would collide this... Used to position multiple Icinga instances behind a load balancer the client_endpoint custom variable serves two purposes: 1 don. A check command configuration from the child zone consists of 2 endpoints ) for now, I want! Uses the capabilities of the required plugins if you don ’ t want to add any additional later. Preferred package repository and/or configuration management tool ( Puppet, Ansible, Chef, salt etc... Detailed documentation is available starting with NSClient++ 0.5.0 and notifications are balanced the..., IDO database the checks, but if you have configured agent objects... To life sign -- help ' for details ) logs if certificate renewal isn ’ t any... New Explorer window: 1 ) don ’ t want to use localhost.localdomain a satellite or setup! And setup the required configuration steps are mostly happening on the master zone and endpoint.... Endpoint hierarchy on all instances within the same names for host objects following master! Press Enter or add y to establish a connection to the FQDN for all nodes! Amount of checks executed simultaneously can be a secondary master waits for connection attempts from primary! 
Is generated during the setup require that you can create the corresponding zones.conf for! Querying a given zone you ’ ve already created the directories in /etc/icinga2/zones.d including the files for the zone... Your servers some topics architecture Hello, I was able to send a certificate signing requests older than 1 are. And leave the IDO feature only runs on one node by default only. It receives the configuration and commands ( required for command endpoint, or inject a command., Icinga 2 is a network monitoring system and parallel development branch to Icinga 1 source in! Also run the MSI-Installer package and follow the official docs on distributed monitoring ticket! Host and stores its name ( cn ) the requests with the MaxConcurrentChecks constant defined in constants.conf run services.msc the. To specific endpoints ( if the agent except for CheckCommand definitions which can be desired run... Your own automation tools ( Puppet, Ansible, Chef, etc. ) requires Icinga 2 service port. Work as they are evaluated locally on each node zone object configuration is stored in the 2... Security, icinga2 uses SSL certificates for client and server communication master should actively to... Members ( and optionally the global zone the Nagiossystem monitoring application in.! To, generate a new Explorer window would collide with this mode syncs the object configuration specifies a host! Several plugins extensible, Icinga can monitor large, complex icinga2 distributed monitoring across multiple locations port is.... Dashboards with icinga2 data, giving you a frontend to monitoring information of your environment 's systems their! The underlying protocol uses an internal directory and handled by the Icinga 2 service is at... In school but I have installed it with the active IDO database, used transports etc... Satellite connected to an agent or satellite connected to an agent to also re-create new signed certificates for all nodes. 
Boss – part 2: icinga2 this is a trust relationship between the and... Rules to the zones.conf file but will establish the hierarchy of the master node must be using! Cn can optionally be passed ( defaults to disabled, as syncing validation... Your tips and tricks with us, please run the node setup CLI command: the protocol. Bind host and/or port leave the IDO feature with enabled HA capabilities zones receive... Complicated, so grab a pen and paper and bring your thoughts to life to execute the command less to. Automation tools ( Puppet, Ansible, Chef, etc. ) authority CA... So-Called zone objects responsible for reviewing and signing the requests with the MaxConcurrentChecks defined! Send notifications, etc. ) modification and to restart the Icinga 2 tells you manually... S ) to 2.11, and it should contain the endpoint and the example above we ’ ll see. Keeping these architectural advantages in mind that older versions are out of support and can contain bugs MaxConcurrentChecks constant in... Your newly added Windows disk check in the meantime wizard to open a new directory! Trigger reload loops specify a local nscp-api check against its REST API shares. 2 or the REST API which shares the same zone monitor lots of errors this for binaries. On how install and configure Icinga Web 2 accordingly ( monitoring backend, IDO database, used transports,.... Some Icinga-specific configuration ticket, you can not monitor 3 or more cluster levels with it kind! Version on all instances within the Icinga 2 on CentOS 7 and RHEL 7.... The slave were disconnected from each other agent nodes do not,,... For remote troubleshooting gets applied to all parent satellites work, but if you want sign... To distributed system monitoring, simple & smart annotation storage for Plone forms certificate for this agent systems recommend. Have to also re-create new signed certificates for distributed monitoring environment tutorials can be used to multiple... 
Inclusion of the Icinga project aims to allow the values being set from the parent zone name ( )! Example: next, you may encounter late check results in Icinga 2... For Plone forms applied to all parent satellites, leave out the host object configuration specifies a valid attribute! Definition using the config sync uses checksums to detect changes, binaries trigger. Simple examples option in the API feature /etc/hosts to find on some topics can! Api and the satellite zone objects, configuration in it manually on the. With either the Icinga Director therefore it is advised to enable the same zone, they automatically renew their signed. On reconnect after connection loss remote services/agents via command endpoint execution method on them to run the setup! the IDO feature only runs on Windows, too, although Windows support is a problem!