Tech snippets


Nagios is a great open source monitoring tool, and allows a wide range of options for monitoring servers and network devices of all varieties. SNMP is supported, as is a custom set of plugins for the monitored clients. When it comes to Windows machines, there are also good options, but configuring it and getting it working is not a ‘one-click’ operation, thus the subject of this post.

Once you get this working, you’ll be able to view the Services page of your Nagios console, and view something like this:

Nagios Services GUI with monitored Windows machine


This involves utilizing the NSCA facility in Nagios, which allows you to receive passive updates into your monitoring system via a proprietary protocol. This requires installing the monitoring software on the (client, monitored) Windows machine, configuring it to point at your Nagios server, then installing it as a Windows Service. Then you will modify your Nagios configuration and add this Windows machine, as well as the names of the services on the machine that you’ve chosen to monitor.

Setting up your client (monitored) machine

There are several options for the software that can be installed on Windows to enable this monitoring. Two of the better options are NC_Net and NSClient++ - I believe these are the ones that are being currently maintained. They both provide the ability to perform active checks (Nagios server contacts Windows machine to retrieve data), but NC_Net also provides the ability to perform passive checks (Windows machine sends data to Nagios server). Fewer open ports at the firewall and fewer ways to get into each server are certainly preferable - not to mention lessening the load on your Nagios server. So - I prefer deploying passive checks for my Windows servers. NC_Net also appears to be more extensible, and offers more options. The only downside is that it requires dotNet - currently dotNet 2.0 - but that comes with the territory, so…

Be sure to download NC_Net from its Sourceforge project page. I’m currently running NC_Net 4.4.0. Note: The original (?) version available from shatterit.com - which prominently claims to be the “Official Site” - hasn’t been updated for several years, and should really be taken down. Anyway - download the one from Sourceforge and install it on your Windows host. It will run on XP and WS 2003, I’m not sure about Vista or WS2008. You’ll need to modify several configuration files. At this point, it installs by default into C:\Program Files\Montitech\NC_Net

Within the config dir, there are two files that you need to modify - startup.cfg and passive.cfg. They are well documented internally, so you can read through them to fully understand all of the options. Or - if you just want it to work quickly, enable (uncomment) the following options:

startup.cfg:

active_check false
passive_check true
passive_alwayson true
embedded_send_nsca true
host_passive <windows_machine_nagios_host_id>
ip_passive <nagios_server_ip>

passive.cfg:

C testrun false
2 cputotal -l 10,80,90,5,20,90
3 uptime
4 usedspace -l C -w 80 -c 90
5 servicestate -d showall -l NC_Net
7 Memory Use
8 Perf Counter -l "\Paging file(_total)\% usage","Paging File usage is %%.4f %" -w 50 -c 60
10 Instances -l System,Process,Memory,Processor
11 EventLog -l Application,any,10,1,NC_Net,-2,start,stop,0 -w 5 -c 20

I’ve enabled just a standard set of checks for illustrative purposes here. Read through the passive.cfg file to understand the different commands and their options.

If you do not already have the dotNet framework installed on your windows machine, d/l and install it. As of this writing, NC_Net requires dotNet 2.0 - that is what I’ve installed to get NC_Net 4.4.0 working.
It is currently available at dotNet 2.0

Then, from the command line within the NC_Net dir, enter:

Net Start NC_Net

This will start NC_Net as a service, which will attempt to contact your Nagios server at the default NSCA port (5667) once it has some data to report.

Setting up your Server

If you don’t have the NSCA addon installed in conjunction with Nagios, then download it from http://www.nagios.org/download/addons/, and install it. Note: I’m running CentOS 5.2, and Nagios 3.0.3. One of the prereqs for NSCA is libmcrypt - if you’re missing that (locate libmcrypt.so), then you’ll need to d/l and install that prior to compiling NSCA.


mkdir -p /usr/local/src
cd /usr/local/src
tar xzf {your download dir}/nsca-2.7.2.tar.gz
cd nsca-2.7.2
sh ./configure
make all
# install the nsca daemon and the send_nsca client next to the Nagios binaries
cp src/*nsca /usr/local/nagios/bin/
chown nagios:nagios /usr/local/nagios/bin/*nsca
cp sample-config/nsca.cfg /usr/local/nagios/etc/

Edit the nsca.cfg file and change the IP to your Nagios server’s IP (the interface that you want NSCA listening on):

server_address=<nagios_server_IP_address>

You can then start the daemon:

/usr/local/nagios/bin/nsca -c /usr/local/nagios/etc/nsca.cfg

There are a couple of ways to ensure that the NSCA daemon starts automagically, and you can find a complete treatment of these here: http://nagios.sourceforge.net/download/contrib/documentation/misc/NSCA_Setup.pdf

Make sure the daemon is listening (netstat -an|grep 5667), and that you’ve configured your firewall(s), as well as iptables and/or SELinux on your Nagios server, so that the NSCA daemon can be reached at port 5667.

So - depending upon how the logging of your Nagios installation is configured, you should be getting some messages via syslog - typically by default in /var/log/messages, where, after at least five minutes, you should see some messages like the following:


Sep 6 18:43:13 nagiosadmin nagios: PASSIVE SERVICE CHECK: <windows_machine_nagios_host_id>;cputotal;0;OK - load average: 0%, 0%
Sep 6 18:43:13 nagiosadmin nagios: PASSIVE SERVICE CHECK: <windows_machine_nagios_host_id>;uptime;0;System Uptime - 23 day(s) 15 hour(s) 38 minute(s)
Sep 6 18:43:13 nagiosadmin nagios: PASSIVE SERVICE CHECK: <windows_machine_nagios_host_id>;usedspace;0;C: - total: 19.99 Gb - used: 7.23 Gb (36%) - free 12.75 Gb (64%)
Sep 6 18:43:13 nagiosadmin nagios: PASSIVE SERVICE CHECK: <windows_machine_nagios_host_id>;servicestate;0;NC_Net: Started
Sep 6 18:43:13 nagiosadmin nagios: PASSIVE SERVICE CHECK: <windows_machine_nagios_host_id>;Memory Use;0;Memory usage: total:2464.94 Mb - used: 146.97 Mb (6%) - free: 2317.97 Mb (94%)
Sep 6 18:43:13 nagiosadmin nagios: PASSIVE SERVICE CHECK: <windows_machine_nagios_host_id>;Perf Counter;0;"Paging File usage is %%.4f %" = 0.17 %
Sep 6 18:43:13 nagiosadmin nagios: PASSIVE SERVICE CHECK: <windows_machine_nagios_host_id>;Instances;0;System: - Process: alg,svchost#2,svchost#4,svchost#3,winlogon,svchost#1,svchost,_Total,wmiprvse,inetinfo,services,spoolsv,dllhost#1,smss,logon.scr,lsass,logonui,cygrunsrv,csrss,System,msdtc,dllhost,sshd,NC_Net,snmp,Idle - Memory: - Processor: _Total,0
Sep 6 18:43:13 nagiosadmin nagios: PASSIVE SERVICE CHECK: <windows_machine_nagios_host_id>;EventLog;0;OK: No entries in Application log recently.
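An added example (not part of the original post, and not code from Nagios or NC_Net): a small Python check that reads lines in the PASSIVE SERVICE CHECK format above and compares them with the host and service names you expect, reporting pairs you did not expect, non-OK states, and pairs that never arrived. The host names winhost01 and winhost02 and the sample lines are constructed placeholders.

```python
import re

LINE = re.compile(r"PASSIVE SERVICE CHECK: ([^;]+);([^;]+);(\d+);(.*)$")
STATES = {0: "OK", 1: "WARNING", 2: "CRITICAL", 3: "UNKNOWN"}  # Nagios return codes

# Constructed sample in the syslog format shown above (placeholder host names).
SAMPLE_LOG = """\
Sep 6 18:43:13 nagiosadmin nagios: PASSIVE SERVICE CHECK: winhost01;cputotal;0;OK - load average: 0%, 0%
Sep 6 18:43:13 nagiosadmin nagios: PASSIVE SERVICE CHECK: winhost01;usedspace;2;C: - total: 19.99 Gb - used: 18.90 Gb (95%)
Sep 6 18:43:14 nagiosadmin nagios: PASSIVE SERVICE CHECK: winhost02;uptime;0;System Uptime - 1 day(s)
Sep 6 18:43:15 nagiosadmin sshd[411]: unrelated line
"""

def audit(log_text, expected):
    """expected maps host name -> set of service names you configured.
    Returns (unexpected, problems, missing)."""
    seen, unexpected, problems = set(), [], []
    for line in log_text.splitlines():
        m = LINE.search(line)
        if not m:
            continue  # not a passive check result
        host, svc, code, output = m.group(1), m.group(2), int(m.group(3)), m.group(4)
        if svc not in expected.get(host, ()):
            unexpected.append((host, svc))  # a name that is not in your config
            continue
        seen.add((host, svc))
        if code != 0:
            problems.append((host, svc, STATES.get(code, "?"), output))
    # Enabled checks that never reported: name mismatch or port 5667 blocked.
    missing = sorted((h, s) for h, svcs in expected.items()
                     for s in svcs if (h, s) not in seen)
    return unexpected, problems, missing

if __name__ == "__main__":
    want = {"winhost01": {"cputotal", "usedspace", "uptime"}}
    for label, rows in zip(("unexpected", "problems", "missing"),
                           audit(SAMPLE_LOG, want)):
        print(label, rows)
```

Feed it the relevant part of /var/log/messages and the names from your own startup.cfg and passive.cfg.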

Setting up your host in Nagios

You’ll need to configure Nagios to have entries mirroring the host and services that you’ve just set up in your NC_Net configuration. I’ve been using Nagios Administrator, which is a decent GUI interface into the Nagios command files. It is built upon Symfony, a powerful LAMP-based framework.

You should set up the following items in this order:

Add the Command

Add a ‘check_dummy’ command (if it doesn’t already exist)

Nagios Administrator check_dummy Command

Add the Services

Add a service to correspond with each passive check that you’ve defined in the NC_Net passive.cfg file. The Service’s Name field has to correspond with the name of the check specified as the second field of each enabled check in the passive.cfg. For instance, for the ‘cputotal’ passive check, define a service like:

Nagios Administrator cputotal service


Note that the ‘check_dummy’ command must be specified, and flag ‘use passive-service’ must be set in the ‘Special’ field.

Add the Host

Once you’ve added all the services that correspond to the passive checks you’ve enabled, add the host that corresponds to your Windows machine:

Nagios Administrator add Windows machine


Note that - most importantly - the Name must match the name specified in the NC_Net startup.cfg - <windows_machine_nagios_host_id>, and that the flag ‘active_checks_enabled’ must be set to ‘0’, and you must specify the correct IP address, host group, OS and contact group.

Nagios Administrator services for Windows machine


Scroll down and specify the correct services to match up to those in your NC_Net passive.cfg for that host.

Once you have these items all created successfully, go to the Generator screen and ‘Save’ your configuration. Then, on your Nagios server, restart Nagios:

service nagios restart

Now you should soon see the correct service entries on your Nagios GUI screen populated.
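An added example (not part of the original post, and not output from Nagios Administrator): a Python sketch that reads passive.cfg and prints one Nagios service definition per enabled check, so the service names cannot drift from what NC_Net sends. It assumes a check name runs from the command number to the first option, that check_dummy is defined as $USER1$/check_dummy $ARG1$ $ARG2$, and a 900-second freshness threshold; winhost01 is a placeholder host name.

```python
import re

# Constructed sample in the shape of the passive.cfg lines shown earlier.
PASSIVE_CFG = r'''
C testrun false
2 cputotal -l 10,80,90,5,20,90
3 uptime
# 6 procstate -l notepad.exe
7 Memory Use
8 Perf Counter -l "\Paging file(_total)\% usage","Paging File usage is %%.4f %" -w 50 -c 60
'''

# Assumed layout: check_dummy only runs when a passive result goes stale,
# so a silent Windows host turns UNKNOWN instead of staying green.
SERVICE = """define service {{
    use                     passive-service
    host_name               {host}
    service_description     {name}
    check_command           check_dummy!3!"No passive result received"
    active_checks_enabled   0
    passive_checks_enabled  1
    check_freshness         1
    freshness_threshold     {stale}
}}
"""

def service_names(cfg_text):
    """Names (second field) of enabled checks. Assumption: the name ends at
    the first option such as -l; 'C' and '#' lines are not checks."""
    names = []
    for line in cfg_text.splitlines():
        m = re.match(r"\s*\d+\s+(\S.*)", line)
        if m:
            names.append(re.split(r"\s+-\w", m.group(1), maxsplit=1)[0].strip())
    return names

def nagios_services(cfg_text, host, stale=900):
    """Render one passive service definition per enabled NC_Net check."""
    return "\n".join(SERVICE.format(host=host, name=n, stale=stale)
                     for n in service_names(cfg_text))

if __name__ == "__main__":
    # "winhost01" is a placeholder; it must equal host_passive in startup.cfg.
    print(nagios_services(PASSIVE_CFG, "winhost01"))
```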

This is a good treatment of monitoring Exchange Server with these tools.

I’m the proud owner of a new iPhone 3G, but have had a hard time getting my SSL IMAP email working. A bit unusual, since I’ve been involved in supporting Internet email operations since the early 90’s. I run my own IMAP server (dovecot) on Linux, and utilize SSL encrypted IMAP on standard ports. I employ a self-signed cert as the price is right, and the folks that I provide email for all know who I am or who Blackfin Software is, so ‘verified identity’ is not an issue.

It turns out that you cannot accept and store a self-signed cert from within the iPhone mail application. So - what you need to do is to get it there from your syncing host. I’ve done this on a Mac, so I’m not sure if it will work from a PC. You’ll need to go through the normal procedure of setting up your IMAP mail account utilizing Mac OS X Mail. The first time it contacts your IMAP server, it will complain that the certificate presented by your mail server is not trusted. Examine/display the cert, and then click and drag the actual cert to your desktop. Once it is there, double click on it. It should open it with the ‘Keychain Access’ app. Import the certificate into your (default) login keychain and once there, go into it and modify the trust settings such that it is ‘trusted always’. Exit Keychain Access. Make sure that you can quit and restart Mail, and that it is able to both receive and send email with the Mac Mail app - without asking you if you want to trust the self-signed cert.

Now you’ll need to sync your iPhone with your Mac. It should pick up these new email settings as well as the new trusted certificate from your keychain. If you have another account configured on your iPhone Mail, you may need to disable it. I had to actually reboot my iPhone (turn off, turn back on), to get these settings to work. This may or may not have had to do with the fact that I had been trying to configure the account directly on the iPhone. At this point it picked up my IMAP folders, etc. YMMV.

Hope this helps….

(iPhone 3G, Mac OS X 10.4.(?)7)

In my capacity as a Dad, I find it a bit scary when my kids are online, and I don’t have any reliable monitoring software or - better yet - a good porn filter - in place to protect them from some of the more unseemly business out there. When we had our ISP - Gulf Coast Internet, based in the thriving metropolis of Pensacola, FL - back in the glory days of the net prior to the dot bomb, we provided a filtering service to some of our customers so that anyone using their dialup account would not be subject to the bad stuff. The provider of this filtering service - Nessus - did a remarkable job of maintaining a list of objectionable content. Subscribers to their service were pleased to have this net based filter available to them. It was 100% (well - extremely) reliable, in that it wasn’t software that Junior knew how to get around at night when you were sleeping or out for dinner, etc. Also, and perhaps almost as importantly, this solution did not compel you to install yet another software package along with all the assorted and sundry bloatware that is already dragging your machine down to a crawl.

So, after we left the ISP behind, I was still able to use this filter for a while, but when they finally reconfigured that box, or got rid of that service, we were left with the ‘look over their shoulder’ method of child-internet surf monitoring. Keeping the computer that the kids can use in a central part of the house, such as the kitchen, helps this process, but it is still a losing proposition.

So - what is available out there to help you? All kinds of software packages for the Windows environment that promise to prevent the kids from doing all of those things that they shouldn’t be doing online. Just install it after you’ve installed your antivirus, antiphishing, antipopup, antiadware, etc. - and watch that system slow down just a little bit more. I mean - how much time does the average parent spend trying to perform all of the administrative tasks that they need to do to try to plug all the holes left in MS software? I for one find it particularly frustrating, knowing that it does not have to be this way. Go buy a Mac already. Which is what we’ve done, a couple times now in the last three years. After OS X came out, and I became aware of how slick and polished the entire package is, we had to take the plunge. The family got a new iMac with the swivel screen and it sat in the kitchen on the bar, where the screen could be turned in for recipe perusal, and out for the kids’ homework and surfing. Apple is doing a good job locking down and maintaining security. It is really nice not having to worry about installing and maintaining all of the antivirus and anti-adware tools. The tools are all pretty good, and fairly intuitive - this greatly reduces the internal tech support load - which is not what computer people want to do after dinner. Ask me how I know.

Anyway, the point of this diatribe is that I needed a solution that would work for a small home network that consists of both PCs and Macs - I use PCs in my work as my customers do, so it’s not a matter of choice. So, it used to be that Belkin was providing very inexpensive routers that included the ability to use a third party filtering service - one that is now called Blue Coat - used to be Cerberian. What a great tool for families, I thought. After repeated attempts to get it working on my Belkin pre-N wireless router, I went through the normal tech support nightmare on steroids - particularly bad since Belkin is primarily a cable accessory company - only to find out that they stopped providing this service.

There are some more expensive routers that provide filtering, but after some peeking and poking, I found that some of the less expensive ZyXEL routers provide access to this third party filtering. So, I got a ZyXEL Zywall 2 plus, as that seemed to be the cheapest one that did provide this service. Still - at about $150, and $60 a year or so for the service, it is a bit more expensive than the $30 Linksys or Netgear router/wifi hubs that end up in most homes. But - peace of mind it does provide. I had some history with ZyXEL, apparently a Taiwanese company that appears to be much more engineering oriented as opposed to marketing driven. We had used their modems when we first started our ISP - they provided a technology that gave you a 16.8! kbps connection as opposed to the slower 14.4. Anyway - I’d read some good things about the ZyXEL modems and had some success with them, and we had a good experience with them at Gulf Coast. This router is a bit more complex than your consumer grade Linksys, and there’s a little more configuration required, but it’s been working solidly for me now for several months, and I recommend it highly for all parents with more than one computer at home - irrespective of whether or not those computers are Macs or PCs. I found some of the best prices on the net at a small company called Nowthor - http://shopping.nowthor.com/zyxel-zywall-2-plus.html - I’ve ordered both the router and the subscription to the filtering service (what ZyXEL calls the iCard Silver) through them, and gotten good turn around time.