Analytics for Nagios

Overview

Analytics for Nagios (formerly known as Splunk for Nagios) includes a major re-write of all dashboards using Simple XML and it leverages inputs from the Splunk Supported "Splunk Add-on for Nagios Core". It has been tested successfully with Nagios XI and Nagios Core 4.

Important: use Splunk for Nagios version 3 with Nagios 3.x, and Analytics for Nagios version 4 with Nagios Core 4.x or Nagios XI.

New dashboards:

• Overview dashboard featuring Alerts & Notifications over time
• Recurring Alerts dashboard
• Gearman Workers dashboard
• Calendar Heatmap dashboard (D3)
• Network Map (D3)

MK Livestatus Dashboards:

• Livestatus Network Health
• Livestatus Service Alerts
• Livestatus Host SLA
• Livestatus Service SLA
• Livestatus Host Groups
• Livestatus Service Groups
• Livestatus Host and Service Acknowledgement
• Livestatus Host and Service Downtime

Very powerful dashboards:

• Host Availability
• Top 100 Alerts

Now you can monitor, manage and troubleshoot all your devices from one single pane of glass with Analytics for Nagios.

Get out of the 1980's and replace Cacti, Munin, MRTG, Orca, etc. with Analytics for Nagios... no more rrd configuration and no more agents to install.

Why poll for data twice? Analytics for Nagios creates the performance graphs automatically!

Analytics for Nagios also has another huge advantage over rrd based graphing solutions, and that is you can graph performance and capacity metrics with full fidelity, ie. no more 'averaged out' rrd based graphs.

• Supported on Linux/Unix Splunk servers only.
• Any feedback, including requests for enhancement are most welcome.
  • Email: luke@verypowerful.info

Analytics for Nagios is hosted at GitHub

• Feel free to submit a pull request:
  • https://github.com/skywalka/splunk-for-nagios

Setup Analytics for Nagios

Distributed Deployment

• Install the Splunk Supported "Splunk Add-on for Nagios Core" on the Universal Forwarders, Search Heads, Indexers/Peer Nodes, and Heavy Forwarders.
• Install "Analytics for Nagios" on your Search Head/s

Add an Index to Splunk

• Create an index called nagios on your Indexers/Peer Nodes.

Install and Configure a 'Universal Forwarder' on the Nagios server/s

Install the Splunk Supported "Splunk Add-on for Nagios Core"
https://splunkbase.splunk.com/app/2703/

Follow the Setup Instructions as per Splunk's official documentation:
http://docs.splunk.com/Documentation/AddOns/latest/NagiosCore/Setup

Note: Do not set the following configurations in $NAGIOS_HOME/etc/nagios.cfg if you are running Nagios XI.
e.g. /usr/local/nagios/etc/nagios.cfg

#service_perfdata_command=...
#host_perfdata_command=...

If they are commented, keep them commented. If they are set, remove or comment the options. If these lines are set, the field extractions in the add-on may fail.

Do not change the perfdata file templates as the data is also used by PNP in Nagios XI:

service_perfdata_file_template=DATATYPE::SERVICEPERFDATA\tTIMET::$TIMET$\tHOSTNAME::$HOSTNAME$\tSERVICEDESC::$SERVICEDESC$\tSERVICEPERFDATA::$SERVICEPERFDATA$\tSERVICECHECKCOMMAND::$SERVICECHECKCOMMAND$\tHOSTSTATE::$HOSTSTATE$\tHOSTSTATETYPE::$HOSTSTATETYPE$\tSERVICESTATE::$SERVICESTATE$\tSERVICESTATETYPE::$SERVICESTATETYPE$\tSERVICEOUTPUT::$SERVICEOUTPUT$

host_perfdata_file_template=DATATYPE::HOSTPERFDATA\tTIMET::$TIMET$\tHOSTNAME::$HOSTNAME$\tHOSTPERFDATA::$HOSTPERFDATA$\tHOSTCHECKCOMMAND::$HOSTCHECKCOMMAND$\tHOSTSTATE::$HOSTSTATE$\tHOSTSTATETYPE::$HOSTSTATETYPE$\tHOSTOUTPUT::$HOSTOUTPUT$

Update the sourcetypes in inputs.conf if you are running Nagios XI:

[monitor:///usr/local/nagios/var/nagios.log]
disabled = 0
sourcetype = nagios:core
index = nagios

[monitor:///usr/local/nagios/var/host-perfdata]
disabled = 0
sourcetype = nagios:core:hostperfxi
index = nagios

[monitor:///usr/local/nagios/var/service-perfdata]
disabled = 0
sourcetype = nagios:core:serviceperfxi
index = nagios

Update the sourcetypes in inputs.conf if you are running Nagios Core 4.x:

[monitor:///usr/local/nagios/var/nagios.log]
disabled = 0
sourcetype = nagios:core
index = nagios

[monitor:///usr/local/nagios/var/host-perfdata]
disabled = 0
sourcetype = nagios:core:hostperf
index = nagios

[monitor:///usr/local/nagios/var/service-perfdata]
disabled = 0
sourcetype = nagios:core:serviceperf
index = nagios

Configure Analytics for Nagios on your Search Head/s

All of the dashboards and saved searches in Analytics for Nagios use searches based on index=nagios

• Update the nagios_index macro in Analytics for Nagios if you use a different index

Update the following macros in Analytics for Nagios if you are running Nagios Core 4.x:

• nagios_core_hostperf
  • change from 'nagios:core:hostperfxi' to 'nagios:core:hostperf'
• nagios_core_serviceperf
  • change from 'nagios:core:serviceperfxi' to 'nagios:core:serviceperf'

MK Livestatus Integration

• Livestatus makes use of the Nagios Event Broker API for accessing status and object data. It opens a socket by which data can be retrieved on demand. The socket allows you to send a request for hosts, services or other pieces of data and get an immediate answer. The data is directly read from Nagios' internal data structures.
• Version 4 of Analytics for Nagios includes external scripts for livestatus integration that must be updated for your nagios environment:
• Edit the following python script using your favourite text editor and replace the Hostnames and Port number with your Nagios server/s that are running MK Livestatus:
  $SPLUNK_HOME/etc/apps/SplunkForNagios/bin/mklivestatus.py
• Optionally, you can test connectivity to your MK Livestatus server/s by running the following script from the command line on your Splunk server:
  $SPLUNK_HOME/etc/apps/SplunkForNagios/bin/test-mklivestatus.py

REQUIRED:

• The Livestatus dashboards and the new reports will NOT work if you do not edit the script as instructed above.
• You must ensure that the ip address of your Splunk Search Head/s is listed next to "only_from" in /etc/xinetd.d/livestatus on your nagios server.
• mk-livestatus v1.2.6p5 or greater required!

Reference:

https://mathias-kettner.de/checkmk_livestatus.html

Nagios Plugins supported by Analytics for Nagios

• All Official Nagios Plugins: https://www.nagios.org/download/plugins
• check_iftraffic_nrpe: https://github.com/skywalka/check-iftraffic-nrpe

How To Send Alerts From Splunk To Nagios

Configure a Scheduled Saved Search in Splunk to send alerts to Nagios:

• Prerequisites:
  • send_nsca: must be installed on the *nix Splunk server
  • nsca: must be listening on the Nagios server
• The name of the Saved Search must begin with the corresponding hostname defined in Nagios followed by a hyphen then the name of the Service defined in Nagios, eg.
  • server01 - XYZ Alert
• Time range:
  • Start time = -5m@m
  • Finish time = now
• Schedule and alert:
  • tick "Schedule this search"
• Schedule type = Basic
  • Run every = 5 minutes
• Alert conditions:
  • Perform actions = if number of events
  • is greater than 0 (ie. if an alert is to be generated when a given event does occur)
    • or
  • is equal to 0 (ie. if an alert is to be generated when a given event does not occur)
• Alert actions:
  • tick Trigger shell script
  • Filename of shell script to execute = splunk-nagios.sh
• Click Save

REQUIRED:

• Edit the script located at $SPLUNK_HOME/etc/apps/SplunkForNagios/bin/scripts/splunk-nagios.sh and change the following variables so that they are relevant to your environment:
  • SPLUNKSERVER=splunk01 (ie. hostname of the splunk server)
  • WWW=splunk (ie. the hostname of the splunk search head)
  • NSCABIN=/usr/lib/nagios/plugins (ie. location of send_nsca on your splunk server)
  • NSCACFG=$NSCABIN (ie. location of send_nsca.cfg on your splunk server)
  • NSCAHOST=nagios.abc.com.au (ie. Fully Qualified Domain Name of your Nagios server)
  • NSCAPORT=5667 (ie. port number of the nsca daemon on your Nagios server)

Thank You

• Tim Hartmann for Livestatus assistance
• Stephen Ho for dashboard optimizations
• Wil Cooley for additional field extractions

Road Map

• 4.1
  • Performance Charts by Host or Service Group
  • Alerts by Host or Service Group
  • Availability Reports for Host and Service Groups

Disclaimer

• This app has been created to work with Nagios Core version 4 and Nagios XI and it may or may not suit your specific purposes.

Copyright (c) 2015 Luke Harris. All Rights Reserved.

License

• GNU GENERAL PUBLIC LICENSE Version 3

Older Versions

v3.0.0

• Added Livestatus dashboards
• Added Service Acknowledgement
• Added Host and Service Downtime integration

v2.0.1

• fixed bug in Livestatus Alerts Dashboard
• added check_splunk_license script and new dashboard: Nagios Splunk License Usage Graph

v2.0

• added external lookup scripts for integration with MK Livestatus
• added 2 dashboards updated with live status data from Nagios
• added a CMDB Report and Service Alerts by Service Group
• added 5 Cisco Network Dashboards with Graphs of Network Interface Utilization, CPU, Memory, Temperature and Gateway Usage sourced from Nagios Plugin Performance Data
• added AIX Filesystem Usage Graphs
• added BSD specific Host Dashboard

v1.1.1

• added 2 NAS Dashboards with Graphs of Storage Usage, Quota Usage, SAVVOL Usage, Connections by Protocol, etc (EMC Isilon and Celerra)

v1.1

• added 4 all new Powerful Views with Graphs of metal level metrics sourced from Nagios Plugin Performance Data
• added Nagios Alerts Form Search with an auto-populating drop-down list of all device names to easily display relevant alert history
• added 5 all new field extractions for CIM compliance: http://www.splunk.com/base/Documentation/latest/Knowledge/UnderstandandusetheCommonInformationModel

v1.0

• initial release