All HowTo's Linux Redhat, Fedora and CentOS Linux Web Servers

Nagios Part 1 | Install & Configure Nagios On CentOS7 and RHEL

This is a multi-part series of Nagios articles all focused on configuring a complete Nagios monitored network. Find all related articles here.

This article demonstrates how to install and configure the Nagios monitoring system (the server) on a Linux CentOS 7 or RHEL7 server. This article goes as far as installing and configuring Nagios to show the “localhost” only. I’ll write second article that shows how to add other machines via “agent” and “non-agent” methods.

Nagios is an exceptional tool for monitoring networked devices. Monitor servers, workstations, printers, routers and firewalls. Monitor anything that supports SNMP.

Nagios is an open-souce server that runs on Linux. It provides a web interface showing the state of your network of devices.

For the examples given here, the hostname will be a DNS registered machine at “http://nagios.example.com” so change that to whatever name you use.

Install the packages using:

yum install epel-release
yum install nagios 
yum install nagios-plugins*
yum install perl-rrdtool perl-GD
yum install perl-Nagios-Plugin

TIP: Make sure your web server is installed. I won’t cover that in this tutorial because it might be you have special needs. If you don’t have anything else running on this server and are happy to, just install Apache with “yum install httpd”.

Configure Nagios to start now and on future boots:

systemctl enable nagios
systemctl restart nagios

The “yum” install command above places the Apache “vhost” file at “/etc/httpd/conf.d/nagios.conf”. The contents of this file look like the following:

ScriptAlias /nagios/cgi-bin "/usr/lib64/nagios/cgi-bin/"
<Directory "/usr/lib64/nagios/cgi-bin/">
 Options ExecCGI
 AllowOverride None
 <IfVersion >= 2.3>
 <RequireAll>
 Require all granted
 AuthName "Nagios Access"
 AuthType Basic
 AuthUserFile /etc/nagios/passwd
 Require valid-user
 </RequireAll>
 </IfVersion>
 <IfVersion < 2.3>
 Order allow,deny
 Allow from all
 AuthName "Nagios Access"
 AuthType Basic
 AuthUserFile /etc/nagios/passwd
 Require valid-user
 </IfVersion>
</Directory>
Alias /nagios "/usr/share/nagios/html"
<Directory "/usr/share/nagios/html">
 Options None
 AllowOverride None
 <IfVersion >= 2.3>
 <RequireAll>
 Require all granted
 AuthName "Nagios Access"
 AuthType Basic
 AuthUserFile /etc/nagios/passwd
 Require valid-user
 </RequireAll>
 </IfVersion>
 <IfVersion < 2.3>
 Order allow,deny
 Allow from all
 AuthName "Nagios Access"
 AuthType Basic
 AuthUserFile /etc/nagios/passwd
 Require valid-user
 </IfVersion>
</Directory>

But i’ve opted for my own “vhost” config as follows:

<VirtualHost *:80>

 ServerName nagios.example.com
 ServerAdmin [email protected]
 ErrorLog logs/nagios.example.com_log
 CustomLog logs/nagios.example.com_log common

 DocumentRoot /usr/share/nagios/html 
 ScriptAlias /nagios/cgi-bin "/usr/lib64/nagios/cgi-bin/"
 ScriptAlias /cgi-bin "/usr/lib64/nagios/cgi-bin/"
 Alias /nagios "/usr/share/nagios/html"

<Directory "/usr/lib64/nagios/cgi-bin/">
 Options +ExecCGI
 AllowOverride None
 Order allow,deny
 Allow from all
 AuthName "Nagios Access"
 AuthType Basic
 AuthUserFile /etc/nagios/passwd
 Require valid-user
</Directory>

<Directory "/usr/share/nagios">
 Options None
 AllowOverride None
 Order allow,deny
 Allow from all
 AuthName "Nagios Access"
 AuthType Basic
 AuthUserFile /etc/nagios/passwd
 Require valid-user
</Directory>

</VirtualHost>

For good security we need to restrict access to Nagios by authentication credentials. Most of the work is already done for us. We simple need to change the password.

Notice the “/etc/nagios/passwd” line in the above “vhost”. That file has an entry already allowing us to login with credentials. Using the following example we can change the password to be something we like:

htpasswd /etc/nagios/passwd nagiosadmin

Keep in mind that Nagios is accessible to us via “http” and not “https”. Obviously we want to fix that as soon as possible with LetsEncrypt or whichever SSL certificate authority you prefer.

Make a small change to the “/etc/nagios/cgi.cfg” file. Notice the “url_html_path=/” line.

main_config_file=/etc/nagios/nagios.cfg
physical_html_path=/usr/share/nagios/html
url_html_path=/
show_context_help=0
use_pending_states=1
use_authentication=1
use_ssl_authentication=0
authorized_for_system_information=nagiosadmin
authorized_for_configuration_information=nagiosadmin
authorized_for_system_commands=nagiosadmin
authorized_for_all_services=nagiosadmin
authorized_for_all_hosts=nagiosadmin
authorized_for_all_service_commands=nagiosadmin
authorized_for_all_host_commands=nagiosadmin
default_statuswrl_layout=4
ping_syntax=/bin/ping -n -U -c 5 $HOSTADDRESS$
refresh_rate=90
result_limit=100
escape_html_tags=1
action_url_target=_blank
notes_url_target=_blank
lock_author_names=1
navbar_search_for_addresses=1
navbar_search_for_aliases=1

Now fix a few permission issues:

chown -R apache.apache /usr/share/nagios
chown -R apache.apache /usr/lib64/nagios/
usermod -a -G nagios apache

Now restart Nagios:

systemctl restart nagios

Visit your new Nagios server at “http://nagios.example.com”.

Consider using LetsEncrypt to get your Nagios talking over “https” rather than the standard “http”.

SELinux can cause issues with Nagios and CentOS 7 (and RHEL). My solution is to create custom SELinux modules to specifically allow the behavior of Nagios that was being blocked. An interesting situation occurred where not everything was caught in the logs so i have to run the following twice.

First find the logged causes of the problem:

tail -f /var/log/audit/audit.log > /tmp/nagios.selog

Then run:

sealert -a /tmp/nagios.selog

The following commands were recommended by the output of the above:

ausearch -c 'statusjson.cgi' --raw | audit2allow -M my-statusjsoncgi

You’ll need to restart related services which “might” include “httpd”, “php-fpm” and “nagios”.

Leave a Reply

Your email address will not be published. Required fields are marked *