
Welcome to My Blog

This is to share my IT experience with friends all around the world.
I have been working in Linux Fedora Systems for more than 8 years. It's fun to share knowledge and learn.
As everyone knows, when a problem arises in your systems, "googling" is the way that many depend on.

All the posts here are my working experiences during my working life, so you can count on them.

I have added the references where I got help in solving IT issues.


Monday, June 27, 2011

Send Nagios Status Reports through a Cron Job

A daily summarized status report of the system is useful for managers. It can be produced with the following script, which should be listed in the crontab so that it executes on a daily basis.

Steps (the commands should be written to the script file)

1. Generate the html version of the report automatically.
wget -v --user nagios_user --password 'password' --no-check-certificate -O ./`date +%Y%m%d`-report.html "https://your_nagios_server_URL/nagios/cgi-bin/avail.cgi?show_log_entries=&host=Host1&service=all&timeperiod=yesterday&timeperiod=24x7"

Here, replace nagios_user with a user who has privileges to generate the status report, 'password' with that user's password, and Host1 with the name of the host you want to report on. It is better to run the command separately first and check that you are getting the HTML file correctly. If everything is fine, you will get an HTML report named with the date, e.g. 20110627-report.html

If you have no idea how to get the https:// .... part, just run tail -f on the HTTP access log of the Nagios server and generate the report from the Nagios GUI. The request needed to generate the report will appear on your screen.

Here my Nagios is running on https://, so I need to run tail -f on /var/log/httpd/ssl_access_log and generate the required report from the Nagios GUI.

Copy that request and use it in place of the URL in the command above.



2. Copy this file to a temporary file named rep.html
cp `date +%Y%m%d`-report.html rep.html

The temporary file is useful if you want to alter the HTML with the sed command.

3. Convert HTML file to PS2
/usr/bin/html2ps -U rep.html > rep.ps

4. Convert ps file to PDF version
ps2pdf rep.ps report`date +%Y%m%d`.pdf
This will create a PDF file with the name reportyyyymmdd.pdf

5. Mail the content to the appropriate user
nail -a report`date +%Y%m%d`.pdf -s "Nagios Report" admin@your_domain


Now the script file should be called through a cron job.
If you wish to set the cron job for a particular user, log in to the system as that user and type the command crontab -e, which lets that user edit his cron jobs.

Put in an entry for the cron job
15 00 * * * /home/user/script.sh
Here script.sh is the file that holds all the commands for Nagios report generation and emailing.

Save and exit from the crontab edit mode.
Make sure the user has the privileges to execute the file 'script.sh'
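
The five steps above assembled into one script, as an added example that is not the author's own script. It differs in three ways: the user name and password come from a wgetrc-style file readable only by its owner (a --password argument is visible to other local users in the process list), the server certificate is verified instead of using --no-check-certificate, and all files are written to a private temporary directory. The variable names, the function names and the credential file path are assumptions.

```shell
#!/bin/sh
# Added example: hardened wrapper around the five report steps.
# Assumed names: CRED_FILE, NAGIOS_URL, REPORT_HOST, MAIL_TO and all functions.
umask 077                                   # reports and temp files: owner only

# CRED_FILE is a wgetrc file holding: user=... / password=... / ca_certificate=...
CRED_FILE="${CRED_FILE:-$HOME/.nagios-report.wgetrc}"
NAGIOS_URL="${NAGIOS_URL:-https://your_nagios_server_URL/nagios/cgi-bin/avail.cgi}"
REPORT_HOST="${REPORT_HOST:-Host1}"
MAIL_TO="${MAIL_TO:-admin@your_domain}"

# Succeeds only if the credential file exists and grants nothing to group/other.
cred_file_is_private() {
    [ -f "$1" ] || return 1
    perms=$(ls -ld "$1" | cut -c5-10)       # group+other bits, "------" for 0600
    [ "$perms" = "------" ]
}

# Builds the avail.cgi request from step 1 for the given host.
report_url() {
    printf '%s?show_log_entries=&host=%s&service=all&timeperiod=yesterday&timeperiod=24x7' \
        "$NAGIOS_URL" "$1"
}

generate_and_mail() {
    cred_file_is_private "$CRED_FILE" || {
        echo "refusing to run: $CRED_FILE is missing or not mode 600" >&2
        return 1
    }
    workdir=$(mktemp -d) || return 1
    trap 'rm -rf "$workdir"' EXIT
    stamp=$(date +%Y%m%d)
    # WGETRC supplies user and password, so neither appears on the command line.
    WGETRC="$CRED_FILE" wget -q -O "$workdir/rep.html" "$(report_url "$REPORT_HOST")" || return 1
    /usr/bin/html2ps -U "$workdir/rep.html" > "$workdir/rep.ps" || return 1
    ps2pdf "$workdir/rep.ps" "$workdir/report$stamp.pdf" || return 1
    nail -a "$workdir/report$stamp.pdf" -s "Nagios Report" "$MAIL_TO" < /dev/null
}

# Runs only when asked, so the functions can be checked without contacting Nagios.
if [ "${RUN_REPORT:-0}" = "1" ]; then
    generate_and_mail
fi
```

In the crontab entry, set RUN_REPORT=1 in front of the script path so that the report is actually generated.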

Friday, June 24, 2011

Nagios Authentication with LDAP using Apache Module mod_authnz_ldap

The basic authentication mechanism for Nagios is an htpasswd file. The password file is defined in /etc/httpd/conf.d/nagios.conf

AuthUserFile /usr/local/nagios/etc/htpasswd.users

I tried to authenticate users from the LDAP server to enable centralized user authentication.

Here I have used authnz_ldap_module in Apache to authenticate users for the Nagios system.
My Apache version is Apache/2.2.14 (Unix) and my Nagios version is 3.2.3.

First of all, the module needs to be built into Apache. Check /etc/httpd/conf/httpd.conf for the following entry.
LoadModule authnz_ldap_module modules/mod_authnz_ldap.so

If your Apache is not compiled with authnz_ldap_module, follow the link below and enable authnz_ldap_module support in Apache. Normally, this module is available in Apache version 2.1 and later.
http://www.muquit.com/muquit/software/mod_auth_ldap/mod_auth_ldap.html

Here are the parameters that I configured in /etc/httpd/conf.d/nagios.conf

SSLRequireSSL
Options ExecCGI
AllowOverride None
Order allow,deny
Allow from all
AuthName "Nagios Access for LKNIC"
AuthType Basic
AuthBasicProvider ldap
AuthLDAPUrl ldap://[ldap_server_ip]:[ldap_port]/[Base_DN]?[search_attribute, e.g. uid]
Require valid-user


The entries in bold are related to the LDAP authentication. I have allowed all LDAP users into the Nagios system, as I have configured the 'Require valid-user' setting in nagios.conf. User restrictions can be configured by referring to http://httpd.apache.org/docs/2.2/mod/mod_authnz_ldap.html#usingtls

By enabling SSLRequireSSL in the configuration I have set the HTTPS connection for Nagios. With this setting Nagios is accessible only at https://server.url/nagios

Even though I have enabled all LDAP users to visit the Nagios system, the user levels are defined in cgi.cfg under /usr/local/nagios/etc/
E.g.
authorized_for_system_commands=user1,user2
authorized_for_read_only=user3

Hope this will help you to configure central authentication for Nagios.

Useful reference:
http://httpd.apache.org/docs/2.2/mod/mod_authnz_ldap.html#usingtls
http://www.linux.com/archive/feature/120050
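
SSLRequireSSL protects the Basic-auth password between the browser and Apache, but with an ldap:// URL and no TLS mode, Apache passes the same password to the directory server in cleartext when it binds. The check below is an added example, not part of the original post: it flags AuthLDAPUrl lines that use neither ldaps:// nor a TLS/STARTTLS mode argument, unless LDAPTrustedMode is set globally. The function names and the sample configuration (with a constructed address and base DN) are assumptions.

```shell
#!/bin/sh
# Added example: audit the Apache-to-LDAP leg of the nagios.conf setup above.
# Function names are assumptions; the sample configuration is constructed.

# Constructed sample using the directives from the post.
sample_conf() {
    cat <<'EOF'
SSLRequireSSL
AuthType Basic
AuthBasicProvider ldap
AuthLDAPUrl ldap://192.0.2.20:389/dc=example,dc=com?uid
Require valid-user
EOF
}

# Prints "line: directive" for each AuthLDAPUrl that would carry the bind
# password unencrypted and returns 1 if any is found. Reads stdin when no
# file is given.
audit_ldap_transport() {
    awk '
        /^[ \t]*#/ { next }                               # skip comments
        tolower($1) == "ldaptrustedmode" &&
            toupper($2) ~ /^(TLS|SSL|STARTTLS)$/ { global = 1 }
        tolower($1) == "authldapurl" {
            url = $2
            gsub(/"/, "", url)
            if (tolower(url) ~ /^ldaps:/) next            # LDAP over SSL
            if (NF > 2 && toupper($NF) ~ /^(TLS|SSL|STARTTLS)$/) next
            weak[++n] = FNR ": " $0
        }
        END {
            if (global) exit 0                            # mode set for all connections
            for (i = 1; i <= n; i++) print weak[i]
            exit (n > 0)
        }
    ' "${1:--}"
}
```

Run it as audit_ldap_transport /etc/httpd/conf.d/nagios.conf; the sample above is reported at line 4, and appending STARTTLS to that AuthLDAPUrl line clears the finding.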

Monday, June 20, 2011

MySQL DATE_SUB Function

If you are using a database as the back-end, programmers need to read data from the database (e.g. MySQL) and process it before displaying information to the clients. For example, if you have a date of birth (dob) in a database table column, you need to read each dob from the table and calculate the age inside your code.
If you are using MySQL, it allows you to do small calculations within your queries.

DATE_SUB / DATE_ADD are very useful MySQL functions which reduce the amount of code in your program.

The following is one example of using the DATE_SUB function.

$query = "select customer.name as name, orig_date from customer where orig_date > DATE_SUB(CURDATE(), INTERVAL 7 DAY)";
This will display the records created within the last week.

Good Reference
http://dev.mysql.com/doc/refman/5.5/en/date-and-time-functions.html

Monday, June 13, 2011

IP Tables DNAT and IP Forwarding

We had a requirement to forward all mail coming to the mail server on port 25 to port 25 on the virus scanner. We created a DNAT rule in iptables to do this at the pre-routing stage.

-A PREROUTING -s virus_scanner_ip -p tcp -j ACCEPT
-A PREROUTING -s my_network -p tcp -m tcp --dport 25 -j DNAT --to-destination virus_scanner_ip

The first rule accepts any connection from the virus_scanner to the mail server, and the second rule forwards all connections to the virus_scanner. The interesting thing here is that the network defined in the second rule includes the virus_scanner_ip as well, but because of the first rule a routing loop is not created.

We enabled this and configured the virus_scanner to route all packets via the mail server. This is a must, as the client accepts the session only with the mail server.

The other important point is to enable IP forwarding on the mail server. (This is a must, as the mail server forwards all requests from clients to the virus scanner.)

Please refer to the following documents for further details:
http://www.ducea.com/2006/08/01/how-to-enable-ip-forwarding-in-linux/ - IP Forwarding
http://linux-ip.net/html/nat-dnat.html - DNAT and Pre Routing
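
The rule ordering and the forwarding requirement described above can be checked mechanically. The following is an added example, not part of the original post: it emits the two rules as an iptables-restore fragment, verifies in a saved rule file that the scanner's ACCEPT rule comes before the DNAT rule, and tests whether IP forwarding is on. The function names are assumptions, and it handles only the rule shapes shown in the post.

```shell
#!/bin/sh
# Added example: checks for the DNAT setup above. Function names are assumptions.

# Emit the nat-table fragment in iptables-restore format. The ACCEPT for the
# scanner comes first, because PREROUTING stops at the first terminating match.
emit_nat_rules() {            # $1 = scanner IP, $2 = client network (CIDR)
    printf '%s\n' "*nat"
    printf '%s\n' "-A PREROUTING -s $1 -p tcp -j ACCEPT"
    printf '%s\n' "-A PREROUTING -s $2 -p tcp -m tcp --dport 25 -j DNAT --to-destination $1"
    printf '%s\n' "COMMIT"
}

# Return 0 only if an ACCEPT rule for the scanner precedes the first DNAT
# rule that points at the scanner (otherwise its own traffic loops back).
dnat_loop_guarded() {         # $1 = rules file, $2 = scanner IP
    awk -v ip="$2" '
        $1 == "-A" && $2 == "PREROUTING" {
            src = ""; target = ""; dest = ""
            for (i = 3; i < NF; i++) {
                if ($i == "-s") src = $(i + 1)
                if ($i == "-j") target = $(i + 1)
                if ($i == "--to-destination") dest = $(i + 1)
            }
            sub(/\/32$/, "", src)                 # iptables-save writes hosts as /32
            if (target == "ACCEPT" && src == ip) guarded = 1
            if (target == "DNAT" && dest == ip) { found = 1; exit }
        }
        END { if (found && guarded) exit 0; exit 1 }
    ' "$1"
}

# Return 0 if IP forwarding is enabled; the path defaults to the live kernel
# setting and can be overridden for testing.
forwarding_enabled() {        # $1 = optional path to an ip_forward file
    [ "$(cat "${1:-/proc/sys/net/ipv4/ip_forward}" 2>/dev/null)" = "1" ]
}
```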

Monday, June 6, 2011

IP ROUTE2

This is a very interesting topic related to policy-based routing in Linux. I have used this mechanism in a firewall (Linux) with 3 Internet connections from 3 ISPs.
Use the following link for more details.

http://www.policyrouting.org/iproute2.doc.html