...

We already run a Nagios-3.2 instance on an Ubuntu system in a remote data centre, and my goal is to monitor as many services on my new Windows host as possible.

...

The check-host-alive test is a basic test from the nagios-plugins-basic package, and is based on check_ping, which can do IPv4 and IPv6, and defaults to IPv4. It is defined in /etc/nagios-plugins/config/ping.cfg. Interestingly, there are checks to deal with dual stack monitoring:

...

Microsoft SQL Server

There are no Nagios plugins in any Ubuntu package that can check the status of SQL Server, but Nagios Exchange does list a number of them. They are written in various languages (Perl, Python, PHP), and they all rely on FreeTDS, a set of libraries for Unix and Linux that allows programs to natively talk to Microsoft SQL Server and Sybase databases. Unfortunately, this library does not support IPv6, hence none of the mentioned plugins work (sad).

After I asked around on the FreeTDS mailing list, a guy called Peter Deacon wrote a patch that adds IPv6 support. Yah (smile). After compilation I did some testing and I was able to connect to my SQL Server using a Perl script that uses DBD::Sybase (smile).

With the FreeTDS library now supporting IPv6 connections, I went to the Nagios Exchange and picked

SSL certificate expiration date

Now that the server has an SSL certificate, it should be monitored so that we get a warning when it is about to expire in about 3 years. The way I usually do this is by using a Nagios plugin to monitor a service that uses the certificate, and then pick the certificate expiration option of the plugin. For example, the check_smtp plugin has this option:

Code Block
 -D, --certificate=INTEGER
    Minimum number of days a certificate has to be valid.


The common way to test this sort of stuff is with OpenSSL's s_client, but unfortunately that does not support IPv6. Off then to GnuTLS.

Connecting to SQL Server on port 1433 does not do anything, so that's a dead end. Connecting to RDP on port 3389 gives a nice TLS 1.0 handshake (smile)

Code Block
bofh@nagios:~$ gnutls-cli hayek.terena.org -p 3389 --x509cafile /etc/ssl/certs/ca-certificates.crt
Processed 142 CA certificate(s).
Resolving 'hayek.terena.org'...
Connecting to '2001:610:148:bad:250:56ff:fe86:9:3389'...
- Certificate type: X.509
 - Got a certificate list of 3 certificates.
 - Certificate[0] info:
  - subject `C=NL,O=TERENA,OU=CFO,CN=hayek.terena.org', issuer `C=NL,O=TERENA,CN=TERENA SSL CA', RSA key 2048 bits, signed using RSA-SHA, activated `2013-01-23 00:00:00 UTC', expires `2016-01-23 23:59:59 UTC', SHA-1 fingerprint `513523a823b8d5c15c30a80f2772e58d826605ba'
 - Certificate[1] info:
  - subject `C=NL,O=TERENA,CN=TERENA SSL CA', issuer `C=US,ST=UT,L=Salt Lake City,O=The USERTRUST Network,OU=http://www.usertrust.com,CN=UTN-USERFirst-Hardware', RSA key 2048 bits, signed using RSA-SHA, activated `2009-05-18 00:00:00 UTC', expires `2020-05-30 10:48:38 UTC', SHA-1 fingerprint `3a881764472b6441ddb3afdd47c6b8b76ee7ba1d'
 - Certificate[2] info:
  - subject `C=US,ST=UT,L=Salt Lake City,O=The USERTRUST Network,OU=http://www.usertrust.com,CN=UTN-USERFirst-Hardware', issuer `C=SE,O=AddTrust AB,OU=AddTrust External TTP Network,CN=AddTrust External CA Root', RSA key 2048 bits, signed using RSA-SHA, activated `2005-06-07 08:09:10 UTC', expires `2020-05-30 10:48:38 UTC', SHA-1 fingerprint `3d4b2a4c64317143f50258d7e6fd7d3c021a529e'
- The hostname in the certificate matches 'hayek.terena.org'.
- Peer's certificate is trusted
- Version: TLS1.0
- Key Exchange: RSA
- Cipher: AES-128-CBC
- MAC: SHA1
- Compression: NULL
- Handshake was completed

 

This indicates that it is possible to monitor the certificate the same way as with HTTPS web sites. I tested it and this works (smile)
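The same certificate test as the gnutls-cli session above, written as a small Nagios-style check. This is an added example, not the plugin used on this page; the script name check_tls_expiry and the 30/7 day warning and critical thresholds are assumptions.

```python
#!/usr/bin/env python3
"""Nagios-style certificate expiry check for a TLS port such as RDP on 3389."""
import socket
import ssl
import sys
from datetime import datetime, timezone

OK, WARNING, CRITICAL, UNKNOWN = 0, 1, 2, 3  # standard Nagios plugin exit codes


def fetch_not_after(host, port, timeout=10.0):
    """Handshake with host:port and return the leaf certificate's expiry in UTC."""
    ctx = ssl.create_default_context()  # verifies the chain and the hostname
    # create_connection() tries every getaddrinfo() result, so IPv6 works as well
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            not_after = tls.getpeercert()["notAfter"]
    return datetime.fromtimestamp(ssl.cert_time_to_seconds(not_after), timezone.utc)


def evaluate(not_after, now, warn_days=30, crit_days=7):
    """Map the remaining validity to a Nagios (exit_code, message) pair."""
    days = (not_after - now).days
    if days < 0:
        return CRITICAL, f"CRITICAL - certificate expired on {not_after:%Y-%m-%d}"
    if days < crit_days:
        return CRITICAL, f"CRITICAL - certificate expires in {days} day(s)"
    if days < warn_days:
        return WARNING, f"WARNING - certificate expires in {days} day(s)"
    return OK, f"OK - certificate valid for {days} more day(s)"


def main(argv):
    try:
        host, port = argv[1], int(argv[2]) if len(argv) > 2 else 3389
    except (IndexError, ValueError):
        return UNKNOWN, "UNKNOWN - usage: check_tls_expiry HOST [PORT]"
    try:
        not_after = fetch_not_after(host, port)
    except OSError as exc:  # includes ssl.SSLError and certificate verification errors
        return CRITICAL, f"CRITICAL - TLS check of {host}:{port} failed: {exc}"
    return evaluate(not_after, datetime.now(timezone.utc))


if __name__ == "__main__":
    code, message = main(sys.argv)
    print(message)
    sys.exit(code)
```

A server that only offers TLS 1.0, as in the transcript above, may be rejected by current Python and OpenSSL defaults; the check then reports the handshake failure as CRITICAL.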

 

Concluding, this is what the monitoring looks like in the end:

 

[Image]

 RDP HTTPS check