How do I monitor a server behind a firewall with Nagios?

Nagios comes with a client-side agent called NRPE that the Nagios server contacts on port 5666 to run remote service checks, but what if the server is firewalled? There is a solution, using a feature of Nagios called “passive checks”. It's called that because Nagios passively waits for the client servers to actively check in with their condition.

(NOTE: This guide was written for Ubuntu 12.04.5 LTS. It shouldn’t require much change on Debian, but it will require some paths and such to be adjusted for other distributions.)


Add a new config to Apache:

<VirtualHost *:8000>
 ServerAdmin webmaster@localhost
 DocumentRoot /var/www/passivechecks
 <Directory />
 Options FollowSymLinks
 AllowOverride None
 </Directory>
 <Directory /var/www/passivechecks>
 Options Indexes FollowSymLinks MultiViews
 AllowOverride None
 Order allow,deny
 allow from all
 </Directory>
 ErrorLog /var/log/nagios/passivechecks-error.log
 LogLevel warn
 CustomLog /var/log/nagios/passivechecks-access.log combined
</VirtualHost>

..and enable the new site configuration:

# a2ensite passivechecks

Enable Apache to listen on the new port. Edit /etc/apache2/ports.conf to include this:

NameVirtualHost *:80
NameVirtualHost *:8000
Listen 80
Listen 8000

..and restart Apache:

root@nagios:/var/www/passivechecks# service apache2 restart

Create the PHP script on the Nagios server to answer check-ins from remote clients and signal Nagios:

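<?php
// [<timestamp>] PROCESS_SERVICE_CHECK_RESULT;<host_name>;<svc_description>;<return_code>;<plugin_output>
$commandfile = "/var/lib/nagios3/rw/nagios.cmd";
$now = time();
// Strip ';' and line breaks so a request cannot add fields or extra commands
$host = preg_replace('/[;\r\n]/', '', $_GET['hostname']);
$service = preg_replace('/[;\r\n]/', '', $_GET['service']);
$data = "[$now] PROCESS_SERVICE_CHECK_RESULT;" . $host . ";" . $service . ";"
 . "0;Agent-originated check-in.\n";
file_put_contents($commandfile, $data); // hand the result to Nagios through its command file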


Note that the PHP script needs permission to write to the Nagios command file, which is a named pipe:

root@nagios:/var/www/passivechecks# ls -l /var/lib/nagios3/rw/nagios.cmd
prw-rw---- 1 nagios nagios 0 May 22 18:55 /var/lib/nagios3/rw/nagios.cmd

So, add the Apache CGI user to the “nagios” group:

root@nagios:/var/www/passivechecks# grep ^nagios /etc/group
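
The check-in script copies the hostname and service query parameters into the Nagios command file, where ";" separates fields and every line is a separate command, so those values need to be constrained before they are written. The following is an added example, not the original author's script: it accepts only host/service pairs from an allowlist. The entry web01.example.com and the function name build_check_result are assumptions.

```php
<?php
// Added example (not the original script): accept a check-in only for
// host/service pairs listed below, then write it to the command file.
$commandfile = "/var/lib/nagios3/rw/nagios.cmd";

// Constructed allowlist: Nagios host_name => services it may report.
// "web01.example.com" is a placeholder for your firewalled client.
$allowed = array(
    "web01.example.com" => array("imalive"),
);

// Hypothetical helper: returns the command line, or null when rejected.
function build_check_result($allowed, $host, $service, $now)
{
    // ?hostname[]=x arrives as an array; accept plain strings only.
    if (!is_string($host) || !is_string($service)) {
        return null;
    }
    // Exact match against known values, so ';', CR and LF in a request
    // can never add fields or extra commands to the command file.
    if (!isset($allowed[$host]) || !in_array($service, $allowed[$host], true)) {
        return null;
    }
    // [<timestamp>] PROCESS_SERVICE_CHECK_RESULT;<host_name>;<svc_description>;<return_code>;<plugin_output>
    return "[$now] PROCESS_SERVICE_CHECK_RESULT;$host;$service;"
         . "0;Agent-originated check-in.\n";
}

$host    = isset($_GET['hostname']) ? $_GET['hostname'] : null;
$service = isset($_GET['service'])  ? $_GET['service']  : null;
$line    = build_check_result($allowed, $host, $service, time());

if ($line === null) {
    header("HTTP/1.1 400 Bad Request");
    exit("rejected\n");
}
// The command file is a named pipe read by Nagios; one write per check-in.
if (file_put_contents($commandfile, $line) === false) {
    header("HTTP/1.1 500 Internal Server Error");
    exit("could not write to the Nagios command file\n");
}
echo "ok\n";
```

With "allow from all" in the virtual host, any client that can reach port 8000 can still report OK for an allowlisted pair; narrowing that directive to the addresses of the monitored clients limits who can submit results.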

On the client machine, create a cron job that uses curl to check in every minute:

# crontab -e
# CRONtab for "root" user
# Check-in with Nagios so it knows we're alive
# (We have to do this passive check since Nagios is firewalled from
# pinging us.)
* * * * * /usr/bin/curl --connect-timeout 30 ''

On the server, watch for a new log message to appear, acknowledging the check was run (should appear immediately):

# less /var/log/nagios3/nagios.log
[1432321021] EXTERNAL COMMAND: PROCESS_SERVICE_CHECK_RESULT;;imalive;0;Agent-originated check-in.

Now you can define the service in your Nagios configuration. Note that since there’s no real “check_command”, we’ll use a special “check_dummy” command that comes with Nagios.

define command {
 command_name passive_check
 command_line /usr/lib/nagios/plugins/check_dummy 2 "CRITICAL: Agent has not checked-in with re
}
define service {
 use generic-service ; Name of service template to use
 service_description     imalive
 check_command           passive_check
 passive_checks_enabled  1
 check_period            never
}

..Verify your configuration:

root@nagios:/var/www/passivechecks# nagios3 -v /etc/nagios3/nagios.cfg
Total Warnings: 0
Total Errors: 0

Things look okay - No serious problems were detected during the pre-flight check

..and restart Nagios:

root@nagios:/var/www/passivechecks# service nagios3 restart
 * Restarting nagios3 monitoring daemon nagios3 Waiting for nagios3 daemon to die...
 [ OK ]

