Icinga Agent Node Installation and Configuration

With the Icinga master node configured, the servers we want to monitor can now be added as agent nodes. As the names suggest, the Icinga master node pushes the desired configuration to agent nodes, while agent nodes report the configured status checks back to the master. Communication between the master and agent nodes is encrypted via TLS, with the master node acting as a certificate authority.

You can find my script to automate this process here.

Install Packages

Start by installing the required packages on the server to be monitored.

apt install icinga2 monitoring-plugins monitoring-plugins-contrib

Initialize PKI with master

Now we need to set up the PKI that will be used for communication with the master node. The first step is to generate a certificate signing request. Replace hostname with the FQDN of the server.

icinga2 pki new-cert --cn "hostname" --cert "/etc/icinga2/pki/hostname.crt" --csr "/etc/icinga2/pki/hostname.csr" --key "/etc/icinga2/pki/hostname.key"

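Next, we save the master node's public key certificate. Replace master with the FQDN of your master node. The certificate is fetched over the network and trusted as-is, so confirm that it really is the master's certificate before using it in the next step.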

icinga2 pki save-cert --host "master" --port 5665 --key "/etc/icinga2/pki/hostname.key" --trustedcert "/etc/icinga2/pki/trusted-master.crt"

Request a signed certificate from the master node.

icinga2 pki request --host "master" --port 5665 --key "/etc/icinga2/pki/hostname.key" --cert "/etc/icinga2/pki/hostname.crt" --trustedcert "/etc/icinga2/pki/trusted-master.crt" --ca "/etc/icinga2/pki/ca.crt"

Deploy configuration files

Write Icinga configuration.

/etc/icinga2/icinga2.conf 
include "constants.conf"
const NodeName = "hostname"
include "zones.conf"
include "features-enabled/*.conf"
include <itl>
include <plugins>
include <plugins-contrib>
include <manubulon>
include <windows-plugins>
include <nscp>

Write zones configuration.

/etc/icinga2/zones.conf 
object Endpoint "hostname" {}
object Zone "hostname" {
  parent = "master"
  endpoints = [ "hostname" ]
}
object Zone "master" {
  endpoints = [ "master" ]
}
object Endpoint "master" {
  host = "master"
}
object Zone "director-global" {
  global = true
}

Write API configuration file.

/etc/icinga2/features-available/api.conf 
object ApiListener "api" {
  accept_commands = true
  accept_config = true
}

Enable API

Next, we need to enable the API on the agent.

icinga2 feature enable api

mkdir -p /var/lib/icinga2/certs

cp /etc/icinga2/pki/hostname.crt /etc/icinga2/pki/hostname.key /etc/icinga2/pki/ca.crt /var/lib/icinga2/certs/

chown -R nagios: /var/lib/icinga2/certs/

Sign agent CSR on Master

The only action needed on the master node is to sign the agent's CSR. Log on to your master node and run the following:

fpr="$(icinga2 ca list | tail -1 | cut -d '|' -f 1)"
icinga2 ca sign $fpr
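
The pipeline above signs whichever request is listed last, which on a master with several pending requests may not be your agent. The following is an added example (not part of the original article or its script) that selects the fingerprint by the expected CN instead; it assumes the four-column Fingerprint | Timestamp | Signed | Subject layout of icinga2 ca list, and the sample rows, host names and the function names are constructed.

```shell
#!/bin/sh
# Added example: choose the CSR to sign by its CN instead of by list position.
# Assumed `icinga2 ca list` layout: Fingerprint | Timestamp | Signed | Subject

# Print the fingerprint of the one unsigned request whose subject is "CN = $1".
# Reads the listing on stdin; returns non-zero on no match or several matches.
pick_pending_fpr() {
  awk -F'|' -v cn="$1" '
    function trim(s) { gsub(/^[ \t]+|[ \t]+$/, "", s); return s }
    NF >= 4 {
      fpr = trim($1); signed = trim($3); subj = trim($4)
      if (fpr !~ /^[0-9a-fA-F]+$/ || length(fpr) != 64) next  # header, separator
      if (signed != "") next                                   # already signed
      sub(/^CN[ \t]*=[ \t]*/, "", subj)
      if (subj == cn) { hits++; hit = fpr }
    }
    END { if (hits != 1) exit 1; print hit }
  '
}

# Constructed sample data: 64 hex characters built from an 8-character seed.
sample_fpr() { printf '%s%s%s%s%s%s%s%s' "$1" "$1" "$1" "$1" "$1" "$1" "$1" "$1"; }
sample_ca_list() {
  printf '%s\n' \
    'Fingerprint | Timestamp | Signed | Subject' \
    '------------|-----------|--------|--------' \
    "$(sample_fpr 11111111) | Jan 01 10:00:00 2024 GMT | *      | CN = old.example.com" \
    "$(sample_fpr 0a1b2c3d) | Jan 02 10:00:00 2024 GMT |        | CN = web01.example.com" \
    "$(sample_fpr deadbeef) | Jan 02 10:05:00 2024 GMT |        | CN = unexpected.example.net"
}

# tail -1 would pick unexpected.example.net here; the CN match picks web01.
sample_ca_list | pick_pending_fpr web01.example.com

# On the master (hostname = the agent FQDN used in the CSR):
#   fpr="$(icinga2 ca list | pick_pending_fpr hostname)" && icinga2 ca sign "$fpr"
```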

Configure Firewall

Before finishing, we need to open the proper firewall port. I will use UFW in the example here and allow traffic only from the master node for best security.

ufw allow proto tcp from master-ip to any port 5665

Restart Icinga on Agent

Finally, restart the Icinga service on the agent node.

systemctl restart icinga2

The Icinga agent node will now pull down configuration from the master. You will know that this worked if /var/lib/icinga2/api/zones begins to populate with new files.

