2

I'd like to monitor some hosts on which I can't allow an incoming connection. Is there a way to achieve that while using "Icinga 2 Client" or "by_ssh"?

I can't find anything about that in the official documentation: http://docs.icinga.org/icinga2/latest/doc/module/icinga2/chapter/monitoring-remote-systems#icinga2-remote-monitoring-client

My favorite setup would be that my remote host could establish an SSH connection to the Icinga 2 server and send the data over that channel.

Thank you very much!

2 Answers

2

You can use passive checks. See: http://docs.icinga.org/latest/en/passivechecks.html

For example, you can use the NSCA-ng add-on on the machine that needs to be monitored. NSCA-ng will send the status of the service to the Nagios server. You will need to open the firewall from the monitored host to the NSCA service on the Nagios server.

If you cannot allow any communication between Icinga and the monitored server, it is not possible to monitor it.

Another solution would be to use a jumphost (application firewall) to have limited access to the restricted servers.

Mircea Vutcovici

1

It doesn't matter which node established the connection - either from the master to the client, vice versa or both (first one wins). That way you may connect clients in your DMZ directly to your master for example.

I wouldn't go the NSCA way; that's considered insecure and it introduces a performance problem you won't see with Icinga 2 clients and clusters.

Docs are here: http://docs.icinga.org/icinga2/latest/doc/module/icinga2/chapter/icinga2-client#icinga2-client

dnsmichi
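
A `zones.conf` sketch of the client-initiated setup described in the answer above, added here as an illustration and not taken from the answer or the Icinga 2 documentation. The host names and the address `192.0.2.10` are constructed placeholders; 5665 is the default Icinga 2 API port.

```icinga2
/* ---- zones.conf on the MASTER (assumed name: master.example.org) ---- */

object Endpoint "master.example.org" {
  // local node, no host attribute needed
}

object Zone "master" {
  endpoints = [ "master.example.org" ]
}

object Endpoint "client.example.org" {
  // "host" is deliberately omitted: without it the master never tries
  // to connect out to the client and only waits for the client to dial in.
}

object Zone "client.example.org" {
  endpoints = [ "client.example.org" ]
  parent = "master"
}

/* ---- zones.conf on the CLIENT (assumed name: client.example.org) ---- */

object Endpoint "master.example.org" {
  // "host" is set here, so the client opens the TLS connection itself.
  host = "192.0.2.10"   // constructed address of the master
  port = "5665"
}

object Zone "master" {
  endpoints = [ "master.example.org" ]
}

object Endpoint "client.example.org" {
  // local node
}

object Zone "client.example.org" {
  endpoints = [ "client.example.org" ]
  parent = "master"
}
```

With this layout the firewall only needs to permit outbound TCP 5665 from the client to the master; no inbound rule on the monitored host is required.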