In the following tutorial, you will learn to install Icinga2 on a Ubuntu 22.04 server and how to connect it to a client node. Instead of the default Apache server, we will use Nginx to run Icinga2 Web.
Prerequisites
- Two machines running Ubuntu 22.04. One of them will act as a Master server and another one will act as the client for monitoring.
- A non-root user with sudo privileges on both servers.
- A fully qualified domain name (FQDN) for the master server,
icinga.example.comand the client node,client.example.com. - Make sure everything is updated.
$ sudo apt update $ sudo apt upgrade
- Few packages that your system needs.
$ sudo apt install wget curl nano software-properties-common dirmngr apt-transport-https gnupg2 ca-certificates lsb-release ubuntu-keyring unzip -y
Some of these packages may already be installed on your system.
Step 1 – Configure Firewall on the Master server
The first step is to configure the firewall. Ubuntu comes with ufw (Uncomplicated Firewall) by default.
Check if the firewall is running.
$ sudo ufw status
You should get the following output.
Status: inactive
Allow SSH port so the firewall doesn’t break the current connection on enabling it.
$ sudo ufw allow OpenSSH
Allow port 5665 which is required by the Icinga2 client to connect to the server.
$ sudo ufw allow 5665
Allow HTTP and HTTPS ports as well.
$ sudo ufw allow http $ sudo ufw allow https
Enable the Firewall
$ sudo ufw enable Command may disrupt existing ssh connections. Proceed with operation (y|n)? y Firewall is active and enabled on system startup
Check the status of the firewall again.
$ sudo ufw status
You should see a similar output.
Status: active To Action From -- ------ ---- OpenSSH ALLOW Anywhere 80/tcp ALLOW Anywhere 443 ALLOW Anywhere 5665 ALLOW Anywhere OpenSSH (v6) ALLOW Anywhere (v6) 80/tcp (v6) ALLOW Anywhere (v6) 443 (v6) ALLOW Anywhere (v6) 5665 (v6) ALLOW Anywhere (v6)
Step 2 – Install MySQL
Ubuntu 22.04 ships with the latest version of MySQL. You can install it with a single command.
$ sudo apt install mysql-server
Check the version of MySQL.
$ mysql --version mysql Ver 8.0.32-0ubuntu0.22.04.2 for Linux on x86_64 ((Ubuntu))
This step is necessary for MySQL versions 8.0.28 and above. Enter the MySQL Shell.
$ sudo mysql
Run the following command to set the password for your root user. Make sure it has a mix of numbers, uppercase, lowercase, and special characters.
mysql> ALTER USER 'root'@'localhost' IDENTIFIED WITH mysql_native_password BY 'YourPassword12!';
Exit the shell.
mysql> exit
Run the MySQL secure install script.
$ sudo mysql_secure_installation
First, you will be asked for your root password. Enter it. Next, you will be asked to install the Validate Password Component. It checks the strength of passwords used in MySQL. Press Y to install it. Next, you will be asked to set the level of the password validation policy. Choose 2 as it is the strongest one.
Securing the MySQL server deployment. Enter password for user root: VALIDATE PASSWORD COMPONENT can be used to test passwords and improve security. It checks the strength of password and allows the users to set only those passwords which are secure enough. Would you like to setup VALIDATE PASSWORD component? Press y|Y for Yes, any other key for No: Y There are three levels of password validation policy: LOW Length >= 8 MEDIUM Length >= 8, numeric, mixed case, and special characters STRONG Length >= 8, numeric, mixed case, special characters and dictionary file Please enter 0 = LOW, 1 = MEDIUM and 2 = STRONG: 2 Using existing password for root. Estimated strength of the password: 100
Next, enter N to refuse to change your root password. Also, enter Y to remove anonymous users, disallow remote root logins, remove the test database, and reload the privilege tables.
Change the password for root ? ((Press y|Y for Yes, any other key for No) : N ... skipping. By default, a MySQL installation has an anonymous user, allowing anyone to log into MySQL without having to have a user account created for them. This is intended only for testing, and to make the installation go a bit smoother. You should remove them before moving into a production environment. Remove anonymous users? (Press y|Y for Yes, any other key for No) : Y Success. Normally, root should only be allowed to connect from 'localhost'. This ensures that someone cannot guess at the root password from the network. Disallow root login remotely? (Press y|Y for Yes, any other key for No) : Y Success. By default, MySQL comes with a database named 'test' that anyone can access. This is also intended only for testing, and should be removed before moving into a production environment. Remove test database and access to it? (Press y|Y for Yes, any other key for No) : Y - Dropping test database... Success. - Removing privileges on test database... Success. Reloading the privilege tables will ensure that all changes made so far will take effect immediately. Reload privilege tables now? (Press y|Y for Yes, any other key for No) : Y Success. All done!
Step 3 – Configure MySQL
Log in to the MySQL shell. Enter your root password when prompted.
$ sudo mysql -u root -p
Create the Icinga database.
mysql> CREATE DATABASE icinga2;
Create the SQL user account for Icinga2. Don’t change the database and the username because they are already set by default. If you want to change them, you will need to perform some extra steps while installing the MySQL driver in Step 5. Enter the password, and you will get an error and then be asked to reconfigure where you can specify your custom database name and users.
mysql> CREATE USER 'icinga2'@'localhost' IDENTIFIED BY 'Your_password2';
Grant all privileges on the database to the user.
mysql> GRANT ALL PRIVILEGES ON icinga2.* TO 'icinga2'@'localhost';
Flush user privileges.
mysql> FLUSH PRIVILEGES;
Exit the shell.
mysql> exit
Step 4 – Install Icinga2 and Monitoring plugins on the Master Server
We will use the Icinga2 official repository for installation. Download and import the Icinga2 GPG key.
$ wget -O - https://packages.icinga.com/icinga.key | sudo gpg --dearmor -o /usr/share/keyrings/icinga-archive-keyring.gpg
Run the following commands to create and add the Icinga2 repository information to the APT sources list.
$ echo "deb [signed-by=/usr/share/keyrings/icinga-archive-keyring.gpg] https://packages.icinga.com/ubuntu icinga-`lsb_release -cs` main" | sudo tee /etc/apt/sources.list.d/$(lsb_release -cs)-icinga.list $ echo "deb-src [signed-by=/usr/share/keyrings/icinga-archive-keyring.gpg] http://packages.icinga.com/ubuntu icinga-`lsb_release -cs` main" | sudo tee -a /etc/apt/sources.list.d/$(lsb_release -cs)-icinga.list
Update the system repositories list.
$ sudo apt update
Install Icinga2 and the monitoring plugins.
$ sudo apt install icinga2 monitoring-plugins -y
Step 5 – Install IDO MySQL driver on the Master Server
For Icinga2 to work, it needs a database. For that, we need to install the IDO MySQL driver and set up the database connection. Run the following command to install the MySQL driver.
$ sudo apt install -y icinga2-ido-mysql
You will be prompted to set up the driver and create a database using the dbconfig-common utility. Select Yes to continue.
Next, you will be asked for the MySQL password for the icinga2 database. Enter the password configured in step 3 to continue.
You will be asked to confirm the password again.
Next, you will be asked to enable the ido-mysql feature. Select Yes to continue.
You can check the database details in the /etc/icinga2/features-available/ido-mysql.conf file.
$ cat /etc/icinga2/features-available/ido-mysql.conf /** * The db_ido_mysql library implements IDO functionality * for MySQL. */ library "db_ido_mysql" object IdoMysqlConnection "ido-mysql" user = "icinga2", password = "Your_password2", host = "localhost", database = "icinga2"
Enable the ido-mysql feature.
$ sudo icinga2 feature enable ido-mysql
Restart the Icinga2 service.
$ sudo systemctl restart icinga2
Verify the service status.
$ sudo systemctl status icinga2
? icinga2.service - Icinga host/service/network monitoring system
Loaded: loaded (/lib/systemd/system/icinga2.service; enabled; vendor preset: enabled)
Drop-In: /etc/systemd/system/icinga2.service.d
??limits.conf
Active: active (running) since Mon 2023-05-01 08:02:36 UTC; 1s ago
Process: 9823 ExecStartPre=/usr/lib/icinga2/prepare-dirs /etc/default/icinga2 (code=exited, status=0/SUCCESS)
Main PID: 9828 (icinga2)
Status: "Startup finished."
Tasks: 10
Memory: 17.6M
CPU: 657ms
CGroup: /system.slice/icinga2.service
??9828 /usr/lib/x86_64-linux-gnu/icinga2/sbin/icinga2 --no-stack-rlimit daemon --close-stdio -e /var/log/icinga2/error.log
??9846 /usr/lib/x86_64-linux-gnu/icinga2/sbin/icinga2 --no-stack-rlimit daemon --close-stdio -e /var/log/icinga2/error.log
??9849 /usr/lib/x86_64-linux-gnu/icinga2/sbin/icinga2 --no-stack-rlimit daemon --close-stdio -e /var/log/icinga2/error.log
Step 6 – Configure Icinga2 API
To manage and configure the Icinga2 monitoring through HTTP, you need to configure the Icinga2 API. Run the following command to enable the Icinga2 API, generate TLS certificates for Icinga2, and update Icinga2 configurations.
$ sudo icinga2 api setup
You will get a similar output.
information/cli: Generating new CA. information/base: Writing private key to '/var/lib/icinga2/ca//ca.key'. information/base: Writing X509 certificate to '/var/lib/icinga2/ca//ca.crt'. information/cli: Generating new CSR in '/var/lib/icinga2/certs//icinga.example.com.csr'. information/base: Writing private key to '/var/lib/icinga2/certs//icinga.example.com.key'. information/base: Writing certificate signing request to '/var/lib/icinga2/certs//icinga.example.com.csr'. information/cli: Signing CSR with CA and writing certificate to '/var/lib/icinga2/certs//icinga.example.com.crt'. information/pki: Writing certificate to file '/var/lib/icinga2/certs//icinga.example.com.crt'. information/cli: Copying CA certificate to '/var/lib/icinga2/certs//ca.crt'. information/cli: Adding new ApiUser 'root' in '/etc/icinga2/conf.d/api-users.conf'. information/cli: Reading '/etc/icinga2/icinga2.conf'. information/cli: Enabling the 'api' feature. Enabling feature api. Make sure to restart Icinga 2 for these changes to take effect. information/cli: Updating 'NodeName' constant in '/etc/icinga2/constants.conf'. information/cli: Created backup file '/etc/icinga2/constants.conf.orig'. information/cli: Updating 'ZoneName' constant in '/etc/icinga2/constants.conf'. information/cli: Backup file '/etc/icinga2/constants.conf.orig' already exists. Skipping backup. Done. Now restart your Icinga 2 daemon to finish the installation!
The above command creates a /etc/icinga2/conf.d/api-users.conf file with the default user root having all the permissions over Icinga2 API. We need a new user with minimal permissions required by Icinga Web.
Open the api-users.conf file for editing.
$ sudo nano /etc/icinga2/conf.d/api-users.conf
Add the following code at the end of the file.
/** api for icingaweb2 */ object ApiUser "icingaweb2" password = "PassWordApiIcingaWeb2" permissions = [ "status/query", "actions/*", "objects/modify/*", "objects/query/*" ]
Make a note of the credentials which will be needed later on to access the website. The Icinga2 API server listens on port 5665 by default. Restart the service for the changes to take effect.
$ sudo systemctl restart icinga2
The next step is to install the Icinga Web interface. It comes pre-configured for Apache but we will be using the Nginx server. Therefore, first, we need to install Nginx and the SSL certificates.
Step 7 – Install Nginx
Ubuntu 22.04 ships with an older version of Nginx. To install the latest version, you need to download the official Nginx repository.
Import Nginx’s signing key.
$ curl https://nginx.org/keys/nginx_signing.key | gpg --dearmor \ | sudo tee /usr/share/keyrings/nginx-archive-keyring.gpg >/dev/null
Add the repository for Nginx’s stable version.
$ echo "deb [signed-by=/usr/share/keyrings/nginx-archive-keyring.gpg arch=amd64] \ http://nginx.org/packages/ubuntu `lsb_release -cs` nginx" \ | sudo tee /etc/apt/sources.list.d/nginx.list
Update the system repositories.
$ sudo apt update
Install Nginx.
$ sudo apt install nginx
Verify the installation.
$ nginx -v nginx version: nginx/1.24.0
Start the Nginx server.
$ sudo systemctl start nginx
Step 8 – Install SSL
We need to install Certbot to generate the SSL certificate. You can either install Certbot using Ubuntu’s repository or grab the latest version using the Snapd tool. We will be using the Snapd version.
Ubuntu 22.04 comes with Snapd installed by default. Run the following commands to ensure that your version of Snapd is up to date.
$ sudo snap install core && sudo snap refresh core
Install Certbot.
$ sudo snap install --classic certbot
Use the following command to ensure that the Certbot command can be run by creating a symbolic link to the /usr/bin directory.
$ sudo ln -s /snap/bin/certbot /usr/bin/certbot
Run the following command to generate an SSL Certificate.
$ sudo certbot certonly --nginx --agree-tos --no-eff-email --staple-ocsp --preferred-challenges http -m [email protected] -d icinga.example.com
The above command will download a certificate to the /etc/letsencrypt/live/icinga.example.com directory on your server.
Generate a Diffie-Hellman group certificate.
$ sudo openssl dhparam -dsaparam -out /etc/ssl/certs/dhparam.pem 4096
Check the Certbot renewal scheduler service.
$ sudo systemctl list-timers
You will find snap.certbot.renew.service as one of the services scheduled to run.
NEXT LEFT LAST PASSED UNIT ACTIVATES ------------------------------------------------------------------------------------------------------------------------------------ Mon 2023-05-01 13:37:57 UTC 3h 45min left Mon 2023-05-01 07:20:42 UTC 2h 31min ago ua-timer.timer ua-timer.service Mon 2023-05-01 14:39:29 UTC 4h 47min left Sat 2023-02-04 16:04:18 UTC 2 months ago motd-news.timer motd-news.service Mon 2023-05-01 15:53:00 UTC 6h left n/a n/a snap.certbot.renew.timer snap.certbot.renew.service
Do a dry run of the process to check whether the SSL renewal is working fine.
$ sudo certbot renew --dry-run
If you see no errors, you are all set. Your certificate will renew automatically.
Step 9 – Configure Nginx and PHP
Since Icinga is configured for Apache, the PHP-FPM package is not installed by default. You will also need the PHP Imagick module if you want to export the graphs to PDF. Run the following command to install PHP-FPM and the PHP Imagick library.
$ sudo apt install php-fpm php-imagick
Configure PHP-FPM
Open the file /etc/php/8.1/fpm/pool.d/www.conf.
$ sudo nano /etc/php/8.1/fpm/pool.d/www.conf
We need to set the Unix user/group of PHP processes to nginx. Find the user=www-data and group=www-data lines in the file and change them to nginx.
... ; Unix user/group of processes ; Note: The user is mandatory. If the group is not set, the default user's group ; will be used. user = nginx group = nginx ...
Find the listen.owner = www-data and listen.group = www-data lines in the file and change them to nginx.
; Set permissions for unix socket, if one is used. In Linux, read/write ; permissions must be set in order to allow connections from a web server. Many ; BSD-derived systems allow connections regardless of permissions. The owner ; and group can be specified either by name or by their numeric IDs. ; Default Values: user and group are set as the running user ; mode is set to 0660 listen.owner = nginx listen.group = nginx
Save the file by pressing Ctrl + X and entering Y when prompted.
Restart the PHP-FPM service.
$ sudo systemctl restart php8.1-fpm
Configure Nginx
Create and open the file /etc/nginx/conf.d/icinga.conf for editing.
$ sudo nano /etc/nginx/conf.d/icinga.conf
Paste the following code in it.
server
listen 443 ssl http2;
listen [::]:443 ssl http2;
server_name icinga.example.com;
access_log /var/log/nginx/icinga.access.log;
error_log /var/log/nginx/icinga.error.log;
# SSL
ssl_certificate /etc/letsencrypt/live/icinga.example.com/fullchain.pem;
ssl_certificate_key /etc/letsencrypt/live/icinga.example.com/privkey.pem;
ssl_trusted_certificate /etc/letsencrypt/live/icinga.example.com/chain.pem;
ssl_session_timeout 5m;
ssl_session_cache shared:MozSSL:10m;
ssl_session_tickets off;
ssl_protocols TLSv1.2 TLSv1.3;
ssl_prefer_server_ciphers on;
ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384;
ssl_ecdh_curve X25519:prime256v1:secp384r1:secp521r1;
ssl_stapling on;
ssl_stapling_verify on;
ssl_dhparam /etc/ssl/certs/dhparam.pem;
resolver 8.8.8.8;
location ~ ^/index\.php(.*)$
# fastcgi_pass 127.0.0.1:9000;
fastcgi_pass unix:/run/php/php8.1-fpm.sock; # Depends On The PHP Version
fastcgi_index index.php;
# try_files $uri =404;
# fastcgi_split_path_info ^(.+\.php)(/.+)$;
include fastcgi_params;
fastcgi_param SCRIPT_FILENAME /usr/share/icingaweb2/public/index.php;
fastcgi_param ICINGAWEB_CONFIGDIR /etc/icingaweb2;
fastcgi_param REMOTE_USER $remote_user;
location ~ ^/(.*)?
alias /usr/share/icingaweb2/public;
index index.php;
rewrite ^/$ /dashboard;
try_files $1 $uri $uri/ /index.php$is_args$args;
location ~ \.php$
return 404;
# enforce HTTPS
server
listen 80;
listen [::]:80;
server_name icinga.example.com;
return 301 https://$host$request_uri;
Notice the root directory to be used in the Nginx configuration is /usr/share/icingaweb2/public.
Save the file by pressing Ctrl + X and entering Y when prompted once finished.
Open the file /etc/nginx/nginx.conf for editing.
$ sudo nano /etc/nginx/nginx.conf
Add the following line before the line include /etc/nginx/conf.d/*.conf;.
server_names_hash_bucket_size 64;
Save the file by pressing Ctrl + X and entering Y when prompted.
Verify the Nginx configuration file syntax.
$ sudo nginx -t nginx: the configuration file /etc/nginx/nginx.conf syntax is ok nginx: configuration file /etc/nginx/nginx.conf test is successful
Restart the Nginx service.
$ sudo systemctl restart nginx
Step 10 – Prepare Web Setup
Before accessing Icinga Web, we need to set it up. When using Icinga Web, you are required to authenticate using a token. Generate the token using the following command.
$ sudo icingacli setup token create The newly generated setup token is: 3c4d4e155635f512
Note down the token because you will need it later. You can always retrieve it later using the following command.
$ sudo icingacli setup token show The current setup token is: 3c4d4e155635f512
The next step is to create a database and a database user. Log in to the MySQL shell.
$ sudo mysql -u root -p
Create the Icinga Web database.
mysql> CREATE DATABASE icingaweb2;
Create the SQL user account for Icinga Web.
mysql> CREATE USER 'icingaweb2'@'localhost' IDENTIFIED BY 'Your_password3';
Grant all privileges on the database to the user.
mysql> GRANT ALL PRIVILEGES ON icingaweb2.* TO 'icingaweb2'@'localhost';
Flush user privileges.
mysql> FLUSH PRIVILEGES;
Exit the shell.
mysql> exit
Step 11 – Set up IcingaWeb
Open the URL https://icinga.example.com in your browser and you will get the following screen.
Enter the token generated in the previous step and press the Next button to proceed.
On the next screen, choose the modules you want to install and click Next to proceed. The Monitoring module is selected for you by default. On the next page, you will be shown the requirements and whether they have been fulfilled. Make sure all the requirements are marked green.
Click Next to proceed to the next page to select the authentication type.
The authentication type is set to Database by default. Click Next to proceed. You will be asked to fill in the database credentials on the next page.
Fill in the database credentials created in step 10. Click the Validate Configuration button to verify the credentials. Once verified, click Next to proceed. Next, you will be asked to name the authentication backend.
Leave the default value and click Next to proceed. On the next page, you will be asked to create an administrator account.
Enter the credentials for your new administrator account and click Next to proceed. Next, you will be shown the Application Configuration page.
Leave all the default values for the application and logging configuration and click Next to proceed. You will be asked to review the configuration on the last page.
You can go back to change any of the settings. If you are satisfied, click Next to proceed.
Click Next to proceed with the configuration of the monitoring module. Next, you will be asked for Icinga database credentials.
Fill in the database credentials in step 3 and click Validate Configuration to verify the connection. Once verified, click Next to proceed. Next, you will be asked to fill in the API details.
Fill in the API credentials created in step 6 and click Validate Configuration to verify the connection. Click Next to proceed. Next, you will be asked to choose protected custom variables for monitoring security.
Leave the default values and click Next to proceed. Next, you will be asked to review the Monitoring configuration. You can go back and change it if you want.
If you are satisfied, click Finish to complete the installation.
Once finished successfully, click the Login to Icinga Web 2 button to open the login page.
Enter your administrator account details and click the Login button to open the Icinga Web dashboard.
Visit the Overview >> Services page to check the status of the master server similar to the following.
Step 12 – Initialize Master Server
The next step is to initialize the master server as the master node. The master node acts as the main controller for the monitoring stack. Run the following command to start the initialization process.
$ sudo icinga2 node wizard
You will be prompted if it is an agent setup. Enter n to set up the master node.
Welcome to the Icinga 2 Setup Wizard!
We will guide you through all required configuration details.
Please specify if this is an agent/satellite setup ('n' installs a master setup) [Y/n]: n
Next, you will be asked for the common name or the domain name. Press Enter to select the default value that is displayed.
Please specify the common name (CN) [icinga.example.com]: Reconfiguring Icinga... Checking for existing certificates for common name 'icinga.example.com'... Certificate '/var/lib/icinga2/certs//icinga.example.com.crt' for CN 'icinga.example.com' already existing. Skipping certificate generation. Generating master configuration for Icinga 2. 'api' feature already enabled.
Next, enter the master zone name and press Enter to proceed. In our case, it is the same as the server domain name.
Master zone name [master]: icinga.example.com
Next, you will be asked if you want to add any additional global zones. Press n to skip adding and press Enter to proceed.
Default global zones: global-templates director-global Do you want to specify additional global zones? [y/N]: n
In the next step, leave the API bind host and port as default and press Enter to proceed.
Please specify the API bind host/port (optional): Bind Host []: Bind Port []:
Next, press Y to disable the configuration inside the /etc/icinga2/conf.d/ directory since we will use the Icinga2 Zones configuration later.
Do you want to disable the inclusion of the conf.d directory [Y/n]: Y Disabling the inclusion of the conf.d directory... Checking if the api-users.conf file exists... Done. Now restart your Icinga 2 daemon to finish the installation!
Restart the service to apply the changes.
$ sudo systemctl restart icinga2
And last but not least, run the following command to create a ticket for the client server. Use the client’s domain name as the argument.
$ sudo icinga2 pki ticket --cn 'client.example.com' 365cd931d3091537622a95b113b17775893a224f
Note down the ticket for use later.
Step 13 – Initialize Icinga2 Agent on Client Server
Log in to the client server and install Icinga2 and the monitoring plugins. Run the following commands to do that.
$ wget -O - https://packages.icinga.com/icinga.key | sudo gpg --dearmor -o /usr/share/keyrings/icinga-archive-keyring.gpg $ echo "deb [signed-by=/usr/share/keyrings/icinga-archive-keyring.gpg] https://packages.icinga.com/ubuntu icinga-`lsb_release -cs` main" | sudo tee /etc/apt/sources.list.d/$(lsb_release -cs)-icinga.list $ echo "deb-src [signed-by=/usr/share/keyrings/icinga-archive-keyring.gpg] http://packages.icinga.com/ubuntu icinga-`lsb_release -cs` main" | sudo tee -a /etc/apt/sources.list.d/$(lsb_release -cs)-icinga.list $ sudo apt update $ sudo apt install icinga2 monitoring-plugins -y
Verify if the Icinga service is enabled and running.
$ sudo systemctl status icinga2
? icinga2.service - Icinga host/service/network monitoring system
Loaded: loaded (/lib/systemd/system/icinga2.service; enabled; vendor preset: enabled)
Drop-In: /etc/systemd/system/icinga2.service.d
??limits.conf
Active: active (running) since Tue 2023-05-02 07:32:07 UTC; 59min ago
Main PID: 7602 (icinga2)
Status: "Startup finished."
Tasks: 8
Memory: 13.9M
CPU: 1.018s
CGroup: /system.slice/icinga2.service
??7602 /usr/lib/x86_64-linux-gnu/icinga2/sbin/icinga2 --no-stack-rlimit daemon --close-stdio -e /var/log/icinga2/error.log
??7620 /usr/lib/x86_64-linux-gnu/icinga2/sbin/icinga2 --no-stack-rlimit daemon --close-stdio -e /var/log/icinga2/error.log
??7623 /usr/lib/x86_64-linux-gnu/icinga2/sbin/icinga2 --no-stack-rlimit daemon --close-stdio -e /var/log/icinga2/error.log
Start the Icinga Node Wizard to initialize the agent on the client server.
$ sudo icinga2 node wizard
You will be prompted if it is an agent setup. Enter Y to set up the agent.
Welcome to the Icinga 2 Setup Wizard!
We will guide you through all required configuration details.
Please specify if this is an agent/satellite setup ('n' installs a master setup) [Y/n]: Y
Next, you will be asked to specify the common name. Leave the default value and press Enter to proceed.
Starting the Agent/Satellite setup routine... Please specify the common name (CN) [client.example.com]:
Next, specify the parent endpoint as icinga.example.com and enter Y to establish a connection to the parent node from the client.
Please specify the parent endpoint(s) (master or satellite) where this node should connect to: Master/Satellite Common Name (CN from your master/satellite node): icinga.example.com Do you want to establish a connection to the parent node from this node? [Y/n]: Y
Next, enter the IP address of the master server and leave the port value unchanged as default.
Please specify the master/satellite connection information: Master/Satellite endpoint host (IP address or FQDN): 199.247.31.184 Master/Satellite endpoint port [5665]:
Enter N to reject adding more master endpoints.
Add more master/satellite endpoints? [y/N]: N
Next, you will be shown the certificate information for the master server. Press Y to confirm the information and proceed.
Parent certificate information: Version: 3 Subject: CN = icinga.example.com Issuer: CN = Icinga CA Valid From: May 1 08:28:26 2023 GMT Valid Until: Jun 1 08:28:26 2024 GMT Serial: 53:50:d4:1a:85:c5:70:5b:b1:f6:0e:c3:b6:e4:db:62:df:8d:5e:d9 Signature Algorithm: sha256WithRSAEncryption Subject Alt Names: icinga.example.com Fingerprint: DC BB 90 68 29 E5 C4 B5 74 F5 BC 8C BF A1 8F BF D2 9D A4 E5 A9 9A 43 2C 3B 24 AE A9 CD 19 32 F4 Is this information correct? [y/N]: Y
Next, enter the request ticket generated in the previous step.
Please specify the request ticket generated on your Icinga 2 master (optional). (Hint: # icinga2 pki ticket --cn 'client.example.com'): 365cd931d3091537622a95b113b17775893a224f
Leave the API bind host and port as default and press Enter to continue.
Please specify the API bind host/port (optional): Bind Host []: Bind Port []:
Next, enter Y twice to accept configuration and commands from the master node.
Accept config from parent node? [y/N]: Y Accept commands from parent node? [y/N]: Y
Press Enter to accept the default local zone name which is the client domain name. Enter the master domain name as the parent zone name to proceed.
Reconfiguring Icinga... Disabling feature notification. Make sure to restart Icinga 2 for these changes to take effect. Enabling feature api. Make sure to restart Icinga 2 for these changes to take effect. Local zone name [client.example.com]: Parent zone name [master]: icinga.example.com
Press N to skip adding additional global zones.
Default global zones: global-templates director-global Do you want to specify additional global zones? [y/N]: N
Press N to skip disable the configurations from the /etc/icinga2/conf.d/ directory.
Do you want to disable the inclusion of the conf.d directory [Y/n]: Y Disabling the inclusion of the conf.d directory... Done. Now restart your Icinga 2 daemon to finish the installation!
Restart the Icinga service to apply the configuration changes.
$ sudo systemctl restart icinga2
Step 14 – Create Zones Configuration on the Master Server
Log back into the server and create a new directory as the default zone.
$ sudo mkdir -p /etc/icinga2/zones.d/icinga.example.com/
Next, create a configuration file in the newly created directory and open it for editing.
$ sudo nano /etc/icinga2/zones.d/icinga.example.com/client.example.com.conf
Paste the following code in it. The IP address in the code should match the public IP address of the client.
// Endpoints
object Endpoint "client.example.com"
// Zones
object Zone "client.example.com"
endpoints = [ "client.example.com" ]
parent = "icinga.example.com"
// Host Objects
object Host "client.example.com"
check_command = "hostalive"
address = "95.179.138.148"
vars.client_endpoint = name
Save the file by pressing Ctrl + X and entering Y when prompted once finished.
Create and open the services file for editing.
$ sudo nano /etc/icinga2/zones.d/icinga.example.com/services.conf
Paste the following code in it.
// Ping apply Service "Ping" check_command = "ping4" assign where host.address // check executed on master // System Load apply Service "System Load" check_command = "load" command_endpoint = host.vars.client_endpoint // Check executed on client01 assign where host.vars.client_endpoint // SSH Service apply Service "SSH Service" check_command = "ssh" command_endpoint = host.vars.client_endpoint assign where host.vars.client_endpoint // Icinga 2 Service apply Service "Icinga2 Service" check_command = "icinga" command_endpoint = host.vars.client_endpoint assign where host.vars.client_endpoint
Run the following command to verify the configuration.
$ sudo icinga2 daemon -C
You will get a similar output.
[2023-05-02 11:21:23 +0000] information/cli: Icinga application loader (version: r2.13.7-1) [2023-05-02 11:21:23 +0000] information/cli: Loading configuration file(s). [2023-05-02 11:21:23 +0000] information/ConfigItem: Committing config item(s). [2023-05-02 11:21:23 +0000] information/ApiListener: My API identity: icinga.example.com [2023-05-02 11:21:23 +0000] information/ConfigItem: Instantiated 1 IcingaApplication. [2023-05-02 11:21:23 +0000] information/ConfigItem: Instantiated 1 Host. [2023-05-02 11:21:23 +0000] information/ConfigItem: Instantiated 1 FileLogger. [2023-05-02 11:21:23 +0000] information/ConfigItem: Instantiated 1 IdoMysqlConnection. [2023-05-02 11:21:23 +0000] information/ConfigItem: Instantiated 1 CheckerComponent. [2023-05-02 11:21:23 +0000] information/ConfigItem: Instantiated 4 Zones. [2023-05-02 11:21:23 +0000] information/ConfigItem: Instantiated 2 Endpoints. [2023-05-02 11:21:23 +0000] information/ConfigItem: Instantiated 2 ApiUsers. [2023-05-02 11:21:23 +0000] information/ConfigItem: Instantiated 1 ApiListener. [2023-05-02 11:21:23 +0000] information/ConfigItem: Instantiated 1 NotificationComponent. [2023-05-02 11:21:23 +0000] information/ConfigItem: Instantiated 244 CheckCommands. [2023-05-02 11:21:23 +0000] information/ConfigItem: Instantiated 4 Services. [2023-05-02 11:21:23 +0000] information/ScriptGlobal: Dumping variables to file '/var/cache/icinga2/icinga2.vars' [2023-05-02 11:21:23 +0000] information/cli: Finished validating the configuration file(s).
Restart the Icinga service to apply the configuration changes.
$ sudo systemctl restart icinga2
Step 15 – Verify on the Icinga Dashboard
Open the Icinga2 Web Dashboard to verify the client machine information. Select Overview >> Hosts from the left menu and you will see the following screen.
It might take some time for the client status to show as UP. Click the Client to see more details about it. Select Overview >> Services and you will see the following statuses about the client.
This confirms that the client is sending stats correctly to the Icinga master server.
Conclusion
This concludes our tutorial on installing Icinga Monitoring Software on a Ubuntu 22.04 server and configuring it to monitor a client machine running the same Operating system. If you have any questions, post them in the comments below.
