DistributedSecureArchitecture
An article from the Centreon Wiki.
This community page isn't validated by the development team. This page is released without any warranty.
General
A distributed architecture is based on a central monitoring server and several satellite monitors. The central server consolidates all monitoring data and offers a user interface from which both the central server and the satellite monitors can be monitored and managed. The satellite monitors send their check results to the central server. This type of setup allows checks to be distributed for any reason, e.g. remote locations, a DMZ, etc.
In practice, centcore takes care of the data transfers between the different servers. The central server has to be equipped with a complete monitoring installation (Nagios, Centreon, NDOutils, MySQL, etc.), whereas the satellite monitors only have Nagios and NDOutils installed (and NO MySQL server!).
The following setup results in a configuration in which all traffic flows over SSH only. Sometimes this is necessary because of an internal requirement or because the satellite sits somewhere on the internet.
Setup general NDO
First of all, complete the steps described on this page: DistributedArchitecture. Come back here when all steps are done, but do not configure the ndomod.cfg settings; that will be done here.
Prepare SSH communication
Copy the SSH public key of the user 'nagios' on your satellite server to the authorized_keys of the user 'nagios' on the Centreon master server.
Then initiate an initial connection as user 'nagios' from the satellite to the master (remote user 'nagios'). This is needed because of the host key question/answer shown below.
ssh -l nagios nagios@CENTREONMASTERIP
The authenticity of host 'CENTREONMASTERIP (CENTREONMASTERIP)' can't be established.
RSA key fingerprint is xx:xxxx:xxxx:xxxx:xxxx:xxxx:xxxx:xxxx:xxxx:xx.
Are you sure you want to continue connecting (yes/no)?
Answer this with yes ;o)
You should NOT be asked for a password! If you are: check the public key, the user you are connecting as, and so on.
Then try again; the above message should not appear anymore.
Important note: You have to use either the IP or the FQDN, whichever you want, but stay consistent: when you use the IP, enter the IP everywhere in the following configuration, never sometimes the FQDN and sometimes the IP (the SSH host key you just accepted is stored under the name you connected with). So when you want to use the FQDN, establish the above connection with the FQDN and NOT with the IP.
Scripting the SSH-Tunneling
First of all we need a startup script on the satellite(!) which opens an SSH tunnel to the master server, listening on a local user-defined port (5669 here) and on the MySQL default port (you should NOT have an SQL server running at the satellite site, otherwise port 3306 is already taken!).
The following is a startup script tested and working on Ubuntu 8.04.2 with Nagios 3.
Please edit it to your needs and ensure that all settings match your Nagios installation on the satellite.
vim /etc/init.d/ndo
#!/bin/sh
content removed by author of this article
# End of this script
chmod 775 /etc/init.d/ndo
Add it to your startup. On my Ubuntu server I did this:
update-rc.d ndo defaults
(On Red Hat, SUSE etc. you have your own tools for that, e.g. chkconfig.)
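The author's own script was removed from this article, so what follows is an added example, not the article author's script, showing how such an init-style tunnel script can look. It assumes key-based SSH access for the user 'nagios' as prepared above, the placeholder CENTREONMASTERIP, and the two forwards described in the text: local 5669 to ndo2db's port 5668 on the master, and local 3306 to the master's MySQL, both bound to 127.0.0.1 only so nothing else on the satellite's network can reach the tunnel. The function names build_ssh_cmd and tunnel_listening are my own; tunnel_listening checks netstat -natl output (like the one in the testing section below) for the two loopback listeners.

```shell
#!/bin/sh
# Added example (not the article author's script): keep an SSH tunnel from a
# satellite to the Centreon master open, forwarding local 5669 -> master 5668
# (ndo2db) and local 3306 -> master 3306 (MySQL). Edit the values below.

MASTER="CENTREONMASTERIP"      # IP or FQDN, matching what you used for the first ssh login
TUNNEL_USER="nagios"           # user whose key is in authorized_keys on the master
NDO_LOCAL_PORT=5669            # port ndomod on the satellite connects to
NDO_REMOTE_PORT=5668           # port ndo2db listens on at the master
MYSQL_PORT=3306
PIDFILE="/var/run/ndo-tunnel.pid"
LOGFILE="/var/log/centreon/ssh-to-master-connect.log"

# Build the ssh command line. -N: no remote command; -L ... bound to 127.0.0.1
# so the forwards are reachable from this host only; ServerAlive* makes ssh
# notice a dead link and exit, so the loop in start() reconnects;
# ExitOnForwardFailure stops a half-working tunnel from lingering.
build_ssh_cmd() {
    printf 'ssh -N -v -o ServerAliveInterval=30 -o ServerAliveCountMax=3 -o ExitOnForwardFailure=yes -L 127.0.0.1:%s:127.0.0.1:%s -L 127.0.0.1:%s:127.0.0.1:%s -l %s %s' \
        "$NDO_LOCAL_PORT" "$NDO_REMOTE_PORT" "$MYSQL_PORT" "$MYSQL_PORT" "$TUNNEL_USER" "$MASTER"
}

# Read "netstat -natl" style output from stdin and return 0 only if every port
# given as argument has a LISTEN socket on 127.0.0.1.
tunnel_listening() {
    out=$(cat)
    for port in "$@"; do
        printf '%s\n' "$out" | grep -q "127\.0\.0\.1:${port} .*LISTEN" || return 1
    done
    return 0
}

start() {
    if [ -f "$PIDFILE" ] && kill -0 "$(cat "$PIDFILE")" 2>/dev/null; then
        echo "tunnel already running"; return 0
    fi
    echo "SSH connect initiated. New log created at $(date)" > "$LOGFILE"
    # Reconnect loop in the background; ssh runs as the key owner, not root.
    (
        while :; do
            su -s /bin/sh "$TUNNEL_USER" -c "$(build_ssh_cmd)" >>"$LOGFILE" 2>&1
            sleep 10
        done
    ) &
    echo $! > "$PIDFILE"
}

stop() {
    [ -f "$PIDFILE" ] || { echo "tunnel not running"; return 0; }
    kill "$(cat "$PIDFILE")" 2>/dev/null                 # stop the reconnect loop
    pkill -f "ssh -N .*-l $TUNNEL_USER $MASTER" 2>/dev/null   # and the ssh client
    rm -f "$PIDFILE"
}

status() {
    netstat -natl 2>/dev/null | tunnel_listening "$NDO_LOCAL_PORT" "$MYSQL_PORT" \
        && echo "tunnel up: ports $NDO_LOCAL_PORT and $MYSQL_PORT listen on loopback" \
        || { echo "tunnel down"; return 1; }
}

case "${1:-}" in
    start)   start ;;
    stop)    stop ;;
    restart) stop; start ;;
    status)  status ;;
    "")      ;;   # no argument: only define the functions (e.g. when sourced)
    *)       echo "Usage: $0 {start|stop|restart|status}" >&2; exit 1 ;;
esac
```

Install it as /etc/init.d/ndo as described above; "status" reproduces the netstat check from the testing section, and the log file is the one the article reads with cat.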
Testing your setup:
root@itcs-centsensor01:/data/scripts# netstat -natl
Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 127.0.0.1:5669          0.0.0.0:*               LISTEN
tcp        0      0 127.0.0.1:3306          0.0.0.0:*               LISTEN
tcp        0      0 127.0.0.1:25            0.0.0.0:*               LISTEN
tcp        0      0 CENTREONSENSORIP:41479  CENTREONMASTERIP:22     ESTABLISHED
tcp        0      0 CENTREONSENSORIP:41480  CENTREONMASTERIP:22     ESTABLISHED
tcp        0      0 127.0.0.1:37858         127.0.0.1:5669          TIME_WAIT
tcp6       0      0 ::1:5669                :::*                    LISTEN
tcp6       0      0 ::1:3306                :::*                    LISTEN
tcp6       0      0 :::22                   :::*                    LISTEN
root@itcs-centsensor01:/data/scripts# cat /var/log/centreon/ssh-to-master-connect.log
SSH connect initiated. New log created at Thu Mar 26 15:51:34 CET 2009
OpenSSH_4.7p1 Debian-8ubuntu1.2, OpenSSL 0.9.8g 19 Oct 2007
debug1: Reading configuration data /etc/ssh/ssh_config
debug1: Applying options for *
debug1: Connecting to CENTREONMASTERNAME [CENTREONMASTERIP] port 22.
debug1: Connection established.
debug1: identity file /home/nagios/.ssh/identity type -1
[....]
This all shows you that your setup is working right now!
Securing NDO
OK, now we have a tunnel which listens on port 5669 and forwards to the master server (and there to port 5668).
That is the basic thing needed for this setup. Now we have to configure both the ndo daemon (ndo2db) and the ndomod module for this special setup:
Create ndo2db.cfg for satellite:
Create ndomod.cfg for satellite:
Generate the config files and upload your configuration to the satellite as normal.
Testing the secured setup
OK, now - when we have luck ;o) - everything works fine.
To be sure, check the following:
1) nagios.log at the satellite should show you:
[1238078028] Nagios 3.1.0 starting... (PID=26055)
[1238078028] Local time is Thu Mar 26 15:33:48 CET 2009
[1238078028] LOG VERSION: 2.0
[1238078028] ndomod: NDOMOD 1.4b7 (10-31-2007) Copyright (c) 2005-2007 Ethan Galstad (nagios@nagios.org)
[1238078028] ndomod: Successfully connected to data sink. 0 queued items to flush.
[1238078028] Event broker module '/usr/local/nagios/bin/ndomod.o' initialized successfully.
2) check the MySQL connections at the Centreon master server:
mysql> SHOW PROCESSLIST ;
+--------+------+-----------+------+---------+------+-------+------------------+
| Id     | User | Host      | db   | Command | Time | State | Info             |
+--------+------+-----------+------+---------+------+-------+------------------+
|  91669 | ndo  | localhost | ndo  | Sleep   |    0 |       | NULL             |
| 225076 | root | localhost | NULL | Query   |    0 | NULL  | SHOW PROCESSLIST |
| 231676 | ndo  | localhost | ndo  | Sleep   |    0 |       | NULL             |
+--------+------+-----------+------+---------+------+-------+------------------+
-> You should permanently see TWO ndo users here, both coming from 'localhost'.
Hmm I think that's it. ;o)
Have fun!
NO WARRANTY BUT IT WORKS - FOR ME..
By Thomas Fischer
iT-CUBE SYSTEMS GmbH (Homepage)
Some remarks/tips/advice
- Remote pollers are only supported from Centreon version 2 beta 5 onwards.
- NDOutils do not give a lot of information on why things just won't work, so make sure NDOutils are compiled with MySQL support; review the config.log carefully. If NDO2DB is working, you should see a MySQL session for the configured user on the configured database.
- The procedures to restart, reload, ... Nagios, as well as the transfer of configs to remote pollers, are called via a command file (/var/lib/centreon/centcore.cmd). Make sure that both the Apache and the Centcore owner can create and modify this command file.
Known issues
- High traffic (about 1 GB / day)
- Compression in SSH and MySQL didn't reduce it much