Colourful Norwich skyline illustration

Michael Sage

IT, Digital & Culture

Nagios MySQL

Nagios MySQL

Monitoring MySQL servers, we will need to pass through a username and password for MySQL when checking the service availability. Firstly we will create a MySQL user: We start on the MySQL user and we will log in to the database server and create a new user for Nagios to use. I normally use the local check_mysql plugin so there is no need to let the user login from other servers.
CREATE USER 'nagios'@'localhost' IDENTIFIED BY 'password'
Next check by running the check_mysql plugin
sudo -s -u nagios /usr/lib/nagios/plugins/check_mysql -H localhost -u nagios -p password
Add this to you nrpe definition file and restart nagios-nrpe-server. Add to your Nagios server and away you go!

Auto OpenVPN Script

Auto OpenVPN Script

Build a new VPS and then follow the instructions here! I had an issue with my install to do with routing, the trouble was in the iptables NAT rule. Check if IPv4 forward is enable.
# grep net.ipv4.ip_forward /etc/sysctl.conf
# cat /proc/sys/net/ipv4/ip_forward
# sysctl -a | grep "net.ipv4.ip_forward "
net.ipv4.ip_forward = 1
If it’s ok, check your iptables rules.
iptables -t nat -L -vn --line
iptables -L FORWARD -vn --line
I had no nat rule in my nat table, sad times! I added the following and all is well. $IP is your public server IP:
iptables -t nat -A POSTROUTING -s -j SNAT --to $IP

Cert for ESXi

Cert for ESXi

To generate a certificate request for an ESXi 6.0 host:
  1. Open a command prompt and navigate to the OpenSSL directory as previously configured in the Configuring OpenSSL article. By default this is  C:\OpenSSL-Win32\bin.
  2. Run the command:

    openssl req -new -nodes -out rui.csr -keyout rui-orig.key

    This creates the certificate request rui.csr.

  3. Convert the Key to be in RSA format by running these command:

    openssl rsa -in rui-orig.key -out rui.key

Installing and configuring the certificate on the ESXi host 

After the certificate is created, complete the installation and configuration of the certificate on the ESXi 6.0 host:
  1. Navigate to the console of the server to enable SSH on the ESXi 6.0 host.
  2. Log in to the host and then navigate to /etc/vmware/ssl.
  3. Copy the files to a backup location, such as a VMFS volume.
  4. Log in to the host with WinSCP or login locally (my preferred method) and navigate to the /etc/vmware/ssl directory.
  5. Delete the existing  rui.crt and  rui.key from the directory.
  6. Copy the newly created  rui.crt and  rui.key or create them using vi (again my preferred method, I also at the intermediate cert to the .crt file) to the directory using Text Mode or ASCII mode to avoid the issue of special characters (  ^M) appearing in the certificate file.
  7. Type vi rui.crt to validate that there are no extra characters.

    Note: There should not be any erroneous  ^M characters at the end of each line.

  8. Restart the management agents

    /etc/init.d/hostd restart

    /etc/init.d/vpxa restart

Z-Push with MXRoute

Z-Push with MXRoute

I decided to set myself a little challenge to get ActiveSync working for free for a project I am working on. Most ActiveSync clients on the market are licensed directly from Microsoft.

I have an email service from the excellent MXRoute and I am not using the service much, they don’t currently offer a mobile solution so I thought I would see if it is possible to use a small virtual private server (VPS) to connect to IMAP and pass it to my mobile, turns out you can! I am using MXRoutes London servers, you will need to change the config if you are using any other locations.

Using Z-PUSH (2.3.5) to connect to MX Route

Known Issues:

Z-push syncs the shared address book, I haven’t worked out how to stop this, it’s a minor issue, but you do need to be aware of it.

Z-push fails to get the name of the calendar, so on an activesync device the calendar name shows up as unknown, but it works.

Z-push pulls the tasks through as a calendar, I have turned off syncing tasks.

Z-push itself isn’t the most reliable platform. This isn’t an issue per se, but it is something you need to be aware of.


A VPS or server, I am running Ubuntu 16.04 LTS A MXRoute account Apache installed with an SSL cert (I’m using letencrypt) PHP7 with php-cli and php-soap Instructions

Add the z-push repo by creating /etc/apt/sources.list.d/z-push.list with the content

deb /

Download and add the repo key to the keychain

wget -qO – | sudo apt-key add –

Run apt-get update

We then need to install the z-push packages that we need

apt-get install z-push-common z-push-config-apache z-push-backend-caldav z-push-backend-carddav z-push-backend-combined z-push-backup-imap z-push-ipc-sharedmemory

This will install and configure z-push ready to go, we now need to edit the config files to tell it where to get the contacts, calendar and email from.

Start by editing /usr/share/z-push/config.php

Change the section “Default Settings” to match your timezone and ensure that the define(‘USE_FULLEMAIL_FOR_LOGIN’,true); is set to true.

Under the logging settings there is a specialLogUsers value, this is really useful to put a user in here when you need to troubleshoot, this generates debug logs for the named user and which can be found in the /var/log/z-push directory, but remember to remove them when you have done your testing as they can generate massive log files.

The only other setting we need to change is the Backend settings.

Change the backend provider setting to:


Save and exit the file

Next edit the /usr/share/z-push/backend/combined/config.php

Update it to match the following values

‘backends’ => array(
‘i’ => array(

‘name’ => ‘BackendIMAP’,


‘d’ => array(

‘name’ => ‘BackendCardDAV’,


‘c’ => array(

‘name’ => ‘BackendCalDAV’,



‘delimiter’ => ‘/’,

//force one type of folder to one backend

//it must match one of the above defined backends

‘folderbackend’ => array(



















//creating a new folder in the root folder should create a folder in one backend

‘rootcreatefolderbackend’ => ‘i’,




This tells z-push which backend is responsible for which function.

Next we need to edit the individual service files we will start with email.

Edit the file /usr/share/z-push/backend/imap/config.php

Update the following values, this is assuming you are using MXRoute’s London servers.

// Defines the server to which we want to connect

define(‘IMAP_SERVER’, ‘’);

// connecting to default port (143)

define(‘IMAP_PORT’, 993);

// best cross-platform compatibility (see for options)

define(‘IMAP_OPTIONS’, ‘/ssl/norsh’);

// Mark messages as read when moving to Trash.

// BE AWARE that you will lose the unread flag, but some mail clients do this so the Trash folder doesn’t get boldened

define(‘IMAP_AUTOSEEN_ON_DELETE’, false);

// Since I know you won’t configure this, I will raise an error unless you do.

// When configured set this to true to remove the error


// Folder prefix is the common part in your names (3, 4)

define(‘IMAP_FOLDER_PREFIX’, ”);

// Inbox will have the preffix preppend (3 & 4 to true)


// Inbox folder name (case doesn’t matter) – (empty in 4)


// Sent folder name (case doesn’t matter)

define(‘IMAP_FOLDER_SENT’, ‘inbox.SENT’);

// Draft folder name (case doesn’t matter)

define(‘IMAP_FOLDER_DRAFT’, ‘inbox.DRAFTS’);

// Trash folder name (case doesn’t matter)

define(‘IMAP_FOLDER_TRASH’, ‘inbox.TRASH’);

// Spam folder name (case doesn’t matter). Only showed as special by iOS devices

define(‘IMAP_FOLDER_SPAM’, ‘inbox.junk’);

// Archive folder name (case doesn’t matter). Only showed as special by iOS devices


You also want to update the method used for sending emails (I am using an SSL connection to MXRoute)

define(‘IMAP_SMTP_METHOD’, ‘smtp’);

global $imap_smtp_params;

$imap_smtp_params = array(‘host’ => ‘ssl://’, ‘port’ => 465, ‘auth’ => true, ‘username’ => ‘imap_username’, ‘password’ => ‘imap_password’ );

The above ‘imap_username’ and ‘imap_password’ are variables and do not need changing to the actual username and password.

Save and close the file.

Next we will setup syncing contacts

Edit /usr/share/z-push/backend/carddav/config.php update the following

// Server protocol: http or https

define(‘CARDDAV_PROTOCOL’, ‘https’);

// Server name

define(‘CARDDAV_SERVER’, ‘’);

// Server port

define(‘CARDDAV_PORT’, ‘2080’);

// Address book path

define(‘CARDDAV_PATH’, ‘/rpc/addressbooks/%u/’);

// Server path to the default address book

define(‘CARDDAV_DEFAULT_PATH’, ‘contacts/’);

// Support sync-collection

define(‘CARDDAV_SUPPORTS_SYNC’, false);

Save and close the file

Finally the calendar sync

Edit /usr/share/z-push/backend/caldav/config.php

// Server protocol: http or https

define(‘CALDAV_PROTOCOL’, ‘https’);

// Server name

define(‘CALDAV_SERVER’, ‘’);

// Server port

define(‘CALDAV_PORT’, ‘2080’);

// Path

define(‘CALDAV_PATH’, ‘/rpc/calendars/%u/’);

// Default CalDAV folder (calendar folder/principal). This will be marked as the default calendar in the mobile

define(‘CALDAV_PERSONAL’, ‘calendar’);

// If the CalDAV server supports the sync-collection operation

// DAViCal, SOGo and SabreDav support it

// SabreDav version must be at least 1.9.0, otherwise set this to false

// Setting this to false will work with most servers, but it will be slower

define(‘CALDAV_SUPPORTS_SYNC’, false);

// Maximum period to sync.

// Some servers don’t support more than 10 years so you will need to change this

define(‘CALDAV_MAX_SYNC_PERIOD’, 2147483647);

Save and close the file

Although not necessarily I restart apache at this point.

service apache2 restart

On your client device (iOS / Android / Outlook 2013+)

As there is no autodiscovery function you will need to enter the settings manually.

Username: Full email address

Password: Users MXRoute Password

Server: Your VPS address (i.e.

Basic Troubleshooting

Check the apache and z-push logs, both of which can be found in /usr/var/log/

Turn on debugging for a single user (see above for details)

Check you can access activesync on your server, you should be promoted for a username and password use the email address and the users mxroute password, you should see a page that gives you the activesync information and tell you that “GET is not supported”.

You should now be good to go!

Configure Windows Remote Desktop to use TLS with StartSSL

Configure Windows Remote Desktop to use TLS with StartSSL

**Firstly it is important to note that StartSSL don’t currently have a trusted root CA.**

Firstly you will need to create you CSR. I do this from a Linux box as openssl is much easier from the command line. You can generate the CSR online or using various Windows tools.

Go to you Linux terminal and type the following

openssl req -out rdp.csr -new  -newkey rsa:4096 -nodes -keyout rdp.key

Open the CSR (nano rdp.csr) and copy the contents into the StartSSL certificate wizard.

You will now need to wait for StartSSL to generate your certificate, in my experience this is currently taking upto 24 hours, it used to be nearly instant.

Open the .crt file and save it on your Linux box as rdp.crt. You will also need to grab the StartSSL Intermediate cert from their site.

You now need to combine the two files. I tend to do this in nano or notepad++ depending on which environment I am working in.

Paste the contents of rdp.crt and this have a line break and paste the intermediate cert underneath it. Save this file, I normally save mine as rdp.pem.

Next we need to take this new file and turn it into a pfx file that Windows will understand. Simple go back to your Linux terminal with the new file and type the following

openssl pkcs12 -export -out rdp.pfx -inkey rdp.key -in rdp.pem

Now go to the windows machine you wish to use the certificate on making sure you have a copy of the rdp.pfx file!

You now need to open the certificate snap-in, the easiest way to do this is.

Start-> Run -> mmc add snapin certificates (Local Computer), select personal certificates and right click, choose All Tasks -> Import. Select the pfx file.

Copy the new cert (probably called and place a copy in Remote Desktops -> Certificates.

Double click the certificate and copy the Thumbprint (this is found at the bottom of the details list). You need to paste this Thumbprint into a new file and remove the spaces so you are left with a 40 digit string.

Open a command prompt as an administrator and type / paste the following:

wmic /namespace:\\root\cimv2\TerminalServices PATH Win32_TSGeneralSetting Set SSLCertificateSHA1Hash=”


That’s it you have successfully installed a StartSSL Cert onto your Windows RDP server!

OVH Gateway for Failover IPs

OVH Gateway for Failover IPs

OVH have a very odd way of assigning failover IPs for dedicated and VPS servers. 

I run a pfsense firewall on my virtual platform and all the internet traffic runs through that. 

Firstly you need to generate a virtual MAC in the OVH control panel which you need to assign to the WAN interface of your pfSense box. 

Next you need to add the IPs to the alias list on you pfSense machine.

Now this is where things get interesting! You need to add a couple of routes to allow pfSense to get out to the internet at all. You will need the gateway of your primary dedicated / VPS IP address, this will probably be on a different subnet to you new failover IPs.  In this example I will use as my primary IP and the gateway for this IP will be

From the shell of your pfSense box type:

route add -net -iface em0

route add default

Your pfSense box should now be able to see the internet. 

You will also need to add a rule to allow your pfSense LAN out to the internet. Within the pfSense webConfig go to 

Firewall -> NAT

Click on outbound. Set it to manual outbound and add a mapping:

Interface: WAN

Source: (this should be your LAN i.e.

Leave the rest as defaults and save. This should now allow your LAN traffic out on to the WAN.

The routes we typed earlier will not survive a reboot, in order to fix this go to the plugins and download shellcmd. Once this is installed simply add the two routes we typed above into shellcmd plugin (Services -> shellcmd)

Pre March 2017 Notes

Pre March 2017 Notes

DOS Boot USB Stick, June 10, 2016 08:54, Easy USB boot creator

Ubuntu non LVM Extension, April 12, 2016 18:18, cfdisk /dev/sdx parted delete the partition and create it again with the desired size resize2fs /dev/sdxY

All for one and Media Center Remote double press issue, January 9, 2015 19:42, I see a lot of creative work being done to get around the problem introduced by the latest critical patch. As people have accurately surmized, the media center remote actually alternates remote codes when a button is pressed. The media center IR driver can use this fact to debounce key presses. The effectively causes the behavior most folks are seeing in that the pronto (and likely other learning remotes) learn only one of the two codes and the IR driver will only accept it once because it is waiting for the alternate code so it can be sure a 2nd key press was made.

The good news is that there’s a registry entry to enable/disable this debouncing behavior in the IR driver. All you need to do is disable it and the pronto and other universal remotes should work fine.

The registry key to disable it is

HKEY_LOCAL_MACHINESYSTEMCurrentControlSetServicesidIrRemotes745a17a0-74d3-11d0-b6fe-00a0c90f57da] On Win 8 this changes to HidIR 🙂

You should see a DWORD key called “EnableDebounce”. You’ll notice it’s set to 1. Set it to 0 to disable debouncing.

You’ll need to reboot the computer to have this registry change take effect.

Extending a volume without Reboot, May 3, 2014 16:41, pvdisplay – Display physical partitions vgdisplay – Display volume names lvdisplay – Display Logical volumes

Bottom line: if the underlying Volume Group doesn’t have enough free space, to extend the Logical Volume you’ll first have to extend the underlying Volume Group by adding another Physical Volume to it.

In VMWare you could either create a new virtual hard disk device to add to the volume group, or extend an existing virtual hard disk device, create a new partition with cfdisk, and add the new partition to the Volume Group:

example 1: you’ve added to VMWare a new virtual hard disk called /dev/sdb pvcreate /dev/sdb vgextend turnkey /dev/sdb

example 2: you’ve expanded the existing sda hard disk cfdisk /dev/sda partprobe pvcreate /dev/sda3 vgextend turnkey /dev/sda3 After you’ve extended the Volume Group, you are free to extend the underlying Logical Volume:

lvextend -L+10G /dev/turnkey/root Extending logical volume root to 27.0 GiB Logical volume root successfully resized Finally, you’ll have to resize the filesystem within /dev/turnkey/root so it can see that the underlying block device just got 10G bigger:

resize2fs /dev/turnkey/root resize2fs 1.41.11 (14-Mar-2010) Filesystem at /dev/turnkey/root is mounted on /; on-line resizing required old desc_blocks = 2, new_desc_blocks = 2 Performing an on-line resize of /dev/turnkey/root to 7077888 (4k) blocks. The filesystem on /dev/turnkey/root is now 7077888 blocks long.

Nagios and Freepbx monitoring, December 8, 2013 15:14, Modified from

I want to monitor the following: Possibility for a phone to be able to register at the Asterisk server The registration at the SIP providers are OK The Operating system is not overloaded The server where Asterisk is running is up

I use nconf but have included the actually manipulation of text files for completeness!


Download and install sip check on your asterisk server Define it in commands.cfg

command ‘check_sip’ define command{ command_name check_sip command_line /usr/local/libexec/check_sip -u “$ARG1$” } Define the sip check in services.cfg, I also created a service group called ip_telephony service ‘Asterisk Check SIP’ define service{ use default-service host_name dull service_description Asterisk Check SIP check_command check_sip!sip:XXXXX@dull.mynet servicegroups ip_telephony contact_groups it-slav_msn,it-slav_mail,call_it-slav }

On my install the plugins were in /usr/local/nagios/libexec I had to edit check_sip and change the use lib definition to /usr/local/nagios/libexec for it to pick up my perl tools.

Monitor the Peers

With the asterisk command “sip show peers”, information about the connected sip peers can be found:

[root@dull custom] asterisk -rx “sip show peers” Name/username Host Dyn Nat ACL Port Status pulver 5060 OK (154 ms) digisip/XXXXX 5060 OK (44 ms) 6016 (Unspecified) D 0 UNKNOWN 6005 (Unspecified) D 0 UNKNOWN 6004/6004 D 5060 OK (139 ms) 6003/6003 D 5060 OK (136 ms) 6002/6002 D 5060 OK (8 ms) 6011 (Unspecified) D 0 UNKNOWN 6010 (Unspecified) D 0 UNKNOWN 6000 (Unspecified) D 0 UNKNOWN 6001 (Unspecified) D 0 UNKNOWN 11 sip peers [Monitored: 5 online, 6 offline Unmonitored: 0 online, 0 offline]

Marcus Rejås he has written a Nagios plugin to monitor the sip peers. I got the script and modified to fit my needs, i.e. get performance data for graphing: /opt/plugins/custom/


Simple Asterisk Peer Check. Copyright (C) 2008 Marcus Rejås / Rejås Datakonsult

Modified with perfdata by Peter Andersson

This program is free software: you can redistribute it and/or modify it under the terms of the GNU General Public License as published by the Free Software Foundation, either version 3 of the License, or (at your option) any later version.

This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details.

Very simple plugin that checks if a peer is ok. The peers needs “qualify=yes” in its configuration.

A peer that is not registered or non-existent will result in error. If the peer is OK a short statusline (from Asterisk) is written. There is timing information suitable for graphing as well.

You should have received a copy of the GNU General Public License along with this program. If not, see .

Example use of this script:

sip:~ ./sip_check_peer mysecretary-100 mysecretary-100/461762501 5060 OK (10 ms) sip:~

if [ $ == 0 -o “$1” == “-h” -o $ -gt 1 ]; then echo “Usage: $0” exit 3 fi

LINE=asterisk -r -x “sip show peers” | grep $1 | grep “OK (”

This is a uggly. Just to check that the expression above does not match more then one line.

HITS=asterisk -r -x “sip show peers” | grep $1 | grep “OK (” | wc -l

if [ $HITS -gt 1 ]; then echo “ERROR: Multiple match, tweak your arguments or fix $0 🙂 ” exit 3 fi

if [ “$LINE” ]; then echo -n “OK: ” echo -n $LINE Create perdata echo -n “|time=” echo $LINE | awk ‘{gsub(/(/,””)};{gsub(/)/,””)};{print $(NF-1)$NF}’ exit 0 elif [ -z “$LINE” ]; then echo “CRITICAL: Something is wrong with $1”; exit 2 else echo $LINE exit 2 fi

The command run by hand looks like this: [root@dull /] /opt/plugins/custom/ pulver OK: pulver 5060 OK (166 ms)|time=166ms The plugin is started by nrpe at the asterisk server and configured in /etc/nrpe.d/mycommands.cfg command[asterisk_peer_digisip]=sudo /opt/plugins/custom/ digisip command[asterisk_peer_pulver]=sudo /opt/plugins/custom/ pulver command[asterisk_peer_6002]=sudo /opt/plugins/custom/ 6002 command[asterisk_peer_6003]=sudo /opt/plugins/custom/ 6003 command[asterisk_peer_6004]=sudo /opt/plugins/custom/ 6004

/opt/plugins/custom/ must run as a high privileged user so I’m using sudo, modify /etc/sudoers with visudo: visudo -f /etc/sudoers –snip– nobody ALL= (root) NOPASSWD: /opt/plugins/custom/ –snip– Turn of requiretty, because it will run without a console –snip– Defaults requiretty –snip–

At this point things didn’t work for me and I had to tweak the script and the sudoers file and add my nagios user to the asterisk group.

The things I changed… LINE=asterisk -r -x “sip show peers” | grep $1 | grep “OK (” to LINE=sudo asterisk -r -x “sip show peers” | grep $1 | grep “OK (”

Added nagios to the asterisk group

nobody ALL= (root) NOPASSWD: /opt/plugins/custom/ to nagios ALL=(all) NOPASSWD: /usr/sbin/asterisk

Again Peters post is copied here, again I ignored it and used nconf!

The service checks are defined in services.cfg and also put into the same servicegroup service ‘Asterisk Peer Pulver’ define service{ use default-service host_name dull service_description Asterisk Peer Pulver check_command check_nrpe!asterisk_peer_pulver servicegroups ip_telephony contact_groups it-slav_sms,it-slav_mail,call_it-slav }

I also defined the other peers, i.e. digisip, 6002, 6003, 6004 The servicegroup is defined in servicegroups.cfg servicegroup ‘ip_telephony’ define servicegroup{ servicegroup_name ip_telephony alias IP – Telephony }

Zimbra 8 SSL, November 15, 2013 19:48, openssl req -nodes -newkey rsa:2048 -keyout server.key -out server.csr

cp server.key /opt/zimbra/ssl/zimbra/commercial/commercial.key cp server.crt /opt/zimbra/ssl/zimbra/commercial/commercial.crt cp /opt/zimbra/ssl/zimbra/commercial/commercial_ca.crt /opt/zimbra/openssl/bin/openssl verify -CAfile commercial_ca.crt commercial.crt

/opt/zimbra/bin/zmcertmgr deploycrt comm /opt/zimbra/ssl/zimbra/commercial/commercial.crt /opt/zimbra/ssl/zimbra/commercial/commercial_ca.crt

su – zimbra $ zmcontrol stop $ zmcontrol start

Nagios NRPE Ubuntu, April 4, 2013 12:30, First, you need to install the nagios-nrpe-server. There is a nagios-nrpe-plugin but that’s not what you need because that is just the plugin and you need this daemon (Linux equivalent of a Windows Service for all you Windows guys).

sudo apt-get install nagios-nrpe-server

sudo ps -Al | grep nrpe

netstat -an | grep 5666

Next, we need to set up the Nagios server to be able to check our machine.

sudo nano /etc/nagios/nrpe.cfg

and change allowed_hosts=,x.x.x.x

sudo /etc/init.d/nagios-nrpe-server restart

From the Nagios server /usr/local/nagios/libexec/check_nrpe -H y.y.y.y

ESXi Nagios Plugin,February 1, 2013 15:47,

Windows Update Client, September 4, 2012 09:18, Windows Update WUAUCLT Command Line Switches

The command line switches to WUAUCLT — the Windows Update Automatic Updates client — are documented, just not very coherently. There’s quite a few of them, but the only ones I need regularly are the ones to force update checks. They work with Windows 2000 Server and Windows Server 2003, though they make work on other versions.

These checks are typically done when you restart the update service on the client, which can be done manually by restarting the service.

net stop wuauserv net start wuauserv

Even then, a lot of times I’ll want to verify on the WSUS server that there aren’t any more updates remaining for a particular host; I’m too impatient to wait for a client to report in on its own.

wuauclt /detectnow

The detectnow switch will force a relatively immediate query to the WSUS server to see if there are any updates that are needed. If there are, the yellow shield will appear in the system tray. This is usually pretty quick, within 20-30 seconds.

wuauclt /r /ReportNow

The ReportNow switch will force the client to send updated status to the WSUS server. It may take a minute or two for the server to reconcile and display the updated status.

Reregister a machine wuauclt /resetauthorization /detectnow

If things still aren’t working, the Windows Update log can be found at %systemroot%WindowsUpdate.log. The log file — strangely verbose, for Microsoft — is just text and viewable in Notepad. If the server you’re trying to connect to is crapping out, or your group policy is pointing you to the wrong server, the proof will be in there.

Ubuntu Nagios Server, October 29, 2011 22:34, Nagios and NConf on Ubuntu 10.04 Lucid Lynx By jason | Published: August 24, 2010 Have you been wondering about how to get Nagios and NConf setup on your Ubuntu server? Well, I took some notes the last time around, and here they are, for anyone that may find them useful. Here we go!

Prerequisites If you didn’t check the box to configure your box as a LAMP (Linux, Apache, MySQL, PHP) server when you first setup your box, do that first with:

sudo apt-get install apache2 sudo apt-get install mysql-server mysql-client sudo apt-get install php5 libapache2-mod-php5 If you want phpMyAdmin (for web-based MySQL administration):

sudo apt-get install phpmyadmin Installing Nagios Install Nagios with

sudo apt-get install nagios3 It should install all the necessary dependencies. Follow the prompts to get it configured and test it out by browsing to http:///nagios3

If you would like to monitor Windows servers using NSClient++ (which I am doing), also install the NRPE plugin with

sudo apt-get install nagios-nrpe-plugin I felt like I ought to backup the config files before I started messing with them, so I backed them up with

sudo cp -r /etc/nagios3 /etc/nagios3.backup Installing NConf NConf provides a web-based frontend for configuring Nagios. There’s no package in the Ubuntu repositories for it, but you can download it pretty easily. Version 1.2.6 was the latest as of the time of this writing, so make sure you’re getting the latest version. (Note: it looks like the link below gets cut off, so here’s a link to the NConf download page where you can grab the latest source)

wget Unpack it to your webroot: sudo tar xzvf nconf-1.2.6-0.tgz -C /var/www Change the owner of the folder and files you just extracted to the web user: sudo chown -R www-data:www-data /var/www/nconf Now you’ll need to create a MySQL database to hold the NConf configuration data. Using phpMyAdmin (sudo apt-get install phpmyadmin if you don’t have it) do the following: Privileges -> Add a new User User name: nconf Host: localhost Password: (generate, and make a note of the generated password) Create database with the same name and grant all privileges Go Privileges -> reload the privileges Then browse to http:///nconf and follow the prompts to finish initial configuration of NConf.

When you get to the database configuration page, enter nconf for the username and the database name, and use the generated password you should have made a note of earlier. For most everything else, accept the defaults, but change the NAGIOS_BIN variable to /usr/sbin/nagios3 to reference the right location.

Finally, remove the folders and files referenced at the end of the installation process:

sudo rm -r /var/www/nconf/INSTALL sudo rm /var/www/nconf/INSTALL.php sudo rm -r /var/www/nconf/UPDATE sudo rm /var/www/nconf/UPDATE.php At this point, you should be able to login to NConf, although it won’t be doing anything of importance.

Configuring Nagios to use NConf We’ll need to make some changes to one of the Nagios configuration files, so (using sudo) open up /etc/nagios3/nagios.cfg in your favorite editor and delete or comment out all the lines that begin with cfg_dir= or cfg_file= and add the following lines:



Back at the terminal, run the following command to create a folder for NConf to dump the configuration files it generates.

sudo mkdir /etc/nagios3/import Configuring NConf to Deploy Nagios Configurations Automatically Almost there. Using sudo, open up /var/www/nconf/ADD-ONS/ and make the following changes to paths:

OUTPUT_DIR=”/var/www/nconf/output/” NAGIOS_DIR=”/etc/nagios3/” … /etc/init.d/nagios3 reload This script will deploy the generated configuration package and then reload the running instance of Nagios, but it’s easiest to use just installed in the root crontab.

sudo crontab -e and adding the line

/var/www/nconf/ADD-ONS/ Final Steps After saving and closing the root crontab, log back into NConf and take a look around. You’ll see some sample definitions and some predefined services for the localhost computer. You may want to delete the check_local_mrtgtraf and check_local_procs services, as the first one doesn’t work without additional configuration and the second one is a sample definition, but you can make those changes at your leisure.

Once you’re ready, click Generate Nagios config, and if all goes well, you’ll see something like the following:

[ Initializing NConf perl-API (library version 0.2, written by A. Gargiulo) ] [ Copyright (c) 2006-2009 Sunrise Communications AG, Zurich, Switzerland ]

[INFO] Starting generate_config script [INFO] Generating global config files [INFO] Generating config for Nagios-collector ‘Default Nagios’ [INFO] Ended generate_config script

Running syntax check:

Default_collector: Total Warnings: 0 Total Errors: 0 Changes updated successfully. Now log back into Nagios and click on Service Detail. Within a minute or two, you should see the hosts and services change to reference the configuration as generated from NConf.

If that works, then huzzah!

Start making your configuration changes in NConf and enjoy not having the manipulate those Nagios conf files by hand anymore!

Troubleshooting, Tips and Caveats Try running the script by hand (with sudo) if it doesn’t appear that Nagios is getting the configurations from NConf. You may be able to glean some information from the output of that script.

New hosts not showing up in Nagios after being created in NConf? Make sure you’ve selected Default Nagios under “monitored by” when defining the host, or that host won’t get assigned properly.

This setup process effectively disables all the command definitions provided by the package install of Nagios, which are stored under /etc/nagios-plugins/config. I looked through them and compared them to the ones provided by default with NConf, and I was fine with what NConf provided. NConf provides a mechanism to import command definitions if you really find that you need them.

I have no idea how this setup will hold up under an upgrade of the Nagios package. We’ll see when the time comes, and if I remember, I’ll update these notes.

If you have any trouble with the steps provided above, please comment and I’ll do what I can to assist.

EDIT /var/www/nconf/config/nconf.php NAGIOS_BIN = /usr/sbin/nagios3


Ubuntu Nagios Error, August 16, 2011 11:02,

Error: Could not stat() command file ‘/var/lib/nagios3/rw/nagios.cmd’!

In “/etc/nagios3/nagios.cfg” the “check_external_commands=1″ set.

/etc/init.d/nagios3 stop dpkg-statoverride –update –add nagios www-data 2710 /var/lib/nagios3/rw dpkg-statoverride –update –add nagios nagios 751 /var/lib/nagios3 /etc/init.d/nagios3 start

MySQL, August 13, 2011 10:44

create database newdatabase;

CREATE USER ‘newuser’@’localhost’ IDENTIFIED BY ‘password’;

grant usage on *.* to newuser@localhost;

GRANT ALL PRIVILEGES ON newdatabase. * TO ‘newuser’@’localhost’;


Windows 2008 R2 – WDTV Live fix, June 2, 2011 18:20 michael Enable ‘Netbios over TCP/IP’ Enable service ‘Computer Browser’ Enable service ‘SSDP Discovery’ Disabled firewall

IPTables, February 3, 2011 10:24, iptables-restore < /etc/iptables.rules iptables-save > /etc/iptables.rules

AutoLogin, November 24, 2010 15:59, You can use Registry Editor to add your log on information. To do this, follow these steps: Click Start, click Run, type regedit, and then click OK. Locate the following registry key: HKEY_LOCAL_MACHINESOFTWAREMicrosoftWindows NTCurrentVersionWinlogon Using your account name and password, double-click the DefaultUserName entry, type your user name, and then click OK. Double-click the DefaultPassword entry, type your password under the value data box, and then click OK.

If there is no DefaultPassword value, create the value. To do this, follow these steps: In Registry Editor, click Edit, click New, and then click String Value. Type DefaultPassword as the value name, and then press ENTER. Double-click the newly created key, and then type your password in the Value Data box. Note: If the DefaultPassword registry entry does not exist, Windows XP automatically changes the value of the AutoAdminLogonregistry key from 1 (true) to 0 (false) to turn off the AutoAdminLogon feature after the computer is restarted. Double-click the AutoAdminLogon entry, type 1 in the Value Data box, and then click OK.

If there is no AutoAdminLogon entry, create the entry. To do this, follow these steps: In Registry Editor, click Edit, click New, and then click String Value. Type AutoAdminLogon as the value name, and then press ENTER. Double-click the newly created key, and then type 1 in the Value Data box. Exit Registry Editor. Click Start, click Restart, and then click OK.

Disable strict name checking, November 24, 2010 15:57, HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters

New DWORD (32-bit) Value. Value name  DisableStrictNameChecking, 1 in the Value data 

Climate Monitor Firmware, November 24, 2010 15:49,

Convert KMS to MAK, November 24, 2010 15:46, slmgr.vbs /ipk