Question about the host check of current users


#1

Hello all,

I noticed that there are always three users logged on the remote servers that I am monitoring. After checking the process with ps -aux, there was only one person logged onto the remote server which was myself. I have not noticed anything unusual in the services other than the process of my remote connection to the server. Is there a number of users that always stay logged onto a Unix/Linux system? Or is it an error with nagios?

I am also wanting to monitor the times that users are logged onto remote servers. This would be nice in order to monitor any unusual activity or a possible successful hacker receiving access to a server. Is there a way to monitor the times that users log onto hosts and have nagios send out notifications for this?

Any help or suggestions would be greatly appreciated. :)

Geo


#2

Use the who command and see which users are logged in and when they have logged in. You can write a small script that uses the who command, and let Nagios use the script as the command for a service check.

webtools.live2support.com/linux/who.php


#3

The thing that I noticed with nagios is that it says that 4 users are logged onto all of the servers that are being monitored by nagios. I logged onto the remote machine and ran the “who” command and it said that only one user was logged on, which was myself. There are 6 remote servers that are monitored by nagios, and nagios says that there are always 4 users logged on at all times, which I know is not correct. When I log onto one of the servers, it then changes from 4 to 5 users that are logged on.

Here is my config in Nagios for the “check_users” command in case something might be wrong with it:

[code]define service{
        use                     linux-service
        host_name
        service_description     Current_Users
        check_command           check_users!10!12
        is_volatile             0
        check_period            24x7
        max_check_attempts      4
        normal_check_interval   3
        retry_check_interval    1
        contact_groups          nagios-admins
        notification_interval   120
        notification_period     24x7
}

define command{
        command_name    check_users
        command_line    $USER1$/check_users -w $ARG1$ -c $ARG2$
}[/code]

Why is nagios detecting 4 users that are logged on while in reality there is no one logged on? Should I try out the newer 3.1 version (I am running 3.0 right now)?


#4

Hm, this is puzzling. So, with the who command you get the good number of users and with check_users you don’t.
What do you get when you use the check_users command in terminal on remote hosts and on your Nagios box? Do you also get the wrong number of users logged in?

Are the names of those users human readable or are there some weird characters or character order when you issue the who command on the terminal?

Try to issue both, who and check_users commands on both, Nagios server host and the remote hosts, and see if there is anything that could lead you to the source of the problem.


#5

[blockquote]So, with the who command you get the good number of users and with check_users you don’t. [/blockquote]

Exactly

[blockquote]Are the names of those users human readable or are there some weird characters or character order when you issue the who command on the terminal?[/blockquote]

Here are the results that I get from running “who” on the remote machine:

[code]root pts/0 Apr 24 11:24 (<server-name>)
root pts/1 Apr 24 11:38 (<server-name>)[/code]

Here are the results of the same command on the local machine where nagios is installed:

[code]suse tty7 2008-03-31 13:01 (:0)
suse pts/2 2008-03-31 13:02 (:0.0)
suse pts/3 2008-04-18 10:25 (:0.0)
suse pts/4 2008-04-23 14:53 (:0.0)[/code]

What I am thinking is that nagios is somehow seeing the users on the local machine where nagios is installed and displaying that for the logged on users for the other 6 remote hosts being monitored by nagios. I am not sure how or why it is doing this. I have built my own config file for the remote hosts aside from the default nagios config files for the sake of organization and convenience. Could that play a factor with nagios being confused with the current logged on users on the remote servers?

I also have to mention that nagios is having similar problems with displaying the correct number of processes on all hosts being monitored by nagios, from which about half of the actual number of processes on all hosts are being displayed… but I will make another post on that later.


#6

You’re right. See what I’ve found in check_users.c source:
This plugin checks the number of users currently logged in on the local system and generates an error if the number exceeds the thresholds specified.

I think it’s the same situation for the check_procs

Both commands, when executed from terminal, don’t need the hostname argument, so I suppose they only run the check on localhost.

You could try those checks with NRPE.


#7

Alright, that makes sense… I was reading up on NRPE and I do not have a total understanding of how nagios checks remote hosts without a username or password. I understand how it uses SSH for access, but without a username or password is where I get stuck. Could you explain how that works aside from SSH?

I am having a couple of problems with the NRPE installation. I have compiled the tar file with no problems and ran “./configure && make all” with no problems. The next thing that I am getting stuck on is starting the plugin over XINETD. I type in the following command so I can apply the nrpe config:

When I run this command it does nothing but give me a continuous “>”. I have also run from the command prompt “cp /usr/local/src/nrpe-VERSION/init-script.suse /etc/init.d/nrpe” as well as the following:

[code]# chkconfig --add nrpe
insserv: script nrpe is not executable, skipped!
nrpe 0:off 1:off 2:off 3:off 4:off 5:off 6:off
xinetd based services:
nrpe: off

chkconfig --level 2345 nrpe on

insserv: script nrpe is not executable, skipped!
insserv: script nrpe is not executable, skipped![/code]

What am I still missing for the NRPE Installation?


#8

Hm, don’t really know. I haven’t tested it personally. Did you check the official documentation about NRPE?
nagios.sourceforge.net/docs/nrpe/NRPE.pdf
or:
crucialwebhost.com/blog/nagi … -services/

Sorry for a lousy answer, but I don’t have much experience with NRPE. Maybe somebody else from Nagios Forum crew could help you.


#9

Actually that first link you gave me was great, I have NRPE installed on the local machine. So that is taken care of… I did not understand the explanation of NRPE very well in terms of installing NRPE on the remote hosts that I want to monitor. Because from what I understand Nagios uses NRPE as the port through which nagios accesses the remote server for service checks and such. Can I install NRPE without the nagios system being on the remote host, or do I have to also install nagios with the NRPE plugin? How would one go about configuring that?


#10

I think that you should install only NRPE on the remote host. Nagios is a one-sided application (if you exclude distributed monitoring, of course) which collects data from regular and NRPE remote hosts. If you’re going to install Nagios on the remote host, then there is no point in NRPE.


#11

How would I link that shell script for “who” into a nagios command definition? I have written the file a little bit, enough to show any users currently logged on and who has logged on previously. Other than that I have not gotten all that far with writing the script to compare valid signatures or users with what should be in the script…

Here is what I am thinking for the nagios check command line, not sure if it’s right…

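[code]define service{
        use                     linux-service
        host_name               host
        service_description     Current_Users
        # run the remote check_users command through the nrpe command below
        check_command           nrpe!check_users
}

define command{
        command_name    nrpe
        # check_nrpe takes the address of the remote host with -H
        command_line    $USER1$/check_nrpe -H $HOSTADDRESS$ -c $ARG1$
}[/code]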

Then I would define my own nrpe command for “users” such as the following:

My question is, how would I define the values from the script file to the values in the nagios command check? And for the script file, do I need that to come up with the users from which nagios can run a check on that server? I also want to put in the option of times for this service check as well, do you have an idea of how I would do that as well?

[EDIT: I am going on vacation to Paris for a week, so I won’t get back to this until a week from next Tuesday when I am back]
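
The script suggested in #2 and asked about again in #11, as an added example that is not code from any poster in this thread: a Nagios plugin that parses `who` output, flags sessions by accounts outside an allow-list as CRITICAL and logins outside permitted hours as WARNING, and handles both date layouts shown in #5. The script name `check_logins.sh`, the variables `ALLOWED_USERS`, `HOUR_FROM` and `HOUR_TO`, the NRPE command name `check_logins` and the install path are assumptions.

```shell
#!/bin/sh
# check_logins.sh - hypothetical Nagios plugin (added example, names assumed).
# Wiring, assuming the default source-install plugin path:
#   remote nrpe.cfg:  command[check_logins]=/usr/local/nagios/libexec/check_logins.sh
#   Nagios server:    check_command  nrpe!check_logins
ALLOWED_USERS="${ALLOWED_USERS:-root suse}"   # accounts expected to log in
HOUR_FROM="${HOUR_FROM:-7}"                    # first permitted login hour
HOUR_TO="${HOUR_TO:-19}"                       # last permitted login hour

# Reads `who` output on stdin, prints one Nagios status line and returns
# 0 (OK), 1 (WARNING: login outside hours) or 2 (CRITICAL: unexpected user).
check_logins() {
    awk -v allowed="$ALLOWED_USERS" -v from="$HOUR_FROM" -v to="$HOUR_TO" '
    BEGIN { sessions = 0; n = split(allowed, a, " "); for (i = 1; i <= n; i++) ok[a[i]] = 1 }
    NF {
        sessions++
        # The login time is the first HH:MM field; its position differs
        # between "Apr 24 11:24" and "2008-03-31 13:01" style output.
        hour = -1
        for (i = 3; i <= NF; i++)
            if ($i ~ /^[0-9][0-9]:[0-9][0-9]$/) { hour = substr($i, 1, 2) + 0; break }
        if (!($1 in ok))
            bad = bad " " $1 "@" $2
        else if (hour < from + 0 || hour > to + 0)   # an unparsable time is flagged too
            odd = odd " " $1 "@" $2 "(" $i ")"
    }
    END {
        if (bad != "") { print "LOGINS CRITICAL - unexpected user:" bad " | sessions=" sessions; exit 2 }
        if (odd != "") { print "LOGINS WARNING - login outside hours:" odd " | sessions=" sessions; exit 1 }
        print "LOGINS OK - " sessions " session(s) | sessions=" sessions
    }'
}

# Run as a plugin only when executed under its own name, not when sourced.
case "$0" in *check_logins.sh) who | check_logins; exit $? ;; esac
```

Because NRPE runs the script on the monitored host itself, the result reflects that host's sessions rather than those of the Nagios server.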