Nagios contact groups to check_mk

check-mk, nagios

I have Nagios installed with traditional configuration files. I have created some contact groups and assigned them to hosts.

For web UI I'm using check_mk. And here's the question:

Check_mk supports showing hosts/services based on contact group membership. But I can't use the Nagios contact groups in check_mk. (Result should be that if person XYZ is logged in, he sees only hosts and services assigned to him.)

My users are in LDAP (I'm using check_mk login form, not apache authorisation).

I can't find any information about this in the documentation, so if someone has experience, please tell me how this works.

The problem is that I cannot let everybody be admin and receive all alerts…

I added the following after the two answers-suggestions came in:

I did those steps (please correct it if it doesn't make any sense 🙂 )
I have one extra admin user which is not in LDAP to manage check_mk.

  1. I created users in nagios under DN ou=People,dc=company,dc=com (with
    uid attribute as ID, objectclass is posixAccount)
  2. I created 5 groups under DN ou=group,dc=company,dc=com (with cn as
    group ID, user members are under memberUid field, objectclass is posixGroup)

Groups:

  • cn=nagios (for all nagios users, contains users U1, U2, U3, U4)
  • cn=nagios_admins (for admin role, contains users U1, U2)
  • cn=nagios_users (for user role, contains user U3)
  • cn=nagios_guests (for guest role, contains user U4)
  • cn=testgroup (my contactgroup, contains user U1)

  3. In nagios text configs I added contactgroup named "testgroup":

    define contactgroup{
         contactgroup_name   testgroup
         alias               LDAP test contactgroup
         members             user1
    }
    
    define contact{
         contact_name                    user1                   ; Short
         use                             generic-contact         ;
         alias                           Nagios Admin            ; Full
         email                           test@company.com        ;
    }
    

4) I assigned testgroup to several hosts with services in nagios text
configs (works fine for nagios email alerts)

5) I created contactgroup in WATO named testgroup

6) I restarted check_mk (check_mk -R)

7) I updated user LDAP settings in CHECK_MK:

LDAP User Settings:

User Base DN: dc=company,dc=com
Search Scope: search whole subtree
Search Filter: (objectclass=posixAccount)
Filter Group: cn=nagios,ou=group,dc=company,dc=com
User-ID Attribute: uid

That looks to be working fine; users from cn=nagios,ou=group,dc=company,dc=com can authenticate well.

LDAP Group Settings:

Group Base DN: ou=group,dc=company,dc=com
Search scope: whole subtree
Search filter:
(&(objectclass=posixGroup)(|(cn=nagios)(cn=nagios_admins)(cn=nagios_users)(cn=testgroup)(cn=nagios_guests)))
Member Attribute: memberUid

LDAP Attribute Sync Plugins:

Alias: LDAP attribute to sync: cn
Contactgroup Membership: checked
Roles:
     Normal monitoring user: cn=nagios_users,ou=group,dc=company,dc=com
     Administrator: cn=nagios_admins,ou=group,dc=company,dc=com
     Guest user: cn=nagios_guests,ou=group,dc=company,dc=com

Handle nested group memberships: unchecked

8) After saving & test I can see this output:

connection     Success     Connection established. The connection settings seem to be ok.
User Base-DN     Success     The User Base DN could be found.
Count Users     Success     Found 4 users for synchronization.
Group Base-DN     Success     The Group Base DN could be found.
Count Groups     Success     Found 5 groups for synchronization.
Sync-Plugin: Roles     Success     Found all 3 groups.

9) when I log into check_mk as user U1, I'm not able to see hosts and
services assigned in nagios to contactgroup testgroup 🙁

I'm able to authorize myself, but no policy rules are applied. When I open the WATO users page (as administrator), I can see all 4 users, but all four are "normal monitoring users", and when I click on the edit button I can't add a contactgroup to them or change their role (which I don't want anyway, it should be read from LDAP). But in the user table there is no contactgroup or notifications assigned (Contact groups: none, Notifications: not a contact).

Please take a look at it, I'm starting to be desperate 🙂

Best Answer

As a starting point:

If you define the nagios groups from within WATO, it'll be possible to assign everything via the GUI.

In the documentation for LDAP the key line is probably this one:

"The user is added to all contactgroups where the user is member of a group in LDAP whichs CN is exactly matching the name of the contactgroup." (you have to also enable that feature, but what I want to point at is the group matching)

So, if you have an LDAP group unix-admins you should also define a contact group "unix-admins" via WATO. That can then be assigned a certain WATO folder or specific services as the/a contact to notify.
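
The matching rule quoted in the answer can be checked offline before relying on it for access scoping. The following is an added example, not part of the original answer and not Check_MK's own code: it reads a constructed LDIF sample (a subset of the groups listed in the question), applies the "CN equals contact group name" rule, and reports which users end up with no contact group. The function names are hypothetical, and treating "exactly matching" as a case-sensitive comparison is an assumption.

```python
# Added example. SAMPLE_LDIF is constructed from groups named in the question.
SAMPLE_LDIF = """\
dn: cn=nagios,ou=group,dc=company,dc=com
cn: nagios
memberUid: U1
memberUid: U2
memberUid: U3
memberUid: U4

dn: cn=nagios_admins,ou=group,dc=company,dc=com
cn: nagios_admins
memberUid: U1
memberUid: U2

dn: cn=testgroup,ou=group,dc=company,dc=com
cn: testgroup
memberUid: U1
"""

def parse_groups(ldif, member_attr="memberUid"):
    """Return {cn: set(member ids)} from a minimal LDIF dump of posixGroup entries."""
    groups = {}
    for entry in ldif.strip().split("\n\n"):
        attrs = [line.split(": ", 1) for line in entry.splitlines() if ": " in line]
        cn = next(v for k, v in attrs if k == "cn")
        groups[cn] = {v for k, v in attrs if k == member_attr}
    return groups

def contact_groups_per_user(groups, wato_contact_groups):
    """Apply the quoted rule: LDAP group CN must equal the contact group name.
    Assumption: the comparison is a case-sensitive string match."""
    users = {u: set() for members in groups.values() for u in members}
    for cn, members in groups.items():
        if cn in wato_contact_groups:
            for u in members:
                users[u].add(cn)
    unmatched = sorted(set(groups) - set(wato_contact_groups))
    return users, unmatched

if __name__ == "__main__":
    users, unmatched = contact_groups_per_user(parse_groups(SAMPLE_LDIF), {"testgroup"})
    for uid in sorted(users):
        print(uid, sorted(users[uid]) or "(no contact groups)")
    print("LDAP groups without a same-named contact group:", unmatched)
```

Run against a real `ldapsearch` export of the group base DN, the "unmatched" list shows which LDAP groups will never map to a contact group until one with the same name is defined in WATO.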
