why favour icinga over nagios @ froscon 2015

www.icinga.org

Why favour Icinga over Nagios

2015-08-22

Markus Frosch

• Consultant @NETWAYS• Icinga Team since 2012• Organisation of Icinga 2• Debian developer

@lazyfrosch

THE ICINGA PROJECT

Open Source Enterprise Monitoring

Icinga is a scalable and extensible monitoring system which checks the availability of your resources, notifiesusers of outages and provides extensive BI data.

You?

• originally forked from Nagios in 2009• focus on improvements and scalability• independent version Icinga 2 since 2014•web interfaces and addons

Icinga Core

Nagios based C-sourceMySQL, PostgreSQL, Oracle

Icinga Core

Nagios based C-sourceMySQL, PostgreSQL, Oracle

Icinga Quality, Testing and Community Support

Website and Open Source Ticketing System

Icinga Quality, Testing and Community Support

Website and Open Source Ticketing System

3rd Party Tools3rd Party ToolsIcinga Webbased on PHP using ExtJS, Agavi MVCIcinga Webbased on PHP using ExtJS, Agavi MVC

IDOUTILSIDOUTILS

Icinga Web 2Based on PHP / responsive designIcinga Web 2Based on PHP / responsive design

Icinga 2

C++-based sourcewith multiple components

Icinga 2

C++-based sourcewith multiple components

IDOIDO LivestatusLivestatus ClusterCluster APIAPI ……

ICINGA 2 INTRODUCTION

• monitors everything• in a regular interval• preferring active checks• gathering status• collect performance data / metrics

• notifies using any channel• detects dependencies• handles events in configured way

• forwards logs to Logstash and Graylog• passes performance data to Graphite,

OpenTSDB or InfluxDB• integrate with other tools?

Icinga 2

• release 2.3.8 (2015-07-20)•new code base on C++ and Boost• similar ideas to Nagios• Puppet, Chef and Ansible integration•Packages and Vagrant Box available

WHY NAGIOS™ IS GOOD?

Nagios™ is good, because:

✔ monitoring things is very easy✔ very simple software stack ✔ no complex external dependencies

Nagios™ is good, because:

✔ active checks are powerful✔ gathering performance data✔ huge community✔ thousands of Plugins

OK, BUT WHY ICINGA THEN?

Nagios™ does not scale

✗ it's just a single loop✗ limitations using external interfaces✗ large installations are difficult

Icinga 2 on the other hand

✔ provides a multithreaded engine✔ distributes load in cluster automatically✔ is able to monitor thousands of devices

every few seconds

MODULES

Modules in Nagios™?

# tar xzvf mk-livestatus-1.2.4.tar.gz# cd mk-livestatus-1.2.4 # ./configure --prefix=/usr/local/icinga

--exec-prefix=/usr/local/icinga# make# cp src/livestatus.o /usr/local/icinga/bin

define module { module_name mklivestatus path /usr/local/icinga/bin/livestatus.o module_type neb args /usr/local/icinga/var/rw/live }

CheckerChecker

NotifyNotify

API(soon)API(soon)

CompatCompat ClusterCluster

IDOIDO GELFGELF

GraphiteGraphite

PerfdataPerfdata

OpenTSDBOpenTSDB

LivestatusLivestatus

# icinga2 feature enable livestatus# icinga2 feature enable ido-mysql

# vim /etc/icinga2/features- available/ido-mysql.conf

DEMO

CLUSTERING

How about high available Nagios™?

✗ there is no integrated failover mechanism✗ configuration is not distributed✗ no shared monitoring information

What Icinga 2 provides you

✔ zones for multitenancy environments✔ support for logic splits in the config✔ availability and scaling zones✔ automatic redistribution of checks✔ master / satellite / agent

centra

l

datace

nter

centra

l

datace

nter

CheckerChecker ConfigConfig

LivestatusLive

status

CheckerChecker

DatabaseDatabase

IDOIDO

IDOIDO

remotelocation

CheckerChecker

Nagios™ and security

✗ NSCA works, but not in a good way✗ NRPE has a couple of security issues✗ You can make it secure … by hand

Icinga 2 clustering is PKI TLS only

✔ bidirectional connections✔ helps you setting up a CA✔ replication of events and status

DEMO

CONFIGURATION

Nagios™ config tricks are weird…

define service{host_name linux1,linux2,linux3,...,linux9service_description ssh-checkother service directives ...}

Nagios™ can only do lists

define hostgroup{hostgroup_name linux-serversalias Linux Serversmembers linux1,linux2,linux3}

Icinga 2 brings logic

apply Service "ssh" {import "generic-service”

check_command = "ssh” assign where host.address && host.vars.os == "Linux” ignore where host.vars.test == true}

Icinga 2 wants to unterstand you

object HostGroup "mysql-server" {display_name = "MySQL Server"

assign where match("*mysql*", host.name) assign where host.vars.role == "mysql-server" ignore where host.vars.environment != "production"}

Imagine a host you manage

object Host "shop1.nbg.de.bratwurst.de" { import "generic-host" address = "192.0.2.123"

vars = { environment = "production" role = "webserver" location = "nbg1" application = "bratwurstshop" team = "appsupport" }}

Maybe add templates

template Host "webserver-default" { import "generic-host" vars = { environment = "production" role = "webserver" }}object Host "shop1.nbg.de.bratwurst.de" { import "webserver-default" address = "192.0.2.123"

vars.location = "nbg1" [...]}

Now add some services

apply Service "http" { import "generic-service" check_command = "http" assign where host.role == "webserver"}

apply Service "https" { import "generic-service" check_command = "http" vars.http_ssl = true assign where host.role == "webserver"}

Get notified

apply Notification "host-prod-oncall" to Host { import "mail-host-notification" user_groups = [ "datacenter-oncall" ] timeperiod = "non-workhours" assign where host.environment == "production"}

apply Notification "appsupport-prod-oncall" to Service { import "mail-service-notification" user_groups = [ "appsupport-oncall" ] timeperiod = "non-workhours" assign where host.team == "appsupport" \ && host.environment == "production"}

Define dependencies

apply Dependency "host-in-nbg1" to Host { parent_host_name = "router.nbg1.bratwurst.de"

disable_checks = true disable_notifications = true

assign where host.location == "nbg1" && \ host.role != "router"}

Safe and powerful commands

object CheckCommand "fancy-vendor-check" { import "plugin-check-command"

command = [ PluginDir + "/check_vendor_foo" ]

arguments = { "-H" = "$host.name$" "-C" = "$snmp_community$" "-m" = "$vendor_mode$" "-w" = "$vendor_warning$" "-c" = "$vendor_critical$" } vars.snmp_community = "public"}

Easy to use

apply Service "fancy-vendor test" { import "generic-service"

check_command = "fancy-vendor-check"

vars.snmp_community = "isthissecure" vars.vendor_mode = "proprietary-magic" vars.vendor_warning = "80" vars.vendor_warning = "90"

assign where host.type = "fancy-vendor-node"}

Using commands

● safe against shell injections● clean interface, easy to write● just set a var in service or host● check our ITL template library

ONE MORE THING...

Icinga 2 is enhanceable

object Service "webservice" { import "generic-service" check_command = "load" host_name = "a really great server"

vars.load_wload1 = {{ if (get_time_period("9to5").is_inside) { return 40 } else { return 60 } }}

}

WHAT YOU SEE IS WHAT YOU GET

Nagios CGI

Icinga Classic

Icinga Web 1

✗ limitations in current Icinga interfaces✗ parsing the status.dat is not fast✗ executing commands is tedious✗ really hard to extend and integrate✗ no unified interface so far

Icingaweb 2

• easy to extend and embed•multiple authentication providers• reads from IDO database • responsive

release soonTM

Web 2MySQL /PostgreSQL

MySQL /PostgreSQL2

or Icinga 1

The simplest setup

set up within a few minutes...

Web 2

MonitoringMonitoring DocsDocs

BPBP GraphiteGraphite PNPPNP

Demo

CONCLUSION

Where to start?

•Go to docs.icinga.org• Try our Vagrant VMs•Use Icinga 2 packages•Rethink you configuration• Install Icinga Web 2 and play with it•Give us feedback

#icinga

You?

Berlin 2016

March 1st

Berlin 2016

March 1st

Portland 2015

October 10th

Portland 2015

October 10th

Icinga Camp community meetups

THANK YOU!www.icinga.org

exchange.icinga.org

docs.icinga.org

dev.icinga.org

git.icinga.org

@icinga

/icinga

+icinga