nsca-ng.cfg(5)		      The NSCA-ng Manual		nsca-ng.cfg(5)

NAME
       nsca-ng.cfg - NSCA-ng server configuration file

SYNOPSIS
       /usr/local/etc/nsca-ng.cfg

DESCRIPTION
       The nsca-ng(8) process reads configuration data from the	file specified
       with -c on the command line or from /usr/local/etc/nsca-ng.cfg.

   File	Format
       Zero or more global settings and	one or more authorizations must	be de-
       fined in	the configuration file (see the	Global Settings	subsection and
       the Authorizations subsection, respectively).  They may appear in arbi-
       trary order.  An	authorization is specified using the authorize keyword
       followed	 by a (possibly	quoted)	client identity	string and a brace-en-
       closed block of corresponding authorization settings.  However, an  au-
       thorization  setting  may also be specified as a	global setting outside
       of these	authorize sections.  In	this case, it serves as	a global fall-
       back for	authorization sections that don't define the setting in	 ques-
       tion.

       Global  settings	and authorization settings are defined by specifying a
       variable	name followed by an equals sign	("=") and a value (or possibly
       a list of values).  Values can be strings, integers, or	floating-point
       numbers.	  Strings  have	 to  be	enclosed in single or double quotes if
       they contain whitespace characters, hash	mark  characters,  or  literal
       quotation marks.	 Otherwise, quoting is optional.  To specify a literal
       single  or  double  quote in a string, either escape it by preceding it
       with a backslash	("\") or quote the string using	the other quote	 char-
       acter.  A literal backslash must	be preceded with a second backslash if
       the string is enclosed in double	quotes.

       A variable can be set to	the value of an	environment variable by	speci-
       fying  ${FOO},  where FOO is the	name of	the environment	variable.  The
       same can	be done	by specifying ${FOO:-bar}, except that in  this	 case,
       the value bar will be assigned when the environment variable FOO	is not
       set.

       Any whitespace surrounding tokens is ignored.  Empty lines and comments
       are  also  ignored.  Comments are introduced with a hash	mark character
       ("#") and span to the end of the	line.  If the last character of	a line
       is a backslash ("\"), the subsequent line is treated as a  continuation
       of the current line (and	the backslash is otherwise ignored).

       The  special  directive	include("file")	 tells nsca-ng(8) to treat the
       contents	of the specified file as if those contents had appeared	at the
       point where this	directive appears.  If a directory  is	specified  in-
       stead  of  a file, all files with a .cfg	or .conf extension in this di-
       rectory and all subdirectories will be included.	  Symbolic  links  are
       followed.

       In  the	following subsections, the type	of each	value is denoted after
       an equals sign in angle brackets.

   Global Settings
       The nsca-ng(8) server recognizes	the following global variables.

       chroot =	<string>
              On startup, perform a chroot(2) operation to the specified
              directory.  By default, nsca-ng(8) does not call chroot(2).  If
              this directive is used, the command_file, pid_file, and
              temp_directory must be specified relative to this directory.

       command_file = <string>
	      Submit monitoring	commands to the	 specified  path  name.	  This
	      should  be  the  named  pipe (FIFO) that Nagios (or a compatible
	      monitoring solution) checks for external	commands  to  process.
	      The   default  is	 /var/spool/nagios/nagios/rw/nagios.cmd.   The
	      specified	value will be overridden if nsca-ng(8) is called  with
	      the -C option.

       listen =	<string>
	      Bind to the specified IP address or host name.  The default set-
	      ting  is	"*", which tells nsca-ng(8) to listen on all available
	      interfaces.  A colon (":") followed by a service	name  or  port
	      number  may be appended to override the default port (5668) used
              by the nsca-ng(8) server.  The specified value will be ignored
              if nsca-ng(8) is called with the -b option, or if it is socket
              activated by systemd(1).

       log_level = <integer>
	      Use the specified	log level, which must be an integer value  be-
	      tween  0 and 5 inclusive.	 A value of 0 tells nsca-ng(8) to gen-
	      erate only fatal error messages, 1  adds	non-fatal  error  mes-
	      sages, 2 adds warnings, 3	additionally spits out every submitted
	      command  (plus  startup  and shutdown notices), 4	also logs each
	      message sent or received at the protocol level, and 5  generates
	      additional debug output.	The default log	level is 3.  The spec-
	      ified  value will	be overridden if nsca-ng(8) is called with the
	      -l option.

       max_command_size	= <integer>
	      Refuse monitoring	commands (including check result  submissions)
	      which  are  longer  than the specified number of bytes.  Setting
	      this variable to 0 tells nsca-ng(8) to accept commands of	 arbi-
	      trary length.  The default value is 16384.

       max_queue_size =	<integer>
	      Don't queue more than the	specified number of megabytes worth of
	      monitoring  commands  while Nagios isn't running (or not reading
	      the command file).  When the amount of  available	 data  exceeds
	      this  threshold,	the queued data	is thrown away.	 If this vari-
	      able is set to 0,	nsca-ng(8) queues an unlimited amount of  data
	      (until  it  exits	 due  to  running out of memory).  The default
	      value is 1024 (i.e., 1 gigabyte).

       pid_file	= <string>
	      During startup, try to create and	lock the  specified  file  and
	      write the	process	ID of the nsca-ng(8) daemon into it.  Bail out
	      if  another  process  holds a lock on that file.	By default, no
	      such PID file is written.	 The specified value will be  overrid-
	      den if nsca-ng(8)	is called with the -p option.

       temp_directory =	<string>
	      Write  temporary	files  to  the specified directory.  Temporary
	      files are	only written if	clients	 submit	 very  large  commands
	      (which  cannot  be written to the	named pipe atomically).	 It is
	      recommended to specify a directory which	resides	 on  a	memory
	      file system.  By default,	/tmp is	used.

       timeout = <floating-point>
	      Close  the  connection  if a client didn't show any activity for
	      the specified number of seconds.	If this	value is set  to  0.0,
	      nsca-ng(8)  won't	enforce	connection timeouts.  The default set-
	      ting is 60.0 seconds.

       tls_ciphers = <string>
              Limit the acceptable TLS-PSK cipher suites to the specified list
              of ciphers.  The format of the string is described in the
              ciphers(1) manual.  By default, the ciphers in the list
              PSK-AES256-CBC-SHA:PSK-AES128-CBC-SHA:PSK-3DES-EDE-CBC-SHA:PSK-RC4-SHA
              will be accepted.

       user = <string>
	      Switch to	the specified user, and	to the groups the user belongs
	      to.  This	is done	early on startup: after	the configuration file
	      has been read, but before	the listening  socket  and  (possibly)
	      the  PID file are	created.  By default, nsca-ng(8) runs with the
	      privileges of the	invoking user.

   Authorizations
       As mentioned above, an authorization section is introduced with the au-
       thorize keyword and a client identity field followed by a  brace-delim-
       ited  block  of	one or more authorization settings.  A client provides
       its identity during the connection handshake.  The server uses the pro-
       vided identity string for looking up the	authorize  section  applicable
       to  the client.	The corresponding section, if any, defines the authen-
       tication	and authorization settings for the client in question.	If  no
       section	explicitly  defined  for  this client identity is found, but a
       section for the special client identity "*" (including the  quotes)  is
       defined,	 this section is used as a fallback.  Note that	no other wild-
       card characters are available, and that the "*" character has  no  spe-
       cial meaning in the client identity field except	when specified exactly
       as described.

       Within  the  brace-delimited  block of an authorization section,	values
       may be assigned to the variables	listed below.  The pattern strings as-
       signed to the commands, hosts, and services variables  are  POSIX  "ex-
       tended"	regular	expressions, but with an implicit "^" at the beginning
       and "$" at the end of the patterns.  Multiple patterns can be specified
       as a brace-enclosed, comma-separated list; check	results	 and  commands
       will  then  be  accepted	 if  they match	any of the specified patterns.
       Commands	and check results will be rejected unless these	 settings  au-
       thorize the client to submit them.

       commands	= <(list of) string(s)>
	      Match the	specified regular expression(s)	against	submitted mon-
	      itoring commands and accept commands that	match any of these ex-
	      pressions.   The	patterns  are matched against the full command
	      string supplied by the client, except for	the leading  bracketed
	      timestamp	and any	whitespace following that timestamp.

       hosts = <(list of) string(s)>
	      Match  the  specified  regular  expression(s)  against the "host
	      name" field of  client-supplied  PROCESS_HOST_CHECK_RESULT  com-
	      mands  and  accept  such commands	if they	match any of these ex-
	      pressions.

       password	= <string>
	      Reject connections from clients that  don't  use	the  specified
	      password.	 This setting is mandatory.

       services	= <(list of) string(s)>
              Match the specified regular expression(s) against the "service
              description" field of client-supplied
              PROCESS_SERVICE_CHECK_RESULT commands and accept such commands
              if they match any of these expressions.  If a specified string
              includes one or more at signs ("@"), only the part preceding
              the last of these at signs is matched against the "service
              description" field.  The part following this at sign is used as
              a separate pattern which is matched against the "host name"
              field of the same command.  A service check result is then
              accepted only if both matches succeed for a given command.
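
       The matching rules of this subsection, modelled in Python as an added
       example (not NSCA-ng's own code).  Assumptions: Python's re module
       stands in for POSIX extended regular expressions, and the names
       authorized, svc and the dict layout are hypothetical.

```python
import re

def _full(pattern, value):
    # Implicit "^" and "$": the pattern must cover the whole field.
    # Assumption: Python's re stands in for POSIX extended regexes.
    return re.fullmatch(pattern, value) is not None

def _service_ok(pattern, host, service):
    # "service@host": split at the LAST at sign; both halves must match.
    if "@" in pattern:
        svc_pat, host_pat = pattern.rsplit("@", 1)
        return _full(svc_pat, service) and _full(host_pat, host)
    return _full(pattern, service)

def authorized(auth, command):
    """Decide whether one authorize section (dict of pattern lists) admits command."""
    # Patterns never see the leading bracketed timestamp or the whitespace after it.
    body = re.sub(r"^\[[^\]]*\]\s*", "", command)
    if any(_full(p, body) for p in auth.get("commands", [])):
        return True
    fields = body.split(";")
    if fields[0] == "PROCESS_HOST_CHECK_RESULT" and len(fields) > 1:
        return any(_full(p, fields[1]) for p in auth.get("hosts", []))
    if fields[0] == "PROCESS_SERVICE_CHECK_RESULT" and len(fields) > 2:
        return any(_service_ok(p, fields[1], fields[2])
                   for p in auth.get("services", []))
    return False  # nothing authorizes it, so it is rejected

# Sections from this page's EXAMPLES (passwords left out).
WEB_CHECKER = {"services": [".+@www.*"]}
CHECKER = {"hosts": [".*"], "services": [".*"]}
FALLBACK = {"services": ["disk", "swap", "load"]}

# Constructed submissions in the Nagios external-command layout.
def svc(host, service):
    return f"[1552989600] PROCESS_SERVICE_CHECK_RESULT;{host};{service};0;OK"

if __name__ == "__main__":
    for auth, cmd in [(WEB_CHECKER, svc("www1", "HTTP")),
                      (WEB_CHECKER, svc("db1", "HTTP")),
                      (FALLBACK, svc("db1", "disk")),
                      (FALLBACK, svc("db1", "disk_root")),
                      (CHECKER, "[1552989600] DISABLE_NOTIFICATIONS")]:
        print(authorized(auth, cmd), cmd)
```

       Because of the implicit anchors, the pattern "disk" admits the service
       "disk" but not "disk_root"; a prefix match needs an explicit "disk.*".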

EXAMPLES
       The /usr/local/etc/nsca-ng.cfg file might look similar to the following
       example.

	      user = "nagios"
	      chroot = "/var/nagios" # Other paths are relative	to this	one!
	      command_file = "/rw/nagios.cmd"
	      pid_file = "/run/nsca-ng.pid"
	      temp_directory = "/dev/shm"
	      listen = "monitoring.example.com:5668"
	      tls_ciphers = "PSK-AES256-CBC-SHA"
	      log_level	= 3
	      max_command_size = 65536
	      max_queue_size = 128
	      timeout =	15.0

	      #
	      #	Authenticated "root" clients may submit	arbitrary check
	      #	results	and any	other monitoring commands (see:
	      #	<http://nagios.org/developerinfo/externalcommands/>).
	      #
	      authorize	"root" {
		  password = "g3m25sMCUAO4NecZGld1H4xcJ9uDWvhH"
		  commands = ".*"
	      }

	      #
	      #	Authenticated "checker"	clients	may submit arbitrary check
	      #	results, but no	other commands.
	      #
	      authorize	"checker" {
		  password = "ilzNanlE9XjMLdjrMkXnk09XBCTFQrj5"
		  hosts	= ".*"
		  services = ".*"
	      }

	      #
	      #	Authenticated "web-checker" clients may	submit check results
	      #	for arbitrary services on hosts	whose names begin with "www".
	      #
	      authorize	"web-checker" {
		  password = "m2uaIWwiq3AIqN55m3QdjwptkU1Q4Oov"
		  services = ".+@www.*"
	      }

	      #
	      #	Authenticated "nsca-checker" clients may talk to the NSCA-ng
	      #	server,	but may	not submit anything to Nagios.
	      #
	      authorize	"nsca-checker" {
		  password = "ceOKwxpz14lKXroC4yUjJZbov6VAyKuT"
	      }

	      #
	      #	Other authenticated clients may	submit check results for the
	      #	"disk",	"swap",	and "load" services on arbitrary hosts.
	      #
	      authorize	"*" {
		  password = "awHW5vxr3DcA9EvcUC9T3a90QfEexsWd"
		  services = {
		      "disk",
		      "swap",
		      "load"
		  }
	      }

CAVEATS
       Please  set the permissions appropriately to make sure that only	autho-
       rized users can access the /usr/local/etc/nsca-ng.cfg file.
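
       A small audit of the file permissions mentioned here and of the global
       defaults documented above, as an added example (not part of NSCA-ng).
       Assumptions: the reader is simplified (no include(), ${FOO} expansion
       or line continuation), only explicitly named ciphers are checked, and
       all function names are hypothetical.

```python
import os, re, stat

# Documented default cipher list, and settings where 0 removes the limit.
DEFAULT_CIPHERS = ("PSK-AES256-CBC-SHA:PSK-AES128-CBC-SHA:"
                   "PSK-3DES-EDE-CBC-SHA:PSK-RC4-SHA")
UNBOUNDED = {"max_command_size": "commands of arbitrary length are accepted",
             "max_queue_size": "queue grows until memory runs out",
             "timeout": "connection timeouts are not enforced"}
_TOKEN = re.compile(r'"(?:\\.|[^"\\])*"|\'(?:\\.|[^\'\\])*\'|#.*')

def global_settings(text):
    """Return top-level `name = value` pairs (simplified reader, see lead-in)."""
    settings, depth = {}, 0
    for raw in text.splitlines():
        # Drop comments but keep a "#" that sits inside a quoted string.
        line = _TOKEN.sub(lambda m: "" if m.group().startswith("#")
                          else m.group(), raw).strip()
        found = re.match(r"(\w+)\s*=\s*(.+)$", line)
        if depth == 0 and found:
            settings[found.group(1)] = found.group(2).strip("\"'")
        bare = _TOKEN.sub("", line)  # quoted text removed before counting braces
        depth += bare.count("{") - bare.count("}")
    return settings

def audit(text, mode=None):
    """List findings based on the defaults and limits this page documents."""
    s, out = global_settings(text), []
    ciphers = s.get("tls_ciphers", DEFAULT_CIPHERS)  # unset means default list
    names = [t for t in re.split(r"[:, ]+", ciphers) if t and t[0] not in "!-"]
    out += [f"tls_ciphers allows {w}" for w in ("RC4", "3DES")
            if any(w in t for t in names)]
    out += [f"{k} = 0: {why}" for k, why in UNBOUNDED.items()
            if re.fullmatch(r"0(\.0*)?", s.get(k, ""))]
    if "user" not in s:
        out.append("user unset: runs with the invoking user's privileges")
    if mode is not None and mode & stat.S_IRWXO:
        out.append(f"mode {stat.S_IMODE(mode):o}: file is open to other users")
    return out

def audit_file(path):
    with open(path) as fh:
        return audit(fh.read(), os.stat(path).st_mode)

SAMPLE = '''# Constructed sample, not a real deployment.
listen = "*"            # all interfaces
max_queue_size = 0
authorize "checker" {
    password = "constructed#placeholder"
}
'''
```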

SEE ALSO
       nsca-ng(8), send_nsca(8), send_nsca.cfg(5), regex(7)

       http://www.nagios.org/developerinfo/externalcommands/

AUTHOR
       Holger Weiss <holger@weiss.in-berlin.de>

Version	1.6			March 19, 2019			nsca-ng.cfg(5)
