       nsca-ng.cfg - NSCA-ng server configuration file




       The nsca-ng(8) process reads configuration data from the file specified
       with -c on the command line or from /etc/nsca-ng.cfg.

   File Format
       Zero or more global settings and one or  more  authorizations  must  be
       defined  in  the configuration file (see the Global Settings subsection
       and the Authorizations subsection, respectively).  They may  appear  in
       arbitrary  order.   An  authorization  is specified using the authorize
       keyword followed by a (possibly quoted) client identity  string  and  a
       brace-enclosed block of corresponding authorization settings.  However,
       an authorization setting may also be  specified  as  a  global  setting
       outside  of  these  authorize  sections.   In this case, it serves as a
       global fallback  for  authorization  sections  that  don't  define  the
       setting in question.

       Global  settings and authorization settings are defined by specifying a
       variable name followed by an equals sign (“=”) and a value (or possibly
       a  list of values).  Values can be strings, integers, or floating-point
       numbers.  Strings have to be enclosed in single  or  double  quotes  if
       they  contain  whitespace  characters, hash mark characters, or literal
       quotation marks.  Otherwise, quoting is optional.  To specify a literal
       single  or  double  quote in a string, either escape it by preceding it
       with a backslash (“\”) or  quote  the  string  using  the  other  quote
       character.   A  literal  backslash  must  be  preceded  with  a  second
       backslash if the string is enclosed in double quotes.

       A variable can be set to  the  value  of  an  environment  variable  by
       specifying  ${FOO},  where FOO is the name of the environment variable.
       The same can be done by specifying ${FOO:-bar},  except  that  in  this
       case,  the value bar will be assigned when the environment variable FOO
       is not set.

       Any whitespace surrounding tokens is ignored.  Empty lines and comments
       are  also  ignored.  Comments are introduced with a hash mark character
       (“#”) and span to the end of the line.  If the last character of a line
       is  a backslash (“\”), the subsequent line is treated as a continuation
       of the current line (and the backslash is otherwise ignored).

       The special directive include("file") tells  nsca-ng(8)  to  treat  the
       contents of the specified file as if those contents had appeared at the
       point where this  directive  appears.   If  a  directory  is  specified
       instead  of  a  file,  all files with a .cfg or .conf extension in this
       directory and all subdirectories will be included.  Symbolic links  are

       In  the  following subsections, the type of each value is denoted after
       an equals sign in angle brackets.

   Global Settings
       The nsca-ng(8) server recognizes the following global variables.

       chroot = <string>
              On startup, perform  a  chroot(2)  operation  to  the  specified
              directory.   By default, nsca-ng(8) does not call chroot(2).  If
              this  directive  is  used,  the  command_file,   pid_file,   and
              temp_directory must be specified relative to this directory.

       command_file = <string>
              Submit  monitoring  commands  to  the specified path name.  This
              should be the named pipe (FIFO) that  Nagios  (or  a  compatible
              monitoring  solution)  checks  for external commands to process.
              The default is /var/nagios/rw/nagios.cmd.  The  specified  value
              will be overridden if nsca-ng(8) is called with the -C option.

       listen = <string>
              Bind  to  the  specified  IP  address or host name.  The default
              setting  is  “*”,  which  tells  nsca-ng(8)  to  listen  on  all
              available  interfaces.  A colon (“:”) followed by a service name
              or port number may be appended  to  override  the  default  port
              (5668)  used by the nsca-ng(8) server.  The specified value will
              be ignored if nsca-ng(8) is called with the -b option.

       log_level = <integer>
              Use the specified log level, which  must  be  an  integer  value
              between  0  and  5  inclusive.  A value of 0 tells nsca-ng(8) to
              generate only fatal  error  messages,  1  adds  non-fatal  error
              messages,  2  adds  warnings,  3  additionally  spits  out every
              submitted command (plus startup and shutdown  notices),  4  also
              logs  each message sent or received at the protocol level, and 5
              generates additional debug output.  The default log level is  3.
              The  specified  value will be overridden if nsca-ng(8) is called
              with the -l option.

       max_command_size = <integer>
              Refuse monitoring commands (including check result  submissions)
              which  are  longer  than the specified number of bytes.  Setting
              this variable to  0  tells  nsca-ng(8)  to  accept  commands  of
              arbitrary length.  The default value is 16384.

       max_queue_size = <integer>
              Don't queue more than the specified number of megabytes worth of
              monitoring commands while Nagios isn't running (or  not  reading
              the  command  file).   When the amount of available data exceeds
              this threshold,  the  queued  data  is  thrown  away.   If  this
              variable  is  set to 0, nsca-ng(8) queues an unlimited amount of
              data (until it exits due to running out of memory).  The default
              value is 1024 (i.e., 1 gigabyte).

       pid_file = <string>
              During  startup,  try  to create and lock the specified file and
              write the process ID of the nsca-ng(8) daemon into it.  Bail out
              if  another  process  holds a lock on that file.  By default, no
              such  PID  file  is  written.   The  specified  value  will   be
              overridden if nsca-ng(8) is called with the -p option.

       temp_directory = <string>
              Write  temporary  files  to  the specified directory.  Temporary
              files are only written if clients  submit  very  large  commands
              (which  cannot  be written to the named pipe atomically).  It is
              recommended to specify a directory which  resides  on  a  memory
              file system.  By default, /tmp is used.

       timeout = <floating-point>
              Close  the  connection  if a client didn't show any activity for
              the specified number of seconds.  If this value is set  to  0.0,
              nsca-ng(8)  won't  enforce  connection  timeouts.   The  default
              setting is 60.0 seconds.

       tls_ciphers = <string>
              Limit the acceptable TLS-PSK cipher suites to the specified list
              of  ciphers.   The  format  of  the  string  is described in the
              ciphers(1) manual.  By default, the ciphers in the list
              PSK-RC4-SHA will be accepted.

       user = <string>
              Switch to the specified user, and to the groups the user belongs
              to.  This is done early on startup: after the configuration file
              has been read, but before the listening  socket  and  (possibly)
              the  PID file are created.  By default, nsca-ng(8) runs with the
              privileges of the invoking user.

   Authorizations
       As mentioned above, an authorization section  is  introduced  with  the
       authorize  keyword  and  a  client  identity field followed by a brace-
       delimited block of  one  or  more  authorization  settings.   A  client
       provides its identity during the connection handshake.  The server uses
       the provided identity string  for  looking  up  the  authorize  section
       applicable  to  the client.  The corresponding section, if any, defines
       the  authentication  and  authorization  settings  for  the  client  in
       question.  If no section explicitly defined for this client identity is
       found, but a section for the special client identity "*" (including the
       quotes)  is  defined, this section is used as a fallback.  Note that no
       other wildcard characters are available, and that the “*” character has
       no  special  meaning in the client identity field except when specified
       exactly as described.

       Within the brace-delimited block of an  authorization  section,  values
       may  be  assigned  to  the variables listed below.  The pattern strings
       assigned to the commands,  hosts,  and  services  variables  are  POSIX
       “extended”  regular  expressions,  but  with  an  implicit  “^”  at the
       beginning and “$” at the end of the patterns.  Multiple patterns can be
       specified  as a brace-enclosed, comma-separated list; check results and
       commands will then be accepted if  they  match  any  of  the  specified
       patterns.   Commands  and  check  results will be rejected unless these
       settings authorize the client to submit them.

       commands = <(list of) string(s)>
              Match the  specified  regular  expression(s)  against  submitted
              monitoring  commands and accept commands that match any of these
              expressions.  The patterns are matched against the full  command
              string  supplied by the client, except for the leading bracketed
              timestamp and any whitespace following that timestamp.

       hosts = <(list of) string(s)>
              Match the specified  regular  expression(s)  against  the  “host
              name”   field   of   client-supplied   PROCESS_HOST_CHECK_RESULT
              commands and accept such commands if they  match  any  of  these

       password = <string>
              Reject  connections  from  clients  that don't use the specified
              password.  This setting is mandatory.

       services = <(list of) string(s)>
              Match the specified regular expression(s) against  the  “service
              description”          field          of          client-supplied
              PROCESS_SERVICE_CHECK_RESULT commands and accept  such  commands
              if  they  match any of these expressions.  If a specified string
              includes one or more at signs (“@”), only the part preceding the
              last   of  these  at  signs  is  matched  against  the  “service
              description” field.  The part following this at sign is used  as
              a  separate  pattern  which  is  matched against the “host name”
              field of the same command.   A  service  check  result  is  then
              accepted only if both matches succeed for a given command.
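
       The following sketch is an added example, not part of the original
       manual or of the NSCA-ng code.  It models the identity lookup and the
       pattern rules described above.  The AUTHORIZE table, the function
       names, and the sample commands are constructed; Python's re module
       stands in for POSIX extended regular expressions, and no global
       fallback settings are assumed.

```python
import re

# Constructed table mirroring authorize sections (passwords left out).
AUTHORIZE = {
    "root": {"commands": [".*"]},
    "checker": {"hosts": [".*"], "services": [".*"]},
    "web-checker": {"services": [".+@www.*"]},
    "nsca-checker": {},
    "*": {"services": ["disk", "swap", "load"]},
}

def full(pattern, text):
    # Implicit "^" and "$": the whole field must match. Python's re stands
    # in for POSIX ERE here (an approximation).
    return re.fullmatch(pattern, text) is not None

def section_for(identity):
    # Exact identity first; the literal "*" section is the only fallback.
    return AUTHORIZE.get(identity, AUTHORIZE.get("*"))

def is_authorized(identity, command):
    section = section_for(identity)
    if section is None:
        return False
    # Drop the leading bracketed timestamp and the whitespace after it.
    body = re.sub(r"^\[[^\]]*\]\s*", "", command)
    if any(full(p, body) for p in section.get("commands", [])):
        return True
    fields = body.split(";")
    if fields[0] == "PROCESS_HOST_CHECK_RESULT" and len(fields) >= 2:
        return any(full(p, fields[1]) for p in section.get("hosts", []))
    if fields[0] == "PROCESS_SERVICE_CHECK_RESULT" and len(fields) >= 3:
        host, service = fields[1], fields[2]
        for p in section.get("services", []):
            # Split at the last "@": service pattern on the left, host
            # pattern on the right; without "@" any host is accepted.
            svc_pat, at, host_pat = p.rpartition("@")
            if not at:
                svc_pat, host_pat = p, ".*"
            if full(svc_pat, service) and full(host_pat, host):
                return True
    return False

# Constructed sample submissions.
SVC = "[1700000000] PROCESS_SERVICE_CHECK_RESULT;%s;%s;0;OK"
if __name__ == "__main__":
    for who, cmd in [("web-checker", SVC % ("www1", "http")),
                     ("web-checker", SVC % ("db1", "http")),
                     ("backup-01", SVC % ("db1", "disk")),
                     ("backup-01", SVC % ("db1", "disk_root"))]:
        print(who, cmd, "->", "accept" if is_authorized(who, cmd) else "reject")
```

       Because of the implicit anchors, the pattern "disk" accepts the
       service "disk" but rejects "disk_root"; a pattern has to say ".*"
       explicitly to allow a suffix.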


       The /etc/nsca-ng.cfg file might look similar to the following example.

              user = "nagios"
              chroot = "/var/nagios" # Other paths are relative to this one!
              command_file = "/rw/nagios.cmd"
              pid_file = "/run/"
              temp_directory = "/dev/shm"
              listen = ""
              tls_ciphers = "PSK-AES256-CBC-SHA"
              log_level = 3
              max_command_size = 65536
              max_queue_size = 128
              timeout = 15.0

              # Authenticated "root" clients may submit arbitrary check
              # results and any other monitoring commands (see:
              # <>).
              authorize "root" {
                  password = "g3m25sMCUAO4NecZGld1H4xcJ9uDWvhH"
                  commands = ".*"
              }

              # Authenticated "checker" clients may submit arbitrary check
              # results, but no other commands.
              authorize "checker" {
                  password = "ilzNanlE9XjMLdjrMkXnk09XBCTFQrj5"
                  hosts = ".*"
                  services = ".*"
              }

              # Authenticated "web-checker" clients may submit check results
              # for arbitrary services on hosts whose names begin with "www".
              authorize "web-checker" {
                  password = "m2uaIWwiq3AIqN55m3QdjwptkU1Q4Oov"
                  services = ".+@www.*"
              }

              # Authenticated "nsca-checker" clients may talk to the NSCA-ng
              # server, but may not submit anything to Nagios.
              authorize "nsca-checker" {
                  password = "ceOKwxpz14lKXroC4yUjJZbov6VAyKuT"
              }

              # Other authenticated clients may submit check results for the
              # "disk", "swap", and "load" services on arbitrary hosts.
              authorize "*" {
                  password = "awHW5vxr3DcA9EvcUC9T3a90QfEexsWd"
                  services = {
                      "disk",
                      "swap",
                      "load"
                  }
              }


       Please  set  the  permissions  appropriately  to  make  sure  that only
       authorized users can access the /etc/nsca-ng.cfg file.


       nsca-ng(8), send_nsca(8), send_nsca.cfg(5), regex(7)


       Holger Weiss

