Scanning for Parents

Defining Parents

Nagios lets you define parents of a host. A host definition including a parent could look like this:

define host {
    use            default-host
    host_name      zabc123
    address        192.168.77.18
    host_groups    linux,test
    parents        router-08-15
}

Defining parents is completely optional but has two benefits:

• You can get a nice map of your network topology either by Nagios or - better - by a NagVis automap.
• Nagios can detect network outages and thus reduce alerts in case a router goes down and makes a complete subnet unreachable.

Scanning for parents with Check_MK

If you have a large number of hosts and networks, defining the parents can be much work. As of version 1.1.7i2 Check_MK can help by performing an automatic scan for parents in network layer 3. That means that all routers visible by traceroute can be detected. Switches which work transparent on layer 3 will not be considered.

All you have to do for performing a scan is:

1. Set monitoring_host to the Nagios host name of your Nagios host in main.mk (or any other *.mk file).
2. Call check_mk with the option --scan-parents.
3. Let Check_MK re-create your configuration and restart Nagios
.

1. Setting the monitoring host

It is common practise that Nagios is monitoring the host it is running on. Some people name this host localhost in their Nagios configuration. Others use the external host name of the monitoring host. In the latter case you should define that host in main.mk. Check_MK will than use that host as parent for all hosts that are in the same LAN as Nagios:

monitoring_host = "znag01"

If the monitoring host is the only one without a parent, NagVis will be able to create a nice "automap" showing the topology of your network.

2. Calling --scan_parents

Before starting the scan, please make sure that traceroute is installed and in your executable $PATH. Then simply call:

root@linux# check_mk --scan-parents
Scanning for parents.......
Wrote /etc/check_mk/conf.d/parents.mk

Depending on your network, this operation can take some while. For each of your hosts traceroute is called once. Depending on the result of the scan for each scanned host one character is being output:

Symbol	Color	Explanation
N	white	This host is the monitoring host itself
L	cyan	This host is directly reachable by the monitoring host (which has been configured as parent)
*	red	traceroute has failed (exited with a non-zero code). No parent has been configured.
!	red	traceroute is not executable. Please note that root permissions or SUID is needed for executing traceroute.
o	red	Incomplete output from traceroute, no routes have been found.
o	blue	No usable routing information in the output from traceroute. No parent has been configured.
G	green	A gateway has been found and configured as parent

When the scan has finished, a new file parents.mk is created directly in your conf.d/ directory of Check_MK. That file contains parent definitions for all of your hosts except your monitoring host.

3. Restart

After that a simple restart of Check_MK is sufficient:

root@linux# check_mk -O
Generating Nagios configuration...OK
Validating Nagios configuration...OK
Precompiling host checks...OK
Reloading Nagios...OK

Limiting the parent scan to certain hosts

In some situations the scan with traceroute will not suffice, unfortunately. In yet other situations you will probably not agree with the outcome of the scan. In those cases you have two options:

1. Manually define parents for those hosts.
2. Disabling the scan for those hosts

Disabling the scan for hosts is done by positively defining all hosts a scan should take be done for in scanparent_hosts. It is a binary configuration list similar to bulkwalk_hosts. The following example will enable the scan for all hosts with the tags linux or windows and disable it for all other hosts:

scanparent_hosts = [
  ( [ "linux" ], ALL_HOSTS ),
  ( [ "windows" ], ALL_HOSTS ),
]

Another way is to exclude some hosts using NEGATE. The following example excludes the hosts srv01 and srv02 and all hosts with the tag snmp from the scan:

scanparent_hosts = [
  ( NEGATE, [ "srv01", "srv02" ] ),
  ( NEGATE, [ "snmp" ], ALL_HOSTS ),
  ( ALL_HOSTS, ),
]

Please note the comma after ALL_HOSTS in the last line: if you put only one value into brackets you need that comma in order to make a one-tuple.

How the parents are determined

In order to understand how Check_MK works, lets first look at the output a a traceroute to example.com:

root@linux# traceroute -n example.com
traceroute to example.com (192.0.32.10), 30 hops max, 40 byte packets
 1  * * *
 2  10.0.0.254  2.671 ms  2.201 ms  2.160 ms
 3  172.16.0.254  3.356 ms  0.240 ms  1.372 ms
 4  217.0.116.201  44.604 ms  50.215 ms  50.213 ms
 5  217.0.76.134  57.055 ms  59.370 ms  59.087 ms
 6  62.154.16.161  60.765 ms  60.687 ms  61.849 ms
 7  4.68.110.253  61.206 ms  69.780 ms *
 8  * 4.68.23.126  44.924 ms  62.137 ms
 9  4.69.140.29  48.850 ms  50.315 ms 4.69.140.25  49.714 ms
10  4.69.137.58  139.363 ms 4.69.137.54  138.738 ms 4.69.137.62  140.824 ms
11  4.69.134.154  150.716 ms 4.69.134.146  141.398 ms 4.69.134.158  146.083 ms
12  4.69.134.177  137.426 ms 4.69.134.185  145.482 ms  139.635 ms
13  4.69.132.81  229.420 ms  221.017 ms  222.144 ms
14  4.69.144.131  211.357 ms 4.69.144.195  211.594 ms 4.69.144.3  210.415 ms
15  * * *
16  192.0.32.10  210.644 ms  210.914 ms  210.555 ms

Check_MK's algorithm works like this:

1. First the IP address of the last hop before the target is determined. If that does not answer (line 15), the hop nearest to the target is being used (4.69.144.131).

2. If the only hop is the target host itself or if traceroute does not work at all, the target host is assumed to be directly reachable from the monitoring host and gets the monitoring_host as parent.

3. If the target host is the monitoring_host itself, it gets no parent.

4. Since parents are not IP addresses but host names in Nagios, Check_MK now tries to find a host with the IP address of the parent in your Check_MK definitions. This uses forward DNS and the variable ipaddresses, just as while creating the host configuration. If the parent is found that way, it is used as parent.

5. If no host with the IP address is found, Check_MK creates an artificial host and adds it to all_hosts. For the IP-address 4.69.144.131 the host name will be gw-4-69-144-131 and get the tag parent.

All data is written into parents.mk, which will be overwritten the next time you call --scan-parents. If you want to change the names of the artificial gateway hosts, do not do this in parents.mk but move the definitions of those hosts into another *.mk file. This will also prevent Check_MK to create a gateway host with that IP address next time you run --scan-parents.

Here is an example for the created file parents.mk:

# Automatically created by --scan-parents at Mon Jul 12 18:35:54 2010

# Do not edit this file. If you want to convert an
# artificial gateway host into a permanent one, then
# move its definition into another *.mk file
# Parents which are not listed in your all_hosts:
all_hosts += ['gw-217-243-218-38|parent',
 'gw-195-20-247-53|parent',
 'gw-209-85-254-114|parent']

# IP addresses of parents not listed in all_hosts:
ipaddresses.update({'gw-195-20-247-53': '195.20.247.53',
 'gw-209-85-254-114': '209.85.254.114',
 'gw-217-243-218-38': '217.243.218.38'})

# Parent definitions
parents += [('nagios1', ['gw-217-243-218-38']),
 ('gw-217-243-218-38', ['heise.de']),
 ('nagios1', ['gw-195-20-247-53']),
 ('gw-195-20-247-53', ['mathias-kettner.de']),
 ('nagios1', ['gw-209-85-254-114']),
 ('gw-209-85-254-114', ['google-dns'])]

Performance tuning

Doing a traceroute on all of your hosts can take quite a long time. Therefore, Check_MK always runs a number of processes in parallel. This number is 50 per default. You can change this in main.mk:

max_num_processes = 100

Another way is to add the option --procs when doing the scan:

root@linux# check_mk --scan-parents --procs 200

Check_MK can never start more processes than you have hosts to scan.

If you are experience problems with permission denied while running as normal user, please either reduce the number of processes or add the SUID bit to /usr/sbin/traceroute thus making run that command as root, if you do not care about a potential security problem here:

root@linux# chmod 4755 /usr/sbin/traceroute