用Nagios和OpenBSD监视

[leo]

原文地址: http://www.kernel-panic.it/openbsd/nagios/
感谢原作者的辛勤劳动，此翻译文档仅供JR社区会员内部讨论，请勿转载，多谢！
如果您在实操中发现问题，请跟帖说明。

1. 介绍
目前我们基于OpenBSD的网络包括 冗余的防火墙, 域名服务器, 邮件服务器 和一个 web代理缓存服务器. 所有这些提供服务的主机都特别重要，而且不能忍受最短的停机。 在愤怒的客户来敲门前，冗余可以为我们恢复失效的服务器争取一些时间，不过它可不能帮助检查和解决今后可能出现的问题。
简而言之, 现在我们需要考虑一个网络监视方案! 下面我们将介绍如何建立一个全功能、安全的可靠的网络监视系统:


OpenBSD
[INDENT]处处设防的操作系统, 在很长的时间内默认安装仅发现了两个远程漏洞!;
[/INDENT]Nagios
[INDENT]企业系统的网络应用和监视的领导者和工业标准;
[/INDENT]Apache
[INDENT]安全、高效、可扩展的符合当前HTTP标准的web服务器。
[/INDENT]
我选择Nagios是因为其易用性, 灵活性和可扩展性。它还具有非常干净、简单的设计, 因为它由3个基本组件组成:

• 一个守护进程, 在特定的主机上周期性地执行检查且在发现问题时提供提醒和管理服务;
• 一个可选的web接口, 可简单地通过一个web浏览器对当前状态信息、历史日志、报告的访问;
• 一组外部插件, 也就是 (可定制) 的由该守护进程执行的脚本，这些脚本可以完成检查和发送通知。

而且, 这些组件可以很简单地应用外部模块进行扩展, 这可以让Nagios满足你更多的需要! 因此, 安装和配置好Nagios的核心组件后, 我们还将简要介绍一些最流行和实用的 插件:

• NRPE, Nagios的远程执行程序, 它允许你在远程主机上执行本地插件;
• NSCA, Nagios服务检查接受器, 它检查从客户端提交到Nagios服务器的被动服务的结果;
• NagVis, Nagios可视化插件, 它允许你更深入地定制Nagios的数据显示方式;

我们假设你熟知OpenBSD, 因此这里不涉及如何进行系统基本配置和packages/ports安装的问题。

[leo]

2. 安装和基本配置

在深入讨论Nagios的安装和配置细节以前, 我们先熟悉一下将要监视的网络结构。这使一个简单的小型网络, 主要组成部件是:

• 一个LAN (172.16.0.0/24), 包含了客户端和无法从公共Internet访问的服务器(例如 file server, DHCP server);
• 一个DMZ (172.16.240.0/24), 包含了必须从Internet可访问的访问的服务器 (例如 mail, web 和 proxy servers);
• 一个小型子网 (172.16.250.0/24) 内的路由器, 这个路由器连接将DMZ和Internet。

我们的监视系统是一台安全的关键主机，不需要直接访问Internet, 所以它非常适合放置在内部的LAN里。
OpenBSD的安装步骤在 官方FAQ 里有详细的描述, 所以我们在这里就不费唇舌了。Nagios 并无特殊的要求，标准的OpenBSD安装就可以满足其需要: 根据此 文档, Nagios仅需一台运行Linux (或者各种 UNIX)的系统。并不挑剔对吧?

2.1 Packages安装


Nagios仅需要 安装很少的packages:

• libiconv-x.x.x.tgz
• gettext-x.x.x.tgz
• pcre-x.x.tgz
• glib2-x.x.x.tgz
• libltdl-x.x.tgz
• nagios-plugins-x.x.tgz
• nagios-x.x-chroot.tgz
• nagios-web-x.x-chroot.tgz

安装过程会自动创建Nagios运行所需的用户和组 (_nagios)，Nagios会以这个用户和组的身份运行监视进程。chroot的flavor（类型）的Nagios package可以适应chroot的 httpd(8), 也就是说，系统内的 CGIs 都是静态链接的，并且所有的配置文件和日志全包存在 /var/www 目录内。顺便说一下, Nagios具有一个特殊的目录结构，你必须对其有所了解 :

/var/www/nagios/
[INDENT]这个目录里包含为web接口准备的静态HTML网页以及在线文档;
[/INDENT]/var/www/cgi-bin/nagios/
[INDENT]包含了web接口的动态CGI网页, 它提取并显示当前实际监测目标的状态信息;
[/INDENT]/var/www/etc/nagios/
[INDENT]你应该将所有的Nagios配置文件放在这个目录内: 我们马上会逐个解释这些文件;
[/INDENT]/var/www/var/log/nagios/
[INDENT]Nagios将在这个目录创建 log, status 和 retention 文件;
[/INDENT]/var/www/var/log/nagios/archives/
[INDENT]Nagios的log文件被周期性地轮替并移到此目录下;
[/INDENT]/var/www/var/nagios/rw/
[INDENT]包含 外部命令文件;
[/INDENT]/usr/local/libexec/nagios/
[INDENT]包含标注的 插件。
[/INDENT]为了参考, 下面是一张Nagios的目录结构示意图, 多谢Bren Smith提供。



2.2 配置概述
Nagios配置对头一次接触人略显复杂; 虽然 文档 已经警告你了：Nagios是非常强大和灵活的, （leo:你已经大致上有些心理准备了）但是要将其调整为适合你的配置仍旧需要做很多工作了。不过, 别丧气! 一旦你了解了Nagios"object-oriented"配置的基本原理, 你就会喜欢上Nagios的灵活性和干净的设计了。作为初次尝试, 你可以从 /usr/local/share/examples/nagios/ 目录里的示例配置文件开始，然后逐渐调整为适合自己需要的配置。


Nagios配置文件的语法遵循一些基本原则:

• 注释行以 "#" 字符开始和结束;
• 变量名必须出现在每行的开头 (i.e. no indentation allowed不能出现在行中间);
• 变量名大小写敏感;
• "=" 号前后不能有空格。

配置包含设置一些相关 监视进程 参数, CGIs , 当然还有, 你需要监视的 主机和服务 。这些都分散在多个文件内: 我们会逐一检查。

2.2.1 主配置文件
Nagios的整体行为由包含在主配置文件/var/www/etc/nagios/nagios.cfg里的指令决定。尽管这个文件涵盖了数十个选项，但是它们中的多数使用默认值就很不错, 你可能仅需调整它们中极少的一部分 (一般是 cfg_file, cfg_dir 和 admin_email)。如果你需要了解细节，请参阅官方 文档 。
文件 /var/www/etc/nagios/nagios.cfg

代码: 全选

# Path to main log file and log archive directory. All pathnames are relative
# to the chroot directory '/var/www/'
log_file=/var/log/nagios/nagios.log
log_archive_path=/var/log/nagios/archives
 
# Paths to files managed internally by the application
object_cache_file=/var/nagios/objects.cache
precached_object_file=/var/nagios/objects.precache
status_file=/var/nagios/status.dat
state_retention_file=/var/nagios/retention.dat
command_file=/var/nagios/rw/nagios.cmd
lock_file=/var/run/nagios/nagios.pid
temp_file=/var/nagios/nagios.tmp
temp_path=/tmp
check_result_path=/var/spool/nagios
 
# Object definitions (see next chapter) can be split across multiple files.
# You may either list files individually (using the 'cfg_file' parameter) or
# group them into directories (using the 'cfg_dir' parameter). In the latter
# case, Nagios will process all files with a '.cfg' extension found in the
# specified directories and their subdirectories
cfg_file=/etc/nagios/timeperiods.cfg
cfg_file=/etc/nagios/contacts.cfg
cfg_file=/etc/nagios/commands.cfg
cfg_file=/etc/nagios/generic-hosts.cfg
cfg_file=/etc/nagios/generic-services.cfg
cfg_dir=/etc/nagios/hosts
cfg_dir=/etc/nagios/services
 
# Path to the resource file, containing user-defined macros (see below). You can
# specify more than one resource file using multiple 'resource_file' statements
resource_file=/etc/nagios/resource.cfg
 
# User and group the Nagios process will run as
nagios_user=_nagios
nagios_group=_nagios
 
# Email address and pager number for the administrator of the local machine
[email protected]
admin_pager=xxx-xxx-xxxx
 
# Date format (available options: us, euro, iso8601 or strict-iso8601)
date_format=euro
 
# Enable checks, notifications and event handlers. Passive checks allow external
# applications to submit check results to Nagios. Event handlers are optional
# commands that are executed whenever a host or service state change occurs
execute_service_checks=1
accept_passive_service_checks=1
execute_host_checks=1
accept_passive_host_checks=1
enable_notifications=1
enable_event_handlers=1
 
# Checks freshness options. Enabling these options will ensure that passive
# checks are always up-to-date
check_service_freshness=1
service_freshness_check_interval=60
check_host_freshness=0
host_freshness_check_interval=60
additional_freshness_latency=15
 
# External commands allow the web interface and external applications (such as
# NSCA) to issue commands to Nagios. With a check interval of '-1', Nagios will
# check for external commands as often as possible
check_external_commands=1
command_check_interval=-1
external_command_buffer_slots=4096
 
# Various logging options
log_rotation_method=d
use_syslog=1
log_notifications=1
log_service_retries=1
log_host_retries=1
log_event_handlers=1
log_initial_states=0
log_external_commands=1
log_passive_checks=1
 
# Enable retention of state information between program restarts (refer to
# documentation for details)
retain_state_information=1
retention_update_interval=60
use_retained_program_state=1
use_retained_scheduling_info=0
retained_host_attribute_mask=0
retained_service_attribute_mask=0
retained_process_host_attribute_mask=0
retained_process_service_attribute_mask=0
retained_contact_host_attribute_mask=0
retained_contact_service_attribute_mask=0
 
# State flapping detection options (refer to documentation for details)
enable_flap_detection=0
low_service_flap_threshold=5.0
high_service_flap_threshold=20.0
low_host_flap_threshold=5.0
high_host_flap_threshold=20.0
 
# Miscellaneous tuning, performance and security options (refer to
# documentation for details)
interval_length=60
service_inter_check_delay_method=s
max_service_check_spread=30
service_interleave_factor=s
host_inter_check_delay_method=s
max_host_check_spread=30
max_concurrent_checks=0
check_result_reaper_frequency=10
max_check_result_reaper_time=30
max_check_result_file_age=3600
cached_host_check_horizon=15
cached_service_check_horizon=15
enable_predictive_host_dependency_checks=1
enable_predictive_service_dependency_checks=1
soft_state_dependencies=0
auto_reschedule_checks=0
auto_rescheduling_interval=30
auto_rescheduling_window=180
status_update_interval=15
event_broker_options=-1
 
sleep_time=0.25
service_check_timeout=60
host_check_timeout=30
event_handler_timeout=30
notification_timeout=30
ocsp_timeout=5
perfdata_timeout=5
 
use_aggressive_host_checking=0
process_performance_data=0
obsess_over_services=0
obsess_over_hosts=0
translate_passive_host_checks=0
passive_host_checks_are_soft=0
 
check_for_orphaned_services=0
check_for_orphaned_hosts=1
 
p1_file=/usr/local/bin/p1.pl
enable_embedded_perl=1
use_embedded_perl_implicitly=1
 
illegal_object_name_chars=`~!$%^&*|'"<>?,()=
illegal_macro_output_chars=`~$&|'"<>
use_regexp_matching=0
use_true_regexp_matching=0
daemon_dumps_core=0
use_large_installation_tweaks=0
enable_environment_macros=1
 
# Debug options
debug_level=0
debug_verbosity=1
debug_file=/var/nagios/nagios.debug
max_debug_file_size=1000000

2.2.2 资源文件
在资源文件里，你可以指定用户可定义宏 "$USERn$" (这里的“n” 是一个1和32之间的数)。一般来说, 在Nagios里, macros代表变量 (起始和结尾处都有一个美元符号, "$") ，你可以将这些宏插入 命令定义 ，这样就可以将这些值应用于在正在运行的适当命令里。你可以通过用户定义的宏 (以及一些Nagios启用的其它宏 ) 保持命令的简单通用 (请参阅 下面的帖子 里更多示例)。
用户定义的宏通常用于储存命令里的常用选项 (例如目录路径) 以及敏感信息 (例如用户名和密码)。为了保护敏感信息，这里推荐您限制的资源文件的权限 (600) 。
文件 /var/www/etc/nagios/resource.cfg

代码: 全选

# Set $USER1$ to be the path to the plugins
$USER1$=/usr/local/libexec/nagios
 
# MySQL username and password
$USER2$=root
$USER3$=password

接下来的步骤是配置object data, 可能是配置里最棘手的部分。 下面的 章节 将全部围绕这个话题展开。

[leo]

3. Object data配置
那么现在就是要告诉Nagios用什么来保持这些附件标签的时候了。因此, 我们必须为它提供有关的信息:

• 什么时候 and 怎样 执行这些检查并发送通知;
• 要通知谁;
• 那些 主机和服务需要监视。

这些信息都由object来表示, 这些object在一组 "define" 声明里被定义, 这些声明包含在大括号内，并且含有不定数量的新行分割指令, 形式为 keyword/value。 Keyword和value之间是空白，多个values之间用都和分割; 声明里允许使用缩进。
简而言之, object的基本语法可以表示如下:

代码: 全选

define object {
    keyword-1     value-1
    keyword-2     value-2,value-3,...
    [...]
    keyword-n     value-n
}

Object定义可以分割成任意数量的文件: 你只需记住要通过 cfg_file 和/或 cfg_dir 指令将所有这些文件列在 主配置文件 里。

3.1 有时限的定义
有时限的声明允许你指定, 每周的每一天, 在一个或多个时段执行特定检查 和/或 通知特定的人。 时段不能跨越午夜(midnight)，而且排除的日期就省略了(leo: 不做检查) 。
在下面的例子中, 所有的时段定义被组合进一个名为 timeperiods.cfg 的文件里，这个文件保存在 /var/www/etc/nagios/ 目录。
文件 /var/www/etc/nagios/timeperiods.cfg

代码: 全选

# The following timeperiod definition includes normal work hours. The
# 'timeperiod_name' and 'alias' directives are mandatory. Note that weekend days
# are simply omitted
define timeperiod {
    timeperiod_name    workhours
    alias              Work Hours
    monday             09:00-18:00
    tuesday            09:00-18:00
    wednesday          09:00-18:00
    thursday           09:00-18:00
    friday             09:00-18:00
}
 
# The following timeperiod includes all time outside normal work hours. The
# time slot between 6 p.m. and 9 a.m. must be split into two intervals, to avoid
# crossing midnight
define timeperiod {
    timeperiod_name    nonworkhours
    alias              Non-Work Hours
    sunday             00:00-24:00
    monday             00:00-09:00,18:00-24:00
    tuesday            00:00-09:00,18:00-24:00
    wednesday          00:00-09:00,18:00-24:00
    thursday           00:00-09:00,18:00-24:00
    friday             00:00-09:00,18:00-24:00
    saturday           00:00-24:00
}
 
# Most checks will probably run on a continuous basis
define timeperiod {
    timeperiod_name    always
    alias              Every Hour Every Day
    sunday             00:00-24:00
    monday             00:00-24:00
    tuesday            00:00-24:00
    wednesday          00:00-24:00
    thursday           00:00-24:00
    friday             00:00-24:00
    saturday           00:00-24:00
}
 
# The right timeperiod when you don't want to bother with notifications (e.g.
# during testing)
define timeperiod {
    timeperiod_name    never
    alias              No Time is a Good Time
}
 
# Some exceptions to the normal weekly time (see documentation for more examples)
define timeperiod {
    timeperiod_name    exceptions
    alias              Some random dates
    2008-12-15         00:00-24:00        ; December 15th, 2008
    friday 3           00:00-24:00        ; 3rd Friday of every month
    february -1        00:00-24:00        ; Last day in February of every year
    march 20 - june 21 00:00-24:00        ; Spring
    day 1 - 15         00:00-24:00        ; First half of every month
    2008-01-01 / 7     00:00-24:00        ; Every 7 days from Jan 1st, 2008
}

3.2 命令定义
下面的步骤是告诉Nagios 怎样 执行各种检查并发送通知; 具体是通过定义多个命令object来完成的，这些定义的object指定了Nagios实际运行的命令。
命令定义是由多个 短名称+命令 (都是强制性的)的行构成的，而且可以包含宏。就像我们 以前 提到过的, 宏是变量, 前后都是 "$" 符, 在运行一条命令是宏会扩展为相应的数值; 使用宏可以使命令定义更加简单标准。我们举个简单明了的例子。
假设你要件事一个IP地址为 "1.2.3.4"的web服务器; 你可以这样定义一条命令:

代码: 全选

define command {
    command_name    check-http
    command_line    /usr/local/libexec/nagios/check_http -I 1.2.3.4
}

这条定义是正确的、而且可执行。不过，稍后你在需要添加一个新的web服务器怎么办? 怎样才能方便地定义一条只是IP不同的新命令(几乎一样)? 如果利用宏的高效特点，只需定义一条通用的命令:

代码: 全选

define command {
    command_name    check-http
    command_line    $USER1$/check_http -I $HOSTADDRESS$
}

然后，Nagios在运行时会将内置的宏 $HOSTADDRESS$ 扩展为相应的IP地址, 这个IP地址从主机定义里获取 (看 下面)。你对 前一章 应该有些印象, 这里的宏 $USER1$ 保存着到插件目录的路径。
现在我们考虑得稍微复杂一些! 怎样让Nagios检查每台服务器上的特定的URL是否有效呢? 这里所说的URL可能在每台服务器上均不同, 怎样才能用一条通信和有效的命令定义涵盖每台主机呢! 尽管听起来有些矛盾, 不过Nagios仍旧是使用宏来解决这个问题的: 事实上, 这里的宏 $ARGn$ (这个n是一个1到32之间的数值) 代表着特定服务的参数。这些参数将在后面的服务定义里指定 (看 下面 以获取了解的细节)。因此, 上面的命令定义可以演变成:

代码: 全选

define command {
    command_name    check-http
    command_line    $USER1$/check_http -I $HOSTADDRESS$ -u $ARG1$
}

除了我们刚看到的这些, Nagios还提供了其它一些有用的宏。请参考 文档 以了解有用的宏以及其有效语法。下面是一组简单的命令定义。
文件 /var/www/etc/nagios/commands.cfg

代码: 全选

################################################################################
# Notification commands                                                        #
# There are no standard notification plugins; hence notification commands are  #
# usually custom scripts or mere command lines.                                #
################################################################################
define command {
    command_name    host-notify-by-email
    command_line    $USER1$/host_notify_by_email.sh $CONTACTEMAIL$
}
 
define command {
    command_name    notify-by-email
    command_line    $USER1$/notify_by_email.sh $CONTACTEMAIL$
}
 
define command {
    command_name    host-notify-by-SMS
    command_line    /usr/local/bin/sendsms $ADDRESS1$ "Nagios: Host $HOSTNAME$ ($HOSTADDRESS$)is in state: $HOSTSTATE$"
}
 
define command {
    command_name    notify-by-SMS
    command_line    /usr/local/bin/sendsms $ADDRESS1$ "Nagios: Service $SERVICEDESC$ on $HOSTALIAS$ is in state: $SERVICESTATE$"
}
 
################################################################################
# Check commands                                                               #
# The official Nagios plugins should handle most of your needs for host and    #
# service checks. Anyway, should they not, we will discuss in a moment how to  #
# write custom plugins.                                                        #
################################################################################
define command {
    command_name    check-host-alive
    command_line    $USER1$/check_ping -H $HOSTADDRESS$ -w 3000.0,80% -c 5000.0,100% -p 1
}
 
define command {
    command_name    check-ssh
    command_line    $USER1$/check_ssh $HOSTADDRESS$
}
 
define command {
    command_name    check-http
    command_line    $USER1$/check_http -I $HOSTADDRESS$ -u $ARG1$
}
 
define command {
    command_name    check-smtp
    command_line    $USER1$/check_smtp -H $HOSTADDRESS$
}
 
define command {
    command_name    check-imap
    command_line    $USER1$/check_imap -H $HOSTADDRESS$
}
 
define command {
    command_name    check-dns
    command_line    $USER1$/check_dns -s $HOSTADDRESS$ -H $ARG1$ -a $ARG2$
}
 
define command {
    command_name    check-mysql
    command_line    $USER1$/check_mysql -H $HOSTADDRESS -u $USER2$ -p $USER3$
}
 
[...]

3.3 Contact definition
contact objects 允许你指定在触发警告条件时应该自动通知的那些人。 Contacts 最初是分别定义的，然后被组合进contactgroup objects, 这是便于管理。
在下面的定义里，首先我们将参照先前定义的objects。实际这里的 host_notification_period 和 service_notification_period 指令的值肯定是 有时限的 objects; 而这里的the host_notification_command 和 service_notification_command 指令的值肯定是 命令 objects。
文件 /var/www/etc/nagios/contacts.cfg

代码: 全选

define contact {
# Short name to identify the contact
    contact_name                    john
# Longer name or description
    alias                           John Doe
 
# Enable notifications for this contact
    host_notifications_enabled      1
    service_notifications_enabled   1
 
# Timeperiods during which the contact can be notified about host and service
# problems or recoveries
    host_notification_period        always
    service_notification_period     always
 
# Host states for which notifications can be sent out to this contact
# (d=down, u=unreachable, r=recovery, f=flapping, n=none)
    host_notification_options       d,u,r
 
# Service states for which notifications can be sent out to this contact
# (w=warning, c=critical, u=unknown, r=recovery, f=flapping, n=none)
    service_notification_options    w,u,c,r
 
# Command(s) used to notify the contact about host and service problems
# or recoveries
    host_notification_commands      host-notify-by-email,host-notify-by-SMS
    service_notification_commands   notify-by-email,notify-by-SMS
 
# Email address for the contact
    email                           [email protected]
 
# Nagios provides 6 address directives (named address1 through address6) to
# specify additional "addresses" for the contact (e.g. a mobile phone number
# for SMS notifications)
    address1                        xxx-xxx-xxxx
 
# Allow this contact to submit external commands to Nagios from the CGIs
    can_submit_commands             1
}
 
# The following contact is split in two, to allow for different notification
# options depending on the timeperiod
define contact {
    contact_name                    danix@work
    alias                           Daniele Mazzocchio
    host_notifications_enabled      1
    service_notifications_enabled   1
    host_notification_period        workhours
    service_notification_period     workhours
    host_notification_options       d,u,r
    service_notification_options    w,u,c,r
    host_notification_commands      host-notify-by-email
    service_notification_commands   notify-by-email
    email                           [email protected] 
    can_submit_commands             1
}
 
define contact {
    contact_name                    danix@home
    alias                           Daniele Mazzocchio
    host_notifications_enabled      1
    service_notifications_enabled   1
    host_notification_period        nonworkhours
    service_notification_period     nonworkhours
    host_notification_options       d,u
    service_notification_options    c
    host_notification_commands      host-notify-by-email,host-notify-by-SMS
    service_notification_commands   notify-by-email,notify-by-SMS
    email                           [email protected]
    address1                        xxx-xxx-xxxx
    can_submit_commands             1
}
 
[...]
 
# All administrator contacts are grouped together in the "Admins"
# contactgroup
define contactgroup {
    contactgroup_name               Admins
    alias                           Nagios Administrators
    members                         danix@work,danix@home,john
}
 
[...]

3.4 主机定义
现在我们最终要处理Nagios配置里最重要的一个环节: 那些我们要监视的主机 (服务器, 工作站, 设备等) 的定义。这会让我们了解Nagios配置里一个最强大的特性: object inheritance（leo：inheritance — 遗传、继承）. 请注意, 尽管现在我们首先讨论它, object inheritance 实际上可以应用到所有的Nagios objects上; 不过, 在主机和服务的定义里，我们可以发挥出其最大的功效。。
事实上, 配置一台主机需要设置不少的参数; 而对多数的主机来说这些参数的数值都是一样的。如果没有object inheritance, 就意味着浪费大量的时间一遍遍地输入同样的参数，最终得到是长而无序、无法管理的配文件。
幸运的是, Nagios的设计人非常聪明地设计出了template objects，它的属性可以 "inherited" (继承) 给其它的objects，而无需重写这些objects 。下面是一个创建template的例子:

代码: 全选

define host {
    name                            generic-host-template  # Template name
 
    check_command                   check-host-alive
    check_period                    always
    max_check_attempts              5
    notification_options            d,u,r
 
    register                        0                      # Don't register it!
}

你可以看见, 一个模板object定义几乎和一个普通object的定义完全一样。唯一的区别是:

• 每个template必须用name指令分配了一个名字;
• 因为这并非一台真实的主机, 你必须告诉 Nagios 不要注册它。方法是将register指令的数值设为0; 这个特性不具备继承性，默认值是, 所以你不用担心所有的“子”object中改值被重写(leo: 我只是按照我的理解翻译的，如果读者觉得此处翻译的不对，请指出。);
• 一个template object可以保留未完成状态, 也就是说，它可以不强制应用所有的参数。

要template里创建一台真实的主机, 你只需用一个 use 指令将一个template名称指定为一个值，而且确保所有的强制性区域具有继承性或者是明确值 :

代码: 全选

define host {
    host_name                       hostname
    use                             generic-host-template
    alias                           alias
    address                         x.x.x.x
}

好了，现在我们从研究理论转到实际操作，我们将定义两个主机的templates。注意，第二个从第一个继承特性; 这是可能的，因为Nagios允许template objects具有多层。
文件 /var/www/etc/nagios/generic-hosts.cfg

代码: 全选

# The following is a template for all hosts in the LAN
define host {
# Template name
    name                            generic-lan-host
 
# Command to use to check the state of the host
    check_command                   check-host-alive
 
# Contact groups to notify about problems (or recoveries) with this host
    contact_groups                  Admins
 
# Enable active checks
    active_checks_enabled           1
# Time period during which active checks of this host can be made
    check_period                    always
# Number of times that Nagios will repeat a check returning a non-OK state
    max_check_attempts              3
 
# Enable the event handler
    event_handler_enabled           1
 
# Enable the processing of performance data
    process_perf_data               1
 
# Enable retention of host status information across program restarts
    retain_status_information       1
# Enable retention of host non-status information across program restarts
    retain_nonstatus_information    1
 
# Enable notifications
    notifications_enabled           1
# Time interval (in minutes) between consecutive notifications about the
# server being _still_ down or unreachable
    notification_interval           120
# Time period during which notifications about this host can be sent out
    notification_period             always
# Host states for which notifications should be sent out (d=down,
# u=unreachable, r=recovery, f=flapping, n=none)
    notification_options            d,u,r
 
# Don't register this definition: it's only a template, not an actual host
    register                        0
}
 
# DMZ hosts inherit all attributes from the generic-lan-host by means of the
# 'use' directive. The only difference is that Nagios has to go through the
# internal (CARP) firewalls to reach the DMZ servers, thus requiring the
# additional 'parents' directive.
define host {
    name                            generic-dmz-host
 
# The 'use' directive specifies the name of a template object that you want
# this host to inherit properties from
    use                             generic-lan-host
 
# This directive specifies the hosts that lie between the monitoring host
# and the remote host (more information here)
    parents                         fw-int
 
# This too is a template
    register                        0
}

现在我们应用template的长处只需几行就可以定义实际的主机。
文件 /var/www/etc/nagios/hosts/servers.cfg

代码: 全选

# Configuration for host dns1.lan.kernel-panic.it
define host {
    use                             generic-lan-host
    host_name                       dns1
    alias                           LAN primary master name server
    address                         172.16.0.161
 
# Extended information (completely optional)
    notes                           This is the internal primary master name server (Bind 9.4.2-P2)
# URL with more information about this host
    notes_url                       http://www.kernel-panic.it/openbsd/dns/
# Image associated with this host in the status CGI; images must be placed in
# /var/www/nagios/images/logos/
    icon_image                      dns.png
# String used in the 'alt' tag of the icon_image
    icon_image_alt                  [dns]
# Image associated with this host in the statusmap CGI
    statusmap_image                 dns.gd2
}
 
# Configuration for host mail.kernel-panic.it
define host {
    use                             generic-dmz-host
    host_name                       mail
    alias                           Mail server
    address                         172.16.240.150
    notes                           This is the Postfix mail server (with IMAP(S) and web access)
    notes_url                       http://www.kernel-panic.it/openbsd/mail/
    icon_image                      mail.png
    icon_image_alt                  [Mail]
    statusmap_image                 mail.gd2
}
 
# Configuration for host proxy.kernel-panic.it
define host {
    use                             generic-dmz-host
    host_name                       proxy
    alias                           Proxy server
    notes                           This is the Squid proxy server
    notes_url                       http://www.kernel-panic.it/openbsd/proxy/
    icon_image                      proxy.png
    icon_image_alt                  [Proxy]
    statusmap_image                 proxy.gd2
}
 
[...]

文件 /var/www/etc/nagios/hosts/firewalls.cfg

代码: 全选

# Configuration for host fw-int.kernel-panic.it
define host {
    use                             generic-lan-host
    host_name                       fw-int
    alias                           Internal firewalls' CARP address
    address                         172.16.0.202
    notes                           Virtual CARP address of the internal firewalls
    notes_url                       http://www.kernel-panic.it/openbsd/carp/
    icon_image                      fw.png
    icon_image_alt                  [FW]
    statusmap_image                 fw.gd2
}
 
# Configuration for host mickey.kernel-panic.it
define host {
    use                             generic-lan-host
    host_name                       mickey
    alias                           Internal Firewall #1
    address                         172.16.0.200
    notes                           Internal firewall (first node of a two-nodes CARP cluster)
    notes_url                       http://www.kernel-panic.it/openbsd/carp/
    icon_image                      fw.png
    icon_image_alt                  [FW]
    statusmap_image                 fw.gd2
}
 
[...]

主机这里可以选择用hostgroup声明组成的一个组，尽管这对监控意义不大，但是可以让你在CGI里显示所有在组内的主机。
文件 /var/www/etc/nagios/hosts/hostgroups.cfg

代码: 全选

# Domain Name Servers
define hostgroup {
    hostgroup_name                  DNS
    alias                           Domain Name Servers
    members                         dns1,dns2,dns3,dns4
    notes                           Our internal Domain Name Servers, running Bind 9.4.2-P2
}
 
# Firewalls
define hostgroup {
    hostgroup_name                  firewalls
    alias                           CARP Firewalls
    members                         mickey,minnie,donald,daisy,fw-int,fw-ext
    notes                           Our CARP-enabled firewalls (both virtual and physical addresses)
}
 
# Web servers
define hostgroup {
    hostgroup_name                  WWW
    alias                           Web Servers
    members                         www1,www2
    notes                           Our corporate web servers, running Apache 1.3
}

3.5 服务定义
配置监视的服务和配置监视的主机很像: object的继承性可以节省你大量的输入，而且你可以用选项 servicegroup 将所有的服务组合在一起。下面是我们服务template的定义:
文件 /var/www/etc/nagios/generic-services.cfg

代码: 全选

define service {
# Template name
    name                            generic-service
 
# Services are normally not volatile
    is_volatile                     0
 
# Contact groups to notify about problems (or recoveries) with this service
    contact_groups                  Admins
 
# Enable active checks
    active_checks_enabled           1
# Time period during which active checks of this service can be made
    check_period                    always
# Time interval (in minutes) between "regular" checks, i.e. checks that
# occur when the service is in an OK state or when the service is in a non-OK
# state, but has already been re-checked max_check_attempts number of times
    normal_check_interval           5
# Time interval (in minutes) between non-regular checks
    retry_check_interval            1
# Number of times that Nagios will repeat a check returning a non-OK state
    max_check_attempts              3
# Enable service check parallelization for better performance
    parallelize_check               1
# Enable passive checks
    passive_checks_enabled          1
 
# Enable the event handler
    event_handler_enabled           1
 
# Enable the processing of performance data
    process_perf_data               1
 
# Enable retention of service status information across program restarts
    retain_status_information       1
# Enable retention of service non-status information across program restarts
    retain_nonstatus_information    1
 
# Enable notifications
    notifications_enabled           1
# Time interval (in minutes) between consecutive notifications about the
# service being _still_ in non-OK state
    notification_interval           120
# Time period during which notifications about this service can be sent out
    notification_period             always
# Service states for which notifications should be sent out (c=critical,
# w=warning, u=unknown, r=recovery, f=flapping, n=none)
    notification_options            w,u,c,r
 
    register                        0
}

现在, 在考虑服务定义前, 我们应该完成将服务的特定参数传递给命令的 讨论 ，也就是宏 $ARGn$ 。可能你还记得, 宏作为承载体: 它们在服务里扩展传递给命令的第n个参数; 例如, 一条类似下面的命令希望得到两个传递参数:

代码: 全选

define command {
    command_name                    some-command
    command_line                    $USER1$/check_something $ARG1$ $ARG2$
}

因此, 要使用上面的命令那个配置一个服务检查, 我们必须分配给check_command 变量一个字符串，这个字符串包含一个命令的短名称，后面跟着这些参数, 由字符 "!" 分割。例如:

代码: 全选

define service {
    service_description             some-service
    check_command                   some-command!arg-1!arg-2
    [...]
}

现在我们可以着手实际服务的定义了:
文件/var/www/etc/nagios/services/services.cfg

代码: 全选

# Secure Shell service
define service {
    use                             generic-service
    service_description             SSH
# Short name(s) of the host(s) that run this service. If a service runs on all
# hosts, you may use the '*' wildcard character
    host_name                       *
    check_command                   check-ssh
# This directive is a possible alternative to using the members directive in
# service groups definitions
    servicegroups                   ssh-services
# Extended information
    notes                           Availability of the SSH daemon
    notes_url                       http://www.openssh.org/
    icon_image                      ssh.png
    icon_image_alt                  [SSH]
}
 
# Web service
define service {
    use                             generic-service
    service_description             WWW
    host_name                       www1,www2
    check_command                   check-http!/index.html
    notes                           Availability of the corporate web sites
    notes_url                       http://www.apache.org/
    icon_image                      www.png
    icon_image_alt                  [WWW]
}
 
define service {
    use                             generic-service
    service_description             WWW
    host_name                       mail
    check_command                   check-http!/webmail/index.html
    notes                           Availability of the web access to the mail server
    notes_url                       http://www.squirrelmail.org/
    icon_image                      www.png
    icon_image_alt                  [WWW]
}
 
[...]

Just like hosts, services can be grouped together with the servicegroup directive:
文件 /var/www/etc/nagios/services/servicegroups.cfg

代码: 全选

define servicegroup {
    servicegroup_name               www-services
    alias                           Web Services
# The 'members' directive requires a comma-separated list of host and
# service pairs, e.g. 'host1,service1,host2,service2,...'
    members                         www1,WWW,www2,WWW,mail,WWW
}
 
define servicegroup {
    servicegroup_name               dns-services
    alias                           Domain Name Service
    members                         dns1,DNS,dns2,DNS,dns3,DNS,dns4,DNS
}
 
# The members of the following servicegroup are specified with the
# 'serviecegroups' directive in the 'SSH' service definition
define servicegroup {
    servicegroup_name               ssh-services
    alias                           Secure Shell Service
}
 
[...]

好的, 现在大块的工作已经完成: 最后一步是 配置web接口 ，然后我们就让Nagios工作了!

[leo]

4. 设定web接口
Nagios没有一个特定的客户端程序去访问监视的信息; 相反, 它依赖 Apache web 服务器来提供一个非常简单但还很强大的web接口, 可以通过任何浏览器来访问，并且允许用户访问当前的状态信息, 浏览历史日志(logs), 生成报告, 并且如果你进行了配置，可以运行命令来监视进程。

4.1 CGIs 配置
Nagios的web接口依赖一系列用C语言写的CGI程序。这些CGI程序从 主配置文件 和 cgi.cfg 中读取它们的配置信息, 默认的这两个文件位于目录 /var/www/etc/nagios/。

下面是一个简单的配置文件; 在设置 authorized_for_* 指令时要格外小心, 因为你可以用它们为认证用户指定特殊的权限，所以这是安全的关机所在。在下小节里面我们会重温一下怎样在Apache里创建用户。
文件 /var/www/etc/nagios/cgi.cfg

代码: 全选

# Path to the main configuration file (relative to the chroot)
main_config_file=/etc/nagios/nagios.cfg
# Path to the directory where the HTML files reside (relative to the chroot)
physical_html_path=/nagios
# Path portion of the URL used to access the web interface
url_html_path=/nagios
 
# Disable context-sensitive help
show_context_help=0
 
# Enable authentication for the CGIs
use_authentication=1
# Uncomment the following directive to set a default user for unauthenticated
# sessions (strongly discouraged)
#default_user_name=guest
 
# The 'authorized_for_*' directives define a comma-separated list of
# authenticated web users who can:
# - view system/process information in the extended information CGI:
authorized_for_system_information=nagiosadmin,operator
# - view configuration information in the configuration CGI:
authorized_for_configuration_information=nagiosadmin,operator
# - issue system/process commands via the command CGI:
authorized_for_system_commands=nagiosadmin
# - view status and configuration information for all services
authorized_for_all_services=nagiosadmin,operator
# - view status and configuration information for all hosts
authorized_for_all_hosts=nagiosadmin,operator
# - issue commands for all services via the command CGI:
authorized_for_all_service_commands=nagiosadmin
# - issue commands for all hosts via the command CGI:
authorized_for_all_host_commands=nagiosadmin
 
# Options for the Status Map and Status World CGIs
statusmap_background_image=smbackground.gd2
default_statusmap_layout=5
default_statuswrl_layout=4
statuswrl_include=myworld.wrl
 
# Command to use when attempting to ping a host from the WAP interface
ping_syntax=/sbin/ping -n -c 5 $HOSTADDRESS$
 
# Time interval (in seconds) between page refreshes
refresh_rate=90
 
# List of audio files to play in the browser in case of problems. These files
# are assumed to be in the /var/www/nagios/media/ directory
host_unreachable_sound=hostdown.wav
host_down_sound=hostdown.wav
service_critical_sound=critical.wav
service_warning_sound=warning.wav
service_unknown_sound=warning.wav
#normal_sound=noproblem.wav
 
# HTML and URL target options
action_url_target=_blank
notes_url_target=_blank
escape_html_tags=1
 
# Restrict users from changing the author name when submitting comments,
# acknowledgements and scheduled downtime from the web interface
lock_author_names=1
 
# Splunk integration options
enable_splunk_integration=0
#splunk_url=http://127.0.0.1:8000/

4.2 Apache配置
web接口保存了有关网络和服务甚至可能还有直接影响监控进程的可运行命令等非常敏感的信息。结论是, 强烈推荐您为访问的CGIs配置认证。
htpasswd(1) 负责用户认证文件的管理。请注意，初次运行此命令时你必须使用 "-c" 选项来创建 password 文件:

代码: 全选

# htpasswd -c /var/www/users/nagios.passwd nagiosadmin
New password: password
Re-type new password: password
Adding password for user nagiosadmin
# htpasswd /var/www/users/nagios.passwd danix@work
New password: password
Re-type new password: password
Adding password for user danix@work
#

一个用户的用户名如果匹配contact定义里的短名称，则这个用户被称为认证的contact，系统会自动赋予这个用户访问它所联系的这些主机、服务的信息及命令的权限 (请参考这篇 文档 以了解在CGIs中认证的一些细节).
好, 现在我们已经让Apache要求访问用户进行认证，我们还需要配置SSL以避免密码以明文方式传输。下面是用 openssl(1) 命令创建一个自签名的认证证书 (更多有关认证证书管理的细节请参阅 这里)。

代码: 全选

# openssl genrsa -des3 -out server.3des-key 1024
Generating RSA private key, 1024 bit long modulus
..............++++++
.++++++
e is 65537 (0x10001)
Enter pass phrase for server.3des-key: passphrase
Verifying - Enter pass phrase for server.3des-key: passphrase
# openssl rsa -in server.3des-key -out server.key
Enter pass phrase for server.3des-key: passphrase
writing RSA key
# openssl req -new -key server.key -x509 -out server.crt -days 365
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) []: IT
State or Province Name (full name) []: State
Locality Name (eg, city) []: Locality
Organization Name (eg, company) []: kernel-panic.it
Organizational Unit Name (eg, section) []: Information Technology
Common Name (eg, fully qualified host name) []: nagios.kernel-panic.it
Email Address []: [email protected]
# chmod 600 server.key
# rm server.3des-key
# mv server.crt /etc/ssl/
# mv server.key /etc/ssl/private/

最后一步是通过将下面几行加入到配置文件 /var/www/conf/httpd.conf 里将Apache配置为必须进行认证并加密访问Nagios接口:
文件 /var/www/conf/httpd.conf

代码: 全选

ScriptAlias /cgi-bin/nagios "/var/www/cgi-bin/nagios"
 
<Directory "/var/www/cgi-bin/nagios">
    SSLRequireSSL
 
    Options ExecCGI
 
    AuthName "Nagios Access"
    AuthType Basic
    AuthUserFile /users/nagios.passwd
    Require valid-user
 
    Order deny,allow
    Deny from all
    # Authorized clients
    Allow from 127.0.0.1 172.16.0.13
</Directory>
 
Alias /nagios "/var/www/nagios"
 
<Directory "/var/www/nagios">
    SSLRequireSSL
 
    Options None
    AllowOverride None
 
    AuthName "Nagios Access"
    AuthType Basic
    AuthUserFile /users/nagios.passwd
    Require valid-user
 
    Order deny,allow
    Deny from all
    # Authorized clients
    Allow from 127.0.0.1 172.16.0.13
</Directory>

4.3 运行Nagios
好了, 看起来所有的配置工作到目前为止基本上结束了! 那么我们就可以让Nagios评估一下我们所做的工作了——调用它时加上 "-v" 选项:

代码: 全选

# /usr/local/sbin/nagios -v /var/www/etc/nagios/nagios.cfg
 
Nagios 3.0.6
Copyright (c) 1999-2008 Ethan Galstad (http://www.nagios.org)
Last Modified: 12-01-2008
License: GPL
 
Reading configuration data...
 
Running pre-flight check on configuration data...
 
[...]
 
Total Warnings: 0
Total Errors:   0
 
Things look okay - No serious problems were detected during the pre-flight check
#

如果没有错误信息, 我们等候已久的时刻终于到来了: 我们将开始启动Nagios! 尽管没有预先为lock文件创建目录 (注意: 如果在安装Nagios后没有重新启动系统, /var/run/nagios/ 这个目录应该已经存在了):

代码: 全选

# apachectl startssl
/usr/sbin/apachectl startssl: httpd started
# install -d -o _nagios /var/run/nagios
# /usr/local/sbin/nagios -d /var/www/etc/nagios/nagios.cfg

你可以通过连接到web接口 (https://your.server.here/nagios/)或者查看一下日志文件 (/var/www/var/log/nagios/nagios.log) 来检查一下是否一切正常。
要完成最终设置, 我们需要让Apache和Nagios随系统启动, 只需在/etc/rc.conf.local 文件里设置一下 httpd_flags 变量:
文件 /etc/rc.conf.local

代码: 全选

httpd_flags="-DSSL"

然后将下面几行加入 /etc/rc.local 文件:
文件 /etc/rc.local

代码: 全选

if [ -x /usr/local/sbin/nagios ]; then
    install -d -o _nagios /var/run/nagios
    echo -n ' nagios'
    /usr/local/sbin/nagios -d /var/www/etc/nagios/nagios.cfg
fi

在 下一章 里我们将讨论如何使用一些流行的插件扩展Nagios。

[leo]

5. Nagios插件
Nagios的一个重要特性就是其可扩展性; 这要归功于Nagios基于插件的构架、外部命令接口、以及 Apache web服务器，通过这几者结合可以非常方便地添加新功能。在本章里，我们将就Nagios的一些常用 插件 的一般问题展开讨论。

5.1 NRPE
这里假设你想让Nagios在本地检测远程主机, 例如磁盘空间使用情况, 系统负荷或者当前用户登录人数。因为没有网络服务, 所以这些信息无法直接用插件提取: 我们需要的是在远程主机上安装某类代理，这样Nagios就可以周期性地查询本地服务了。


Nagios Remote Plugin Executor (NRPE) 正好可以完成这个任务: 它可以允许你在本地运行插件到远程主机上! 它由两部分构成:

• 一个代理, 运行 (无论是独立运行或者在 inetd(8) 下运行) 在监视的主机上, 它等待进站连接, 运行请求检查并返回本地服务的状态;
• 一个插件, "check_nrpe", 用于查询远程代理。

下面的package既包含代理也包含插件:

• nrpe-x.x.x.tgz

此外, 这个Nagios插件package将作为依赖包安装在被监视的主机上: 这将允许NRPE 代理利用标准Nagios插件的优势来执行本地查询。安装这个package时自动创建 一个名称 _nrpe 的用户和组，守护进程将以这个用户和组的身份运行并拷贝一个 /etc/ 里的示例配置文件:
文件 /etc/nrpe.cfg

代码: 全选

# The syslog facility that should be used for logging purposes
log_facility=daemon
 
# Path to the pid file (ignored if running under inetd)
pid_file=/var/run/nrpe.pid
 
# Address to bind to, to avoid binding on all interfaces (ignored if running
# under inetd)
server_address=172.16.0.170
# Port to wait connections on (ignored if running under inetd)
server_port=5666
 
# User and group the NRPE daemon should run as (ignored if running under inetd)
nrpe_user=_nrpe
nrpe_group=_nrpe
 
# Comma-delimited list of IP addresses or hostnames that are allowed to connect
# to the NRPE daemon (ignored if running under inetd)
allowed_hosts=127.0.0.1,172.16.0.164
 
# Don't allow clients to specify arguments to commands that are executed
dont_blame_nrpe=0
 
# Uncomment the following option to prefix all commands with a specific string
#command_prefix=/usr/bin/sudo
 
# Don't log debugging messages to the syslog facility
debug=0
 
# Maximum length (in seconds) of executed plugins
command_timeout=60
 
# Command definitions are in the form
#
#   command[<command_name>]=<command_line>
#
# Thus, when the NRPE daemon receives a request to execute the command
# 'command_name', it will run the *local* script specified by 'command_line'.
# Note: macros are NOT allowed within command definitions
command[check_users]=/usr/local/libexec/nagios/check_users -w 5 -c 10
command[check_load]=/usr/local/libexec/nagios/check_load -w 15,10,5 -c 30,25,20
command[check_disk1]=/usr/local/libexec/nagios/check_disk -w 20 -c 10 -p /dev/wd0a
command[check_total_procs]=/usr/local/libexec/nagios/check_procs -w 150 -c 200

要以独立运行的方式运行NRPE的守护进程, 只需键入:

代码: 全选

# /usr/local/sbin/nrpe -c /etc/nrpe.cfg -d

然后，将下列行加入到文件 /etc/rc.local 里以便其随系统启动:
文件/etc/rc.local/

代码: 全选

if [ -x /usr/local/sbin/nrpe ]; then
    echo -n ' nrpe'
    /usr/local/sbin/nrpe -c /etc/nrpe.cfg -d
fi

可选方案, 你可以将下列行加入到 in /etc/inetd.conf(8) 里，这样可以让NRPE在 inetd(8) 下运行:
文件 /etc/inetd.conf

代码: 全选

nrpe    stream    tcp    wait    _nrpe:_nrpe    /usr/local/sbin/nrpe    nrpe -c /etc/nrpe.cfg -i

然后，在 /etc/services(5) 添加nrpe服务:
文件 /etc/services

代码: 全选

nrpe    5666/tcp    # Nagios Remote Plugin Executor

然后发送给守护进程 inetd(8) 一个hangup信号, 命令其重新读取自己的配置文件:

代码: 全选

# pkill -HUP inetd

现在, Nagios服务器可以执行检查了，你只需定义一个如下的命令 (只需要注意传递给 “-c”选项的命令名称在远程的服务器上的nrpe.cfg文件里有一个相应的命令定义!):
文件 /var/www/etc/nagios/commands.cfg

代码: 全选

define command {
    command_name    check-disk1-nrpe
    command_line    $USER1$/check_nrpe -H $HOSTADDRESS$ -c check_disk1
}

5.2 NSCA
现在假设你想检测远程主机上一个程序是否正确执行, 例如：一个周期性的备份或者一个crontab任务。虽然这还是一个 "本地" 服务, 但是, 与磁盘空间使用情况或系统负荷不同, 我们需要调整一下，让其更有逻辑性以便使Nagios在其处于退出状态时得到通知。这正是Nagios服务检查接收器(NSCA)拿手的, 它是一个守护进程程序, 意味着运行在Nagios服务器上, 被设计为被动地接受来自客户端的服务结果提取（leo:可从客户端上请求要查询的服务结果）。
NSCA和NRPE有个相同点：它也由一个守护进程和一个客户端程序构成, 但是角色却是倒置的: 守护进程运行在Nagios服务器上，而远程主机使用 send_nsca 工具将其状态通知给这个守护进程。NSCA就使用外置的命令接口(所以，请确认已经在主配置文件里启用了外置命令)。

5.2.1 服务器配置

NSCA既可以以独立的方式运行，也可以运行在 inetd(8)下面。 要安装NSCA的服务器部分，我们需要在Nagios服务器上安装如下的packages:

• mhash-x.x.x.tgz
• libmcrypt-x.x.x.tgz
• nsca-x.x.tgz

接下来, 我们需要编辑配置文件 /etc/nsca.cfg :
文件 /etc/nsca.cfg

代码: 全选

# Path to the pid file (ignored if running under inetd)
pid_file=/var/run/nrpe.pid
 
# Address to bind to (optional)
server_address=172.16.0.164
# Port to wait connections on
server_port=5667
 
# User and group the NSCA daemon should run as (ignored if running under inetd)
nsca_user=_nagios
nsca_group=_nagios
 
# chroot(2) directory for the NSCA daemon
nsca_chroot=/var/www/var/nagios/rw
 
# Don't log debugging messages to the syslog facility
debug=0
 
# Path to the command file (relative to the chroot directory)
command_file=nagios.cmd
# File where to dump service check results if the command file does not exist
alternate_dump_file=nsca.dump
 
# Do not aggregate writes to the external command file
aggregate_writes=0
# Open the external command file in write mode
append_to_file=0
 
# Maximum packet age (in seconds)
max_packet_age=30
 
# Password to use to decrypt incoming packets
password=password
# Decryption method (16 = RIJNDAEL-256). It must match the encryption method
# used by the client
decryption_method=16

要保护密码你应该将这个配置文件的权限设置为600。要让NSCA独立运行(standalone daemon), 你只需输入:

代码: 全选

# /usr/local/sbin/nsca -c /etc/nsca.cfg

然后哦将下列行加入到 /etc/rc.local 以便其自动随系统启动:
文件 /etc/rc.local

代码: 全选

if [ -x /usr/local/sbin/nsca ]; then
    echo -n ' nsca'
    /usr/local/sbin/nsca -c /etc/nsca.cfg
fi

可选方案是, 你可以在 inetd(8) 下运行它，只需将下行加入到 /etc/inetd.conf(8):
文件 /etc/inetd.conf

代码: 全选

nsca    stream    tcp    wait    _nagios:_nagios    /usr/local/sbin/nsca    nsca -c /etc/nsca.cfg --inetd

然后将nsca服务加入到 /etc/services(5):
文件 /etc/services

代码: 全选

nsca    5667/tcp    # Nagios Service Check Acceptor

然后发送一个hangup信号给 inetd(8) 进程, 告诉它重新阅读自己的配置文件：

代码: 全选

# pkill -HUP inetd

5.2.2 客户端配置

在客户端方面, 我们需要安装下列数据包:

• mhash-x.x.x.tgz
• libmcrypt-x.x.x.tgz
• nsca-client-x.x.tgz

然后在配置文件 /etc/send_nsca.cfg 里编辑加密参数:
文件 /etc/send_nsca.cfg

代码: 全选

# Password to use to encrypt outgoing packets
password=password
# Encryption method (16 = RIJNDAEL-256)
encryption_method=16

这里的 send_nsca 程序从标准输入读取数据，然后等待提取服务信息，需要用一个标签（tab）分开主机名序列和服务描述 (也就是在服务定义里的service_description 设置的值), 返回代码和输出; 例如:

代码: 全选

echo "www1\tbackup\t0\tBackup completed successfully" | /usr/local/libexec/nagios/send_nsca -H nagios.kernel-panic.it

而对主机信息提取来说, 使用一个标签（tab）分割主机名序列及返回的代码和输出; 例如:

代码: 全选

echo "router1\t2\tRouter #1 is down" | /usr/local/libexec/nagios/send_nsca -H nagios.kernel-panic.it

你可以修改默认的 delimiter (tab) ，使用一个 send_nsca的 "-d" 选项。现在, 一切正常, NSCA进程接收的每条信息将在Nagios日志文件里产生如下的一行内容:
文件 /var/www/var/log/nagios/nagios.log

代码: 全选

[1167325538] EXTERNAL COMMAND: PROCESS_SERVICE_CHECK_RESULT;www1;backup;0;Backup completed successfully

5.3 NagVis and NDO

NagVis 是一个Nagios的可视化插件; 它可以为用户提供一个 图形化 Nagios数据。它需要安装 PHP 以及一些库文件:

• libxml-x.x.x.tgz
• t1lib-x.x.x.tgz
• jpeg-x.tgz
• png-x.x.x.tgz
• php5-core-x.x.x.tgz
• php5-gd-x.x.x-no_x11.tgz
• mysql-client-x.x.x.tgz
• php5-mysql-x.x.x.tgz

Apache已经启动了, 所以我们只需启用刚安装的php模块:

代码: 全选

# ln -s /var/www/conf/modules.sample/php5.conf /var/www/conf/modules
# ln -fs /var/www/conf/php5.sample/gd.ini /var/www/conf/php5/gd.ini
# ln -fs /var/www/conf/php5.sample/mysql.ini /var/www/conf/php5/mysql.ini

删除掉配置文件 /var/www/conf/httpd.conf 里下列行的注释符:
文件 /var/www/conf/httpd.conf

代码: 全选

AddType application/x-httpd-php .php

然后重新启动Apache:

代码: 全选

# apachectl restart
/usr/sbin/apachectl restart: httpd restarted

5.3.1 安装NDO和MySQL
在版本NagVis 1.0时, NagVis可以直接从Nagios拖回数据; 不过现在这个特性已经不再支持了，而NagVis希望数据保存在一个MySQL数据库内, 因为需要安装Nagios 数据输出工具 —— NDOUTILS 插件。


NDOUTILS 插件允许你从一个或多个Nagios实例输出当前、历史数据到一个 MySQL 数据库, 所以它在Nagios和Mysql之间提供了一个接口。这个插件包含几个部件, 但是我们只需要其中的两个:

• the NDOMOD event broker module, which is loaded by Nagios at startup and dumps all events and data from Nagios to a Unix or TCP socket;
• the NDO2DB daemon, which is a standalone daemon and reads the output produced by the NDOMOD module through the Unix or TCP socket and dumps it into the database.

首先, 我们需要安装MySQL; 下面是所需的packages清单:

• p5-Net-Daemon-x.x.tgz
• p5-PlRPC-x.x.tgz
• p5-DBI-x.x.tgz
• p5-DBD-mysql-x.x.tgz
• mysql-server-x.x.x.tgz

接下来, 我们需要 下载, 提取和编译NDOUTILS tarball:

代码: 全选

# tar -zxvf ndoutils-x.x.x.tar.gz
[ ... ]
# cd ndoutils-x.x.x
# ./configure --disable-pgsql --enable-mysql --with-mysql-lib=/usr/local/lib \
>   --with-mysql-inc=/usr/local/include
[ ... ]
# make

注意: 如果在这里无法成功编译文件dbhandlers.c, 安装 这个补丁 试试，这个补丁应用于版本1.4b9， 你只需在源代码树外面运行下列命令:

代码: 全选

# patch -p0 < ndo-openbsd.patch

现在我么你可以启动 MySQL 了, 为root用户设置一个密码，然后创建相应的数据库和用户。数据库创建脚本在提取的tarball的 db/ 目录。

代码: 全选

# cp /usr/local/share/mysql/my-medium.cnf /etc/my.cnf
# /usr/local/bin/mysql_install_db
[ ... ]
# mysqld_safe &
Starting mysqld daemon with databases from /var/mysql
# /usr/local/bin/mysql_secure_installation
[ ... ]
Enter current password for root (enter for none): <enter>
[ ... ]
Set root password? [Y/n] Y
New password: root
Re-enter new password: root
[ ... ]
Remove anonymous users? [Y/n] Y
[ ... ]
Disallow root login remotely? [Y/n] Y
[ ... ]
Remove test database and access to it? [Y/n] Y
[ ... ]
Reload privilege tables now? [Y/n] Y
[ ... ]
# mysql -u root -p
password: root
Welcome to the MySQL monitor.  Commands end with ; or \g.
Server version: 5.0.51a-log OpenBSD port: mysql-server-5.0.51a
 
Type 'help;' or '\h' for help. Type '\c' to clear the buffer.
 
mysql> create database nagios;
Query OK, 1 row affected (0.02 sec)
 
mysql> use nagios;
Database changed
mysql> \.  db/mysql.sql
[...]
mysql> GRANT SELECT, INSERT, UPDATE, DELETE ON nagios.* TO 'ndouser'@'localhost' IDENTIFIED BY 'ndopasswd';
mysql> \q

现在我们需要手动拷贝二进制和配置文件:

代码: 全选

# cp src/ndomod-3x.o /usr/local/libexec/nagios/ndomod.o
# cp config/ndomod.cfg-sample /var/www/etc/nagios/ndomod.cfg
# cp src/ndo2db-3x /usr/local/sbin/ndo2db
# cp config/ndo2db.cfg-sample /var/www/etc/nagios/ndo2db.cfg

然后编辑NDOMOD的配置文件:
文件 /var/www/etc/nagios/ndomod.cfg

代码: 全选

instance_name=default
output_type=unixsocket
output=/var/nagios/rw/ndo.sock
 
output_buffer_items=5000
buffer_file=/var/nagios/rw/ndomod.tmp
 
file_rotation_interval=14400
file_rotation_timeout=60
 
reconnect_interval=15
reconnect_warning_interval=15
data_processing_options=-1
config_output_options=3

接下来是NDO2DB的配置文件:
文件 /var/www/etc/nagios/ndo2db.cfg

代码: 全选

lock_file=/var/run/nagios/ndo2db.lock
 
ndo2db_user=_nagios
ndo2db_group=_nagios
 
socket_type=unix
socket_name=/var/www/var/nagios/rw/ndo.sock
 
db_servertype=mysql
db_host=localhost
db_port=3306
db_name=nagios
db_prefix=nagios_
db_user=ndouser
db_pass=ndopasswd
 
max_timedevents_age=1440
max_systemcommands_age=10080
max_servicechecks_age=10080
max_hostchecks_age=10080
max_eventhandlers_age=44640
 
debug_level=0
debug_verbosity=1
debug_file=/var/www/var/log/nagios/ndo2db.debug
max_debug_file_size=1000000

接着，我们必须让Nagios在启动时调用 event broker 模块, 将下行加入到 主配置文件里:
文件 /var/www/etc/nagios/nagios.cfg

代码: 全选

broker_module=/usr/local/libexec/nagios/ndomod.o config_file=/var/www/etc/nagios/ndomod.cfg

最后, 我们可以启动NDO2DB进程了，然后重新启动Nagios:

代码: 全选

# /usr/local/sbin/ndo2db -c /var/www/etc/nagios/ndo2db.cfg
# chmod 770 /var/www/var/nagios/rw/ndo.sock
# pkill nagios
# nagios -d /var/www/etc/nagios/nagios.cfg

将下列行加入到文件 /etc/rc.local 里以便 NDO2DB 进程随系统启动:
文件 /etc/rc.local

代码: 全选

if [ -x /usr/local/sbin/ndo2db ]; then
    echo -n ' ndo2db'
    /usr/local/sbin/ndo2db -c /var/www/etc/nagios/ndo2db.cfg
    chmod 770 /var/www/var/nagios/rw/ndo.sock
fi

5.3.2 配置NagVis
现在我们已经完成了先决条件, 我们可以 下载 和提取NagVis tarball:

代码: 全选

# tar -zxvf nagvis-x.x.x.tar.gz -C /var/www/nagios/
[ ... ]
# mv /var/www/nagios/nagvis-x.x.x /var/www/nagios/nagvis
# chown -R www /var/www/nagios/nagvis/{etc,var}

下面是一个简单的 NagVis 配置文件; 请参考 文档 以了解每个参数的细节:
文件 /var/www/nagios/nagvis/etc/nagvis.ini.php

代码: 全选

; <?php return 1; ?>
 
[global]
language               = "en_US"
refreshtime            = 60
dateformat             = "Y-m-d H:i:s"
 
[defaults]
backend                = "ndomy_1"
; Default icons' size (icons can be found in
; /var/www/nagios/nagvis/images/iconsets)
icons                  = "std_medium"
recognizeservices      = 1
onlyhardstates         = 0
backgroundcolor        = "#fff"
contextmenu            = 1
eventbackground        = 0
eventhighlight         = 1
eventhighlightduration = 10000
eventhighlightinterval = 500
eventlog               = 0
eventloglevel          = "info"
eventlogheight         = 75
eventloghidden         = 1
eventscroll            = 1
eventsound             = 1
headermenu             = 1
headertemplate         = "default"
hovermenu              = 1
hovertemplate          = "default"
hoverdelay             = 0
hoverchildsshow        = 1
hoverchildslimit       = 10
hoverchildsorder       = "asc"
hoverchildssort        = "s"
icons                  = "std_medium"
onlyhardstates         = 0
recognizeservices      = 1
showinlists            = 1
urltarget              = "_self"
hosturl                = "[htmlcgi]/status.cgi?host=[host_name]"
hostgroupurl           = "[htmlcgi]/status.cgi?hostgroup=[hostgroup_name]"
serviceurl             = "[htmlcgi]/extinfo.cgi?type=2&host=[host_name]&service=[service_description]"
servicegroupurl        = "[htmlcgi]/status.cgi?servicegroup=[servicegroup_name]&style=detail"
 
[wui]
autoupdatefreq         = 25
maplocktime            = 5
allowedforconfig       = nagiosadmin
 
[paths]
base                   = "/nagios/nagvis/"
htmlbase               = "/nagios/nagvis"
htmlcgi                = "/cgi-bin/nagios"
 
[index]
backgroundcolor        = #fff
cellsperrow            = 4
headermenu             = 1
headertemplate         = "default"
showrotations          = 1
 
[automap]
defaultparams          = "&maxLayers=2"
showinlists            = 0
 
[worker]
interval               = 10
requestmaxparams       = 0
requestmaxlength       = 1900
updateobjectstates     = 30
 
[backend_ndomy_1]
backendtype            = "ndomy"
dbhost                 = "127.0.0.1"
dbport                 = 3306
dbname                 = "nagios"
dbuser                 = "ndouser"
dbpass                 = "ndopasswd"
dbprefix               = "nagios_"
dbinstancename         = "default"
maxtimewithoutupdate   = 180
htmlcgi                = "/cgi-bin/nagios"
 
; In this example, the browser switches between the 'dmz' and 'lan' maps every
; 15 seconds. The rotation is enabled by specifying the URL:
; https://your.nagios.server/nagios/nagvis/index.php?rotation=kp
[rotation_kp]
maps                   = "dmz,lan"
interval               = 15

5.3.3 Maps 定义
现在我们需要为NagVis创建用于每张map的图形背景，然后将其放在 /var/www/nagios/nagvis/images/maps/ 目录。你可以从 这里 找到一些实例。
一旦做好了map图形, 我们可以告诉NagVis将目标存放在map的什么位置上，这只需通过创建和产生maps的配置文件来完成。每个map必须有同名的相应的配置文件 (在 /var/www/nagios/nagvis/etc/maps/) , 加上 ".cfg" 扩展名。下面是一个简单的 map 配置文件; 语法很简单, 所以你可以自行调整，包含自己的主机和服务 (请参阅此 文档 以了解细节)。
文件 /var/www/nagios/nagvis/etc/maps/dmz.cfg

代码: 全选

# The 'global' statement sets some default values that will be inherited by all
# other objects
define global {
# List of users allowed to view this map
    allowed_user=nagiosadmin,operator
# List of users allowed to modify this map via the web interface
    allowed_for_config=nagiosadmin
# Defaul iconset (if omitted, it is inherited from the main configuration file)
    iconset=std_medium
# Background image
    map_image=dmz.png
}
 
# Display the status of our 'www1' web server
define host {
    host_name=www1
# Coordinates of the host on the map
    x=268
    y=166
# Set this to '1' if you want the host status to also include the status
# of its services
    recognize_services=0
}
 
# Display the status of the 'WWW' service on the 'www1' web server
define service {
    host_name=www1
    service_description=WWW
    x=588
    y=165
# As you can see, 'global' options can be overridden in subsequent objects
    iconset=std_small
}
 
# Display the worst state of hosts in the 'WWW' hostgroup
define hostgroup {
    hostgroup_name=WWW
    x=298
    y=363
    recognize_services=1
}
 
# Display the worst state of services in the 'www-services' servicegroup
define servicegroup {
    servicegroup_name=www-services
    x=609
    y=363
}
 
# Display the worst state of objects represented in another NagVis map
define map {
    map_name=lan
    x=406
    y=323
}
 
# Draw a textfield on the map
define textbox {
# Text may include HTML
    text="This is the DMZ network"
    x=490
    y=394
    w=117
}

要允许通过web接口修改 NagVis 的配置, 请确保所有的配置文件隶属于、可写于 www 用户。

代码: 全选

# chown www /var/www/nagios/nagvis/etc/maps/*.cfg
# chmod 644 /var/www/nagios/nagvis/etc/maps/*.cfg

[leo]

这里就不翻译了，相信要自己写插件的朋友自然读得懂
6. 编写自己的Nagios插件
Plugins are executable files run by Nagios to determine the status of a host or service. By default, Nagios comes with a very rich set of official plugins that should cover most people's needs; in addition, you can find lots of contributed plugins on the Monitoring Exchange website, some of which are also available via OpenBSD's packages and ports system.
However, despite the abundance of plugins, there may be occasions in which no existing plugin is suitable for monitoring a particular service, thus forcing you to write a fully custom plugin, tailored to your exact needs. Luckily, this is a very simple task!
Nagios doesn't bind you to a specific programming language: plugins may be either compiled C programs or interpreted scripts, in Perl, shell, Python or any other language. Nagios doesn't mess with the internals of plugins; however, it asks developers to follow a few basic guidelines, just for standard's sake.

6.1 Command line options

A plugin's command line must follow some specific requirements:

• positional arguments are strongly discouraged;
• all plugins should provide a "-V" command-line option (and "--version" if long options are enabled) to display the plugin's revision number;
• the "-?" option, as well as any incorrect option, displays a short usage statement that should fit on a standard 80x25 terminal;
• the "-h", or "--help", option displays detailed help information;
• the "-v", or "--verbose", option adjusts the verbosity level; multiple "-v" options (up to 3) should increase the verbosity level, as described in the official guidelines;
• There are a few other reserved options that should not be used for other purposes:
  • "-t" or "--timeout" (plugin timeout);
  • "-w" or "--warning" (warning threshold);
  • "-c" or "--critical" (critical threshold);
  • "-H" or "--hostname" (name of the host to check).

6.2 Plugin return codes
此处请直接参阅原文
6.3 A sample plugin script


Just a couple of notes before moving to a practical example:

• plugins can access macros as environment variables; such variables have the same name as the corresponding macros, with "NAGIOS_" prepended. For instance, the "$HOSTNAME$" macro will be accessible through the "NAGIOS_HOSTNAME" environment variable;
• always specify the full path of any system commands run from your plugins.

Well, so let's see, as an example, what a plugin to monitor the amount of free memory on the local machine could look like:
文件 /usr/local/libexec/nagios/check_free_mem.sh

代码: 全选

#!/bin/ksh
 
################################################################################
# Sample Nagios plugin to monitor free memory on the local machine             #
# Author: Daniele Mazzocchio (http://www.kernel-panic.it/)                     #
################################################################################
 
VERSION="Version 1.0"
AUTHOR="(c) 2007-2009 Daniele Mazzocchio ([email protected])"
 
PROGNAME=`/usr/bin/basename $0`
 
# Constants
BYTES_IN_MB=$(( 1024 * 1024 ))
KB_IN_MB=1024
 
# Exit codes
STATE_OK=0
STATE_WARNING=1
STATE_CRITICAL=2
STATE_UNKNOWN=3
 
# Helper functions #############################################################
 
function print_revision {
   # Print the revision number
   echo "$PROGNAME - $VERSION"
}
 
function print_usage {
   # Print a short usage statement
   echo "Usage: $PROGNAME [-v] -w <limit> -c <limit>"
}
 
function print_help {
   # Print detailed help information
   print_revision
   echo "$AUTHOR\n\nCheck free memory on local machine\n"
   print_usage
 
   /bin/cat <<__EOT
 
Options:
-h
   Print detailed help screen
-V
   Print version information
 
-w INTEGER
   Exit with WARNING status if less than INTEGER MB of memory are free
-w PERCENT%
   Exit with WARNING status if less than PERCENT of memory is free
-c INTEGER
   Exit with CRITICAL status if less than INTEGER MB of memory are free
-c PERCENT%
   Exit with CRITICAL status if less than PERCENT of memory is free
-v
   Verbose output
__EOT
}
 
# Main #########################################################################
 
# Total memory size (in MB)
tot_mem=$(( `/sbin/sysctl -n hw.physmem` / BYTES_IN_MB))
# Free memory size (in MB)
free_mem=$(( `/usr/bin/vmstat | /usr/bin/tail -1 | /usr/bin/awk '{ print $5 }'` / KB_IN_MB ))
# Free memory size (in percentage)
free_mem_perc=$(( free_mem * 100 / tot_mem ))
 
# Verbosity level
verbosity=0
# Warning threshold
thresh_warn=
# Critical threshold
thresh_crit=
 
# Parse command line options
while [ "$1" ]; do
   case "$1" in
       -h | --help)
           print_help
           exit $STATE_OK
           ;;
       -V | --version)
           print_revision
           exit $STATE_OK
           ;;
       -v | --verbose)
           : $(( verbosity++ ))
           shift
           ;;
       -w | --warning | -c | --critical)
           if [[ -z "$2" || "$2" = -* ]]; then
               # Threshold not provided
               echo "$PROGNAME: Option '$1' requires an argument"
               print_usage
               exit $STATE_UNKNOWN
           elif [[ "$2" = +([0-9]) ]]; then
               # Threshold is a number (MB)
               thresh=$2
           elif [[ "$2" = +([0-9])% ]]; then
               # Threshold is a percentage
               thresh=$(( tot_mem * ${2%\%} / 100 ))
           else
               # Threshold is neither a number nor a percentage
               echo "$PROGNAME: Threshold must be integer or percentage"
               print_usage
               exit $STATE_UNKNOWN
           fi
           [[ "$1" = *-w* ]] && thresh_warn=$thresh || thresh_crit=$thresh
           shift 2
           ;;
       -?)
           print_usage
           exit $STATE_OK
           ;;
       *)
           echo "$PROGNAME: Invalid option '$1'"
           print_usage
           exit $STATE_UNKNOWN
           ;;
   esac
done
 
if [[ -z "$thresh_warn" || -z "$thresh_crit" ]]; then
   # One or both thresholds were not specified
   echo "$PROGNAME: Threshold not set"
   print_usage
   exit $STATE_UNKNOWN
elif [[ "$thresh_crit" -gt "$thresh_warn" ]]; then
   # The warning threshold must be greater than the critical threshold
   echo "$PROGNAME: Warning free space should be more than critical free space"
   print_usage
   exit $STATE_UNKNOWN
fi
 
if [[ "$verbosity" -ge 2 ]]; then
   # Print debugging information
   /bin/cat <<__EOT
Debugging information:
  Warning threshold: $thresh_warn MB
  Critical threshold: $thresh_crit MB
  Verbosity level: $verbosity
  Total memory: $tot_mem MB
  Free memory: $free_mem MB ($free_mem_perc%)
__EOT
fi
 
if [[ "$free_mem" -lt "$thresh_crit" ]]; then
   # Free memory is less than the critical threshold
   echo "MEMORY CRITICAL - $free_mem_perc% free ($free_mem MB out of $tot_mem MB)"
   exit $STATE_CRITICAL
elif [[ "$free_mem" -lt "$thresh_warn" ]]; then
   # Free memory is less than the warning threshold
   echo "MEMORY WARNING - $free_mem_perc% free ($free_mem MB out of $tot_mem MB)"
   exit $STATE_WARNING
else
   # There's enough free memory!
   echo "MEMORY OK - $free_mem_perc% free ($free_mem MB out of $tot_mem MB)"
   exit $STATE_OK
fi

[leo]

7. Appendix

7.1 References

• OpenBSD installation guide
• The OpenBSD packages and ports system
• Nagios official documentation
• NagiosExchange, the central repository for Nagios plugins
• mod_ssl F.A.Q. list
• NagVis official documentation
• Nagios plug-in development guidelines

7.2 Bibliography

• Pro Nagios 2.0, James Turnbull, Apress, 2006
• Nagios System and Network Monitoring, W. Barth, No Starch Press, 2006
• FreeBSD and OpenBSD Security, Y. Korff, P. Hope & B. Potter, O'Reilly, 2005

[junfengfan]

请leo等能否写一个nagios的教程，这个东西我觉得好~~因为我们学校有150台电脑左右，如果能监控起来，那真是了不起，也很有成就感，很有意思！可是我总觉得这个很难~~~~

[leo]

这个教程还不够详细吗？

[junfengfan]

纯理论介绍的多,实际操作的步骤写的不清晰,如果做的象您做 openbsd apache13+php+mysql那样才感觉好,它的这个文章真比不上您的那篇~~~~~~理论性知识放在安装步骤中间,或者详细安装后面再讲,我认为应该更好,谢谢您

[leo]

我觉得人家这篇已经相当得细致了，堪称力作，也很佩服作者的share精神，不清楚您说的是哪里不明晰？我总觉得直接提出具体问题好一些。