Shinken on RedHat 6 with Thruk and PNP4Nagios HOWTO

We’ll install Shinken with the Thruk web user interface and the PNP4Nagios graphs. We’ll also configure SNMP, NRPE and SSH access to the monitored hosts.

Packages will be installed in /opt unless they are already packaged.


Prepare sources:

mkdir /opt/shinken-dl/
tar xzf shinken-1.4.tar.gz -C /opt/shinken-dl/  # tarball in the current directory


cd /opt/shinken-dl/shinken-1.4/
TARGET=/opt/shinken SKUSER=shinken SKGROUP=shinken ./install -i
./install -p nagios-plugins
./install -p manubulon  # snmp checks
./install -p check_netint  # network/traffic checks
Mandatory configuration:
  • In /opt/shinken/etc/shinken-specific.cfg, define auth_secret with a random password
  • Fix path to the mail command:
sed -i -e 's,/usr/bin/mail,mail,' /opt/shinken/etc/commands.cfg
Optional configuration:
  • Change in /opt/shinken/etc/nagios.cfg:
  • Avoid flapping due to having the same timeout for service checks (UNKNOWN) and for check_https (CRITICAL):
  • Support long event handlers:
  • Change in templates.cfg:
  • If you need hosts that can’t be ping’d, comment out in generic-host:
#check_command                  check_host_alive
  • Notifications may be sent even if the host is outside its notification hours, but you can force host>service inheritance by commenting this out in generic-service:
#notification_period             24x7
  • Same for check periods:
#check_period             24x7
  • Notifications are sent every hour by default; you can change that to every day:
notification_interval           1440
  • Add ‘u,f’ to service notifications in notificationway:service_notification_options
  • If you need a global event handler (workaround for issue 717), modify generic-service:
event_handler_enabled           1
event_handler                   test_log_service


In case you need to configure the Shinken mail sender:

echo "shinken   shinken-notifications@mydomain.tld" >> /etc/postfix/canonical
postmap /etc/postfix/canonical
cat <<'EOF' >> /etc/postfix/
sender_canonical_maps = hash:/etc/postfix/canonical
EOF

Shinken also sends mail to none@localhost which is the contact for user ‘guest’. This triggers bounces, so you can auto-trash these mails:

echo 'none: /dev/null' >> /etc/aliases && newaliases


Follow use_with_thruk:
rpm -ivh

Thruk is available at: http://YOUR_SHINKEN_IP/thruk/


Follow integrationwithothersoftware/pnp:
  • Go to the Shinken sources and set the installation path in /opt/shinken-dl/shinken-1.4/install.d/shinken.conf:

PNP4Nagios is now linked from Thruk through action_url, and more generally available at http://YOUR_SHINKEN_IP/pnp4nagios/

Monitored hosts


Let’s enable SNMP on our monitored hosts.

# Install SNMP server:
yum install net-snmp

# Read-only access:
echo "rocommunity public" > /etc/snmp/snmpd.conf

# Don't log each SNMP request:
[ -e /etc/sysconfig/snmpd ]         && echo 'OPTIONS="-LS0-4d -Lf /dev/null -p /var/run/"'  >> /etc/sysconfig/snmpd  # RHEL6
[ -e /etc/sysconfig/snmpd.options ] && echo 'OPTIONS="-LSwd -Lf /dev/null -p /var/run/ -a"' >> /etc/sysconfig/snmpd.options  # RHEL5

# Launch SNMP server on startup:
chkconfig snmpd on
service snmpd restart
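
An added example, not part of the original HOWTO: "rocommunity public" with no source lets any host that can reach the SNMP port read the agent, so this flags such directives and builds a read-only line limited to the poller. The sample config, the 192.0.2.10 address and both function names are constructed for illustration.

```shell
#!/bin/sh
# Added example, not from the original HOWTO.
# Flags community directives in an snmpd.conf that any host can use.
audit_snmpd_conf() {  # $1 = path to snmpd.conf; prints one finding per line
    awk '
    # Syntax: rocommunity|rwcommunity[6] COMMUNITY [SOURCE [OID | -V VIEW]]
    $1 ~ /^r[ow]community6?$/ {
        if ($2 == "public" || $2 == "private")
            printf "%d: well-known community string \"%s\"\n", NR, $2
        if (NF < 3 || $3 == "default")
            printf "%d: no SOURCE restriction, any host may query\n", NR
        if ($1 ~ /^rw/)
            printf "%d: read-write community\n", NR
    }' "$1"
}

# Builds a read-only line with a random community string, limited to one poller.
hardened_rocommunity() {  # $1 = poller address (YOUR_SHINKEN_IP)
    community=$(head -c 16 /dev/urandom | od -An -tx1 | tr -d ' \n')
    printf 'rocommunity %s %s\n' "$community" "$1"
}

# Constructed sample input: the line from this HOWTO plus two variants.
sample=$(mktemp)
cat > "$sample" <<'EOF'
# constructed sample snmpd.conf
rocommunity public
rwcommunity private default
rocommunity 3f9c0a17e2 192.0.2.10
EOF
audit_snmpd_conf "$sample"
hardened_rocommunity 192.0.2.10
rm -f "$sample"
```

Use the generated line in /etc/snmp/snmpd.conf in place of the public one, restart snmpd, and configure the same community string on the Shinken side.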


Let’s enable NRPE on our monitored hosts (port 5666).

# Activate the EPEL6 repository - install:

# Install NRPE server:
yum install nrpe

# Allow access from Shinken poller:
sed -i -e 's/^allowed_hosts=.*/allowed_hosts=,YOUR_SHINKEN_IP/' /etc/nagios/nrpe.cfg

# Launch NRPE server on startup:
chkconfig nrpe on
service nrpe start

Enable and configure remote checks in /etc/nagios/nrpe.cfg.


Let’s give Shinken access to our monitored hosts, e.g. to execute event handlers or run NRPE through SSH:

On the Shinken server, generate an SSH key /home/shinken/.ssh/id_rsa:

sudo -u shinken ssh-keygen

On each monitored host:

  • Create a monitaction user with limited rights, accessed by Shinken:
useradd -r monitaction -m
mkdir -pm 700 ~monitaction/.ssh/
echo "ssh-rsa AAAAB3...EKtMx/9o0ApJl shinken@rh6" > ~monitaction/.ssh/authorized_keys  # from /home/shinken/.ssh/
chown -R monitaction: ~monitaction/.ssh/
mkdir -pm 750 /etc/sudoers.d/
touch /etc/sudoers.d/local
chmod 440 /etc/sudoers.d/local
  • Edit /etc/sudoers.d/local to give it privileges, e.g.:
Defaults !requiretty
monitaction ALL= NOPASSWD: /sbin/service jbossas7 *
monitaction ALL= NOPASSWD: /sbin/service thunderhead *
monitaction ALL= NOPASSWD: /sbin/service httpd *

Test from the Shinken server:

ssh -oStrictHostKeyChecking=no -oUserKnownHostsFile=/dev/null 192.168.X.X -l monitaction -t sudo /sbin/service httpd reload

Of course, open firewall access from the Shinken server to the monitored host’s SSH.
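
An added example, not part of the original HOWTO, for the monitaction setup above: it limits the Shinken key to the poller address in authorized_keys and replaces the "*" in the sudoers rules with explicit actions, since a sudoers wildcard matches any argument string. The 192.0.2.10 address, the key text, the action list and both function names are assumptions made for illustration.

```shell
#!/bin/sh
# Added example, not from the original HOWTO.

# Prefixes a public key with authorized_keys options: the key is accepted only
# from the poller address and cannot be used for forwarding.
restricted_key_line() {  # $1 = poller address, $2 = public key line
    printf 'from="%s",no-agent-forwarding,no-port-forwarding,no-X11-forwarding %s\n' "$1" "$2"
}

# Rewrites "... /sbin/service NAME *" rules into explicit action lists.
# All other lines pass through unchanged.
tighten_sudoers() {  # $1 = sudoers fragment, $2 = space-separated actions
    awk -v actions="$2" '
    NF >= 3 && $NF == "*" && $(NF-2) == "/sbin/service" {
        n = split(actions, act, " ")
        prefix = $0
        sub(/[ \t]*\/sbin\/service.*$/, "", prefix)
        cmds = ""
        for (i = 1; i <= n; i++)
            cmds = cmds (i > 1 ? "," : "") " /sbin/service " $(NF-1) " " act[i]
        print prefix cmds
        next
    }
    { print }' "$1"
}

# Constructed sample input: two rules in the form used in this HOWTO.
frag=$(mktemp)
cat > "$frag" <<'EOF'
Defaults !requiretty
monitaction ALL= NOPASSWD: /sbin/service httpd *
monitaction ALL= NOPASSWD: /sbin/service jbossas7 *
EOF
tighten_sudoers "$frag" "reload restart status"
restricted_key_line 192.0.2.10 "ssh-rsa AAAA_CONSTRUCTED_KEY shinken@rh6"
rm -f "$frag"
```

Check the rewritten fragment with visudo -cf before installing it as /etc/sudoers.d/local.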

Extra: Graphite

If you’re interested in Graphite, you can start from this basis:

Additional configuration:

echo "/opt/graphite/bin/ start" >> /etc/rc.local
chgrp apache /opt/graphite/storage/
chmod g+w /opt/graphite/storage/
sudo -u apache /opt/graphite/bin/python /opt/graphite/webapp/graphite/ runserver  # TODO: access from Apache
# Remove the numerous dummy network graphs created by mistake by Graphite:
echo "rm -f /opt/graphite/storage/whisper/*/shinken/NetworkUsage/*_13????????_.wsp" >> /etc/cron.daily/graphite-cleanup
chmod 755 /etc/cron.daily/graphite-cleanup
