Install Nagios Server on Rocky Linux 10 / AlmaLinux 10

Nagios Core remains one of the most battle-tested infrastructure monitoring platforms available. It watches your hosts, services, and network devices, then fires off alerts when something falls over. Its real strength sits in the plugin architecture. Thousands of community and official plugins let you monitor nearly anything: HTTP endpoints, disk usage, CPU load, database replication lag, certificate expiry, and far more. If you can write a script that returns an exit code, you can turn it into a Nagios plugin.

This guide walks through a full Nagios Core installation on Rocky Linux 10 or AlmaLinux 10, compiled from source. We will compile the core daemon and the standard plugin pack, wire up the Apache web interface, lock down SELinux and the firewall, add a remote Linux host with NRPE, and configure email notifications. By the end you will have a working monitoring server ready for production use.

Prerequisites

Before you start, confirm the following are in place:

• A server running Rocky Linux 10 or AlmaLinux 10 with a minimal or server installation.
• Root or sudo access.
• A static IP address or a DNS name that resolves to the server.
• A working internet connection so the server can pull packages and source tarballs.
• Apache (httpd), PHP, and GCC will be installed during this guide. GCC is needed because we compile Nagios and its plugins from source.

Update the system packages first so you are working from a clean baseline.

sudo dnf update -y

Step 1: Install Build Dependencies

Nagios Core compiles from C source, and the plugins have their own dependency tree. Install everything in one pass so the build does not stall halfway through.

sudo dnf install -y gcc glibc glibc-common make gettext automake autoconf \
  wget openssl-devel net-snmp net-snmp-utils epel-release \
  perl-Net-SNMP postfix unzip httpd php php-fpm gd gd-devel

After the EPEL repository is enabled, pull in a few more packages that some plugins rely on.

sudo dnf install -y perl-IPC-Run perl-IO-Tty

Step 2: Create the Nagios User and Group

Nagios runs under its own unprivileged user. The web server needs membership in the nagios group so Apache can read the command pipe.

sudo useradd nagios
sudo groupadd nagcmd
sudo usermod -aG nagcmd nagios
sudo usermod -aG nagcmd apache

Step 3: Download and Compile Nagios Core

Grab the latest stable tarball from the Nagios GitHub releases page. At the time of writing, version 4.5.9 is current.

cd /tmp
VER="4.5.9"
wget https://github.com/NagiosEnterprises/nagioscore/releases/download/nagios-${VER}/nagios-${VER}.tar.gz

Extract the archive and move into the source directory.

tar xzf nagios-${VER}.tar.gz
cd nagios-${VER}

Run the configure script. The --with-command-group flag ties into the nagcmd group we created earlier.

./configure --with-command-group=nagcmd

Compile the source. The -j$(nproc) flag uses all available CPU cores to speed up the build.

make -j$(nproc) all

Now install Nagios, the init scripts, the sample configuration, and the Apache configuration in sequence.

sudo make install
sudo make install-init
sudo make install-commandmode
sudo make install-config
sudo make install-webconf

Step 4: Download and Compile Nagios Plugins

Without plugins, Nagios has no way to actually check anything. The standard plugin pack provides the checks most administrators need out of the box.

cd /tmp
PLUGVER="2.4.12"
wget https://github.com/nagios-plugins/nagios-plugins/releases/download/release-${PLUGVER}/nagios-plugins-${PLUGVER}.tar.gz

Extract and compile the plugins.

tar xzf nagios-plugins-${PLUGVER}.tar.gz
cd nagios-plugins-${PLUGVER}
./configure --with-nagios-user=nagios --with-nagios-group=nagios
make -j$(nproc)
sudo make install

The compiled plugin binaries land in /usr/local/nagios/libexec/. You can list them to confirm the build completed properly.

ls /usr/local/nagios/libexec/

Step 5: Configure Apache for the Nagios Web UI

The make install-webconf step earlier dropped an Apache config file at /etc/httpd/conf.d/nagios.conf. That file handles the URL alias and directory permissions. The only manual step left is creating the nagiosadmin user that the web interface uses for authentication.

sudo htpasswd -c /usr/local/nagios/etc/htpasswd.users nagiosadmin

You will be prompted to set a password. Choose something strong. This account controls access to the entire Nagios web interface, including the ability to acknowledge alerts and schedule downtime.

Enable and start both Apache and PHP-FPM.

sudo systemctl enable --now httpd
sudo systemctl enable --now php-fpm

Step 6: Configure the Firewall

Rocky Linux 10 and AlmaLinux 10 ship with firewalld active by default. Open HTTP and HTTPS so you can reach the web interface from your workstation.

sudo firewall-cmd --add-service=http --permanent
sudo firewall-cmd --add-service=https --permanent
sudo firewall-cmd --reload

Verify the rules took effect.

sudo firewall-cmd --list-all

You should see http and https listed under the services section of the active zone.

Step 7: SELinux Configuration

If SELinux is in enforcing mode (and it should be on a production server), Apache will be blocked from communicating with the Nagios CGI binaries and the command pipe. Apply the following SELinux booleans to allow the necessary access.

sudo setsebool -P httpd_can_network_connect 1
sudo setsebool -P httpd_can_network_connect_db 1

Next, set the correct SELinux context on the Nagios CGI directory and the command pipe.

sudo chcon -R -t httpd_sys_content_t /usr/local/nagios/sbin/
sudo chcon -R -t httpd_sys_rw_content_t /usr/local/nagios/var/rw/

For the changes to survive a relabel, create a permanent file context rule.

sudo semanage fcontext -a -t httpd_sys_content_t "/usr/local/nagios/sbin(/.*)?"
sudo semanage fcontext -a -t httpd_sys_rw_content_t "/usr/local/nagios/var/rw(/.*)?"
sudo restorecon -Rv /usr/local/nagios/sbin/
sudo restorecon -Rv /usr/local/nagios/var/rw/

If semanage is not found, install the policycoreutils-python-utils package.

sudo dnf install -y policycoreutils-python-utils

Step 8: Start Nagios and Verify the Web UI

Before starting the daemon, run the built-in configuration verifier. This catches syntax errors in your object definitions before they cause a startup failure.

sudo /usr/local/nagios/bin/nagios -v /usr/local/nagios/etc/nagios.cfg

If the output ends with “Things look okay,” enable and start the Nagios service.

sudo systemctl enable --now nagios

Confirm the service is running without errors.

sudo systemctl status nagios

Open a browser and navigate to http://your-server-ip/nagios. Log in with the nagiosadmin credentials you created earlier. The dashboard should show the localhost with its default service checks already running. Click on “Services” in the left sidebar to see check results for PING, HTTP, Current Load, Root Partition, and other built-in checks against the local machine.

Step 9: Add Your First Remote Linux Host with NRPE

Nagios monitors remote Linux hosts through the NRPE (Nagios Remote Plugin Executor) agent. NRPE runs on the remote host, listens on port 5666, and executes local plugins when the Nagios server asks it to. This keeps check logic on the remote side and avoids the need for SSH-based checks.

On the Remote Host

Install NRPE and the Nagios plugins on the machine you want to monitor. EPEL provides prebuilt packages.

sudo dnf install -y epel-release
sudo dnf install -y nrpe nagios-plugins-all

Edit the NRPE configuration to allow connections from your Nagios server IP. Replace NAGIOS_SERVER_IP with the actual address.

sudo sed -i "s/^allowed_hosts=.*/allowed_hosts=127.0.0.1,::1,NAGIOS_SERVER_IP/" /etc/nagios/nrpe.cfg

Open port 5666 in the remote host firewall, then start NRPE.

sudo firewall-cmd --add-port=5666/tcp --permanent
sudo firewall-cmd --reload
sudo systemctl enable --now nrpe

On the Nagios Server

Install the check_nrpe plugin so the Nagios server can talk to remote NRPE agents.

cd /tmp
NRPEVER="4.1.1"
wget https://github.com/NagiosEnterprises/nrpe/releases/download/nrpe-${NRPEVER}/nrpe-${NRPEVER}.tar.gz
tar xzf nrpe-${NRPEVER}.tar.gz
cd nrpe-${NRPEVER}
./configure
make check_nrpe
sudo make install-plugin

Test connectivity from the Nagios server to the remote host.

/usr/local/nagios/libexec/check_nrpe -H REMOTE_HOST_IP

You should see the NRPE version string returned. If the connection times out, check the firewall rules and the allowed_hosts line on the remote side.

Now define the remote host and its services in Nagios. Create a configuration file for the new host.

sudo vi /usr/local/nagios/etc/objects/remotehost.cfg

Add the following object definitions. Adjust the host_name, alias, and address to match your remote machine.

define host {
    use                     linux-server
    host_name               web01
    alias                   Web Server 01
    address                 REMOTE_HOST_IP
    max_check_attempts      5
    check_period            24x7
    notification_interval   30
    notification_period     24x7
}

define service {
    use                     generic-service
    host_name               web01
    service_description     CPU Load
    check_command           check_nrpe!check_load
}

define service {
    use                     generic-service
    host_name               web01
    service_description     Disk Usage
    check_command           check_nrpe!check_disk
}

define service {
    use                     generic-service
    host_name               web01
    service_description     SSH
    check_command           check_ssh
}

You also need a command definition for check_nrpe if one does not already exist. Add it to your commands configuration.

sudo vi /usr/local/nagios/etc/objects/commands.cfg

Append the following block at the end of the file.

define command {
    command_name    check_nrpe
    command_line    $USER1$/check_nrpe -H $HOSTADDRESS$ -c $ARG1$
}

Tell Nagios to load the new host file by adding it to the main configuration.

echo "cfg_file=/usr/local/nagios/etc/objects/remotehost.cfg" | sudo tee -a /usr/local/nagios/etc/nagios.cfg

Verify the configuration and reload.

sudo /usr/local/nagios/bin/nagios -v /usr/local/nagios/etc/nagios.cfg
sudo systemctl reload nagios

Return to the web UI and click “Hosts” in the sidebar. Your new host should appear and begin returning check results within a few minutes.

Step 10: Configure Email Notifications

Nagios sends alerts through the local mail transfer agent. We installed Postfix earlier for this purpose. Make sure it is enabled and running.

sudo systemctl enable --now postfix

Edit the contact definition to point alerts at your real email address. Open the contacts configuration file.

sudo vi /usr/local/nagios/etc/objects/contacts.cfg

Find the nagiosadmin contact block and change the email directive to your address.

define contact {
    contact_name                    nagiosadmin
    use                             generic-contact
    alias                           Nagios Admin
    email                           [email protected]
}

Reload Nagios after saving the file.

sudo systemctl reload nagios

To test that mail delivery works, trigger a quick test from the command line.

echo "Nagios test alert" | mail -s "Test from Nagios" [email protected]

If the message does not arrive, check /var/log/maillog for relay errors. Many cloud providers block outbound port 25 by default, so you may need to configure Postfix to relay through an external SMTP service like Amazon SES or your organization’s mail gateway.

Useful Plugins to Know

The standard plugin pack installs dozens of checks. Here are four that you will use on nearly every deployment.

check_http verifies that a web server responds on a given port. It can check for specific response codes, follow redirects, and validate SSL certificate expiry dates. A typical use looks like this:

/usr/local/nagios/libexec/check_http -H example.com -p 443 -S --sni -C 30

That command connects over TLS and warns if the certificate expires within 30 days.

check_ssh confirms that the SSH daemon on a remote host is accepting connections. It is a simple availability check, but it catches situations where sshd has crashed or a firewall change has locked you out.

/usr/local/nagios/libexec/check_ssh -H REMOTE_HOST_IP

check_disk monitors filesystem usage. The -w and -c flags set warning and critical thresholds as percentages of free space remaining.

/usr/local/nagios/libexec/check_disk -w 20% -c 10% -p /

That returns a warning when the root partition drops below 20% free and goes critical at 10%.

check_load reports system load averages over the 1, 5, and 15 minute windows. Set thresholds based on the number of CPU cores on the target host.

/usr/local/nagios/libexec/check_load -w 5.0,4.0,3.0 -c 10.0,8.0,6.0

All four plugins follow the standard Nagios plugin API: exit code 0 for OK, 1 for WARNING, 2 for CRITICAL, and 3 for UNKNOWN. Any script or binary that follows this convention can serve as a Nagios plugin.

Troubleshooting

Monitoring setups tend to break in predictable ways. Here are the issues I see most often and how to resolve them.

Nagios service fails to start. Run the configuration verifier first. Nine times out of ten, a typo in an object definition is the cause.

sudo /usr/local/nagios/bin/nagios -v /usr/local/nagios/etc/nagios.cfg

Read the output carefully. It will point to the exact file and line number where the problem lives.

Web UI returns 403 Forbidden. This is almost always SELinux. Check the audit log for denials.

sudo ausearch -m avc -ts recent

If you see denials related to httpd accessing Nagios paths, revisit the SELinux section above and confirm the file contexts are applied correctly.

Web UI shows “Could not open command file.” The external command pipe has incorrect permissions. Verify that the nagcmd group owns the pipe and that Apache belongs to that group.

ls -la /usr/local/nagios/var/rw/nagios.cmd
groups apache

If the pipe does not exist, restart Nagios. It creates the pipe at startup.

NRPE connection refused or timed out. On the remote host, verify that NRPE is listening on port 5666.

sudo ss -tlnp | grep 5666

If it is listening but the connection still fails, the firewall on the remote host is likely blocking the port. Double check the firewalld rule and confirm the Nagios server IP is in the allowed_hosts directive of /etc/nagios/nrpe.cfg.

Email notifications not arriving. Check the Postfix mail queue and logs.

sudo postqueue -p
sudo tail -50 /var/log/maillog

Common causes include DNS resolution failures for the recipient domain, blocked outbound port 25, and missing reverse DNS on the server IP. For cloud instances, relaying through an authenticated SMTP provider is usually the most reliable path.

Plugins return “UNKNOWN” status. This usually means the plugin binary is missing, has wrong permissions, or a required library is not installed. Run the plugin manually from the command line to see the actual error output.

sudo -u nagios /usr/local/nagios/libexec/check_http -H localhost

Running as the nagios user is important because permission errors will not show up when you run as root.

Wrapping Up

You now have a fully functional Nagios Core installation on Rocky Linux 10 or AlmaLinux 10. The server is compiled from source, the web interface is accessible through Apache, SELinux is properly configured, and you have a remote host reporting through NRPE. From here, you can expand the deployment by adding more hosts, writing custom plugins, integrating with PagerDuty or Slack through notification commands, and organizing hosts into hostgroups for cleaner dashboards. The configuration verifier is your best friend as the setup grows. Run it every time before you reload, and your monitoring platform will stay solid.