Monitor a PostgreSQL database in AWS RDS with check_postgres

Written by - 0 comments

Published on - Listed in Nagios Icinga Monitoring AWS


Monitoring an AWS RDS database (using PostgreSQL as database engine) is not particularly difficult. The most important points can be checked with check_postgres.pl. This monitoring plugin is already part of the Icinga2 ITL definition and can be used (in a standard setup) using the check "postgres".

An example to monitor the number of connections on a DB:

# check postgres connections
object Service "Postgres Connections" {
  import "service-5m-normal"
  host_name = "aws-rds"
  check_command = "postgres"
  vars.postgres_host = "myfancypgsql.XXXXXXXXXXXX.eu-west-1.rds.amazonaws.com"
  vars.postgres_dbuser = "mydbuser"
  vars.postgres_dbpass = "mydbpass"
  vars.postgres_dbname = "mydbname"
  vars.postgres_action = "backends"
}

This results in the following output:

POSTGRES_BACKENDS OK: DB "mydbname" (host:myfancypgsql.XXXXXXXXXXXX.eu-west-1.rds.amazonaws.com) 4 of 648 connections (1%)

But certain checks require special attention. One of them is the plugin's action "database_size". This action checks all databases running on the target host for their current size and compare the size against thresholds:

# check postgres connections
object Service "Postgres Connections" {
  import "service-5m-normal"
  host_name = "aws-rds"
  check_command = "postgres"
  vars.postgres_host = "myfancypgsql.XXXXXXXXXXXX.eu-west-1.rds.amazonaws.com"
  vars.postgres_dbuser = "mydbuser"
  vars.postgres_dbpass = "mydbpass"
  vars.postgres_dbname = "mydbname"
  vars.postgres_action = "database_size"
  vars.postgres_warning = "500MB"
  vars.postgres_critical = "1000MB"
}

This resulted in the following error message:

Permission denied on database rdsadmin.

That's right. AWS creates a database called "rdsadmin" on each RDS instance. Purpose? Most likely handle privileges coming from the AWS console/UI. But what else is in there? We'll never know because only AWS know the credentials to this database. However this causes a problem with check_postgres.pl.
A way to handle this "hidden database" and exclude it is to only check for database objects belonging to the instance's master user. This can be achieved by using the plugin's option "includeuser". In Icinga 2's service object definition, this looks like:

# check postgres connections
object Service "Postgres Connections" {
  import "service-5m-normal"
  host_name = "aws-rds"
  check_command = "postgres"
  vars.postgres_host = "myfancypgsql.XXXXXXXXXXXX.eu-west-1.rds.amazonaws.com"
  vars.postgres_dbuser = "mydbuser"
  vars.postgres_dbpass = "mydbpass"
  vars.postgres_dbname = "mydbname"
  vars.postgres_action = "database_size"
  vars.postgres_includeuser = "masteruser"
  vars.postgres_warning = "500MB"
  vars.postgres_critical = "1000MB"
}

This tells the plugin to look only for objects (like databases) which belong to "masteruser" (database owner). Result:

POSTGRES_DATABASE_SIZE CRITICAL: DB "mydbname" (host:host:myfancypgsql.XXXXXXXXXXXX.eu-west-1.rds.amazonaws.com) mydbname: 32215345336 (30 GB) postgres: 6744248 (6586 kB) template1: 6744248 (6586 kB)

As you can see, the database "rdsadmin" was excluded. All the checked databases are owned by the master user "masteruser".

Note: Another way would be to define "excludeuser" but at this moment I am not aware of the username being owner of "rdsadmin".


Add a comment

Show form to leave a comment

Comments (newest first)

No comments yet.