I would like to know if there is an MIB/OID for IPSEC in Vyatta for monitoring? I would like to monitor the status of IPSEC via Nagios (just like the clustering that I posted before).. thanks.
Wed, 12/28/2011 - 20:49
#1
IPSEC MIB (Monitoring)

Hi,
I assume you don't want to check to see if ipsec is running, but you want to know if your tunnels are up. The easiest way would be to just run nagios doing check host alive to a host on the subnet across the tunnel. If the tunnel goes down, you get alerted that the host is unreachable. If you really, really want to directly monitor the tunnels, you can use snmp and extend to get custom scripts to place values at a specific OID, then you can use nagios to poll that OID and check the result against an expected value. It takes a little hacking, but can be done.

This is just one of so many ways to do it. Once you figure it out, you can apply the concept and figure out how to monitor clustering with nagios (and reply back on that thread with your answer).

I'm running VC6.2 on this test machine, so things might be a little different if you have a different version. I will assume you have snmp running and you are able to poll from your nagios host. Also, something to keep in mind is that any of the changes made here might be wiped out by upgrades, and definitely will be if you reinstall.
First create a tunnel check script:
and add the following (taken from /opt/vyatta/bin/sudo-users/vyatta-show-ipsec-status.pl):
make it executable
run it to test
In my case this test system has 3 ipsec tunnels, all of which are active. We will monitor this number with nagios. Nagios will be configured to show critical if the number of tunnels returned from this script is less than 3. You could do individual scripts for each tunnel and monitor each one separately if you choose to, but I'm just hacking this up quickly just to show the concept.
Even though the script runs fine as root, it will fail if you try to run it as user snmp. In order to get around this, we need to allow snmp to sudo to root in order to run this script (and only this script) without supplying a password.
Add the following line to /etc/sudoers in the "# User privilege specification" section:
This will allow user snmp to sudo and run the command tunnel_check.sh (and only this command) without a password.
On a regular Debian system the next step would be to edit /etc/snmp/snmpd.conf, however, Vyatta regenerates that file with a script every time changes are committed to the service snmp node of the configuration. This will overwrite any changes you make to /etc/snmp/snmpd.conf. To get around this, place permanent configurations for snmpd.conf in the snmpd.conf generator script.
Right after line 155 (which looks like this: print "agentaddress ", join(',',@addr), "\n"; ) I added in the following:
print "# custom tunnel_check OID added in /opt/vyatta/sbin/vyatta-snmp.pl line 156\n";
print "extend .1.3.6.1.4.1.111111.1 tunnel_check /usr/bin/sudo /usr/local/sbin/tunnel_check.sh\n";

Now trigger a snmpd.conf regeneration:
check to see if your changes are present in snmpd.conf:
restart snmpd:
Now let's check to see if we can get our custom OID from your nagios host:
From this output and our extend statement in snmpd.conf, we can see the OID we want to monitor is .1.3.6.1.4.1.111111.1.4.1.2.12.116.117.110.110.101.108.95.99.104.101.99.107.1
Configuring the nagios side is outside the scope of this post, I'm sure you can figure that part out using the /usr/lib/nagios/plugins/check_snmp plugin. Your check command should just check to see that the OID returns the number of tunnels you expect to be up (or "1" if you decide to do multiple scripts/oids for multiple tunnels) and return critical if returned# != expected#
Using this method you could really monitor anything you wanted to on a Vyatta box or any Linux machine, so hopefully it will be applicable in many situations. I'd love to hear if anyone else has a better solution, or knows if there is an MIB/OID for ipsec.
This was super fun. Good luck :)
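The recipe in the answer above has three moving parts: a tunnel_check.sh that prints the number of established tunnels, the snmpd extend entry (whose output OID the answer found by walking), and the Nagios comparison. The script below is an added example written for this page, not code from the original post or from Vyatta. It reproduces each part as a shell function so the logic can be exercised offline: the status text it parses is constructed here and only loosely modelled on openswan-style `ipsec auto --status` lines (the real output of the Vyatta show script may differ, so the grep pattern is an assumption to adjust), `extend_oid` derives the nsExtendOutLine OID from the extend name and base OID instead of walking for it (the .4.1.2 column and name-length/byte/line index come from NET-SNMP-EXTEND-MIB), and `check_tunnels` returns the Nagios exit codes that a check_snmp threshold would produce. The enterprise arc .1.3.6.1.4.1.111111 is kept as on the page; a production deployment should use its own private enterprise number.

```shell
#!/bin/sh
# Added example (not from the original post): the three pieces of the
# tunnel-monitoring recipe as functions that run offline.
#   count_established_sas - what tunnel_check.sh does, over constructed text
#   extend_oid            - derive the extend output OID instead of walking
#   check_tunnels         - the Nagios-side verdict (0 = OK, 2 = CRITICAL)
# Assumption: the status format below is constructed; adjust the pattern in
# count_established_sas to whatever your ipsec status output really prints.

# Constructed sample: three connections, two with an established IPsec SA,
# one still stuck in phase 1 negotiation.
SAMPLE_STATUS='000 "office-a": 10.1.0.0/24===203.0.113.10...198.51.100.5===10.2.0.0/24
000 #2: "office-a":500 STATE_QUICK_I2 (sent QI2, IPsec SA established); newest IPSEC
000 "office-b": 10.1.0.0/24===203.0.113.10...198.51.100.6===10.3.0.0/24
000 #4: "office-b":500 STATE_QUICK_I2 (sent QI2, IPsec SA established); newest IPSEC
000 "office-c": 10.1.0.0/24===203.0.113.10...198.51.100.7===10.4.0.0/24
000 #5: "office-c":500 STATE_MAIN_I1 (sent MI1, expecting MR1); retransmit in 10s'

# Count established IPsec SAs in status text read from stdin.
# grep -c prints 0 and exits 1 when nothing matches; keep the 0 and exit 0
# so a "no tunnels" result is reported as a number, not a script failure.
count_established_sas() {
    grep -c 'IPsec SA established' || true
}

# Build the OID for the first output line of "extend <base> <name> ...".
# Under NET-SNMP-EXTEND-MIB the output rows sit at <base>.4.1.2
# (nsExtendOutLine), indexed by name length, the name's byte values and
# the line number. For tunnel_check this yields the OID found on the page.
extend_oid() {
    base=$1
    name=$2
    # od prints the bytes as space-separated unsigned decimals; turn the
    # separators into dots and trim the leading/trailing dot.
    bytes=$(printf '%s' "$name" | od -An -tu1 | tr -s ' \n' '..')
    bytes=${bytes#.}
    bytes=${bytes%.}
    printf '%s.4.1.2.%s.%s.1\n' "$base" "${#name}" "$bytes"
}

# Nagios-style verdict: OK (exit 0) when at least the expected number of
# tunnels is up, CRITICAL (exit 2) otherwise. check_snmp with a critical
# range of "<expected>:" behaves the same way against the polled OID.
check_tunnels() {
    expected=$1
    actual=$2
    if [ "$actual" -ge "$expected" ]; then
        echo "OK - $actual of $expected IPsec tunnels established"
        return 0
    fi
    echo "CRITICAL - only $actual of $expected IPsec tunnels established"
    return 2
}

# Stand-alone demonstration over the constructed status text.
up=$(printf '%s\n' "$SAMPLE_STATUS" | count_established_sas)
echo "established SAs: $up"
echo "OID for tunnel_check: $(extend_oid .1.3.6.1.4.1.111111.1 tunnel_check)"
rc=0
check_tunnels 3 "$up" || rc=$?
echo "plugin exit status: $rc"
```

On the router, tunnel_check.sh would be the count function fed by the real status command; the snmpd side stays exactly as the answer's extend line, and `extend_oid` lets you write the check_snmp command for a new extend name without walking the agent first. The CRITICAL path deliberately fires on fewer tunnels than expected rather than on inequality, so an extra tunnel coming up does not page anyone.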