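Monitoring a Site with SNMP + RRDTOOL + CACTI (on FreeBSD 10.1)

I heard this assignment can be finished in about 2 hours on Ubuntu
On FreeBSD it took me almost 3 days… the NaN drove me crazy
If you want to take the easy way, head over to the Ubuntu version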

NA HW5 – Network Management

Part 1 – SNMP (30%)

  • net-snmp
  • community Access Control. (10%)
    > On bsd1-6.
    > narouser can read the SNMP info while public can’t.
  • IP address Access Control. (10%)
    > Use narouser community.
    > On bsd1-6 can read .1.3.6.1.2.1.25.3.2.1.3 while linux1-6 can’t.
    > HOST-RESOURCES-MIB::hrDeviceDescr
  • Write Access Control (10%)
    > On bsd1-6.
    > Set 1.3.6.1.2.1.1.4.0 to the value given at demo.
    > SNMPv2-MIB::sysContact.0
    > narwuser can set the value, while narouser can’t.

Part 2 – RRD (20%)

  • rrdtool
    > Draw your file system usage graph.
    > Use df command to get your file system usage.
    > Monitor one of the file system. Update it every minute.
    > Draw the graph in the past 1 hour.
    > Output file should be in PNG format.
  • Example: http://i.imgur.com/bMd3NU4.png

Part 3 – cacti (50%)

  • cacti
    > Show localhost CPU loading info graph. (15%)
    > Show localhost network traffic graph. (15%)
    > Show the other computer’s network traffic graph. (20%)

Bonus – Make your own graph

  • Make your own data template, graph template, and draw your own graph.
  • What graphs you can make:
    > Calculate the memory used instead of memory free.
    > Calculate the times of login failed.

Prerequisites

First install FAMP
/usr/ports/www/apache24
/usr/ports/lang/php5
/usr/ports/www/mod_php5
/usr/ports/databases/mysql56-server/

Then install the ports this assignment needs
/usr/ports/net-mgmt/net-snmp
/usr/ports/net-mgmt/cacti
/usr/ports/databases/rrdtool

It is best to install everything from ports; pkg breaks far too often

rc.conf

apache24_enable="YES"
mysql_enable="YES"
snmpd_enable="YES"
snmpd_flags="-a"
snmptrapd_enable="YES"
snmptrapd_flags="-a -p /var/run/snmptrapd.pid"

Part 1 – SNMP (30%)

rocommunity public (for SNMPv1/2c)
rwcommunity private
rouser user1 (for SNMPv3)
rwuser user2
ro means read only
rw means read & write
This assignment mainly uses SNMPv1 and v2, with linux6 (140.113.235.156) and bsd6 (140.113.235.136) as the demo machines

Configure snmpd.conf

$ sudo vim /usr/local/share/snmp/snmpd.conf

# Open the UDP port to the outside
# agentAddress udp:127.0.0.1:161
agentAddress udp:161,udp6:[::1]:161

rocommunity public  localhost

# Grant read access to another SNMP machine so it can collect this machine's SNMP data
rocommunity another  128.199.167.53

# Add narwuser with read and write access, restricted by IP and by accessible object
rwcommunity narwuser 140.113.235.136 .1.3.6.1.2.1.1.4.0

#       sec.name    source          community
com2sec bsd6        140.113.235.136 narouser
com2sec linux6      140.113.235.156 narouser

#                      sec.model sec.name
group bsd_group        v1        bsd6
group bsd_group        v2c       bsd6
group linux_group      v1        linux6
group linux_group      v2c       linux6

#                    incl/excl subtree                  mask
view bsd_view        included  .1
view linux_view      excluded  .1.3.6.1.2.1.25.3.2.1.3

#                       context sec.model sec.level match  read           write  notif
access bsd_group        ""      any       noauth    exact  bsd_view        none none
access linux_group      ""      any       noauth    exact  linux_view      none none

# Host location and administrator contact
# sysLocation    Sitting on the Dock of the Bay
# sysContact     me@example.org

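I strongly recommend reading View Access Control

It explains in detail how com2sec, group, view and access are configured
Normally ro/rwcommunity is enough for simple access control
The assignment spec is more complex, though, so it has to be implemented this way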
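How the com2sec, group, view and access lines combine into one allow/deny decision, as an added example that is not part of the original post or of net-snmp. It is a simplified model: the helper names (parse, in_view, allowed) are hypothetical, view masks are ignored, and only the com2sec-based entries of the config are modelled, not the rocommunity/rwcommunity lines.

```python
import ipaddress

# Constructed from the com2sec/group/view/access lines of the snmpd.conf above.
CONF = """
com2sec bsd6        140.113.235.136 narouser
com2sec linux6      140.113.235.156 narouser
group bsd_group     v1   bsd6
group bsd_group     v2c  bsd6
group linux_group   v1   linux6
group linux_group   v2c  linux6
view bsd_view       included  .1
view linux_view     excluded  .1.3.6.1.2.1.25.3.2.1.3
access bsd_group    ""  any  noauth  exact  bsd_view    none  none
access linux_group  ""  any  noauth  exact  linux_view  none  none
"""

def oid(text):
    return tuple(int(p) for p in text.strip(".").split("."))

def parse(conf):
    tables = {"com2sec": [], "group": [], "view": [], "access": []}
    for fields in map(str.split, conf.splitlines()):
        if fields and fields[0] in tables:
            tables[fields[0]].append(fields[1:])
    return tables

def in_view(t, view, target):
    # The longest matching subtree decides; no matching subtree means "not in view".
    # Assumption: view masks are ignored (the page's config uses none).
    best = None
    for name, kind, subtree, *_mask in t["view"]:
        sub = oid(subtree)
        if name == view and target[:len(sub)] == sub and (best is None or len(sub) > len(best[0])):
            best = (sub, kind)
    return best is not None and best[1] == "included"

def allowed(t, src, community, model, target, op="read"):
    ip = ipaddress.ip_address(src)
    for sec, source, comm in t["com2sec"]:
        if comm != community or not (source == "default" or ip in ipaddress.ip_network(source, strict=False)):
            continue
        groups = {g for g, m, s in t["group"] if s == sec and m == model}
        for g, _ctx, m, _lvl, _match, rd, wr, _notif in t["access"]:
            view = rd if op == "read" else wr
            if g in groups and m in ("any", model) and view != "none" and in_view(t, view, oid(target)):
                return True
    return False

T = parse(CONF)
```

In this model linux6 is denied every OID, including sysContact.0, because linux_view has an excluded entry but no included subtree.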

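Why comment out Location and Contact?

Because one item in the assignment spec is to change the value of SNMPv2-MIB::sysContact.0
If this parameter is set in snmpd.conf, it becomes read-only
and snmpset fails with noSuchName (v1) or notWritable (v2c)

Testing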
bsd6 > snmpwalk -c narouser -v1 .1.3.6.1.2.1.25.3.2.1.3

HOST-RESOURCES-MIB::hrDeviceDescr.196608 = STRING: Intel(R) Xeon(R) CPU E5-2630L v2 @ 2.40GHz
HOST-RESOURCES-MIB::hrDeviceDescr.262145 = STRING: network interface vtnet0
HOST-RESOURCES-MIB::hrDeviceDescr.262146 = STRING: network interface vtnet1
HOST-RESOURCES-MIB::hrDeviceDescr.262147 = STRING: network interface lo0
HOST-RESOURCES-MIB::hrDeviceDescr.786432 = STRING: Guessing that there's a floating point co-processor

linux6 > snmpwalk -c narouser -v1 .1.3.6.1.2.1.25.3.2.1.3

End of MIB

bsd6 > snmpset -c narwuser -v1 sysContact.0 s "admin@nctu.edu.tw"
bsd6 > snmpget -c narwuser -v1 sysContact.0

SNMPv2-MIB::sysContact.0 = STRING: admin@nctu.edu.tw

Part 2 – RRD (20%)

Chinese tutorial
Terminology
My work on this part is less complete, so I am pasting a senior student's SCRIPT for everyone's reference

timestep=60                          # update every 60 seconds
duration=3600                        # record one hour (3600 seconds)
numofdot=$((duration / timestep))    # 60 points
heartbeat=$((timestep * 2))          # tolerate an update that arrives slightly late
starttime=$(date +%s)
# rrdtool rejects updates timed at or before --start, so start one second in the past
rrdtool create disk.rrd --step "$timestep" --start "$((starttime - 1))" DS:disk:GAUGE:"$heartbeat":0:U RRA:AVERAGE:0.5:2:"$numofdot"

for i in $(seq 0 1 "$numofdot")
do
  usage=$(df -m / | awk 'NR > 1 {print $3}')      # get the used space with df
  nowtime=$(date +%s)                             # current time
  rrdtool update disk.rrd "$nowtime":"$usage"
  sleep "$timestep"
done

rrdtool dump disk.rrd
rrdtool graph disk.png --title "Disk Usage" -v "Disk Usage (MByte)" -X 9 --start "$starttime" DEF:t1=disk.rrd:disk:AVERAGE LINE1:t1#ff0000:"/dev/sda6"

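To show it to the TA, just put the image on a web page
$ sudo vim /usr/local/www/apache24/data/index.html
Add this line (remember to put your disk.png in the same directory as index.html)

<img src="./disk.png">

I put this script in crontab
and let root collect the data periodically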

Part 3 – cacti (50%)

This article explains everything in great detail; reading it is enough

Create the MySQL database, a cacti user, and initialize:

mysql_secure_installation
mysql -u root -p
CREATE DATABASE cacti;
-- replace 'password' with a strong password of your own
CREATE USER 'cacti'@'localhost' IDENTIFIED BY 'password';
FLUSH PRIVILEGES;

GRANT ALL ON cacti.* TO 'cacti'@'localhost';
FLUSH PRIVILEGES;

Import the default cacti database:
mysql --database=cacti -ucacti -p < /usr/local/share/cacti/cacti.sql

Have the poller collect data periodically
crontab -u cacti -e

*/5 * * * * /usr/local/bin/php /usr/local/share/cacti/poller.php > /dev/null 2>&1

Set the time zone correctly, otherwise cacti will complain
cp /usr/local/etc/php.ini-production /usr/local/etc/php.ini

date.timezone = Asia/Taipei

vim /usr/local/etc/apache24/httpd.conf

LoadModule php5_module libexec/apache24/libphp5.so

AddType application/x-httpd-php .php .php5 .phtml
AddType application/x-httpd-php-source .phps

DirectoryIndex index.php index.html

Alias /cacti "/usr/local/share/cacti/"
Alias /Cacti "/usr/local/share/cacti/"
<Directory "/usr/local/share/cacti">
Require all granted
AllowOverride None
</Directory>

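For every Device, use Generic SNMP-enabled Host and select v2 as the SNMP Version

How do I get Traffic?

Associated Data Queries must include the source SNMP - Interface Statistics
and Items and Rows under Status must contain data; if both are 0, SNMP has a problem and the data was not collected properly

How do I get Load Average and CPU Usage?

Under Associated Graph Templates select
ucd/net - CPU Usage
Unix - Load Average
It should look like this
another is the Traffic of the other machine I monitor
homework shows CPU usage, Load Average and Traffic
Done!!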

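Troubleshooting

All cacti graphs show nan

  • Clear the cacti cache directly
    System Utilities -> Rebuild Poller Cache
    If that does not solve it, a more detailed check is needed
  • See whether the cacti server can fetch SNMP data from the monitored host (assume its IP is 192.168.1.1)
    snmpwalk -v 2c -c public 192.168.1.1
    If it works you will see a long stream of information; otherwise check SNMP on both hosts or the connection between them
  • Check whether cacti/rra/ contains files; normally there are many rrd files. Pick any one, such as web1192_168_0_50_traffic_in_713.rrd, to test
    rrdtool fetch web1192_168_0_50_traffic_in_713.rrd AVERAGE
    If the output is -nan -nan -nan, something is wrong, because rrdtool is not working properly
  • Look through the apache log for related messages; they can also point toward a solution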
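A small parser for the `rrdtool fetch ... AVERAGE` check in the list above, as an added example that is not part of the original post. The sample output is constructed, and the function names and the "ok / stale / all-nan" labels are assumptions made for illustration.

```python
import math

# Constructed sample of `rrdtool fetch <file>.rrd AVERAGE` output (not from the page).
SAMPLE = """\
                     traffic_in         traffic_out

1431000000: 1.5230000000e+03 8.1200000000e+02
1431000300: 1.6110000000e+03 -nan
1431000600: -nan -nan
1431000900: -nan -nan
"""

def summarize_fetch(text):
    """Count rows, NaN rows and the run of NaN rows at the end, per data source."""
    lines = [l for l in text.splitlines() if l.strip()]
    names = lines[0].split()                      # header line holds the DS names
    stats = {n: {"rows": 0, "nan": 0, "trailing_nan": 0} for n in names}
    for line in lines[1:]:
        ts, _, rest = line.partition(":")
        if not ts.strip().isdigit():              # skip anything that is not a data row
            continue
        for name, raw in zip(names, rest.split()):
            s = stats[name]
            s["rows"] += 1
            if math.isnan(float(raw)):            # float() accepts "nan" and "-nan"
                s["nan"] += 1
                s["trailing_nan"] += 1
            else:
                s["trailing_nan"] = 0
    return stats

def verdict(s):
    if s["rows"] and s["nan"] == s["rows"]:
        return "all-nan"      # nothing was ever stored: the case the checklist describes
    # The newest row is commonly NaN because its interval is not complete yet,
    # so only more than one trailing NaN row counts as stale.
    return "stale" if s["trailing_nan"] > 1 else "ok"
```

Feed it the captured output of the fetch command; an "all-nan" or "stale" result points back to the snmpwalk and poller checks earlier in the list.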

Found in the cacti log:

CMDPHP: Poller[0] Host[1] DS[3] WARNING: Result from CMD not valid.

chmod a+x /var/www/html/cacti/cmd.php

Found in the snmp log:

error on subcontainer 'swrun container' insert (-1)

https://forums.freebsd.org/threads/snmpd-spams-log-with-error-on-subcontainer-swrun-container-insert-1.51799/

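Thoughts on "Monitoring a Site with SNMP + RRDTOOL + CACTI (on FreeBSD 10.1)"

  1. May I ask, didn't you run into errors when installing net-snmp from ports?
    On 10.1 I ran make install in the net-snmp directory
    and got a pile of file-not-found errors; I don't know how to fix them…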
