2016年11月20日 星期日

論 logfmon 簡單的網管運用

依據 NetAdmin網管人文章

2016/5/24
用logfmon即時比對 Log 透過 gcalcli 存入線上行事曆
指令列串接 Google 日曆打造超炫全自動系統日誌
吳惠麟
URL http://netadmin.pcuser.com.tw/article_content.aspx?sn=1605130016&jump=1

這個 Idea 真的很好,但我這裡僅只試了 logfmon 這個程式.
主要拿它來做簡單的網管運用,
依據上面的文章 logfmon 這支程式是放在
http://sourceforge.net/projects/logfmon/
供人下載與安裝,但我使用之時,它是在 github 上.
https://github.com/nicm/logfmon
不過沒差,還是OK的.
看一下 logfmon 流程
http://netadmin.pcuser.com.tw/images/news/NP160513001616051315272705.png



應該跟 Swatch 的用法差不多,
https://sourceforge.net/projects/swatch/

拿它來做簡單的網路設備 log 分析應該不錯.
所以參照我之前用 Swatch 的技法,
改為 logfmon 的技法!

Swatch 的技法,請自行參閱

http://xrcd2.blogspot.tw/2012/05/cacti-xsmsapi-soap-cacti-sms.html
or
http://xrcd2.blogspot.tw/2016/01/cisco-ios-configuration-cisco-config.html

本文開始


以 CentOS 6.X Linux 為 LAB

(1) 安裝 logfmon


#git clone https://github.com/nicm/logfmon
#cd logfmon
#./autogen.sh
#./configure
#make
#make install

預設裝在哪??

[root@bbb logfmon]# whereis logfmon
logfmon: /usr/local/bin/logfmon

man 一下好了..

[root@bbb logfmon]# man logfmon
LOGFMON(8)                BSD System Manager’s Manual               LOGFMON(8)

NAME
     logfmon - log file monitoring daemon

SYNOPSIS
     logfmon [-dsv] [-f conffile] [-c cachefile] [-p pidfile]

DESCRIPTION
     The logfmon daemon monitors a set of syslog log files and matches each new entry against the rules defined in its configuration file. Each rule may be
     tested against entries from a single file, a set of files or from all files. Depending on the rule, a command may be executed or the entry may be
     ignored. All unmatched messages are batched together and mailed every 15 minutes, or whatever alternative time is specified in the configuration file.

     Messages may also be collected into contexts and piped to a command after a final message is found or a number of messages is reached. See
     logfmon.conf(5) for more details of this.

     The options are as follows:

     -c cachefile
                 Specify the cache file location. Default is /var/db/logfmon.cache.

                 This overrides any location specified in the configuration file.

     -d          Run in the foreground and log to stderr.

                 This option also causes additional debugging messages to be generated.  This option may be specified multiple times for increasing levels of
                 verbosity.

     -s          Monitor stdin.  This causes logfmon to remain in the foreground and filter log messages passed on stdin.

     -f conffile
                 Specify the configuration file location. Default is /etc/logfmon.conf.

     -p pidfile  Specify the pid file location. Default is /var/run/logfmon.pid.

                 This overrides any location specified in the configuration file.

     -v          Display the logfmon version, and exit.

FILES
     /etc/logfmon.conf     default logfmon configuration file

SEE ALSO
     syslog(3), logfmon.conf(5)

.....


這樣  logfmon 就裝好了.

(2) 設定 rsyslog

[root@bbb net]# vi /etc/rsyslog.conf
      1 # rsyslog v5 configuration file
      2
      3 # For more information see /usr/share/doc/rsyslog-*/rsyslog_conf.html
      4 # If you experience problems, see http://www.rsyslog.com/doc/troubleshoot.html
      5
      6 #### MODULES ####
      7
      8 $ModLoad imuxsock # provides support for local system logging (e.g. via logger command)
      9 $ModLoad imklog   # provides kernel logging support (previously done by rklogd)
     10 #$ModLoad immark  # provides --MARK-- message capability
     11
     12 # Provides UDP syslog reception
     13 $ModLoad imudp
     14 $UDPServerRun 514

設定 rsyslog 可以對外收 syslog message

     12 # Provides UDP syslog reception
    --> $ModLoad imudp
    --> $UDPServerRun 514

並指定收到  主機或某網段 的 syslog message 存入某一個檔案中,
預備成為  logfmon 被監控的檔案

    --> 88 if $fromhost-ip == '192.168.111.61' then  /var/log/net/vyos.log

重啟 rsyslog 服務

#service rsyslog restart


設定 192.168.111.61 (client )這台 vyos 的 config ,
宣告它的 syslog host 為 192.168.111.247 ( Rsyslog + logfmon Server )

所以 topolog 為 192.168.111.61 (client ) ---> 192.168.111.247 (Server)

Client 端只要是支援標準的 syslog 即可使用.
Server 端是透過 Rsyslog 作為 syslog server 的角色.
用其它的也可,只是 logfmon 只能用在 log 檔案的分析.


vyos 的設定如下;(模擬成網路設備,Client 端角色)

vyos@vyos:~$ show configuration commands
set interfaces ethernet eth0 address 'dhcp'
set interfaces ethernet eth0 duplex 'auto'
set interfaces ethernet eth0 smp-affinity 'auto'
set interfaces ethernet eth0 speed 'auto'
set interfaces loopback 'lo'
set service ssh port '22'
set system config-management commit-revisions '20'
set system host-name 'vyos'
set system login user vyos authentication encrypted-password '$6$wycLUv4kpl$WEywQMIvFUqIC9yA3HPb42IG0328X1iNqa1967sFWEce6oC6SrvcV3Nn2hQF1n4bTE/vyQ9e9LyF813VEx9HS.'
set system login user vyos authentication plaintext-password ''
set system login user vyos level 'admin'
set system name-server '168.95.1.1'
set system name-server '168.95.192.1'
set system ntp server 'clock.hinet.net'
set system syslog global facility all level 'notice'
set system syslog global facility protocols level 'debug'
set system syslog host 192.168.111.247 facility all level 'all'
set system time-zone 'Asia/Taipei'
vyos@vyos:~$


到目前為止,已有 Syslog Message Client + Server 也安裝好了  logfmon 了.


設定 logfmon.conf (依據 man 的說明是寫在 /etc/logfmon.conf 中),
內容依實務需求撰寫之.

# cat /etc/logfmon.conf
set logregexp "(.*)"
file "/var/log/net/vyos.log" tag login
match in  login  "(.*)(Accepted password for)(.*)"  exec  "/usr/bin/perl /root/shell/sendmail.pl \"$1\" \"$2\" \"$3\""
match in  login  "(.*)(session closed for user)(.*)"  exec  "/usr/bin/perl /root/shell/sendmail.pl \"$1\" \"$2\" \"$3\""


原始的 log 內文 如下.

Nov 18 14:00:25 vyos sshd[7071]: Accepted password for vyos from 192.168.1.115 port 50960 ssh2
Nov 18 14:01:08 vyos sshd[7071]: pam_unix(sshd:session): session closed for user vyos

參照(正規化表示法比對)

match in  login  "(.*)(Accepted password for)(.*)"
match in  login  "(.*)(session closed for user)(.*)"


exec ... sendmail .... (執行自定指令)


# cat /root/shell/sendmail.pl

#!/usr/bin/perl
use Mail::Sender;
print " \n Start \n ";
$sender = new Mail::Sender
{smtp => '192.168.1.xxx', from => 'Test-Alert@abc.com.tw'}  or die "Error in mailing : $Mail::Sender::Error\n";
$sender->MailMsg({to => 'xrcd2@abc.com.tw',subject => 'Test_Alert',msg => "My Test \n\n $ARGV[0] $ARGV[1] $ARGV[2] \n ",debug => $DEBUG,debug_level => 4});
print " \n END \n\n";
print " \n $DEBUG \n ";

DEMO

執行 logfmon

[root@bbb net]# logfmon -f /etc/logfmon.conf

驗證 logfmon 是否有被正常執行,如它無法正常被執行,
請再檢核該 conf 的設定與配置是否正確?!

[root@bbb net]# ps -ef | grep logfmon
root     19091     1  0 15:56 ?        00:00:00 logfmon -f /etc/logfmon.conf
root     19113 15664  0 15:59 pts/1    00:00:00 grep logfmon
[root@bbb net]#

rsyslog 收到 log 後會存入於此.

[root@bbb net]# pwd
/var/log/net
[root@bbb net]# ll
total 0
-rw------- 1 root root 0 Nov 18 15:58 vyos.log
[root@bbb net]#


ssh 到 vyos 做 登入與登出的以驗證 rsyslog + logfmon + sendmail

[root@bbb net]# cat  /var/log/net/vyos.log
Nov 18 16:04:01 vyos sshd[7653]: error: Could not load host key: /etc/ssh/ssh_host_ed25519_key
Nov 18 16:04:05 vyos sshd[7653]: Accepted password for vyos from 192.168.1.115 port 52045 ssh2
Nov 18 16:04:05 vyos sshd[7653]: pam_unix(sshd:session): session opened for user vyos by (uid=0)
Nov 18 16:04:34 vyos sshd[7655]: error: Received disconnect from 192.168.1.115: 0:
Nov 18 16:04:34 vyos sshd[7653]: pam_unix(sshd:session): session closed for user vyos
[root@bbb net]#


 Accepted password for   ( Mail Alert )















session closed for user  ( Mail Alert )
















Topology

運用的實例可參考如下:

圖中的 syslog2msn 即為 rsyslog + logfmon + shell (組合變化而來)


























http://xrcd2.blogspot.tw/2012/05/cacti-xsmsapi-soap-cacti-sms.html




其它更進階的運如下:

那個 Swatch 可由 logfmon 取代之,也是可由 rsyslog + swatch + shell (組合變化而來)

http://xrcd2.blogspot.tw/2016/01/cisco-ios-configuration-cisco-config.html


2016年11月15日 星期二

FortiGate Firmware Upgrade Paths

FortiGate Firmware Upgrade

有時候,它就是一版,一版升上來..

如 5.0.12 --> 5.2.8 ---> 5.4.2


在 fortios-v5.4.2-release-notes.pdf 有指出
...

Upgrade Information

Upgrading to FortiOS 5.4.2
FortiOS version 5.4.2 officially supports upgrading from version 5.4.0 and later and 5.2.8 and later.
.....

=================

另在 fortios-v5.2.8-release-notes.pdf 又指出

..

Upgrade Information


Upgrading from FortiOS 5.0.12 or later
FortiOS version 5.2.8 officially supports upgrade from version 5.0.12 or later

.....

================

其實另外亦也可以參考  Upgrade Paths 的 URL

http://cookbook.fortinet.com/sysadmins-notebook/supported-upgrade-paths-fortios/3/

照它上面是寫 應該也是 OK 的....待驗證

如 5.0.12--> 5.2.9 ---> 5.4.2




2016年11月8日 星期二

三論 SNMP OIDs


三論 SNMP OIDs

基礎入門

(1)利用SNMP OIDs 加入 Zabbix 監控
http://xrcd2.blogspot.tw/2012/10/snmp-oids-zabbix.html

(2)再論 SNMP OIDs
http://xrcd2.blogspot.tw/2012/10/snmp-oid.html

本文開始

(3)三論 SNMP OIDs


在 CheckPoint官網  DownLoad 該 MIB 以 R77 為例.
透過修改 snmpd.conf 的方式,可載入該 MIB.


[root@bbb /]# cat /etc/snmp/snmpd.conf
rocommunity public 127.0.0.1/32
MIB +/usr/share/snmp/mibs/CHECK-R77-MIB.txt
[root@bbb /]#



CHECK-R77-MIB 內文
.....

CHECKPOINT-MIB DEFINITIONS ::= BEGIN

 -- SUBTREE: 1.3.6.1.4.1.2620.1
 -- iso.org.dod.internet.private.enterprises.checkpoint.products

.....

checkpoint OBJECT IDENTIFIER ::= { enterprises 2620 }
products OBJECT IDENTIFIER ::= { checkpoint 1 }
tables      OBJECT IDENTIFIER ::= { checkpoint 500 }
fw OBJECT IDENTIFIER ::= { products 1 }

.....

fwPolicyStat  OBJECT IDENTIFIER ::= { fw 25 }

.......

fwNumConn OBJECT-TYPE
  SYNTAX  INTEGER
  ACCESS  read-only
  STATUS  mandatory
  DESCRIPTION
         "Number of connections"
  ::= { fwPolicyStat 3 }

.......


下面這個值是可以從上面的內文中看出....當然用 snmptranslate 這個最快...
但是要會找 MIB 文中的 Key Word...因為這才是根本的出處...
要不然 fwNumConn 這個東西怎麼來呢??!!

MIB OID ===> .1.3.6.1.4.1.2620.1.1.25.3.0
====> "Number of connections"


驗證

[root@bbb tmp]#  snmptranslate -m CHECKPOINT-MIB  -IR -On    fwNumConn
.1.3.6.1.4.1.2620.1.1.25.3
[root@bbb tmp]#


[root@bbb tmp]#  snmptranslate -m CHECKPOINT-MIB  -IR -Onf    fwNumConn
.iso.org.dod.internet.private.enterprises.checkpoint.products.fw.fwPolicyStat.fwNumConn
[root@bbb tmp]#


取得

[root@bbb tmp]#  snmpget -v2c -c public 192.168.xxx.xxx  .1.3.6.1.4.1.2620.1.1.25.3.0
SNMPv2-SMI::enterprises.2620.1.1.25.3.0 = Counter32: 2
[root@bbb tmp]#


那網管軟體就可以做 template 了,以 cacti 為例:





















其它參考資訊.

https://sc1.checkpoint.com/documents/R76/CP_R76_Splat_AdminGuide/51553.htm



http://www.oidview.com/mibs/2620/CHECKPOINT-MIB.html









其它 監控 






















SmartView Monitor