Integration with SNMP Monitoring Systems
The Dr.Web SNMP agent (Dr.Web SNMPD) can act as a data provider for any monitoring system that uses SNMP protocol version 2c or 3. The list of available data and its structure are described in the Dr.Web MIB file DrWeb-Snmpd.mib, which is supplied with the product and located in the <opt_dir>/share/drweb-snmpd/mibs directory. For easy configuration, the component is supplied with settings templates for popular monitoring systems; these templates are located in the <opt_dir>/share/drweb-snmpd/connectors directory.
Integration with Munin Monitoring System
The Munin monitoring system consists of a central server (master), which collects statistics from clients (munin-node) residing locally on the monitored hosts. At the server's request, each client collects data about the monitored host by starting plug-ins that provide the data transferred to the server. To connect Dr.Web SNMPD to Munin, a ready-to-use Dr.Web plug-in for Munin is supplied. The plug-in resides in the <opt_dir>/share/drweb-snmpd/connectors/munin/plugins directory and collects the data required to build the following graphs:
•Number of detected threats
•File scan statistics
•Email message scanning statistics
These plug-ins support SNMP protocol versions 1, 2c and 3. Based on these template plug-ins, you can create other plug-ins to poll the status of Dr.Web for UNIX Internet Gateways components via Dr.Web SNMPD. The following files are located in the <opt_dir>/share/drweb-snmpd/connectors/munin directory.
Connecting a host to Munin
In the present instruction, it is assumed that Munin is already deployed on the monitoring server and that the monitored host has an installed and functioning Dr.Web SNMPD (the component can also run in proxy mode together with the system SNMP agent) and munin-node.
1. Monitored host configuration
•Copy the snmp__drweb_* files to the directory with munin-node plug-in libraries (the directory depends on the OS; in some operating systems, for example, the path is /usr/share/munin/plugins).
•Configure munin-node by connecting the supplied Dr.Web plug-ins to it. To do this, use the plug-in configuration utility that is distributed with Munin. For example, the following command
will display on the terminal a list of commands that create the required symbolic links to the plug-ins. Copy and execute them in the command line. Note that the specified command presumes that: 1) Munin is installed on the same host as Dr.Web SNMPD; if this is not the case, specify the correct FQDN or IP address of the monitored host instead of the localhost value; 2) Dr.Web SNMPD uses SNMP version 2c; if this is not the case, specify the correct SNMP version in the command. The utility has several arguments for flexible configuration of plug-ins: you can specify the SNMP protocol version, the port listened on by the SNMP agent on the monitored host, the actual value of the community string, and so on. If required, refer to the manual of the utility.
•If necessary, define (or redefine) the environment parameters with which the installed Dr.Web plug-ins for munin-node are executed, such as the community string and the port used by the SNMP agent. These parameters must be defined in the /etc/munin/plugin-conf.d/drweb file (create it if required); use the supplied drweb.cfg file as an example.
•In the munin-node configuration file (munin-node.conf), specify a regular expression that matches the IP addresses of all Munin servers (masters) allowed to connect to munin-node to receive the values of the monitored parameters, for example:
In this case, only the IP address 10.20.30.40 is allowed to receive host parameters.
•Restart munin-node, for example, by using the following command:
2. Munin server (master) configuration
Add the address and identifier of the monitored host to the munin.conf configuration file, which is located by default in the /etc directory (in some operating systems it is /etc/munin/munin.conf):
where <ID> is the displayed host identifier, <hostname> is the name of the host, <domain> is the name of the domain, and <host IP address> is the IP address of the host. For official Munin documentation, refer to http://munin.readthedocs.io.
Integration with Zabbix Monitoring System
The file templates required for connecting Dr.Web SNMPD to Zabbix are located in the <opt_dir>/share/drweb-snmpd/connectors/zabbix directory.
The template describing the monitored host features:
•A description of counters (“items”, in Zabbix terminology). By default, the template is set up for use with SNMP v2.
•A set of predefined graphs: the number of scanned files and the distribution of detected threats by type.
Connecting a host to Zabbix
In the present instruction, it is assumed that Zabbix is already deployed on the monitoring server and that the monitored host has an installed and functioning Dr.Web SNMPD (the component can also run in proxy mode together with the system SNMP agent). Moreover, if you want to receive SNMP trap notifications from the monitored host (including notifications on threats detected by Dr.Web for UNIX Internet Gateways on a protected server), install the net-snmp package on the monitoring server (the standard snmptrapd and snmptt tools are used).
1. In the Zabbix web interface, import the template of the monitored host from the <opt_dir>/share/drweb-snmpd/connectors/zabbix/zbx_drweb.xml file.
2. Add the monitored host to the host list. Specify the correct host parameters and SNMP interface settings (they must match the Dr.Web SNMPD settings on the host):
•Host tab: name drweb-host, visible name DRWEB_HOST, group Linux servers; add an SNMP interface with the IP address and port used by Dr.Web SNMPD (Dr.Web SNMPD is assumed to run on the local host, so the address 127.0.0.1 and the port 161 are specified by default).
•Templates tab: link the DRWEB template (select it in the list of templates and add it).
•Macros tab: set the {$SNMP_COMMUNITY} macro to the “read community” for SNMP v2c (public by default), then save the host.
Note: the {$SNMP_COMMUNITY} macro can also be specified directly in the host template.
3. Once the template is linked to the monitored host and the SNMP settings are correct, Zabbix starts collecting data for the counters (items) of the template; the collected data is displayed in the Zabbix monitoring pages (latest data and graphs).
4. A special item, drweb-traps, collects SNMP trap notifications from Dr.Web SNMPD. The log of received SNMP trap notifications is available in the history of this item in the web interface. To collect notifications, Zabbix uses the standard snmptrapd and snmptt tools from the net-snmp package. For details on how to configure these tools to receive SNMP trap notifications from Dr.Web SNMPD, see below.
5. If necessary, configure a trigger that changes its state upon receiving an SNMP trap notification from Dr.Web SNMPD; the state change can be used as an event source for generating the appropriate notifications. The example below shows a trigger expression; it is specified in the expression field of the trigger:
•For Zabbix 2.x:
•For Zabbix 3.x:
An event is triggered (the trigger value is set to 1) if the log of SNMP trap notifications from Dr.Web SNMPD was updated within the last minute. If the log is not updated within the next minute, the trigger value is set back to 0. It is recommended to set, in the severity field of this trigger, a notification type other than Not classified, for example, Warning.
Configuring Receipt of SNMP trap notifications for Zabbix
1. On the monitored host, in the Dr.Web SNMPD settings (the TrapReceiver parameter), specify the address listened on by snmptrapd on the host where Zabbix operates, for example:
2. In the snmptrapd configuration file (snmptrapd.conf), specify the same address and the application that processes received SNMP trap notifications (in this example, the snmptt component):
Add the following string to the file so that snmptrapd does not discard the SNMP traps sent by Dr.Web SNMPD as unknown:
3. snmptt saves received SNMP trap notifications to a file on disk in the specified format, which corresponds to the regular expression set in the Zabbix host template (the drweb-traps item). The format of the saved notification is specified in the <opt_dir>/share/drweb-snmpd/connectors/zabbix/snmptt.drweb.zabbix.conf file, which must be copied to /etc/snmp.
4. Moreover, the path to the format files must be specified in snmptt.ini:
After that, restart snmptt if it was started in daemon mode.
5. In the Zabbix server configuration file (zabbix-server.conf), specify (or check that they are already specified) the following settings:
where /var/log/snmptt/snmptt.log is the log file used by snmptt to register information on received SNMP trap notifications. For official Zabbix documentation, refer to https://www.zabbix.com/documentation/.
Integration with Nagios Monitoring System
Files with configuration examples, required for connecting Dr.Web SNMPD to Nagios, are located in the <opt_dir>/share/drweb-snmpd/connectors/nagios directory.
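The snmptrapd and snmptt links are the same in the Zabbix trap procedure above and in the Nagios trap procedure that follows. The shell script below is an added example, not part of the product or this manual: it checks that the links of the chain agree with each other (TrapReceiver against snmpTrapdAddr, the traphandle to snmptt, the Dr.Web format file in snmptt.ini and, for Zabbix, the trapper file). It assumes that TrapReceiver is written as a "TrapReceiver = host:port" line; the sample configuration files it writes are constructed for the check.

```shell
# Added example, not part of the Dr.Web product or this manual: checks that the
# links of the chain Dr.Web SNMPD -> snmptrapd -> snmptt -> monitoring server agree.
# Assumed: TrapReceiver is stored as a "TrapReceiver = host:port" line; the other
# directives are the real ones of net-snmp (snmpTrapdAddr, traphandle, disableAuthorization),
# snmptt (log_file, snmptt_conf_files) and Zabbix (StartSNMPTrapper, SNMPTrapperFile).

# value_of FILE KEY: value of the first "KEY = value" (or "KEY=value") line.
value_of() {
    sed -n "s/^[[:space:]]*$2[[:space:]]*=[[:space:]]*//p" "$1" | head -n 1
}

# check_trap_chain DRWEB_INI SNMPTRAPD_CONF SNMPTT_INI FORMAT_FILE [ZABBIX_SERVER_CONF]
# FORMAT_FILE is snmptt.drweb.zabbix.conf or snmptt.drweb.nagios.conf. Returns 0
# when every link agrees, 1 otherwise; each problem found is printed.
check_trap_chain() {
    rc=0
    receiver=$(value_of "$1" TrapReceiver)
    listen=$(awk '$1 == "snmpTrapdAddr" { print $2; exit }' "$2")
    [ -n "$receiver" ] || { echo "TrapReceiver is not set in $1"; rc=1; }
    [ "$receiver" = "$listen" ] || { echo "TrapReceiver '$receiver' differs from snmpTrapdAddr '$listen'"; rc=1; }
    # Without a traphandle snmptrapd only logs the trap itself; snmptt never sees it.
    grep -q '^[[:space:]]*traphandle[[:space:]].*snmptt' "$2" || { echo "no traphandle to snmptt in $2"; rc=1; }
    # The Dr.Web format file must be inside the snmptt_conf_files <<END ... END list.
    sed -n '/^[[:space:]]*snmptt_conf_files[[:space:]]*=/,/^END/p' "$3" | grep -qF "$4" \
        || { echo "$4 is not listed in snmptt_conf_files of $3"; rc=1; }
    if [ $# -ge 5 ]; then   # Zabbix: trapper enabled and reading the file snmptt writes
        [ "$(value_of "$5" StartSNMPTrapper)" = "1" ] || { echo "StartSNMPTrapper is not 1 in $5"; rc=1; }
        [ "$(value_of "$3" log_file)" = "$(value_of "$5" SNMPTrapperFile)" ] \
            || { echo "snmptt log_file and SNMPTrapperFile differ"; rc=1; }
    fi
    # disableAuthorization makes snmptrapd accept traps from any sender: harmless on
    # loopback, but on a routable address anyone could inject fake Dr.Web alerts.
    case "$listen" in
        127.0.0.1:*|localhost:*|udp:127.0.0.1:*) ;;
        *) if grep -qi '^[[:space:]]*disableAuthorization[[:space:]]*yes' "$2"; then
               echo "warning: unauthenticated traps are accepted on non-loopback $listen"
           fi ;;
    esac
    return $rc
}

# write_samples DIR: constructed sample files (not from a real host): a consistent Zabbix chain plus a server file that polls the wrong log.
write_samples() {
    mkdir -p "$1"
    printf '[SNMPD]\nTrapReceiver = 127.0.0.1:162\n' > "$1/drweb.ini"
    printf 'snmpTrapdAddr 127.0.0.1:162\ndisableAuthorization yes\ntraphandle default /usr/sbin/snmptt\n' > "$1/snmptrapd.conf"
    printf 'log_enable = 1\nlog_file = /var/log/snmptt/snmptt.log\nsnmptt_conf_files = <<END\n/etc/snmp/snmptt.conf\n/etc/snmp/snmptt.drweb.zabbix.conf\nEND\n' > "$1/snmptt.ini"
    printf 'StartSNMPTrapper=1\nSNMPTrapperFile=/var/log/snmptt/snmptt.log\n' > "$1/zabbix_server.conf"
    printf 'StartSNMPTrapper=1\nSNMPTrapperFile=/var/log/zabbix/traps.log\n' > "$1/zabbix_server_bad.conf"
}
```

Run it against the real files on the monitoring server (for Nagios, pass snmptt.drweb.nagios.conf and omit the Zabbix argument) after completing the steps above; a non-zero exit lists the link that still disagrees.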
Connecting a host to Nagios
In the present instruction, it is assumed that Nagios is already deployed on the monitoring server, including configuration of the web server and the nagiosgraph graphical tool, and that the monitored host has an installed and functioning Dr.Web SNMPD (the component can also run in proxy mode together with the system SNMP agent). Moreover, if you want to receive SNMP trap notifications from the monitored host (including notifications on threats detected by Dr.Web for UNIX Internet Gateways on a protected server), install the net-snmp package on the monitoring server (the standard snmptrapd and snmptt tools are used).
In this manual, the following path conventions are used (real paths depend on the operating system and installation):
•<NAGIOS_PLUGINS_DIR>: directory with Nagios plug-ins, for example /usr/lib64/nagios/plugins.
•<NAGIOS_ETC_DIR>: directory with Nagios settings, for example /etc/nagios.
•<NAGIOS_OBJECTS_DIR>: directory with Nagios objects, for example /etc/nagios/objects.
•<NAGIOSGRAPH_DIR>: nagiosgraph directory, for example /usr/local/nagiosgraph.
•<NAGIOS_PERFDATA_LOG>: file where Nagios records the results of service checks (must be the same as the perflog file from <NAGIOSGRAPH_DIR>/etc/nagiosgraph.conf). Records from this file are read by the <NAGIOSGRAPH_DIR>/bin/insert.pl script and written to the corresponding RRA archives.
Configuring Nagios:
1. Copy the check_drweb file to the <NAGIOS_PLUGINS_DIR> directory and the drweb.cfg file to the <NAGIOS_OBJECTS_DIR> directory.
2. Add the hosts with Dr.Web that are to be monitored to the drweb group. Dr.Web SNMPD must be running on these hosts. By default, only localhost is in this group.
3. If required, edit the check_drweb command, which contains the instruction for contacting Dr.Web SNMPD on drweb hosts via snmpwalk:
Specify the correct SNMP protocol version and parameters (such as the community string or authentication parameters) as well as the port. The $HOSTADDRESS$ variable must be included in the command, because Nagios automatically substitutes it with the correct host address when the command is invoked. The OID is not required in the command. It is also recommended to specify the snmpwalk command with the full path to the executable file (usually /usr/local/bin/snmpwalk).
4. Connect the DrWeb objects in the <NAGIOS_ETC_DIR>/nagios.cfg configuration file by adding the following string to the file:
5. Add the settings for DrWeb graphs from the rrdopts.conf-sample file to the <NAGIOSGRAPH_DIR>/etc/rrdopts.conf file.
6. If nagiosgraph is yet to be configured, do the following:
•Copy the nagiosgraph.cfg file to the <NAGIOS_OBJECTS_DIR> directory and edit the path to the insert.pl script in the command, for example, as follows:
•Connect this file in the <NAGIOS_ETC_DIR>/nagios.cfg configuration file by adding the following line to it:
7. Check the values of the parameters in the <NAGIOS_ETC_DIR>/nagios.cfg configuration file:
Configuring Receipt of SNMP trap notifications for Nagios
1. On the monitored host, in the Dr.Web SNMPD settings (the TrapReceiver parameter), specify the address listened on by snmptrapd on the host where Nagios operates, for example:
2. Check that the <NAGIOS_PLUGINS_DIR>/eventhandlers/submit_check_result script, which is invoked when an SNMP trap is received, exists. If the script is missing, copy the submit_check_result file to this location from the <opt_dir>/share/drweb-snmpd/connectors/nagios/plugins/eventhandlers/ directory. In this file, change the path specified in the CommandFile parameter: it must have the same value as the command_file parameter in the <NAGIOS_ETC_DIR>/nagios.cfg file.
3. Copy the snmptt.drweb.nagios.conf file to the /etc/snmp/ directory. In this file, change the path to submit_check_result, for example, by using the following command:
4. Add the “/etc/snmp/snmptt.drweb.nagios.conf” string to the list of format files in snmptt.ini (as in step 4 of the Zabbix procedure above). After that, restart snmptt if it was started in daemon mode.
After all required Nagios configuration files are added and edited, run Nagios in debug mode by using the following command:
Upon receipt of this command, Nagios checks for configuration errors. If no error is found, Nagios can be restarted as usual (for example, by using the service nagios restart command). For official Nagios documentation, refer to http://www.nagios.org/documentation/.
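As an added illustration of step 2 of the Nagios trap procedure (not the submit_check_result script shipped with the product), the shell functions below show what such a handler delivers to the Nagios command file named by command_file: one PROCESS_SERVICE_CHECK_RESULT external command per trap. The host, service and file names are constructed for the example.

```shell
# Added example, not the submit_check_result script shipped with Dr.Web SNMPD.
# A trap handler appends one PROCESS_SERVICE_CHECK_RESULT external command per
# trap to the Nagios command file (command_file in nagios.cfg; a named pipe on a
# real host, a regular file in this example). Fields are separated by ';' and
# commands by newlines, so text taken from the trap (a threat name, a file path)
# is sanitised before it is embedded.

# clean_field TEXT: remove ';' and line breaks so trap text cannot add fields
# or smuggle in a second external command.
clean_field() {
    printf '%s' "$1" | tr -d ';\n\r'
}

# format_check_result HOST SERVICE STATE OUTPUT [EPOCH]: one passive check result.
# STATE uses the Nagios service states: 0 OK, 1 WARNING, 2 CRITICAL, 3 UNKNOWN.
format_check_result() {
    case "$3" in 0|1|2|3) ;; *) echo "invalid state: $3" >&2; return 1 ;; esac
    stamp=${5:-$(date +%s)}
    printf '[%s] PROCESS_SERVICE_CHECK_RESULT;%s;%s;%s;%s\n' "$stamp" \
        "$(clean_field "$1")" "$(clean_field "$2")" "$3" "$(clean_field "$4")"
}

# submit_check_result COMMAND_FILE HOST SERVICE STATE OUTPUT: append the result
# to the command file; returns non-zero if the file is not writable or the
# state is invalid, so the caller (snmptt) can log the failure.
submit_check_result() {
    [ -w "$1" ] || { echo "command file $1 is not writable" >&2; return 1; }
    format_check_result "$2" "$3" "$4" "$5" >> "$1"
}
```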