Integration with SNMP Monitoring Systems

Dr.Web SNMPD (the Dr.Web SNMP agent) can act as a data provider for any monitoring system that uses SNMP version 2c or 3. The available data and their structure are described in the MIB file DrWeb-Snmpd.mib, which is supplied with the product and resides in the <opt_dir>/share/drweb-snmpd/mibs directory.

For easy configuration, the module is supplied with configuration templates for the following popular monitoring systems:

Cacti

Munin

Nagios

Zabbix

The configuration templates for monitoring systems reside in the <opt_dir>/share/drweb-snmpd/connectors directory.

Integration with Cacti monitoring system

Cacti displays statistics on applications running on hosts and network equipment using object descriptions and counters imported from templates. Templates for all required counters (data templates) are prepared first; the data templates are then bound, as objects, to graph templates, and the graph templates are assigned to host templates. The host template is therefore the root template: it describes the host (or network device) added to Cacti for monitoring, and all counter lists and predefined templates whose data are part of the collected statistics become available for that host.

To connect a host running Dr.Web SNMPD to the Cacti monitoring system, the <opt_dir>/share/drweb-snmpd/connectors/cacti directory contains a ready-to-use XML file, cacti_host_template_drweb.xml, with the template of a monitored host on which a Dr.Web solution is installed.

This template connects the host to the monitoring system and collects statistics on detected threats of various types and on file scanning. It can be imported into Cacti as is, modified, or used as the basis for new templates.

Connecting a host to Cacti

In the present instruction, it is assumed that the Cacti monitoring system is already deployed on the monitoring server and that Dr.Web SNMPD is installed and running on the monitored host (the component may also run in proxy mode together with snmpd).

1.In the Cacti web interface, import the host template cacti_host_template_drweb.xml (click Console –> Import Templates, specify the path to the template file, and click Import). If the import succeeds, the result lists the imported objects (the DrWeb Host template).

2.Add the host to be monitored to the Devices list in the Cacti web interface (Console –> Devices –> Add). As the host template, select the DrWeb Host template imported in the previous step. When adding the host, assign it a name (for example, DrWeb-Device), specify its network address (FQDN or IP address) and the correct SNMP parameters: version, port, and the read community for version 2c, or the user name and authentication and privacy settings for version 3. Click Save. The added host appears in the Devices list of the Cacti web interface.

3.For the added device, create graphs that show the operation of Dr.Web on the host. Select Console –> New Graphs, select the monitored host in the device list (DrWeb-Device in the example), and set the graph type to Graph Template Based. Then select the check boxes of the counters available from the imported template and click Create.

4.Make sure that the new data sources were created in the previous step: select Console –> Data Sources. The page must contain the following data sources:

DrWeb-Device-adware counter *

DrWeb-Device-dialers counter

DrWeb-Device-hacktools counter

DrWeb-Device-jokes counter

DrWeb-Device-known viruses counter

DrWeb-Device-riskware counter

DrWeb-Device-suspicios counter

DrWeb-Device-filecheck scanned bytes

*) DrWeb-Device is the name of the device added in step 2.

It is recommended to make sure that a corresponding RRD Tool RRA archive was created for every data source. To do so, click the data source and then click Turn On Data Source Debug Mode; this shows the command that generates the data source and the result of its execution.

5.Select Console –> Graph Management to activate the graphs. Graphs that have already been built can be viewed by clicking the graph name; if a graph is not displayed, click Turn On Graph Debug Mode to see the command that creates the graph and its execution result. Select the following graphs in the list:

DrWeb filecheck scan statistic

DrWeb found malware

In the Choose an action field, select Place on a Tree (Default Tree) and click Go.

6.To view the built graphs, click Graphs. Note that results appear about 10 minutes after the data sources were added, and the creation of graphs and data sources may remain incomplete until the first SNMP poll (about 5 minutes after the device was added).

If required, you can extend the set of data sources and the corresponding graphs. To do so, add a new data source based on the built-in SNMP - Generic OID Template and specify the OID of the required counter in its settings. Then add the resulting data template as an object to other graph templates.

The basic configuration of Cacti does not support collection and display of SNMP traps and does not support notification on different events. To enable support for both these functions, install the corresponding plug-ins.

Configuration of the SNMP trap plug-in to enable Dr.Web SNMPD notifications is similar to configuration of SNMP trap for any other source.

For official documentation on configuration of the Cacti monitoring system, refer to http://docs.cacti.net/manual:088.

Integration with Munin monitoring system

The Munin monitoring system consists of a central server (master), munin, which collects statistics from munin-node clients running locally on the monitored hosts. On request from the server, each client collects data about the monitored host by running plug-ins, and the data they return is transferred to the server.

To enable connection between Dr.Web SNMPD and the Munin monitoring system, a ready-to-use plug-in drweb is supplied. The plug-in resides in the <opt_dir>/share/drweb-snmpd/connectors/munin/plugins directory. This plug-in collects data required for construction of the following two graphs:

Number of detected threats

File scan statistics

The plug-in supports SNMP versions 1, 2c, and 3. Using this plug-in as a template, you can create other plug-ins that poll the status of Dr.Web for UNIX File Servers components via Dr.Web SNMPD. Because Munin expects a plug-in to return data for exactly one graph, the drweb plug-in is a wildcard plug-in: it is linked under several names, and Munin sees each link as a separate plug-in.

The <opt_dir>/share/drweb-snmpd/connectors/munin directory contains the following files:

File                       Description

plugins/drweb              The munin-node plug-in that polls Dr.Web SNMPD via SNMP.

plugin-conf.d/drweb.cfg    The munin-node configuration template for connecting to Dr.Web SNMPD.

Connecting a host to Munin

In the present instruction, it is assumed that the Munin monitoring system is already deployed on the monitoring server, and that the monitored host has a running Dr.Web SNMPD (the component may also run in proxy mode together with snmpd), munin-node, and the net-snmp command-line tools (the plug-in calls snmpwalk).

1) Monitored host configuration

Copy the drweb file to the munin-node plug-in library directory <munin_lib_plugins>.

Create two symbolic links in the <munin_plugins> directory of enabled munin-node plug-ins:

<munin_plugins>/drweb_malware -> <munin_lib_plugins>/drweb
<munin_plugins>/drweb_scanstat -> <munin_lib_plugins>/drweb

Copy the drweb.cfg file to the munin-node plug-in configuration directory (on Debian/Ubuntu, /etc/munin/plugin-conf.d) and edit the parameters used by the drweb plug-ins to connect to Dr.Web SNMPD:

[drweb_*]
user root
group root
env.SNMP_WALK_COMMAND snmpwalk -c public -v 2c localhost:161

Replace these values with the actual ones (matching the Dr.Web SNMPD configuration); the example shows the defaults. Note that public is the well-known default read community: on anything other than a loopback-only setup, change it and prefer SNMP version 3 with authentication and encryption (which the plug-in supports), so that neither the polling credentials nor the statistics cross the network in clear text.

In the munin-node.conf configuration file, specify a regular expression matching the IP addresses of the hosts that are allowed to connect to munin-node and read the monitored values, for example:

allow ^10\.20\.30\.40$

In this case, only the host 10.20.30.40 (the Munin master) is allowed to read the parameters.

Restart munin-node (for example, by using service munin-node restart command).

The paths <munin_lib_plugins> and <munin_plugins> depend on the operating system. In Debian/Ubuntu operating systems, these paths are as follows: /usr/share/munin/plugins and /etc/munin/plugins respectively.

2) Munin server (master) configuration

Add the address and identifier of the monitored host to the Munin configuration file munin.conf, which is located, by default, in /etc (on Debian/Ubuntu: /etc/munin/munin.conf):

[<ID>;<hostname>.<domain>]
address <host IP address>
use_node_name yes

where <ID> is the host identifier shown in the Munin interface, <hostname> is the name of the host, <domain> is its domain name, and <host IP address> is the IP address of the host.
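The following is an added example, not the drweb plug-in shipped with Dr.Web SNMPD: a minimal munin-node wildcard plug-in written the same way, to show what the two symbolic links and the SNMP_WALK_COMMAND setting in step 1 actually do. Munin calls the linked file with config to get the graph definition and with no argument to get the values; the part of the link name after drweb_ selects the graph. The OID suffixes and the sample snmpwalk output are constructed placeholders under the Doctor Web enterprise arc 1.3.6.1.4.1.29690 (the arc that appears in the Zabbix trigger expression on this page); the real object identifiers come from DrWeb-Snmpd.mib.

```shell
#!/bin/sh
# Added example, NOT the drweb plug-in shipped with Dr.Web SNMPD: a minimal
# munin-node wildcard plug-in built the same way. One file is linked under two
# names (drweb_malware, drweb_scanstat); the suffix after "drweb_" selects the
# graph, and munin-node calls the plug-in with "config" to get the graph
# definition and with no argument to get the values.
# The OID suffixes are HYPOTHETICAL placeholders under the Doctor Web
# enterprise arc 1.3.6.1.4.1.29690; take the real ones from DrWeb-Snmpd.mib.

# Constructed snmpwalk output so the example runs offline. In production
# munin-node exports SNMP_WALK_COMMAND from plugin-conf.d/drweb.cfg, e.g.
#   env.SNMP_WALK_COMMAND snmpwalk -c public -v 2c localhost:161
# or, for anything that leaves the loopback interface, SNMPv3 with authPriv:
#   env.SNMP_WALK_COMMAND snmpwalk -v 3 -u munin -l authPriv -a SHA -A <authpass> -x AES -X <privpass> host:161
sample_walk() {
    cat <<'EOF'
SNMPv2-SMI::enterprises.29690.1.1.1.0 = Counter32: 12
SNMPv2-SMI::enterprises.29690.1.1.2.0 = Counter32: 3
SNMPv2-SMI::enterprises.29690.1.2.1.0 = Counter64: 734003200
EOF
}

walk() {
    if [ -n "$SNMP_WALK_COMMAND" ]; then $SNMP_WALK_COMMAND; else sample_walk; fi
}

# One walk, reduced to "<oid suffix> <value>" lines for the Dr.Web subtree.
dr_values() {
    walk | awk -v p='SNMPv2-SMI::enterprises.29690.' \
        'index($1, p) == 1 { print substr($1, length(p) + 1), $NF }'
}

# munin_drweb NAME [config]   (NAME is the link name munin-node invoked us as)
munin_drweb() {
    case "${1#drweb_}:${2:-fetch}" in
        malware:config)
            printf 'graph_title Dr.Web detected threats\n'
            printf 'graph_category security\n'
            printf 'graph_vlabel objects per second\n'
            printf 'graph_args --base 1000 -l 0\n'
            printf 'known_viruses.label known viruses\n'
            printf 'known_viruses.type DERIVE\n'
            printf 'known_viruses.min 0\n'
            printf 'suspicious.label suspicious objects\n'
            printf 'suspicious.type DERIVE\n'
            printf 'suspicious.min 0\n' ;;
        malware:fetch)
            dr_values | awk '$1 == "1.1.1.0" { print "known_viruses.value", $2 }
                             $1 == "1.1.2.0" { print "suspicious.value", $2 }' ;;
        scanstat:config)
            printf 'graph_title Dr.Web file scan statistics\n'
            printf 'graph_category security\n'
            printf 'graph_vlabel bytes per second\n'
            printf 'graph_args --base 1024 -l 0\n'
            printf 'scanned_bytes.label scanned bytes\n'
            printf 'scanned_bytes.type DERIVE\n'
            printf 'scanned_bytes.min 0\n' ;;
        scanstat:fetch)
            dr_values | awk '$1 == "1.2.1.0" { print "scanned_bytes.value", $2 }' ;;
        *)
            echo "unknown plug-in name or mode: $1 ${2:-fetch}" >&2
            return 1 ;;
    esac
}

# Dispatch on the name we were invoked as, exactly like a real munin plug-in.
case "$(basename "$0")" in
    drweb_*) munin_drweb "$(basename "$0")" "$1" ;;
esac
```

Installed as <munin_lib_plugins>/drweb with the two links from step 1, it can be tried with munin-run drweb_malware config and munin-run drweb_malware; when SNMP_WALK_COMMAND is unset it falls back to the constructed sample, so the parsing logic can be checked without a running agent.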

Integration with Zabbix monitoring system

The template files required to connect Dr.Web SNMPD to the Zabbix monitoring system reside in the <opt_dir>/share/drweb-snmpd/connectors/zabbix directory.

File                          Description

zbx_drweb.xml                 Template of a monitored host on which a Dr.Web solution is installed.

snmptt.drweb.zabbix.conf      Configuration of the snmptt SNMP trap handler.

The host template contains:

Descriptions of the counters ("Items" in Zabbix terminology). By default, the template is set up for SNMP v2c.

A set of predefined graphs: the number of scanned files and the distribution of detected threats by type.

Connecting a host to Zabbix

In the present instruction, it is assumed that the Zabbix monitoring system is already deployed on the monitoring server and that Dr.Web SNMPD is installed and running on the monitored host (the component may also run in proxy mode together with snmpd). Moreover, if you want to receive SNMP trap notifications from the monitored host (including notifications on threats detected by Dr.Web for UNIX File Servers), install the net-snmp package (which provides snmptrapd) and snmptt (the SNMP Trap Translator, a separate package) on the monitoring server.

1.In the Zabbix web interface, on the Configuration –> Templates tab, import the host template from the file <opt_dir>/share/drweb-snmpd/connectors/zabbix/zbx_drweb.xml.

2.Add the monitored host to the host list (Hosts –> Create host). Specify the correct host parameters and SNMP interface settings (they must match the settings of Dr.Web SNMPD and, in proxy mode, of snmpd on the monitored host).

The Host tab:

Host name: drweb-host

Visible name: DRWEB_HOST

Groups: select Linux servers

Agent interfaces: the Zabbix agent interface (127.0.0.1 and port 10050 by default). The DRWEB template uses SNMP items, not agent items, so it can be left at its default.

SNMP interfaces: click Add and specify the IP address and port on which Dr.Web SNMPD (or snmpd, in proxy mode) listens on the monitored host (port 161 by default). Zabbix also uses this address to match received SNMP traps to the host (see below).

The Templates tab:

Click Add, select the DRWEB template, and click Select.

The Macros tab:

Macro: {$SNMP_COMMUNITY}

Value: the read community for SNMP v2c (public by default; change it from this well-known value on any host reachable over the network).

Click Save.

Note: The {$SNMP_COMMUNITY} macro can also be set directly in the host template.

By default, the imported DRWEB template is configured for SNMP v2c. If you want to use another SNMP version, edit the template accordingly on the corresponding page.

3.After the template is bound to the monitored host, if the settings are specified correctly, the Zabbix monitoring system will start to collect data for counts (items) of the template; the collected data will be displayed on the Monitoring –> Latest Data and Monitoring –> Graphs tabs.

4.A special item, drweb-traps, is used for collecting SNMP traps from Dr.Web SNMPD. The log of received SNMP trap notifications is available on the Monitoring –> Latest Data –> drweb-traps –> history page. To collect notifications, Zabbix uses snmptrapd from the net-snmp package and snmptt. For details on configuring these tools to receive SNMP trap notifications from Dr.Web SNMPD, see below.

5.If necessary, you can configure a trigger that will change its state upon receipt of an SNMP trap notification from Dr.Web SNMPD. Changing its state can be used as an event source for generation appropriate notifications. The example below shows an expression for configuration of a trigger; the expression is specified in the trigger expression field:

({TRIGGER.VALUE}=0 & {DRWEB:snmptrap[.*\.1\.3\.6\.1\.4\.1\.29690\..*].nodata(60)}=1 )|({TRIGGER.VALUE}=1 & {DRWEB:snmptrap[.*\.1\.3\.6\.1\.4\.1\.29690\..*].nodata(60)}=0)

The trigger switches to the PROBLEM state (value 1) if the log of SNMP trap notifications from Dr.Web SNMPD was updated within the last minute, and back to OK (value 0) if no new notification arrives during the following minute.

Configuring receipt of SNMP traps for Zabbix

1.On the monitored host in Dr.Web SNMPD settings (SNMPD.TrapReceiver), specify an address to be listened by snmptrapd on the host where Zabbix operates, for example:

SNMPD.TrapReceiver = 10.20.30.40:162

2.In the snmptrapd configuration file (snmptrapd.conf), specify the same listening address and the application that processes received traps (in this example snmptthandler, a component of snmptt). snmptrapd from net-snmp discards traps from a community (or SNMPv3 user) it has not been told to accept, so the same file must also allow the community that Dr.Web SNMPD sends (authCommunity directive):

snmpTrapdAddr 10.20.30.40:162
traphandle default /usr/sbin/snmptthandler

3.Received SNMP trap notifications are saved to a file on disk in the format defined in the <opt_dir>/share/drweb-snmpd/connectors/zabbix/snmptt.drweb.zabbix.conf file; this format matches the regular expression set for the drweb-traps item in the Zabbix host template. Copy the file to /etc/snmp.

4.The path to this format file must also be listed in the snmptt.ini file:

[TrapFiles]
# A list of snmptt.conf files (this is NOT the snmptrapd.conf file).
# The COMPLETE path and filename. Ex: '/etc/snmp/snmptt.conf'
snmptt_conf_files = <<END
/etc/snmp/snmptt.conf
/etc/snmp/snmptt.drweb.zabbix.conf
END

After that, restart snmptt if it was started in daemon mode.

5.In the configuration file of the Zabbix server (zabbix_server.conf), specify the following settings (or check that they are already set):

SNMPTrapperFile=/var/log/snmptt/snmptt.log
StartSNMPTrapper=1

where /var/log/snmptt/snmptt.log is a log file used by snmptt to register information on received SNMP trap notifications.
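As an added example (not part of Dr.Web SNMPD, net-snmp, snmptt or Zabbix), the shell script below checks that the files edited in steps 2, 4 and 5 agree with each other: snmptrapd hands traps to snmptthandler and is allowed to accept them, snmptt loads the Dr.Web format file and logs to a file, and that file is the one Zabbix reads as SNMPTrapperFile. The configuration paths in its usage comment and the sample configurations it writes into a temporary directory are constructed for the demonstration.

```shell
#!/bin/sh
# Added example (not part of Dr.Web SNMPD, net-snmp, snmptt or Zabbix): a
# consistency check for the trap chain
#   Dr.Web SNMPD -> snmptrapd -> snmptthandler -> snmptt -> Zabbix SNMP trapper
# When "nothing arrives in drweb-traps" it is usually one of three things:
# snmptrapd silently dropping traps whose community/user is not authorised,
# the Dr.Web format file missing from snmptt.ini, or SNMPTrapperFile not
# being the file snmptt actually writes. Run it on the Zabbix server, e.g.
#   check_trap_chain /etc/snmp/snmptrapd.conf /etc/snmp/snmptt.ini /etc/zabbix/zabbix_server.conf
# (these paths are assumptions; use the ones of your installation).

# Value of "key = value" in an ini-style file; empty if the key is absent.
ini_value() {   # $1 = file, $2 = key
    awk -v k="$2" -F'=' '
        $1 ~ ("^[ \t]*" k "[ \t]*$") { v = $2; sub(/^[ \t]+/, "", v); sub(/[ \t]+$/, "", v) }
        END { print v }' "$1"
}

# check_trap_chain SNMPTRAPD.CONF SNMPTT.INI ZABBIX_SERVER.CONF -> 0 if consistent
check_trap_chain() {
    trapd=$1; ini=$2; zbx=$3; rc=0

    # snmptrapd: traps must be handed to snmptthandler ...
    grep -Eq '^[[:space:]]*traphandle[[:space:]]+default[[:space:]]+[^[:space:]]*snmptthandler' "$trapd" \
        || { echo "$trapd: no 'traphandle default .../snmptthandler'" >&2; rc=1; }
    # ... and accepted in the first place: net-snmp's snmptrapd ignores traps
    # unless an authCommunity/authUser line (or disableAuthorization) allows them.
    grep -Eq '^[[:space:]]*(authCommunity|authUser|disableAuthorization)[[:space:]]' "$trapd" \
        || { echo "$trapd: no authCommunity/authUser line, traps will be dropped" >&2; rc=1; }

    # snmptt: Dr.Web format file loaded, logging enabled, and where the log goes
    grep -q 'snmptt\.drweb\.zabbix\.conf' "$ini" \
        || { echo "$ini: snmptt.drweb.zabbix.conf not listed under [TrapFiles]" >&2; rc=1; }
    [ "$(ini_value "$ini" log_enable)" = 1 ] \
        || { echo "$ini: log_enable is not 1" >&2; rc=1; }
    log=$(ini_value "$ini" log_file)
    [ -n "$log" ] || { echo "$ini: log_file is not set" >&2; rc=1; }

    # Zabbix: trapper enabled and reading exactly that file
    [ "$(ini_value "$zbx" StartSNMPTrapper)" = 1 ] \
        || { echo "$zbx: StartSNMPTrapper is not 1" >&2; rc=1; }
    tf=$(ini_value "$zbx" SNMPTrapperFile)
    if [ -z "$log" ] || [ "$tf" != "$log" ]; then
        echo "$zbx: SNMPTrapperFile ('$tf') is not snmptt's log_file ('$log')" >&2; rc=1
    fi
    return $rc
}

# Constructed sample configurations: "good" matches the settings described
# above, "bad" points Zabbix at a file that snmptt never writes.
demo_chain() {
    d=$(mktemp -d) || return 2
    cat >"$d/snmptrapd.conf" <<'EOF'
snmpTrapdAddr 10.20.30.40:162
authCommunity log,execute public
traphandle default /usr/sbin/snmptthandler
EOF
    cat >"$d/snmptt.ini" <<'EOF'
[General]
mode = daemon
log_enable = 1
log_file = /var/log/snmptt/snmptt.log

[TrapFiles]
snmptt_conf_files = <<END
/etc/snmp/snmptt.conf
/etc/snmp/snmptt.drweb.zabbix.conf
END
EOF
    if [ "$1" = good ]; then
        printf 'StartSNMPTrapper=1\nSNMPTrapperFile=/var/log/snmptt/snmptt.log\n' >"$d/zabbix_server.conf"
    else
        printf 'StartSNMPTrapper=1\nSNMPTrapperFile=/var/log/snmptrap.log\n' >"$d/zabbix_server.conf"
    fi
    if check_trap_chain "$d/snmptrapd.conf" "$d/snmptt.ini" "$d/zabbix_server.conf"; then rc=0; else rc=$?; fi
    rm -rf "$d"
    return $rc
}
```

demo_chain good passes and demo_chain bad reports the mismatch on stderr and returns 1; on a real server, run check_trap_chain against the live files before hunting for problems in the Zabbix item regular expression.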

For official documentation on Zabbix, refer to https://www.zabbix.com/documentation/.

Integration with Nagios monitoring system

Files with configuration examples required to connect Dr.Web SNMPD to the Nagios monitoring system reside in the <opt_dir>/share/drweb-snmpd/connectors/nagios directory.

File                                        Description

nagiosgraph/rrdopts.conf-sample             Example of the RRD Tool configuration file

objects/drweb.cfg                           Configuration file describing the drweb objects

objects/nagiosgraph.cfg                     Configuration file of the Nagiosgraph graph plotting component

plugins/check_drweb                         Script that collects data from a host on which Dr.Web is installed

plugins/eventhandlers/submit_check_result   Script that processes SNMP traps

snmp/snmptt.drweb.nagios.conf               Configuration of the snmptt SNMP trap handler

Connecting a host to Nagios

In the present instruction, it is assumed that the Nagios monitoring system is already deployed on the monitoring server, including the configuration of the web server and of the Nagiosgraph graphing tool, and that Dr.Web SNMPD is installed and running on the monitored host (the component may also run in proxy mode together with snmpd). Moreover, if you want to receive SNMP trap notifications from the monitored host (including notifications on threats detected by Dr.Web for UNIX File Servers), install the net-snmp package (which provides snmptrapd) and snmptt (the SNMP Trap Translator, a separate package) on the monitoring server.

In the current manual, the following path conventions are used (real paths depend on the operating system and Nagios installation):

<NAGIOS_PLUGINS_DIR> — directory with Nagios plug-ins, for example: /usr/lib64/nagios/plugins

<NAGIOS_ETC_DIR> — directory with Nagios settings, for example: /etc/nagios

<NAGIOS_OBJECTS_DIR> — directory with Nagios objects, for example: /etc/nagios/objects

<NAGIOSGRAPH_DIR> Nagiosgraph directory, for example: /usr/local/nagiosgraph

<NAGIOS_PERFDATA_LOG> — file where Nagios records the results of service checks (must be the same as the perflog file in <NAGIOSGRAPH_DIR>/etc/nagiosgraph.conf). Records from this file are read by the <NAGIOSGRAPH_DIR>/bin/insert.pl script and written to the corresponding RRD Tool RRA archives.

Configuring Nagios:

1.Copy the check_drweb file to the <NAGIOS_PLUGINS_DIR> directory and the drweb.cfg file to the <NAGIOS_OBJECTS_DIR> directory.

2.In drweb.cfg, add the hosts with Dr.Web that are to be monitored to the drweb host group; Dr.Web SNMPD must be running on these hosts. By default, only localhost is in this group.

3.If required, edit the check_drweb command, which contains the instruction for contacting Dr.Web SNMPD on the drweb hosts with the snmpwalk tool:

snmpwalk -c public -v 2c $HOSTADDRESS$:161

Specify the correct SNMP version and parameters (the community string, or the authentication and privacy parameters for version 3) as well as the port. The $HOSTADDRESS$ macro must remain in the command, because Nagios substitutes the address of the checked host for it when the command is invoked. No OID is required in the command. It is also recommended to give the full path to the executable (for example /usr/local/bin/snmpwalk; distribution packages usually install it as /usr/bin/snmpwalk).

4.Connect the DrWeb objects in the <NAGIOS_ETC_DIR>/nagios.cfg configuration file by adding the following line to it:

cfg_file=<NAGIOS_OBJECTS_DIR>/drweb.cfg

5.Add RRD Tool settings for DrWeb graphics from the rrdopts.conf-sample file to the <NAGIOSGRAPH_DIR>/etc/rrdopts.conf file.

6.If Nagiosgraph is yet to be configured, do the following steps for its configuration:

Copy the nagiosgraph.cfg file to the <NAGIOS_OBJECTS_DIR> directory and edit the path to the insert.pl script in the process-service-perfdata-for-nagiosgraph command, for example as follows:

$ awk '$1 == "command_line" { $2 = "<NAGIOSGRAPH_DIR>/bin/insert.pl" }{ print }' ./objects/nagiosgraph.cfg > <NAGIOS_OBJECTS_DIR>/nagiosgraph.cfg

Connect this file in the <NAGIOS_ETC_DIR>/nagios.cfg configuration file by adding the following line to it:

cfg_file=<NAGIOS_OBJECTS_DIR>/nagiosgraph.cfg

7.Check values of Nagios parameters in the <NAGIOS_ETC_DIR>/nagios.cfg configuration file:

check_external_commands=1
execute_host_checks=1
accept_passive_host_checks=1
enable_notifications=1
enable_event_handlers=1
 
process_performance_data=1
service_perfdata_file=/usr/nagiosgraph/var/rrd/perfdata.log
service_perfdata_file_template=$LASTSERVICECHECK$||$HOSTNAME$||$SERVICEDESC$||$SERVICEOUTPUT$||$SERVICEPERFDATA$
service_perfdata_file_mode=a
service_perfdata_file_processing_interval=30
service_perfdata_file_processing_command=process-service-perfdata-for-nagiosgraph
 
check_service_freshness=1
enable_flap_detection=1
enable_embedded_perl=1
enable_environment_macros=1

Configuring receipt of SNMP traps for Nagios

1.On the monitored host in Dr.Web SNMPD settings (SNMPD.TrapReceiver), specify an address to be listened by snmptrapd on the host where Nagios operates, for example:

SNMPD.TrapReceiver = 10.20.30.40:162

2.Check that the <NAGIOS_PLUGINS_DIR>/eventhandlers/submit_check_result script, which is invoked when an SNMP trap is received, exists. If it is missing, copy the submit_check_result file to this location from <opt_dir>/share/drweb-snmpd/connectors/nagios/plugins/eventhandlers/. In this file, set the CommandFile parameter to the same value as the command_file parameter in <NAGIOS_ETC_DIR>/nagios.cfg.

3.Copy the snmptt.drweb.nagios.conf file to the /etc/snmp/ directory and change the path to submit_check_result in it, for example with the following command:

$ awk '$1 == "EXEC" { $2 = "<NAGIOS_PLUGINS_DIR>/eventhandlers/submit_check_result" }{ print }' ./snmp/snmptt.drweb.nagios.conf > /etc/snmp/snmptt.drweb.nagios.conf

4.Add the line /etc/snmp/snmptt.drweb.nagios.conf to the snmptt_conf_files list in the [TrapFiles] section of the snmptt.ini file (as described for Zabbix above). After that, restart snmptt if it runs in daemon mode. As with Zabbix, snmptrapd must be told to accept the community (or SNMPv3 user) that Dr.Web SNMPD sends (authCommunity directive in snmptrapd.conf); otherwise the traps are silently dropped.

After all required Nagios configuration files have been added and edited, verify the configuration with the following command:

# nagios -v <NAGIOS_ETC_DIR>/nagios.cfg

Nagios checks the configuration for errors. If none are found, Nagios can be restarted as usual (for example, with the service nagios restart command).
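The added example below is not the check_drweb or submit_check_result shipped with Dr.Web SNMPD; it is a minimal active check written to the same Nagios plug-in protocol, to show what Nagios, Nagiosgraph and the service_perfdata_file_template above expect from check_drweb (a status line with performance data and exit code 0/1/2/3), together with the passive check result line that submit_check_result appends to the Nagios command file when snmptt runs it for a trap. The OID suffixes and the sample snmpwalk output are constructed placeholders under the Doctor Web enterprise arc 1.3.6.1.4.1.29690; the thresholds and the service name are assumptions.

```shell
#!/bin/sh
# Added example, NOT the check_drweb shipped with Dr.Web SNMPD. It shows what
# a Nagios active check for Dr.Web SNMPD has to produce so that Nagios,
# Nagiosgraph and the service_perfdata_file_template above can use it:
#   stdout  "DRWEB <STATUS> - text | label=value;warn;crit;min ..."
#   exit    0 OK, 1 WARNING, 2 CRITICAL, 3 UNKNOWN
# and the passive-result line that a trap handler such as submit_check_result
# appends to the Nagios command file.
# The OID suffixes below are HYPOTHETICAL placeholders under the Doctor Web
# enterprise arc 1.3.6.1.4.1.29690; take the real ones from DrWeb-Snmpd.mib.

DRWEB_ENT='SNMPv2-SMI::enterprises.29690'

# Constructed snmpwalk output, used only to run the example offline. The real
# command in drweb.cfg is along the lines of
#   /usr/bin/snmpwalk -c public -v 2c $HOSTADDRESS$:161 | check_drweb 1 10
SAMPLE_WALK="$DRWEB_ENT.1.1.1.0 = Counter32: 12
$DRWEB_ENT.1.1.2.0 = Counter32: 3
$DRWEB_ENT.1.2.1.0 = Counter64: 734003200"

# Value of one OID (by suffix $2) in the walk output passed as $1; empty if absent.
walk_value() {
    printf '%s\n' "$1" | awk -v oid="$DRWEB_ENT.$2" '$1 == oid { print $NF; exit }'
}

# check_drweb WARN CRIT   (snmpwalk output on stdin; thresholds on threats found)
check_drweb() {
    warn=$1; crit=$2
    walk=$(cat)
    viruses=$(walk_value "$walk" 1.1.1.0)
    suspicious=$(walk_value "$walk" 1.1.2.0)
    bytes=$(walk_value "$walk" 1.2.1.0)
    # Missing data is UNKNOWN (exit 3), never OK: an unreachable agent, a wrong
    # community string or a changed MIB must not look like a clean host.
    if [ -z "$viruses" ] || [ -z "$suspicious" ] || [ -z "$bytes" ]; then
        echo "DRWEB UNKNOWN - no data from Dr.Web SNMPD (agent down, wrong community or OID?)"
        return 3
    fi
    threats=$((viruses + suspicious))
    perf="threats=$threats;$warn;$crit;0 known_viruses=$viruses;;;0 suspicious=$suspicious;;;0 scanned_bytes=${bytes}B;;;0"
    if [ "$threats" -ge "$crit" ]; then
        echo "DRWEB CRITICAL - $threats threats detected | $perf"; return 2
    elif [ "$threats" -ge "$warn" ]; then
        echo "DRWEB WARNING - $threats threats detected | $perf"; return 1
    fi
    echo "DRWEB OK - $threats threats detected, $bytes bytes scanned | $perf"; return 0
}

# passive_result HOST SERVICE CODE OUTPUT [EPOCH]: the external command that
# submit_check_result writes for a received trap, i.e. what snmptt's EXEC line
# ultimately feeds into Nagios through command_file from nagios.cfg.
passive_result() {
    printf '[%s] PROCESS_SERVICE_CHECK_RESULT;%s;%s;%s;%s\n' \
        "${5:-$(date +%s)}" "$1" "$2" "$3" "$4"
}
```

With the constructed sample, printf '%s\n' "$SAMPLE_WALK" | check_drweb 20 30 prints the OK line with exit code 0, the same input with thresholds 1 10 exits 2, and a timeout message from snmpwalk exits 3; passive_result drweb-host "DrWeb traps" 2 "threat detected" produces the line that, written to the command file, makes Nagios record a CRITICAL state for the trap service without polling the host.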

For official documentation on Nagios, refer to http://www.nagios.org/documentation/.