[Xymon] Monitoring network traffic

nor krie norkrie at gmail.com
Thu Apr 4 23:27:33 CEST 2024


Hi,

I created a server side script for all the *nix servers where I extract the
network info from the clientlog.
The script identifies all servers with an ssh column (this is clearly a *nix
server) and then loops over all these targets to create a "nic" column with
interface info.
Nothing to configure especially, a new *nix server will be automatically
identified and get the column with detailed info and some graphs.

Some snippets to get the idea:

# grab all client info
get_all_info(){
  $XYMONBIN localhost "clientlog $TARGET"
}

ALLINFO=`get_all_info`

##################################################
# grab the nic details
get_nic_info(){
  echo "$ALLINFO" | \
    $NAWK '/^\[ifconfig/,/^\[route/' | \
    $GREP -v "^\["
}

##################################################
# grab the route
get_route_info(){
  echo "$ALLINFO" | \
    $NAWK '/^\[route/,/^\[netstat/' | \
    $GREP -v "^\["
}


##################################################
# grab the ports
get_ports_info(){
  ALLPORTS=`echo "$ALLINFO" | \
    $NAWK '/^\[ports/,/^\[ifstat/' | \
    $GREP -v "^\["`
  # distinct connection states (last field of each tcp line)
  PORTSTATUS=`echo "$ALLPORTS" | \
    $NAWK '/^tcp/{print $NF}' | \
    $SORT -u`
  for stat in $PORTSTATUS
  do
    # count the tcp lines whose state equals $stat; the value is passed
    # with -v instead of being spliced into the awk program text
    NUM=`echo "$ALLPORTS" | \
         $NAWK -v stat="$stat" '/^tcp/ && $NF == stat {i++}
                END{print i+0}'`
    echo "tcp ports in status $stat: $NUM"
  done
}


# create the output to send to xymon

    echo "<h4>interface info</h4>"
    get_nic_info

    echo "<h4>route info</h4>"
    get_route_info

    echo "<h4>active tcp connections</h4>"
    get_ports_info

    showgraph ifstat_kB


All these data are then sent to the xymon server daemon and create a nic
column.

A complete run over 500 servers will take approx. 60 secs (but you can run
more scripts in parallel if needed).


HTH


Norbert
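
An added example, not part of Norbert's script: a self-contained variant of the snippets above that picks a clientlog section by name, counts TCP states per state, and HTML-escapes the client-supplied text before it goes into the status message (ifconfig output contains < and >). SAMPLE is constructed data, and the names get_section, html_escape, tcp_state_counts and tcp_state_count are hypothetical.

```shell
#!/bin/sh
# Constructed sample of clientlog text (documentation addresses only).
SAMPLE='[ifconfig]
eth0: flags=4163<UP,BROADCAST,RUNNING,MULTICAST>  mtu 1500
[route]
default via 192.0.2.1 dev eth0
[ports]
tcp        0      0 192.0.2.10:22      198.51.100.7:50122  ESTABLISHED
tcp        0      0 192.0.2.10:22      198.51.100.8:40100  ESTABLISHED
tcp        0      0 192.0.2.10:443     203.0.113.9:51000   SYN_RECV
tcp        0      0 0.0.0.0:22         0.0.0.0:*           LISTEN
udp        0      0 0.0.0.0:123        0.0.0.0:*
[ifstat]
eth0 1000 2000'

# Print the body of one [name] section, whichever section follows it.
get_section() {   # $1 = clientlog text, $2 = section name
  printf '%s\n' "$1" | awk -v want="[$2]" '
    /^\[/ { insec = ($0 == want); next }
    insec'
}

# Escape client-supplied text before embedding it in an HTML status message.
html_escape() {
  sed -e 's/&/\&amp;/g' -e 's/</\&lt;/g' -e 's/>/\&gt;/g'
}

# One "STATE COUNT" line per TCP state, sorted by state name.
tcp_state_counts() {   # $1 = clientlog text
  get_section "$1" ports | awk '
    /^tcp/ { n[$NF]++ }
    END { for (s in n) print s, n[s] }' | sort
}

# Count for a single state; prints 0 when the state does not occur.
tcp_state_count() {   # $1 = clientlog text, $2 = state
  tcp_state_counts "$1" | awk -v s="$2" '$1 == s { c = $2 } END { print c + 0 }'
}

# Build the column body the same way as the snippets above.
echo "<h4>interface info</h4>"
get_section "$SAMPLE" ifconfig | html_escape
echo "<h4>active tcp connections</h4>"
tcp_state_counts "$SAMPLE" | html_escape
```
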

On Thu, 4 Apr 2024 at 19:21, Josh Luthman <
josh at imaginenetworksllc.com> wrote:

> The clientlog includes [netstat] which has a snapshot of activity in text
>
> The trends puts it in a pretty graph stored in rrd.
>
> On Thu, Apr 4, 2024 at 4:30 AM Schrittenlocher, Rolf <
> R.Schrittenlocher at ub.uni-frankfurt.de> wrote:
>
>> Hi,
>>
>>
>> thanks Axel. I just saw that "trends" shows network traffic. So the data
>> is already collected and available on the server. xymon server is Linux,
>> only the clients are Solaris. So can someone tell me how I can access the
>> data either with a client script or on server side?
>>
>>
>> kind regards
>>
>> Rolf
>>
>>
>> Rolf Schrittenlocher
>>
>> Bibliotheksmanagementsystem IT | IT-Services (ITS)
>>
>>
>>
>> Universitätsbibliothek Johann Christian Senckenberg
>>
>> Goethe-Universität Frankfurt  |  Campus Bockenheim
>>
>> Zentralbibliothek  |  Freimannplatz 1
>>
>> 60325 Frankfurt am Main  |  GERMANY
>>
>> Phone (switchboard) +49 (0)69  798 28830
>>
>> Phone (direct) +49 (0)69  798 28908
>>
>> E-mail: lbs-it at ub.uni-frankfurt.de
>>
>> E-mail (personal) r.schrittenlocher at ub.uni-frankfurt.de
>>
>> Website: https://www.ub.uni-frankfurt.de
>>
>>
>>
>> ------------------------------
>> *From:* Axel Beckert <abe at deuxchevaux.org>
>> *Sent:* Thursday, 4 April 2024 10:17
>> *To:* Schrittenlocher, Rolf
>> *Cc:* Xymon at xymon.com
>> *Subject:* Re: [Xymon] Monitoring network traffic
>>
>> Hi Rolf,
>>
>> Schrittenlocher, Rolf wrote on Thu, Apr 04, 2024 at 07:45:58AM +0000:
>> > Our challenge at the moment is how to monitor traffic quantity in/out in
>> > order to detect suspicious activities on Solaris 10. Is there a
>> > way to do this with xymon?
>>
>> Definitely. ;-)
>>
>> For our own use (in a university, too :-) and published via Debian's
>> hobbit-plugins package, I've written a plugin simply called "net"
>> which can check many network interface characteristics including
>> monitoring network traffic (calculating bytes/second average from the
>> rx/tx difference of 10 seconds), but so far it's just for Linux and
>> uses common Linux commandline tools and
>> /proc/ links:
>>
>>
>> https://salsa.debian.org/debian/hobbit-plugins/-/blob/master/src/usr/lib/xymon/client/ext/net
>>
>> (It also uses the Hobbit.pm Perl module from the same package:
>>
>> https://salsa.debian.org/debian/hobbit-plugins/-/blob/master/src/usr/share/perl5/Hobbit.pm
>> )
>>
>> It though shouldn't be too hard to adapt it to some Solaris
>> commandline tools and their output. I'm just not sure how to convert
>> the /proc/ stuff. Maybe there's a Linux compat mode like in FreeBSD?
>> (Haven't touched any Solaris for like 20 years or so, back when I was
>> a student.)
>>
>>                 Regards, Axel
>> --
>> PGP: 2FF9CD59612616B5      /~\  Plain Text Ribbon Campaign,
>> http://arc.pasp.de/
>> Mail: abe at deuxchevaux.org  \ /  Against HTML in e-mails and Usenet
>> Mail+Jabber: abe at noone.org  X
>> https://axel.beckert.ch/   / \  I love long mails:
>> https://email.is-not-s.ms/
>> _______________________________________________
>> Xymon mailing list
>> Xymon at xymon.com
>> http://lists.xymon.com/mailman/listinfo/xymon
>>