<html><head><meta http-equiv="Content-Type" content="text/html charset=utf-8"></head><body style="word-wrap: break-word; -webkit-nbsp-mode: space; -webkit-line-break: after-white-space;" class=""><br class=""><div><blockquote type="cite" class=""><div class="">On 03 May 2016, at 08:46, Adam Goryachev <<a href="mailto:mailinglists@websitemanagers.com.au" class="">mailinglists@websitemanagers.com.au</a>> wrote:</div><br class="Apple-interchange-newline"><div class="">
<meta content="text/html; charset=utf-8" http-equiv="Content-Type" class="">
<div bgcolor="#FFFFFF" text="#000000" class="">
<div class="moz-cite-prefix">On 03/05/16 12:02, Jeremy Laidman
wrote:<br class="">
</div>
<blockquote cite="mid:CAAnki7B0TdiV407bo8xYtcHR2CCPSJnbrTROV04gi=LrtJVEqQ@mail.gmail.com" type="cite" class="">
<div dir="ltr" class="">
<div class="gmail_quote">
<div dir="ltr" class="">On Sun, Apr 24, 2016 at 5:44 PM Thomas Eckert
<<a moz-do-not-send="true" href="mailto:thomas.eckert@it-eckert.de" class="">thomas.eckert@it-eckert.de</a>>
wrote:<br class="">
</div>
<blockquote class="gmail_quote" style="margin:0 0 0
.8ex;border-left:1px #ccc solid;padding-left:1ex"><p dir="ltr" class="">Galen,</p><p dir="ltr" class="">if egress SSH is allowed you could use an SSH
tunnel from the central to the regional Servers opening
say port 1985. Then use that for the communication between
the Xymon servers.</p><p dir="ltr" class="">This will weaken the intentions of the security
policy of course ...</p><p dir="ltr" class="">The tunnel can be managed by the ssh-tunnels
extension by Padraig Lennon (on Xymonton) or my slightly
extended version (on <a moz-do-not-send="true" href="http://www.it-eckert.com/software/patches/ssh-tunnel/" target="_blank" class="">http://www.it-eckert.com/software/patches/ssh-tunnel/</a>).
There are also some blog posts on my site on setup and
combining with xymonproxy.</p>
</blockquote>
<div class="">Sorry to be so late to the scene. I have a similar
requirement, but don't quite get the proposed solutions. I
have a couple of headless "probe" Xymon servers located on
less trusted networks, and a pair of Xymon servers that
primarily probe devices (testing TCP services, ping checks
etc) on our internal network. I want to be able to view the
results of the probe servers on the internal server
screens. I can't have the probe servers connect inbound to
the internal Xymon servers, except perhaps via ssh tunnel.</div>
<div class=""><br class="">
</div>
<div class="">JC suggested that xymonfetch could be run on the regional
(probe) servers to send in to the internal servers. I
haven't used xymonfetch before, so I'm not intimately
familiar with how it's used. Nevertheless, in reading the
documentation I can see that xymonfetch is intended to run
on a Xymon server to connect to a Xymon client that has
msgcache running. This doesn't seem to be the model
described by JC, where msgcache isn't mentioned. Or am I
misunderstanding something?</div>
<div class=""><br class="">
</div>
<div class="">Perhaps relevant to a solution, the Xymon probe servers
periodically connect to the Xymon clients over ssh, create a
reverse tunnel, and run xymonclient.sh with suitable
environment variables to push the client data through the
reverse tunnel.</div>
<div class=""><br class="">
</div>
<div class="">Perhaps what I need to do is something like this. I fire
up a msgcache on each probe server, having everything feed
into the msgcache instead of xymond, and I periodically run
xymonfetch on each probe server to push the messages into
the real xymond running there. (I'd probably have xymond
listen on an alternative port, and have msgcache run on
1984.) I would then have the ability to run a second
instance of xymonfetch on the probe servers, but being
called via ssh from each internal server, complete with a
reverse tunnel, so that the xymonfetch would inject into the
xymond on the internal server. What I can't figure out here
is how to allow a msgcache queue to be pushed into the probe
server's xymond without being emptied and hence unavailable
for the internal xymon server.</div>
<br class="">
</div>
</div>
</blockquote>
<br class="">
<br class="">
I would guess you can pass messages to xymonproxy, which will pass
messages to the local xymon server plus xymonmsgcache, then the
remote server will connect with ssh and collect the pending messages
from the xymonmsgcache?<br class="">
<br class="">
I hope that is what you were asking about.<br class=""></div></div></blockquote><br class=""></div><div>I’ve only used `msgcache` on a single client up to now (for isolated hosts).</div><div>But I _seem_ to remember that there are limits on the amount of messages it can cache (beside other drawbacks, listed here <<a href="http://www.it-eckert.com/blog/2014/remote-site-monitoring-with-ssh-tunnel/" class="">http://www.it-eckert.com/blog/2014/remote-site-monitoring-with-ssh-tunnel/</a>>).</div><div><br class=""></div><div>As I understand the intended use is</div><div><br class=""></div><div>Xymon (central) — Xymon (region1) — multiple clients region1</div><div> |</div><div> — Xymon (region2) — multiple clients region2</div><div> |</div> — … <div class=""><br class=""></div><div class="">This would lead to a potential huge number of messages on the regional Xymon servers that might well go beyond the capacity of `msgcache`.</div><div class=""><br class=""></div><div class="">Using `xymonproxy` on the regional servers would allow to deliver the status-messages to the (local) regional server _and_ the central one.</div><div class="">This is outlined here <<a href="http://www.it-eckert.com/blog/2014/combine-ssh-tunnel-with-xymonproxy/" class="">http://www.it-eckert.com/blog/2014/combine-ssh-tunnel-with-xymonproxy/</a>> (the "remote-datacenter” would be a regional server). To have the data available on the regional server as well the `xymond` there has to listen on say `127.0.0.1:1986` and xymonproxy report to that location as well (xymonproxy-option for sending to multiple servers `--server=SERVERIP[:PORT][,SERVER2IP[:PORT]]` — according to `xymonproxy(8)` up to 3 servers are possible, configuration it pulled from the _last_ in the list!). The order of the xymonproxy “receivers” would also allow the configuration of the regions to be either from central or from the regional server.</div><div class=""><br class=""></div><div class="">This setup is completely transparent to the client, the data they send and how (either directly, via ssh reverse-tunnel, …) as the xymonproxy listens on 1984 on the regional servers and “just takes care” to distribute the data.</div><div class="">The ssh-tunnel is handled by the central server using the `ssh-tunnel` extension (either original <<a href="https://wiki.xymonton.org/doku.php/addons:ssh_tunnel" class="">https://wiki.xymonton.org/doku.php/addons:ssh_tunnel</a>> or extended version <<a href="http://www.it-eckert.com/software/patches/ssh-tunnel/" class="">http://www.it-eckert.com/software/patches/ssh-tunnel/</a>>) that takes care the tunnel is up.</div><div class=""><br class=""></div><div class="">All this only works out if the ssh-tunnels — initiated from central to regionals — is an option in your specific environment (mostly a question of security policy) of course. To sweeten the ssh-tunnel approach it should be noted that</div><div class=""><br class=""></div><div class="">- the msgcache solution would send the messages in clear-text — potentially exposing sensitive information.</div><div class="">- it allows to compress the data (with all the benefits for latency and bandwidth consumption).</div><div class=""><br class=""></div><div class="">Thomas</div><div class=""><br class=""></div></body></html>