[Xymon] PORTS and STATE syntax

Jeremy Laidman jlaidman at rebel-it.com.au
Mon Mar 14 12:02:13 CET 2016


David

On Thu, Mar 10, 2016 at 1:15 AM Boldt, David <dboldt at usgs.gov> wrote:

> I'm not successful filtering on the connection state associated with a
> port.
>

A couple of things to note, but first some explanation of how things work.
The STATE and PORT rules are matched against the text in the [ports]
section of the client data, which is generally the output of "netstat -na"
in one form or another, but including only TCP sockets.  The output of this
command, and hence the required processing, varies between operating
systems, but in most cases the local IP and port is in column 3 (numbered
from 0), the remote is in column 4 and the state is in column 5.  (The
exceptions to this are Solaris, using columns 0, 1 and 6 respectively; and
Windows which uses columns 1, 2 and 3.)

The output of "ss" is most definitely different to any "netstat" that I've
seen.  In particular, the socket state is on column 0 - before either of
the local or remote addresses/ports.  It might be helpful to know what OS
you're using, that doesn't have a netstat command.

> None of the syntax variations I have tried have been successful.
> If I remove the STATE specifier, matches are found.
>

It's just a coincidence that the column numbers for local and remote are
the same for netstat and ss.  Had this not been the case, you'd have had
more trouble getting matches even with STATE unspecified.


> I've set up several port monitoring specifications, but none of them
> match the state
>


> PORT LOCAL=%[:](61617) REMOTE=%10.160.8.133   STATE=ESTABLISHED MIN=3
> MAX=3 COLOR=yellow TEXT=ActiveMQ-nsp.er
>

The normal "netstat" output uses the string "ESTABLISHED".  But "ss" uses
"ESTAB".  If [ports] shows ESTAB then that's what you need to match.


> PORT LOCAL=%[:](61617) REMOTE=%136.177.16.3   STATE=ESTAB MIN=3 MAX=3
> COLOR=yellow TEXT=ActiveMQ-ns.cr
>

Would work, if ESTAB was in the correct column.


> PORT LOCAL=%[:](61617) REMOTE=%137.227.240.32 STATE=%ESTAB MIN=3 MAX=3
>

I think this will match only when the state starts and ends with "ESTAB"
and so it'd probably work, provided the state was in the first column.


> COLOR=yellow TEXT=ActiveMQ-ns.er
> PORT LOCAL=%[:](61617) REMOTE=%130.118.4.2    STATE=%ESTAB* MIN=3
> MAX=3 COLOR=yellow TEXT=ActiveMQ-ns.wr
>

The "%" marks the string that follows as a regular expression.  The
asterisk in a regular expression means to match zero or more of the
previous character.  So this would match "ESTAB" as well as "ESTA" and
"ESTABB" and "ESTABBBBBB" but it wouldn't match "ESTABLISHED".

> Note: On this server netstat does not exist and ss is being used.
>

Yep, this is your problem.  I'm assuming that you edited the
xymonclient-<os>.sh script and replaced "netstat -na" with "ss"?

> Observation: Discovering the syntax for REMOTE was trial and error.
> Specifying the IP address alone did not work, and I found no examples
> for the type of filtering above.


The analysis.cfg file has several examples for the use of LOCAL.  The
REMOTE usage is the same.

So, what to do?  The simplest thing would be to adjust the output of "ss"
so that the columns match up.  Simply replicating the state column would
suffice.  Something like so:

ss -nt | awk '{ print $0, $1 }'

Cheers
Jeremy
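
Added example, not part of the original message and not Xymon code: a small shell model of the column lookup described above (local in column 3, remote in column 4, state in column 5, numbered from 0), run over constructed "ss -nt" output before and after the state column is replicated. The function names, the sample addresses and the IPv4-only address split are assumptions made for illustration.

```shell
#!/bin/sh
# Constructed sample of "ss -nt" output; addresses are documentation-range
# placeholders, port 61617 is the one used in the rules above.
sample_ss() {
cat <<'EOF'
State      Recv-Q Send-Q Local Address:Port  Peer Address:Port
ESTAB      0      0      192.0.2.10:61617    198.51.100.7:40112
ESTAB      0      0      192.0.2.10:61617    198.51.100.7:40113
ESTAB      0      0      192.0.2.10:61617    198.51.100.7:40114
TIME-WAIT  0      0      192.0.2.10:61617    198.51.100.7:40115
ESTAB      0      0      192.0.2.10:22       203.0.113.5:51000
EOF
}

# Replicate the state (first field) as an extra last field, so that it
# also appears in column 5 where a netstat-style parser looks for it.
adjust_columns() {
    awk '{ print $0, $1 }'
}

# Hypothetical, simplified matcher: count lines whose local port, remote
# IP and state match, reading netstat-style columns 3, 4 and 5
# (0-based), i.e. awk fields $4, $5 and $6. An empty state argument
# means "no STATE filter". IPv4 only.
count_matches() {
    awk -v port="$1" -v rip="$2" -v state="$3" '
        {
            n = split($4, l, ":")   # local address:port
            split($5, r, ":")       # remote address:port
            if (l[n] == port && r[1] == rip &&
                (state == "" || $6 == state)) c++
        }
        END { print c + 0 }'
}

# Raw ss output: matches without a state filter, none with one,
# because column 5 is empty.
echo "raw, no STATE:       $(sample_ss | count_matches 61617 198.51.100.7 '')"
echo "raw, ESTAB:          $(sample_ss | count_matches 61617 198.51.100.7 ESTAB)"
# After replicating the state column, ESTAB matches; ESTABLISHED does
# not, because ss prints ESTAB.
echo "adjusted, ESTAB:     $(sample_ss | adjust_columns | count_matches 61617 198.51.100.7 ESTAB)"
echo "adjusted, ESTABLISHED: $(sample_ss | adjust_columns | count_matches 61617 198.51.100.7 ESTABLISHED)"
```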