[Xymon] Regional Servers to Central

Jeremy Laidman jlaidman at rebel-it.com.au
Tue May 3 04:02:22 CEST 2016


On Sun, Apr 24, 2016 at 5:44 PM Thomas Eckert <thomas.eckert at it-eckert.de>
wrote:

> Galen,
>
> if egress SSH is allowed you could use an SSH tunnel from the central to
> the regional Servers opening say port 1985. Then use that for the
> communication between the Xymon servers.
>
> This will weaken the intentions of the security policy of course ...
>
> The tunnel can be managed by the ssh-tunnels extension by Padraig Lennon
> (on Xymonton) or my slightly extended version (on
> http://www.it-eckert.com/software/patches/ssh-tunnel/). There are also
> some blog posts on my site on setup and combining with xymonproxy.
>

Sorry to be so late to the scene.  I have a similar requirement, but don't
quite get the proposed solutions.  I have a couple of headless "probe"
Xymon servers located on less trusted networks, and a pair of Xymon servers
that primarily probe devices (testing TCP services, ping checks etc.) on our
internal network.  I want to be able to view the results of the probe
servers on the internal server screens.  I can't have the probe servers
connect inbound to the internal Xymon servers, except perhaps via ssh
tunnel.

JC suggested that xymonfetch could be run on the regional (probe) servers
to send in to the internal servers.  I haven't used xymonfetch before, so
I'm not intimately familiar with how it's used.  Nevertheless, in reading
the documentation I can see that xymonfetch is intended to run on a Xymon
server to connect to a Xymon client that has msgcache running.  This
doesn't seem to be the model described by JC, where msgcache isn't
mentioned.  Or am I misunderstanding something?

Perhaps relevant to a solution, the Xymon probe servers periodically
connect to the Xymon clients over ssh, create a reverse tunnel, and run
xymonclient.sh with suitable environment variables to push the client data
through the reverse tunnel.

Perhaps what I need to do is something like this.  I fire up a msgcache on
each probe server, having everything feed into the msgcache instead of
xymond, and I periodically run xymonfetch on each probe server to push the
messages into the real xymond running there.  (I'd probably have xymond
listen on an alternative port, and have msgcache run on 1984.)  I would
then have the ability to run a second instance of xymonfetch on the probe
servers, but being called via ssh from each internal server, complete with
a reverse tunnel, so that the xymonfetch would inject into the xymond on
the internal server.  What I can't figure out here is how to allow a
msgcache queue to be pushed into the probe server's xymond without being
emptied and hence unavailable for the internal Xymon server.

J