[Xymon] Monitoring if a remote IP is connected to particular local port
Root, Paul T
Paul.Root at CenturyLink.com
Thu Jan 9 15:38:22 CET 2020
Thanks Jeremy,
Yes, that works. I interpreted PORT as looking at either LOCAL or REMOTE.
PORT LOCAL=%[.:]11001 REMOTE=%172\.28\.104\.66:.
[green] local=%[.:]11001 remote=%172\.28\.104\.66:. : (found 2, req. 1 or more)
Paul.
From: Jeremy Laidman <jeremy at laidman.org>
Sent: Thursday, January 09, 2020 5:01 AM
To: Root, Paul T <Paul.Root at CenturyLink.com>
Cc: Xymon MailingList <xymon at xymon.com>
Subject: Re: [Xymon] Monitoring if a remote IP is connected to particular local port
Paul
On Thu, 9 Jan 2020 at 08:04, Root, Paul T via Xymon <xymon at xymon.com> wrote:
Hi,
I’ve got an application that has a specific port open, 11001, that has multiple connections, most looped back on itself.
However, we have another server (that is another group's machine, and isn’t monitored by Xymon), that connects to this port.
An interesting use case.
Reading the analysis.cfg man page, it looks like criteria is either local or remote, not both.
I'm not sure I read it the same way. The format is "PORT criteria [MIN=mincount] ...etc" and what you're wanting to do is specify "criteria". The example in the man page for usage of "TEXT=" shows:
PORT LOCAL=%[.:]22$ STATE=LISTEN "TEXT=SSH listener"
So this is giving two criteria: LOCAL and STATE. This implies that the format is really "PORT criteria [...criteria] [MIN=mincount] ...etc" and thus you can chain multiple criteria. In your use case I would expect you to be able to use something like:
PORT LOCAL=%[.:]10001 REMOTE=172.28.104.66:* STATE=ESTABLISHED
Not sure if the wildcard is valid for REMOTE port number; perhaps use a regex here as well:
PORT LOCAL=%[.:]10001 REMOTE=%172\.28\.104\.66:.* STATE=ESTABLISHED
The analysis.cfg file distributed with the source code specifies this format:
PORT [LOCAL=addr] [EXLOCAL=addr] [REMOTE=addr] [EXREMOTE=addr] [STATE=state] [EXSTATE=state] [MIN=mincount] [MAX=maxcount] [COLOR=color] [TRACK=id] [TEXT=displaytext]
So I can see no problem specifying a local port and a remote IP address as you seem to require.
Is there a way to monitor this situation?
# netstat -ant |grep 11001
tcp 0 0 0.0.0.0:11001 0.0.0.0:* LISTEN
tcp 0 0 192.168.30.15:11001 192.168.30.15:37852 ESTABLISHED
tcp 0 0 192.168.30.15:37852 192.168.30.15:11001 ESTABLISHED
tcp 0 0 192.168.30.15:37864 192.168.30.15:11001 ESTABLISHED
tcp 0 0 192.168.30.15:37856 192.168.30.15:11001 ESTABLISHED
tcp 0 0 192.168.30.15:11001 172.28.104.66:39904 ESTABLISHED
tcp 0 0 192.168.30.15:11001 192.168.30.15:37862 ESTABLISHED
tcp 81 0 192.168.30.15:11001 204.155.140.230:53680 ESTABLISHED
tcp 486 0 192.168.30.15:11001 172.28.104.66:39910 ESTABLISHED
tcp 0 0 192.168.30.15:11001 204.155.140.230:53682 ESTABLISHED
tcp 0 0 192.168.30.15:11001 204.155.140.230:53679 ESTABLISHED
tcp 0 0 192.168.30.15:37862 192.168.30.15:11001 ESTABLISHED
tcp 34 0 192.168.30.15:11001 192.168.30.15:37864 ESTABLISHED
tcp 0 0 192.168.30.15:11001 192.168.30.15:37856 ESTABLISHED
Paul Root
Lead Operations Engineer - IT Managed Services
390 Commerce Dr
Woodbury, Mn 55125
651-312-5207 paul.root at centurylink.com
This communication is the property of CenturyLink and may contain confidential or privileged information. Unauthorized use of this communication is strictly prohibited and may be unlawful. If you have received this communication in error, please immediately notify the sender by reply e-mail and destroy all copies of the communication and any attachments.
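How the chained criteria in this thread select sockets, as an added Python sketch that is not part of the original posts and is not Xymon's own code. It assumes that a leading `%` marks a regex, that every criterion must match the same netstat line, and it runs on constructed netstat lines modelled on the output above; the names `parse_rule`, `field_matches` and `evaluate` are hypothetical.

```python
import re

# Constructed sample: "netstat -ant" lines shaped like those in the thread.
NETSTAT = """\
tcp 0 0 0.0.0.0:11001 0.0.0.0:* LISTEN
tcp 0 0 192.168.30.15:11001 192.168.30.15:37852 ESTABLISHED
tcp 0 0 192.168.30.15:37852 192.168.30.15:11001 ESTABLISHED
tcp 0 0 192.168.30.15:11001 172.28.104.66:39904 ESTABLISHED
tcp 81 0 192.168.30.15:11001 204.155.140.230:53680 ESTABLISHED
tcp 486 0 192.168.30.15:11001 172.28.104.66:39910 ESTABLISHED
"""

FIELDS = ("LOCAL", "REMOTE", "STATE")  # the only criteria this sketch handles


def parse_rule(rule):
    """Split 'PORT KEY=value ...' into (criteria dict, minimum count)."""
    criteria, min_count = {}, 1
    for token in rule.split()[1:]:
        key, _, value = token.partition("=")
        key = key.upper()
        if key == "MIN":
            min_count = int(value)
        elif key in FIELDS:
            criteria[key] = value
    return criteria, min_count


def field_matches(pattern, text):
    # Assumption: '%' introduces a regex; anything else is a substring test.
    if pattern.startswith("%"):
        return re.search(pattern[1:], text) is not None
    return pattern in text


def evaluate(rule, netstat_text):
    """Return (ok, found): count sockets where all criteria match at once."""
    criteria, min_count = parse_rule(rule)
    found = 0
    for line in netstat_text.splitlines():
        cols = line.split()
        if len(cols) < 6 or not cols[0].startswith("tcp"):
            continue  # skip headers and non-TCP lines
        sock = {"LOCAL": cols[3], "REMOTE": cols[4], "STATE": cols[5]}
        if all(field_matches(p, sock[k]) for k, p in criteria.items()):
            found += 1
    return found >= min_count, found
```

Run against the sample, the LOCAL plus REMOTE rule counts only the two sockets from 172.28.104.66 on local port 11001, while LOCAL alone also counts the listener and the other peers.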