[Xymon] Looking for clarification on Xymon client / server hierarchy.

Grant Taylor gtaylor at tnetconsulting.net
Tue Oct 17 03:32:14 CEST 2023


On 10/16/23 7:08 PM, Jeremy Laidman wrote:
> Hi Grant

Hi Jeremy,

> The xymonnet process needs to be able to send probe packets (e.g. ping, 
> web requests, and whatever you're trying to monitor) to the clients. If 
> the firewall is blocking the probe traffic, then it's not going to work.

ACK

> The xymon proxy only proxies xymon messages, such as the ones sent by 
> the xymonnet process to the xymond process when reporting the status of 
> the probes (success or failure, and round-trip times).

That's what I've deduced.  I'm hoping this (new) thread helps confirm or 
clarify my deductions.

> It seems to me that you need a xymonnet process running on the client 
> side of the firewall. For example, if you can run xymonnet on one of the 
> clients, then the firewall only needs to allow xymon traffic from the 
> client to the Xymon server, so that xymonnet can report the status of 
> its probes.

ACK

The scenario that I'm working with can be described as a primary Xymon 
(display) server in one network with a small lab network behind a NATing 
/ SPI firewall.  Clients on the inside side / opposite of the Xymon 
server are free to send outgoing packets.  It's just that xymonnet 
running on the Xymon server can't send probes into the clients.

> You can run xymonnet stand-alone, and set environment variables to tell 
> it where to send its messages. If you already have a xymon client 
> installed on the client host, you can execute xymonnet from 
> clientlaunch.cfg and it should then know where to send packets due to 
> the environment that is set up.

Oh!  This is promising.

I misinterpreted comments in the tasks.cfg file to mean that xymonnet 
depended on xymond.  Now it sounds like xymonnet can be satisfied by 
the xymon client.

Running xymonproxy + xymonnet + xymonclient on a system inside of the 
firewall might do what I'm wanting to do.

> The only thing I'm not certain of, is how xymonnet knows which hosts to 
> probe and what probes to send to them. When xymonnet is running on the 
> Xymon server, it has access to the hosts.cfg file that's there. When 
> running elsewhere, I'm not sure. I know that there's a way to fetch the 
> hosts.cfg contents using xymon messages, so my guess is that xymonnet 
> can do that too, but might need to be told to do so.

I currently have a full Xymon (display) server running inside the 
firewalled network.  But I think that having the full server is 
complicating things.

I'm guessing that running only the three daemons; xymonclient + 
xymonproxy + xymonnet inside the firewall, would make my life simpler 
and wouldn't complicate things with multiple Xymon (display) servers 
that need to share state.

I'm quite okay with '${XYMON} ${XYMSRV} "config hosts.cfg" > hosts.cfg' 
on the internal system running xymonnet.

> And if so, you would only want that xymonnet instance to probe devices 
> inside the client network, so you might need to make use of the "NET:" 
> tags in hosts.cfg.

I currently have NET: tags and XYMONNETWORK parameters on the systems 
running xymonnet.

It's working.  But I'm needing to run a xymonproxy on 1984 and 
distributing messages to xymond on 1985 on localhost and xymond on 1984 
on the main Xymon (display) server.

Hence this thread inquiring about a cleaner method of having a topology.

Thank you again Jeremy.



-- 
Grant. . . .
unix || die
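
Added example, not part of the message above and not from the Xymon distribution: a plain `> hosts.cfg` redirect truncates the local copy before the fetch runs, so an unreachable server leaves the internal xymonnet with an empty host list. This sketch fetches to a temporary file, checks that at least one host carries the `NET:` tag matching `XYMONNETWORK`, and only then renames it into place. It assumes `XYMON`, `XYMSRV` and `XYMONNETWORK` are set by the Xymon client environment; the function names are hypothetical.

```sh
#!/bin/sh
# Added example. XYMON, XYMSRV and XYMONNETWORK are assumed to come from the
# Xymon client environment; the target path passed in is the caller's choice.

# count_net_hosts FILE NETWORK: print how many host lines carry NET:NETWORK.
count_net_hosts() {
    awk -v tag="NET:$2" '
        /^[ \t]*#/ || NF < 2 { next }                      # comments, blank lines
        $1 !~ /^[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+$/ { next }  # directives (page, group, ...)
        { for (i = 3; i <= NF; i++) if ($i == tag) { n++; break } }
        END { print n + 0 }
    ' "$1"
}

# install_hosts_cfg NEW TARGET NETWORK: replace TARGET only if NEW is usable.
install_hosts_cfg() {
    new=$1; target=$2; network=$3
    [ -s "$new" ] || { echo "fetched hosts.cfg is empty; keeping old copy" >&2; return 1; }
    n=$(count_net_hosts "$new" "$network")
    [ "$n" -gt 0 ] || { echo "no hosts tagged NET:$network; keeping old copy" >&2; return 1; }
    mv -f "$new" "$target"    # rename within one directory, so readers never see a partial file
}

# refresh_hosts_cfg TARGET: fetch from the Xymon server, validate, then swap in.
refresh_hosts_cfg() {
    target=$1
    tmp=$(mktemp "$target.XXXXXX") || return 1
    if "$XYMON" "$XYMSRV" "config hosts.cfg" > "$tmp" &&
       install_hosts_cfg "$tmp" "$target" "$XYMONNETWORK"; then
        return 0
    fi
    rm -f "$tmp"
    return 1
}
```

Call `refresh_hosts_cfg` with the path of the hosts.cfg that the internal xymonnet reads, on whatever schedule suits the site.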


