[Xymon] Remote Xymon Client Execution via ssh

[Jeremy Laidman]

Listmembers

There exist a few different proxy-ish ways of getting Xymon working
through a firewall.  None of the ones I looked into solved my
particular problem, so I've cobbled together an alternative that some
of you might a) comment on, b) inform me that I've re-implemented the
wheel, or c) be able to use yourself.

My solution is a server-side script, that collects all of the "data"
(disk, memory, CPU idle, ports, procs, etc) from a remote server,
without having any Xymon components installed on it.  All it needs is
a way to get a shell.  The appropriate xymonclient-<ostype>.sh script
is grabbed from the Xymon server and sent over the connection to be
executed in the shell.

As a bonus (and the real reason for me doing this), I can connect to
the server via any mechanism that gives me a shell.  I'm using it to
connect via a jump-box over ssh, so it runs "ssh -T user1 at box1 ssh -T
user2 at box2" and pulls back all of the data values, but it could run
rsh, netcat, stunnel or a socks proxy.

I call the script xymon-rclient.sh, in the same vein as the remote
tools rsh and rexec.

Here are some hosts.cfg examples to give an idea:

  # get data from remserver1 over a ssh login, use %{H} to substitute
with the hostname in field 2
  10.99.1.1 remserver1.example.com # noping dialup "RCLIENT:cmd(ssh -T
otheruser@%{H}),ostype(sunos)"
  # ssh to gateway and then ssh to remserver2
  10.99.1.2 remserver2.example.com # dialup "RCLIENT:cmd(ssh -T
user1 at gateway ssh -T -l user1 %{H}),ostype(sunos)"
  # use rsh and automatically append hostname
  10.99.1.3 remserver3.example.com # "RCLIENT:cmd(rsh),ostype(linux)"
  # connect to remserver4 on its management IP address
  10.99.1.4 remserver4.example.com # "RCLIENT:cmd(ssh -T
remserver4.mgtnet),ostype(linux)"
  # connect via https proxy using corkscrew
  10.99.1.5 remserver5.example.com # noping dialup "RCLIENT:cmd(ssh -o
ProxyCommand='corkscrew proxy 8080 %h %p' user@%{H}),ostype(linux)"

The ssh/rsh examples assume that you've setup password-less
authentication for the Xymon user (although if you're using rsh...well
you shouldn't), that you have created suitable user accounts, and that
added the ssh host keys have been added to *known_hosts.  The
xymon-rclient.sh script is run from tasks.cfg every 5 minutes, and it
automatically pulls out the appropriate hosts and their RCLIENT
settings from hosts.cfg, and probes them accordingly.

If it's an encrypted connection, of course all data is kept secure.
Our security people like this.

This is how the script works.  The relevant client script is selected
according to the ostype setting (eg xymonclient-linux.sh).  On the
fly, the script is adjusted slightly (some code to produce the
"[clock]" section, XYMONTMP and MACHINEDOTS are defined) and it is
then sent over the connetion to the remote shell to be executed as if
typed by a user.  The output is then fed into the local Xymon server
via the "xymon" command.

Because the script is stored on the Xymon server, there's no
installation or upgrades to be done on the "client".  It's the
ultimate in centralisation.  The down-side, of course, is that there
are no smarts on the client, so for example there's no logfetch and so
no messages/file/dir processing possible.  The script needs to be sent
every single time (every 5 minutes), but its size is no more than a
couple of ethernet packets, so I don't consider this to be a major
problem.  The size of the output is typically an order of magnitude
larger than this.

I suppose if people think this script might be useful, I should put it
somewhere, such as Xymonton?

Cheers
Jeremy