[Xymon] PORTS and STATE syntax

Boldt, David dboldt at usgs.gov
Wed Mar 16 00:00:10 CET 2016


On Mon, Mar 14, 2016 at 7:02 AM, Jeremy Laidman
<jlaidman at rebel-it.com.au> wrote:
>
> David
>
> On Thu, Mar 10, 2016 at 1:15 AM Boldt, David <dboldt at usgs.gov> wrote:
>>
>> I'm not successful filtering on the connection state associated with a port.
>
>
> A couple of things to note, but first some explanation of how things work.  The STATE and PORT rules are matched against the text in the [ports] section of the client data, which is generally the output of "netstat -na" in one form or another, but including only TCP sockets.  The output of this command, and hence the required processing varies between operating systems, but in most cases the local IP and port is in column 3 (numbered from 0), the remote is in column 4 and the state is in column 5.  (The exceptions to this are Solaris, using columns 0, 1 and 6 respectively; and Windows which uses columns 1, 2 and 3.)
>
> The output of "ss" is most definitely different to any "netstat" that I've seen.  In particular, the socket state is on column 0 - before either of the local or remote addresses/ports.  It might be helpful to know what OS you're using, that doesn't have a netstat command.

Sapphire OS, a Linux derivative of unknown provenance, customized for
use in IPAM/DHCP/DNS appliances sold by BT Diamond.

>> None of the syntax variations I have tried have been successful.
>> If I remove the STATE specifier, matches are found.
>
>
> It's just a coincidence that the column numbers for local and remote are the same for netstat and ss.  Had this not been the case, you'd have had more trouble getting matches even with STATE unspecified.
>
>>
>> I've set up several port monitoring specifications, but none of them
>> match the state
>
>
>>
>> PORT LOCAL=%[:](61617) REMOTE=%10.160.8.133   STATE=ESTABLISHED MIN=3
>> MAX=3 COLOR=yellow TEXT=ActiveMQ-nsp.er
>
>
> The normal "netstat" output uses the string "ESTABLISHED".  But "ss" uses "ESTAB".  If [ports] shows ESTAB then that's what you need to match.
>
>>
>> PORT LOCAL=%[:](61617) REMOTE=%136.177.16.3   STATE=ESTAB MIN=3 MAX=3
>> COLOR=yellow TEXT=ActiveMQ-ns.cr
>
>
> Would work, if ESTAB was in the correct column.
>
>>
>> PORT LOCAL=%[:](61617) REMOTE=%137.227.240.32 STATE=%ESTAB MIN=3 MAX=3
>
>
> I think this will match only when the state starts and ends with "ESTAB" and so it'd probably work, provided the state was in the first column.
>
>>
>> COLOR=yellow TEXT=ActiveMQ-ns.er
>> PORT LOCAL=%[:](61617) REMOTE=%130.118.4.2    STATE=%ESTAB* MIN=3
>> MAX=3 COLOR=yellow TEXT=ActiveMQ-ns.wr
>
>
> The "%" marks the string that follows as a regular expression.  The asterisk in a regular expression means to match zero or more of the previous character.  So this would match "ESTAB" as well as "ESTA" and "ESTABB" and "ESTABBBBBB" but it wouldn't match "ESTABLISHED".
>
>> Note: On this server netstat does not exist and ss is being used.

I should have taken the documentation at its word, but was led astray
by Internet examples which didn't make a lot of sense to me as regex
expressions. Simplifying, now:

PORT LOCAL=%:61617 REMOTE=%10.160.8.132   STATE=ESTAB MIN=3 MAX=3
COLOR=yellow TEXT=ActiveMQ-DHCP
PORT LOCAL=%:61617 REMOTE=%10.160.8.133   STATE=ESTAB MIN=3 MAX=3
COLOR=yellow TEXT=ActiveMQ-nsp.er
PORT LOCAL=%:61617 REMOTE=%136.177.16.3   STATE=ESTAB MIN=3 MAX=3
COLOR=yellow TEXT=ActiveMQ-ns.cr
PORT LOCAL=%:61617 REMOTE=%137.227.240.32 STATE=ESTAB MIN=3 MAX=3
COLOR=yellow TEXT=ActiveMQ-ns.er
PORT LOCAL=%:61617 REMOTE=%130.118.4.2    STATE=ESTAB MIN=3 MAX=3
COLOR=yellow TEXT=ActiveMQ-ns.wr

and working

> Yep, this is your problem.  I'm assuming that you edited the xymonclient-<os>.sh script and replaced "netstat -na" with "ss"?

yes

>> Observation: Discovering the syntax for REMOTE was trial and error.
>> Specifying the IP address alone did not work, and I found no examples
>> for the type of filtering above.
>
>
> The analysis.cfg file has several examples for the use of LOCAL.  The REMOTE usage is the same.

ah, but none of the LOCAL examples specifies an IP address, only port
distinctions.

> So, what to do?  The simplest thing would be to adjust the output of "ss" so that the columns match up.  Simply replicating the state column would suffice.  Something like so:
>
> ss -nt | awk '{ print $0 $1 }'

Thanks for your thorough descriptions of the underlying process, and
the example conversion.

-- 
                                         -- David Boldt
                                            <dboldt at usgs.gov>


   "... you cannot reason a person out of a position that the person
has not been reasoned into."
    --Washington Post editorial comment on political positions
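As an added example (not code from the thread, the Xymon client scripts or analysis.cfg), this POSIX shell sketch reshapes constructed "ss -nt" output so the state also sits in the column Xymon reads on Linux netstat layout, then emulates the column-based LOCAL/REMOTE/STATE match to show why ESTABLISHED never matches ss output and why the state must be in the right column. The sample sockets, the helper names and the assumption that Xymon's column 5 is awk's $6 are mine.

```shell
#!/bin/sh
# Added example (not from the original thread): reshape "ss -nt" output so the
# socket state also lands in the column where Xymon's PORT rules look for it on
# Linux (column 5 counting from 0, i.e. awk's $6), then count matches the way a
# PORT LOCAL=/REMOTE=/STATE= rule would. All sample data below is constructed.

# Constructed sample of what "ss -nt" prints: header, then one line per socket.
SAMPLE_SS='State     Recv-Q Send-Q Local Address:Port  Peer Address:Port
ESTAB     0      0      10.160.8.132:61617  10.160.8.133:45678
ESTAB     0      0      10.160.8.132:61617  136.177.16.3:50112
TIME-WAIT 0      0      10.160.8.132:61617  10.160.8.133:45702'

# Append the ss state ($1) as a new trailing column. The comma matters: it makes
# awk emit its output field separator, so the state becomes a field of its own
# instead of being glued onto the peer address. The header line is dropped.
ss_to_netstat_layout() {
    awk 'NR > 1 { print $0, $1 }'
}

# Emulate the column-based check: count lines whose local (awk $4), remote ($5)
# and state ($6) fields match the given regular expressions, as a Xymon rule
# "PORT LOCAL=%<re> REMOTE=%<re> STATE=%<re>" would on Linux netstat layout.
count_port_matches() {
    awk -v lre="$1" -v rre="$2" -v sre="$3" \
        '$4 ~ lre && $5 ~ rre && $6 ~ sre { n++ } END { print n + 0 }'
}

# Helpers wiring the constructed sample through conversion and matching.
matches_after_conversion() {
    printf '%s\n' "$SAMPLE_SS" | ss_to_netstat_layout | count_port_matches "$@"
}

# Same rule applied to raw ss lines: $6 is empty, so STATE= can never match.
matches_without_conversion() {
    printf '%s\n' "$SAMPLE_SS" | awk 'NR > 1' | count_port_matches "$@"
}
```

Regexes are passed to awk with -v, so write a literal dot as [.] rather than a backslash escape to avoid awk's escape processing of -v values.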


