This discussion has been locked.
You can no longer post new replies to this discussion. If you have a question you can start a new discussion

HowTo: Monitoring RED Device State with Nagios

Hi folks,

in normal Site2Site VPN setups you could monitor the tunnel state by pinging the remote end of the vpn. If it doesn't respond it's down! [;)] With the REDs being a local interface on the ASG it's no longer possible to check the tunnel state with ping.

We wrote a nagiosplugin which checks the link state of a given RED ID and returns OK when online and CRITICAL when offline. There are also some other values we report, on-/offline time and IP were it is connected from.

I'll give you a short description how to setup the plugin, expecting that you've got a running nagios environment:

1. Copy the check_asg_red_state.pl to your nagios plugn directory (normally /usr/local/nagios/libexec) and make it executable

2. Create a new check_command looking like this:
# 'check_' command definition

define command{
command_name check_asg_red_state
command_line $USER1$/check_asg_red_state.pl -H $HOSTADDRESS$ -R $ARG1$
}

3. You need to gennerate a key pair for the nagios user in order to use the passwordless authentication with the host. This can be done by running 
ssh-keygen -t rsa -N ""

as nagios user or
su - nagios -c 'ssh-keygen -t rsa -N "" '

4. Install your public key on your Astaro for passwordless login of loginuser.

5. Now you can test your setup:

nagios@debian:/usr/local/nagios/libexec$ ./check_asl_red_state.pl -H my.firewall.net -R A300001234567890
RED STATE OK - RED connected from 1.2.3.4, uptime 22h 15min | Uptime=1335min;;


Now you can start adding the REDs to your nagios configuration.

There maybe BUGs, please let me know if you found something unusual or if it doesn't work.

I hope this is helpful for other people, if you have questions feel free to ask!

Regards,
Cobotec GmbH

Mario Techel

Version 1.1:
- minor bugfixes, changed default value for StrictHostKeyChecking to no


This thread was automatically locked due to age.
check_asg_red_state_v1.1.zip
  • Hi,

    Very new to nagios core and I was able to successfully connect to the UTM and get the status of the Reds.  My problem is when services is defined in nagios, it gives a error of -

    connect to firewall (CAL) failed
    RED STATE CRITICAL - Failed to connect to host

    here's my service definition:

    define service {
        use                     generic-service                                     
        host_name               CAL RED50                                     
        service_description     check_utm_red_state                                           
        check_command           check_utm_red_state! -H 192.xxx.xxx.xxx -R A340xxxxxxxxxx       
        normal_check_interval   5                                                      
        retry_check_interval    1                                                      
        }

     

    Any help will be greatly appreciated. Thanks

  • Hi Chris,

    is your nagios service running under another account?

    If you run the command with a -v for verbose you may get a better error description

    I'm not sure if the hostname is allowed to have a space in it.

     

  • Daniel,

    I just realized that sending an ssh command from nagios server to sophos using ssh nagios@192.168.xxx.xxx will ask for a password.  But again, sending a command ./check_red_utm_state -H 192.168.xxx.xxx -R Axxxxxx (red serial number) gives me the correct result.  I suspect that problem is coming from the username.  When I use loginuser as user, sophos does not ask for password.

    Any Idea?

  • Hi,

    Yes that is be your problem.

    The firewall only allows the use of username loginuser. That username is hard coded in the check.

    But if you do run the check if your are login as nagios?

    In the user context of the nagios user the check must run without asking you for the password and this "nagios#> ssh loginuser@192.168.xxx.xxx " too.

    You can witch to the nagios user context with a "su - nagios" if your are root.

  • thanks for the explanation

    i had UTM 9 with Nagios system, but after switching to the XG nagios is not detecting the REDs

    the configuration migrated with conversion tool from the UTM to the XG so am not sure if i have the nagios config moved or not

    i already generated the pub key from nagios but not sure where to add it

     

     

    thanks

  • Hello leo,

    the check only works with the UTM/SG software. The XG software is completely different.

    If you only switch the hardware from SG model to XG model with the UTM software it works.

     

    If enough interest exists I'll try to have a look and get a new check for the XG OS 18.x versions.

  • thanks for reply!

    so i had UTM software and i switched to XG hardware..

     

    i was able to generate the key from Nagios for passwordless access but i dont know where to use it in the XG...my XG is XG230 (SFOS 17.5.5 MR-5)

     

    best

  • Hello Daniel,

     

    it could be usefull for all the Community to have this check working also with XG, can we help you with this development?

     

    Please let me know

    thanks

    Riccardo