Linux: How To Create A New MRTG Graph in 8 Steps
#1 Use cfgmaker to create a .cfg file for your device
You should have your device's IP address (123.123.123.123) and the SNMP community name (SNMPnewdevice) at this point. Mine outputs to a file called newdevice.cfg.
cfgmaker SNMPnewdevice@123.123.123.123 --global "WorkDir: /var/www/mrtg/newdevice" --output /etc/mrtg/newdevice.cfg
* The above command is one single line.
** /var/www/mrtg is where my MRTG page is; you should edit it accordingly.
*** /etc/mrtg is where my MRTG .cfg files are.

#2 Tidy up the .cfg file
Edit your .cfg file and remove any interfaces you might not want to monitor; use # to comment them out.
vi /etc/mrtg/newdevice.cfg
Check out the wiki on vi if you're new to it.

#3 Be organised: create the new work directory
You can see that we specified a WorkDir in step #1, and now we need to create it. This will hold all the graphs for the new device.
mkdir /var/www/mrtg/
#7 Add a job to your crontab to regenerate the graphs every 5 minutes
vi /etc/cron.d/mrtg
0-55/5 * * * * root if [ -x /usr/bin/mrtg ] && [ -r /etc/mrtg/newdevice.cfg ]; then env LANG=C /usr/bin/mrtg /etc/mrtg/newdevice.cfg >> /var/log/mrtg/mrtg.log 2>&1; fi
* My MRTG cron is in /etc/cron.d, so edit yours accordingly.
** This is very important: MAKE SURE the second command remains as one single line when you enter it; copy-paste sometimes breaks the line into two, and this effectively stops the cron from working. And worse, it's the next thing to being invisible. It took me a good half hour to find the error (thanks to ShaolinTiger's post on WindowSecurity.com).

#8 Restart your cron
/etc/init.d/cron restart
And that's all, we're done! Feel free to leave any comments or suggestions that you might have on improving this article.
~
Additional tip:
If you want to make your graphs' timeline go from right to left, do this:
vi /etc/mrtg/newdevice.cfg
Add this section of code at the top, below ### Global Defaults
Options[_]: growright
Optional: Add this to allow the values to be converted into megabits automatically:
Options[_]: bits
To make it go from left to right, add this instead:
Options[_]: growright, bits
Remember to use # to comment out the other Options!
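The broken-line failure described in step #7 can be caught before cron is restarted. The following is an added example, not part of the original article: a shell function that reads an /etc/cron.d style file on stdin and reports lines that look like the head or tail of a split entry. The function names and the two sample inputs are constructed for this illustration.

```shell
#!/bin/sh
# check_cron_d: read an /etc/cron.d style file on stdin and report entries
# that look like one job split across two lines. Returns 1 if any are found.
check_cron_d() {
  bad=0 n=0
  # Five numeric time fields, a user name, then the start of a command.
  # (Month/day names and @reboot-style shortcuts are not handled here.)
  entry='^[[:space:]]*([0-9*,/-]+[[:space:]]+){5}[A-Za-z_][A-Za-z0-9_-]*[[:space:]]+[^[:space:]]'
  while IFS= read -r line || [ -n "$line" ]; do
    n=$((n + 1))
    # Skip blank lines, comments and NAME=value environment settings.
    printf '%s\n' "$line" |
      grep -Eq '^[[:space:]]*(#|$|[A-Za-z_][A-Za-z0-9_]*[[:space:]]*=)' && continue
    if ! printf '%s\n' "$line" | grep -Eq "$entry"; then
      echo "line $n: no schedule/user/command fields (tail of a broken entry?)"
      bad=1
      continue
    fi
    # Drop the six leading fields, then syntax-check the command with
    # "sh -n", which parses the text without executing it.
    cmd=$(printf '%s\n' "$line" |
      sed -E 's/^[[:space:]]*([^[:space:]]+[[:space:]]+){6}//')
    if ! printf '%s\n' "$cmd" | sh -n 2>/dev/null; then
      echo "line $n: command is incomplete shell syntax (head of a broken entry?)"
      bad=1
    fi
  done
  return "$bad"
}

# Constructed samples: the cron entry from step #7 intact, and the same
# entry split in two after "then", as a bad paste might leave it.
good_entry() {
  printf '%s\n' '0-55/5 * * * * root if [ -x /usr/bin/mrtg ] && [ -r /etc/mrtg/newdevice.cfg ]; then env LANG=C /usr/bin/mrtg /etc/mrtg/newdevice.cfg >> /var/log/mrtg/mrtg.log 2>&1; fi'
}
broken_entry() {
  printf '%s\n' \
    '0-55/5 * * * * root if [ -x /usr/bin/mrtg ] && [ -r /etc/mrtg/newdevice.cfg ]; then' \
    'env LANG=C /usr/bin/mrtg /etc/mrtg/newdevice.cfg >> /var/log/mrtg/mrtg.log 2>&1; fi'
}

broken_entry | check_cron_d || echo "fix the file before restarting cron"
```

On a real system the check would be run as `check_cron_d < /etc/cron.d/mrtg`.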
RPMNRTG
Step #1: Make sure snmp server is installed
Please note that snmpd configuration is not required when using mrtg with remote network devices such as routers and switches. If you just want mrtg graphs for a router or switch then please refer to step #4 (as all these devices come preconfigured with snmpd software).
Run the rpm command's query option to find out whether the snmp server is installed or not:
# rpm -qa | grep snmp
(b) If you are a RHEL subscriber then use the up2date command as follows to install:
# up2date -v -i net-snmp-utils net-snmp
Step #2: Determine if snmp server is running or not
Run the 'ps' command to see if the snmp server is running or not:
# ps -aux | grep snmp
Output:
root 5512 0.0 2.3 5872 3012 pts/0 S 22:04 0:00 /usr/sbin/snmpd
Alternatively, you can try any of the following two commands as well:
# lsof -i :199
Output:
COMMAND PID  USER FD TYPE DEVICE SIZE NODE NAME
snmpd   5512 root 4u IPv4 34432       TCP  *:smux (LISTEN)
OR try out the netstat command:
# netstat -natv | grep ':199'
Output:
tcp 0 0 0.0.0.0:199 0.0.0.0:* LISTEN
If you found the service is running or listening on port 199 then please see step #3; otherwise start the service using the following command:
# service snmpd start
Make sure the snmpd service starts automatically when Linux comes up (add snmpd service):
# chkconfig --add snmpd
Step #3: Make sure snmp server is configured properly
Run the snmpwalk utility to request a tree of information about a network entity. In simple words, query the snmp server for your IP address (assigned to eth0, eth1, lo etc):
# snmpwalk -v 1 -c public localhost IP-MIB::ipAdEntIfIndex
ip.ipAddrTable.ipAddrEntry.ipAdEntIfIndex.127.0.0.1 = 1
ip.ipAddrTable.ipAddrEntry.ipAdEntIfIndex.192.168.0.3 = 2
If you can see your IP address then please proceed to step 4; else it is time to configure the snmp server as follows (by default RHEL and RH 8/9 are not configured for snmp server for security reasons):
Configure SNMP
(1) Edit file /etc/snmp/snmpd.conf using a text editor:
# vi /etc/snmp/snmpd.conf
Change/modify line(s) as follows:
Find the following line:
com2sec notConfigUser default public
Replace with the following lines (make sure you replace 192.168.0.0/24 with your network IPs):
com2sec local     localhost       public
com2sec mynetwork 192.168.0.0/24  public
Scroll down a bit and change:
Find lines:
group notConfigGroup v1  notConfigUser
group notConfigGroup v2c notConfigUser
Replace with:
group MyRWGroup v1  local
group MyRWGroup v2c local
group MyRWGroup usm local
group MyROGroup v1  mynetwork
group MyROGroup v2c mynetwork
group MyROGroup usm mynetwork
Again scroll down a bit and locate the following line:
Find line:
view systemview included system
Replace with:
view all included .1 80
Again scroll down a bit and change:
Find line:
access notConfigGroup "" any noauth exact systemview none none
Replace with:
access MyROGroup "" any noauth exact all none none
access MyRWGroup "" any noauth exact all all  none
Scroll down a bit and change:
Find lines:
syslocation Unknown (edit /etc/snmp/snmpd.conf)
syscontact Root (configure /etc/snmp/snmp.local.conf)
Replace with (make sure you supply appropriate values):
syslocation Linux (RH3_UP2), Home Linux Router.
syscontact Vivek G Gite <vivek@nixcraft.com>
(b) Make sure the service starts whenever Linux comes up (after reboot):
# service snmpd start
(c) Finally test your snmp server:
# snmpwalk -v 1 -c public localhost IP-MIB::ipAdEntIfIndex
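The configuration built in this step keeps the well-known community string public and gives MyRWGroup a write view at the noauth level, so it is worth auditing before the daemon is exposed beyond localhost. The following is an added example, not part of the original tutorial: a shell function that reads snmpd.conf and reports those settings. The function name, the finding labels and the embedded sample (the replacement lines from this step) are constructed for this illustration.

```shell
#!/bin/sh
# audit_snmpd_conf [FILE...]: report risky access-control lines in snmpd.conf
# (reads stdin when no file is given). Name and labels are illustrative.
audit_snmpd_conf() {
  awk '
    NF == 0 || $1 ~ /^#/ { next }            # skip blank lines and comments
    # com2sec NAME SOURCE COMMUNITY
    $1 == "com2sec" {
      if ($4 == "public" || $4 == "private")
        print "WEAK-COMMUNITY: " $2 " uses well-known community " $4
      if ($3 == "default")
        print "OPEN-SOURCE: " $2 " accepts requests from any address"
    }
    # group GROUP MODEL NAME: remember each group member once
    $1 == "group" && !(($2, $4) in seen) {
      seen[$2, $4] = 1
      members[$2] = members[$2] " " $4
    }
    # access GROUP CONTEXT MODEL LEVEL PREFIX READ WRITE NOTIFY
    $1 == "access" && $5 == "noauth" && $8 != "none" { write_view[$2] = $8 }
    END {
      for (g in write_view)
        print "NOAUTH-WRITE: group " g " members:" members[g] " write view " write_view[g]
    }
  ' "$@"
}

# Constructed sample: the replacement lines from this step.
sample_conf() {
  cat <<'EOF'
com2sec local     localhost       public
com2sec mynetwork 192.168.0.0/24  public
group MyRWGroup v1  local
group MyRWGroup v2c local
group MyRWGroup usm local
group MyROGroup v1  mynetwork
group MyROGroup v2c mynetwork
group MyROGroup usm mynetwork
view all included .1 80
access MyROGroup "" any noauth exact all none none
access MyRWGroup "" any noauth exact all all  none
EOF
}

sample_conf | audit_snmpd_conf
```

On a real system the check would be run as `audit_snmpd_conf /etc/snmp/snmpd.conf`; choosing a non-default community string clears the WEAK-COMMUNITY findings.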
Step #4: Install mrtg if not installed
Mrtg software may be installed during initial installation; you can verify whether MRTG is installed or not with the following RPM command:
rpm -qa | grep mrtg
If mrtg is already installed please see step #5; else use rpmfind.net to find the MRTG rpm or the up2date command to install MRTG software:
# up2date -v -i mrtg
Fedora Linux users can use the yum command as follows to install MRTG:
# yum install mrtg
Step #5: Commands to configure mrtg
(a) Create document root to store mrtg graphs/html pages:
# mkdir -p /var/www/html/mymrtg/
(b) Run any one of the following cfgmaker commands to create the mrtg configuration file:
# cfgmaker --global 'WorkDir: /var/www/html/mymrtg' --output /etc/mrtg/mymrtg.cfg public@localhost
OR (make sure your FQDN resolves; in the following example I'm using rh9.test.com, which is my router's FQDN address)
# cfgmaker --global 'WorkDir: /var/www/html/mymrtg' --output /etc/mrtg/mymrtg1.cfg public@rh9.test.com
(c) Create default index page for your MRTG configuration:
# indexmaker --output=/var/www/html/mymrtg/index.html /etc/mrtg/mymrtg.cfg
(d) Copy all tiny png files to your mrtg path:
# cp -av /var/www/html/mrtg/*.png /var/www/html/mymrtg/
Step #6: First test run of mrtg
(a) Run mrtg command from command line with your configuration file:
# mrtg /etc/mrtg/mymrtg.cfg
Step #7: Create crontab entry so that mrtg graph/images get generated every 5 minutes
(a) Login as a root user or login as a mrtg user and type the following command:
# crontab -e
(b) Add mrtg cron job entry to configuration file (append the following line to it):
*/5 * * * * /usr/bin/mrtg /etc/mrtg/mymrtg.cfg --logging /var/log/mrtg.log
Save file and you are done with MRTG config issues :)
Step #8: Block ports 161 & 162 at firewall
You do not want to give access to everyone to your snmp server for security reasons. SNMP server uses UDP 161, 162 ports for communication. Use Linux IPTABLES firewall to restrict access to SNMP server.
(a) Allow outgoing SNMP server request from your Linux computer. This is useful when you query remote host/router (replace SERVER IP with your real IP):
SERVER="xxx.xxx.xxx.xxx"
iptables -A OUTPUT -p udp -s $SERVER --sport 1024:65535 -d 0/0 --dport 161:162 -m state --state NEW,ESTABLISHED -j ACCEPT
iptables -A INPUT -p udp -s 0/0 --sport 161:162 -d $SERVER --dport 1024:65535 -m state --state ESTABLISHED -j ACCEPT
(b) Allow incoming SNMP client request via iptables. This is useful when you wish to accept queries for rest of the world (replace SERVER IP with your real IP):
SERVER="xxx.xxx.xxx.xxx"
iptables -A INPUT -p udp -s 0/0 --sport 1024:65535 -d $SERVER --dport 161:162 -m state --state NEW,ESTABLISHED -j ACCEPT
iptables -A OUTPUT -p udp -s $SERVER --sport 161:162 -d 0/0 --dport 1024:65535 -m state --state ESTABLISHED -j ACCEPT
Please note that the above two are just SNMP-specific iptables rules. Please consult the iptables(8) man page for complete information on iptables.
Step #9: Optional: Protect your MRTG graphs/html pages with password protected directory
Once again, you would like to restrict access to your MRTG reports. This can easily be accomplished with Apache web server's .htaccess file. If you are on a web hosting server with a control panel (such as ensim or plesk) then you can use the control panel itself to create a password protected directory.
Below is the process outlined to protect graphs using apache's .htaccess file and htpasswd command:
Step #1: Create .htaccess file in /var/www/html/mymrtg/ directory (add text as follows):
vi /var/www/html/mymrtg/.htaccess
Add following text to file:
AuthName "MRTG Graphs/Html restricted access"
AuthType Basic
AuthUserFile /var/members/.htpasswd
require user mrtgadmin
Step #2: Create a user and password name (-c assumes first time you are using .htpasswd file):
# htpasswd -c /var/members/.htpasswd mrtgadmin