Linux:HowtocreateanewMRTGgraphin8steps

[CCtoDormMRTG]GeaSuanLinonFlickr,23Sep05. ThispostisforpeoplelikemewhohavehadlimitedexperiencewithMRTG(akaMultiRouterTraffic Grapher),andwerestrugglingtoconfigureitfortrafficanalysis.Itsalsoformyself,ifIeverforgethowtodo it. Note:configure,notsetupfromscratch.Setupinstructionscanbefoundhereonaguidewrittenby sylvain.maurin@isc.cnrs.fr,orattheMRTGImplementationManualbyFlorinPrunoiu. (ImusingDebiandistribution2.4.18bf2.4FYI.)

#1Usecfgmakertocreatea.cfgfileforyourdevice YoushouldhaveyourdevicesIPaddress(123.123.123.123)andtheSNMPcommunityname (SNMPnewdevice)atthispoint.Mineoutputstoafilecallednewdevice.cfg. cfgmaker SNMPnewdevice@123.123.123.123 --global "WorkDir: /var/www/mrtg/newdevice" --output /etc/mrtg/newdevice.cfg *Theabovecommandisonesingleline. **/var/www/mrtgiswheremyMRTGpageis,youshouldedititaccordingly. ***/etc/mrtgiswheremyMRTG.cfgfilesare. #2Tidyupthe.cfgfile Edityour.cfgfileandremoveanyinterfacesyoumightnotwanttomonitor;use#tocommentthemout. vi /etc/mrtg/newdevice.cfg Checkoutthewikionviifyourenewtoit. #3Beorganised:createdthenewworkdirectory YoucanseethatwespecifiedaWorkDirinstep#1,andnowweneedtocreateit.Thiswillholdallthegraphs forthenewdevice. mkdir /var/www/mrtg/

#4Useindexmakertocreatetheindexpageforyourgraphs /usr/bin/indexmaker --output /var/www/mrtg/newdevice/index.html /etc/mrtg/newdevice.cfg *Theabovecommandisonesingleline. Thisgeneratesthepageindex.html.

#5Populatethegraphsforthefirsttime cd /var/www/mrtg/newdevice mrtg /etc/mrtg/newdevice.cfg ThisgeneratesthegraphsandthenicelittleMRTGbanneratthebottom. #6Tidyupyourindexpage Addneededinformatione.g.thename/IPoftheinterface,whereitspointingto. vi /var/www/mrtg/newdevice/index.html

#7Addajobtoyourcrontabtoregeneratethegraphsevery5minutes vi /etc/cron.d/mrtg 0-55/5 * * * * root if [ -x /usr/bin/mrtg ] && [ -r /etc/mrtg/newdevice.cfg ]; then env LANG=C /usr/bin/mrtg /etc/mrtg/newdevice.cfg >> /var/log/mrtg/mrtg.log 2>&1; fi *MyMRTGcronisin/etc/cron.d,soedityoursaccordingly. **Thisisveryimportant:MAKESUREthesecondcommandremainsasonesinglelinewhenyouenterit; copypastesometimesbreaksthelineintotwo,andthiseffectivelyrendersthecronfromworking.Andworst, itsthenextthingtobeinginvisible.Ittookmeagoodhalfhourtofindtheerror(ThankstoShaolinTigers postonWindowSecurity.com). #8Restartyourcron /etc/init.d/cron restart Andthatsall,weredone!Feelfreetoleaveanycommentsorsuggestionsthatyoumighthaveonimproving thisarticle. ~ Additionaltip: Ifyouwanttomakeyourgraphstimelinegofromrighttoleft,dothis: vi /etc/mrg/newdevice.cfg Addthissectionofcodeatthetop,below###GlobalDefaults Options[_]: growright Optional:Addthistoallowthevaluestobeconvertedintomegabitsautomatically: Options[_]: bits Tomakeitgofromlefttoright,addthisinstead: Options[_]: growright, bits Remembertouse#tocommentouttheotherOptions!

RPMNRTG

Step#1:Makesuresnmpserverinstalled
PleasenotethatsnmpdconfigurationdoesnotrequireusingmrtgwithremotenetworkdevicessuchasRouters andswitches.Ifyoujustwantmrtggraphsforrouterorswitchthenpleaserefertostep#4(asallthesedevices comespreconfiguredwithsnmpdsoftware). Runrpmcommandsqueryoptiontofindoutsnmpserverinstalledornot:
# rpm -qa | grep snmp

Ifsnmpinstalledthenpleasereferstep#2;otherwisesnmpserverandutilswerenotpresentandyourneedto installthemusingfollowingsteps(loginasarootuser): (a)Visitrpmfind.nettogetsnmpserverandutilitiesrpms.Ifyouarefedorauserthenuseyumcommandas followstoinstallit:

# yum install net-snmp-utils net-snmp

(b)IfyouareRHELsubscriberthenuseup2datecommandasfollowstoinstall:
#up2date -v -i net-snmp-utils net-snmp

Step#2:Determineifsnmpserverisrunningornot
Run'ps'commandtoseeifsnmpserverisrunningornot:
# ps -aux | grep snmp

Output:
root 5512 0.0 2.3 5872 3012 pts/0 S 22:04 0:00 /usr/sbin/snmpd

Alternatively,youcantryanyofthefollowingtwocommandsaswell:
# lsof -i :199

Output:
COMMAND PID USER snmpd 5512 root FD 4u TYPE DEVICE SIZE NODE NAME IPv4 34432 TCP *:smux (LISTEN)

ORtryoutnetstatcommand:
# netstat -natv | grep ':199'

Output:
tcp 0 0 0.0.0.0:199 0.0.0.0:* LISTEN

Ifyoufoundserviceisrunningorlistingonport199thenpleaseseestep#3;otherwisestartserviceusing followingcommand:
# service snmpd start

Makesuresnmpdservicestartsautomatically,whenlinuxcomesus(addsnmpdservice):
# chkconfig --add snmpd

Step#3:Makesuresnmpserverconfiguredproperly
Runsnmpwalkutilitytorequestfortreeofinformationaboutnetworkentity.Insimplewordsquerysnmp serverforyourIPaddress(assignedtoeth0,eth1,loetc):
# snmpwalk -v 1 -c public localhost IP-MIB::ipAdEntIfIndex ip.ipAddrTable.ipAddrEntry.ipAdEntIfIndex.127.0.0.1 = 1 ip.ipAddrTable.ipAddrEntry.ipAdEntIfIndex.192.168.0.3 = 2

IfyoucanseeyourIPaddressthenpleaseproceedtostep4;elseitisatimetoconfiguresnmpserveras follows(bydefaultRHELandRH8/9arenotconfiguredforsnmpserverforsecurityreason):

ConfigureSNMP
(1)Editfile/etc/snmp/snmpd.confusingtexteditor:
# vi /etc/snmp/snmpd.conf

Change/Modifyline(s)asfollows: FindfollowingLine:
com2sec notConfigUser default public

Replacewith(makesureyoureplace192.168.0.0/24replacewithyournetworkIPs)followinglines:
com2sec local localhost com2sec mynetwork 192.168.0.0/24 public public

Scrolldownbitandchange: FindLines:
group group notConfigGroup v1 notConfigGroup v2c notConfigUser notConfigUser

Replacewith:
group group group group group group MyRWGroup MyRWGroup MyRWGroup MyROGroup MyROGroup MyROGroup v1 v2c usm v1 v2c usm local local local mynetwork mynetwork mynetwork

Againscrolldownbitandlocatefollowingline: Findline:
view systemview included system

Replacewith:
view all included .1 80

Againscrolldownbitandchange: Findline:
access notConfigGroup "" any noauth exact systemview none none

Replacewith:
access MyROGroup "" access MyRWGroup "" any any noauth noauth exact exact all all none all none none

Scrolldownbitandchange: Findlines:
syslocation Unknown (edit /etc/snmp/snmpd.conf) syscontact Root (configure /etc/snmp/snmp.local.conf)

Replacewith(makesureyousupplyappropriatevalues):
syslocation Linux (RH3_UP2), Home Linux Router. syscontact Vivek G Gite <vivek@nixcraft.com>

Foryourconvenient,hereismy/etc/snmp/snmpd.conffile.Feelfreetousethisfile.Makesureyoumake backupofyourexistingfileifyouusethisfileasitis. Startyoursnmpserverandtestit: (a)Makesurewhenlinuxcomesupsnmpdalwaysstarts:

# chkconfig snmpd on

(b)MakesureservicestartwheneverLinuxcomesup(afterreboot):
# service snmpd start

(c)Finallytestyoursnmpserver:
# snmpwalk -v 1 -c public localhost IP-MIB::ipAdEntIfIndex

Step#4:Installmrtgifnotinstalled
Mrtgsoftwaremayinstallduringinitialinstallation;youcanverifyifMRTGinstalledornotwithfollowing RPMcommand:
rpm -qa | grep mrtg

Ifmrtgalreadyinstalledpleaseseestep#5;elseuserpmfind.nettofindMRTGrpmorup2datecommandto installMRTGsoftware:
# up2date -v -i mrtg

FedoraLinuxusercanuseyumcommandasfollowstoinstallMRTG:
# yum install mrtg

Step#5:CommandstoConfiguremrtg
(a)Createdocumentroottostoremrtggraphs/htmlpages:
# mkdir -p /var/www/html/mymrtg/

(b)Runanyoneofthefollowingcfgmakercommandtocreatemrtgconfigurationfile:
#cfgmaker --global 'WorkDir: /var/www/html/mymrtg' --output /etc/mrtg/mymrtg.cfg public@localhost

OR(makesureyourFQDNresolves,infollowingexamplei'musingrh9.test.comwhichismyrouterFQDN address)
# cfgmaker --global 'WorkDir: /var/www/html/mymrtg' --output /etc/mrtg/mymrtg1.cfg public@rh9.test.com

(c)CreatedefaultindexpageforyourMRTGconfiguration:
# indexmaker --output=/var/www/html/mymrtg/index.html /etc/mrtg/mymrtg.cfg

(d)Copyalltinypngfilestoyourmrtgpath:
# cp -av /var/www/html/mrtg/*.png /var/www/html/mymrtg/

Step#6Firsttestrunofmrtg
(a)Runmrtgcommandfromcommandlinewithyourconfigurationfile:
# mrtg /etc/mrtg/mymrtg.cfg

Note:Youmaygetfewwarningmessageforfirsttime;ignorethem. (b)Fireyourfavoritewebbrowser(likeFireFox:D)andtypeurlhttp://www.your.com/mymrtg/orhttp://your ip/mymrtg/

Step#7Createcrontabentrysothatmrtggraph/imagesgetgeneratedevery5minutes
(a)Loginasarootuserorloginasamrtguserandtypefollowingcommand:
# crontab -e

(b)Addmrtgcronjobentrytoconfigurationfile(appendfollowinglinetoit):
*/5 * * * * /usr/bin/mrtg /etc/mrtg/mymrtg.cfg --logging /var/log/mrtg.log

SavefileandyouaredonewithMRTGconfigissues:)

Step#8Blockports161&162atfirewall
Youdonotwanttogiveaccesstoeveryonetoyoursnmpserverforsecurityreasons.SNMPserverusesUDP 161,162portsforcommunication.UseLinuxIPTABLESfirewalltorestrictaccesstoSNMPserver (a)AllowoutgoingSNMPserverrequestfromyourLinuxcomputer.Thisisusefulwhenyouqueryremote host/router(replaceSERVERIOwithyourrealIP):

SERVER="xxx.xxx.xxx.xxx" iptables -A OUTPUT -p udp -s $SERVER --sport 1024:65535 -d 0/0 --dport 161:162 -m state --state NEW,ESTABLISHED -j ACCEPT iptables -A INPUT -p udp -s 0/0 --sport 161:162 -d $SERVER --dport 1024:65535 -m state --state ESTABLISHED -j ACCEPT

(b )Allow incoming SNMP client request via iptables. This is useful when you wish to accept queries for rest of the world (replace SERVER IP with your real IP): SERVER="xxx.xxx.xxx.xxx" iptables -A INPUT -p udp -s 0/0 --sport 1024:65535 -d $SERVER --dport 161:162 -m state --state NEW,ESTABLISHED -j ACCEPT iptables -A OUTPUT -p udp -s $SERVER --sport 161:162 -d 0/0 --dport 1024:65535 -m state --state ESTABLISHED -j ACCEPT Pleae note that above two are just SNMP specific iptables rules. Please consult iptables(8) man page for complete information on iptables

Step#9Optional:ProtectyourMRTGgraphs/htmlpageswithpasswordprotected directory
Onceagain,youwouldliketorestrictaccesstoyourMRTGreports.Thiscaneasilyaccomplishedwith Apachewebserver's.htaccessfile.Ifyouareonwebhostingserverwithcontrolpanel(suchasensimorplesk) thenyoucanusecontrolpanelitselftocreatepasswordprotecteddirectory. Belowisprocessoutlinedtoprotectgraphsusingapache's.htaccessfileandhtpasswdcommand: Step#1:Create.htaccessfilein/var/www/html/mymrtg/directory(addtextasfollows):
vi /var/www/html/mymrtg/.htaccess

Addfollowingtexttofile:
AuthName "MRTG Graphs/Html restricted access" AuthType Basic AuthUserFile /var/members/.htpasswd require user mrtgadmin

Step#2:Createauserandpasswordname(cassumesfirsttimeyouareusing.htpasswdfile):
# htpasswd -c /var/members/.htpasswd mrtgadmin