Netsaint Improved Statd (kstatd)
--------------------------------

This package is a modification of Nick Reinking's (nick.reinking@supervalu.com)
netsaint_statd v2.11 with the following modifications:

- 3DES encryption
- inetd startup and tcp wrappers support
- thresholds for service checks set on the Netsaint server side instead of
  the client side
- changing of thresholds doesn't require Netsaint to be restarted
- some functional changes to the different checks, and removal of certain
  ones I felt were not useful

Much of the 3DES code was taken from Adam Jacob's (adam@cybertrails.com)
nrpep v0.2. Both netsaint_statd and nrpep had useful features that I thought
could be combined and improved upon, and this is the reason why I made these
modifications.

How it Works
------------

On each of the machines being monitored, netsaint_kstatd is installed and set
up to run via inetd on TCP port 1040 and secured with tcp wrappers. It is
further secured by defining a key that is used for communication with that
host; this key is used in the 3DES encryption algorithm. Any host connecting
to the server without the correct key is silently disconnected. Keys for
every host should be different, and they are stored locally on the Netsaint
server in a similar way to how radius client secrets are used.

The netsaint_kstatd program is a server that accepts commands issued from the
client check programs, which are run on the Netsaint server. The thresholds
for each service (warning/critical) are set on the Netsaint server side in an
external configuration file (by default, hostconfig.txt), so changes to these
thresholds do not require modifications on the monitored hosts. Also, since
each check reads the local configuration file at startup, changing thresholds
does not require restarting Netsaint.

Setup
-----

On the Netsaint server and client machines, Perl and the Crypt::TripleDES
module need to be installed. Get the module from CPAN.
Client Setup
------------

On each machine being monitored, install netsaint_kstatd as follows. The
following assumes you will use tcp wrappers installed in /usr/sbin/tcpd.

1. Create a netsaint group, and a netsaint user whose primary group is
   netsaint. Set this user's shell to '/bin/false' and home directory to
   '/dev/null'.

2. Copy netsaint_kstatd to /usr/local/scripts/netsaint/netsaint_kstatd.

3. chown -R netsaint:netsaint /usr/local/scripts/netsaint

4. chmod -R 700 /usr/local/scripts/netsaint

5. Add an entry to /etc/services:

   netsaint_kstatd 1040/tcp

6. Create an entry in inetd.conf to start netsaint_kstatd:

   netsaint_kstatd stream tcp nowait netsaint /usr/sbin/tcpd /usr/local/scripts/netsaint/netsaint_kstatd

7. Modify /etc/hosts.deny to deny all access:

   netsaint_kstatd: ALL@ALL

8. Modify /etc/hosts.allow to allow certain access:

   netsaint_kstatd: ALL@your.netsaint.server

9. Edit /usr/local/scripts/netsaint/netsaint_kstatd and set the key at the
   top of the script. You should use a different, preferably random, key
   for EACH host.

Netsaint Server Setup
---------------------

1. Copy *.pl and *.pm from this archive to /usr/local/netsaint/libexec/ or
   wherever you have installed netsaint plugins. Note that if you are not
   using the default Netsaint installation directories you will have to
   modify the top of ALL of the .pl and .pm files to refer to the right
   locations.

2. Create a /usr/local/netsaint/etc/hostconfig.txt file. See
   example_hostconfig.txt in this archive for the format of this file.
   Again, the path may be different if you are using non-standard netsaint
   directories.

3. Try connecting to a host you've installed netsaint_kstatd on:

   /usr/local/netsaint/libexec/check_load.pl host1.bogus.edu host1.bogus.edu

   I will explain why you need the hostname twice later. But if the above
   does not give you the machine load, stop here and look into what could
   be wrong.
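The client steps above amount to four one-line config fragments plus a per-host key. The script below is an added example, not part of the kstatd package: it generates a random key and writes the fragments (services, inetd.conf, hosts.deny, hosts.allow) into a staging directory so an admin can review them and confirm the deny-all / allow-one-server pattern before merging them into /etc by hand. The install and tcpd paths are the ones the README uses; the choice of a 48-character hex key (24 random bytes, the full 3DES key size) is an assumption of this example, not a documented requirement of netsaint_kstatd, which simply needs a key pasted at the top of the script.

```shell
#!/bin/sh
# Added example (not the kstatd project's own code): stage the client-side
# configuration from the "Client Setup" steps into a scratch directory.
# Assumptions: the install and tcpd paths from the README, and a hex key
# format (an assumption of this example, not something kstatd documents).

KSTATD_PORT=1040
KSTATD_PATH=/usr/local/scripts/netsaint/netsaint_kstatd
TCPD_PATH=/usr/sbin/tcpd

# Generate a random per-host key: 24 bytes from /dev/urandom rendered as
# 48 hex characters. Each monitored host gets its own key.
kstatd_gen_key() {
    od -An -tx1 -N24 /dev/urandom | tr -d ' \n'
}

# Write the config fragments into directory $1 for the Netsaint server
# named in $2. Nothing under /etc is touched.
kstatd_stage_client_config() {
    stage=$1
    server=$2
    mkdir -p "$stage"
    printf 'netsaint_kstatd %s/tcp\n' "$KSTATD_PORT" > "$stage/services"
    printf 'netsaint_kstatd stream tcp nowait netsaint %s %s\n' \
        "$TCPD_PATH" "$KSTATD_PATH" > "$stage/inetd.conf"
    # hosts.deny closes the service to everyone; hosts.allow (consulted
    # first by tcpd) opens it to the single Netsaint server only.
    printf 'netsaint_kstatd: ALL@ALL\n' > "$stage/hosts.deny"
    printf 'netsaint_kstatd: ALL@%s\n' "$server" > "$stage/hosts.allow"
    # The key file is created mode 0600 (umask in a subshell so the caller's
    # umask is untouched); paste it into the top of netsaint_kstatd on the
    # client and record it under the same host name on the Netsaint server.
    ( umask 077; kstatd_gen_key > "$stage/kstatd.key" )
}

# Sanity check of a staged directory. Returns 0 only when the services
# entry is present, hosts.deny still denies all, hosts.allow names exactly
# one source, and the key has the expected 48-hex-character length.
kstatd_verify_stage() {
    stage=$1
    grep -q "^netsaint_kstatd ${KSTATD_PORT}/tcp\$" "$stage/services" || return 1
    grep -q '^netsaint_kstatd: ALL@ALL$' "$stage/hosts.deny" || return 1
    [ "$(grep -c '^netsaint_kstatd: ' "$stage/hosts.allow")" -eq 1 ] || return 1
    key=$(cat "$stage/kstatd.key")
    [ ${#key} -eq 48 ] || return 1
    return 0
}

# Usage: sh stage_kstatd.sh stage ./kstatd-stage your.netsaint.server
if [ "${1:-}" = "stage" ]; then
    dir=${2:-./kstatd-stage}
    kstatd_stage_client_config "$dir" "${3:-your.netsaint.server}" \
        && kstatd_verify_stage "$dir" && echo "staged OK in $dir"
fi
```

The verify step is the part worth keeping around: after the fragments are merged into /etc, re-running the same three greps against /etc/services, /etc/hosts.deny and /etc/hosts.allow catches the common mistake of an allow line that was widened to ALL, which would leave only the key standing between the network and netsaint_kstatd.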
Netsaint Command Configuration
------------------------------

Here is what I added to commands.cfg for Netsaint:

command[check_all_disks_k]=$USER1$/check_all_disks.pl $HOSTADDRESS$ $HOSTNAME$
command[check_load_k]=$USER1$/check_load.pl $HOSTADDRESS$ $HOSTNAME$
command[check_proc_k]=$USER1$/check_named_proc.pl $HOSTADDRESS$ $HOSTNAME$ $ARG1$
command[check_ping_k]=$USER1$/check_ping.pl $HOSTADDRESS$ $HOSTNAME$

You can see above that there are at least 2 arguments passed to the scripts.
The first argument is the IP or FQDN of the machine to make the actual
connection to. The second is the keyname to look up. I have chosen to store
hostnames in the hostconfig.txt file, and this is what I pass as the 2nd
argument. Here is an example of the service definitions I would use:

host[host1.bogus.edu]=host1.bogus.edu;1.2.3.4;;check-host-alive;10;20;24x7;1;1;1;
service[host1.bogus.edu]=PING;0;24x7;3;3;1;dns-admins;20;24x7;1;1;1;;check_ping_k
service[host1.bogus.edu]=DISK;0;24x7;3;5;1;dns-admins;20;24x7;1;1;1;;check_all_disks_k
service[host1.bogus.edu]=CPU;0;24x7;3;5;1;dns-admins;20;24x7;1;1;1;;check_load_k

You can just as easily do:

command[check_load_k]=$USER1$/check_load.pl $HOSTADDRESS$ $HOSTADDRESS$

if you are sure the first argument is the same as the key name. However, in
the above example it means that your keynames would have to be IP addresses.

Note that the actual host connected to can be changed by the 'host=' option
in hostconfig.txt, which basically makes the first argument passed above
unused.

Types of Checks
---------------

check_all_disks.pl
    Checks disk usage of all mount points. By default all mount points
    containing the strings 'floppy' or 'cdrom' are ignored.

check_load.pl
    Checks the load average.

check_named_proc.pl
    Checks whether a process is running. The process name is provided as
    the 3rd argument.

check_ping.pl
    Actually calls the Netsaint-supplied 'check_ping' with configurable
    settings.

Bugs and Suggestions
--------------------

Send them to valankar@bigfoot.com