SNMP
Follow these instructions in order to set up SNMP monitoring and Cacti integration for an SPG/VSP appliance.
Download and install the SNMP MIB
Halon Security provides its own MIB (Management Information Base) file, which defines all possible values that can be obtained through our SNMP service. It extends the standard MIB library with our own enterprise (33234) MIB. The latest version of this MIB file is provided on each appliance. Download it from http://the-appliance-ip-address/download/HALON-MIB.txt (when logged in).
Installation on Linux and Mac OS X
On most Unix/Linux systems, install the MIB file to /usr/share/snmp/mibs/HALON-MIB.txt so that net-snmp (http://www.net-snmp.org/) can find it.
Activate SNMP in your VSP/SPG
On the SNMP tab of the Administration section there are two options for enabling SNMP: either SNMP v1/2c or v3 (which provides cryptographic security, but is not supported by all software).
SNMP v1/2c
Type a community (read-only) and press Save. We choose "public" for this example ("public" is the default "password" for SNMP v1 and 2c).
SNMP v3
Add a new SNMP profile and fill in the necessary values.
* Username: halon
* Password: halon123
* Encryption Key: 123halon
Press "Save as New".
Using Cacti
This section was written, and kindly contributed, by David Brodin, Exalt
This is a technical instruction for using H/OS 2 with Cacti. Prerequisites are knowledge about SNMP and RRD, and of course Cacti. The downloadable template files will be described, as well as information on how to use them, and how they might be enhanced in the future. The templates don't include per-domain statistics, only the global (total) statistic counters. Therefore, Cacti's simplest data fetching technique (Data Input Method) can be used: Get SNMP Data. Even though there is a provided MIB file, it is not required for this method. Cacti sends an SNMP request to the H/OS 2 appliance (an SPG or VSP), which responds with a value. Cacti stores that value in an RRD file, which is read when generating graphs.
The template could be enhanced in the future by using the Data Query (DQ) to fetch indexable information, such as per-domain statistics, or by creating PHP scripts for Cacti's PHP Script Server. The advantage of those methods is that custom indexes may be defined, perhaps based on domain instead of OID.
Preferred usage
Cacti is, strictly speaking, a trend measuring tool, by default fetching data at an interval of five minutes without alarms or other similar features. It is mainly used for analyzing statistics at a given time in the past. There are, however, options to create alarms, for example when measures have been exceeded.
Structure of the Cacti template
The numerical OID is given in the Data Templates (DT), which also specify in which Data Source (DS) in the RRD file the fetched data is to be stored, as well as its type. Put in database terms: which column in which table.
The DT is connected to a Graph Template (GT). The GT specifies which DT and DS are to be shown, and how they should be presented (as well as mathematical calculations on the data, before presentation). The GT is loosely connected to a Host Template (HT), which is a collection of GTs used to create a host-specific setup.
Installation, import and export
This host template (HT) XML file contains the GTs and DTs needed to create simple graphs for an H/OS 2 mail gateway appliance (SPG/VSP). Use Cacti's import function and create your own Device with the correct SNMP arguments. Choose Host Template and Halon Mail Gateway. Save, and return to your device, choose Create Graphs for this Host, check all the GT checkboxes, and finally press Create. Wait for 10-15 minutes, in order for some initial polls to fill the RRD file. Keep in mind that importing overwrites existing data; backup is your friend.
Exporting
When exporting HTs, make them brief. For example, remove GTs such as SNMP - Interface Statistics that have little to do with the mail gateway. One good reason to do so is that the person importing the HT doesn't get as many GTs overwritten by your definition.
Notes
- Since the H/OS SNMP service actually is a simple front end for the backend SOAP process, there might be longer-than-usual delays. Therefore, increase the SNMP timeout to 2000ms.
- The GT Halon Actions has a DS field named Deliver as Spam, which is copied from the MIB. This is simple to change from within Cacti.
Using net-snmp
This example shows you how to browse all values in our HALON-MIB using net-snmp (http://www.net-snmp.org/). All net-snmp commands can use both v1/2c and v3, but they require different authentication, as shown above.
SNMP v1/2c
# snmpwalk -v 1 -c public 10.2.0.30 HALON-MIB::halonMIB
# snmpwalk -v 2c -c public 10.2.0.30 HALON-MIB::halonMIB
# snmpwalk -v 2c -c public udp6:2001::... HALON-MIB::halonMIB
SNMP v3
# snmpwalk -v 3 -u halon -A halon123 -a MD5 -x DES -X 123halon -l authPriv 10.2.0.30 HALON-MIB::halonMIB
Retrieve a single value
This example will retrieve the current configuration revision. To find out which value to fetch, use the snmpwalk command in the previous example.
Configuration revision
# snmpget -v 1 -c public -O qv 10.2.0.30 HALON-MIB::configurationRevision.0
Note: "-O qv" prints only the value, which is good for scripts etc.
Show values in a table
SNMP supports displaying multiple values as a table. Below are a few examples.
Current license
# snmptable -v 1 -c public 10.2.0.30 HALON-MIB::halonMIB.halonsecurityProducts.system.licenseTable
Expected output:
SNMP table: HALON-MIB::licenseTable
licenseDescription licenseExpiration licenseQuantity
"rpd" 292:14:54:46.00 1
"rpdav" 292:14:54:46.00 1
"users" 0:0:00:00.00 -1
"clamav" 292:14:54:46.00 1
"kaspersky" 292:14:54:46.00 1
"operation" 364:23:54:20.00 1
"commercial" 292:14:54:46.00 1
"globalview" 292:14:54:46.00 1
"softwareupdate" 292:14:54:46.00 1
"accept-any-domain" 0:0:00:00.00 1
"outgoing-mx-transports" 0:0:00:00.00 1
"external-network-storage" 0:0:00:00.00 1
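The following shell function is an added example, not part of Halon's documentation: it parses licenseTable output like the one above and lists licenses that are about to lapse, so an expiring filter license (for example "clamav" or "kaspersky") is noticed before it stops working. The function names are hypothetical, and it assumes that licenseExpiration is the time remaining and that an all-zero value means no expiry is tracked.

```shell
#!/bin/sh
# Added example: flag Halon licenses that are close to expiry.

# Sample input: the licenseTable output shown on this page, embedded so the
# script runs offline.
sample_license_table() {
    cat <<'EOF'
SNMP table: HALON-MIB::licenseTable
licenseDescription licenseExpiration licenseQuantity
"rpd" 292:14:54:46.00 1
"rpdav" 292:14:54:46.00 1
"users" 0:0:00:00.00 -1
"clamav" 292:14:54:46.00 1
"kaspersky" 292:14:54:46.00 1
"operation" 364:23:54:20.00 1
"commercial" 292:14:54:46.00 1
"globalview" 292:14:54:46.00 1
"softwareupdate" 292:14:54:46.00 1
"accept-any-domain" 0:0:00:00.00 1
"outgoing-mx-transports" 0:0:00:00.00 1
"external-network-storage" 0:0:00:00.00 1
EOF
}

# Reads snmptable output on stdin and prints "name days" for each license
# with fewer than $1 whole days left.
# Assumptions: licenseExpiration is the time remaining (days:h:m:s.cc), and
# an all-zero value means no expiry is tracked for that row.
licenses_expiring_within() {
    awk -v limit="$1" '
        # Data rows only: quoted description, then a days:h:m:s.cc value.
        $1 ~ /^".*"$/ && $2 ~ /^[0-9]+:[0-9]+:[0-9]+:[0-9]+\.[0-9]+$/ {
            split($2, t, ":")
            secs = t[1] * 86400 + t[2] * 3600 + t[3] * 60 + t[4]
            if (secs == 0) next
            if (t[1] + 0 < limit + 0) {
                name = $1
                gsub(/"/, "", name)
                print name, t[1]
            }
        }'
}

# Offline demonstration on the embedded sample.
sample_license_table | licenses_expiring_within 300
# Live use pipes the snmptable command from this page into the function:
#   snmptable -v 1 -c public 10.2.0.30 \
#     HALON-MIB::halonMIB.halonsecurityProducts.system.licenseTable \
#     | licenses_expiring_within 30
```

Run from cron, a non-empty result can be mailed to the administrator; descriptions containing spaces would need a different field separator than the default whitespace split used here.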
Mail Statistics
# snmptable -v 1 -c public 10.2.0.30 HALON-MIB::halonMIB.halonsecurityProducts.mailGateway.domainStatisticsTable
