Integration with SNMP Monitoring Systems

 Top  Previous  Next

Dr.Web SNMP agent can perform functions of a data provider for any monitoring system that uses SNMP protocol version 2c or 3. The list of available data and their structure are provided in a Dr.Web MIB description file called DrWeb-Snmpd.mib, supplied with the product and located in the <opt_dir>/share/drweb-snmpd/mibs directory.

For easy configuration, the component is supplied with templates of settings for popular monitoring systems:

Munin

Nagios

Zabbix

Customization templates for monitoring systems are located in the <opt_dir>/share/drweb-snmpd/connectors directory.

Integration with Munin Monitoring System

The Munin monitoring system includes the central server (master) munin, which collects statistics from clients munin-node residing locally on the monitored hosts. At request of the server, each monitoring client collects data about monitored host operation by starting plug-ins that provide data transferred to the server.

To enable connection between Dr.Web SNMPD and the Munin monitoring system, a ready-to-use plug-in drweb used by munin-node is supplied. The plug-in resides in the <opt_dir>/share/drweb-snmpd/connectors/munin/plugins directory. This plug-in collects data required for construction of the following graphs:

Number of detected threats

File scan statistics

Email messages scan statistics

The plug-in supports SNMP protocols 1, 2c, and 3. Based on this template plug-in, you can create any other plug-ins to poll for the status of Dr.Web for UNIX components via Dr.Web SNMPD. This plug-in represents a set of plug-ins as one plug-in returns data for only one graphic displayed by the system, as it is seen by Munin.

In the <opt_dir>/share/drweb-snmpd/connectors/munin directory, the following files are located.

File

Description

plugins/snmp__drweb_malware

munin-node plug-in for polling Dr.Web SNMPD via SNMP in order to gather number of threats detected by Dr.Web solution on the host.

plugins/snmp__drweb_filecheck

munin-node plug-in for polling Dr.Web SNMPD via SNMP in order to gather statistics of file scanning by Dr.Web solution on the host.

plugins/snmp__drweb_maild_multi

munin-node plug-in for polling Dr.Web SNMPD via SNMP in order to gather statistics of email messages scanning by Dr.Web solution on the host.

Note that this plug-in uses multigraph – an feature of Munin with version above 1.4.

plugin-conf.d/drweb.cfg

Example of munin-node configuration for Dr.Web plug-ins environment variables.

Connecting a host to Munin

In the present instruction, it is assumed that the Munin monitoring system is already deployed on the monitoring server and the monitored host features an installed and functioning Dr.Web SNMPD (it is possible for the component to function in proxy mode together with snmpd) and munin-node.

1.Monitored host configuration

Copy drweb file to the directory with plug-in libraries munin-node (the directory depends on the operating system. In Debian/Ubuntu operating systems, the path is the following: /usr/share/munin/plugins).

Configure munin-node in order to connect to it the supplied Dr.Web plug-ins. To do that, use munin-node-configure utility (the utility is distributed together with munin-node).

For example, the following command

$ munin-node-configure --shell --snmp localhost

outputs to the terminal a list of commands that create the required symbolic links to the plug-ins. Copy the commands and issue them in the command line. Please note that the command above means that:

1)munin-node is installed at the same host where Dr.Web SNMPD installed. If not so, please specify the correct FQDN or IP address of a monitored host instead of localhost value.

2)Dr.Web SNMPD uses SNMP version 2с. If not so, please specify the correct SNMP version in munin-node-configure command. The command has several options (switches) for flexible configuration of plug-ins, e.g., you can specify the SNMP protocol version, port at the monitored host that is listened by SNMP agent, an actual value of the community string, and so on. If required, refer to manual on munin-node-configure command.

If required, define (or re-define) values of munin-node environment variables that are using for installed Dr.Web plug-ins. As the environment variables, the actual port for SNMP agent or community string value can be used. The values of environment variables for Dr.Web plug-ins are specified in the /etc/munin/plugin-conf.d/drweb file (create the file, if required). An example of this file is presented in the supplied file drweb.cfg.

In the munin-node configuration file (munin-node.conf), specify a regular expression to include all IP addresses of hosts that are allowed to connect munin masters to munin-node for receiving the values of monitored parameters, for example:

allow ^10\.20\.30\.40$

In this case, only the IP address 10.20.30.40 is allowed to receive host parameters.

Restart munin-node (for example, by using the service munin-node restart command).

2.Munin server (master) configuration

Add the address and identifier of the monitored host to the Munin configuration file munin.conf, which is located, by default, in /etc directory (in Debian/Ubuntu operating systems: /etc/munin/munin.conf):

[<ID>;<hostname>.<domain>]
address <host IP address>
use_node_name yes

where <ID> is the displayed host’s identifier, <hostname> is the name of the host, <domain> is the name of the domain, <host IP address> is the IP address of the host.

For official documentation on Munin, refer to http://munin.readthedocs.io.

Integration with Zabbix Monitoring System

File templates, required for establishing connection between Dr.Web SNMPD and the Zabbix monitoring system, are located in the <opt_dir>/share/drweb-snmpd/connectors/zabbix directory.

File

Description

zbx_drweb.xml

Template for description of the monitored host that features installed Dr.Web.

snmptt.drweb.zabbix.conf

Configuring the snmptt utility—which is an SNMP traphandler

Template for description of the monitored host features:

Description of counters (“items”, according to the terminology of Zabbix). By default, the template is set to be used with SNMP v2.

The set of predefined graphs: number of scanned files and distribution of detected threats by their type.

Connecting a host to Zabbix

In the present instruction, it is assumed that the Zabbix monitoring system is already deployed on the monitoring server and the monitored host features an installed and functioning Dr.Web SNMPD (it is possible for the component to function in proxy mode together with snmpd). Moreover, if you want to receive SNMP trap notifications from the monitored host (including notification on threats detected by Dr.Web for UNIX on a protected server), install the net-snmp package on the monitoring server (standard tools snmptt and snmptrapd are used).

1.In the Zabbix web interface, on the Configuration –> Templates tab import the template of the monitored host from the <opt_dir>/share/drweb-snmpd/connectors/zabbix/zbx_drweb.xml file.

2.Add the monitored host to the appropriate list (at Hosts –> Create host). Specify correct parameters of the host and settings of the SNMP interface (they must match the settings of drweb-snmpd and snmpd on the host):

The Host tab:

Host name: drweb-host

Visible name: DRWEB_HOST

Groups: select Linux servers

Snmp interfaces: Click add specify the IP address and port are used by Dr.Web SNMPD (it is considered that Dr.Web SNMPD operates on the local host, so the address 127.0.0.1 and the port 161 are specified by default).

The Templates tab:

Click Add, check DRWEB, click select.

The Macros tab:

Macro: {$SNMP_COMMUNITY}

Value: specify “read community” for SNMP V2c (by default, public).

Click Save.

Note: The {$SNMP_COMMUNITY} macro can be specified directly in the host template.

By default, the imported DRWEB template is configured for SNMP v2. If you need to use another version of SNMP, edit the template accordingly on the appropriate page.

3.After the template is bound to the monitored host, if SNMP settings are specified correctly, the Zabbix monitoring system will start to collect data for counters (items) of the template; the collected data will be displayed on the Monitoring –> Latest Data and Monitoring –> Graphs tabs.

4.A special item drweb-traps is used for collecting SNMP trap notifications from Dr.Web SNMPD. The log pf received SNMP trap notifications is available on the Monitoring –> Latest Data –> drweb-trapshistory page. To collect notifications, Zabbix uses standard tools snmptt and snmptrapd from the net-snmp package. For details on how to configure the tools for receiving SNMP trap notifications from Dr.Web SNMPD, see below.

5.If necessary, you can configure a trigger that will change its state upon receiving an SNMP trap notification from Dr.Web SNMPD. Changing of its state can be used as an event source for generation appropriate notifications. The example below shows an expression for configuration of a trigger; the expression is specified in the trigger expression field:

({TRIGGER.VALUE}=0 & {DRWEB:snmptrap[.*\.1\.3\.6\.1\.4\.1\.29690\..*].nodata(60)}=1 )|({TRIGGER.VALUE}=1 & {DRWEB:snmptrap[.*\.1\.3\.6\.1\.4\.1\.29690\..*].nodata(60)}=0)

An event is triggered (the value is set to 1) if the log of SNMP trap notifications from Dr.Web SNMPD was updated within a minute. If the log was not updated within the next minute, the value of the trigger is set to 0 again.

Configuring Receipt of SNMP trap notifications for Zabbix

1.On the monitored host, in Dr.Web SNMPD settings (the TrapReceiver parameter), you should specify an address to be listened by snmptrapd on the host where Zabbix operates, for example:

SNMPD.TrapReceiver = 10.20.30.40:162

2.In the configuration file of snmptrapd (snmptrapd.conf), specify the same address and an application for processing received SNMP trap notifications (in this example, snmptthandler, snmptt component):

snmpTrapdAddr 10.20.30.40:162
traphandle default /usr/sbin/snmptthandler

Add the following string to the file, so that snmptt does not discard SNMP trap sent by Dr.Web SNMPD as unknown:

outputOption n

3.The snmptthandler component saves received SNMP trap notifications to the file on the disk in accordance with the specified format, which corresponds to the regular expression set in the host template for Zabbix (drweb-traps item). The format of the saved notification is specified in the <opt_dir>/share/drweb-snmpd/connectors/zabbix/snmptt.drweb.zabbix.conf. file. The file must be copied to /etc/snmp.

4.Moreover, the path to the format files must be specified in the snmptt.ini file:

[TrapFiles]
# A list of snmptt.conf files (this is NOT the snmptrapd.conf file).
# The COMPLETE path and filename. Ex: '/etc/snmp/snmptt.conf'
snmptt_conf_files = <<END
/etc/snmp/snmptt.conf
/etc/snmp/snmptt.drweb.zabbix.conf
END

After that, restart snmptt if it was started in daemon mode.

5.In the configuration file of the Zabbix server (zabbix-server.conf), specify (or check if they are already specified) the following settings:

SNMPTrapperFile=/var/log/snmptt/snmptt.log
StartSNMPTrapper=1

where /var/log/snmptt/snmptt.log is a log file used by snmptt to register information on received SNMP trap notifications.

For official documentation on Zabbix, refer to https://www.zabbix.com/documentation/.

Integration with Nagios Monitoring System

Files with configuration examples, required for establishing connection between Dr.Web SNMPD and the Nagios monitoring system, are located in the <opt_dir>/share/drweb-snmpd/connectors/nagios directory.

File

Description

nagiosgraph/rrdopts.conf-sample

Example of the RRD configuration file

objects/drweb.cfg

Configuration file describing drweb objects

objects/nagiosgraph.cfg

The configuration file of the component for graph plotting used by Nagiosgraph

plugins/check_drweb

The script for collecting data from the host on which Dr.Web is installed

plugins/eventhandlers/submit_check_result

The script for handling SNMP trap notifications

snmp/snmptt.drweb.nagios.conf

Configuring the snmptt utility—an SNMP traphandler

Connecting a host to Nagios

In the present instruction, it is assumed that the Nagios monitoring system is already deployed on the monitoring server, including configuration of the web server and the graphical tool Nagiosgraph, and the monitored host features an installed and functioning Dr.Web SNMPD (it is possible for the component to function in proxy mode together with snmpd). Moreover, if you want to receive SNMP trap notifications from the monitored host (including notification on threats detected by Dr.Web for UNIX on a protected server), install the net-snmp package on the monitoring server (standard tools snmptt and snmptrapd are used).

In the current manual, the following path conventions are used (real paths depend on the operating system and Nagios installation):

<NAGIOS_PLUGINS_DIR>—directory with Nagiosplug-ins, for example: /usr/lib64/nagios/plugins

<NAGIOS_ETC_DIR>—directory with Nagios settings, for example: /etc/nagios

<NAGIOS_OBJECTS_DIR>—directory with Nagios objects, for example: /etc/nagios/objects

<NAGIOSGRAPH_DIR>Nagiosgraph directory, for example: /usr/local/nagiosgraph

<NAGIOS_PERFDATA_LOG>—file where Nagios records results of service check (must be the same as the perflog file from <NAGIOSGRAPH_DIR>/etc/nagiosgraph.conf). Records from this file are read by the <NAGIOSGRAPH_DIR>/bin/insert.pl script and are recorded to the corresponding RRA archives RRD Tool.

Configuring Nagios:

1.Copy the check_drweb file to the <NAGIOS_PLUGINS_DIR> directory and the drweb.cfg file to the <NAGIOS_OBJECTS_DIR> directory.

2.Add hosts with Dr.Web that are to be monitored to the drweb group. On the hosts Dr.Web SNMPD must be running. By default, only localhost is added to this group.

3.If required, edit the check_drweb command which contains instruction to contact Dr.Web SNMPD on drweb hosts via the snmplwalk tool:

snmpwalk -c public -v 2c $HOSTADDRESS$:161

specify the correct version of SNMP protocol and parameters (such as “community string” or authentication parameters) as well as the port. The $HOSTADDRESS$ variable must be included in the command (as this variable is later automatically substituted by Nagios to the correct host address when the command is invoked). OID is not required in the command. It is also recommended that you specify the command together with the full path to the executable file (usually /usr/local/bin/snmpwalk).

4.Connect DrWeb objects in the <NAGIOS_ETC_DIR>/nagios.cfg configuration file by adding the following string to the file:

cfg_file= <NAGIOS_OBJECTS_DIR>/drweb.cfg

5.Add RRD Tool settings for DrWeb graphics from the rrdopts.conf-sample file to the <NAGIOSGRAPH_DIR>/etc/rrdopts.conf file.

6.If Nagiosgraph is yet to be configured, do the following steps for its configuration:

Copy the nagiosgraph.cfg file to the <NAGIOS_OBJECTS_DIR> directory and edit the path to the insert.pl script in the process-service-perfdata-for-nagiosgraph command; for example, as follows:

$ awk '$1 == "command_line" { $2 = "<NAGIOSGRAPH_DIR>/bin/insert.pl" }{ print }' ./objects/nagiosgraph.cfg > <NAGIOS_OBJECTS_DIR>/nagiosgraph.cfg

Connect this file in the <NAGIOS_ETC_DIR>/nagios.cfg configuration file by adding the following line to it:

cfg_file=<NAGIOS_OBJECTS_DIR>/nagiosgraph.cfg

7.Check values of Nagios parameters in the <NAGIOS_ETC_DIR>/nagios.cfg configuration file:

check_external_commands=1
execute_host_checks=1
accept_passive_host_checks=1
enable_notifications=1
enable_event_handlers=1
 
process_performance_data=1
service_perfdata_file=/usr/nagiosgraph/var/rrd/perfdata.log
service_perfdata_file_template=$LASTSERVICECHECK$||$HOSTNAME$||$SERVICEDESC$||$SERVICEOUTPUT$||$SERVICEPERFDATA$
service_perfdata_file_mode=a
service_perfdata_file_processing_interval=30
service_perfdata_file_processing_command=process-service-perfdata-for-nagiosgraph
 
check_service_freshness=1
enable_flap_detection=1
enable_embedded_perl=1
enable_environment_macros=1

Configuring Receipt of SNMP trap notifications for Nagios

1.On the monitored host in Dr.Web SNMPD settings (the TrapReceiver parameter), specify an address to be listened by snmptrapd on the host where Nagios operates, for example:

SNMPD.TrapReceiver = 10.20.30.40:162

2.Check for existing the <NAGIOS_PLUGINS_DIR>/eventhandlers/submit_check_result script which will be invoked when SNMP trap is received. If the script is missing, copy the submit_check_result file to this location from the <opt_dir>/share/drweb-snmpd/connectors/nagios/plugins/eventhandlers/ directory. In this file, change the path specified in the CommandFile parameter. It must have the same value as the command_file parameter in the <NAGIOS_ETC_DIR>/nagios.cfg file.

3.Copy the snmptt.drweb.nagios.conf file to the /etc/snmp/snmp/ directory. In this file, change the path to the submit_check_result—for example, by using the following command:

$ awk '$1 == "EXEC" { $2 = <NAGIOS_PLUGINS_DIR>/eventhandlers/submit_check_result }{ print}' ./snmp/snmptt.drweb.nagios.conf > /etc/snmp/snmp/snmptt.drweb.nagios.conf

4.Add the “/etc/snmp/snmptt.drweb.nagios.conf” string to the /etc/snmp/snmptt.drweb.nagios.conf file. After that, restart snmptt if it was started in daemon mode.

After all required configuration files of Nagios are added and edited, run Nagios in debug mode by using the following command:

# nagios -v <NAGIOS_ETC_DIR>/nagios.cfg

Upon receipt of this command, Nagios will check for configuration errors. If no error is found, Nagios can be restarted as usual (for example, by using the service nagios restart command).

For official documentation on Nagios, refer to http://www.nagios.org/documentation/.