[75083] in North American Network Operators' Group
Re: Network Monitoring System - Recommendations?
daemon@ATHENA.MIT.EDU (Alexei Roudnev)
Tue Nov 2 01:40:25 2004
From: "Alexei Roudnev" <alex@relcom.net>
To: "J Sparacio" <jay@urbananomaly.com>,
"Joe Shen" <joe_hznm@yahoo.com.sg>
Cc: "Jon Lyons" <jlyons30@yahoo.com>, "Andy Dills" <andy@xecu.net>,
"Charlie Khanna - NextWeb" <charlie@nextweb.net>, <nanog@merit.edu>
Date: Mon, 1 Nov 2004 22:39:46 -0800
Errors-To: owner-nanog-outgoing@merit.edu
This is a multi-part message in MIME format.
------=_NextPart_000_152B_01C4C063.B00995D0
Content-Type: text/plain;
charset="utf-8"
Content-Transfer-Encoding: 7bit
Nagios is one of the best systems (and widely used).
CCR is part of snmpstat (but separate installation tar), see http://snmpstat.sf.net
----- Original Message -----
From: J Sparacio
To: Joe Shen
Cc: Alexei Roudnev ; Jon Lyons ; Andy Dills ; Charlie Khanna - NextWeb ; nanog@merit.edu
Sent: Monday, November 01, 2004 9:54 PM
Subject: Re: Network Monitoring System - Recommendations?
There's a cool one that's open source called Nagios. www.nagios.org. We (local ISP) just started using it network
wide, and it rocks.
On Mon, 2004-11-01 at 20:53, Joe Shen wrote:
Hi,
I googled with "CCR" but it seems nothing useful in 5
pages. Would you please do me a favor to give the URL
of that tool ?
I tried to set up MRTG monitoring Unishpere BRAS 1400
and M160, but I failed with data collection because
wrong OID used ( CPU, mem, tempreture, BW etc ) :-(
regards
--- Alexei Roudnev <alex@relcom.net> wrote:
>
>
>
> > I read document of these tools and find they work
> with
> > Cisco products. But, how about Juniper M160 or
> M320,
> > Unishpere's BRAS products? Where can I find
> Juniper's
> > OID on its tempreture, chassis, CPU, bandwidth ?
> Does
> They use standart MIB2 and a little of Cisco
> specific MIB's. As I already
> said, it is a good tool to view and monitor traffic,
> utilisation, errors,
> and use additional tiool to deep monitor vendor
> specific parameters. We use
> 'snmpstat' to monitor routers, switches, ports and
> interfaces (and bgp) and
> cricket to watch few additional parameters (to
> configure alerts, we use
> aliases and mhonarc mail archives with auto
> expiration - for alerts,
> warnings, reports and audits, and for 'root' and
> 'oracle' e-mail.
>
> > anyone have a running configuration for M160 or
> > Unishpere's BRAS products?
> CCR can work with anything which (1) allow telnet or
> ssh, and (2) can 'write
> net' config (in any syntax).
> You can use encrypted password file (using
> passphrase) if you want. Using
> SNMP was rejected, because it is absolutely
> device-specific, impossible in
> many cases, and we never saw it as a security
> problem, because all devices
> are restricted to allow ssh or telnet from 2 or 3
> servers only, because
> passwords are encrypted, and because automated
> config reading and web access
> aree much more important vs very abstract
> possibility of hacking (in
> reality, problem can come from insiders, not from
> hackers, so no extra
> accounst are allowed on monitoring server).
>
> You can get configuratuion (initialize tftp
> transfer) using some snmp
> (WRITE) variable and pre-configured tftp parameters,
> but it works on a very
> few Cisco devices only.
>
> As I said, CCR uses 3 methods:
> - password file encrypted by public key
> - password file encrypted by 3des passphrase;
> - explicit password.
>
> In all cases, problem is with root user only - root
> can alway decrypt
> password or interseipt web session. User, who have
> permission to edit CCR
> config and know passphrase, can (in theory) see
> passwords as well. Other
> users can not, even if they know passphrase - they
> can only initiate config
> reading.
>
> Network admins do not know enable passwords, if they
> do not need it - they
> use passphrase
>
> To have automated config reading, any of first 2
> methods can be used
> (passphrase must be written into special file, if
> method 2 is used,
> root-only readable). For manual reading, any methgod
> can be used, without
> any file with passphrase.
>
> In reality, it is not serious security problem
> because all devices can be
> accessed from a very few servers only, and because
> we can use 'ssh' instead
> of 'telnet' (CCR can be configured or select
> ssh/telnet automatically). You
> can, in turn, play with security level , but it
> (again) does not work on
> generic case (any cisco device) and is very tricky.
>
> For Juniper or other device - you can try to program
> 'expect' script, or use
> 'snmp' initiated transfer - all other things will
> work.
>
>
>
> >
> > On configuration bankup, rancid use telnet (ssh).
> But,
> > I take this a not-secure methode as it has to code
> > password in login script. Is there any tool to get
> > configuration file from read-only SNMP cumminity?
> >
> >
> > Joe
> >
> >
> >
> > --- Jon Lyons <jlyons30@yahoo.com> wrote:
> > >
> > >
> > > Checkout http://perfparse.sourceforge.net/ lets
> you
> > > graph the data from the nagios plugins...
> > >
> > > --- Alexei Roudnev <alex@relcom.net> wrote:
> > >
> > > >
> > > > I generated config for 'snmpstatd'
> automatically,
> > > > from user;'s database (it
> > > > was simple; all I need was Router, Interface,
> > > > User-name, number for this
> > > > user, priority).
> > > >
> > > > For automated config backups, I use CCR (fully
> web
> > > > based Cisco
> > > > configuration -> CVS system).
> > > >
> > > >
> > > > ----- Original Message -----
> > > > From: "Andy Dills" <andy@xecu.net>
> > > > To: "Charlie Khanna - NextWeb"
> > > <charlie@nextweb.net>
> > > > Cc: <nanog@merit.edu>
> > > > Sent: Thursday, October 28, 2004 11:46 AM
> > > > Subject: Re: Network Monitoring System -
> > > > Recommendations?
> > > >
> > > >
> > > > >
> > > > > On Thu, 28 Oct 2004, Charlie Khanna -
> NextWeb
> > > > wrote:
> > > > >
> > > > > > Hi - I was interested in finding out what
> > > > software applications other
> > > > ISPs
> > > > > > are using for network monitoring? For
> > > example:
> > > > > >
> > > > > >
> > > > > >
> > > > > > 1) Overall network health - uptime
> > > reports
> > > > >
> > > > > http://www.nagios.org
> > > > >
> > > > > > 2) Backup router config
> automatically
> > > > >
> > > > > http://www.shrubbery.net/rancid/
> > > > >
> > > > > > 3) Bandwidth reporting (or
> integration
> > > > with an MRTG-type app)
> > > > >
> > > > > http://cricket.sourceforge.net/
> > > > >
> > > > > > 4) SNMP trap support (BGP/OSPF
> session
> > > > drops - emails out)
> > > > >
> > > > > http://www.snmptt.org/
> > > > > http://www.nagios.org
> > > > >
> > > > > > 5) Database back end (port info into
> or
> > > > over to other apps)
> > > > > >
> > > > > > I'm just looking for something well
> rounded
> > > for
> > > > a small ISP. I've heard
> > > > > > about OpenNMS and other apps but I'd like
> to
> > > get
> > > > everyone's feedback.
> > > > > > Thanks!
> > > > >
> > > > > Nothing all in one place, that I'm aware of.
> But
> > > > with a little work, you
> > > > > could probably integrate it all into nagios.
> > > After
> > > > all, you can make the
> > > > > host names or descriptions URLs that link to
> > > > bandwidth and error graphs or
> > > > > other tools.
> > > > >
> > > > > Andy
> > > > >
> > > > > ---
> > > > > Andy Dills
> > > > > Xecunet, Inc.
> > > > > www.xecu.net
> > > > > 301-682-9972
> > > > > ---
> > > >
> > > >
> > >
> > >
> > >
> > >
> > > __________________________________
> > > Do you Yahoo!?
> > > Yahoo! Mail Address AutoComplete - You start. We
> > > finish.
> > > http://promotions.yahoo.com/new_mail
> > >
> >
> > __________________________________________________
> > Do You Yahoo!?
> > Log on to Messenger with your mobile phone!
> > http://sg.messenger.yahoo.com
>
>
__________________________________________________
Do You Yahoo!?
Log on to Messenger with your mobile phone!
http://sg.messenger.yahoo.com
------=_NextPart_000_152B_01C4C063.B00995D0
Content-Type: text/html;
charset="utf-8"
Content-Transfer-Encoding: quoted-printable
=EF=BB=BF<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN">
<HTML><HEAD>
<META http-equiv=3DContent-Type content=3D"text/html; CHARSET=3DUTF-8">
<META content=3D"MSHTML 6.00.2800.1458" name=3DGENERATOR>
<STYLE></STYLE>
</HEAD>
<BODY bgColor=3D#ffffff>
<DIV><FONT size=3D2>Nagios is one of the best systems (and widely=20
used).</FONT></DIV>
<DIV><FONT size=3D2></FONT> </DIV>
<DIV><FONT size=3D2>CCR is part of snmpstat (but separate installation =
tar), see=20
<A =
href=3D"http://snmpstat.sf.net">http://snmpstat.sf.net</A></FONT></DIV>
<DIV><FONT size=3D2></FONT> </DIV>
<DIV><FONT size=3D2></FONT> </DIV>
<BLOCKQUOTE dir=3Dltr=20
style=3D"PADDING-RIGHT: 0px; PADDING-LEFT: 5px; MARGIN-LEFT: 5px; =
BORDER-LEFT: #000000 2px solid; MARGIN-RIGHT: 0px">
<DIV style=3D"FONT: 10pt arial">----- Original Message ----- </DIV>
<DIV=20
style=3D"BACKGROUND: #e4e4e4; FONT: 10pt arial; font-color: =
black"><B>From:</B>=20
<A title=3Djay@urbananomaly.com href=3D"mailto:jay@urbananomaly.com">J =
Sparacio</A> </DIV>
<DIV style=3D"FONT: 10pt arial"><B>To:</B> <A =
title=3Djoe_hznm@yahoo.com.sg=20
href=3D"mailto:joe_hznm@yahoo.com.sg">Joe Shen</A> </DIV>
<DIV style=3D"FONT: 10pt arial"><B>Cc:</B> <A title=3Dalex@relcom.net=20
href=3D"mailto:alex@relcom.net">Alexei Roudnev</A> ; <A =
title=3Djlyons30@yahoo.com=20
href=3D"mailto:jlyons30@yahoo.com">Jon Lyons</A> ; <A =
title=3Dandy@xecu.net=20
href=3D"mailto:andy@xecu.net">Andy Dills</A> ; <A =
title=3Dcharlie@nextweb.net=20
href=3D"mailto:charlie@nextweb.net">Charlie Khanna - NextWeb</A> ; <A=20
title=3Dnanog@merit.edu =
href=3D"mailto:nanog@merit.edu">nanog@merit.edu</A> </DIV>
<DIV style=3D"FONT: 10pt arial"><B>Sent:</B> Monday, November 01, 2004 =
9:54=20
PM</DIV>
<DIV style=3D"FONT: 10pt arial"><B>Subject:</B> Re: Network Monitoring =
System -=20
Recommendations?</DIV>
<DIV><BR></DIV>There's a cool one that's open source called Nagios. <A =
href=3D"http://www.nagios.org">www.nagios.org</A>. We (local =
ISP) just=20
started using it network wide, and it rocks.<BR><BR>On Mon, 2004-11-01 =
at=20
20:53, Joe Shen wrote:=20
<BLOCKQUOTE TYPE=3D"CITE"><PRE><FONT color=3D#737373><I>Hi,
I googled with "CCR" but it seems nothing useful in 5
pages. Would you please do me a favor to give the URL
of that tool ?=20
I tried to set up MRTG monitoring Unishpere BRAS 1400
and M160, but I failed with data collection because
wrong OID used ( CPU, mem, tempreture, BW etc ) :-(
regards
--- Alexei Roudnev <<A =
href=3D"mailto:alex@relcom.net">alex@relcom.net</A>> wrote: =20
>=20
>=20
>=20
> > I read document of these tools and find they work
> with
> > Cisco products. But, how about Juniper M160 or
> M320,
> > Unishpere's BRAS products? Where can I find
> Juniper's
> > OID on its tempreture, chassis, CPU, bandwidth ?
> Does
> They use standart MIB2 and a little of Cisco
> specific MIB's. As I already
> said, it is a good tool to view and monitor traffic,
> utilisation, errors,
> and use additional tiool to deep monitor vendor
> specific parameters. We use
> 'snmpstat' to monitor routers, switches, ports and
> interfaces (and bgp) and
> cricket to watch few additional parameters (to
> configure alerts, we use
> aliases and mhonarc mail archives with auto
> expiration - for alerts,
> warnings, reports and audits, and for 'root' and
> 'oracle' e-mail.
>=20
> > anyone have a running configuration for M160 or
> > Unishpere's BRAS products?
> CCR can work with anything which (1) allow telnet or
> ssh, and (2) can 'write
> net' config (in any syntax).
> You can use encrypted password file (using
> passphrase) if you want. Using
> SNMP was rejected, because it is absolutely
> device-specific, impossible in
> many cases, and we never saw it as a security
> problem, because all devices
> are restricted to allow ssh or telnet from 2 or 3
> servers only, because
> passwords are encrypted, and because automated
> config reading and web access
> aree much more important vs very abstract
> possibility of hacking (in
> reality, problem can come from insiders, not from
> hackers, so no extra
> accounst are allowed on monitoring server).
>=20
> You can get configuratuion (initialize tftp
> transfer) using some snmp
> (WRITE) variable and pre-configured tftp parameters,
> but it works on a very
> few Cisco devices only.
>=20
> As I said, CCR uses 3 methods:
> - password file encrypted by public key
> - password file encrypted by 3des passphrase;
> - explicit password.
>=20
> In all cases, problem is with root user only - root
> can alway decrypt
> password or interseipt web session. User, who have
> permission to edit CCR
> config and know passphrase, can (in theory) see
> passwords as well. Other
> users can not, even if they know passphrase - they
> can only initiate config
> reading.
>=20
> Network admins do not know enable passwords, if they
> do not need it - they
> use passphrase
>=20
> To have automated config reading, any of first 2
> methods can be used
> (passphrase must be written into special file, if
> method 2 is used,
> root-only readable). For manual reading, any methgod
> can be used, without
> any file with passphrase.
>=20
> In reality, it is not serious security problem
> because all devices can be
> accessed from a very few servers only, and because
> we can use 'ssh' instead
> of 'telnet' (CCR can be configured or select
> ssh/telnet automatically). You
> can, in turn, play with security level , but it
> (again) does not work on
> generic case (any cisco device) and is very tricky.
>=20
> For Juniper or other device - you can try to program
> 'expect' script, or use
> 'snmp' initiated transfer - all other things will
> work.
>=20
>=20
>=20
> >
> > On configuration bankup, rancid use telnet (ssh).
> But,
> > I take this a not-secure methode as it has to code
> > password in login script. Is there any tool to get
> > configuration file from read-only SNMP cumminity?
> >
> >
> > Joe
> >
> >
> >
> > --- Jon Lyons <jlyons30@yahoo.com> wrote:
> > >
> > >
> > > Checkout </FONT><A =
href=3D"http://perfparse.sourceforge.net/"><U>http://perfparse.sourceforg=
e.net/</U></A><FONT color=3D#737373> lets
> you
> > > graph the data from the nagios plugins...
> > >
> > > --- Alexei Roudnev <alex@relcom.net> wrote:
> > >
> > > >
> > > > I generated config for 'snmpstatd'
> automatically,
> > > > from user;'s database (it
> > > > was simple; all I need was Router, Interface,
> > > > User-name, number for this
> > > > user, priority).
> > > >
> > > > For automated config backups, I use CCR (fully
> web
> > > > based Cisco
> > > > configuration -> CVS system).
> > > >
> > > >
> > > > ----- Original Message -----=20
> > > > From: "Andy Dills" <andy@xecu.net>
> > > > To: "Charlie Khanna - NextWeb"
> > > <charlie@nextweb.net>
> > > > Cc: <nanog@merit.edu>
> > > > Sent: Thursday, October 28, 2004 11:46 AM
> > > > Subject: Re: Network Monitoring System -
> > > > Recommendations?
> > > >
> > > >
> > > > >
> > > > > On Thu, 28 Oct 2004, Charlie Khanna -
> NextWeb
> > > > wrote:
> > > > >
> > > > > > Hi - I was interested in finding out what
> > > > software applications other
> > > > ISPs
> > > > > > are using for network monitoring? For
> > > example:
> > > > > >
> > > > > >
> > > > > >
> > > > > > 1) Overall network health - uptime
> > > reports
> > > > >
> > > > > </FONT><A =
href=3D"http://www.nagios.org"><U>http://www.nagios.org</U></A>
<FONT color=3D#737373>> > > > >
> > > > > > 2) Backup router config
> automatically
> > > > >
> > > > > </FONT><A =
href=3D"http://www.shrubbery.net/rancid/"><U>http://www.shrubbery.net/ran=
cid/</U></A>
<FONT color=3D#737373>> > > > >
> > > > > > 3) Bandwidth reporting (or
> integration
> > > > with an MRTG-type app)
> > > > >
> > > > > </FONT><A =
href=3D"http://cricket.sourceforge.net/"><U>http://cricket.sourceforge.ne=
t/</U></A>
<FONT color=3D#737373>> > > > >
> > > > > > 4) SNMP trap support (BGP/OSPF
> session
> > > > drops - emails out)
> > > > >
> > > > > </FONT><A =
href=3D"http://www.snmptt.org/"><U>http://www.snmptt.org/</U></A>
<FONT color=3D#737373>> > > > > </FONT><A =
href=3D"http://www.nagios.org"><U>http://www.nagios.org</U></A>
<FONT color=3D#737373>> > > > >
> > > > > > 5) Database back end (port info into
> or
> > > > over to other apps)
> > > > > >
> > > > > > I'm just looking for something well
> rounded
> > > for
> > > > a small ISP. I've heard
> > > > > > about OpenNMS and other apps but I'd like
> to
> > > get
> > > > everyone's feedback.
> > > > > > Thanks!
> > > > >
> > > > > Nothing all in one place, that I'm aware of.
> But
> > > > with a little work, you
> > > > > could probably integrate it all into nagios.
> > > After
> > > > all, you can make the
> > > > > host names or descriptions URLs that link to
> > > > bandwidth and error graphs or
> > > > > other tools.
> > > > >
> > > > > Andy
> > > > >
> > > > > ---
> > > > > Andy Dills
> > > > > Xecunet, Inc.
> > > > > </FONT><A =
href=3D"http://www.xecu.net"><U>www.xecu.net</U></A>
<FONT color=3D#737373>> > > > > 301-682-9972
> > > > > ---
> > > >
> > > >
> > >
> > >
> > >
> > >
> > > __________________________________
> > > Do you Yahoo!?
> > > Yahoo! Mail Address AutoComplete - You start. We
> > > finish.
> > > </FONT><A =
href=3D"http://promotions.yahoo.com/new_mail"><U>http://promotions.yahoo.=
com/new_mail</U></A>
<FONT color=3D#737373>> > >
> >
> > __________________________________________________
> > Do You Yahoo!?
> > Log on to Messenger with your mobile phone!
> > </FONT><A =
href=3D"http://sg.messenger.yahoo.com"><U>http://sg.messenger.yahoo.com</=
U></A>
<FONT color=3D#737373>>=20
> =20
__________________________________________________
Do You Yahoo!?
Log on to Messenger with your mobile phone!</FONT>
<A =
href=3D"http://sg.messenger.yahoo.com"><U>http://sg.messenger.yahoo.com</=
U></I></A></PRE></BLOCKQUOTE></BLOCKQUOTE></BODY></HTML>
------=_NextPart_000_152B_01C4C063.B00995D0--
