file:   README.SNMP
author: Alexander Haderer
date:   17 Dec 2002
cvs:    $Id: README.SNMP,v 1.2 2002/12/17 18:04:47 afrika Exp $

  R E A D M E   N E T - S N M P   S E T U P

This file describes how to look remotely at kernel syslog messages using
fetchlog together with NET-SNMP. NET-SNMP is a collection of SNMP
utilities and can be downloaded from http://www.net-snmp.org .

This is only a brief description to give an idea of how to set this up.
Read the manpages, FAQ and HOWTO to understand what you do.


HOW TO 'GET / POLLING'

Do this if you want to get new kernel syslog messages from a remote
machine using SNMP's GET method.

CONVENTION

remote machine: A machine running NET-SNMP's snmpd. The snmpd will offer
                SNMP clients the last new messages of a kernel logfile.
local machine:  A machine from where one will take a look at the remote
                machine's kernel logfile using SNMP.
snmpd:          The SNMP server part of NET-SNMP

1. install:
   Go to the remote machine: install fetchlog, install NET-SNMP. For the
   following text assume default installations in /usr/local .

2. syslog:
   Find a way to create syslog messages from the kernel facility for
   testing: Look at your "generic" syslog file (/var/log/messages) and
   try to access the floppy drive or the CDROM drive with no media
   inserted. If you see messages with '/kernel' you are done.
   Note: logger(1) probably is unable to generate messages for the
   kernel facility.
   Note: On some systems (FreeBSD for example) the kernel writes a log
   message if any program dies with a segmentation fault or bus error.

3. syslog:
   Assumption: There is no kernel logfile /var/log/kernelmsg
   Edit syslogd's config file, this can usually be found as
   /etc/syslog.conf . Add the following line somewhere at the beginning:
      'kern.debug     /var/log/kernelmsg'
   NOTE: Don't enter the quotes; use TAB, not SPACE
   Do a 'touch /var/log/kernelmsg' to create an empty logfile.

4. syslog:
   Restart syslogd. Again do something to create kernel syslog messages
   (see 2.)
   If the messages appear in your "generic" logfile and in your new
   kernel logfile /var/log/kernelmsg you are done.

5. newsyslog:
   To have your logfile rotated automatically by the system, edit the
   config file for the logfile rotator (/etc/newsyslog.conf). Choose an
   appropriate rotation interval and DO NOT enable compression. Test the
   rotation by watching it happen over time.

6. fetchlog:
   Test fetchlog with your newly created kernel logfile:
      fetchlog -f 1:80:1000: /var/log/kernelmsg /var/tmp/kernelbm

   Nagios users need the following, others may try it:
   - If you want to skip the date-time stamp, increase firstcol: Nagios
     will save a nearby timestamp for you.
   - If you want to skip the hostname, further increase firstcol: Nagios
     will save the hostname for you, because Nagios already knows the
     host it contacts.
   - If you want to skip the '/kernel' appearing on every line, further
     increase firstcol. The logfile holds only messages from the kernel
     facility.
   - If you want to save further space, set lastcol to 75 to abbreviate
     long message lines.
   - Finally: The maximum value for len is 330; when using higher values
     information gets lost! This is because of a limitation in Nagios'
     internal data structures.
   The line may now look like this:
      fetchlog -f 35:75:330:bnos /var/log/kernelmsg /var/tmp/kernelbm
   Note the conversion settings for safe HTML output, single line output,
   the OK message and shell metacharacter conversion. Nagios mail
   notification requires shell metacharacter conversion (new in 0.93),
   otherwise messages containing quotes probably will not be sent out by
   Nagios.

7. snmpd:
   Create a config file for snmpd (/usr/local/share/snmp/snmpd.conf):

--------------- snip -------------------
############################################
# snmpd.conf
############################################
# SECTION: Access Control Setup
#
# This section defines who is allowed to talk to your running
# snmp agent.
# rocommunity: a SNMPv1/SNMPv2c read-only access community name
# arguments: community [default|hostname|network/bits] [oid]
rocommunity donttell ip_of_local_machine .1.3.6.1.4.1.2021

############################################
# SECTION: Monitor Various Aspects of the Running Host
# Run a command
#
exec kernel /usr/local/bin/fetchlog -F 1:80:1000:on \
     /var/log/kernelmsg /var/tmp/kernelbm
--------------- snap -------------------

   where donttell is the SNMP community name and ip_of_local_machine is
   the IP address or hostname of the local machine. (Not localhost! See
   CONVENTION above.)
   Note: Please choose the community name carefully! It acts as a
   password.
   Note: Enter the exec line as one line; it is split here for
   readability.

   Nagios users write the last line as:

--------------- snip -------------------
exec kernel /usr/local/bin/fetchlog -F 35:75:330:bnos \
     /var/log/kernelmsg /var/tmp/kernelbm
--------------- snap -------------------

   Note: Enter the exec line as one line; it is split here for
   readability.
   Note: The option is a capital F

   Read-protect the config file from others! It contains the community
   string for your snmpd server, which acts like a password.
   Note: Using an SNMPv1 rocommunity is insecure. man snmpd.

8. snmpd:
   (Re)start snmpd.

9. snmpget / snmpwalk:
   Go to the local machine and try to fetch the remote messages. If you
   have installed NET-SNMP at the local machine you can type:
      snmpget ip_of_remote_machine donttell .1.3.6.1.4.1.2021.8.1.101.1
   where donttell is the SNMP community name and ip_of_remote_machine is
   the IP address or hostname of the remote machine.
   If you disable single line output for fetchlog (leave out conversion
   'n') you can access each single line of output separately. Read the
   manpage of snmpd and the example snmpd.conf that comes with NET-SNMP
   for how to access multiline exec output via SNMP and how to set this
   up.
   Also try a snmpwalk:
      snmpwalk ip_of_remote_machine donttell .1.3.6.1.4.1.2021.8.1
   and option O (capital letter O, man snmpcmd):
      snmpwalk -On ip_of_remote_machine donttell .1.3.6.1.4.1.2021.8.1
   Note: Because snmpd caches the result of exec commands for about 90
   seconds, successive snmpget calls may show some results twice without
   calling fetchlog at the remote machine.


HOW TO 'TRAP / PUSH'

Do this if you want a remote machine to generate SNMP traps when new
kernel syslog messages appear.

CONVENTION

remote machine: A machine running NET-SNMP's snmptrap. The machine will
                send out SNMP traps when new messages of a kernel logfile
                appear.

1. general setup:
   Go to the remote machine. Follow steps 1..6 of
   "HOW TO 'GET / POLLING'".

2. snmptrap:
   Go to the remote machine. Read and understand how NET-SNMP's snmptrap
   utility works. Look at the NET-SNMP webpages (http://www.net-snmp.org)
   for the FAQ and the tutorial. Play around with snmptrap, get it
   working.

3. script for cronjob:
   Set up a shell script as shown in the EXAMPLE in README. Edit the
   shell script: Let fetchlog look at the logfile /var/log/kernelmsg
   created in step 1. Instead of the mail command, send out an SNMP trap
   with the snmptrap command and the fetched message as a parameter.
   Test what maximum len for fetchlog works together with snmptrap and
   the trap receiver.

4. shell script:
   Test whether the script works as expected.

5. cron:
   Set up a cron job running on a regular basis as shown in the EXAMPLE
   in file README.


SEE ALSO

README.Nagios - How to set up Nagios using fetchlog locally or remotely.
NET-SNMP      - Various tools relating to the Simple Network Management
                Protocol SNMP (NET-SNMP: formerly known as UCD-SNMP)
                http://www.net-snmp.org

LEGAL

Nagios is a registered trademark of Ethan Galstad

EOF
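The cron-job script of step 3 in HOW TO 'TRAP / PUSH', written out as an added example (it is not from fetchlog, NET-SNMP or this README). The trap receiver host and the trap OID are assumptions; the logfile, bookmark file, community name and extOutput OID are the ones used in the GET / POLLING steps above.

```shell
#!/bin/sh
# Cron job for step 3 of HOW TO 'TRAP / PUSH' (added example, not part of
# fetchlog or NET-SNMP): fetch new kernel syslog lines with fetchlog and
# push each one to a trap receiver as an SNMPv2c trap with snmptrap.
# RECEIVER and TRAP_OID are assumptions; adjust them for your site.

FETCHLOG=${FETCHLOG:-/usr/local/bin/fetchlog}
SNMPTRAP=${SNMPTRAP:-snmptrap}
LOGFILE=${LOGFILE:-/var/log/kernelmsg}       # kernel logfile from step 3
BOOKMARK=${BOOKMARK:-/var/tmp/kernelbm}      # bookmark file from step 6
RECEIVER=${RECEIVER:-trap_receiver_host}     # assumption: your trap receiver
COMMUNITY=${COMMUNITY:-donttell}             # community name from step 7
TRAP_OID=${TRAP_OID:-.1.3.6.1.4.1.2021.8.1}  # assumption: placeholder OID
MSG_OID=.1.3.6.1.4.1.2021.8.1.101.1          # extOutput OID from step 9
MAXLEN=${MAXLEN:-330}  # largest len your receiver accepts (test it, step 3)

# Fetch new lines. With an empty conversion field (as in step 6) fetchlog
# prints nothing when there is nothing new, so an empty result means
# "no trap needed". The decision is made on the output, not the exit status.
fetch_new_lines() {
    "$FETCHLOG" -f "1:80:$MAXLEN:" "$LOGFILE" "$BOOKMARK"
}

# Send one trap per fetched line and print how many were sent.
# Each line is passed to snmptrap as a single quoted argument, so shell
# metacharacters in a kernel message are never interpreted by the shell.
# Returns 1 if snmptrap fails; check fetchlog's bookmark handling if you
# need those lines re-sent on the next run.
send_kernel_traps() {
    tmp=$(mktemp) || return 1
    fetch_new_lines > "$tmp"
    count=0
    while IFS= read -r line; do
        [ -z "$line" ] && continue
        "$SNMPTRAP" -v 2c -c "$COMMUNITY" "$RECEIVER" '' "$TRAP_OID" \
            "$MSG_OID" s "$line" || { rm -f "$tmp"; return 1; }
        count=$((count + 1))
    done < "$tmp"
    rm -f "$tmp"
    echo "$count"
}
```

Run it from cron as in the README EXAMPLE; the printed count makes a failed or silent run visible in the cron mail.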