Cacti (home)ForumsDocumentation
Cacti: offical forums and support
It is currently Sun Aug 20, 2017 8:44 am

All times are UTC - 5 hours




Post new topic Reply to topic  [ 16 posts ]  Go to page 1, 2  Next
Author Message
 Post subject: [HOWTO] Using SSH tunnels to graph a remote Unix server
PostPosted: Thu Dec 20, 2007 10:46 am 
Offline
Cacti Guru User
User avatar

Joined: Fri Sep 19, 2003 8:36 am
Posts: 2326
Location: Sophia-Antipolis, France
  • Version 0.2 (01/09/2008) : added details about SSH options
  • Version 0.1 (12/20/2007) : intial release

This HowTo will explain how to use SSH tunnels to graph a Unix server that isn't directly reachable by your Cacti server :

Image

In this example, the Cacti server can reach the Gateway, which can reach the target server.



Chapter I: Configuring the SSH tunnel

On Gateway, create a "cactiuser" user :
Code:
# useradd -d /home/cactiuser -m cactiuser

Then you have to generate SSH keys (without passphrase) :
Code:
# su - cactiuser
$ ssh-keygen -t rsa
Generating public/private rsa key pair.
Enter file in which to save the key (/home/cactiuser/.ssh/id_rsa):
Enter passphrase (empty for no passphrase):
Enter same passphrase again:
Your identification has been saved in /home/cactiuser/.ssh/id_rsa.
Your public key has been saved in /home/cactiuser/.ssh/id_rsa.pub.
The key fingerprint is:
40:f6:91:a1:2d:d1:46:d4:76:e3:d8:c6:3f:c2:cf:f2 [email protected]

The public key of the "cactiuser" user has then to be authorized as an input key :
Code:
$ cd $HOME/.ssh
$ cp -p id_rsa.pub authorized_keys

Finally, create the SSH tunnel :
Code:
# su - cactiuser -c "ssh -f -N -g -L 192.168.0.2:10000:192.168.1.2:161 [email protected]"

This SSH tunnel will forward all packets sent to 192.168.0.2 on TCP port 10000, to 192.168.1.2 on port TCP 161.

The options that are used are the following :
  • -f : requests SSH to go to background just before command execution
  • -N : do not execute a remote command
  • -g : allows remote hosts to connect to local forwarded ports
  • -L : specifies that the given port on the local (client) host is to be forwarded to the given host and port on the remote side.

You can add this command to /etc/rc.local, so it will be executed at boot time.



Chapter II: Configuring Net-SNMP

By default, the Net-SNMP agent listens on UDP port 161; we'll modify its configuration to listen on TCP port 161.

To do so, use that in snmpd.conf on the target server :
Code:
agentaddress tcp:161
rocommunity mycommunity

For a more detailed configuration of snmpd.conf, follow this other HowTo.



Chapter III: Testing the SNMP connectivity

From the Gateway host, run this command :
Code:
$ snmpwalk -v 1 -c mycommunity tcp:192.168.1.2 sysname
SNMPv2-MIB::sysName.0 = STRING: target_server

From the Cacti server, run this command :
Code:
$ snmpwalk -v 1 -c mycommunity tcp:192.168.0.2:10000 sysname
SNMPv2-MIB::sysName.0 = STRING: target_server

If everything works fine, your host is then ready to be added to Cacti.

If not, review your network configuration (firewall rules, especially).


Chapter IV: Adding the device to Cacti

In Cacti, create a new device like that :

Image

Voila ! Your target server is graphed by Cacti :)

_________________

HOWTOs :
Templates :


Last edited by fmangeant on Wed Jan 09, 2008 9:57 am, edited 2 times in total.

Top
 Profile  
 
 Post subject:
PostPosted: Thu Jan 03, 2008 1:27 pm 
Offline
Developer
User avatar

Joined: Thu Feb 20, 2003 10:16 am
Posts: 1635
Location: Canada
Nice howto - well done!

_________________
--
Live fast, die young
You're sucking up my bandwidth.

J.P. Pasnak,CD
CCNA, LPIC-1
http://www.warpedsystems.sk.ca


Top
 Profile  
 
 Post subject:
PostPosted: Sat Jul 04, 2009 10:24 am 
Offline
Developer
User avatar

Joined: Thu Feb 20, 2003 10:16 am
Posts: 1635
Location: Canada
Posted to the howto section of Cacti Docs: http://docs.cacti.net/howto

_________________
--
Live fast, die young
You're sucking up my bandwidth.

J.P. Pasnak,CD
CCNA, LPIC-1
http://www.warpedsystems.sk.ca


Top
 Profile  
 
 Post subject:
PostPosted: Sun May 30, 2010 6:40 pm 
Offline

Joined: Fri May 28, 2010 7:29 pm
Posts: 18
This is great, thanks for posting.

But what if there are servers you want to monitor and those servers are on private lans which use the same RFC 1918 private IP blocks ?

Thanks again
Diego


Top
 Profile  
 
 Post subject:
PostPosted: Sun May 30, 2010 7:55 pm 
Offline
Developer
User avatar

Joined: Thu Feb 20, 2003 10:16 am
Posts: 1635
Location: Canada
VPNs and/or MPLS are your only solution.

_________________
--
Live fast, die young
You're sucking up my bandwidth.

J.P. Pasnak,CD
CCNA, LPIC-1
http://www.warpedsystems.sk.ca


Top
 Profile  
 
 Post subject:
PostPosted: Sun May 30, 2010 8:24 pm 
Offline

Joined: Fri May 28, 2010 7:29 pm
Posts: 18
So multiple tunnels is not possible ?


Top
 Profile  
 
 Post subject:
PostPosted: Sun May 30, 2010 9:35 pm 
Offline
Developer
User avatar

Joined: Thu Feb 20, 2003 10:16 am
Posts: 1635
Location: Canada
mercjoe wrote:
So multiple tunnels is not possible ?


Multiple tunnels, with multiple NATs is possible, but is easily managed.

_________________
--
Live fast, die young
You're sucking up my bandwidth.

J.P. Pasnak,CD
CCNA, LPIC-1
http://www.warpedsystems.sk.ca


Top
 Profile  
 
 Post subject:
PostPosted: Sun May 30, 2010 11:04 pm 
Offline

Joined: Fri May 28, 2010 7:29 pm
Posts: 18
I meant establishing several tunnels on the gateway/FW, one for each internal server. Thats possible right ? Why do you talk about NAT ?


Top
 Profile  
 
 Post subject: Re: [HOWTO] Using SSH tunnels to graph a remote Unix server
PostPosted: Thu Nov 04, 2010 8:42 am 
Offline

Joined: Tue Dec 01, 2009 4:24 pm
Posts: 26
hello,
very good how to !

is it up to date ?
i can use it now for the new cacti please ?


Top
 Profile  
 
 Post subject: Re: [HOWTO] Using SSH tunnels to graph a remote Unix server
PostPosted: Thu Nov 24, 2011 12:09 am 
Offline

Joined: Thu Nov 24, 2011 12:05 am
Posts: 1
I cant use
su - cactiuser -c "ssh -f -N -g -L 192.168.0.2:10000:192.168.1.2:161 [email protected]"

Please help me !


Top
 Profile  
 
 Post subject: Re: [HOWTO] Using SSH tunnels to graph a remote Unix server
PostPosted: Wed May 01, 2013 12:05 pm 
Offline

Joined: Wed May 01, 2013 11:56 am
Posts: 5
I've been building my monitoring on my router and as I monitor some external servers also I felt that having that SSH pipe opened once and left unmonitored is a bit of problem. I also trimmed the SSH switches towards more direct connection :).
I assume that these pipes are opened from the Cacti host it self that is why I don't use -g nor IP information in my SSH connection. I created a script to monitor the connection status so I don't have to worry if the SSH tunnel gets disconnected for any reason. The script is ran by the cron every three minutes.
The host entry to Cacti also needs to be changed, the one shown in the screen captures didn't work (for me). hostname should be tcp:localhost and SNMP port should be 10000 (and up, as you go along your hosts)


Code:
#!/opt/bin/bash
#
#  SSH tunnel check script
#  Author Juha Leivo
#  versio: 1.0
#

# parameters for array are FQDN for host, location of RSA key, local port to redirect, hostname of the server, SNMP community
host_array=(myserver.mydomain.org /opt/cacti-keys/myserver001_rsa 10000 MYSERVER001 public myserver2.mydomain.org /opt/cacti-keys/myserver2_rsa 10001 MYSERVER002 public)
len=${#host_array[*]} #Num elements in array

debug="1" #debugging enabled if this value is 1
if [ "$debug" -eq "1" ] ; then echo "Array lenght is $len" ; fi

# Parameters SSHKEYLOCATION, LOCALPORTTOBINDTO, HOSTTOCONNECTTO
connect_to_host()
{
  ssh -i $1 -f -N -L $2:127.0.0.1:161 cactimonitor@$3
  if [ "$debug" -eq "1" ] ; then echo "Connection string ssh -i $1 -f -N -L $2:127.0.0.1:161 cactimonitor@$3"; fi
}

# Parameters SNMPCOMMUNITY LOCALPORT HOSTNAME
# returns 1 if host replies back with the same hostname string as given
# returns 2 if the host name doesn't match given name
test_host()
{
  hosttest=`snmpwalk -v 1 -c $1 tcp:localhost:$2 sysname|cut -d: -f 4|cut -c2-`

  if [ "$debug" -eq "1" ] ; then echo "snmpwalk result is $hosttest" ; fi

  if [ "$hosttest" = "$3" ]
  then
    return "1"
  else
    return "2"
  fi
}

# takes the host connection string as its parameter
# counts the amount of connections to determine if connection exist
# tries to kill connection
# returns 1 if no connections detected or connection successfully killed
# returns 2 if connection kill failed
kill_connection()
{
  isConnection=`ps |grep $1|grep -v grep| cut -d" " -f 1 |tail -1|wc -l`
  if [ "$debug" -eq "1" ] ; then echo "connection test result is $isConnection" ; fi
  if [ "$isConnection" -eq "1" ]
  then
    pid=`ps |grep $1|grep -v grep|cut -d" " -f 1 |tail -1`
    if [ "$debug" -eq "1" ] ; then echo "Trying to kill pid $pid" ; fi
    kill $pid
    isConnection=`ps |grep $1|grep -v grep|cut -d" " -f 1 |tail -1|wc -l`
    if [ "$isConnection" -eq "1" ]
    then
      echo "Tried killing, something went wrong, waiting for few minutes"
      return 2
    else
      if [ "$debug" -eq "1" ] ; then echo "Killing connection was successful" ; fi
      return 1
    fi
  else
    if [ "$debug" -eq "1" ] ; then echo "Killing connection was successful as there was no connection to being with" ; fi
    return 1
  fi
}

# looping array
i=0
while [ $i -lt $len ]; do
  echo "Testing host ${host_array[$i+3]}"
  test_host ${host_array[$i+4]} ${host_array[$i+2]} ${host_array[$i+3]}
  if [ "$?" -eq "2" ]
  then
    echo "host connection lost, trying to connect"
    echo "checking for lingering connection"
    kill_connection ${host_array[$i]}
    if [ "$?" -eq "1" ]
    then
      connect_to_host ${host_array[$i+1]} ${host_array[$i+2]} ${host_array[$i]}
      echo "Testing new connection"
      test_host ${host_array[$i+4]} ${host_array[$i+2]} ${host_array[$i+3]}
      if [ "$?" -eq "2" ]
      then
        echo "Still no connection, will retry again in few minutes"
      fi
    fi
  fi
  # going to next host
  let "i += 5"
done


Top
 Profile  
 
 Post subject: Re: [HOWTO] Using SSH tunnels to graph a remote Unix server
PostPosted: Mon Mar 09, 2015 6:50 am 
Offline

Joined: Mon Apr 16, 2012 10:08 am
Posts: 12
This is not working for me any more and i cannot seem to figure out why.

if i run it on cli it works and as cacti user, but on not working on the graphs.



Code:
ssh -f -N -g -L 20162:localhost:161 [email protected] > /dev/null 2>&1


Code:
[[email protected] share]# snmpwalk -v1 -c mycommunity tcp:localhost:20162 .1.3.6.1.2.1.1.1.0
SNMPv2-MIB::sysDescr.0 = STRING: Linux spectrumgeo.com 2.6.32-504.8.1.el6.x86_64 #1 SMP Wed Jan 28 21:11:36 UTC 2015 x86_64


In the log file i get

Code:
03/09/2015 11:43:19 AM - CMDPHP: Poller[0] WARNING: SNMP Get Timeout for Host:'tcp:localhost:20162', and OID:'.1.3.6.1.2.1.1.1.0'


Top
 Profile  
 
 Post subject: Re: [HOWTO] Using SSH tunnels to graph a remote Unix server
PostPosted: Wed Mar 18, 2015 3:15 am 
Offline

Joined: Wed Mar 18, 2015 3:01 am
Posts: 1
:D I got the problem,

PS: Blog author wrongly defined the Ports in 'Hostname field' [tcp:<gateway>:10000] and in 161 in 'Snmp Port field'.

Configuration in cacti web-console should be:

in Hostname field: tcp:192.168.0.2
in Snmp Port field: 10000

Save the configuration and now it will work.

- Pankaj Sain


Top
 Profile  
 
 Post subject: Re: [HOWTO] Using SSH tunnels to graph a remote Unix server
PostPosted: Wed Mar 18, 2015 5:39 am 
Offline

Joined: Mon Apr 16, 2012 10:08 am
Posts: 12
I have tried your update, it does not work.


Image


CLI works though

Code:
[[email protected] ~]# snmpwalk -v1 -c mycommunity tcp:localhost:20162 system
SNMPv2-MIB::sysDescr.0 = STRING: Linux spectrumgeo.com 2.6.32-504.8.1.el6.x86_64 #1 SMP Wed Jan 28 21:11:36 UTC 2015 x86_64
SNMPv2-MIB::sysObjectID.0 = OID: NET-SNMP-MIB::netSnmpAgentOIDs.10
DISMAN-EVENT-MIB::sysUpTimeInstance = Timeticks: (77402861) 8 days, 23:00:28.61
SNMPv2-MIB::sysContact.0 = STRING: Root <[email protected]> (configure /etc/snmp/snmp.local.conf)
SNMPv2-MIB::sysName.0 = STRING: spectrumgeo.com
SNMPv2-MIB::sysLocation.0 = STRING: Unknown (edit /etc/snmp/snmpd.conf)
SNMPv2-MIB::sysORLastChange.0 = Timeticks: (6) 0:00:00.06
SNMPv2-MIB::sysORID.1 = OID: SNMP-MPD-MIB::snmpMPDMIBObjects.3.1.1
SNMPv2-MIB::sysORID.2 = OID: SNMP-USER-BASED-SM-MIB::usmMIBCompliance
SNMPv2-MIB::sysORID.3 = OID: SNMP-FRAMEWORK-MIB::snmpFrameworkMIBCompliance
SNMPv2-MIB::sysORID.4 = OID: SNMPv2-MIB::snmpMIB
SNMPv2-MIB::sysORID.5 = OID: TCP-MIB::tcpMIB
SNMPv2-MIB::sysORID.6 = OID: IP-MIB::ip
SNMPv2-MIB::sysORID.7 = OID: UDP-MIB::udpMIB
SNMPv2-MIB::sysORID.8 = OID: SNMP-VIEW-BASED-ACM-MIB::vacmBasicGroup
SNMPv2-MIB::sysORDescr.1 = STRING: The MIB for Message Processing and Dispatching.
SNMPv2-MIB::sysORDescr.2 = STRING: The MIB for Message Processing and Dispatching.
SNMPv2-MIB::sysORDescr.3 = STRING: The SNMP Management Architecture MIB.
SNMPv2-MIB::sysORDescr.4 = STRING: The MIB module for SNMPv2 entities
SNMPv2-MIB::sysORDescr.5 = STRING: The MIB module for managing TCP implementations
SNMPv2-MIB::sysORDescr.6 = STRING: The MIB module for managing IP and ICMP implementations
SNMPv2-MIB::sysORDescr.7 = STRING: The MIB module for managing UDP implementations
SNMPv2-MIB::sysORDescr.8 = STRING: View-based Access Control Model for SNMP.
SNMPv2-MIB::sysORUpTime.1 = Timeticks: (6) 0:00:00.06
SNMPv2-MIB::sysORUpTime.2 = Timeticks: (6) 0:00:00.06
SNMPv2-MIB::sysORUpTime.3 = Timeticks: (6) 0:00:00.06
SNMPv2-MIB::sysORUpTime.4 = Timeticks: (6) 0:00:00.06
SNMPv2-MIB::sysORUpTime.5 = Timeticks: (6) 0:00:00.06
SNMPv2-MIB::sysORUpTime.6 = Timeticks: (6) 0:00:00.06
SNMPv2-MIB::sysORUpTime.7 = Timeticks: (6) 0:00:00.06
SNMPv2-MIB::sysORUpTime.8 = Timeticks: (6) 0:00:00.06



Top
 Profile  
 
 Post subject: Re: [HOWTO] Using SSH tunnels to graph a remote Unix server
PostPosted: Wed Jul 01, 2015 7:57 am 
Offline

Joined: Mon Apr 16, 2012 10:08 am
Posts: 12
i have found the bug, on version 0.8.8.c file snmp.php replace line 56 with

Code:
if($hostname == "tcp:localhost"){
            $output = exec("snmpget -c $community -v 1 tcp:localhost:$port $oid");[email protected]("$hostname:$port", "$community", "$oid", ($timeout * 1000), $retries);
            $explode = explode("=",$output);
            $snmp_value = trim($explode[1]);            
         }else
            $snmp_value = @snmpget("$hostname:$port", "$community", "$oid", ($timeout * 1000), $retries);


Top
 Profile  
 
Display posts from previous:  Sort by  
Post new topic Reply to topic  [ 16 posts ]  Go to page 1, 2  Next

All times are UTC - 5 hours


Who is online

Users browsing this forum: No registered users and 2 guests


You cannot post new topics in this forum
You cannot reply to topics in this forum
You cannot edit your posts in this forum
You cannot delete your posts in this forum
You cannot post attachments in this forum

Search for:
Jump to:  

Protected by Anti-Spam ACP Powered by phpBB © 2000, 2002, 2005, 2007 phpBB Group