Stef
Nice idea on the Powershell patch. We don't monitor Windows hosts where I use Xymon, but others in this list might benefit.
Is the PS client able to use https natively, or do you need to install curl.exe on those hosts?
I'm interested in the wget/curl option. Have you had an opportunity to compare performance impact on the server running xymond and the CGI script vs the native TCP/1984 method? This is perhaps my biggest concern, knowing that xymond is written with high-performance socket handling, and although Apache also has code optimised thusly, the CGI script execution might become a bottleneck. I fear stunnel and similar solutions would suffer from the same problem, due to (I assume) being written for low socket turn-over environments.
Does the CGI provide the client local data (from client-local.cfg) to the client?
I'd be interested to see a HOWTO on this, even though it seems simple enough. If the CGI option works out for us, we'll be able to cut over a large proportion of hosts.
However we have a sizeable proportion of hosts that cannot make connections to the Xymon server, and so we have to do funky things like ssh from xymons server to client, setup a reverse tunnel and adjust XYMSRV to 127.0.0.1. It's encrypted, but it's not particularly clean, and we have to all sorts of extra hacks to support dual Xymon servers (so that the client message tempfile for one Xymon server isn't stomped on by the second instance running for the other Xymon server, and so the reverse tunnels don't interfere with each others' listening ports). I'm investigating using msgcache/xymonfetch option designed for server->client connections, but it's non-trivial to have it work through an ssh tunnel, and so far I've not succeeded.
J
On Wed, 23 Aug 2023 at 22:02, Stef Coene <stef.coene at docum.org> wrote:
Hi,
We solved the encryption by using a wget and/or curl script alternative for the xymon client. It's a drop-in replacement. We have a setup script that checks if wget or cups exists and it creates a symlink for the xymon command to the script that works. The script uses a username and password to connect to xymoncgimsg.cgi over https to send the data. We use 1 username / paswoord for all clients but with some scripting you can give each client it's own username / password.
If wget or cups is not available (some old AIX servers can not connect to a https server...), the good old binary is used without encryption :(
I can document it somewhere if anyone is interested. It's not that complicated.
For the Windows clients we also use https as much as possible.
I have some patches for the Powershell client that allows for testing a new XML file. We want to manage the XML files centrally and want to avoid mistakes that can disable the client. So this allows us to test a new config file before overwriting the old one. I also added the ping test command for this and did some changes so data can be send to multiple Xymon servers. I will create some patches and send them to the mailinglist.
Stef
Xymon mailing list Xymon at xymon.com http://lists.xymon.com/mailman/listinfo/xymon