Remote Xymon Client Execution via ssh
Listmembers
There exist a few different proxy-ish ways of getting Xymon working through a firewall. None of the ones I looked into solved my particular problem, so I've cobbled together an alternative that some of you might a) comment on, b) inform me that I've re-implemented the wheel, or c) be able to use yourself.
My solution is a server-side script, that collects all of the "data" (disk, memory, CPU idle, ports, procs, etc) from a remote server, without having any Xymon components installed on it. All it needs is a way to get a shell. The appropriate xymonclient-<ostype>.sh script is grabbed from the Xymon server and sent over the connection to be executed in the shell.
As a bonus (and the real reason for me doing this), I can connect to the server via any mechanism that gives me a shell. I'm using it to connect via a jump-box over ssh, so it runs "ssh -T user1@box1 ssh -T user2@box2" and pulls back all of the data values, but it could run rsh, netcat, stunnel or a socks proxy.
I call the script xymon-rclient.sh, in the same vein as the remote tools rsh and rexec.
Here are some hosts.cfg examples to give an idea:
# get data from remserver1 over a ssh login, use %{H} to substitute
# with the hostname in field 2
10.99.1.1 remserver1.example.com # noping dialup "RCLIENT:cmd(ssh -T otheruser@%{H}),ostype(sunos)"

# ssh to gateway and then ssh to remserver2
10.99.1.2 remserver2.example.com # dialup "RCLIENT:cmd(ssh -T user1@gateway ssh -T -l user1 %{H}),ostype(sunos)"

# use rsh and automatically append hostname
10.99.1.3 remserver3.example.com # "RCLIENT:cmd(rsh),ostype(linux)"

# connect to remserver4 on its management IP address
10.99.1.4 remserver4.example.com # "RCLIENT:cmd(ssh -T remserver4.mgtnet),ostype(linux)"

# connect via https proxy using corkscrew
10.99.1.5 remserver5.example.com # noping dialup "RCLIENT:cmd(ssh -o ProxyCommand='corkscrew proxy 8080 %h %p' user@%{H}),ostype(linux)"
The ssh/rsh examples assume that you've set up password-less authentication for the Xymon user (although if you're using rsh...well you shouldn't), that you have created suitable user accounts, and that the ssh host keys have been added to *known_hosts. The xymon-rclient.sh script is run from tasks.cfg every 5 minutes, and it automatically pulls out the appropriate hosts and their RCLIENT settings from hosts.cfg, and probes them accordingly.
If it's an encrypted connection, of course all data is kept secure. Our security people like this.
This is how the script works. The relevant client script is selected according to the ostype setting (eg xymonclient-linux.sh). On the fly, the script is adjusted slightly (some code to produce the "[clock]" section, XYMONTMP and MACHINEDOTS are defined) and it is then sent over the connection to the remote shell to be executed as if typed by a user. The output is then fed into the local Xymon server via the "xymon" command.
Because the script is stored on the Xymon server, there's no installation or upgrades to be done on the "client". It's the ultimate in centralisation. The down-side, of course, is that there are no smarts on the client, so for example there's no logfetch and so no messages/file/dir processing possible. The script needs to be sent every single time (every 5 minutes), but its size is no more than a couple of ethernet packets, so I don't consider this to be a major problem. The size of the output is typically an order of magnitude larger than this.
I suppose if people think this script might be useful, I should put it somewhere, such as Xymonton?
Cheers Jeremy
jlaidman@rebel-it.com.au
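
Added example, not part of the original post and not the author's xymon-rclient.sh: one way the hosts.cfg handling described above (RCLIENT tag, %{H} substitution, automatic hostname append, ostype-based script selection) could be parsed while validating the two values that end up in a file name and on a command line. The function name rclient_plan, its return codes, the accepted character sets and the 10.99.1.9 sample line are assumptions.

```shell
#!/bin/sh
# Added example (not the xymon-rclient.sh from the post).
# rclient_plan LINE: parse one hosts.cfg line and print
#   <client script name>|<command to run on the Xymon server>
# Returns 1 (no usable RCLIENT tag), 2 (bad ostype), 3 (bad hostname).
rclient_plan() {
    line=$1
    host=$(printf '%s\n' "$line" | awk '{print $2}')   # field 2 = hostname
    tag=$(printf '%s\n' "$line" | sed -n 's/.*"RCLIENT:\(.*\)".*/\1/p')
    cmd=$(printf '%s\n' "$tag" | sed -n 's/^cmd(\(.*\)),ostype([^()]*)$/\1/p')
    ostype=$(printf '%s\n' "$tag" | sed -n 's/^cmd(.*),ostype(\([^()]*\))$/\1/p')
    [ -n "$cmd" ] || return 1
    # ostype is spliced into a file name, so refuse anything that could
    # leave the client-script directory (assumed charset: a-z, 0-9, '-').
    case $ostype in ''|*[!a-z0-9-]*) return 2 ;; esac
    # The hostname lands on a command line: DNS characters only, and no
    # leading '-' that the remote-shell tool would read as an option.
    case $host in ''|-*|*[!A-Za-z0-9.-]*) return 3 ;; esac
    case $cmd in
        *'%{H}'*) cmd=$(printf '%s\n' "$cmd" | sed "s/%{H}/$host/g") ;;
        *)        cmd="$cmd $host" ;;   # no placeholder: append hostname
    esac
    printf '%s|%s\n' "xymonclient-$ostype.sh" "$cmd"
}

# Constructed sample input: two lines from the post, one malformed line.
while IFS= read -r l; do
    rclient_plan "$l" || echo "rejected (rc=$?): $l"
done <<'EOF'
10.99.1.1 remserver1.example.com # noping dialup "RCLIENT:cmd(ssh -T otheruser@%{H}),ostype(sunos)"
10.99.1.3 remserver3.example.com # "RCLIENT:cmd(rsh),ostype(linux)"
10.99.1.9 remserver9.example.com # "RCLIENT:cmd(rsh),ostype(../linux)"
EOF
```

Whatever appears in cmd(...) is run as written by the Xymon user on the server, so write access to hosts.cfg amounts to command execution there; the checks above cover only the two substituted fields.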