SSLCert test dependency on HTTP?
Hi all,
I have sslcert tests that keep going purple 30 minutes after the HTTP test starts failing. If the HTTP test is failing I know the sslcert test is going to fail, so I would expect there to be an implied dependency on the http test. There doesn't seem to be one though. Is there any way to do this in the configuration? I tried adding a dependency but it doesn't seem to have any effect.
Thanks!
Scot Kreienkamp | Senior Systems Engineer | La-Z-Boy Corporate One La-Z-Boy Drive | Monroe, Michigan 48162 | Office: 734-384-6403 | Mobile: 7349151444 | Email: Scot.Kreienkamp at la-z-boy.com | www.la-z-boy.com | facebook.com/lazboy | twitter.com/lazboy | youtube.com/lazboy
This message is intended only for the individual or entity to which it is addressed. It may contain privileged, confidential information which is exempt from disclosure under applicable laws. If you are not the intended recipient, you are strictly prohibited from disseminating or distributing this information (other than to the intended recipient) or copying this information. If you have received this communication in error, please notify us immediately by e-mail or by telephone at the above number. Thank you.
Did you compile xymon with SSL?
Josh Luthman Office: 937-552-2340 Direct: 937-552-2343 1100 Wayne St Suite 1337 Troy, OH 45373
Xymon mailing list Xymon at xymon.com http://lists.xymon.com/mailman/listinfo/xymon
Sorry, maybe I wasn’t clear… my question is more around the SSLCert column. The source of that column is the HTTP test, so when it fails of course it can’t send a status on the SSLCert because there’s no SSLCert to test on due to the failing HTTP test. So I’d like it to not go purple.
Scot Kreienkamp | Senior Systems Engineer | La-Z-Boy Corporate One La-Z-Boy Drive | Monroe, Michigan 48162 | Office: 734-384-6403 | | Mobile: 7349151444 | Email: Scot.Kreienkamp at la-z-boy.com
You could do nosslcert but I think depends= is better (make it depend on that http test).
Josh Luthman Office: 937-552-2340 Direct: 937-552-2343 1100 Wayne St Suite 1337 Troy, OH 45373
As I said, I tried that and it didn’t seem to work.
depends=(sslcert:lzbvidmpdoim2.na.lzb.hq/http)
The server is lzbvidmpdoim2.na.lzb.hq, so if I have that constructed right I’ve told it that the sslcert test depends on the http test on itself. It hasn’t had any effect though. As I recall, the depends is implemented in the network module so it may not be able to apply to the sslcert test. I know Henrik had wanted to reimplement that higher up in the processing order so it could apply to any test. Guess he didn’t get around to it.
JC, can I make a feature request? Reimplement depends so it can work for any test?
Thanks.
Scot Kreienkamp | Senior Systems Engineer | La-Z-Boy Corporate One La-Z-Boy Drive | Monroe, Michigan 48162 | Office: 734-384-6403 | | Mobile: 7349151444 | Email: Scot.Kreienkamp at la-z-boy.com
'sslcert' is a little odd in that it's not really a normal test of its own -- it's created if xymonnet does an SSL transaction, but not otherwise. So if there's no valid https connection made (because the site is down) and nothing else is being tested via SSL on the same host (eg, smtps, imaps, ldaps, ...) then no sslcert test gets created at all. Hence the purple. And, yes, since xymonnet is doing the depends calculation it doesn't even get to that point.
I'll have to take a look at the xymonnet code, but I believe it might be possible to default to a dummy sslcert record if we think we're doing an SSL exchange (clear, most likely), which could solve this specific issue.
The broader question on 'depends' calculation in the core xymond is a bit trickier. Well, that's not right. It's tricky to do without adversely impacting performance by causing additional scans for incoming status messages. It's unimportant in smaller installs but the math adds up in larger ones.
Having arbitrary dependency calculation done by the test submitter reduces xymond's load back to linear scans, but it also prevents depends from working as flexibly as it should, as you've seen.
There are some of the bits of logic that might be able to be consolidated together, however. Having a host-level enable/disable option (instead of test-level ones), and taking CONN_down = (red/purple->clear) logic to the core (and perhaps allowing that test to be selectable on a per-host basis) could get us close while still being efficient.
Regards, -jc
JC,
I think I have found either a bug or at least an inconsistency related to this. On three hosts that have SSLCert tests on them and are currently purple, when I query them with xymondboard I get green status back.
Scot Kreienkamp | Senior Systems Engineer | La-Z-Boy Corporate One La-Z-Boy Drive | Monroe, Michigan 48162 | Office: 734-384-6403 | | Mobile: 7349151444 | Email: Scot.Kreienkamp at la-z-boy.com
Are you certain that it's a green status, not a purple status that shows the last known status of green?
--
|| \\UTGERS, |---------------------------*O*---------------------------
||_// the State | Ryan Novosielski - novosirj at rutgers.edu
|| \\ University | Sr. Technologist - 973/972.0922 (2x0922) ~*~ RBHS Campus
|| \\ of NJ | Office of Advanced Research Computing - MSB C630, Newark
`'
Yep, verified that it actually thinks it’s green.
When I retrieve a list of just the host and test it reports green.
[root@monvxymon ~]# xymon 127.0.0.1 "xymondboard host=lzbvidm test=sslcert"
lzbvidm |sslcert|green||1458745371|1459196141|1459197941|0|0|10.1.1.200||green Mon Mar 28 16:15:20 2016
Verified by adding a color=purple filter to the test, which then reports nothing.
[root@monvxymon ~]# xymon 127.0.0.1 "xymondboard host= lzbvidm test=sslcert color=purple"
[root@monvxymon ~]#
Verified again by adding a color=green filter for the test.
[root@monvxymon ~]# xymon 127.0.0.1 "xymondboard host= lzbvidm test=sslcert color=green"
lzbvidm |sslcert|green||1458745371|1459196323|1459198123|0|0|10.1.1.200||green Mon Mar 28 16:18:23 2016
I included a screenshot of the page showing purple with last report timestamp of Feb 26.
Names changed to protect the innocent.
Scot Kreienkamp | Senior Systems Engineer | La-Z-Boy Corporate One La-Z-Boy Drive | Monroe, Michigan 48162 | Office: 734-384-6403 | | Mobile: 7349151444 | Email: Scot.Kreienkamp at la-z-boy.com
On 28-03-2016 at 22:26, Scot Kreienkamp wrote:
Yep, verified that it actually thinks it’s green.
When I retrieve a list of just the host and test it reports green.
[root@monvxymon ~]# xymon 127.0.0.1 "xymondboard host=lzbvidm test=sslcert"
lzbvidm |sslcert|green||1458745371|1459196141|1459197941|0|0|10.1.1.200||green Mon Mar 28 16:15:20 2016
Those three numbers are 1) timestamp when color last changed, 2) time the latest status message was received, and 3) time when status is no longer valid (i.e. when it should go purple).
The timestamp "1459197941" is Mar 28 20:45:41 UTC, so if you are checking the status after that time then it should be purple.
I don't see anything in the web status display code that can make the page show up as purple without a purple status being reported from xymondboard... So this is weird.
Regards, Henrik
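Henrik's reading of the three timestamps, applied to the exact xymondboard line posted in this thread. This is an added example, not part of the original posts and not Xymon's own code; it assumes xymondboard's default field order (hostname, testname, color, flags, lastchange, logtime, validtime, acktime, disabletime, sender, cookie, line1), and the function names are hypothetical.

```python
"""Decode a default-format xymondboard line and check whether the status has
outlived its validity window (the point after which it should show purple)."""
from datetime import datetime, timezone

# Assumed default field order when no fields= parameter is passed to
# xymondboard; the line posted in the thread has exactly these 12 fields.
FIELDS = ("hostname", "testname", "color", "flags", "lastchange", "logtime",
          "validtime", "acktime", "disabletime", "sender", "cookie", "line1")
EPOCH_FIELDS = ("lastchange", "logtime", "validtime", "acktime", "disabletime")

# Line copied from the thread (the poster had already altered the host name).
SAMPLE = ("lzbvidm |sslcert|green||1458745371|1459196141|1459197941|0|0|"
          "10.1.1.200||green Mon Mar 28 16:15:20 2016")


def parse_board_line(line):
    """Split one xymondboard output line into a dict keyed by field name."""
    # Limit the split so any '|' inside line1 (the last field) is preserved.
    parts = line.rstrip("\n").split("|", len(FIELDS) - 1)
    if len(parts) != len(FIELDS):
        raise ValueError(f"expected {len(FIELDS)} fields, got {len(parts)}")
    entry = {name: value.strip() for name, value in zip(FIELDS, parts)}
    for name in EPOCH_FIELDS:
        entry[name] = int(entry[name])  # Unix epoch seconds
    return entry


def utc(ts):
    """Epoch seconds -> timezone-aware UTC datetime."""
    return datetime.fromtimestamp(ts, tz=timezone.utc)


def validity_window(entry):
    """Seconds between the last received status and its expiry."""
    return entry["validtime"] - entry["logtime"]


def expected_color(entry, now):
    """Color the status should have at `now`: purple once validtime has passed."""
    return "purple" if now > entry["validtime"] else entry["color"]


def report(entry, now):
    """Human-readable summary of the three timestamps Henrik describes."""
    fmt = "%Y-%m-%d %H:%M:%S UTC"
    return "\n".join([
        f"{entry['hostname']}.{entry['testname']} reported {entry['color']}",
        f"  color last changed : {utc(entry['lastchange']).strftime(fmt)}",
        f"  last status update : {utc(entry['logtime']).strftime(fmt)}",
        f"  valid until        : {utc(entry['validtime']).strftime(fmt)}",
        f"  validity window    : {validity_window(entry) // 60} minutes",
        f"  expected at query  : {expected_color(entry, now)}",
    ])


if __name__ == "__main__":
    import time
    print(report(parse_board_line(SAMPLE), int(time.time())))
```
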
Would either the nonongreen or nopropred tags cause that behavior? These are development systems so I didn’t want the status propagating upward. The purple still does though, not sure if there’s anything I can do about that.
Scot Kreienkamp | Senior Systems Engineer | La-Z-Boy Corporate One La-Z-Boy Drive | Monroe, Michigan 48162 | Office: 734-384-6403 | | Mobile: 7349151444 | Email: Scot.Kreienkamp at la-z-boy.com
HTTP exhibits the same behavior. I don't have any other purple tests to try this on.
Scot Kreienkamp | Senior Systems Engineer | La-Z-Boy Corporate One La-Z-Boy Drive | Monroe, Michigan 48162 | Office: 734-384-6403 | | Mobile: 7349151444 | Email: Scot.Kreienkamp at la-z-boy.com
Err, sorry, meant that red HTTP tests return green when querying with xymondboard.
Scot Kreienkamp | Senior Systems Engineer | La-Z-Boy Corporate One La-Z-Boy Drive | Monroe, Michigan 48162 | Office: 734-384-6403 | | Mobile: 7349151444 | Email: Scot.Kreienkamp at la-z-boy.com