Cacti Cisco ASA Host Template

Came across a decent host template for Cisco ASA devices that works well with Cacti.

Grab the CISCO-FIREWALL-MIB if you don’t already have it. Get either Version 1 or Version 2 directly from Cisco, and also get CISCO-SMI Version 1 or Version 2.

Determine where your MIBs are stored on your Linux system:

linuxhost:~# snmptranslate -Dinit_mib .1.3|grep MIBDIRS
init_mib: Seen MIBDIRS: Looking in [...snip...] for mib dirs ...

You can use wget to download the MIB file version you want and specify where to save it according to one of the paths in the MIBDIRS output. I like putting them in /usr/share/snmp/mibs. Make sure the directory exists; if it doesn’t, just issue the following command:

linuxhost:~# mkdir -p /usr/share/snmp/mibs

Now, download each of the MIBs (CISCO-FIREWALL-MIB and CISCO-SMI). Use the above links to get a direct link. I’m getting Version 2 of each of the MIBs.

linuxhost:~# wget -d -O /usr/share/snmp/mibs/CISCO-FIREWALL-MIB "ftp://ftp.cisco.com/pub/mibs/v2/CISCO-FIREWALL-MIB.my"
linuxhost:~# wget -d -O /usr/share/snmp/mibs/CISCO-SMI "ftp://ftp.cisco.com/pub/mibs/v2/CISCO-SMI.my"

After it’s downloaded, run a test on the server and see if you can poll an ASA in your network.  I’ll test the ConnectionStat entry:

linuxhost:~# snmpwalk -m +CISCO-FIREWALL-MIB  -c public -v 2c 192.168.9.253 -OS ConnectionStat
CISCO-FIREWALL-MIB::cfwConnectionStatDescription.protoIp.currentInUse = STRING: number of connections currently in use by the entire firewall
CISCO-FIREWALL-MIB::cfwConnectionStatDescription.protoIp.high = STRING: highest number of connections in use at any one time since system startup
CISCO-FIREWALL-MIB::cfwConnectionStatCount.protoIp.currentInUse = Counter32: 0
CISCO-FIREWALL-MIB::cfwConnectionStatCount.protoIp.high = Counter32: 0
CISCO-FIREWALL-MIB::cfwConnectionStatValue.protoIp.currentInUse = Gauge32: 113
CISCO-FIREWALL-MIB::cfwConnectionStatValue.protoIp.high = Gauge32: 508

It works without errors!

Notice you must specify the CISCO-FIREWALL-MIB using the -m +CISCO-FIREWALL-MIB argument.

To make this load automatically, modify your snmp.conf file. This is typically located in /etc/snmp/snmp.conf on Sys-V systems. To figure out where snmp reads its configuration file from, issue the following:

linuxhost:~# net-snmp-config --snmpconfpath
/etc/snmp:/usr/share/snmp:/usr/lib/snmp:/root/.snmp:/var/lib/snmp

This shows it checks each of those paths, in order, until it finds the snmp.conf. So, modify your snmp.conf file and add the following line: mibs +CISCO-FIREWALL-MIB

There may be an existing line mibs : — you can remove the colon and replace it with +CISCO-FIREWALL-MIB.

Next, run the snmpget command without the -m +CISCO-FIREWALL-MIB argument and you should have success and no errors.

To get this set up in Cacti, log in to your Cacti server as admin. In the console tab, navigate to the “Import Templates” menu item and click on it.

Download the Host Template zip file (from original site http://forums.cacti.net/download/file.php?id=7607 ).

Extract the files to your desktop or wherever.

In the Import Templates window, click “Browse…” and choose the cacti_host_template ZIP file to import.

You are now done.

You can create a new device and choose the Cisco ASA – Security Device from the host templates now.

LEMP + Cacti 0.8.7i

This is my setup of LEMP with Cacti 0.8.7i.

LEMP stands for Linux, nginx (pronounced Engine x), MySQL and PHP. Most notably, LEMP is just replacing Apache (LAMP) with nginx.

My base Linux distribution is Debian 6 AMD64.

Software Required:

Debian 6 AMD64 (6.0.3) Business Card:  http://cdimage.debian.org/debian-cd/6.0.3/amd64/iso-cd/debian-6.0.3-amd64-businesscard.iso
PHP 5.3
Nginx 1.0.11
MySQL 5

I boot my system from the ISO and go through the basic install.  On the software installation screen, I chose only SSH Server and Standard System Utilities as noted in the screenshot below.

After the install finishes and a fresh reboot, I log in as root and add the following at the bottom of my apt sources list:

# vim.tiny /etc/apt/sources.list

deb http://nginx.org/packages/debian/ squeeze nginx
deb-src http://nginx.org/packages/debian/ squeeze nginx

Add the key for nginx.org:

root@cacti-087i:~# wget http://nginx.org/packages/keys/nginx_signing.key
--2012-01-16 11:45:38--  http://nginx.org/packages/keys/nginx_signing.key
Resolving nginx.org... 206.251.255.63
Connecting to nginx.org|206.251.255.63|:80... connected.
HTTP request sent, awaiting response... 200 OK
Length: 1561 (1.5K) [text/plain]
Saving to: nginx_signing.key

100%[======================================>] 1,561       --.-K/s   in 0s

2012-01-16 11:45:38 (156 MB/s) - nginx_signing.key

root@cacti-087i:~# cat nginx_signing.key | apt-key add -
OK
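
The key above is fetched over plain HTTP and piped straight into apt-key, so nothing ties the file to nginx.org. One way to pin it by fingerprint first, as an added example that is not part of the original post; key_fingerprints, fingerprint_matches, SAMPLE_LISTING and EXPECTED_FPR are names made up for this sketch, and the sample listing is constructed:

```shell
#!/bin/sh
# Added example (not from the original post): pin an apt signing key by
# its full fingerprint before trusting it.

# Print the fingerprint of each primary key in `gpg --with-colons` output
# read from stdin. An "fpr" record carries the fingerprint in field 10;
# only the one that follows a "pub" record belongs to a primary key.
key_fingerprints() {
    awk -F: '$1 == "pub" { want = 1; next }
             $1 == "fpr" && want { print toupper($10); want = 0 }'
}

# fingerprint_matches EXPECTED: succeed only if stdin lists exactly one
# primary key and its fingerprint equals EXPECTED (case/spaces ignored).
fingerprint_matches() {
    expected=$(printf '%s' "$1" | tr -d ' ' | tr 'a-f' 'A-F')
    # Require a full 40-hex-digit fingerprint; short key IDs can collide.
    case "$expected" in
        *[!0-9A-F]*) return 1 ;;
    esac
    [ "${#expected}" -eq 40 ] || return 1
    found=$(key_fingerprints)
    count=$(printf '%s\n' "$found" | awk 'NF { n++ } END { print n + 0 }')
    [ "$count" -eq 1 ] || return 1
    [ "$found" = "$expected" ]
}

# Constructed listing for illustration; these are not real key values.
SAMPLE_LISTING='pub:-:2048:1:0123456789ABCDEF:2011-08-19:::-:Example key <key@example.invalid>::scESC:
fpr:::::::::AAAABBBBCCCCDDDDEEEEFFFF0123456789ABCDEF:
sub:-:2048:1:1111222233334444:2011-08-19::::::e:
fpr:::::::::9999888877776666555544443333222211110000:'

# On the server (EXPECTED_FPR is a placeholder for the fingerprint you
# obtained from a separate, trusted channel; the gpg options assume a
# gpg that prints fpr records with --with-fingerprint):
#   gpg --with-colons --with-fingerprint nginx_signing.key \
#     | fingerprint_matches "$EXPECTED_FPR" \
#     && apt-key add nginx_signing.key
```

The check rejects a subkey fingerprint, a short key ID, and a file that carries more than one primary key.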

Then run apt-get update.

Now we’ll be downloading the latest version, 1.0.11-1. You can verify this went as expected by running apt-cache show nginx and looking at the package’s version.

Install nginx

apt-get install nginx

Verify it is installed and running by visiting http://127.0.0.1/ or whatever the IP address of your server is configured as. You should see a “Welcome to nginx!” page displayed.

Install MySQL Server

root@cacti-087i:/var/www# apt-get install mysql-server
Reading package lists... Done
Building dependency tree
Reading state information... Done
The following extra packages will be installed:
  libdbd-mysql-perl libdbi-perl libhtml-template-perl libnet-daemon-perl
  libplrpc-perl mysql-client-5.1 mysql-server-5.1 mysql-server-core-5.1
Suggested packages:
  libipc-sharedcache-perl libterm-readkey-perl tinyca
The following NEW packages will be installed:
  libdbd-mysql-perl libdbi-perl libhtml-template-perl libnet-daemon-perl
  libplrpc-perl mysql-client-5.1 mysql-server mysql-server-5.1
  mysql-server-core-5.1
0 upgraded, 9 newly installed, 0 to remove and 0 not upgraded.
Need to get 22.0 MB of archives.
After this operation, 56.3 MB of additional disk space will be used.
Do you want to continue [Y/n]?

Note:  You will need to provide a root password for MySQL during installation.

Install PHP CGI

The version I’m installing as of this writing is from the stable repository for Squeeze (Version: 5.3.3-7+squeeze3).

root@cacti-087i:~# apt-get install php5-cgi
Reading package lists... Done
Building dependency tree
Reading state information... Done
The following extra packages will be installed:
  libonig2 libqdbm14 php5-common php5-suhosin
Suggested packages:
  php-pear
The following NEW packages will be installed:
  libonig2 libqdbm14 php5-cgi php5-common php5-suhosin
0 upgraded, 5 newly installed, 0 to remove and 0 not upgraded.
Need to get 6,827 kB of archives.
After this operation, 17.7 MB of additional disk space will be used.
Do you want to continue [Y/n]?

Install PHP5 MySQL module

root@cacti-087i:/var/www# apt-get install php5-mysql
Reading package lists... Done
Building dependency tree
Reading state information... Done
The following extra packages will be installed:
  libmysqlclient16 mysql-common
The following NEW packages will be installed:
  libmysqlclient16 mysql-common php5-mysql
0 upgraded, 3 newly installed, 0 to remove and 0 not upgraded.
Need to get 2,132 kB of archives.
After this operation, 5,050 kB of additional disk space will be used.
Do you want to continue [Y/n]? y

Now I need to set up spawn-fcgi since this will be the PHP backend for nginx.

Install spawn-fcgi

root@cacti-087i:~# apt-get install spawn-fcgi

Install Daemontools service manager

I will use daemontools as my service manager for the FastCGI process.

root@cacti-087i:~# aptitude install daemontools daemontools-run

Now to configure the service…

root@cacti-087i:~# mkdir -p /etc/sv/spawn-fcgi
root@cacti-087i:~# cd /etc/sv/spawn-fcgi

Create a file called ‘run’ in this directory. Use your favorite editor, like VIM!?

root@cacti-087i:/etc/sv/spawn-fcgi# vim.tiny run

Use the following content (tweaked to your environment) in the run file.

root@cacti-087i:/etc/sv/spawn-fcgi# cat run
#!/bin/sh
exec /usr/bin/spawn-fcgi -n -a 127.0.0.1 -p 9000 -u www-data -g www-data -C 5 /usr/bin/php5-cgi

Give the file executable permissions and add it to the services.

root@cacti-087i:/etc/sv/spawn-fcgi# chmod +x run

root@cacti-087i:/etc/sv/spawn-fcgi# update-service --add /etc/sv/spawn-fcgi spawn-fcgi
Service spawn-fcgi added.

Check to see if it is now running…

root@cacti-087i:/etc/sv/spawn-fcgi# ps -edf | grep cgi
root      1943  1931  0 11:59 ?        00:00:00 supervise spawn-fcgi
www-data  1944  1943  0 11:59 ?        00:00:00 /usr/bin/php5-cgi
www-data  1945  1944  0 11:59 ?        00:00:00 /usr/bin/php5-cgi
www-data  1946  1944  0 11:59 ?        00:00:00 /usr/bin/php5-cgi
www-data  1947  1944  0 11:59 ?        00:00:00 /usr/bin/php5-cgi
www-data  1948  1944  0 11:59 ?        00:00:00 /usr/bin/php5-cgi
www-data  1949  1944  0 11:59 ?        00:00:00 /usr/bin/php5-cgi

Sweet, looks good so far!

Configure Nginx

Modify nginx’s default configuration file in /etc/nginx/conf.d/default.conf.

Change the following to reflect where your web content will be stored. I use /var/www and had to make the directory first.

root@cacti-087i:~#  mkdir /var/www

Modify /etc/nginx/conf.d/default.conf:

server {
    listen       80;
    server_name  localhost;
    root /var/www;
    include /etc/nginx/fastcgi_php;

    location / {
        index  index.php;
        if (!-e $request_filename) {
                rewrite ^(.*)$ /index.php last;
        }
    }
}

Create /etc/nginx/fastcgi_php file now with the following:

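# Escape the dot so only URIs that really end in ".php" match.
location ~ \.php$ {
    include /etc/nginx/fastcgi_params;

    fastcgi_index index.php;
    fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
    # Hand the request to PHP only when the script exists on disk.
    if (-f $request_filename) {
        fastcgi_pass 127.0.0.1:9000;
    }
}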

Once these files are saved, restart nginx.

root@cacti-0871i:~# /etc/init.d/nginx restart

I created a test file in /var/www/ named index.php:

root@cacti-0871i:~# echo '<?php phpinfo(); ?>' >/var/www/index.php

Test Nginx + PHP

Then I browsed to the site http://127.0.0.1/phptest.php.

Install rrdtool

apt-get install rrdtool

Install PHP5 needed modules

root@cacti-087i:~# apt-get install php5-snmp php5-ldap php5-xmlrpc
Reading package lists... Done
Building dependency tree
Reading state information... Done
The following extra packages will be installed:
  fancontrol libperl5.10 libsensors4 libsnmp-base libsnmp15 lm-sensors
Suggested packages:
  snmp-mibs-downloader sensord read-edid i2c-tools
The following NEW packages will be installed:
  fancontrol libperl5.10 libsensors4 libsnmp-base libsnmp15 lm-sensors
  php5-ldap php5-snmp php5-xmlrpc
0 upgraded, 9 newly installed, 0 to remove and 0 not upgraded.
Need to get 3,612 kB of archives.
After this operation, 7,008 kB of additional disk space will be used.
Do you want to continue [Y/n]?

Install Cacti Pre-requisites

PHP5-CLI

apt-get install php5-cli

SNMP tools

apt-get install snmp

Install Cacti 0.8.7i

I’m going to download 0.8.7i with PIA (plugin architecture):  http://www.cacti.net/downloads/cacti-0.8.7i-PIA-3.1.tar.gz

wget http://www.cacti.net/downloads/cacti-0.8.7i-PIA-3.1.tar.gz
tar zxvf cacti-0.8.7i-PIA-3.1.tar.gz
cd cacti-0.8.7i-PIA-3.1/

Follow install instructions per Cacti: http://docs.cacti.net/manual:087:1_installation.1_install_unix.5_install_and_configure_cacti

After following the instructions you should be able to get to the Cacti logon screen now.

This is for my own documentation notes.