Tag: Observium

Observium Notes

A few notes on my Observium setup on a Debian 8 Jessie system. All configuration options and details can be found at the Observium documentation page.

Bad Interfaces

These entries are in /opt/observium/config.php

$config['bad_if'][] = voip-null;
$config['bad_if'][] = virtual-;
$config['bad_if_regexp'][] = /serial[0-9]:/;
$config['bad_if'][] = loopback;
$config['bad_if'][] = lo;
$config['bad_if'][] = dummy;
$config['bad_if_regexp'][] = /tunnel_[0-9]/;
$config['bad_iftype'][] = voiceEncap;

Other Configuration Options

A few other customizations in the /opt/observium/config.php file.

$config['rrdgraph_real_95th'] = TRUE;
$config['allow_unauth_graphs']    = 1;
$config['login_message']    = Unauthorised access shall render the user liable to criminal and/or civil prosecution.;
$config['page_title_prefix'] = Rich Kreider - Monitoring :: ;

Observium nfsen configuration notes

Hacked my way through getting Observium to pick up the nfsen RRD so that I see the Netflow tab in the device in Observium.
2016-06-16_153005
Here’s what I did…

Install Prerequisite Software

apt-get install gcc flex librrd-dev make librrdp-perl librrds-perl libsocket6-perl libmailtools-perl mrtg rrdtool

Install nfdump

Download nfdump from SourceForge: https://sourceforge.net/projects/nfdump/files/stable/nfdump-1.6.13/

tar zxvf nfdump-1.6.13.tgz
cd nfdump-1.6.13/
./configure --enable-nfprofile --enable-nftrack
make && make install

Install nfsen

Download nfsen from SourceForge: https://sourceforge.net/projects/nfsen/files/stable/nfsen-1.3.7/

tar zxvf nfsen-1.3.7.tgz
cd nfsen-1.3.7
cp etc/nfsen.conf.dist etc/nfsen.conf

Make configuration changes to nfsen
Modify etc/nfsen.conf

$USER = www-data;
$WWWUSER = www-data;
$WWWGROUP = www-data;
%sources = (
'routername' => { 'port' => '9996', 'col' => '#0000ff', 'type' => 'netflow', 'IP' => '1.2.3.4' },
);
$MAIL_FROM = 'me@domain.com';
$SMTP_SERVER = 'mail.domain.com';

Save the file and then make a directory where nfsen will store data.

mkdir -p /var/nfsen
./install.pl etc/nfsen.conf

Start nfsen

cd /var/nfsen/bin
./nfsen start

Configure to start nfsen automatically at reboot.

ln -s /var/nfsen/bin/nfsen /etc/init.d/nfsen
update-rc.d nfsen defaults 20

Configure Apache2

Configure Apache2 so we can access nfsen while still using observium.
Make a directory to store nfsen HTML files

mkdir -p /var/www/html/nfsen

Edit /etc/apache2/conf-enabled/observium.conf and add the following line before the closing </VirtualHost>.

Alias /nfsen /var/www/html/nfsen

Restart Apache2

service apache2 restart

At this point you should be able to access http://yourip/nfsen/nfsen.php

Cannot create graph

If you see that error, check permissions of /var/nfsen and make sure it is accessible by www-data specified in /var/nfsen/etc/nfsen.conf.

Observium Configuration

Note: The %source in /var/nfsen/etc/nfsen.config must match the host you are using in Observium and it is case sensitive.
So I had a hard time with Observium configuration and decided to just hack it up.
I have Observium installed in /opt/observium, so substitute accordingly.
Add the following to /opt/observium/config.php.

$config['nfsen_enable'] = 1;
$config['nfsen_rrds'] = /var/nfsen/profiles-stat/live/;
$config['nfsen_split_char'] = ;
$config['nfsen_suffix'] = ;

Enjoy your graphs.
2016-06-16_155352

Sending SNMP Traps of Windows Events

Furthering my build-out for a monitoring solution which includes Observium as the primary SNMP polling system, I am writing an application to handle SNMP traps from my Windows servers.
Most of my servers are Windows 2008 R2 or Windows 2012 R2. With that being said, I can use evntwin.exe on the servers to setup traps for specific event logs on my Windows servers and send them to my trap receiver to further classify and alert/notify.
There are a few steps involved in the overall process here.

Create a Custom Event Log Source

Before I can translate a specific event log entry, I create an event log source DevTrap and use an Event ID of 1000.  This is optional, as you’ll see in the next step you can dig right in and start filtering traps from any existing Event Log sources.

C:>eventcreate /T success /id 1000 /l application /d Test event to be trapped. /so DevTrap

2016-06-14_123757

Translate Events to Traps

Using evntwin.exe, I click on Custom and then Edit >>
2016-06-14_124208
From here, I can navigate the event log tree in the left pane and find my DevTrap source in the Application log.
2016-06-14_124334
Double clicking on the row will give me some properties for the event and allow me to modify when to generate the trap based on number of events within a specific time period.  I left this as default since I’ll be testing manually and this won’t generate hundreds of traps.
2016-06-14_124452
Now the event is listed in the Events to be translated to traps box.  I need to Apply and then Export the trap translations.  If I wanted to add more, I could simply keep going before clicking Apply and Export.
2016-06-14_124506
When the Export dialog box opens, it wants to know where to save the configuration for the translations.  Choose a location that makes sense.  After saving, you can close evntwin.exe program.
2016-06-14_124825

A Look at events.cnf

So the events.cnf file was exported in the previous step.  This file contains commands that will be used with evntcmd.exe to actually process and do something with the translations.  Here is what my file contains thus far.
2016-06-14_124937
The format of the #pragma add line is:

#pragma add <LogName> <SourceName> <EventID> <EventCount> <TimeInterval>

I need to add a trap destination and community to this file:

#pragma ADD_TRAP_DEST public 10.147.204.88

I add the line and save my changes and the file looks as follows.
2016-06-14_125836
Here is a useful table if you want to build the file manually and include the trap destination.  Find more information on the use of evntcmd.exe at Microsoft’s TechNet article.

ADD specifies that you want to add an event to trap configuration.
DELETE specifies that you want to remove an event to trap configuration
DELETE_TRAP_DEST specifies that you do not want trap messages to be sent to a specified host within a community
ADD_TRAP_DEST specifies that you want trap messages to be sent to a specified host within a community.
CommunityName specifies, by name, the community in which trap messages are sent.
HostID specifies, by name or IP address, the host to which you want trap messages to be sent
EventLogFile specifies the file in which the event is recorded
EventSource specifies the application that generates the event.
EventID specifies the unique number that identifies each event

Using evntcmd.exe

Now that I have the configuration file as needed, I use evntcmd.exe to configure the trap translations and trap destinations.  Run the command from an elevated command prompt.

evntcmd.exe events.cf

Here is what the output looks like after running the command.
2016-06-14_130149
At this point, any event logged in Application as source of DevTrap with ID of 1000 will send a trap to my manager on 10.147.204.88.  I can test this by generating an event and monitoring my trap manager server to make sure I see it come across.

C:>eventcreate /T success /id 1000 /l application /d Test event to be trapped. /so DevTrap