CustoSec:Check SNMP

From CustosecWiki
Basic Information on Check

  • Name of Check: SNMP Standard
  • Technical Name: check_snmp
  • Available in: Standard
  • Number of Arguments: 6
  • From Version: ARANSEC 2
  • Compatibility: All ARANSEC and CustoSec



Scope of Check

Standard check to monitor the status of a remote machine and obtain system information via SNMP (Simple Network Management Protocol). SNMP is typically supported by all IP-Network devices like Servers, Routers, Firewalls, Switches, Workstations, Printers, Cameras etc. In most cases, it has to be activated on the device. Once activated, all information provided by this device can be monitored with this check.

This check is used for monitoring one or multiple OIDs that deliver an integer value. A "WARNING" and a "CRITICAL" threshold can be entered to trigger notification.

A prefix and the units can be given as arguments, to make the output easier to read.


Requirements

For the check to work properly the following requirements must be met:

  • The check is configured as a service check on the target host that should be monitored.
  • SNMP must be activated on the target host, read-only and with a community name. It is also recommended to allow only the ARANSEC/CustoSec IP address to read SNMP information on the host. SNMP can easily be checked by starting a second session in a second browser tab and doing an SNMP walk with ARANSEC's SNMP-Walk function (bottom entry in the left-hand menu).
  • When working with OIDs it can be useful to have an explanation of individual OIDs at hand. A good resource for this is, e.g., the OID Repository, where more information on OIDs can be found.
  • The value returned from the SNMP query is expected as an unsigned integer. (There is a special SNMP check available for returned strings.)


Arguments

To configure the check, the following arguments are available:

Arg1: snmp-community
  • Allowed Arguments: string
  • Explanation: Community name for the SNMP agent. It is strongly recommended to change the default community on most systems from "public" to something like "aransec". Must be entered or the check cannot find the OID.
  • Example: custosec

Arg2: OID
  • Allowed Arguments: string
  • Explanation: Object identifier(s) or SNMP variable(s) (labels) that are to be monitored. These can be obtained either by doing an SNMP walk on the target system or by searching MIB databases. Must be entered or the check will time out and come back with a long description of options. It is possible to enter multiple OIDs separated by a comma or a space (internal spaces must be quoted with " "). The check will then return the values for each single OID.
  • Example: hrStorageUsed.1 | 1.3.6.1.2.1.25.2.3.1.6.1

Arg3: warn
  • Allowed Arguments: integer (range)
  • Explanation: Warning threshold range(s). The unit of measure, even though it is not entered here, must be the same as the one delivered by the OID (see the Notes at the end). Several values/ranges can be given when checking multiple OIDs; they have to be separated with commas.
  • Examples: 5000000
    5000000,7000000,4000000

Arg4: crit
  • Allowed Arguments: integer (range)
  • Explanation: Critical threshold range(s). The unit of measure, even though it is not entered here, must be the same as the one delivered by the OID (see the Notes at the end). Several values/ranges can be given when checking multiple OIDs; they have to be separated with commas.
  • Example: 1:10,15:,:35

Arg5: pref
  • Allowed Arguments: string
  • Explanation: Optional: prefix label for output. Can be left out. If Arg6 "Unit" is to be used, Arg5 should be entered as a blank between two separators "!". If Arg6 is not entered either, nothing has to be entered.
  • Example: Used

Arg6: unit
  • Allowed Arguments: string
  • Explanation: Optional: units label(s) for output data pieces.

Returned Values of the Check

The Check returns the following values and information.

Status: OK
  • Check Output: SNMP OK - value(s)
    Remarks: A value for each OID (in case of multiple OIDs) will be returned.
  • Service Performance: =value;warn;critical; [=value;warn;critical;]...
    Remarks: The "equals" sign is a fixed character between the optional prefix and the value. If no prefix is given, it will stay. When multiple OIDs are given, their return values follow the semicolon after the "critical"; they are named and shown with their value (and WARN, CRITICAL).

Status: WARNING
  • Check Output: SNMP WARNING - *value*
  • Service Performance: =value;warn;critical;
    Remarks: The "equals" sign is a fixed character between the optional prefix and the value. If no prefix is given, it will stay. When multiple OIDs are given, their return values follow the semicolon after the "critical"; they are named and shown with their value.

Status: CRITICAL
  • Check Output: SNMP CRITICAL - *value*
  • Service Performance: =value;warn;critical;
    Remarks: The "equals" sign is a fixed character between the optional prefix and the value. If no prefix is given, it will stay. When multiple OIDs are given, their return values follow the semicolon after the "critical"; they are named and shown with their value.

Status: UNKNOWN
  • Check Output: reason
    Remarks: The check will come back with "Unknown" if an argument is missing or wrong (e.g. the OID). The reason will be displayed in the check output (e.g. "Range format incorrect"). In some cases a very long description of possible options of the check will be displayed.


Examples

The following examples explain the usage of the check and how the arguments are entered in ARANSEC.
(Please note: a pipe character in the example fields separates different options. Exception: within the "Output" lines, the pipe character is real and marks the division between the check's output and the check's performance data.)

Example: !custosec!hrStorageUsed.1!5000000!7000000!
Description: On a remote system, the OID "hrStorageUsed.1" is queried. The SNMP community on this system is "custosec". The check will go into "WARNING" status if the used storage space (represented in units, according to hrStorageAllocationUnits; see the Notes below for details) is greater than 5.000.000 Units, and it will go into "CRITICAL" status when more than 7.000.000 Units are used.
Status: Critical
Output: SNMP CRITICAL - -u *15186575* | -u=15186575;5000000;7000000;

Example: !custosec!hrStorageUsed.1!5000000!7000000!Used!Units
Description: Like the example above, but with an optional prefix and an optional units label.
Status: Critical
Output: SNMP CRITICAL - Used *15186415* Units | Used=15186415Units;5000000;7000000;

Example: !custosec!hrStorageUsed.1!5000000!7000000!Used! in Units of 4.096 Bytes
Description: Like the examples above, but now the prefix and the label are used to make the output read correctly.
Status: Critical
Output: SNMP CRITICAL - Used *15186620* in Units of 4.096 Bytes | Used=15186620in Units of 4.096 Bytes;5000000;7000000;

Example: !custosec!hrStorageUsed.1!50000000!70000000!
Description: Like the first example above, but with higher "WARNING" and "CRITICAL" thresholds to provoke an "OK".
Status: OK
Output: SNMP OK - 15186849 | =15186849;50000000;70000000;

Example: !custosec!hrStorageUsed.2 hrStorageUsed.3 hrStorageUsed.4!
Description: This time a list of OIDs is checked without "WARNING" and "CRITICAL" thresholds. The OIDs are separated by a space; it could be a comma as well. No "Warn" and "Critical" arguments are given, which leads the check to come back with a "Warning", since the warning argument will be interpreted as "0". Critical stays empty.
Output: SNMP WARNING - *15186841* 2117989 952306 | =15186841;0;; HOST-RESOURCES-MIB::hrStorageUsed.3=2117989 HOST-RESOURCES-MIB::hrStorageUsed.4=952306

Example: !custosec!hrStorageUsed.2 hrStorageUsed.3 hrStorageUsed.4!10000000,8000000,5000000!200000000,10000000,7000000!
Description: This time again a list of OIDs is checked, but with "WARNING" and "CRITICAL" thresholds. The OIDs are separated by a space; it could be a comma as well. The "WARNING" and "CRITICAL" arguments are also given as comma-separated lists.
Output: SNMP WARNING - -u *15186890* 2118019 952306 | -u=15186890;10000000;200000000; HOST-RESOURCES-MIB::hrStorageUsed.3=2118019;8000000;10000000; HOST-RESOURCES-MIB::hrStorageUsed.4=952306;5000000;7000000;

Example: !custosec!.1.3.6.1.4.1.641.6.4.2.1.1.4.1.9!2000!5000!Total Printed !Pages
Description: This is a check to monitor the page counter of a single Lexmark laser printer (Vendor No.: 641, from the private MIB) with a Warning for 2.000 Pages and a Critical for 5.000 Pages. Prefix ("Total Printed") and Units ("Pages") are given as well.
Output: SNMP OK - Total Printed 1494 Pages | Total Printed =1494cPages;2000;5000;

Example: !custosec!.1.3.6.1.2.1.43.11.1.1.9.1.2!@3000:4000!@1:501! !Imprints
Description: This example shows the usage of ranges. The OID used is a standard OID that provides the filling level of a printer cartridge, expressed in available imprints. In this example the "WARNING" argument is set to a range from 3000 to 4000 imprints and the "CRITICAL" argument to a non-adjacent range from 1 to 501 imprints.
Output: SNMP WARNING - *3200* Imprints | =3200Imprints;4000;501;

Example: !!custosec!.1.3.6.1.4.1.14848.2.1.2.1.4.4!50!90! !
Description: This and the next example show another usage of ranges. This time the check is calling the OID of a contact sensor attached to an E-Box. The output of this OID can either be "0" (which means contact sensor closed) or "100" (contact open).
The example here is the standard configuration in ARANSEC. The warning value, set to "50", will never occur, since the E-Box only delivers the two values "0" or "100". The critical value, set to 90, will occur when the contact sensor is opened and the value delivered is "100". In this case, the "Critical" status would be issued.
Status: OK
Output: SNMP OK - 0 | =0;50;90;

Example: !!custosec!.1.3.6.1.4.1.14848.2.1.2.1.4.4!40:50!@0:5! !
Description: This is the same example as above to check a contact sensor, but this time the alarming behavior has been turned around.
The warning value, set to "40:50", means only values greater than 40 and less than 50. Again, this will never happen, since the E-Box only delivers the two values "0" or "100".
The critical value, set to "@0:5", means anything within the range from 0 to 5 (including endpoints) is "CRITICAL". Thus, the check would turn "CRITICAL" when the contact sensor is closed.
And since everything else is interpreted as "OK", the check would return "OK" when the contact sensor is open.
Read more on Ranges.
Status: CRITICAL
Output: SNMP CRITICAL - 0 root@192.168.77.10 rpmforge-release-0.3.6-1.el5.rf.x86_64.rpm | =0;50;5;
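
A pre-flight lint for argument strings like the ones above, as an added example (not part of the original page or of ARANSEC/CustoSec). It checks syntax only, against the rules stated on this page; the function name, the treatment of leading "!" separators, and the rule that more thresholds than OIDs is a mistake are assumptions.

```python
import re

# Threshold forms shown on this page: "5000000", "1:10", "15:", ":35", "@3000:4000".
# Syntax only; which side of a range alerts is not evaluated here.
RANGE_RE = re.compile(r"@?(\d+|\d+:\d*|:\d+)")

def lint(arg_string):
    """Return findings for one "!"-separated argument string; [] means nothing flagged."""
    # Assumption: leading "!" separators are decoration (the page shows "!" and "!!").
    fields = arg_string.lstrip("!").split("!")
    if len(fields) > 6:
        return [f"{len(fields)} arguments given, the check takes 6"]
    community, oids, warn, crit, _prefix, _unit = fields + [""] * (6 - len(fields))
    findings = []
    if not community.strip():
        findings.append("Arg1: community is empty")
    elif community.strip().lower() == "public":
        findings.append("Arg1: default community 'public' in use")
    # OIDs may be separated by commas or spaces; quotes around spaces are dropped.
    oid_list = [o for o in re.split(r'[,\s"]+', oids) if o]
    if not oid_list:
        findings.append("Arg2: no OID given")
    for name, raw in (("Arg3 warn", warn), ("Arg4 crit", crit)):
        entries = [e.strip() for e in raw.split(",")] if raw.strip() else []
        bad = [e for e in entries if not RANGE_RE.fullmatch(e)]
        if bad:
            findings.append(f"{name}: malformed threshold(s) {bad}")
        # Assumption: more thresholds than OIDs is a typing mistake.
        if len(entries) > len(oid_list):
            findings.append(f"{name}: {len(entries)} thresholds for {len(oid_list)} OID(s)")
    if not warn.strip():
        # Per the page: an empty warn argument is read as 0 and yields WARNING.
        findings.append("Arg3 warn: empty, read as 0, check returns WARNING")
    return findings

if __name__ == "__main__":
    samples = [  # the first three are from the page, the last one is constructed
        "!custosec!hrStorageUsed.1!5000000!7000000!Used!Units",
        "!!custosec!.1.3.6.1.4.1.14848.2.1.2.1.4.4!40:50!@0:5! !",
        "!custosec!hrStorageUsed.2 hrStorageUsed.3 hrStorageUsed.4!",
        "!public!hrStorageUsed.1!5000000;7000000!",
    ]
    for s in samples:
        print(s, "->", lint(s) or "ok")
```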

Notes

  • Don't get tricked by SNMP information: in the above examples, the OID "hrStorageUsed" returns a value (in our examples) of 15.186.575 Units. On an HP server running a 32-bit Windows operating system, these units represent 4.096 bytes (as returned by the OID "hrStorageAllocationUnits"). This means the returned value of 15.186.575 Units equals (15.186.575 x 4.096) 62.204.211.200 Bytes (=57,93 GB). It should be kept in mind that the same logic has to apply to the "Warn" and "Critical" values, which have to be calculated in Units. When using this check, it is recommended to check the full OID table (in this case "hrStorageTable") to understand the unit of measure of the individual MIB.
  • Be careful when entering an OID, since OIDs are case sensitive. The OID should always be complete, including the device index number.
  • It does not matter whether the MIB that is monitored is a private MIB or a standard MIB. In a lot of cases, device manufacturers offer additional MIBs to monitor their devices. This depends on the manufacturer, the software version, etc. An SNMP walk on the targeted device will show the available OIDs.
  • If the host to be monitored runs the SNMP service on a different port (default is port 161), use Check SNMP Free Port.
  • WARNING and CRITICAL can be input as ranges. These do not have to be adjacent! Read more about Ranges.