Integration with Monitoring Systems

The Dr.Web SNMP agent can act as a data provider for any monitoring system that uses SNMP 2c or 3. The list of data available for monitoring and their structure are provided in the Dr.Web MIB description file DRWEB-SNMPD-MIB.txt supplied together with Dr.Web for UNIX Mail Servers. This file is located in the <opt_dir>/share/drweb-snmpd/mibs directory.

For ease of configuration, the component is supplied with the required configuration templates for popular monitoring systems:

Munin

Nagios

Zabbix

Configuration templates for monitoring systems are located in the <opt_dir>/share/drweb-snmpd/connectors directory.

Integration with the Munin Monitoring System

The Munin monitoring system includes a munin centralized server (master), which collects statistics from munin-node clients installed locally on hosts to be monitored. At the request of the server, each monitoring client collects data about monitored host operation by starting plug-ins that provide data to be sent to the server.

To connect Dr.Web SNMPD to the Munin monitoring system, ready-to-use Dr.Web data collection plug-ins used by munin-node are supplied. These plug-ins are located in the <opt_dir>/share/drweb-snmpd/connectors/munin/plugins directory and collect data required for drawing the following graphs:

a number of detected threats;

file scan statistics;

statistics on email message scanning produced by the Dr.Web MailD component.

These plug-ins support SNMP 1, 2c and 3. Based on these template plug-ins, you can create any other plug-ins to poll the status of Dr.Web for UNIX Mail Servers components via Dr.Web SNMPD.

The <opt_dir>/share/drweb-snmpd/connectors/munin directory contains the following files.

File

Description

plugins/snmp__drweb_malware

munin-node plug-in for polling Dr.Web SNMPD via SNMP to get a number of threats detected by Dr.Web for UNIX Mail Servers on the host.

plugins/snmp__drweb_filecheck

munin-node plug-in for polling Dr.Web SNMPD via SNMP to gather statistics on scanning files by Dr.Web for UNIX Mail Servers on the host.

plugins/snmp__drweb_maild_multi

munin-node plug-in for polling Dr.Web SNMPD via SNMP to gather statistics on scanning email messages by Dr.Web for UNIX Mail Servers on the host.

This plug-in uses multigraph—a feature available in Munin later than 1.4.

 

plugin-conf.d/drweb.cfg

Example of the munin-node configuration for the runtime environment variables of the Dr.Web plug-ins.

Connecting a host to Munin

This instruction assumes that the Munin monitoring system is already deployed on the monitoring server, and the monitored host features installed and functioning Dr.Web SNMPD (optionally, in proxy mode together with snmpd) and munin-node.

1.Monitored host configuration

Copy the snmp__drweb_* files to the directory containing munin-node plug-in libraries. This path depends on the OS, for example, the path is /usr/share/munin/plugins on Debian and Ubuntu.

Configure munin-node by connecting the supplied Dr.Web plug-ins to it. To do this, use the munin-node-configure utility, which is distributed with munin-node.

For example, the command:

$ munin-node-configure --shell --snmp localhost

will display a list of commands for creation of required symbolic links to plug-ins on a terminal screen. Copy and run them in the command line. The specified command presumes that:

1)munin-node is installed on the same host as Dr.Web SNMPD. Otherwise, specify a valid FQDN or IP address of the monitored host instead of localhost.

2)Dr.Web SNMPD uses SNMP 2c. Otherwise, specify the correct SNMP version for the munin-node-configure command. This command accepts a set of parameters for flexible configuration of plug-ins, for example, you can specify the SNMP version in use, a port that is used by an SNMP agent at the monitored host, a value of community string and so on. If required, refer to the manual for the munin-node-configure command.

If necessary, define or redefine parameter values of the environment where the installed Dr.Web plug-ins for munin-node must be run. As the environment parameters, the value of community string, the port used by the SNMP agent and so on are used. These parameters must be defined in the /etc/munin/plugin-conf.d/drweb file (create it if required). You can use the supplied drweb.cfg file as an example.

In the munin-node configuration file (munin-node.conf), specify a regular expression to include IP addresses of hosts that are allowed to connect munin servers (masters) to munin-node on the current host for receiving the values of the monitored parameters, for example:

allow ^10\.20\.30\.40$

In this case, only a host with the IP address of 10.20.30.40 is allowed to receive the parameters of that host.

Restart munin-node, for example, with the command:

# service munin-node restart

2.Munin server (master) configuration

Add the address and identifier of the monitored host to the Munin configuration file (munin.conf), which is located, by default, in the /etc directory (/etc/munin/munin.conf on Debian and Ubuntu):

[<ID>;<hostname>.<domain>]
address <host IP address>
use_node_name yes

where <ID> is the displayed host identifier, <hostname> is the name of the host, <domain> is the name of the domain, <host IP address> is the IP address of the host.

For official documentation on configuring the Munin monitoring system, refer to http://guide.munin-monitoring.org/en/latest.

Integration with the Zabbix Monitoring System

The <opt_dir>/share/drweb-snmpd/connectors/zabbix directory contains the following template files required for connecting Dr.Web SNMPD to the Zabbix monitoring system:

File

Description

zbx_drweb.xml

Template for description of the monitored host that features installed Dr.Web for UNIX Mail Servers.

snmptt.drweb.zabbix.conf

Settings of the snmptt utility, which receives SNMP trap notifications.

The template for description of the monitored host features:

A set of descriptions of counters (“items” in the terminology of Zabbix). By default, the template is set to be used with SNMP v2.

A set of predefined graphs: a number of scanned files and distribution of detected threats by their types.

Connecting a host to Zabbix

In the present instruction, it is assumed that the Zabbix monitoring system is already properly deployed on the monitoring server and the monitored host features an installed and properly functioning Dr.Web SNMPD (optionally, in proxy mode together with snmpd). Furthermore, if you want to receive SNMP trap notifications from the monitored host (including notification of threats detected by Dr.Web for UNIX Mail Servers on the protected server), install the net-snmp package on the monitoring server (the snmptt and snmptrapd standard tools are used).

1.In the Zabbix web interface, on the Configuration → Templates tab, import the template of the monitored host from the file <opt_dir>/share/drweb-snmpd/connectors/zabbix/zbx_drweb.xml.

2.Add the monitored host to the list of hosts (at Hosts → Create host). Specify parameters of the host and valid settings of the SNMP interface (they must match the settings of drweb-snmpd and snmpd on the host):

Host tab:

Host name: drweb-host

Visible name: DRWEB_HOST

Groups: select Linux servers

Snmp interfaces: click Add and specify the IP address and the port used by Dr.Web SNMPD (by default, it is assumed that Dr.Web SNMPD operates on the local host, so the address 127.0.0.1 and the standard port 161 are indicated here).

Templates tab:

Click Add, select DRWEB, click Select.

Macros tab:

Macro: {$SNMP_COMMUNITY}

Value: select read community for SNMP V2c (public by default).

Click Save.

The {$SNMP_COMMUNITY} macro can be specified directly in the host template.

 

By default, the imported DRWEB template is configured for SNMP v2. If you need to use another version of SNMP, edit the template on the corresponding page.

3.After the template is bound to the monitored host, if SNMP settings are valid, the Zabbix monitoring system will start to collect data for counters (items) of the template. The collected data will be displayed on the following tabs of the web interface: Monitoring → Latest Data and Monitoring → Graphs.

4.A special item drweb-traps is used for collecting SNMP trap notifications from Dr.Web SNMPD. The log of received SNMP trap notifications is available on the page Monitoring → Latest Data → drweb-trapshistory. To collect notifications, Zabbix uses the standard snmptt and snmptrapd utilities from the net-snmp package. For details on how to configure these utilities for receiving SNMP trap notifications from Dr.Web SNMPD, see below.

5.If necessary, you can configure a trigger for the added monitored host. The trigger will change its state upon receiving SNMP trap notifications from Dr.Web SNMPD. Changing the state of this trigger can be used as an event source for generating corresponding notifications. A trigger for the monitored host is added in a common way. The example below shows an expression specified in the trigger expression field for the aforesaid trigger.

For Zabbix 2.x:

({TRIGGER.VALUE}=0 & {DRWEB:snmptrap[.*\.1\.3\.6\.1\.4\.1\.29690\..*].nodata(60)}=1 )|({TRIGGER.VALUE}=1 & {DRWEB:snmptrap[.*\.1\.3\.6\.1\.4\.1\.29690\..*].nodata(60)}=0)

For Zabbix 3.x:

({TRIGGER.VALUE}=0 and {drweb-host:snmptrap[".29690."].nodata(60)}=1 ) or
({TRIGGER.VALUE}=1 and {drweb-host:snmptrap[".29690."].nodata(60)}=0 )

This trigger is activated (its value is set to 1) if the log of SNMP trap notifications from Dr.Web SNMPD was updated within the last minute. If the log was not updated within the last minute, the trigger is deactivated (its value is set to 0).

It is recommended that a notification type different from Not classified, for example, Warning, is indicated in the Severity field for this trigger.

Configuring receipt of SNMP trap notifications for Zabbix

1.On the monitored host, in Dr.Web SNMPD settings (the TrapReceiver parameter), specify an address to be listened by snmptrapd on the Zabbix host, for example:

SNMPD.TrapReceiver = 10.20.30.40:162

2.In the snmptrapd configuration file (snmptrapd.conf), specify the same address and an application for processing received SNMP trap notifications (in this example, snmptthandler, which is a component of snmptt):

snmpTrapdAddr 10.20.30.40:162
traphandle default /usr/sbin/snmptthandler

Add the following line to the file, so that snmptt does not discard SNMP trap notifications sent by Dr.Web SNMPD, as unknown:

outputOption n

3.The snmptthandler component stores received SNMP trap notifications on the file on the disk in accordance with the specified format, which must correspond to the regular expression set in the host template for Zabbix (the drweb-traps item). The format of the stored message on the SNMP trap notification is specified in the <opt_dir>/share/drweb-snmpd/connectors/zabbix/snmptt.drweb.zabbix.conf file, which must be copied to the /etc/snmp directory.

4.Furthermore, the path to the format files must be specified in the snmptt.ini configuration file:

[TrapFiles]
# A list of snmptt.conf files (this is NOT the snmptrapd.conf file).
# The COMPLETE path and filename. Ex: '/etc/snmp/snmptt.conf'
snmptt_conf_files = <<END
/etc/snmp/snmptt.conf
/etc/snmp/snmptt.drweb.zabbix.conf
END

After that, restart snmptt if it was started in daemon mode.

5.Specify the following settings (or check if they are already specified) in the configuration file of the Zabbix server (zabbix-server.conf):

SNMPTrapperFile=/var/log/snmptt/snmptt.log
StartSNMPTrapper=1

where /var/log/snmptt/snmptt.log is a log file used by snmptt to register information about received SNMP trap notifications.

For official documentation on Zabbix, refer to https://www.zabbix.com/documentation/current/en.

Integration with the Nagios Monitoring System

The <opt_dir>/share/drweb-snmpd/connectors/nagios directory contains the following Nagios example configuration files required for connecting Dr.Web SNMPD to the Nagios monitoring system:

File

Description

nagiosgraph/rrdopts.conf-sample

Example of the RRD configuration file.

objects/drweb.cfg

Configuration file describing drweb objects.

objects/nagiosgraph.cfg

Configuration file of the Nagiosgraph component for graph plotting, used by Nagios.

plugins/check_drweb

Script for collecting data from a Dr.Web for UNIX Mail Servers host.

plugins/eventhandlers/submit_check_result

Script for handling SNMP trap notifications.

snmp/snmptt.drweb.nagios.conf

Settings of the snmptt utility, which receives SNMP trap notifications.

Connecting a host to Nagios

In the present instruction, it is assumed that the Nagios monitoring system is already properly deployed on the monitoring server (including configuring the web server and the Nagiosgraph graphical tool) and the monitored host features installed and properly functioning Dr.Web SNMPD (optionally, in proxy mode together with snmpd). Furthermore, if you want to receive an SNMP trap notification from the monitored host (including notifications of threats detected by Dr.Web for UNIX Mail Servers on the protected server), install the net-snmp package on the monitoring server (the snmptt and snmptrapd standard utilities are used).

In the current manual, the following path conventions are used (actual paths depend on the operating system and Nagios installation):

<NAGIOS_PLUGINS_DIR>—directory with Nagios plug-ins, for example, /usr/lib64/nagios/plugins.

<NAGIOS_ETC_DIR>—directory with Nagios settings, for example, /etc/nagios.

<NAGIOS_OBJECTS_DIR>—directory with Nagios objects, for example, /etc/nagios/objects.

<NAGIOSGRAPH_DIR>—Nagiosgraph directory, for example, /usr/local/nagiosgraph.

<NAGIOS_PERFDATA_LOG>—file in which Nagios stores results obtained from running service scan commands (must be the same as the perflog file from <NAGIOSGRAPH_DIR>/etc/nagiosgraph.conf). Records from this file are read by the <NAGIOSGRAPH_DIR>/bin/insert.pl script and are written to the corresponding RRA archives of RRDtool.

Nagios configuration

1.Copy the check_drweb file to the <NAGIOS_PLUGINS_DIR> directory and the drweb.cfg file to the <NAGIOS_OBJECTS_DIR> directory.

2.Add Dr.Web for UNIX Mail Servers hosts to be monitored to the drweb group (Dr.Web SNMPD must be running on them). By default, only the localhost local host is added to this group.

3.If required, edit the check_drweb command to communicate with Dr.Web SNMPD on drweb hosts via the snmplwalk utility:

snmpwalk -c public -v 2c $HOSTADDRESS$:161

Specify the correct SNMP version and such parameters as community string, or authentication parameters as well as a port. The $HOSTADDRESS$ variable must be included in the command (as this variable is later automatically substituted by Nagios with the correct host address when the command is invoked). It is not required to indicate OID in the command. It is also recommended that you specify the command together with the full path to the executable file (usually /usr/local/bin/snmpwalk).

4.Connect DrWeb objects in the <NAGIOS_ETC_DIR>/nagios.cfg configuration file by appending it with the following line:

cfg_file=<NAGIOS_OBJECTS_DIR>/drweb.cfg

5.Add RRDtool settings for DrWeb graphs from the rrdopts.conf-sample file to the <NAGIOSGRAPH_DIR>/etc/rrdopts.conf file.

6.Configure the Nagiosgraph component if it is still not configured:

Copy the nagiosgraph.cfg file to the <NAGIOS_OBJECTS_DIR> directory and edit the path to the insert.pl script in the process-service-perfdata-for-nagiosgraph command, for example, as follows:

$ awk '$1 == "command_line" { $2 = "<NAGIOSGRAPH_DIR>/bin/insert.pl" }{ print }' ./objects/nagiosgraph.cfg > <NAGIOS_OBJECTS_DIR>/nagiosgraph.cfg

Connect this file in the <NAGIOS_ETC_DIR>/nagios.cfg configuration file by appending the following line to it:

cfg_file=<NAGIOS_OBJECTS_DIR>/nagiosgraph.cfg

7.Verify Nagios parameter values in the <NAGIOS_ETC_DIR>/nagios.cfg configuration file:

check_external_commands=1
execute_host_checks=1
accept_passive_host_checks=1
enable_notifications=1
enable_event_handlers=1
 
process_performance_data=1
service_perfdata_file=/usr/nagiosgraph/var/rrd/perfdata.log
service_perfdata_file_template=$LASTSERVICECHECK$||$HOSTNAME$||$SERVICEDESC$||$SERVICEOUTPUT$||$SERVICEPERFDATA$
service_perfdata_file_mode=a
service_perfdata_file_processing_interval=30
service_perfdata_file_processing_command=process-service-perfdata-for-nagiosgraph
 
check_service_freshness=1
enable_flap_detection=1
enable_embedded_perl=1
enable_environment_macros=1

Configuring receipt of SNMP trap notifications for Nagios

1.On the monitored host, in Dr.Web SNMPD settings (the TrapReceiver parameter), specify an address to be listened by snmptrapd on the Nagios host, for example:

SNMPD.TrapReceiver = 10.20.30.40:162

2.Ensure the existence of the <NAGIOS_PLUGINS_DIR>/eventhandlers/submit_check_result script to be run when SNMP trap notifications are received. If such script does not exist, copy the submit_check_result file to this location from the <opt_dir>/share/drweb-snmpd/connectors/nagios/plugins/eventhandlers/ directory. Change the path in this file; the path is specified in the CommandFile parameter. It must have the same value as the command_file parameter in the <NAGIOS_ETC_DIR>/nagios.cfg file.

3.Copy the snmptt.drweb.nagios.conf file to the /etc/snmp/snmp/ directory. Change the path to the submit_check_result script in this file, for example, with the command:

$ awk '$1 == "EXEC" { $2 = <NAGIOS_PLUGINS_DIR>/eventhandlers/submit_check_result }{ print}' ./snmp/snmptt.drweb.nagios.conf > /etc/snmp/snmp/snmptt.drweb.nagios.conf

4.Add the “/etc/snmp/snmptt.drweb.nagios.conf” line to the /etc/snmp/snmptt.ini file. After that, restart snmptt if it was started in daemon mode.

After all required Nagios configuration files are added and edited, run Nagios in debug mode with the command:

# nagios -v <NAGIOS_ETC_DIR>/nagios.cfg

Here, Nagios will check for configuration errors. If no errors have been found, restart Nagios in the usual manner, for example, with the command:

# service nagios restart

For official documentation for Nagios, refer to https://www.nagios.org/documentation.