Dr.Web SNMP agent can act as data provider for any monitoring system that uses the SNMP protocol, versions 2c or 3. The list of data that is available for control and the data structure are described in the Dr.Web MIB description file DRWEB-SNMPD-MIB.txt supplied together with Dr.Web for UNIX Mail Servers. This file is located in the directory <opt_dir>/share/drweb-snmpd/mibs.
For easy configuration, the component is supplied with templates of settings for popular monitoring systems:
Customization templates for monitoring systems are located in the <opt_dir>/share/drweb-snmpd/connectors directory.
Integration with Munin Monitoring System
The Munin monitoring system includes the central server (master) munin, which collects statistics from clients munin-node residing locally on the monitored hosts. At request of the server, each monitoring client collects data about monitored host operation by starting plug-ins (plug-ins) that provide data transferred to the server.
To enable connection between Dr.Web SNMPD and the Munin monitoring system, a ready-to-use plug-in Dr.Web used by munin-node is supplied. The plug-in resides in the <opt_dir>/share/drweb-snmpd/connectors/munin/plugins directory. This plug-in collects data required for construction of the following two graphs:
•Number of detected threats.
•File scan statistics.
•Email message scanning statistics (it is possible to get email statistics only with the Dr.Web MailD component. Dr.Web MailD is not included in .
These plug-ins support SNMP protocols versions 1, 2c and 3. Based on these template plug-ins, you can create any other plug-ins to poll the status of Dr.Web for UNIX Mail Servers components via Dr.Web SNMPD.
In the <opt_dir>/share/drweb-snmpd/connectors/munin directory, the following files are located.
File |
Description |
|---|---|
plugins/snmp__drweb_malware |
The munin-node plug-in for polling Dr.Web SNMPD via SNMP to gather the number of threats detected by Dr.Web for UNIX Mail Servers on the host. |
plugins/snmp__drweb_filecheck |
The munin-node plug-in for polling Dr.Web SNMPD via SNMP to gather the statistics of files scanned by Dr.Web for UNIX Mail Servers on the host. |
plugins/snmp__drweb_maild_multi |
The munin-node plug-in used for polling Dr.Web SNMPD via SNMP to gather the statistics of email messages scanned by Dr.Web for UNIX Mail Servers on the host. Note that this plug-in uses the multigraph, a feature available in Munin version above 1.4. |
plugin-conf.d/drweb.cfg |
An example of the munin-node configuration for the environment variables of the Dr.Web plug-ins. |
Connecting a host to Munin
In the present instruction, it is assumed that the Munin monitoring system is already deployed on the monitoring server and the monitored host features an installed and functioning Dr.Web SNMPD (it is possible for the component to function in proxy mode together with snmpd) and munin-node.
1.Monitored host configuration
•Copy the snmp__drweb_* files to the directory with plug-in libraries munin-node (the directory depends on the OS). For example, in Debian/Ubuntu operating systems, the path is /usr/share/munin/plugins.
•Configure munin-node by connecting to it the supplied Dr.Web plug-ins. To do this, use the munin-node-configure utility that is distributed with munin-node.
For example, the following command:
$ munin-node-configure --shell --snmp localhost |
will display on a terminal screen a list of commands for creation of required symbolic links to plug-ins. Copy and execute them in the command line. Note that the specified command presumes that:
1)munin-node is installed at the same host where Dr.Web SNMPD is installed. If it is not the case, please specify the correct FQDN or an IP address of the monitored host instead of a localhost value;
2)Dr.Web SNMPD uses SNMP version 2c. If it is not the case, specify the correct SNMP version in munin-node-configure command. The command has several arguments for flexible configuration of plug-ins, e.g., you can specify the SNMP protocol version, port that is listened by SNMP agent at the monitored host, an actual value of the community string, and so on. If required, refer to the manual on munin-node-configure command.
•If necessary, define (or redefine) parameter values of the environment, where installed Dr.Web plug-ins for munin-node must be executed. As the environment parameters, the value community string is used. It is the port utilized by the SNMP agent, and so on. These parameters must be defined in the file /etc/munin/plugin-conf.d/drweb (create it if required). As an example of this file, use the supplied file drweb.cfg.
•In the munin-node configuration file (munin-node.conf), specify a regular expression to include all IP addresses of hosts that are allowed to connect munin servers (masters) to munin-node for receiving the values of the monitored parameters, for example:
allow ^10\.20\.30\.40$ |
In this case, only the IP address 10.20.30.40 is allowed to receive host parameters.
•Restart munin-node, for example, by using the following command:
# service munin-node restart |
2.Munin server (master) configuration
Add the address and identifier of the monitored host to the Munin configuration file munin.conf, which is located, by default, in /etc directory (in Debian/Ubuntu operating systems it is /etc/munin/munin.conf):
[<ID>;<hostname>.<domain>] |
where <ID> is the displayed host identifier, <hostname> is the name of the host, <domain> is the name of the domain, <host IP address> is the IP address of the host.
For official documentation on configuration of the Munin monitoring system, refer to http://guide.munin-monitoring.org/en/latest.
Integration with Zabbix Monitoring System
File templates, required for establishing connection between Dr.Web SNMPD and the Zabbix monitoring system, are located in the <opt_dir>/share/drweb-snmpd/connectors/zabbix directory.
File |
Description |
|---|---|
zbx_drweb.xml |
Template for description of the monitored host that features installed Dr.Web for UNIX Mail Servers |
snmptt.drweb.zabbix.conf |
Configuring the snmptt utility—which is an SNMP traphandler |
Template for description of the monitored host features:
•Description of counters (“items”, according to the terminology of Zabbix). By default, the template is set to be used with SNMP v2.
•The set of predefined graphs: number of scanned files and distribution of detected threats by their type.
Connecting a host to Zabbix
In the present instruction, it is assumed that the Zabbix monitoring system is already deployed on the monitoring server and the monitored host features an installed and functioning Dr.Web SNMPD (it is possible for the component to function in proxy mode together with snmpd). Moreover, if you want to receive SNMP trap notifications from the monitored host (including notification on threats detected by Dr.Web for UNIX Mail Servers on a protected server), install the net-snmp package on the monitoring server (standard tools snmptt and snmptrapd are used).
1.In the Zabbix web interface, on the Configuration → Templates tab import the template of the monitored host from the <opt_dir>/share/drweb-snmpd/connectors/zabbix/zbx_drweb.xml file.
2.Add the monitored host to the appropriate list (at Hosts → Create host). Specify correct parameters of the host and settings of the SNMP interface (they must match the settings of drweb-snmpd and snmpd on the host):
•The Host tab:
Host name: drweb-host
Visible name: DRWEB_HOST
Groups: select Linux servers
Snmp interfaces: Click Add specify the IP address and port are used by Dr.Web SNMPD (it is considered that Dr.Web SNMPD operates on the local host, so the address 127.0.0.1 and the port 161 are specified by default).
•The Templates tab:
Press Add, check DRWEB, press Select.
•The Macros tab:
Macro: {$SNMP_COMMUNITY}
Value: specify “read community” for SNMP V2c (by default, public).
Click Save.
Note: The {$SNMP_COMMUNITY} macro can be specified directly in the host template.
|
By default, the imported DRWEB template is configured for SNMP v2. If you need to use another version of SNMP, edit the template accordingly on the appropriate page. |
3.After the template is bound to the monitored host, if SNMP settings are specified correctly, the Zabbix monitoring system will start to collect data for counters (items) of the template; the collected data will be displayed on the Monitoring → Latest Data and Monitoring → Graphs.
4.A special item drweb-traps is used for collecting SNMP trap notifications from Dr.Web SNMPD. The log pf received SNMP trap notifications is available on the Monitoring → Latest Data → drweb-traps –> history page. To collect notifications, Zabbix uses standard tools snmptt and snmptrapd from the net-snmp package. For details on how to configure the tools for receiving SNMP trap notifications from Dr.Web SNMPD, see below.
5.If necessary, you can configure a trigger that will change its state upon receiving an SNMP trap notification from Dr.Web SNMPD. Changing of its state can be used as an event source for generation appropriate notifications. The example below shows an expression for configuration of a trigger; the expression is specified in the trigger expression field:
•For Zabbix versions 2.x:
({TRIGGER.VALUE}=0 & {DRWEB:snmptrap[.*\.1\.3\.6\.1\.4\.1\.29690\..*].nodata(60)}=1 )|({TRIGGER.VALUE}=1 & {DRWEB:snmptrap[.*\.1\.3\.6\.1\.4\.1\.29690\..*].nodata(60)}=0) |
•For Zabbix versions 3.x:
({TRIGGER.VALUE}=0 and {drweb-host:snmptrap[".29690."].nodata(60)}=1 ) or |
An event is triggered (the value is set to 1) if the log of SNMP trap notifications from Dr.Web SNMPD was updated within a minute. If the log was not updated within the next minute, the value of the trigger is set to 0 again.
In Severity, for this trigger it is recommended that notification type is different from Not classified, for example, Warning.
Configuring Receipt of SNMP trap notifications for Zabbix
1.On the monitored host, in Dr.Web SNMPD settings (the TrapReceiver parameter), you should specify an address to be listened by snmptrapd on the host where Zabbix operates, for example:
SNMPD.TrapReceiver = 10.20.30.40:162 |
2.In the configuration file of snmptrapd (snmptrapd.conf), specify the same address and an application for processing received SNMP trap notifications (in this example, snmptthandler, snmptt component):
snmpTrapdAddr 10.20.30.40:162 |
Add the following string to the file, so that snmptt does not discard SNMP trap sent by Dr.Web SNMPD as unknown:
outputOption n |
3.The snmptthandler component saves received SNMP trap notifications to the file on the disk in accordance with the specified format, which corresponds to the regular expression set in the host template for Zabbix (the item drweb-traps element). The SNMP trap format of the saved notification is specified in the <opt_dir>/share/drweb-snmpd/connectors/zabbix/snmptt.drweb.zabbix.conf. file. The file must be copied to /etc/snmp.
4.Moreover, the path to the format files must be specified in the snmptt.ini:
[TrapFiles] |
After that, restart snmptt if it was started in daemon mode.
5.In the configuration file of the Zabbix server (zabbix-server.conf), specify (or check if they are already specified) the following settings:
SNMPTrapperFile=/var/log/snmptt/snmptt.log |
where /var/log/snmptt/snmptt.log is a log file used by snmptt to register information on received SNMP trap notifications.
For official documentation on Zabbix, refer to https://www.zabbix.com/documentation/current/en.
Integration with Nagios Monitoring System
Files with Nagios configuration examples, required for establishing connection between Dr.Web SNMPD and the Nagios monitoring system, are located in the <opt_dir>/share/drweb-snmpd/connectors/nagios directory.
File |
Description |
|---|---|
nagiosgraph/rrdopts.conf-sample |
Example of the RRD configuration file |
objects/drweb.cfg |
Configuration file describing drweb objects |
objects/nagiosgraph.cfg |
The configuration file of the component for graph plotting used by Nagiosgraph used by Nagios |
plugins/check_drweb |
The script for collecting data from the host on which Dr.Web for UNIX Mail Servers is installed |
plugins/eventhandlers/submit_check_result |
The script for handling SNMP trap notifications |
snmp/snmptt.drweb.nagios.conf |
Configuring the snmptt utility—which is an SNMP traphandler |
Connecting a host to Nagios
In the present instruction, it is assumed that the Nagios monitoring system is already deployed on the monitoring server, including configuration of the web server and the graphical tool Nagiosgraph, and the monitored host features an installed and functioning Dr.Web SNMPD (it is possible for the component to function in proxy mode together with snmpd). Moreover, if you want to receive SNMP trap notifications from the monitored host (including notification on threats detected by Dr.Web for UNIX Mail Servers on a protected server), install the net-snmp package on the monitoring server (standard tools snmptt and snmptrapd are used).
In the current manual, the following path conventions are used (real paths depend on the operating system and Nagios installation):
•<NAGIOS_PLUGINS_DIR>—directory with Nagiosplug-ins, for example: /usr/lib64/nagios/plugins.
•<NAGIOS_ETC_DIR>—directory with Nagios settings, for example: /etc/nagios.
•<NAGIOS_OBJECTS_DIR>—directory with Nagios objects, for example: /etc/nagios/objects.
•<NAGIOSGRAPH_DIR>—Nagiosgraph directory, for example: /usr/local/nagiosgraph.
•<NAGIOS_PERFDATA_LOG>—file where Nagios records results of service check (must be the same as the perflog file from <NAGIOSGRAPH_DIR>/etc/nagiosgraph.conf). Records from this file are read by the <NAGIOSGRAPH_DIR>/bin/insert.pl script and are recorded to the corresponding RRA archives RRD Tool.
Configuring Nagios:
1.Copy the check_drweb file to the <NAGIOS_PLUGINS_DIR> directory and the drweb.cfg file to the <NAGIOS_OBJECTS_DIR> directory.
2.Add hosts with Dr.Web for UNIX Mail Servers that are to be monitored to the drweb group. On the hosts Dr.Web SNMPD must be running. By default, only localhost is added to this group.
3.If required, edit the check_drweb command which contains instruction to contact Dr.Web SNMPD on drweb hosts via the snmplwalk tool:
snmpwalk -c public -v 2c $HOSTADDRESS$:161 |
specify the correct version of SNMP protocol and parameters (such as “community string” or authentication parameters) as well as the port. The $HOSTADDRESS$ variable must be included in the command (as this variable is later automatically substituted by Nagios to the correct host address when the command is invoked). OID is not required in the command. It is also recommended that you specify the command together with the full path to the executable file (usually /usr/local/bin/snmpwalk).
4.Connect DrWeb objects in the <NAGIOS_ETC_DIR>/nagios.cfg configuration file by adding the following string to the file:
cfg_file=<NAGIOS_OBJECTS_DIR>/drweb.cfg |
5.Add RRD Tool settings for DrWeb graphics from the rrdopts.conf-sample file to the <NAGIOSGRAPH_DIR>/etc/rrdopts.conf file.
6.If Nagiosgraph is yet to be configured, do the following steps for its configuration:
•Copy the nagiosgraph.cfg file to the <NAGIOS_OBJECTS_DIR> directory and edit the path to the insert.pl script in the process-service-perfdata-for-nagiosgraph command; for example, as follows:
$ awk '$1 == "command_line" { $2 = "<NAGIOSGRAPH_DIR>/bin/insert.pl" }{ print }' ./objects/nagiosgraph.cfg > <NAGIOS_OBJECTS_DIR>/nagiosgraph.cfg |
•Connect this file in the <NAGIOS_ETC_DIR>/nagios.cfg configuration file by adding the following line to it:
cfg_file=<NAGIOS_OBJECTS_DIR>/nagiosgraph.cfg |
7.Check values of Nagios parameters in the <NAGIOS_ETC_DIR>/nagios.cfg configuration file:
check_external_commands=1 |
Configuring Receipt of SNMP trap notifications for Nagios
1.On the monitored host in Dr.Web SNMPD settings (the TrapReceiver parameter), specify an address to be listened by snmptrapd on the host where Nagios operates, for example:
SNMPD.TrapReceiver = 10.20.30.40:162 |
2.Check for existing the <NAGIOS_PLUGINS_DIR>/eventhandlers/submit_check_result script which will be invoked when SNMP trap is received. If the script is missing, copy the submit_check_result file to this location from the <opt_dir>/share/drweb-snmpd/connectors/nagios/plugins/eventhandlers/ directory. In this file, change the path specified in the CommandFile parameter. It must have the same value as the command_file parameter in the <NAGIOS_ETC_DIR>/nagios.cfg file.
3.Copy the snmptt.drweb.nagios.conf file to the /etc/snmp/snmp/ directory. In this file, change the path to the submit_check_result—for example, by using the following command:
$ awk '$1 == "EXEC" { $2 = <NAGIOS_PLUGINS_DIR>/eventhandlers/submit_check_result }{ print}' ./snmp/snmptt.drweb.nagios.conf > /etc/snmp/snmp/snmptt.drweb.nagios.conf |
4.Add the “ /etc/snmp/snmptt.drweb.nagios.conf” string to the /etc/snmp/snmptt.ini file. After that, restart snmptt if it was started in daemon mode.
After all required configuration files of Nagios are added and edited, run Nagios in debug mode by using the following command:
# nagios -v <NAGIOS_ETC_DIR>/nagios.cfg |
Upon receipt of this command, Nagios will check for configuration errors. If no error is found, Nagios can be restarted as usual (for example, by using the service nagios restart command).
For official documentation on Nagios, refer to https://www.nagios.org/documentation.