From chirag.parikh at thomsonreuters.com Thu Feb 3 18:24:10 2011
From: chirag.parikh at thomsonreuters.com (chirag.parikh at thomsonreuters.com)
Date: Thu, 3 Feb 2011 18:24:10 -0500
Subject: Auto-discovery in a given subnet
In-Reply-To: <41AE2995626088468C886E1E688BD6020213AB4EA0@TFUSNJPSCMBX04.ERF.THOMSON.COM>
References: <21E92654447C56418B4186BC3E9C9A322084A7CEFB@horus.h2.com> <4CCF2F8F.1090200@jeremykister.com> <41AE2995626088468C886E1E688BD6020213AB4EA0@TFUSNJPSCMBX04.ERF.THOMSON.COM>
Message-ID: <6E29A4562D245549B6A3EA1B18A0CE460CC2CFA2@TFUSNJPSCMBX04.ERF.THOMSON.COM>

Hi,

Is this doable?

-Chirag.

-----Original Message-----
From: Parikh, Chirag (M RTT)
Sent: Thursday, February 03, 2011 1:58 AM
To: Discussion about Argus
Subject: Auto-discovery in a given subnet

Hi,

I'm actively using Argus and love its simplicity and flexibility. I have
encountered a scenario where I'm stuck. I need to configure so a
specific subnet is being scanned and report the objects that respond to
ping. That is if someone adds a machine in the network it should show up
in argus and start monitoring it with default services Ping and HTTP, etc.

How would I code this?

Much thanks in advance!
Chirag.

From argus-02 at jeremykister.com Thu Feb 3 21:20:32 2011
From: argus-02 at jeremykister.com (Jeremy Kister)
Date: Thu, 03 Feb 2011 21:20:32 -0500
Subject: Auto-discovery in a given subnet
In-Reply-To: <6E29A4562D245549B6A3EA1B18A0CE460CC2CFA2@TFUSNJPSCMBX04.ERF.THOMSON.COM>
References: <21E92654447C56418B4186BC3E9C9A322084A7CEFB@horus.h2.com> <4CCF2F8F.1090200@jeremykister.com> <41AE2995626088468C886E1E688BD6020213AB4EA0@TFUSNJPSCMBX04.ERF.THOMSON.COM> <6E29A4562D245549B6A3EA1B18A0CE460CC2CFA2@TFUSNJPSCMBX04.ERF.THOMSON.COM>
Message-ID: <4D4B6270.4050304@jeremykister.com>

On 2/3/2011 6:24 PM, chirag.parikh at thomsonreuters.com wrote:
> encountered a scenario where I'm stuck. I need to configure so a
> specific subnet is being scanned and report the objects that respond to
> ping. That is if someone adds a machine in the network it should show up
> in argus and start monitoring it with default services Ping and HTTP,

Argus will execute any files it finds in your config/ directory if you
have made them executable.

if you have one big config file instead of a directory of little files,
i recommend you start by making one file called 000_defins that has your
standard Argus definitions.

you can make another file called 001_servers that is executable. in
that, you can script in whatever language you want and output Argus
config.

what you want sounds rather easy, so if you want to give me some more
details I might be able to whip something up.

supposing we're scanning 10.0.0.0/24, and we find 10.0.0.2 is alive via
ping, what should argus call this host? do you have reverse dns
configured ?

--
Jeremy Kister
http://jeremy.kister.net./

From chirag.parikh at thomsonreuters.com Fri Feb 4 11:04:05 2011
From: chirag.parikh at thomsonreuters.com (chirag.parikh at thomsonreuters.com)
Date: Fri, 4 Feb 2011 11:04:05 -0500
Subject: Auto-discovery in a given subnet
In-Reply-To: <4D4B6270.4050304@jeremykister.com>
References: <21E92654447C56418B4186BC3E9C9A322084A7CEFB@horus.h2.com> <4CCF2F8F.1090200@jeremykister.com> <41AE2995626088468C886E1E688BD6020213AB4EA0@TFUSNJPSCMBX04.ERF.THOMSON.COM> <6E29A4562D245549B6A3EA1B18A0CE460CC2CFA2@TFUSNJPSCMBX04.ERF.THOMSON.COM> <4D4B6270.4050304@jeremykister.com>
Message-ID: <6E29A4562D245549B6A3EA1B18A0CE460CC2D1D8@TFUSNJPSCMBX04.ERF.THOMSON.COM>

Thanks Jeremy for your prompt response.

My requirement is actually quite simple. Let's say we want to monitor
10.0.0.0/24 and if someone puts up a system with IP, 10.0.0.2, Let Argus
call it the same, 10.0.0.2 and start monitoring it with default Service
Ping, HTTP and send necessary HUP to argusctl so new entry shows up in
web (or by any other means).

Later, DNS name can be updated in Argus config manually, once DNS push
has been updated on our DNS servers. It would be further nice if Argus
can check periodically if DNS name is updated or not on DNS servers (say
by nslookup ??) and update its name for 10.0.0.2 host accordingly in
Argus config.

Am I clear?

Thanks again for your help.

-Chirag.

_______________________________________________
http://argus.tcp4me.com/
Arguslist at tcp4me.com
http://www.tcp4me.com/mailman/listinfo/arguslist

From bruce.e.howells at intel.com Fri Feb 4 11:12:13 2011
From: bruce.e.howells at intel.com (Howells, Bruce E)
Date: Fri, 4 Feb 2011 09:12:13 -0700
Subject: Auto-discovery in a given subnet
In-Reply-To: <6E29A4562D245549B6A3EA1B18A0CE460CC2D1D8@TFUSNJPSCMBX04.ERF.THOMSON.COM>
References: <21E92654447C56418B4186BC3E9C9A322084A7CEFB@horus.h2.com> <4CCF2F8F.1090200@jeremykister.com> <41AE2995626088468C886E1E688BD6020213AB4EA0@TFUSNJPSCMBX04.ERF.THOMSON.COM> <6E29A4562D245549B6A3EA1B18A0CE460CC2CFA2@TFUSNJPSCMBX04.ERF.THOMSON.COM> <4D4B6270.4050304@jeremykister.com> <6E29A4562D245549B6A3EA1B18A0CE460CC2D1D8@TFUSNJPSCMBX04.ERF.THOMSON.COM>
Message-ID: <3608CD331B387B48BB1C1EE1AD740FD1141E0DF740@azsmsx502.amr.corp.intel.com>

Sounds like you want to combine the executable-as-map feature with
something like nmap, which can ping-sweep a subnet and do DNS lookups
for found hosts.

If you use the IP address as the uname, you'll keep override and history
even if the display name changes when the DNS record shows up.

From jaw+arguslist at tcp4me.com Fri Feb 4 11:48:14 2011
From: jaw+arguslist at tcp4me.com (jeff weisberg)
Date: Fri, 4 Feb 2011 11:48:14 -0500
Subject: Auto-discovery in a given subnet
In-Reply-To: <4D4B6270.4050304@jeremykister.com>
References: <21E92654447C56418B4186BC3E9C9A322084A7CEFB@horus.h2.com> <4CCF2F8F.1090200@jeremykister.com> <41AE2995626088468C886E1E688BD6020213AB4EA0@TFUSNJPSCMBX04.ERF.THOMSON.COM> <6E29A4562D245549B6A3EA1B18A0CE460CC2CFA2@TFUSNJPSCMBX04.ERF.THOMSON.COM> <4D4B6270.4050304@jeremykister.com>
Message-ID: <60A39D07-726D-436C-A8C7-56CF3B80C0A7@tcp4me.com>

On Feb 3, 2011, at 9:20 PM, Jeremy Kister wrote:
> you can make another file called 001_servers that is executable. in
> that, you can script in whatever language you want and output Argus
> config.
>
> what you want sounds rather easy, so if you want to give me some
> more details I might be able to whip something up.
>
> supposing we're scanning 10.0.0.0/24, and we find 10.0.0.2 is alive
> via ping, what should argus call this host? do you have reverse dns
> configured ?

this sounds like it will do what he _says_ he wants to do,
but I doubt it is really what he wants.

I mean, we wouldn't want to stop monitoring something that
happens to be down when argus restarts. That doesn't seem
productive.

Hope that you only restart argus when everything is good?
That doesn't sound like a reliable solution.
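
One way to write the executable config file discussed in this thread, as an added example that is not part of any poster's message or of Argus itself: it parses an nmap ping sweep, remembers every address it has ever seen so that a host which is down at restart stays monitored, and uses the IP address as the uname. The state-file path, the function names, the Host block layout and the TCP/HTTP service name are assumptions, and the sweep data is constructed.

```shell
#!/bin/sh
# Added example, not from the thread: body of an executable config file such
# as 001_servers. STATE and the function names are hypothetical.
STATE="${STATE:-/var/tmp/argus-discovered.txt}"

# stdin: `nmap -sn -oG -` output. stdout: "IP NAME" per live host. NAME falls
# back to the IP; anything that is not a dotted quad or a plain DNS name is
# rejected, because this text ends up inside the config Argus parses.
parse_sweep() {
    awk '$1 == "Host:" && /Status: Up/ {
        ip = $2; name = $3; gsub(/[()]/, "", name)
        if (ip !~ /^[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+$/) next
        if (name !~ /^[A-Za-z0-9][A-Za-z0-9.-]*$/) name = ip
        print ip, name
    }'
}

# stdin: "IP NAME" lines from this sweep. Hosts already in STATE are kept even
# if they did not answer this time, so a host that is down during a restart
# stays monitored. A resolved name replaces a bare IP, never the reverse.
merge_state() {
    touch "$STATE"
    { sed 's/^/O /' "$STATE"; sed 's/^/N /'; } | awk '
        $1 == "O" || !($2 in seen) || $3 != $2 { seen[$2] = $3 }
        END { for (ip in seen) print ip, seen[ip] }' |
        sort -t. -k1,1n -k2,2n -k3,3n -k4,4n > "$STATE.tmp" &&
        mv "$STATE.tmp" "$STATE"
}

# Print one Host block per known address. The IP is the uname, so history and
# overrides survive when the label later changes to the DNS name.
emit_config() {
    echo 'Group "discovered" {'
    while read -r ip name; do
        printf '    Host "%s" {\n        uname: %s\n        label: %s\n' "$ip" "$ip" "$name"
        printf '        Service Ping\n        Service TCP/HTTP\n    }\n'
    done < "$STATE"
    echo '}'
}

# Constructed sample sweeps (a tab precedes "Status").
SWEEP1=$(printf 'Host: 10.0.0.2 ()\tStatus: Up\nHost: 10.0.0.9 (db1.example.com)\tStatus: Up\n')
SWEEP2=$(printf 'Host: 10.0.0.2 (web1.example.com)\tStatus: Up\nHost: 10.0.0.7 (x"{)\tStatus: Up\n')
# Demo on the constructed sweeps; live use replaces it with:
#   nmap -sn -oG - 10.0.0.0/24 | parse_sweep | merge_state; emit_config
( STATE=$(mktemp)
  for s in "$SWEEP1" "$SWEEP2"; do printf '%s\n' "$s" | parse_sweep | merge_state; done
  emit_config; rm -f "$STATE" )
```

In the demo, 10.0.0.9 does not answer the second sweep and is still emitted, and the malformed reverse-DNS name for 10.0.0.7 is replaced by the address before it reaches the config.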
From chirag.parikh at thomsonreuters.com Thu Feb 24 12:13:02 2011
From: chirag.parikh at thomsonreuters.com (chirag.parikh at thomsonreuters.com)
Date: Thu, 24 Feb 2011 12:13:02 -0500
Subject: Help with Prog Service
Message-ID: <6E29A4562D245549B6A3EA1B18A0CE460D066BD7@TFUSNJPSCMBX04.ERF.THOMSON.COM>

Hi,

I need to monitor a ZPOOL status on a Solaris system using Prog Service
where I can issue a ssh command such as:

"ssh zpool status -xv" and the result should be "all pools are healthy".
If it's any otherwise or output contains any error on the Zpool, service
should go red and alarm should trigger.

I'm just not sure how to implement this using Prog Service. I mean how
to use Pluck and/or Expect or what else. Could you please provide a
sample of the code how would this be achieved?

Thanks in advance.

-Chirag.

From argus-02 at jeremykister.com Thu Feb 24 23:12:34 2011
From: argus-02 at jeremykister.com (Jeremy Kister)
Date: Thu, 24 Feb 2011 23:12:34 -0500
Subject: Help with Prog Service
In-Reply-To: <6E29A4562D245549B6A3EA1B18A0CE460D066BD7@TFUSNJPSCMBX04.ERF.THOMSON.COM>
References: <6E29A4562D245549B6A3EA1B18A0CE460D066BD7@TFUSNJPSCMBX04.ERF.THOMSON.COM>
Message-ID: <4D672C32.6010208@jeremykister.com>

On 2/24/2011 12:13 PM, chirag.parikh at thomsonreuters.com wrote:
> I need to monitor a ZPOOL status on a Solaris system using Prog Service
> where I can issue a ssh command such as:

I solved this by installing the included argus-agent on the machine with
the zfs.

# copy the argus-agent from the argus host
scp :/usr/local/sbin/argus-agent /usr/local/sbin

# set up the argus-agent in /etc/services
echo -e "argus-agent\t164/tcp" >> /etc/services

# set up the argus-agent in inetd.conf
echo -e "argus-agent\tstream\ttcp\tnowait\troot\t/usr/local/sbin/argus-agent\targus-agent" >> /etc/inetd.conf
pkill -HUP inetd

# if the host is solaris 10, run:
inetconv

# verify it's accepting sockets on port 164 (you telnet and type "zpool )
telnet localhost 164
Trying localhost...
Connected to localhost.
Escape character is '^]'.
zpool rpool
ONLINE
Connection to localhost closed by foreign host.

once you get this far, you just go to your argus config, and something like:

Group "machine" {
    Service Ping
    Service Agent/zpool {
        arg: pool_name
        expect: ONLINE
    }
}

make sure any packet filters you might have set up between the two hosts
allow port 164/tcp.

that should get you all set.

--
Jeremy Kister
http://jeremy.kister.net./

From chirag.parikh at thomsonreuters.com Fri Feb 25 14:55:22 2011
From: chirag.parikh at thomsonreuters.com (chirag.parikh at thomsonreuters.com)
Date: Fri, 25 Feb 2011 14:55:22 -0500
Subject: Help with Prog Service
In-Reply-To: <4D672C32.6010208@jeremykister.com>
References: <6E29A4562D245549B6A3EA1B18A0CE460D066BD7@TFUSNJPSCMBX04.ERF.THOMSON.COM> <4D672C32.6010208@jeremykister.com>
Message-ID: <6E29A4562D245549B6A3EA1B18A0CE460D10E019@TFUSNJPSCMBX04.ERF.THOMSON.COM>

Jeremy,

Thanks for the update. Though there are 2 points to note here...

1) In our environment, we could not and did not want to use argus-agent
   on target system which is being monitored.
2) In this particular case, alarm would only trigger if a particular
   zpool is not in 'ONLINE' state. Rather we wanted alarm to be triggered
   even if pool contains any data errors and still ONLINE.

To solve these, I used below approach with Prog service which seems to
work nicely since now I get alarms if my pool contains any data errors
despite it being ONLINE and in turn I can run 'zpool clear ' on target
system to clear any data errors and alarm would reset (turn back to
green).

Do note that ssh keys need to be set so that ssh command in below
service works without any password prompts. In this case argus host's
public ssh-key needs to be appended in client/target host's
~/.ssh/authorized_keys2 file so ssh to the host works without any
prompts.

...just another way of handling this...

Service Prog {
    command: ssh zpool status -xv iscsipool
    drawgrid: yes
    expect: healthy
    graph: yes
    label: iscsipool Status
    messagedn: pool 'iscsipool' contains errors
    messageup: pool 'iscsipool' has been cleared of errors and now healthy
    title: iscsipool Health Status
    uname: iscsipool Status
}

Thanks for your help though. Much appreciated. It's nice to know
different options to handle this type of situation. :)

Thanks again.

-Chirag.
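
For the passwordless key described in the last message, an added example (not part of the thread) that builds an authorized_keys entry limiting the Argus host's key to the one zpool command, and audits a key file for entries that have no forced command. The function names, the sample key and the host name argus.example.com are constructed, and the example assumes the target's sshd honours the OpenSSH from=, command= and no-* key options.

```shell
#!/bin/sh
# Added example, not from the thread. restricted_entry, audit_keys and the
# sample key and host name are hypothetical or constructed.
KEYTYPE='(ssh-(rsa|dss|ed25519)|ecdsa-sha2-[a-z0-9-]+)'

# Print an authorized_keys line that lets the key run one fixed command from
# one source host. Returns 1 on input that could break out of the option
# quoting or smuggle in a second line.
restricted_entry() {   # args: "<type base64 [comment]>" "<command>" "<source host>"
    key=$1; cmd=$2; from=$3
    # No embedded newlines: a second line would be a second, unrestricted key.
    [ "$(printf '%s' "$key$cmd$from" | wc -l)" -eq 0 ] || return 1
    printf '%s\n' "$key" |
        grep -Eq "^${KEYTYPE} [A-Za-z0-9+/]+=*( [^\"]*)?\$" || return 1
    case "$cmd$from" in *\"*) return 1 ;; esac
    printf 'from="%s",command="%s",no-port-forwarding,no-agent-forwarding,no-X11-forwarding,no-pty %s\n' \
        "$from" "$cmd" "$key"
}

# Report every key in an authorized_keys file whose options (the text before
# the key type) lack command="...": such a key opens a full shell. Only the
# options are inspected, so a key comment cannot hide an unrestricted entry.
audit_keys() {
    awk -v kt="(^|[ \t])${KEYTYPE}[ \t]" '
        /^[ \t]*(#|$)/ { next }
        match($0, kt) && substr($0, 1, RSTART - 1) !~ /(^|,)command="/ {
            print "UNRESTRICTED line " NR
        }' "$1"
}

# Constructed sample: the Argus host's public key with a placeholder body.
SAMPLE_KEY='ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQCconstructedKEY argus@monitor'

# Entry to append to the target's ~/.ssh/authorized_keys2 in place of the bare key.
restricted_entry "$SAMPLE_KEY" "zpool status -xv iscsipool" "argus.example.com"
```

With this entry in place sshd runs the forced command whatever the client asks for, so the command: line in the Prog service keeps working while the key can no longer open a shell.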