Best way to monitor server in a DMZ ? or remote LAN ?
list L.M.J
Hi,
I would like to monitor servers inside a DMZ. Since the Hobbit-Clients push the information to the server, they are not able to reach the LAN Hobbit server: communication from the DMZ to the LAN is forbidden... What is your experience in that area, guys?
I'm thinking of setting up a DMZ Hobbit server. The LAN Hobbit server will pull the information from the DMZ Hobbit server. I remember something related using bbproxy or NET. Am I right? What is your experience in that domain again? (bis)
Finally, I would like to set up a Hobbit server in "LAN2", "LAN3" and "LAN4". Those LAN* Hobbit servers will monitor servers around them. Will they send information to the LAN Hobbit server, or will the LAN Hobbit server pull the information from the LAN* Hobbit servers?
Thanks in advance for any answers or points of view on my ideas. I'm looking for a global view of my issues + tutorial links to set up the right things. Thanks in advance.
list Thomas Kern
I like the idea of having a hobbit server inside a DMZ just to monitor the servers inside the DMZ. I am sure that, between the network firewalls and the iptables and other tools available in a Linux server, you can make sure that the public cannot see the hobbit server but let admins inside your network see the web pages. Alerts might be more of a problem but should be doable with proper firewall rules. The bbproxy facility may make it easier to get the firewall stuff set right.
Thomas Kern
XXX-XXX-XXXX (O) XXX-XXX-XXXX (M)
----- Original Message -----
From: user-78bb6d5d9024@xymon.invalid <user-78bb6d5d9024@xymon.invalid>
To: user-ae9b8668bcde@xymon.invalid <user-ae9b8668bcde@xymon.invalid>
Sent: Tue Feb 05 09:01:48 2008
Subject: [hobbit] Best way to monitor server in a DMZ ? or remote LAN ?
Hi,
I would like to monitor servers inside a DMZ. Since the Hobbit-Clients push
the information to the server, they are not able reach the LAN Hobbit server :
communication from the DMZ to the LAN is forbidden...
What is your experience in that area guys ?
I'm thinking to setup a DMZ Hobbit server. The LAN Hobbit server will pull the
information from the DMZ Hobbit server. I remember something related using
bbproxy or NET. Am I right ?
What is your experience in that domain again ? (bis)
Finally, I would like to setup a Hobbit Server in "LAN2", "LAN3" and "LAN4" .
Those LAN* Hobbit server will monitor servers around them.
Will they send information to LAN Hobbit server or the LAN Hobbit server will
pull the information from LAN* Hobbit servers ?
Thanks by advance for any answers or point of view of my ideas. I'm looking
for a global view of my issues + tutorial links to setup the right things.
Thanks by advance.
list Frédéric Mangeant
user-78bb6d5d9024@xymon.invalid wrote:
Hi, I would like to monitor servers inside a DMZ. Since the Hobbit-Clients push the information to the server, they are not able reach the LAN Hobbit server : communication from the DMZ to the LAN is forbidden... What is your experience in that area guys ?
Hi,
To monitor hosts in a DMZ, I use Hobbit in "fetch" mode, which works fine.
--
Frédéric Mangeant
Steria EDC Sophia Antipolis
list Pkc_mls
user-78bb6d5d9024@xymon.invalid wrote:
Hi, I would like to monitor servers inside a DMZ. Since the Hobbit-Clients push the information to the server, they are not able reach the LAN Hobbit server : communication from the DMZ to the LAN is forbidden... What is your experience in that area guys ?
I used bb-central back in the bb times. It worked quite fine. I suppose it should work with hobbit also. The idea is that an internal host runs the commands via ssh, and the results are sent by the internal host to the hobbit server. It's quite interesting to have only one hobbit server. (I imagine you'll have to create as many hobbit servers as you have different DMZ networks).
I'm thinking to setup a DMZ Hobbit server. The LAN Hobbit server will pull the information from the DMZ Hobbit server. I remember something related using bbproxy or NET. Am I right ? What is your experience in that domain again ? (bis) Finally, I would like to setup a Hobbit Server in "LAN2", "LAN3" and "LAN4" . Those LAN* Hobbit server will monitor servers around them. Will they send information to LAN Hobbit server or the LAN Hobbit server will pull the information from LAN* Hobbit servers ? Thanks by advance for any answers or point of view of my ideas. I'm looking for a global view of my issues + tutorial links to setup the right things. Thanks by advance.
list Buchan Milne
On Tuesday 05 February 2008 16:01:48 user-78bb6d5d9024@xymon.invalid wrote:
Hi, I would like to monitor servers inside a DMZ. Since the Hobbit-Clients push the information to the server, they are not able reach the LAN Hobbit server : communication from the DMZ to the LAN is forbidden... What is your experience in that area guys ?
I use msgcache and the pulldata tag, so that the Hobbit server connects to the
hosts being monitored ...
I'm thinking to setup a DMZ Hobbit server. The LAN Hobbit server will pull the information from the DMZ Hobbit server. I remember something related using bbproxy or NET. Am I right ? What is your experience in that domain again ? (bis)
bbproxy works fine as well (but I don't use it for a DMZ, however for a 2nd site that forwards all the data (from clients, its own bbtest-net, and its own devmon) to the single display that is "monitored" by the monitoring team).
Finally, I would like to setup a Hobbit Server in "LAN2", "LAN3" and "LAN4" . Those LAN* Hobbit server will monitor servers around them. Will they send information to LAN Hobbit server or the LAN Hobbit server will pull the information from LAN* Hobbit servers ?
Either way, depending on how you configure them ... (see above).
Thanks by advance for any answers or point of view of my ideas. I'm looking for a global view of my issues + tutorial links to setup the right things.
Honestly, I don't think this is so complex that a tutorial is required ... Regards, Buchan
list H. Klomp
Is this also possible with BBwin client systems?
Regards, Bert Klomp
-----Original Message-----
From: Buchan Milne [mailto:user-9b139aff4dec@xymon.invalid]
Sent: Tuesday, 5 February 2008 15:20
To: user-ae9b8668bcde@xymon.invalid
Cc: user-78bb6d5d9024@xymon.invalid
Subject: Re: [hobbit] Best way to monitor server in a DMZ ? or remote LAN ?
On Tuesday 05 February 2008 16:01:48 user-78bb6d5d9024@xymon.invalid wrote:
Hi, I would like to monitor servers inside a DMZ. Since the Hobbit-Clients push the information to the server, they are not able reach the LAN Hobbit server : communication from the DMZ to the LAN is forbidden... What is your experience in that area guys ?
I use msgcache and the pulldata tag, so that the Hobbit server connects to the hosts being monitored ...
I'm thinking to setup a DMZ Hobbit server. The LAN Hobbit server will pull the information from the DMZ Hobbit server. I remember something related using bbproxy or NET. Am I right ? What is your experience in that domain again ? (bis)
bbproxy works fine as well (but I don't use it for a DMZ, however for a 2nd site that forwards all the data (from clients, its own bbtest-net, and its own devmon) to the single display that is "monitored" by the monitoring team).
Finally, I would like to setup a Hobbit Server in "LAN2", "LAN3" and "LAN4" . Those LAN* Hobbit server will monitor servers around them. Will they send information to LAN Hobbit server or the LAN Hobbit server will pull the information from LAN* Hobbit servers ?
Either way, depending on how you configure them ... (see above).
Thanks by advance for any answers or point of view of my ideas. I'm looking for a global view of my issues + tutorial links to setup the right things.
Honestly, I don't think this is so complex that a tutorial is required ... Regards, Buchan
list Steve McConnell
Hi, I would like to monitor servers inside a DMZ. Since the Hobbit-Clients push the information to the server, they are not able reach the LAN Hobbit server : communication from the DMZ to the LAN is forbidden... What is your experience in that area guys ?
I used bb-central back to bb times. worked quite fine. I suppose it should work with hobbit also.
I have the exact same requirement, but I tunnelled the hobbit communications over ssh. There is a nice tutorial by Keith Sebesta on the old BB script repository: http://www.deadcat.net/3/BB-ssh.txt
Took me about 6 minutes to get it working.
steve
steve mcconnell
gsk unix application hosting support
XXX-XXX-XXXX
"pkc_mls" <user-06f34394900f@xymon.invalid>
05-Feb-2008 09:17
Please respond to user-ae9b8668bcde@xymon.invalid
To: user-ae9b8668bcde@xymon.invalid
cc:
Subject: Re: [hobbit] Best way to monitor server in a DMZ ? or remote LAN ?
user-78bb6d5d9024@xymon.invalid wrote:
Hi, I would like to monitor servers inside a DMZ. Since the Hobbit-Clients push the information to the server, they are not able reach the LAN Hobbit server : communication from the DMZ to the LAN is forbidden... What is your experience in that area guys ?
I used bb-central back to bb times. worked quite fine. I suppose it should work with hobbit also. the idea is that an internal host runs the commands via ssh, and the results are sent by the internal host to the hobbit server. It's quite interesting to have only one hobbit server. (I imagine you'll have to create as many hobbit server as you have different DMZ networks).
I'm thinking to setup a DMZ Hobbit server. The LAN Hobbit server will pull the information from the DMZ Hobbit server. I remember something related using bbproxy or NET. Am I right ? What is your experience in that domain again ? (bis) Finally, I would like to setup a Hobbit Server in "LAN2", "LAN3" and "LAN4" . Those LAN* Hobbit server will monitor servers around them. Will they send information to LAN Hobbit server or the LAN Hobbit server will pull the information from LAN* Hobbit servers ? Thanks by advance for any answers or point of view of my ideas. I'm looking for a global view of my issues + tutorial links to setup the right things. Thanks by advance.
list L.M.J
user-78bb6d5d9024@xymon.invalid wrote:
Hi, I would like to monitor servers inside a DMZ. Since the Hobbit-Clients push the information to the server, they are not able reach the LAN Hobbit server : communication from the DMZ to the LAN is forbidden... What is your experience in that area guys ?
Hi to monitor hosts in a DMZ, I use Hobbit in "fetch" mode, which works fine.
Alright Frédéric, that seems to be the thing I need. Any extra information on how to get this "fetch" mode working? Anyway, thanks for all your answers!
Frédéric Mangeant Steria EDC Sophia Antipolis
list Buchan Milne
On Wednesday 06 February 2008 13:17:26 L.M.J. wrote:
user-78bb6d5d9024@xymon.invalid wrote:
to monitor hosts in a DMZ, I use Hobbit in "fetch" mode, which works fine.
Alright Frédéric, seems the things I need. Any extra information how to get this "fetch" mode working ?
Besides that in the man pages (msgcache(8), hobbitfetch(8), bb-hosts(5))?
1) Enable the msgcache task on the clients (in clientlaunch.cfg) in the DMZ, and set BBDISP to 127.0.0.1 in the client configuration
2) Add the pulldata option to bb-hosts for these clients
3) Enable the hobbitfetch task on the server in hobbitlaunch.cfg
This is relatively obvious from the man pages ...
Regards, Buchan
list L.M.J
On Tuesday 05 February 2008 16:01:48 user-78bb6d5d9024@xymon.invalid wrote:
Hi, I would like to monitor servers inside a DMZ. Since the Hobbit-Clients push the information to the server, they are not able reach the LAN Hobbit server : communication from the DMZ to the LAN is forbidden... What is your experience in that area guys ?
I use msgcache and the pulldata tag, so that the Hobbit server connects to the hosts being monitored ...
Alright, I've added "pulldata" in the bb-hosts on the server. I've removed "DISABLED" from msgcache in the client's clientlaunch.cfg file. Is there something else? I still see my client inside the DMZ trying to reach the server without success (blocked by the firewall). I also see the server making the request to the clients, which is normal, BUT my DMZ hosts switched to purple! Did I miss something?
list Buchan Milne
On Monday 11 February 2008 14:05:17 L.M.J. wrote:
On Tuesday 05 February 2008 16:01:48 user-78bb6d5d9024@xymon.invalid wrote:
Hi, I would like to monitor servers inside a DMZ. Since the Hobbit-Clients push the information to the server, they are not able reach the LAN Hobbit server : communication from the DMZ to the LAN is forbidden... What is your experience in that area guys ?
I use msgcache and the pulldata tag, so that the Hobbit server connects to the hosts being monitored ...
Alright, I've added "pulldata" in the bb-hosts from the server. I've removed "DISABLED" msgcache in the clientlaunch.cfg file client. Is there something else ? I still see my client inside the DMZ trying to reach the server without success (blocked by the Firewall). I also see the server who make the request to the clients which is normal BUT my DMZ hosts switched to purple! Did I miss something ?
Configure the client to report to itself (the msgcache), by setting BBDISP=127.0.0.1 in hobbitclient.cfg. Regards, Buchan
list L.M.J
On Monday 11 February 2008 14:05:17 L.M.J. wrote:
On Tuesday 05 February 2008 16:01:48 user-78bb6d5d9024@xymon.invalid wrote:
Hi, I would like to monitor servers inside a DMZ. Since the Hobbit-Clients push the information to the server, they are not able reach the LAN Hobbit server : communication from the DMZ to the LAN is forbidden... What is your experience in that area guys ?
I use msgcache and the pulldata tag, so that the Hobbit server connects to the hosts being monitored ...
Alright, I've added "pulldata" in the bb-hosts from the server. I've removed "DISABLED" msgcache in the clientlaunch.cfg file client. Is there something else ? I still see my client inside the DMZ trying to reach the server without success (blocked by the Firewall). I also see the server who make the request to the clients which is normal BUT my DMZ hosts switched to purple! Did I miss something ?
Configure the client to report to itself (the msgcache), by setting BBDISP=127.0.0.1 in hobbitclient.cfg.
BBDISP=127.0.0.1 + "pulldata" in the bb-hosts + removed "DISABLED" msgcache in the clientlaunch.cfg
I see the Hobbit server connection to the DMZ client now. The DMZ clients do not try to reach the Hobbit server anymore. Good point!
I *still* don't have any report from the DMZ host. Help please.
list Mike Eggleston
On Tue, 12 Feb 2008, L.M.J. might have said:
On Monday 11 February 2008 14:05:17 L.M.J. wrote:
Alright, I've added "pulldata" in the bb-hosts from the server. I've removed "DISABLED" msgcache in the clientlaunch.cfg file client.
BBDISP=127.0.0.1 + "pulldata" in the bb-hosts + removed "DISABLED" msgcache in the clientlaunch.cfg I see the Hobbit server connection to the DMZ client now. The DMZ clients do not try to reach the Hobbit server anymore. Good point! I *still* don't have any report from the DMZ host. Help please.
When this is fixed, please post the changed files showing how you have the 'pulldata' working. No need to post all hosts, just the lines for this configuration. Mike
list Buchan Milne
On Tuesday 12 February 2008 15:51:14 L.M.J. wrote:
On Monday 11 February 2008 14:05:17 L.M.J. wrote:On Tuesday 05 February 2008 16:01:48 user-78bb6d5d9024@xymon.invalid wrote:
Did I miss something ?
BTW, did you read the other recent posts (in between your first set of many questions in this thread, and when you started implementing)? Because, all the steps were listed in my reply to one of those posts.
Configure the client to report to itself (the msgcache), by setting BBDISP=127.0.0.1 in hobbitclient.cfg.
BBDISP=127.0.0.1 + "pulldata" in the bb-hosts + removed "DISABLED" msgcache in the clientlaunch.cfg
Did you enable the 'hobbitfetch' task in hobbitlaunch.cfg on the Hobbit server?
I see the Hobbit server connection to the DMZ client now. The DMZ clients do not try to reach the Hobbit server anymore. Good point!
Can you connect from the Hobbit server to port 1984 on the clients in the DMZ?
I *still* don't have any report from the DMZ host. Help please.
You should also check if you have any entries in the msgcache.log on the clients. Regards, Buchan
list L.M.J
Did I miss something ?
BTW, did you read the other recent posts (in between your first set of many questions in this thread, and when you started implementing)? Because, all the steps were listed in my reply to one of those posts.
Configure the client to report to itself (the msgcache), by setting BBDISP=127.0.0.1 in hobbitclient.cfg.
BBDISP=127.0.0.1 + "pulldata" in the bb-hosts + removed "DISABLED" msgcache in the clientlaunch.cfg
Did you enable the 'hobbitfetch' task in hobbitlaunch.cfg on the Hobbit server?
Yep :
[hobbitfetch]
# DISABLED
ENVFILE ....
I see the Hobbit server connection to the DMZ client now. The DMZ clients do not try to reach the Hobbit server anymore. Good point!
Can you connect from the Hobbit server to port 1984 on the clients in the DMZ?
I *still* don't have any report from the DMZ host. Help please.
You should also check if you have any entries in the msgcache.log on the clients.
Here we go:
2008-02-11 15:27:29 Listening on 0.0.0.0:1984
2008-02-11 15:30:58 Caught TERM signal, terminating
2008-02-11 15:30:58 Hobbit msgcache version 4.2.0 starting
2008-02-11 15:30:58 Listening on 0.0.0.0:1984
2008-02-13 07:55:50 Caught TERM signal, terminating
2008-02-13 07:58:24 Hobbit msgcache version 4.2.0 starting
2008-02-13 07:58:24 Listening on 0.0.0.0:1984
Nothing looks abnormal. Any ideas why my server won't retrieve information from the DMZ clients?
list L.M.J
On Tue, 12 Feb 2008 07:58:13 -0600, Mike Eggleston <user-4ff7b7cae5b8@xymon.invalid> wrote:
On Tue, 12 Feb 2008, L.M.J. might have said:
On Monday 11 February 2008 14:05:17 L.M.J. wrote:
Alright, I've added "pulldata" in the bb-hosts from the server. I've removed "DISABLED" msgcache in the clientlaunch.cfg file client.
BBDISP=127.0.0.1 + "pulldata" in the bb-hosts + removed "DISABLED" msgcache in the clientlaunch.cfg I see the Hobbit server connection to the DMZ client now. The DMZ clients do not try to reach the Hobbit server anymore. Good point! I *still* don't have any report from the DMZ host. Help please.
When this is fixed, please post the changed files showing how you have the 'pulldata' working. No need to post all hosts, just the lines for this configuration.
Here we go: HOWTO monitor servers in a DMZ.

CLIENT SIDE

hobbitclient.cfg
    BBDISP="127.0.0.1"    <-- Changed from Hobbit server IP to localhost

clientlaunch.cfg
    [msgcache]
        # DISABLED    <-- Comment it
        ENVFILE $HOBBITCLIENTHOME/etc/hobbitclient.cfg
        CMD $HOBBITCLIENTHOME/bin/msgcache --no-daemon --pidfile=$HOBBITCLIENTHOME/logs/msgcache.pid
        LOGFILE $HOBBITCLIENTHOME/logs/msgcache.log
    [client]
        ENVFILE $HOBBITCLIENTHOME/etc/hobbitclient.cfg
        CMD $HOBBITCLIENTHOME/bin/hobbitclient.sh --local    <-- Add --local
        LOGFILE $HOBBITCLIENTHOME/logs/hobbitclient.log
        INTERVAL 5m

SERVER SIDE

hobbitlaunch.cfg
    [hobbitfetch]
        # DISABLED    <-- Comment it
        ENVFILE /home/users/hobbit/application/server/etc/hobbitserver.cfg
        CMD $BBHOME/bin/hobbitfetch --server=XX.XX.XX.XX --no-daemon --pidfile=$BBSERVERLOGS/hobbitfetch.pid    <-- replace the IP by your Hobbit server one
        LOGFILE $BBSERVERLOGS/hobbitfetch.log

bb-hosts
    zz.zz.zz.zz fqdn # conn hobbitfetch pulldata    <- Add hobbitfetch pulldata, do NOT forget to put the IP

And it should work. Do not forget to restart client & server just in case.
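
The purple hosts earlier in the thread came from one of the settings in the HOWTO above being missed, so a static check of the client and server files is useful before restarting anything. The script below is an added example, not part of the original thread or of Hobbit itself: the function names and the 0.0.0.0 test are this example's own, and the warning assumes the `--server=` restriction described in msgcache(8), which matters because the log above shows msgcache listening on 0.0.0.0:1984.

```shell
#!/bin/sh
# Added example: static check of the pull-mode settings listed in the HOWTO.
# Usage: pullcheck.sh client <hobbitclient.cfg> <clientlaunch.cfg>
#        pullcheck.sh server <hobbitlaunch.cfg> <bb-hosts> <hostname>

# Print the active (non-comment) lines of section [$2] in launch file $1.
section() {
    awk -v want="[$2]" '
        /^[ \t]*\[/ { sub(/^[ \t]+/, ""); sub(/[ \t]+$/, ""); insec = ($0 == want); next }
        insec && !/^[ \t]*#/ && NF { sub(/^[ \t]+/, ""); print }
    ' "$1"
}

# Succeed if task $2 exists in launch file $1 and has no active DISABLED line.
task_enabled() {
    body=$(section "$1" "$2")
    [ -n "$body" ] || return 1
    ! printf '%s\n' "$body" | grep -q '^DISABLED'
}

# Client side (DMZ host): $1 = hobbitclient.cfg, $2 = clientlaunch.cfg
check_client() {
    rc=0
    grep -Eq '^[[:space:]]*BBDISP="?127\.0\.0\.1"?([[:space:]]|$)' "$1" ||
        { echo "FAIL: BBDISP is not 127.0.0.1; the client still pushes towards the LAN"; rc=1; }
    task_enabled "$2" msgcache ||
        { echo "FAIL: [msgcache] is missing or DISABLED in $2"; rc=1; }
    section "$2" client | grep -q '^CMD.*--local' ||
        { echo "FAIL: [client] CMD lacks --local"; rc=1; }
    # Hardening hint only: msgcache answers on every interface unless restricted.
    section "$2" msgcache | grep -q '^CMD.*--server=' ||
        echo "WARN: msgcache has no --server= limit; allow port 1984 from the Hobbit server only"
    return $rc
}

# Server side: $1 = hobbitlaunch.cfg, $2 = bb-hosts, $3 = hostname in bb-hosts
check_server() {
    rc=0
    task_enabled "$1" hobbitfetch ||
        { echo "FAIL: [hobbitfetch] is missing or DISABLED in $1"; rc=1; }
    # Assumption of this example: 0.0.0.0 counts as "forgot to put the IP".
    awk -v h="$3" '
        $2 == h { found = 1; ok = ($1 != "0.0.0.0" && $0 ~ /#.*pulldata/) }
        END     { exit !(found && ok) }
    ' "$2" || { echo "FAIL: $3 needs a real IP and the pulldata tag in $2"; rc=1; }
    return $rc
}

case "${1:-}" in
    client) check_client "$2" "$3" ;;
    server) check_server "$2" "$3" "$4" ;;
esac
```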