Mrtg logging for Dachstein/LEAF (rev 10/18/02)

Pete Dubler (pete@dublerfamily.com)

Scope: Provide a helpful guide to getting the necessary pieces in place to run mrtg logging of a Dachstein/LEAF system. Mrtg is run on another Linux system (in my case Redhat 7.1). Mrtg is highly configurable and flexible. One can log anything from network traffic to weather history with mrtg. We will only worry about getting a Dachstein-based LEAF router set up to be accessed by another system which is running mrtg.

Appendix A provides information on using mrtg to remotely log signal strength and quality for a Cisco Aironet 802.11b wireless lan card in your Dachstein system.

Concept: Mrtg provides a full set of automatically scaled, automatically updated graphs for each NIC specified on a given router. Mrtg automatically assembles the graphs into a web page for each NIC. The router must be running a version of snmpd to allow mrtg to gather the necessary information. The html files generated by mrtg are most easily accessed if the mrtg server has a web server (like apache).

Files Needed:

On the router:

netsnmpd.lrp, libm.lrp, and libdb.lrp available from:

http://leaf.sourceforge.net/devel/petedd/

(This is the most complete and functional version I have found and includes my edited snmpd.conf file.) This .conf file is also a great reference, as it is loaded with comments and explanations. (It also has the hooks in it, ready to be uncommented, for implementing radio signal logging.)

On the mrtg server:

perl (must be running on your server since large parts of mrtg are written in perl)

mrtg

You can build it from source from: http://people.ee.ethz.ch/~oetiker/webtools/mrtg/

OR, you can find an rpm and get on the air right away… http://www.rpmfind.net

Documentation Recommended:

The following documentation tells you how to build mrtg, but also provides valuable configuration and start-up information: http://people.ee.ethz.ch/~oetiker/webtools/mrtg/unix-guide.html

Information Needed:

You must have the following information available:

  1. Adding snmp to Dachstein:

  2. Configuring for snmpd on Dachstein:

- Set SNMP_BLOCK=NO in /etc/network.conf so the firewall isn't blocking ports 161:162.

  3. Install mrtg on server:
  4. Configure mrtg on server:

# mrtg.cfg

# this is a directory on your web server
WorkDir: /var/www/html/mrtg

# this makes the charts grow from left to right
Options[_]: growright,bits

# you can choose yes or no, see doc
RunAsDaemon: Yes

# probe router every 5 minutes
Interval: 5

Target[fwext]: /123.456.123.456:public@123.555.666.777

MaxBytes[fwext]: 1250000

Title[fwext]: Stats for External

PageTop[fwext]: <H1>Stats for External</H1>

# end of mrtg.cfg

 

123.456.123.456 is the ip of the port of the router you will be monitoring (eg. the external port {eth0}).  NOTE: The "/" is very important.  It tells mrtg to use the ip address.  If you do not include the leading "/", mrtg will try to use interface number 456 in this case.

123.555.666.777 is the ip of the port of the router that your mrtg server can access (eg. the internal port {eth1})

fwext is the name you assign for mrtg to use for the files it will store related to these statistics

The Title and PageTop are up to you. Keep it simple at first.

NOTE: There must be no spaces at the beginning of any line of the mrtg.cfg file, or the parameters will not take effect.

  5. Run mrtg:

http://people.ee.ethz.ch/~oetiker/webtools/mrtg/unix-guide.html

  6. View mrtg files via server's web server. Files will have names like fwext.html (based on the name you assigned in step 4 above). Wow! Can you believe how easy it was to create such detailed, auto-scaling, auto-updating graphic web pages!

You can do lots more with mrtg, just check out the mrtg website: www.mrtg.org for more ideas.
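The two NOTEs in step 4 (the leading "/" on a Target given by IP address, and no spaces at the start of a line) can be checked before mrtg is started. This is an added example, not part of the original guide; the sample config and the function name lint_mrtg_cfg are constructed for illustration.

```shell
#!/bin/sh
# Added example, not from the original guide. SAMPLE_CFG is a constructed
# mrtg.cfg that contains both mistakes the NOTEs in step 4 warn about.
SAMPLE_CFG='WorkDir: /var/www/html/mrtg
 Options[_]: growright,bits
Target[fwext]: 123.456.123.456:public@123.555.666.777
Target[fwint]: /123.555.666.777:public@123.555.666.777
Target[fwsig]: .1.3.6.1.4.1.2021.51.101.1&.1.3.6.1.4.1.2021.52.101.1:public@firewall'

# lint_mrtg_cfg < mrtg.cfg
# Prints "LINE: problem" for each finding, nothing if the file is clean.
lint_mrtg_cfg() {
  awk '
    # A keyword (optionally with a [name]) that does not start in column 1.
    /^[ \t]+[A-Za-z]+(\[[^]]*\])?:/ {
      print NR ": keyword line starts with whitespace"
      next
    }
    # Target value that begins with a dotted quad instead of "/" + dotted quad.
    # OID targets begin with "." and are not matched.
    /^Target\[[^]]*\]:[ \t]*[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+:/ {
      print NR ": Target IP lacks leading /"
    }'
}

printf '%s\n' "$SAMPLE_CFG" | lint_mrtg_cfg
```
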

APPENDIX A: Using MRTG to Log Signal Strength and Quality on a Wireless Dachstein LEAF

Mrtg is very versatile and can log just about anything graphically. There is a great document on this at:

http://www.willy.com/Scripps/mrtg-data.html

In less than two pages, Willy describes how to log other data using mrtg. I will leverage that to document how I remotely log the signal strength and quality of my Cisco Aironet ISA-342 card.

CONCEPTS: Snmpd has the ability to execute a command on the target system (in our case, the Dachstein firewall) and return the output (and other information) from the script. We will use this feature to run two short and simple scripts, checksig1 and checksig2, to output the signal strength and signal quality numbers respectively. We can then probe the respective OID for these exec commands using mrtg or, for testing purposes, snmpget or snmpwalk.

DETAILS: Snmpd.conf, as provided, has closed snmpd to probes outside of the "system" subset. In order to probe the OID for the output of scripts or commands specified by "exec" in snmpd.conf, we must open up the system to such probes. If you search the snmpd.conf file suggested at the beginning of this document (http://www.dublerfamily.com/leaf/snmpd.conf) for the word CHECKSIG, you will find exactly what to comment out and what to uncomment to get this working. (Once you have it up and running, you can try to make the security tighter by tightening up the OID specifier in the view setting, if you like.)

view systemview included system

# for CHECKSIG comment out the above line and uncomment the next line

#view all included .1

 

access notConfigGroup "" any noauth exact systemview none none

# for CHECKSIG comment out the above line and uncomment the next line

#access notConfigGroup "" any noauth exact all none none

 

# for CHECKSIG, uncomment the next two lines

#exec .1.3.6.1.4.1.2021.51 pete /root/checksig1

#exec .1.3.6.1.4.1.2021.52 pete /root/checksig2

 

The first two sets of commented lines will open up snmpd to other probes beyond the system subset. The last set of commented lines, flagged by the word CHECKSIG, are the exec commands. Note that the complete OIDs for the single line of output you need for signal strength and for signal quality are specified here, and that they begin with a period.
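The parenthetical above about tightening the OID specifier in the view, worked through as an added example (not part of the original guide or its snmpd.conf): the CHECKSIG settings beside a narrower view, and a check that tells them apart. Both sample configs, the view name checksigview and the function name audit_views are constructed for illustration.

```shell
#!/bin/sh
# Added example, not from the original snmpd.conf. Both configs are
# constructed samples; the view name "checksigview" is an assumption.

# Subtrees mrtg needs: "system" plus the two exec OIDs from this page.
ALLOWED="system .1.3.6.1.4.1.2021.51 .1.3.6.1.4.1.2021.52"

# The CHECKSIG settings as described in the guide: whole tree readable.
WEAK_CONF='view all included .1
access notConfigGroup "" any noauth exact all none none'

# Tightened variant: several "view" lines with one name add up to one view.
TIGHT_CONF='view checksigview included system
view checksigview included .1.3.6.1.4.1.2021.51
view checksigview included .1.3.6.1.4.1.2021.52
access notConfigGroup "" any noauth exact checksigview none none'

# audit_views ALLOWED < snmpd.conf
# Prints one finding per noauth read view that includes a subtree which is
# neither in ALLOWED nor beneath an ALLOWED entry. Prints nothing if clean.
audit_views() {
  awk -v allowed="$1" '
    BEGIN { n = split(allowed, ok, " ") }
    /^[ \t]*(#|$)/ { next }                      # skip comments and blanks
    $1 == "view" && $3 == "included" {
      fine = 0
      for (i = 1; i <= n; i++)
        if ($4 == ok[i] || index($4, ok[i] ".") == 1) fine = 1
      if (!fine) wide[$2] = wide[$2] " " $4
    }
    # access GROUP CONTEXT MODEL LEVEL PREFIX READ WRITE NOTIFY
    $1 == "access" && $5 == "noauth" { used[$7] = 1 }
    END {
      for (v in used)
        if (v in wide)
          print "view " v " exposes" wide[v] " to unauthenticated reads"
    }'
}

echo "weak:  $(printf '%s\n' "$WEAK_CONF" | audit_views "$ALLOWED")"
echo "tight: $(printf '%s\n' "$TIGHT_CONF" | audit_views "$ALLOWED")"
```

With the tightened view, the mrtg Target for fwsig still resolves because both .101.1 OIDs lie beneath the included exec subtrees.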

You must of course have these scripts on your system. (sorry for the grep… but I’m not that great at regular expressions). So, copy checksig1 and checksig2 to /root or wherever you would like to keep them. Make sure the permissions are set to 755.

#!/bin/sh

#

# checksig1 outputs signal strength

# OID .1.3.6.1.4.1.2021.51.101.1

cat /proc/aironet/eth0/Status | grep Signal | sed -e '2d' -e 's/[^0-9]*: //'

exit

 

AND

#!/bin/sh

#

# checksig2 outputs signal quality

# OID .1.3.6.1.4.1.2021.52.101.1

cat /proc/aironet/eth0/Status | grep Signal | sed -e '1d' -e 's/[^0-9]*: //'

exit

 

Now, on the system that is running mrtg, you simply add the following to your mrtg.cfg file:

Target[fwsig]: .1.3.6.1.4.1.2021.51.101.1&.1.3.6.1.4.1.2021.52.101.1:public@firewall

MaxBytes[fwsig]: 80

Options[fwsig]: gauge, nopercent, growright

Title[fwsig]: Radio Signal Strength and Quality

PageTop[fwsig]: <H1>Radio Signal Strength and Quality</H1>

YLegend[fwsig]: strength/signal

(since mrtg wants to probe for two numbers, using two separate OIDs and exec works quite nicely here)

Restart mrtg on your server and check the results in the file fwsig.html.

Hopefully you can now see how to log other things remotely using the combination of snmpd with exec, and mrtg. Good luck!

 

APPENDIX B: Workaround for syslinux.cfg Line Length Limit

DACHSTEIN FEATURE: (From Charles Steinkuehler) the hack to linuxrc to extend the kernel command line [shown below] is not necessary in Dachstein.

Long package paths and module lists can be added to the files pkgpath.cfg and lrpkg.cfg, respectively, on the boot= device. Details are documented in the Dachstein-CD Readme, but the functionality is in the floppy releases as well... http://lrp.steinkuehler.net/Packages/LRP-CD.htm

 

GENERIC WORKAROUND: (edited from work by Jim Moy, thanks Jim!)

There's a 256 char limit on the syslinux.cfg kernel params line. Go and do this:

$ cat /proc/cmdline

and if it looks like your module list is getting truncated, well, there's the problem. If yours looks right then you haven't hit the limit yet, so you're fine. As you add more functionality to your leaf, you might hit this limit. If you want to fix it, go look for the line in /linuxrc that looks like this:

ROOTMAP="`sed 's/.*LRP=/\1/; s/ .*//1' /proc/cmdline`"

and replace it with this:

pkglist=`cat /boot/etc/lrppkgs.cfg`

ROOTMAP=`echo $pkglist | sed 's/ /,/g'`

then put all your module names in /boot/etc/lrppkgs.cfg in a simple list, one per line. Backup the root module. Actually, I'm probably going to move it to somewhere in /etc, the root module takes longer to backup :-P From then on, it ignores the LRP= value in syslinux.cfg.

 

 REVISION HISTORY:

3/11/02: converted to html, changed dublerfamily links to sourceforge

3/13/02: Corrected Appendix B to add Dachstein Feature.

10/18/02: added note regarding importance of "/" in mrtg.cfg section.

### end of document