### SOPHOS ANTIVIRUS PASSIVE CHECKS FOR NAGIOS HOWTO ###
DATE: 05-08-2010
Written by Remco Hage
RealOpenIT BV
Informaticalaan 7
2628ZD DELFT
The Netherlands
Phone: 0031 15 256 8969
email: rhage@realopenit.nl
In this readme, i describe howto reveive passive service results from Sophos Antivirus backup into Nagios.
It requires Nagios knowlegde, also you need to know how passive checks works in Nagios, and know some bash scripting.
Global view on how it works:
1) snmptrapd service receives traps from Sophos server.
2) snmptrapd sends traps to SNMPTT. SNMPTT "translate" these traps, for this translation it uses the MIBS in SNMPTT.CONF.
3) SNMPTT forwards translated traps to Nagios via $USER1/submit_check_result to the external command file wih an status code and plugin output from the sophos message.
4) Nagios recognizes this as a passice check result and display's it as service (if there is one).
# Software requirements
Suse: install snmp-net perl-snmp en snmptt via 1 click installer
ubuntu/debian: install libnet-snmp-perl libsnmp snmptrapfmt snmpd
# suse only
Set in /etc/init.d/snmptrapd:
CONFIG="-c /etc/snmp/snmptrapd.conf"
startproc $BINARY $OPTIONS $CONFIG
# Ubuntu/Debian:
make sure snmpd, snmptrapfmt and snmptt service are running.
###########################
#### CONFIGURATION SNMP ###
###########################
vi /etc/snmp/snmptrapd.conf:
traphandle default /usr/sbin/snmptt
disableAuthorization yes
donotlogtraps yes
execute:
/etc/init.d/snmptrapd restart
### ADD MIBS to the system ###
touch TRAP-TEST-MIB.txt in /usr/share/snmp/mibs (just for testing snmptraps)
put in the file:
TRAP-TEST-MIB DEFINITIONS ::= BEGIN
IMPORTS ucdExperimental FROM UCD-SNMP-MIB;
demotraps OBJECT IDENTIFIER ::= { ucdExperimental 990 }
demo-trap TRAP-TYPE
STATUS current
ENTERPRISE demotraps
VARIABLES { sysLocation }
DESCRIPTION "This is just a demo"
::= 17
END
restart the snmpd services and send a test string:
snmptrap -v 1 -c public localhost TRAP-TEST-MIB::demotraps localhost 6 17 '' SNMPv2-MIB::sysLocation.0 s "Just here"
If no errors, you should see some results in /var/log/snmptrapd.log, like this:
2009-12-10 15:49:22 localhost [127.0.0.1] (via UDP: [127.0.0.1]:44084->[127.0.0.1]) TRAP, SNMP v1, community public
.1.3.6.1.4.1.2021.13.990 Enterprise Specific Trap (17) Uptime: 2 days, 0:01:19.23
.1.3.6.1.2.1.1.6.0 = STRING: Just here
Reveiving strings via snmp-trapd service is working...
# FOR MORE INFO: http://www.net-snmp.org/wiki/index.php/TUT:Using_and_loading_MIBS
########################
### SNMPTT TO NAGIOS ###
########################
Now we take care that snmptt sends it's results to Nagios.
touch /usr/local/nagios/libexec/eventhandlers/submit_check_result && chmod +x /usr/local/nagios/libexec/eventhandlers/submit_check_result && chown nagios.nagios /usr/local/nagios/libexec/eventhandlers/submit_check_result
put this in:
############
## SCRIPT ##
############
#!/bin/sh
# SUBMIT_CHECK_RESULT
# Written by Ethan Galstad (egalstad@nagios.org)
# Last Modified: 02-18-2002
#
# This script will write a command to the Nagios command
# file to cause Nagios to process a passive service check
# result. Note: This script is intended to be run on the
# same host that is running Nagios. If you want to
# submit passive check results from a remote machine, look
# at using the nsca addon.
#
# Arguments:
# $1 = host_name (Short name of host that the service is
# associated with)
# $2 = svc_description (Description of the service)
# $3 = return_code (An integer that determines the state
# of the service check, 0=OK, 1=WARNING, 2=CRITICAL,
# 3=UNKNOWN).
# $4 = plugin_output (A text string that should be used
# as the plugin output for the service check)
#
#logger -p warning nagios_passive_test
echocmd="/bin/echo"
CommandFile="/usr/local/nagios/var/rw/nagios.cmd"
# get the current date/time in seconds since UNIX epoch
datetime=`date +%s`
# create the command line to add to the command file
cmdline="[$datetime] PROCESS_SERVICE_CHECK_RESULT;$1;$2;$3;$4"
# append the command to the end of the command file
`$echocmd $cmdline >> $CommandFile`
#### EOF #####
####################
### CONVERT MIBS ###
####################
Now convert the mibs, so SNMPTT knows wat to send:
for all mibs:
snmpttconvertmib --in=sophos-sav-mib --out=/etc/snmp/snmptt.conf --exec='/usr/local/nagios/libexec/eventhandlers/submit_check_result $r TRAP 0'
see in /etc/snmp/SNMPTT.conf you'l have something like this (only this is output from the demo mib):
EVENT demo-trap .1.3.6.1.4.1.2021.13.990.0.17 "Status Events" Normal
FORMAT This is just a demo $*
EXEC /usr/local/nagios/libexec/eventhandlers/submit_check_result $r TEST 1 "This is just a demo $*"
SDESC
This is just a demo
Variables:
1: sysLocation
EDESC
See "submit_check_result $r TEST 1 "This is just a demo $*" is important.
This means the hostname is $r, the service name is TEST and gets status 1 in Nagios.
Go to the Sophos Antivirus management interface and set your nagios server as SNMP server, and sent a test string (not available in newer versions, then you should dowload an eicar test virus), so you can see if the results are received.
SNMPTT recognizes the mibs/oids and send the results to the submit_check_result script
Submit_check_result processes the data, and puts it in the external command file so Nagios can understand the data.
To check if the script is being executes at all, you could put something like this in the submit_check_result for testing: logger -p WARNING SUBMIT_CHECK_RESULT_TEST
Then you should at least see something in /var/log/messages, BUT... Nagios is not regognizing the hosts/service yet... We continue..
# SEE MORE INFO: http://www.snmptt.org/docs/snmpttconvertmib.shtml
# MORE INFO: http://www.snmptt.org/docs/snmptt.shtml#Nagios-Netsaint
###############################################
### PASSIVE RESULTS FROM SYNCSORT IN NAGIOS ###
###############################################
To show trap results in Nagios create a new service template. I call it just "passive_service" here for test, but you might want to call it sophos_passive_service or anything.
# passive check template
define service{
name passive_service
use generic-service
active_checks_enabled 0
passive_checks_enabled 1
obsess_over_service 1
flap_detection_enabled 1
register 0
is_volatile 0
retain_status_information 1
retain_nonstatus_information 1
check_period 24x7
max_check_attempts 3
normal_check_interval 60
retry_check_interval 30
contact_groups admins
check_freshness 1
freshness_threshold 5000
check_command give_ok
}
add to commands.cfg:
define command{
command_name give_ok
command_line /usr/local/nagios/libexec/check_dummy 0 "OK: NO ERRORS RECEIVED.."
}
(give_ok set status as OK if Nagios not receives any results from Sophos, because there is no virus or alert in that case.
If Nagios reveices an error via SNMP, it gives critical, but watch the freshness_threshold carefull, while the error is gone before you've noticed!!!)
In the case of "submit_check_result $r TEST 1" from the snmptt.conf, the service name is called "TEST", create a service that uses the passive service template, for the Sophos servername.
define service{
use passive_template
host_name your-sophos-server-name
service_description TEST # or anything what you created for servicename above
}
execute
/usr/local/nagios/bin/nagios -v /usr/local/nagios/etc/nagios.cfg
If no errors, restart nagios. Try to send some errors etc. from Sophos, and see in the webinterface and/or logs, if you receive them.
######################################
### EXTRA INFORMATION ABOUT MIBS ETC #
######################################
### write you own mibs ###
http://www.net-snmp.org/wiki/index.php/Writing_your_own_MIBs
### Sources ###
http://xavier.dusart.free.fr/joomla/index.php/en/nagios/47-traps-snmp-dans-nagios
http://www.net-snmp.org/tutorial/tutorial-5/commands/snmptrap.html
http://technotes.twosmallcoins.com/?p=369
http://www.sage.org/lists/sage-members-archive/2005/msg03326.html