Monitoring network connection states with Zabbix (+ iptables + iptstate)

This is a little howto about displaying some small n’ nice graphs regarding to network connections of your machine. In the way of “Nothing is silly if it involves getting graphs”, the goal of this article is to get a realtime graph showing numbers of current server connections according to protocols,

and current TCP states:

Certainly worh at least for displaying SYN flood attacks. Here is the recipe:

1. iptables, iptstate, zabbix server/agent

2. iptables Zabbix template

3. monitoring scripts

We need to get the template from point 2. and import it to Zabbix sever. Then we will rename it’s application from “Network” to e.g. Network_iptables, due to namespace conflict with default Linux template. Now when we have a possibility to display TCP states and type of connections, let’s fill it with data.

/etc/zabbix_agentd.conf:

UserParameter=iptstate.tcp,/etc/zabbix/scripts/net-tcp
UserParameter=iptstate.tcp.syn,/etc/zabbix/scripts/net-syn
UserParameter=iptstate.tcp.timewait,/etc/zabbix/scripts/net-time-wait
UserParameter=iptstate.tcp.established,/etc/zabbix/scripts/net-established
UserParameter=iptstate.tcp.close,/etc/zabbix/scripts/net-close
UserParameter=iptstate.udp,/etc/zabbix/scripts/net-udp
UserParameter=iptstate.icmp,/etc/zabbix/scripts/net-icmp

Bold font are the names of keys in our newly imported iptables/iptstate zabbix template. Then you need to authorize zabbix user to run iptstate command (potentially without password) and you do it in /etc/sudoers file. Since zabbix agent doesn’t allow to call sudo command directly from it’s config ( you will end up with error log “you must have a tty to run sudo” ), it is also required to turn off “Defaults requiretty” by commenting it out. The scripts which are called in the example above are located in point 3.

#!/bin/bash
est=`sudo iptstate -s | grep ESTABLISHED | wc -l`
echo $est

Output of this simple script is a number of connections which are in ESTABLISHED TCP state. These checks are periodical, so after restarting zabbix-agentd, you’ll get graphs like from beggining of this article. Good part is that you don’t need to be stuck with defaults, you can define some more like this:

iptstate -s -t | head -2 |tail -1 | sed 's/^.*OTHER: //'

Have fun!

daan.

Tags: , , , , ,

This entry was posted on Sunday, October 30th, 2011 at 7:37 pm and is filed under Sysadmin. You can follow any comments to this entry through the RSS 2.0 feed. You can leave a comment, or trackback.

{ 3 comments to read ... please submit one more! }

  1. Walter Heck
    October 31, 2011 at 4:02 pm

    Hello, looks like a nice template, would you like to add it to http://zabbixtemplates.com? We’re buidling a free and open source template library there. Just create an account and upload the template and it’ll be available for everyone to use.

    Reply
  2. Daniel Portwood Daniel Portwood
    November 1, 2011 at 12:27 am

    Hi! Actually, I haven’t created the whole template, it can found on Zabbix forums – http://www.zabbix.com/forum/showthread.php?t=9758

    By the way, the site is really great idea!

    Reply

{ 1 Pingbacks/Trackbacks }

  1. Monitoring network connection states with Zabbix (+ iptables + … | Linux Blog

Leave a Reply

Your email address will not be published. Required fields are marked *

*

* Copy this password:

* Type or paste password here:

756 Spam Comments Blocked so far by Spam Free Wordpress

You may use these HTML tags and attributes: <a href="" title=""> <abbr title=""> <acronym title=""> <b> <blockquote cite=""> <cite> <code> <del datetime=""> <em> <i> <q cite=""> <strike> <strong> <pre lang="" line="" escaped="" highlight="">