### SOPHOS ANTIVIRUS PASSIVE CHECKS FOR NAGIOS HOWTO ###

DATE: 05-08-2010
Written by Remco Hage
RealOpenIT BV
Informaticalaan 7
2628ZD DELFT
The Netherlands
Phone: 0031 15 256 8969
email: rhage@realopenit.nl

In this readme I describe how to receive passive service results from Sophos Antivirus into Nagios.
It requires Nagios knowledge; you also need to know how passive checks work in Nagios, and some bash scripting.

Global view on how it works:

1) The snmptrapd service receives traps from the Sophos server.
2) snmptrapd hands the traps to SNMPTT. SNMPTT "translates" these traps; for this translation it uses the MIBs in SNMPTT.CONF.
3) SNMPTT forwards the translated traps to Nagios via $USER1/submit_check_result, which writes them to the external command file with a status code and the plugin output taken from the Sophos message.
4) Nagios recognizes this as a passive check result and displays it on the service (if there is one).

# Software requirements

Suse: install snmp-net perl-snmp and snmptt via the 1-click installer
Ubuntu/Debian: install libnet-snmp-perl libsnmp snmptrapfmt snmpd

# Suse only
Set in /etc/init.d/snmptrapd:

CONFIG="-c /etc/snmp/snmptrapd.conf"
startproc $BINARY $OPTIONS $CONFIG

# Ubuntu/Debian: make sure the snmpd, snmptrapfmt and snmptt services are running.
###########################
#### CONFIGURATION SNMP ###
###########################

vi /etc/snmp/snmptrapd.conf:

traphandle default /usr/sbin/snmptt
disableAuthorization yes
donotlogtraps yes

execute: /etc/init.d/snmptrapd restart

### ADD MIBS to the system ###

touch TRAP-TEST-MIB.txt in /usr/share/snmp/mibs (just for testing snmptraps) and put this in the file:

TRAP-TEST-MIB DEFINITIONS ::= BEGIN
IMPORTS ucdExperimental FROM UCD-SNMP-MIB;
demotraps OBJECT IDENTIFIER ::= { ucdExperimental 990 }
demo-trap TRAP-TYPE
    STATUS current
    ENTERPRISE demotraps
    VARIABLES { sysLocation }
    DESCRIPTION "This is just a demo"
    ::= 17
END

Restart the snmpd services and send a test trap:

snmptrap -v 1 -c public localhost TRAP-TEST-MIB::demotraps localhost 6 17 '' SNMPv2-MIB::sysLocation.0 s "Just here"

If there are no errors, you should see some results in /var/log/snmptrapd.log, like this:

2009-12-10 15:49:22 localhost [127.0.0.1] (via UDP: [127.0.0.1]:44084->[127.0.0.1]) TRAP, SNMP v1, community public
        .1.3.6.1.4.1.2021.13.990 Enterprise Specific Trap (17) Uptime: 2 days, 0:01:19.23
        .1.3.6.1.2.1.1.6.0 = STRING: Just here

Receiving traps via the snmptrapd service is working...

# FOR MORE INFO: http://www.net-snmp.org/wiki/index.php/TUT:Using_and_loading_MIBS

########################
### SNMPTT TO NAGIOS ###
########################

Now we take care that snmptt sends its results to Nagios.

touch /usr/local/nagios/libexec/eventhandlers/submit_check_result && \
chmod +x /usr/local/nagios/libexec/eventhandlers/submit_check_result && \
chown nagios.nagios /usr/local/nagios/libexec/eventhandlers/submit_check_result

put this in:

############
## SCRIPT ##
############
#!/bin/sh
# SUBMIT_CHECK_RESULT
# Written by Ethan Galstad (egalstad@nagios.org)
# Last Modified: 02-18-2002
#
# This script will write a command to the Nagios command
# file to cause Nagios to process a passive service check
# result.  Note: This script is intended to be run on the
# same host that is running Nagios.  If you want to
# submit passive check results from a remote machine, look
# at using the nsca addon.
#
# Arguments:
#  $1 = host_name (Short name of host that the service is
#       associated with)
#  $2 = svc_description (Description of the service)
#  $3 = return_code (An integer that determines the state
#       of the service check, 0=OK, 1=WARNING, 2=CRITICAL,
#       3=UNKNOWN).
#  $4 = plugin_output (A text string that should be used
#       as the plugin output for the service check)
#

#logger -p warning nagios_passive_test

echocmd="/bin/echo"

CommandFile="/usr/local/nagios/var/rw/nagios.cmd"

# get the current date/time in seconds since UNIX epoch
datetime=`date +%s`

# create the command line to add to the command file
cmdline="[$datetime] PROCESS_SERVICE_CHECK_RESULT;$1;$2;$3;$4"

# append the command to the end of the command file
# (quoted so the plugin output is appended as one line; the original
# wrapped this in backticks, which is unnecessary)
$echocmd "$cmdline" >> "$CommandFile"

#### EOF #####

####################
### CONVERT MIBS ###
####################

Now convert the MIBs, so SNMPTT knows what to send:

for all MIBs:
snmpttconvertmib --in=sophos-sav-mib --out=/etc/snmp/snmptt.conf --exec='/usr/local/nagios/libexec/eventhandlers/submit_check_result $r TRAP 0'

In /etc/snmp/snmptt.conf you'll then have something like this (only this is output from the demo MIB):

EVENT demo-trap .1.3.6.1.4.1.2021.13.990.0.17 "Status Events" Normal
FORMAT This is just a demo $*
EXEC /usr/local/nagios/libexec/eventhandlers/submit_check_result $r TEST 1 "This is just a demo $*"
SDESC
This is just a demo
Variables:
  1: sysLocation
EDESC

The line "submit_check_result $r TEST 1 "This is just a demo $*"" is important. It means the hostname is $r, the service name is TEST and the service gets status 1 in Nagios.

Go to the Sophos Antivirus management interface and set your Nagios server as SNMP server, and send a test string (not available in newer versions; then you should download an EICAR test virus), so you can see if the results are received.
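The EXEC line hands $r and the trap text ($*) straight to submit_check_result, which appends them to the Nagios command file unchanged; since snmptrapd.conf has disableAuthorization yes, that text comes from whoever can reach the trap port. Below is a hardened variant, written as an added example for this readme (it is not Ethan Galstad's script and not part of the original page): it validates the return code, rejects field separators in the host and service names, and flattens the plugin output before writing. The function names and the COMMAND_FILE override are my own assumptions.

```shell
#!/bin/sh
# Hardened variant of submit_check_result (added example; function names and the
# COMMAND_FILE override are assumptions, not part of the original script).
# Trap text reaches this script unauthenticated, so nothing from it is written
# to the Nagios command file before it has been checked.

COMMAND_FILE="${COMMAND_FILE:-/usr/local/nagios/var/rw/nagios.cmd}"

# sanitize_output TEXT: newlines, carriage returns and ';' are replaced by
# spaces so the plugin output can neither split the PROCESS_SERVICE_CHECK_RESULT
# fields nor start a second external command on a new line.
sanitize_output() {
    printf '%s' "$1" | tr '\n\r;' '   ' | tr -s ' '
}

# valid_return_code N: true only for the four Nagios service states 0..3
valid_return_code() {
    case "$1" in
        0|1|2|3) return 0 ;;
        *)       return 1 ;;
    esac
}

# build_cmdline TIMESTAMP HOST SERVICE CODE OUTPUT: print the external command
# line on stdout, or print nothing and fail if the input is not acceptable.
build_cmdline() {
    ts="$1"; host="$2"; svc="$3"; code="$4"; out="$5"
    valid_return_code "$code" || return 1
    # host and service names are Nagios object keys: no separators allowed
    [ "$(printf '%s' "$host$svc" | tr -d ';\n\r')" = "$host$svc" ] || return 1
    printf '[%s] PROCESS_SERVICE_CHECK_RESULT;%s;%s;%s;%s\n' \
        "$ts" "$host" "$svc" "$code" "$(sanitize_output "$out")"
}

# submit_result HOST SERVICE CODE OUTPUT: what SNMPTT's EXEC line calls
submit_result() {
    line="$(build_cmdline "$(date +%s)" "$@")" || return 1
    printf '%s\n' "$line" >> "$COMMAND_FILE"
}

# run as a script only when called with the four arguments from SNMPTT
if [ "$#" -eq 4 ]; then
    submit_result "$@"
fi
```

Drop it in place of the original script at the same path; the EXEC lines in snmptt.conf need no change, and a trap carrying a bad state or a name with ';' is now silently dropped instead of reaching nagios.cmd.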
SNMPTT recognizes the MIBs/OIDs and sends the results to the submit_check_result script. submit_check_result processes the data and puts it in the external command file so Nagios can understand the data.

To check whether the script is being executed at all, you could put something like this in submit_check_result for testing:

logger -p WARNING SUBMIT_CHECK_RESULT_TEST

Then you should at least see something in /var/log/messages, BUT... Nagios is not recognizing the hosts/services yet... We continue..

# SEE MORE INFO: http://www.snmptt.org/docs/snmpttconvertmib.shtml
# MORE INFO: http://www.snmptt.org/docs/snmptt.shtml#Nagios-Netsaint

###############################################
### PASSIVE RESULTS FROM SYNCSORT IN NAGIOS ###
###############################################

To show trap results in Nagios, create a new service template. I call it just "passive_service" here for the test, but you might want to call it sophos_passive_service or anything else.

# passive check template
define service{
        name                            passive_service
        use                             generic-service
        active_checks_enabled           0
        passive_checks_enabled          1
        obsess_over_service             1
        flap_detection_enabled          1
        register                        0
        is_volatile                     0
        retain_status_information       1
        retain_nonstatus_information    1
        check_period                    24x7
        max_check_attempts              3
        normal_check_interval           60
        retry_check_interval            30
        contact_groups                  admins
        check_freshness                 1
        freshness_threshold             5000
        check_command                   give_ok
        }

add to commands.cfg:

define command{
        command_name    give_ok
        command_line    /usr/local/nagios/libexec/check_dummy 0 "OK: NO ERRORS RECEIVED.."
        }

(give_ok sets the status to OK if Nagios does not receive any results from Sophos, because there is no virus or alert in that case. If Nagios receives an error via SNMP, it goes critical, but watch the freshness_threshold carefully, or the error is gone again before you've noticed!!!)

In the case of "submit_check_result $r TEST 1" from the snmptt.conf, the service is called "TEST"; create a service that uses the passive service template, for the Sophos server name.

define service{
        use                     passive_service   ; the template defined above (the original read "passive_template", which does not match the template's name)
        host_name               your-sophos-server-name
        service_description     TEST              ; or whatever you used as service name above
        }

execute /usr/local/nagios/bin/nagios -v /usr/local/nagios/etc/nagios.cfg

If there are no errors, restart Nagios. Try to send some errors etc. from Sophos, and see in the web interface and/or logs whether you receive them.

######################################
### EXTRA INFORMATION ABOUT MIBS ETC #
######################################

### write your own MIBs ###
http://www.net-snmp.org/wiki/index.php/Writing_your_own_MIBs

### Sources ###
http://xavier.dusart.free.fr/joomla/index.php/en/nagios/47-traps-snmp-dans-nagios
http://www.net-snmp.org/tutorial/tutorial-5/commands/snmptrap.html
http://technotes.twosmallcoins.com/?p=369
http://www.sage.org/lists/sage-members-archive/2005/msg03326.html