From: "Mark Johnston"
To: 'Sêrêciya Kurdistanî'
cc: freebsd-isp@freebsd.org
Date: Thu, 10 Apr 2003 09:21:50 -0500
Subject: Re: (long) MRTG :: SELECT suggestions,recommendations,configurations FROM%expert_users

Sêrêciya Kurdistanî wrote:
>
> 1) On my FreeBSD router, do I need to install any snmp tools,
> ie ucd-snmp-4.2.6, net-snmp-5.0.6 etc in order to use
> mrtg and/or cricket?
>
> Suggestions/Recommendations:
>
> Look outs, pitfalls etc... please let me know ;)
>

Well, maybe. MRTG, in its regular configuration, uses SNMP to pull data from routers, so to use it in the standard way you'll need an SNMP daemon on your router.

However. If you want to get away without SNMP, it's also possible to run MRTG with arbitrary data. (q.v. RRDTool, a program from the MRTG author that's much more flexible for this kind of situation.) You can use a periodic script to take data from ipfw show/netstat/whatever and put it into your MRTG/RRD database on the same host, then generate your graphs from that. As a bonus, you can graph other useful things like load averages, mbufs, or vmstat.

To add a bit of complication, you probably don't want to install a bunch of graphing software and store your data right on your routers. Here's what I'd do:

Add a user account to each router. Set the password so the user can't log in, but make a .ssh/authorized_keys file in the home directory, and in that file specify 'command="stats_collect.pl"' before the key (see sshd(8) for more info.) That way, the user can log in only with the key, and can only execute the stats_collect.pl command. You may also want to use 'no-port-forwarding', 'no-X11-forwarding', and the like for better security.

Then, from your centralized host, use a periodic process to ssh into your routers with your key and collect the output from stats_collect.pl. You can then insert it into MRTG or RRDTool.

Keep in mind that if you want to use ipfw in your data collection script, you'll need to do some suid tricks (perhaps mode 4750 and a special ipfw group.) You can probably get all the data you're looking for from netstat if you don't want to do that.

I like this setup because you can collect data more flexibly than you can with SNMP, you get all the security of ssh, and you don't have to run another daemon on your routers. Bear in mind, though, that it's a significantly heavier load on your network (a full TCP connection instead of a couple of UDP packets) and CPU (SSH negotiation isn't cheap) than using SNMP.

HTH,
Mark
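
An added example, not part of the original message: a Python check that parses authorized_keys entries the way sshd(8) describes the options field and flags keys that lack the forced command or the forwarding restrictions recommended above. The sample entries, the placeholder key material and the `split_options`/`audit` names are constructed for illustration; as an assumption beyond the message, OpenSSH's later `restrict` option is accepted in place of the individual `no-*` options.

```python
import re

KEYTYPE = re.compile(r"^(ssh-|ecdsa-|sk-)")   # entry starts with the key: no options
WANTED = ("no-port-forwarding", "no-x11-forwarding")  # names are case-insensitive

# Constructed sample file; the key material is a placeholder, not a real key.
SAMPLE = """\
# stats collection keys
command="stats_collect.pl",no-port-forwarding,no-X11-forwarding ssh-rsa AAAAB3PLACEHOLDER collector@central
command="stats_collect.pl" ssh-rsa AAAAB3PLACEHOLDER collector@central
ssh-rsa AAAAB3PLACEHOLDER admin@laptop
"""

def split_options(line):
    """Return (options dict, remainder) for one authorized_keys entry."""
    if KEYTYPE.match(line):
        return {}, line
    opts, buf, in_quote, i = [], "", False, 0
    while i < len(line):
        ch = line[i]
        if ch == "\\" and in_quote and line[i + 1:i + 2] == '"':
            buf += '"'          # escaped quote inside a quoted value
            i += 2
            continue
        if ch == '"':
            in_quote = not in_quote
        elif ch == "," and not in_quote:
            opts.append(buf)
            buf = ""
        elif ch.isspace() and not in_quote:
            break               # first unquoted whitespace ends the options field
        else:
            buf += ch
        i += 1
    opts.append(buf)
    pairs = (o.partition("=") for o in opts)
    return {k.lower(): v for k, _, v in pairs}, line[i:].strip()

def audit(text, expected_command="stats_collect.pl"):
    """List (line number, problem) for entries looser than the message advises."""
    findings = []
    for n, raw in enumerate(text.splitlines(), 1):
        if not raw.strip() or raw.lstrip().startswith("#"):
            continue
        opts, _ = split_options(raw.strip())
        if opts.get("command") != expected_command:
            findings.append((n, "forced command missing or unexpected"))
        findings += [(n, "missing " + w) for w in WANTED
                     if w not in opts and "restrict" not in opts]
    return findings
```

Running `audit(SAMPLE)` reports the second and third entries: one has the forced command but no forwarding restrictions, the other is an unrestricted key that would give a full shell.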