Wednesday 21 December 2016

LibreNMS Installation and Configuration in RHEL 7

What is LibreNMS :

LibreNMS is an auto-discovering PHP/MySQL/SNMP based network monitoring tool. It includes support for a wide range of network hardware and operating systems such as Cisco, Linux, Juniper and many more. LibreNMS is a community-based fork of the latest GPL-licensed version of Observium.

Features :

  • Automatic Discovery
  • Customisable Alerting
  • API Access
  • Billing System
  • Automatic updates
  • Distributed Polling
Automatic Discovery :

LibreNMS automatically discovers our entire network using CDP, FDP, LLDP, OSPF, BGP, SNMP and ARP.

Customisable Alerting :

A highly flexible alerting system with notifications via email, IRC, Slack and more.

API Access :

A full API to manage, graph and retrieve data from our install.


Billing System :

Generate bandwidth bills for ports on your network based on usage or transfer.

Automatic Updates :

With this option LibreNMS updates itself automatically, picking up bug fixes, new features and more.

Distributed Polling :

Horizontal scaling to grow with your network.

More features 

  • NfSen
  • collectd
  • SmokePing
  • RANCID
  • Oxidized

NfSen :

NfSen is a graphical web-based front end for the nfdump netflow tools.

NfSen allows us to:
  1. Display netflow data, flows, packets and bytes using RRD (Round Robin Database)
  2. Easily navigate through the netflow data.
  3. Process the netflow data within the specified time span.
  4. Create history as well as continuous profiles.
  5. Set alerts, based on various conditions.
  6. Write our own plugin to process netflow data on a regular interval
For more details click here.

Collectd :

Collectd is a daemon which periodically collects system and application performance metrics and provides mechanisms to store the values in a variety of ways.

It gathers metrics from various sources such as the OS, applications, logs and external devices, and stores this information or makes it available over the network. It helps us monitor systems and find performance bottlenecks, and it can also be used to predict future system load.

For more details click here

SmokePing:

SmokePing keeps track of our network latency. It offers best-of-breed latency visualization, an interactive graph explorer, a wide range of measurement plugins, a master/slave system for distributed measurement, a highly configurable alerting system and live latency charts with the most interesting graphs. It is free and open source software written in Perl by Oetiker, the creator of MRTG and RRDtool.

RANCID :

RANCID monitors a router's configuration, including software and hardware, and uses CVS, Subversion or Git to maintain a history of changes.

For more details click here.

Oxidized : 

Oxidized is a network device configuration backup tool. It's a RANCID replacement.
  1. automatically adds/removes threads to meet configured retrieval interval.
  2. restful API to move node immediately to head-of-queue (GET/POST /node/next/[NODE])
  3. syslog udp+file example to catch config change event (ios/junos) and trigger config fetch
  4. will signal ios/junos user who made change, which output modules can use (via POST)
  5. The git output module uses this info - 'git blame' will for each line show who made the change 
  6. restful API to reload list of nodes (GET /reload)
  7. restful API to fetch configurations (/node/fetch/[NODE] or /node/fetch/group/[NODE])
  8. restful API to show list of nodes (GET /nodes)
  9. restful API to show list of version for a node (/node/version[NODE]) and diffs
For more details click here.

Multiple authentication methods :
  • Mysql
  • HTTP
  • LDAP
  • Radius
  • Active Directory

Installation :

LibreNMS installation requires root privileges.

The official RHEL 7 repo ships MariaDB instead of MySQL. Both work the same way; RHEL 7 is compatible with MariaDB only.

Step 1

Install mariaDB :

yum install mariadb-server mariadb

Start the MariaDB service

systemctl start mariadb

systemctl enable mariadb

Then log in to MariaDB as root

mysql -u root -p

Then create the database as below, or use your own names

CREATE DATABASE librenms;
GRANT ALL PRIVILEGES ON librenms.*
TO 'librenms'@'localhost'
IDENTIFIED BY '<password>'
;
FLUSH PRIVILEGES;
exit

Step 2

Edit the MariaDB configuration and add the line shown below.

vi /etc/my.cnf

Add the following line

innodb_file_per_table=1


Now restart the mariadb 

systemctl restart mariadb

Step 3

We need to install the necessary packages. First install epel-release, because a lot of the packages are available only in EPEL.

php-snmp, jwhois, graphviz, php-mcrypt and fping are all in EPEL only.

yum install epel-release -y

Now install the required packages

yum install php php-cli php-gd php-mysql php-snmp php-pear php-curl httpd net-snmp graphviz graphviz-php mysql ImageMagick jwhois nmap mtr rrdtool MySQL-python net-snmp-utils cronie php-mcrypt fping git

then

pear install Net_IPv4-1.3.4

pear install Net_IPv6-1.2.2b2

Make sure snmpd is started and enabled at boot

systemctl enable snmpd

systemctl start snmpd

Step 4

Configuration of snmp on localhost

Make a backup of the snmpd.conf file and create a new snmpd.conf file as below.

# Change public to your preferred SNMP community string
com2sec readonly  default         public

group MyROGroup v2c        readonly
view all    included  .1                               80
access MyROGroup ""      any       noauth    exact  all    none   none

syslocation Rack, Room, Building, City, Country [GPSX,Y]
syscontact Your Name <your@email.address>

#Distro Detection
extend .1.3.6.1.4.1.2021.7890.1 distro /usr/bin/distro

rocommunity public 127.0.0.1

save and exit
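
The snmpd.conf above keeps the well-known community public and a com2sec source of default, which matches any address. The check below is an added example, not part of the original post; the function name audit_snmpd_conf, the placeholder community and the 192.0.2.0/24 poller range are assumptions made for illustration.

```shell
#!/bin/sh
# Added example: audit snmpd.conf text for weak SNMP v1/v2c access settings.
# Reads the config on stdin, prints one finding per line, and returns
# non-zero when anything is flagged.
audit_snmpd_conf() {
    awk '
        function check(comm, src, kw) {
            if (comm == "public" || comm == "private") {
                printf "line %d: %s uses well-known community \"%s\"\n", NR, kw, comm
                bad = 1
            }
            if (src == "default" || src == "0.0.0.0/0") {
                printf "line %d: %s accepts queries from any source\n", NR, kw
                bad = 1
            }
        }
        NF == 0 || $1 ~ /^#/ { next }          # blank lines and comments
        # com2sec SECNAME SOURCE COMMUNITY
        $1 == "com2sec" && NF >= 4 { check($4, $3, $1) }
        # rocommunity/rwcommunity COMMUNITY [SOURCE]; no SOURCE means any host
        $1 ~ /^r[ow]community$/ && NF >= 2 { check($2, (NF >= 3 ? $3 : "default"), $1) }
        END { exit bad + 0 }
    '
}

# Sample input: the access-control lines of the snmpd.conf shown on this page.
PAGE_CONF='com2sec readonly  default         public
group MyROGroup v2c        readonly
rocommunity public 127.0.0.1'

# Constructed hardened variant: placeholder community, poller subnet only
# (192.0.2.0/24 is a documentation range; substitute your poller network).
HARDENED_CONF='com2sec readonly  192.0.2.0/24    EXAMPLE-COMMUNITY-CHANGE-ME
group MyROGroup v2c        readonly
rocommunity EXAMPLE-COMMUNITY-CHANGE-ME 127.0.0.1'

printf '%s\n' "$PAGE_CONF" | audit_snmpd_conf || echo "page config: findings listed above"
printf '%s\n' "$HARDENED_CONF" | audit_snmpd_conf && echo "hardened config: no findings"
```

To audit the live file, run `audit_snmpd_conf < /etc/snmp/snmpd.conf`.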

Step 5

LibreNMS user creation for apache.

useradd librenms -d /opt/librenms -M -r

usermod -a -G librenms apache


Make sure httpd starts at boot

systemctl enable httpd

Then set the timezone to your current city in php.ini

vi /etc/php.ini


and make sure that allow_url_fopen is enabled, as in the image below


Step 6

Now configure Apache for LibreNMS.

Add the lines below to /etc/httpd/conf.d/librenms.conf


<VirtualHost *:80>

  DocumentRoot /opt/librenms/html/
  ServerName  librenms.example.com
  CustomLog /opt/librenms/logs/access_log combined
  ErrorLog /opt/librenms/logs/error_log
  AllowEncodedSlashes NoDecode
  <Directory "/opt/librenms/html/">
    AllowOverride All
    Options FollowSymLinks MultiViews
    Require all granted
  </Directory>
</VirtualHost>

Most importantly, we need to remove or rename the welcome.conf file at /etc/httpd/conf.d/welcome.conf.

mv /etc/httpd/conf.d/welcome.conf /etc/httpd/conf.d/welcome.conf_bkp


Step 7

Download the package from Git, that is, clone the repository locally

cd /opt

git clone https://github.com/librenms/librenms.git librenms

cd /opt/librenms

To prepare for the web interface, we need to create some directories and make librenms their owner

mkdir rrd logs

chown -R librenms:librenms /opt/librenms

chmod 775 rrd

Most important: either disable SELinux or, to keep it enforcing, run the following commands so that httpd is allowed to use the LibreNMS directories.

yum install policycoreutils-python

semanage fcontext -a -t httpd_sys_content_t '/opt/librenms/logs(/.*)?'

semanage fcontext -a -t httpd_sys_rw_content_t '/opt/librenms/logs(/.*)?'

restorecon -RFvv /opt/librenms/logs/

Set SELinux to allow httpd to send mail

setsebool -P httpd_can_sendmail=1

Step 8

start the webserver

systemctl start httpd

Now open the URL in your browser and provide the required details.

If you face any issue there, close the browser and follow the manual steps below.

cp config.php.default config.php

vi config.php

Add the following line at the end

$config['fping'] = "/usr/sbin/fping";

Be sure there are no characters such as spaces or tabs outside of the <?php ?> blocks. If there are, the graphs will break.

Now initialize the database

pwd

/opt/librenms

php build-base.php

it will install all the required packages of php for librenms

create admin user with following command

php adduser.php username password 10 emailid

Now validate your installation

php validate.php

This checks the whole installation and verifies it. If the web portal has an issue, this command reports the error that occurred. If it reports OK, proceed below.

Now add your local SNMP host with the following command.

php addhost.php localhost public v2c

Replace public with your own community name and v2c with your own version.

now discover the local host with following command

php discovery.php -h all

Step 9

The polling method used by LibreNMS is poller-wrapper.py. By default the LibreNMS cronjob runs poller-wrapper.py with 16 threads. LibreNMS currently recommends using 4 threads per core. If no thread count is given, the default is 16 threads.

We can change the count using the command below.

/opt/librenms/poller-wrapper.py 12 >> /dev/null 2>&1

now create the cronjob

cp librenms.nonroot.cron /etc/cron.d/librenms

That's all. Now we can log in and start adding devices for monitoring.

Thursday 24 November 2016

Basic HAProxy Installation and configurations

What is HAProxy : 

HAProxy is a very fast and reliable solution for high availability and load balancing. It supports TCP and HTTP-based applications. Nowadays every website needs 99.9% uptime, which is not possible with a single-server setup. So we need a high-availability environment that can easily handle a single server failure.

http://www.loudsteve.com/wp-content/uploads/2009/04/haproxydiagram.jpg

Installation of HAProxy

Installing HAProxy is very easy; follow this simple step.

yum install haproxy -y

That's all; you only need internet access. After that there is little to configure: just add some lines to the HAProxy configuration file and start the service.

Configurations of HAProxy

The main configuration file is /etc/haproxy/haproxy.cfg; we need to add the details of the servers we want to reach through it. Follow the steps below.

Add the lines below at the end of the file

vi /etc/haproxy/haproxy.cfg

add below lines

######### Configure Frontend Server ################

frontend webapp
        bind *:80

        default_backend webserver

######### Configure Backend Server #################

backend webserver
        balance roundrobin
        server  web1 10.0.0.11:80 check
        server  web2 10.0.0.12:80 check
        server  web3 10.0.0.13:80 check
        server  web4 10.0.0.14:80 check

Save & Exit

Start the haproxy service and enable it to start at boot

In RHEL 6

service haproxy start
chkconfig haproxy on

In RHEL 7

systemctl start haproxy
systemctl enable haproxy

Note :

If your HTTP service is already running on port 80, change it to another port; otherwise HAProxy will fail to start.

Now try it in a web browser; it will work.


Wednesday 16 November 2016

Nagios Installations and configurations

What is Nagios :

Nagios, also known as Nagios Core, is an open source software application that monitors systems, networks and infrastructure. It also has an alerting system for servers, switches, applications and services.

Server Monitoring :

Nagios is one of the best monitoring tools for servers. It makes monitoring easy, with the flexibility of both agent-based and agentless monitoring. It has over 5000 different add-ons available to monitor servers.

Network Monitoring :

Nagios monitors the network for problems caused by overloaded data links or network connections, as well as switches, routers and more. It's easy to monitor the availability, uptime and response time of every node on the network.

Application Monitoring :

Implementing effective application monitoring with Nagios allows our organization to quickly detect application, service and process problems. When an application has a problem, it alerts the user who administers Nagios.

Installation :

Before installation we should ideally have root access on the server that will run Nagios.

Installation of Nagios 4 :

Step 1 

Install the dependencies listed below

yum install gcc glibc glibc-common gd gd-devel make net-snmp openssl-devel xinetd unzip -y

Step 2

Create nagios user and group for running Nagios.

useradd nagios

groupadd nagcmd

usermod -a -G nagcmd nagios

Step 3

Download the Nagios stable release and place it wherever you need it. I always use the /opt directory.

Nagios Core and the other open source packages can be downloaded from here.

Go to /opt

cd /opt

curl -L -O https://assets.nagios.com/downloads/nagioscore/releases/nagios-4.1.1.tar.gz

step 4

Extract the package in same location

tar -xvzf nagios-4.1.1.tar.gz

Rename nagios-4.1.1 to nagios

mv nagios-4.1.1 nagios

Step 5

Now let's install

cd nagios

./configure --with-command-group=nagcmd

after that

make all

now we need to install init script with following commands

make install
make install-commandmode
make install-init
make install-config
make install-webconf

We also need Apache to access Nagios, so we need to add the apache user to the nagcmd group.

usermod -a -G nagcmd apache

Nagios is now installed. Next we need to install the plugins for Nagios.

Installation of Nagios Plugin :

Step 1

Go to the /opt directory.

cd /opt

curl -L -O http://nagios-plugins.org/download/nagios-plugins-2.1.1.tar.gz

Step 2

Extract it on same location.

tar -xvzf nagios-plugins-2.1.1.tar.gz

cd nagios-plugins-2.1.1

Step 3

Configuring nagios plugin with following command

./configure --with-nagios-user=nagios --with-nagios-group=nagcmd --with-openssl

Now compile the nagios plugin with following command

make

now install with following command

make install

The Nagios plugin installation is now complete.

Installation of NRPE :

The latest NRPE release can be found at the link here.

Step 1

Download the NRPE and extract them.

cd /opt

curl -L -O http://downloads.sourceforge.net/project/nagios/nrpe-2.x/nrpe-2.15/nrpe-2.15.tar.gz

tar -xvzf nrpe-2.15.tar.gz

Step 2

Move to the directory and configure NRPE with the following command

./configure --enable-command-args --with-nagios-user=nagios --with-nagios-group=nagios --with-ssl=/usr/bin/openssl --with-ssl-lib=/usr/lib/x86_64-linux-gnu

Now we are ready to install NRPE and its init script with the following commands

make all
make install
make install-xinetd
make install-daemon-config

Step 3

Now open the xinetd startup script in your favorite editor

vi /etc/xinetd.d/nrpe

Modify the only_from line by adding your private IP address.

only_from = 127.0.0.1 192.168.0.0

Save and exit.

Now the Nagios server will be able to communicate with NRPE.

Now restart the xinetd service to start the NRPE service.

service xinetd restart

Step 4

Add the new command to our Nagios configuration. For this we need to add some lines to the commands.cfg file, as follows.

vi /usr/local/nagios/etc/objects/commands.cfg

Add the definition below to the end of the file

define command{
          command_name check_nrpe
          command_line $USER1$/check_nrpe -H $HOSTADDRESS$ -c $ARG1$
}

save & exit

This will allow us to use the check_nrpe command in nagios service definitions.

Configuration of Nagios :

Now we are going to make some changes to the Nagios default configuration.

Open the nagios.cfg file and remove the # symbol from the line mentioned below

vi /usr/local/nagios/etc/nagios.cfg

Find the line

#cfg_dir=/usr/local/nagios/etc/servers

and remove the # so that it reads

cfg_dir=/usr/local/nagios/etc/servers

Save & exit

Now create the directory that will store the Nagios configuration file for each server that you monitor.

mkdir /usr/local/nagios/etc/servers

Configuration of Notification :

Here we can add our mail ID for the alert notifications. All you need to do is configure the details in contacts.cfg

vi /usr/local/nagios/etc/objects/contacts.cfg

In that file, find the email directive and replace the value with your mail ID.

email            yourmailid       ;<<***** CHANGE THIS TO YOUR EMAIL ADDRESS *****

save & exit

Configurations of Apache :

Here you can set the password for the nagiosadmin web user. For this we use Apache's htpasswd.

htpasswd -c /usr/local/nagios/etc/htpasswd.users nagiosadmin

New password:

Re-type password: 

Adding password for nagiosadmin

If you don't want to use nagiosadmin as the admin username, then you have to edit the /usr/local/nagios/etc/cgi.cfg file and change the name as you wish.

Now restart the nagios and httpd service 

service nagios restart
service httpd restart

make sure you enable the nagios on startup

chkconfig nagios on

Configurations of Restricted Access by IP :

If you want the Nagios web interface to be accessible only from your system, then you have to edit the Nagios Apache configuration file.

vi /etc/httpd/conf.d/nagios.conf

Find the two lines mentioned below and add # in front of them.

Order allow,deny
Allow from all

Then remove the # from the lines mentioned below and add your IP to the Allow from line.

# Order deny,allow
# Deny from all
# Allow from 127.0.0.1 <- you can add your ip here 

As these lines appear multiple times, you have to do the same in each place.

save & exit

now restart nagios and httpd

service nagios restart
service httpd restart

We have now completed the configuration. Open Nagios in a web browser.

http://nagios_server_ip/nagios

It will ask for a username and password.

After that the page will appear like the image below.

That's all for the Nagios installation. Next I will come up with NRPE client configuration and adding hosts in Nagios.

Friday 11 November 2016

Elasticsearch password authentication

Elasticsearch password authentication & SSL Auth

What is elasticsearch:

Elasticsearch is a search engine based on Lucene. It provides a distributed, multitenant-capable full-text search engine with an HTTP web interface and schema-free JSON documents. Elasticsearch is developed in Java and released as open source under the terms of the Apache License.

Configuring user authentication in elasticsearch

It's very simple to configure Elasticsearch basic authentication. All you need to do is download the Shield package and license from the Elastic website and install them.

Below I have described how to install the Shield license and plugin.

Download the packages and place them wherever you want; I placed them in /opt.

Then go to the Elasticsearch location. I have a portable Elasticsearch in /opt, so I move to that directory and install the Shield plugin.

cd /opt/elasticsearch

ls



It will show us something like this. Then

bin/plugin install file:///opt/license.xx.xx.zip
bin/plugin install file:///opt/shield.xx.xx.zip

We have now completed the installation of the Shield plugin. All that remains is a simple step for authentication.

Role Based Access Control

We need to move to the Shield configuration location to configure the users and their roles, with which we'll be able to execute various APIs on Elasticsearch.

The Shield directory location will be /opt/elasticsearch/config/shield.
Go to that directory and check which roles have which permissions.

cd /opt/elasticsearch/config/shield

vi roles.yml


Admin role:

The admin role enables full access to the cluster and all its indices.

Power_user role:

The power_user role enables monitoring-only access on the cluster and full access on all its indices.

User role:

The user role has no cluster-wide permissions and only has read access to the data on all its indices.

For basic authentication we don't need to change anything in the roles.yml file that comes with Shield. It already defines the required default roles listed above.

User creation per permissions

We already know the user permissions that Shield provides. Now we need to create the users with their passwords and required roles.

Now I'm going to create one user with the admin role and another with the user role.

For that, Shield has internal users, and the esusers tool that manages them comes with Shield.

cd /opt/elasticsearch

bin/shield/esusers useradd rain -p 'R@!N@1234' -r admin

In the above command

-p - refers to the password

-r - refers to the roles

admin - refers to the admin role

The password is single-quoted so that the shell does not treat ! as history expansion.

bin/shield/esusers useradd pearl -p 'PE@R!@1234' -r user

now we have completed the user creation and password authentication. 

Verify the shield installation

Once Elasticsearch has started, we can use the curl command to check whether Shield is installed correctly.

curl --user 'rain:R@!N@1234' 'localhost:9200/_shield'

{
  "status" : "enabled",
  "name" : "rain",
  "cluster_name" : "Test.elasticseach.com",
  "version" : {
    "number" : "2.3.3",
    "build_hash" : "8a3e9756c34e3110c49fd3a81a5ac90a83dc2eaa",
    "build_timestamp" : "2016-05-17T16:35:12Z",
    "build_snapshot" : false
  },
  "tagline" : "You Know, for Security"

}

If result appear like above then your configuration completed successfully.

SSL Auth:

We need to place the SSL keystore file in the Elasticsearch directory and reference it in elasticsearch.yml. Follow my lead.

Go to the Elasticsearch directory

cd /opt/elasticsearch

Place or copy the SSL file there

Make sure the file is owned by the appropriate user

chown test:test test.jks

Now we need to add the location of this jks file to elasticsearch.yml.

vi config/elasticsearch.yml

Go to the last line and add the following lines

shield.ssl.keystore.path:          /opt/elasticsearch/test.jks
shield.ssl.keystore.password:      test123
shield.transport.ssl: true
shield.http.ssl: true 

Now restart Elasticsearch and check; it will work perfectly.
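
Because elasticsearch.yml now holds shield.ssl.keystore.password in clear text, both that file and the keystore it points to should be accessible by their owner only. The check below is an added example, not part of the original post; the function name check_shield_secret_perms and the scratch files are assumptions, and it relies on GNU stat.

```shell
#!/bin/sh
# Added example: verify that elasticsearch.yml and the keystore named by
# shield.ssl.keystore.path carry no group or other permission bits.
# Prints each offending path and returns non-zero if any is found.
check_shield_secret_perms() {
    yml=$1
    rc=0
    # Keystore path as configured in the yml, surrounding whitespace trimmed.
    ks=$(sed -n 's/^[[:space:]]*shield\.ssl\.keystore\.path:[[:space:]]*\(.*[^[:space:]]\)[[:space:]]*$/\1/p' "$yml" | head -n 1)
    for f in "$yml" "$ks"; do
        [ -n "$f" ] || continue
        if [ ! -e "$f" ]; then
            echo "missing: $f"
            rc=1
            continue
        fi
        mode=$(stat -c '%a' "$f")           # octal mode, e.g. 644 (GNU stat)
        case $mode in
            0|*00) ;;                       # owner-only access
            *) echo "too permissive ($mode): $f"; rc=1 ;;
        esac
    done
    return "$rc"
}

# Constructed demo in a scratch directory, using the key names from this page.
demo_dir=$(mktemp -d)
: > "$demo_dir/test.jks"
printf 'shield.ssl.keystore.path:          %s\nshield.ssl.keystore.password:      test123\n' \
    "$demo_dir/test.jks" > "$demo_dir/elasticsearch.yml"

chmod 644 "$demo_dir/test.jks" "$demo_dir/elasticsearch.yml"
check_shield_secret_perms "$demo_dir/elasticsearch.yml" || echo "fix with: chmod 600 <file>"

chmod 600 "$demo_dir/test.jks" "$demo_dir/elasticsearch.yml"
check_shield_secret_perms "$demo_dir/elasticsearch.yml" && echo "ok: owner-only"
rm -rf "$demo_dir"
```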

Permanent hostname setup for RHEL7

Step 1 Set the host name on NMTUI tool like following nmtui set host name   then save and exit Step 2 add the following l...