This section describes the installation of the master server components.
Ensure that mysql starts automatically (e.g. 'chkconfig mysql on' on RedHat/Suse systems or 'update-rc.d mysql defaults' on Debian based systems).
Add the path to 'mysql' to your PATH for ease of use.
Create a symbolic link /mysqldata pointing to the MySQL database directory, for example /var/lib/mysql. Most of this documentation refers to /mysqldata for brevity.
ln -s /var/lib/mysql /mysqldata
my.cnf
Compare your /etc/my.cnf (or /etc/mysql/my.cnf) with /opt/nac/contrib/etc/my.cnf for parameters that may need to be set in the [mysqld] section.
The most important parameters to check are:
log-bin and report-host should include the hostname. On the master this might be vmps1, on secondaries vmps2, vmps3, etc.:
log-bin = vmps1-bin
log-warnings
report-host = vmps1
server-id = 10 [10 for master, 20 for slave1, 20 for slave 2 etc..]
relay-log=vmps1-relay-bin
replicate-do-db= opennac
replicate-wild-ignore-table= opennac.vmpsauth%
On Ubuntu 7.10, log-bin is configured with the full path and should include the hostname. It may also be called log_bin rather than log-bin:
log-bin = /var/log/mysql/vmps1-bin.log
Consider increasing the connection timeouts to avoid spurious disconnections on low-traffic networks; add the following:
interactive_timeout = 604800
wait_timeout = 604800
MySQL needs to be listening on the network on port 3306, but it might be bound only to localhost (e.g. the Ubuntu default). Check the bind-address parameter and comment it out:
#bind-address = 127.0.0.1
Each server can insert data locally; changes are replicated to the other servers and must not conflict. Tables must therefore use auto-increment keys, with the auto-increment stepping configured differently on each server, which avoids replication conflicts. An auto_increment_increment value of 5 allows a maximum of 5 servers. Each server must have a different auto_increment_offset (1 for the first, or main, server, 2 for the second, etc.)
auto_increment_increment= 5
auto_increment_offset = 1 [1 for vmps1, 2 for vmps2, 3 for vmps3 ...]
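As an added example (not part of FreeNAC or of this guide), the following shell function checks the [mysqld] section of a my.cnf for the settings discussed above: a binary log and a server-id present, bind-address not pinned to 127.0.0.1, auto_increment_increment and auto_increment_offset consistent with each other, and replicate-do-db naming the opennac database. The two sample configurations are constructed for the demonstration; the function names and messages are my own.

```sh
#!/bin/sh
# Added example (not FreeNAC code): validate the [mysqld] section of a my.cnf
# against the replication settings described in this section.
# Usage: check_mycnf < /etc/my.cnf   -> prints FAIL lines, returns 0 if all pass

# Reduce the [mysqld] section to "key=value" lines; underscores in key names
# become dashes so that log_bin and log-bin compare equal.
mysqld_section() {
    awk -F= '
        /^[ \t]*\[/ { in_mysqld = ($0 ~ /\[mysqld\]/); next }
        !in_mysqld || /^[ \t]*(#|$)/ { next }
        {
            key = $1; gsub(/[ \t]/, "", key); gsub(/_/, "-", key)
            val = ""
            if (NF > 1) { val = $2; gsub(/^[ \t]+|[ \t]+$/, "", val) }
            print key "=" val
        }'
}

conf_has() { printf '%s\n' "$CONF" | grep -q "^$1="; }
conf_val() { printf '%s\n' "$CONF" | sed -n "s/^$1=//p" | head -n 1; }

check_mycnf() {
    CONF=$(mysqld_section)
    rc=0
    conf_has log-bin   || { echo "FAIL: log-bin not set; without a binary log there is nothing to replicate"; rc=1; }
    conf_has server-id || { echo "FAIL: server-id missing; it must be set and unique per server"; rc=1; }
    [ "$(conf_val bind-address)" != "127.0.0.1" ] ||
        { echo "FAIL: bind-address=127.0.0.1 is active; peers cannot reach port 3306"; rc=1; }
    inc=$(conf_val auto-increment-increment)
    off=$(conf_val auto-increment-offset)
    case "$inc" in ''|*[!0-9]*) echo "FAIL: auto_increment_increment not set"; rc=1; inc=0 ;; esac
    case "$off" in
        ''|*[!0-9]*) echo "FAIL: auto_increment_offset not set"; rc=1 ;;
        *) [ "$off" -ge 1 ] && [ "$off" -le "$inc" ] ||
               { echo "FAIL: auto_increment_offset $off is outside 1..$inc"; rc=1; } ;;
    esac
    [ "$(conf_val replicate-do-db)" = "opennac" ] ||
        { echo "FAIL: replicate-do-db should name the opennac database"; rc=1; }
    return $rc
}

# Constructed sample 1: an Ubuntu-style default that will not replicate
# (server-id sits in the wrong section, offset is out of range).
BAD_CNF='[mysqld]
bind-address = 127.0.0.1
log_bin = /var/log/mysql/vmps1-bin.log
auto_increment_increment = 5
auto_increment_offset = 7
[mysqld_safe]
server-id = 10'

# Constructed sample 2: the settings this section asks for on vmps1.
GOOD_CNF='[mysqld]
#bind-address = 127.0.0.1
log-bin = vmps1-bin
log-warnings
report-host = vmps1
server-id = 10
relay-log = vmps1-relay-bin
replicate-do-db = opennac
replicate-wild-ignore-table = opennac.vmpsauth%
interactive_timeout = 604800
wait_timeout = 604800
auto_increment_increment = 5
auto_increment_offset = 1'

echo "== constructed good config"; printf '%s\n' "$GOOD_CNF" | check_mycnf && echo "OK"
echo "== constructed bad config";  printf '%s\n' "$BAD_CNF"  | check_mycnf || echo "fix my.cnf before starting replication"
```

Run it as `check_mycnf < /etc/my.cnf` on each server before restarting mysql; the offset range check is what catches a copy-and-pasted my.cnf that still carries another server's auto_increment_offset.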
Ensure the mysql user can write to the database files (this is usually the case).
chown -R mysql /mysqldata /var/lib/mysql
Ensure that /etc/init.d/mysql exists and automatic start is enabled. Finally, restart mysql so that the changes you made to my.cnf take effect:
/etc/init.d/mysql restart
You can check that mysql is running with netstat, and verify that mysqld is now bound to 0.0.0.0 rather than 127.0.0.1 only:
$ netstat -anp|grep mysql
Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address Foreign Address State PID/Program name
tcp 0 0 0.0.0.0:3306 0.0.0.0:* LISTEN 5666/mysqld
cd /mysqldata
cp /opt/nac/contrib/opennac_db.tar.gz .
tar xvzf opennac_db.tar.gz
For a new master server: install an initial set of empty FreeNAC tables for the 'opennac' database, backing up the existing tables first. (Note: you may need to prefix each command with sudo, depending on the permissions of the directory. During a first install there is no opennac database to back up yet.)
cd /mysqldata
cp -R opennac opennac.$$
mysql -u root -p -e "create database opennac;"
mysql -u root -p opennac < tables.sql
mysql -u root -p opennac < values.sql
As of v2.2 RC3, we provide a permissions.sql file, so you don't have to worry about setting permissions by hand.
cd /mysqldata
mysql -u root opennac < permissions.sql
Check /mysqldata/localhost.err for errors (or wherever your log file resides, e.g. /var/log/mysql.err or syslog: 'grep mysqld /var/log/syslog').
Log in to mysql to check connectivity:
mysql opennac
show tables;
select * from port;
By default the permissions script above, and the default config.inc use the password 'PASSWORD2' to connect to the database and thus be able to run the daemons.
It is important for security to change the passwords from the default values.
Connect first as root to the mysql database:
mysql -u root -p mysql
Then execute the following commands to change the passwords:
SET PASSWORD FOR inventwrite@localhost=PASSWORD('NEW_PASSWORD2');
SET PASSWORD FOR inventwrite@'%'=PASSWORD('NEW_PASSWORD1');
NEW_PASSWORD2 is the password you'll use in your config.inc file and NEW_PASSWORD1 will be used by the Windows GUI.
The cron tool is where all regular tasks are done to keep the system healthy. The following are recommended regular tasks.
The following crontab entries are for FreeNAC v3.0. For versions prior to this one, you don't need to include the .php extension at the end of the script name.
Master server: Remove 'unknowns' from the DB, that were never authorised and are very old:
0 1 * * 1 /opt/nac/bin/purge_unknowns.php
Clean up MySQL logs on the 1st of each month. In this example the absolute path of the mysql binary is the one shown below; adjust it for your system.
0 6 30 * 1 /usr/bin/mysql -uroot -e "PURGE MASTER LOGS BEFORE DATE_SUB( NOW( ), INTERVAL 30 DAY);"
Optional: the following scripts back up the system in different ways to the second internal disk. They are highly system specific, so make sure you understand, tune and test them (e.g. you will need a '/disk2' partition). Remember to adjust any path according to your system.
0 3 * * 1-5 /opt/nac/bin/dump_ports.php
0 3 * * 1 /usr/bin/mysqlhotcopy --allowold --keepold --regexp=".+" /disk2/backups/mysql 2>&1 | logger
Adapt the MySQL path to your distribution
The following has to be done in the event that you don't have a permissions file (releases prior to 2.2RC3)
There are 3 mysql users needed for accessing the database.
A. Local daemon user for PHP scripts: inventwrite@localhost
B. A user for the remote Delphi Windows GUI: inventwrite@'%'
C. Root is used by the sysadmin for local configuration. By default root is only allowed from localhost and has no password. It is recommended that you set a password for the mysql root user if the NAC server login is accessible to several users.
Local daemon user for PHP scripts (set the user/pw in /opt/nac/config.inc):
grant SELECT,INSERT,UPDATE ON opennac.* to inventwrite@localhost IDENTIFIED by 'PASSWORD2';
SET PASSWORD FOR inventwrite@localhost = OLD_PASSWORD('PASSWORD2');
grant SELECT,INSERT,UPDATE,DELETE ON opennac.systems to inventwrite@localhost;
grant CREATE TEMPORARY TABLES ON opennac.* to inventwrite@localhost;
grant ALL ON opennac.vmpsauth to inventwrite@localhost;
Remote Delphi Windows GUI user. See also the vmps.ini file on the Windows client.
grant SELECT,INSERT ON opennac.* to inventwrite@'%' IDENTIFIED by 'PASSWORD1';
SET PASSWORD FOR inventwrite@'%' = OLD_PASSWORD('PASSWORD1');
grant SELECT,UPDATE ON opennac.oper to inventwrite@'%' ;
grant SELECT,UPDATE ON opennac.config to inventwrite@'%' ;
grant SELECT,INSERT,UPDATE,DELETE ON opennac.building to inventwrite@'%' ;
grant SELECT,INSERT,UPDATE,DELETE ON opennac.location to inventwrite@'%' ;
grant SELECT,INSERT,UPDATE,DELETE ON opennac.port to inventwrite@'%' ;
grant SELECT,INSERT,UPDATE,DELETE ON opennac.switch to inventwrite@'%' ;
grant SELECT,INSERT,UPDATE,DELETE ON opennac.vlan to inventwrite@'%' ;
grant SELECT,INSERT,UPDATE,DELETE ON opennac.systems to inventwrite@'%';
grant SELECT,INSERT,UPDATE,DELETE ON opennac.users to inventwrite@'%' ;
grant SELECT,INSERT,UPDATE,DELETE ON opennac.patchcable to inventwrite@'%';
grant SELECT,INSERT,UPDATE,DELETE ON opennac.vlanswitch to inventwrite@'%' ;
grant SELECT,INSERT,UPDATE,DELETE ON opennac.cabletype to inventwrite@'%' ;
grant SELECT,INSERT,UPDATE,DELETE ON opennac.sys_class to inventwrite@'%' ;
grant SELECT,INSERT,UPDATE,DELETE ON opennac.sys_class2 to inventwrite@'%' ;
grant SELECT,INSERT,UPDATE,DELETE ON opennac.sys_os to inventwrite@'%';
grant SELECT,INSERT,UPDATE,DELETE ON opennac.sys_os1 to inventwrite@'%';
grant SELECT,INSERT,UPDATE,DELETE ON opennac.sys_os2 to inventwrite@'%';
grant SELECT,INSERT,UPDATE,DELETE ON opennac.sys_os3 to inventwrite@'%';
We normally leave a blank password and expect a dedicated server to be used for FreeNAC. The scripts also expect a blank password.
Optional: if the NAC server is not used exclusively by one administrator, you may want to set a local root password for mysql. This makes administration more difficult, though, and some cron scripts will need to be adapted to provide a password.
mysqladmin -u root password 'new-password'
mysqladmin -u root -h MYHOST password 'new-password'
This document explains how to setup MySQL replication between master and slaves.
References: See also http://dev.mysql.com/doc/refman/5.0/en/replication-howto.html
Since FreeNAC Version 3.0.1, the MySQL database is configured to run in a so called 'multiple-master' scenario, meaning that each server is both a master and a slave in MySQL terminology. So each server queries updates from others (a slave), and makes any updates which were made to its dataset available to other servers (master).
Therefore replication must be set up in each direction, for each server. Let's assume we have two servers, vmps1 (our 'main' or primary server) and vmps2.
It is possible to have more than two servers (using the mysql relay_log), but this has not been tested or documented in FreeNAC yet.
The procedure is basically as follows:
First get vmps1 (the main server) running, with actual data.
A) configure vmps1 to share its data, copy an initial dataset to vmps2, configure vmps2 to retrieve updates via replication
B) configure vmps2 to share its updates, and vmps1 to retrieve these via replication
Replace the following in the examples below:
SERVER2.DOMAIN the FQDN of your slave
repl Replication username
REPL_PASSWD Replication password
opennac Name of your database (this was 'inventory' prior to NAC v2.2).
"vmps2" is a MySQL slave, and "vmps1" is a MySQL master.
Allow vmps2 the right to get replication updates from vmps1.
Note: it is important that the master name corresponds to the DNS name in the GRANT statement below; otherwise use its IP address. Check /mysqldata/mysqld.log for errors.
GRANT SELECT, PROCESS, FILE, SUPER, REPLICATION CLIENT, REPLICATION SLAVE ON *.* TO 'repl'@'vmps2' IDENTIFIED BY 'REPL_PASSWD';
SHOW MASTER STATUS;
Purge unneeded logs on the master:
PURGE MASTER LOGS TO 'SERVER-bin.NUMBER'
[the exact name comes from the File field in the 'show master status' above]
0) On the slave, vmps2
stop slave;
1) On the master, vmps1: Lock the tables, note log position, restart
mysql> FLUSH TABLES WITH READ LOCK;
vmps1:$ cd /mysqldata; tar cvf opennac.tar opennac
mysql> SHOW MASTER STATUS;
+------------------------+----------+--------------+------------------+
| File | Position | Binlog_Do_DB | Binlog_Ignore_DB |
+------------------------+----------+--------------+------------------+
| vmps1-bin.000027 | 12717436 | | |
==> take note of the position
mysql> UNLOCK TABLES;
2) Slave vmps2:
Stop mysql
/etc/init.d/mysql stop
Copy DB tar file from master & extract:
cd /mysqldata && mv opennac opennac.$$
scp vmps1:/mysqldata/opennac.tar .
tar xvf opennac.tar
chmod 770 opennac; chmod g+s opennac; chown -R mysql:mysql opennac;
Configure slave: start daemon with slave off
/usr/sbin/mysqld --skip-slave-start --log-warnings &
Start mysql client (on vmps2):
mysql> reset slave;
CHANGE MASTER: replace YYYY (the replication password, REPL_PASSWD), 'FILE_NAME' and ZZZZ with the values from the 'show master status' above:
mysql> CHANGE MASTER TO MASTER_HOST='vmps1', MASTER_USER='repl', MASTER_PASSWORD='YYYY', MASTER_LOG_FILE='FILE_NAME', MASTER_LOG_POS=ZZZZ;
Start replication:
START SLAVE;
show slave status \G;
Check the log position with that on the master:
show master status;
Empty the vmpsauth table, which is the only local table:
DELETE FROM opennac.vmpsauth;
Also check the slave mysql log (or syslog) for errors.
If all looks fine, stop the slave:
/etc/init.d/mysql stop
Check with 'ps' to make sure mysql is dead; otherwise use 'kill' with the PID of the mysql process.
Then start mysql normally
/etc/init.d/mysql start
If vmps is configured already, restart that too. If this is a first time installation, wait.
/etc/init.d/vmps restart;
/etc/init.d/postconnect restart;
tail -f /var/log/messages | grep vmpsd_external
"vmps1" is a MySQL slave, and "vmps2" is a MySQL master.
Note: it is important that the master name corresponds to the DNS name in the GRANT statement below; otherwise use its IP address. Check /mysqldata/mysqld.log for errors.
On the vmps2 mysql prompt:
GRANT SELECT, PROCESS, FILE, SUPER, REPLICATION CLIENT, REPLICATION SLAVE ON *.* TO 'repl'@'vmps1' IDENTIFIED BY 'REPL_PASSWD';
SHOW MASTER STATUS;
Now vmps2 is already humming along (due to the procedure in section A) with a copy of vmps1's data, and is retrieving vmps1's updates via replication. Since then there may have been updates to vmps2, though.
To see what logs vmps2 has, the name of the current log and position:
show binary logs;
show master status;
Now lets look at the updates in the current log:
show binlog events limit 20;
This lists the SQL statements in the current log (the first 20 with the limit above), allowing you to verify that they make sense.
Start the mysql client and tell the replication to start at the initial position of the log on vmps2 (see also the output of show master status on vmps2):
mysql> reset slave;
mysql> CHANGE MASTER TO MASTER_HOST='vmps2', MASTER_USER='repl', MASTER_PASSWORD='REPL_PASSWD', MASTER_LOG_FILE='vmps2-bin.000001', MASTER_LOG_POS=1;
Start replication:
start slave;
show slave status \G;
Verify that the master log position is correct, Slave_IO_Running: Yes and Slave_SQL_Running: Yes. Last_Error should be empty.
Check the log position with that on vmps2:
show master status;
Check the mysql log (/mysqldata/mysql.log or syslog) for errors.
Double check replication: on vmps2, insert some data
insert into naclog set what='test2';
select * from naclog order by id desc limit 10;
on vmps2, see if it appears as expected:
select * from naclog order by id desc limit 10;
The id of the inserted row should have an increment offset of 2.
It has happened to us that replication stops due to an invalid query.
Replication is OK on a slave if
show slave status \G;
reports that the master log position is correct, Slave_IO_Running: Yes and Slave_SQL_Running: Yes. Last_Error should be empty.
For example, let's say Slave_SQL_Running was 'No'. To see why, examine the Last_Error entry, which may list the SQL statement causing the problem, and then the mysql log (/mysqldata/mysql.log or syslog).
Let's assume that you understand the SQL statement, decide it's not a big problem and just want to ignore it. Fix it by stopping the slave and skipping the query causing the problem:
stop slave;
SET GLOBAL SQL_SLAVE_SKIP_COUNTER=1;
start slave;
show slave status \G;
It now skips to the next error, for example:
Slave_SQL_Running: No
Last_Error: Error 'Unknown table 'opennac.v_1'' on query. Default database: 'opennac'. Query: 'DROP VIEW v_1'
Pending log events can also be examined:
show binlog events limit 100;
show warnings;
To get through these difficult queries, it may be necessary to repeat the above.
More reading:
http://dev.mysql.com/doc/refman/5.0/en/set-global-sql-slave-skip-counter...
http://dev.mysql.com/doc/refman/5.1/en/replication-options.html
Activate monitor_mysql_slave - call it from cron on all servers (since all servers are slaves), e.g. every 5 minutes during office hours:
*/5 7-18 * * 1-5 /opt/nac/bin/monitor_mysql_slave
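The health criteria given above (Slave_IO_Running and Slave_SQL_Running both Yes, Last_Error empty) can be checked mechanically from the output of SHOW SLAVE STATUS \G. The shell function below is an added example, not FreeNAC's own monitor_mysql_slave script (which is not shown on this page); the two status samples are constructed, modelled on the master status and the DROP VIEW error shown earlier, and the 300-second lag threshold is an assumption of mine.

```sh
#!/bin/sh
# Added example (not FreeNAC code; /opt/nac/bin/monitor_mysql_slave itself is
# not shown on this page): apply the replication health criteria above to the
# output of "SHOW SLAVE STATUS \G". Usage from cron, e.g. every 5 minutes:
#   mysql -e 'SHOW SLAVE STATUS \G' | slave_ok || mail -s "replication broken on $(hostname)" root
# Returns 0 when replication is healthy, 1 otherwise, printing each problem found.

# Extract one "   Field: value" line of \G output from stdin (empty if absent).
field() { sed -n "s/^[[:space:]]*$1: *//p" | head -n 1; }

# Assumed threshold: how far the SQL thread may lag before we alert.
MAX_LAG_SECONDS=300

slave_ok() {
    status=$(cat)
    rc=0
    io=$(printf '%s\n' "$status" | field Slave_IO_Running)
    sql=$(printf '%s\n' "$status" | field Slave_SQL_Running)
    err=$(printf '%s\n' "$status" | field Last_Error)
    lag=$(printf '%s\n' "$status" | field Seconds_Behind_Master)
    [ "$io" = "Yes" ]  || { echo "PROBLEM: Slave_IO_Running=$io"; rc=1; }
    [ "$sql" = "Yes" ] || { echo "PROBLEM: Slave_SQL_Running=$sql"; rc=1; }
    [ -z "$err" ]      || { echo "PROBLEM: Last_Error: $err"; rc=1; }
    case "$lag" in
        ''|*[!0-9]*) ;;   # NULL while a thread is stopped; already reported above
        *) [ "$lag" -le "$MAX_LAG_SECONDS" ] ||
               { echo "PROBLEM: $lag seconds behind master"; rc=1; } ;;
    esac
    if [ $rc -eq 0 ]; then echo "replication OK"; fi
    return $rc
}

# Constructed sample of a healthy slave (values modelled on the examples above).
HEALTHY=$(cat <<'EOF'
*************************** 1. row ***************************
               Slave_IO_State: Waiting for master to send event
                  Master_Host: vmps1
                  Master_User: repl
              Master_Log_File: vmps1-bin.000027
          Read_Master_Log_Pos: 12717436
             Slave_IO_Running: Yes
            Slave_SQL_Running: Yes
                   Last_Error:
          Exec_Master_Log_Pos: 12717436
        Seconds_Behind_Master: 0
EOF
)

# Constructed sample of a slave stopped on the invalid query shown above.
BROKEN=$(cat <<'EOF'
*************************** 1. row ***************************
                  Master_Host: vmps2
                  Master_User: repl
             Slave_IO_Running: Yes
            Slave_SQL_Running: No
                   Last_Error: Error 'Unknown table 'opennac.v_1'' on query. Default database: 'opennac'. Query: 'DROP VIEW v_1'
        Seconds_Behind_Master: NULL
EOF
)

echo "== healthy sample"; printf '%s\n' "$HEALTHY" | slave_ok
echo "== broken sample";  printf '%s\n' "$BROKEN"  | slave_ok || echo "(an alert would be sent here)"
```

Because every server is a slave in the multiple-master setup, the same check belongs in cron on each of them; the printed PROBLEM lines are what you would mail to the administrator.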
The NAC main server needs to have a syslog server to collect messages locally, and from any secondary servers. The secondaries are configured to send a copy.
It's also useful, though not mandatory, for switches to send a copy of their events via syslog too.
Configure the syslog daemon to listen on the network for messages, e.g. by starting it with the "-r" option. Syslog-ng needs a directive for the network interface. Some examples: in /etc/init.d/sysklogd, change
SYSLOGD=""
to
SYSLOGD="-u syslog -r"
If you install syslog-ng on Ubuntu, locate the line
# udp();
in syslog-ng.conf and uncomment it.
Create a symlink pointing to your syslog startup file, so if for example you are using sysklogd, do:
ln -s /etc/init.d/sysklogd /etc/init.d/syslog
or in case you are using syslog-ng
ln -s /etc/init.d/syslog-ng /etc/init.d/syslog
We assume that /etc/init.d/syslog is a valid link to your syslog, for the rotate scripts mentioned below.
Configure a syslog client to send a copy of messages to the server.
First add a 'loghost' alias to /etc/hosts, then configure syslog:
1. Classical syslog: Add the following to the bottom of /etc/syslog.conf, note that there is a tab (not a space) between the two fields.
*.info @loghost
2. Syslog-ng: Add the following to /etc/syslog-ng/syslog-ng.conf (example for Ubuntu 7.10)
## Forward *.info to loghost
filter f_info { level(info) ; };
destination network { udp("loghost" port(514)); };
log { source(s_all); filter(f_info); destination(network); };
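For the classical-syslog client setup just described, the following added example (not FreeNAC code) checks the two things that usually go wrong: the 'loghost' alias missing from /etc/hosts, and the "*.info @loghost" rule written with spaces instead of the tab that this guide requires. The sample hosts and syslog.conf files are constructed, with made-up addresses.

```sh
#!/bin/sh
# Added example (not FreeNAC code): verify the classical-syslog client setup
# described above: /etc/hosts resolves the 'loghost' alias, and
# /etc/syslog.conf has a "*.info @loghost" rule whose two fields are separated
# by a TAB, as this guide requires.
# Usage: check_syslog_client /etc/hosts /etc/syslog.conf

TAB=$(printf '\t')

check_syslog_client() {
    hosts=$1; conf=$2; rc=0
    # an uncommented hosts line with "loghost" among its names
    grep -v '^[[:space:]]*#' "$hosts" | grep -Eq '[[:space:]]loghost([[:space:]]|$)' ||
        { echo "FAIL: no 'loghost' alias in $hosts"; rc=1; }
    if grep -Eq '^\*\.info[[:space:]]+@loghost' "$conf"; then
        # rule is present; now insist that the separator is made of tabs only
        grep -Eq "^\*\.info${TAB}+@loghost" "$conf" ||
            { echo "FAIL: the '*.info @loghost' rule in $conf is separated by spaces, not a TAB"; rc=1; }
    else
        echo "FAIL: no '*.info @loghost' rule in $conf"; rc=1
    fi
    return $rc
}

# Constructed samples (addresses and host names are made up).
write_syslog_samples() {
    d=$1
    printf '127.0.0.1\tlocalhost\n10.0.0.5\tvmps1.example.net vmps1 loghost\n' > "$d/hosts"
    printf '127.0.0.1\tlocalhost\n10.0.0.5\tvmps1.example.net vmps1\n' > "$d/hosts.noalias"
    printf '*.emerg\t*\n*.info\t@loghost\n' > "$d/syslog.conf.tab"
    printf '*.emerg\t*\n*.info @loghost\n' > "$d/syslog.conf.space"   # space-separated, which this guide warns against
}

D=$(mktemp -d)
write_syslog_samples "$D"
for c in syslog.conf.tab syslog.conf.space; do
    echo "== $c"; check_syslog_client "$D/hosts" "$D/$c" && echo "OK"
done
rm -rf "$D"
```

After the configuration passes this check, the logger/grep test given later in this chapter confirms end to end that messages actually arrive on the main server.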
Secondary servers: use the default Linux log rotation mechanisms, or optionally, the mechanisms below.
Main server: it's important to ensure that logs are regularly archived and rotated, and that syslog is working as expected.
Syslog-ng: Add the following to /etc/syslog-ng/syslog-ng.conf (example for Ubuntu 7.10)
Find the following section in syslog-ng.conf
# all messages of info, notice, or warn priority not coming form the auth,
# authpriv, cron, daemon, mail, and news facilities
filter f_messages {
level(info,notice,warn)
and not facility(auth,authpriv,cron,daemon,mail,news);
};
and change it as follows
# all messages of info, notice, or warn priority not coming form the auth,
# authpriv, cron, daemon, mail, and news facilities
filter f_messages {
level(info..emerg)
and not facility(auth,authpriv,cron,mail,news);
};
and comment out the following sections:
log {
source(s_all);
filter(f_syslog);
destination(df_syslog);
};
log {
source(s_all);
filter(f_daemon);
destination(df_daemon);
};
A log pruning configuration file is provided with FreeNAC, which focusses on /var/log/messages. This file is rotated weekly, archived for one year, two scripts /opt/nac/logcheck/logcheck.sh and /opt/nac/bin/monitor_allows_count.sh are run before-hand and all FreeNAC daemons restarted afterwards.
So, review the logrotate config file, copy it to /etc, activate and test:
a) syslog-ng (preferred)
mv /etc/logrotate.d/syslog-ng /etc/syslog-ng.$$
cp /opt/nac/contrib/logrotate.d/syslog-ng /etc/logrotate.d/syslog-ng
/usr/sbin/logrotate -d --force /etc/logrotate.conf
b) classical syslog
mv /etc/logrotate.d/syslog /etc/syslog.$$
cp /opt/nac/contrib/logrotate.d/syslog /etc/logrotate.d/syslog
/usr/sbin/logrotate -d --force /etc/logrotate.conf
Add a cron entry to prune syslog, for example on weekday mornings:
# Force Log pruning check each morning
0 6 * * 1-5 /usr/sbin/logrotate /etc/logrotate.conf | logger
Activate the syslog configuration above, and test:
/etc/init.d/syslog restart
echo test_syslog | logger -p local3.info -t daemon
grep test_syslog /var/log/messages
FreeNAC tools send notifications by default to the 'nac' and 'root' users. In /etc/aliases there should be aliases for nac and root that point to a sysadmin.
To deliver email beyond a local user, the mail daemon (postfix, exim, sendmail, etc.) will have to be configured to send emails via your gateways.
On Ubuntu 7.10 for example, we deinstall exim and install postfix (personal preference) and configure it:
apt-get install postfix
dpkg-reconfigure postfix (Internet site with mailhost is probably what you want)
To test email delivery:
echo test | mailx -v -s "test" root
tail /var/log/mail.info
Change the root GECOS field in /etc/passwd to "root MACHINE", this makes email from headers easier to read.
Adjust the root crontab to update the current time from an NTP server
0,30 * * * * /usr/sbin/ntpdate -s A.B.C.D X.Y.Z.Z; /sbin/hwclock --systohc
where A.B.C.D X.Y.Z.Z are NTP servers to synchronize from.
Create the file /etc/mods where you'll store the changes made to your system
touch /etc/mods
chmod 600 /etc/mods
Setup SSH trusts if needed: /root/.ssh/authorized_keys
Server-side programming is in PHP, so the PHP5 CLI (command line interface) module must be installed; see also the Linux installation section.
PHP settings are stored in 'php.ini'; the default that comes with your distribution should be enough (assuming it's recent and up to date).
If installing PHP from source, use the 'php.ini-recommended' file included in the distribution, or the contrib/etc_php5_cli/php.ini of FreeNAC.
Recommended variables set in your /etc/php5/cli/php.ini file are as follows,
Memory
memory_limit = 256M ; Maximum amount of memory a script may consume (128MB)
Error_reporting on productive servers: show all errors, except for notice. Log errors to syslog:
error_reporting = E_ALL & ~E_NOTICE
log_errors = on
display_errors = off
error_log = syslog
On test / development servers where you wish to see all software warnings:
error_reporting = E_ALL | E_STRICT
display_errors = on
error_log = syslog
The FreeNAC software should already have been installed as described in the section Installing the FreeNAC software.
You need to create a freenac username and group. This is handy if you want the configuration file to be accessible by other daemons (e.g. Apache, Radius).
groupadd freenac && useradd freenac -r -g freenac
Master server: Create a config.inc from a template and set the DB connection parameters (this should correspond to the password you set in the MySQL configuration):
cp /opt/nac/etc/config.inc.template /opt/nac/etc/config.inc
vi /opt/nac/etc/config.inc
Slave servers: copy /opt/nac/etc/config.inc from the master
Change the group the config.inc file and the lib directory belong to and its permissions
chgrp freenac /opt/nac/etc/config.inc
chgrp freenac /opt/nac/lib
chmod 640 /opt/nac/etc/config.inc
chmod -R 640 /opt/nac/lib
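Two of the steps on this page are easy to forget on a secondary server that received a copied config.inc: changing the shipped database passwords (the MySQL chapter above asks you to replace PASSWORD1 and PASSWORD2) and restricting the file to mode 640. The shell function below is an added example, not part of FreeNAC, that checks both on a given config.inc. The real layout of config.inc is not shown on this page, so the sample files it creates use hypothetical PHP variable names.

```sh
#!/bin/sh
# Added example (not FreeNAC code): two checks on /opt/nac/etc/config.inc
# after the steps above: (1) the shipped default DB passwords PASSWORD1 and
# PASSWORD2 must be gone, (2) the file mode must be 640 so that only the owner
# and the freenac group can read the credentials.
# Usage: check_config_inc /opt/nac/etc/config.inc

# Defaults named in this guide (permissions.sql / config.inc.template).
DEFAULT_PASSWORDS="PASSWORD1 PASSWORD2"

check_config_inc() {
    f=$1; rc=0
    [ -f "$f" ] || { echo "FAIL: $f does not exist"; return 1; }
    for p in $DEFAULT_PASSWORDS; do
        # look for the default as a quoted PHP string literal, e.g. 'PASSWORD2'
        if grep -q "['\"]$p['\"]" "$f"; then
            echo "FAIL: default password $p is still used in $f"; rc=1
        fi
    done
    mode=$(ls -ld "$f" | cut -c1-10)     # e.g. -rw-r-----
    [ "$mode" = "-rw-r-----" ] ||
        { echo "FAIL: $f has mode $mode, expected -rw-r----- (chmod 640)"; rc=1; }
    return $rc
}

# Constructed samples; the PHP variable names are hypothetical, the real
# config.inc layout is not shown on this page.
write_samples() {
    cat > "$1/config.inc.shipped" <<'EOF'
<?php
$db_user = 'inventwrite';
$db_pass = 'PASSWORD2';
EOF
    cat > "$1/config.inc.hardened" <<'EOF'
<?php
$db_user = 'inventwrite';
$db_pass = 'r3pl4ced-l0cally';
EOF
    chmod 644 "$1/config.inc.shipped"      # world-readable and still on the default password
    chmod 640 "$1/config.inc.hardened"
}

TMP=$(mktemp -d)
write_samples "$TMP"
for f in config.inc.shipped config.inc.hardened; do
    echo "== $f"; check_config_inc "$TMP/$f" && echo "OK"
done
rm -rf "$TMP"
```

The group ownership (freenac) is deliberately not asserted here, since the sample files cannot be chgrp'ed on an arbitrary test machine; add a `ls -ld` field-4 comparison if you run this on the real server.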
For version 2.2 RC2 and earlier: import the config file into the database. To do so:
cd /opt/nac/contrib
./config2db ../etc/config.inc
For v2.2 RC3, v3.0 and later, all settings are in the 'config' table in the database. Only usernames and passwords are in config.inc. The 'config' parameters are set via the Windows GUI (see the Administration -> config tab).
A substantial change in FreeNAC v3.0 is the introduction of an OO (object oriented) policy interface, which provides greater flexibility and encapsulation of individual decisions regarding access to the network.
You need to specify a policy file to use. We provide some sample policy files in the etc directory. In the Technical Guide there are several policy chapters; please read at least the Sample Policies.
A policy file that would be useful to many sites is etc/policy5.php; let's assume you wish to use that. Now create a link from the policy file to the default policy file name 'policy.inc.php':
cd /opt/nac/etc
ln -s policy5.php policy.inc.php
Masters and slaves normally have the same policy.
Create a start-up file and start the service:
cp /opt/nac/contrib/startup_init.d/vmps /etc/init.d/vmps
chmod 750 /etc/init.d/vmps
vi /etc/init.d/vmps [adapt the IP address on the vmpsd start line if you have more than one interface]
And activate it to start automatically according to your distro
chkconfig vmps on [SuSE]
update-rc.d vmps defaults [Ubuntu/Debian based distros]
Start and watch syslog for events:
/etc/init.d/vmps start
ps -ef | grep vmps
tail -f /var/log/messages
If vmpsd does not start, see the troubleshooting section of the Users Guide.
cp /opt/nac/contrib/startup_init.d/postconnect /etc/init.d/postconnect
chmod 750 /etc/init.d/postconnect
And activate it to start automatically according to your distro
chkconfig postconnect on [SuSE]
update-rc.d postconnect defaults [Ubuntu/Debian based distros]
Start and watch syslog for events:
/etc/init.d/postconnect start
tail -f /var/log/messages
cp /opt/nac/contrib/startup_init.d/vmps_lastseen /etc/init.d/vmps_lastseen
chmod 750 /etc/init.d/vmps_lastseen
And activate it to start automatically according to your distro
chkconfig vmps_lastseen on [SuSE]
update-rc.d vmps_lastseen defaults [Ubuntu/Debian based distros]
Watch syslog for events:
tail -f /var/log/messages
If vmpsd does not start, see the troubleshooting section of the Users Guide.
See the Policy testing chapter of the Technical Guide, to explain how to read the syslog messages.
In production environments, monitoring and alerting of the FreeNAC server is recommended. This section discusses several such tools included in FreeNAC. You may choose to use these scripts, do nothing, or do similar monitoring with your own tools.
The monitoring scripts need to be individually tested and enabled in root's cron. In previous chapters other cron scripts were mentioned, for example for monitoring MySQL. This section, addressed to the Linux adept, covers other housekeeping scripts that indicate to the system administrator whether the FreeNAC system is behaving properly, or whether specific switches or ports are having issues.
All of these are focussed on the main server; some, such as process monitoring, may also be used on secondary servers.
Monitoring syslog for unusual events is done by logcheck, which basically does a grep on the logs. See also the syslog configuration chapter.
0 8,12 * * 1-5 /opt/nac/logcheck/logcheck.sh
The following two check that a minimum number of devices are being regularly allowed onto the network (i.e. FreeNAC is actually seeing and VMPS authenticating end-devices), and that a port is not flapping between several vlans.
30 6-22 * * 1-5 /opt/nac/bin/monitor_allows.sh
*/4 * * * * /opt/nac/bin/flap_detect.php
Are there any 'MAC-NOT-RECONFIRMED' from switches or vmps requests with MAC 000000 that might indicate communication problems between switches and the NAC server?
*/10 7-18 * * 1-5 /opt/nac/bin/monitor2.sh
Notify if there are updates to NAC (query FreeNAC.net and report if there is a new version)
0 0 * * 0 /opt/nac/bin/updates.php
monitor_processes just does a grep on the process list and sends an email alert if a process dies. This tool is run regularly from cron.
*/20 7-18 * * 1-5 /opt/nac/bin/monitor_processes.pl proctst vmpsd_external postconnect
In 802.1x mode, check samba & free radius too.
*/20 7-18 * * 1-5 /opt/nac/bin/monitor_processes.pl winbindd smbd nmbd radiusd
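The grep-the-process-list idea behind monitor_processes.pl is small enough to show in full. The function below is an added example, not FreeNAC's script (which is not shown on this page): it reads a process list on stdin, reports the expected daemon names that are absent, and returns non-zero so that a cron line can chain a mail command after it. The process list used for the demonstration is a constructed sample.

```sh
#!/bin/sh
# Added example (not FreeNAC code; monitor_processes.pl itself is not shown on
# this page): report which of the expected daemons are absent from a process
# list. The list is read from stdin so it can be tested against a constructed
# sample; in cron you would feed it "ps -eo comm", e.g.
#   ps -eo comm | missing_processes vmpsd_external postconnect mysqld || mail -s "NAC daemon down" root
# Note: "ps -o comm" on Linux shows at most 15 characters of the command name.

missing_processes() {
    procs=$(cat)
    missing=""
    for name in "$@"; do
        # whole-line match, so "vmpsd" does not satisfy "vmpsd_external"
        printf '%s\n' "$procs" | grep -qx "$name" || missing="$missing $name"
    done
    missing=${missing# }
    if [ -z "$missing" ]; then
        return 0
    fi
    echo "ALERT: not running: $missing"
    return 1
}

# Constructed sample of "ps -eo comm" on a NAC server not running 802.1x.
SAMPLE_PS=$(cat <<'EOF'
COMMAND
init
syslogd
mysqld
vmpsd_external
postconnect
sshd
EOF
)

echo "== VMPS daemons"
printf '%s\n' "$SAMPLE_PS" | missing_processes vmpsd_external postconnect mysqld && echo "all present"
echo "== 802.1x daemons"
printf '%s\n' "$SAMPLE_PS" | missing_processes winbindd smbd nmbd radiusd || echo "(expected: this sample is not an 802.1x server)"
```

Unlike proctst, described next, this only reports; it never restarts anything, so stopping a daemon on purpose for maintenance produces an alert rather than a surprise restart.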
proctst: there is an alternative process monitoring with the proctst daemon. proctst (as opposed to monitor_processes) is a daemon: it does not need cron, and it not only alerts when a process dies but also restarts it.
With proctst there are also unexpected side effects: if you shut down a daemon manually, because you want to do some debugging or similar, proctst immediately restarts it.
E.g. you shut down mysql to do backups or maintenance; in fact mysql was immediately restarted by proctst and you may not realise it is running.
So consider using proctst when there is an actual problem with a daemon dying, or for production servers where everything has to be as automated as possible.
Configuring proctst:
To do: check_disk watches system load and disk space usage.
0 8-18 * * 1-5 /opt/nac/bin/check_disk 90 800