I always wanted to monitor my private network with an open source tool. Since I knew some nice statistics, e.g. from the DE-CIX (printed with RRDtool) or from the Uni-Gießen (generated with MRTG), I had the idea of installing such a system by myself. Luckily I found a book from Steve Shipway, called “Using MRTG with RRDtool and Routers2“, which actually disappointed me because it did not offer a complete installation guide but mainly further information about fine-tuning the appropriate tools.

Therefore, I want to show a complete step-by-step installation of all the needed tools in order to monitor a network with MRTG, RRDtool and Routers2.  “From scratch” means that there are no prerequisite to this installation guide except a plain Linux server (in my case a Ubuntu Linux) such as presented here. Okay, let’s go:

Preparation

In order to use all features that I explain in the next sections, the following tools must be installed on the system. Of course, all these packages can be installed step-by-step, but I think it is easier to install them at once. Here is the list:

sudo apt-get install mrtg mrtg-ping-probe rrdtool librrds-perl snmp snmpd snmp-mibs-downloader apache2 libapache2-mod-perl2 libnet-snmp-perl libgd-gd2-perl

The installation requires round about 60 packages. Attention: The installation process from MRTG asks a single question, whether or not the root user should be the only one who can read the default configuration file from MRTG (/etc/mrtg.cfg). In our scenario, this can be answered with “Yes”, which is also the default option in this question.

Webserver: Apache

We just installed the apache web server. It is already running in the background and can be tested with a browser that accesses the IP address/domain name of the server. If you see the standard “It works!” page you are right. (The following paragraph is only for further investigations on it.)

• You can see whether the apache server is running via

  ps -A | grep apache

  which should show a few apache2 processes. Furthermore, the command

  netstat -l

  should show at least one tcp process that LISTENs on port 80 (http). If you have IPv6 enabled, another tcp6 process also LISTENs on port 80.
• The configuration can be edited with

  sudo nano /etc/apache2/apache2.conf

  (since I am using Ubuntu. Other Linux distributions are using httpd.conf).
• If you get an error message in your logs similar to this: “apache2: Could not reliably determine the server’s fully qualified domain name, using 127.0.1.1 for ServerName”, you can add a line in the apache2.conf file which starts with

  ServerName

  , e.g., “ServerName mrtg.example.com”.
• We also already installed the CGI support. In the following file an alias specifies in which directory the CGI scripts must be stored: 

  cat /etc/apache2/sites-available/default

  . It is under “/usr/lib/cgi-bin/”.

MRTG and RRDtool

There is not much to say about the blank MRTG installation on a Ubuntu server since it already comes with a pre-configured configuration file (/etc/mrtg.cfg) and also an installed cron job which runs MRTG every five minutes. You can verify that there is a cron job installed as you should have a file called “mrtg” in the “/etc/cron.d/” directory. You can display it via

cat /etc/cron.d/mrtg

tail /var/log/syslog

Jun  4 20:40:01 jw-nb10 CRON[9722]: (root) CMD (if [ -x /usr/bin/mrtg ] && [ -r /etc/mrtg.cfg ] && [ -d "$(grep '^[[:space:]]*[^#]*[[:space:]]*WorkDir' /etc/mrtg.cfg | awk '{ print $NF }')" ]; then mkdir -p /var/log/mrtg ; env LANG=C /usr/bin/mrtg /etc/mrtg.cfg 2>&1 | tee -a /var/log/mrtg/mrtg.log ; fi)

Similarly, the MRTG log is under

/var/log/mrtg/mrtg.log

We must create some folders in order to store our configuration and rrd files. I decided to store the configs under the /etc folder while the rrd files under the /var folder:

sudo mkdir /var/mrtg	#for rrd directory
sudo mkdir /etc/mrtg	#for config files

Note that RRDtool itself needs no further configuration since it is always used from Routers2 directly and thus needs no specific configuration.

Routers2.cgi

At first, the routers2.cgi package must be downloaded from here. Extract it, cd into the folder and start the installation:

tar xfv routers2-v2.22.tar.gz
cd routers2-v2.22/
sudo perl install.pl

During the installation, several questions are asked and can be answered as follows. (Note that these are only my suggestions! Answer the questions to your needs. The following text only shows the relevant lines):

Document root? /var/www
CGI directory? /usr/lib/cgi-bin
MRTG config directory? /etc/mrtg
MRTG files [*.cfg]? 
RRD directory [/tmp]? /var/mrtg
Perl executable [/usr/bin/perl]? 
Configuration file [/var/mrtg/routers2.conf]? 
Activate routingtable extensions [no]? 
'usebigk' option [mixed]? no
auth option [none]? 
Caching option [no]? 
Can I mail [no]? 

INSTALLING SOFTWARE

Perl is     : /usr/bin/perl
MRTG files  : /etc/mrtg/*.cfg
RRD files   : /var/mrtg
Doc root    : /var/www
CGI bin     : /usr/lib/cgi-bin
Config file : /var/mrtg/routers2.conf
Routingtable: INACTIVE
Compact page: ENABLED
Caching     : DISABLED
'usebigk'   : no
Auth option : NONE
Mail Steve  : no
Other options can be set later by modifying the Config file
Continue to install [no]? yes

After this installation process, the configuration file for routers2.cgi can be modified with

sudo nano /var/mrtg/routers2.conf

charset = utf-8         #Since otherwise the degree symbol ° isn't displayed correctly
actuals = yes           #Show actual values in a popup
defaulttarget = summary #Show the summary page first
graphstyle = x3         #Show the biggest image by default
graphtype = w           #Show the weekly graph by default
percentile = yes        #Percentile calculation
sorder = l2 l2D x3 x3D  #Offer only the huge images
showtotal = yes         #A total line on the incoming and outgoing graphs
compact = no            #I am not using the compact graphs. Maybe you want to...
daystart = 8            #For displaying a highlighted area for the working day
dayend   = 18           #Ditto
windowtitle = Title     #Here you can customize the title of the webpage
bgcolour = #fffffff     #Otherwise some targets have a purple background
twinmenu = yes          #Since we all have widescreen displays nowadays
showfindbox = no        #I am not monitoring that many devices

Modifying the Default mrtg.cfg

Open the file with

sudo nano /etc/mrtg.cfg

#Directory in which the RRD files will be stored
WorkDir: /var/mrtg
#Tells MRTG to use RRD instead of its own log format
LogFormat: rrdtool
#To have multiple instances of MRTG running to immediately pass through all targets
Forks: 4
#Use the configs in the mrtg subfolder (/etc/mrtg)
Include: mrtg/*.cfg

First Test (Yet Without Any Devices)

With a web browser, access the following page/file:

http://<ip-address>/cgi-bin/routers2.cgi

If so, you are almost done with the base installation of MRTG, RRDtool and Routers2!!! Congratulations!
You can also view the configuration verification of Routers2 when you access the following URL (of course without any targets, too):

http://<ip-address>/cgi-bin/routers2.cgi?page=verify

Forwarding to Routers2.cgi

It is desirable to have a forwarding to the routers2.cgi if only the IP address or domain name of the server is entered. That is, even though only

http://domain.name

/var/www/index.html

<html>

<body>

<head>
<meta http-equiv="refresh" content="0; URL=http://domain.name/cgi-bin/routers2.cgi/">
</head>

From now on, the web page automatically redirects to the routers2.cgi page after a few milliseconds.

Adding Devices/Targets

Since we now have a complete MRTG with RRDtool and Routers2 installation, we can add several devices to monitor, e.g., network routers and switches, firewalls, servers, and/or even other interesting values to monitor, such as ping-times to a remote server, temperature values, firewall statistics, etc. I will explain the adding procedure for various targets into MRTG in later posts. However, here comes a rough overview:

Querying SNMP values

The first step is always to activate SNMP on the appropriate device. I recommend to use different community strings (i.e., passwords) for every single device! After that, the querying of SNMP can be tested from the Linux server with the tools from snmp, e.g., snmpwalk. Here is an example with the first few lines from requesting a Juniper SSG firewall:

weberjoh@jw-vm01:~$ snmpwalk -v 2c -c krmbd5aPfQ 172.16.1.1 .1.3.6
iso.3.6.1.2.1.1.1.0 = STRING: "SSG5-Serial-WLAN version 6.3.0r16.0 (SN: ---, Firewall+VPN)"
iso.3.6.1.2.1.1.2.0 = OID: iso.3.6.1.4.1.3224.1.32
iso.3.6.1.2.1.1.3.0 = Timeticks: (57520000) 6 days, 15:46:40.00
iso.3.6.1.2.1.1.4.0 = STRING: "johannes@webernetz.net"
iso.3.6.1.2.1.1.5.0 = STRING: "fd-wv-fw01"
iso.3.6.1.2.1.1.6.0 = STRING: "Serverraum"
iso.3.6.1.2.1.1.7.0 = INTEGER: 72
iso.3.6.1.2.1.2.1.0 = INTEGER: 24

For gathering information about the MIBs that the device supports, the brilliant MIB Browser from iReasoning can be used. It is free for personal use an can be downloaded here. It uses a GUI, can load several MIBs and is able to request the whole SNMP tree via “Get Subtree”. Really good! Here is a screenshot with the output of the NetscreenVpnMonitor MIB:

With these information, precise SNMP OIDs can be queried with MRTG, etc.

Building the MRTG/Routers2 Configuration

Finally, the *.cfg files for MRTG/Routers2 must be created. The tool cfgmaker which ships directly with MRTG can be used for the basic gathering of interfaces of routers and switches, such as:

cfgmaker --snmp-options=:::::2 --output=filename.cfg qYMJOYSx1F@172.16.1.1

Note that you can use host templates and interface templates with cfgmaker. [Comment by Steve added here:] “These are scripts that add additional Targets either on a per-device or per-interface basis. For example, the correct host template will add Targets to monitor CPU, Memory, disk space, and so on at the same time as creating all the Interface targets. You can download some templates that work with most hosts and devices from http://www.steveshipway.org/cfgmaker.”

Also note that I wrote several posts about adding other devices to MRTG/routers2. Use this category to search for them on my blog.

MRTG on the Raspberry Pi?

Since the RPi is quite popular these days, it would be a good use case to run MRTG and the other programs on it. I tried it (Model B) and my short summary is: Everything runs without problems – but it is really slow. I have monitored a few switches with 24 ports each, and the RPi took a few seconds for every refresh of the summary page. This is because the Routers2.cgi generates all RRD images on the fly which consumes lots of CPU power. That is: I stopped running MRTG on the RPi because it was simply to slow.

Okay, finished for today!

This post shortly explains the process of adding a Cisco router into the monitoring system “MRTG with Routers2″ as I explained it here. It gives an example on how SNMP is activated on the router and how the *.cfg file for MRTG/Routers2 is created with the additional values for CPU and memory usage.

SNMP w/ Access-List

It is really important to not only activate SNMP on the Cisco router, but to use an ACL that allows only a few hosts (or networks) to query it via SNMP. So, the first step is to create the appropriate ACL, such as:

access-list 3 remark All private IPv4 addresses behind inside
access-list 3 permit 10.0.0.0 0.255.255.255
access-list 3 permit 172.16.0.0 0.15.255.255
access-list 3 permit 192.168.0.0 0.0.255.255
access-list 3 deny   any

The SNMP commands then look like the following. The first command sets the community string with a read-only (RO) policy and allows only connections from an IP address that passed access-list 3.

snmp-server community HINefcKmWP RO 3
snmp-server location Serverraum
snmp-server contact Johannes Weber

Basic *.cfg Config File

The first step is to generate the basic *.cfg file that lists all interfaces from the router:

cfgmaker --snmp-options=:::::2 --show-op-down --output=fd-wv-ro01.cfg HINefcKmWP@172.16.0.1

Then, all “Global Config Options” can be deleted. This is because they are already specified in the basic mrtg.cfg file (if it is installed due to my tutorial in the previous post).

An icon that shows the common router symbol in the Routers2 overview can be set with:

routers.cgi*Icon: router3-sm.gif

routers.cgi*GraphStyle[_]: mirror

Finally, it should be verified that the MaxBytes values for all interfaces are correct.

Additional Values to Monitor

(Note that cfgmaker can also use templates with the option 

--host-template=cisco.htp

CPU Usage

The CPU usage can be gathered by MRTG with the following lines. I like the CPU and memory graphs to be “unscaled” in which the y-axis always displays the range from 0..100 % and therefore gives a complete view. Of course, the file description [foobar] must be set correctly as well as the COMMUNITY string and the IP address:

############################################### CPU #################################################
#CPU usage on a 5-min avarage basis, which is the most accurate
#http://www.cisco.com/en/US/tech/tk648/tk362/technologies_tech_note09186a0080094a94.shtml
Target[172.16.0.1_cpu]: 1.3.6.1.4.1.9.9.109.1.1.1.1.8.1&PseudoZero:COMMUNITY@172.16.0.1:::::2
Title[172.16.0.1_cpu]: CPU Usage -- fd-wv-ro01.webernetz.net
MaxBytes[172.16.0.1_cpu]: 100
Options[172.16.0.1_cpu]: gauge
UnScaled[172.16.0.1_cpu]: dwmy
Colours[172.16.0.1_cpu]: LIGHT YELLOW#FEED01, BLUE#0000FF, ORANGE#FF6307, VIOLET#FF00FF
routers.cgi*Mode[172.16.0.1_cpu]: cpu
routers.cgi*GraphStyle[172.16.0.1_cpu]: normal
routers.cgi*ShortDesc[172.16.0.1_cpu]: CPU
routers.cgi*InSummary[172.16.0.1_cpu]: yes

This gives a CPU graph that looks like the following. Note that my CPU usage is not that high, so there is not much color here.

Memory Usage

In the same way as the CPU, the memory usage can be captured by MRTG. It is only mandatory to specify the correct MaxBytes value for the memory:

############################################### Memory #################################################
#CLI on Cisco: show memory statistics
#MaxBytes = value under Processor Total(b)
Target[172.16.0.1_mem]: 1.3.6.1.4.1.9.9.48.1.1.1.5.1&PseudoZero:COMMUNITY@172.16.0.1:::::2
Title[172.16.0.1_mem]: Memory Usage -- fd-wv-ro01.webernetz.net
####Specify the MaxBytes here
MaxBytes[172.16.0.1_mem]: 294647400
Options[172.16.0.1_mem]: gauge
UnScaled[172.16.0.1_mem]: dwmy
Colours[172.16.0.1_mem]: ORANGE#FC7C01, GREEN#00CC00, DARK RED#660000, DARK GREEN#006600
routers.cgi*GraphStyle[172.16.0.1_mem]: normal
routers.cgi*Options[172.16.0.1_mem]: noo
routers.cgi*ShortDesc[172.16.0.1_mem]: Memory
routers.cgi*InSummary[172.16.0.1_mem]: yes

The graph will look like that:

That’s it. Go for it!

The Multi Router Traffic Grapher (MRTG) can, of course, not only monitor routers via SNMP, but any devices that support the Simple Network Management Protocol, e.g., switches. With the tool “cfgmaker” it is quite easy to add switches with many ports to the monitoring system. However, some subsequent work is needed to have a clean configuration. This blog post presents a step-by-step guide for adding a switch into MRTG/Routers2.

(This guide presumes an “MRTG with Routers2″ installation such as presented here on my blog. It will not work on a plain MRTG installation without Routers2.)

Initial Configuration

The first step is to generate the basic *.cfg file with cfgmaker. I am using a few options such as “show-op-down” to show also the interfaces that are currently down or “zero-speed=1000000000″ whichs stores a MaxBytes value of 1 GBit if the switch returns “0” for that particular interface. Furthermore, the global options specify the icon for the switch and a default graph style of “mirror”.

cfgmaker --snmp-options=:::::2 --show-op-down --zero-speed=1000000000 --global "routers.cgi*Icon: switch2-sm.gif" --global "routers.cgi*GraphStyle[_]: mirror" --output=switch.cfg COMMUNITY@10.10.10.250

After that, I always edit the *.cfg file in the following way:

• Delete (or #comment out) all options under the Global Config Options, especially the WorkDir attribute. Of course, the just added global options (GraphStyle, Icon) should not be deleted.
• Adjust all MaxBytes values to the maximum speed of the switch ports because cfgmaker stores the speed of the current port setting. This means, that if a 100 MBit client is connected to a 1 GBit port (and thus this port runs with 100 MBit), cfgmaker stores 100 MBit for its configuration. However, if later on a client with 1 GBit is connected, MRTG will not store these information correctly. Therefore, I always change all MaxBytes settings to the maximum port speed of all switch ports regardless of the currently connected client speed. For a 1 GBit port, it looks like that:

  MaxBytes[10.10.10.250_GigabitEthernet1_0_1]: 125000000

Optional Changes

The following options are nice but not mandatory:

• Unfortunately, the order of the interfaces in Routers2.cgi is not correct if the numbers are counted from a single digit to two digits. That is, the interfaces are displayed in the order like “1, 10-19, 2, 20-29, 3, 30-39, …”. The only way to change this is to specify the ShortName attribute from routers2, such as

  routers.cgi*ShortName[192.168.0.10_g1]: g01

    for all interfaces with a single digit. After that, the order will be correctly displayed as “01, 02, 03, …, 09, 10, 11, …”.
• Delete all “noHC” attributes if the switch is capable of the HC counters. This means, if at least a single port was configured by cfgmaker without the noHC attribute, all other ports also support the long counters. However, in my tests, cfgmaker always stored the noHC attribute for all switch ports that were not connected during the installation process of cfgmaker. But since the most switches support these counters, all lines such as 

  noHC[10.10.10.251_g10]: yes

    can be deleted.
• If you are using “MRTG with Routers2″ such as me (that is: not only MRTG), you do not need all the lines after the “PageTop[foobar_eth0]: …..”. They can be deleted which brings a bit more structure to the *.cfg files since they are much smaller afterwards.

Adding other Variables

Even though it might not be that interesting for switches, I am sometimes adding some other variables, e.g., the CPU, memory, or temperature of the switch. This always requires a detailed investigation of the OIDs and MIBs that the switch is able to process. Once more, the iReasoning MIB browser is a really good tool to search for certain values.

As an exampe, these are the OIDs for a stacked HP (formerly H3C) switch that return the CPU usage, memory usage and temperature:

Target[10.10.10.2_cpu]: 1.3.6.1.4.1.25506.2.6.1.1.1.1.6.112&1.3.6.1.4.1.25506.2.6.1.1.1.1.6.122:COMMUNITY@10.10.10.2:::::2
Target[10.10.10.2_mem]: 1.3.6.1.4.1.25506.2.6.1.1.1.1.8.112&1.3.6.1.4.1.25506.2.6.1.1.1.1.8.122:COMMUNITY@10.10.10.2:::::2
Target[10.10.10.2_temp]: 1.3.6.1.4.1.25506.2.6.1.1.1.1.12.112&1.3.6.1.4.1.25506.2.6.1.1.1.1.12.122:COMMUNITY@10.10.10.2:::::2

Here is a graph from the two temperature values. Though they might be boring at a first glance, they reveal some interesting information. E.g., the peak in the middle of March was a failure in one of the air conditioners in the server room, while the lowering on the end of October was the shutdown of a complete server rack:

MRTG can also evaluate values from external scripts such as the “mrtg-ping-probe” program which returns the round-trip time from the initiated ping command to the specified destination host. With an additional GraphStyle called “range” from Routers2, these ping times can be displayed in the monitoring system. This graph style shows the “min” and “max” RTT in one vertical line instead of two independent lines.

Since there is not much to say about this process, I will only paste my MRTG/Routers2 config for mrtg-ping-probe and will show a few example graphs here.

If not already done, mrtg-ping-probe must be installed on the monitoring system. For Debian/Ubuntu its:

sudo apt-get install mrtg-ping-probe

MRTG/Routers2 Config

Following is my configuration part for the ping probes to a fictitious host of “1.2.3.4”. You need to change the “foobar” description to the hostname of the monitored machine and the “1.2.3.4” to the real IPv4 address:

#Since mrtg-ping-probe outputs integers, the values are multiplied to have milliseconds reported
#i.e., instead of "5" the answer is now "5324" which is interpreted by "Factor[]: 0.001" as 5.324 ms
Target[foobar_ping]: `mrtg-ping-probe -p '1000*max/1000*min' -s 1.2.3.4`
Title[foobar_ping]: Ping Times to 1.2.3.4
#MaxBytes: 10 seconds = 10 * 1000 * 1000 (due to mrtg-ping-probe * 1000 and milliseconds * 1000)
MaxBytes[foobar_ping]: 10000000
Options[foobar_ping]: gauge
Factor[foobar_ping]: 0.001
Colours[foobar_ping]: RED#FF0000, WHATEVER#123456, DARKRED#800000, WHATEVER2#654321
routers.cgi*ShortDesc[foobar_ping]: Ping 1.2.3.4
routers.cgi*Options[foobar_ping]: fixunit nomax nopercentile nototal
routers.cgi*GraphStyle[foobar_ping]: range
routers.cgi*Icon[foobar_ping]: clock-sm.gif

With this configuration I am pinging all my remote routers/firewalls on the untrust (Internet) interface as well as on the trust (through VPN) interface. This immediately gives knowledge about problems due to network congestion, overloaded devices, routing changes, etc.

Sample Screenshots

Here are two graphs from my monitoring system that show the round-trip times to one of my external locations. The first one is the daily graph while the second one is the weekly graph. It is notable that the RTTs are much lower and continuous through the night while peaking several times through the working day. The weekly graph shows some major steps in the RTTs that reveal different routing paths through the Internet.

I was interested in generating graphs within the MRTG/Routers2 monitoring system that display the number of hops for an IP connection through the Internet. In my opinion its interesting to see the different routing run times/hop counts e.g. for remote offices that are connected via dynamic ISP connections such as DSL. Therefore, I wrote a small script that executes a traceroute command which can be called from MRTG.

Traceroute Script

Here comes my script “traceroute2mrtg” which needs the destination host as a parameter:

traceroute2mrtg www.webernetz.net

I have moved this script to “/usr/local/bin” and, of course, made it executable:

sudo chmod u+x traceroute2mrtg

#!/bin/bash
#######################################################################
#Author:           Johannes Weber (johannes@webernetz.net)            #
#Homepage:         http://blog.webernetz.net                          #
#Last Modified:    2014-01-07                                         #
#######################################################################

#Only one parameter for this tool: The destination
dest=$1

#Basic traceroute with:
#-I for using ICMP messages instead of UDP (needs root privileges)
#-n since the DNS lookups are not needed here
#-w 2 for only waiting 2 seconds until response for not slowing down MRTG to much
#Error messages into 2>/dev/null
#Piped into "tail -1" to have only the last line
#Piped to awk to return only the number of hops
hops=`traceroute -I -n -w 2 $dest 2>/dev/null | tail -1 | awk '{print $1}'`

#If the destination is unreachable, traceroute stops after 30 hops.
#In order to have an unreachable host displayed as "0" and not as "30", the value is changed in that case:
if [ $hops == 30 ]
  then hops=0
fi

#Output for MRTG (which basically needs 4 lines)
echo $hops
echo 0
#echo no uptime to report here
#echo traceroute $dest

Note that the reported values are NOT the actual hop count to the destination since the last line in a traceroute reveals the final destination. That is, the real hop count would be the reported value decremented by one. However, I am not changing this value by “-1″ because I do not want to confuse myself when comparing the MRTG graphs with some other traceroute tests.

Here is an example of my script:

weberjoh@jw-vm01:~$ sudo traceroute2mrtg www.webernetz.net
11
0

MRTG/Routers2 Config

Following is my MRTG/Routers2 configuration part for the hop count. It mainly calls my script with the destination host “domain.name”.

Target[foobar_traceroute]: `/usr/local/bin/traceroute2mrtg domain.name`
Title[foobar_traceroute]: Traceroute Hop Counts to domain.name
#MaxBytes: Since the standard traceroute command stops after 30 hops, this value fits for the MaxBytes, too.
MaxBytes[foobar_traceroute]: 30
Options[foobar_traceroute]: gauge
Colours[foobar_traceroute]: BROWN#660000, YELLOW#FFD600, BLACK#000000, ORANGE#FC7C01
YLegend[foobar_traceroute]: Number of Hops
Legend1[foobar_traceroute]: Hops
Legend3[foobar_traceroute]: Peak Hops
LegendI[foobar_traceroute]: Hops:
ShortLegend[foobar_traceroute]:  
routers.cgi*ShortDesc[foobar_traceroute]: Traceroute Hop Count
routers.cgi*Options[foobar_traceroute]: fixunit integer maximum nomax noo nopercentile nototal
routers.cgi*Icon[foobar_traceroute]: graph-sm.gif

Note that I specified the “maximum” option. That is, the weekly, monthly, and yearly graphs will show the maximum hop count for its ranges and NOT the averages with a maximum line above them. This is more useful if certain destinations are down for a longer time and MRTG stores “0”. If the maximum option would not be specified, the average values for a week would be much lower than realistic ones if the destination was not reachable for a few days, for example.

Also note that the average calculations on the graphs (the middle column with text) are NOT realistic if a destination is not reachable for a certain amount of time. It is only meaningful if the destination was reachable all the time. This behaviour cannot be changed here since there is no option to tell MRTG/Routers2 to “not display the Avg values if the values return a zero”.

Sample Graphs

Here are a few examples from my monitoring system. The first one reveals that the hop count to the destination changes incessantly between 15 and 16 hops. Here, the calculated average value of 15 makes sense:

The second one presents the hop count to a dynamic ISP connection which restarts every night. The hop count switches between 13 and 15 hops:

The last one shows the hop counts to one of the domains of the NTP Pool Project, in this case

0.de.pool.ntp.org

This post describes how to add a Linux machine to the MRTG/Routers2 monitoring server. First, the host must be able to process SNMP requests. Then, a *.cfg file for MRTG/Routers2 is created by running the “cfgmaker” tool with a host-template. Since a few values are wrong in the cfgmaker file, I also explain how to correct them. Finally, I am adding the mrtg-ping-probe lines to the configuration.

Installation of SNMP

Two packages are mandatory for SNMP:

snmp

snmpd

sudo apt-get install snmp snmpd

After that, the snmpd configuration must be customized in order to allow incoming SNMP requests. This slightly depends on whether these requests are sent from the localhost (e.g., if the MRTG machine wants to query itself), or from a remote host over the network (which is the normal case). In both cases, the snmpd.conf file must be opened with:

sudo nano /etc/snmp/snmpd.conf

In the snmpd.conf, a paragraph called “AGENT BEHAVIOUR” specifies the listening state of snmpd. In order to allow incoming requests from any machine via IPv4, the following line fits:

agentAddress udp:161

In the paragraph called “ACCESS CONTROL” a line that allows an SNMP COMMUNITY for read-only access can be specified like this two examples:

rocommunity public localhost
rocommunity COMMUNITY 192.168.0.0/16

Now restart the daemon with

sudo /etc/init.d/snmpd restart

snmpwalk -v 2c -c public localhost .1.3.6

Creating the CFG File

I am creating my *.cfg files for Linux servers with the host-generic.htp from Steve Shipways forum here. The main command is the following:

sudo cfgmaker --snmp-options=:::::2 --host-template=host-generic.htp --output=jw-vm01.cfg COMMUNITY@192.168.4.11

This creates the “jw-vm01.cfg” file and customizes the settings. This file must then be copied into the “/etc/mrtg/” folder. MRTG will then query it. However, I advise to change the following lines:

• Delete all lines under the “### Global Config Options” because they are not needed. Especially the “WorkDir:” value is wrong at this position since it is already specified in the global mrtg.cfg configuration file if it is installed due to my tutorial.
• The memory values are wrongly calculated with the host template: They need to be multiplied with 1024. E.g., instead of

  MaxBytes1[192.168.9.6-memory]: 448180

  it must be

  MaxBytes1[192.168.9.6-memory]: 458936320

  .
• The CPU, memory, and the filesystem graphs are not shown from “0 – 100 %” but only from “0 – current max value %”. In my opinion I get more information if the graph always shows up to 100 %. So I added

  Unscaled[localhost-cpu]: dwmy

  to the CPU area,

  Unscaled[localhost-memory]: dwmy

  to the memory area, and

  Unscaled[localhost.disk.xy]: dwmy

  to all disks (replace “xy” by the disk value shown in the other lines).
• I like all interfaces with a graph type of mirror. That is:

  routers.cgi*GraphStyle[interface]: mirror

  for all interfaces.
• Furthermore, I am always adding a ping to the node (which is not much interesting at the localhost in this example here, though). This requires to have the “mrtg-ping-probe” packaged installed. I listed the MRTG/Routers2 config here.
• Finally, I have a recurrent coloring style, i.e., yellow for CPU, pink for processes, turquoise for users, and orange for RAM. So I added the following lines inside the appropriate sections:
  

  Colours[localhost-cpu]: Lightyellow#FEED01, Blue#0000FF, Orange#FF6307, Purple#FF00FF
  Colours[localhost-memory]: Orange#FC7C01, Green#00CC00, Darkred#660000, Darkgreen#006600
  Colours[localhost-lavg]: Lightyellow#FEED01, Blue#0000FF, Orange#FF6307, Purple#FF00FF
  Colours[localhost-users]: Turquois#00CCCC, Darkyellow#CCCC00, Darkturquois#377D77, Orange#E97F02
  Colours[localhost-procs]: Pink#FF00AA, Yellow#FFD600, Darkpurple#7608AA, Orange#FC7C01

  
   

Here is an example of my localhost *.cfg file with all the above mentioned changes:

Graphs

If everything is ok and MRTG stores the values correctly, the graphs should grow every five minutes and look like that:

Natürlich wollte ich auch Statistiken von der FRITZ!Box in meiner MRTG/Routers2-basierten Monitoring Umgebung haben. Glücklicherweise habe ich ein Tool namens upnp2mrtg gefunden, welches exakt das macht, nämlich die Interface-Statistik des WAN Ports der FRITZ!Box über UPnP abzufragen und für MRTG aufzubereiten. Sehr einfach zu benutzen. Hier also eine Anleitung mit einigen zusätzlichen Hinweisen.

UPnP auf der FRITZ!Box zulassen

Der erste Schritt ist die Kontrolle, ob Universal Plug and Play (UPnP) auf der FRITZ!Box erlaubt ist. Man findet die Einstellung unter Heimnetz -> Netzwerk -> Programme. Das Häkchen bei “Statusinformationen über UPnP übertragen (empfohlen)” muss drin sein, während das Häkchen bei “Änderungen der Sicherheitseinstellungen über UPnP gestatten” draußen bleiben sollte:

Eine potentielle Frage kann ich noch mit “ja” beantworten: Die Abfrage über UPnP funktioniert auch aus anderen IP-Bereichen und über einen aufgebauten VPN-Tunnel hinweg. Beides war für mich wichtig, da ich mehrere FRITZ!Boxen von meinem zentralen Monitoring Server aus überwache und somit alle Boxen über die VPN-Tunnel abfrage.

upnp2mrtg

Zunächst muss man sich das Tool hier herunterladen. Auf meinem Ubuntu Server hat es sofort ohne Probleme funktioniert. (Natürlich darf man nicht vergessen, es ausführbar zu machen:

chmod u+x upnp2mrtg

-a <IP-Adresse>

weberjoh@jw-vm01:~$ upnp2mrtg -a 192.168.86.1
692423171
524025935
0 days 18:08:30 h (online)
Fritz!Box

Wie gewohnt habe ich das Tool nach “/usr/local/bin/” verschoben. (Infos zur Verzeichnisstruktur hier.)

Schieße dich selber ab …

… bevor du alles blockierst. Nach ein paar Wochen im Test mit MRTG (Konfig kommt weiter unten) musste ich feststellen, dass das Tool immer wieder den kompletten MRTG Prozess blockiert hat, sobald eine einzelne FRITZ!Box nicht auf die Anfragen geantwortet hat. Sprich: Bei allen Graphen von MRTG waren diese grauen Balken zu sehen. Hier ein Screenshot davon und die Ausgabe von htop auf dem Monitoring-Server welches zeigt, dass cron alle 5 Minuten MRTG neu startet, aber die alten Prozesse noch gar nicht fertig sind:

Deswegen habe ich ein kleines Skript geschrieben, welches das eigentliche upnp2mrtg Skript aufruft und aber nach 3 Sekunden schaut, ob es noch am Laufen ist. Wenn ja, dann wird das upnp2mrtg Skript abgeschossen, damit MRTG alle anderen Geräte zeitnah abfragen und sich dann beenden kann.

Mein “upnp2mrtgwithkill” Skript sieht folgendermaßen aus:

#!/bin/bash

/usr/local/bin/upnp2mrtg -a $1 &
PID=$!
#echo "PID: "$PID

sleep 3

if ps -p $PID > /dev/null
then
#  echo $PID" is still running --> kill"
  kill $PID
fi

Ich habe es auch wieder nach “/usr/local/bin” verschoben und ausführbar gemacht. Als einzigen Parameter braucht es die IP Adresse der abzufragenden FRITZ!Box:

weberjoh@jw-vm01:/usr/local/bin$ upnp2mrtgwithkill 192.168.86.1
4229780344
2069694830
0 days 06:07:05 h (online)
Fritz!Box

Wieder in htop sieht man schön, wie sich die Prozesse gegenseitig aufrufen. Bei einem kill von upnp2mrtg ist außerdem anzumerken, dass ein paar Zombies weiterhin existieren. Diese verschwinden aber auf meinem Ubuntu immer nach ein paar Augenblicken (macht Ubuntu das?). Hier zwei htop Screenshots davon:

MRTG/Routers2 Konfiguration

Jetzt also endlich zur MRTG/Routers2 Konfiguration. Diese sieht relativ einfach aus und erinnert stark an die eines normalen Interfaces welches per SNMP abgefragt wird. Hier wird stattdessen halt mein Skript verwendet:

Target[fdorf_wan]: `/usr/local/bin/upnp2mrtgwithkill 192.168.86.1`
Title[fdorf_wan]: Traffic Analysis for WAN -- fdorf
#Downstream 16 MBit = 2000000
MaxBytes1[fdorf_wan]: 2000000
#Upstream 1 MBit = 125000
MaxBytes2[fdorf_wan]: 125000
#AbsMax set to 100 MBit
AbsMax[fdorf_wan]: 12500000
routers.cgi*Mode[fdorf_wan]: interface
routers.cgi*GraphStyle[fdorf_wan]: mirror
routers.cgi*ShortDesc[fdorf_wan]: WAN

Hier ein Beispiel für einen solchen Graphen. Ab 22:15 Uhr wurde ein Live-Stream übers Internet geschaut – zunächst in normaler Qualitätsstufe. Gegen 23:15 Uhr wurde dann auf HQ umgeschaltet, was die Downloadrate direkt verdoppelt hat:

Cool ist natürlich auch, dass Routers2 nicht nur die durchschnittlichen Down-/Uploadwerte, sondern auch die absoluten Werte für den Traffic anzeigt. Das sieht bei mir beispielsweise so aus (im letzten Monat 29,6 GB Download und 4,21 GB Upload):

Total over last 7 days:                  In:  4.95 Gbytes            Out:  608.94 Mbytes	
95th Percentile for last 7 days:         In:  188.53 kbps (1.18 %)   Out:  38.40 kbps (0.24 %)
Total over rolling last month:           In:  29.63 Gbytes           Out:  4.21 Gbytes	
95th Percentile for rolling last month:  In:  255.73 kbps (1.60 %)   Out:  34.37 kbps (0.21 %)

Meine komplette FRITZ!Box Konfig

Als Template biete ich hier noch meine komplette FRITZ!Box Konfiguration für MRTG/Routers2 an. Sie beinhält neben dem hier erwähnten Skript noch drei weitere Graphen, nämlich den Traceroute Hop Count (siehe hier) sowie die Ping Zeiten (siehe hier) vom externen und dem internen Interface. Dieses Template macht natürlich nur da Sinn, wo auch über einen VPN-Tunnel die FRITZ!Box abgefragt wird. Hat man den Monitoring-Server im eigenen Netz direkt hinter der FRITZ!Box kann man sich das Traceroute Hop Count und die Pings sparen. Summa summarum ist überdies interessant, dass bei keinem der vier Graphen SNMP zum Einsatz kommt, sondern nur externe Skripte.

Man muss lediglich drei Variablen per Suchen-und-Ersetzen anpassen, damit die Konfig fertig ist. Beschrieben ist es am Anfang der Datei.

Hier noch eine Slideshow von den vier Graphen in meinem Montoring-System. Man sieht zum Beispiel, dass der Ping zum outside Interface im Vergleich zum inside Interface stets etwas kürzer ist, da er nicht durch den VPN-Tunnel muss. Interessant sind auch die unterschiedlichen Hop-Counts, die sich immer nach der DSL-Zwangstrennung in der Nacht ergeben:

Das war’s. Viel Spaß damit.

I am always interested in capturing real values via hardware devices in order to generate the appropriate graphs with my monitoring system. Of course, the outside temperature in our city was at the pole position for such a project. Therefore I ordered a few temperature/humidity sensors from PCsensor (via eBay), plugged them via USB on my Raspberry Pi (Raspbian Linux), and queried them via SNMP from my MRTG/Routers2 monitoring server. Here is the whole story:

Hardware

The USB sticks can also be ordered from PCsensor directly. I am using the sensor called “TEMPerHUM” with the USB ID “1130:660c“. (Google is a really good source for finding similar projects using exactly this type of sensor!) It has a built-in temperature and humidity sensor. Here is a photo of the USB stick:

The following messages appeared after plugging the USB device in (

dmesg

Oct 16 10:41:25 jw-nb09 kernel: [1793988.148047] usb 2-1: new low-speed USB device number 2 using ohci_hcd
Oct 16 10:41:26 jw-nb09 kernel: [1793988.946117] input:  PCsensor Temper as /devices/pci0000:00/0000:00:1c.0/usb2/2-1/2-1:1.0/input/input5
Oct 16 10:41:26 jw-nb09 kernel: [1793988.946555] generic-usb 0003:1130:660C.0001: input,hidraw0: USB HID v1.10 Keyboard [ PCsensor Temper] on usb-0000:00:1c.0-1/input0
Oct 16 10:41:26 jw-nb09 kernel: [1793988.977273] input:  PCsensor Temper as /devices/pci0000:00/0000:00:1c.0/usb2/2-1/2-1:1.1/input/input6
Oct 16 10:41:26 jw-nb09 kernel: [1793988.977777] generic-usb 0003:1130:660C.0002: input,hidraw1: USB HID v1.10 Device [ PCsensor Temper] on usb-0000:00:1c.0-1/input1
Oct 16 10:41:26 jw-nb09 kernel: [1793988.977829] usbcore: registered new interface driver usbhid
Oct 16 10:41:26 jw-nb09 kernel: [1793988.977834] usbhid: USB HID core driver

With 

lsusb

Bus 001 Device 005: ID 1130:660c Tenx Technology, Inc. Foot Pedal/Thermometer

Driver etc.

After quite a few tests with different drivers for this sensor I found a working one, called HID-TEMPerHUM. It needs “libusb-dev” as a prerequisite:

sudo apt-get install libusb-dev

After a download of the HID-TEMPerHUM driver (

git clone https://github.com/jeixav/HID-TEMPerHUM

make

sudo chmod u+x temper

sudo mv temper /usr/local/bin/

pi@jw-pi01 ~ $ sudo temper
8.50 67.45

The first value is the temperature while the second one is the humidity.

Two improvements of this procedure are: Change the ownership of the program with 

sudo chown root temper

sudo chmod +s temper

So, the first steps are done. Great.

Script for MRTG

However, I wanted to query the values via SNMP from my MRTG/Routers2 installation. At first this required a small change in the output of the “temper” program. I wrote a small script called “temperMRTG.sh” which calls the original temper program, but displays the two values without a dot on two distinct lines. This is my script:

#!/bin/bash

/usr/local/bin/temper | sed s/[.]//g | tr [:space:] \\n

#echo "Line3"
#echo "Line4"

Make it executable with

chmod u+x temperMRTG.sh

sudo mv temperMRTG.sh /usr/local/bin/

pi@jw-pi01 ~ $ temperMRTG.sh
876
6718

Querying the Sensor via SNMP

(Not exactly true: You are querying the Raspberry Pi on which the USB sensor is plugged in.) The final step is to add the script in the snmpd.conf file to make it accessible via SNMP. (For further information about the SNMP daemon, use my post about adding a Linux host to MRTG.) Open the snmpd.conf file

sudo nano /etc/snmp/snmpd.conf

extend-sh temperature /bin/sh /usr/local/bin/temperMRTG.sh

A restart of the snmpd is required:

sudo /etc/init.d/snmpd restart

MRTG/Routers2 Configuration

Finally, here is my MRTG/Routers2 configuration for this sensor. It queries the two OIDs that I found on the above step with the MIB browser. Note that these OIDs might be different on your system! Also note the “/100″ at the very end of the first line which shifts the comma for the values two times to the left. I am using a graph with two y-axis, one on the left (temperature) and one on the right (humidity). Refer to the sample screenshots at the end of this post for a better understanding.

Target[temperature_fdorf-outside]: 1.3.6.1.4.1.8072.1.3.2.4.1.2.11.116.101.109.112.101.114.97.116.117.114.101.1&1.3.6.1.4.1.8072.1.3.2.4.1.2.11.116.101.109.112.101.114.97.116.117.114.101.2:pA7EHRaKQZfm@192.168.86.5:::::2 /100
MaxBytes[temperature_fdorf-outside]: 100
#Since my USB device sometimes reports humidity values greater 100, I am using the AbsMax value here:
AbsMax[temperature_fdorf-outside]: 120
Title[temperature_fdorf-outside]: Temperature & Humidity -- Fdorf Outside
Options[temperature_fdorf-outside]: gauge
#for only printing the Peak Value on the yearly-graph
WithPeak[temperature_fdorf-outside]: y
Colours[temperature_fdorf-outside]: Red#FF0000, Blue#0000FF, Darkred#800000, Purple#FF00FF
YLegend[temperature_fdorf-outside]: Temperature °C
Legend1[temperature_fdorf-outside]: Temperature
Legend2[temperature_fdorf-outside]: Humidity
Legend3[temperature_fdorf-outside]: Peak Temperature
Legend4[temperature_fdorf-outside]: Peak Humidity
LegendI[temperature_fdorf-outside]: Temperature:
LegendO[temperature_fdorf-outside]: Humidity:
ShortLegend[temperature_fdorf-outside]: °C
routers.cgi*Options[temperature_fdorf-outside]: fixunit nomax nopercentile nototal
#routers.cgi*GraphStyle[temperature_fdorf-outside]: lines
routers.cgi*ShortDesc[temperature_fdorf-outside]: Fdorf Outside
routers.cgi*ShortLegend2[temperature_fdorf-outside]:  %
routers.cgi*YLegend2[temperature_fdorf-outside]: Humidity %
routers.cgi*ScaleShift[temperature_fdorf-outside]: 4
#routers.cgi*UpperLimit[temperature_fdorf-outside]: 30
#This one does not work with negative values:
#routers.cgi*LowerLimit[temperature_fdorf-outside]: -10
#And this one does not exist at all :( The workaround is to use ScaleShift
#routers.cgi*UpperLimit2[temperature_fdorf-outside]: 100

Changing the RRD Files

In order to store negative values (which is not common an a mere MRTG installation since it only reports positive traffic through routers/switches and not negative temperature values), the RRD files of the temperature must be adjusted a bit. The program rrdtune does that. At first, move to the folder in which all RRD files are stored. In my case, this is “/var/mrtg/”. Locate the correct *.rrd file and read out the file with:

rrdtool info temperature_fdorf-outside.rrd

The interesting line looks like that:

ds[ds0].min = 0.0000000000e+00

To have a minimum value of “-100″ stored, the rrd must be changed with root privileges such as:

sudo rrdtool tune temperature_fdorf-outside.rrd --minimum ds0:-100

After that when doing an “info” on more time, the line should look like that:

ds[ds0].min = -1.0000000000e+02

DONE!!!

Sample Screenshots

Since the temperature was not that interesting in Germany during the last few weeks, these graphs look quite boring, i.e., no negative temperatures, or the like. However, here we go:

By the way, this is the sensor on the outside at our balcony:

Though it is not meant to be used outside a building, I have not encountered any problems with this USB sensor. Of course it is placed under a small roof and therefore protected from direct rain and weather, which has the disadvantage that the measured temperature is a little bit different from the real temperature due to the window near to the sensor.

Links

• Similar project using perl: TEMPer Sensor temperature graphing and monitoring with MRTG. It uses this perl driver: HidTEMPer
• Linux Journal using the same perl driver: Hack and / – Temper Temper
• Newer driver for Linux: TEMPered
• (German) Linux Magazin: Perl-Skript misst und bewertet Temperaturen

Eine sehr praktische Variante, möglichst viele Sensoren übers Netzwerk abzufragen ohne dabei viel basteln zu müssen, ist die Ethernetbox von MessPC. Man kann sie zum Beispiel mit mehreren kombinierten Temperatur/Luftfeuchtigkeits-Sensoren bestücken. Die Auswertung erfolgt am besten über ein zentrales Monitoring-System.

Auf der Homepage von MessPC befindet sich zwar eine kleine Dokumentation für die Verwendung von MRTG, allerdings wird dort ein zusätzliches Skript vorgestellt, was dank der Verwendung von SNMP ja gar nicht nötig ist. Deswegen poste ich hier mein Template von einem MessPC mit zwei Kombisensoren für Temperatur/Luftfeuchtigkeit, welches für die Verwendung mit MRTG und Routers2 gemäß meiner Installation geeignet ist. Mit nur drei Suchen-und-Ersetzen Durchläufen hat man das Template angepasst.

Hier das Template. Man beachte das “/10″ am Ende der jeweils ersten Zeile. Da die Werte per SNMP ein gedachtes Komma vor der letzten Zahl haben, muss die Temperatur/Luftfeuchtigkeit entsprechend umgerechnet werden:

routers.cgi*ShortDesc: Temperature

Target[temperature_BEZEICHNUNG-1]: 1.3.6.1.4.1.14848.2.1.2.1.5.1&1.3.6.1.4.1.14848.2.1.2.1.5.5:SNMPCOMMUNITY@IPADDRESS /10
MaxBytes[temperature_BEZEICHNUNG-1]: 100
Title[temperature_BEZEICHNUNG-1]: Temperature & Humidity -- BEZEICHNUNG-1
Options[temperature_BEZEICHNUNG-1]: gauge
#for only printing the Peak Value on the yearly-graph
WithPeak[temperature_BEZEICHNUNG-1]: y
Colours[temperature_BEZEICHNUNG-1]: Red#FF0000, Blue#0000FF, Darkred#800000, Purple#FF00FF
YLegend[temperature_BEZEICHNUNG-1]: Temperature °C
Legend1[temperature_BEZEICHNUNG-1]: Temperature
Legend2[temperature_BEZEICHNUNG-1]: Humidity
Legend3[temperature_BEZEICHNUNG-1]: Peak Temperature
Legend4[temperature_BEZEICHNUNG-1]: Peak Humidity
LegendI[temperature_BEZEICHNUNG-1]: Temperature:
LegendO[temperature_BEZEICHNUNG-1]: Humidity:
ShortLegend[temperature_BEZEICHNUNG-1]: °C
routers.cgi*Options[temperature_BEZEICHNUNG-1]: fixunit nomax nopercentile nototal
#routers.cgi*GraphStyle[temperature_BEZEICHNUNG-1]: lines
routers.cgi*ShortDesc[temperature_BEZEICHNUNG-1]: BEZEICHNUNG-1
routers.cgi*ShortLegend2[temperature_BEZEICHNUNG-1]:  %
routers.cgi*YLegend2[temperature_BEZEICHNUNG-1]: Humidity %
routers.cgi*ScaleShift[temperature_BEZEICHNUNG-1]: 4
routers.cgi*Graph[temperature_BEZEICHNUNG-1]: temperature_BEZEICHNUNG

Target[temperature_BEZEICHNUNG-2]: 1.3.6.1.4.1.14848.2.1.2.1.5.2&1.3.6.1.4.1.14848.2.1.2.1.5.6:SNMPCOMMUNITY@IPADDRESS /10
MaxBytes[temperature_BEZEICHNUNG-2]: 100
Title[temperature_BEZEICHNUNG-2]: Temperature & Humidity -- BEZEICHNUNG-2
Options[temperature_BEZEICHNUNG-2]: gauge
#for only printing the Peak Value on the yearly-graph
WithPeak[temperature_BEZEICHNUNG-2]: y
Colours[temperature_BEZEICHNUNG-2]: Red#FF0000, Blue#0000FF, Darkred#800000, Purple#FF00FF
YLegend[temperature_BEZEICHNUNG-2]: Temperature °C
Legend1[temperature_BEZEICHNUNG-2]: Temperature
Legend2[temperature_BEZEICHNUNG-2]: Humidity
Legend3[temperature_BEZEICHNUNG-2]: Peak Temperature
Legend4[temperature_BEZEICHNUNG-2]: Peak Humidity
LegendI[temperature_BEZEICHNUNG-2]: Temperature:
LegendO[temperature_BEZEICHNUNG-2]: Humidity:
ShortLegend[temperature_BEZEICHNUNG-2]: °C
routers.cgi*Options[temperature_BEZEICHNUNG-2]: fixunit nomax nopercentile nototal
#routers.cgi*GraphStyle[temperature_BEZEICHNUNG-2]: lines
routers.cgi*ShortDesc[temperature_BEZEICHNUNG-2]: BEZEICHNUNG-2
routers.cgi*ShortLegend2[temperature_BEZEICHNUNG-2]:  %
routers.cgi*YLegend2[temperature_BEZEICHNUNG-2]: Humidity %
routers.cgi*ScaleShift[temperature_BEZEICHNUNG-2]: 4
routers.cgi*Graph[temperature_BEZEICHNUNG-2]: temperature_BEZEICHNUNG

routers.cgi*Title[temperature_BEZEICHNUNG]: Temperature & Humidity -- Summary BEZEICHNUNG
routers.cgi*ShortDesc[temperature_BEZEICHNUNG]: Summary BEZEICHNUNG
routers.cgi*Options[temperature_BEZEICHNUNG]: nototal

Es müssen folgende drei Variablen ersetzt werden:

• SNMPCOMMUNITY gibt das Read-Passwort an
• IPADDRESS die IPv4 Adresse vom MessPC
• BEZEICHNUNG eine eindeutige (!) Bezeichnung für den MessPC. Für die Verwendung in verschiedenen Stockwerken beispielsweise “UG”, “EG”, “1.OG”, etc.

Hier noch ein Beispielgraph in der monatlichen Ansicht. Vor einiger Zeit wurde der Sensor an einen anderen Ort gebaut, wodurch die deutlich zu sehende Veränderung in den Werten entstand. In den Wochen davor sieht man aber schön die täglich ansteigende Zimmertemperatur während den Arbeitszeiten.

Und hier noch der Summary Graph von zwei Sensoren, der ebenfalls im obigen Template vorgesehen ist:

Endlich ist es soweit: Ich lese den Stromverbrauch von unserer Wohnung mit einem Raspberry Pi aus und lasse mir von meinem Monitoring Server (MRTG + Routers2) schöne Graphen malen. Hierfür verwende ich einen Stromzähler mit einer S0-Schnittstelle, welchen ich direkt in der Unterverteilung eingebaut habe. Die Impulse des “Smart Meters” wertet eine Interruptroutine am Pi aus. Der Monitoring Server wiederum fragt den Pi per SNMP ab. Viele kleine Schritte also, die ich in diesem Blogpost ausführlich erläutern möchte. Viel Spaß damit!

Die Idee

Folgenden “Pfad” nehmen die Stromdaten vom Zähler bis zum Monitoring System:

1. Der Stromzähler (3 Phasen) erzeugt 800 Impulse pro kWh und gibt diese an einer S0-Schnittstelle aus. Sprich: Ein Optokoppler, der bei jedem Impuls kurzschließt.
2. Mit zwei Adern geht’s dann zum Raspberry Pi, welcher einfach nur eine Textdatei mit einem Counter bei jedem Impuls um eins hoch setzt. (Der Interrupt löst ein kleines Programm aus, welches die Datei beschreibt.)
3. Der bereits vorhandene Monitoring Server fragt schlussendlich den Pi per SNMP ab, sprich: es wird ein zusätzlich Skript gestartet, welches einfach den Inhalt der Textdatei ausgibt und in einer OID per SNMP transportiert.

Die Hardware

Hier ein paar Bilder von der Hardware. Ich habe einen Drehstromzähler von Eltako gekauft, genaue Bezeichnung: DSZ12E-3x80A. Kostenpunkt: ca. 90,- €. Dieser Stromzähler ist NACH dem geeichten und offiziellen Stromzähler der Stadtwerke im Keller eingebaut. Somit gibt es keine Probleme mit der Stromabrechnung. Mit einer Standard Telefon-Doppelader (oben rechts im Bild, gelb und weiß aus dem Sicherungskasten) geht die S0-Schnittstelle dann an den Raspberry Pi.

Die Software

Eine erste Googelei hatte mich auf ein Projekt von volkszaehler mit dem Artikel S0-Impuls Zähler direkt über RS232 auswerten gebracht. Dabei bin ich der Anleitung in dem grünen Kasten, der speziell für den Raspberry Pi gedacht ist, gefolgt. Also den GPIO Port auf die Alternative Funktion 3 umbiegen und dann die 

stty

strace

S0-Auswertung am Pi

Erfreulicherweise bin ich dann über den Artikel S0-Stromzähler am RaspberryPi gestoßen, welcher exakt das beschreibt, was ich vor hatte. Und das hat sogar ziemlich einfach funktioniert. Juchu! Also:

1. S0+ und S0- an die richtigen Ports anschließen (gar nicht so einfach, da die Benennung der GPIO-Ports variiert und ungleich der Zählung der Anschlüsse auf dem Pi ist, sowie die Zählung der Ports für Wiring Pi noch mals verschieden ist). Bei mir ist es folgendermaßen: Stromzähler Pin 20 = S0+ (weißes Kabel) = GPIO 3 -> Pin 5, sowie: Stromzähler Pin 21 = S0- (gelbes Kabel) = GND -> Pin 6. Uff.
2. Wiring Pi per git clonen.
3. Die ISR.c Datei mit dem richtigen #define kompilieren. (Bei mir ist es

   #define BUTTON_PIN 9

   ). Achtung: Nicht die isr.c Datei in dem Unterordner “examples” von Wiring Pi verwenden, sondern die, die hinter dem Link steckt.

Um aber den Zählerstand korrekt in eine Datei zu schreiben, muss die C Datei noch etwas angepasst werden (Link: Datei schreiben): Im main Bereich noch eine Variable deklarieren:

FILE *datei;

//    printf (" Done. counter: %5d\n", globalCounter) ;
    datei = fopen ("/var/strom/stromcounter", "w");
    fprintf (datei, "%d\n", globalCounter);
    fclose (datei);

Ich habe dann noch einen Ordner für die Logdatei erstellt:

sudo mkdir /var/strom

gcc -lwiringPi -o stromzaehler stromzaehler.c

sudo mv stromzaehler /usr/local/bin/

sudo stromzaehler

Nun muss das Programm noch per Autostart beim Booten vom Pi ausgeführt werden (Link: Dienste). Dabei habe ich mich an diese Anleitung gehalten. Folgende Datei habe ich als “/etc/init.d/stromzahler” angelegt (

sudo nano /etc/init.d/stromzaehler

#! /bin/sh
### BEGIN INIT INFO
# Provides:          Stromzaehler starten: S0-Schnittstelle per ISR auswerten und Textdatei schreiben
# Required-Start:
# Required-Stop:
# Default-Start:     2 3 4 5
# Default-Stop:      0 1 6
# Short-Description: Kurze Beschreibung
# Description:       Längere Bechreibung
### END INIT INFO
# Author: Johannes Weber (johannes@webernetz.net)

# Aktionen
case "$1" in
    start)
        /usr/local/bin/stromzaehler &
#        /opt/beispiel start
        ;;
    stop)
        killall stromzaehler
#        /opt/beispiel stop
        ;;
    restart)
        killall stromzaehler
        /usr/local/bin/stromzaehler &
#        /opt/beispiel restart
        ;;
esac

exit 0

Und dann (wie in dem Link beschrieben) erst die Rechte auf die Datei korrekt vergeben, damit sie ausführbar ist:

sudo chmod 755 stromzaehler

sudo update-rc.d stromzaehler defaults

Mit den folgenden Befehlen kann man nun den Service stoppen, starten, oder restarten (wobei das gar nicht nötig ist, da er ja beim Booten automatisch startet und immerzu laufen soll) [Außerdem stelle ich gerade fest, dass der "restart" gar nicht richtig funktioniert. Der Dienst wird zwar abgeschossen, aber nicht wieder gestartet. Hm. Egal, ich will ja nur, dass es beim Booten automatisch läuft]:

sudo service stromzaehler stop
sudo service stromzaehler start
sudo service stromzaehler restart

Den aktuellen Stromzählerwert (Erinnerung: 800 Impulse/kWh) bekommt man so:

cat /var/strom/stromcounter

LÄUFT! Juchu.

(Wen es übrigens noch genauer interessiert: Ich finde den Unterschied der beiden von mir verlinkten Programme interessant: Während das erstere einfach Spannung an die S0-Schnittstelle anlegt und dann auf der anderen Leitung misst, wann Spannung ankam, verwendet das zweite Projekt einen Interrupt per Pull-Down. Sprich: Es liegt konstant Spannung an, und per S0-Schnittstelle wird diese Spannung auf 0 gezogen. Während bei erstem also der zweite Pin eine Spannung wahrnimmt, registriert der Pi bei zweiterem den Spannungsverlust am ersten Pin.)

Auslesen via SNMP

Um auf den Inhalt der Textdatei via SNMP zuzugreifen muss lediglich ein extended Skript in der snmpd.conf eingebunden werden. Dies hatte ich bei meinem Temperatursensor genau so schon mal gemacht. Also bitte dort für weitere Details nachlesen. Hier nur kurz die Anleitung:

Konfigurationsdatei auf dem Pi öffnen:

sudo nano /etc/snmp/snmpd.conf

extend-sh stromcounter cat /var/strom/stromcounter

Danach den snmpd service neustarten:

sudo service snmpd restart

Einbinden in MRTG

Hier die Konfigurationszeilen für MRTG und Routers2.cgi. Als Farbe habe ich mich für ein sattes Schwarz entschieden. Dies hatte ich noch nirgends anders verwendet und irgendwie passt es auch zur Erzeugung des Stroms durch Kohle.

routers.cgi*Icon: house-sm.gif
routers.cgi*ShortDesc: Stromverbrauch

#OID per snmpwalk herausgefunden
Target[strom-fdorf]: 1.3.6.1.4.1.8072.1.3.2.4.1.2.12.115.116.114.111.109.99.111.117.110.116.101.114.1&PseudoZero:d83lykUUdiqhdz@192.168.86.5:::::2
#800 Impulse pro kWh -> MaxBytes (pro Sekunde) auf 5 gesetzt = 3600*5/800 entspricht 22,5 kW (das sollte reichen ;))
MaxBytes[strom-fdorf]: 5
Title[strom-fdorf]: Stromverbrauch Friedrichsdorf
#Gespeichert wird in Raw, also 800 Impulse pro kWh. Anzeige aber in Wh, daher mal 1.25. Somit entspricht einem faktorisiertem Impuls genau 1 Wh.
Factor[strom-fdorf]: 1.25
#Ausgabe aber immer in Leistung pro Stunde (und nicht pro Sekunde)
Options[strom-fdorf]: perhour
Colours[strom-fdorf]: BLACK#000000, YELLOW#FFD600, RED#FF0000, ORANGE#FC7C01
YLegend[strom-fdorf]: Watt
Legend1[strom-fdorf]: Leistung
Legend3[strom-fdorf]: Peak Leistung
LegendI[strom-fdorf]: Leistung:
ShortLegend[strom-fdorf]: W
routers.cgi*Options[strom-fdorf]: nomax noo
routers.cgi*TotalLegend[strom-fdorf]: Wh
routers.cgi*ShortDesc[strom-fdorf]: Fdorf
#Kommentar unter jedem Graph, weil ich mir das sonst nicht merken kann:
routers.cgi*Comment[strom-fdorf]: 1x Peak Waschmaschine, 2x Peak Spülmaschine

An dieser Stelle sei noch erwähnt, dass MRTG lediglich alle 5 Minuten per SNMP den Zählerstand vom Pi holt. Sprich: Es wird immer nur der Durchschnittswert der letzten 5 Minuten gespeichert. Ein ernsthafter Peak im Stromverbrauch von beispielsweise 5 kW über eine Minute würde doch nur als 1 kW über 5 Minuten angezeigt werden. Aber gut, damit kann ich leben.

Das Ergebnis

Hier drei Beispielgraphen von meinem Monitoring Server. Die ersten beiden in der “Daily” Ansicht und mit ein paar Infos zu den verwendeten Stromverbrauchern. Der letzte dann in der “Monthly” Ansicht mit der roten Kennlinie für die Peaks und dem schwarzen Block weiterhin für den Durchschnitt. Man sieht schön, in welcher Woche wir im Urlaub waren und an welchen Tagen weder Spül- noch Waschmaschine liefen, da kein Peak über 1 kW geht. (Leider sieht man auch, an welchen Tagen ich den Pi aus Versehen nicht am Laufen hatte. Pech.)

Die Zukunft

Tja, also konsequent wäre es jetzt noch, die Wasserzähler auch gegen solche mit S0-Schnittstelle auszutauschen. Leider ist das alles andere als einfach. Entweder müsste man einen geeichten/offiziellen Zähler einbauen lassen (was teuer wäre), oder man müsste einen zusätzlichen Wasserzähler mit S0 einbauen (was ich nicht selber kann). Außerdem haben wir in unserer Mietwohnung insgesamt vier Wasserzähler (2x kalt, 2x warm, jeweils in Küche und Bad). Also wird das wohl nichts. Oder zumindest erst im Eigenheim. Aber das kann auch noch dauern. Dann aber auch bitte mit Temperatursensoren am Vor- und Rücklauf, usw.

I constructed a MRTG/Routers2 configuration template for the Cisco ASA firewall which consists the OIDs (graphs) for the interfaces, CPU, memory, VPNs, connections, ping times, and traceroute hop counts. With only four search-and-replace changes as well as a few further specifications, the whole SNMP monitoring for that firewall is configured.

With this template, the following graphs are shown:

• Interfaces
• CPU & Memory
• Connections
• VPN Sessions (RA & S2S total count)
• VPN Remote Access Sessions (IPsec, AnyConnect, WebVPN)
• Ping Outside IP (mrtg-ping-probe script covered here)
• Ping Inside IP through VPN-Tunnel (if available)
• Hop Count to Outside IP (with my script from here)
• Short Summary (only: CPU, connections, VPN, outside interface, ping outside)

Download the Template

This is the *.cfg template file. Follow the first comment lines in the file to replace the correct values inside the template.

MRTG-Routers2 Template Cisco ASA 18.33 KB

Download cfg

Sample Graphs

Here is a gallery with all the graphs from that template (all in the “weekly” view):

And here a few graphs with the values over two years to see the trends:

Here is my MRTG/Routers2 configuration for a Palo Alto Networks PA-200 firewall. It uses all available OIDs from the PAN-MIB. With a few search-and-replace runs, this template can be used in many other scenarios.

SNMP Tests

In my testbed, I am using a PA-200 with PAN-OS 6.1.1. That is, I used the Enterprise SNMP MIB 6.1 from Palo Alto. This is relevant to know since Palo Alto changed a few OIDs from PAN-OS version 5.0.x to 6.0.x.

Note that the following template must be adjusted if it is used with other Palo Alto firewalls, e.g., when more than CPU or multiple VSYS are used.

Unfortunately, the PA firewall is very limited when it comes to monitoring it via SNMP. Is has only a single MIB with a few values. Furthermore, the interfaces cannot be monitored as known from other firewall vendors. For example, there are no counters for subinterfaces or for VLAN interfaces. This is really bad! Furthermore, no site-to-site VPN statistics can be read out, and so on. However, at least the speed of the fan can be requested.

The following values are accessible via SNMP:

• CPU of the data- and management-plane
• Disk space of all partitions
• Fan speed
• GlobalProtect tunnels
• Sessions: ICMP, SSL, TCP, UDP
• Temperature
• Memory: real and swap
• Interfaces: all data ports + management port

My MRTG/Routers2 Configuration

At first, I ran the cfgmaker to get the interfaces. I am also using two global options: one for the icon and one for the “mirror” graph style:

cfgmaker --snmp-options=:::::2 --show-op-down --zero-speed=1000000000 --global "routers.cgi*Icon: firewall3-sm.gif" --global "routers.cgi*GraphStyle[_]: mirror" --output=NAMEOFTHEFIREWALL.cfg COMMUNITY@192.168.120.2

Then, as always, I deleted the Global Config Options except the two ones that were added through the global options with cfgmaker. Furthermore, the “noHC[…]: yes” lines (if present) can be deleted.

For all specific Palo Alto OIDs, use the following template and copy the contents into the just generated cfg file. Of course, the targets for the interfaces should not be copied. Read the first lines of that file to know which values must be adjusted.

MRTG-Routers2 Template Palo Alto 17.50 KB

Download cfg

Sample Graphs

This leads to the following graphs (here in the monthly view):

Links

• Palo Alto: Enterprise SNMP MIB 6.1
• Palo Alto: Enterprise SNMP MIB 6.0
• Palo Alto: Enterprise SNMP MIB 5.0
• Palo Alto: Useful SNMP OIDs for Monitoring Palo Alto Networks Devices
• Palo Alto: What MIBs supported on the PAN?

I am monitoring an (old) SA-2000 cluster of Juniper Secure Access devices with my MRTG/Routers2 system. With the JUNIPER-IVE-MIB I built the configuration file for that monitoring system. In this blog post, I show the graphs generated with MRTG/Routers2 and publish my cfg file as a template.

SNMP OIDs

The following values will be shown in the graphs, every time for both hardware devices:

• CPU Usage
• Concurrent Users
• Hits: Applet, Term, File, Web, Meeting, SAM, NC
• Log & Disk
• Memory
• Interfaces: external and internal
• Additional Graphs: interfaces summary, total hits

Graphs

This leads to the following graphs:

MRTG/Routers2 Configuration

This is the cfg file. Read the first line to know which template objects must be search-and-replaced.

MRTG-Routers2 Template Juniper Secure Access 20.38 KB

Download cfg

Finally, this is how I am monitoring my Juniper ScreenOS SSG firewalls with MRTG/Routers2. Beside the interfaces (that can be built with cfgmaker) I am using my template in order to monitor the CPU & memory, count of sessions & VPNs, count of different kind of attacks, etc.

SNMP MIBs

The ScreenOS MIBs can be downloaded here. There are really many OIDs to query on the ScreenOS device (compared to some other firewall vendors…). However, some statistics are not available, such as subinterfaces.

Site-to-Site VPNs can be monitored with the NetscreenVpnMon MIB while the “tunnel interfaces” itself do not provide any counters.

Finally, in my template all hit counts of the zone screening from the untrust zone are monitored. Though a bit unclear, at least the summary graph with all attack vectors at a glance gives a hint whether the firewall is under attack or not.

MRTG/Routers2 Configuration

The first step is to build the *.cfg file with cfgmaker in order to capture all interfaces. A command such as the following can be used:

sudo cfgmaker --snmp-options=:::::2 --show-op-down --zero-speed=100000000 --global "routers.cgi*Icon: firewall3-sm.gif" --global "routers.cgi*GraphStyle[_]: mirror" --output=NAMEOFTHEFIREWALL.cfg COMMUNITY@IPADDRESS

As always, some sections of the output file can be removed, e.g., all “noHC[…]: yes” lines, and all “PageTops” with html code. The global options at the beginning of the file can be deleted, too, except the two options that were generated with the cfgmaker command above. Furthermore, all tunnel interfaces can be deleted since the SSG does not provide any counters there. For monitoring site-to-site VPN tunnels, my template below offers some OIDs.

This is my complete cfg file for MRTG/Routers2. There are several things to change before it can be used somewhere. The first lines of the template give some hints. (Of course, all the lines with the interfaces must be deleted, since they are already created with the cfgmaker tool.)

MRTG-Routers2 Template Juniper SSG 26.32 KB

Download cfg

Sample Graphs

In summary, this is how my graphs look like:

A few weeks ago I constructed an MRTG/Routers2 template for the Fortinet FortiGate firewalls. I am using it for monitoring the FortiGate from my MRTG/Routers2 server. With the basic MRTG tool “cfgmaker” all graphs for the interfaces are generated automatically. My template is an add-on that appends graphs for CPU, memory, and disk usage, as well as connections and VPN statistics. Furthermore, it implements the ping statistics graph and a “short summary”, which only shows the system relevant graphs.

Similar to all my other MRTG/Routers2 templates I constructed the configuration lines after investigating the MIBs from Fortinet via the MIB Browser. The MIBs can be downloaded directly from the FortiGate GUI under System -> Config -> SNMP. Great.

Note that this template is built upon a single vdom environment. I was running a FortiWiFi 90D with FortiOS v5.2.4, build688. Depending on the number of vdoms or processors, some of the OIDs in the template must be adjusted, e.g. the CPU usage or the VPN statistics.

cfgmaker Configuration

The first step is the generation of the basic *.cfg file for MRTG/Routers2. It adds all currently known interfaces from the FortiGate with their names. (Even the “zone” interfaces as well as the VPN IPsec tunnel interfaces, which is great!) Note that I am using a few more options such as the “show-op-down” or other global options. Please use Google if you don’t know their meaning.

sudo cfgmaker --snmp-options=:::::2 --show-op-down --zero-speed=100000000 --global "routers.cgi*Icon: firewall3-sm.gif" --global "routers.cgi*GraphStyle[_]: mirror" --output=NAMEOFTHEFIREWALL.cfg COMMUNITY@IPADDRESS

You can delete all global options (expect the ones just created with the cfgmaker command) within the cfg file because they are not needed if running Routers2.

Template

The following template adds the OIDs/graphs for the usage of the CPU, memory, and disk. It also shows the connections (All and IPv6) as well as the VPN stats. (Note that the MIB allows for even more stats such as byte counts for each policy or counts for AV/IPS/whatever features. However, I have not implemented them here.) I am using the same coloring style as in all my other MRTG/Routers2 templates.

You can download my *.cfg template and follow the first comments inside the file which give hints about what to change (search and replace) in order to make the configuration usable for your environment:

MRTG-Routers2 Template Fortinet FortiGate 8.45 KB

Download cfg

Sample Graphs

After all, these graphs are generated:

Especially, I am loving the connections graphs, which show the count for all (=IPv4 and IPv6) and IPv6-only connections. Great for a comparison of both protocols.