Cisco Access Lists graphing


Post by mongoose »

Hi guys,

I am trying to graph a Cisco Access List with an expect script. I am only logging http hits on the access-list and I do get an output from my script:

CMD: expect /home/andre/test_expect.sh, output: 1777069

but it's not putting data on my graph? (please see attached .gif)

Any help would be appreciated.

Thanks
Attachment: cisco_access_list.gif

Post by africanw »

Post your script and graph/data templates and I will look.

Post by rony »

Post the output of your script.
Tony Roman
Experience is what causes a person to make new mistakes instead of old ones.
There are only 3 ways to complete a project: Good, Fast or Cheap, pick two.
With age comes wisdom, what you choose to do with it determines whether or not you are wise.

Post by mongoose »

Okay, here is my script output. What it does: it just logs into the router, gets the hit count on an access-list and gives the output:

-sh-2.05b# expect /home/andre/test_expect.sh
1805134

My Data and Graph templates are attached !

Thanks guys !
Attachments: cacti_graph_template_cisco_access_lists.xml (Graph Template), cacti_data_template_cisco_access_lists.xml (Data Template)

Post by africanw »

Hi,

Any chance you can post the script and I will have a play?

Post by rony »

Alter your upper limit on the graph template, 100 isn't high enough.

Also, consider changing the internal DS name to something other than www_hits?

Also, put the full path to expect in your Data Input Method.

Those are the only things that I can see wrong at this time.

Post by mongoose »

rony wrote: Alter your upper limit on the graph template, 100 isn't high enough.

Also, consider changing the internal DS name to something other than www_hits?

Also, put the full path to expect in your Data Input Method.

Those are the only things that I can see wrong at this time.

Thanks, I have changed my upper limit.

I have changed hits_www to just wwwhits

...and I have the full path in my Data Input Method :

expect /home/andre/test_expect.sh

Thanks man ... I think it was the upper limit thing, as it started working while I was busy typing this msg ...

Thanks again !

Post by africanw »

Hi,

Any chance you are willing to share that script? The idea sounded interesting.

Thanks

AW

Post by rony »

You might have to remove the rrd file associated with that datasource so the changes you made to the DS names will apply and work correctly.

Post by mongoose »

africanw wrote:Hi,

Any chance you are willing to share that script. The idea sounded interesting.

Thanks

AW
No problems ... will post it tomorrow. However, I have one problem with the script: the hit count will just go up and up, so the graph will just get bigger and bigger ... is there a way to reset it every month?

Post by africanw »

Well, you can just reset the counters on a Cisco router. Set up a script that telnets in once a month and resets them.

Post by mongoose »

africanw wrote: Well, you can just reset the counters on a Cisco router. Set up a script that telnets in once a month and resets them.

Doh :oops: why didn't I think of it :)

Post by mongoose »

Okay, please find attached the data and graph template for the Cisco access-list graphing, and also the script (remember it's an expect script, not Perl) below that gets the hit counts from the Cisco.

The picture shows the Data Input Method.

Script Starts:

#!/usr/bin/expect
#----------Start Here--------------

# This script could be set to have parameters for the box to connect
# to, login/enable passwords, access list to look at, which access list
# lines to look for, etc. However since all of this information is tied
# together and therefore everything would have to be a parameter if any one
# item was, and since we are using this for a single box & access list,
# we're just hard-coding the info in the script.
#
# Items that would have to be changed to use this script for another box/
# access list/access list lines:
# - destination router
# - CLI prompt
# - CLI enable mode prompt
# - login password
# - enable password
# - access list name or number
# - access list lines to search for

# Options to add:
# - multiple pattern matches when looking for access list lines, with
#   second pattern the CLI prompt and the corresponding body exits script;
#   because if you find the CLI prompt before finding the access list line,
#   then the access list is not built the way that we are expecting
# - timeout on *all* expect commands so as to not enter infinite wait; set
#   for 30 secs per command
# - 'abort' procedure
# - change 'getting data for access line' to a procedure with parameter
#   of 'access line text'

# Greg Scheidel, 2/15/2000

# Added by Andre Els, 2005/04/24

#
# USAGE   : ./getacl.sh <router ip address> <access-list number>
#
# EXAMPLE : ./getacl.sh 10.10.10.10 101

#------------------------------------------------------------
# Procedure to call when prematurely aborting. May need to use
# to output null/0 values.

proc abortproc "" {
    # debugging only
    #send_tty "ok, works"

    exit
}

#------------------------------------------------------------
# Procedure to search for a specific access list line in the displayed
# access list, and return the value of the counter associated
# with that line.

proc getcounter AccessLine {
    # debugging only
    # send_tty "*$AccessLine*\n"

    #------------------------------------------------------------
    # set R/W variables used during the proc

    # temp variable used to pull information from access list lines
    # before parsing and dumping to output
    set tempvar "0"

    #------------------------------------------------------------
    # declare global variables that we'll need to reference
    global CLIenprompt

    #------------------------------------------------------------
    # look for the access list line that we want to pull counters for.
    # - if we find the access list line we want, continue
    # - if a CLI enable prompt is found before the access list line, then
    #   the access list is not built the way we expect and we should exit
    # - if expect times out waiting for a match, exit
    expect {
        "$AccessLine" {}
        "$CLIenprompt" {abortproc}
        timeout {abortproc}
    }

    # we are now 'on' the access list line, immediately following the last
    # char that we just searched for. search for newline character so that
    # expect_out(buffer) contains the text comprising the remainder of the
    # line
    expect {
        "\n" {}
        timeout {abortproc}
    }

    # save the string and trim it; if there is no text left on the line
    # we'll end up with an empty string (the line has never been hit, so
    # IOS prints no "(N matches)" suffix)
    set tempvar [string trim "$expect_out(buffer)"]

    # if we got any text it will be in the format "(12341234 matches)" ;
    # trim it down to just the number
    if {"$tempvar" != ""} {
        # debugging only
        # send_tty "Got something.\n"
        set tempvar [string trim "$tempvar" "( matches)"]
    }

    return "$tempvar"
}

#------------------------------------------------------------
# set R/W variables used during the script

# counter for denied ICMP packets (left over from the original script,
# not used below)
set ICMPdenycount "0"
# counter for denied spoofed packets (left over from the original script,
# not used below)
set spoofdenycount "0"

#------------------------------------------------------------
# set variables for items that are important to note (ie security
# sensitive) or could be used multiple times in the script

set CLIprompt ">"
set CLIenprompt "#"
# login and enable password variables must end in \r so that CR is sent
set loginusr "yourusername\r"
set loginpwd "loginpassword\r"
set enpwd "enablepassword\r"

#------------------------------------------------------------
# set timeout for each expect command to 20 secs (from default of 10)
set timeout 20

# disable output from being sent to stdout
log_user 0

# initiate the telnet session to the router holding your access list
spawn telnet [lindex $argv 0]

# wait for username prompt, my router uses tacacs
expect {
    "Username: " {}
    timeout {abortproc}
}
send "$loginusr"

# wait for the login password prompt and send login password
expect {
    "Password: " {}
    timeout {abortproc}
}
send "$loginpwd"

# wait for the CLI prompt
expect {
    "$CLIprompt" {}
    timeout {abortproc}
}

# enter enable mode
send "enable\r"
expect {
    "Password: " {}
    timeout {abortproc}
}
send "$enpwd"
expect {
    "$CLIenprompt" {}
    timeout {abortproc}
}

# display the desired access list
send "show access-list [lindex $argv 1]\r"

# call procedure to get the values we're interested in
# you can add more access-list lines here to match those on your router
# (they must be searched for in the order they appear in the access list)

set wwwpermitcount [getcounter "permit tcp any any eq www"]
set smtppermitcount [getcounter "permit tcp any any eq smtp"]
set otherpermitcount [getcounter "permit ip any any"]

# wait for the prompt after the listing, then log out cleanly
expect {
    "$CLIenprompt" {}
    timeout {abortproc}
}
send "logout\r"
expect {
    "Connection closed by foreign host." {}
    timeout {abortproc}
}
close

# debugging only
#send_tty ".$wwwpermitcount.\n"
#send_tty ".$otherpermitcount.\n"

# Output needed by Cacti to graph www, smtp and other hits: one line of
# "name:value" pairs, one per data source field
send_user "www:$wwwpermitcount smtp:$smtppermitcount other:$otherpermitcount"

# debugging only
#return "$ICMPdenycount\n$spoofdenycount\nforever\npancho.ed.gov\n"

exit
#--------------Stops here---------------------
Attachments: ciscoacl_input.gif, cacti_graph_template_cisco_access_lists.xml, cacti_data_template_cisco_access_lists.xml
Last edited by mongoose on Sat Feb 04, 2006 8:06 am, edited 1 time in total.
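As an added example (not the poster's script and not part of Cacti), the same parsing the expect script's getcounter does, written in Python over a constructed "show access-list" listing, plus the per-poll delta that keeps the graph from growing forever: an ACE with no "(N matches)" suffix counts as 0, and a counter that drops below the previous reading is treated as the monthly clear-counters reset discussed in the thread. The ACE texts, field names and sample numbers are assumptions for the demonstration.

```python
import re

# Constructed sample of "show access-list 101" output (not captured from a
# real router). Only ACEs that have been hit carry the "(N matches)" suffix,
# which is the case getcounter has to cope with.
SAMPLE_ACL = """\
Extended IP access list 101
    10 permit tcp any any eq www (1805134 matches)
    20 permit tcp any any eq smtp (4021 matches)
    30 permit ip any any
"""

# Cacti field name -> ACE text, mirroring the three getcounter calls
FIELDS = [("www", "permit tcp any any eq www"),
          ("smtp", "permit tcp any any eq smtp"),
          ("other", "permit ip any any")]

# optional sequence number, the ACE text, optional "(N matches)" suffix
ACE_RE = re.compile(
    r"^(?:\d+\s+)?((?:permit|deny)\b.*?)(?:\s+\((\d+) match(?:es)?\))?$")


def parse_acl_hits(text):
    """Return {ACE text: hit count}; an ACE without a suffix counts as 0."""
    hits = {}
    for raw in text.splitlines():
        m = ACE_RE.match(raw.strip())
        if m:
            hits[m.group(1)] = int(m.group(2) or 0)
    return hits


def interval_hits(previous, current):
    """Hits since the last poll. The router counter only grows until someone
    clears it, so a current value below the previous reading means a reset
    happened; count from zero instead of producing a negative delta."""
    return current if current < previous else current - previous


def cacti_output(hits):
    """One line of "name:value" pairs, the format the script's send_user emits."""
    return " ".join(f"{name}:{hits.get(ace, 0)}" for name, ace in FIELDS)


if __name__ == "__main__":
    print(cacti_output(parse_acl_hits(SAMPLE_ACL)))
```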

Post by aboyz »

Anyone know if this script works? And will it work on a ServerIron load balancer? I mean the ideas are the same, right?