Cisco Access Lists graphing
Moderators: Developers, Moderators
Cisco Access Lists graphing
Hi guys,
I am trying to graph a Cisco Access List with and expect script. I am only logging http hits on the access-list and I do get an output from my script :
CMD: expect /home/andre/test_expect.sh, output: 1777069
but its not putting in data on my graph ? (please see attached .gif)
Any help would be appreciated ??
Thanks
I am trying to graph a Cisco Access List with and expect script. I am only logging http hits on the access-list and I do get an output from my script :
CMD: expect /home/andre/test_expect.sh, output: 1777069
but its not putting in data on my graph ? (please see attached .gif)
Any help would be appreciated ??
Thanks
- Attachments
-
- cisco_access_list.gif (22.54 KiB) Viewed 8275 times
- rony
- Developer/Forum Admin
- Posts: 6022
- Joined: Mon Nov 17, 2003 6:35 pm
- Location: Michigan, USA
- Contact:
Post the output of you script.
[size=117][i][b]Tony Roman[/b][/i][/size]
[size=84][i]Experience is what causes a person to make new mistakes instead of old ones.[/i][/size]
[size=84][i]There are only 3 way to complete a project: Good, Fast or Cheap, pick two.[/i][/size]
[size=84][i]With age comes wisdom, what you choose to do with it determines whether or not you are wise.[/i][/size]
[size=84][i]Experience is what causes a person to make new mistakes instead of old ones.[/i][/size]
[size=84][i]There are only 3 way to complete a project: Good, Fast or Cheap, pick two.[/i][/size]
[size=84][i]With age comes wisdom, what you choose to do with it determines whether or not you are wise.[/i][/size]
okay here is my script output, what it does, it just logs into the router, get the hit count on a access-list and gives the output :
-sh-2.05b# expect /home/andre/test_expect.sh
1805134
My Data and Graph templates are attached !
Thanks guys !
-sh-2.05b# expect /home/andre/test_expect.sh
1805134
My Data and Graph templates are attached !
Thanks guys !
- Attachments
-
- cacti_graph_template_cisco_access_lists.xml
- Graph Template
- (6.93 KiB) Downloaded 287 times
-
- cacti_data_template_cisco_access_lists.xml
- Data Template
- (2.92 KiB) Downloaded 395 times
- rony
- Developer/Forum Admin
- Posts: 6022
- Joined: Mon Nov 17, 2003 6:35 pm
- Location: Michigan, USA
- Contact:
Alter you upper limit on the graph template, 100 isn't high enough.
Also, consider changing the internal DS name to something other than www_hits?
Also, put the full path to expect in your Data Input Method.
Those are the only things that I can see wrong at this time.
Also, consider changing the internal DS name to something other than www_hits?
Also, put the full path to expect in your Data Input Method.
Those are the only things that I can see wrong at this time.
[size=117][i][b]Tony Roman[/b][/i][/size]
[size=84][i]Experience is what causes a person to make new mistakes instead of old ones.[/i][/size]
[size=84][i]There are only 3 way to complete a project: Good, Fast or Cheap, pick two.[/i][/size]
[size=84][i]With age comes wisdom, what you choose to do with it determines whether or not you are wise.[/i][/size]
[size=84][i]Experience is what causes a person to make new mistakes instead of old ones.[/i][/size]
[size=84][i]There are only 3 way to complete a project: Good, Fast or Cheap, pick two.[/i][/size]
[size=84][i]With age comes wisdom, what you choose to do with it determines whether or not you are wise.[/i][/size]
rony wrote:Alter you upper limit on the graph template, 100 isn't high enough.
Also, consider changing the internal DS name to something other than www_hits?
Also, put the full path to expect in your Data Input Method.
Those are the only things that I can see wrong at this time.
thanks, I have changed my upper limit
I have changed hits_www to just wwwhits
...and I have the full path in my Data Input Method :
expect /home/andre/test_expect.sh
Thanks man ... I think it was the upper limit thing as it starting working while I was busy typing this msg ...
Thanks again !
- rony
- Developer/Forum Admin
- Posts: 6022
- Joined: Mon Nov 17, 2003 6:35 pm
- Location: Michigan, USA
- Contact:
You might have to remove the rrd file assocated with that datasource so the changes you made to the DS names will apply and work correctly.
[size=117][i][b]Tony Roman[/b][/i][/size]
[size=84][i]Experience is what causes a person to make new mistakes instead of old ones.[/i][/size]
[size=84][i]There are only 3 way to complete a project: Good, Fast or Cheap, pick two.[/i][/size]
[size=84][i]With age comes wisdom, what you choose to do with it determines whether or not you are wise.[/i][/size]
[size=84][i]Experience is what causes a person to make new mistakes instead of old ones.[/i][/size]
[size=84][i]There are only 3 way to complete a project: Good, Fast or Cheap, pick two.[/i][/size]
[size=84][i]With age comes wisdom, what you choose to do with it determines whether or not you are wise.[/i][/size]
no problems ... will post it tomorrow, however, i have one problem with the script. the hitcount will just go up and up so the graph will just get bigger and bigger ... is there a way to reset it every month ?africanw wrote:Hi,
Any chance you are willing to share that script. The idea sounded interesting.
Thanks
AW
okay, please find attached the data and graph template for the cisco access-list graphing and also the script (remember its an expect script, not perl) below that gets the hit counts from the cisco
the picure shows the Data Input Method
Script Starts:
#----------Start Here--------------
#!/usr/bin/expect
# This script could be set to have parameters for the box to connect
# to, login/enable passwords, access list to look at, which access list
# lines to look for, etc. However since all of this information is tied
# together and therefore everything would have to be parameter if any one
# item was, and since we are using this for a single box & access list,
# we're just hard-coding the info in the script.
#
# Items that would have to be changed to use this script for another box/
# access list/access list lines:
# - destination router
# - CLI prompt
# - CLI enable mode prompt
# - login password
# - enable password
# - access list name or number
# - access list lines to search for
# Options to add:
# - multiple pattern matches when looking for access list lines, with
# second pattern the CLI prompt and the corresponding body exits script;
# because if you find the CLI prompt before finding the access list line,
# then the access list is not built the way that we are expecting
# - timeout on *all* expect commands so as to not enter infinite wait; set
# for 30 secs per command
# - 'abort' procedure
# - change 'getting data for access line' to a procedure with parameter
# of 'access line text'
# Greg Scheidel, 2/15/2000
#Added by Andre Els, 2005/04/24
#
#USAGE : ./getacl.sh <router ip address> <access-list number>
#
#EXAMPLE : ./getacl.sh 10.10.10.10 101
#------------------------------------------------------------
# Procedure to call when prematurely aborting. May need to use
# to output null/0 values.
proc abortproc "" {
# debugging only
#send_tty "ok, works"
exit
}
#------------------------------------------------------------
# Procedure to search for a specific access list line in the displayed
# access list, and return the value of the counter associated
# with that line.
proc getcounter AccessLine {
#debugging only
# send_tty "*$AccessLine*\n"
#------------------------------------------------------------
# set R/W variables used during the proc
# temp variable used to pull information from access list lines
# before parsing and dumping to output
set tempvar "0"
#------------------------------------------------------------
# declare global variables that we'll need to reference
global CLIenprompt
#------------------------------------------------------------
# look for the access list line that we want to pull counters for.
# - if we find the access list line we want, continue
# - if a CLI enable prompt is found before the access list line, then
# the access list is not built the way we expect and we should exit
# - if expect times out waiting for a match, exit
expect {
"$AccessLine" {}
"$CLIenprompt" {abortproc}
timeout {abortproc}
}
# we are now 'on' the access list line, immediately following the last
# char that we just searched for. search for newline character so that
# expect_out(buffer) contains the text comprising the remainder of the
#line
expect {
"\n" {}
timeout {aportproc}
}
# save the string and trim it; if there is no text left on the line
# we'll end up with an empty string
set tempvar [string trim "$expect_out(buffer)"]
# if we got any text it will be in the format "(12341234 matches)" ;
# trim it down to just the number
if {"$tempvar" != ""} {
# debugging only
# send_tty "Got something.\n"
set tempvar [string trim "$tempvar" "( matches)"]
}
return "$tempvar"
}
#------------------------------------------------------------
# set R/W variables used during the script
# counter for denied ICMP packets
set ICMPdenycount "0"
# counter for denied spoofed packets
set spoofdenycount "0"
#------------------------------------------------------------
# set variables for items that are important to note (ie security
# sensitive) or could be used multiple times in the script
set CLIprompt ">"
set CLIenprompt "#"
# login and enable passwords variable must end in \r so that CR is sent
set loginusr "yourusername\r"
set loginpwd "loginpassword\r"
set enpwd "enablepassword\r"
#------------------------------------------------------------
# set timeout for each expect command to 20 secs (from default of 10)
set timeout 20
# disable output from being sent to stdout
log_user 0
# initiate the telnet session to the router holding your access list
spawn telnet [lindex $argv 0]
# wait for username prompt ,my router uses tacacs
expect {
"Username: " {}
timeout {abortproc}
}
send "$loginusr"
# wait for the login password prompt and send login password
expect {
"Password: " {}
timeout {abortproc}
}
send "$loginpwd"
# wait for the CLI prompt
expect {
"$CLIprompt" {}
timeout {abortproc}
}
# enter enable mode
send "enable\r"
expect {
"Password: " {}
timeout {abortproc}
}
send "$enpwd"
expect {
"$CLIenprompt" {}
timeout {abortproc}
}
# display the desired access list
send "show access-list [lindex $argv 1]\r"
# call procedure to get the values we're interested in
# you can add more access-list lines here to match those on your router
set wwwpermitcount [getcounter "permit tcp any any eq www"]
set smtppermitcount [getcounter "permit tcp any any eq smtp"]
set otherpermitcount [getcounter "permit ip any any"]
expect {
"$CLIenprompt" {}
timeout {abortproc}
}
send "logout\r"
expect {
"Connection closed by foreign host." {}
timeout {abortproc}
}
close
# debugging only
#send_tty ".$wwwpermitcount.\n"
#send_tty ".$otherpermitcount.\n"
#Output need my Cacti to graph www, smtp and other hits
send_user "www:$wwwpermitcount smtp:$smtppermitcount other:$otherpermitcount";
# other:$otherpermitcount";
# debugging only
#return "$ICMPdenycount\n$spoofdenycount\nforever\npancho.ed.gov\n"
exit
#--------------Stops here---------------------
the picure shows the Data Input Method
Script Starts:
#----------Start Here--------------
#!/usr/bin/expect
# This script could be set to have parameters for the box to connect
# to, login/enable passwords, access list to look at, which access list
# lines to look for, etc. However since all of this information is tied
# together and therefore everything would have to be parameter if any one
# item was, and since we are using this for a single box & access list,
# we're just hard-coding the info in the script.
#
# Items that would have to be changed to use this script for another box/
# access list/access list lines:
# - destination router
# - CLI prompt
# - CLI enable mode prompt
# - login password
# - enable password
# - access list name or number
# - access list lines to search for
# Options to add:
# - multiple pattern matches when looking for access list lines, with
# second pattern the CLI prompt and the corresponding body exits script;
# because if you find the CLI prompt before finding the access list line,
# then the access list is not built the way that we are expecting
# - timeout on *all* expect commands so as to not enter infinite wait; set
# for 30 secs per command
# - 'abort' procedure
# - change 'getting data for access line' to a procedure with parameter
# of 'access line text'
# Greg Scheidel, 2/15/2000
#Added by Andre Els, 2005/04/24
#
#USAGE : ./getacl.sh <router ip address> <access-list number>
#
#EXAMPLE : ./getacl.sh 10.10.10.10 101
#------------------------------------------------------------
# Procedure to call when prematurely aborting. May need to use
# to output null/0 values.
proc abortproc "" {
# debugging only
#send_tty "ok, works"
exit
}
#------------------------------------------------------------
# Procedure to search for a specific access list line in the displayed
# access list, and return the value of the counter associated
# with that line.
proc getcounter AccessLine {
#debugging only
# send_tty "*$AccessLine*\n"
#------------------------------------------------------------
# set R/W variables used during the proc
# temp variable used to pull information from access list lines
# before parsing and dumping to output
set tempvar "0"
#------------------------------------------------------------
# declare global variables that we'll need to reference
global CLIenprompt
#------------------------------------------------------------
# look for the access list line that we want to pull counters for.
# - if we find the access list line we want, continue
# - if a CLI enable prompt is found before the access list line, then
# the access list is not built the way we expect and we should exit
# - if expect times out waiting for a match, exit
expect {
"$AccessLine" {}
"$CLIenprompt" {abortproc}
timeout {abortproc}
}
# we are now 'on' the access list line, immediately following the last
# char that we just searched for. search for newline character so that
# expect_out(buffer) contains the text comprising the remainder of the
#line
expect {
"\n" {}
timeout {aportproc}
}
# save the string and trim it; if there is no text left on the line
# we'll end up with an empty string
set tempvar [string trim "$expect_out(buffer)"]
# if we got any text it will be in the format "(12341234 matches)" ;
# trim it down to just the number
if {"$tempvar" != ""} {
# debugging only
# send_tty "Got something.\n"
set tempvar [string trim "$tempvar" "( matches)"]
}
return "$tempvar"
}
#------------------------------------------------------------
# set R/W variables used during the script
# counter for denied ICMP packets
set ICMPdenycount "0"
# counter for denied spoofed packets
set spoofdenycount "0"
#------------------------------------------------------------
# set variables for items that are important to note (ie security
# sensitive) or could be used multiple times in the script
set CLIprompt ">"
set CLIenprompt "#"
# login and enable passwords variable must end in \r so that CR is sent
set loginusr "yourusername\r"
set loginpwd "loginpassword\r"
set enpwd "enablepassword\r"
#------------------------------------------------------------
# set timeout for each expect command to 20 secs (from default of 10)
set timeout 20
# disable output from being sent to stdout
log_user 0
# initiate the telnet session to the router holding your access list
spawn telnet [lindex $argv 0]
# wait for username prompt ,my router uses tacacs
expect {
"Username: " {}
timeout {abortproc}
}
send "$loginusr"
# wait for the login password prompt and send login password
expect {
"Password: " {}
timeout {abortproc}
}
send "$loginpwd"
# wait for the CLI prompt
expect {
"$CLIprompt" {}
timeout {abortproc}
}
# enter enable mode
send "enable\r"
expect {
"Password: " {}
timeout {abortproc}
}
send "$enpwd"
expect {
"$CLIenprompt" {}
timeout {abortproc}
}
# display the desired access list
send "show access-list [lindex $argv 1]\r"
# call procedure to get the values we're interested in
# you can add more access-list lines here to match those on your router
set wwwpermitcount [getcounter "permit tcp any any eq www"]
set smtppermitcount [getcounter "permit tcp any any eq smtp"]
set otherpermitcount [getcounter "permit ip any any"]
expect {
"$CLIenprompt" {}
timeout {abortproc}
}
send "logout\r"
expect {
"Connection closed by foreign host." {}
timeout {abortproc}
}
close
# debugging only
#send_tty ".$wwwpermitcount.\n"
#send_tty ".$otherpermitcount.\n"
#Output need my Cacti to graph www, smtp and other hits
send_user "www:$wwwpermitcount smtp:$smtppermitcount other:$otherpermitcount";
# other:$otherpermitcount";
# debugging only
#return "$ICMPdenycount\n$spoofdenycount\nforever\npancho.ed.gov\n"
exit
#--------------Stops here---------------------
- Attachments
-
- ciscoacl_input.gif (17.28 KiB) Viewed 8149 times
-
- cacti_graph_template_cisco_access_lists.xml
- (11.43 KiB) Downloaded 366 times
-
- cacti_data_template_cisco_access_lists.xml
- (5.84 KiB) Downloaded 379 times
Last edited by mongoose on Sat Feb 04, 2006 8:06 am, edited 1 time in total.
anyone know if this script work?
anyone know if this script work? and will it work on a serveriron load balancer? I mean the ideas are the same right??
Who is online
Users browsing this forum: No registered users and 3 guests