polling data using proxy and context name

maj
Posts: 5
Joined: Sun Sep 17, 2006 8:13 pm

polling data using proxy and context name

Post by maj »

Hi all,
I'm having some trouble configuring Cacti to allow polling for multiple devices. This is my goal:

1. Set up each Cisco router with SNMPv2 (achieved)
2. Set up the firewall using net-snmp, have incoming SNMPv3 with context names being matched to each context name in each respective proxy directive. (achieved)
3. Forward the request on to the specific Cisco using v2 and public community (achieved)
4. Set up Cacti to poll data and query interfaces, so additional Ciscos are added easily on the fly. (stuck)

Currently my net-snmp setup has:

Code:

com2sec -Cn <context> <v3user> <source ip> public

proxy -Cn <context> -v 2c -c public <dest ip> .1.3

This allows me to snmpwalk/get any data off the Ciscos behind the firewall. By specifying a different context, I can point all requests to the one IP (the firewall) and it knows which Cisco to forward them on to, a nice feature of SNMPv3 in net-snmp.

Being new to Cacti, has anyone set up this method? Are contexts fully supported? Any help would be much appreciated. The Ciscos being polled are 837s, 1841s and 2811s.
TheWitness
Developer
Posts: 17062
Joined: Tue May 14, 2002 5:08 pm
Location: MI, USA

Post by TheWitness »

I did get a patch to Cactid around the same subject, but am uncertain quite what to do with it since we don't "completely" support v3 in the current version.

Larry
True understanding begins only when we realize how little we truly understand...

Life is an adventure, let yours begin with Cacti!

Author of dozens of Cacti plugins and customizations. Advocate of LAMP, MariaDB, IBM Spectrum LSF and the world of batch. Creator of IBM Spectrum RTM, author of quite a bit of unpublished work and most of Cacti's bugs.
_________________
Official Cacti Documentation
GitHub Repository with Supported Plugins
Percona Device Packages (no support)
Interesting Device Packages


For those wondering, I'm still here, but lost in the shadows. Yearning for fewer bugs. Who wants a Cacti 1.3/2.0? Streams anyone?
maj
Posts: 5
Joined: Sun Sep 17, 2006 8:13 pm

Post by maj »

I've found a few posts touching this kind of subject, turning the community string into the context name. Cacti is able to grab the SysDesc and whatnot, but it's having trouble querying interfaces. I put it down to SNMPv3 to SNMPv2 translation (even though Cacti should be polling purely SNMPv2 stuff, so only SNMPv3 is used for auth and proxying, so theoretically there shouldn't be a problem?). Or is it Cisco related?
maj
Posts: 5
Joined: Sun Sep 17, 2006 8:13 pm

Post by maj »

I guess it'll probably help to paste the changes I've made and my results.

Here is my modified snmp.php:

define("REGEXP_SNMP_TRIM", "(hex|counter(32|64)|gauge|gauge(32|64)|float|ipaddress|string|integer):");

define("SNMP_METHOD_PHP", 1);
define("SNMP_METHOD_BINARY", 2);

/* we must use an apostrophe to escape community names under Unix in case the user uses
   characters that the shell might interpret. the ucd-snmp binaries on Windows flip out when
   you do this, but are perfectly happy with a quotation mark. */
if ($config["cacti_server_os"] == "unix") {
    define("SNMP_ESCAPE_CHARACTER", "'");
}else{
    define("SNMP_ESCAPE_CHARACTER", "\"");
}

function cacti_snmp_get($hostname, $community, $oid, $version, $username, $password, $port = 161, $timeout = 500, $environ = SNMP_POLLER) {
    global $config;
    /* determine default retries */
    $retries = read_config_option("snmp_retries");
    if ($retries == "") $retries = 3;
    /* do not attempt to poll invalid combinations */
    if (($version == 0) || (($community == "") && ($version != 3))) {
        return "U";
    }

    if (snmp_get_method($version) == SNMP_METHOD_PHP) {
        /* make sure snmp* is verbose so we can see what types of data we are getting back */
        snmp_set_quick_print(0);

        if ($version == "1") {
            $snmp_value = @snmpget("$hostname:$port", $community, $oid, ($timeout * 1000), $retries);
        }elseif ($version == "2") {
            $snmp_value = @snmp2_get("$hostname:$port", $community, $oid, ($timeout * 1000), $retries);
        }else{
            $snmp_value = @snmp3_get("$hostname:$port", $username, "authPriv", "MD5", $password, "DES", "$password", $oid, ($timeout * 1000), $retries);
        }
    }else {
        /* ucd/net snmp want the timeout in seconds */
        $timeout = ceil($timeout / 1000);

        if ($version == "1") {
            $snmp_auth = (read_config_option("snmp_version") == "ucd-snmp") ? SNMP_ESCAPE_CHARACTER . $community . SNMP_ESCAPE_CHARACTER : "-c " . SNMP_ESCAPE_CHARACTER . $community . SNMP_ESCAPE_CHARACTER; /* v1/v2 - community string */
        }elseif ($version == "2") {
            $snmp_auth = (read_config_option("snmp_version") == "ucd-snmp") ? SNMP_ESCAPE_CHARACTER . $community . SNMP_ESCAPE_CHARACTER : "-c " . SNMP_ESCAPE_CHARACTER . $community . SNMP_ESCAPE_CHARACTER; /* v1/v2 - community string */
            $version = "2c"; /* ucd/net snmp prefers this over '2' */
        }elseif ($version == "3") {
            $snmp_auth = "-n $community -u $username -l authPriv -a MD5 -A $password -x DES -X $password"; /* v3 - username/password */
        }

        /* no valid snmp version has been set, get out */
        if (empty($snmp_auth)) { return; }

        if (read_config_option("snmp_version") == "ucd-snmp") {
            exec(read_config_option("path_snmpget") . " -O vt -v$version -t $timeout -r $retries $hostname:$port $snmp_auth $oid", $snmp_value);
        }else {
            exec(read_config_option("path_snmpget") . " -O fntev $snmp_auth -v $version -t $timeout -r $retries $hostname:$port $oid", $snmp_value);
        }
    }

    if (isset($snmp_value)) {
        /* fix for multi-line snmp output */
        if (is_array($snmp_value)) {
            $snmp_value = implode(" ", $snmp_value);
        }
    }

    /* strip out non-snmp data */
    $snmp_value = format_snmp_string($snmp_value);

    return $snmp_value;
}

function cacti_snmp_walk($hostname, $community, $oid, $version, $username, $password, $port = 161, $timeout = 500, $environ = SNMP_POLLER) {
    global $config;

    $snmp_array = array();
    $temp_array = array();
    /* determine default retries */
    $retries = read_config_option("snmp_retries");
    if ($retries == "") $retries = 3;

    $path_snmpbulkwalk = read_config_option("path_snmpbulkwalk");

    if ((snmp_get_method($version) == SNMP_METHOD_PHP) &&
        (($version == 1) || (strlen(trim($path_snmpbulkwalk)) == 0))) {
        /* make sure snmp* is verbose so we can see what types of data
           we are getting back */

        /* force php to return numeric oid's */
        if (function_exists("snmp_set_oid_numeric_print")) {
            snmp_set_oid_numeric_print(TRUE);
        }

        snmp_set_quick_print(0);

        if ($version == "1") {
            $temp_array = @snmprealwalk("$hostname:$port", $community, $oid, ($timeout * 1000), $retries);
        }elseif ($version == "2") {
            $temp_array = @snmp2_real_walk("$hostname:$port", $community, $oid, ($timeout * 1000), $retries);
        }else{
            $temp_array = @snmp3_real_walk("$hostname:$port", $community, $username, "authPriv", "MD5", $password, "DES", "$password", $oid, ($timeout * 1000), $retries);
        }

        $o = 0;
        for (@reset($temp_array); $i = @key($temp_array); next($temp_array)) {
            $snmp_array[$o]["oid"] = ereg_replace("^\.", "", $i);
            $snmp_array[$o]["value"] = format_snmp_string($temp_array[$i]);
            $o++;
        }
    }else{
        /* ucd/net snmp want the timeout in seconds */
        $timeout = ceil($timeout / 1000);

        if ($version == "1") {
            $snmp_auth = (read_config_option("snmp_version") == "ucd-snmp") ? SNMP_ESCAPE_CHARACTER . $community . SNMP_ESCAPE_CHARACTER : "-c " . SNMP_ESCAPE_CHARACTER . $community . SNMP_ESCAPE_CHARACTER; /* v1/v2 - community string */
        }elseif ($version == "2") {
            $snmp_auth = (read_config_option("snmp_version") == "ucd-snmp") ? SNMP_ESCAPE_CHARACTER . $community . SNMP_ESCAPE_CHARACTER : "-c " . SNMP_ESCAPE_CHARACTER . $community . SNMP_ESCAPE_CHARACTER; /* v1/v2 - community string */
            $version = "2c"; /* ucd/net snmp prefers this over '2' */
        }elseif ($version == "3") {
            $snmp_auth = "-n $community -u $username -l authNoPriv -a MD5 -A $password -x DES -X $password"; /* v3 - username/password */
        }

        if (read_config_option("snmp_version") == "ucd-snmp") {
            $temp_array = exec_into_array(read_config_option("path_snmpwalk") . " -v$version -t $timeout -r $retries $hostname:$port $snmp_auth $oid");
        }else {
            if (strlen(trim($path_snmpbulkwalk)) && ($version > 1)) {
                $temp_array = exec_into_array(read_config_option("path_snmpbulkwalk") . " -O QfntUe $snmp_auth -v $version -t $timeout -r $retries -Cr50 $hostname:$port $oid");
            }else{
                $temp_array = exec_into_array(read_config_option("path_snmpwalk") . " -O QfntUe $snmp_auth -v $version -t $timeout -r $retries $hostname:$port $oid");
            }
        }

        if ((sizeof($temp_array) == 0) || (substr_count($temp_array[0], "No Such Object"))) {
            return array();
        }

        for ($i=0; $i < count($temp_array); $i++) {
            $snmp_array[$i]["oid"] = trim(ereg_replace("(.*) =.*", "\\1", $temp_array[$i]));
            $snmp_array[$i]["value"] = format_snmp_string($temp_array[$i]);
        }
    }

    return $snmp_array;
}

function format_snmp_string($string) {
    /* strip off all leading junk (the oid and stuff) */
    $string = trim(ereg_replace(".*= ?", "", $string));

    /* remove ALL quotes */
    $string = str_replace("\"", "", $string);
    $string = str_replace("'", "", $string);
    $string = str_replace(">", "", $string);
    $string = str_replace("<", "", $string);
    $string = str_replace("\\", "", $string);

    /* Remove invalid chars */
    $k = strlen($string);
    for ($i=0; $i < $k; $i++) {
        if ((ord($string[$i]) <= 31) || (ord($string[$i]) >= 127)) {
            $string[$i] = " ";
        }
    }
    $string = trim($string);

    if (preg_match("/(hex:\?)?([a-fA-F0-9]{1,2}(:|\s)){5}/", $string)) {
        $octet = "";

        /* strip of the 'hex:' */
        $string = eregi_replace("hex: ?", "", $string);

        /* split the hex on the delimiter */
        $octets = preg_split("/\s|:/", $string);

        /* loop through each octet and format it accordingly */
        for ($i=0;($i<count($octets));$i++) {
            $octet .= str_pad($octets[$i], 2, "0", STR_PAD_LEFT);

            if (($i+1) < count($octets)) {
                $octet .= ":";
            }
        }

        /* copy the final result and make it upper case */
        $string = strtoupper($octet);
    }elseif (preg_match("/Timeticks:\s\((\d+)\)\s/", $string, $matches)) {
        $string = $matches[1];
    }

    $string = eregi_replace(REGEXP_SNMP_TRIM, "", $string);

    return trim($string);
}

function snmp_get_method($version = 1) {
    if ((function_exists("snmpget")) && ($version == 1)) {
        return SNMP_METHOD_PHP;
    }else if ((function_exists("snmp2_get")) && ($version == 2)) {
        return SNMP_METHOD_PHP;
    }else if ((function_exists("snmp3_get")) && ($version == 3)) {
        return SNMP_METHOD_PHP;
    }else if ((($version == 2) || ($version == 3)) && (file_exists(read_config_option("path_snmpget")))) {
        return SNMP_METHOD_BINARY;
    }else if (function_exists("snmpget")) {
        /* last resort (hopefully it isn't a 64-bit result) */
        return SNMP_METHOD_PHP;
    }else if (file_exists(read_config_option("path_snmpget"))) {
        return SNMP_METHOD_BINARY;
    }else{
        /* looks like snmp is broken */
        return SNMP_METHOD_BINARY;
    }
}

?>

Edited Code in Bold.

Here is the error when I do a verbose query on the SNMP - Interface Statistics:

Code:

+ Running data query [1].
+ Found type = '3' [snmp query].
+ Found data query XML file at '/usr/local/apache2/htdocs/cacti/resource/snmp_queries/interface.xml'
+ XML file parsed ok.
+ Executing SNMP walk for list of indexes @ '.1.3.6.1.2.1.2.2.1.1'
+ No SNMP data returned
+ Found data query XML file at '/usr/local/apache2/htdocs/cacti/resource/snmp_queries/interface.xml'
+ Found data query XML file at '/usr/local/apache2/htdocs/cacti/resource/snmp_queries/interface.xml'
+ Found data query XML file at '/usr/local/apache2/htdocs/cacti/resource/snmp_queries/interface.xml'
maj
Posts: 5
Joined: Sun Sep 17, 2006 8:13 pm

Post by maj »

Actually I've just found the problem while pasting that snmp.php, I had missed one authNoPriv in the snmp_auth.

Context now works! A dirty but very simple hack.
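
An added example, not part of the original posts and not Cacti's own code: one helper builds the net-snmp SNMPv3 options for both the get and the walk command lines, so the two paths cannot disagree on the security level (the authPriv/authNoPriv mismatch described above), and the context name, user and passphrase are each quoted with escapeshellarg() before they reach the shell. The function name build_snmpv3_args(), the address and the sample credentials are hypothetical.

```php
<?php
/* Added example (not Cacti code). build_snmpv3_args() and the sample values
   below are hypothetical and constructed for illustration. */

/**
 * Build the net-snmp command-line options for an SNMPv3 request that is
 * routed by context name. snmpget, snmpwalk and snmpbulkwalk accept these.
 */
function build_snmpv3_args($context, $username, $password, $level = "authPriv") {
    $allowed = array("noAuthNoPriv", "authNoPriv", "authPriv");
    if (!in_array($level, $allowed, true)) {
        throw new InvalidArgumentException("unknown security level: $level");
    }

    /* every user-supplied value is quoted for the shell individually */
    $args = array("-v", "3", "-l", $level, "-u", escapeshellarg($username));

    if ($context !== "") {
        $args[] = "-n";
        $args[] = escapeshellarg($context);
    }
    if ($level !== "noAuthNoPriv") {
        array_push($args, "-a", "MD5", "-A", escapeshellarg($password));
    }
    if ($level === "authPriv") {
        /* same passphrase for auth and privacy, as in the posted snmp.php */
        array_push($args, "-x", "DES", "-X", escapeshellarg($password));
    }
    return implode(" ", $args);
}

/* constructed sample values; the context contains a space and a quote,
   which an unquoted "-n $community" would hand to the shell as-is */
$auth = build_snmpv3_args("site a's router", "cactiuser", "example-passphrase");

/* both code paths reuse the same string, so they always agree on -l */
$get_cmd  = "snmpget -O fntev $auth -t 1 -r 3 192.0.2.1:161 .1.3.6.1.2.1.1.1.0";
$walk_cmd = "snmpbulkwalk -O QfntUe $auth -t 1 -r 3 -Cr50 192.0.2.1:161 .1.3.6.1.2.1.2.2.1.1";

echo $get_cmd, "\n", $walk_cmd, "\n";
```

The script only prints the two command lines, so the quoting can be inspected without a reachable SNMP agent.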
TheWitness
Developer
Posts: 17062
Joined: Tue May 14, 2002 5:08 pm
Location: MI, USA

Post by TheWitness »

Good work!!
maj
Posts: 5
Joined: Sun Sep 17, 2006 8:13 pm

Post by maj »

Just a post reflection on this method.

It will work following the method above, but I have noticed varied results with the Cisco IOS versions it is monitoring. I still have problems querying interfaces for some versions but not others; the 12.4(6)T/2/3 branch seems to have the most luck. Just keep this in mind!