Quick HOWTO : Ch22 : Monitoring Server Performance/zh
来自Ubuntu中文
 |
文章出处: |
http://www.linuxhomenetworking.com/wiki/index.php/Quick_HOWTO_:_Ch22_:_Monitoring_Server_Performance |
|
翻译人员: |
lipeng |
|
点击翻译: |
English • 中文 |
目录
简介
你能够使用Linux的图形化工具来容易地监视系统的网络性能。在下面的章节中,你将会学到怎样使用包括MRTG(基于SNMP的,用来监视网络流量的工具)和Webalizer(分析网站命中率的工具)在内的一些工具。
简单网络管理协议
许多服务器、路由器和防火墙在他们的对象标志符(OIDs)里保记录这他们的操作上的统计数据,你可以通过简单网络管理协议(SNMP)来细心的检索他们。为了方便使用,设备制造商为他们的设备提供了管理信息库文件MIB,该文件定义了设备对象标志符OID的功能。在这两句中有许多新的术语需要被理解,因此让我们花一点时间弄清楚他们。
OIDs 和 MIBs
OIDs 由SNMP标准定义的结构化管理信息树来确定。该树开始于根结点root,通过分支和叶继承下去,每一个子结点添加他们自己的引用值到一个由单独的时间区分的路径。图 22-1显示了OID结构,企业OID分支的路径首先通过org,dod,internet,和private branches,因此相应的OID路径是1.3.6.1.4.1。
图22-1 SNMP OID 结构
管理信息库(MIBs)是用文字定义每个OID分支.表22-1展示了常用的OIDs与它们的MIBs的对应关系.例如,org MIB定义了dod层必需的所有最高层的OIDs。dod下层的internet MIB定义了directory、mgmt、experimental、和private branches中的最高层OIDs。这种MIB信息对SNMP管理程序非常有用,你可以点击某个OID来看它的值、类型和描述。
Table 22-1 OIDs 和相对应的MIBs
| OID | MIB |
| 1.3 | org |
| 1.3.6 | dod |
| 1.3.6.1 | internet |
| 1.3.6.1.1 | directory |
| 1.3.6.1.2 | mgmt |
| 1.3.6.1.3 | experimental |
| 1.3.6.1.4 | private |
| 1.3.6.1.4.1 | enterprises |
用可读性更高的MIB别名来替代OID分支中的数字,你可以更好的识别该OID。例如,你可以将OID 1.3.6.1.4.1.9.9.109.1.1.1.1.5看成enterprises.9.9.109.1.1.1.1.5.即你可以用enterprises的分支名来替代它的OID数字(1.3.6.1.4.1)
记住,只有分支中的最底端即叶子的OID值才有实际的可读性。将OIDs看成硬盘上的目录结构一样。每个分支就等同于子目录,最底端(叶子)就好比一个文件。
linux下的snmpget命令输出单个叶子的值,snmpwalk命令则会输出分支下面所有叶子的值。晚些时候再讨论这些命令;现在你只需要知道的是命令的输出通常情况下不会列出整个OID,只会列出它所属的MIB文件和该文件中的别名,例如:
SNMPv2-MIB::sysUpTime.0
这里OID值属于SNMPv2-MIB文件,使用sysUpTime别名中的零位置
设备厂商通常在enterprises MIB下分配他们自己的OID分支,为方便管理他们还必须提供以全局OIDs方式表示的信息。例如,NIC接口数据吞吐量应该放在通用树上的某个预先定义好的位置,可是定制的处理器卡上的内存使用值会被定义在某个MIB中,该MIB在厂商自己的OID分支下。
SNMP Community字符串
作为一种安全措施, 你需要知道 SNMP 密码, 即 community字符串,来查询 OID. 有多种community 字符串,最常用的是只读字符串用来提供对统计和系统参数的访问. 多数情况下设置为 "public;"为避免被猜出你应该修改它 . 读写community字符串不仅用来查看统计数据和系统参数,而且用来修改系统参数。
SNMP Versions
目前SNMP有三个版本.
- SNMP版本1: 第一个实现版本, 版本1的目的是设计出一种协议以在不消耗太多系统资源的情况下提供设备统计信息和错误报告. 安全方面仅限于 community 字符串和基于IP地址的访问控制. 数据通讯没有加密.
- SNMP 版本 2: 第二个版本的 SNMP协议, 通常称为v2c,扩展了所支持的错误码, 增加了跟踪数据的计数器, 具备批量查询能力,可以更高效的加载返回数据包. SNMP v2c 与版本1兼容.
- SNMP版本3: 这个版本比前面的版本提供了更多的安全和远程配置能力. 访问控制不仅限于community字符串来提供只读或者读写访问,引入了用户名和口令. 可以为每一个用户提供MIB库的OID视图. 提供 SNMP数据加密和数据错误检测.
请记住他们的差异, 因为做SNMP查询时你需要确定版本号.
SNMP查询
在一个服务器上配置SNMP并不难, 不过也需要一些琐碎的步骤.
在Linux Server上安装SNMP工具
如果你想用你的linux通过MRTG或者其他工具去查询你的网络设备,其他服务器甚至本机, 你需要安装SNMP工具包net-snmp-utils .这个包需要其他的一些包, 因此最好用自动的软件包更新工具例如 yum 或者 apt 来安装.
查找这些包时,文件名一般是包名名称加上版本号,例如net-snmp-utils-5.1.1-2.i386.rpm. (如果你需要一个安装工具请参阅第六章, , "Installing Linux Software").
SNMP Utilities Command Syntax
The SNMP utility tools package installs a number of new commands on your system for doing SNMP queries, most notably snmpget for individual OIDs and snmpwalk for obtaining the contents of an entire MIB. Both commands require you to specify the community string with a -c operator. They also require you to specify the version of the SNMP query to be used with a -v 1, -v 2c, or -v 3 operator for versions 1, 2, and 3, respectively. The first argument is the name or IP address of the target device and all other arguments list the MIBs to be queried.
This example gets all the values in the interface MIB of the local server using SNMP version 1 and the community string of craz33guy.
[root@bigboy tmp]# snmpwalk -v 1 -c craz33guy localhost interface ... ... IF-MIB::ifDescr.1 = STRING: lo IF-MIB::ifDescr.2 = STRING: eth0 IF-MIB::ifDescr.3 = STRING: eth1 ... ... IF-MIB::ifPhysAddress.1 = STRING: IF-MIB::ifPhysAddress.2 = STRING: 0:9:5b:2f:9e:d5 IF-MIB::ifPhysAddress.3 = STRING: 0:b0:d0:46:32:71 ... ... [root@bigboy tmp]#
Upon inspecting the output of the snmpwalk command, you can see that the second interface seems to have the name eth0 and the MAC address 0:9:5b:2f:9e:d5. You can now retrieve the individual MAC address using the snmpget command.
[root@bigboy tmp]# snmpget -v 1 -c const1payted localhost ifPhysAddress.2 IF-MIB::ifPhysAddress.2 = STRING: 0:9:5b:2f:9e:d5 [root@bigboy tmp]#
You can confirm this information using the ifconfig command for interface eth0; the very first line shows a matching MAC address.
[root@bigboy tmp]# ifconfig -a eth0 eth0 Link encap:Ethernet HWaddr 00:09:5B:2F:9E:D5 inet addr:216.10.119.244 Bcast:216.10.119.255 Mask:255.255.255.240 ... ... [root@bigboy tmp]#
You'll now see how you can configure SNMP on your Linux server to achieve these results.
Configuring Simple SNMP on a Linux Server
By default Fedora, installs the net-snmp package as its SNMP server product. This package uses a configuration file named /etc/snmp/snmpd.conf in which the community strings and other parameters may be set. The version of the configuration file that comes with net-snmp is quite complicated. I suggest archiving it and using a much simpler version with only a single line containing the keyword rocommunity followed by the community string. Here is an example.
1) Save the old configuration file
[root@bigboy tmp]# cd /etc/snmp/ [root@bigboy snmp]# mv snmpd.conf snmpd.conf.old [root@bigboy snmp]# vi snmpd.conf
2) Enter the following line in the new configuration file to set the Read Only community string to craz33guy.
rocommunity craz33guy
3) Configure Linux to start SNMP services on each reboot with the chkconfig command:
[root@bigboy root]# chkconfig snmpd on [root@bigboy root]#
4) Start SNMP to load the current configuration file.
[root@bigboy root]# service snmpd start Starting snmpd: [ OK ] [root@bigboy root]#
5) Test whether SNMP can read the system and interface MIBs using the snmpwalk command.
[root@bigboy snmp]# snmpwalk -v 1 -c craz33guy localhost system SNMPv2-MIB::sysDescr.0 = STRING: Linux bigboy 2.4.18-14 #1 Wed Sep 4 11:57:57 EDT 2002 i586 SNMPv2-MIB::sysObjectID.0 = OID: NET-SNMP-MIB::netSnmpAgentOIDs.10 SNMPv2-MIB::sysUpTime.0 = Timeticks: (425) 0:00:04.25 SNMPv2-MIB::sysContact.0 = STRING: root@localhost SNMPv2-MIB::sysName.0 = STRING: bigboy ... ... ... [root@bigboy snmp]# snmpwalk -v 1 -c craz33guy localhost interface IF-MIB::ifNumber.0 = INTEGER: 3 IF-MIB::ifIndex.1 = INTEGER: 1 IF-MIB::ifIndex.2 = INTEGER: 2 IF-MIB::ifIndex.3 = INTEGER: 3 IF-MIB::ifDescr.1 = STRING: lo IF-MIB::ifDescr.2 = STRING: wlan0 IF-MIB::ifDescr.3 = STRING: eth0 ... ... ... [root@bigboy snmp]#
Now that you know SNMP is working correctly on your Linux server, you can configure SNMP statistics gathering software, such as MRTG, to create online graphs of your traffic flows.
SNMP On Other Devices
In the example, you were polling localhost. You can poll any SNMP-aware network device that has SNMP enabled. All you need is the IP address and SNMP Read Only string and you'll be able to get similar results. Here is an example of a query of a device with an IP address of 192.168.1.1.
[root@bigboy snmp]# snmpwalk -v 1 -c chir1qui 192.168.1.1 interface
Note: When issuing snmpwalk and snmpget commands, remember to use the proper version switch (-v 1, -v 2c, or -v 3) for the version of SNMP you're using.
Basic SNMP Security
The security precautions that need to be taken with SNMP vary depending on the version you are using. This section outlines the basic steps for protecting your MIB data.
SNMP Versions 1 and 2
The most commonly supported versions of SNMP don't encrypt your community string password so you shouldn't do queries over insecure networks, such as the Internet. You should also make sure that you use all reasonable security measures to allow queries only from trusted IP addresses either via a firewall or the SNMP security features available in the snmp.conf file. You can also configure your server to use the TCP wrappers feature outlined in Appendix I, "Miscellaneous Linux Topics," to limit access to specific servers without the need of a firewall.
In case you need it, the snmpd.conf file can support limiting MIB access to trusted hosts and networks.
The snmpd.conf file has two security sections; a section with very restrictive access sits at the top of the file and is immediately followed by a less restrictive section. The example that follows is a modification of the less restrictive section. You will have to comment out the more restrictive statements at the top of the file for it to work correctly.
## sec.name source community ## ======== ====== ========= com2sec local localhost craz33guy com2sec network_1 172.16.1.0/24 craz33guy com2sec network_2 192.168.2.0/24 craz33guy ## Access.group.name sec.model sec.name ## ================= ========= ======== group MyROGroup_1 v1 local group MyROGroup_1 v1 network_1 group MyROGroup_2 v2c network_2 ## MIB.view.name incl/excl MIB.subtree mask ## ============== ========= =========== ==== view all-mibs included .1 80 ## MIB ## group.name context sec.model sec.level prefix read write notif ## ========== ======= ========= ========= ====== ==== ===== ===== access MyROGroup_1 "" v1 noauth exact all-mibs none none access MyROGroup_2 "" v2c noauth exact all-mibs none none
In our example:
- Only three networks (localhost, 172.16.1.0/24, and 192.168.1.0/24) are allowed to access the server with the craz33guy community string.
- Each network is matched to a either a group called MyROGroup_1 using SNMP version 1, or group called MyROGroup_2 using SNMP version 2.
- All the MIBs on the server are defined by the view named all-mibs.
- An access statement ensures that only the defined networks have read only access to all the MIBs. MyROGroup_1 only has version 1 access with MyROGroup_2 only having version 2 access.
- Modification of the MIBs via SNMP is denied because the word "none" is in the write section of the access statement.
These precautions are probably unnecessary in a home environment where access is generally limited to devices on the home network by a NAT firewall.
SNMP Version 3
SNMP Version 3 SNMPv3 is a much more secure alternative to earlier versions as it encrypts all its data and uses a username / password combination for client authentication. The username should be located in the /etc/snmp/snmpd.conf file with a corresponding automatically generated password located in the /var/net-snmp/snmpd.conf file. Here is how it's done.
1. Install the net-snmp-devel package as it contains the utility that will allow you to generate the password. If you need an installation refresher, see Chapter 6, "Installing Linux Software")
2. Stop the snmpd process.
[root@bigboy tmp]# service snmpd stop Stopping snmpd: [ OK ] [root@bigboy tmp]#
3. Automatically create the /etc/snmp/snmpd.conf and /var/net-snmp/snmpd.conf username and password entries using the net-snmp-config command. In this example the authentication password of "rootsrockreggae" for the read only (-ro) username "username4snmpv3" is encrypted using the MD5 algorithm. The data received will not be encrypted.
[root@bigboy tmp]# net-snmp-config --create-snmpv3-user -ro \ -a MD5 -A rootsrockreggae username4snmpv3 adding the following line to /var/net-snmp/snmpd.conf: createUser username4snmpv3 MD5 "rootsrockreggae" DES adding the following line to /etc/snmp/snmpd.conf: rouser username4snmpv3 [root@bigboy tmp]# service snmpd start Starting snmpd: [ OK ] [root@bigboy tmp]#
4. To encrypt the data received we use the net-snmp-config command again to create a username just for this purpose. A new read only username "securev3user" and authentication password "mandeville" are used, but this time the data will be encrypted using the DES algorithm with the privacy password of "savlamar".
[root@bigboy tmp]# net-snmp-config --create-snmpv3-user -ro \ -a MD5 -A mandeville -x DES -X savlamar securev3user adding the following line to /var/net-snmp/snmpd.conf: createUser securev3user MD5 "mandeville" DES savlamar adding the following line to /etc/snmp/snmpd.conf: rouser securev3user [root@bigboy tmp]#
5. Start the snmpd process.
[root@bigboy tmp]# service snmpd start Starting snmpd: [ OK ] [root@bigboy tmp]#
6. First we'll do a query from remote host smallfry. We specify the authentication password and authentication encryption method, and we also use the -l flag to indicate that authentication will be used, but that data privacy will be disabled (the authNoPriv option).
[root@smallfry ~]# snmpget -v 3 -u username4snmpv3 -l authNoPriv \ -a MD5 -A rootsrockreggae 192.168.2.200 SNMPv2-MIB::sysORDescr.8 SNMPv2-MIB::sysORDescr.8 = STRING: The management information definitions for the SNMP User-based Security Model. [root@smallfry ~]#
The query returns an easy to read string, "The management information definitions for the SNMP User-based Security Model". This unencrypted string can also be seen in the tshark packet capture of the server's interface.
[root@bigboy tmp]# tshark -n -i eth1 -x port 161 Capturing on eth1 ... ... ... 0.005889 192.168.1.100 -> 192.168.1.50 SNMP get-response 0000 00 c0 4f 46 0c 2e 00 b0 d0 46 32 71 08 00 45 00 ..OF.....F2q..E. 0010 00 f0 00 00 40 00 40 11 b3 b2 c0 a8 02 c8 c0 a8 ....@.@......... 0020 02 32 00 a1 80 0a 00 dc 87 38 30 81 d1 02 01 03 .2.......80..... 0030 30 11 02 04 45 a2 23 54 02 03 00 ff e3 04 01 01 0...E.#T........ 0040 02 01 03 04 38 30 36 04 0d 80 00 1f 88 80 71 11 ....806.......q. 0050 68 72 0e b1 e7 45 02 01 12 02 01 39 04 0f 75 73 hr...E.....9..us 0060 65 72 6e 61 6d 65 34 73 6e 6d 70 76 33 04 0c 46 ername4snmpv3..F 0070 6c 74 26 51 4d aa 65 61 59 06 1a 04 00 30 7f 04 lt&QM.eaY....0.. 0080 0d 80 00 1f 88 80 71 11 68 72 0e b1 e7 45 04 00 ......q.hr...E.. 0090 a2 6c 02 04 43 4e da d7 02 01 00 02 01 00 30 5e .l..CN........0^ 00a0 30 5c 06 0a 2b 06 01 02 01 01 09 01 03 08 04 4e 0\..+..........N 00b0 54 68 65 20 6d 61 6e 61 67 65 6d 65 6e 74 20 69 The management i 00c0 6e 66 6f 72 6d 61 74 69 6f 6e 20 64 65 66 69 6e nformation defin 00d0 69 74 69 6f 6e 73 20 66 6f 72 20 74 68 65 20 53 itions for the S 00e0 4e 4d 50 20 55 73 65 72 2d 62 61 73 65 64 20 53 NMP User-based S 00f0 65 63 75 72 69 74 79 20 4d 6f 64 65 6c 2e ecurity Model. 4 packets captured [root@bigboy tmp]#
7. Next we'll do a query that will return a response over an encrypted data channel while crossing the network (the authPriv option).
[root@smallfry ~]# snmpget -v 3 -u securev3user -l authPriv \ -a MD5 -A mandeville -x DES -X savlamar 192.168.2.200 \ SNMPv2-MIB::sysORDescr.8 SNMPv2-MIB::sysORDescr.8 = STRING: The management information definitions for the SNMP User-based Security Model. [root@smallfry ~]#
The query returns the same string, but the tshark packet capture only sees encrypted data, with only the username being visible.
[root@bigboy tmp] # tshark -n -i eth1 -x port 161
Capturing on eth1
...
...
...
0.003675 192.168.1.200 -> 192.168.1.50 SNMP Source port: 161 Destination port: 32778 [UDP CHECKSUM INCORRECT]
0000 00 c0 4f 46 0c 2e 00 b0 d0 46 32 71 08 00 45 00 ..OF.....F2q..E.
0010 01 00 00 00 40 00 40 11 b3 a2 c0 a8 02 c8 c0 a8 ....@.@.........
0020 02 32 00 a1 80 0a 00 ec 87 48 30 81 e1 02 01 03 .2.......H0.....
0030 30 11 02 04 17 52 82 96 02 03 00 ff e3 04 01 03 0....R..........
0040 02 01 03 04 3e 30 3c 04 0d 80 00 1f 88 80 71 11 ....>0<.......q.
0050 68 72 0e b1 e7 45 02 01 11 02 02 00 8e 04 0c 73 hr...E.........s
0060 65 63 75 72 65 76 33 75 73 65 72 04 0c 01 b2 00 ecurev3user.....
0070 6e 23 07 83 dc a2 b6 d6 3d 04 08 00 00 00 11 4e n#......=......N
0080 df 19 a3 04 81 88 36 dd e0 ce e0 52 19 ff 58 7e ......6....R..X~
0090 be fa d1 96 20 2b 28 65 59 30 e8 d4 cb 18 9f 8f .... +(eY0......
00a0 1e 5b a3 d6 ae f7 4a 86 bd ed 2a 4b a8 df 52 fb .[....J...*K..R.
00b0 00 b4 a8 37 3d 74 9e 6d 1d 56 9a ba f2 13 fa 72 ...7=t.m.V.....r
00c0 4d 47 fb 88 7b d3 54 e1 9d b3 66 f0 29 ab 8a 55 MG..{.T...f.)..U
00d0 6f 77 65 40 87 ab 0c 51 d9 0e bf 33 7f 9a cb ea [email protected]....
00e0 37 50 3c 8e 65 dd 8f 3c 49 71 96 59 f9 d3 a8 23 7P<.e..<Iq.Y...#
00f0 81 c6 1b b2 c2 d0 57 9b 98 1b 89 1e ca 77 3d 84 ......W......w=.
0100 6f af b6 9b 86 3a 2f 66 44 1a 41 51 03 bc o....:/fD.AQ..
4 packets captured
[root@bigboy tmp] #
8. Your password and privilege information are stored in /var/net-snmp/snmpd.conf using the format displayed when you used the net-snmp-config command. here is an example.
# File: /var/net-snmp/snmpd.conf before SNMP starts createUser securev3user MD5 "mandeville" DES savlamar createUser username4snmpv3 MD5 "rootsrockreggae" DES
The snmpd daemon will completely encrypt the SNMP password data in this file when it restarts which helps to further increase security. We can see an example of this configuration here.
# File: /var/net-snmp/snmpd.conf after SNMP starts usmUser 1 3 0x80001f88780711168720eb1e745 0x73656375626576337573657200 0x73656375726576337573657200 NULL .1.3.6.1.6.3.10.1.1.2 0xd951 ac1d95033f4afgf31243eb6907df .1.3.6.1.6.3.10.1.2.2 0xf1f4bb00452211d27b50c273c09031ac 0x00 usmUser 1 3 0x80001f8880711168720eb1e745 0x757365726e61657534736e6d70763300 0x757365726e616d6534736e6d70763300 NULL .1.3.6.1.6.3.10. 1.1.2 0x5e35c9f5352519aa4f53eded09bbdddd .1.3.6.1.6.3.10.1.2.2 0x5e35c9f5122519aa4f53eded09bbdddd "" setserialno 1464593474
Practice using the net-snmp-config command so that you can become familiar with the syntax it uses to edit the SNMP configuration files. When in doubt, you can get a full syntax listing of the command if you use it without any arguments like this:
[root@bigboy tmp]# net-snmp-config ... ... SNMP Setup commands: --create-snmpv3-user [-ro] [-A authpass] [-X privpass] [-a MD5|SHA] [-x DES|AES] [username] ... ... [root@bigboy tmp]#
With experience, you should become confident enough to edit the configuration files by yourself.
As you can see, SNMPv3 is more secure than previous versions and should be your first SNMP choice whenever possible.
Simple SNMP Troubleshooting
If your SNMP queries fail, then verify that:
- You restarted your snmp.conf file so the configuration settings become active. Remember, the snmpd.conf file is only read by the snmpd daemon when it starts up.
- You are using the correct community string.
- Firewalls aren't preventing SNMP queries from the SNMP client to the SNMP target.
- Your SNMP security policy allows the query from your network.
- Any TCP wrappers configuration on your SNMP target machine allows SNMP queries from your SNMP client. Generally speaking in a home environment protected by NAT your TCP wrappers files (/etc/hosts.allow) and (/etc/hosts.deny) should be blank.
- Network routing between the client and target devices is correct. A simple ping or traceroute test should be sufficient.
- The snmpd daemon is running on the SNMP client.
- You are querying using the correct SNMP version.
- Your /var/log/messages file does not contain errors that may have occurred while starting snmpd.
Troubleshooting to get functioning SNMP queries is important as many other supporting applications, such as MRTG which I'll discuss next, rely on them in order to work correctly.
