The FreeBSD Diary
Providing practical examples since 1998If you buy from Amazon USA, please support us by using this link.
NetSaint - a network monitor 10 September 2001
NetSaint is a network monitor. You can use it to keep close tabs on your routers, printers, computers, and services. NetSaint can watch/monitor various services (SMTP, POP3, HTTP) to make sure they keep running. It can ping boxes to make sure they are still up. If a problem occurs, NetSaint can send out email, page people, and escalate problems if they persist. When the problem is fixed, NetSaint can also send out a recovery notification. And my personal favourite, you can view the current status through a webpage.
NetSaint uses a feature called plugins to perform the actual service checks. This is a very flexible approach
which allows new plugins to be created for specific situations as and when necessary. If also allows you to create
your own plugins if you so wish. In fact, there is a port for the plugins
It seems like everything I install is already available in the ports collection. That makes life simple. Here's what you do:
cd /usr/ports/net/netsaint make install
Don't forget to do a
The NetSaint port has a fair number of dependencies (including gd, bzip2, etc, about a dozen in total) so it may take some time to install everything. But that's the beauty of the ports system. It's just start and forget.
But don't forget it for too long. You will eventually be given a list of things to choose from:
NetSaint plugins configuration options Please select desired options: [ ] QStat Game server query support [X] FPing Support for non-flooding fast ping [X] NetSNMP SNMP support [ ] Radiusclient Radius support [X] MySQL MySQL support [X] PostgreSQL PostgreSQL support [ ] OpenLDAP OpenLDAP support [ OK ] Cancel
You can see the selections I choose. Only you can figure out what makes sense to you. If none of the above options make any sense, don't select them. If you're not running mysql or postgresql, then don't worry about those options.
I answered y to both of the following questions:
You need a group "netsaint". Would you like me to create it [y]? Done. You need a user "netsaint". Would you like me to create it [y]?
NetSaint will run as a specific user, which is a good thing from a security point of view. The use of a specific group is also a good security concept. Combining the use of a specific user and a specific group for NetSaint is a basic and commonly used security precaution. Everything, including your NetSaint configuration files should be treated on a 'need to know' basis.
The web interface
This section may seem out of place, but I think it's a good idea to get the web interface set up and at least partially functional before we go very far down the track. It also has the added benefit of giving you online access to the documentation....
You need to add the following to your apache configuration file (normally, this is /usr/local/etc/apache/httpd.conf). You should place these directives in the vhost section for the website you wish to use for NetSaint.
For a complete working example, see samples/netsaint.vhosts.txt.
Take note that the Alias does not contain a trailing /. On this point, I disagree with the NetSaint documentation where it specifies a trailing slash. I originally followed the documentation but encountered a "The page cannot be found" message when I did not specify a trailing slash in my browser. Removing the trailing slash from the Apache configuration file solved that problem.
To further restrict access to NetSaint, I also added the following to my Apache configuration file for the vhost in question:
<Directory "/usr/local/share/netsaint/sbin"> AllowOverride None AuthConfig Options FollowSymLinks ExecCGI Order allow,deny Allow from 192.168.0.99 </Directory>
The AuthConfig will be used later to authenticate people using NetSaint. The 'Allow from' directive will restrict access to the CGI directory to the specified IP address. You can specify multiple IP addresses or hostnames on that line, separated by commas.
If you are even more worried about access, try adding this entry:
<Directory "/usr/local/share/netsaint"> Order deny,allow Deny from all Allow from 192.168.0.99 </Directory>
This will prevent anyone from even getting to /netsaint/ unless they are at that IP.
You should then test your Apache changes:
# /usr/local/sbin/apachectl configtest
You should then HUP Apache to invoke your changes:
# /usr/local/sbin/apachectl graceful
You should then be able to browse to your NetSaint directory using http://www.example.org/netsaint/ (subsitute your own domain). But if you click on any of the CGI links, you may see an error something like this:
That's because NetSaint isn't running yet with host/service information. But we will deal with that problem after we complete the configuration.
Seen this error? 27 January 2003
If you encounter this error:
If so, then you haven't done what the next section tells you to do!
NetSaint configuration files are located at /usr/local/etc/netsaint. The main configuration files are:
After the first install, you need to copy the distributed files to the file names expected by NetSaint:
cp commands.cfg.dist commands.cfg cp netsaint.cfg.dist netsaint.cfg cp nscgi.cfg.dist nscgi.cfg cp resource.cfg.dist resource.cfg chown netsaint * chmod o-r *
WARNING: I just removed world-readability using the above step. I run Apache as www. So I used this to allow Apache to read the above (note: this tip may apply to other items as well, which I may have neglected to include; you'll soon find out....):
chgrp www *
I purposely have not taken the distributed hosts file (hosts.cfg.dist) as I'm going to provide a simple example later in the next section.
That chown ensures the files are owned by netsaint rather than root. And the chmod makes sure nobody but netsaint can read the files. Both of these steps may be considered overkill, but I think it's a good security measure. Keep things tidy.
The distributed hosts.cfg contains a very rich example. I suggest that you closely examine that file and use that as the basis for your actual configuration. But first, as a practical example, I suggest you use the following example and comment out the existing sections. This will get you going and allow you to see a small example with a minimum of fuss. Start small. Walk first. Then run.
The sample hosts file is provided via this link. I don't want to display it in this article because some of the lines are very long. You will need to make modifications to this sample file. Be sure to get the IP address right. Fill in the name, probably your own name. That name will be used in the next section for authentication.
nscgi.cfg controls access to the CGI programs. It's pretty obvious that you don't want just anyone to see the system monitor information. The official information for this step is contained in your online documentation (available via the /netsaint/docs/cgiauth.html link) or at NetSaint. The short version of the story is we use .htaccess and a database in order to authenticate users via CGI. For more information about .htaccess files, try reading Protected Apache directories. In the meantime, I'll just press ahead with a simple setup.
The directory you want to protect is /usr/local/share/netsaint/sbin. You can protect it by placing a .htaccess file in that directory. In that file you would place the following:
AuthName "NetSaint Access" AuthType Basic AuthUserFile /usr/local/etc/netsaint/htpasswd.users require valid-user
You then create a password entry using the steps shown in Protected Apache directories. Be sure to use the same name as you used in the hosts.cfg file. You add this entry to /usr/local/etc/netsaint/htpasswd.users:
After doing those changes, Apache will prompt you for a user name and password when you broswe to one of the CGI directories (e.g. Status Overview).
The next step is to specify what commands are avialble to you. This is done via the nscgi.cfg. To get you started, just add the following. WARNING: This may be more than you want to allow. Read the documentation.
authorized_for_all_hosts=dan authorized_for_all_host_commands=dan authorized_for_all_services=dan authorized_for_system_information=dan authorized_for_system_commands=dan authorized_for_configuration_information=dan
Now it's time to start NetSaint and see what happens....
Starting NetSaint is easy:
Similarly, you can use the stop and restart options.
NetSaint process may not be running!
If you happen to see the message 'NetSaint process may not be running!' when you broswe to /netsaint, don't worry. First, verify that NetSaint is indeed running. You should see something like this:
If you see something like that, then you know that NetSatint is actually running. If you click on the link 'Click here for more info.' (right below 'NetSaint process may not be running!'), you'll find that you need to modify nscgi.cfg and supply a value for netsaint_check_command. That's pretty easy. All you need to do is uncomment the line on which that keyword is found and restart NetSaint.
OK, you should be running now
You should have NetSaint running now. There's no reason why it shouldn't be running. If you are having trouble, and it's because of something not covered in this article, please add your solution/problem to the article comments. In any case, please consider this. Thanks.
The steps in this section are optional. They may not be applicable to you. I strongly urge you to get everything else working, then consider these steps.
In this section, I'm going to restrict things. I'm not going to let just anyone read my NetSaint configuration files. I'm only going to let the netsaint user read them. Let's just say a little bit of paranoia is a good thing when it comes to security.
The first step is to chmod o-r the configuration files.
cd /usr/local/etc/netsaint chmod o-r *
But if you do just that, you'll find that Apache can't read htpasswd.users. This will manifest itself as authentation failures in your Apache logs:
The solution is to make htpasswd.users readable by Apache:
chgrp www htpasswd.users
But then you'll have trouble with the other configuration files as well. So I found it easiest to just do this:
chgrp www *
That will go some way to restricting access to your configuration files but still allow the web interface to function.
FreeBSD graphics for NetSaint
NOTE: The graphics rerferred to by in this section are now included in the FreeBSD port. The steps below are no longer necessary.
If you have a look at the web pages for NetSaint, you'll notice it's rather Linux-centric. Fair enough. It is designed for Linux (it says so right on their homepage. But RevDigger decided that some better graphics were in order. In the spirit of sharing, he's allowed me to distribute these graphics.
The graphics are available at:
These files should be place at /usr/local/share/netsaint/images There are only two simple changes you need to make. Remember to change both the URL and the graphic dimensions. I won't provide a diff. Merely a simple before-and-after. If the graphics don't look right, you probably messed up on the dimensions. The filee you want to change are located at /usr/local/share/netsaint/.
I think NetSaint has the ability to change configuration items from the webpage interface. If so, you may need to make the configuration files chmod +w with respect to your http process. In my case, I'm running Apache as www. So I made the NetSaint configuration files (/usr/local/etc/netsaint) a member of the www group and chmod g+r.
If you happen to see the following message:
It appears as though you do not have permission to view information for any of the hosts you requested...
Then I suspect your .htaccess user name and your NetSaint user names are not matching up. Or you didn't specify any permission for your user name in nscgi.cfg.
If you keep seeing messages like this on your screen:
Or these in
Then I know of a change which will fix the problem (if it hasn't already made it into NetSaint>.
Modify /usr/local/etc/rc.d/netsaint.sh to add a single line (
rm -f $NetsaintCmd unset -v HOME $NetsaintBin -d $NetsaintCfg
That should stop the messages.
I wish to thank the following people for reviewing this article.
It's always helpful to have people read what you've written before it is released upon the world.
Was that useful
If you found that article useful, then please consider supporting this website. At the moment, we're trying to raise funds to pay for the new year of colocation. Thank you.