[ARCHIVE] Monitoring Security Analytics with Nagios
Issue
This article contains sample Nagios plugins that may be used to monitor Security Analytics. Many of these statistics are already available within the Health and Wellness System Stats feature of the product. When there is a need to display the information in a third-party Nagios-based monitoring tool, the scripts can be copied to the Security Analytics server and then run there through the check_by_ssh command. Note that the main purpose of the scripts is to gather information that can then be graphed: each one always exits 0 and emits Nagios performance data after the "|" separator.
Resolution
Script to Check Warehouse Streams Behind
This script will output how far each Warehouse Connector stream is behind. Install it on the machine hosting the Warehouse Connector service.
#!/bin/bash
#David Waugh RSA
#This script will display the current Warehouse Connector Stream Rate for all streams.
#Output is a Nagios plugin line: readable text, then "|" and the perfdata.
Perfdata=""
Output=""
#Get the stream names (tail skips the NwConsole login banner and header lines)
Streams=$(NwConsole -c login localhost:50020 admin netwitness -c cd warehouseconnector/streams -c ls |tail -n +9)
for mystream in $Streams
do
#Sum every "behind" stat reported under the stream's stats node
behind=$(NwConsole -c login localhost:50020 admin netwitness -c cd warehouseconnector/streams -c cd "$mystream" -c cd stats -c ls |grep -i behind | awk -F "= " '{print $2}' | awk '{s+=$1} END {print s}')
Output+="$mystream: $behind "
Perfdata+="$mystream=$behind "
done
#Quote the expansions so "|" and ";;" reach Nagios literally and no word splitting or globbing occurs
echo "$Output|$Perfdata;;"
exit 0
Sample Output:
Elastic3: 27951 LogStream3: 278805 PacketStream3: 12731 |Elastic3=27951 LogStream3=278805 PacketStream3=12731 ;;
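The scripts in this article always exit 0, so Nagios graphs the perfdata but never raises an alert. The following added example (not part of the original article or RSA's scripts) reads "stream value" pairs such as the ones the stream script collects, applies warning and critical thresholds, and returns the standard Nagios plugin exit code; the stream figures are constructed from the sample output above so the example runs without NwConsole.

```shell
#!/bin/bash
# Added example: threshold-aware Nagios check for "streams behind" figures.
# Nagios plugin return codes
OK=0; WARNING=1; CRITICAL=2; UNKNOWN=3

# check_streams_behind WARN CRIT  (reads "name value" lines on stdin)
# Prints the Nagios status line with perfdata and returns the plugin exit code.
check_streams_behind() {
    local warn="$1" crit="$2"
    local name behind status=$OK output="" perfdata="" label
    while read -r name behind; do
        [ -z "$name" ] && continue
        # A non-numeric stat (stream not reporting) is UNKNOWN, not silently 0
        case "$behind" in
            ''|*[!0-9]*) echo "UNKNOWN: $name reported '$behind'"; return $UNKNOWN ;;
        esac
        if [ "$behind" -ge "$crit" ]; then
            status=$CRITICAL
        elif [ "$behind" -ge "$warn" ] && [ "$status" -lt "$CRITICAL" ]; then
            status=$WARNING
        fi
        output="$output$name: $behind "
        # label=value;warn;crit lets Nagios draw the thresholds on the graph too
        perfdata="$perfdata$name=$behind;$warn;$crit "
    done
    case $status in
        0) label=OK ;;
        1) label=WARNING ;;
        *) label=CRITICAL ;;
    esac
    echo "$label - ${output% }|${perfdata% }"
    return $status
}

# Constructed sample input, using the figures from the article's sample output
SAMPLE_STREAMS="Elastic3 27951
LogStream3 278805
PacketStream3 12731"

# sample_status WARN CRIT: exit code the check would return for the sample data
sample_status() {
    printf '%s\n' "$SAMPLE_STREAMS" | check_streams_behind "$1" "$2" >/dev/null
}
```

Wire it into Nagios through check_by_ssh as with the other scripts, feeding it the "name: value" output of the stream script with the colon stripped.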
Script to Check Log Decoder EPS
This script will collect the current capture rate through a Log Decoder. Install it on a Log Decoder.
#!/bin/bash
#David Waugh (RSA)
#This script will display the current EPS of the logdecoder
#Plain assignment rather than eval: the value comes from the service output and should not be re-parsed by the shell
capture_rate=$(NwConsole -c login localhost:56002:ssl admin netwitness -c logdecoder/stats ls |grep "/decoder/stats/capture.packet.rate "| awk -F "= " '{print $2}')
#Nagios plugin output: readable text, then "|" and the perfdata
echo "capture rate: $capture_rate|capture_rate=$capture_rate;;"
exit 0
Sample Output:
capture rate: 110|capture_rate=110;;
Script To Check Log Collection Statistics
This script will display the current EPS for each log collection method and the total. Install it on a Log Collector.
#!/bin/bash
#Lee Kirkpatrick (RSA)
#This script will display the current EPS for all collection methods and a total
#Declare collection methods
declare -a cMethod=('syslog' 'windows' 'checkpoint' 'vmware' 'sdee' 'file' 'netflow' 'odbc' 'snmptrap')
#Get the current EPS for each of the above; a method that reports nothing counts as 0
#(declare is used instead of eval so the service output is never re-parsed as shell code)
for i in "${cMethod[@]}"
do
rate=$(NwConsole -c login localhost:56001:ssl admin netwitness -c logcollection/$i/stats/eventsources ls |grep total_events_rate | awk -F "= " '{print $2}')
declare "$i=${rate:-0}"
done
#Calculate total of all methods (snmptrap is queried but, as in the original, not reported or totalled)
total=$((sdee+syslog+windows+checkpoint+vmware+file+netflow+odbc))
#Pretty Print
#printf '%-15s %-10s\n' "Syslog: " "$syslog"
#printf '%-15s %-10s\n' "SDEE: " "$sdee"
#printf '%-15s %-10s\n' "Windows: " "$windows"
#printf '%-15s %-10s\n' "Checkpoint: " "$checkpoint"
#printf '%-15s %-10s\n' "VMWare: " "$vmware"
#printf '%-15s %-10s\n' "File: " "$file"
#printf '%-15s %-10s\n' "NetFlow: " "$netflow"
#printf '%-15s %-10s\n' "ODBC: " "$odbc"
#echo
#printf '%-15s %-10s\n' "Total: " "$total"
#Nagios plugin output: readable text, then "|" and the perfdata
echo "Syslog: $syslog SDEE: $sdee Windows: $windows Checkpoint: $checkpoint VMWare: $vmware File: $file Netflow: $netflow ODBC: $odbc Total: $total|Syslog=$syslog SDEE=$sdee Windows=$windows Checkpoint=$checkpoint VMWare=$vmware File=$file Netflow=$netflow ODBC=$odbc Total=$total;;"
exit 0
Sample Output:
Syslog: 3 SDEE: 0 Windows: 0 Checkpoint: 0 VMWare: 0 File: 0 Netflow: 0 ODBC: Total: 3|Syslog=3 SDEE=0 Windows=0 Checkpoint=0 VMWare=0 File=0 Netflow=0 ODBC=0 Total=3;;
Product Details
RSA Product Set: Security Analytics
RSA Version/Condition: 10.5.X
Platform: CentOS
O/S Version: 6
Summary
This article provides Nagios monitoring scripts and plugins that may be used on Security Analytics. Note that this information is provided on a courtesy basis only, with no expressed or implied warranties by RSA. RSA does not bundle Nagios with Security Analytics, nor is it licensed to distribute Nagios. Nagios is an open source project and part of the public domain. For more information on Nagios, visit the open source project's own site at https://www.nagios.org.