Tuesday, March 25, 2014

Twenty years in this field and never knew awk was so great...

I needed to find lines that look like this:

Mar 25 06:38:58 192.268.29.141 syslog_smtp: Info: New SMTP ICID 447042464 interface public (192.268.29.141) address 157.56.110.254 reverse dns host mail-bn1un0254.outbound.protection.outlook.com verified yes
Mar 25 06:38:58 192.268.29.141 syslog_smtp: Info: ICID 447042464 REJECT SG BLACKLIST match sbrs[-10.0:-3.0] SBRS -6.5
Basically I need to match anything that belongs to outbound.protection.outlook.com and grab the ICID number. Then continue to look through the log file to find another match of the ICID and BLACKLIST. If both are found, print both lines.


You can accomplish this with the following awk script:


# Remember the most recent outlook.com connection line and its ICID ($10).
/outbound\.protection\.outlook\.com/ {
  icid = $10
  lastline = $0
}
# A later BLACKLIST reject for the same ICID ($8). Compare exactly: a regex
# match against an unset icid would match every line, and a partial match is possible.
($8 == icid && $11 ~ /BLACKLIST/) {
  printf "First line: %s\n", lastline
  printf "Next line: %s\n", $0
  print ""
}

Running it yields:

jemurray@syslog:~$ cat /var/log/ironport.log.1 | awk -f ./blacklist.awk

First line: Mar 24 06:42:29 192.168.29.141 syslog_smtp: Info: New SMTP ICID 446816558 interface public (192.168.29.141) address 207.46.100.250 reverse dns host mail-by2hn0250.outbound.protection.outlook.com verified yes
Next line: Mar 24 06:42:29 192.168.29.141 syslog_smtp: Info: ICID 446816558 REJECT SG BLACKLIST match sbrs[-10.0:-3.0] SBRS -6.7
First line: Mar 24 06:42:29 192.168.29.10 syslog_smtp: Info: New SMTP ICID 462989143 interface public (192.168.29.10) address 207.46.100.250 reverse dns host mail-by2hn0250.outbound.protection.outlook.com verified yes
Next line: Mar 24 06:42:29 192.168.29.10 syslog_smtp: Info: ICID 462989143 REJECT SG BLACKLIST match sbrs[-10.0:-3.0] SBRS -6.7
First line: Mar 24 06:47:30 192.168.29.141 syslog_smtp: Info: New SMTP ICID 446817160 interface public (192.168.29.141) address 207.46.100.246 reverse dns host mail-by2hn0246.outbound.protection.outlook.com verified yes
Next line: Mar 24 06:47:30 192.168.29.141 syslog_smtp: Info: ICID 446817160 REJECT SG BLACKLIST match sbrs[-10.0:-3.0] SBRS -6.7
First line: Mar 24 06:47:31 192.168.29.10 syslog_smtp: Info: New SMTP ICID 462989826 interface public (192.168.29.10) address 207.46.100.247 reverse dns host mail-by2hn0247.outbound.protection.outlook.com verified yes
Next line: Mar 24 06:47:31 192.168.29.10 syslog_smtp: Info: ICID 462989826 REJECT SG BLACKLIST match sbrs[-10.0:-3.0] SBRS -6.5
First line: Mar 24 06:52:10 192.168.29.141 syslog_smtp: Info: New SMTP ICID 446817705 interface public (192.168.29.141) address 157.56.112.247 reverse dns host mail-am1hn0247.outbound.protection.outlook.com verified yes
Next line: Mar 24 06:52:10 192.168.29.141 syslog_smtp: Info: ICID 446817705 REJECT SG BLACKLIST match sbrs[-10.0:-3.0] SBRS -8.1
First line: Mar 24 06:52:10 192.168.29.10 syslog_smtp: Info: New SMTP ICID 462990429 interface public (192.168.29.10) address 157.56.112.247 reverse dns host mail-am1hn0247.outbound.protection.outlook.com verified yes
Next line: Mar 24 06:52:10 192.168.29.10 syslog_smtp: Info: ICID 462990429 REJECT SG BLACKLIST match sbrs[-10.0:-3.0] SBRS -8.1 


In the past I have always used a higher level language like Perl or Python to accomplish this.
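One caveat with a single lastline variable: when two connections arrive interleaved (as the two syslog hosts in the output above could), the second "New SMTP" line overwrites the first before its reject shows up. Below is an added example, not the post's script, that keys on the ICID with an awk associative array instead; the log lines are constructed for the demo and the function names (pair_blacklisted, count_pairs) are my own.

```shell
#!/bin/sh
# Added example: pair each outlook.com "New SMTP ICID" line with its later
# BLACKLIST reject by ICID, so interleaved connections still pair correctly.

# Constructed sample log: two interleaved connections, a reject for an ICID
# never seen from outlook.com (must not print), and a connection never rejected.
SAMPLE_LOG='Mar 24 06:42:29 192.168.29.141 syslog_smtp: Info: New SMTP ICID 446816558 interface public (192.168.29.141) address 207.46.100.250 reverse dns host mail-by2hn0250.outbound.protection.outlook.com verified yes
Mar 24 06:42:29 192.168.29.10 syslog_smtp: Info: New SMTP ICID 462989143 interface public (192.168.29.10) address 207.46.100.250 reverse dns host mail-by2hn0250.outbound.protection.outlook.com verified yes
Mar 24 06:42:29 192.168.29.141 syslog_smtp: Info: ICID 446816558 REJECT SG BLACKLIST match sbrs[-10.0:-3.0] SBRS -6.7
Mar 24 06:42:30 192.168.29.10 syslog_smtp: Info: ICID 999999999 REJECT SG BLACKLIST match sbrs[-10.0:-3.0] SBRS -9.0
Mar 24 06:42:30 192.168.29.10 syslog_smtp: Info: ICID 462989143 REJECT SG BLACKLIST match sbrs[-10.0:-3.0] SBRS -6.7
Mar 24 06:47:30 192.168.29.141 syslog_smtp: Info: New SMTP ICID 446817160 interface public (192.168.29.141) address 207.46.100.246 reverse dns host mail-by2hn0246.outbound.protection.outlook.com verified yes
Mar 24 06:47:30 192.168.29.141 syslog_smtp: Info: ICID 446817160 ACCEPT SG WHITELIST'

# pair_blacklisted: reads a log on stdin, prints "First line:"/"Next line:" pairs.
pair_blacklisted() {
  awk '
    # Connection line: "New SMTP ICID <n>" puts the ICID in $10. Store by ICID.
    $7 == "New" && $9 == "ICID" && /outbound\.protection\.outlook\.com/ {
      seen[$10] = $0
      next
    }
    # Reject line: "ICID <n> REJECT SG BLACKLIST" puts the ICID in $8.
    # Exact membership test, not a substring regex match.
    $7 == "ICID" && $9 == "REJECT" && $11 == "BLACKLIST" && ($8 in seen) {
      printf "First line: %s\nNext line: %s\n\n", seen[$8], $0
      delete seen[$8]
    }'
}

# count_pairs: number of matched pairs found in the sample log.
count_pairs() {
  printf '%s\n' "$SAMPLE_LOG" | pair_blacklisted | grep -c '^First line:'
}

printf '%s\n' "$SAMPLE_LOG" | pair_blacklisted
```

Against a real file, replace the sample with `pair_blacklisted < /var/log/ironport.log.1`.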

Tuesday, March 18, 2014

Compiling and installing (almost) all Nagios Core plugins on CentOS 6.x with EPEL.

Typically I try to use vendor-supplied packages when possible. In this case I need the features of Nagios 4.x. As of 2014/03 the only way to get this software was to compile Nagios Core and Nagios Plugins by hand. Before installing the plugins, make sure Nagios is installed by following the installation directions (outside the scope of this document).

The Nagios Plugins 2.0 package has numerous build dependencies. Many of these can be resolved by installing the EPEL repository and using yum to install them. The hardest part of this project was finding which packages resolve these dependencies.

Install the basic compiler tools:
sudo yum groupinstall "Development tools"

Install the EPEL repository:
sudo rpm -Uvh http://download.fedoraproject.org/pub/epel/6/i386/epel-release-6-8.noarch.rpm

Install the following extra packages.  There will be LOTS of dependencies that need to be satisfied. Installing the following should cover everything:
sudo yum install openssl-devel gnutls-devel fping qstat openldap-devel mysql-devel postgresql-devel libdbi-devel radiusclient-ng-devel perl-Net-SNMP libsmbclient-devel samba-client net-snmp-devel

Download the software:
wget http://nagios-plugins.org/download/nagios-plugins-2.0.tar.gz

Extract the archive and enter the dir:
tar xzf nagios-plugins-2.0.tar.gz
cd nagios-plugins-2.0

Run configure:
./configure --with-nagios-user=nagios --with-nagios-group=nagios

Watch the output of the ./configure command. Look for warnings about plugins that will not be built because a dependency is missing. You may see something like this:
...
configure: WARNING: Get smbclient from Samba.org to monitor SMB shares
...
configure: WARNING: Get fping from http://www.fping.com in order to make check_fping plugin
...
configure: WARNING: Tried /usr/bin/perl - install Net::SNMP perl module if you want to use the perl snmp plugins
... 
While I believe the above list of packages is comprehensive, I may have missed something. Based on the warnings, it is pretty easy to figure out which package needs to be installed. For example, the fping warning above could be solved by running:
yum search fping

Find the package and install it:
sudo yum install fping

Once configure completes, build and install the plugins:
sudo make install

That is it.  There should be about 72 plugins:
ls -1 /usr/local/nagios/libexec/ | wc -l
72 

I know the following plugins didn't get built. You have to go to external sources to satisfy their requirements, and I didn't feel like doing that:

  • flexlm license manager
  • Qmail qstat
