
NetWitness Community Blog

Monitoring Netwitness with Zabbix

DavidWaugh1 (Employee)
2017-03-17 08:52 AM

This post is completely unsupported by RSA Support, and indeed by RSA, but it might be interesting if you want to try it.

In NetWitness 10.x the weakness in the topology is that the SA Server is a single point of failure: it is the component that monitors every other component in your environment. If the monitoring on the SA Server itself has a problem, would you actually be aware of it?

I've posted in the past about monitoring your NetWitness infrastructure with Nagios, but what about Zabbix? It is a more modern monitoring system, and I gave it a go on my NetWitness environment. More information on Zabbix can be found at Zabbix :: The Enterprise-Class Open Source Network Monitoring Solution.

 

Monitoring involves installing the Zabbix agent on each server. This can be done by copying the CentOS 6 rpm into /var/netwitness/srv/www/rsa/updates/10.6.3 and then running the following, so that the appliances pick the package up from the existing update repository:

cd /var/netwitness/srv/www/rsa/updates/10.6.3
createrepo .

Check the package signature first (rpm -K on the rpm, after importing the Zabbix signing key), since every appliance trusts whatever sits in that repository.

Instructions for obtaining the Zabbix agent for CentOS 6 can be found at: How to Install Zabbix Agent on CentOS/RHEL 7/6/5

 

In the file /etc/puppet/modules/base/manifests/init.pp add the following lines:

package { 'zabbix-agent':
  ensure => installed,
}

# Keep the agent running and restart it whenever its configuration or key changes
service { 'zabbix-agent':
  ensure  => running,
  enable  => true,
  require => Package['zabbix-agent'],
}

# Configure Zabbix Agent for PreShared Key Encrypted Connections
file { 'zabbix_agentd.conf':
  path    => '/etc/zabbix/zabbix_agentd.conf',
  ensure  => present,
  owner   => 'root',
  group   => 'root',
  mode    => '0644',
  source  => 'puppet:///modules/base/zabbix_agentd.conf',
  require => Package['zabbix-agent'],
  notify  => Service['zabbix-agent'],
}

# The PSK is a secret: readable only by the zabbix user the agent runs as
file { 'zabbix_agentd.psk':
  path    => '/etc/zabbix/zabbix_agentd.psk',
  ensure  => present,
  owner   => 'zabbix',
  group   => 'zabbix',
  mode    => '0400',
  source  => 'puppet:///modules/base/zabbix_agentd.psk',
  require => Package['zabbix-agent'],
  notify  => Service['zabbix-agent'],
}

# Only the Zabbix server may reach the agent port
firewall { '1 Allow Zabbix Agent':
  port   => [10050],
  proto  => 'tcp',
  action => 'accept',
  source => '192.168.123.177',
}

This installs the agent and copies a standard agent configuration file together with the pre-shared key used to encrypt traffic between the Zabbix server and the agent. It also opens the firewall so that only the Zabbix server (192.168.123.177 in this case) can reach each Security Analytics appliance on TCP port 10050, the agent's listening port.

The following files should be copied to /etc/puppet/modules/base/files:

zabbix_agentd.conf
zabbix_agentd.psk

Because the same PSK is pushed to every appliance from the Puppet file server, treat that directory as sensitive. A unique PSK per host (one PSK entry per host on the Zabbix server side) means a compromised appliance cannot impersonate the others.
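The two files the module pushes out are attached to the post rather than shown. The following is an added example, not the post's own files, of producing them: a 256-bit PSK written with restrictive permissions, and a zabbix_agentd.conf that both connects with and accepts only PSK-encrypted connections, shown next to the unencrypted defaults it replaces, with the checks a deployment job can run before restarting the agent. The identity string nw-agent-psk-001 and the scratch directory are assumptions; the server address 192.168.123.177 is the one used in the post.

```shell
#!/bin/sh
# Added example, not from the original post: build the agent-side PSK and
# zabbix_agentd.conf that the Puppet module distributes, and sanity-check them.
# Assumptions: the identity string and the scratch directory; 192.168.123.177
# is the Zabbix server address used in the post.

ZBX_SERVER="${ZBX_SERVER:-192.168.123.177}"
PSK_IDENTITY="${PSK_IDENTITY:-nw-agent-psk-001}"   # assumed identity name

# A 256-bit key as 64 hex characters, the format zabbix_agentd expects in TLSPSKFile.
gen_psk() {
    od -An -tx1 -N32 /dev/urandom | tr -d ' \n'
    echo
}

# Write the key so that only its owner can read it. The agent drops to the
# zabbix user before it reads the key, so on a real host the file is chowned
# to that user; here that only happens when run as root with the user present.
write_psk_file() {
    psk_path="$1"
    ( umask 077; gen_psk > "$psk_path" )
    chmod 0400 "$psk_path"
    if [ "$(id -u)" = 0 ] && id zabbix >/dev/null 2>&1; then
        chown zabbix:zabbix "$psk_path"
    fi
}

# Weak setting: what an unmodified agent configuration amounts to. Anyone who
# can reach TCP/10050 can query the agent, and item values travel in the clear.
weak_agent_conf() {
    cat <<EOF
Server=$ZBX_SERVER
ServerActive=$ZBX_SERVER
Hostname=$(hostname)
TLSConnect=unencrypted
TLSAccept=unencrypted
EOF
}

# Corrected setting: both directions require PSK encryption with this identity.
hardened_agent_conf() {
    psk_path="$1"
    cat <<EOF
Server=$ZBX_SERVER
ServerActive=$ZBX_SERVER
Hostname=$(hostname)
TLSConnect=psk
TLSAccept=psk
TLSPSKIdentity=$PSK_IDENTITY
TLSPSKFile=$psk_path
EOF
}

# Checks a deployment job can run before restarting the agent.
check_psk_file() {
    psk_path="$1"
    [ -f "$psk_path" ] || { echo "missing $psk_path" >&2; return 1; }
    grep -Eqx '[0-9a-fA-F]{64}' "$psk_path" \
        || { echo "PSK is not 64 hex characters" >&2; return 1; }
    perm="$(stat -c %a "$psk_path" 2>/dev/null || stat -f %Lp "$psk_path")"
    [ "$perm" = "400" ] || { echo "PSK mode is $perm, expected 400" >&2; return 1; }
}

check_agent_conf() {
    conf="$1"
    grep -qx 'TLSConnect=psk' "$conf" && grep -qx 'TLSAccept=psk' "$conf" \
        && grep -q '^TLSPSKIdentity=.' "$conf" && grep -q '^TLSPSKFile=.' "$conf"
}

# Demonstration in a scratch directory; on an appliance the targets are
# /etc/zabbix/zabbix_agentd.psk and /etc/zabbix/zabbix_agentd.conf, and the
# same two files go into /etc/puppet/modules/base/files for Puppet to push.
demo_dir="$(mktemp -d)"
write_psk_file "$demo_dir/zabbix_agentd.psk"
hardened_agent_conf "$demo_dir/zabbix_agentd.psk" > "$demo_dir/zabbix_agentd.conf"
if check_psk_file "$demo_dir/zabbix_agentd.psk" && check_agent_conf "$demo_dir/zabbix_agentd.conf"; then
    echo "PSK configuration in $demo_dir passes checks"
fi
```

To confirm the agent really refuses cleartext once TLSAccept=psk is in place, run from the Zabbix server `zabbix_get -s <appliance> -k agent.ping` (should be refused) and then the same with `--tls-connect psk --tls-psk-identity nw-agent-psk-001 --tls-psk-file <server copy of the key>` (should return 1). The same identity and key must be entered for the host on the server side.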

The advantages of monitoring are:

  • Ability to make nice graphs
  • Ability to have a map of your infrastructure to see any problems easily.

[Image: AutoMap.png]

[Image: logdecoder.png]

[Image: networktraffic.png]

I've also attached a few Zabbix checks that run through the item type "SSH agent". Note that in this example I used the root account; best practice would be to create a dedicated, unprivileged Zabbix account on each system, which again could be done using Puppet.

[Image: ssh-check.png]
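The attached check scripts are not shown in the post. As an added example of what one of them can look like (this is not the author's check_ntp_offset_Zabbix.sh), here is an NTP offset check suitable for the "SSH agent" item type: it parses ntpq -pn, reports the offset of the system peer in seconds, and deliberately prints nothing and exits non-zero when there is no synchronised peer, so Zabbix marks the item unsupported instead of graphing a reassuring 0. The ntpq output embedded below is constructed for the demonstration.

```shell
#!/bin/sh
# Added example (not the post's attached script): NTP offset check for the
# Zabbix "SSH agent" item type. Prints the system peer's offset in seconds.

# Parse `ntpq -pn` output on stdin. Columns: remote refid st t when poll reach
# delay offset jitter; the offset is column 9, in milliseconds, and the peer
# the host is actually synchronised to is the line whose first column starts
# with '*'. No such line means no synchronisation: print nothing, exit 1.
parse_ntp_offset() {
    awk '
        $1 ~ /^\*/ { printf "%.6f\n", $9 / 1000; found = 1 }
        END { exit found ? 0 : 1 }
    '
}

# What Zabbix runs on the appliance (over SSH, via the forced-command wrapper).
check_ntp_offset() {
    command -v ntpq >/dev/null 2>&1 || { echo "ntpq not installed" >&2; return 1; }
    ntpq -pn | parse_ntp_offset
}

# Constructed ntpq -pn output for demonstration: a synchronised peer with a
# +1.362 ms offset, a candidate peer, and a peer that never responded.
SAMPLE_NTPQ='     remote           refid      st t when poll reach   delay   offset  jitter
==============================================================================
*192.168.123.1   .GPS.            1 u   45   64  377    0.412    1.362   0.118
+192.168.123.2   192.168.123.1    2 u   12   64  377    0.610   -0.845   0.201
 192.168.123.9   .INIT.          16 u    -   64    0    0.000    0.000   0.000'

# Stand-alone run: show the parser on the sample, then the live check if
# ntpq is present (the live check is what the Zabbix item would invoke).
printf '%s\n' "$SAMPLE_NTPQ" | parse_ntp_offset        # 0.001362
check_ntp_offset 2>/dev/null || echo "no synchronised peer (or no ntpq) on this host" >&2
```

The sign is kept so that a trigger can use abs() on the last value; an offset that is plausible but of the wrong sign is still worth seeing. With the wrapper from the author's comment below, the string the wrapper expects is what goes in the item's "executed script" field.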

1 Comment
DavidWaugh1 (Employee), 2017-03-20 12:39 PM

To make things even more secure you can limit the commands that the zabbixsshcheck user is able to run.

Have a wrapper script as follows:

more check_Zabbix.sh
#!/bin/sh
# Only the checks listed here may run; the request is compared as a whole
# string and never evaluated. Anything else is refused with a non-zero exit.
case "$1" in
./check_ntp_offset_Zabbix.sh)
./check_ntp_offset_Zabbix.sh
;;
./getEPS_logdecoder_Zabbix.sh)
./getEPS_logdecoder_Zabbix.sh
;;
./get_Warehouse_Zabbix.sh)
./get_Warehouse_Zabbix.sh
;;
*)
/bin/echo "Invalid choice '$1': please try again" >&2
exit 1
;;
esac
exit

Then in the authorized_keys file use

command="./check_Zabbix.sh $SSH_ORIGINAL_COMMAND",no-pty,no-port-forwarding,no-X11-forwarding,no-agent-forwarding ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDaiECAd7XNjrUAnSeCaKhhx/gdboX5fOmUG/rVjse92rQ53wzV/J+Vk9xOfb2l9q5jxPJ77mS0a4V82AFmI6cEho2T5RBijfpotFaBHeSGWLLvMiwwdIzE8/JOVNwkAyaQIsQE8Q488Xw1Asv9KFJjGcGmKpjy0Nw87Q1HwvdHxYjf1YB4svkZBfvNFGFmhlhze+WwlORGPnfgTMHGv3LaPW+48MQM0YFd6RvY2a2Tywe7HVK9IhJ/QdfC9p6qvoROPHUSZkCyac2ihOjH0/ynV5wDQG/ZLgD3WgtWNhf+74smdZKSKm9gl2rDWILRMvOSal1xt+KniXrJJHggUtKN zabbix@centos7.waugh.local

This means that the user can only run the check_Zabbix.sh command, which will only perform the particular actions we have defined.

For example, only the exact command specified is allowed.

[root@centos7 ~]# sudo -u zabbix ssh zabbixsshcheck@192.168.123.3 -C "./check_ntp_offset_Zabbix.sh1"
Invalid choice './check_ntp_offset_Zabbix.sh1': please try again
[root@centos7 ~]# sudo -u zabbix ssh zabbixsshcheck@192.168.123.3 -C "./check_ntp_offset_Zabbix.sh"
0.001362
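The wrapper in the comment above keys on the exact request string, which is the right idea. As an added example (not the author's check_Zabbix.sh), here is the same allow-list pattern written so that it reads SSH_ORIGINAL_COMMAND inside the script rather than expanding it on the authorized_keys line (so the login shell never word-splits or glob-expands the request), refuses anything outside [A-Za-z0-9_] before the allow-list is even consulted, exits non-zero on refusal, and comes with a probe that throws injection-style requests at it. The CHECK_DIR location, the dispatcher path quoted in the authorized_keys comment and the stand-in check scripts are assumptions; the check names follow the post.

```shell
#!/bin/sh
# Added example (not the author's check_Zabbix.sh): forced-command dispatcher
# for the zabbixsshcheck account plus a probe with hostile requests.
# Assumed layout: the real check scripts live in CHECK_DIR.

CHECK_DIR="${CHECK_DIR:-/usr/local/lib/zabbix-checks}"

# Allow-list: request string the Zabbix server sends -> absolute script path.
# Script names follow the post; anything not listed here is refused.
allowed_check() {
    case "$1" in
        check_ntp_offset)  echo "$CHECK_DIR/check_ntp_offset_Zabbix.sh" ;;
        getEPS_logdecoder) echo "$CHECK_DIR/getEPS_logdecoder_Zabbix.sh" ;;
        get_Warehouse)     echo "$CHECK_DIR/get_Warehouse_Zabbix.sh" ;;
        *)                 return 1 ;;
    esac
}

# Entry point. In authorized_keys (one line, options before the key; the
# dispatcher path is an assumption):
#   command="/usr/local/sbin/zabbix_dispatch.sh",no-pty,no-port-forwarding,no-X11-forwarding,no-agent-forwarding ssh-rsa AAAA... zabbix@server
# sshd then runs this script with the client's request in SSH_ORIGINAL_COMMAND;
# the request is compared whole and never evaluated by a shell.
dispatch() {
    req="$1"
    case "$req" in
        ""|*[!A-Za-z0-9_]*)
            logger -t zabbix_dispatch "refused request: $req" 2>/dev/null || :
            echo "refused" >&2
            return 2 ;;
    esac
    script="$(allowed_check "$req")" || { echo "refused" >&2; return 2; }
    "$script"
}

# Stand-ins for the post's check scripts so the dispatcher can be exercised
# without a NetWitness host (constructed; each just prints its own name).
setup_demo_checks() {
    CHECK_DIR="$(mktemp -d)"
    for n in check_ntp_offset_Zabbix getEPS_logdecoder_Zabbix get_Warehouse_Zabbix; do
        printf '#!/bin/sh\necho "%s ok"\n' "$n" > "$CHECK_DIR/$n.sh"
        chmod 0755 "$CHECK_DIR/$n.sh"
    done
}

# Run the dispatcher as sshd would and report only the decision.
probe() {
    if dispatch "$1" >/dev/null 2>&1; then echo allowed; else echo refused; fi
}

if [ -n "${SSH_ORIGINAL_COMMAND+set}" ]; then
    # Invoked by sshd as a forced command: dispatch and exit with the check's status.
    dispatch "$SSH_ORIGINAL_COMMAND"
    exit $?
fi

# Otherwise run the demo: one legitimate request and several hostile ones.
setup_demo_checks
for req in check_ntp_offset 'check_ntp_offset; id' 'check_ntp_offset1' \
           '../../bin/sh' '$(id)' ''; do
    printf '%-28s %s\n' "[$req]" "$(probe "$req")"
done
```

Run directly, the demo prints "allowed" only for check_ntp_offset and "refused" for the rest. The character gate matters more than the allow-list: it rejects path separators, shell metacharacters and an empty request before any comparison, and the refusal is logged so a Zabbix server that starts sending unexpected strings shows up in syslog.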

© 2022 RSA Security LLC or its affiliates. All rights reserved.