Slashdot Mirror
Ask Slashdot: Remote Server Support and Monitoring Solution?
New submitter Crizzam writes I have about 500 clients which have my servers installed in their data centers as a hosted solution for time & attendance (employee attendance / vacation / etc). I want to actively monitor all the client servers from my desktop, so know when a server failure has occurred. I am thinking I need to trap SNMP data and collect it in a dashboard. I'd also like to have each client connect to my server via HTTP tunnel using something like OpenVPN. In this way I maintain a site-site tunnel open so if I need to access my server remotely, I can. Any suggestions as to the technology stack I should put together to pull off this task? I was looking at Zabbix / Nagios for SNMP monitoring and OpenVPN for the other part. What else should I include? How does one put together a good remote monitoring / access solution that clients can live with and will still allow me to offer great proactive service to my servers located on-site?
Set up a script to initiate a reverse-SSH tunnel from the remote device back to a monitoring server, set up no-login on the tunnel but distribute keys for the monitoring user on the remote devices.
You should be able to passwordless login from the monitoring box over a completely secure link that doesn't require port-forwarding at the remote site.
Will you do my job if I tell you the answer? You've already gotten your start. What more do you need?
Check out www.newrelic.com - even their free service tier offers great features and it's easy to deploy on all servers
Would this centralized server be your universal remote server?
For Server active status (eg: am i dead?)
Inside a while loop or sleep() if you cant be bothered.
for(int i=0;iMAX_SERVERS;i++)
{
IcmpSendEcho(..........);
}
For everything else monitoring related. Employ someone to make a custom monitoring application ,or, Google "server monitoring software".
I agree that this creates the potential for a hug security that has the potential to compromise the privacy of all of the employees at 500 companies. The consequence of this breach might be worse there is a connection between his servers and a payroll system or any point of sale system. I also wonder his clients are willing to open up the ports required to support remote access to their data centers.
I do something similiar. I use openvpn and x11vnc. I have a cron on each client that runs a
small perl script that grabs the output of several programs like top, uptime, and sensors
and then saves the results in an easy to parse file that my server periodically grabs so that
I have stuff like cpu temperature, cpu usage, memory usage, etc...
I also grab a screenshot of x11vnc using vnccapture.
I also have a way to remotely activate reverse ssh if for some reason openvpn fails.
My only problem with openvpn is key management. Creating and distributing unique keys
to each client is kindof a pain.
Nagios is Open Source.. GPL V2 specifically..
The problem with slashdot is that most of its users were bullied and stuffed into lockers as kids!
Make damn sure your clients are aware of exactly what you're doing. They probably don't care about the specifics (e.g. openvpn, reverse ssh); but they need to know you can remotely access the boxes.
It's probably a good idea to have some sort of document to give them that does spell out all the specifics - something they need to acknowledge/sign, with both of you keeping copies.
#DeleteChrome
not really. snmp is an afterthought for them and its clumsy as hell to add snmp to it. I tried and gave up. instead, I picked hobbit (uhm, the new name is 'xymon').
xymon has its quirks but it was not hard to modify to add more snmp features to and its coding was not too bad to get thru. its not written in a lot of 'strange' languages, and that's a plus, to me, too.
personally, I usually just write snmp code fresh, from scratch, using net-snmp mgr tools. its not hard and you get just what you want and you are not muddled down in lots of 'infrastructure' that someone else thought was good but useless to you (like zabbix).
--
"It is now safe to switch off your computer."
You'll need a means of knowing that 10.20.20.x is client x and 10.20.20.y is client y. Of course OpenVPN allows you to do this but maintaining that table by hand could be a bit of a pain.
You mean like the common name of the ssl certificate used to connect in the first place? Combine this with a client-connect script to update dns and/or the ifconfig-pool-persist option and you've got a great solution.
.sig: No such file or directory
Managing the OpenVPN connections is not that bad. You give each client its own key and certificate and you use OpenVPN's ccd/ directory to assign VPN IP addresses.
We use the following tools to monitor our servers, but we're only monitoring about 30, not 500:
I'm not sure how well this would scale to 500 boxes, though Xymon claims to be able to monitor "lots of systems".
NAV has very similar functionality to prtg, but is completely open source.
Or, do the right thing and hire a network admin so someone with a clue is involved.
If you have to ask this question on slashdot, you need to change the question to something appropriate. Based on exactly what was posted, he doesn't have any idea what his requirements are. He knows the conceptual goals, but not the actual goals or requirements. Unless he is trying to change careers from whatever he is to a full time network infrastructure person he is going to be wasting a lot of time getting a clue. That means time he won't be spending doing whatever his actual job is.
He needs someone who can look at his actual setup, figure what what actually needs monitored, and knows the appropriate ways to do it.
Short of multiple Bennett hasleton length posts, and many discussions in depth, no answer coming from slashdot or all of them combined is going to be useful.
Everyone here posting solutions has their own, certainly incorrect idea of what he wants but no one actually knows. No one so far has even started by asking the right questions. It's the blind leading the blind at best.
Persistent Volume manager for Kubernetes - https://github.com/dwimsey/openshift-pvmanager
Problem solved. Next topic please.
http://www.gfimax.com/
Life is not for the lazy.
Just because you're unfamiliar with networking administration doesn't mean this needs to blown up into "hire a network guy". That's just ignorance and
As someone who's been a network admin for a few years, I'm fairly confident in my statements. Do you do even minor surgery on yourself if you're not a surgeon? If you come to slashdot to ask how to do something for your business, you already fucked up and the only valid responses you should be getting from slashdot are help on finding someone who can help you. If he asked 'how do I find someone, like a consultant for a short term project, like this' that would be one thing. He didn't, he came here expecting a solution which illustrates his complete lack of understanding of the problem, THAT IS WHY he needs to hire a network guy.
He is, by definition, ignorant, which is why he is asking for help ... clearly you are as well as your choice of words indicates. I suggest you learn what the word ignorant means before you brandish it about like an insult as you just end up insulting yourself through your own ignorance.
(I suspect) trying to make yourself sound important on an anonymous message board.
I have no need to make myself sound important, I certainly don't need your approval ... and if you bother to google for my nick, you'll find its not even a little difficult to link to a real name, address, and everything else. I'm not in the least bit anonymous. People have been able to recognize that nick and its association with me for 20+ years. On the other hand ... your post ... is from ... anonymous coward. Do you know the meaning of the word ironic?
As my granddaddy used to say, if you don't know what you're talking about, it's best to not open your mouth and prove it. So no need to apologize, just take the advice and consider it a lesson learned. Best of luck.
Your grand daddy said that too you a lot, didn't he? Did you ever wonder WHY he said it too you so much? Maybe he was trying to get some sort of point across to you ... Go look in the mirror and repeat those words until you get the point of them and who he was talking about. Hint: Its the guy in the mirror.
You're an absolutely shitty troll. You just suck at it. Nothing you've said did anything other than show how stupid YOU are, not me.
Persistent Volume manager for Kubernetes - https://github.com/dwimsey/openshift-pvmanager
There's no need to install Ansible on the remote systems, only on the machine running the playbooks. All Ansible activity is run over SSH and has no remote dependencies.
You sound like a Windows admin for a gov't entity.
You spend a lot of energy telling people they do it wrong without having any real insight or advice on how to do it correctly.
A blanket statement like this shows your cluelessness and shear ignorance.
What does his knowledge of a specific cutting tool have to do with anything?
Someone flopped a steamer in the gene pool.