I have developed the following system for checking the ARP entries of my major ingress and egress devices located on a network. The check is simple yet effective in detecting any funny business with ARP "man in the middle" techniques.
The one requirement, though, is that the machine performing the ARP check must be on the same segment as the IP whose ARP entry is being checked. I have a Linux firewall that has VLAN interfaces on all VLAN networks, so it was an ideal location to perform the checks.
zabbix_agentd.conf
# Ping first so the entry is in the table, then print the MAC for exactly this IP
# (grep on "($1)" so that 10.0.0.1 does not also match 10.0.0.10; $$ is how Zabbix escapes a literal $)
UserParameter=arpcheck[*],ping -c 1 $1 > /dev/null; arp -an | grep "($1)" | awk '{print $$4}'
*Note: The ping is done first to make sure the ARP entry exists in the table before it is printed and awk'd.
I have not developed a trigger yet, but it will be pretty much a test to see if the value has changed and alert. Once I have had the time to do so, I will post that also.
Code:
<item type="0" key="arpcheck[ip]" value_type="1">
  <description>ARPCHECK - xxx.xxx.xxx.xxx</description>
  <delay>600</delay>
  <history>3</history>
  <trends>365</trends>
  <status>0</status>
  <units></units>
  <multiplier>0</multiplier>
  <delta>0</delta>
  <formula>1</formula>
  <lastlogsize>0</lastlogsize>
  <logtimefmt></logtimefmt>
  <delay_flex></delay_flex>
  <applications>
    <application>Network Checks</application>
  </applications>
</item>
Attached is a screenshot of the data collected by Zabbix.
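As an added example (not part of the original post), here is a standalone shell version of the same check. It parses `arp -an` output with an exact match on the bracketed IP, so a query for 10.0.0.1 cannot be satisfied by the entry for 10.0.0.10, and then compares the MAC against a known-good baseline the way the planned "value changed" trigger would, treating a missing or `<incomplete>` entry separately from a real change. The ARP table in `ARP_OUTPUT` is constructed sample output in Linux `arp -an` format; in production you would set it from the real `arp -an` after the ping. When wiring this into a UserParameter, keep `UnsafeUserParameters=0` (the agent default) so the `$1` the agent substitutes cannot carry shell metacharacters.

```shell
#!/bin/sh
# Added example, not the original poster's code.
# Constructed sample `arp -an` output (Linux format): one normal entry,
# a second entry whose IP is a prefix-collision for the first, and an
# incomplete entry (no reply to the ping).
ARP_OUTPUT='? (10.0.0.1) at 00:11:22:33:44:55 [ether] on eth0
? (10.0.0.10) at 66:77:88:99:aa:bb [ether] on eth0
? (10.0.0.20) at <incomplete> on eth0'

# Print the MAC (4th field) for exactly one IP. The match is on the whole
# second field "(ip)", parentheses included, so 10.0.0.1 never matches
# 10.0.0.10 or 10.0.0.100 the way a bare `grep 10.0.0.1` would.
mac_for_ip() {
    ip="$1"
    printf '%s\n' "$ARP_OUTPUT" | awk -v want="($ip)" '$2 == want { print $4 }'
}

# Compare the current MAC with the expected (baseline) MAC.
# Exit status: 0 unchanged, 1 changed (possible ARP spoofing / MITM),
# 2 no usable entry (host down or not on this segment), which should
# be alerted on differently from a MAC change.
check_mac() {
    ip="$1"
    expected="$2"
    current=$(mac_for_ip "$ip")
    case "$current" in
        "")             echo "NOENTRY $ip"; return 2 ;;
        "<incomplete>") echo "INCOMPLETE $ip"; return 2 ;;
        "$expected")    echo "OK $ip $current"; return 0 ;;
        *)              echo "CHANGED $ip expected=$expected now=$current"; return 1 ;;
    esac
}
```

In the real check, replace the constructed `ARP_OUTPUT` with `ARP_OUTPUT=$(ping -c 1 "$ip" > /dev/null; arp -an)` and store the baseline MACs in a file the firewall can read; only a CHANGED result is evidence of tampering, while NOENTRY/INCOMPLETE usually means the host or segment is down.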