IPTables Monitoring

  • johnnguyen
    Junior Member
    • May 2008
    • 18

    #1

    IPTables Monitoring

    Hi all,

    I have a problem with iptables status. I use Zabbix version 1.4.5 running on CentOS 5.

    To monitor iptables, I imported the template Template_iptstate (attached file) and added the following parameters to zabbix_agentd.conf:

    UserParameter=iptstate.tcp,iptstate -s | grep tcp | wc -l
    UserParameter=iptstate.tcp.syn,iptstate -s | grep SYN | wc -l
    UserParameter=iptstate.tcp.timewait,iptstate -s | grep TIME_WAIT | wc -l
    UserParameter=iptstate.tcp.established,iptstate -s | grep ESTABLISHED | wc -l
    UserParameter=iptstate.tcp.close,iptstate -s | grep CLOSE | wc -l
    UserParameter=iptstate.udp,iptstate -s | grep udp | wc -l
    UserParameter=iptstate.icmp,iptstate -s | grep icmp | wc -l
    UserParameter=iptstate.other,iptstate -s -t | head -2 |tail -1 | sed 's/^.*OTHER: //'

    I checked on the agent and the parameters give good results, but on the Zabbix server I can't get the iptstate data from the agent clients.

    Can you help me find what the problem is, and how to monitor iptables?

    Regards,
    John Nguyen
    Last edited by johnnguyen; 27-05-2008, 11:32. Reason: revise
  • knarfling
    Member
    • Sep 2006
    • 47

    #2
    Usually permissions

    There have been many times that I have seen items that appear to run perfectly when tested on the client but won't run on the server. There could be several reasons, but let me post the top 2.

    1. Permissions. Remember that this is being run as user zabbix, not the user you are logged in as. When I log in, my login usually has advanced permissions, and can run just about everything. The zabbix user may not have permission to run iptstate. You can check this by enabling login for user zabbix (if you have disabled it) and issuing su - zabbix and then try testing the client.

    2. Path. I have seen a few cases where the path to a specific program is not in the user's default path. Again, you can test this by logging in as user zabbix on the client and trying to run the test.

    Good Luck


    • johnnguyen
      Junior Member
      • May 2008
      • 18

      #3
      Thanks for your support.
      So, I must change iptstate from "root" to "zabbix" user?

      JohnNguyen?


      • tuantaro
        Junior Member
        • Sep 2012
        • 3

        #4
        Originally posted by johnnguyen
        Thanks for your support.
        So, I must change iptstate from "root" to "zabbix" user?

        JohnNguyen?
        * CentOS 5.5
        + Setting root permission
        zabbix ALL=(ALL) NOPASSWD:/usr/sbin/iptstate -s

        + zabbix_agentd.conf
        UserParameter=iptstate.tcp.close,sudo /usr/sbin/iptstate -s |grep CLOSE |wc -l
        UserParameter=iptstate.tcp.established,sudo /usr/sbin/iptstate -s |grep ESTABLISHED |wc -l
        UserParameter=iptstate.tcp.syn,sudo /usr/sbin/iptstate -s |grep SYN |wc -l
        UserParameter=iptstate.tcp.timewait,sudo /usr/sbin/iptstate -s |grep TIME_WAIT |wc -l
        #
        UserParameter=iptstate.total.tcp,sudo /usr/sbin/iptstate -s |grep tcp |wc -l
        UserParameter=iptstate.total.udp,sudo /usr/sbin/iptstate -s |grep udp |wc -l
        UserParameter=iptstate.total.icmp,sudo /usr/sbin/iptstate -s |grep icmp |wc -l
        UserParameter=iptstate.total.other,sudo /usr/sbin/iptstate -s -t | head -2 |tail -1 | sed 's/^.*OTHER: //'


        • killed
          Junior Member
          • Sep 2012
          • 14

          #5
          After appending this with the visudo command as the root user:
          Code:
          zabbix ALL=(ALL) NOPASSWD:/usr/sbin/iptstate -s
          Then switch to zabbix user:
          Code:
          su - zabbix
          And run it, but it does not show anything

          Code:
          [zabbix@dev ~]$ /usr/sbin/iptstate -s
          IP Tables State Top -- Sort by: SrcIP
          Source                Destination           Proto   State        TTL
          If I use sudo, user zabbix is still required to enter a password
          Code:
          [zabbix@dev ~]$ sudo /usr/sbin/iptstate -s
          [sudo] password for zabbix:
          zabbix is not in the sudoers file.  This incident will be reported.
          What happened to my system?

          In logs
          Code:
          type=USER_AUTH msg=audit(1349169582.180:6547): user pid=19317 uid=0 auid=0 msg='PAM: authentication acct="zabbix" : exe="/usr/bin/sudo" (hostname=?, addr=?, terminal=/dev/pts/8 res=success)'
          Last edited by killed; 02-10-2012, 11:36.


          • tuantaro
            Junior Member
            • Sep 2012
            • 3

            #6
            ============================
            $ /usr/sbin/iptstate -s
            IP Tables State Top -- Sort by: SrcIP
            Source Destination Proto State TTL
            ============================
            + set permission -> sudo /usr/sbin/iptstate
            + set no required password -> zabbix ALL=(ALL) NOPASSWD:/usr/sbin/iptstate
            + set no console (terminal=/dev/pts/8 res=success ??) ->
            Use visudo command, comment out this parameter
            # Defaults requiretty


            • killed
              Junior Member
              • Sep 2012
              • 14

              #7
              Originally posted by tuantaro
              ============================
              $ /usr/sbin/iptstate -s
              IP Tables State Top -- Sort by: SrcIP
              Source Destination Proto State TTL
              ============================
              + set permission -> sudo /usr/sbin/iptstate
              + set no required password -> zabbix ALL=(ALL) NOPASSWD:/usr/sbin/iptstate
              + set no console (terminal=/dev/pts/8 res=success ??) ->
              Use visudo command, comment out this parameter
              # Defaults requiretty
              Thank you very much, tuantaro.
              It works fine.

              ======
              Zabbix (2.0; older versions not tested) cannot run a sudo command directly, so it needs to be written into a script, for example:
              Code:
              UserParameter=tcp.iptstate.established,/home/zabbix/CustomZabbixScript/tcp.iptstate.established
              Content of /home/zabbix/CustomZabbixScript/tcp.iptstate.established (chmod 775 it):
              Code:
              #!/bin/bash
              est=`sudo /usr/sbin/iptstate -s | grep -c ESTABLISHED`
              echo $est
              ======

              Thank you very much, it is working well now.
              Last edited by killed; 03-10-2012, 05:20.
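
The wrapper-script and sudoers approach worked out in the posts above, as an added example that is not part of any participant's post: one script serves every item, checks the requested key against an allowlist, and matches on the Proto and State columns instead of grepping whole lines. The script path, the `iptstate.count` key, the sudoers drop-in file and the column layout (taken from the header shown in the thread) are assumptions.

```shell
#!/bin/bash
# Added example (not from the thread): one wrapper for all iptstate items.
# Assumed sudoers drop-in, edited with `visudo -f /etc/sudoers.d/zabbix`:
#   zabbix ALL=(root) NOPASSWD: /usr/sbin/iptstate -s
#   Defaults:zabbix !requiretty
# The rule pins the exact argument list, and requiretty is relaxed for the
# zabbix user only rather than commented out for every account.
# Assumed agent entry (hypothetical key and path):
#   UserParameter=iptstate.count[*],/usr/local/bin/iptstate_count.sh $1

# count_states KEY: read `iptstate -s` output on stdin, print the row count.
# Columns assumed from the header shown in the thread:
#   Source Destination Proto State TTL   (State is empty for udp/icmp)
count_states() {
    case "$1" in
        tcp|udp|icmp)
            awk -v k="$1" 'NR > 2 && $3 == k { n++ } END { print n + 0 }' ;;
        SYN|ESTABLISHED|TIME_WAIT|CLOSE)
            # Prefix match on the State column keeps the thread's grep
            # behaviour: SYN counts SYN_SENT/SYN_RECV, CLOSE counts CLOSE_WAIT.
            awk -v k="$1" 'NR > 2 && $3 == "tcp" && index($4, k) == 1 { n++ }
                           END { print n + 0 }' ;;
        *)
            # The key arrives from the Zabbix item; anything outside the
            # allowlist is refused before it reaches awk or the shell.
            echo "unsupported key: $1" >&2
            return 1 ;;
    esac
}

# Constructed sample of `iptstate -s` output for offline testing.
sample_output() {
    cat <<'EOF'
IP Tables State Top -- Sort by: SrcIP
Source                Destination           Proto   State        TTL
10.0.0.5:51234        10.0.0.1:22           tcp     ESTABLISHED  119:59:58
10.0.0.6:40022        10.0.0.1:80           tcp     TIME_WAIT      0:01:42
10.0.0.7:40100        10.0.0.1:80           tcp     SYN_RECV       0:00:58
10.0.0.8:53211        10.0.0.1:53           udp                    0:00:25
EOF
}

# Query the live table only when called with a key, as the agent does.
if [ "$#" -gt 0 ]; then
    # -n: fail instead of prompting if the sudoers rule is missing.
    sudo -n /usr/sbin/iptstate -s | count_states "$1"
fi
```

Running `sample_output | count_states tcp` exercises the parser without root or a live connection table.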


              • tuantaro
                Junior Member
                • Sep 2012
                • 3

                #8
                >Killed
                Oh, good job!
                I used v1.8.9, it's OK.
                I have trouble with version 2.0.

                Good luck!


                • neilb
                  Member
                  • Jan 2013
                  • 33

                  #9
                  iptstate v netstat

                  Hi,
                  What is the advantage of running iptstate -1 / -s and then doing a wc on the returned set versus netstat -s?

                  I ask because netstat -s already contains the totals since startup (so use a delta to show the difference) and as such is much quicker to run.
                  Speed is important on some servers which may have hundreds of connections - e.g. my varnish server will time out when running the above commands, but netstat -s is near instant as the OS has already tabulated the results.

                  The other advantage is that netstat -s doesn't need to run as sudo.

                  Example usage in zabbix conf for both:

                  UserParameter=iptstate.summary[*],iptstate -1 | grep -v $1 | wc -l
                  UserParameter=netstat.sum[*],(netstat -s | awk '/$1/ { print $$1 }')


                  I realise I may be missing something here, so am curious as to what.

                  thx
                  Neil
