Hey everyone,
It's been too long! Last time I was here was back in 2009 when I completed my Zabbix disaster recovery project and it was complete. Now I'm back with some new challenges. I'm rebuilding my production environment and am making it more secure now. Here is my question: is there any way to do a file size, checksum, or change comparison on ESXi? Since there is no service console, the Zabbix agent can't be installed and therefore cannot do the file integrity monitoring through the agent.
So I was working on some solutions and please tell me what you think or if there is an easier way to do this:
Option 1: On the Windows Syslog server (which has the Zabbix agent on it) - create a script that ssh's into the ESXi host and pulls down the byte count, line count and date modified of all files needing to be monitored into a text file. Run this script again on a schedule and create a secondary file. Have Zabbix run a compare on the two files that are local on the Windows Syslog server using the vfs.file.md5sum[file] compare expression. This will tell me if the configs have been modified. The only problem here is that the ESXi host will not trigger the alert; the Windows Syslog server will have to trigger this alert.
Can this scenario work or be easier by using the Zabbix server via either an external check or ssh check? I'm having trouble trying to figure out the logic behind it (I'm rusty with my Zabbix as I haven't programmed or used it in about two years) and I want to do it the best and simplest way. I was thinking of using an external check by launching a script that will dump the date modified, line counts, etc. into a temp directory or folder local to the Zabbix server; however, I'm not sure if it would be any different than option 1. Can the ssh check work the same? I guess I still need to have two temp files that need to be compared; it's just a matter of where those files are located and how Zabbix compares them. Is there any way that I can get this to trigger under the ESXi host itself? Any help would be greatly appreciated!! Thanks again!!
-Robert
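
The two-file comparison described in Option 1, as an added example that is not part of the original post: it diffs a baseline manifest against a current one and reports which monitored files were added, removed or modified, rather than only that the two files differ. The tab-separated manifest layout, the function names and the sample paths are assumptions; collecting the manifest over SSH is left out.

```python
# Added example: compare two file-metadata manifests (baseline vs. current).
# Assumed manifest line format (not from the post):
#   <path>\t<byte count>\t<line count>\t<date modified>
from typing import Dict, List, Tuple

Meta = Tuple[int, int, str]  # (byte count, line count, date modified)


def parse_manifest(text: str) -> Dict[str, Meta]:
    """Parse manifest text into {path: (bytes, lines, mtime)}; skip blank lines."""
    entries: Dict[str, Meta] = {}
    for lineno, raw in enumerate(text.splitlines(), 1):
        if not raw.strip():
            continue
        fields = raw.split("\t")
        if len(fields) != 4:
            # A truncated or garbled pull must not pass as "no change".
            raise ValueError(f"malformed manifest line {lineno}: {raw!r}")
        path, size, lines, mtime = fields
        entries[path] = (int(size), int(lines), mtime)
    return entries


def diff_manifests(baseline: Dict[str, Meta], current: Dict[str, Meta]) -> List[str]:
    """Return one finding per monitored file that was added, removed or modified."""
    findings = []
    for path in sorted(baseline.keys() | current.keys()):
        if path not in current:
            findings.append(f"REMOVED {path}")
        elif path not in baseline:
            findings.append(f"ADDED {path}")
        elif baseline[path] != current[path]:
            findings.append(f"MODIFIED {path}")
    return findings


# Constructed sample data with hypothetical paths, not taken from a real host.
BASELINE = (
    "/etc/example/a.conf\t1024\t40\t2011-03-01 10:00\n"
    "/etc/example/b.conf\t2048\t96\t2011-03-01 10:00\n"
    "/etc/example/c.conf\t300\t8\t2011-03-01 10:00\n"
)
CURRENT = (
    "/etc/example/a.conf\t1031\t41\t2011-03-09 02:13\n"
    "/etc/example/b.conf\t2048\t96\t2011-03-01 10:00\n"
    "/etc/example/d.conf\t120\t5\t2011-03-09 02:14\n"
)

if __name__ == "__main__":
    for finding in diff_manifests(parse_manifest(BASELINE), parse_manifest(CURRENT)):
        print(finding)
```

Printing the number of findings on stdout instead would give a numeric value that a trigger can test for being nonzero.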