Enterprise Service Cloud - Docs

Monitoring

Server Monitoring

Each Managed RHEL VM will be monitored by Swisscom. The monitoring agent (Prometheus Node Exporter) is installed and configured with Ansible. Prometheus is a popular open-source monitoring tool that collects metrics from targets by scraping HTTP endpoints. The agent collects Operating System metrics and notifies the Swisscom operation team in the event of an anomaly. You can set up your own self-managed Prometheus monitoring and collect the metrics from the preinstalled Prometheus Node Exporter available for Managed RHEL.

Prometheus Node Exporter for Managed RHEL

Your Managed RHEL VM comes with the Prometheus Node Exporter. The purpose of this service is to provide an endpoint for your self-managed Prometheus instance to scrape Operating System related metrics, including CPU, memory, disk, network, and other components. The Prometheus Node Exporter listens on http port 9100 by default.

The preconfigured Node Exporter comes with the following configuration:

  • Prometheus Node exporter process running as user prometheus
  • Systemd service node_exporter
  • Inbound rule on the host-based firewall for tcp/9100

To view all the exposed metrics, you can use the curl command on your Managed RHEL VM, as shown below.

curl localhost:9100/metrics

You can filter the output to look at just a subset of metrics, as shown below:

 curl localhost:9100/metrics | grep filesystem

Configure SNMP for Managed RHEL

If you want to monitor applications with SNMP, it's necessary to configure the SNMP daemon on these servers to respond to requests from the customer's monitoring system. Only SNMP version 3 in the "authenticated and privacy protected" mode is allowed for Managed RHEL, commonly abbreviated as authPriv. SNMP protocol version 1 and 2c are unencrypted and therefore not allowed for Managed RHEL. SNMPv3 has three separate options for security and privacy (called security level, or secLevel for short);

  • noAuthNoPriv (no authentication, no privacy)
  • authNoPriv (authentication but no privacy)
  • authPriv (authentication and privacy)

For Managed RHEL only the 'authPriv' option is allowed

SNMPv3 provides two different authentication mechanisms:

  • md5 - is for backward compatibility
  • sha1 - is a much stronger cryptographic algorithm that is also faster to compute, there's no reason to use md5

For Managed RHEL, only the 'sha1' option is allowed

SNMPv3 also provides two different encryption algorithms:

  • DES - has known security issues and provides weak encryption
  • AES - use whenever possible

For Managed RHEL, only the 'AES' option is allowed

If you want to use SNMP to monitor your Managed RHEL VM use the following procedure to configure the SNMP daemon

  1. Switch the VM to the Temp Admin state

  2. Install the software:

    sudo yum install -y net-snmp net-snmp-libs net-snmp-utils net-snmp-perl net-snmp-python

  3. Create a SNMP user:

    sudo echo 'createUser    custsnmp SHA authPass AES privPass' | sudo tee /var/lib/net-snmp/snmpd.conf     
sudo echo 'rouser        custsnmp priv .1' | sudo tee /etc/snmp/snmpd.conf

  4. Configure iptables (use the according nftables command for Managed RHEL 9):

    sudo echo "-A RH-Firewall-1-INPUT -m udp -p udp --dport 161 -j ACCEPT" | sudo tee -a /etc/sysconfig/iptables.custom

  5. Enable and start the SNMP sevice:

    sudo systemctl enable snmpd     
sudo systemctl start snmpd

  6. Verify the configuration:

    snmpwalk -v 3 -l authPriv -u custsnmp -a sha -A authPass -x AES -X privPass localhost .1.3.6.1.4.1.8072.1.3     
snmpwalk -v 3 -mALL -l authPriv -u custsnmp -a sha -A authPass -x AES -X privPass localhost system
Last Updated: