Monitoring

Server Monitoring

Each Managed OS VM will be monitored by Swisscom. The monitoring agent is installed and configured with Puppet. The monitoring agent monitors only OS parameters and notifies the Swisscom support organization in the event of an error. The customer can set up application monitoring with WMI for Managed Windows or Prometheus Node Exporter for Managed RHEL.

Configure WMI and Performance Monitor for Managed Windows

Windows Server 2012 and later do not support SNMPv3, and Microsoft officially states that SNMP is deprecated in Windows Server 2012 and later. Because SNMP v1 and v2 are not secure, they are not supported by Swisscom. The compliance check tests whether SNMP is disabled.

Instead, you should use the Common Information Model (CIM/WMI). In the Resource Domain you will find, for each VM, a Domain Local Group called DL_ESC-MOS-Win-Access_[ComputerName]_S_05 for OS, and DL_ESC-MOS-SQL-Access_[ComputerName]_S_05 for SQL. These groups let you grant a Service Account access for reading the CIM Namespace via WMI.

With this group it is also possible to read all Performance Monitors.

With the following PowerShell command you can get all disk information from the remote server:

Get-WmiObject win32_logicaldisk -Computername RemoteComputer

With this command you can list all performance counters from a remote computer:

Get-Counter -ListSet * -ComputerName RemoteComputer

Prometheus Node Exporter for Managed RHEL

The monitoring agent (Prometheus Node Exporter) is installed and configured with Puppet. Prometheus is a popular open-source monitoring tool that collects metrics from targets by scraping HTTP endpoints. The agent collects Operating System metrics and notifies the Swisscom operation team in the event of an anomaly. You can set up your own self-managed Prometheus monitoring and collect the metrics from the preinstalled Prometheus Node Exporter available for Managed RHEL.

The main functionality of this exporter is to provide an endpoint for your Prometheus instance to scrape OS-related metrics, such as:

  • CPU: CPU Load
  • Memory: RAM total, RAM Used, RAM Cache, RAM Free
  • Disk: Disk Space, IOPS, Mounts, I/O statistics
  • Network: Network traffic, TCP flow, Connections

The preconfigured Node Exporter comes with the following configuration:

  • Prometheus Node exporter running as user prometheus
  • Systemd service node_exporter
  • Inbound rule on host-based firewall for tcp/9100

To view all the metrics, you can use curl on your Managed RHEL VM, as shown below.

$ curl localhost:9100/metrics

You can filter the output to look at just a subset of metrics, as shown below:

$ curl localhost:9100/metrics | grep filesystem

Configure SNMP for Managed RHEL

If you want to monitor applications with SNMP, it's necessary to configure the SNMP daemon on these servers to respond to requests from the customer's monitoring system. Only SNMP version 3 in the "authenticated and privacy protected" mode, commonly abbreviated as authPriv, is allowed for Managed RHEL. SNMP protocol versions 1 and 2c are unencrypted and therefore not allowed for Managed RHEL. SNMPv3 has three separate options for security and privacy (called security level, or secLevel for short):

  • noAuthNoPriv (no authentication, no privacy)
  • authNoPriv (authentication but no privacy)
  • authPriv (authentication and privacy)

For Managed RHEL only the 'authPriv' option is allowed.

SNMPv3 provides two different authentication mechanisms:

  • md5 - is for backward compatibility
  • sha1 - is a much stronger cryptographic algorithm that is also faster to compute; there's no reason to use md5

For Managed RHEL only the 'sha1' option is allowed.

SNMPv3 also provides two different encryption algorithms:

  • DES - has known security issues and provides weak encryption
  • AES - use whenever possible

For Managed RHEL only the 'AES' option is allowed.

If you want to use SNMP to monitor your Managed RHEL VM, use the following procedure to configure the SNMP daemon.

Switch the VM to the Temp Admin state.

Install the software:

$ sudo yum install -y net-snmp net-snmp-libs net-snmp-utils net-snmp-perl net-snmp-python

Create an SNMP user:

$ echo 'createUser    custsnmp SHA authPass AES privPass' | sudo tee /var/lib/net-snmp/snmpd.conf
$ echo 'rouser        custsnmp priv .1' | sudo tee /etc/snmp/snmpd.conf

Configure iptables:

$ echo "-A RH-Firewall-1-INPUT -m udp -p udp --dport 161 -j ACCEPT" | sudo tee -a /etc/sysconfig/iptables.custom

Enable and start the SNMP service:

$ sudo systemctl enable snmpd
$ sudo systemctl start snmpd

Verify the configuration:

$ snmpwalk -v 3 -l authPriv -u custsnmp -a sha -A authPass -x AES -X privPass localhost .1.3.6.1.4.1.8072.1.3
$ snmpwalk -v 3 -mALL -l authPriv -u custsnmp -a sha -A authPass -x AES -X privPass localhost system
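
The policy above (no SNMP v1/2c, SHA authentication, AES privacy, authPriv access) can also be checked directly against the configuration files. The script below is an added example, not part of the Swisscom documentation: the function name audit_snmpd_conf and the sample files are constructed for illustration. It assumes the plain passphrase form of createUser shown in the procedure and accepts any SHA-family authentication type.

```shell
#!/usr/bin/env bash
# Added example: audit net-snmp config files against the policy above
# (no v1/v2c communities, SHA authentication, AES privacy, authPriv access).

# audit_snmpd_conf FILE...  prints one finding per line, returns 1 if any.
audit_snmpd_conf() {
  awk '
    function bad(msg) { printf "%s:%d: %s\n", FILENAME, FNR, msg; n++ }
    NF == 0 || $1 ~ /^#/ { next }          # skip blank lines and comments
    { d = tolower($1) }
    # SNMPv1/v2c access directives carry the community string unencrypted.
    d ~ /^(rocommunity6?|rwcommunity6?|com2sec6?|com2secunix)$/ {
      bad("SNMPv1/v2c directive " $1 " is not allowed"); next
    }
    # createUser [-e ENGINEID] NAME AUTHTYPE authpass [PRIVTYPE [privpass]]
    d == "createuser" {
      i = 2; if ($i == "-e") i += 2
      auth = toupper($(i + 1)); priv = toupper($(i + 3))
      if (auth !~ /^SHA/)
        bad("user " $i ": auth type " (auth == "" ? "none" : auth) ", need SHA")
      if (priv !~ /^AES/)
        bad("user " $i ": priv type " (priv == "" ? "none" : priv) ", need AES")
      next
    }
    # rouser/rwuser [-s SECMODEL] NAME [noauth|auth|priv [OID]]; default auth.
    d == "rouser" || d == "rwuser" {
      i = 2; if ($i == "-s") i += 2
      lvl = ($(i + 1) == "" ? "auth" : tolower($(i + 1)))
      if (lvl != "priv")
        bad($1 " " $i ": level " lvl ", need priv (authPriv)")
      next
    }
    END { exit (n > 0) }
  ' "$@"
}

# Constructed sample input: the configuration from this page and a weak one.
sample_dir=$(mktemp -d)
trap 'rm -rf "$sample_dir"' EXIT
printf '%s\n' 'createUser    custsnmp SHA authPass AES privPass' \
  'rouser        custsnmp priv .1' > "$sample_dir/good.conf"
printf '%s\n' '# legacy settings' 'rocommunity public' \
  'createUser olduser MD5 authPass DES privPass' \
  'rouser olduser auth' > "$sample_dir/weak.conf"

audit_snmpd_conf "$sample_dir/good.conf" && echo "good.conf: compliant"
audit_snmpd_conf "$sample_dir/weak.conf" || echo "weak.conf: findings above"
```

On a real VM the function would be pointed at /etc/snmp/snmpd.conf and /var/lib/net-snmp/snmpd.conf. Once snmpd has started, it replaces createUser lines in the latter with derived-key usmUser entries, so the createUser checks apply to the file as written before the first start.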