Monitoring
Server Monitoring
Each Managed OS VM will be monitored by Swisscom. The monitoring agent is installed and configured with Puppet. The monitoring agent monitors only OS parameters and notifies the Swisscom support organization in the event of an error. The customer can set up application monitoring with WMI for Managed Windows or Prometheus Node Exporter for Managed RHEL.
Configure WMI and Performance Monitor for Managed Windows
Windows Server 2012 and up does not support SNMPv3. Microsoft officially states that SNMP is deprecated in Windows Server 2012 and up. Because SNMP v1 and v2 are not secure, they are not supported by Swisscom. The compliance check tests whether SNMP is disabled.
Instead, you should use Common Information Model (CIM/WMI). In the Resource Domain you will find, for each VM, a Domain Local Group called DL_ESC-MOS-Win-Access_[ComputerName]_S_05 for OS and DL_ESC-MOS-SQL-Access_[ComputerName]_S_05 for SQL. These groups let you grant a Service Account access to read the CIM Namespace via WMI.
With this group it is also possible to read all Performance Monitors.
With the following PowerShell command you can get all disk information from the remote server:
Get-WmiObject win32_logicaldisk -Computername RemoteComputer
With this command you can list all performance counters from a remote computer:
Get-Counter -ListSet * -ComputerName RemoteComputer
Prometheus Node Exporter for Managed RHEL
The monitoring agent (Prometheus Node Exporter) is installed and configured with Puppet. Prometheus is a popular open-source monitoring tool that collects metrics from targets by scraping HTTP endpoints. The agent collects Operating System metrics and notifies the Swisscom operation team in the event of an anomaly. You can set up your own self-managed Prometheus monitoring and collect the metrics from the preinstalled Prometheus Node Exporter available for Managed RHEL.
The main functionality of this exporter is to provide an endpoint for your Prometheus instance to scrape OS-related metrics, such as:
CPU | Memory | Disk | Network |
---|---|---|---|
CPU Load | RAM total, RAM Used, RAM Cache, RAM Free | Disk Space, IOPS, Mounts, I/O statistics | Network traffic, TCP flow, Connections |
The preconfigured Node Exporter comes with the following configuration:
- Prometheus Node Exporter running as user prometheus
- Systemd service node_exporter
- Inbound rule on host-based firewall for tcp/9100
To view all the metrics, you can use curl on your Managed RHEL VM, as shown below.
$ curl localhost:9100/metrics
You can filter the output to look at just a subset of metrics, as shown below:
$ curl localhost:9100/metrics | grep filesystem
Configure SNMP for Managed RHEL
If you want to monitor applications with SNMP, you must configure the SNMP daemon on these servers to respond to requests from the customer's monitoring system. Only SNMP version 3 in the "authenticated and privacy protected" mode, commonly abbreviated as authPriv, is allowed for Managed RHEL. SNMP protocol versions 1 and 2c are unencrypted and therefore not allowed for Managed RHEL. SNMPv3 has three separate options for security and privacy (called security level, or secLevel for short):
- noAuthNoPriv (no authentication, no privacy)
- authNoPriv (authentication but no privacy)
- authPriv (authentication and privacy)
For Managed RHEL only the 'authPriv' option is allowed.
SNMPv3 provides two different authentication mechanisms:
- md5 - is for backward compatibility
- sha1 - is a much stronger cryptographic algorithm that is also faster to compute; there's no reason to use md5
For Managed RHEL only the 'sha1' option is allowed.
SNMPv3 also provides two different encryption algorithms:
- DES - has known security issues and provides weak encryption
- AES - use whenever possible
For Managed RHEL only the 'AES' option is allowed.
If you want to use SNMP to monitor your Managed RHEL VM, use the following procedure to configure the SNMP daemon:
Switch the VM to the Temp Admin state
Install the software:
$ sudo yum install -y net-snmp net-snmp-libs net-snmp-utils net-snmp-perl net-snmp-python
Create an SNMP user:
$ sudo echo 'createUser custsnmp SHA authPass AES privPass' | sudo tee /var/lib/net-snmp/snmpd.conf
$ sudo echo 'rouser custsnmp priv .1' | sudo tee /etc/snmp/snmpd.conf
Configure iptables:
$ sudo echo "-A RH-Firewall-1-INPUT -m udp -p udp --dport 161 -j ACCEPT" | sudo tee -a /etc/sysconfig/iptables.custom
Enable and start the SNMP service:
$ sudo systemctl enable snmpd
$ sudo systemctl start snmpd
Verify the configuration:
$ snmpwalk -v 3 -l authPriv -u custsnmp -a sha -A authPass -x AES -X privPass localhost .1.3.6.1.4.1.8072.1.3
$ snmpwalk -v 3 -mALL -l authPriv -u custsnmp -a sha -A authPass -x AES -X privPass localhost system
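To check snmpd configuration files against the policy stated above (no v1/v2c community access, SHA authentication, AES privacy, minimum level priv), the following audit function can be used. It is an added example, not part of the original documentation; the function name audit_snmpd_conf and the sample lines are constructed for illustration.

```shell
# Usage: audit_snmpd_conf FILE...   (reads stdin when no file is given)
# Prints one finding per line; returns 1 if anything is non-compliant.
audit_snmpd_conf() {
    awk '
    function bad(msg) { printf "%s:%d: %s\n", (FILENAME ? FILENAME : "stdin"), FNR, msg; n++ }
    /^[ \t]*(#|$)/ { next }                      # skip comments and blank lines
    { d = tolower($1) }
    # v1/v2c community access is not allowed at all
    d ~ /^(rocommunity6?|rwcommunity6?|com2sec6?)$/ { bad("SNMP v1/v2c community directive: " $1) }
    d == "createuser" {
        i = 2; if ($i == "-e") i += 2            # optional -e ENGINEID
        auth = toupper($(i + 1)); priv = toupper($(i + 3))
        if (auth != "SHA") bad("user " $i ": authentication is " (auth ? auth : "missing") ", SHA required")
        if (priv != "AES") bad("user " $i ": privacy is " (priv ? priv : "missing") ", AES required")
    }
    d == "rouser" || d == "rwuser" {
        i = 2; if ($i == "-s") i += 2            # optional -s SECMODEL
        lvl = tolower($(i + 1))                  # snmpd defaults to auth when omitted
        if (lvl != "priv" && lvl != "authpriv")
            bad("user " $i ": minimum level is " (lvl ? lvl : "auth (default)") ", priv required")
    }
    END { exit (n > 0) }
    ' "$@"
}

# Constructed sample input (not from a real system): every line breaks the policy.
SAMPLE_BAD='rocommunity public
createUser olduser MD5 authPass DES privPass
rouser olduser auth'

# The two lines written by the procedure above; these pass the audit.
SAMPLE_GOOD='createUser custsnmp SHA authPass AES privPass
rouser custsnmp priv .1'

printf '%s\n' "$SAMPLE_BAD" | audit_snmpd_conf || echo "sample is non-compliant"
```

On a VM, pass /etc/snmp/snmpd.conf and /var/lib/net-snmp/snmpd.conf as arguments (root is needed to read them). snmpd replaces createUser lines in /var/lib/net-snmp/snmpd.conf with usmUser entries when it starts, so audit that file before the first start.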