
What permissions needed for ssh user on Linux boxes to monitor


Solved by DanB

Question

So as a test we created a new user on a Linux box and specified this user on the properties of the Linux system (ssh.user/ssh.pass). Forced an Active Discovery and DS re-match and it's been 1hr so far and it's still under "minimal monitoring".
We don't want to use SNMP, so for SSH-only systems what are the required permissions needed for SSH to work? Does the user have to be part of the root group?

Was looking at this page: https://www.logicmonitor.com/support/monitoring/os-virtualization/linux-via-ssh-monitoring but there is no mention of permissions needed on the user.

Edited by DanB

6 answers to this question


  • 0

I don't believe LM has device detection that uses SSH, so it wouldn't fill in the system.sysinfo and the like. I ended up just adding !hasCategory("Linux_SSH") to my Minimal monitoring check AppliesTo to exclude them when I have to use SSH for Linux.

https://www.logicmonitor.com/support/devices/adding-managing-devices/how-does-logicmonitor-know-what-to-monitor-for-a-device

"When a resource is added into monitoring, LogicMonitor immediately runs a series of queries using WMI and SNMP to determine basic system information about the resource such as operating system version, IP address, sysOID, supported SNMP version, system category, and so on. This information is stored as properties that are associated with the resource (e.g. the system.ips property stores IP address)"

Edited by Mike Moniz
  • 0

Hi Mike, maybe I'm not explaining enough.

The only thing discovered by LM after applying the ssh.user\pass properties is nothing but the very basic metrics.

There's no CPU/Disk/Memory, etc...

I'm asking whether the user we created, 'lmsvc', has to be part of the root group, since after running "Active Discovery" again with the properties applied LM still doesn't find anything from any DS. This is just a new local user on this box.

 

 

  • 0
21 minutes ago, DanB said:

Hi Mike, maybe I'm not explaining enough.

The only thing discovered by LM after applying the ssh.user\pass properties is nothing but the very basic metrics.

There's no CPU/Disk/Memory, etc...

I'm asking whether the user we created, 'lmsvc', has to be part of the root group, since after running "Active Discovery" again with the properties applied LM still doesn't find anything from any DS. This is just a new local user on this box.

 

 

If the box does respond to SNMP, then it will never discover the Linux_SSH property even if you define credentials because addCategory_Linux_SSH only applies if the system has no categories or only "collector" (which seems like an error). This may explain your AD problems if any category was added to those devices for any reason.

Once that is detected, the various modules will work.  I am not sure if root is required for all of the modules, but I expect it is for at least a few and as you say, this is not documented anywhere explicitly.  Since it must be defined at the device level, you would need to bind your public key to the root account even if only one of the modules requires root (we generally use public key access only for Linux systems).  I would prefer to see sudo supported in all the modules so that a non-root account can be used with restricted command access controlled by sudo.  All that said, I have not tested these fully to see if we can get away with a regular user.  We have none of these yet in use in any of our portals, but I am curious now so will be trying a few things :).

  • 0
5 minutes ago, mnagel said:

If the box does respond to SNMP, then it will never discover the Linux_SSH property even if you define credentials because addCategory_Linux_SSH only applies if the system has no categories or only "collector" (which seems like an error). This may explain your AD problems if any category was added to those devices for any reason.

Once that is detected, the various modules will work.  I am not sure if root is required for all of the modules, but I expect it is for at least a few and as you say, this is not documented anywhere explicitly.  Since it must be defined at the device level, you would need to bind your public key to the root account even if only one of the modules requires root (we generally use public key access only for Linux systems).  I would prefer to see sudo supported in all the modules so that a non-root account can be used with restricted command access controlled by sudo.  All that said, I have not tested these fully to see if we can get away with a regular user.  We have none of these yet in use in any of our portals, but I am curious now so will be trying a few things :).

I just checked and it looks like currently all the commands require no special privileges, but also not all may be appropriate for every Linux flavor. I know a few spot checks show some will not work on EL6 (which, to be fair, is EOL later this year).

Linux_SSH_BlockDevicePerformance:    def command = \"cat /proc/diskstats\";
Linux_SSH_CPUCores:    def command = 'cat /proc/cpuinfo'
Linux_SSH_CPUCores:    def command = 'cat /proc/stat'
Linux_SSH_CPUMemory:    def command = 'vmstat -s -S K; echo -n \"Cores:\";nproc --all; echo -n \"load:\"; uptime'
Linux_SSH_Filesystems:    def command = \"`which df` -P\"
Linux_SSH_NetworkInterfaces:    def command = \"cat /proc/net/dev\"
Linux_SSH_NetworkTCPUDP:    def command = '`which netstat` -s'
Linux_SSH_ServiceStatus:    def command = 'systemctl list-units --all --type=service --plain'
Linux_SSH_SystemClock:    def command = 'date +%s'
Linux_SSH_TCPUDP:    def command = 'nstat -a -j'
Linux_SSH_Uptime:    def command = 'echo -n \"Uptime:\"; cat /proc/uptime'

 

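An added example, not part of the thread and not LogicMonitor's code: a POSIX shell check, run in a session as the monitoring account, that confirms the account is unprivileged and that each command quoted in the post above succeeds for it. The function names, the `--audit` argument and the admin group names root/wheel/sudo are assumptions made for this sketch.

```shell
#!/bin/sh
# Commands quoted in the thread for the Linux_SSH_* modules (escaping removed).
module_commands() {
cat <<'EOF'
cat /proc/diskstats
cat /proc/cpuinfo
cat /proc/stat
vmstat -s -S K; echo -n "Cores:";nproc --all; echo -n "load:"; uptime
`which df` -P
cat /proc/net/dev
`which netstat` -s
systemctl list-units --all --type=service --plain
date +%s
nstat -a -j
echo -n "Uptime:"; cat /proc/uptime
EOF
}

# is_privileged UID "GROUPS": true for root or membership in an admin group.
# The names root/wheel/sudo are an assumption; adjust per distribution.
is_privileged() {
    [ "$1" -eq 0 ] && return 0
    for g in $2; do
        case "$g" in root|wheel|sudo) return 0 ;; esac
    done
    return 1
}

# probe CMD: run CMD as the current user; -e makes any failing step of a
# ';' chain count. Prints OK or FAIL(<exit status>).
probe() {
    if sh -ec "$1" </dev/null >/dev/null 2>&1; then echo OK; else echo "FAIL($?)"; fi
}

# audit: print one result per command; return status is the failure count.
audit() {
    failures=0
    is_privileged "$(id -u)" "$(id -Gn)" && echo "WARN: $(id -un) is privileged"
    while IFS= read -r cmd; do
        result=$(probe "$cmd")
        [ "$result" = OK ] || failures=$((failures + 1))
        printf '%-9s %s\n' "$result" "$cmd"
    done <<EOF
$(module_commands)
EOF
    return "$failures"
}

if [ "${1:-}" = "--audit" ]; then audit; fi
```

Run it with `--audit` while logged in as the monitoring account; a FAIL line points at a command that is missing on that distribution or unreadable for that user, not at a credential problem.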
  • 0
  • Solution

So what then do I need to do to get LM to use the Linux_SSH DS to monitor this box? The system.categories property is empty. 

 

Okay: figured it out. 🤬
So first, for the Linux_SSH DS's to be applied, they only work on devices whose system.categories contain hasCategory("Linux_SSH"). So I checked the property source "addCategory_Linux_SSH" and when I tested it against the device above it failed. 😕

I re-entered the password, retested and then the test above worked. The system.categories got populated with "Linux_SSH" and then I forced an AD and DS rematch and I finally got the Linux_SSH DS's to work.

Ok so a 'regular' Linux user can be used and works. I forgot the whole process flow of how things are detected, categorized, then DS's applied. I'll add this to my checklist of things to check next time adding something and it doesn't work.

Thanks Folks!!!

 

Edited by DanB
