
MRTG and Trend VirusWall

MRTG is an excellent tool for graphing most network-related things like bandwidth usage, ping latency etc. I've been running MRTG for the last three years, graphing the network usage on our Cisco WAN routers amongst a few other things.

I've always wanted to get some stats on how our AntiVirus Email gateway is performing. Unfortunately, the Trend InterScan package does not contain any SNMP management, which makes it more of a challenge to monitor. InterScan is running on a Win2000 server, where the only stats available come either from the built-in reports of InterScan or from the Windows Performance Monitor (Perfmon) tool. Neither of these allows you to do much in terms of automated monitoring.

Luckily, there is a nice little tool called NSClient that is used together with Nagios (another excellent network monitoring package running on various forms of Unix/Linux). This Nagios plugin runs on all Windows servers and gives you reports on CPU, disks, uptime etc. But the best thing about this plugin is the COUNTER function, which allows you to read any performance counter that Perfmon can give you. So, even if Trend InterScan does not give you any SNMP management, you can use the performance counters to fetch values for incoming/outgoing, queue size, dropped messages, cleaned messages etc.

To set this up you need to have the following running on a Linux/Unix host:

1. MRTG by Tobias Oetiker
2. RRD Tools by Tobias Oetiker (Not necessary - standard MRTG database works too!)
3. NSClient by Yves Rubin
4. Trend InterScan running on Windows NT 4.0/5.0

All of these tools, apart from Trend VirusWall, are GPL software. Now, let's have a look at what you need to do to monitor some of the basic stuff of Trend InterScan.

Installation
Install NSClient on the Trend server. Make sure you install the latest and correct version, as NSClient comes in both NT 4.0 and W2K/XP binary versions. Also copy the check_nt binary file from the NSClient package onto your Linux box (if you are using anything but Linux, you will have to compile the binary). Copy these 4 files to the Windows system directory: pnsclient.exe, phd.dll, counters.defs and psapi.dll. Once those are in place, issue a pnsclient /install from a command prompt. This installs the client as an NT service. Before starting the service, go to the registry key HLM\Software\NSClient\Params - password and set your password.

Moving on to the MRTG scripts... My MRTG script requires you to pass three parameters to it. The first is the IP address of the host you want to get the stats from, and the second is the type of stats you want. Currently I've got three different sections which are used in the MRTG script:

Request Type    Description
msg             Number of sent and received messages
vir             Number of detected viruses, and number of cleaned viruses
err             Queue length and number of SMTP errors

The last parameter is just the hostname of the host you monitor. NSClient does not give you the name of the monitored host.

You can download the script I run on my MRTG installation: MRTG Script. Put this script somewhere on your system where MRTG can get to it.
Further on, you need to set up the monitoring part of your MRTG config file. I use RRD as the database format, but if you remove the LogFormat: rrdtools statement from the following config file, you will use the default MRTG log format:
MRTG Config File. Copy the MRTG config file to your system and set up a cron job which runs every 5 minutes. (RedHat 7.2 already comes with a cron job that uses the /etc/mrtg/mrtg.cfg file.) Either replace that file with my config file, or modify the crontab file to reflect the correct file.

Once the config file is in place, make sure you change the parameters of the config file as well as the MRTG script. Changes that need to be made before the script is run are as follows:

MRTG Script (chk-viruswall.txt)

Exe               Location of the check_nt binary from NSClient for the Linux/Unix host.
ClientPwd         Password set on the Windows NSClient. If you don't want to use a password, take out the "$ClientPwd" part of the script.
CPort             Port which the Windows NSClient listens on. Default is 1248.

MRTG Config (viruswall.conf)

WorkDir           The location of your database/HTML/graphs output.
LogFormat         Comment this line out if you want to use the native MRTG format.
LibAdd            Location of the RRD perl modules. Used with rrdtools database format.
PathAdd           Location of the RRD binary. Used with rrdtools database format.
<yourserverip>    The IP of your Trend InterScan VirusWall server.
<mail>            The name of the host you are monitoring.

Once you have NSClient installed and MRTG up and running, use the MRTG config file to get the stats. Try issuing mrtg /etc/viruswall.conf at the shell prompt. That should generate a couple of files in the directory you specified with WorkDir. When you view the folder in a web browser, it should bring up a screen that might look like this:

Contributions
Elmar van Mourik has added more counters for the Trend Viruswall package, which includes HTTP & FTP requests. Please download shell script chk-viruswall.txt and the MRTG config file viruswall.conf.

Problems
Check the MRTG and NSClient FAQ and documentation. Most problems can be solved by reading and following the guides that come with these two applications.

To troubleshoot the MRTG script, just run the script from a shell. If you type in:

./chk-viruswall 172.10.0.1 msg mail.doc-s.co.uk

from where the script is located, it will try to get the number of messages sent and received since the last time the Trend InterScan service was started. The output of this command should look something like this:

121254
202097
System Uptime : 99 day(s) 7 hour(s) 13 minute(s)
mail.doc-s.co.uk

I've had problems getting the uptime to work on certain NT installations. I am not sure why this is, but it is not a major problem anyway.

Error: NSClient - Wrong Password:
Change the ClientPwd entry in the MRTG script to match what you have configured on the server. The password is set in the registry using HLM\Software\NSClient\Params - password.
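
As an added example (not the author's chk-viruswall script, and not part of NSClient), the wrapper below shows one way to produce the four-line output shown above while refusing non-numeric replies such as the Wrong Password error, so that they never reach MRTG as data. The counter paths are placeholders, the check_nt path is assumed, and the -H/-p/-s/-v/-l flags are those of the Nagios check_nt plugin, which is assumed to print a bare number for COUNTER.

```shell
#!/bin/sh
# Added example, not the author's chk-viruswall script.
Exe=${Exe:-/usr/local/bin/check_nt}   # assumed path to the check_nt binary
ClientPwd=${ClientPwd:-changeme}      # placeholder; must match the NSClient password
CPort=${CPort:-1248}                  # NSClient default port

# Map a request type to "first|second" Perfmon paths. These are PLACEHOLDERS:
# look up the real InterScan counter names in Perfmon on the Trend server.
counters_for() {
    case "$1" in
        msg) printf '%s\n' '\PLACEHOLDER\msgs received|\PLACEHOLDER\msgs sent' ;;
        vir) printf '%s\n' '\PLACEHOLDER\viruses detected|\PLACEHOLDER\viruses cleaned' ;;
        err) printf '%s\n' '\PLACEHOLDER\queue length|\PLACEHOLDER\smtp errors' ;;
        *)   return 1 ;;
    esac
}

# Read one counter. Accept the reply only if it is a bare integer, so error
# text such as "NSClient - Wrong Password" is never handed to MRTG as data.
# Note: -s places the password on the command line, visible in ps on this host.
fetch_counter() {   # $1 = host IP, $2 = counter path
    reply=$("$Exe" -H "$1" -p "$CPort" -s "$ClientPwd" -v COUNTER -l "$2" 2>&1) || true
    case "$reply" in
        ''|*[!0-9]*) echo "chk-viruswall: bad reply for '$2': $reply" >&2; return 1 ;;
    esac
    printf '%s\n' "$reply"
}

# Emit the four lines MRTG reads from an external script:
# first value, second value, uptime string, target name.
chk_viruswall() {   # $1 = IP, $2 = request type, $3 = hostname
    case "$1" in ''|*[!0-9.]*) echo "chk-viruswall: bad IP" >&2; return 2 ;; esac
    case "$3" in ''|*[!A-Za-z0-9.-]*) echo "chk-viruswall: bad hostname" >&2; return 2 ;; esac
    pair=$(counters_for "$2") || { echo "chk-viruswall: unknown type" >&2; return 2; }
    v_in=$(fetch_counter "$1" "${pair%%|*}") || return 1
    v_out=$(fetch_counter "$1" "${pair#*|}") || return 1
    # Uptime is informational; the page notes it fails on some NT installs.
    up=$("$Exe" -H "$1" -p "$CPort" -s "$ClientPwd" -v UPTIME 2>/dev/null) || up=unknown
    printf '%s\n%s\n%s\n%s\n' "$v_in" "$v_out" "$up" "$3"
}

if [ "$#" -eq 3 ]; then chk_viruswall "$@"; fi
```

A non-zero exit with no output makes MRTG skip the sample instead of graphing an error string as a value.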

Update: Thanks to Elmar van Mourik for picking up the error with the "Options:[] bits" entry in the MRTG config file. This gave 8 times the expected value.... (No wonder we had so much email.. :-) )