The Multi Router Traffic Grapher, or MRTG, is an open source tool for monitoring the traffic load on networks. It lets users see the traffic load on a network over time in graphical form. It generates HTML pages containing PNG images which provide a live graphical representation of the traffic.
MRTG works on most UNIX platforms and Windows, but this guide describes it for a UNIX platform, specifically CentOS 5.x. MRTG is written in Perl, with some code in C.
MRTG uses the Simple Network Management Protocol (SNMP) to send requests with two object identifiers (OIDs) to a device. The device, which must be SNMP-enabled, will have a management information base (MIB) to look up the OIDs specified. SNMP is used to manage IP network devices such as servers, routers, switches etc. Administrators can use it to measure network performance, solve problems or optimize the network further.
This document covers binary installation of MRTG and snmp using rpm. Please visit the author’s website here for source installation. Required RPMs are mrtg, snmp and snmp-utils.
The first step for mrtg to work is to make sure snmp is up and running. Without a properly working snmp server, mrtg will not work. Follow the steps below for a fully working mrtg server.
1: Make sure snmp server is installed
Run the rpm command with its query option to find out whether the snmp server is installed:
# rpm -qa | grep snmp
If snmp is installed, move on to the next step; otherwise install it:
# yum install net-snmp-utils net-snmp
The yum command can be used to install the snmp packages on CentOS or Fedora. For other distros, you can find RPMs on rpmfind.net.
2: Determine if SNMP server is running or not
# ps -aux | grep snmp
This command will list the process if snmp server is running.
Output:
root 1442 0.0 0.6 27432 6564 ? Sl Aug04 2:29 /usr/sbin/snmpd -Lsd -Lf /dev/null -p /var/run/snmpd.pid -a
root 17653 0.0 0.0 3924 696 pts/0 S+ 09:18 0:00 grep snmp
Alternatively, either of the following two commands can be run as well:
# /usr/sbin/lsof -i :199
Output:
COMMAND PID USER FD TYPE DEVICE SIZE NODE NAME
snmpd 1442 root 10u IPv4 4101 TCP mrtgtestserver:smux (LISTEN)
OR
# netstat -natv | grep ':199'
Output:
tcp 0 0 127.0.0.1:199 0.0.0.0:* LISTEN
If you get the above output, you can move on to the next step; otherwise start the service using the following command:
# service snmpd start
The snmpd service should start automatically when Linux boots:
# chkconfig --add snmpd
3: Make sure snmp server is configured properly
The snmpwalk utility requests a tree of information about a network entity, e.g. it can query the snmp server for the IP addresses assigned to the server’s interfaces:
# snmpwalk -v 1 -c public localhost IP-MIB::ipAdEntIfIndex
Output:
IP-MIB::ipAdEntIfIndex.192.168.1.100 = INTEGER: 2
IP-MIB::ipAdEntIfIndex.127.0.0.1 = INTEGER: 1
If the result resembles the output above, move on to the next step; otherwise configure the snmp server as follows:
Configure SNMP
1. Edit the file /etc/snmp/snmpd.conf using vi text editor:
# vi /etc/snmp/snmpd.conf
Modify the lines as follows:
Find lines:
com2sec notConfigUser default public
Replace with:
com2sec local localhost public
com2sec mynetwork 192.168.1.0/24 public
Note: My local network is 192.168.1.0/24. Replace it with your own network.
Find lines:
group notConfigGroup v1 notConfigUser
group notConfigGroup v2c notConfigUser
Replace with:
group MyRWGroup v1 local
group MyRWGroup v2c local
group MyRWGroup usm local
group MyROGroup v1 mynetwork
group MyROGroup v2c mynetwork
group MyROGroup usm mynetwork
Find lines:
view systemview included system
Replace with:
view all included .1 80
Find lines:
access notConfigGroup "" any noauth exact systemview none none
Replace with:
access MyROGroup "" any noauth exact all none none
access MyRWGroup "" any noauth exact all all none
Find lines:
syslocation Unknown (edit /etc/snmp/snmpd.conf)
syscontact Root (configure /etc/snmp/snmp.local.conf)
Replace with:
syslocation Linux (CentOS), MRTG Server.
syscontact Kijush Maharjan <kijush.maharjan@gmail.com>
Start the snmp server and test it:
a. Make sure snmpd starts whenever Linux boots:
# chkconfig snmpd on
b. Make sure the service is started with the new configuration:
# service snmpd restart
c. Finally test the snmp server:
# snmpwalk -v 1 -c public localhost IP-MIB::ipAdEntIfIndex
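To review what the edited snmpd.conf actually permits, the script below (an added example, not part of the original tutorial) flags well-known community strings, com2sec entries that accept any source, and groups that hold a write view. The function names audit_snmpd_conf and page_conf and the sample file are constructed for illustration.

```shell
#!/bin/sh
# Added example: audit the snmpd.conf directives edited in step 3.
# audit_snmpd_conf FILE prints one finding per line; returns 1 if any, else 0.
audit_snmpd_conf() {
    awk '
    function flag(n, msg) { printf "line %d: %s\n", n, msg; found = 1 }
    /^[ \t]*(#|$)/ { next }   # skip comments and blank lines

    # com2sec <secname> <source> <community>
    $1 == "com2sec" {
        if ($4 == "public" || $4 == "private")
            flag(NR, "well-known community \"" $4 "\" mapped to " $2)
        if ($3 == "default")
            flag(NR, "secname " $2 " accepts queries from any source")
    }
    # group <group> <model> <secname>: v1 and v2c send the community in clear
    $1 == "group" && ($3 == "v1" || $3 == "v2c") { cleartext[$2] = 1 }

    # access <group> <context> <model> <level> <prefix> <read> <write> <notify>
    $1 == "access" && NF >= 8 && $8 != "none" { wgroup[NR] = $2; wview[NR] = $8 }

    END {   # evaluated last so directive order in the file does not matter
        for (n = 1; n <= NR; n++) if (n in wgroup) {
            how = (wgroup[n] in cleartext) ? " over v1/v2c" : ""
            flag(n, "group " wgroup[n] " can write view \"" wview[n] "\"" how)
        }
        exit (found ? 1 : 0)
    }' "$1"
}

# Constructed sample: the directives this page ends up with after step 3.
page_conf() {
    cat <<'EOF'
com2sec local     localhost       public
com2sec mynetwork 192.168.1.0/24  public
group MyRWGroup v2c local
group MyROGroup v2c mynetwork
view all included .1 80
access MyROGroup "" any noauth exact all none none
access MyRWGroup "" any noauth exact all all none
EOF
}

tmp=$(mktemp) && page_conf > "$tmp"
audit_snmpd_conf "$tmp" || echo "findings above: review before opening UDP 161"
rm -f "$tmp"
```

On a live system, point the function at /etc/snmp/snmpd.conf; MRTG only reads counters, so a read-only group with a non-default community is enough for the poller.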
4: Install mrtg if not installed
The MRTG package may already have been installed during the initial installation. Whether MRTG is installed can be verified with the following command:
# rpm -qa | grep mrtg
If MRTG is already installed, move on to the next step; otherwise it can be found on rpmfind.net, and it is also bundled with the CentOS installation CD.
The yum command can be used on Fedora as well as CentOS to install MRTG.
# yum install mrtg
5: Configuration of MRTG
a. Create document root to store mrtg graphs and html pages:
# mkdir -p /var/www/html/mymrtg/
b. Run the following commands to create the mrtg configuration files:
For localhost:
# cfgmaker --global 'WorkDir: /var/www/html/mymrtg' --output /etc/mrtg/localhost.cfg public@localhost
For the router:
# cfgmaker --global 'WorkDir: /var/www/html/mymrtg' --output /etc/mrtg/router.cfg public@192.168.1.1
For a linux/windows server:
# cfgmaker --global 'WorkDir: /var/www/html/mymrtg' --output /etc/mrtg/server.cfg public@192.168.1.2
c. Generate the default index page for the MRTG configuration:
# indexmaker --output=/var/www/html/mymrtg/index.html /etc/mrtg/router.cfg /etc/mrtg/server.cfg /etc/mrtg/localhost.cfg
This creates one index.html file for all the generated cfg files. It can also be separated as necessary.
d. Copy all the tiny png files to the mrtg path:
# cp -av /var/www/html/mrtg/*.png /var/www/html/mymrtg/
6: First test run of MRTG
a. Run mrtg command from command line with the configuration file:
# mrtg /etc/mrtg/router.cfg
Note: This command will generate an error regarding the environment, so the following command is used instead:
# env LANG=C /usr/bin/mrtg /etc/mrtg/router.cfg
Note: A few warning messages may be displayed; run the above command again until it stops displaying warning messages.
b. Now from the web browser type url: http://<ipaddress of mrtg server>/mymrtg
7: Create crontab entry so that mrtg graphs and images get generated every 5 minutes
a. Login as root and type the following command:
# crontab -e
b. Add the mrtg cron job entries to the crontab file:
*/5 * * * * /usr/bin/mrtg /etc/mrtg/localhost.cfg --logging /var/log/mrtg.log
*/5 * * * * /usr/bin/mrtg /etc/mrtg/router.cfg --logging /var/log/mrtg.log
*/5 * * * * /usr/bin/mrtg /etc/mrtg/server.cfg --logging /var/log/mrtg.log
Save the file; the MRTG configuration is now complete.
8: For security reasons, nobody wants to give open access to their snmp server. The SNMP server uses UDP ports 161 and 162 for communication. The Linux iptables firewall can be used to restrict access to the SNMP server.
a. Allow outgoing SNMP server requests from the linux computer. This is useful when you query a remote host/router.
SERVER="xxx.xxx.xxx.xxx"
iptables -A OUTPUT -p udp -s $SERVER --sport 1024:65535 -d 0/0 --dport 161:162 -m state --state NEW,ESTABLISHED -j ACCEPT
iptables -A INPUT -p udp -s 0/0 --sport 161:162 -d $SERVER --dport 1024:65535 -m state --state ESTABLISHED -j ACCEPT
b. Allow incoming SNMP client requests via iptables. This is useful when you wish to accept queries from the rest of the world. To limit who can query, replace 0/0 with the address or network of your monitoring hosts.
SERVER="xxx.xxx.xxx.xxx"
iptables -A INPUT -p udp -s 0/0 --sport 1024:65535 -d $SERVER --dport 161:162 -m state --state NEW,ESTABLISHED -j ACCEPT
iptables -A OUTPUT -p udp -s $SERVER --sport 161:162 -d 0/0 --dport 1024:65535 -m state --state ESTABLISHED -j ACCEPT
Note: The above two rule sets are just the SNMP-specific iptables rules. Please refer to the iptables documentation for complete information about iptables.
9: Protect MRTG graphs/html pages with password protected directory
Restricting access to MRTG reports can be accomplished with Apache webserver’s .htaccess file. Follow the process outlined to protect graphs using apache’s .htaccess file and htpasswd command:
a. Create a .htaccess file in the /var/www/html/mymrtg/ directory:
# vi /var/www/html/mymrtg/.htaccess
Add the following text to the file:
AuthName "MRTG Graphs/Html restricted access"
AuthType Basic
AuthUserFile /var/www/html/mymrtg/.htpasswd
require user mrtgadmin
b. Create a user and password (-c creates the .htpasswd file, so use it only the first time; omit -c when adding or changing users later):
# htpasswd -c /var/www/html/mymrtg/.htpasswd mrtgadmin
For more information about the apache web server and its authentication methods, please refer to the apache web server documentation.
Comments
Well, is this all there is to the configuration of MRTG……
I need to get MRTG graphs for Mikrotik queues…you should give a tutorial on that too
The Mikrotik one is coming too, slowly……….I’m only just getting started …wait for some time……I’ll update …soon
There’s more left……it’s not complete yet….need some more time so……..it’s coming soon…….
Good Start……………
Thanks….
Good one bro…..
thanks………..:)