DanB
5 years ago

What permissions needed for ssh user on Linux boxes to monitor

So as a test we created a new user on a Linux box and specified this user on the properties of the Linux system (ssh.user/ssh.pass). Forced an Active Discovery and DS re-match and it's been 1hr so far and it's still under "minimal monitoring".
We don't want to use SNMP, so for SSH-only systems what are the required permissions needed for SSH to work? Does the user have to be part of the root group?

Was looking at this page: https://www.logicmonitor.com/support/monitoring/os-virtualization/linux-via-ssh-monitoring but there is no mention of permissions needed on the user.

  • So what then do I need to do to get LM to use the Linux_SSH DS to monitor this box? The system.categories property is empty. 


     

    Okay: figured it out.
    So first for the Linux_SSH DS's to be applied they only work on devices whose system.categories contain hasCategory("Linux_SSH"). So I checked the property source "addCategory_Linux_SSH" and when I tested it against the device above it failed.

    I re-entered the password, retested and then the test above worked. The system.categories got populated with "Linux_SSH" and then forced an AD and DS rematch and I finally got the Linux_SSH DS's to work:

    Ok so a 'regular' Linux user can be used and works. I forgot the whole process flow of how things are detected, categorized, then DS's applied. I'll add this to my check list of things to check next time adding something and it doesn't work.

    Thanks Folks!!!

     

  • You can always add the "Linux_SSH" category to the devices or groups manually if you don't want to remove existing categories or modify the propertysource.

  • 5 minutes ago, mnagel said:

    If the box does respond to SNMP, then it will never discover the Linux_SSH property even if you define credentials because addCategory_Linux_SSH only applies if the system has no categories or only "collector" (which seems like an error). This may explain your AD problems if any category was added to those devices for any reason.

    Once that is detected, the various modules will work.  I am not sure if root is required for all of the modules, but I expect it is for at least a few and as you say, this is not documented anywhere explicitly.  Since it must be defined at the device level, you would need to bind your public key to the root account even if only one of the modules requires root (we generally use public key access only for Linux systems).  I would prefer to see sudo supported in all the modules so that a non-root account can be used with restricted command access controlled by sudo.  All that said, I have not tested these fully to see if we can get away with a regular user.  We have none of these yet in use in any of our portals, but I am curious now so will be trying a few things :).

    I just checked and it looks like currently all the commands require no special privileges, but also not all may be appropriate for every Linux flavor. I know a few spot checks show some will not work on EL6 (which, to be fair, is EOL later this year).

    Linux_SSH_BlockDevicePerformance:    def command = \"cat /proc/diskstats\";
    Linux_SSH_CPUCores:    def command = 'cat /proc/cpuinfo'
    Linux_SSH_CPUCores:    def command = 'cat /proc/stat'
    Linux_SSH_CPUMemory:    def command = 'vmstat -s -S K; echo -n \"Cores:\";nproc --all; echo -n \"load:\"; uptime'
    Linux_SSH_Filesystems:    def command = \"`which df` -P\"
    Linux_SSH_NetworkInterfaces:    def command = \"cat /proc/net/dev\"
    Linux_SSH_NetworkTCPUDP:    def command = '`which netstat` -s'
    Linux_SSH_ServiceStatus:    def command = 'systemctl list-units --all --type=service --plain'
    Linux_SSH_SystemClock:    def command = 'date +%s'
    Linux_SSH_TCPUDP:    def command = 'nstat -a -j'
    Linux_SSH_Uptime:    def command = 'echo -n \"Uptime:\"; cat /proc/uptime'
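
Added example, not part of the post above and not LogicMonitor code: a preflight that runs each command quoted in that list as the monitoring account and reports which ones fail on this particular distribution. The function names and the `run` argument are assumptions made for this sketch; the command strings are the ones quoted in the post with the `\"` escaping removed.

```shell
#!/bin/sh
# Added example, not LogicMonitor code. Run ON the monitored host while
# logged in as the monitoring account: sh preflight.sh run

# check_cmd LABEL COMMAND: run COMMAND in a fresh non-interactive shell and
# report by exit status. -e stops at the first failing part of a compound
# command, so a missing vmstat is not hidden by a later successful uptime.
check_cmd() {
    if sh -e -c "$2" </dev/null >/dev/null 2>&1; then
        printf 'OK    %s\n' "$1"
        return 0
    fi
    printf 'FAIL  %s: %s\n' "$1" "$2"
    return 1
}

# run_checks: read "label|command" lines on stdin, return the failure count.
run_checks() {
    failures=0
    while IFS='|' read -r label cmd; do
        [ -n "$label" ] || continue
        check_cmd "$label" "$cmd" || failures=$((failures + 1))
    done
    return "$failures"
}

# preflight: the commands quoted in the post above. The exit status is the
# number of commands that did not run cleanly for this account.
preflight() {
    [ "$(id -u)" -ne 0 ] || echo "note: running as root; this says nothing about a regular user"
    run_checks <<'EOF'
Linux_SSH_BlockDevicePerformance|cat /proc/diskstats
Linux_SSH_CPUCores|cat /proc/cpuinfo
Linux_SSH_CPUCores|cat /proc/stat
Linux_SSH_CPUMemory|vmstat -s -S K; echo -n "Cores:";nproc --all; echo -n "load:"; uptime
Linux_SSH_Filesystems|`which df` -P
Linux_SSH_NetworkInterfaces|cat /proc/net/dev
Linux_SSH_NetworkTCPUDP|`which netstat` -s
Linux_SSH_ServiceStatus|systemctl list-units --all --type=service --plain
Linux_SSH_SystemClock|date +%s
Linux_SSH_TCPUDP|nstat -a -j
Linux_SSH_Uptime|echo -n "Uptime:"; cat /proc/uptime
EOF
}

if [ "${1:-}" = run ]; then
    preflight
    exit $?
fi
```

Feeding the script to `sh -s run` over an SSH session as `lmsvc` exercises a non-interactive session, where PATH can be shorter than in a login shell and tools such as `netstat` or `nstat` may not resolve.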

     

  • 21 minutes ago, DanB said:

    Hi Mike, maybe I'm not explaining enough.

    The only thing discovered by LM after applying the ssh.user\pass properties is nothing but the very basic metrics

    There's no CPU/Disk/Memory, etc...

    I'm asking if the user we created 'lmsvc' does it have to be part of the root group since after running "Active Discovery" again with the properties applied LM still doesn't find anything from any DS still. This is just a new local user on this box.

     

     

    If the box does respond to SNMP, then it will never discover the Linux_SSH property even if you define credentials because addCategory_Linux_SSH only applies if the system has no categories or only "collector" (which seems like an error). This may explain your AD problems if any category was added to those devices for any reason.

    Once that is detected, the various modules will work.  I am not sure if root is required for all of the modules, but I expect it is for at least a few and as you say, this is not documented anywhere explicitly.  Since it must be defined at the device level, you would need to bind your public key to the root account even if only one of the modules requires root (we generally use public key access only for Linux systems).  I would prefer to see sudo supported in all the modules so that a non-root account can be used with restricted command access controlled by sudo.  All that said, I have not tested these fully to see if we can get away with a regular user.  We have none of these yet in use in any of our portals, but I am curious now so will be trying a few things :).

  • Hi Mike, maybe I'm not explaining enough.

    The only thing discovered by LM after applying the ssh.user\pass properties is nothing but the very basic metrics

    There's no CPU/Disk/Memory, etc...

    I'm asking if the user we created 'lmsvc' does it have to be part of the root group since after running "Active Discovery" again with the properties applied LM still doesn't find anything from any DS still. This is just a new local user on this box.

     

     

  • I don't believe LM has device detection that uses SSH so wouldn't fill in the system.sysinfo and the like. I ended up just adding !hasCategory("Linux_SSH") to my Minimal monitoring check AppliesTo to exclude them when I have to use SSH for Linux.

    https://www.logicmonitor.com/support/devices/adding-managing-devices/how-does-logicmonitor-know-what-to-monitor-for-a-device

    "When a resource is added into monitoring, LogicMonitor immediately runs a series of queries using WMI and SNMP to determine basic system information about the resource such as operating system version, IP address, sysOID, supported SNMP version, system category, and so on. This information is stored as properties that are associated with the resource (e.g. the system.ips property stores IP address)"