What permissions needed for ssh user on Linux boxes to monitor

You can always add the "Linux_SSH" category to the devices or groups manually if you don't want to remove existing categories or modify the propertysource.

I don't believe LM has device detection that uses SSH so wouldn't fill in the system.sysinfo and the like. I ended up just adding !hasCategory("Linux_SSH") to the my Minimal monitoring check AppliesTo to exclude them when I have to use SSH for Linux.

https://www.logicmonitor.com/support/devices/adding-managing-devices/how-does-logicmonitor-know-what-to-monitor-for-a-device

"When a resource is added into monitoring, LogicMonitor immediately runs a series of queries using WMI and SNMP to determine basic system information about the resource such as operating system version, IP address, sysOID, supported SNMP version, system category, and so on. This information is stored as properties that are associated with the resource (e.g. the system.ips property stores IP address)"

Hi Mike, maybe I'm not explaining enough.

The only thing discovered on by LM after applying the ssh.user\pass properties

is nothing but the very basic metrics

There's no CPU/Disk/Memory, etc...

I'm asking if the user we created 'lmsvc' does it have to be part of the root group since after running "Active Discovery" again with the properties applied LM still doesn't find anything from any DS still. This is just a new local user on this box.

21 minutes ago, DanB said:

Hi Mike, maybe I'm not explaining enough.

The only thing discovered on by LM after applying the ssh.user\pass properties

 

is nothing but the very basic metrics

There's no CPU/Disk/Memory, etc...

I'm asking if the user we created 'lmsvc' does it have to be part of the root group since after running "Active Discovery" again with the properties applied LM still doesn't find anything from any DS still. This is just a new local user on this box.

 

 

If the box does respond to SNMP, then it will never discover the Linux_SSH property even if you define credentials because addCategory_Linux_SSH only applies if the system has no categories or only "collector" (which seems like an error). This may explain your AD problems if any category was added to those devices for any reason.

Once that is detected, the various modules will work.  I am not sure if root is required for all of the modules, but I expect it is for at least a few and as you say, this is not documented anywhere explicitly.  Since it must be defined at the device level, you would need to bind your public key to the root account even if only one of the modules requires root (we generally use public key access only for Linux systems).  I would prefer to see sudo supported in all the modules so that a non-root account can be used with restricted command access controlled by sudo.  All that said, I have not tested these fully to see if we can get away with a regular user.  We have none of these yet in use in any of our portals, but I am curious now so will be trying a few things :).

5 minutes ago, mnagel said:

If the box does respond to SNMP, then it will never discover the Linux_SSH property even if you define credentials because addCategory_Linux_SSH only applies if the system has no categories or only "collector" (which seems like an error). This may explain your AD problems if any category was added to those devices for any reason.

Once that is detected, the various modules will work.  I am not sure if root is required for all of the modules, but I expect it is for at least a few and as you say, this is not documented anywhere explicitly.  Since it must be defined at the device level, you would need to bind your public key to the root account even if only one of the modules requires root (we generally use public key access only for Linux systems).  I would prefer to see sudo supported in all the modules so that a non-root account can be used with restricted command access controlled by sudo.  All that said, I have not tested these fully to see if we can get away with a regular user.  We have none of these yet in use in any of our portals, but I am curious now so will be trying a few things :).

I just checked and it looks like currently all the commands require no special privileges, but also not all may be appropriate for every Linux flavor. I know a few spotchecks show some will not work on EL6 (which, to be fair, is EOL later this year).

Linux_SSH_BlockDevicePerformance:    def command = \"cat /proc/diskstats\";
Linux_SSH_CPUCores:    def command = 'cat /proc/cpuinfo'
Linux_SSH_CPUCores:    def command = 'cat /proc/stat'
Linux_SSH_CPUMemory:    def command = 'vmstat -s -S K; echo -n \"Cores:\";nproc --all; echo -n \"load:\"; uptime'
Linux_SSH_Filesystems:    def command = \"`which df` -P\"
Linux_SSH_NetworkInterfaces:    def command = \"cat /proc/net/dev\"
Linux_SSH_NetworkTCPUDP:    def command = '`which netstat` -s'
Linux_SSH_ServiceStatus:def command = 'systemctl list-units --all --type=service --plain'
Linux_SSH_SystemClock:    def command = 'date +%s'
Linux_SSH_TCPUDP:    def command = 'nstat -a -j'
Linux_SSH_Uptime:    def command = 'echo -n \"Uptime:\"; cat /proc/uptime'