SSH login check

I am running sensu monitoring for a few servers, everything works fine.

Now, I have a requirement to check SSH login for each of these servers remotely, basically need to check if remote ssh login is working for a test user or not.

Trying to use the sensu framework for this, any suggestions?

Hello

Use SSH to inject data into localhost port 3030 like this:
https://sensuapp.org/docs/latest/reference/clients.html#creating-a-dead-mans-switch

echo "{...}" | ssh testuser@testhost "nc localhost 3030"

If the ssh login does not work this would trigger the dead man's switch.
And this connects the failing logins to the affected host.

The call of the ssh client does not need to be integrated with sensu
client itself. This might simplify the handling of authorized keys etc.
This would mean you could have two hosts doing ssh logins to the systems
and if one of the hosts goes down this does not create alerts if
timeouts are set properly.

Regards,
Oliver Paukstadt

On Mon, 2016-06-13 at 04:15 -0700, Jay Kumar wrote:

I am running sensu monitoring for a few servers, everything works fine.

Now, I have a requirement to check SSH login for each of these servers
remotely, basically need to check if remote ssh login is working for a test
user or not.

Trying to use the sensu framework for this, any suggestions?

--
Oliver Paukstadt <pstadt@sourcentral.org>

An alternative approach is to define a check on some server (probably
the sensu server) and set the "source" attribute to be each of the
servers, which will create a JIT client
https://sensuapp.org/docs/latest/reference/clients.html#proxy-clients
Which is easier than it sounds if you are already creating sensu checks.

On Mon, Jun 13, 2016 at 5:42 AM, Oliver Paukstadt <pstadt@sourcentral.org> wrote:

Hello

Use SSH to inject data into localhost port 3030 like this:
https://sensuapp.org/docs/latest/reference/clients.html#creating-a-dead-mans-switch

echo "{...}" | ssh testuser@testhost "nc localhost 3030"

If the ssh login does not work this would trigger the dead man's switch.
And this connects the failing logins to the affected host.

The call of the ssh client does not need to be integrated with sensu
client itself. This might simplify the handling of authorized keys etc.
This would mean you could have two hosts doing ssh logins to the systems
and if one of the hosts goes down this does not create alerts if
timeouts are set properly.

Regards,
Oliver Paukstadt
--
Oliver Paukstadt <pstadt@sourcentral.org>

How do I avoid creating a check for each server in the inventory? If I understand correctly, I would need to create an ssh check for each “source” on a sensu server.

I can use an automation framework to actually create the checks, but it does not seem to be a manageable option.

Thanks,

Jay Kumar

On Monday, 13 June 2016 20:40:16 UTC+5:30, Kyle Anderson wrote:

An alternative approach is to define a check on some server (probably
the sensu server) and set the “source” attribute to be each of the
servers, which will create a JIT client
https://sensuapp.org/docs/latest/reference/clients.html#proxy-clients
Which is easier than it sounds if you are already creating sensu checks.

I don't know, depends on your setup.

But if you don't want to define the checks in sensu, then you should
go with the first option and programmatically generate the check
results and send them to localhost:3030
See a meta-check for sensu that creates many other checks · GitHub for an example.

Whether you programmatically generate json files or programmatically
emit the json output to localhost:3030 will depend on what kind of
automation you would like to use.

On Mon, Jun 13, 2016 at 11:20 AM, Jay Kumar <jaykumar2005@gmail.com> wrote:

How do I avoid creating a check for each server in the inventory? If I
understand correctly, I would need to create an ssh check for each "source" on
a sensu server.

I can use an automation framework to actually create the checks, but it does not
seem to be a manageable option.

Thanks,
Jay Kumar

Hi,
I was wondering if the initial question found another answer with a better approach or not?

As I am running a POC for Sensu, but we have more than 600 servers and we have some application checks which are executed across multiple servers from some remote server.

So the 2 described approaches are not really the correct way of doing things.

  1. 600 check definitions will be a pain in the …

  2. Triggering the dead man's switch with several checks will not tell me what the real problem is.

To sum up, is it possible to run a check from a remote server on a subscription list from Sensu?

With best regards,

Vahagn

If the hosts are already in Sensu, you can create a check with a proxy request attribute which will find all clients which have certain attributes. As the example in the docs describes, you can then have the check go to a roundrobin subscription for some host to run the commands. So in theory, if you had 600 clients which have a client config looking something like this:

{
  "client": {
    "name": "host100",
    "address": "192.168.1.100",
    "os": "linux"
  }
}

You could have a check defined on the server that looks like this:

{
  "checks": {
    "check_ssh": {
      "command": "check-ssh.rb -h :::address:::",
      "subscribers": [
        "round-robin:ssh_checkers"
      ],
      "interval": 60,
      "proxy_requests": {
        "client_attributes": {
          "os": "linux"
        }
      }
    }
  }
}

Internal to sensu, it finds all clients with those attributes (os == linux), and then adds the client name to the source, and replaces the :::address::: part of the command for you. The checks will happen on some subset of hosts which should be checking for ssh, but the results will be attributed to the individual client, not the host checking it.

Hope that makes sense and answers your question.

On Monday, April 3, 2017 at 3:56:33 PM UTC-4, Vahagn wrote:

Hi,
I was wondering if the initial question found another answer with a better approach or not?

As I am running a POC for Sensu, but we have more than 600 servers and we have some application checks which are executed across multiple servers from some remote server.

So the 2 described approaches are not really the correct way of doing things.

  1. 600 check definitions will be a pain in the …
  2. Triggering the dead man's switch with several checks will not tell me what the real problem is.

To sum up, is it possible to run a check from a remote server on a subscription list from Sensu?

With best regards,

Vahagn
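
The pieces discussed in this thread (a prober host logging in as a test user, results pushed to the local Sensu client socket on port 3030, and a "source" so each failure is attributed to the target host) can be combined in one script. This is an added example, not code from any poster or from Sensu; the check name ssh_login, the testuser account and the function names are assumptions.

```shell
#!/usr/bin/env bash
# Added example: SSH login probe that reports one Sensu result per target.
# Assumed names: TEST_USER account, check name "ssh_login".
TEST_USER="${TEST_USER:-testuser}"
SOCKET_HOST=127.0.0.1   # local sensu-client socket, as used in the thread
SOCKET_PORT=3030

# Map the ssh exit code to a Sensu status. ssh exits 255 when it cannot
# connect or authenticate; any other non-zero code means the login worked
# but the remote command failed.
login_status() {
  case "$1" in
    0)   echo 0 ;;   # OK
    255) echo 2 ;;   # CRITICAL: login failed
    *)   echo 1 ;;   # WARNING: logged in, remote command failed
  esac
}

# Flatten newlines and escape backslashes and double quotes for JSON.
json_escape() {
  printf '%s' "$1" | tr '\n' ' ' | sed -e 's/\\/\\\\/g' -e 's/"/\\"/g'
}

# Build a check result; "source" attributes it to the probed host
# instead of the host that ran the probe.
check_result() {  # args: host status output
  printf '{"name":"ssh_login","source":"%s","status":%d,"output":"%s"}\n' \
    "$(json_escape "$1")" "$2" "$(json_escape "$3")"
}

# BatchMode stops ssh from prompting, ConnectTimeout bounds a dead host.
probe_host() {  # args: host
  probe_out=$(ssh -n -o BatchMode=yes -o ConnectTimeout=10 \
    "$TEST_USER@$1" true 2>&1) && probe_rc=0 || probe_rc=$?
  if [ "$probe_rc" -eq 0 ]; then probe_out="login as $TEST_USER OK"; fi
  check_result "$1" "$(login_status "$probe_rc")" "$probe_out"
}

# Probe every host given on the command line (none given: nothing runs).
for host in "$@"; do
  probe_host "$host" | nc -w 5 "$SOCKET_HOST" "$SOCKET_PORT"
done
```

Because the probe only runs `true`, the test user's key can be limited in authorized_keys with `restrict` and a forced command, so it is of no use for an interactive session.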

Thanks Steve,

I will try this.

With best regards,

Vahagn