slauger / check_netscaler
A Nagios Plugin written in Perl for the Citrix ADC (formerly Citrix NetScaler). It uses the NetScaler NITRO API.
Hi,
When using the "state" option for objects "vserver", "service", "groupservice" or "server", it's only possible to get a list or to query one single object. If one member of the list is out of order, the answer is "critical"; it could be nice to query only a part of the list, by:
• excluding one or more objects' values from the query, or
• using the -n (name) option with more than one name
The check could be written as follows:
./check_netscaler.pl -H IP -u user -p password -s -C state -o lbvserver -nx name9 --> name9 is excluded from the query
./check_netscaler.pl -H IP -u user -p password -s -C state -o lbvserver -n name1,name2,name3 --> the query is asked on the 3 names written
Sometimes you need to disable some objects (test lbvservers, for example), and this approach would clear useless alerts from the Nagios screen. It would also avoid querying every object with a single check each, which works today but is not the best way when you have many objects to look after.
Hi,
I like this plugin! It would be nice if we could have a multiline output (activated by an option).
Hello
Wanted to add some tips on checking sslcert
Rather than naming the certificate, I think the check should go against an IP and a port. Pointing at something that might change, such as a certificate key-pair name or a certificate thumbprint, is not good practice, while aiming directly at an IP (or FQDN) and a port is better practice.
More detailed output. Even when returning an OK, I think the days left should still be shown. Hell, I'd go as far as saying it should show the days left AND the date it expires. This allows a quick view of whether it expires on a weekday or a weekend.
Additionally, checks such as whether the self-signed cert (if it is self-signed) has a valid CA on the NetScaler.
Those are my thoughts.
Thanks
I have a usability request regarding the CRITICAL alert when polling VPXes for lbvserver and csvserver state which do not have any configured. This is reported as critical.
I think this should be customizable. I have manually edited the script to report OK.
if ( !scalar($response) ) {
    $plugin->nagios_exit( OK, $plugin->opts->command . ': no ' . $plugin->opts->objecttype . ' found in configuration' );
}
This allows me to poll all VPXes for lb/cs state, without knowing whether the VPX holds lb/csvservers or not, while still ensuring that future VIPs are monitored.
/Henrik
Is this plugin still alive? On a new SDX with 12.1: Build 51.19 all checks give me:
debug: target url is http://x.y.z//nitro/v1/config/nshardware
debug: response of request is:
$VAR1 = '{ "errorcode": 10005, "message": "Invalid Resource", "severity": "ERROR" }';
NetScaler UNKNOWN - { "errorcode": 10005, "message": "Invalid Resource", "severity": "ERROR" }
Check for licensing status of the appliance.
There is no licensing API available, so the files inside of /nsconfig/licensing need to be parsed manually.
Hello
How can I use a proxy to connect to my NetScaler?
I can't find the syntax to specify my proxy or to bypass it?
Is there a possibility?
Thanks
Does anyone have a command reference for NetScaler Nitro API?
Or the command for uptime?
The plugin needs a better implementation for checking the current HA state.
The current implementation through matches sucks.
Hi, just wanted to let you know that on Icinga 2 there is a problem with graphing a few checks. We are using Graphite to store performance data and fetch it from there.
Icinga 2 has some behaviour where it is a problem if the data output contains a label with a . in the name, like system.memory. A similar case was opened at the Icinga 2 community:
https://community.icinga.com/t/issue-icinga-not-showing-metrics-stored-in-graphite/466/3
example:
-icinga2 will not store graphs:
NetScaler OK - perfdata: ns_tcpcurserverconn: 9163 | 'ns.tcpcurserverconn'=9163;;
-icinga2 will store graphs:
NetScaler OK - perfdata: ns_tcpcurserverconn: 9163 | 'ns_tcpcurserverconn'=9163;;
After troubleshooting I made some changes on almost every line where I have $plugin->add_perfdata...
For example, changing the label inside the hash structure, replacing the "." with "_":
original:
$plugin->add_perfdata(
    label    => "'" . $plugin->opts->objectname . ".member_quorum'",
    value    => $member_quorum . '%',
    min      => 0,
    max      => 100,
    warning  => $member_quorum_warning,
    critical => $member_quorum_critical,
);
I have changed to this:
$plugin->add_perfdata(
    label    => "'" . $plugin->opts->objectname . "_member_quorum'",
    value    => $member_quorum . '%',
    min      => 0,
    max      => 100,
    warning  => $member_quorum_warning,
    critical => $member_quorum_critical,
);
After the changes were made, we are getting the graphs.
Maybe you should also think about changing the format of the output.
This plugin is great and thank you for sharing it with community.
KR,
Josip
Hello,
I'm trying to supervise our NetScaler and I run into a little problem.
When I try to check Memory (and everything else) I obtain this error, with or without the ssl option:
malformed JSON string, neither array, object, number, string or atom, at character offset 0 (before "LWP will support htt...") at Nitro.pm line 70.
We use a NetScaler Virtual Appliance, and the certificate isn't verified.
And these are the versions of the libraries:
perl-JSON-2.59-2
perl-libwww-perl-6.05-2
perl-Nagios-Plugin-0.36-9.1
If you have any idea?
Thanks.
The plugin should have another native check for testing the XML secure ticket service (STA).
STA issues are one of the main reasons for outages in NetScaler Gateway deployments.
Is it possible, to fetch one particular value of hwinfo like nsversion or hwdescription?
All threshold checks (check_threshold_above, check_string, ...) should also accept arrays.
Delete me
Hi,
it's for sure not the right way to post this here, but I don't know another way.
Even if I do the configuration as you wrote in your README, I can't get the check for the license files running with a user other than nsroot. With nsroot everything is working properly.
Always get this error --> NetScaler UNKNOWN - { "errorcode": 2138, "message": "Not authorized to execute this command [show system file -fileLocation "/nsconfig/license"]", "severity": "ERROR" }
I already tried to set the "add system cmdPolicy" command with user nagios and the effective user I use in the command line.
I am using the newest version: v1.6.1
Thanks in advance
Add a perltidy step in the Travis CI pipeline and fail if issues are found.
It would be nice to have a native Check (check_sslcert) which checks the expire date of all installed SSL certificates.
See latest commit in branch development (08e84bd).
Needs some testing, after that the fix could be merged into master.
When running the plugin with ntp check command:
$ ./check_netscaler.pl -H mynetscaler -s -C ntp -u nsroot -p secret
Use of uninitialized value in split at ./check_netscaler.pl line 1122.
Use of uninitialized value in split at ./check_netscaler.pl line 1131.
NetScaler OK - ntp: Offset -0.000324 secs, jitter=5.033, stratum=3, truechimers=1 | offset=-0.000324s;; jitter=5.033;;;0; stratum=3;;;0;16 truechimers=1;;;0;
Bad workaround: Temporarily disable perl warnings
$ grep "^use warnings" check_netscaler.pl
use warnings;
$ sudo sed -i "s/use warnings/#use warnings/" check_netscaler.pl
$ ./check_netscaler.pl -H mynetscaler -s -C ntp -u nsroot -p secret
NetScaler OK - ntp: Offset -0.000324 secs, jitter=5.139, stratum=3, truechimers=1 | offset=-0.000324s;; jitter=5.139;;;0; stratum=3;;;0;16 truechimers=1;;;0;
Real solution: Define variables.
Since NetScaler 12.0 there is an update check in the admin GUI.
I couldn't find any API method for this. I tried to reverse engineer the PHP code on the appliance to understand how the check works, but I couldn't find anything yet.
We need some kind of API from Citrix to get the latest version for a specific release (10.5, 11.0, 11.1, 12.0). This would be helpful for a lot of my customers.
Another possible resource to get the latest available version is the RSS feed from Citrix. But well, this might not be the best solution):
This would be cool for other products as well (XenMobile, XenDesktop, ...).
Argument "131.188.3.222" isn't numeric in numeric gt (>) at /opt/check_netscaler/check_netscaler.pl line 1277.
NetScaler CRITICAL - ntp: Offset 0.021974 secs, jitter=+0.787, stratum=131.188.3.222 (CRITCAL), truechimers=4
Hello.
I'm running OP5 on CentOS.
I see this with your plugin:
NetScaler CRITICAL - ntp: Server not synchronized, Offset unknown, jitter=-1, stratum=-1, truechimers=0
I think this relates to the title bug.
nagios-plugins/nagios-plugins#329
Could you add a small delay between checks? I'll be happy to test.
Thank you.
Hi,
we are trying to use check_netscaler against an SDX appliance but we got errors.
System: Netscaler SDX 8015 ver 11.1
Hypervisor: Citrix XenServer ver 6.5
Outputs:
# ./check_netscaler.pl -H <IPADDR> -s -C hwinfo -u <USER> -p <PASSWD> -v
debug: target url is https://<IPADDR>/nitro/v1/config/nshardware
NetScaler UNKNOWN
# ./check_netscaler.pl -H <IPADDR> -s -C interfaces -u <USER> -p <PASSWD> -v
debug: target url is https://<IPADDR>/nitro/v1/config/interface
NetScaler UNKNOWN
Poking the API via curl produces the following output; that endpoint is indeed missing:
# curl -k -u '<USER>:<PASSWD>' -XGET "https://<IPADDR>/nitro/v1/config/nshardware"
{ "errorcode": 10005, "message": "Invalid Resource", "severity": "ERROR" }
# curl -k -u '<USER>:<PASSWD>' -XGET "https://<IPADDR>/nitro/v1/config/interface"
{ "errorcode": 10005, "message": "Invalid Resource", "severity": "ERROR" }
Please let me know if this can be integrated with any details.
Hey,
Do you plan on implementing partition support? We use this heavily in our company.
That would make this excellent tool even better :)
Best regards,
Henrik
Hi,
Can you provide the perf_enabled template as we are referring to it, but it doesn't exist...
thanks
Hey,
I think we see the same issues on /stat/interface as we did on /stat/nspartition.
When polling for performance data like:
/home/user/check_netscaler.pl -t 1 -C perfdata -u nsroot -p password -s -H hostname -v -o interface -n errdroppedrxpkts -v
I get:
$VAR1 = '{ "errorcode": 0, "message": "Done", "severity": "NONE", "Interface": [ { "id": "10\/1", "curintfstate": "UP", "curlinkuptime": "209.11:10:58", "curlinkdowntime": "00:00:00", "totrxbytes": "1705768467627", "rxbytesrate": 506275, "tottxbytes": "1764413027029", "txbytesrate": 547663, "totrxpkts": "2994048284", "rxpktsrate": 727, "tottxpkts": "3352305004", "txpktsrate": 828, "jumbopktsreceived": "0", "jumbopktsreceivedrate": 0, "jumbopktstransmitted": "0", "jumbopktstransmittedrate": 0, "trun......
NetScaler UNKNOWN - perfdata: unable to parse data. Returned data is not a HASH or ARRAY!
Not sure if it is the same issue or because interface names are 10/1 - note the /
stat/interface is important to monitor (totrxpkts, errdroppedrxpkts) because of the packets per second assignment to a VPX from SDX.
Best regards,
Henrik
Hello!,
Great plugin, but check license always shows "never expires".
When using user nsmonitor (NetScaler 11.0):
./check_netscaler.pl -H netscaler -s -C license -n FID__xxx_xxx__xxx.lic -u nsroot -p nsroot -w 1 -c 1
NetScaler OK - license: CNS_SSE_SERVER never expires; CNS_V5_SERVER never expires;¿?¿?¿
./check_netscaler.pl -H hostname -u username -p passwd -s -C perfdata -o Interface -n rxbytesrate
NetScaler OK - perfdata: Interface.rxbytesrate[0]: 0; Interface.rxbytesrate[1]: 0; Interface.rxbytesrate[2]: 0; Interface.rxbytesrate[3]: 0; Interface.rxbytesrate[4]: 7941; Interface.rxbytesrate[5]: 3714; Interface.rxbytesrate[6]: 874196; Interface.rxbytesrate[7]: 4048; Interface.rxbytesrate[8]: 3677; Interface.rxbytesrate[9]: 2312; Interface.rxbytesrate[10]: 943678; Interface.rxbytesrate[11]: 7889; Interface.rxbytesrate[12]: 6122; Interface.rxbytesrate[13]: 0; Interface.rxbytesrate[14]: 104078; Interface.rxbytesrate[15]: 11635; Interface.rxbytesrate[16]: 6042; Interface.rxbytesrate[17]: 1817614; Interface.rxbytesrate[18]: 12097 | 'Interface.rxbytesrate[0]'=0;; 'Interface.rxbytesrate[1]'=0;; 'Interface.rxbytesrate[2]'=0;; 'Interface.rxbytesrate[3]'=0;; 'Interface.rxbytesrate[4]'=7941;; 'Interface.rxbytesrate[5]'=3714;; 'Interface.rxbytesrate[6]'=874196;; 'Interface.rxbytesrate[7]'=4048;; 'Interface.rxbytesrate[8]'=3677;; 'Interface.rxbytesrate[9]'=2312;; 'Interface.rxbytesrate[10]'=943678;; 'Interface.rxbytesrate[11]'=7889;; 'Interface.rxbytesrate[12]'=6122;; 'Interface.rxbytesrate[13]'=0;; 'Interface.rxbytesrate[14]'=104078;; 'Interface.rxbytesrate[15]'=11635;; 'Interface.rxbytesrate[16]'=6042;; 'Interface.rxbytesrate[17]'=1817614;; 'Interface.rxbytesrate[18]'=12097;;
It is giving rxbytesrate for all the interfaces.
Is there a way to get the metric for a particular interface instead of all interfaces,
or at least the "id" value (i.e., the name of the interface) instead of [1],[2]...?
The dependency on Nitro.pm should be dropped. It's very easy to implement the NITRO API with LWP itself (Nitro also uses LWP).
Also the login mechanism could be removed. It's possible to add two header fields (X-NITRO-USER and X-NITRO-PASS) in each request. This avoids the need for a login, which means we could reduce the HTTP requests from 3 to 1 for each check.
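
The single-request approach described above, as an added example (not code from check_netscaler or Nitro.pm): every request carries the X-NITRO-USER and X-NITRO-PASS headers, so the agent accepts only HTTPS with certificate verification on. The sub names, host name and credentials are placeholders, and it assumes LWP and JSON::PP are installed.

```perl
use strict;
use warnings;
use LWP::UserAgent;
use HTTP::Request;
use JSON::PP qw(decode_json);

# Build one self-authenticating NITRO GET request. The credentials travel in
# the X-NITRO-USER / X-NITRO-PASS headers, so no login or logout call is needed.
sub nitro_request {
    my (%arg) = @_;
    my $url = sprintf 'https://%s/nitro/v1/%s/%s',
        $arg{host}, $arg{endpoint}, $arg{objecttype};
    my $req = HTTP::Request->new( GET => $url );
    $req->header( 'X-NITRO-USER' => $arg{user} );
    $req->header( 'X-NITRO-PASS' => $arg{pass} );
    $req->header( 'Accept'       => 'application/json' );
    return $req;
}

# The password is sent with every request, so refuse plain HTTP and keep
# certificate and hostname verification switched on.
sub nitro_agent {
    return LWP::UserAgent->new(
        timeout           => 10,
        protocols_allowed => ['https'],
        ssl_opts          => { verify_hostname => 1 },
    );
}

# Decode a NITRO reply body. Anything that is not a JSON object (an LWP error
# page, for instance) or that carries a non-zero errorcode is a failure.
sub nitro_decode {
    my ($body) = @_;
    my $data = eval { decode_json($body) };
    return ( undef, 'response is not a JSON object' )
        unless ref($data) eq 'HASH';
    return ( undef, "NITRO error $data->{errorcode}: $data->{message}" )
        if $data->{errorcode};
    return ( $data, undef );
}

# Placeholder host and credentials (assumptions, not values from the page).
my $req = nitro_request(
    host => 'netscaler.example.net', endpoint   => 'config',
    user => 'monitor',               objecttype => 'nshardware',
    pass => 'placeholder',
);
print $req->method, ' ', $req->uri, "\n";

# Reply body quoted on this page for an appliance without that resource.
my ( $data, $err ) = nitro_decode(
    '{ "errorcode": 10005, "message": "Invalid Resource", "severity": "ERROR" }' );
print defined($err) ? "UNKNOWN - $err\n" : "OK\n";
# To send the request for real: my $res = nitro_agent()->request($req);
```
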
Hi,
first thank you for the great work.
In line 227 (check_netscaler.pl) you set the URL statically to "/nitro/v1/". However, I noticed that we can request some information from our SDX instance through "/nitro/v1/" but some exclusively through "/nitro/v2/". Because of that I implemented an iterative check for the correct nitro version myself.
Do you also have this problem, and do you have any advice on solving this "problem"?
Kind regards
Marco
Hello,
I extended your script to check if a particular ACL is enabled. Specifically the Deny_All acl. When we update the firmware in our ADC cluster the Deny_All gets automatically removed and the admin sometimes forgets to replace it.
The code below starts on line 366, just below the elsif ($plugin->opts->objecttype eq 'server') stanza.
    } elsif ($plugin->opts->objecttype eq 'nsacl') {
        $params{'endpoint'} = $plugin->opts->endpoint || 'config';
        $field_name = 'aclname';
        $field_state = 'state';
        $enable_perfdata = 0;
We're using version v1.4.0 (2017-08-20)
We should probably upgrade. :)
Hope you find this useful.
Thanks,
Erik Mallory
Monitoring check for NTP connectivity and time sync status.
Patch Nitro.pm to support SSL connections
The plugin returns invalid performance data values. According to the Nagios Plugins Development Guidelines the value has to be in class [-0-9.] and 'a' for the UOM (unit of measurement) is not supported.
icinga2.log
[2019-09-24 06:14:55 +0200] warning/InfluxdbWriter: Ignoring invalid perfdata value: ns.hacurstate=UP;;
[2019-09-24 06:14:55 +0200] warning/InfluxdbWriter: Ignoring invalid perfdata value: ns.hacurmasterstate=Primary;;
[2019-09-24 06:15:13 +0200] warning/InfluxdbWriter: Ignoring invalid perfdata value: hapktrxrate=5a;;;0;
[2019-09-24 06:15:13 +0200] warning/InfluxdbWriter: Ignoring invalid perfdata value: hapkttxrate=5a;;;0;
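
A pre-flight check for the rule quoted above, as an added example (not part of check_netscaler): it tests each perfdata item against the value and UOM rules of the Nagios Plugins Development Guidelines and also flags dotted labels, the other perfdata problem reported on this page. The sub name perfdata_problems is hypothetical; the sample items are copied from outputs quoted on this page.

```perl
use strict;
use warnings;

# UOMs listed in the Nagios Plugins Development Guidelines ('' = no unit).
my %VALID_UOM = map { $_ => 1 } ( '', qw(s us ms % B KB MB TB c) );

# Return the reasons one perfdata item (label=value[UOM];warn;crit;min;max)
# would be rejected. An empty list means the item is well-formed.
sub perfdata_problems {
    my ($item) = @_;
    my ( $label, $rest ) = $item =~ /^('[^']+'|[^'=\s]+)=(.*)$/
        or return ('not in label=value form');

    my @problems;
    my ($value_uom) = split /;/, $rest, 2;
    $value_uom //= '';

    if ( $value_uom eq 'U' ) {
        # "U" is the guidelines' marker for an undetermined value.
    }
    elsif ( $value_uom =~ /^-?(?:\d+(?:\.\d*)?|\.\d+)(.*)$/ ) {
        # Numeric prefix found; whatever follows it is the UOM.
        push @problems, "unsupported UOM '$1'" unless $VALID_UOM{$1};
    }
    else {
        push @problems, "value '$value_uom' is not numeric";
    }

    # Not a guideline rule: dotted labels are what the Graphite report on
    # this page worked around by switching to underscores.
    push @problems, 'label contains "."' if $label =~ /\./;
    return @problems;
}

# Perfdata items copied from the log excerpt and plugin outputs on this page.
my @samples = (
    'ns.hacurstate=UP;;',
    'hapktrxrate=5a;;;0;',
    "'ns_tcpcurserverconn'=9163;;",
    'offset=-0.000324s;;',
);
for my $item (@samples) {
    my @p = perfdata_problems($item);
    printf "%-32s %s\n", $item, @p ? 'INVALID: ' . join( '; ', @p ) : 'ok';
}
```
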
To view global counters that are not otherwise shown by the NetScaler CLI or the NITRO API, you can now use the following URL format.
URL: http:///nitro/v1/stat/nsglobalcntr?args=counters:;
Previously, these counter values could be viewed only through the "nsconmsg" Shell command.
For more information, see https://docs.citrix.com/en-us/netscaler/12/nitro-api/nitro-rest/nitro-rest-usage-scenarios/view-individual-counter-info.html.
[# 622976]
I am able to connect successfully to our netscaler using check_netscaler and can query license, interface, hwinfo successfully. However we have two Citrix Gateway virtual servers, which as far as I can see are VPN virtual servers on VPNvServer in check_netscaler terms, however, when we try to get state info for these, we just get the error "NetScaler CRITICAL - state: no VPNvServer found in configuration".
The command we are using is:
.../check_netscaler.pl -H X.X.X.X --username=someone --password=difficult --command=status --objecttype=VPNvServer -ssl
We have also tried specifying the object name, with no luck.
.../check_netscaler.pl -H X.X.X.X --username=someone --password=difficult --command=status --objecttype=VPNvServer --objectname="_XD_Netscaler Gateway" --ssl
After upgrading to version 13.0 Build 82.45 the value of cpuusegepcnt seems to be wrong.
Output of Plugin:
NetScaler CRITICAL - above: system.rescpuusagepcnt is above threshold (current: 4294967295, critical: 90); system.mgmtcpuusagepcnt: 0.2 | 'system.rescpuusagepcnt'=4294967295;80;90 'system.mgmtcpuusagepcnt'=0.2;80;90
Any idea?