Topic: SNMP for Netscaler - For Real!

jmelika
SNMP for Netscaler - For Real!
« on: August 08, 2007, 09:27:15 AM »
I don't want to bash Citrix.  Those guys rock.  But let's face it.  Their documentation for SNMP, and others, is lacking big time.  It took me forever trying to get some basic SNMP monitoring on my NetScaler boxes.  Here it is.  So that we're all clear, this is for NetScaler 9000 series and using a Windows Server to monitor it.

First, you need to configure your NetScaler boxes with the appropriate SNMP information.  Simply from the GUI go to System/SNMP and setup a community.  I suggest you make the community name not simple to figure out.  Think of it as the password.  You know that.

Second, get yourself a decent SNMP reporting tool.  Everyone knows about MRTG (http://oss.oetiker.ch/mrtg/).  Well, it's free and does the job, but I hate it.  For about $100, you can get yourself a more friendly tool called PRTG (http://www.paessler.com/prtg/).  Highly recommended.  Install it and then you're ready to start configuring it.

Assuming that the software is working at this point and you can browse to the PRTG web interface, we'll proceed by adding the sensors.  Add a new sensor and choose at the Data Acquisition Type screen the SNMP option.  At the following screen, choose Custom SNMP Sensor.  Next you will fill out the Device Alias, IP address (I normally use a VIP and not the NSIP in the event of running an HA Pair.  This way I am monitoring the active box and not necessarily each box individually for these counters), Version should be v2c, port 161, and SNMP Community String should be the one you created earlier (remember the password?).

The OIDs I use are:
1.3.6.1.4.1.5951.4.1.1.46.1.0 (Current TCP Server Connections)
1.3.6.1.4.1.5951.4.1.1.46.2.0 (Current TCP Client Connections)
1.3.6.1.4.1.5951.4.1.1.46.8.0 (Active TCP Server Connections)

For all three OIDs, make sure you change the Type from Delta to Gauge.  I normally put Connections in the Unit field, but it's optional.  Finally, be sure to Test the OID on that screen for the Next button to become available.

That's really it.  If you're interested in browsing more SNMP options on the NetScaler, download the file /netscaler/snmp/NS-MIB-smiv2.mib from your NetScaler (mine is running version 7.0).  You can walk that MIB using any MIB walker tool available out there.  I spent a long time looking for a good one and I came across iReasoning MIB Browser (http://www.ireasoning.com/).  It's free.

Please let me know if you come across any trouble setting up SNMP on NetScaler using this document.  Also, please share with everyone if you came across other useful counters to add to the SNMP monitoring.

JM
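As an added example (not part of the original post), here is a dependency-free SNMPv2c GET client in Python that polls exactly the three NetScaler OIDs listed above and decodes the Gauge32 answers, including the noSuchObject reply you get back when an OID is mistyped. The community string, host and counter values used when exercising it are constructed placeholders, not values from the post.

```python
import socket
# The three NetScaler gauges from the post (Citrix enterprise arc 1.3.6.1.4.1.5951)
NS_OIDS = ["1.3.6.1.4.1.5951.4.1.1.46.1.0",   # Current TCP Server Connections
           "1.3.6.1.4.1.5951.4.1.1.46.2.0",   # Current TCP Client Connections
           "1.3.6.1.4.1.5951.4.1.1.46.8.0"]   # Active TCP Server Connections
INTEGER, NULL, OID, GAUGE32, NO_SUCH = 0x02, 0x05, 0x06, 0x42, (0x80, 0x81)
def _tlv(tag, body):                       # BER tag-length-value, short or long definite length
    n = len(body)
    lb = b"" if n < 128 else n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, n if n < 128 else 0x80 | len(lb)]) + lb + body
def _int(v, tag=INTEGER):                  # non-negative INTEGER or Gauge32 (two's complement)
    return _tlv(tag, v.to_bytes(v.bit_length() // 8 + 1, "big"))
def _oid(s):                               # dotted OID -> base-128 sub-identifiers
    p = [int(x) for x in s.split(".")]
    out = bytearray([40 * p[0] + p[1]])
    for x in p[2:]:
        chunk = [x & 0x7F]
        while x > 0x7F:
            x >>= 7; chunk.insert(0, (x & 0x7F) | 0x80)
        out += bytes(chunk)
    return _tlv(OID, bytes(out))
def _read(buf, i):                         # -> (tag, body, index just past this TLV)
    tag, n, i = buf[i], buf[i + 1], i + 2
    if n & 0x80:
        n, i = int.from_bytes(buf[i:i + (n & 0x7F)], "big"), i + (n & 0x7F)
    return tag, buf[i:i + n], i + n
def build_pdu(community, varbinds, pdu_tag=0xA0, request_id=1):
    """SNMPv2c message (version field 1) around a GetRequest (0xA0) or GetResponse (0xA2) PDU."""
    vbl = b"".join(_tlv(0x30, _oid(o) + v) for o, v in varbinds)
    pdu = _tlv(pdu_tag, _int(request_id) + _int(0) + _int(0) + _tlv(0x30, vbl))
    return _tlv(0x30, _int(1) + _tlv(0x04, community.encode()) + pdu)
def parse_response(packet, oids):
    """{oid: value} for the requested oids; None where the agent answered noSuchObject/noSuchInstance."""
    _, msg, _ = _read(packet, 0)
    _, _, i = _read(msg, 0); _, _, i = _read(msg, i)        # skip version and community
    tag, pdu, _ = _read(msg, i)
    if tag != 0xA2: raise ValueError("not a GetResponse PDU")
    _, _, i = _read(pdu, 0); _, err, i = _read(pdu, i); _, _, i = _read(pdu, i)
    if any(err): raise ValueError("SNMP error-status %d" % int.from_bytes(err, "big"))
    _, vbl, _ = _read(pdu, i)
    by_raw, out, i = {_oid(o): o for o in oids}, {}, 0       # match answers back to what we asked
    while i < len(vbl):
        _, vb, i = _read(vbl, i); otag, oid, j = _read(vb, 0); vtag, val, _ = _read(vb, j)
        out[by_raw.get(_tlv(otag, oid), "unexpected")] = None if vtag in NO_SUCH else int.from_bytes(val, "big")
    return out
def snmp_get(host, community, oids=NS_OIDS, timeout=2.0):
    """Poll the NetScaler (VIP or NSIP) on UDP/161 with one GetRequest; needs network access."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(build_pdu(community, [(o, _tlv(NULL, b"")) for o in oids]), (host, 161))
        return parse_response(s.recv(4096), oids)
```

A wrong community string produces no reply at all (the socket times out), whereas a wrong OID comes back as None, so the two failure modes are easy to tell apart.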

sfrancis
Re: SNMP for Netscaler - For Real!
« Reply #1 on: December 08, 2008, 12:55:09 PM »
This reply is highlighting a product that solves this issue, but I did clear it with the site owner...
Yes, Netscaler monitoring is painful - figuring out what to monitor, then how to convert VIPs into OIDs, both are non-trivial. And then keeping monitoring up to date takes more time...
I ran datacenters for years, for different companies (one of them being Citrix - before they bought Netscaler), and used Netscalers at most of them.  Providing monitoring that worked for Netscalers, and for datacenters in general, was what led to the creation of the company I'm currently at, LogicMonitor.com.
Addressing Netscaler monitoring, LogicMonitor will:
- automatically discover all VIPs, and classify them as content switching or load balancing. It will make instantly available for each VIP charts of traffic, connections, responses, etc (and for load balancing VIPs, the number of up, down and out of service services, and time to first byte, with appropriate alerts.). It will also automatically create overview graphs, so you can see all requests broken down by VIP on a single graph, so it's easy to see anomalous behavior. (e.g. which of my 10 VIPs suddenly had its connections shoot way up?)
- automatically detect whether integrated caching is enabled, and if so, generate charts and alerts regarding hit rate, and recommending cache tuning techniques.
- detect whether GSLB is enabled, with more charts and alerts
- detect whether the netscalers are part of a HA pair, and if so monitor synchronization, cluster health, etc
- detect all interfaces and aggregated links, and chart and alert on them
- detect all the Policies in place on the Netscalers, and chart hit rate of each one (and again, with overview graphs, you can see an overview of all policies on one graph.)

There is more (monitoring of DNS responses, uptime, hardware, global CPU, memory, responses, Syn Floods, disks, etc), but the idea is that we have gone through the entire Netscaler MIB, and determined what you should be charting, what you should be alerted on, and set sensible default alert thresholds. (Alert thresholds are customizable on a group level, a host level, or individual VIP level.)

Also, LogicMonitor is a hosted service - so there is no big software installation or hardware requirements, and you can be running in minutes. (There is a small agent that runs inside the datacenter, but with only 4 responses needed for configuration and installation, it can be up on a windows or linux server very quickly).
Enter the Netscaler's name or IP in the LogicMonitor portal for your account running in our high availability datacenter, and your Netscaler monitoring issues are solved.
LogicMonitor also keeps itself up to date - so if you add a new VIP or make any other changes, you do not have to change monitoring - LogicMonitor will notice, and add the new VIP to monitoring automatically, within minutes.

And one final feature I wanted to mention - with LogicMonitor, you can easily classify and filter discovered VIPs: so you can do things like define simple rules that say "If the VIP name includes the word 'prod' then apply the default alert thresholds (requiring at least 2 services up for the VIP, etc). If not, apply these different alert thresholds". Then all your production VIPs will be displayed together, while QA and stage will be together and have more appropriate thresholds and alert escalation rules.

LogicMonitor was meant to solve the operational issues of monitoring Netscalers (and other datacenter devices), so I'd value this community's feedback. We're not free, but will certainly save you a lot of time, and hence money, in making sure your Netscalers are monitored appropriately.
Check us out - http://www.logicmonitor.com/services/logicmonitor-hosted-monitoring-service/monitoring-load-balancers/

Thanks
Steve Francis

jmelika
Re: SNMP for Netscaler - For Real!
« Reply #2 on: January 12, 2009, 11:28:38 AM »
Steve,

Thank you for your post.  It is certainly a demanded service.  I have not done the trial, but I intend on it soon.  I have to clear it with my client(s) who desperately need it now.  My question is, is it SNMP based?  Does the application require any sort of authentication against the NS to collect all this data?  I'm assuming the answer is yes if it's auto updating the VIPs.  I can tell you this will make people more nervous about releasing their NS authentication to a third party, than comfortable that their NS is now being monitored.

Just my $0.02.

JM

sfrancis
Re: SNMP for Netscaler - For Real!
« Reply #3 on: January 26, 2009, 01:48:35 PM »
The system is (for netscalers) snmp based. (Other devices are monitored with whatever is appropriate: WMI, JMX, native API, etc).
An snmp read-only community is defined in the LogicMonitor web portal for use in querying the netscaler - but as the snmp data is being collected by an agent inside your datacenter (you only need one agent for a whole datacenter: you can do multiple ones for different security zones, or redundancy, etc) the community should be set up to only be valid from your own IP address (i.e. your host where you run the agent.)

All traffic from the agent to the central servers is SSL encrypted, so no possibility of credentials being sniffed. So, assuming you set up snmp access control, even if someone did get into the central servers (which are continuously scanned for vulnerabilities); did break in to the central DB for your account (each account has its own database to eliminate chances of cross account information leakage) and somehow got your read only community for the netscaler, they still could do nothing with it, unless they also broke into one of your own servers to issue the commands from.
They could not attack your servers via the LogicMonitor agent - it has no incoming connections.
Let me know if you still have concerns or questions...