Detailed explanation of Linux using ss command combined with zabbix to monitor socket

Preface
1. ss command
2. Overall socket status of zabbix monitoring machine

2.1. Write a script
2.2. Configure the configuration file of zabbix agent
2.3. Configure the zabbix template

3. The number of requests from each machine to the zabbix monitoring machine

3.1. Writing scripts
3.2. Configure the zabbix_agent.conf file
3.3. Configure Discovery, item, trigger, and graph

Preface

Here we use zabbix to monitor it, using the ss command instead of the netstat command, because ss is much faster. If you don't believe it, you can test it. The more sockets a machine has, the more obvious the contrast. And the ss command can display more content. In fact, I am not particularly familiar with these two commands. Through man ss, I can see:

1. ss command

The ss command is used to display socket status. It can display statistics for PACKET sockets, TCP sockets, UDP sockets, DCCP sockets, RAW sockets, Unix domain sockets, and more. It displays more tcp and state information than other tools. It is a very practical, fast, and effective new tool for tracking IP connections and sockets. The SS command can provide the following information:

All TCP sockets
All UDP sockets
All ssh/ftp/ttp/https persistent connections
All local processes connected to the Xserver
Use state (e.g. connected, synchronized, SYN-RECV, SYN-SENT, TIME-WAIT), address, and port filtering
All state FIN-WAIT-1 tcpsocket connections and more

Many popular Linux distributions support ss and many monitoring tools use ss commands. Familiarity with this tool will help you better discover and solve system performance problems. I strongly recommend using ss commands instead of some netstat commands, such as netsat -ant/lnt, etc.

Direct ss command

To explain the above:

Netid #socket type. In the above example, there are TCP, u_str (unix stream) and other sockets. State #What state is the socket in? Below are all the states and descriptions of TCP sockets, which are actually all the states of TCP's three-way handshake and four-way handshake. Recv-Q #In the ESTAB state, it indicates how many bytes of data in the kernel have not been read by the upper-layer application. If the value here is large, the application may be blocked. Send-Q #In the ESTAB state, it indicates how many bytes of data in the kernel send queue have not received the confirmation ACK. If this value is large, it indicates that the receiving end's reception and processing need to be strengthened. Local Address:Port #Local address and port Peer Address:Port #Remote address and port

Then let's look at the states above. If you are familiar with the network, you should understand it very well. At least I am not very familiar with it now. The states of three handshakes and four waves are:

: : : : : : : : : : : : : : : : : : : : : : : : : : : : : : : : : : : : : : : : : : : : : : : : : : : : : : : : : : : : : : : : : : : : : : : : : : : : : : : : : : : : : : : : : : : : : : : : : : : : : : : : : : : : : : : : : : : : : : : : : : : : : : : : : : : : : : : : : : : : : : : : : : : : : : : : : : : : : : : : : : : : : : : : : : : : : : : : : : : : : : : : : : : : : : : : : : : : : : : : : : : : : : : : : : : : : : : : : : : : : : : : : : : : : : : : : : : : : : : : : : : : : : : : : : : : : : :

So how do these status ss commands correspond? (The following is the status information displayed by the ss command)

[TCP_ESTABLISHED] = "ESTAB",
[TCP_SYN_SENT] = "SYN-SENT",
[TCP_SYN_RECV] = "SYN-RECV",
[TCP_FIN_WAIT1] = "FIN-WAIT-1",
[TCP_FIN_WAIT2] = "FIN-WAIT-2",
[TCP_TIME_WAIT] = "TIME-WAIT",
[TCP_CLOSE] = "UNCONN",
[TCP_CLOSE_WAIT] = "CLOSE-WAIT",
[TCP_LAST_ACK] = "LAST-ACK",
[TCP_LISTEN] = "LISTEN",
[TCP_CLOSING] = "CLOSING",

Now you can do the following monitoring. Continue reading the usage of ss command.

Usage: ss [ OPTIONS ]
ss [ OPTIONS ] [ FILTER ]

-h, --help help information -V, --version program version information -n, --numeric do not resolve service names -r, --resolve resolve host names -a, --all display all sockets
-l, --listening Display listening sockets
-o, --options Display timer information -e, --extended Display detailed socket information -m, --memory Display socket memory usage -p, --processes Display the process using the socket -i, --info Display TCP internal information -s, --summary Display socket usage overview -4, --ipv4 Display only IPv4 sockets
-6, --ipv6 Show only IPv6 sockets
-0, --packet Display PACKET socket
-t, --tcp Show only TCP sockets
-u, --udp show only UCP sockets
-d, --dccp Show only DCCP sockets
-w, --raw show only RAW sockets
-x, --unix show only Unix sockets
-f, --family=FAMILY displays sockets of type FAMILY, FAMILY is optional, supports unix, inet, inet6, link, netlink
-A, --query=QUERY, --socket=QUERY
QUERY := {all|inet|tcp|udp|raw|unix|packet|netlink}［,QUERY］
-D, --diag=FILE Dump raw TCP socket information to file -F, --filter=FILE Remove filter information from file FILTER := [ state TCP-STATE ] [ EXPRESSION ]

The focus is on the following monitoring

2. Overall socket status of zabbix monitoring machine

Before doing this monitoring, you can familiarize yourself with the awk command

The monitoring system used here is zabbix. We will combine the zabbix template (the template is selected here for later expansion) and custom scripts for monitoring.

2.1. Write a script

Without further ado, here is the script:

vim tcp_status.sh
#################Script content#################
#!/bin/bash
if [ $# -ne 1 ];then
    echo "Follow the script name with an argument "
fi

case $1 in

    LISTEN)
        result=`ss -ant | awk 'NR>1 {a[$1]++} END {for (b in a) print b,a[b]}' | awk '/LISTEN/{print $2}'`
        if [ "$result" == "" ]; then
               echo 0
        else
           echo $result
        fi
        ;;

    ESTAB)
        result=`ss -ant | awk 'NR>1 {a[$1]++} END {for (b in a) print b,a[b]}' | awk '/ESTAB/{print $2}'`
        if [ "$result" == "" ]; then
               echo 0
        else
           echo $result
        fi
        ;;


    CLOSE-WAIT
        result=`ss -ant | awk 'NR>1 {a[$1]++} END {for (b in a) print b,a[b]}' | awk '/CLOSE-WAIT/{print $2}'`
        if [ "$result" == "" ]; then
               echo 0
        else
           echo $result
        fi
        ;;

    TIME-WAIT)
        result=`ss -ant | awk 'NR>1 {a[$1]++} END {for (b in a) print b,a[b]}' | awk '/TIME-WAIT/{print $2}'`
        if [ "$result" == "" ]; then
               echo 0
        else
           echo $result
        fi
        ;;

    SYN-SENT)
        result=`ss -ant | awk 'NR>1 {a[$1]++} END {for (b in a) print b,a[b]}' | awk '/SYN-SENT/{print $2}'`
        if [ "$result" == "" ]; then
               echo 0
        else
           echo $result
        fi
        ;;

    SYN-RECV)
        result=`ss -ant | awk 'NR>1 {a[$1]++} END {for (b in a) print b,a[b]}' | awk '/SYN-RECV/{print $2}'`
        if [ "$result" == "" ]; then
               echo 0
        else
           echo $result
        fi
        ;;

    FIN-WAIT-1)
        result=`ss -ant | awk 'NR>1 {a[$1]++} END {for (b in a) print b,a[b]}' | awk '/FIN-WAIT-1/{print $2}'`
        if [ "$result" == "" ]; then
               echo 0
        else
           echo $result
        fi
        ;;

    FIN-WAIT-2)
        result=`ss -ant | awk 'NR>1 {a[$1]++} END {for (b in a) print b,a[b]}' | awk '/FIN-WAIT-2/{print $2}'`
        if [ "$result" == "" ]; then
               echo 0
        else
           echo $result
        fi
        ;;

    UNCONN)
        result=`ss -ant | awk 'NR>1 {a[$1]++} END {for (b in a) print b,a[b]}' | awk '/UNCONN/{print $2}'`
        if [ "$result" == "" ]; then
               echo 0
        else
           echo $result
        fi
        ;;

    LAST-ACK
        result=`ss -ant | awk 'NR>1 {a[$1]++} END {for (b in a) print b,a[b]}' | awk '/LAST-ACK/{print $2}'`
        if [ "$result" == "" ]; then
               echo 0
        else
           echo $result
        fi
        ;;

    CLOSING)
        result=`ss -ant | awk 'NR>1 {a[$1]++} END {for (b in a) print b,a[b]}' | awk '/CLOSING/{print $2}'`
        if [ "$result" == "" ]; then
               echo 0
        else
           echo $result
        fi
        ;;
 esac

2.2. Configure the configuration file of zabbix agent

vim zabbix_agent.conf
##############Add the following content#################
UnsafeUserParameters=1 #This parameter is required for custom scripts UserParameter=tcp.status[*],sh /home/zabbix/tcp_status.sh $1 #This is used to specify the script just written, and then pass a parameter

Remember to restart zabbix agent after configuration

2.3. Configure the zabbix template

Add item, trigger, graph to it

Add a new template and then add item to it, as shown in the following figure

The tcp.status in the key in the above figure refers to the configuration just in step 2 UserParameter=tcp.status[*],sh /home/zabbix/tcp_status.sh \$1

Then the content in the brackets is the parameter passed by \$1. The specific parameter is UNCONN in [UNCONN]. These values correspond to each case in the case of the first step monitoring script. It is basically completed here. No, let's draw a graph and add a graph to the template, as shown in the following figure:

The most important step is to add the host with the monitoring script configured (the first step) to the template. So far, the monitoring is complete. Let's take a look at the result chart.

3. The number of requests from each machine to the zabbix monitoring machine

The purpose of this monitoring is to see which machines access the target machine more frequently.

This monitoring uses self-discovery monitoring, which is a little more difficult than the above one. Why choose self-discovery monitoring? Because the item is not certain. Here we choose: the original address IP and the destination IP address as the item. We monitor the destination IP address, which is unchanged, so the original address IP value will change. Therefore, the automatic generation of items is used for monitoring here. Automatically add and delete items. It is actually very easy to use. Once you learn it, it is super simple.

This is also divided into three steps: writing scripts, configuring zabbix_agent.conf files, and configuring Discovery

3.1. Writing scripts

Two scripts are needed here, one for self-discovery (needs to output json format) and one for item)

vim tcp_monitory.sh
##################tcp_monitor.sh##################
#!/bin/bash
#Get the data and output it to the data.txt file. The format is: original address ip: count: target address ip
#And filter out the data with count less than 200. There is no socket status here. It is too complicated. Individuals can improve it according to specific needs. ip_addr=`ip addr | grep -w inet | grep -v "127.0.0.1" | awk '{print $2}'| awk -F "/" '{print $1}'`
ss -ant | awk '{ print $5}'|grep -Ev '127.0.0.1' | cut -d ':' -f4 | awk -v ip_addr=$ip_addr 'NR>1 {++s[$1]} END {for(k in s)if(s[k]>=200){print k,s[k],ip_addr}}' | grep -E "^([0-9]{1,3}\.){3}[0-9]" > /home/zabbix/data.txt

#Execute the Python script to output the json format.
python /home/zabbix/get_json.py

#####################################
#The following is the content of get_json.py##############get_json.py#################
#!/usr/bin/env python
#coding=utf-8
import json

def create_json(path):
    json_list = []
    with open(path) as f:
        for line in f.readlines():
            dict = {}
            split = line.split(" ")
            dict["{#DES_IP}"] = split[0]
            //dict["{#LINK_COUNT}"] = split[1] //This is optional dict["{#SOU_IP}"] = split[2][:-1]
            json_list.append(dict)
    sum = {}
    sum["data"] = json_list
    sum = json.dumps(sum)
    print sum


if __name__ == '__main__':
    path = "/home/zabbix/data.txt"
    create_json(path)

###############Dividing line: The above is a self-discovered script###############
###############Dividing line: The following is the item related script###############
vim tcp_item.sh
##################tcp_item.sh####################
#!/bin/bash
export LANG="en_US.UTF-8"
path=/home/zabbix/data.txt
count=`cat $path | grep $1 | grep $2 | awk '{print $2}'`
[ 1 "$count" -eq 1 ] && echo 0 || echo $count

Now that both scripts are done, you can configure zabbix_agent.conf

3.2. Configure the zabbix_agent.conf file

Add the following content to the configuration file:

UnsafeUserParameters=1 #If it has already been configured, it does not need to be configured UserParameter=discovery.tcp_monitor[*],sh /home/zabbix/tcp_monitor.sh #Self-discovery UserParameter=alert.tcp_count[*],sh /home/zabbix/tcp_item.sh $1 $2 #item, where $1 and $2 are the transfer parameters in item to distinguish the different items

3.3. Configure Discovery, item, trigger, and graph

Here we still choose to configure on the zabbix template, now add a Discovery

Then configure item, trigger, and graph on Discovery

Configuration item:

The above DES_IP and SOU_IP are derived from the Python script in the self-discovery script and are used for output format. alter.tcp_count is UserParameter=alert.tcp_count[*],sh /home/zabbix/tcp_item.sh \$1 \$2, and the following \$1, \$2 correspond to DES_IP, SOU_IP to generate a unique item.

After the item is configured, you can configure the trigger:

Next, continue to configure the graph

Finally, add the template to the machine and see the results

The above is a detailed explanation of how to use the Linux ss command combined with zabbix to monitor the socket. For more information about Linux ss command zabbix socket monitoring, please pay attention to other related articles on 123WORDPRESS.COM!

You may also be interested in:

How to use ss command instead of netstat in Linux operation and maintenance
Detailed explanation of Linux ss command
Linux inter-process communication method socket usage example
The difference between non-blocking mode and blocking mode of Linux UDP socket
Linux network programming UDP Socket program example
Linux network programming socket file transfer example
Zabbix monitors Linux hosts based on snmp
Zabbix monitors the process of Linux system services
How to set up Zabbix to monitor Linux hosts
Detailed explanation of the implementation method of Linux monitoring important processes

<<: How to build a MySQL PXC cluster

>>: Analysis and treatment of scroll bars in both HTML and embedded Flash