Messages - normalcy

#61
General / git.netxms.org down?
December 21, 2017, 04:00:19 AM
Just wondering if git.netxms.org is down or moved?  I usually track changes via sourcetree and I receive this error when trying to pull changes:

git -c diff.mnemonicprefix=false -c core.quotepath=false fetch origin
fatal: repository 'https://git.netxms.org/public/netxms.git/' not found
Completed with errors, see above.


I notice that the web interface https://git.netxms.org/public/netxms.git/shortlog?js=1  is 13 days out of date which is about when I stopped being able to pull changes.

Has the repo moved, or is it down for anyone else?

Cheers.
#62
Hi all.  Looking at the agent tunnel functions and wondering how some of you have deployed them operationally?

I can see their utility for allowing hole-punching out of a proxy site back to the server, but how do you do this securely?

Are you placing the NetXMS server on the public internet to receive the tunnels? 

Or are some of you using an extra NetXMS server in a DMZ and forwarding events/alarms to a primary server behind the firewall?  Using an SSL proxy like nginx to unwrap and forward to the server behind the firewall?

Just curious of any deployment recommendations that can avoid directly placing the server online?  Or is the SSL code sufficiently isolated from the rest of the server and I'm being paranoid?

Cheers.
#63
Hi all, I have a WMI DCI that pulls the Dell service tag from the Windows machines running the NetXMS agent.

WMI.Query(root\cimv2,select * from Win32_ComputerSystemProduct,IdentifyingNumber)

This number is generally not what is entered when calling up support, they prefer the DTMF friendly Express Service Code that is a numerical version of the Service Tag (easier to type on number pad).
I've found a couple of links that describe the service tag as a base-36 number [A-Z][0-9] that you just convert to decimal.

http://creativyst.com/Doc/Articles/HT/Dell/DellNumb.htm
https://serverfault.com/questions/589774/how-to-convert-a-dell-service-tag-to-an-express-service-code

What is the best way to do this in NetXMS?

Do I create a DCI that takes the same WMI query and uses a transformation script to convert the number?  Is this possible in NXSL with base36 conversion to decimal?

Or if NXSL can't handle arbitrary bases do I have to use an external Python/nxshell script to do the conversion and call that from a DCI?

My goal is to get it represented as a DCI to display on the object details tab and in DCI summary tables.

Thanks for any suggestions.
#64
Hello Marco, although I can't answer your problem I can add that I've had the same thing happen to me on 2.1.2 server and agent.

64bit agents on windows 10, one will find all counters during the config poll, the other will fail with the same message as you.

Haven't yet had time to look any deeper into it, I guess enabling some debug logging on the agent will be the first step we're told to try unless someone has an idea of what it could be.
#65
Has anyone used agent external parameters/scripts to pull info for guest VMs from Proxmox VE?  Just starting to think about how to do this.

I see they have a documentation website for their REST-like api which it looks like you can call from a CLI tool called pvesh which might work well with the agent external parameter?

https://pve.proxmox.com/wiki/Proxmox_VE_API
https://pve.proxmox.com/pve-docs/api-viewer/index.html
#66
Looking at my mikrotik routers I now realise that none of them display any topology info, and functions like "right click" > "topology" > "switch forwarding database" are empty too.

In Tomas' linked ticket, Alex mentions that the bridge MIB should provide some info (.1.3.6.1.2.1.17.4.3.1.1-3).  I don't get anything back from that whole tree other than 3 rows of STP info on any devices (CRS/CCR/AH1100).
.1.3.6.1.2.1.17.1.1.0 [Hex-STRING] = 00 00 00 00 00 00
.1.3.6.1.2.1.17.2.1.0 [INTEGER] = 3
.1.3.6.1.2.1.17.2.2.0 [INTEGER] = 32768


I have a mix of mikrotik devices with and without switch chips, but most of them are just using bridged interfaces as routers only.  I can only find L2 neighbour information under:

LLDP MIB
.1.0.8802.1.1.2.1.3  &  .1.0.8802.1.1.2.1.4 for LLDP

Mikrotik Neighbour Table (mtxrNeighbourTable .1.3.6.1.4.1.14988.1.1.11.1)
> ip neighbor print oid
0 ip-address=.1.3.6.1.4.1.14988.1.1.11.1.1.2.6 mac-address=.1.3.6.1.4.1.14988.1.1.11.1.1.3.6
   version=.1.3.6.1.4.1.14988.1.1.11.1.1.4.6 platform=.1.3.6.1.4.1.14988.1.1.11.1.1.5.6
   identity=.1.3.6.1.4.1.14988.1.1.11.1.1.6.6 software-id=.1.3.6.1.4.1.14988.1.1.11.1.1.7.6

1 ip-address=.1.3.6.1.4.1.14988.1.1.11.1.1.2.7 mac-address=.1.3.6.1.4.1.14988.1.1.11.1.1.3.7
   version=.1.3.6.1.4.1.14988.1.1.11.1.1.4.7 platform=.1.3.6.1.4.1.14988.1.1.11.1.1.5.7
   identity=.1.3.6.1.4.1.14988.1.1.11.1.1.6.7 software-id=.1.3.6.1.4.1.14988.1.1.11.1.1.7.7

2 ip-address=.1.3.6.1.4.1.14988.1.1.11.1.1.2.5 mac-address=.1.3.6.1.4.1.14988.1.1.11.1.1.3.5
   version=.1.3.6.1.4.1.14988.1.1.11.1.1.4.5 platform=.1.3.6.1.4.1.14988.1.1.11.1.1.5.5
   identity=.1.3.6.1.4.1.14988.1.1.11.1.1.6.5 software-id=.1.3.6.1.4.1.14988.1.1.11.1.1.7.5

3 ip-address=.1.3.6.1.4.1.14988.1.1.11.1.1.2.12 mac-address=.1.3.6.1.4.1.14988.1.1.11.1.1.3.12
   version=.1.3.6.1.4.1.14988.1.1.11.1.1.4.12 platform=.1.3.6.1.4.1.14988.1.1.11.1.1.5.12
   identity=.1.3.6.1.4.1.14988.1.1.11.1.1.6.12 software-id=.1.3.6.1.4.1.14988.1.1.11.1.1.7.12

4 ip-address=.1.3.6.1.4.1.14988.1.1.11.1.1.2.1 mac-address=.1.3.6.1.4.1.14988.1.1.11.1.1.3.1
   version=.1.3.6.1.4.1.14988.1.1.11.1.1.4.1 platform=.1.3.6.1.4.1.14988.1.1.11.1.1.5.1
   identity=.1.3.6.1.4.1.14988.1.1.11.1.1.6.1 software-id=.1.3.6.1.4.1.14988.1.1.11.1.1.7.1

5 ip-address=.1.3.6.1.4.1.14988.1.1.11.1.1.2.9 mac-address=.1.3.6.1.4.1.14988.1.1.11.1.1.3.9
   version=.1.3.6.1.4.1.14988.1.1.11.1.1.4.9 platform=.1.3.6.1.4.1.14988.1.1.11.1.1.5.9
   identity=.1.3.6.1.4.1.14988.1.1.11.1.1.6.9 software-id=.1.3.6.1.4.1.14988.1.1.11.1.1.7.9


On a CRS model I have, seems like unicast FDB (> interface ethernet switch unicast-fdb print) is not available over SNMP either.

I see now Tomas has mentioned before that mikrotik don't expose enough L2 info over SNMP so I guess it's down to nagging them and hoping the LLDP/neighbour MIB info can be added to the driver on NX-1189 at some point.

What do the mikrotik experts do?  Does anyone use the API and scripts to get some of this information?  Am I missing anything obvious here?

Thanks guys.
#67
Thanks for the link to the ticket Tomas.

Is this something that the "Network Device Database" feature in 2.1 might help make easier in the future rather than having to write new drivers in C++?  Or is that just for cosmetic layout of ports and vlans on the interface tab and you would still need a C++ driver below it?

https://www.netxms.org/forum/announcements/netxms-2-1-rc1-released/msg22296/#msg22296
#68
Hi, since version 6.38, Mikrotik routeros has started to use LLDP as part of "ip > neighbor" discovery.  This version has filtered down to their "bugfix" branch now (the most stable release).

It seems that lldpRemoteSystemsData and lldpLocalSystemData in the LLDPMIB are populated (when I do a walk of a routeros device) - OIDs: .1.0.8802.1.1.2.1.3  &  .1.0.8802.1.1.2.1.4 have data for local and remote devices.

Any chance that this can be added to the mikrotik driver to populate

  • peer mac/node/IPaddr columns of the interfaces list on a node object details
  • Tools > info > Topology Table [LLDP]
  • L2 topology maps

Cheers.
#69
This looks great, thanks. 

Will try it out on an old ERL3 and see how it goes.  Any limits you've discovered (node/proxy scans) before the load on the CPU affects other processes on the router?
#70
Just wondering if it is possible to embed a network map or dashboard element into an external web page using say a custom request to the web console?

My immediate example was to embed a live layer2 or custom network map into some atlassian confluence wiki documentation. 

I can export an image of the map and will probably do that for now, but thought it would be pretty cool to be able to embed the live map in a frame or some such.  Imagine the unicorn of network documentation that stays dynamically up to date  ;D
#71
Hi, looked into the repository; is 2.0.4 and up only available for debian jessie, but not wheezy?  Still on Wheezy at the moment.
#72
Hi, are the 2.0.4 packages still missing from the debian/ubuntu repositories?  I can only see 2.0.3 available at the moment.
#73
Hi, is it possible to enable multi-select editing of access control lists in the object browser?  So for example you could select a range of subnets and apply group/user permissions to all at once instead of one-at-a-time editing of properties > access control?

I'd like to grant access to branch office users to view some subnets but not others within a zone under entire network and infrastructure services to allow them to find IPs connected to ports, and see L2/L3 maps of devices currently online (technical sales reps in branch offices who are always asking for the status of various devices and what's plugged into their showroom switches etc). 

It also seems that if you use zones and want to be able to use "tool > find IP address" from a non-admin user you must grant read access to the zone object (to allow zone choice in find IP address dialog).  However by enabling read access to the zone this inherits read access rights to all subnets under that zone by default.  To remove the visibility of the other subnets for the branch user group then requires editing each subnet object manually to remove inheritance and add ACLs.  Would be easier with a lot of subnets to allow multi-object (shift-select) editing of permissions.

As an example I have a setup similar to the following and would like an easy way to restrict subnets 2~4 to user group for branch 2 without having to manually edit each subnet object under entire network one at a time and remove inheritance from parent and put in additive and negative ACLs for each branch group on every subnet (doesn't scale as number of subnets gets higher). 

entire network
---Zone1
------subnet 1 (branch 1)
------subnet 2 (branch 2)
------subnet 3 (branch 2)
------subnet 4 (branch 2)
------subnet 5 (branch 3)
------subnet 6 (branch 3)
...
------subnet n (branch n)

infrastructure services
---branch1
------racks
------switches
------routers
------devices
------PCs
---branch2
------racks
------switches
------routers
------devices
------PCs
---branch3
------racks
------switches
------routers
------devices
------PCs


eg:  At the moment to enable a group for branch 2 to see only subnets 2~4 I have to enable read access to the zone to allow find by IP to work, then on each subnet record (could get to hundreds) right click and edit properties and remove inheritance, and add in an allow rule for branch 2.  As more branches/subnets get added rinse and repeat.

I guess it would be great (and for all I know there already is a way to do this!) if netxms could allow either:

  • Multi-select editing of some properties in the object browser (eg: shift select 10 subnet objects, right click on properties and change access control for all 10 subnets at once)
  • Current inheritance seems to be upward looking toward parent.  Would it make any sense to allow a checkbox to block downward inheritance to child objects too? Or would that break things the other way in that nodes/interfaces now lose permissions and have to be manually edited.
  • Is there a way during discovery (filter script?) to designate some subnets as having certain user/group permissions?
  • Is there a way to use the nxshell to automate applying a lot of ACLs to a lot of subnets at once? (say providing a text list of subnets to have a certain ACL set applied?)
  • I suppose one suggestion might be to use a separate zone for each branch and control access there?  None of the branches have separate IP ranges as they're all linked via private LANs and so that's why they're under a single zone, and I've tended to use zones to separate our internal monitoring from a few customers where we monitor some field testing equipment they have.

Just looking to avoid a lot of point and clicking in the interface before I start.

Thanks in advance for any advice all, and thanks for this fantastic software.
#74
Just wanted to add to the sentiments, these videos are a big part of getting us to look at deploying NetXMS.  Look forward to more of them.

Thanks for the effort.
#75
Hi, I'm a mikrotik dude refugee and just discovered NetXMS via Tomas Kirnak's excellent videos (looking forward to more of those).

Still wrapping my head around the whole system but I am curious about the possibilities for monitoring customer sites MSP style.  The agents can be configured in zones to proxy SNMP and NetXMS agent polls and buffer them for reporting back to the main server, correct?  Can the agent also act as a proxy syslog server/forwarder or can you only send syslogs back to the master server?

My thought is that if you have one proxy per client zone with an unreliable internet connection between, you could send syslogs to the local proxy and when the internet connection to the main server is re-established the syslog messages are forwarded?

Or would you need to have a host (the one running the NetXMS proxy?) at the client site to run a standard syslog forwarder independent of NetXMS agent to handle that use case?

What are people using to monitor client sites remotely? NUCs with linux?  A customer windows host configured as proxy?

Cheers.