At work we use a DS200 device sold by Tyrnstone Systems, Inc. Basically a black box that takes over the job of talking to the outside world about incoming email and rejects a lot of the attempts based on a combination of factors.
To keep an eye on how that’s going I’ve created the following setup: The DS200 device sends regular syslog data to one of our unix machines — let’s call it machine A — which logs it and also processes the entries, keeping track of accept and reject counters. MRTG (which happens to run on a different machine — let’s call it B — but that isn’t necessary) then queries two custom entries from the SNMP software that runs on machine A and uses that to create its usual set of graphs.
Setting up the DS200 device is easy, simply step through these menus:
- System Management (Y)
- Configure Syslog Servers (O)
- Add Syslog Server (A)
On machine A you want to make sure that:
- Your syslog port is firewalled to only DS200 (and other hosts sending remote syslog info) have access to UDP port 514.
- Your syslog program accepts remote data. For us, using Debian, that meant editing /etc/init.d/sysklogd and change this line appropriately:
# Options for start/restart the daemons # For remote UDP logging use SYSLOGD="-r" # SYSLOGD=”-r”
- Create a directory /var/run/ds200 in which you (manually or automatically, later) create a fifo (named pipe):
mknod /var/run/ds200/fifo p
- Edit your /etc/syslog.conf to redirect the appropriate syslog traffic type/level to that fifo:
# # Logging for the mail system. Split it up so that # it is easy to write scripts to parse these files. # mail.info -/var/log/mail.info mail.info |/var/run/ds200/fifo mail.warn -/var/log/mail.warn mail.err /var/log/mail.err
The next ingredients to this setup are:
- A script that reads the fifo and updates two files containing the accept and reject counters.
- A script that will go in /etc/init.d/ to ensure that the fifo is created and the previous script is started.
After downloading the scripts, make sure you change the /your/path occurances appropriately in both scripts. The parse_fifo script also expects to log matching data in /var/log/ds200/ so you’ll want to create that directory, and probably do some form of logrotation on the result (not included in this mini-HOWTO).
We were already running SNMP software on our machines for network/harddisk usage tracking, so adding two custom entries in /etc/snmp/snmpd.conf was pretty easy:
exec ds200-accept /bin/cat <path>/ds200/accept.total exec ds200-reject /bin/cat <path>/ds200/reject.total
You can then query the results with the OIDs 1.3.6.1.4.1.2021.8.1.101.1 and 1.3.6.1.4.1.2021.8.1.101.2 (or UCD-SNMP-MIB::extOutput.1 and UCD-SNMP-MIB::extOutput.2, but I don’t guarantee that):
$ snmpwalk -v 2c -c <community> localhost UCD-SNMP-MIB::extOutput.1 UCD-SNMP-MIB::extOutput.1 = STRING: 355547 $ snmpwalk -v 2c -c <community> localhost UCD-SNMP-MIB::extOutput.2 UCD-SNMP-MIB::extOutput.1 = STRING: 695752
The final step is then to add an entry to the MRTG configuration:
LegendI[ds200]: Accepted LegendO[ds200]: Rejected Legend1[ds200]: Accepted connection attempts Legend2[ds200]: Rejected connection attempts YLegend[ds200]: Connections ShortLegend[ds200]: C/m Factor[ds200]: 1 MaxBytes[ds200]: 1000 AbsMax[ds200]: 10000 Target[ds200]: 1.3.6.1.4.1.2021.8.1.101.1&1.3.6.1.4.1.2021.8.1.101.2:<community>@machine-a options[ds200]: growright nopercent perminute unknaszero Title[ds200]: DS200 Stats PageTop[ds200]: <h1>DS200 Stats</h1>
The MaxBytes and AbsMax settings are somewhat arbitrary, but sufficiently high given the documented limitations of the DS200 device.
That’s it. Hope this is useful for someone out there. 
Update #1: We’ve since switched to using Cacti instead of MRTG.
Update #2: When I wrote the parse_fifo script we did not use the whitelists or blacklists, or at least not enough for me to notice that the syslog entries for those don’t have a numeric score, but BL and WL instead. I’ve altered it locally to account for that and it depends on your own preference how you want to deal with that.
Update #3: I’ve moved the location the two linked scripts to code.is-here.com.