As lame as it may sound:

I am trying to configure monitoring for our production system which consists of 2 hardware boxes with ESXi on both and multiple VMs. All of this is hidden behind a firewall which we may configure ourselves if needed.

My choice is between Munin (with which I already have experience) or Zabbix.

I would like to keep the production system as clean as possible, and (to me) the logical way is to put the master server out of production so it:

  1. Won't consume any possible mission critical resources
  2. Will provide data even if the whole system for some reason is not reachable (so at least from the data we can see what happened and when it happened)
  3. Will send an alert when the entire production system is not reachable

However, from the documentation I see that neither Zabbix nor Munin supports this sort of setup. Actually, with Munin it would be possible, but I would need to create a separate fw port forwarding rule for each node that I need to monitor, which sounds like overkill to me and complicates the setup. At the same time, it seems that only Munin provides encrypted traffic between node and master out of the box, and Zabbix doesn't. And even with all those possibilities, the whole setup (apart from fw rules) is still very non-trivial for Munin.

A VPN to the production system is out of the question (legal issues in this country with having a VPN in an IDC).

Therefore my question is: Is there a better way to achieve my goal? Or some other tool which can do it that I am not aware of?

Alexey Kamenskiy
  • Are you planning to install the monitoring system at the same location (just on the other side of a firewall), or would the monitoring system connect to the production network over the internet? – Grant Apr 16 '15 at 18:40
  • @Grant __out__ of the production system means really out. To put it straight: yes, in another location, otherwise it still would not follow the requirements in points 1, 2 and 3. – Alexey Kamenskiy Apr 16 '15 at 18:41

1 Answer

As I am a long-time Munin user, I can give you a few quick thoughts on using it:

  1. Using an SSH tunnel (is that illegal as well?) to get behind the firewall.
  2. The obvious port forward you mentioned.
  3. If you have SSH of the monitored machines already exposed, you can use Munin's SSH support to get to those.
  4. You can use one very light-weight node behind the firewall, running munin-async, to do the collecting, and access this node through SSH.

Drawbacks of using Munin:

  1. AFAIK Munin itself is not very well suited for alerting. For alerting it might be better to use something like Nagios. Actually, Munin was initially built as a better way to graph and poll resources for Nagios.
  2. As it is starting several processes (scripts in different languages) for every poll, it might not conform to your #2.

A great source of information on monitoring software is the Comparison of network monitoring systems Wikipedia page.

Fox
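A configuration sketch of option 4 from the answer above, added here as an example and not taken from the original post or from Munin's shipped files: the master outside production reaches one collector over SSH, so only a single inbound port is exposed and the traffic is encrypted. Hostnames, account names, the key and the file paths (`/usr/share/munin/munin-async`, `/bin/nc`) are assumptions that vary by distribution.

```conf
# --- On the master (outside production): /etc/munin/munin.conf ---
# All hostnames and account names below are placeholders.

# The light-weight collector behind the firewall. munin-node and
# munin-asyncd run there and fill a local spool; the master only
# reads that spool over SSH, so it never talks to port 4949 directly.
[collector.prod.example.com]
    address ssh://munin-async@gw.example.com

# Another VM behind the same firewall, polled live through the same
# SSH endpoint by running nc on the collector. This account must be
# allowed to run nc, so it cannot use the forced command shown below;
# give it its own key and restrict it separately.
[vm1.prod.example.com]
    address ssh://munin-relay@gw.example.com/bin/nc vm1.internal 4949

# --- On the collector: ~munin-async/.ssh/authorized_keys (one line) ---
# The forced command limits the master's key to fetching the spool.
# Port forwarding, agent forwarding, X11 and pty allocation are refused,
# so a stolen master key does not give a shell or a tunnel into production.
no-port-forwarding,no-agent-forwarding,no-X11-forwarding,no-pty,no-user-rc,command="/usr/share/munin/munin-async --spoolfetch" ssh-ed25519 AAAA...PLACEHOLDER... munin@master
```

Because the spool keeps filling while the link is down, the master can backfill the gap once the collector is reachable again; alerting on total unreachability still has to come from the master side.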