daily system administration

Linux, Debian and the rest
any questions or comments: Tom@d7031.de

Monitoring Citrix Netscaler with Icinga/Nagios

Citrix Netscaler is a very good system for load balancing, if you want to have an enterprise system and not do this in another way with Apache for free. It also provide a access gateways for ICA sessions. It’s based on FreeBSD but it has no nagios-plugins inside like other firewall system e. g. GenuGate firewall systems. So the only way to monitor such device is over SNMP. There are some plugins on Monitorexchange to watch over CPU, Mem, Connections and Disks.

In this article I’ll describe some self written plugins to monitor other SNMP values on an netscaler. All plugins are available under GPL on Monitorexchange or local.

All plugins are tested with Netscaler version 9.3.

Monitor the vserver-health

The netscaler provides a SNMP value about the health of a load balancing vserver, and only for those. For AAA or Access Gateways there is no such value. In this first version of this plugin check_netscaler_vserver.pl you need the special load-balancing OID from the vserver to monitor. You get this with:

show snmp oid VSERVER

at the shell.

Now you should define the check command:

define command {
        command_name    check_snmp_netscaler_vserver
        command_line    $USER1$/check_netscaler_vserver.pl -H '$HOSTADDRESS$' -C '$ARG1$' -S '$ARG2$'  -w '$ARG3$' -c '$ARG4$'

Here is the service check example:

define service {
        host_name       netscaler
        service_description     check_snmp_netscaler_vserver_lb_vs_ldap
        check_command   check_snmp_netscaler_vserver!<community>!<oid>!99!0

With the default warning value of 99, the check turns into warning state if one of the used backends not available. Is every backend down the check is critical.

An next plugin version will be use the name of the load balancing vserver for better handling.

Monitor the certificate lifetime

Normaly there are some, or a lot of SSL certificates on a netscaler. The lifetime of a webserver certificate could checked from outside over _checkhttp easily. But if you use SSL certificates and maybe CA’s for client authentication there is no way to check the lifetime from outside. Sure you can see it in the GUI but how often will you check that? This Icinga/Nagios check check_netscaler_certificates.pl watch over the lifetime using SMNP. As result the plugin returns the shortest lifetime over all certificates, webserver and client authentication. It returns no certificate names, because for this the plugin needs a larger SNMP request or a double request on every run. I think that’s not really necessary.

Here is a command definition for this check:

define command {
        command_name    check_snmp_netscaler_certificates
        command_line    $USER1$/check_netscaler_certificates.pl -H '$HOSTADDRESS$' -C '$ARG1$' -w '$ARG2$'  -c '$ARG3$'

And that’s the corresponding service check:

define service {
        host_name       netscaler
        service_description     check_snmp_netscaler_certificates
        check_command   check_snmp_netscaler_certificates!<community>!60!10

The warning and critical values are the days left.

Some more checks for netscaler will be introduced here. The next steps are health checks for AAA and access gateways and HA status checks.

Be patient.