automation, monitoring, scripting, Uncategorized

How to send attachment from Linux

There are cases when the output of many scripts needs to be sent by email from the Linux command line. Here is a working example of how to achieve this.

It is assumed that email has already been configured so that the mail command works.

Below is an example command which zips all related logs from the /tmp folder into the .zip file "WLCs_logs.zip":

zip -r /tmp/WLCs_logs.zip /tmp/WLCs-peers-*.log.filtered

The next command sends an email with the .zip attachment to me@mymail.com:

mpack -s "AVC and other data from WLCs" /tmp/WLCs_logs.zip me@mymail.com

The commands above can be executed from cron on a regular basis.

monitoring, Uncategorized

generate ACLs based on traffic analysis

For modern companies security is an important focus. Hence there is a good chance that those in charge of network services will be given production subnets (with clients or customers) where ACLs need to be implemented that take into account, and allow, the traffic actually being generated. The correct process would be for the employee or department in charge of the respective subnet to formulate the requirements (which traffic should flow in which direction). In many cases, however, the responsible person cannot formulate such requirements. Below is a proposed method for analyzing the traffic of a certain subnet, or of a VLAN with an assigned subnet, on a layer 3 switch.

1) under the VLAN interface, apply logging ACLs which permit all traffic and log the matches to syslog:

ip access-list extended vlan123_log_in
permit ip any any log
ip access-list extended vlan123_log_out
permit ip any any log
interface Vlan123
description …
ip address 10.10.77.205 255.255.255.248
ip access-group vlan123_log_in in
ip access-group vlan123_log_out out
end

2) after some days (it is expected that the device where the logging ACLs were applied has a syslog server configured, to which all syslog records are forwarded), when there is enough statistical data about the traffic flowing through the VLAN, the analysis can be started. On a Linux machine I mount the network share where the syslog server stores all records and issue the related Bash commands:

mkdir /mnt/syslog
mount -t cifs //syslog-server/syslog-network-share /mnt/syslog/ -o user=your_user_name,domain=your_domain
cd /mnt/syslog/
cat * | grep "vlan123_log" > /tmp/VLAN123.txt
awk '{print $13,$14,$15,$16,$17,$18}' /tmp/VLAN123.txt > /tmp/temp_VLAN123
sort /tmp/temp_VLAN123 | uniq -c | sort -nr

The result will look like this:

29340 vlan123_log_in permitted udp 10.10.77.205(0) -> 192.168.32.131(0),
12298 vlan123_log_in permitted udp 10.10.77.206(0) -> 192.168.19.112(0),
3229 vlan123_log_out permitted udp 10.10.77.206(0) -> 192.168.19.112(0),
2078 vlan123_log_in permitted udp 10.10.77.205(0) -> 10.29.149.138(0),
2048 vlan123_log_in permitted udp 10.10.77.205(0) -> 10.29.149.153(0),
1996 vlan123_log_in permitted udp 10.10.77.205(0) -> 10.29.149.137(0),
1880 vlan123_log_in permitted udp 10.10.77.205(0) -> 10.29.149.136(0),
1778 vlan123_log_in permitted udp 10.10.77.205(0) -> 10.29.149.142(0),
1776 vlan123_log_in permitted udp 10.10.77.205(0) -> 10.29.149.150(0),
1717 vlan123_log_in permitted udp 10.10.77.205(0) -> 10.29.149.141(0),

The first column in the result above is the number of hits found in the syslog records (e.g., according to the syslog information, 29340 UDP packets were sent in the 10.10.77.205 -> 192.168.32.131 direction).

Based on this result and an ACL template, the related ACL can be generated and applied to the production VLAN without impacting the current traffic flows.
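The analysis in step 2 and the ACL generation described above, carried through in Python as an added example (not the author's own script). It assumes the standard %SEC-6-IPACCESSLOGP syslog format the awk fields are cut from, counts one hit per log line exactly as `sort | uniq -c` does, and emits one host-to-host entry per observed flow; the sample records are constructed.

```python
import re
from collections import Counter

# Constructed sample syslog records (not captured data) in the %SEC-6-IPACCESSLOGP
# format that the page's awk fields $13-$18 are cut from. Ports show as (0) when the
# logging ACE matched on "ip"; a protocol-specific ACE (permit tcp any any log)
# logs the real ports, as in the fourth line.
SAMPLE_SYSLOG = """\
Dec 28 09:05:01 10.10.77.201 105: %SEC-6-IPACCESSLOGP: list vlan123_log_in permitted udp 10.10.77.205(0) -> 192.168.32.131(0), 1 packet
Dec 28 09:05:02 10.10.77.201 106: %SEC-6-IPACCESSLOGP: list vlan123_log_in permitted udp 10.10.77.205(0) -> 192.168.32.131(0), 1 packet
Dec 28 09:05:03 10.10.77.201 107: %SEC-6-IPACCESSLOGP: list vlan123_log_out permitted udp 10.10.77.206(0) -> 192.168.19.112(0), 1 packet
Dec 28 09:05:04 10.10.77.201 108: %SEC-6-IPACCESSLOGP: list vlan123_log_in permitted tcp 10.10.77.206(51022) -> 192.168.19.112(443), 1 packet
Dec 28 09:05:05 10.10.77.201 109: %SEC-6-IPACCESSLOGP: list vlan999_log_in permitted tcp 10.10.99.5(4000) -> 192.168.1.1(22), 1 packet
""".splitlines()

LOG_RE = re.compile(
    r"list (?P<acl>\S+) (?P<action>permitted|denied) (?P<proto>\w+) "
    r"(?P<src>\d+(?:\.\d+){3})\((?P<sport>\d+)\) -> (?P<dst>\d+(?:\.\d+){3})\((?P<dport>\d+)\)"
)


def count_flows(lines, acl_prefix="vlan123_log"):
    """Equivalent of the page's grep | awk | sort | uniq -c pipeline:
    one hit per log line, keyed by (acl, proto, src, dst, dport)."""
    flows = Counter()
    for line in lines:
        m = LOG_RE.search(line)
        if m and m["acl"].startswith(acl_prefix):
            flows[(m["acl"], m["proto"], m["src"], m["dst"], m["dport"])] += 1
    return flows


def generate_acl(flows, source_acl, new_name, min_hits=1):
    """Turn the flows seen by source_acl (e.g. vlan123_log_in) into a least-privilege
    ACL: one host-to-host ACE per observed flow, busiest first, then an explicit
    logging deny so anything the sampling period missed still shows up in syslog."""
    cfg = [f"ip access-list extended {new_name}"]
    for (acl, proto, src, dst, dport), hits in flows.most_common():
        if acl != source_acl or hits < min_hits:
            continue
        port = f" eq {dport}" if dport != "0" else ""  # 0 = port was not logged
        cfg.append(f" remark {hits} hits in syslog")
        cfg.append(f" permit {proto} host {src} host {dst}{port}")
    cfg.append(" deny ip any any log")
    return cfg


if __name__ == "__main__":
    observed = count_flows(SAMPLE_SYSLOG)
    print("\n".join(generate_acl(observed, "vlan123_log_in", "vlan123_in")))
```

Raising `min_hits` drops flows seen only a few times during the sampling window, which is where one-off or unwanted traffic tends to sit; check those manually before excluding them.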


monitoring, Uncategorized, wireless topics

monitor amount of users on Cisco access points

At this stage of Wi-Fi technology development, a high density of clients and access points is seen quite often. The task now is to avoid too many clients per access point (once I saw a report with ~90 clients on one access point) in order to offer a reliable Wi-Fi service.

The number of users per access point at a given moment can be obtained via Cisco Prime (PI, Prime Infrastructure, as the vendor calls it). In my case this system is monitored by other people and it is unclear when they will restore its functionality. For such a case, or if someone does not want to invest in Cisco Prime, a Bash script and SQL can be used to monitor the number of users per access point over time:

1) log in to the WLC with an Expect/Perl/Python script and capture all output

2) issue the command "show ap summary"; the following result will be obtained (some columns are deleted for brevity):

(Cisco Controller) >show ap summary

Number of APs.................................... 101

Global AP User Name.............................. mgmt
Global AP Dot1x User Name........................ Not Configured

AP Name    AP Model           Location      IP Address     Clients
---------  -----------------  ------------  -------------  -------
235AP      AIR-CAP2702E-Z-K9  Stores        10.10.47.235   1
234AP      AIR-CAP2702E-Z-K9  Gnd F         10.10.47.234   1
233AP      AIR-CAP2702E-Z-K9  KP            10.10.47.233   1
7213AP     AIR-CAP2702E-Z-K9  Aisle 4 - H5  10.105.82.26   0
7208AP     AIR-CAP2702E-Z-K9  Above Bench   10.105.82.33   3

3) this output can be saved to a file, which is afterwards processed by Bash and Perl scripts that push the data into MySQL on a regular basis with the help of cron on Linux.

4) the result looks good:

mysql> select dt,tm, sum(users_amount) from APs_users GROUP BY dt,tm;
+------------+----------+-------------------+
| dt         | tm       | sum(users_amount) |
+------------+----------+-------------------+
| 2018-12-28 | 09:05:31 |                21 |
| 2018-12-29 | 07:05:32 |                18 |
| 2018-12-29 | 08:05:32 |                18 |
+------------+----------+-------------------+
3 rows in set (0.00 sec)
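Steps 2 to 4 above, as an added Python example rather than the author's Bash/Perl scripts: it parses the saved "show ap summary" output, flags access points above a client threshold, and prepares parametrised rows for the APs_users table. The sample output is constructed, and the `ap_name` column is an assumption (the page shows only dt, tm and users_amount).

```python
import re
from datetime import datetime

# Constructed sample of the WLC "show ap summary" output (not a real capture).
# Location may contain spaces, so rows are anchored on the IP address instead of split.
SAMPLE_OUTPUT = """\
(Cisco Controller) >show ap summary
AP Name     AP Model            Location      IP Address     Clients
----------  ------------------  ------------  -------------  -------
235AP       AIR-CAP2702E-Z-K9   Stores        10.10.47.235   1
234AP       AIR-CAP2702E-Z-K9   Gnd F         10.10.47.234   1
7213AP      AIR-CAP2702E-Z-K9   Aisle 4 - H5  10.105.82.26   0
7208AP      AIR-CAP2702E-Z-K9   Above Bench   10.105.82.33   47
"""

AP_ROW = re.compile(
    r"^(?P<name>\S+)\s+(?P<model>\S+)\s+(?P<location>.*?)\s+"
    r"(?P<ip>\d{1,3}(?:\.\d{1,3}){3})\s+(?P<clients>\d+)\s*$"
)

# Assumed layout: ap_name is added to the page's dt, tm, users_amount columns so a
# per-AP history can be kept. Placeholders keep AP names out of the SQL text itself.
INSERT_SQL = ("INSERT INTO APs_users (dt, tm, ap_name, users_amount) "
              "VALUES (%s, %s, %s, %s)")


def parse_ap_summary(text):
    """One dict per AP row; banner, header and separator lines never match
    because they contain no IP address followed by a client count."""
    aps = []
    for line in text.splitlines():
        m = AP_ROW.match(line)
        if m:
            ap = m.groupdict()
            ap["clients"] = int(ap["clients"])
            aps.append(ap)
    return aps


def overloaded(aps, max_clients=40):
    """Names of APs above the per-AP client threshold (the page's ~90-client case)."""
    return [ap["name"] for ap in aps if ap["clients"] > max_clients]


def to_sql_rows(aps, dt, tm):
    """Parameter tuples for INSERT_SQL, one per AP, stamped with the poll date and time."""
    return [(dt, tm, ap["name"], ap["clients"]) for ap in aps]


if __name__ == "__main__":
    aps, now = parse_ap_summary(SAMPLE_OUTPUT), datetime.now()
    print(sum(ap["clients"] for ap in aps), "clients; overloaded:", overloaded(aps))
    for row in to_sql_rows(aps, now.strftime("%Y-%m-%d"), now.strftime("%H:%M:%S")):
        print(INSERT_SQL, row)
```

With a MySQL client library such as PyMySQL the rows go in via `cursor.executemany(INSERT_SQL, rows)`, and the page's GROUP BY query then works unchanged.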