Monitor network device versions with Nagios

The nm_check_version plugin (from Nelmon), allows you to monitor network devices versions from Nagios and compatible products. The vendor and device types supported are limited to what HostInfo from Nelsnmp can find.

Currently you can monitor the version of most Cisco platforms.

Like the other Nelmon plugins using SNMP, this plugin supports both SNMP version 2c and 3.

SNMP Version 2c

nm_check_version -H [host] -P 2c -C public

SNMP Version 3

nm_check_version -H [host] -P 3 -L authPriv -u [user] -a SHA -X AES -A [authpass] -X [privpass]

Compliance monitoring

If you only enter the SNMP credentials the device version will be returned. However you can also compare the current versions against a policy. Using the -d you can point to a directory where you store these policy files.

nm_check_version -H [host] -P 2c -C public -d /opt/share/device_versions/

The plugin will expect these files to be named [vendor]_[os].yml and will complain if the correct file isn’t found. You will have to create the yaml file yourself. If you are familiar with Ansible you’ll have come across yaml files in the Ansible playbooks. Even if you are new to yaml files the whole idea behind them is that they are human readable and easy to understand.

You can use this as a template:

---
approved:
critical:
vulnerable:
obsolete:

You then type in the different versions under each section. To do so you need to enter two space characters (” “) and then end the version number with a colon (“:”). If you want to you can enter a comment behind the version number, if there are spaces in your comment you need to use quotation marks around your comment.

Here is an example of what a file for Cisco ASA might look like (cisco_asa.yml):

---
approved:
  8.4(7.23):
critical:
  8.4(7.11): "Multiple vulnerabilities in cisco-sa-20141008-asa"
vulnerable:
obsolete:
  8.0(5):
  8.0(4): "This version is end of life, upgrade to a later version"

If the version is returned as ‘UNKNOWN’ you might have an old installation of Nelsnmp, or the device might not yet be supported. Refer to the list of supported device types.