Cacti, (www.cacti.net) is a php based web application that front ends RRDTool.  MySQL is used to store all of the collected data from the devices being monitored.  Cacti has a few different methods to gather the information from the network devices.  You can use scripts that are available, usually initiated by Cron jobs, or you can use SNMP.  Of course, since we already had SNMP in place from our MRTG configuration, SNMP was a shoe in!

For more information on what exactly cacti is, check this link- http://www.cacti.net/what_is_cacti.php

Cacti Installation 

    Cacti was very easy to install, especially since we already had SNMP configured on all of our servers and devices.  In the scope of this document, we will walk through setting up SNMP in Windows and NET-SNMP for Linux/BSD and run through the Cacti web app on CentOS v4.4.  What you monitor is up to you, of course.  We chose to monitor RAM, Disk Space, CPU Usage, Bandwidth and Network Errors.

 We installed our Cacti instance on CentOS 4.4. 

First grab the latest source RPM from Cacti and build your RPM:

wget http://www.cacti.net/downloads/packages/SRPMS/cacti-0.8.6j-1.src.rpm

rpmbuild --rebuild cacti-0.8.6j-1.src.rpm --target=i386

Your freshly built RPM will be located in /usr/src/redhat/RPMS/i386/.  Before we install the RPM, we need to get apache, php, rrdtool and mysql going.  Lets install those using yum.

yum install mysql-server httpd php php-mysql

wget wget http://oss.oetiker.ch/rrdtool/pub/rrdtool-1.2.19.tar.gz

tar zxvf rrdtool-1.2.19.tar.gz

cd rrdtool-1.2.19

./configure

make install

So now you have RRDTool, compiled from source, installed, MySQL server installed, PHP with MySQL support and Apache (httpd).  Now it is time to install and configure Cacti ! 

rpm -ivh /usr/src/redhat/RPMS/i386/cacti-0.8.6j-1.i386.rpm

mysqladmin --user=root create cacti

mysql cacti< /var/www/html/cacti/cacti.sql

mysql --user=root mysql

GRANT ALL ON cacti.* TO cactiuser@localhost IDENTIFIED BY '<password>';

flush privileges;

quit

Now you must edit the config.php file in /var/www/html/cacti/includes/ and set the following variables for your system:

$database default = "cacti";

$database hostname = "localhost";

$database user = "cactiuser";

$database_password = "<password>";

From the root of your cacti directory /var/www/html/cacti/ chown the directory so we can generate the graphs.

chown -R cactiuser rra/ log/

Add this line to your crontab file:

*/5 * * * * cactiuser php /var/www/html/cacti/poller.php > /dev/null 2>&1

Do not forget to start MySQL and Apache, and add them to the startup scripts!

/etc/init.d/httpd start

/etc/init.d/mysqld start

chkconfig httpd on

chkconfig mysqld on

 Now you should be able to point your favorite web browser to the server you just installed cacti on and finish the rest in Cacti's nice web gui.  Make sure you include the cacti subdirectory, http://servername/cacti.  The config is very straight forward, as well as the configuration in the web UI.  Since you can point and click the rest of cacti, lets get SNMP setup on the hosts we are going to monitor.

 NET-SNMP Installation

Net-SNMP is included in almost every linux distro out there, as well as FreeBSD ports.  Again, we mainly have CentOS hosts with a few FreeBSD servers doing the most important roles. ;)  Let us get started installing net-snmp.  (For FreeBSD, look for the net-snmp package in ports; whereis net-snmp and use the same conf below)

Using yum, we will grab the net-snmp package:

yum install net-snmp

This will create /etc/snmp/ with a few files.  The file we will worry about is /etc/snmp/snmpd.conf.  This is the file that we use to tell snmpd what community can read our stats, and what version we use for which network.  Here is a basic snmpd.conf file:

##       sec.name     source           community
##       ========     ======           =========
com2sec  network_1   192.168.1.0/24   public
com2sec  network_2   10.10.10.0/24   priv_ro

##       Access.group.name   sec.model        sec.name
##       =================  =========         ========
group    MyROGroup_1        v1                network_1
group    MyROGroup_2        v2c               network_2

##   MIB.view.name     incl/excl  MIB.subtree  mask
##   ==============   =========  ===========  ====
view all-mibs         included   .1           80

##      MIB
##      group.name   context sec.model sec.level prefix read     write  notif
##      ==========   ======= ========= ========= ====== ====     =====  =====
access  MyROGroup_1  ""       v1       noauth    exact  all-mibs none   none
access  MyROGroup_2  ""       v2c      noauth    exact  all-mibs none   none

This file basically gives access to two (2) networks to read from this snmp host.  Network 192.168.1.0/24 will use the community name public and use snmp version 1.  Network 10.10.10.0/24 will use the community name priv_ro and use snmp version 2c.  SNMP also has version 3, which is more secure.  Currently, we only use 2c because of legacy network devices.  As a note, do not define v1 and v2c for the same network.  We have experienced problems on Linux hosts when both versions are defined for the same network.

You can copy this file and edit it for your network.  After you have it in place for /etc/snmp/snmpd.conf, lets go ahead and start snmp and add it to the startup:

/etc/init.d/snmpd start

chkconfig snmpd on

Now, you should be able to log in to your Cacti server and add this host to the monitored hosts.  You might need to do a verbose query on the 2nd page of the host configuration before you can make graphs for the interface.  That is a common mishap we ran into.  I am guessing that Cacti has to recieve data for that OID before it will allow you to select to graph that feature.  No complaints! ;)

Securing SNMP with IPtables

Even tho SNMP is semi secure due to the network query ACL, we want to make sure that only certain networks or hosts can even poll that port.  SNMP uses UDP 161.  So say you are on network 192.168.1.0/24 and your Cacti server is 192.168.1.1.  You want to poll 192.168.1.2 for SNMP data.  You only want 192.168.1.1 to be able to connect to port UDP 161.  Add the following rule on your machine with IPtables on 192.168.1.2:

iptables -A INPUT -p udp --dport 161 -s 192.168.1.1 -j ACCEPT

iptables -A INPUT -p udp --dport 161 -j DROP

service iptables save

 This will only allow your 192.168.1.1 machine to poll port UDP 161, adding an extra layer of security to your SNMP.