OpenBGPd sensor

BGP is a sensible process/protocol. We must monitor it very finely

For efficient monitoring on bgpd, there are some NRPE sensors.

Prérequisites

For monitor bgpd, we must allow nrpe user to use bgpctl command. Please add this line into /etc/sudoers

_nrpe ALL=(ALL) NOPASSWD: /usr/sbin/bgpctl

Process verification

This sensor verify if bgpd process runs and listen on IPv4 and IPv6 (TCP/179)

#! /bin/sh
#states
STATE_OK=0
STATE_WARNING=1
STATE_CRITICAL=2
STATE_UNKNOWN=3

SERVICEON=$(ps aux|grep bgpd|wc -l| awk '{print $1}')
if [ "$SERVICEON" -lt 3 ];
then
        echo "BGPv4 service offline"
        return $STATE_CRITICAL;
else
        LISTENV4=$(netstat -anfinet|grep tcp|grep LISTEN|grep 179|wc -l|awk '{print $1}')
        LISTENV6=$(netstat -anfinet6|grep tcp|grep LISTEN|grep 179|wc -l|awk '{print $1}')
        if [ $LISTENV4 -lt 1 ];
        then
                echo "BGPv4 process doesn't listen on IPv4 !"
                return $STATE_CRITICAL
        fi
        if [ $LISTENV6 -lt 1 ];
        then
                echo "BGPv4 process doesn't listen on IPv6 !"
                return $STATE_CRITICAL
        fi
        echo "BGPv4 process online
        return $STATE_OK
fi

Verify BGP neighbor states

This sensor checks all referenced BGP neighbors and their states. If BGP status if Established, then the sensor thinks it’s ok. This sensor verify together IPv4 and IPv6, and count BGP neighbors

#! /bin/sh
#states
STATE_OK=0
STATE_WARNING=1
STATE_CRITICAL=2
STATE_UNKNOWN=3

NEIGHBORS_V4=$(sudo bgpctl sh nei|grep neigh |awk '{print $4}'|grep "\."|sed 's/,//')
NEIGHBORS_V6=$(sudo bgpctl sh nei|grep neigh |awk '{print $4}'|grep ":"|sed 's/,//')

NB_V4_NEIGHBOR=0
NB_V6_NEIGHBOR=0

for NEI in $NEIGHBORS_V4
do
        BGPSTATE=$(sudo bgpctl sh nei $NEI|grep "BGP state"|awk '{print $4}'|sed 's/,//')
        if [ "$BGPSTATE" == "Established" ];
        then
                NB_V4_NEIGHBOR=$(($NB_V4_NEIGHBOR+1))
        fi
done

for NEI in $NEIGHBORS_V6
do
        BGPSTATE=$(sudo bgpctl sh nei $NEI|grep "BGP state"|awk '{print $4}'|sed 's/,//')
        if [ "$BGPSTATE" == "Established" ];
        then
                NB_V6_NEIGHBOR=$(($NB_V6_NEIGHBOR+1))
        fi
done

if [ $NB_V4_NEIGHBOR -lt 1 ];
then
        echo "NO IPv4 neighbor available ! IPv4 BGP Routing inoperative"
else
        echo $NB_V4_NEIGHBOR" IPv4 neighbor(s) online"
fi

if [ $NB_V6_NEIGHBOR -lt 1 ];
then
        echo "NO IPv6 neighbor available ! IPv6 BGP routing inoperative"
else
        echo $NB_V6_NEIGHBOR" IPv6 neighbor(s) online"
fi

if [ $NB_V4_NEIGHBOR -lt 1 ] || [ $NB_V6_NEIGHBOR -lt 1 ];
then
        return $STATE_CRITICAL
else
        return $STATE_OK
fi

Verify route collection

This script verify if IPv4 and IPv6 routes are collected. It also verify default route presence.

#! /bin/sh
#states
STATE_OK=0
STATE_WARNING=1
STATE_CRITICAL=2
STATE_UNKNOWN=3

ROUTES_V4=$(sudo bgpctl sh rib|grep "^*>"|awk '{print $2}'|grep "\.")
ROUTES_V6=$(sudo bgpctl sh rib|grep "^*>"|awk '{print $2}'|grep ":")
DEFROUTE_V4=0
DEFROUTE_V6=0

NB_V4_ROUTES=0
NB_V6_ROUTES=0

OUTPUT=""

for RT in $ROUTES_V4
do
        if [ "$RT" == "0.0.0.0/0" ];
        then
                DEFROUTE_V4=1
        fi
        NB_V4_ROUTES=$(($NB_V4_ROUTES+1))
done

for RT in $ROUTES_V6
do
        if [ "$RT" == "::/0" ];
        then
                DEFROUTE_V6=1
        fi
        NB_V6_ROUTES=$(($NB_V6_ROUTES+1))
done

if [ $NB_V4_ROUTES -lt 1 ];
then
        OUTPUT="No IPv4 routes available ! IPv4 routing inoperative"
else
        OUTPUT=""$NB_V4_ROUTES" IPv4 route(s) learnt"
fi

if [ $NB_V6_ROUTES -lt 1 ];
then
        OUTPUT=$OUTPUT", no IPv6 routes available ! IPv6 routing inoperative"
else
        OUTPUT=$OUTPUT", "$NB_V6_ROUTES" IPv6 route(s) learnt"
fi

if [ $NB_V4_ROUTES -lt 1 ] || [ $NB_V6_ROUTES -lt 1 ];
then
        echo $OUTPUT
        return $STATE_CRITICAL
else
        if [ $DEFROUTE_V4 != 1 ];
        then
                OUTPUT=$OUTPUT", but no IPv4 default route !"
                echo $OUTPUT
                return $STATE_WARNING
        fi
        if [ $DEFROUTE_V6 != 1 ];
        then
                OUTPUT=$OUTPUT", but no IPv6 default route !"
                echo $OUTPUT
                return $STATE_WARNING
        fi
        echo $OUTPUT
        return $STATE_OK
fi