BGP is a sensible process/protocol. We must monitor it very finely
For efficient monitoring on bgpd, there are some NRPE sensors.
For monitor bgpd, we must allow nrpe user to use bgpctl command. Please add this line into /etc/sudoers
_nrpe ALL=(ALL) NOPASSWD: /usr/sbin/bgpctl
This sensor verify if bgpd process runs and listen on IPv4 and IPv6 (TCP/179)
#! /bin/sh
#states
STATE_OK=0
STATE_WARNING=1
STATE_CRITICAL=2
STATE_UNKNOWN=3
SERVICEON=$(ps aux|grep bgpd|wc -l| awk '{print $1}')
if [ "$SERVICEON" -lt 3 ];
then
echo "BGPv4 service offline"
return $STATE_CRITICAL;
else
LISTENV4=$(netstat -anfinet|grep tcp|grep LISTEN|grep 179|wc -l|awk '{print $1}')
LISTENV6=$(netstat -anfinet6|grep tcp|grep LISTEN|grep 179|wc -l|awk '{print $1}')
if [ $LISTENV4 -lt 1 ];
then
echo "BGPv4 process doesn't listen on IPv4 !"
return $STATE_CRITICAL
fi
if [ $LISTENV6 -lt 1 ];
then
echo "BGPv4 process doesn't listen on IPv6 !"
return $STATE_CRITICAL
fi
echo "BGPv4 process online
return $STATE_OK
fi
This sensor checks all referenced BGP neighbors and their states. If BGP status if Established, then the sensor thinks it’s ok. This sensor verify together IPv4 and IPv6, and count BGP neighbors
#! /bin/sh
#states
STATE_OK=0
STATE_WARNING=1
STATE_CRITICAL=2
STATE_UNKNOWN=3
NEIGHBORS_V4=$(sudo bgpctl sh nei|grep neigh |awk '{print $4}'|grep "\."|sed 's/,//')
NEIGHBORS_V6=$(sudo bgpctl sh nei|grep neigh |awk '{print $4}'|grep ":"|sed 's/,//')
NB_V4_NEIGHBOR=0
NB_V6_NEIGHBOR=0
for NEI in $NEIGHBORS_V4
do
BGPSTATE=$(sudo bgpctl sh nei $NEI|grep "BGP state"|awk '{print $4}'|sed 's/,//')
if [ "$BGPSTATE" == "Established" ];
then
NB_V4_NEIGHBOR=$(($NB_V4_NEIGHBOR+1))
fi
done
for NEI in $NEIGHBORS_V6
do
BGPSTATE=$(sudo bgpctl sh nei $NEI|grep "BGP state"|awk '{print $4}'|sed 's/,//')
if [ "$BGPSTATE" == "Established" ];
then
NB_V6_NEIGHBOR=$(($NB_V6_NEIGHBOR+1))
fi
done
if [ $NB_V4_NEIGHBOR -lt 1 ];
then
echo "NO IPv4 neighbor available ! IPv4 BGP Routing inoperative"
else
echo $NB_V4_NEIGHBOR" IPv4 neighbor(s) online"
fi
if [ $NB_V6_NEIGHBOR -lt 1 ];
then
echo "NO IPv6 neighbor available ! IPv6 BGP routing inoperative"
else
echo $NB_V6_NEIGHBOR" IPv6 neighbor(s) online"
fi
if [ $NB_V4_NEIGHBOR -lt 1 ] || [ $NB_V6_NEIGHBOR -lt 1 ];
then
return $STATE_CRITICAL
else
return $STATE_OK
fi
This script verify if IPv4 and IPv6 routes are collected. It also verify default route presence.
#! /bin/sh
#states
STATE_OK=0
STATE_WARNING=1
STATE_CRITICAL=2
STATE_UNKNOWN=3
ROUTES_V4=$(sudo bgpctl sh rib|grep "^*>"|awk '{print $2}'|grep "\.")
ROUTES_V6=$(sudo bgpctl sh rib|grep "^*>"|awk '{print $2}'|grep ":")
DEFROUTE_V4=0
DEFROUTE_V6=0
NB_V4_ROUTES=0
NB_V6_ROUTES=0
OUTPUT=""
for RT in $ROUTES_V4
do
if [ "$RT" == "0.0.0.0/0" ];
then
DEFROUTE_V4=1
fi
NB_V4_ROUTES=$(($NB_V4_ROUTES+1))
done
for RT in $ROUTES_V6
do
if [ "$RT" == "::/0" ];
then
DEFROUTE_V6=1
fi
NB_V6_ROUTES=$(($NB_V6_ROUTES+1))
done
if [ $NB_V4_ROUTES -lt 1 ];
then
OUTPUT="No IPv4 routes available ! IPv4 routing inoperative"
else
OUTPUT=""$NB_V4_ROUTES" IPv4 route(s) learnt"
fi
if [ $NB_V6_ROUTES -lt 1 ];
then
OUTPUT=$OUTPUT", no IPv6 routes available ! IPv6 routing inoperative"
else
OUTPUT=$OUTPUT", "$NB_V6_ROUTES" IPv6 route(s) learnt"
fi
if [ $NB_V4_ROUTES -lt 1 ] || [ $NB_V6_ROUTES -lt 1 ];
then
echo $OUTPUT
return $STATE_CRITICAL
else
if [ $DEFROUTE_V4 != 1 ];
then
OUTPUT=$OUTPUT", but no IPv4 default route !"
echo $OUTPUT
return $STATE_WARNING
fi
if [ $DEFROUTE_V6 != 1 ];
then
OUTPUT=$OUTPUT", but no IPv6 default route !"
echo $OUTPUT
return $STATE_WARNING
fi
echo $OUTPUT
return $STATE_OK
fi