-
Title
How to monitor the health of the Authentication Services client? -
Description
How to monitor the health of the Authentication Services client?
-
Resolution
The /opt/quest/bin/vastool status command can be used to check the health of Authentication Services. The vastool status command runs the /opt/quest/libexec/vas/scripts/vas_status.sh script.
If it is in a healthy state the last line will say Result:
. If there is a problem it will report a message in the form of: {FAILURE|CRITICAL|WARNING|INFO}:
- For failure messages are most issues that breaks something in Authentication Services such as configuration issue.
- For critical messages are major break that will stop authentication, cant continue testing, major files missing/corrupt/etc
- For warnings and information messages returned it does not necessarily mean there is a problem.
Search our Knowledge Base if a vastool status message appears for how to resolve it: https://support.oneidentity.com/authentication-services/kb
The latest version of vas_status.sh is always available from: ftp://ftp.vintela.com/vas/support/vas_status.sh.gz
Below are different ways of setting up automatic monitoring:
RESOLUTION 1:
The Management Console for Unix (MCU) 2.5 can be configured to check QAS agent status automatically. Please refer to Management Console For Unix 2.5 Admin Guide for more information on how to set this up.
RESOLUTION 2:
You can create a cronjob to monitor QAS. The script will report issues that can potentially affect the machine from being able to authenticate users.How often to run it is up to each company to decide. Once an hour is common. Some choose just nightly, more critical environaments are every 15 minutes.
RESOLUTION 3:
You can also use vas_status.sh with already established montoring method, tivoli, cfengine, nagios, etc
RESOLUTION 4:
Use our gather_status.sh scipt which is available for download ftp://ftp.vintela.com/vas/support/gather_status.tar.gz
It takes as input a file with a list of hostnames on which to run vas_status.sh, and vas_status is passed on from the same directory gather_status resides in.
gather_status.sh requires a passwordless method of running the script as root on all machines. It will work with rlogin/rsh. It works with non-root ssh ( using keys/gssapi/etc ), then sudo on the machine.
The biggest thing of gather_status is its parsing into easily reviewable output. Here is a simple example, running with output to screen instead of emailing it:
sellswor@sethe:~> ./gather_status.sh vasx8664 vasx86 vassol8 vashpux vastru64 vasirix io junkname
vas_status: Total:8 Fail:1 NoVAS:1 ConnectIssue:1 Good:5
Run Time: 13 seconds
****** Summary ******
*** Host connect failures ***
junkname 0m 0s
*** Failures ***
vasx8664 0m 2s
*** VAS Not installed ***
io 0m 1s
*** Good ***
vasirix 0m 6s
vasx86 0m 6s
vassol8 0m 10s
vastru64 0m 11s
vashpux 0m 13s
****** Details ******
*** Host connect failures ***
junkname 0m 0s
ssh: Could not resolve hostname junkname: Name or service not known
*** Failures ***
vasx8664 0m 2s
Host:
Date:
VAS: <3.5.2.9>
Domain:
FAILURE: 705 vasd does not appear to be running.
Result:
*** VAS Not installed ***
io 0m 1s
Host:
Date:
VAS: <101 No Binary>
INFO: 101 VAS related files on machine
Domain:
Result:(00 seconds)
*** Good ***
vasirix 0m 6s
Host:
Date:
VAS: <3.5.2.9>
Domain:
Result:(05 seconds)
vasx86 0m 6s
Host:
Date:
VAS: <3.5.2.9>
Domain:
Result:(05 seconds)
vassol8 0m 10s
Host:
Date:
VAS: <3.5.2.9>
Domain:
Result:(08 seconds)
vastru64 0m 11s
Host:
Date:
VAS: <3.5.2.9>
Domain:
Result:(10 seconds)
vashpux 0m 13s
Host:
Date:
VAS: <3.5.2.9>
Domain:
Result:(10 seconds)
Total Run Time: 14 seconds
sellswor@sethe:~>
( The summary/times/details are lined up properly in the output email and on screen, just lost that in the copy/paste to a non-fixed length font in the post ).
If its run with manually added hostnames, or without a report email address set, or with TEST=1 env set, it outputs to the screen. Otherwise it emails the configured address with the output, and if anything fails, emails a second address with a terse output ( just names and messages ) of just the failures.
The gather_status script has plenty of comments that should assist in getting it set up, and if there are still questions, I don't mind a conference call to help in answering questions on it or vas_status, and/or to help set it up for a given environment