feature request: expose variables to netwatch scripts

it is cool to have scripting hooks in netwatch, like up-/down-script.

it would be however much more pleasant to have some variables exposed to the scripts, like

  • host
  • since (this time the timestamp of the last change, not the one that has fired the script)
  • routing-mark (which then implies the usage of in-vrf monitoring)
  • comment (to be able to add some unique identifier as well)

this way we could re-use scripts for multiple different netwatch entries.

and ability to specify the source-interface/source-ip-address.
and maybe to add some grace cycles, like x consecutive misses fire the down event, instead of a single one.

+1 :)

When you want to set up a complicated monitoring system that performs actions when reachability changes, it is better to avoid netwatch.
Not only is it limited by the recent changes to scripting policy, but also it has always had the problem that a single missed ping indicates a “down” condition.
(there is no way to specify a number of missed pings)
This tends to lead to false alarms in the presence of some packet loss, which could occur when lines are fully loaded etc.

It is probably better to make a script that itself contains a loop or is scheduled frequently for a single pass, and that uses other primitives
like /ping and /tool fetch etc to monitor. This allows you to set thresholds and also solves the problem you have with netwatch.
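A single-pass check of the kind the post above describes, as an added example that is not part of the thread. It assumes the script is run periodically from /system scheduler; the target address, the thresholds and the global variable names (nwFailCount, nwState) are made up for illustration.

```routeros
# Added example (not from the thread): threshold-based reachability check.
# Meant to be run from /system scheduler for a single pass each time.
# Assumed values: target address, probe count and both thresholds.
:global nwFailCount
:global nwState
:local target 192.0.2.1
:local probes 5
:local minReplies 3
:local graceCycles 3

# Globals start out empty after a reboot, so give them defaults.
:if ([:typeof $nwFailCount] = "nothing") do={ :set nwFailCount 0 }
:if ([:typeof $nwState] = "nothing") do={ :set nwState "up" }

# In a script, /ping returns the number of replies received.
:local replies [/ping $target count=$probes]

:if ($replies < $minReplies) do={
    # This pass counts as a miss; do not alarm yet.
    :set nwFailCount ($nwFailCount + 1)
} else={
    # A good pass clears the miss counter and ends a "down" period.
    :set nwFailCount 0
    :if ($nwState = "down") do={
        :set nwState "up"
        :log warning "monitor host=$target status=up"
    }
}

# Report "down" only after graceCycles consecutive bad passes,
# and only once per outage.
:if (($nwFailCount >= $graceCycles) && ($nwState = "up")) do={
    :set nwState "down"
    :log error "monitor host=$target status=down misses=$nwFailCount"
}
```

With a 30-second scheduler interval and these values, the down message is logged after three consecutive passes in which fewer than 3 of 5 pings were answered.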

this is the reason why i asked for this as well:

/ping is also nice stuff to have, but currently it is lacking some serious functionality. it should be able to return at least the same output when run “as-value” as normally.
sadly it just returns the number of packets successfully received. at least the min/max/avg RTT would be fine. the success rate i can calculate by myself :)

otoh i also asked for this some time ago:

but hell, i’ll do this right away as a standalone topic :)

+1 vrf must have

You could use Splunk/syslog for some of these.

If you send these log messages to an external syslog server, the server will show:

  • What IP it came from
  • What time it arrived
  • The message you chose to send.

Then you could make a graphical dashboard showing you when the link goes up/down.
If the syslog server is on the LAN side, you get both up and down messages.
If the syslog server is on the WAN side and you are monitoring the WAN side, it will only show when it goes up.

i don’t want to have external tools for this - i want to do it in the device. and definitely i don’t want to create up/down scripts with individual log generation commands.
if i can get access to object metadata as variables, then it is up to me, whether i want to rely on syslog as a shim layer towards out of the box logic, or solve/remediate my issues in the device.
cause netwatch down events can be triggered by interruptions that leave your device incapacitated to communicate to external (central) control elements. and in many cases, the “LAN” is not yours, esp. in the SP environment :)

This is still not implemented?

According to something my co-worker found somewhere, this actually exists for DHCP Server Alerts scripts.
Not sure where he found it, but try it:

:local hostname [/system identity get name]
:local currentDate [/system clock get date]
:local currentTime [/system clock get time]
:local int "$interface"
:local addr "$address"
:local mac $"mac-address"
/tool e-mail send to=my@e.mail subject=DHCP-Detected body=("ROGUE DHCP Server have been detected on $hostname at $currentDate $currentTime - Interface= $int - IP Address=$addr - MAC-Address= $mac !!")

Not that it seems to be explained in the manual though.

So why doesn’t Netwatch have this?

doneware,

Did you ever get a response about this?

My Up script is below, but I keep on forgetting to change the target and the email text.

:local target 192.168.0.2
:log error "Connection back to $target";
/tool e-mail send to="x@y" subject="Connection back $target" body="Problem"

It would be much easier if it was as below (please forgive the pseudo code). I could put this in all fields and only need to get the Host IP address correct

:local target Host_of_this_Netwatch 
If action_of_this_Netwatch = "Up"
    :log error "Connection back to $target";
else
    :log error "Connection lost to $target";
/tool e-mail send to="x@y" subject="$error" body="Netwatch"

Hi,

$host is exposed in the netwatch script, at least as of 6.48.4. It does not appear that since, timeout, interval or status are available.

@merlinthemagic7

Thanks - where did you discover that? Is there any documentation?

So I now have 2 Scripts (with no permissions required) called NetwatchUp and NetwatchDown which are called by Netwatch. I could have one script if I could get to $status.
The scripts are very simple. NetwatchDown is:

:log error "Connection lost to $host"
/tool e-mail send to="x@y" subject="$[/system identity get name] Connection lost to $host" body="Problem"

+1 man

Found by just testing, it's not in the change log.

I would like the comment also to be sent from netwatch to the script.
This way I would get both the IP ($host) and the device to watch using the comment ($comment)

My up/down netwatch script used with WireGuard

add dont-require-permissions=yes name=WireGuard_down  source=\
    ":log info message=\"vpn=wireguard status=down host=\$host\""
add dont-require-permissions=yes name=WireGuard_up  source=\
    ":log info message=\"vpn=wireguard status=up host=\$host\""

Maybe it should just pass the ID of the netwatch entry so you can get all other parameters from there? (plus the up/down indicator of course)

Just thinking... how about

  1. Look up the $host IP address on your DHCP leases. Give the lease a name. (I do that)
  2. Look up the netwatch using the $host to see the current status and get the comment. (I’m going to try that).

Charles

I use Netwatch to ping WireGuard tunnel IP and that is not DHCP based.
So based on your tips, I can add it to DNS and do a lookup from the Script and get the name from there.

So this is what I produced - a single script to manage both Up and Down. I put the name of the machine in the Netwatch comment.
If someone knows how to look up the Netwatch entry directly, could they tell me?
Charles

#########################################################################
# A single script to manage Netwatch
#########################################################################
#:log error "Netwatch $host"
:local myStatus  ""
:local myComment ""
# Have to look at each because I can't find the particular one 
:foreach i in [/tool netwatch find] do={
    :if ( [/tool netwatch get number=$i host] = $host ) do={
        :set $myStatus  [/tool netwatch get number=$i status]
        :set $myComment [/tool netwatch get number=$i comment]
    }
}
# Notify
:log error "Connection $myStatus to $host - $myComment"
/tool e-mail send to="x@y" subject="$myComment $[/system identity get name] Connection $myStatus to $host" body="Netwatch"