Zabbix monitors Tomcat through JMX (tomat's server firewall policy iptables configuration is installed on the monitored end)

Others 2022-05-26 22:27:00 views: 0

 

1. The current environment

 

The monitored terminal 192.168.153.191

/usr/local/tomcat

Downloaded catalina-jmx-remote.jar and put it in the lib directory of the tomcat installation directory. So far, this jar package has not come in handy.

/usr/local/jdk1.7.0_79

A setenv.sh script has been added to the bin directory of tomcat (can be written in one line, which can be found under Baidu)

CATALINA_OPTS="${CATALINA_OPTS} -Djava.rmi.server.hostname=192.168.153.191"
CATALINA_OPTS="${CATALINA_OPTS} -Djavax.management.builder.initial="
CATALINA_OPTS="${CATALINA_OPTS} -Dcom.sun.management.jmxremote=true"
CATALINA_OPTS="${CATALINA_OPTS} -Dcom.sun.management.jmxremote.port=12345"
CATALINA_OPTS="${CATALINA_OPTS} -Dcom.sun.management.jmxremote.ssl=false"
CATALINA_OPTS="${CATALINA_OPTS} -Dcom.sun.management.jmxremote.authenticate=false"

  According to the usual thinking: It stands to reason that as long as a port 12345 is opened in iptables

 

Zabbix_Server及Zabbix_Java_Gateway端192.168.153.181

The installation directory is not explained, generally it can be found in /usr/local/zabbix_server,/usr/local/zabbix_java_gateway

Mainly want to explain two configuration files

 

zabbix_server.conf

ListenPort=10051
LogFile=/tmp/zabbix_server.log
DBName=zabbix
DBUser=zabbix
DBPassword=zabbix
DBPort=3306
JavaGateway=127.0.0.1
JavaGatewayPort=10052
StartJavaPollers = 5

 Configuration file of zabbix_java_gateway (zabbix_java_gateway installation directory/zabbix_java/sbin/setting.sh)

LISTEN_IP="0.0.0.0"
LISTEN_PORT=10052
PID_FILE="/tmp/zabbix_java.pid"
START_POLLERS=5

illustrate

1) The IP address of Zabbix_Server and Zabbix_Java_Gateway on one machine is 192.168.153.181

On the monitored machine, tomcat is installed, and the IP address is 192.168.153.191

The system on both machines is CentOS 6.5

 

2) JMX has been configured on the monitored machine (192.168.153.191) through the previous article, and the firewall (iptable) has opened port 12345.

# Firewall configuration written by system-config-firewall
# Manual customization of this file is not recommended.
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A INPUT -p icmp -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state NEW -m tcp -p tcp --dport 22 -j ACCEPT
-A INPUT -m state --state NEW -m tcp -p tcp --dport 8080 -j ACCEPT
-A INPUT -m state --state NEW -m tcp -p tcp --dport 12345 -j ACCEPT
-A INPUT -j REJECT --reject-with icmp-host-prohibited
-A FORWARD -j REJECT --reject-with icmp-host-prohibited
COMMIT

 

 2. There are problems

Telnet 192.168.153.191 12345 can be connected, but jconsole can't connect, and the hosts item on the zabbix web page can't be connected.



 

 

 

 

 3. Find the cause of the problem

I have never encountered such a strange situation before, so I started to google and baidu all the way. I have searched dozens of articles, but I can't find it. Some articles point out the use of (org.apache.catalina.mbeans.JmxRemoteLifecycleListener This class is in the catalina-jmx.remote.jar package, and a Listener is configured in server.xml. I have not tried it. I think this is a solution. ).

 

I came across an article by Little Japan that made me stunned. The article website: http://www.checksite.jp/jconsole-jmx-tomcat/

 

The configuration is as follows:

 setenv.sh file content

 The settings are as follows. This setting allows you to monitor Tomcat's Java VM from a remote node using JMX (without authentication).

1
2
3
4
5
6
7
8
# cat setenv.sh
#!/bin/sh
 
export CATALINA_OPTS="-Dcom.sun.management.jmxremote=true
                       -Dcom.sun.management.jmxremote.port=10080
                       -Dcom.sun.management.jmxremote.ssl=false
                       -Dcom.sun.management.jmxremote.authenticate=false"
#

The port is set to "10080", but there is no problem even if you use a port number that matches your environment.
Give execute permission as follows.

 

The configuration of iptable is as follows:

In order to be able to connect using JMX from a remote node, use FireWall to open the connection to the JMX port specified in setenv.sh earlier.

Since I am using iptables in my environment, the settings in iptables are described below.

# iptables --list --line-number (← number confirmation)
# iptables --insert INPUT (number) -p tcp -s (source IP) --dport 10080: 65535 -j ACCEPT
# iptables --list --line-number (← additional confirmation)
# / sbin / service iptables save (← save to file)
# cat / etc / sysconfig / iptables (← Check the saved file)

Guess you like

Origin http://10.200.1.11:23101/article/api/json?id=327033404&siteId=291194637
Recommended
Ranking
Empire cms smart tag calls four first-level recommended articles, starting from the fourth article
Linux environment installation and configuration Elasticsearch7.17
Big Data processing architecture and Lambda Kappa architecture
Explore the top of the AI large model platform - Wenxin Qianfan
Beijing car PK10 lucky airship Guanya size and value of the odd and even tips
W3B x Sui Hacker House|In-depth understanding of Sui and Move language
Know almost Ko Chan: Chinese what any decent open source software products? (Finishing from my original answer)
Comprehensively improve AD domain security authentication | Zhuyun IDaaS
Android Update Engine Analysis (24) What happened when making the downgrade package?
Spark Architecture and Operating Mechanism (1) - System Architecture
Daily
More
2024-05-07(34)
2024-05-06(6)
2024-05-05(0)
2024-05-04(18)
2024-05-03(8)
2024-05-02(0)
2024-05-01(4)
2024-04-30(36)
2024-04-29(5)
2024-04-28(12)

Code World

© 2018 codetd.com