BryanBecker replied on 06-05-2007 12:11 PM

rated by 0 users

How does this work when your Cirrus server and Orion server are separate boxes?  Furthermore in our design the server running the Orion web site is in a DMZ.

TIA.

BB

 

aLTeReGo replied on 06-05-2007 3:31 PM

rated by 0 users

This may not be as cool, or it might be ever cooler, depending on your point of view. You can create a custom link in Orion to view the running or startup configuration of any Cisco device running the http daemon with the following links, no Cirrus needed

https://${nodename}/level/15/exec/-/show/running-config/CR

https://${nodename}/level/15/exec/-/show/startup-config/CR

Network_Guru replied on 06-06-2007 8:41 PM

rated by 0 users

 Have a look here for more info on configuring your Cisco devices to allow HTTP(S) uploads & downloads.
You can even configure your devices using this method.
 

BryanBecker replied on 06-14-2007 8:28 PM

rated by 0 users

Mithrilhall:

So, can this work if Cirrus & Orion are on different boxes?

That's what I want to know.  We have 2 Cirrus boxes, 1 Orion NPM and 4 Orion pollers.  All of them connect to 1 DB server but they have seperate DBs.

BB
 

Malvado replied on 06-21-2007 3:00 PM

rated by 0 users

Is there any way to get the reports to show up without having to download the files everyday? We only download the files when there is a change.

Malvado replied on 06-21-2007 3:36 PM

rated by 0 users

Great News...

How would you do that so it shows the last downloaded config?

rdeprez replied on 07-02-2007 6:12 PM

rated by 0 users

Haley:

We commonly receive requests to be able to view configurations, config change reports, and inventory reports from the Cirrus Configuration Manager from the Orion web console. 

This feature has been available in the Additional Components section of the Customer Area for quite some time but many users were not aware of its existence.  To make it easier, I have included links to the two additional components below. 

View Configs from the Orion Website:

 ftp://ftp.solarwinds.net/cmb03/cirrus/ConfigListing.zip

View Cirrus Reports from the Orion Website:

 ftp://ftp.solarwinds.net/cmb03/cirrus/Cirrus-Reports-View.zip

     

I downloaded the Config listing enhancement and followed the install instructions. It was working fine and then I noticed that adding this code creates an ENORMOUS security hole in Orion. I hope the Solarwinds engineers take notice of this and fix it immediately.

First off, the page accepts un-validated strings to display files on the local server using the permissions of the user running IIS. This allows you to trivially modify the path to the config to something more interesting like the Windows SAM, the hosts file, or any number of XSS vulnerabilites. The page will happily display it.

EVEN WORSE, there is no validation being done that the user is even logged into ORION. So esentially it opens up annonymous file browsing of the entire server and all of the configs you have stored on it.

I have made some changes to the ConfigListing.asp that will validate that the user is logged in and validate the input at least matches the first 5 levels of the directory tree where the configs exist. As you read the code please keep in mind I am not a developer so this is probably very ugly, and may itself have it's own flaws but it at least addresses the problems I outlined above.(not 100% sure this resolves all XSS though) 

Save this text into ConfigListing.asp and use it instead of the one provided by SolarWinds. Alter the variables used in the "vpath" array to match the first 5 levels of where you are storing your configs. In this it will expect the configs to be in d:\Program Files\SolarWinds\Configuration Management\Config-Archive

rdeprez replied on 07-03-2007 2:50 PM

rated by 0 users

Haley:

We commonly receive requests to be able to view configurations, config change reports, and inventory reports from the Cirrus Configuration Manager from the Orion web console. 

This feature has been available in the Additional Components section of the Customer Area for quite some time but many users were not aware of its existence.  To make it easier, I have included links to the two additional components below. 

View Configs from the Orion Website:

 ftp://ftp.solarwinds.net/cmb03/cirrus/ConfigListing.zip

View Cirrus Reports from the Orion Website:

 ftp://ftp.solarwinds.net/cmb03/cirrus/Cirrus-Reports-View.zip

     

I just tried out the Cirrus Report viewer that is being distributed by Solarwinds and found the same issues in it as in the Config viewer which are detailed in my above post. The Changes I used to fix it are below. I hope Solarwinds notices this thread and fixes the packages they are distributing.

To ensure the user is logged in and to perform input validation to the page follow the steps provided by SolarWinds to setup viewing Cirrus Reports. Once that is complete replace the CirrusReportAction.asp file with the text below. It assumes that the path for the reports is d:\InetPub\SolarWinds\NetPerfMon\Reports. If that is not how it is in your environemnt alter the variables loaded into the vpath array to match your path.(it is case sensitive)