Xymon Mailing List Archive search

Monitoring network traffic

list Rolf Schrittenlocher
Mon, 8 Apr 2024 04:58:05 +0000
Message-Id: <user-9ca0c1413c49@xymon.invalid>

Good morning,


thanks, I found DS on the man page (the explanations in analysis.cfg's comments don't show it). As far as I understand it is unfortunately not suitable:

"NOTE: This rule uses the raw data value from a client to examine the rules. So this type of test is only really suitable for datasets that are of the "GAUGE" type. It cannot be used meaningfully for datasets that use "COUNTER" or "DERIVE" - e.g. the datasets that are used to capture network packet traffic - because the data stored in the RRD for COUNTER-based datasets undergo a transformation (calculation) when going into the RRD. Xymon does not have direct access to the calculated data."


Bad luck,

cheers

Rolf


Rolf Schrittenlocher

Bibliotheksmanagementsystem IT | IT-Services (ITS)


Universitätsbibliothek Johann Christian Senckenberg

Goethe-Universität Frankfurt  |  Campus Bockenheim

Zentralbibliothek  |  Freimannplatz 1

60325 Frankfurt am Main  |  GERMANY

Phone (switchboard) +49 (0)69  798 28830

Phone (direct) +49 (0)69  798 28908

E-mail: user-64314bfd1eb5@xymon.invalid

E-mail (personal) user-c8b69be9a15a@xymon.invalid

Website: https://www.ub.uni-frankfurt.de


From: Xymon <xymon-bounces at xymon.com> on behalf of Jeremy Laidman <user-0608abae5e7c@xymon.invalid>
Sent: Sunday, 7 April 2024 11:06
To: xymon at xymon.com
Subject: Re: [Xymon] Monitoring network traffic

Check out the DS option in analysis.cfg. This can perform a threshold operation on an RRD file value.

J

On Fri, 5 Apr 2024, 19:46 Jeremy Ruffer, <user-6d8e227afca3@xymon.invalid> wrote:
Hi Rolf,

You could try using rrdfetch to get the data that Trends uses.

HTH

Jeremy

------ Original Message ------
From: "Schrittenlocher, Rolf" <user-c8b69be9a15a@xymon.invalid>
To: "nor krie" <user-ff2afb5e635f@xymon.invalid>; "Josh Luthman" <user-4c45a83f15cb@xymon.invalid>
Cc: "Xymon at xymon.com" <Xymon at xymon.com>
Sent: 05/04/2024 05:32:01
Subject: Re: [Xymon] Monitoring network traffic


Hi,

@Josh : Yes I saw it, I hoped there's an easy way to reuse the data used for the trends presentation

@Norbert : Thanks a lot, that helps a lot. I'll adapt it to our needs


Kind regards

Rolf




From: nor krie <user-ff2afb5e635f@xymon.invalid>
Sent: Thursday, 4 April 2024 23:27
To: Josh Luthman
Cc: Schrittenlocher, Rolf; Xymon at xymon.com
Subject: Re: [Xymon] Monitoring network traffic

Hi,

I created a server side script for all the *nix servers where I extract the network info from the clientlog.
The script identifies all servers with an ssh column (this is clearly a *nix server) and then loops over all these targets to create a "nic" column with interface info.
Nothing to configure especially, a new *nix server will be automatically identified and get the column with detailed info and some graphs.

Some snippets to get the idea:


# grab all client info
get_all_info(){
  $XYMONBIN localhost "clientlog $TARGET"
}

ALLINFO=`get_all_info`

##################################################
# grab the nic details
get_nic_info(){
  echo "$ALLINFO" | \
    $NAWK '/^\[ifconfig/,/^\[route/' | \
    $GREP -v "^\["
}

##################################################
# grab the route
get_route_info(){
  echo "$ALLINFO" | \
    $NAWK '/^\[route/,/^\[netstat/' | \
    $GREP -v "^\["
}

##################################################
# grab the ports
get_ports_info(){
  ALLPORTS=`echo "$ALLINFO" | \
    $NAWK '/^\[ports/,/^\[ifstat/' | \
    $GREP -v "^\["`
  # distinct TCP states (last field of each tcp line)
  PORTSTATUS=`echo "$ALLPORTS" | \
    $NAWK '/^tcp/{print $NF}' | \
    $SORT -u`
  for stat in $PORTSTATUS
  do
    # count the lines that mention this state
    NUM=`echo "$ALLPORTS" | \
         $NAWK 'BEGIN{i=0}
                /'$stat'/{i++}
                END{print i}'`
    echo "tcp ports in status $stat: $NUM"
  done
}

# create the output to send to xymon

    echo "<h4>interface info</h4>"
    get_nic_info

    echo "<h4>route info</h4>"
    get_route_info

    echo "<h4>active tcp connections</h4>"
    get_ports_info

    showgraph ifstat_kB


All these data are then sent to the xymon server daemon and create a nic column.

A complete run over 500 servers will take approx. 60 secs (but you can run more scripts in parallel if needed).


HTH


Norbert

On Thu, 4 Apr 2024 at 19:21, Josh Luthman <user-4c45a83f15cb@xymon.invalid> wrote:
The clientlog includes [netstat] which has a snapshot of activity in text

The trends puts it in a pretty graph stored in rrd.

On Thu, Apr 4, 2024 at 4:30 AM Schrittenlocher, Rolf <user-c8b69be9a15a@xymon.invalid> wrote:

Hi,


thanks Axel. I just saw that "trends" shows network traffic. So the data is already collected and available on the server. xymon server is Linux, only the clients are Solaris. So can someone tell me how I can access the data either with a client script or on server side?


kind regards

Rolf




From: Axel Beckert <user-bc188e45dae4@xymon.invalid>
Sent: Thursday, 4 April 2024 10:17
To: Schrittenlocher, Rolf
Cc: Xymon at xymon.com
Subject: Re: [Xymon] Monitoring network traffic

Hi Rolf,

Schrittenlocher, Rolf wrote on Thu, Apr 04, 2024 at 07:45:58AM +0000:
> Our challenge at the moment is how to monitor traffic quantity in/out in
> order to detect suspicious activities on Solaris 10. Is there a
> way to do this with xymon?

Definitely. ;-)

For our own use (in a university, too :-) and published via Debian's
hobbit-plugins package, I've written a plugin simply called "net"
which can check many network interface characteristics including
monitoring network traffic (calculating bytes/second average from the
rx/tx difference of 10 seconds), but so far it's just for Linux and
uses common Linux commandline tools and
/proc/ links:

https://salsa.debian.org/debian/hobbit-plugins/-/blob/master/src/usr/lib/xymon/client/ext/net

(It also uses the Hobbit.pm Perl module from the same package:
https://salsa.debian.org/debian/hobbit-plugins/-/blob/master/src/usr/share/perl5/Hobbit.pm)

It though shouldn't be too hard to adapt it to some Solaris
commandline tools and their output. I'm just not sure how to convert
the /proc/ stuff. Maybe there's a Linux compat mode like in FreeBSD?
(Haven't touched any Solaris for like 20 years or so, back when I was
a student.)

                Regards, Axel
--
PGP: 2FF9CD59612616B5      /~\  Plain Text Ribbon Campaign, http://arc.pasp.de/
Mail: user-bc188e45dae4@xymon.invalid  \ /  Gegen HTML in E-Mails und Usenet
Mail+Jabber: user-0064bde8d49d@xymon.invalid  X
https://axel.beckert.ch/   / \  I love long mails: https://email.is-not-s.ms/
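
Added example, not part of any message in this thread: the thread notes that the DS rule only sees raw COUNTER/DERIVE values and suggests rrdfetch instead, so this sketch thresholds the per-second rates that "rrdtool fetch" prints. The function names, the sample data, the DS names bytesSent/bytesReceived and the RRD path in the comment are assumptions.

```shell
#!/bin/sh
# Constructed sample in the layout printed by "rrdtool fetch FILE AVERAGE":
# a header line with the DS names, a blank line, then "<epoch>: <rate> ...".
# Rates are already bytes/second; unknown samples appear as nan/-nan.
sample_fetch() {
cat <<'EOF'
                     bytesSent       bytesReceived

1712217600: 1.2000000000e+04 3.4000000000e+04
1712217900: 1.5000000000e+04 2.9000000000e+04
1712218200: 9.8000000000e+06 4.1000000000e+04
1712218500: -nan -nan
EOF
}

# traffic_color WARN_BPS CRIT_BPS   (reads fetch output on stdin)
# Prints "<color> <dataset> <peak bytes/s>" for the busiest dataset,
# or "clear none 0" when the window holds no known samples.
traffic_color() {
  awk -v warn="$1" -v crit="$2" '
    NR == 1 { n = NF; for (i = 1; i <= n; i++) name[i] = $i; next }
    $1 ~ /^[0-9]+:$/ {
      for (i = 1; i <= n; i++) {
        v = $(i + 1)
        if (v ~ /nan/) continue            # skip unknown samples
        seen++
        if (v + 0 > peak[i]) peak[i] = v + 0
      }
    }
    END {
      if (!seen) { print "clear none 0"; exit }
      worst = 1
      for (i = 2; i <= n; i++) if (peak[i] > peak[worst]) worst = i
      color = "green"
      if (peak[worst] >= warn) color = "yellow"
      if (peak[worst] >= crit) color = "red"
      printf "%s %s %d\n", color, name[worst], peak[worst]
    }'
}

# Against live data (path layout is an assumption, adjust to your server):
#   rrdtool fetch "$XYMONVAR/rrd/$HOST/ifstat.$IF.rrd" AVERAGE -s -15min \
#     | traffic_color 1000000 5000000
```

The first word of the result can be used as the colour of a status message sent to the Xymon server for a custom column.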