Best way to do interface graphs?
list Stewart L
so, I have a number of routers and switches. I want to graph interface utilization and errors for them. What is the best way to do that?
--
Stewart
The revolution will not be televised.
The revolution will be no re-run brothers;
The revolution will be live.
list Vernon Everett
Hi all
Hoping somebody has encountered this before.
We have put BBWin on a few Windoze servers, but one of them, a DC, has a
HUGE event log.
So large, that hobbit is freaking out, and doing the "Data flooding from
1.2.3.4, closing connection" thing.
I know this is hobbit protecting itself from a DOS attack, but is there
a way around this?
Can I somehow tell hobbit not to do this for that IP address?
Unfortunately, because of its function, we can't reduce the logging on
the Windoze server, so we need to either
a) get hobbit to handle the problem (desirable solution)
b) get bbwin to truncate the event log (less desirable)
Anybody seen this problem before?
Any ideas?
Regards
Vernon
list Mike Rowell
I believe devmon can handle this... However if you want something simple then mrtg is the way to go, well for bandwidth at least. You can then use bb-mrtg to integrate your mrtg stats into hobbit. Mike
From: Stewart L [mailto:user-a046134cfd06@xymon.invalid]
Sent: 17 April 2008 20:37
To: Hobbit Mailing List
Subject: [hobbit] Best way to do interface graphs?
list Buchan Milne
On Thursday 17 April 2008 21:37:21 Stewart L wrote:
so, I have a number of routers and switches. I want to graph interface utilization and errors for them. What is the best way to do that?
I am graphing all the interfaces on our 6 Cisco 6500 switches (another 2 by next week), 2 7600s, a 7200 router, and 4 PIX firewall pairs (6 other pairs need IOS upgrades before they will have any interface data to graph) with devmon, using the devmon rrd collector module shipped as a patch in the 0.3.0 final release.
$ ls /var/lib/hobbit/rrd/*/if_load*.rrd|wc -l
1487
I am not currently graphing errors, but it should be relatively easy. Add the rrd option to the table in the message file for the test, add 'if_err=devmon' to TEST2RRD (you should kill the hobbitd_rrd to get it to restart with this environment variable updated), and create a graph configuration for if_err (would be relatively similar to the one for if_load shipped in extras/devmon-graph.cfg).
I am actually more interested in adding graphs for discards on the firewall templates (as our internet-facing firewall has quite a high discard rate). I have some other changes to make to the templates, so if error and discard graphs are of interest to others, I can probably get a new template release out pretty soon.
Regards,
Buchan
list Stewart L
Any chance folks have done templates for Fortinet Firewalls? I'm sure I can whip them out if not. I'm already doing custom graphs via ncv for cpu, memory, sessions, etc. I was planning on releasing my custom script to the shire next week.
Stew
On Fri, Apr 18, 2008 at 8:37 AM, Buchan Milne <user-9b139aff4dec@xymon.invalid> wrote:
--
Stewart
The revolution will not be televised.
The revolution will be no re-run brothers;
The revolution will be live.
list Buchan Milne
On Friday 18 April 2008 14:49:55 Stewart L wrote:
Any chance folks have done templates for Fortinet Firewalls? I'm sure I can whip them out if not. I'm already doing custom graphs via ncv for cpu, memory, sessions, etc.
Well, devmon does graphs for cpu and memory as well. Creating new templates is very easy. If you get stuck, send me the snmpwalk output, and I'll see if I can help. But see the documentation in docs/TEMPLATES, and you may also want to use a MIB browser (e.g. the online one at http://www.mibdepot.com, or maybe a new open-source one I've recently seen at http://sf.net/projects/snmpb). Basically, if you can see the values in the snmpwalk output, we can graph it ...
Regards,
Buchan
list Henrik Størner
On Fri, Apr 18, 2008 at 09:03:56AM +0800, Everett, Vernon wrote:
Hoping somebody has encountered this before. We have put BBWin on a few Windoze servers, but one of them, a DC, has a HUGE event log. So large, that hobbit is freaking out, and doing the "Data flooding from 1.2.3.4, closing connection" thing. I know this is hobbit protecting itself from a DOS attack, but is there a way around this? Can I somehow tell hobbit not to do this for that IP address?
No.
Unfortunately, because of its function, we can't reduce the logging on
the Windoze server, so we need to either
a) get hobbit to handle the problem (desirable solution)
Only way to do that would be to change the MAX_HOBBIT_INBUFSZ definition in hobbitd/hobbitd.c. It is currently 10 MB:

    /*
     * The absolute maximum size we'll grow our buffers to accomodate an
     * incoming message.
     * This is really just an upper bound to squash the bad guys trying to
     * data-flood us.
     */
    #define MAX_HOBBIT_INBUFSZ (10*1024*1024)       /* 10 MB */

Regards,
Henrik
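Henrik's define is a flood guard on inbound message size; as an added example, not hobbitd's own code, this C sketch shows what such a bounded inbound buffer looks like and why a legitimately noisy client like the DC above trips it exactly as a hostile sender would, so raising the cap only moves the point at which one connection can pin 10 MB of server memory. The names inbuf_t, inbuf_append and simulate_client are assumptions of this example.

```c
#include <stdlib.h>
#include <string.h>
#define MAX_INBUFSZ (10*1024*1024)   /* the same 10 MB ceiling hobbitd uses */

/* Added example, not hobbitd's code: a growable inbound buffer that refuses
 * to grow past a hard limit, which is what MAX_HOBBIT_INBUFSZ enforces. */
typedef struct {
    char *data;
    size_t used, cap, limit;   /* received, allocated, hard ceiling */
} inbuf_t;

int inbuf_init(inbuf_t *b, size_t limit)
{
    b->used = 0; b->limit = limit; b->cap = (limit < 4096) ? limit : 4096;
    return (b->data = malloc(b->cap)) ? 0 : -1;
}

/* Append one chunk from the socket: 0 on success, -1 when the message would
 * exceed the ceiling (caller logs "Data flooding from <ip>, closing connection"). */
int inbuf_append(inbuf_t *b, const char *chunk, size_t n)
{
    if (n > b->limit - b->used)          /* phrased so used + n cannot wrap */
        return -1;
    if (b->used + n > b->cap) {
        size_t newcap = b->cap;
        while (newcap < b->used + n)     /* double, but never beyond limit */
            newcap = (newcap > b->limit / 2) ? b->limit : newcap * 2;
        char *p = realloc(b->data, newcap);
        if (!p) return -1;
        b->data = p;
        b->cap = newcap;
    }
    memcpy(b->data + b->used, chunk, n);
    b->used += n;
    return 0;
}

/* Constructed client sending `total` bytes of filler in 4 KB pieces.
 * Returns 1 if the whole message was accepted, 0 if the flood guard tripped. */
int simulate_client(size_t total, size_t limit)
{
    static const char piece[4096] = {0};
    inbuf_t b;
    int ok = 1;
    if (inbuf_init(&b, limit) != 0) return -1;
    for (size_t sent = 0; sent < total && ok; sent += sizeof piece)
        ok = inbuf_append(&b, piece, (total - sent < sizeof piece)
                                     ? total - sent : sizeof piece) == 0;
    free(b.data);
    return ok;
}
```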
list Etienne Grignon
Hello Vernon,
2008/4/18, Everett, Vernon <user-9da1a1882f49@xymon.invalid>:
Hoping somebody has encountered this before.
We have put BBWin on a few Windoze servers, but one of them, a DC, has a HUGE
event log.
So large, that hobbit is freaking out, and doing the "Data flooding from
1.2.3.4, closing connection" thing.
I know this is hobbit protecting itself from a DOS attack, but is there a
way around this?
Can I somehow tell hobbit not to do this for that IP address?
Unfortunately, because of its function, we can't reduce the logging on the
Windoze server, so we need to either
a) get hobbit to handle the problem (desirable solution)
b) get bbwin to truncate the event log (less desirable)
Do you use the central or local mode of BBWin? Depending on the mode you use, you may add ignore rules in your BBWin.cfg (local mode) or client-local.cfg (win32 section) on the hobbit server.
Example for local mode in BBWin.cfg:

    <ignore logfile="Application" type ="Error" eventid="2001" />

Example for central mode in client-local.cfg:

    [win32]
    eventlog:application
    ignore 2001

--
Etienne GRIGNON
list Vernon Everett
Hi Etienne
This sounds like a good plan.
I think my knowledge of Windoze and BBWin is too lacking for me to think
of this sort of thing on my own.
The bulk of the noise is coming through in the "Full log
eventlog_security" section.
Most of them are lines like this one
success - 2008/04/28 10:41:34 - Security (680) - Logon attempt by:
MICROSOFT_AUTHENTICATION_PACKAGE_V1_0 Logon account: xxxxxx Source
Workstation: ABCDEFG Error Code: 0x0
The lines start with "success", and appear to end with "Error Code: 0x0"
I tried both these entries in client-local.cfg :
[win32]
eventlog:security
ignore success
It gave me no joy, but according to the comments in client-local.cfg, I
would have expected it to.
Or should it look like this
[win32]
eventlog:security
ignore 0
This did the trick.
Can you confirm that it would only remove the return code 0x0, and not
remove all lines containing a 0?
Thanks
Vernon
-----Original Message-----
From: Etienne Grignon [mailto:user-87c74c1037a4@xymon.invalid] Sent: Thursday, 24 April 2008 4:51 PM
To: user-ae9b8668bcde@xymon.invalid
Subject: Re: [hobbit] Flooding hobbit