Monitoring Your Unix Boxen?
"I know a few people who 'tail -f' the main log files, or who run 'top' every so often. These require constant monitoring though, and you could miss essential error messages if you step away for too long. Are there any projects that do this successfully? I've seen a couple out there that started to do this, but appear to be abandoned.
Ideally, I would like some type of all-in-one, that possibly generates a daily (email/web) report of network statistics, user logins, and (web)server traffic/hits, as well as anything 'suspicious' that might be happening, perhaps what apps have been taking most of the processor time, or if any of the daemons have been busier than they normally would be. I know there probably isn't one single app out there that does all of this, so what's the best configuration, for keeping tabs on multiple machines, something I can skim for a minute or two each day, to make sure things are the way they should be? I want to know what works best, and just as importantly, what *doesn't* work (I do realize that relying on a single solution would be bad here too, so if you have more than one suggestion, that would be appreciated)."
I cron tripwire on an old BSD box I have running and it works well enough. Linxen:
Tripwire.org
FAQ
sourceforge page
I watched C-beams glitter in the dark near the Tannhauser gate.
I've used Big Brother for many years and it is very configurable. You can monitor anything from CPU usage, memory, disk space, available services, to random things like the weather and server room temp.
All that being said, I found it to be flaky in its behavior. Sometimes it would report that everything was not responding and it had to be punted before I would get the all clear. The other negative is the license. The program consists of nothing more than shell/Perl scripts so it's obviously open, but it has some strange clauses about non-commercial use.
Overall, I'd recommend trying something else, because BB was unreliable in my use, but YMMV.
Any network monitoring applet docked to your environment will do for real-time stuff, but for historical logs you should consider keeping MRTG logs as well. MRTG works with *everything* and the log file format it uses doesn't grow over time (magic!)
I use logcheck (available as a Debian package). I run it on only one machine and I have all the other machines send their syslogs to that machine.
-- Don't Tase me, bro!
The extensions for BB are at http://www.deadcat.net/
I also like tripwire. Checksums of files on the system to know if important files have been changed. Last time I used TripWire it had email alerts. The paid-for version has an enterprise monitor.
LogWatch is another. Generates email.
Go through your Linux and BSD daily, hourly and weekly scripts to see all the tools they run by default. These can be moved to most Unixes. Since most of these are shell and Perl programs, some might be adaptable under Windows using ActivePerl or Cygwin.
The hardest part is fine tuning the emails and alerts to those things you really care about.
MRTG is a great SNMP tool and ties in with Big Brother.
I've had to set these up for security purposes at one site, for monitoring a server farm at another site, and for a compile farm for doing builds at my current job.
Nagios rocks my socks. Does everything most commercial apps do, and it's free. Rock solid too.
...but it's being eaten...by some...Linux or something...
I'm running Nagios. It was SAINT, and before that it was known as SATAN. I've also used Big Sister before. That's a pretty good Big Brother clone. Nagios will do what you're after though. Just remember that whatever you build will probably take a while. Creating the config files takes forever.
/* oops I accidentally made a comment, sorry */
I use Orca (but then I'm its author :) ) to monitor Solaris and Linux boxes. I used it at Yahoo!/GeoCities to monitor 200 boxes and it was easy to see when systems were doing odd stuff.
Sample Solaris and Linux plots. The Solaris version shows a whole ton of web server stats.
logcheck will mail you about unusual stuff that appears in log files.
monit will monitor running daemons and can restart them if they crash, use too much CPU/RAM, etc., mailing about anything interesting.
tripwire or lire are nice for monitoring filesystem integrity, but these tools aren't easy to use. The database they use must not be located in a safe place, which can make them impractical.
I think the best thing would be doing all logging to a safe computer that only runs the logging daemon, so that you can be sure you're not missing anything.
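The tripwire idea from this post and the earlier one (checksum important files, keep the database somewhere safe, report what changed) as an added example that is not Tripwire's code or anything from the thread; the file names and the tampering scenario are constructed for the demo.

```python
"""Minimal Tripwire-style integrity check: baseline, snapshot, diff."""
import hashlib
import json
import os
import tempfile


def hash_file(path, chunk=65536):
    """SHA-256 of a file, read in chunks so large binaries are fine."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def snapshot(paths):
    """Return {path: {sha256, size, mode}} for every regular file that exists."""
    snap = {}
    for p in paths:
        if os.path.isfile(p):
            st = os.stat(p)
            snap[p] = {"sha256": hash_file(p), "size": st.st_size,
                       "mode": oct(st.st_mode & 0o7777)}
    return snap


def compare(baseline, current):
    """Classify files as added, removed, or changed (content, size or mode)."""
    added = sorted(set(current) - set(baseline))
    removed = sorted(set(baseline) - set(current))
    changed = sorted(p for p in set(baseline) & set(current)
                     if baseline[p] != current[p])
    return {"added": added, "removed": removed, "changed": changed}


def demo():
    """Constructed scenario: three 'system files'; one is later altered, one deleted."""
    with tempfile.TemporaryDirectory() as d:
        files = [os.path.join(d, n) for n in ("passwd", "sshd_config", "ls")]
        for p in files:
            with open(p, "w") as f:
                f.write("original contents of " + os.path.basename(p))
        # The baseline would live off-host or on read-only media; JSON stands in for that DB.
        baseline = json.loads(json.dumps(snapshot(files)))
        with open(files[2], "a") as f:       # simulate tampering with a binary
            f.write("\n# modified")
        os.remove(files[1])                  # simulate a deleted config file
        report = compare(baseline, snapshot(files))
        return {k: [os.path.basename(p) for p in v] for k, v in report.items()}


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```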
Logwatch is a pretty decent system. It comes with Red Hat (and probably other distributions as well) and mails you a summary of the system log. The main thing I use it for is to keep track of what IPs are connecting to which services how many times.
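The summary this post describes (which IPs hit which services, how often) plus the logcheck-style "anything not on the ignore list" section, as an added example that is not Logwatch or logcheck code; the syslog lines and the ignore patterns are constructed for the demo.

```python
"""Daily syslog summary: per-service client counts, failed logins, unusual lines."""
import re
from collections import Counter

# Classic BSD syslog layout: "Mon  d HH:MM:SS host prog[pid]: message"
SYSLOG_RE = re.compile(r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) (?P<host>\S+) "
                       r"(?P<prog>[^\[:]+)(?:\[\d+\])?: (?P<msg>.*)$")
IP_RE = re.compile(r"\b(\d{1,3}(?:\.\d{1,3}){3})\b")
# Routine "prog: msg" lines to leave out of the unusual section (constructed ignore list)
IGNORE = [re.compile(p) for p in (r"^CRON: ", r"^sshd: Accepted ", r"^vsftpd: CONNECT: ")]

# Constructed sample log using documentation (RFC 5737) addresses
SAMPLE_LOG = [
    "Mar  4 03:12:01 web1 sshd[2231]: Accepted publickey for alice from 192.0.2.10 port 51022 ssh2",
    "Mar  4 03:12:07 web1 sshd[2240]: Failed password for invalid user admin from 198.51.100.7 port 40111 ssh2",
    "Mar  4 03:12:09 web1 sshd[2241]: Failed password for invalid user admin from 198.51.100.7 port 40112 ssh2",
    'Mar  4 03:13:00 web1 vsftpd[2300]: CONNECT: Client "192.0.2.10"',
    "Mar  4 03:14:30 web1 kernel: [12345.678] Out of memory: Kill process 2111 (httpd)",
    "Mar  4 03:15:00 web1 CRON[2400]: (root) CMD (run-parts /etc/cron.hourly)",
]


def parse(line):
    """Split one syslog line into fields, or None if it does not fit the layout."""
    m = SYSLOG_RE.match(line)
    return m.groupdict() if m else None


def summarize(lines):
    connections = Counter()   # (program, client IP) -> number of lines
    failures = Counter()      # client IP -> failed password attempts
    unusual = []              # everything not matched by an ignore pattern
    for line in lines:
        rec = parse(line)
        if rec is None:
            unusual.append(line)          # unparseable lines deserve a look too
            continue
        ip = IP_RE.search(rec["msg"])
        if ip:
            connections[(rec["prog"], ip.group(1))] += 1
            if "Failed password" in rec["msg"]:
                failures[ip.group(1)] += 1
        if not any(p.search(f"{rec['prog']}: {rec['msg']}") for p in IGNORE):
            unusual.append(line)
    return {"connections": dict(connections), "failures": dict(failures), "unusual": unusual}


if __name__ == "__main__":
    for key, value in summarize(SAMPLE_LOG).items():
        print(key, value)
```

Cron the script against the previous day's log on the central syslog host and mail the output; the ignore list is where the tuning effort the thread talks about goes.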
Have you looked at http://www.adminux.com? It does security monitoring, error monitoring, performance monitoring. Cross-platform support. It does cost... I used it to monitor 50 HP-UX boxes, 30 AIX boxes, some Suns, and Linux systems.
Palantir can be found at www.netsonde.com. It's a system not entirely unlike Nagios, written mostly in Perl. Works with all the Unix-like OSs I can think of in addition to Windows.
You need a central syslog server. Syslogd can automatically send its logs to a central syslog server using UDP. Just look in your syslog.conf.
We've got a nifty setup where we have syslog-ng running on our central syslog server. syslog-ng then squirts the data directly into a MySQL database. We've then got a custom PHP interface which sorts the errors by severity and colour codes them so we can always see what is going on. Our switches write to it. Our Nokia firewalls write to it. Even the F5 load balancers and the Network Appliance NAS systems. It's so useful that we have installed ntsyslog onto our Win2k servers so that all the info is in one place.
The Romans didn't find algebra very challenging, because X was always 10
I had good experience with the following tools: Cacti
It's based on RRD, the successor of MRTG (not much developed anymore, but still a good tool). Thanks Tobi btw.
OpenNMS is a really powerful realtime monitoring tool
Nagios also...
Don't forget snort for your IDS needs and add acidlab for good visualization of snort's results.
I could be wrong here, but I think there is a history involved. Back in the day, there was no good plural for "VAX", and many DEC people started referring to "VAXen" (these were, after all, the same people who often called themselves "VAXherds".) I believe "boxen" to be derived from "VAXen", and as such I find it has a certain old-fashioned charm.
This next song is very sad. Please clap along. -- Robin Zander
I've been extremely impressed with Cacti for statistic monitoring. It can be found at: http://www.raxnet.net/products/cacti/ It's quite easy to set up, and for larger sites, it has an excellent user privilege system.
It's skinnable, configurable and supports plugins. I've seen it working on Solaris and Linux, YMMV. It's here (with screenshots).