> I run several standard services (Web, Mail, DNS, …) and have configured Munin
> to graph traffic and see what happened.

Good for you. I don't know if Munin is the go-to tool for this in OpenBSD, so I'm seconding your query for comparative or "works-for-me" type of (fresh) info, or search the mail archives. Probably Munin's trips and basic alert capabilities can help you sort out your email feedback purposes, or you could further use a Nagios / Icinga monitoring and alert-generating tool. One comment: the trouble with these types of tools (Munin-like) is the lack of filters / plugins / lenses for the specific service (or operating system) you (want to) use, and such integration being out of date. Yet they provide graphs, which may be a powerful analytic tool.

> I was wondering what was the usual OpenBSD way for proactive/real-time
> traffic monitoring and alerting.

Same thoughts here; there are some ports related to rrd, snmp, service-specific live stat (top-like) / graphing tools in the likes of: symon, pfstat, collectd, mrtg, nfsen, etc etc. Most probably you want to pick your specific solution based on your needs from the options available as ports.

> That is, which software to use that would, for example, read HTTPD logs and
> alert if req/sec from same IP is over 50 ?

Log processing at run time is probably not the best solution for reacting to live events, unless it's a tool specifically designed to do that. Apache has a scoreboard, which I am not entirely sure is a good idea either, and not many tools process that; despite being a valid approach, in my practice this has been mostly difficult to tie to something useful apart from self-hacked scripts. That said, you can get the details from the network stack (pf and related), a relaying front-end service, the actual service's live status output (if it provides state details), logging of the service details (verbosity), log processing of its output (virtual host logs), higher-level self-awareness if the service runs scripts or procedures in the respective application, etc.

Relayd(8) has relayctl(8); many other services too have the respective "apropos ctl" tool. It may be worth checking this option first as a front-end stats point between the network and the web service. This may be extremely premature, out of scope or unworthy of expectation and/or implementation, but a third-party tool (e.g. your choice so far being Munin) monitoring the output of the respective, so far hypothetical, httpctl may be a solution too. I would not count on this though, as the httpd in base has been conservative in features so far.
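As an added example (not part of this thread, and not httpd's or Munin's own code), here is the "over 50 req/sec from the same IP" check from the original question written as a small log processor: it parses common/combined access-log lines, counts requests per client per one-second bucket, and reports clients whose peak exceeds the threshold. It accepts both the Apache layout (client first) and the layout OpenBSD httpd(8) writes (virtual-host name first); the log lines below are constructed samples.

```python
import re
from collections import defaultdict
from datetime import datetime

# Common/combined log line. httpd(8) prefixes the server (vhost) name, Apache
# does not; the optional leading field plus backtracking handles both. Only the
# client address and the timestamp are needed for a rate check.
LOG_RE = re.compile(
    r'^(?:\S+ )?(?P<host>[0-9a-fA-F.:]+) \S+ \S+ \[(?P<ts>[^\]]+)\] ')

def parse_line(line):
    """Return (client_ip, epoch_second) or None if the line does not match."""
    m = LOG_RE.match(line)
    if m is None:
        return None
    ts = datetime.strptime(m.group('ts'), '%d/%b/%Y:%H:%M:%S %z')
    return m.group('host'), int(ts.timestamp())

def rate_offenders(lines, threshold=50):
    """Map client -> peak requests in any single second, for clients whose
    peak is above threshold. Unparseable lines are skipped, not fatal."""
    buckets = defaultdict(int)          # (ip, second) -> request count
    for line in lines:
        parsed = parse_line(line)
        if parsed is not None:
            buckets[parsed] += 1
    peaks = {}
    for (ip, _second), n in buckets.items():
        if n > threshold:
            peaks[ip] = max(peaks.get(ip, 0), n)
    return peaks

# Constructed sample: one client sends 60 requests inside one second (Apache
# layout), a second client sends 3 (httpd layout), plus one garbage line.
SAMPLE = (
    ['192.0.2.10 - - [01/Jan/2024:12:00:00 +0000] "GET / HTTP/1.1" 200 512 "-" "curl/8.0"'] * 60
    + ['www.example.com 198.51.100.7 - - [01/Jan/2024:12:00:00 +0000] "GET /x HTTP/1.1" 404 0'] * 3
    + ['not a log line']
)

if __name__ == '__main__':
    for ip, n in rate_offenders(SAMPLE).items():
        print(f'ALERT {ip}: {n} requests in one second exceeds 50')
```

In practice the same functions can be fed from a tail of the access log; fixed one-second buckets are used here because that is what "req/sec" in the question literally asks for.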