In message <[email protected]>,
Thomas Wollner writes:
>I'm thinking about integrating SEC within the nagios eventstream
>directly to have more correlation capabilities within nagios.
Cool.
>I want to correlate events based on i.e. device-locations:
>If I receive 2 or more events from the same location in a 1min
>timewindow, then check the location routers and maybe find a
>"location" down event and suppress the "symptoms".
Well some of that can be done directly in nagios with the parent
attribute of the host object.
I haven't had much success setting up a topology map in SEC however.
If the host names provide info about how things are laid out
(e.g. host.site.example.com) you can do some site correlation
(e.g. more than three hosts are reporting high cpu temps may indicate
a cooling failure at a site), but telling SEC that host B is
downstream of host A is more difficult.
I have had to write individual rules for each case rather than a
general set of rules and contexts that allow me to determine
relationships between the hosts or services.
These rules can be autogenerated, but it is still a pain.
>Now I'm wondering if there are any "best practice recipes" on how to
>integrate the nagios eventstream with SEC?
What I did was three patches:
1) put in event broker calls in the main nagios loop
2) change the configuration objects to control which events/services
went through sec.
3) a new event broker module that is called at the points in (1)
I claim it's best practice to use a NEB module for sending events to
the external correlator. Sadly my patches had to be more intrusive
than I would have liked because the event broker module has no way to
change the object definitions and add info to the object definitions.
Also I wouldn't use a fifo to hold the data between sec and nagios. I
was overflowing fifos and had to go to files (which get rotated by a
control channel in nagios) to not lose events or hang nagios (by doing
a blocking write).
But other than that no opinions.
>Some mails from John P.
>Rouillard, which I found on the list, have shown that he listens to
>nagios/event_stream and nagios.log.
>I found some patches for nagios on the SEC pages, but they seem
>outdated (nagios v1).
The patches at:
http://www.cs.umb.edu/~rouilj/sec_nagios/dist-1.0b1.tgz
with documentation at:
http://www.cs.umb.edu/~rouilj/sec_nagios/nagios_sec_manual.txt
are for nagios 2.6 and I have applied them to 2.9 (which I run in
production). They were supposed to be applied to the nagios core early
in the 3.0 alpha series but fell through the cracks, and things have
changed in nagios 3.x sufficiently that they don't apply cleanly
(particularly for the service control objects) anymore.
I have had a couple of people ask about them in the 3.0 series and I
know one person was going to rework them for 3.x, but I don't know
what the status is.
>Maybe John or others want to share his knowledge and experience
>on that topic?
All in all it works well. With the new jump capability in SEC it works
better with larger rules sets. I usually create separate rules files
for each service I want to manipulate at least initially to reduce the
impact of reloading the rule sets.
As I mention above setting up a topology map in SEC is somewhat
tricky.
--
-- rouilj
John Rouillard
===========================================================================
My employers don't acknowledge my existence much less my opinions.
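The site correlation sketched in the exchange above (two or more host DOWN events from the same site inside a one-minute window, then check the site's router, then suppress the per-host "symptoms" while the site is known to be down) can be written as a small sliding-window correlator. The block below is an added example, not code from the thread, from John Rouillard's patches, or from SEC itself; it mirrors what a SingleWithThreshold rule that creates a context, followed by a Suppress rule keyed on that context, would do in SEC, but runs stand-alone in Python. The Nagios log lines, the host.site.example.com naming, the router state table, and the names SiteCorrelator, router_is_down and run are all constructed for the example.

```python
import re
from collections import defaultdict, deque

# Constructed sample of Nagios host alerts (made up for this example, not
# taken from the thread). Host names follow the host.site.example.com layout
# mentioned in the message, so the site is recoverable from the name.
LOG_LINES = [
    "[1240000000] HOST ALERT: sw1.bos.example.com;DOWN;HARD;3;CRITICAL - Host Unreachable",
    "[1240000010] HOST ALERT: db2.bos.example.com;DOWN;HARD;3;CRITICAL - Host Unreachable",
    "[1240000025] HOST ALERT: web7.bos.example.com;DOWN;HARD;3;CRITICAL - Host Unreachable",
    "[1240000030] HOST ALERT: fs1.nyc.example.com;DOWN;HARD;3;CRITICAL - Host Unreachable",
    "[1240000045] HOST ALERT: fs2.nyc.example.com;DOWN;HARD;3;CRITICAL - Host Unreachable",
    "[1240000400] HOST ALERT: app3.bos.example.com;DOWN;HARD;3;CRITICAL - Host Unreachable",
]

# Constructed router state per site, standing in for the "check the location
# routers" step (in SEC this would be an external command run by the action).
ROUTER_STATE = {"bos": "DOWN", "nyc": "UP"}

# Epoch timestamp, host label, site label; only HARD/SOFT DOWN lines match.
HOST_DOWN = re.compile(
    r"^\[(\d+)\] HOST ALERT: ([^.;]+)\.([^.;]+)\.example\.com;DOWN;")


def router_is_down(site):
    """Hypothetical site check: consult the constructed router table."""
    return ROUTER_STATE.get(site) == "DOWN"


class SiteCorrelator:
    """Per-site sliding window with a threshold and a suppression context.

    window      seconds of history considered for the threshold
    thresh      number of DOWN events in the window that trigger a site check
    context_ttl lifetime of the SITE_DOWN_<site> context, during which further
                DOWN events from that site are suppressed as symptoms
    """

    def __init__(self, window=60, thresh=2, context_ttl=300,
                 site_check=router_is_down):
        self.window = window
        self.thresh = thresh
        self.context_ttl = context_ttl
        self.site_check = site_check
        self.recent = defaultdict(deque)   # site -> timestamps of recent DOWN events
        self.contexts = {}                 # context name -> expiry timestamp

    def _expire(self, now):
        # Drop contexts whose lifetime has run out, like SEC's context TTL.
        for name in [n for n, exp in self.contexts.items() if exp <= now]:
            del self.contexts[name]

    def feed(self, line):
        """Process one log line; return what happened to it."""
        m = HOST_DOWN.match(line)
        if not m:
            return "ignored"
        now, host, site = int(m.group(1)), m.group(2), m.group(3)
        self._expire(now)
        ctx = "SITE_DOWN_" + site
        if ctx in self.contexts:
            # Suppress rule: a live site-down context swallows the symptom.
            return "suppressed"
        q = self.recent[site]
        q.append(now)
        # Keep only events younger than the window (q is never empty here).
        while now - q[0] >= self.window:
            q.popleft()
        if len(q) < self.thresh:
            return "pass"
        # Threshold reached: reset the window and verify against the router.
        q.clear()
        if self.site_check(site):
            self.contexts[ctx] = now + self.context_ttl
            return "site_down"
        # Burst of host DOWNs but the site router answers: not a site outage.
        return "burst"


def run(lines, **kw):
    """Feed every line through a fresh correlator and collect the outcomes."""
    c = SiteCorrelator(**kw)
    return [c.feed(line) for line in lines]


if __name__ == "__main__":
    for line, outcome in zip(LOG_LINES, run(LOG_LINES)):
        print(outcome.ljust(11), line)
```

With the constructed input the two bos events ten seconds apart reach the threshold, the bos router is down, so a SITE_DOWN_bos context is created and the third bos event is suppressed; the two nyc events also reach the threshold but the nyc router is up, so they are reported as a burst rather than a site outage; the bos event at t+400 arrives after the context's 300-second lifetime and passes through as an ordinary alert. Ordering matters exactly as it does in SEC: the suppression check runs before the threshold logic, so suppressed symptoms do not feed the window.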
_______________________________________________
Simple-evcorr-users mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/simple-evcorr-users