Hi Rocky:

In message <2490B3D57700AD4BA03D09581F3DDFC9014EF4EB@GAALPA1MSGUSR9K.ITServices.sbc.com>, "MILLS, ROCKY" writes:

> This reply is not related to your notes below but I am curious about how
> (and why) you're using SEC with Nagios. Could you elaborate at a high
> level?
> I'm not very familiar with Nagios but from my reading it contains a
> lot of functionality. Doesn't Nagios support SEC-like functionality?

In the case you cite, I am doing correlation on log events that is far beyond what nagios can handle (its log analysis plugins are very simple). I have a SEC daemon running that generates security alerts into nagios for notification, escalation etc.

Unrelated to the case you cited, I also have an event broker for nagios 2 that provides better correlation of nagios events including:

  - delay clear of event until you have had 2 or more successful polls (nagios can require a certain number of failing events before going into a hard state; sec is needed for the reverse.) I never had flap detection working quite as I expected in nagios. I disabled it and used the SEC integration instead.

  - apply different alarming thresholds to a single service depending on: time of day, other external events (nagios can do some of this on its own, but it requires rewriting plugins to be time aware, or creating a different service for each set of time dependent thresholds)

  - change the severity of an event according to local requirements, or specific types of failures in other services. Nagios's whole mechanism for suppressing actions (notifications, polling) on a dependent service depends on the critical/warning state of the main service. Many plugins return critical for multiple states. Say I want to suppress a warning on service A when service B fails to respond, but not when service B exceeds a critical response time. Both of these events are critical to the operation staff and should be paged. If the plugin only has the critical state to indicate both the failure modes, nagios can't differentiate between service B not responding and service B exceeding a threshold.

    Using SEC I can differentiate between the two states and get the nuanced dependency I want. If I wanted to do that in pure nagios, I would need to run two versions of service check B (B1 and B2) where A depends only on B2 that will generate a critical only on threshold succeeded and never on "not responding". So I need to write more plugins, generate more load on the services (since both B1 and B2 will have to poll it) etc.

  - rewrite the output from a plugin into a readable form when it recognizes a particular failure mode (without having to mess with the plugin which is a nightmare of spaghetti code). (e.g. when ssh host keys change you get a line of @@@@@@@@@@@@@@@, SEC rewrites that to "host key has changed" in the nagios interface)

See also:

  https://www.usenix.org/legacy/events/lisa06/wips/rouillard.pdf
  http://www.cs.umb.edu/~rouilj/sec_nagios/nagios_sec_manual.txt

for more discussion.

Note that I haven't and do not intend to update the SEC plugin for nagios so it is little more than a historic curiosity once I get rid of my nagios 2 install at $WORK.

--
-- rouilj
John Rouillard
===========================================================================
My employers don't acknowledge my existence much less my opinions.
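Added example (not from the post above or from the SEC/Nagios plugin it mentions) showing the first correlation on the list, delaying the clear of an alert until two successful polls have been seen, as a pair of SEC rules. It assumes a constructed per-poll log line format (one line written per check result, e.g. from an OCSP command) and an assumed path for the Nagios external command file.

```sec
# Constructed input format this rule set expects, one line per poll:
#   poll host=web1 svc=HTTP state=CRITICAL msg=Connection refused
#   poll host=web1 svc=HTTP state=OK msg=HTTP OK - 200
# The external command file path below is an assumption for this example.

# Rule 1: a CRITICAL poll opens a DOWN_<host>_<svc> context and raises the
# alert right away (nagios itself can already hold off until N failures).
type=Single
ptype=RegExp
pattern=^poll host=(\S+) svc=(\S+) state=CRITICAL msg=(.*)$
desc=$1/$2 is down: $3
action=create DOWN_$1_$2; \
       write /var/log/sec-nagios-alerts.log %t %s

# Rule 2: the reverse direction. Only after two OK polls inside a 15 minute
# window, and only while the DOWN context exists, is the service declared
# recovered. A single OK in the middle of a flap therefore does not clear
# the alert. The recovery is pushed back into nagios as a passive result
# (return code 0 = OK) through the external command interface.
type=SingleWithThreshold
ptype=RegExp
pattern=^poll host=(\S+) svc=(\S+) state=OK msg=(.*)$
context=DOWN_$1_$2
desc=$1/$2 recovered after two consecutive OK polls
action=delete DOWN_$1_$2; \
       write /usr/local/nagios/var/rw/nagios.cmd \
             [%u] PROCESS_SERVICE_CHECK_RESULT;$1;$2;0;%s
window=900
thresh=2
```

OK polls for a service that was never marked down match no context and are ignored, so the threshold counter only runs while an alert is actually open.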