Interested in Nagios<->ruleCore integration?
Stanley Hopcroft
Stanley.Hopcroft at ipaustralia.gov.au
Mon Nov 17 01:33:50 CET 2003
Dear Sir,
I am writing to thank you for your letter about a very good looking and
interesting product, and say
On Wed, Nov 12, 2003 at 05:15:14PM +0100, Marco Seiriö wrote:
>
> Hi list,
>
> We have built a kind event pattern detector, or event correlation engine
> as it also could be called. It's free and you can get it under GPL from
> www.rulecore.com
>
> I have been getting a number of requests to use ruleCore together with
> Nagios. But this requires some work to make Nagios and ruleCore talk to
> each other. I don't have any experience with Nagios so I wonder if
> somebody would be interested in doing this integration.
>
Nagios is an all in one availability monitor that
1 schedules service checks (and their retries)
2 contains hardwired logic to recognise a simple subset of events based
on heuristics or 'hard coded rules' such as
event of max retries of service check exceeded
=>
hard (confirmed) state transition and state trans event processing.
In my view, it would be good for Nagios to gain an event filtering/event
correlation/event facility to as you say, 'could add to or improve the
event detection capabilities to Nagios.'
One of the significant differences of the Tivoli product is its ability
to define predicates, event filters and rules in its rule processing
core (based on Prolog I believe).
This is advantageous because
. the event processing framework is non-procedural; the engine
establishes a predicate based on its definition and the events that have
been input. There is simply no need for a whole bunch of cases to deal
with sequencing.
. conclusions can be drawn about business systems based on the event
stream. This is a significant facility because it provides the potential
of
- a business view instead of or as well as a system view
- the ability to make decisions or conclusions based on best practise
rules. This instantly puts ones subject expertise to much greater use:
it can be used in the core of the monitor instead of your being asked or
having to do it yourself.
Unfortunately, I am not the Nag developer and am therefore speaking for
myself only.
However, there exists this (dumb) path to integration of RuleCore and or
Sec event processing and correlation, that allows the two to coexist
unchanged at the expense of having two products and clumbsier
processing.
1 Nagios acts as an event source to RuleCore (and or Sec); Nagios
schedules system and element checks and on _its_ detection of a hard
state, informs RuleCore via the Nagios notification or event handler
mechanism (to push the event of a hard state change somehow into
RuleCore).
2 Nagios defines passive service checks corresponding to the inferences
or conclusions about business systems and or cloned services that will
be processed by RuleCore.
3 RuleCore processes the Nagios events and any other events (from other
eevent sources such as trap handlers) then submits passive service check
results to Nag.
This is advantageous in that both products are unchanged. It is
suboptimal in that
- RuleCore cannot comment on element failures (that are related to other
events such as congestion) unless that event is passed to RuleCore.
- The IPC is via whatever the host supports and could be slow or
suboptimal
- Event correlation can only be done on hard state changes; Nagios event
processing cannot be expedited or altered by the conclusions that
RuleCore may already be able to make through its use of event filters,
correlation and or rules - this is simply another way of writing the
first point.
> What I understand from the requests I have received, ruleCore could add or
> improve the event detection capabilities to Nagios. But this I suppose you
> would know much more about ;)
>
> We can ofcourse help out with ruleCore specific changes or additions if
> just somebody tells us what to do.
>
Unfortunately I am not the person to do this. I am very grateful for
your work and thank you for the offer.
Good luck with what looks like a good product.
> /Marco
>
Yours sincerely.
--
------------------------------------------------------------------------
Stanley Hopcroft
------------------------------------------------------------------------
'...No man is an island, entire of itself; every man is a piece of the
continent, a part of the main. If a clod be washed away by the sea,
Europe is the less, as well as if a promontory were, as well as if a
manor of thy friend's or of thine own were. Any man's death diminishes
me, because I am involved in mankind; and therefore never send to know
for whom the bell tolls; it tolls for thee...'
from Meditation 17, J Donne.
-------------------------------------------------------
This SF. Net email is sponsored by: GoToMyPC
GoToMyPC is the fast, easy and secure way to access your computer from
any Web browser or wireless device. Click here to Try it Free!
https://www.gotomypc.com/tr/OSDN/AW/Q4_2003/t/g22lp?Target=mm/g22lp.tmpl
More information about the Developers
mailing list