NSClient 1.0.8.0 Released Now: Monitoring NT event logs with Snare/Backlog, Swatch and passive checks.
Dean Bishop
dbishop at ehvert.com
Fri May 9 14:27:41 CEST 2003
Good morning,
I remember posting this to the list a while ago, I will go back and
dig it up again and post to the FAQ. I have made a couple of minor changes
since then.
You are correct in that swatch doesn't really take much in the way
of resources, but there are two other places where I see deficiencies in the
plan.
1) The syslog file. This is not so much in disk space, since it can be cleared
at any regular interval because it is used in near-real-time, but rather in
disk activity. I am running this on an old dual P-II 350 with a RAID 5 made
of old slow disks and this can be overwhelming with 150 servers dumping
every event to it.
2) Network traffic. This could actually be considered three deficiencies
because this setup increases the overall network traffic as well as the
traffic emanating from the servers, therefore stealing bandwidth from
their NICs. Not to mention the amount of traffic hitting the NIC on the
Nagios server.
Even if the filtering was done on the Windows servers it would be a huge
improvement. Then the only thing for the Nagios box to do is clean up and
format the eventlog messages and send them to the external command file.
This would solve both of the aforementioned deficiencies.
As for the effect on Nagios' external command file, there is little. Most
of the events are not important to the site (logon failures, print
notifications, SMS errors, other bunk) so they never get formatted or sent
to the external command file.
I have inadvertently sent all messages to the external command file and
Nagios (I think I was still running a beta version) stood up well. There
were roughly 3-5 events per second. Thank goodness for sendmail limits.
Regards,
dean
-----Original Message-----
From: Stanley Hopcroft [mailto:Stanley.Hopcroft at IPAustralia.Gov.AU]
Sent: May 9, 2003 5:47 AM
To: Dean Bishop
Cc: nagios-users at lists.sourceforge.net
Subject: Was: NSClient 1.0.8.0 Released Now: Monitoring NT event logs with
Snare/Backlog, Swatch and passive checks.
Dear Sir,
You may wish to submit a Nag FAQ about this clever and effective
way of monitoring NT event logs.
On Thu, May 08, 2003 at 11:23:14AM -0400, Dean Bishop wrote:
> Good morning,
>
> I just had to set up a site with nagios monitoring eventlogs on
> windows servers. I did this by installing the BackLog service on each of
> the windows servers configured to send all events to the nagios box. The
> nagios box acted as a syslog server. I then configured swatch to watch for
> specific things (e.g. certain events AND certain servername). Upon finding
> such an instance in the syslog file swatch executed a perl script which
> formatted the event message, added the rest of the items necessary for a
> nagios external command, and then pushed it into the nagios external command
> file.
>
> dean
>
I take your point about scalability although surely swatch doesn't use
much, does it?
Is the problem with Swatch/Perl, or Nag being hammered via the command
queue?
If that is the case you may be interested in the performance
enhancements planned for Nag 2.0; otherwise, it may be possible to
turbo charge swatch by embedding a Perl interpreter in a C program (and
have that execute the Swatch logic).
Yours sincerely.
--
------------------------------------------------------------------------
Stanley Hopcroft
------------------------------------------------------------------------
'...No man is an island, entire of itself; every man is a piece of the
continent, a part of the main. If a clod be washed away by the sea,
Europe is the less, as well as if a promontory were, as well as if a
manor of thy friend's or of thine own were. Any man's death diminishes
me, because I am involved in mankind; and therefore never send to know
for whom the bell tolls; it tolls for thee...'
from Meditation 17, J Donne.
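
The filter-and-format step described in this thread, as an added example that is not part of the original messages and not the Perl script used at the site: it matches "certain events AND certain servername" and builds a Nagios `PROCESS_SERVICE_CHECK_RESULT` line, stripping control characters so event text cannot break the one-command-per-line format. The syslog layout, rule patterns, host names and service names are assumptions, and the sample lines are constructed.

```python
import re
import time

# Hypothetical watch rules: (host pattern, event pattern, Nagios service, return code).
RULES = [
    (re.compile(r"^srv-db\d+$"), re.compile(r"MSSQLSERVER.*\berror\b", re.I), "EventLog-SQL", 2),
    (re.compile(r"^srv-"), re.compile(r"disk is at or near capacity", re.I), "EventLog-Disk", 1),
]

# Assumed classic syslog layout: "Mon DD HH:MM:SS host message".
SYSLOG_RE = re.compile(r"^\w{3}\s+\d+\s+[\d:]{8}\s+(\S+)\s+(.*)$")


def clean(text, limit=256):
    """Replace control characters (CR, LF, tabs, ...), collapse spaces, truncate."""
    return " ".join(re.sub(r"[\x00-\x1f\x7f]", " ", text).split())[:limit]


def to_external_command(line, now=None):
    """Return one external command line for a matching event, else None."""
    m = SYSLOG_RE.match(line.rstrip("\n"))
    if not m:
        return None
    host, message = m.groups()
    # A ';' in the host field would shift the command's fields, so reject it.
    if not re.fullmatch(r"[A-Za-z0-9._-]+", host):
        return None
    for host_re, event_re, service, code in RULES:
        if host_re.search(host) and event_re.search(message):
            ts = int(now if now is not None else time.time())
            return f"[{ts}] PROCESS_SERVICE_CHECK_RESULT;{host};{service};{code};{clean(message)}\n"
    return None


def process(lines, now=None):
    return [cmd for cmd in (to_external_command(l, now) for l in lines) if cmd]


# Constructed sample input (not real BackLog output).
SAMPLE = [
    "May  9 09:14:02 srv-db01 MSSQLSERVER[17055]: Error: backup\tfailed\r",
    "May  9 09:14:03 srv-web02 Security[529]: Logon failure for user guest",
    "May  9 09:14:05 srv-file03 Srv[2013]: The C: disk is at or near capacity.",
    "May  9 09:14:06 bad;host MSSQLSERVER: error",
]

if __name__ == "__main__":
    print("".join(process(SAMPLE)), end="")
```

In a deployment each returned line would be appended to the Nagios external command file; only the two matching events out of the four sample lines reach it.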