Re: mon monitor for arpwatch?

On 6/14/2011 1:10 PM, Chris Hoogendyk wrote:
> This stuff is supposed to just work. Like mon. And arpwatch
> has been around forever.
> 
> So, I'm wondering if anyone has put together a mon monitor that can
> mediate the notifications from arpwatch. I'm using arpwatch-NG1.7.
> 

I don't, but I have been working on a monitor to check the arp table of
hosts and report anomalies.

Anyone interested?

--

-- 
Sincerely,

Nathan Gibbs

Systems Administrator
Christ Media
http://www.cmpublishers.com

Re: mon monitor for arpwatch?

On 7/1/11 12:46 PM, Nathan Gibbs wrote:
> On 6/14/2011 1:10 PM, Chris Hoogendyk wrote:
>> This stuff is supposed to just work. Like mon. And arpwatch
>> has been around forever.
>>
>> So, I'm wondering if anyone has put together a mon monitor that can
>> mediate the notifications from arpwatch. I'm using arpwatch-NG1.7.
>>
> I don't, but I have been working on a monitor to check the arp table of
> hosts and report anomalies.
>
> Anyone interested?

Yes.

A bit more control over reporting frequency and what is reported would be very good. Arpwatch 
produces an overload and makes it hard to use on a busy network since it is constantly shouting 
about things. If you can recognize that some particular hardware address was already reported for a 
particular behavior and not continue hollering about it, that would make it more valuable -- i.e. 
increase the signal to noise ratio. Any other correlation or diagnostic stuff would be good as well.

--

-- 
---------------

Chris Hoogendyk

-
    O__  ---- Systems Administrator
   c/ /'_ --- Biology&  Geology Departments

Re: mon monitor for arpwatch?

On 7/5/2011 12:00 PM, Chris Hoogendyk wrote:
> 
> 
> On 7/1/11 12:46 PM, Nathan Gibbs wrote:
>> On 6/14/2011 1:10 PM, Chris Hoogendyk wrote:
>>> This stuff is supposed to just work. Like mon. And arpwatch
>>> has been around forever.
>>>
>>> So, I'm wondering if anyone has put together a mon monitor that can
>>> mediate the notifications from arpwatch. I'm using arpwatch-NG1.7.
>>>
>> I don't, but I have been working on a monitor to check the arp table of
>> hosts and report anomalies.
>>
>> Anyone interested?
> 
> Yes.
> 

OK, other things are slowing down my development efforts right now, but
I will get it done.

> A bit more control over reporting frequency and what is reported would
> be very good. Arpwatch produces an overload and makes it hard to use on
> a busy network since it is constantly shouting about things. If you can
> recognize that some particular hardware address was already reported for
> a particular behavior and not continue hollering about it, that would
> make it more valuable -- i.e. increase the signal to noise ratio. Any
> other correlation or diagnostic stuff would be good as well.
> 

Infocon monitor

http://isc.sans.org/diary.html?date=2011-06-26

for nagios

Now we have one too.


http://www.cmpublishers.com/oss/#infocon.monitor

--

-- 
Sincerely,

Nathan Gibbs

Systems Administrator
Christ Media
http://www.cmpublishers.com

_______________________________________________
mon mailing list
mon <at> linux.kernel.org
http://linux.kernel.org/mailman/listinfo/mon

http.monitor IPv6 version

Does anyone use http.monitor IPv6 version? I tried to modify original one
to use "use Socket6;", but it is hard for me. Any help will be appreciated.

Running a task once a day, at given time

Hello, this is my requirement: I want to run a monitor exactly once
per day, around 4am. If the monitor fails, I want to get exactly one
alert; if it succeeds, nothing should happen.

This is what I've tried so far:

watch myserver
        service testservice
                description Test for monitoring once per day
                interval 5m
                exclude_period hr {5-23} min {0-59}, hr {0-3} min
{0-59}, hr {4} min {5-59}
                monitor testservice.monitor
                period wd {Mon-Sun}
                        alert mail.alert alerts <at> example.com

Currently, "testservice.monitor" is a dummy script that always returns failure.

I figured that leaving a 5-minute window for the monitor to run, it
would run exactly once during that 5-minute window. However, it
doesn't seem to work that way as I get no email.

I also though of using "interval 1d", but there doesn't seem to be a
way to specify when, during the day, the monitor should run, so I
suppose that would just take the time the daemon is started as the
start of the period, which isn't what I want since I may restart or
stop/start the daemon at different times for different reasons.

Ideas? Thanks.

Defunct children after sending alert

_______________________________________________
mon mailing list
mon <at> linux.kernel.org
http://linux.kernel.org/mailman/listinfo/mon

Re: Defunct children after sending alert

On Tue, 19 Jul 2011, Giampaolo Rodolà wrote:

> By digging into commit history I found this:
> http://www.mail-archive.com/mon <at> linux.kernel.org/msg00828.html
> ...so I picked up latest development version from
> https://mon.wiki.kernel.org/index.php/Development and replaced the main mon
> executable but that didn't fix the problem.

let me know if the attached patch helps. watch the syslog "info"
output for "master alert pid", "child alert pid", and "reaped pid".
there should be one "reaped pid" for every "alert pid", assuming all
alert processes are exiting properly.

if that doesn't help, send a process tree output showing the zombies so
i can see whose zombies they are, actually.

Index: mon
===================================================================
RCS file: /cvsroot/mon/mon/mon,v
retrieving revision 1.27
diff -u -r1.27 mon
--- mon	20 Jun 2011 17:26:25 -0000	1.27
+++ mon	19 Jul 2011 11:54:30 -0000
 <at>  <at>  -3223,11 +3223,14  <at>  <at> 
     my ($summary, $tmnow, $buf);
 
     $tmnow = time;
-    return if (keys %running == 0);
 
     while ((my $p = waitpid (-1, &WNOHANG)) >0)
     {
-	next if (!exists $runningpid{$p});
+	if (!exists $runningpid{$p})
+	{
+	    syslog ("info", "reaped pid $p");
+	    next;
+	}
 	my ($group, $service) = split (/\//, $runningpid{$p});
 	my $sref = \%{$watch{$group}->{$service}};
 
 <at>  <at>  -5018,12 +5021,14  <at>  <at> 
     my $pid;
     if ($pid = fork()) {  ## Master
 	# Do Nothing
+	syslog ("info", "master alert pid $pid");
     } elsif (defined($pid)) { ## Child
 	my $pid = open (ALERT, "|-");
 	if (!defined $pid) {
 	    syslog ('err', "could not fork: $!");
 	    return undef;
 	}
+	syslog ("info", "child alert pid $pid");
 
 	#
 	# grandchild, the actual alert

_______________________________________________
mon mailing list
mon <at> linux.kernel.org
http://linux.kernel.org/mailman/listinfo/mon

Re: Defunct children after sending alert

_______________________________________________
mon mailing list
mon <at> linux.kernel.org
http://linux.kernel.org/mailman/listinfo/mon

Syslog problems

Hi, I'm using the stable mon-1.2.0-1 under Ubuntu 11.04 (Perl 5.10.1), and I
noticed that mon wasn't logging anything at all in syslog. Further
inspection revealed that the problem seems to be in the redefined syslog()
function:

no warnings; # Redefining syslog
sub syslog {
   eval {
       local $SIG{"__DIE__"}= sub { }; 
       my  <at> log = map { s/\%//mg; }  <at> _;
       Sys::Syslog::syslog( <at> log);
   }
}

since $_ is aliased in a map {} block, when the function is passed constant
strings, the map {} on  <at> _ fails with a "modification of a read-only value
attempted". However this is not apparent, not even in debug mode, since it
happens inside the eval{} block.

Suggested change (for example):

no warnings; # Redefining syslog
sub syslog {
   eval {
       local $SIG{"__DIE__"}= sub { };
       my  <at> log =  <at> _;
       s/\%//mg for ( <at> log);
       Sys::Syslog::syslog( <at> log);
   }
}

Regards,

--

-- 
D.