takizo, not takezo » nms

Install and Configure Thold on Cacti

takizo — Fri, 21 Aug 2009 11:51:14 +0000

There are a bunch of Cacti’s plugins which can do better monitoring. One of the recommended and popular plugin for Cacti is Thold. Thold is a plugin to monitor bandwidth usage and trigger an alert when it reaches the threshold. Plugin Architecture needs to be installed in order to activate it on Cacti.

Let’s start the installation and configuration.

Backup Your Cacti Files

Plugin Architecture will make some changes on some Cacti file, it’s recommend to backup Cacti’s core file before install Plugin Architecture. If Cacti application is monitoring thousand of routers, It’s advices not to backup RRA/RRD files together. Backing up RRA/RRD file will take up a lot of disk space and it’s time consuming. Log file folder can be excluded as well, since only the core files need to be backup.

Take /usr/local/share/cacti as the example of the located Cacti’s files, lets backup Cacti’s core files without RRA/RRD and log files;


cd /usr/local/share
tar -vzcf cacti-backup.tar.gz --exclude=cacti/rra/* --exclude=cacti/log/* cacti

After backup has been done, Plugin Architecture installation is ready to roll.

Install Cacti Plugin Architecture

Cacti Plugin Architecture can be downloaded from cactiusers.org. Documentation of Cacti Plugin Architecture installation is available on Cacti Users’ documentation wiki.

Install and Configure Thold Plugin

Refer to Cacti’s plugin installation, before installing Thold plugin, Settings plugin is needed for Thold plugin. Both of the plugin is available on Cacti Users website.

Make sure Thold plugin has been activated on include/global.php. Installation has been done, but Thold setting on is not show Cacti’s Setting page? Permission needs to be granted before Thold setting is shown on Setting panel. To do so, go to User Management, and select your username. On Realm permission, make sure Plugin Management is check.

Now Thold tab should be shown on Cacti’s Setting panel.

Detect DDoS Source & Destination IP Address with OURMON

takizo — Thu, 26 Jun 2008 09:00:32 +0000

We have OURMON running on one of network segment for quite some time, it is very helpful and resourceful when DDoS attack happened, especially to help our customer to find out which destination is targeted on the attack and from which sources. Below is the graph that we previously captured while running OURMON version 2.70.

OURMON Version 2.81

On the recent released of OURMON, the topn graphs didn’t show the traffic by Mbit/s instead of bit/s. The long no. is confusing when the NOC engineer is doing the monitoring(minimal 7 digits will show up). I have made some changes on omupdate.pl, one of OURMON script that generate html static page, to show extra value – Mbit/s. Our current OURMON graph looks something like below;

Below will show you how to add extra Mbit/s value on your OURMON Topn section;

edit omupdate.pl file

vi /usr/local/mrourmon/bin/omupdate.pl

On line 3137, add the code looks like below;


my $uappf = $items[$i+2];       # old hw app flags
my $uappl = $items[$i+3];       # app lower case
my $uapph = $items[$i+4];       # app upper case
my $bps = int(($items[$i+1] * 8)/30);
my $mbps = sprintf("%.2f", ($bps/1024)/1024); # convert bits to mbits
my $uaf = get_appflag($uappf, $uappl, $uapph);

this line of code my $mbps = sprintf(“%.2f”, ($bps/1024)/1024); is to declare the new variable $mbps and convert the bit/s value to Mbit/s by dividing 1024*1024.

Next is to display the value on the page, do something on line of code 3146;


"bits/sec: $bps, Mbits/sec: $mbps, "

Done, wait for a few second for the web page to refresh with extra Mbit/s value. Btw, you can remove bit/s if you want to, to save some extra space

OURMON Installation and Configuration on FreeBSD 7 with Multi-threading Support

psyber.monkey — Wed, 25 Jun 2008 15:57:38 +0000

OURMON is popular known as open source Network Monitoring and Anomaly Detection System. It’s very useful for a web hosting provider or Internet Service Provider to study their network behavior and detection for any network attack such as DoS or DDoS.

Beside study your network behavior, it also can analyze your network protocols activities, tcp w0rm activity, p2p activity and etc.

Here is the step by step OURMON installation and configuration on FreeBSD with multi-threading support.

OUR source package can be downloaded on official sourceforget download page. I strongly suggest that do not install OURMON from port (due to the update on the package is quite slow), but before proceed on OURMON source install, there are several dependencies need to be installed;

PCRE

cd /usr/ports/devel/pcre && make install clean distclean

libpcap

cd /usr/ports/net/libpcap && make install clean distclean

RRDTool

cd /usr/ports/databases/rrdtool && make install clean distclean

Apache Web Server

cd /usr/ports/www/apache20 && make install clean distclean

OURMON Installation and Configuration

After above dependencies has been installed, now we proceed with OURMON installation and configuration;

untar yor ourmon package and your will see a folder name mrourmon. Copy the folder to /usr/local;

cp -rf mrourmon /usr/local/

In order to enable multi-threading support, there are some changes need to be made on your OURMON’s Makefile.

cd /usr/local/mrourmon/src/ourmon
vi Makefile.bsd

On line 27 and 30, uncomment the line which look like below;

CFLAGS=-O4 -DBSD -DTHREAD
LFLAGS=-O4 -static -DTHREAD

Also on line 18, change the BINDDIR to the directory that we are going to install ourmon;

BINDIR=/usr/local/mrourmon/bin

After that, save the file and we are ready to roll, go to OURMON root directory and run configure.pl for installation;

cd /usr/local/mrourmon
./configure

Follow the on screen guide to go through the installation, after ourmon is install, we are ready to fire it up… But there are minor changes need to be made in order to support multi-threading. Open up ourmon start up file and make the below changes;

vi /usr/local/etc/rc.d/ourmon.sh

On line 11, add extra argument (-T 2 ) into OURMON launch command and it will look like this;

/usr/local/mrourmon/bin/ourmon -T 2 -a 30 -s 256 -f /usr/local/mrourmon/etc/ourmon.conf -i bce1 -D /usr/local/mrourmon/tmp &

the argument -T 2 is to spawn 2 ourmon processes, if you have more processor on your server, you might want to add more; after that monitor on your server load, see whether it will crash your server or not

Run top command and monitor on your server load.

Apache Configuration

By default, OURMON web html files are located at /usr/local/www/data/ourmon, we suggest that you setup virtualhost to access to OURMON from your web browser;

NameVirtualHost *:80

ServerAdmin sysadm@systems.takizo.com
ServerName ourmon.systems.takizo.com

DocumentRoot /usr/local/mrourmon/web.pages

AllowOverride All
Order Deny,Allow
Deny from all
Allow from 202.188.1.5 # only allow authorized IP Address to access your OURMON.

ErrorLog /var/log/ourmon-error_log
CustomLog /var/log/ourmon-access_log common

You might also interest to change the viewing of OURMON site at your own convenience at /usr/local/www/data/ourmon/index.html, remember to make a copy before you make any changes.

Below are some graph that shown on our OURMON page;

updated : 19/10/2008

1. when start ourmon with “/usr/local/etc/rc.d/ourmon.sh start” return error :

sysctl: unknown oid ‘debug.bpf_bufsize’
sysctl: unknown oid ‘debug.bpf_maxbufsize’

change “sysctl -w debug.bpf_bufsize=8388608″ & “sysctl -w debug.bpf_maxbufsize=8388608″ in /usr/local/etc/rc.d/ourmon.sh to “sysctl -w net.bpf.bufsize=8388608″ & “sysctl -w net.bpf.maxbufsize=8388608″ to solve the error.

2. should the promicuous interface not picking up any traffic, bring it down (e.g. ifconfig rl0 down) and bring it up (ifconfig rl0 up) again should do the trick. Use tcpdump -i rl0 to see if it see any traffice.