Daily/weekly/monthly output aggregation

Damian Gerow damian at sentex.net
Mon Nov 17 13:09:53 PST 2003


Thus spake Marty Landman (MLandman at face2interface.com) [17/11/03 15:57]:
> As a developer I'd like to throw my 2 cents in; although this stmt may come 
> as no news to anyone else imho the issue is what to parse out as 
> significant. With the underlined caveat that once you make (what's in 
> essence then) a policy decision about what system output is significant 
> enough to pass along to the admin as worthy of review the danger is in 
> everything that /isn't/ passed along.

Developer input is what I need at this point -- I have done development work
in the past, but I very quickly moved into sysadmin work.

> At least now you've got the gnawing feeling that you're behind in reading 
> the stuff; once you implement a system to decide what's worth reading 

I put 'read' in quotes, because I usually give each one a ten-second
once-over.  75% of the time, that's good enough, but I have missed more than
a couple of problems that I shouldn't have.

> you've gotten rid of that guilt pang. Should that evolve into a sense of 
> false security - well I can only speculate how many server crashes could've 
> been avoided if not for feelings of false security.

Being security-concious, this is a big concern.  Hence, my paper-napkin
draft of what needs to be done:

Everything gets stored in a SQL database, since it is the cure to any and
every computing problem that has ever been introduced.

Store a table of hostnames, and whether or not they are active.  When we run
the report generator, we can check to see if a hostname did *not* check in.
If not, we send an alert.

Each report is mailed to an address, that pipes the message to a program.
This program would break each report down into its already-labelled
sections, and store it *verbatim* in the database.  This makes looking up
past reports much, much easier.

The report generator would be run via a cron job.  The idea at this point is
to:

    - make sure all currently active servers have checked in, with the
      appropriate reports
    - detect any new servers that checked in
    - do, essentially, a diff against today and yesterday for each host
      (also do a diff against today and last week, when necessary)
    - if no changes, pring a 'Host OK' status
    - otherwise, print a line for every change.

The output of this would be one e-mail, that would be sent out however you
want it to be sent out.

I already have bigger ideas for this (i.e. paging if more that 'root/toor'
found with userid zero, paging if known hosts did not check in/unknown hosts
did check in, collision/error rate jumps too high, etc.), but I'd like to
avoid feature creap for now.

Any thoughts/suggestions/comments?


More information about the freebsd-isp mailing list