27-Mar-2012: initial release.
To monitor your server you can choose from many daemons and applications. You can do simple monitoring, monitor nothing at all, or build a very complex setup. Some solutions are networked and run distributed; others run on one server only. Whether and how much you monitor depends on your own needs and on what spare resources your server has available, because every solution costs some memory and CPU power.
I have used several programs and combinations, but only a few from what is available, so this article is far from complete and will never be complete. The next table shows some monitoring programs and what they roughly can do.
| Monitor hardware | Monitor Processes | Monitor Services | Intrusion Detection | Can send Alerts | Data History |
None of these programs can do everything, so you have to use some of them together to cover all your needs. Here is a short description of these programs.
The net-snmp package monitors the OS and hardware. Using the Simple Network Management Protocol you can retrieve data from any computer that runs some form of SNMP agent. How to get data about network cards, system information and disks is well defined in so-called MIBs, and the protocol is well supported on all operating systems. SNMP agents can be configured to send alert messages, called traps, to a central server. Things that SNMP can monitor include disk space, running processes, system load and logfiles.
Nagios is a complete IT infrastructure monitoring system that uses its own internal protocol to talk to other Nagios clients. It can also use SNMP for clients on which you cannot install Nagios. It checks services rather than just processes: when it checks a web service, it actually fetches a web page, so anything broken on your server that prevents the requested page from being served shows up as an error. This is better than watching the needed processes, because a process sitting in memory is no guarantee that it is doing anything.
Nagios can also be configured with dependencies, so server C can depend on server B, which in turn depends on server A. If server B goes down, Nagios stops checking server C because it can no longer reach that server. In such situations you only get alert messages about the real problems.
Alert messages can be sent via email or SMS. Who receives them, and when and where they are sent, can be configured in a wide variety of ways.
OSSEC is a host-based intrusion detection system. It can use remote agents and can perform actions on whichever host you choose. In our home server setup with virtual client servers, you can run the main OSSEC on the home server, watch intrusion attempts on the web server, and close the firewall for the attacker on the gateway server. OSSEC works by monitoring logfiles in real time.
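As an added example (not from the original article and not a file shipped by the OSSEC project), the ossec.conf fragment below on the OSSEC server wires up the split described above: an alert raised from the web server's logs triggers the firewall-drop response on the gateway agent instead of on the host where the attempt was seen. The gateway's agent id 002, the rule level 6 and the 600 second block time are assumptions for this illustration.

```xml
<ossec_config>
  <!-- Server side (home server). The web server runs an OSSEC agent that
       forwards its web and auth logs here; rules are evaluated centrally. -->

  <!-- The response command: firewall-drop.sh ships with OSSEC and adds a
       drop rule for the offending source address on whatever agent runs it. -->
  <command>
    <name>firewall-drop</name>
    <executable>firewall-drop.sh</executable>
    <expect>srcip</expect>
    <timeout_allowed>yes</timeout_allowed>
  </command>

  <!-- Run firewall-drop on the gateway agent (assumed id 002), not on the
       web server, so the attacker is cut off from the whole network.
       Any alert of level 6 or higher triggers it; the block is lifted
       after 600 seconds so a spoofed or shared source is not blocked forever. -->
  <active-response>
    <command>firewall-drop</command>
    <location>defined-agent</location>
    <agent_id>002</agent_id>
    <level>6</level>
    <timeout>600</timeout>
  </active-response>
</ossec_config>
```

Check which alerts actually fire with the chosen level before enabling the response, since a level that is too low turns a noisy log into self-inflicted denial of service on the gateway.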
Fail2ban is an intrusion detection system too, but it watches and acts on one system only. If it closes the firewall on your web server, the other servers are still reachable for the attacker. It is possible to make it use the firewall on the gateway, but you have to create security holes to do that, simply because you must execute scripts on remote servers. Simply said, on a single server it works just fine, but in my opinion it's not suitable to protect a network.
Cacti is not a real monitoring solution; it only makes nice graphs of your systems' usage. On the local system it can get information directly from the OS; from remote systems it gets the data using SNMP. It needs MySQL to store its configuration.
Munin is a networked resource monitoring tool that can help analyze resource trends and “what just happened to kill our performance?” problems. Munin uses a monitoring host and clients. It is possible to send alerts via Nagios.
For our home server I selected to use Nagios and Munin to monitor the server, the virtual servers and some external equipment like an ADSL modem and a Linksys wireless router. With Nagios I also monitor some remote servers. OSSEC is installed to detect intrusion attempts and block attackers by dynamically making changes to the firewall on the gateway server.