so, I have a number of routers and switches. I want to graph interface utilization and errors for them.
What is the best way to do that?
-- Stewart
The revolution will not be televised. The revolution will be no re-run brothers; The revolution will be live.
Hi all
Hoping somebody has encountered this before. We have put BBWin on a few Windoze servers, but one of them, a DC, has a HUGE event log. So large, that hobbit is freaking out, and doing the "Data flooding from 1.2.3.4, closing connection" thing.
I know this is hobbit protecting itself from a DOS attack, but is there a way around this? Can I somehow tell hobbit not to do this for that IP address?
Unfortunately, because of its function, we can't reduce the logging on the Windoze server, so we need to either a) get hobbit to handle the problem (desirable solution) b) get bbwin to truncate the event log (less desirable)
Anybody seen this problem before? Any ideas?
Regards Vernon
NOTICE: This email and any attachments are confidential. They may contain legally privileged information or copyright material. You must not read, copy, use or disclose them without authorisation. If you are not an intended recipient, please contact us at once by return email and then delete both messages and all attachments.
On Fri, Apr 18, 2008 at 09:03:56AM +0800, Everett, Vernon wrote:
Hoping somebody has encountered this before. We have put BBWin on a few Windoze servers, but one of them, a DC, has a HUGE event log. So large, that hobbit is freaking out, and doing the "Data flooding from 1.2.3.4, closing connection" thing.
I know this is hobbit protecting itself from a DOS attack, but is there a way around this? Can I somehow tell hobbit not to do this for that IP address?
No.
Unfortunately, because of its function, we can't reduce the logging on the Windoze server, so we need to either a) get hobbit to handle the problem (desirable solution)
The only way to do that would be to change the MAX_HOBBIT_INBUFSZ definition in hobbitd/hobbitd.c. It is currently 10 MB:
/*
 * The absolute maximum size we'll grow our buffers to accommodate an
 * incoming message.
 * This is really just an upper bound to squash the bad guys trying to
 * data-flood us.
 */
#define MAX_HOBBIT_INBUFSZ (10*1024*1024)   /* 10 MB */
Regards, Henrik
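As an added illustration of the bound Henrik describes (example code written for this thread, not hobbitd's own source), here is a reader that grows its input buffer geometrically but never past a hard cap, and treats a sender that keeps going past the cap as flooding: the partial message is dropped and the caller is told to close the connection. MAX_HOBBIT_INBUFSZ is the only name taken from hobbitd; read_bounded_message, feed_message and the MSG_* codes are this example's own, and the temporary file in feed_message stands in for a client socket.

```c
/* Added example (not hobbit's own code): read one message from a file
 * descriptor into a buffer that grows geometrically but never past a hard
 * cap, mirroring how hobbitd uses MAX_HOBBIT_INBUFSZ to stop data-flooding.
 * Only MAX_HOBBIT_INBUFSZ comes from hobbitd; every other name is this
 * example's own. */
#ifndef _POSIX_C_SOURCE
#define _POSIX_C_SOURCE 200809L
#endif
#include <errno.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>

#define MAX_HOBBIT_INBUFSZ (10*1024*1024)   /* 10 MB, hobbitd's value */

/* Outcomes of read_bounded_message(). */
enum { MSG_OK = 0, MSG_FLOOD = 1, MSG_IOERR = 2 };

/*
 * Read from fd until EOF into a malloc'ed, NUL-terminated buffer (*out).
 * The buffer doubles as needed but is clamped at maxsz payload bytes; a
 * sender that keeps going past that is treated as flooding: the partial
 * message is discarded and MSG_FLOOD returned, so a peer cannot make us
 * allocate without bound.
 */
int read_bounded_message(int fd, size_t maxsz, char **out, size_t *outlen)
{
    size_t cap = maxsz < 4096 ? maxsz : 4096;   /* initial size, never > cap */
    size_t len = 0;
    char *buf = malloc(cap + 1);
    *out = NULL; *outlen = 0;
    if (!buf) return MSG_IOERR;

    for (;;) {
        if (len == cap) {
            if (cap >= maxsz) {
                /* Buffer is at the hard cap. Probe one more byte: EOF here
                 * means the message fit exactly; any data means flooding. */
                char probe;
                ssize_t p = read(fd, &probe, 1);
                if (p == 0) break;
                if (p < 0 && errno == EINTR) continue;
                free(buf);
                return p > 0 ? MSG_FLOOD : MSG_IOERR;
            }
            size_t ncap = cap * 2;
            if (ncap > maxsz) ncap = maxsz;     /* clamp growth to the cap */
            char *nbuf = realloc(buf, ncap + 1);
            if (!nbuf) { free(buf); return MSG_IOERR; }
            buf = nbuf; cap = ncap;
        }
        ssize_t n = read(fd, buf + len, cap - len);
        if (n < 0) {
            if (errno == EINTR) continue;
            free(buf); return MSG_IOERR;
        }
        if (n == 0) break;                      /* EOF: sender is done */
        len += (size_t)n;
    }
    buf[len] = '\0';
    *out = buf; *outlen = len;
    return MSG_OK;
}

/*
 * Demonstration helper: push nbytes of filler through a temporary file
 * (standing in for a client socket) and report what read_bounded_message()
 * decides under the cap maxsz.
 */
int feed_message(size_t nbytes, size_t maxsz)
{
    FILE *tf = tmpfile();
    if (!tf) return MSG_IOERR;
    char chunk[4096];
    memset(chunk, 'x', sizeof chunk);
    for (size_t left = nbytes; left > 0; ) {
        size_t w = left < sizeof chunk ? left : sizeof chunk;
        if (fwrite(chunk, 1, w, tf) != w) { fclose(tf); return MSG_IOERR; }
        left -= w;
    }
    fflush(tf);
    rewind(tf);                 /* fd offset is back at 0 after the flush */
    char *msg; size_t len;
    int rc = read_bounded_message(fileno(tf), maxsz, &msg, &len);
    fclose(tf);
    free(msg);                  /* msg is NULL on the flood path; free(NULL) is fine */
    return rc;
}

int main(void)
{
    printf("100 KB under a 10 MB cap: %s\n",
           feed_message(100 * 1024, MAX_HOBBIT_INBUFSZ) == MSG_OK ? "accepted" : "rejected");
    printf("12 MB under a 10 MB cap:  %s\n",
           feed_message(12 * 1024 * 1024, MAX_HOBBIT_INBUFSZ) == MSG_FLOOD
               ? "data flooding, dropped" : "accepted");
    return 0;
}
```

Two points the code makes concrete: the cap bounds what one sender can force the daemon to hold per message, so raising MAX_HOBBIT_INBUFSZ as Henrik suggests raises that per-connection exposure in the same proportion; and the oversized message is discarded rather than truncated, so a peer that trips the limit gets nothing delivered, which is the behaviour Vernon sees as the closed connection.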
Hello Vernon,
2008/4/18, Everett, Vernon <Vernon.Everett at woodside.com.au>:
Hoping somebody has encountered this before. We have put BBWin on a few Windoze servers, but one of them, a DC, has a HUGE event log. So large, that hobbit is freaking out, and doing the "Data flooding from 1.2.3.4, closing connection" thing.
I know this is hobbit protecting itself from a DOS attack, but is there a way around this? Can I somehow tell hobbit not to do this for that IP address?
Unfortunately, because of its function, we can't reduce the logging on the Windoze server, so we need to either a) get hobbit to handle the problem (desirable solution) b) get bbwin to truncate the event log (less desirable)
Do you use the central or local mode of BBWin?
Depending on the mode you use, you may add ignore rules in your BBWin.cfg (local mode) or client-local.cfg (win32 section) on the hobbit server.
Example for local mode in BBWin.cfg:
<ignore logfile="Application" type="Error" eventid="2001" />
Example for central mode in client-local.cfg:
[win32]
eventlog:application ignore 2001
-- Etienne GRIGNON
Hi Ettienne
This sounds like a good plan. I think my knowledge of Windoze and BBWin is too lacking for me to think of this sort of thing on my own.
The bulk of the noise is coming through in the "Full log eventlog_security" section. Most of them are lines like this one:
success - 2008/04/28 10:41:34 - Security (680) - Logon attempt by: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0 Logon account: xxxxxx Source Workstation: ABCDEFG Error Code: 0x0
The lines start with "success", and appear to end with "Error Code: 0x0"
I tried both these entries in client-local.cfg:
[win32]
eventlog:security ignore success
It gave me no joy, but according to the comments in client-local.cfg, I would have expected it to.
Or should it look like this?
[win32]
eventlog:security ignore 0
This did the trick. Can you confirm that it would only remove the return code 0x0, and not remove all lines containing a 0?
Thanks Vernon
-----Original Message----- From: Etienne Grignon [mailto:etienne.grignon at gmail.com] Sent: Thursday, 24 April 2008 4:51 PM To: hobbit at hswn.dk Subject: Re: [hobbit] Flooding hobbit
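An added example (written for this thread, not BBWin's or hobbit's code) that follows on from Etienne's ignore rules and Vernon's question about whether "ignore 0" would remove every line containing a 0. It treats an ignore rule as a POSIX extended regular expression matched anywhere in the event text; that this is how BBWin or hobbit evaluate ignore rules is an assumption of the example, not something the thread confirms. The event lines are constructed in the format Vernon quotes, and events_kept, SAMPLE_EVENTS and N_SAMPLE are names of this example only.

```c
/* Added example, not BBWin's or hobbit's code: apply an "ignore PATTERN"
 * rule to Windows event-log lines as a POSIX extended regular expression
 * and count the events that survive. That BBWin/hobbit match ignore rules
 * exactly this way is this example's assumption; the event lines below are
 * constructed in the format shown in the thread. */
#include <regex.h>
#include <stdio.h>
#include <string.h>

/* Constructed sample events: two successful logons, two failures. */
static const char *SAMPLE_EVENTS[] = {
    "success - 2008/04/28 10:41:34 - Security (680) - Logon attempt by: "
    "MICROSOFT_AUTHENTICATION_PACKAGE_V1_0 Logon account: user1 "
    "Source Workstation: WS01 Error Code: 0x0",
    "success - 2008/04/28 10:41:35 - Security (680) - Logon attempt by: "
    "MICROSOFT_AUTHENTICATION_PACKAGE_V1_0 Logon account: user2 "
    "Source Workstation: WS02 Error Code: 0x0",
    "failure - 2008/04/28 10:41:36 - Security (680) - Logon attempt by: "
    "MICROSOFT_AUTHENTICATION_PACKAGE_V1_0 Logon account: admin "
    "Source Workstation: WS03 Error Code: 0xC000006A",
    "failure - 2008/04/28 10:41:37 - Security (529) - Logon Failure: "
    "Unknown user name or bad password Logon account: root "
    "Source Workstation: WS04",
};
#define N_SAMPLE (sizeof SAMPLE_EVENTS / sizeof SAMPLE_EVENTS[0])

/*
 * Count how many sample events survive one "ignore PATTERN" rule, i.e.
 * how many do NOT match the pattern. Returns -1 if the pattern does not
 * compile as an extended regular expression.
 */
int events_kept(const char *ignore_pattern)
{
    regex_t re;
    if (regcomp(&re, ignore_pattern, REG_EXTENDED | REG_NOSUB) != 0)
        return -1;
    int kept = 0;
    for (size_t i = 0; i < N_SAMPLE; i++) {
        /* regexec() == 0 means the pattern matched somewhere in the line */
        if (regexec(&re, SAMPLE_EVENTS[i], 0, NULL, 0) != 0)
            kept++;
    }
    regfree(&re);
    return kept;
}

int main(void)
{
    const char *patterns[] = { "0", "success", "Error Code: 0x0$",
                               "^success.*Error Code: 0x0$" };
    for (size_t i = 0; i < sizeof patterns / sizeof patterns[0]; i++)
        printf("ignore %-30s -> %d of %zu events kept\n",
               patterns[i], events_kept(patterns[i]), (size_t)N_SAMPLE);
    return 0;
}
```

Under this matching model a bare `0` keeps nothing at all, because the date field alone contains a zero, so the failed logons a domain controller's security log exists to record would be dropped along with the noise; a pattern anchored on the trailing `Error Code: 0x0` (or on `^success`) removes only the successful-logon chatter and keeps the failures.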
I believe devmon can handle this...
However if you want something simple then mrtg is the way to go, well for bandwidth at least. You can then use bb-mrtg to integrate your mrtg stats into hobbit.
Mike
From: Stewart L [mailto:stewartl42 at gmail.com] Sent: 17 April 2008 20:37 To: Hobbit Mailing List Subject: [hobbit] Best way to do interface graphs?
This email has been scanned for all viruses by the MessageLabs service.
On Thursday 17 April 2008 21:37:21 Stewart L wrote:
so, I have a number of routers and switches. I want to graph interface utilization and errors for them.
What is the best way to do that?
I am graphing all the interfaces on our 6 Cisco 6500 switches (another 2 by next week), 2 7600s, a 7200 router, and 4 PIX firewall pairs (6 other pairs need IOS upgrades before they will have any interface data to graph) with devmon, using the devmon rrd collector module shipped as a patch in the 0.3.0 final release.
$ ls /var/lib/hobbit/rrd/*/if_load*.rrd | wc -l
1487
I am not currently graphing errors, but it should be relatively easy. Add the rrd option to the table in the message file for the test, add 'if_err=devmon' to TEST2RRD (you should kill the hobbitd_rrd to get it to restart with this environment variable updated), and create a graph configuration for if_err (would be relatively similar to the one for if_load shipped in extras/devmon-graph.cfg).
I am actually more interested in adding graphs for discards on the firewall templates (as our internet-facing firewall has quite a high discard rate).
I have some other changes to make to the templates, so if error and discard graphs are of interest to others, I can probably get a new template release out pretty soon.
Regards, Buchan
Any chance folks have done templates for Fortinet Firewalls? I'm sure I can whip them out if not. I'm already doing custom graphs via ncv for cpu, memory, sessions, etc. I was planning on releasing my custom script to the shire next week.
Stew
On Fri, Apr 18, 2008 at 8:37 AM, Buchan Milne <bgmilne at staff.telkomsa.net> wrote:
-- Stewart
The revolution will not be televised. The revolution will be no re-run brothers; The revolution will be live.