Archive for the 'Alerts' Category

Nagios Log Server vs. Elasticsearch – Logstash – Kibana

Recently I was asked the following questions via email and thought it would make a great post to explain the differences between deploying Nagios Log Server or just the Elasticsearch, Logstash, Kibana Stack (ELK).

The question was as follows:

In the company I currently work with, we were thinking about deploying ElasticSearch and Logstash along with Kibana, in order to further facilitate log processing and visualization.

What would the added value be if we went for Nagios Log Server instead of ElasticSearch, Logstash and Kibana?

Is there any downside in choosing to install ElasticSearch, Logstash and Kibana on our own instead of installing Nagios Log Server?

Nagios Log Server DashboardOn the surface this is a really straight forward question, and was also asked right away in the Log Monitoring and Log Management with Nagios presentation I gave at the Nagios World Conference.  Nagios Log Server does in fact use the ELK stack, and we are surely glad we chose the stack we did because of the outstanding performance, reliability, redundancy and expandability that it allows Log Server to take advantage of to build this spectacular product.

While both options allow a platform that will give the ability to index and analyze logs from various systems such as syslog, Windows Event Log, text based logs and many many more, Nagios Log Server was designed to be a full featured Log Management product, taking into account the needs of enterprise customers that require important items such as security and role based authentication.

So what makes Nagios Log Server stand out above the competition?  Usually, it all comes down to cost.  While other solutions may be “free” there is no such thing as free lunch, and the man hours learning about “free” technology, as well as the man hours configuring and maintaining such a system must be accounted for.  Additionally, once the “free” system is deployed, who do you contact when something goes wrong, and what is the associated cost?

Added Value

To the point of added value I will list below the extra / added functionality that Nagios Log Server brings to the table over the standard ELK stack.  For the most part, Nagios Log Server simply delivers the missing pieces expected in an enterprise solution, and at the same time provides commercial support for the product as well as saving many organization a ton of money, simply because we at Nagios have done the work figuring out all of the complex features, instead of you having to roll your own system out so to speak. Below is a short list of some of the value added features:

  • Commercial Support – This one item alone makes Log Server stand out.  All licenses come with customer only support.
  • Easy installation – Setup is incredibly easy, either start with a pre-created VM or run a simple install script and your Log Server will be online in a few minutes.  Setting up ELK for production does take a fair amount of knowledge for best practices, although they do make it pretty easy to get going in development environment.
  • Easy cluster formation – Log Server makes sure every member of the cluster knows which IP’s/hostnames it should communicate with and constantly keeps the list current.  While ELK does uses multicast discovery by default, this is almost never recommended in production.
  • Authenticated UI and API – Believe it or not, the ELK stack does not come with any semblance of authentication or authorization, which means anyone that can access the ELK system on the network can not only read, but Delete or Modify your sensitive log data. Log Server has full authentication and authorization to all difference users access to different information, as well as an API that is secured with keyed access.
  • Easy Log Source Wizards and Scripts – Built into Log Server are many easy setup instruction and scripts to make setting up various systems such as Windows Event Logs, or rsyslog a breeze to start sending logs into log server.  Additionally, we have built in easy import functionality to get historical logs into Log Server.
  • GUI based logstash configuration – I believe Log Server has the only GUI based logstash configuration management system in existence.  Easily add logstash configuration inputs, filters, and outputs, with full drag and drop functionality.  On top of that, from one central interface you can add, edit, modify and deploy the configuration files to ALL of the servers in your cluster instead of manually editing configuration files via text editor on each system manually.
  • Per user savable Dashboards – Users can save their custom dashboards that represent the log data the way they like to visualize it.  Each user can have any number of custom dashboards.
  • Per user savable Queries – Queries can be saved separate from dashboards, and you can apply different queries to be viewed in different dashboards.
  • Global Dashboards and Queries – Both queries and dashboards can be saved as Global by administrators so other individuals can use them.
  • Alerting based on Queries – Log server adds the ability to get alerts based on any query.  alerts can be sent via email, sent to a Nagios Monitoring server, sent to an SNMP Trap Receiver, or passed to a custom script for execution.
  • Automated Backup and Maintenance – Automated backup management is part of Log Server, and is basically set it and forget it function.  Once you have set where you want your backup information stored, it will keep all of your precious logs safe and secure there in case you need to retrieve them in the future.
  • GUI based Cluster Management – At a glance view and management of the Log Server cluster status right through the GUI.
  • GUI based Instance Management – Granular view of every member of the cluster, including about 60 metrics such as, disk utilization, memory usage, system load, and so much more.
  • GUI based Index Management – Detailed view (another 25 metrics per index) and actions on every index in the cluster, such as document count, size, and ability to open close, and delete indexes.

Any Downside to Log Server?

This is somewhat a loaded question, I’ll try to be as objective as I can.  I can really only think of two.

  • Not Always Free – While Log Server does offer a free version for a single instance up to an average of 500MB/day, Log Server is commercial software and isn’t free when scaled out to multiple instances, however, with an introductory price of $995, almost all organizations would have spent 10X that much in man hours alone just having their technical staff learn how to install and configure all of the open source components properly.  Once your team has figured it all out, you would have to create any of the above items if they are of value to your organization.
  • Currently Requires CentOS or RHEL – Currently Nagios Log Server is only supported on CentOS or RHEL operating systems, however we are working to get distributions on other operating systems available, and it can be run in a VM on virtually any OS.

We welcome additional questions in the comments below.  Feel free to take Nagios Log Server for a fully functional 90 day free trial.

How to Monitor Domain Expiration with Nagios XI 2014

Nagios XI - Domain Expiration WizardAnyone who rents or owns a domain knows that its registration will expire unless it is renewed. An expired domain can cause loads of issues for groups who rely on the accessibility of said domain whether they are large or small. One major issue that can stem from an expired domain in which you may have forgotten to renew is that a “squatter” could potentially register that domain under their own name and grab your valuable traffic for themselves. With the new Domain Expiration Wizard you can monitor down to the day of when your domain will expire. This is done by checking against the registrar to determine the time remaining so that you can renew your registration before it becomes too late. This is only one of the new wizards included in our latest release of Nagios XI 2014.

The Domain Expiration wizard can be ran in a few easy steps:

  • First, Enter the address of your domain:

Nagios XI - Domain Expiration Wizard

Continue reading ‘How to Monitor Domain Expiration with Nagios XI 2014’

Heartbleed: One Bug to Rule Them All

If you’ve missed the news in the last few days, OpenSSL has been found to contain a rather large issue in it’s implementation of TLSv1.1 and TLS1.2 for versions 1.0.1 through 1.0.1f and 1.0.2-beta. Thankfully, no other versions contain this issue and due to responsible disclosure, a patch is already available in the form of OpenSSL 1.0.1g, which many distributions are already making available via standard package management, such as yum and apt.

As for the juicy details… Heartbleed is a vulnerability caused by a missing bounds check and lack of validation, with the TLS heartbeat extension, that allows for up to 64k of memory to be leaked to an attacker. This is done via initializing a TLS connection over TCP or UDP. When this connection is begun, a heartbeat is shared between the client and server to validate that they are both in good working order. If a malformed, specifically empty, heartbeat is sent, the responding client or server will attempt to copy memory from a packet that is not available and instead respond with data that was previously at the same location that the packet should have been located in memory on the victim’s system. The process is not limited to a newly initialized connection and may be repeated at any point in time with existing connections as well. This could result in leaked memory containing rather benign large chunks of empty memory or severe issues such as private encryption keys, session id’s, passwords, and anything else that might be in the victim’s memory.

Just to clarify, this can affect both clients and servers. Yes, your Android phone’s web browser is just as affected as your Apache web server or OpenLDAP server. So, while updating your OpenSSL version, firmware and operating system are extremely important, one must also consider applications and services that ship with internal versions of OpenSSL or include libraries with compilation that standard updates may not correct.

Resolving this on most systems including current CentOS, RHEL, and Debian based distributions can already be found via standard updates with the included package managers. Systems that do not currently provide updated versions of OpenSSL can be manually updated by building version 1.0.1g from source or building previous versions with the -DOPENSSL_NO_HEARTBEATS flag. In the case of embedded systems such as switches, routers and phones, a firmware update request may have to be made to the vendor directly.

After seeing the large effect this particular bug is having worldwide, we decided to modify existing proof of concept code and provide Nagios users with an automated way to check your systems. Through a Nagios plugin, you can now validate whether your TCP services are vulnerable to the bug with both TLSv1.1 and TLSv1.2. Soon to be implemented updates will include checking of STARTTLS vulnerabilities and UDP connections.

Without further ado, we present the check_heartbleed plugin and heartbleed testing page.

Nagios Exchange: check_heartbleed.py
Nagios.com/heartbleed-tester

Monitoring AKCP sensorProbe2 with Nagios XI Using SNMP

The sensorProbe2, sensorProbe4, sensorProbe8 and Probe8-X20 are intelligent devices for monitoring environmental variables, power, physical threads and security. Various AKCP intelligent sensors can be connected via the RJ45 connectors to the sensorProbe devices.

AKCP sensorProbe2 Web Interface

I would like to show you how easy it is to monitor a Dual Temperature/Humidity AKCP Sensor in Nagios XI via SNMP active checks and SNMP traps.

Continue reading ‘Monitoring AKCP sensorProbe2 with Nagios XI Using SNMP’