[Nodebrain-users] (no subject)
Rule Engine for State and Event Monitoring
From: Trettevik, Ed A <ed....@bo...> - 2003-03-19 16:29:06
Hi Ian,

I don't seem to be receiving mail sent to these lists---guess I need to figure that out.

On Encryption:

NodeBrain uses AES (Rijndael) for data encryption, so it isn't my own encryption. http://csrc.nist.gov/CryptoToolkit/aes/rijndael/

For peer authentication, NodeBrain uses the RSA public/private key encryption algorithm, again not my own. However, the authentication protocol is unique to NodeBrain, and I think it is appropriate to question the decision to create a new authentication protocol. I agree that both SSH and SSL would provide a good foundation for NodeBrain communication. I'm open to moving in that direction by adding one or both as an option and then perhaps dropping some existing code. If someone has worked with SSH or SSL code before and wants to help out, that would be great. If not, I'll get around to it eventually.

If you are concerned about NodeBrain protocol (NBP), or prevented from using it in your environment, you can run NodeBrain without using an NBP listener, or you can bind the listener to the localhost interface to avoid remote access. You can then code your NodeBrain rules to execute ssh or scp commands to communicate over the network.

define in listener type="NBP",interface="127.0.0.1",port=12345; # no remote access
-or-
define in listener type="NBQ",brain="brainname",schedule==~(30s); # no socket connections

define r1 on(a=1 and b=2):-scp mytransactions mya...@my...:. [use sshd]
-or-
define r1 on(a=1 and b=2):-myscript "my transaction" [use whatever]

On SEC:

No, I was not aware of SEC, and I appreciate your bringing it to my attention. I took a quick scan at the link you provided. I don't know enough yet to provide a proper comparison, but I'll comment anyway. :) I think SEC and NodeBrain address the same problem space, event monitoring and correlation, but with very different approaches to rule syntax.
I can't speak without bias on this subject, but it appears at first glance that SEC has more variety in rule structure, a sign that rule coding is done at a higher level. A rule type in SEC seems to identify a "logic template", with specific types of parameters. NodeBrain rule syntax is more general (if I'm understanding SEC correctly), allowing/requiring users to define their own "logic templates" using source files and symbolic substitution. The following NodeBrain code is valid syntax for a new rule type that I'm just making up right now as an example.

define myfilesys context; # Sample file system utilization monitor
source myfilesysrule.nb filesys="/var",warnPercent=80,criticalPercent=90,interval="30m";
source myfilesysrule.nb filesys="/opt";

With NodeBrain as is, one would have to define this new type of rule by placing something like the following in the file called myfilesysrule.nb

default warnPercent=75,criticalPercent=92,interval="2h";
myfilesys define '%{filesys}' context;
myfilesys.'%{filesys}' define percentUsed cell;
myfilesys.'%{filesys}' define r1 on(~(%{interval})):-myfilesyschecker.pl %{filesys}
myfilesys.'%{filesys}' define r2 on(percentUsed>=%{warnPercent}):-myalarm.pl "%{filesys} ..."
myfilesys.'%{filesys}' define r3 on(percentUsed>=%{criticalPercent}):-myalarm.pl "%{filesys} ..."

After symbolic substitution, the source commands expand as follows.
> define myfilesys context;
> source myfilesysrule.nb filesys="/var",warnPercent=80,criticalPercent=90,interval="30m";
> default warnPercent=75,criticalPercent=92,interval="2h";
> myfilesys define '/var' context;
> myfilesys.'/var' define percentUsed cell;
> myfilesys.'/var' define r1 on(~(30m)):-myfilesyschecker.pl /var
> myfilesys.'/var' define r2 on(percentUsed>=80):-myalarm.pl "/var ..."
> myfilesys.'/var' define r3 on(percentUsed>=90):-myalarm.pl "/var ..."
2003/03/19 08:05:05 NB000I Rule file "myfilesysrule.nb" included. size=426
> source myfilesysrule.nb filesys="/opt"
> default warnPercent=75,criticalPercent=92,interval="2h";
> myfilesys define '/opt' context;
> myfilesys.'/opt' define percentUsed cell;
> myfilesys.'/opt' define r1 on(~(2h)):-myfilesyschecker.pl /opt
> myfilesys.'/opt' define r2 on(percentUsed>=75):-myalarm.pl "/opt ..."
> myfilesys.'/opt' define r3 on(percentUsed>=92):-myalarm.pl "/opt ..."
2003/03/19 08:05:05 NB000I Rule file "myfilesysrule.nb" included. size=426

Once you build a file like myfilesysrule.nb, you can think of the source command as a higher level rule type of your creation, based on three NodeBrain rules (r1, r2, and r3). It seems like SEC has predefined rule types. I don't see anything wrong with that if SEC provides all the rule types you need. There may also be a way of extending the rule types that I didn't see.

It also looks like SEC is more focused on log file monitoring than NodeBrain. I would not advocate replacing working SEC rules with NodeBrain rules for log file monitoring. But I can imagine someone using SEC as an event source for NodeBrain event correlation. In that way, they would not compete, but complement each other.

On right way to use NodeBrain?

Yes, your intended use is exactly the way I first applied NodeBrain. I created a Unix System Monitor Kit with NodeBrain and a set of Perl scripts.
You can schedule your Perl scripts with cron, or NodeBrain. I use NodeBrain when I want to schedule on conditions more than time, or when I want to keep the scheduling rule with the response rules as shown in the myfilesysrule.nb file above. In this example, I would call the script myfilesyschecker.pl a "probe". It must find or compute information and report it back to the agent as follows.

# Perl code to report a value to a NodeBrain agent (myagent)
# The cell name must match the percentUsed cell defined in myfilesysrule.nb
system("nb \":>myagent assert myfilesys.'/var'.percentUsed=75;\"");

I have Perl scripts that I call "alarm adapters" for sending email notification, text pages, snmp traps, and alerts into a couple different commercial event management systems. I also have Perl scripts called "configuration adapters" that generate NodeBrain rules from configuration files unique to the kit. Hopefully you will find NodeBrain useful for building a similar kit for your own environment. Eventually it would be nice if other projects adopted NodeBrain as a rule engine, and shared rule sets and related scripts.

I'll try to find time to post sample rules on the web site. I can expand on the example above to show how to avoid multiple alarms using a reset threshold and the flip-flop operator. And I expect more examples using event caches would be helpful.

Thanks for your comments and questions, and let me know if you run into problems with NodeBrain.

Ed Trettevik <ea...@no...>
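The following Python is an added example, not code from the message or from the NodeBrain project. It covers two passages above: the symbolic substitution that turns myfilesysrule.nb into the expanded rules shown in the trace (a `default` line fills in only the parameters a `source` command left out, so /var keeps warnPercent=80 while /opt falls back to 75), and the probe's `nb ":>agent assert ...;"` report back to the agent. Only the template text, the trace, and that command form come from the message; the regexes, the whitelist, the function names and the `subprocess` call are assumptions made here, and NodeBrain's own parser may treat quoting differently. The probe half shows why a shell string built by interpolation, as in the Perl `system()` call, is worth avoiding: `%{filesys}` is also passed to myfilesyschecker.pl on a command line by r1, so a name containing a quote or `$(...)` would reach a shell twice.

```python
"""Added example (not NodeBrain's code): template expansion as shown in the
message's trace, and a shell-free way for a probe to report a cell value."""
import re
import subprocess

# Template from the message, embedded inline so the example runs offline.
MYFILESYSRULE_NB = """\
default warnPercent=75,criticalPercent=92,interval="2h";
myfilesys define '%{filesys}' context;
myfilesys.'%{filesys}' define percentUsed cell;
myfilesys.'%{filesys}' define r1 on(~(%{interval})):-myfilesyschecker.pl %{filesys}
myfilesys.'%{filesys}' define r2 on(percentUsed>=%{warnPercent}):-myalarm.pl "%{filesys} ..."
myfilesys.'%{filesys}' define r3 on(percentUsed>=%{criticalPercent}):-myalarm.pl "%{filesys} ..."
"""

# Assumed grammar: name=value pairs separated by commas, values optionally
# double-quoted, an optional trailing ';'.
_ASSIGN = re.compile(r'(\w+)\s*=\s*(?:"([^"]*)"|([^,;]+))')
_PLACEHOLDER = re.compile(r'%\{(\w+)\}')


def parse_params(spec: str) -> dict:
    """Parse 'a=1,b="x";' into {'a': '1', 'b': 'x'} (quotes stripped)."""
    params = {}
    for name, quoted, bare in _ASSIGN.findall(spec):
        params[name] = bare.strip() if bare else quoted
    return params


def expand_template(template: str, given: dict) -> list:
    """Expand %{name} placeholders the way the trace in the message shows.

    A `default` line supplies values only for parameters the caller did not
    pass (setdefault), and is echoed verbatim like the trace does.  An
    unresolved name raises instead of expanding to nothing, so a typo in a
    source command cannot silently produce a rule that watches nothing.
    """
    params = dict(given)

    def substitute(match):
        name = match.group(1)
        if name not in params:
            raise KeyError(f'unresolved template parameter %{{{name}}}')
        return params[name]

    expanded = []
    for line in template.splitlines():
        stripped = line.strip()
        if not stripped:
            continue
        if stripped.startswith('default '):
            for name, value in parse_params(stripped[len('default '):]).items():
                params.setdefault(name, value)
            expanded.append(stripped)
            continue
        expanded.append(_PLACEHOLDER.sub(substitute, stripped))
    return expanded


# Whitelists (assumed): an absolute path of plain characters can neither close
# the single quotes around the NodeBrain term nor carry shell syntax.
_SAFE_FILESYS = re.compile(r'^/[A-Za-z0-9_./-]*$')
_SAFE_NAME = re.compile(r'^\w+$')


def is_safe_filesys(filesys: str) -> bool:
    return bool(_SAFE_FILESYS.match(filesys))


def build_report_argv(agent: str, filesys: str, percent: int) -> list:
    """Build argv for the report the message's Perl probe makes via system().

    Returning an argv list for subprocess.run (no shell) makes the whole
    NodeBrain command a single argument whatever it contains; the checks keep
    hostile values out of the command text itself.
    """
    if not _SAFE_NAME.match(agent):
        raise ValueError(f'bad agent name {agent!r}')
    if not is_safe_filesys(filesys):
        raise ValueError(f'refusing to report on filesystem name {filesys!r}')
    if not 0 <= int(percent) <= 100:
        raise ValueError(f'percent out of range: {percent}')
    return ['nb', f":>{agent} assert myfilesys.'{filesys}'.percentUsed={int(percent)};"]


def report(agent: str, filesys: str, percent: int) -> int:
    """Send the assertion; needs a running nb agent, so tests do not call it."""
    return subprocess.run(build_report_argv(agent, filesys, percent), check=False).returncode


if __name__ == '__main__':
    for spec in ('filesys="/var",warnPercent=80,criticalPercent=90,interval="30m"',
                 'filesys="/opt"'):
        for line in expand_template(MYFILESYSRULE_NB, parse_params(spec)):
            print('>', line)
    print(build_report_argv('myagent', '/var', 75))
```

Running the block prints the same twelve expanded lines as the trace in the message (minus the NB000I status lines) and the argv the probe would hand to `subprocess.run`; `report()` is the only function that actually needs an agent.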