|
|
Owl Monitoring SystemSensor Installation Manual |
| 3.1. | Gathering and Storing Sensor Data | ||
| 3.2. | Transferring Sensor Data | ||
| 3.3. | Sensor Heartbeats | ||
Before running your Owl Monitoring System, you must consider a number of questions. How many Owl sensors will be providing data to the Owl manager? How many queries will the sensors be performing? What queries will the sensors be performing? Will each sensor be performing the same queries? Will the sensor be providing "heartbeat" information to the manager? Who will transfer the sensor data to the manager? These questions are important for the sensor administrator, but they are critical for the manager administrator.
A query consists of three parts: a nameserver, a target host, and a query type. Responses to each query will be kept in their own datafile. The amount of data generated by each sensor will depend on the number of queries and the frequency with which the queries are performed.
The sensors will have to gather the data and more queries will result in more data that will be collected. The data will all have to be transferred from the sensor to the manager. If the manager is configured for graphing, then data from each query will be stored in its own database. These databases can be quite large, so the manager host must have a good amount of available disk space.
The administrators of an Owl sensor and the Owl manager (if they are different people) must coordinate the queries that the sensor will be performing. The manager's administrator can request that a set of queries be performed, but it is up to the sensor's administrator to actually configure the sensor for the queries. The manager is effectively at the mercy of the sensor.
Sensor data filenames contain metadata about the sensor data contained therein. Therefore, the filenames will reflect the queries that generated the files. The fields are separated by commas and have this format:
121129.1701,seattle-sensor,example.com,a.root-servers.net,A.dns
121129.1701,seattle-sensor,example.com,m.root-servers.net,A.dns
121129.1701,seattle-sensor,example.com,m.root-servers.net,NS.dns
121129.1701,portland-sensor,example.com,a.root-servers.net,A.dns
Breaking out the fields of the last example above gives this table:
| Field | Purpose | Example | |||
| Timestamp | File creation timestamp; (YYMMDD.hhmm) | 121129.1701 | |||
| Sensor Name | Name of sensor that recorded data | portland-sensor | |||
| Target Name | Host whose name was target of DNS lookups | example.com | |||
| Nameserver Name | Name of queried nameserver | a.root-servers.net | |||
| Query Type | Type of DNS query | A | |||
| File suffix | File suffix | .dns |
The Owl Monitoring System provides utilities to transfer sensor data from the sensor to the manager. One utility, owl-transfer runs on the sensor and transfers the data to the manager. The other utility, owl-transfer-mgr runs on the manager and transfers the data from the sensor. Both utilities are front-ends for the rsync program and run using an ssh-initiated connection.
In both cases, the transferring host must be able to ssh into the remote host without a password. The FOSS rrsync ("restricted rsync", written by Joe Smith, modified by Wayne Davison) is used to restrict the transferring host's access to the remote host.
The administrators of the sensor and the manager must agree on which host will be transferring data to the manager. The appropriate SSH public keys from the transferring host must be placed on the other host, so that the password-less ssh (as described above) may be performed.
An Owl system with multiple sensors may have a mixed transfer configuration. In such a system, some sensors will transfer their data to the manager, while the manager will transfer data from other sensors.
The heartbeat facility is not necessary for Owl operation and Owl runs perfectly well without it. However, it can provide a useful assurance to the manager administrator that the sensor is still working. Enabling this facility on the sensor is at the discretion of the sensor administrator. Since this requires a webserver to be running on the manager host, that aspect is at the discretion of the manager administrator.
|
Section 2. Installation |
Owl Monitoring System Sensor Installation Manual |
Section 4. Adding Sensors |