
List:       dragonidsuser
Subject:    RE: [Dragonidsuser] Heartbeat Status Script
From:       "Misciagna, Martin M." <Martin.Misciagna () unisys ! com>
Date:       2005-09-15 15:03:52
Message-ID: CD37228E9BE22B41B53208CE8A8AEC0B06BFC9BD () USBB-EXCH2 ! na ! uis ! unisys ! com

Jordan,

In the environment we use OV, Concord and SystemsEdge on the Servers. In
order to detect the failure of a sensor over the event channel, we monitor
the replicator.log for anything expired. We ping the administrator port to
make sure the network port is up. We are covered when it comes to the sensor
functioning and sending data to the efp. I can even get alarms and metrics
via Concord on network utilization.

The key with this request is to find an automated way of determining if a
hids or nids is red in the DPM. Before creating the script to monitor the
./Metrics/* for date and time, I wanted to find out if anyone else had
created one and/or solved this issue another way.

Your response is appreciated. Your response helped me refine my question. I
still may use your script as it solves another problem of monitoring the
promiscuous interface. (Well sort of.)

Thank you,
Martin Misciagna
Unisys Remote Network Management Services
877-713-2354


-----Original Message-----
From: dragonidsuser-admin@enterasys.com
[mailto:dragonidsuser-admin@enterasys.com] On Behalf Of Jordan Wiens
Sent: Thursday, September 15, 2005 9:41 AM
To: dragonidsuser@enterasys.com
Subject: Re: [Dragonidsuser] Heartbeat Status Script

We just use scripts to see if there has been any traffic at all from
sensors instead of just HEARTBEAT events.  That way if the span goes down
but the host is still up and it's still sending heartbeats, but not seeing
any other traffic, it will hopefully catch it.  Of course, on a highly tuned
sensor with few events triggered, this may not be appropriate.

You may need to tweak some paths as appropriate (specifically, where your
mklog command and dragon DB directory are).

-----------/etc/cron.hourly/check-sensors.sh------------
#!/bin/sh

# Change these settings as necessary.
EMAILS="email@yourdomain,otheremail@yourdomain,email@pagerprovider,email@cellprovider"
SENSORLIST="sensorname1 sensorname2 sensorname3 sensorname4"

# Events is the minimum number of events that is normal for each sensor.
EVENTS=2

#PROGRAM PATHS
MKLOG=/home/dragon/bin/mklog
DRAGONDB=/usr/dragon/DB
MAILC=/bin/mail

# Report file. mktemp avoids a predictable name in /tmp; the trap removes
# the file however the script exits.
PAGE=`mktemp /tmp/page.XXXXXX` || exit 1
trap 'rm -f "$PAGE"' EXIT

SEND=0
# Date and time 50 minutes ago (GNU date syntax).
DAY=`/bin/date -d '50 minutes ago' +%Y%b%d`
AGO=`/bin/date -d '50 minutes ago' +%H:%M`

for HOST in $SENSORLIST
do
    # Count this sensor's output lines, dropping those that begin with '**'.
    COUNT=`$MKLOG -a $AGO -s $HOST  -l -f \
        $DRAGONDB/$DAY/dragon.db|grep -v '^\*\*'|wc -l`

    if [ $COUNT -lt $EVENTS ]
    then
        echo "$HOST : $COUNT events" >> "$PAGE"
        SEND=1
    fi
done

# Mail the report only if at least one sensor fell below the threshold.
if [ $SEND -eq 1 ]
then
    cat "$PAGE"|$MAILC -s "Missing data" $EMAILS
fi
-----------/etc/cron.hourly/check-sensors.sh------------


--
Jordan Wiens, CISSP
UF Network Security Engineer
(352)392-2061

On Thu, 15 Sep 2005, Misciagna, Martin M. wrote:

> Using 6.3.3 software, has anyone developed a script to monitor the 
> heartbeat in the DPM? I need to know when a sensor turns red in the DPM.
>
> TIA
>
>
> Thank you,
>
> Martin Misciagna
>
> Unisys Remote Network Management Services
>
> 877-713-2354
>
>
_______________________________________________
Dragonidsuser mailing list

For help please follow the below instructions.
You can make subsciption adjustments via email by sending a message to:

  Dragonidsuser-request@enterasys.com

with the word `help' in the subject or body (don't include the quotes), and
you will get back a message with instructions.

You must know your password to change your options (including changing the
password, itself) or to unsubscribe.  
If you forget your password, don't worry, you will receive a monthly
reminder telling you what all your enterasys.com mailing list passwords are,
and how to unsubscribe or change your options.  
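
The check Martin describes above (watching the date and time of the files under ./Metrics/*) could look like the sketch below. It is an added example, not code from the thread or from Dragon. It assumes one file per sensor, named after the sensor and rewritten on every update; the function name and the sensor names are hypothetical. A sensor with no file at all is reported as well as a stale one.

```shell
#!/bin/sh
# Added example, not from the thread. Assumed layout: one file per sensor in
# a metrics directory, named after the sensor and rewritten on every update.

# check_sensors DIR MAX_AGE_MIN SENSOR...
# Prints one line per sensor whose file is missing or older than MAX_AGE_MIN
# minutes. Returns 1 if any sensor was reported, 0 otherwise.
check_sensors() {
    dir=$1
    max_age=$2
    shift 2
    bad=0
    for sensor in "$@"
    do
        f="$dir/$sensor"
        if [ ! -f "$f" ]
        then
            # A sensor that never reported is as much a failure as a stale one.
            echo "$sensor : no metrics file"
            bad=1
        elif [ -n "$(find "$f" -mmin +"$max_age")" ]
        then
            echo "$sensor : no update in over $max_age minutes"
            bad=1
        fi
    done
    return $bad
}

# Demo on constructed data: one fresh file, one stale file, one missing.
demo() {
    d=$(mktemp -d) || return 1
    touch "$d/sensorname1"                    # just updated
    touch -t 200509150941 "$d/sensorname2"    # constructed old timestamp
    check_sensors "$d" 60 sensorname1 sensorname2 sensorname3
    rc=$?
    rm -rf "$d"
    return $rc
}

demo || echo "one or more sensors need attention"
```

The non-zero return value lets a cron wrapper decide whether to send mail, in the same way the SEND flag does in Jordan's script.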



