halcyon ‐ a division of HelpSystems guide to Linux templates


Copyright

Copyright 2010 - 2019 Halcyon - A Division of HelpSystems. All rights reserved.

This document is intended as a guide to the reports generated by using Halcyon software.

This documentation contains Halcyon proprietary and confidential information and may not be disclosed, used, or copied without the prior consent of Halcyon or as set forth in the applicable license agreement. Users are solely responsible for the proper use of the software and the application of the results obtained.

Although Halcyon has tested the software and reviewed the documentation, the sole warranty for the software may be found in the applicable license agreement between Halcyon and the user.

Publication Revision: June 2019

Overview

Halcyon Templates are designed to provide the same level of monitoring across a number of similar devices by applying a set of user-defined rules with a single click. This greatly reduces set-up time and ensures all systems are covered by at least a basic level of monitoring.

Should you need to make a system-wide change at a later date, a single update covers all systems using the template.

Network Server Suite Templates are also available for:

• Windows

• AIX


CHAPTER 1 INSTALLATION

Network Server Suite comes supplied with two default monitoring templates each for Red Hat®, OpenSUSE® and ORACLE® versions of Linux® that cover the majority of everyday scenarios that your organization is likely to encounter.

Templates are created using the Central Configuration Manager and can then be quickly applied to all systems. More than one template can be applied to a system at any one time and it is also possible to have individual rules running alongside the template rules on any system.

Basic templates which monitor devices for routine issues and concerns such as low disk space, memory and so on can be deployed enterprise-wide. Business critical machines may require the application of an ‘advanced’ template additionally covering, for example, application event log and service monitoring.

Using the default templates

Launch the Central Configuration Manager and select the Templates tab.

The following Linux® monitor templates are defined:

• Red Hat System Monitoring (Basic)

• Red Hat System Monitoring (Advanced)

• Linux System Monitoring (Basic)

• Linux System Monitoring (Advanced)

• ORACLE System Monitoring (Standard)

• ORACLE System Monitoring (Advanced)


Figure 1.1 Default Linux Templates available within Network Server Suite

Applying Templates

Once a template has been created it can then be applied to other systems via the Templates tab of the Central Configuration Manager.

Templates can be applied directly to each system shown in the Template Systems panel.


Figure 1.2 Applying Templates

Once saved, the System to which the template has been applied is shown in bold type to Server Manager Level only. Individual monitors and rules remain in light typeface.

Figure 1.3 System level Templates

Copy and paste

This short-cut is used primarily to copy an individual system rule into an existing template rule. It is only possible to do this between same type monitors (with the exception of Event Log Monitors). For example, a Summary Performance Monitor rule can only be copied to a Summary Performance Template rule.


Modifying Individual Systems

Once a template rule has been applied it is important to ensure that the rule details are applicable to the new system in terms of level of criteria and actions undertaken. It is good housekeeping to keep the template rules as generic as possible and fine-tune them individually at system level.

For example, a rule applied across twenty systems with an action of sending an SMS message initiates twenty identical messages to the same resource should an alert be raised.

Exporting and Importing Templates

Templates can be exported to and imported from other instances of Network Server Suite. Template files are saved with an extension of .csf.

Exporting and Importing Template options are accessed from within the Central Configuration Manager menu bar; Backup | Export Templates or Backup | Import Templates.

Note: Imported Templates do not override any existing templates on the system to which they are imported but add additional templates that did not previously exist.

Deleting Templates

If a template is deleted it is removed from all systems to which it has been applied.


CHAPTER 2 LINUX TEMPLATES

Linux® Templates

Network Server Suite templates are currently available for three versions of the Linux® operating system: RED HAT®, openSUSE® and ORACLE®.

These are very similar, and only variations of the RED HAT® and ORACLE® templates are listed under the SUSE® templates headings.

ORACLE® Template dependencies

The following dependencies must be installed before the ORACLE Linux templates can be applied:

• # yum install ld-linux.so.2

• # yum install libz.so.1

RED HAT® System Monitoring Template (Standard)

The RED HAT® system monitoring (Standard) template includes the following rules:

Linux Logical Volume Monitor

This contains the following two rules:

Logical volume (LogVol00) status <> available - Measure(Status) Trigger(=available)

This rule checks that logical volume LogVol00 is always available. If LogVol00 is in any status other than available, an alert is raised.


Logical volume (LogVol01) status <> available - Measure(Status) Trigger(=available)

This rule checks that logical volume LogVol01 is always available. If LogVol01 is in any status other than available, an alert is raised.

Script Monitor

This contains the following rules:

Check For Failed Raid Drives - Script(mdadm) -D /dev/md0 | grep Failed Devices 1|2|3

This rule checks for up to 3 failed RAID drives. An alert is raised if any one of the RAID devices is found to be in a failed status.

Zombie process - Report on all - Script(ps -eo stat,pid | egrep "^Z" | awk '{print $2}' ^[^$])

A zombie process or defunct process is a process that has completed execution (via the exit system call) but still has an entry in the process table. It is a process in the ‘Terminated state’ and can cause a resource leak. This script monitor rule, which runs every 60 seconds, 24/7, checks for any processes deemed to be in a ‘Z’ status and if found, sends an alert to the Enterprise Console, listing each process.

Zombie process count - Script(ps -eo stat,pid | egrep "^Z" | wc -l ^[^0])

Similar to the previous rule, this rule runs every 60 seconds, 24/7 and checks for any processes deemed to be in a ‘Z’ status. If found, an alert is sent to the Enterprise Console, providing a count of the total number of processes.
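The two zombie rules above select processes whose state column begins with Z. As an added example (not Halcyon code), the functions below apply the same selection to `ps -eo stat,pid,ppid,comm` output and, going beyond the rules, group the zombies by parent PID, since the parent is the process that has not reaped them. The sample output is constructed and the function names are assumptions.

```sh
#!/bin/sh
# Added example, not Halcyon code. Function names are assumptions.

# Constructed `ps -eo stat,pid,ppid,comm` output; not taken from a real host.
sample_ps() {
cat <<'EOF'
STAT   PID  PPID COMMAND
Ss       1     0 systemd
Ss    1042     1 crond
Sl    2297     1 jobrunner
Z     2310  2297 backup.sh
Z+    2311  2297 backup.sh
Z     2388  1042 logrotate
R+    2400  2350 ps
EOF
}

# Same selection as the template rule (state column starts with Z), but the
# parent PID and command name are kept next to each zombie PID.
# Output: "pid ppid command", one zombie per line.
zombie_list() {
    awk 'NR > 1 && $1 ~ /^Z/ { print $2, $3, $4 }'
}

# Equivalent of the "Zombie process count" rule; prints 0 when there are none.
zombie_count() {
    zombie_list | awk 'END { print NR }'
}

# Zombies per parent, largest group first. Output: "count ppid".
zombie_parents() {
    zombie_list | awk '{ n[$2]++ } END { for (p in n) print n[p], p }' |
        LC_ALL=C sort -k1,1nr -k2,2n
}

# Run on the constructed sample. On a live system use:
#   ps -eo stat,pid,ppid,comm | zombie_parents
sample_ps | zombie_parents
```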

File & Folder Monitor

This contains the following five rules:

File(/etc/crontab) Has Changed - File (/etc) Trigger(Exists)

Crontab is the program used to install, remove or list the tables used to drive the cron daemon. This rule checks to ensure that crontab has not been amended and raises an alert if any changes have been made.

File(/etc/inittab) Has Changed - File (/etc) Trigger(Exists)

The inittab file describes which processes are started at bootup and during normal operation. This rule checks to ensure that the inittab file has not been amended and raises an alert if any changes have been made.


File(/etc/mail/sendmail.cf) Has Changed - File (/etc/mail) Trigger(Exists)

This rule checks the file /etc/mail/sendmail.cf. This is a lengthy and detailed configuration file and direct editing of this file should be avoided. An alert is generated if a change is detected to the modified date of the file.

File(/etc/profile) Has Changed - File (/etc) Trigger(Exists)

This rule checks the file /etc/profile. This file contains system-wide environment details and startup programs. An alert is generated if a change is detected to the modified date of this file.

File(/etc/xinetd) Has Changed - File (/etc) Trigger(Exists)

Xinetd is a secure replacement for inetd, the Internet services daemon. Xinetd provides access control for all services based on the address of the remote host and/or on time of access and can prevent denial-of-access attacks. Each service has its own specific configuration file for Xinetd; the files are located in the /etc/xinetd.d directory. An alert is generated if a change is detected to the modified date of this file.
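The File & Folder rules above alert when a file's modified date changes. As an added example (not Halcyon code), the script below keeps a baseline of both the modification time and the SHA-256 digest of the watched files, so it also reports content that differs while the timestamp is the same as at baseline. The function names, output labels and scratch paths are assumptions, and GNU coreutils are required.

```sh
#!/bin/sh
# Added example, not Halcyon code. Requires GNU coreutils (sha256sum, stat -c).
# Function names, output labels and the scratch paths are assumptions.

# fim_snapshot FILE...: print "sha256 mtime path" for every file that exists.
fim_snapshot() {
    for f in "$@"; do
        [ -f "$f" ] || continue
        printf '%s %s %s\n' \
            "$(sha256sum "$f" | awk '{ print $1 }')" "$(stat -c %Y "$f")" "$f"
    done
}

# fim_compare BASELINE: re-read each path recorded in BASELINE and report
#   MISSING        file no longer exists
#   CONTENT+MTIME  digest and modified date both differ
#   CONTENT        digest differs, modified date does not
#   MTIME          modified date differs, content is identical
fim_compare() {
    while read -r old_sum old_mtime path; do
        if [ ! -f "$path" ]; then
            printf 'MISSING %s\n' "$path"
            continue
        fi
        new_sum=$(sha256sum "$path" | awk '{ print $1 }')
        new_mtime=$(stat -c %Y "$path")
        if [ "$new_sum" != "$old_sum" ] && [ "$new_mtime" != "$old_mtime" ]; then
            printf 'CONTENT+MTIME %s\n' "$path"
        elif [ "$new_sum" != "$old_sum" ]; then
            printf 'CONTENT %s\n' "$path"
        elif [ "$new_mtime" != "$old_mtime" ]; then
            printf 'MTIME %s\n' "$path"
        fi
    done < "$1"
}

# Demonstration on constructed scratch files named after the template's watch
# list. Nothing under the real /etc is read or written.
fim_demo() {
    d=$(mktemp -d)
    mkdir -p "$d/etc/mail"
    for f in crontab inittab profile mail/sendmail.cf; do
        printf 'original %s\n' "$f" > "$d/etc/$f"
        touch -t 201906010000 "$d/etc/$f"      # fixed baseline timestamp
    done
    fim_snapshot "$d/etc/crontab" "$d/etc/inittab" "$d/etc/profile" \
        "$d/etc/mail/sendmail.cf" > "$d/baseline"

    printf '# edited\n' >> "$d/etc/crontab"    # ordinary edit
    printf 'replaced\n' > "$d/etc/inittab"     # different content ...
    touch -t 201906010000 "$d/etc/inittab"     # ... carrying the baseline timestamp,
                                               # as a timestamp-preserving restore leaves it
    touch "$d/etc/profile"                     # timestamp only
    rm "$d/etc/mail/sendmail.cf"               # file removed

    fim_compare "$d/baseline" | sed "s| $d| |" # strip the scratch prefix
    rm -rf "$d"
}

fim_demo
```

The `CONTENT` line for the scratch inittab is the case a modified-date comparison alone does not report.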

Log File Monitor

This contains the following rule:

Monitor for Failures in Secure Log - LogFile(/var/log/secure) Expression(Failure)

This rule checks for any authentication failure errors present in the /var/log/secure log file and raises an alert if an error is found.

CPU, Filesystem and Memory Monitor

This contains the following five rules:

Filesystem (/) Disk Space Used >=80% - Group(Filesystem) Volume (/) Type(Filesystem Space Used %) Trigger(=80%)

This rule checks that the root filesystem ‘/’ on volume ‘/’ has more than 20% free space available at all times. An alert is generated if the disk space used on filesystem ‘/’ equals or exceeds 80 percent.

Filesystem(/) Does Not Exist - Group(Filesystem) Volume(/) Trigger(Does Not Exist)

This rule checks that the root filesystem ‘/’ is in existence on volume ‘/’. An alert is generated if the root filesystem ‘/’ is not found on volume ‘/’.


Filesystem(/) Inode Used >=90% - Group(Filesystem) Volume(/) Type(I-Nodes Used %) Trigger (=90%)

This rule checks the percentage Inode used on root filesystem ‘/’. An inode is a data structure in UNIX operating systems that contains important information pertaining to files within a file system. When a file system is created in UNIX, a set amount of inodes are also created. Usually, about 1 percent of the total file system disk space is allocated to the inode table. An alert is generated if the percentage Inode used on root filesystem ‘/’ equals or exceeds 90 percent.

Paging Space >95% - Group(Memory) Type(Page File Used %) Trigger(=95%)

This rule checks that the paging space available for use does not exceed 95%. An alert is raised if this figure is breached.

Sustained CPU >95% - Group(CPU) CPU(0) Type(CPU Load) Trigger (=95%)

This rule checks the sustained usage of the CPU. An alert is generated if the sustained CPU load exceeds 95% at any one time.

Process Monitor

This contains the following rules:

Critical Process (crond) Does Not Exist - Type(Process By Name) Process(crond) Trigger(Does Not Exist)

Cron jobs are managed by a daemon named crond. When cron schedules are added, deleted or modified by crontab, any changes are enacted by the crond daemon. The crond daemon runs constantly in the background and checks once a minute to see if any of the scheduled jobs need to be executed. If the crond process is not running, no cron jobs will be executed. This rule checks that the crond process exists and raises an alert if it is not found.

Critical Process (gdm-binary) Does Not Exist - Type(Process By Name) Process(gdm-binary) Trigger(Does Not Exist)

Gdm (the GNOME Display Manager) is a configurable reimplementation of xdm, the X Display Manager. Gdm allows you to log into your system with the X Window System running and supports running several different X sessions on your local machine at the same time. This rule checks that the gdm-binary process exists and raises an alert if it is not found.


Critical Process (sshd) Does Not Exist - Type(Process By Name) Process(sshd) Trigger(Does Not Exist)

OpenSSH Daemon (sshd) is the daemon program for ssh. Together these programs provide secure encrypted communications between two untrusted hosts over an insecure network.

The SSH daemon listens for connections from clients. It starts a new daemon for each incoming connection. These daemons then handle key exchange, encryption, authentication, command execution, and data exchange. This rule checks that the sshd process exists and raises an alert if it is not found.

Critical Process (syslogd) Does Not Exist - Type(Process By Name) Process(syslogd) Trigger(Does Not Exist)

Syslogd provides the logging of system events. Every logged message contains at least a time and a hostname field and normally a program name field. This rule checks that the syslogd process exists and raises an alert if it is not found.

Critical Process (xfs) Does Not Exist - Type(Process By Name) Process(xfs) Trigger(Does Not Exist)

X font server ‘xfs’ is a daemon that listens on a network port and serves X fonts to X servers (and thus to X clients). This daemon makes it possible to have a central repository of fonts on a networked machine running xfs so that all the machines running X servers on a network do not require their own set of fonts. This rule checks that the xfs process exists and raises an alert if it is not found.

Critical Process (xinetd) Does Not Exist - Type(Process By Name) Process(xinetd) Trigger(Does Not Exist)

Xinetd is a secure replacement for inetd, the Internet services daemon. Xinetd provides access control for all services based on the address of the remote host and/or on time of access and can prevent denial-of-access attacks. This rule checks that the xinetd process exists and raises an alert if it is not found.

Ping Monitor

This monitor contains a single rule.

Check Server Can Ping Router - Host(1.2.3.4) Timeout(2000) Attempts(4) Success(50%) TTL(128)

This rule checks that the server can ping a user-defined router. The host address of this template needs to be amended to the actual IP address of the router that you wish to monitor. An alert is generated if the success rate is less than 50% over the four attempts that the ping makes to communicate with the router.


Note: All actions for each of the above rules within this template are set to a default of sending an alert to the Enterprise Console. You must manually change this setting if you require an alternative action to be taken upon the generation of an alert.

RED HAT® System Monitoring Template (Advanced)

The RED HAT® system monitoring template (Advanced) includes all of the rules available in the Standard template plus these additional rules:

Linux® Logical Volume Monitor

This monitor contains the same rules as those available in the Standard template.

Script Monitor

This monitor contains the same rule as the one available in the Standard template.

File & Folder Monitor

This monitor contains the same rules as the Standard template and includes these additional three rules:

File (/etc/resolv.conf) Has Changed - File(/etc) Trigger(Exists)

The configuration file resolv.conf contains information that allows a computer connected to the Internet to resolve names into addresses.

The resolv.conf file typically contains the IP addresses of nameservers (DNS name resolvers) that attempt to translate names into addresses for any node available on the network. This rule raises an alert if any changes are made to the resolv.conf file.

File (/etc/sysconfig/iptables) Has Changed - File(/etc/sysconfig) Trigger(Exists)

Iptables is a generic table structure that defines rules and commands as part of the netfilter framework that facilitates Network Address Translation (NAT), packet filtering, and packet mangling in the Linux 2.4 and later operating systems. This rule raises an alert if any changes are made to iptables.

File (/etc/vsftpd/vsftpd.conf) Has Changed - File(/etc/vsftpd) Trigger(Exists)

Vsftpd.conf is used to control various aspects of vsftpd's behavior. Vsftpd is the Very Secure File Transfer Protocol Daemon. This rule raises an alert if any changes are made to vsftpd.conf.


Log File Monitor

This monitor contains the same rule as the Standard template and includes these additional two rules:

Monitor for MySQL Errors - LogFile(/var/log/mysqld.log) Expression (error|failure)

This rule checks the MySQL database server log file for any failure errors and raises an alert should any be found.

Monitor for Samba Errors - LogFile(/var/log/samba/smbd.log) Expression(error|failed)

The Samba log files can help diagnose the vast majority of the problems that Samba administrators are likely to encounter. This rule checks the smbd.log file and raises an alert if any failure errors are found.

CPU, Filesystem and Memory Monitor

This monitor contains the same rules as the Standard template plus these additional five rules:

Filesystem (/boot) Disk Space Used >=80% - Group(Filesystem) Volume(/boot) Type(Filesystem Space Used %) Trigger(=80%)

This rule checks to ensure that the filesystem ‘/boot’ remains at least 20% free at all times. If the level of disk space available falls below 20% an alert is raised.

Filesystem (/boot) Does Not Exist - Group(Filesystem) Volume(/boot) Trigger(Does Not Exist)

This rule checks to ensure that the file system ‘/boot’ exists and raises an alert if it is not found.

Filesystem (/boot) Inode Used >=90% - Group(Filesystem) Volume(/boot) Type(I-Nodes Used %) Trigger(=90%)

This rule checks the percentage Inode used on filesystem ‘/boot’. An inode is a data structure in UNIX operating systems that contains important information pertaining to files within a file system. When a file system is created in UNIX, a set amount of inodes are also created. Usually, about 1 percent of the total file system disk space is allocated to the inode table. An alert is generated if the percentage Inode used on filesystem ‘/boot’ equals or exceeds 90 percent.


Page File Used <30% (Suggests Too Much Paging Space) - Group(Memory) Type(Page File Used %) Trigger (=30%)

This rule checks the page file used memory and raises an alert if the percentage figure falls under 30 percent, which would suggest that there is too much paging space assigned.

Page File Used >70% (Suggests Not Enough Paging Space) - Group(Memory) Type(Page File Used %) Trigger(=70%)

This rule checks the page file used memory and raises an alert if the percentage figure exceeds 70 percent, which would suggest that there is too little paging space assigned.

Process Monitor

This monitor contains the same critical process rules as the Standard templates and adds another ten rules to monitor for the existence of the following optional processes.

Optional Process (httpd) Does Not Exist - Type(Process By Name) Process(httpd) Trigger(Does Not Exist)

The httpd process is the HyperText Transfer Protocol Daemon. This rule checks for the existence of this daemon and raises an alert if it is not found.

Optional Process (mysqld) Does Not Exist - Type(Process By Name) Process(mysqld) Trigger(Does Not Exist)

The mysql daemon launches the MySQL database server. This rule checks for the existence of this daemon and raises an alert if it is not found.

Optional Process (postmaster) Does Not Exist - Type(Process By Name) Process(postmaster) Trigger(Does Not Exist)

Postmaster is the PostgreSQL multiuser database server. In order for a client application to access a database it connects (over a network or locally) to a running postmaster. The postmaster then starts a separate server process ("postgres") to handle the connection. The postmaster also manages the communication among server processes. This rule checks for the existence of this process and raises an alert if it is not found.

Optional Process (rpc.idmapd) Does Not Exist - Type(Process By Name) Process(rpc.imapd) Trigger(Does Not Exist)

Rpc.idmapd is the NFSv4 ID name mapping daemon. It provides functionality to the NFSv4 kernel client and server, to which it communicates via upcalls, by translating user and group IDs to names, and vice versa. This rule checks for the existence of this daemon and raises an alert if it is not found.


Optional Process (rpc.statd) Does Not Exist - Type(Process By Name) Process(rpc.statd) Trigger(Does Not Exist)

The rpc.statd server implements the NSM (Network Status Monitor) RPC protocol. NSM implements a reboot notification service. It is used by the NFS file locking service, rpc.lockd, to implement lock recovery when the NFS server machine crashes and reboots. This rule checks for the existence of this daemon and raises an alert if it is not found.

Optional Process(sendmail) Does Not Exist - Type(Process By Name) Process(sendmail) Trigger(Does Not Exist)

Sendmail sends a message to one or more recipients, routing the message over whatever networks are necessary. Sendmail does internetwork forwarding as necessary to deliver the message to the correct place. This rule checks for the existence of this process and raises an alert if it is not found.

Optional Process(smbd) Does Not Exist - Type(Process By Name) Process(smbd) Trigger(Does Not Exist)

This program is part of the samba(7) suite.

smbd is the server daemon that provides filesharing and printing services to Windows clients. The server provides filespace and printer services to clients using the SMB (or CIFS) protocol. This rule checks for the existence of this daemon and raises an alert if it is not found.

Optional Process(spamd) Does Not Exist - Type(Process By Name) Process(spamd) Trigger(Does Not Exist)

The program spamd is a service designed to reduce the flow of spam to your email inbox. This rule checks for the existence of this process and raises an alert if it is not found.

Optional Process(squid) Does Not Exist - Type(Process By Name) Process(squid) Trigger(Does Not Exist)

Squid is an Internet Object Cache developed by the National Laboratory for Applied Networking Research (NLANR) and Internet volunteers. This rule checks for the existence of this process and raises an alert if it is not found.

Optional Process(vsftpd) Does Not Exist - Type(Process By Name) Process(vsftpd) Trigger(Does Not Exist)

Vsftpd is The Very Secure FTP Daemon. Vsftpd supports both anonymous and non-anonymous FTP, PAM authentication, bandwidth limiting, and the Linux sendfile() facility. This rule checks for the existence of this process and raises an alert if it is not found.


Ping Monitor

This monitor contains the same rule as the one available in the Standard template.

SUSE® System Monitoring Template (Standard)

The SUSE® system monitoring template (Standard) includes the same rules as RED HAT® system monitoring template (Standard) with the following exceptions:

Log File Monitor

Monitor for Failure in Messages Log - LogFile(/var/log/messages) Expression (error|fail)

This rule checks for any error or failure messages in the /var/log/messages log file and raises an alert if any such messages are found.

SUSE® System Monitoring Template (Advanced)

The SUSE® system monitoring template (Advanced) includes the same rules as RED HAT® system monitoring template (Advanced).

ORACLE® System Monitoring Template (Standard)

The ORACLE® system monitoring (Standard) template includes the following rules:

Linux Logical Volume Monitor

This contains the following two rules:

Logical volume (LogVol00) status <> available - Measure(Status) Trigger(=available)

This rule checks that logical volume LogVol00 is always available. If LogVol00 is in any status other than available, an alert is raised.

Logical volume (LogVol01) status <> available - Measure(Status) Trigger(=available)

This rule checks that logical volume LogVol01 is always available. If LogVol01 is in any status other than available, an alert is raised.


Script Monitor

This contains the following rules:

Check For Failed Raid Drives - Script(mdadm) -D /dev/md0 | grep Failed Devices 1|2|3

This rule checks for up to 3 failed RAID drives. An alert is raised if any one of the RAID devices is found to be in a failed status.

Zombie process - Report on all - Script(ps -eo stat,pid | egrep "^Z" | awk '{print $2}' ^[^$])

A zombie process or defunct process is a process that has completed execution (via the exit system call) but still has an entry in the process table. It is a process in the ‘Terminated state’ and can cause a resource leak. This script monitor rule, which runs every 60 seconds, 24/7, checks for any processes deemed to be in a ‘Z’ status and if found, sends an alert to the Enterprise Console, listing each process.

Zombie process count - Script(ps -eo stat,pid | egrep "^Z" | wc -l ^[^0])

Similar to the previous rule, this rule runs every 60 seconds, 24/7 and checks for any processes deemed to be in a ‘Z’ status. If found, an alert is sent to the Enterprise Console, providing a count of the total number of processes.

File & Folder Monitor

This contains the following five rules:

File(/etc/crontab) Has Changed - File (/etc) Trigger(Exists)

Crontab is the program used to install, remove or list the tables used to drive the cron daemon. This rule checks to ensure that crontab has not been amended and raises an alert if any changes have been made.

File(/etc/inittab) Has Changed - File (/etc) Trigger(Exists)

The inittab file describes which processes are started at bootup and during normal operation. This rule checks to ensure that the inittab file has not been amended and raises an alert if any changes have been made.

File(/etc/mail/sendmail.cf) Has Changed - File (/etc/mail) Trigger(Exists)

This rule checks the file /etc/mail/sendmail.cf. This is a lengthy and detailed configuration file and direct editing of this file should be avoided. An alert is generated if a change is detected to the modified date of the file.


File(/etc/profile) Has Changed - File (/etc) Trigger(Exists)

This rule checks the file /etc/profile. This file contains system-wide environment details and startup programs. An alert is generated if a change is detected to the modified date of this file.

File(/etc/xinetd) Has Changed - File (/etc) Trigger(Exists)

Xinetd is a secure replacement for inetd, the Internet services daemon. Xinetd provides access control for all services based on the address of the remote host and/or on time of access and can prevent denial-of-access attacks. Each service has its own specific configuration file for Xinetd; the files are located in the /etc/xinetd.d directory. An alert is generated if a change is detected to the modified date of this file.

Log File Monitor

This contains the following rule:

Monitor for Failures in Secure Log - LogFile(/var/log/secure) Expression(Failure)

This rule checks for any authentication failure errors present in the /var/log/secure log file and raises an alert if an error is found.

CPU, Filesystem and Memory Monitor

This contains the following five rules:

Filesystem (/) Disk Space Used >=80% - Group(Filesystem) Volume (/) Type(Filesystem Space Used %) Trigger(=80%)

This rule checks that the root filesystem ‘/’ on volume ‘/’ has more than 20% free space available at all times. An alert is generated if the disk space used on filesystem ‘/’ equals or exceeds 80 percent.

Filesystem(/) Does Not Exist - Group(Filesystem) Volume(/) Trigger(Does Not Exist)

This rule checks that the root filesystem ‘/’ is in existence on volume ‘/’. An alert is generated if the root filesystem ‘/’ is not found on volume ‘/’.

Filesystem(/) Inode Used >=90% - Group(Filesystem) Volume(/) Type(I-Nodes Used %) Trigger (=90%)

This rule checks the percentage Inode used on root filesystem ‘/’. An inode is a data structure in UNIX operating systems that contains important information pertaining to files within a file system. When a file system is created in UNIX, a set amount of inodes are also created. Usually, about 1 percent of the total file system disk space is allocated to the inode table. An alert is generated if the percentage Inode used on root filesystem ‘/’ equals or exceeds 90 percent.


Paging Space >95% - Group(Memory) Type(Page File Used %) Trigger(=95%)

This rule checks that the paging space available for use does not exceed 95%. An alert is raised if this figure is breached.

Sustained CPU >95% - Group(CPU) CPU(0) Type(CPU Load) Trigger (=95%)

This rule checks the sustained usage of the CPU. An alert is generated if the sustained CPU load exceeds 95% at any one time.

Process Monitor

This contains the following rules:

Critical Process (crond) Does Not Exist - Type(Process By Name) Process(crond) Trigger(Does Not Exist)

Cron jobs are managed by a daemon named crond. When cron schedules are added, deleted or modified by crontab, any changes are enacted by the crond daemon. The crond daemon runs constantly in the background and checks once a minute to see if any of the scheduled jobs need to be executed. If the crond process is not running, no cron jobs will be executed. This rule checks that the crond process exists and raises an alert if it is not found.

Critical Process (gdm-binary) Does Not Exist - Type(Process By Name) Process(gdm-binary) Trigger(Does Not Exist)

Gdm (the GNOME Display Manager) is a configurable reimplementation of xdm, the X Display Manager. Gdm allows you to log into your system with the X Window System running and supports running several different X sessions on your local machine at the same time. This rule checks that the gdm-binary process exists and raises an alert if it is not found.

Critical Process (sshd) Does Not Exist - Type(Process By Name) Process(sshd) Trigger(Does Not Exist)

OpenSSH Daemon (sshd) is the daemon program for ssh. Together these programs provide secure encrypted communications between two untrusted hosts over an insecure network.

The SSH daemon listens for connections from clients. It starts a new daemon for each incoming connection. These daemons then handle key exchange, encryption, authentication, command execution, and data exchange. This rule checks that the sshd process exists and raises an alert if it is not found.


Critical Process (syslogd) Does Not Exist - Type(Process By Name) Process(syslogd) Trigger(Does Not Exist)

Syslogd provides the logging of system events. Every logged message contains at least a time and a hostname field and normally a program name field. This rule checks that the syslogd process exists and raises an alert if it is not found.

Critical Process (xfs) Does Not Exist - Type(Process By Name) Process(xfs) Trigger(Does Not Exist)

X font server ‘xfs’ is a daemon that listens on a network port and serves X fonts to X servers (and thus to X clients). This daemon makes it possible to have a central repository of fonts on a networked machine running xfs so that all the machines running X servers on a network do not require their own set of fonts. This rule checks that the xfs process exists and raises an alert if it is not found.

Critical Process (xinetd) Does Not Exist - Type(Process By Name) Process(xinetd) Trigger(Does Not Exist)

Xinetd is a secure replacement for inetd, the Internet services daemon. Xinetd provides access control for all services based on the address of the remote host and/or on time of access and can prevent denial-of-access attacks. This rule checks that the xinetd process exists and raises an alert if it is not found.

Ping Monitor

This monitor contains a single rule.

Check Server Can Ping Router - Host(1.2.3.4) Timeout(2000) Attempts(4) Success(50%) TTL(128)

This rule checks that the server can ping a user-defined router. The host address of this template needs to be amended to the actual IP address of the router that you wish to monitor. An alert is generated if the success rate is less than 50% over the four attempts that the ping makes to communicate with the router.

Note: All actions for each of the above rules within this template are set to a default of sending an alert to the Enterprise Console. You must manually change this setting if you require an alternative action to be taken upon the generation of an alert.

ORACLE® System Monitoring Template (Advanced)

The ORACLE® system monitoring template (Advanced) includes all of the rules available in the Standard template plus these additional rules:


Linux® Logical Volume Monitor

This monitor contains the same rules as those available in the Standard template.

Script Monitor

This monitor contains the same rule as the one available in the Standard template.

File & Folder Monitor

This monitor contains the same rules as the Standard template and includes these additional three rules:

File (/etc/resolv.conf) Has Changed - File(/etc) Trigger(Exists)

The configuration file resolv.conf contains information that allows a computer connected to the Internet to resolve names into addresses.

The resolv.conf file typically contains the IP addresses of nameservers (DNS name resolvers) that attempt to translate names into addresses for any node available on the network. This rule raises an alert if any changes are made to the resolv.conf file.

File (/etc/sysconfig/iptables) Has Changed - File(/etc/sysconfig) Trigger(Exists)

Iptables is a generic table structure that defines rules and commands as part of the netfilter framework that facilitates Network Address Translation (NAT), packet filtering, and packet mangling in the Linux 2.4 and later operating systems. This rule raises an alert if any changes are made to iptables.

File (/etc/vsftpd/vsftpd.conf) Has Changed - File(/etc/vsftpd) Trigger(Exists)

Vsftpd.conf is used to control various aspects of vsftpd's behaviour. Vsftpd is the Very Secure File Transfer Protocol Daemon. This rule raises an alert if any changes are made to vsftpd.conf.

Log File Monitor

This monitor contains the same rule as the Standard template and includes these additional two rules:

Monitor for MySQL Errors - LogFile(/var/log/mysqld.log) Expression (error|failure)

This rule checks the MySQL database server log file for any failure errors and raises an alert should any be found.


Monitor for Samba Errors - LogFile(/var/log/samba/smbd.log) Expression(error|failed)

The Samba log files can help diagnose the vast majority of the problems that Samba administrators are likely to encounter. This rule checks the smbd.log file and raises an alert if any failure errors are found.
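The Log File Monitor rules above (the Standard template's /var/log/secure rule and the Advanced template's MySQL and Samba rules) each rely on a single expression. The following added example, which is not part of the Halcyon guide or product, runs those three expressions over constructed log lines with Python's `re.search`, case-sensitively and case-insensitively; this guide does not state how the product evaluates Expression(), so both modes, the function names and the sample lines are assumptions for illustration.

```python
import re

# Expressions copied from the template rules in this guide.
RULES = {
    "/var/log/secure": "Failure",
    "/var/log/mysqld.log": "error|failure",
    "/var/log/samba/smbd.log": "error|failed",
}

# Constructed sample lines (not real captures), one list per log file.
SAMPLES = {
    "/var/log/secure": [
        "Jun  3 10:01:12 host1 sshd[2211]: Failed password for root from 192.0.2.10 port 50022 ssh2",
        "Jun  3 10:01:14 host1 sshd[2211]: pam_unix(sshd:auth): authentication failure; rhost=192.0.2.10",
        "Jun  3 10:02:40 host1 sshd[2250]: Accepted publickey for deploy from 192.0.2.20 port 50100 ssh2",
    ],
    "/var/log/mysqld.log": [
        "190603 10:05:00 [ERROR] Can't open the mysql.plugin table",
        "190603 10:05:09 [Warning] Aborted connection 12 (Got an error reading communication packets)",
        "190603 10:05:30 [Note] mysqld: ready for connections",
    ],
    "/var/log/samba/smbd.log": [
        "  Failed to open printers database",
        "  chdir (/srv/share1) failed, reason: Permission denied",
        "  connect to service share1 initially as user alice",
    ],
}


def matched(path, ignore_case=False):
    """Return the sample lines for `path` that the rule's expression matches."""
    flags = re.IGNORECASE if ignore_case else 0
    pattern = re.compile(RULES[path], flags)
    return [line for line in SAMPLES[path] if pattern.search(line)]


def coverage():
    """Map each log path to (case-sensitive hits, case-insensitive hits, total lines)."""
    return {
        path: (len(matched(path)), len(matched(path, True)), len(SAMPLES[path]))
        for path in RULES
    }


if __name__ == "__main__":
    for path, (cs, ci, total) in coverage().items():
        print(f"{path}: {cs}/{total} case-sensitive, {ci}/{total} case-insensitive")
        hits = matched(path, True)
        for line in SAMPLES[path]:
            if line not in hits:
                print("   not matched in either mode:", line.strip())
```

On these samples the sshd "Failed password" line is not matched by `Failure` in either mode, so it is worth testing each expression against representative lines from the monitored host before relying on the rule.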

CPU, Filesystem and Memory Monitor

This monitor contains the same rules as the Standard template plus these additional five rules:

Filesystem (/boot) Disk Space Used >=80% - Group(Filesystem) Volume(/boot) Type(Filesystem Space Used %) Trigger(=80%)

This rule checks that the filesystem ‘/boot’ remains at least 20% free at all times. If the level of disk space available falls below 20% an alert is raised.

Filesystem (/boot) Does Not Exist - Group(Filesystem) Volume(/boot) Trigger(Does Not Exist)

This rule checks to ensure that the file system ‘/boot’ exists and raises an alert if it is not found.

Filesystem (/boot) Inode Used >=90% - Group(Filesystem) Volume(/boot) Type(I-Nodes Used %) Trigger(=90%)

This rule checks the percentage of inodes used on filesystem ‘/boot’. An inode is a data structure in UNIX operating systems that contains important information pertaining to files within a file system. When a file system is created in UNIX, a set number of inodes is also created. Usually, about 1 percent of the total file system disk space is allocated to the inode table. An alert is generated if the percentage of inodes used on filesystem ‘/boot’ equals or exceeds 90 percent.

Page File Used <30% (Suggests Too Much Paging Space) - Group(Memory) Type(Page File Used %) Trigger (=30%)

This rule checks the page file used memory and raises an alert if the percentage figure falls under 30 percent, which would suggest that there is too much paging space assigned.

Page File Used >70% (Suggests Not Enough Paging Space) - Group(Memory) Type(Page File Used %) Trigger(=70%)

This rule checks the page file used memory and raises an alert if the percentage figure exceeds 70 percent, which would suggest that there is too little paging space assigned.


Process Monitor

This monitor contains the same critical process rules as the Standard templates and adds another ten rules to monitor for the existence of the following optional processes.

Optional Process (httpd) Does Not Exist - Type(Process By Name) Process(httpd) Trigger(Does Not Exist)

The httpd process is the HyperText Transfer Protocol Daemon. This rule checks for the existence of this daemon and raises an alert if it is not found.

Optional Process (mysqld) Does Not Exist - Type(Process By Name) Process(mysqld) Trigger(Does Not Exist)

The mysql daemon launches the MySQL database server. This rule checks for the existence of this daemon and raises an alert if it is not found.

Optional Process (postmaster) Does Not Exist - Type(Process By Name) Process(postmaster) Trigger(Does Not Exist)

Postmaster is the PostgreSQL multiuser database server. In order for a client application to access a database it connects (over a network or locally) to a running postmaster. The postmaster then starts a separate server process ("postgres") to handle the connection. The postmaster also manages the communication among server processes. This rule checks for the existence of this process and raises an alert if it is not found.

Optional Process (rpc.idmapd) Does Not Exist - Type(Process By Name) Process(rpc.imapd) Trigger(Does Not Exist)

Rpc.idmapd is the NFSv4 ID name mapping daemon. It provides functionality to the NFSv4 kernel client and server, to which it communicates via upcalls, by translating user and group IDs to names, and vice versa. This rule checks for the existence of this daemon and raises an alert if it is not found.

Optional Process (rpc.statd) Does Not Exist - Type(Process By Name) Process(rpc.statd) Trigger(Does Not Exist)

The rpc.statd server implements the NSM (Network Status Monitor) RPC protocol. NSM implements a reboot notification service. It is used by the NFS file locking service, rpc.lockd, to implement lock recovery when the NFS server machine crashes and reboots. This rule checks for the existence of this daemon and raises an alert if it is not found.


Optional Process(sendmail) Does Not Exist - Type(Process By Name) Process(sendmail) Trigger(Does Not Exist)

Sendmail sends a message to one or more recipients, routing the message over whatever networks are necessary. Sendmail does internetwork forwarding as necessary to deliver the message to the correct place. This rule checks for the existence of this process and raises an alert if it is not found.

Optional Process(smbd) Does Not Exist - Type(Process By Name) Process(smbd) Trigger(Does Not Exist)

This program is part of the samba(7) suite.

smbd is the server daemon that provides filesharing and printing services to Windows clients. The server provides filespace and printer services to clients using the SMB (or CIFS) protocol. This rule checks for the existence of this daemon and raises an alert if it is not found.

Optional Process(spamd) Does Not Exist - Type(Process By Name) Process(spamd) Trigger(Does Not Exist)

The program spamd is a service designed to reduce the flow of spam to your email inbox. This rule checks for the existence of this process and raises an alert if it is not found.

Optional Process(squid) Does Not Exist - Type(Process By Name) Process(squid) Trigger(Does Not Exist)

Squid is an Internet Object Cache developed by the National Laboratory for Applied Networking Research (NLANR) and Internet volunteers. This rule checks for the existence of this process and raises an alert if it is not found.

Optional Process(vsftpd) Does Not Exist - Type(Process By Name) Process(vsftpd) Trigger(Does Not Exist)

Vsftpd is the Very Secure FTP Daemon. Vsftpd supports both anonymous and non-anonymous FTP, PAM authentication, bandwidth limiting, and the Linux sendfile() facility. This rule checks for the existence of this process and raises an alert if it is not found.

Ping Monitor

This monitor contains the same rule as the one available in the Standard template.


Oracle JDE EnterpriseOne template

Oracle's JD Edwards EnterpriseOne® is an integrated applications suite of comprehensive enterprise resource planning software.

The Oracle JDE EnterpriseOne Linux template contains the following components:

Script Monitor

JDE: Monitor Overnight NIGHTOPR Batch Processes - Script(jdejobs nightopr ^([a-zA-Z0-9]+).*)

This Script Monitor rule monitors for any jobs running under the overnight NIGHTOPR batch processes that are still running and raises an alert accordingly if any are found.

File and Folder Monitor

JDE: Monitor changes in JDE.INI - File or Folder(JDE_BASE\JDE.INI) Include(*) Trigger(Exists)

JDE.INI is the main configuration file for JD Edwards EnterpriseOne installations. This rule monitors for any changes in this file and raises an alert if any modifications are recorded.

Log File Monitor

JDE: Monitor JDE LogFiles - LogFile(/var/log/jde/jde*) Expression(.+)

This Log File Monitor rule checks a specific JD Edwards log file for any changes and raises an alert if any are found.

Note: Each log file to be monitored must be entered as a separate rule. Use the copy rule facility to save time.

Process Monitor

JDE: Execute Submitted Jobs Process Active - Type(Process By Name) Process(runbatch) Trigger(Does Not Exist)

runbatch.exe is the job responsible for executing the submitted reports. This Process Monitor rule checks that the runbatch job is active and an alert is raised if it is found to not exist in the monitored system.


JDE: Kernel Processes Active - Type(Process By Name) Process(jde_k) Trigger(Does Not Exist)

jde_k is the job responsible for co-ordination between the net and the queues. This Process Monitor rule checks that the jde_k job is active and an alert is raised if it is found to not exist in the monitored system.

JDE: Kernel Process Count - Type(Process By Name) Process(jde_k) Measure(NumberOfProcesses) Trigger(<4)

jde_k is the job responsible for co-ordination between the net and the queues. This Process Monitor rule checks that at least four instances of the jde_k job are active and an alert is raised if fewer than this number are found in the monitored system.

JDE: Network Listener Process Active - Type(Process By Name) Process(jde_n) Trigger(Does Not Exist)

jde_n is a network listener that listens for connection requests. Depending on the jde.ini setting, zero, one, or more of these processes can run simultaneously. This Process Monitor rule checks that the jde_n job is active and an alert is raised if it is found to not exist in the monitored system.

JDE: Network Listener Process Count - Type(Process By Name) Process(jde_n) Measure(NumberOfProcesses) Trigger(<3)

jde_n is a network listener that listens for connection requests. Depending on the jde.ini setting, zero, one, or more of these processes can run simultaneously. This Process Monitor rule checks that at least three instances of the jde_n job are active and an alert is raised if fewer than this number are found in the monitored system.

Linux Reporting Template

Reporting templates allow you to apply the same reporting criteria across multiple systems in your enterprise. By using a reporting template you ensure that you are generating like-for-like reports across the same generic performance measurements of your systems. As with rule templates, a change made at rule level is reflected across all systems where that rule is implemented.

A basic reporting template, Advanced Reporting (Data Warehouse), covering the following performance measurements, is shipped with Network Server Suite as standard.


Advanced Reporting (Data Warehouse) template

File & Folder Monitor

The File and Folder Monitor within the Advanced Reporting (Data Warehouse) template contains a single rule.

Monitor /var/lib/halcyon/advreport.dat in case >128MB - File(/var/lib/halcyon) Include(advreport.dat) Trigger(Exists)

This rule is a Halcyon self-checking entry to ensure that data for the Advanced Reporting template is being collected regularly. If the advreport.dat file is bigger than 128MB, an alert is raised to warn you that data may not be being collected as expected.

Linux Reporting fields

This Linux reporting template contains the following reporting fields:

• CPU: CPU Load

• Filesystem: Filesystem Space Used %

• Memory: Page File Used %

• Memory: Physical Memory Used %

• Process By Name: CPU Usage %


Halcyon Templates

The following system templates are available for use with Halcyon IBMi and Windows monitoring solutions:

• AIX
• AIX TEMENOS 24
• AIX VIOS
• HP DATA PROTECTOR
• IBM SERVICES MONITORING
• iCLUSTER
• INFOR M3
• INFOR SYSTEM 21
• INFOR XA
• JD EDWARDS
• LINUX
• MAXAVA
• MISYS EQUATION
• MISYS MIDAS PLUS
• POWER HA
• QUICK EDD
• ROBOT HA
• SAP
• STAND GUARD ANTI VIRUS
• SYMANTEC BACKUP EXEC
• SYMANTEC NETBACKUP
• VISION iTERA
• VISION OMS/ODS REPLICATION
• WEBSPHERE MQ MONITORING
• WINDOWS


Learn More

For white papers, online product tours, datasheets, technical tips and manuals, please visit: https://www.helpsystems.com/halcyon

Contact

www.helpsystems.com

US: Toll-free: 800-328-1000

+1 952-933-0609

Outside the U.S.: +44 (0) 1252 618030

Trademarks

IBM®, iSeries®, Power/System i®, IBM i®, i5/OS® and AIX® are registered trademarks of International Business Machines Corporation in the United States and in other countries.

All other trademarks are respective of their own companies.