Chris Hoogendyk | 14 Jun 2011 19:10

mon monitor for arpwatch?

OK. I know arpwatch itself is a monitoring tool. But I haven't figured out a direct way to tell it 
to reduce the noise. I have it running with "-d" in a terminal session with unlimited cache so I can 
scroll back, search, and check it out. But, if I ran it in the background, with it sending emails, 
it looks like it would immediately have the systems group yelling, "kill it. now."

I've seen a writeup in Linux Journal where they funnel all the output into a file, process it with 
perl into a database, and then provide a web interface to view the database. Why does everything 
have to be so involved? This stuff is supposed to just work. Like mon. And arpwatch has been around 
forever.

So, I'm wondering if anyone has put together a mon monitor that can mediate the notifications from 
arpwatch. I'm using arpwatch-NG1.7.


-- 
---------------

Chris Hoogendyk

-
    O__  ---- Systems Administrator
   c/ /'_ --- Biology & Geology Departments
  (*) \(*) -- 140 Morrill Science Center
~~~~~~~~~~ - University of Massachusetts, Amherst

<hoogendyk <at> bio.umass.edu>

---------------

Erdös 4

Nathan Gibbs | 1 Jul 2011 18:46

Re: mon monitor for arpwatch?

On 6/14/2011 1:10 PM, Chris Hoogendyk wrote:
> This stuff is supposed to just work. Like mon. And arpwatch
> has been around forever.
> 
> So, I'm wondering if anyone has put together a mon monitor that can
> mediate the notifications from arpwatch. I'm using arpwatch-NG1.7.
> 

I don't, but I have been working on a monitor to check the arp table of
hosts and report anomalies.

Anyone interested?


-- 
Sincerely,

Nathan Gibbs

Systems Administrator
Christ Media
http://www.cmpublishers.com
Chris Hoogendyk | 5 Jul 2011 18:00

Re: mon monitor for arpwatch?


On 7/1/11 12:46 PM, Nathan Gibbs wrote:
> On 6/14/2011 1:10 PM, Chris Hoogendyk wrote:
>> This stuff is supposed to just work. Like mon. And arpwatch
>> has been around forever.
>>
>> So, I'm wondering if anyone has put together a mon monitor that can
>> mediate the notifications from arpwatch. I'm using arpwatch-NG1.7.
>>
> I don't, but I have been working on a monitor to check the arp table of
> hosts and report anomalies.
>
> Anyone interested?

Yes.

A bit more control over reporting frequency and what is reported would be very good. Arpwatch 
produces an overload and makes it hard to use on a busy network since it is constantly shouting 
about things. If you can recognize that some particular hardware address was already reported for a 
particular behavior and not continue hollering about it, that would make it more valuable -- i.e. 
increase the signal to noise ratio. Any other correlation or diagnostic stuff would be good as well.

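The suppression Chris asks for above (stop hollering about a hardware address that was already reported for the same behaviour), written up as an added example that is not code from this thread, mon or arpwatch: a Python sketch of a mon-style monitor over arpwatch syslog lines. The log line layout it parses, the sample lines and the one-hour hush window are assumptions.

```python
"""mon-style monitor that de-duplicates arpwatch syslog events (added example, not
mon's or arpwatch's own code). The parsed line layout is an assumption:
"<event> <ip> <mac> [(<old mac>)] [iface]", as arpwatch reports via syslog."""
import re

EVENT_RE = re.compile(
    r"(?P<event>new station|new activity|changed ethernet address|flip flop)\s+"
    r"(?P<ip>\d+\.\d+\.\d+\.\d+)\s+(?P<mac>[0-9a-fA-F:]+)"
    r"(?:\s+\((?P<old>[0-9a-fA-F:]+)\))?")

def parse_event(line):
    """Return (event, ip, mac, old_mac) or None for non-arpwatch lines."""
    m = EVENT_RE.search(line)
    return m and (m.group("event"), m.group("ip"), m.group("mac"), m.group("old"))

def dedupe(lines, seen, hush_seconds, now):
    """Keep events not yet reported for the same behaviour, host and hardware
    address(es) within hush_seconds; `seen` (key -> last report time) must persist
    between runs (a real monitor would pickle it to disk)."""
    kept = []
    for line in lines:
        ev = parse_event(line)
        if not ev:
            continue
        event, ip, mac, old = ev
        macs = frozenset(m.lower() for m in (mac, old) if m)
        key = (event, ip, macs)        # a flip flop in either direction: same key
        if key in seen and now - seen[key] < hush_seconds:
            continue                   # already hollered about this one
        seen[key] = now
        kept.append(ev)
    return kept

def mon_report(events):
    """mon convention: exit 0 when quiet, else 1 with a summary line first."""
    if not events:
        return 0, ""
    summary = " ".join(sorted({ip for _, ip, _, _ in events}))
    detail = [f"{e}: {ip} {mac}" + (f" (was {old})" if old else "")
              for e, ip, mac, old in events]
    return 1, "\n".join([summary] + detail)

# Constructed sample syslog lines standing in for a tail of arpwatch's log.
SAMPLE = [
    "Jun 14 13:10:01 gw arpwatch: new station 192.0.2.10 0:11:22:33:44:55 eth0",
    "Jun 14 13:10:02 gw arpwatch: flip flop 192.0.2.20 0:aa:bb:cc:dd:1 (0:aa:bb:cc:dd:2) eth0",
    "Jun 14 13:10:03 gw arpwatch: flip flop 192.0.2.20 0:aa:bb:cc:dd:2 (0:aa:bb:cc:dd:1) eth0",
    "Jun 14 13:10:04 gw arpwatch: new station 192.0.2.10 0:11:22:33:44:55 eth0",
    "Jun 14 13:10:05 gw arpwatch: changed ethernet address 192.0.2.30 0:de:ad:be:ef:1 (0:de:ad:be:ef:0) eth0",
    "Jun 14 13:10:06 gw sshd[123]: Accepted publickey for chris from 192.0.2.50",
]
```

On the sample, `mon_report(dedupe(SAMPLE, {}, 3600, time.time()))` reports three events (the repeated new station and the reversed flip flop are suppressed) and returns exit status 1 with the three host addresses on the summary line, which is what mon expects from a failing monitor.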

Nathan Gibbs | 6 Jul 2011 18:01

Re: mon monitor for arpwatch?

On 7/5/2011 12:00 PM, Chris Hoogendyk wrote:
> 
> 
> On 7/1/11 12:46 PM, Nathan Gibbs wrote:
>> On 6/14/2011 1:10 PM, Chris Hoogendyk wrote:
>>> This stuff is supposed to just work. Like mon. And arpwatch
>>> has been around forever.
>>>
>>> So, I'm wondering if anyone has put together a mon monitor that can
>>> mediate the notifications from arpwatch. I'm using arpwatch-NG1.7.
>>>
>> I don't, but I have been working on a monitor to check the arp table of
>> hosts and report anomalies.
>>
>> Anyone interested?
> 
> Yes.
> 

OK, other things are slowing down my development efforts right now, but
I will get it done.

> A bit more control over reporting frequency and what is reported would
> be very good. Arpwatch produces an overload and makes it hard to use on
> a busy network since it is constantly shouting about things. If you can
> recognize that some particular hardware address was already reported for
> a particular behavior and not continue hollering about it, that would
> make it more valuable -- i.e. increase the signal to noise ratio. Any
> other correlation or diagnostic stuff would be good as well.
> 