Real-time monitoring


Monitoring events in real time


Monitoring can be divided into two basic types: real-time and scheduled. In the first case, the monitoring software receives monitoring data as it arrives and acts on it. In the second, the software probes the network resource for monitoring data when instructed to. The two approaches are optimal under different circumstances: for example, when connectivity to a remote device is lost, no real-time monitoring is possible (and without probing the device there is no way to tell whether it is actually online). Obviously, real-time monitoring requires that the monitoring software can receive incoming data, i.e. is listening for connections, which is not always possible.

The majority of monitor types IPHost offers poll remote devices for data. There are, however, two monitor types that listen for incoming data instead, which makes real-time monitoring possible: SNMP Generic Trap and the Syslog monitor.

SNMP Generic Trap

While the SNMP protocol family allows reading the value of a given SNMP variable (OID), it also allows receiving real-time events via so-called SNMP traps.

To receive SNMP traps, IPHost listens for them on the port shown in the “Settings > System” section. Note that the SNMP trap port can only be set in the IPHost configuration file (nms.ini), in the “SNMP” section, via the UDPTrapReceiverPort variable. By default, UDP port 162 is used when available; if port 162 is already taken, further ports are tried at installation time.

The specified port should be open in whatever firewall application is in use. We provide a simple instruction on setting up an SNMP trap monitor. Getting traps to work can be tricky; for troubleshooting purposes, first create a trap monitor that accepts all possible events, and narrow the filter to only the events you need once the trap monitor starts receiving data.

Syslog monitor

The so-called BSD Syslog Protocol, defined in RFC 5424 (previously RFC 3164), is a standard protocol for delivering event messages. Since all Linux and Unix-like systems include an implementation of a syslog agent (the facility that sends syslog events), the monitor is a convenient tool for getting real-time notifications from devices running those operating systems.

We provide detailed instructions on setting up a Syslog monitor; as with SNMP Generic Trap, it is recommended to first create a Syslog monitor that catches every event, to make sure both ends are communicating as expected.

Syslog events are listened for on the standard UDP port 514 (it can be altered in nms.ini: “Syslog” section, UDPReceiverPort variable).

It is recommended to use scheduled (polling) monitors alongside Syslog monitors on the same device: the Syslog monitor gives quick notification of important events, while the polling monitor checks that the device in question is reachable.

Note that even though Windows systems do not have a syslog agent by default, the Cygwin port of syslog-ng can be used instead (most syslog implementations for Windows are paid-for).

Final notices

One known problem with real-time monitors is that the monitoring system must be reachable from the monitored systems (the firewall must allow incoming traffic on the listening port).

Another problem is that IPHost must prevent an “event flood” by restricting the amount of incoming events. For example, there is an “Accept no more than…” parameter in both the SNMP Generic Trap and Syslog monitor definitions. To prevent overloading the monitoring system with events, that parameter should always be enabled and set to a reasonably high limit of incoming monitoring events.
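To show concretely what a listening Syslog monitor of the kind described above does with each datagram, and why the event-flood cap matters, here is an added Python example (not IPHost code): it parses the PRI header shared by RFC 3164 and RFC 5424 messages into facility and severity, and applies a per-source cap in the spirit of the “Accept no more than…” parameter. The host addresses, sample datagrams and the 100-per-60-seconds default are constructed assumptions.

```python
import re
import socket
import time
from collections import defaultdict, deque

PRI_RE = re.compile(r"^<(\d{1,3})>(.*)$", re.DOTALL)  # both RFCs start a message with "<PRI>"
SEVERITIES = ("emerg", "alert", "crit", "err", "warning", "notice", "info", "debug")  # PRI % 8

def parse_syslog(raw: bytes) -> dict:
    """Split one datagram into facility number, severity name and message body."""
    m = PRI_RE.match(text := raw.decode("utf-8", errors="replace"))
    if not m or int(m.group(1)) > 191:  # no usable PRI: RFC 3164 says assume <13>
        return {"facility": 1, "severity": "notice", "body": text}
    pri = int(m.group(1))
    return {"facility": pri // 8, "severity": SEVERITIES[pri % 8], "body": m.group(2)}

class FloodLimiter:  # per-source cap, modelled on the "Accept no more than ..." parameter
    def __init__(self, max_events: int, window_seconds: float):
        self.max_events, self.window = max_events, window_seconds
        self.stamps = defaultdict(deque)  # source -> times of events accepted so far

    def accept(self, source: str, now: float) -> bool:
        q = self.stamps[source]
        while q and q[0] <= now - self.window:  # forget events that left the window
            q.popleft()
        if len(q) >= self.max_events:
            return False  # over the cap: drop the event rather than queue it
        q.append(now)
        return True

def process(datagrams, limiter):  # datagrams: (source, seconds, raw bytes) -> (kept, dropped)
    kept, dropped = [], 0
    for source, ts, raw in datagrams:
        if limiter.accept(source, ts):
            kept.append((source, parse_syslog(raw)))
        else:
            dropped += 1
    return kept, dropped

# Constructed sample traffic: one host sends five events in five seconds, another sends one.
SAMPLE = [("10.0.0.5", float(t), b"<34>su: 'su root' failed") for t in range(5)] + [
    ("10.0.0.9", 2.0, b"<165>1 2003-10-11T22:14:15Z host app - ID47 - started")]

def listen(port=514, max_events=100, window=60.0):  # blocking UDP receiver; 514 may need root
    limiter = FloodLimiter(max_events, window)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.bind(("0.0.0.0", port))
        while True:
            raw, (src, _) = sock.recvfrom(65535)
            for _, ev in process([(src, time.monotonic(), raw)], limiter)[0]:
                print(src, ev["severity"], ev["body"][:80])
```

Running `process(SAMPLE, FloodLimiter(3, 60.0))` keeps the first three events from the chatty host plus the single event from the quiet one and drops the remaining two, which is the behaviour a well-chosen cap should give.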

Note that both monitor types remain in the “Unknown” state after starting until the first matching monitoring event is received.