Network Monitoring System - Demo

February 1st, 2009

Well since the post I made about Alternative Nagios software generated a bit of interest (well, one comment is a bit for this blog :)), it made me want to try out the software mentioned again to see how it fares against Nagios, which has been my monitoring software of choice for a considerable amount of time. I also thought, why not provide the software I install and test to anyone who might be interested in trying out some of the NMS systems out there.

So without further ado, below you will find the monitoring software I have installed and tested. These are fully functional in all aspects; the only thing limited is the ability to change passwords, so that people can’t lock one another out. Also, SMTP is blocked on this server, meaning that any alerts generated won’t get sent out.

Nagios:
http://demo.nocmonitoring.co.uk/nagios/
username: admin
password: admin
Notes: You cannot add / edit / remove devices from this demo as Nagios relies on editing of configuration files directly which isn’t supported natively.

OpenNMS:
http://demo.nocmonitoring.co.uk:8980/opennms/acegilogin.jsp
username: admin
password: admin

Zenoss:
http://demo.nocmonitoring.co.uk:8080/
username: admin
password: admin

Zabbix:
http://demo.nocmonitoring.co.uk/zabbix/
username: admin
password: admin

I’ve got to say, after going through and testing all of these, at the basic level of just adding a device to be monitored for things such as http, it’s an extremely difficult process on all of them (Nagios was the easiest but again, this is probably due to my time served with this software). From the perspective of simplicity, I can’t understand how such a task of adding a device whether by hostname or IP can be such a complicated task.

Anyway, feel free to make use of the online demos and if you would like me to add any more NMS systems to this list then please feel free to get in touch and I will see what I can do.

Enjoy

Update:

Jane has kindly pointed out the login for Zabbix didn’t work - changed it to the actual correct details so now it should.

Technology

How far should companies go for end to end security?

January 25th, 2009

For instance, your business is hosting your corporate website with a hosting company. The vetting process for this decision can be quite intense depending on the size of your company, but it now obviously concentrates on security alongside the service itself. However, security for your application doesn’t stop at the hosting company; it goes much further than that: your DNS provider, SSL signing authority, etc.

At work, we are seeing more and more requests for information (RFI) in regards to tenders we are involved in. These processes are getting harder and more involved than years ago, when the process was a bit more ‘laxed’. The sections on security, from both a data storage and infrastructure point of view, are becoming more and more detailed on the requirements but also more generic. This is made all the more difficult at the RFI stage as 9 times out of 10 you won’t yet know what the potential client wants, and security varies depending on requirements. For example, security from the point of view of a Colocation contract is vastly different from a Managed Hosting contract. They share similarities but the main service is very different, meaning that our answers have to be more generic rather than tailored to the solution required.

This process, however, seems to stop at the hosting company, even when they aren’t used for the whole solution. As I mentioned above, how much consideration is given to things like who the SSL signing authority is and how secure their systems are (MD5 considered harmful today), who is providing recursive DNS for the client’s internal systems (and have they patched for last year’s source port vulnerability), all the way through to major vulnerabilities on operating systems typically found running within organisations (the RPC vulnerability, for example, or even the latest iWork 09 OSX vulnerability)? The client side systems are usually covered with corporate security policies (you do have one of those, don’t you?), but things like zero-day exploits are a bit more difficult to defend against, though not totally impossible. I mean, just imagine if someone could hijack your domain name traffic and then spoof the SSL certificate used for your 10,000 transaction a day ecommerce site. The short and long term effects of something like that on a business could see the end of it before the chargebacks on credit cards have hit shoppers’ bank accounts.

Because companies seem to just stop at the stage of choosing a hosting company, the solution as a whole is vulnerable to security holes from other suppliers or areas of the business. It wouldn’t matter how secure the hosting solution is if someone can redirect traffic to a fake website elsewhere. So the best answer to this question is: companies need to go as far as possible to guarantee security for their solution. Extend the RFI out to more suppliers to ensure that all aspects are covered - or choose a one stop shop for the entire solution.

Security

Friendsreunited.co.uk - unencrypted passwords

January 19th, 2009

I know friendsreunited.co.uk is old hat now, however this is something that has gone on since the site’s inception - unencrypted user passwords. Now obviously I’m taking a stab in the dark that they are unencrypted when more than likely they actually do have some form of encryption happening; the only problem with this is it’s two-way, i.e. you can decode the passwords in the database.

For a large site such as this, you’d expect them to use some form of one-way encryption, and I see no reason why they couldn’t (md5 at the worst; SHA-1 or SHA-2 are now widely considered the more secure form of encryption, with the latter being more so). If you haven’t noticed this weakness in the website, all you need to do is go to the Forgot Password link, enter the email address that you used to sign up and hit ‘Send Reminder’. Shortly an email should arrive in your Inbox stating your ‘forgotten password’ for the world (or at least someone peeking over your shoulder) to see.

Now this doesn’t sound like too much of a problem in general, but when you think of some of the things that can go wrong with email you realise just how many opportunities people have to view your password:

Bounced emails, these could end up in your friendly neighbourhood sysadmin’s Inbox instead.
Disgruntled employees.
Someone who re-registers your free email address or even domain because you let it expire.

What can you do about it? Well, not much really. I use a totally separate password for accessing (not that often) Friendsreunited.co.uk, which will limit any damage someone can do if they managed to gain access to your FR account - god forbid!

Security

Nagios alternatives, are there any?

January 8th, 2009

Nagios is one of the standard NMS (Network Monitoring Systems) available to businesses today. Its wealth of features provides a very flexible system; it’s scalable and customisable so should fit into the most demanding environments - is this all that’s available to assist in keeping an eye on your IT infrastructure 24×7?

No, that’s the simple answer. The longer answer is more complicated and depends on what your System Administrators can support from an application point of view. A lot of the NMS systems available are your standard Perl / C implementation on a flat file or MySQL/PostgreSQL backend so should be supported on most systems. Others however require Java or Python support, whilst this is simple enough to install and run on most Linux distributions, what happens when things go wrong? How many companies have IT staff who have taken the time to learn Java/Python for the next big Web 2.0 site?

I’ve used Nagios for a while now (some 5 years) and have always gone back to the start and looked over the alternatives at various times to see what they offer in terms of features and integration. Integration, that’s the key for me when it comes to choosing an NMS system, if it’s not able to offer a level of integration with the systems we already have (and we’re willing to do some work to make that happen), then it’s a non-starter no matter how laden with features it might be. Over the past couple of years, a wider choice has become available which makes choosing to switch, that much harder! Having the luxury of time to test these newer systems isn’t something that’s available to everyone including me so my ‘experience’ of other systems is limited compared to my time with Nagios, however, I know what I want and need so it doesn’t always take long before commissioning an app to the dusty code graveyard.

Let’s get into some of the more popular NMS systems available at present and what my impression of them has been…..

OpenNMS

OpenNMS is actually a really nice application to use for Network Monitoring, its discovery feature works really well and being configurable from XML files makes it extremely easy to setup and maintain. Installation is relatively straightforward if you are using the pre-packaged versions available or are a dab hand with Tomcat. The pre-configured range that I created for Network discovery worked fine and it detected all devices which responded to ICMP and monitoring of individual services/interfaces was simple if not time consuming if you have a large selection of devices to monitor.

The bad points for me are the fact that auto-discovery is the primary way of adding new devices to be monitored. You can add new devices in via the command line on the NMS server, this isn’t too much of an issue depending on how many new devices are added to your infrastructure on a day by day basis. If it’s a sizable amount then this isn’t going to be an option for long and with no way to add single devices in via a web interface your only option left is some form of integration by way of a script. The next problem is managing the individual services/interfaces that are available for a particular device, this again appears to be a manual process with no easy way to integrate into your current NOC.

PostgreSQL is the supported DB of choice for this project, we haven’t at present migrated over to PostgreSQL which means that the maintenance of this solution would be higher than a MySQL based back end. That’s something to bear in mind in any solution you may migrate to or implement. PostgreSQL is gaining in popularity and features so this at some point will become a moot issue.

Zenoss

Wow! Zenoss appears to have improved quite a bit since the last version that I tested and looks to be highly recommended now. Its features include a comprehensive API to allow integration with existing systems, this would make the setup of monitoring new devices quite easy. Installation on platforms with supported binaries appears to be straightforward along with the configuration and setup of your first ‘Devices’ that need to be monitored. Auto-discovery is still an option and is more intelligent than OpenNMS, it provides a handy feature of ‘walking’ your network via routers to find all devices located on your network, this is quite a powerful feature on its own.

It supports the ability to expand your single monitoring server to a High Availability solution, whilst this isn’t quite out of the box, it really isn’t a complex setup for a Linux Sysadmin (Setup Guide). This enables you to grow your monitoring environment as your infrastructure grows or provide a level of redundancy to ensure that you know what is going on 24×7.

The changes and improvements that have been made since my last evaluation of Zenoss mean that it’s about time that I tested it again - if it became a viable alternative then a lot of work would have to go into the migration from Nagios to Zenoss but it looks like it could be worthwhile.

Zabbix

I’m not a big fan of the documentation for Zabbix, everything is dumped into a single PDF which makes it difficult to filter out what is part of configuration and what is part of administration. For instance, to refresh my memory whether you could add a single host into the setup via the web administration, I checked the documentation. Now this was a brief check, it was 00:15 but could I find anything other than auto-discovery? Nope, not a single thing, the system of course does allow this, you just have to struggle in the docs to find it. Not a great start but not a show stopper if an API was available - it doesn’t appear to be, I can see comments about this on the forum but nothing seems to have materialised so far.

Repeat notifications have now been implemented since I last tested Zabbix, this is something that was extremely lacking in previous versions and is a must for any NOC, especially if you’re using email/sms/pager alerting. These methods are inherently unreliable when it comes to critical service so sending more than one alert is always a handy feature which meant that before, Zabbix would have sent a single alert when a device went down - and that was it, if you didn’t get that alert for whatever reason then you would be unaware of any issues until someone logged into the administration system.

Distributed monitoring is included and seems to be extremely simple to setup, this is one of the better features of Zabbix and something worth considering if this is a requirement for your environment. In general Zabbix seems to have improved quite a lot since the last testing I did, the restrictive admin interface means it would be something that I wouldn’t really consider in a live environment.

Finally, a comprehensive list comparing the available NMS applications is currently hosted on Wikipedia, go and check it out for a list of more NMS applications.

http://en.wikipedia.org/wiki/Comparison_of_network_monitoring_systems

Technology