[Nagiosplug-devel] Plugin to monitor abnormal traffic behavior

John P. Rouillard rouilj at cs.umb.edu
Tue Feb 5 18:23:16 CET 2008


In message <c0f3f780802042107y2c72c1f2m81caeb0fd850a40f at mail.gmail.com>,
"William Leibzon" writes:
>Your idea on how to do it is
>wrong - you can not just look at traffic level 1 day ago because maybe
>exactly at the moment one day ago it was higher or lower than normal. So
>what it requires is calculating 1 day (and most likely really 2 day since
>maybe it began bursting today) traffic average in addition to immediate
>traffic. This requires large historic data file - with 5 minute checks this
>gets to be at least 300 entries for each interface for one day and most
>likely 600 if you want either average of traffic from yesterday as base or
>average for last 2 days. You may think this can be done quickly and easily
>by just looking up octet data count 1 or 2 days ago, but not so fast - you
>may have had router reboots or counter overflow, possibly more than one. So
>you end up having to go through all those likely 600 entries to calculate
>the average while also accounting for such events.
>
>Now the above probably sounds a lot like fixed-size average values db which
>if you know is exactly what RRD is all about. So instead of in actual
>network check plugin if you really really need such a feature I'd recommend
>you put data from network check into RRD (as you would to plot performance
>data) and then have separate check that specifically looks up one day ago
>average in RRD and compares it to most recent data put in the same RRD file.
>This can be done with either existing plugins or with just minimum extra
>programming and is mostly a matter of configuration to make it all work
>together.

I agree. What I did a while ago was dump the data into an rrd database
with Holt-Winters forecasting turned on. Then I had a check that
reported when the FAILURES RRA indicated that the current value was
not within the expected estimation range. This works well for the
range where rrdtool's H-W algorithm is tuned to match the periodicity
of your data.

Note I never used it in production, only spent a couple of months
testing it with data from my monitoring installation and synthesized
data.

--
				-- rouilj
John Rouillard
===========================================================================
My employers don't acknowledge my existence much less my opinions.
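The check described in this thread, written out as an added example (not code from either poster): a Nagios-style plugin that reads the FAILURES RRA of an RRD set up with Holt-Winters forecasting and raises CRITICAL when rrdtool has flagged the latest sample. It assumes an RRD built with HWPREDICT/DEVPREDICT/FAILURES RRAs, `rrdtool` on the path, and the text layout that `rrdtool fetch` prints; the sample output embedded below is constructed, not real monitoring data.

```python
#!/usr/bin/env python3
"""Nagios-style check over the FAILURES RRA of a Holt-Winters RRD. Added
example: assumes an RRD built with HWPREDICT/DEVPREDICT/FAILURES RRAs and
parses what `rrdtool fetch <file> FAILURES -s -<window>` prints."""
import subprocess
import sys

OK, WARNING, CRITICAL, UNKNOWN = 0, 1, 2, 3
STATES = ("OK", "WARNING", "CRITICAL", "UNKNOWN")

# Constructed sample of `rrdtool fetch` output (DS-name header, blank line,
# then "<timestamp>: <value per DS>"; 1 = sample outside the confidence band).
SAMPLE = """                     inoctets

1202200800: 0.0000000000e+00
1202201100: 1.0000000000e+00
1202201400: nan
"""

def parse_fetch(text):
    """Return [(timestamp, [value, ...]), ...] from rrdtool fetch output."""
    rows = []
    for line in text.splitlines():
        ts, sep, rest = line.partition(":")
        if not sep or not ts.strip().isdigit():
            continue  # DS-name header or blank line
        rows.append((int(ts), [float(v) for v in rest.split()]))
    return rows

def evaluate(rows):
    """Map the newest row that has a known value to a Nagios exit state."""
    # The newest row is often all-nan (its step is not consolidated yet),
    # so step back to the last row carrying a real value before judging.
    known = [(ts, [v for v in vals if v == v]) for ts, vals in rows]
    known = [(ts, vals) for ts, vals in known if vals]
    if not known:
        return UNKNOWN, "no known FAILURES samples in window"
    ts, vals = known[-1]
    hits = sum(1 for _, vs in known if any(v > 0 for v in vs))
    detail = "ts=%d, %d of %d samples flagged" % (ts, hits, len(known))
    if any(v > 0 for v in vals):
        return CRITICAL, "traffic outside Holt-Winters band (%s)" % detail
    return OK, "traffic within Holt-Winters band (%s)" % detail

def check(rrd_path, window="1h"):
    """Run rrdtool fetch, print the plugin line, return the Nagios code."""
    cmd = ["rrdtool", "fetch", rrd_path, "FAILURES", "-s", "-" + window]
    out = subprocess.run(cmd, capture_output=True, text=True, check=True).stdout
    state, msg = evaluate(parse_fetch(out))
    print("%s - %s" % (STATES[state], msg))
    return state
```

A wrapper that calls `sys.exit(check(sys.argv[1]))` turns this into a plugin Nagios can run; the RRD's own COUNTER wrap handling and DS min/max bounds deal with the overflow and reboot cases the quoted message warns about before this check ever sees the data.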