Monday, 30 May 2016 22:37

Security Monitoring

Virus protection software and firewalls provide protection, but it is also useful to monitor the number of network connections. For example, a denial of service attack or a brute force SSH login attack will increase the number of open connections. This can happen if an attacker has bypassed the virus protection or firewall.

Bronshae monitors the number of open TCP and UDP connections along with other network services. If the number of open connections is above a specified threshold, then a notification is generated. Someone receiving the notification can then investigate whether it is an attack or a misbehaving application. The threshold can be changed on a server by server basis to accommodate different levels of open connections. The graph below depicts a simulated attack where the number of active connections spiked to 800 TCP connections.
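The threshold check described above can be sketched as follows. This is an added example, not Bronshae's own code: it assumes the Linux /proc/net/tcp text format on a little-endian host, and the function names, sample rows and threshold values are constructed for illustration. It also lists the busiest remote peers to help whoever investigates the notification.

```python
import socket
import struct
from collections import Counter

LISTEN = "0A"  # TCP state code for LISTEN in the "st" column of /proc/net/tcp

def decode_ipv4(hex_addr: str) -> str:
    """Decode '0100007F:0016' -> '127.0.0.1' (assumes a little-endian host)."""
    ip_hex = hex_addr.split(":")[0]
    return socket.inet_ntoa(struct.pack("<I", int(ip_hex, 16)))

def check_connections(proc_net_tcp: str, threshold: int) -> dict:
    """Count non-listening sockets and report whether the threshold is exceeded."""
    peers = Counter()
    for line in proc_net_tcp.splitlines()[1:]:   # first line is the column header
        fields = line.split()
        if len(fields) < 4 or fields[3].upper() == LISTEN:
            continue                             # skip malformed rows and listeners
        peers[decode_ipv4(fields[2])] += 1       # fields[2] is rem_address
    total = sum(peers.values())
    return {"open": total, "alert": total > threshold,
            "top_peers": peers.most_common(3)}

# Constructed sample: one listener, two ordinary sessions, and a burst of 40
# connections to port 22 from 203.0.113.9 (documentation address range).
HEADER = "  sl  local_address rem_address   st"

def _row(n, local, remote, state):
    return f"{n:4d}: {local} {remote} {state}"

SAMPLE = "\n".join(
    [HEADER,
     _row(0, "00000000:0016", "00000000:0000", "0A"),
     _row(1, "0A00000A:0016", "0500000A:C001", "01"),
     _row(2, "0A00000A:01BB", "0600000A:C002", "01")]
    + [_row(3 + i, "0A00000A:0016", f"097100CB:{0xD000 + i:04X}", "01")
       for i in range(40)]
)

if __name__ == "__main__":
    # On a real host, pass open("/proc/net/tcp").read() instead of SAMPLE.
    print(check_connections(SAMPLE, threshold=25))
```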

On Linux hosts, Bronshae monitors the logged in user. If an attacker had used a brute force password attack, the successful login will be displayed along with the time. This information can be queried from either the user interface or from the command line. In the example below, I have queried several servers to identify who is currently logged in. The "(unknown)" user is possibly some kind of issue on Debian Linux.

By using Bronshae, you can add another level of attack detection. Knowing when a system has been compromised or is under attack helps to increase the infrastructure security.

 

Published in News
Friday, 15 April 2016 12:22

Monitoring Internet Connectivity

Sometimes it is necessary to monitor an internet connection for connectivity problems. Bronshae can accomplish this by using the HTTP or Clock Status Object.

The Clock Status Object is the easiest way to monitor internet connectivity because it does not require any configuration. The Clock Status Object compares the operating system's time with known internet time servers. If the connection fails, a notification will be generated. In some virtual environments, it is important that the clocks are synchronized to prevent clustering errors. The screenshot below depicts the results from querying the Clock Status Object.

If there is a need to monitor a particular website, then the HTTP Status Object can be used. Add the HTTP Status Object to a Bronshae Monitor Service and then configure it with the URL to monitor.

The HTTP Status Object uses an HTTP HEAD request to check the availability of the site and the internet connectivity. The other settings include a username, password, and timeout for the website response. If the website uses HTTPS and a self-signed certificate, the app.Http.accept.cert setting can be set to true.

By using the Bronshae Clock or HTTP Status Object, you can find out about connectivity problems before your clients or customers.

 

 

Published in News
Friday, 05 December 2014 19:10

Highly Available Architecture

Hub and Spoke

Typically, products have a hub and spoke style architecture where each monitor sends data to a centralized data collection server. The disadvantage of this architecture is that if the centralized data collection server is not available, there is no visibility into the monitored operations. This can happen when the designated "monitoring" servers are rebooted or if there are network connectivity problems.

Highly Available Architecture

Bronshae solves this problem by providing redundancy with each of its services. For example, instead of having one failure point for data processing, Bronshae uses multiple Data Orchestration services for data processing. The monitors send their data to a Data Orchestration service for analysis and will automatically fail over to the other Data Orchestration services as needed. More redundancy can be added by simply configuring additional Data Orchestration services.

High availability is also present in other services like the SNMP service, Web service, and ServiceFS (File System Service). The SNMP service works in a similar fail over manner as the Data Orchestration service. The Web service provides a way to load balance web requests to Bronshae as pictured below.

Load Balanced

By providing a highly available architecture, Bronshae prevents blind spots in monitored operations due to outages. Bronshae services automatically fail over without the need for any user intervention.

Published in Features
Saturday, 17 May 2014 19:59

Monitoring Website Databases

Monitoring PHP based websites can be difficult because not all hosting providers provide Unix shell access. Usually monitoring software can be installed on the server running the website database, but there are times when that is not possible. Adding PHP code to query the database statistics allows Bronshae to monitor database-backed PHP websites.

Data Collection

The first step is to determine the type of data to collect from the database. Information like the number of sessions, database size, uptime, and responsiveness is commonly collected. The number of database sessions can be found by querying the "Threads_connected" variable within MySQL, which represents the number of active connections. More information and other Server Status Variables can be found on the MySQL Server Status Variables page. The database uptime can be determined from the same set of Server Status Variables. The size of the database is calculated from the INFORMATION_SCHEMA.TABLES table. The responsiveness of the database is calculated by measuring the total time to collect the information.

The collected data will be placed into name value pairs like the following:

response="0.01 ms"
sessions="4"
size="4.76 MB"
uptime.days="0"
uptime.hours="0"
uptime.minutes="2"

The Bronshae App Status Object will read the PHP output and then convert each name value pair to an attribute. The collected data is then available for trend analysis or for adding to an operation. The PHP script is available at http://www.bronshae.com/images/articles/HowToMonitorPHPWebSiteDB/mysqlstats.php. After downloading the script, the mysqlstats.php file should be placed in a directory on the web server. For this example, I have put the script in a directory called /var/www/protected.
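A strict parser for the name value output shown above, as an added example that is not Bronshae's App Status Object code or part of mysqlstats.php. The function name, the allow-list and the line limit are assumptions; the point is that a collector should treat the remote page as untrusted input and reject anything that is not the expected format, such as an HTML error or login page.

```python
import re

# One name="value" pair per line; names may contain dots (e.g. uptime.days).
PAIR = re.compile(r'([A-Za-z_][\w.]*)="([^"]*)"')
# A number with an optional unit, e.g. "4", "0.01 ms", "4.76 MB".
MEASURE = re.compile(r'(-?\d+(?:\.\d+)?)(?: ([A-Za-z]+))?')

def parse_pairs(text, allowed=None, max_lines=100):
    """Return {name: (number, unit)} or {name: str}; raise ValueError on
    malformed lines, duplicate names, or names outside the allow-list."""
    lines = [ln.strip() for ln in text.splitlines() if ln.strip()]
    if len(lines) > max_lines:
        raise ValueError("too many lines in response")
    attrs = {}
    for ln in lines:
        m = PAIR.fullmatch(ln)
        if not m:
            raise ValueError("malformed line: " + repr(ln[:40]))
        name, raw = m.groups()
        if allowed is not None and name not in allowed:
            raise ValueError("unexpected attribute: " + name)
        if name in attrs:
            raise ValueError("duplicate attribute: " + name)
        num = MEASURE.fullmatch(raw)
        # Numeric values become (float, unit-or-None); anything else stays text.
        attrs[name] = (float(num.group(1)), num.group(2)) if num else raw
    return attrs

# The sample output from the article, used as test input.
SAMPLE = '''response="0.01 ms"
sessions="4"
size="4.76 MB"
uptime.days="0"
uptime.hours="0"
uptime.minutes="2"
'''
EXPECTED_NAMES = {"response", "sessions", "size",
                  "uptime.days", "uptime.hours", "uptime.minutes"}

if __name__ == "__main__":
    for name, value in parse_pairs(SAMPLE, allowed=EXPECTED_NAMES).items():
        print(name, value)
```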

Protecting Data Access

To protect the page from access by others, it is necessary to set up Apache authentication by using an .htpasswd and .htaccess file. The htpasswd command is used to generate the .htpasswd file used by Apache. The command will prompt for a password and then store the encrypted password in the .htpasswd file.

% htpasswd -c /var/www/protected/.htpasswd user1

The .htaccess file is placed in the same protected directory as .htpasswd. More information about generating an htaccess password can be found at "Generate htaccess password (htpasswd) from the command line".

AuthName "Protected login"
AuthType Basic
AuthUserFile /var/www/protected/.htpasswd
AuthGroupFile /dev/null
require user user1

Test the access to the protected directory by entering the URL http://website/protected in a browser. There should be a prompt for the username and password before access is given.

Configure Bronshae

The next step is to configure a Bronshae App Status Object to read the output from our mysqlstats.php script.

1. Visit Configure -> Monitors

2. Choose your host that will execute the App Status Object.

3. Add a Status Object called app.App. For this example, I left the name field blank.

4. Click on the Add button

5. Specify the URL, username, password, and name for the protected site. I am using the name MySQLDB. Note that I am also using HTTPS for the protected page.

6. Click on the Update button

Status Object Settings

Results

After the app.MySQLDB Status Object is updated, the host will begin to query the remote website for information. Visiting either the Status by Host page -> Apps or the Status By Object -> app.MySQLDB will show the data being collected.

Trending Database Results

MySQL Status Object

By adding an App Status Object, Bronshae can monitor vital website database characteristics like number of database sessions, responsiveness, database availability, and database size. This same technique of using an App Status Object with name value pairs can be used with other types of applications too.

 

Published in News