Per Jessen said the following on 10/25/2008 09:46 AM:
Anton Aylward wrote:
I have no desire to turn this into a security issue - that topic was introduced by somebody else.
stet.
In an enterprise setting this is normally handled by a central syslog mechanism for the enterprise and there is some very sophisticated software supporting this.
In the enterprise, SNMP is by far the preferred method for real-time alerts, failing that email. The syslog is primarily for auditing and post-mortem purposes.
Our experiences differ. I've worked with real-time monitoring built around syslog at international banks and brokerages, and the datacenters for high-street stores. I was shocked when I first saw some of the heavy processing going on, not least of all putting the syslog records in a relational database so that all manner of analysis can be done, time trends and such like, that simply isn't possible with reports by email.
If the syslog was really so central in enterprise real-time monitoring of Linux systems, it's difficult to understand why popular monitoring tools typically provide an email option,
No, not at all. You are taking an exclusionary stance, I'm taking an exclusionary stance. E-mail and syslog can perform different ends. For example, a manager can request changes of access permission for his staff from the IT department via e-mail, and this is logged and archived for regulatory (e.g. Sarbanes-Oxley) compliance and can be audited. Similarly external communications with vendors and contractors.

How alerts resulting from any one of a number of mechanisms are delivered to users depends on context. It is also independent of the way that the alerts are generated and delivered to the mechanism that delivers alerts to the humans. I think you are confusing the two.

E-mail is inherently asynchronous. SMTP is a store-and-forward protocol. It works even if there is a loss of connectivity; the messages will be delivered when connectivity is restored. It is a TCP rather than a UDP mechanism so it needs two-way connectivity.

It is asynchronous at the human level. Mail delivered overnight, no matter how urgent, is waiting there for me when I log in the next morning, or perhaps the next day or the next week. Even if I am logged in I may be working on other matters and not have my mail reader window open. I may not have a system that pops up a "you have mail" on my screen. At the human level email is asynchronous and unreliable.

More reliable, in that it will interrupt me (or even wake me), is delivery by pager or cell-phone. Yes, I can still turn them off or ignore them, but they don't require me to be logged in and I can be involved in other activities than computer related ones. And before you ask, yes my phone has interrupted at embarrassing moments.

If email is routed to a program rather than a mailbox then the whole matter becomes moot. Automatic mail responders are inherently no different from any other watcher. The input might as well come from a filtered syslog or MQ channel. The only difference is between TCP and UDP.
System control rather than simply passive monitoring is another matter. Network components such as routers and switches report by syslog and SNMP, but syslog is a reporting mechanism not a controlling mechanism. If you want to expand this to control then please change the subject line. At present it says "monitor".
Which distro were you running? Maybe it was a better option for you.
SunOS back when, Solaris; UNIX V6 and V7 when I was a kernel hacker, SYSIII, SYSV, Berkeley BSD 2.4 through 2.8 and 4.0 through 4.1; AIX from the beginning through to current; many versions of HP/UX; DG/UX; many now defunct versions of microprocessor "unix" not least of all SCO's XENIX, including the ports of it by HCR to various platforms. I even had one spell using Zeus on a machine running the Zilog Z-8001 processor though I thought the Onyx version on their box much more fun. I *like* AIX but can't afford it at home. I've run a number of versions of Linux over the last decade and half, but have little interest in switching back and forth.
I'm curious though, how did you manage to receive the various systems alerts and messages without a local MTA? Did you write your own /usr/sbin/sendmail to drop the text directly into the filesystem?
You are failing to differentiate between how I have configured systems and how I think a system for a variety of different contexts should be allowed to be configured to suit the needs of that context. My home set-up and experimentation and each of my clients over the years have all been different.

Again: you are being exclusionary, I'm being inclusive. I can say that SNMP is for command and control of devices that need controlling whereas many devices can simply report - via syslog. I can say that an auditor doing a BASEL, FFIEC, SOX or HIPAA audit is going to be more interested in mail records than syslog records. And there are contexts where that's absolutely correct. And some where none of it applies, since BASEL, FFIEC, SOX and all the rest don't apply everywhere. And some enterprises that don't use SNMP. One size doesn't fit all. Context is everything.

-- 
"Too many preachers use the bible as a stepladder for their soapbox." -- John Tandervold
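The thread above contrasts two uses of syslog: loading records into a relational database so that time trends can be queried, and feeding a filtered syslog stream into a "watcher" that raises real-time alerts. The following is an added example, not code from either poster, showing both on a handful of constructed RFC 3164-style log lines: it parses them, loads them into an in-memory SQLite table, runs a per-hour trend query, and applies a sliding-window filter that fires when one source IP accumulates repeated SSH failures. The hostnames, IPs, timestamps and thresholds are all invented for illustration; how the resulting alert is delivered (mail, pager, SNMP trap) is deliberately left out, since, as the post says, that is a separate concern.

```python
"""Added example (not from the mailing-list thread): syslog lines -> SQLite
for trend queries, plus a real-time style watcher over the same records."""
import re
import sqlite3
from collections import defaultdict, deque
from datetime import datetime

# Constructed sample lines in the usual /var/log/messages shape (no PRI field).
SAMPLE_LOG = """\
Oct 25 09:40:01 gw sshd[2231]: Failed password for invalid user admin from 203.0.113.7 port 51022 ssh2
Oct 25 09:40:03 gw sshd[2231]: Failed password for invalid user admin from 203.0.113.7 port 51023 ssh2
Oct 25 09:41:10 gw sshd[2240]: Accepted publickey for anton from 198.51.100.4 port 40112 ssh2
Oct 25 10:02:44 db1 kernel: EXT4-fs warning (device sda1): ext4_dx_add_entry: Directory index full!
Oct 25 10:03:01 gw sshd[2301]: Failed password for root from 203.0.113.7 port 51099 ssh2
Oct 25 10:03:02 gw sshd[2301]: Failed password for root from 203.0.113.7 port 51100 ssh2
Oct 25 10:03:04 gw sshd[2301]: Failed password for root from 203.0.113.7 port 51101 ssh2
"""

# "Mon DD HH:MM:SS host prog[pid]: message"; pid is optional (kernel has none).
LINE_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2} [ \d]\d \d\d:\d\d:\d\d) "
    r"(?P<host>\S+) (?P<prog>[^\[:]+)(?:\[(?P<pid>\d+)\])?: (?P<msg>.*)$"
)
IP_RE = re.compile(r"\bfrom (\d{1,3}(?:\.\d{1,3}){3})\b")


def parse_line(line, year=2008):
    """Parse one syslog line into a dict; None if it does not match.
    RFC 3164 timestamps carry no year, so the caller supplies one (assumed)."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
    return {"ts": ts.isoformat(), "host": m["host"], "prog": m["prog"],
            "pid": int(m["pid"]) if m["pid"] else None, "msg": m["msg"]}


def load(lines, year=2008):
    """Load parsed records into an in-memory SQLite table and return the connection."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE syslog (ts TEXT, host TEXT, prog TEXT, pid INTEGER, msg TEXT)")
    rows = [r for r in (parse_line(l, year) for l in lines) if r]
    conn.executemany("INSERT INTO syslog VALUES (:ts, :host, :prog, :pid, :msg)", rows)
    conn.commit()
    return conn


def failed_logins_per_hour(conn):
    """Trend query: failed sshd logins per host per hour (the kind of analysis
    that a pile of e-mailed reports does not support)."""
    return conn.execute(
        "SELECT host, substr(ts, 1, 13) AS hour, count(*) FROM syslog "
        "WHERE prog = 'sshd' AND msg LIKE 'Failed password%' "
        "GROUP BY host, hour ORDER BY hour"
    ).fetchall()


def alert_filter(records, threshold=3, window_seconds=60):
    """Watcher over a filtered syslog stream: alert when one source IP produces
    `threshold` SSH failures within `window_seconds`. Returns (ip, host, ts) tuples.
    After an alert the window is cleared so a flood yields one alert per burst."""
    recent = defaultdict(deque)
    alerts = []
    for r in records:
        if r["prog"] != "sshd" or not r["msg"].startswith("Failed password"):
            continue
        m = IP_RE.search(r["msg"])
        if not m:
            continue
        ip, ts = m.group(1), datetime.fromisoformat(r["ts"])
        q = recent[ip]
        q.append(ts)
        while (ts - q[0]).total_seconds() > window_seconds:  # drop stale entries
            q.popleft()
        if len(q) >= threshold:
            alerts.append((ip, r["host"], r["ts"]))
            q.clear()
    return alerts


def run_demo():
    lines = SAMPLE_LOG.splitlines()
    trend = failed_logins_per_hour(load(lines))
    alerts = alert_filter([r for r in map(parse_line, lines) if r])
    return trend, alerts


if __name__ == "__main__":
    t, a = run_demo()
    print("trend:", t)
    print("alerts:", a)
```

The two 09:40 failures never trip the watcher because the 10:03 burst is more than a minute later; the three failures at 10:03 do, producing a single alert. The trend query, by contrast, still sees both clusters, which is the distinction the post draws between post-mortem analysis and real-time alerting.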