On Tue, Oct 24, 2023 at 11:27 AM Ricardo Prudenciato via lpi-examdev < [email protected]> wrote:
> *205.3*
> It will be nice to include some of the most used monitoring tools like
> Zabbix.
>
> On Tue, Oct 24, 2023 at 12:29 PM BHL via lpi-examdev < [email protected]> wrote:
> I have a question about Zabbix. Zabbix is used for Linux, not Splunk or
> Kibana?
>
> On Tue, Oct 24, 2023 at 3:23 PM Simone Piccardi via lpi-examdev < [email protected]> wrote:
> It was discussed in the last revision. There are many centralized
> monitoring tools available on Linux, like Nagios and Icinga just to name
> some "traditional" ones. I don't think there is one that can be chosen
> over the others, so I'm against adding any of them to 205.3.
>
> On Tue, Oct 24, 2023 at 4:23 PM Jeroen Baten via lpi-examdev < [email protected]> wrote:
> That is certainly one way to make sure knowledge can not be tested.
>
> On Tue, Oct 24, 2023 at 7:49 PM Alessandro Selli via lpi-examdev < [email protected]> wrote:
> As far as I know (I never used it), Splunk is a cloud-based, web-managed
> platform for generic, machine-generated big-data analysis and searching,
> reporting tool.
>
> On https://www.splunk.com/en_us/download/splunk-cloud.html I can read
> they offer a 14-day free cloud trial.
>
> The software download page only offers Free Trial packages, except for a
> "Universal Forwarder" package that "collects data securely from remote
> sources, including other forwarders, and sends it into Splunk software".
>
> It is not just a platform monitoring tool.

I've dealt with Splunk, the ELK stack, several other solutions built around Kibana, as well as some emerging solutions, the related forwarders, both proprietary and open source, both rsyslog compatible and even one journald (binary, instead of journald just pushing text to rsyslog), among others, over the past decade. And then add in the auditd rules and add SELinux options to generate yet more logs, and there are a lot of details. Security Information and Event Management (SIEM) is one deep pile to say the least.

Coincidentally, at my primary employer (I have some clients on the side), we're in the middle of a major *'Threat Hunting'* toolset evaluation, as we don't just want to do SIEM, and we're trying to find an open source stack and use our own, on-premise appliances, and not just use someone else's (especially if they are not assembled, let alone managed, in the US). It's really slim pickings, and we're considering *'doing it on our own.'*

So ... to 'step back' ... a plausible offering ...

- Awareness of SIEM concepts
- Basic open source 'forwarders' (e.g., rsyslog 514/tcp, possibly journald, but there's some valid debate on just sticking with rsyslog)
- Awareness of aggregators (for forwarders)
- Threat hunting is probably not LPIC-2 at all

Now, that said ... some of that is already in other objectives, and ... may not be relevant to LPIC-2 at all, and more the LPIC-3 Security (definitely threat hunting). So ... it's really key to be general and not get into the weeds. Just whatever is required in accessing, possibly forwarding, information.

*KEY DETAIL: We keep looking at native journald (binary) options because the sheer rates of audits due to our required audit rules cause logging to be dropped on some heavily utilized systems (many GiB per hour). Yes, welcome to regulated environments, including financial. I have this same issue with things that want to use PAM, instead of SSSD, but that's another discussion on another security domain.*

On Tue, Oct 24, 2023 at 7:49 PM Alessandro Selli via lpi-examdev < [email protected]> wrote:
> I think LPI should not cover Cloud-based services that are not available
> as free software, that do not have native packages in any distribution that
> I know of, that are only accessible through a web interface - which makes
> it not Linux-specific - that require people to send their data to a
> private, for-profit public company and that require that users have a paid
> account to be able to access it past the two weeks of the free trial
> offering.

I agree on all that, sans web interfaces invalidating.

On Tue, Oct 24, 2023 at 7:49 PM Alessandro Selli via lpi-examdev < [email protected]> wrote:
> Kibana I read on the Wikipedia is proprietary, source-available software
> that it too has no related packages in the repositories of the Debian and
> Rocky Linux distributions.
>
> It is a frontend for Elasticsearch, which is a "full-text search engine
> with an HTTP web interface" (Wikipedia).
>
> Which means that it is not just a platform monitoring tool, even though of
> course it can also do that, that it is not Linux specific and that it is
> not free software. For these reasons I feel it should not be mentioned in
> any LPI exam objective.
>
> I feel we could at most add Zabbix to the list of the universally
> available free monitoring tools in Linux:
>
> 200.2 Predict Future Resource Needs (weight: 2)
>
> Awareness of monitoring solutions such as Icinga2, Nagios, collectd, MRTG
> and Cacti
>
> but nothing more, as the list is already pretty beefy (even though Nagios
> and Icinga2 are very similar).

Well, it should be. The latter started as a fork of the former, over a dozen years ago.

--
Bryan J Smith - http://www.linkedin.com/in/bjsmith
E-mail: b.j.smith at ieee.org or me at bjsmith.me
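The "basic open source forwarder" mentioned above, rsyslog pushing to a collector on 514/tcp, and the dropped-logging failure mode under high audit rates, shown as an added rsyslog configuration example. This is not from any post in the thread or from the LPI objectives; the collector hostname, spool path and queue sizes are assumed placeholders, and the retry and queue parameters are standard rsyslog RainerScript settings.

```conf
# Added example, not from the thread. Forward all messages from this host to
# a central collector on 514/tcp. Hostname, spool path and sizes are assumed.

# Spool directory for disk-assisted queues (must exist and be writable by rsyslog).
global(workDirectory="/var/spool/rsyslog")

# Weak form (legacy syntax, no queue of its own): when the collector is slow or
# unreachable the action suspends and messages pile up in the main queue until
# that overflows, at which point high-rate audit/SELinux events are discarded.
#*.* @@collector.example.internal:514

# Hardened form: a disk-assisted queue in front of the forwarding action buffers
# bursts to disk instead of dropping them, and the action retries indefinitely
# until the collector accepts the backlog.
action(
  type="omfwd"
  target="collector.example.internal"   # assumed collector hostname
  port="514"
  protocol="tcp"
  queue.type="LinkedList"               # in-memory queue ...
  queue.filename="fwd_collector"        # ... that spills to disk under workDirectory
  queue.maxDiskSpace="4g"               # assumed sizing; match it to the burst rate
  queue.saveOnShutdown="on"             # persist unsent messages across restarts
  action.resumeRetryCount="-1"          # retry forever rather than give up
  action.resumeInterval="10"            # seconds between reconnect attempts
)
```

Two checks worth making once this is in place: confirm the spool file appears under the work directory when the collector is stopped and drains again when it returns, and remember that rsyslog's queue only protects the forwarding stage; if events are already being suppressed before they reach rsyslog, journald's own per-service rate limiting (the `RateLimitIntervalSec` and `RateLimitBurst` settings in journald.conf) is the next place to look.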
_______________________________________________
lpi-examdev mailing list
[email protected]
https://list.lpi.org/mailman/listinfo/lpi-examdev
