Dear folks,

> I created a proof of concept alerting plugin to generate alerts based on Holt
> Winter information. My intention is creating a plugin that gives the same

This is a great job.
Moreover I got inspired to study the plugin interface. :-)

Now I can present an enhanced version of Werner's plugin.
(See attachment.)
The big news is that it can send mails with clickable URLs like this:

| Date: Tue, 12 Jun 2007 17:20:24 +0200 (CEST)
| From: [EMAIL PROTECTED]
| To: [EMAIL PROTECTED]
| Subject: Holt-Winters alert
| 
| adsl.rrd traffic_udp 200706121715
| http://MY_HOST/nfsen2/nfsen.php?bookmark=MnwwfC4vbGl2ZXxhZHNsfFVEUHx0
| cmFmZmljfDF8MTE4MTY2MTAwMHwxMTgxNjYxMDAwfDExODE2NjEwMDB8MHwxfDA%3D
| 
| c6513_2.rrd flows 200706121715
| http://MY_HOST/nfsen2/nfsen.php?bookmark=MnwwfC4vbGl2ZXxjNjUxM18yfGFu
| eXxmbG93c3wxfDExODE2NjEwMDB8MTE4MTY2MTAwMHwxMTgxNjYxMDAwfDB8MXww

Following these links you can see right now the graph sourcing the alert.
Even the marker is set to the proper time.

Installation:
Similar to Werner's method with the following differences:

1. plugin is called 'holt_winters'. So nfsen.conf looks like this:
@plugins = (
    # profile    # module
    [ undef,     'holt_winters' ],
);

2. Monitored profiles are listed in nfsen.conf instead of external file
'holtwinter.dat':

%Pluginconf = (
    holt_winters    => {
        profiles        => [qw(live)],
        bookmark_base   => 'http://MY_HOST/nfsen2/nfsen.php',
    },
);

Parameter bookmark_base should be customised manually at this moment.


Before installing holt_winters plugin, you should apply the following
patches from sourceforge against nfsen-snapshot-20070312:
1731375, 1732044, 1735815.

Follow links on page
http://sourceforge.net/tracker/?group_id=134525&atid=730182


These are some bugfixes and enhancements of nfsen-snapshot-20070312
and are not related to holt_winters plugin. I hope Peter incorporates
them into the mainstream code.


Now I plan to create a dynamic alert list on the web page as "Nerd" does.
However, I'm a PERL programmer but I have little practice with PHP. :-)
So it may occur that I can create a concept only till the Zurich
meeting.

Any comments and suggestions will be appreciated.

Gabor
#!/usr/bin/perl
#
#  vim: set ts=3 sw=3:
#
#	Holt-Winters Aberrant Behavior Detection plugin for NfSen
#	by Gabor Kiss <[EMAIL PROTECTED]>.
#	Based on work of Werner Schram <[EMAIL PROTECTED]>.
#
#	Original copyright message follows:
#
###############################################################################
#	Copyright (c) 2007, SURFnet B.V. 
#	All rights reserved.
#
#	Redistribution and use in source and binary forms, with or without modification, 
#	are permitted provided that the following conditions are met:
#
#	*	Redistributions of source code must retain the above copyright notice, this
#		list of conditions and the following disclaimer.
#	*	Redistributions in binary form must reproduce the above copyright notice, this
#		list of conditions and the	following disclaimer in the documentation and/or
#		other materials provided with the distribution.
#	*	Neither the name of the SURFnet B.V. nor the names of its contributors may be
#		used to endorse or promote products derived from this software without specific 
#		prior written permission.
#
#	THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS" AND ANY 
#	EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES 
#	OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT 
#	SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, 
#	INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED
#	TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR 
#	BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON	ANY THEORY OF LIABILITY, WHETHER IN 
#	CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN 
#	ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH 
#	DAMAGE.
#
###############################################################################

package holt_winters;

use strict;
use warnings;
use Time::Local;
use IO::Dir;
use MIME::Base64;
use URI::Escape;
use NfSen;
use NfConf;
use Notification;
use RRDs;	# provides RRDs::fetch, used in alert_condition

use Sys::Syslog;
Sys::Syslog::setlogsock('unix');

my $conf = $NfConf::Pluginconf{holt_winters};
my $bm_base = $conf->{bookmark_base};

sub alert_condition {
	my ($opts) = @_;

	my ($Year, $Month, $Day, $Hour, $Min) = $opts->{timeslot} =~ /(\d{4})(\d{2})(\d{2})(\d{2})(\d{2})/;
	my $endtime = timelocal(0, $Min, $Hour, $Day, $Month-1, $Year);
	my @arguments = (
		"FAILURES",
		"--start", $endtime - 600,	# we need exactly two rows of RRA
		"--end",   $endtime - 300,
	);
		
	syslog('debug', "holt_winters: timeslot: ". $opts->{timeslot}. " alert: ". $opts->{alert}. " alertfile: ". $opts->{alertfile});

	my $ret = 0;
	my @mailtext;
	return unless ref $conf eq 'HASH' and exists $conf->{profiles};
	foreach my $profile (@{$conf->{profiles}}) {
		my $alertDir = "$NfConf::PROFILEDATADIR/$profile";
		my $dh = IO::Dir->new($alertDir) or
			syslog('err', "holt_winters: error opening $alertDir: $!"),
			return 0;

		while (my $rrdfile = $dh->read) {
			next unless $rrdfile =~ /\.rrd$/;

			my $fullpath = "$alertDir/$rrdfile";
			next unless -f $fullpath;

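			my ($start, $step, $dslist, $data) = RRDs::fetch($fullpath, @arguments);
			if (my $err = RRDs::error) {
				# skip files RRDs cannot fetch from instead of working on undefined data
				syslog('err', "holt_winters: RRDs::fetch failed for %s: %s", $fullpath, $err);
				next;
			}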
			my $nameidx = 0;
			foreach my $ds (@$dslist) {
				my $type = $dslist->[$nameidx];

				# Alert only if previous value was 0 but now it is 1
				my @failures = reverse @$data;	# tricky way to handle case of single row @$data array
				#syslog('debug', "$rrdfile $ds($nameidx) $failures[0][$nameidx]<=$failures[1][$nameidx]");
				next unless $failures[0][$nameidx] and !$failures[1][$nameidx];

				syslog('debug', "holt_winters: found aberrant behavior in rrd: $fullpath in RRA $type");

				# prepare bookmark
				my ($bm_type, $bm_proto) = split('_', $type);
				$bm_proto ||= 'any';
				$bm_proto = uc($bm_proto) if $bm_proto =~ /p$/;	# TCP, UDP, ICMP
				(my $bm_channel = $rrdfile) =~ s/\.rrd$//;	# strip only the trailing extension
				my $bm_tend = NfSen::ISO2UNIX($opts->{timeslot})-300;
				my $bm_tleft = $bm_tend;
				my $bm_tright = $bm_tend;
				# bookmark: tab,sub_tab,profileswitch,
				# 				channellist,proto,type,wsize,
				# 				tend,tleft,tright,
				# 				logscale,ratescale,linegraph
				my $bookmark = join('|',
					2,0,"./$profile",
					$bm_channel,$bm_proto,$bm_type,1,
					$bm_tend,$bm_tleft,$bm_tright,
					0,1,0
				);
				$bookmark=encode_base64($bookmark);
				$bookmark=~s/\n//gs;
				$bookmark=uri_escape($bookmark);
				push(@mailtext,
					"$rrdfile $type $opts->{timeslot}\n",
					"$bm_base?bookmark=$bookmark\n",
					"\n"
				);
				$ret = 1;
			}
			continue {
				$nameidx++;
			}
		}
		$dh->close;
	}

	# mail the collected alert lines
	$ret and notify("Holt-Winters alert", \@mailtext);

	return $ret;
}

sub Init {
	syslog('debug', "holt_winters: init");
	return 1;
}

1;

# vi: ts=3 sw=3
_______________________________________________
Nfsen-discuss mailing list
Nfsen-discuss@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/nfsen-discuss
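
The bookmark links in the alert mail can be decoded back into the fields the plugin packed, so a recipient can confirm the host, profile and time window before following one. This is an added example, not part of the post or the plugin; the name `decode_bookmark` and the sanity checks on `profileswitch` and the time window are assumptions of the example.

```python
import base64
from urllib.parse import urlsplit, parse_qs

# Field order from the comment in the plugin's "prepare bookmark" section.
FIELDS = ("tab", "sub_tab", "profileswitch", "channellist", "proto", "type",
          "wsize", "tend", "tleft", "tright", "logscale", "ratescale", "linegraph")
NUMERIC = {"tab", "sub_tab", "wsize", "tend", "tleft", "tright",
           "logscale", "ratescale", "linegraph"}


def decode_bookmark(url, bookmark_base):
    """Decode an alert link into named fields; raise ValueError if it looks wrong."""
    parts = urlsplit(url)
    if f"{parts.scheme}://{parts.netloc}{parts.path}" != bookmark_base:
        raise ValueError("link does not point at the configured bookmark_base")
    values = parse_qs(parts.query).get("bookmark", [])  # parse_qs undoes uri_escape
    if len(values) != 1:
        raise ValueError("expected exactly one bookmark parameter")
    # validate=True rejects characters outside the base64 alphabet
    raw = base64.b64decode(values[0], validate=True).decode("ascii")
    items = raw.split("|")
    if len(items) != len(FIELDS):
        raise ValueError(f"expected {len(FIELDS)} fields, got {len(items)}")
    fields = dict(zip(FIELDS, items))
    for name in NUMERIC:
        if not fields[name].isdigit():
            raise ValueError(f"{name} is not a number: {fields[name]!r}")
        fields[name] = int(fields[name])
    # Assumption of this example: the plugin only ever emits "./<profile>" here.
    profile = fields["profileswitch"]
    if not profile.startswith("./") or ".." in profile.split("/"):
        raise ValueError(f"unexpected profileswitch: {profile!r}")
    if not fields["tleft"] <= fields["tend"] <= fields["tright"]:
        raise ValueError("marker lies outside the selected window")
    return fields


# Second link from the alert mail above, with the wrapped line rejoined.
MAIL_LINK = ("http://MY_HOST/nfsen2/nfsen.php?bookmark="
             "MnwwfC4vbGl2ZXxjNjUxM18yfGFu"
             "eXxmbG93c3wxfDExODE2NjEwMDB8MTE4MTY2MTAwMHwxMTgxNjYxMDAwfDB8MXww")

if __name__ == "__main__":
    print(decode_bookmark(MAIL_LINK, "http://MY_HOST/nfsen2/nfsen.php"))
```
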