Re: Which tools to monitor traffic and alert ?

2015-08-06 Thread lists
> I run several standard services (Web, Mail, DNS, …) and have configured Munin 
> to graph traffic and see what happened.

Good for you. I don't know if Munin is the go to tool for this in
OpenBSD, so seconding your query for comparative or "works-for-me" type
of (fresh) info, or search the mail archives.

Probably Munin's trips and basic alert capabilities can help you sort
your email feedback purposes, or you could further use a Nagios /
Icinga monitoring and alert generating tool.

One comment: the trouble with these types of tools (Munin-like) is the
lack of filters / plugins / lenses for the specific service (or
operating system) you (want to) use, and such integration being out of date.
Yet it provides graphs, which may be a powerful analytic tool.

> I was wondering what was the usual OpenBSD way for proactive/real-time 
> traffic monitoring and alerting.

Same thoughts here, there are some ports related to rrd, snmp, service
specific live stat (top like) / graphing tools in the likes of: symon,
pfstat, collectd, mrtg, nfsen, etc etc

Most probably you want to pick your specific solution based on your
needs from the options available as ports.

> That is, which software to use that would, for example, read HTTPD logs and 
> alert if req/sec from same IP is over 50 ?

Log processing at run time probably is not the best solution for
reacting to live events, unless it's a tool specifically designed to do
that. Apache has a scoreboard, which I am not entirely sure is a good
idea either, and not many tools process that; despite being a valid
approach, in my practice this has been mostly difficult to tie to
something useful apart from self-hacked scripts.

That said, you can get the details from the network stack (pf and
related), a relaying front end service, the actual service's live
status output (if it provides state details), logging of the service
details (verbosity), log processing of its output (virtual host logs),
higher level self awareness if the service runs scripts or procedures
in the respective application etc.

Relayd(8) has relayctl(8), many other services too have the respective
"apropos ctl" tool. It may be worth checking this option first as a
front end stats between the network and the web service.

This may be extremely premature, out of scope or unworthy of
expectation and/or implementation, but a third party tool (e.g. your
choice so far being Munin) monitoring the output of the respective so
far hypothetical httpctl may be a solution too. I would not count on
this though as the httpd in base has been conservative in features so
far.
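As an added illustration (not code from the thread), here is what the "read the httpd logs and alert on more than 50 req/s from one client" check from the question looks like as a small script: it parses common-format access log lines, buckets requests per client and second, and reports clients over the threshold. The threshold, window and sample log lines are assumptions/constructed; OpenBSD httpd(8) writes Apache-style common/combined lines, so the regex follows that layout.

```python
import re
from collections import Counter
from datetime import datetime

# Apache/OpenBSD httpd "common" log layout: client, ident, user, [timestamp],
# "request", status, size. The timestamp has one-second resolution, so the
# rate is counted per (client, second) bucket.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" '
    r'(?P<status>\d{3}) (?P<size>\S+)'
)
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"


def parse_line(line):
    """Return (client_ip, datetime) for a well-formed line, else None."""
    m = LOG_RE.match(line)
    if not m:
        return None
    try:
        ts = datetime.strptime(m.group("ts"), TS_FMT)
    except ValueError:
        return None
    return m.group("ip"), ts


def rate_alerts(lines, threshold=50, window=1):
    """Return sorted (ip, bucket_start_epoch, count) tuples for every client
    whose request count in a `window`-second bucket is strictly above
    `threshold`. Malformed lines are skipped rather than crashing the monitor."""
    buckets = Counter()
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue
        ip, ts = parsed
        epoch = int(ts.timestamp())
        buckets[(ip, epoch - epoch % window)] += 1
    return sorted((ip, t, n) for (ip, t), n in buckets.items() if n > threshold)


# Constructed sample: 60 requests from one client within a single second,
# two requests from another client, and one malformed line.
SAMPLE = [
    '203.0.113.7 - - [06/Aug/2015:10:44:01 +0200] "GET /index.html HTTP/1.1" 200 512'
] * 60 + [
    '198.51.100.2 - - [06/Aug/2015:10:44:01 +0200] "GET / HTTP/1.1" 200 128',
    '198.51.100.2 - - [06/Aug/2015:10:44:02 +0200] "GET /a HTTP/1.1" 404 0',
    'this line is not a log record and must be skipped',
]

if __name__ == "__main__":
    for ip, t, n in rate_alerts(SAMPLE):
        print(f"ALERT {ip}: {n} requests in the second starting at epoch {t}")
```

In practice the lines would come from `tail -f` on the access log (or from syslog), and the alert branch would send mail instead of printing.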



Re: Which tools to monitor traffic and alert ?

2015-08-06 Thread Josh Grosse
On Thu, Aug 06, 2015 at 10:44:01AM +0200, Joel Carnat wrote:
> Hi,
> 
> I run several standard services (Web, Mail, DNS, …) and have configured Munin 
> to graph traffic and see what happened.
> 
> I was wondering what was the usual OpenBSD way for proactive/real-time 
> traffic monitoring and alerting.
> That is, which software to use that would, for example, read HTTPD logs and 
> alert if req/sec from same IP is over 50 ?
> 
> Looking at the ports, I saw « snort » but I was wondering if there were 
> lighter tools for such tasks.

I use net/nfsen.  This is a graphical front-end to net/nfdump, which
uses netflow statistics from pflow(4).  I Duse alerts via Email,

I use the front-end for two reasons:

1.  I can reach out to it if needed from behind the Great Corporate
Firewall (TM) at $DAYJOB.  (Access is protected by a client
certificate installed in the browser.)

2.  Graphic reports often help me understand traffic patterns over
time more clearly.  I can dig deeper, either through nfsen's 
analysis tools or via nfdump commands directly.

I don't know if this is The OpenBSD Way, but it does use pflow(4)
statistics to capture traffic statistics across multiple
systems.



Which tools to monitor traffic and alert ?

2015-08-06 Thread Joel Carnat
Hi,

I run several standard services (Web, Mail, DNS, …) and have configured Munin 
to graph traffic and see what happened.

I was wondering what was the usual OpenBSD way for proactive/real-time traffic 
monitoring and alerting.
That is, which software to use that would, for example, read HTTPD logs and 
alert if req/sec from same IP is over 50 ?

Looking at the ports, I saw « snort » but I was wondering if there were lighter 
tools for such tasks.

Thanks,
Jo