- data acquisition
- database
- web interface
Data acquisition is local on each host: no network is needed (this is the main difference from other projects, which collect data through the network and have a centralised database).
Data acquisition is launched by cron each minute.
The cron job may be in the /etc/cron.d/ directory if it exists, else in root crontab.
Data acquisition does not use temporary files (except the cpu module).
A debug mode is activated if the environment variable DEBUG_MODE is set.
Each module has a config file named ... config, which can be configured by the web interface.
Each module can be configured as enabled (run_stop=0) or disabled (run_stop=1).
Since the 0.9.2 release, a sample rate (sample_rate) can be used to acquire data less often:
- set to 1 (default): every minute
- set to n: every n minutes
We use the rrdtool software as the database because:
- it uses a Round Robin Database
- it can produce graphs
- it has a Perl interface
We use one or (more often) several databases for each module: files with the .rrd suffix.
Two commands are useful for looking at database contents:
- rrdtool info the.rrd
- rrdtool dump the.rrd
Remark: all the code is now in Perl, so we use the Perl API to write or access data, through the Perl module RRDs.pm.
database architecture
(part of the rrdtool manual)
You may log data at a 1 minute interval, but you are also interested to know the development of the data over the last year. You could do this by simply storing the data in 1 minute interval, for one year. While this would take considerable disk space it would also take a lot of time to analyse the data when you wanted to create a graph covering the whole year. rrdtool offers a solution to this problem through its data consolidation feature. When setting up a Round Robin Database (RRD), you can define at which interval this consolidation should occur, and what consolidation function (CF) (average, minimum, maximum, last) should be used to build the consolidated values (see rrdcreate).
Data values of the same consolidation setup are stored into Round Robin Archives (RRA).
So we define four Round Robin Archives (RRA), with average consolidation:
- the first holds the last hour of data, at the maximum accuracy (one value each minute)
- the second contains one day, with one value every 2 minutes
- the third contains one week, with one value every 15 minutes
- the last contains some months, with one value every hour
and we choose as the consolidation method:
- average in general
- max for "alarms" (snort, firewall)
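The archive layout and the choice of max for alarms, worked through in Python as an added example (not the project's own code, which is Perl and uses RRDs.pm). The 90-day span for the last archive and the xff value 0.5 are assumptions, and consolidate() is a simplified model that ignores unknown values.

```python
# Added example: models the four archives described above; not the project's code.
STEP = 60  # seconds between acquisitions (cron runs each minute)

# (label, seconds covered, seconds per stored value). The page says only
# "some months" for the last archive, so 90 days is an assumption.
ARCHIVES = [
    ("hour", 3600, 60),
    ("day", 86400, 120),
    ("week", 7 * 86400, 900),
    ("months", 90 * 86400, 3600),
]

def rra_args(cf, xff=0.5):
    """Return rrdtool RRA definitions (RRA:CF:xff:steps:rows) for the archives."""
    out = []
    for _label, span, resolution in ARCHIVES:
        steps = resolution // STEP   # one-minute points merged into one row
        rows = span // resolution    # rows needed to cover the span
        out.append(f"RRA:{cf}:{xff}:{steps}:{rows}")
    return out

def consolidate(samples, steps, cf):
    """Merge each full group of `steps` one-minute samples into one value."""
    func = {"AVERAGE": lambda g: sum(g) / len(g), "MAX": max}[cf]
    return [func(samples[i:i + steps])
            for i in range(0, len(samples) - steps + 1, steps)]

def demo():
    # Constructed input: one hour of per-minute alert counts, quiet except
    # for a burst of 120 alerts during minute 37.
    alerts = [0] * 60
    alerts[37] = 120
    # Consolidate the hour into a single row, as the one-hour archive does.
    return {cf: consolidate(alerts, 60, cf)[0] for cf in ("AVERAGE", "MAX")}

if __name__ == "__main__":
    for cf in ("AVERAGE", "MAX"):
        print(" ".join(rra_args(cf)))
    print(demo())
```

In the hourly archive the burst is flattened to 2 alerts per minute under AVERAGE but kept at 120 under MAX, which is why max suits the snort and firewall counters.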
Page changed on 6 March 2003