- data acquisition
- database
- web interface
Data acquisition is local on each host: no network is needed (this is the main difference from other projects, which collect data through the network and have a centralised database).
Data acquisition is launched by cron every minute.
The cron job is placed in the /etc/cron.d/ directory if it exists, otherwise in root's crontab.
Data acquisition does not use temporary files (except for the cpu module).
A debug mode is activated if the environment variable DEBUG_MODE is set.
Each module has a config file named ... config, which can be configured by the web interface.
Each module can be enabled (run_stop=0) or disabled (run_stop=1).
Since the 0.9.2 release, a sample rate (sample_rate) can be used to acquire data less often:
- set to 1 (default): every minute
- set to n: every n minutes
We use the rrdtool software as the database because
- it uses a Round Robin Database
- it can produce graphs
- it has a Perl interface
We use one or (more often) several databases for each module: files with the .rrd suffix.
Two commands are useful for looking at database contents:
- rrdtool info the.rrd
- rrdtool dump the.rrd
Remark: all the code is now in Perl, so we use the Perl API (the Perl module RRDs.pm) to write or access data.
database architecture
(excerpt from the rrdtool manual)
You may log data at a 1 minute interval, but you might also be interested to know the development
of the data over the last year. You could do this by simply storing the data in 1 minute
intervals, for one year. While this would take considerable disk space it would also take a lot of time
to analyse the data when you wanted to create a graph covering the whole year. rrdtool offers a
solution to this problem through its data consolidation feature. When setting up a Round Robin
Database (RRD), you can define at which interval this consolidation should occur, and what
consolidation function (CF) (average, minimum, maximum, last) should be used to build the
consolidated values (see rrdcreate).
Data values of the same consolidation setup are stored into Round Robin Archives (RRA).
So we define four Round Robin Archives (RRA), with average consolidation:
- the first holds the last hour of data, at maximum accuracy (one value per minute)
- the second contains one day, with one value every 2 minutes
- the third contains one week, with one value every 15 minutes
- the last contains some months, with one value every hour
As the consolidation method we choose:
- average in general
- max for "alarms" (snort, firewall)
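The four archives above translate into rrdtool RRA arguments as follows; this is an added example, not code from the project, and it also shows the MAX variant used for alarms, where averaging would flatten a short burst of alerts. Assumptions not taken from the page: "some months" is taken as 90 days, the xff value is 0.5, and the data source definition (name, GAUGE type, 120 s heartbeat) is hypothetical.

```shell
#!/bin/sh
# Added example: derive the RRA definitions for the four archives described above.
STEP=60   # base step in seconds: cron launches acquisition every minute

# rra CF RESOLUTION_SECONDS SPAN_SECONDS -> "RRA:CF:xff:steps:rows"
rra() {
    cf=$1 res=$2 span=$3
    # An archive resolution must be a whole number of base steps.
    if [ $((res % STEP)) -ne 0 ] || [ "$res" -gt "$span" ]; then
        echo "rra: resolution $res must be a multiple of $STEP and <= span $span" >&2
        return 1
    fi
    steps=$((res / STEP))                 # base steps consolidated into one row
    rows=$(( (span + res - 1) / res ))    # round up so the whole span is kept
    echo "RRA:$cf:0.5:$steps:$rows"       # xff 0.5 is an assumption
}

# rra_set CF [DAYS] -> the four archives, one per line
rra_set() {
    cf=$1 long_days=${2:-90}   # "some months": 90 days is an assumption
    rra "$cf" 60   3600   &&                   # last hour, every minute
    rra "$cf" 120  86400  &&                   # one day, every 2 minutes
    rra "$cf" 900  604800 &&                   # one week, every 15 minutes
    rra "$cf" 3600 $((long_days * 86400))      # some months, every hour
}

# create_cmd FILE CF DS_NAME -> rrdtool create command line (printed, not run)
create_cmd() {
    file=$1 cf=$2 ds=$3
    archives=$(rra_set "$cf") || return 1
    # Hypothetical data source: GAUGE, 120 s heartbeat, minimum 0, no maximum.
    echo "rrdtool create $file --step $STEP DS:$ds:GAUGE:120:0:U" $archives
}

# Constructed file and data source names, for illustration only.
create_cmd the.rrd AVERAGE value
create_cmd alarms.rrd MAX events
```

Running the printed command and then `rrdtool info the.rrd` shows the same steps and rows under each `rra[n]` entry.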
Page changed on 6 March 2003