What kind of monitoring tool is the most beloved of the Ops people?
Which indicators need to be monitored? What can be monitored, and how deeply? Perhaps these questions are not even clear to you. First, let us look at the situation the Ops brothers are in.
1. Current status of operations and maintenance
In traditional enterprise IT operations, a fault is discovered by the people using the computers, the operations staff are notified, and only then do they take remedial measures. Operations staff spend most of their time and energy on simple, repetitive problems, and because the early-warning mechanism is imperfect, faults are usually handled only after they have occurred. This keeps operations staff in a passive "firefighting" state, and this passive operations model is exhausting for IT departments. How can the quality of operations be improved, and how can the production department give the operations department a satisfactory assessment?
At present, the operations management process lacks clear role definitions and division of responsibilities, as well as an automated, integrated operations management platform. As a result, it is difficult to find the cause of a problem quickly and accurately, and the handling of a failure is not followed up with the necessary tracking and records.
2. Secrets hidden behind traffic
Looking only at the size of the traffic on a network interface no longer satisfies the troubleshooting needs of today's operations. Traffic analysis needs to go deeper and into more detail.
Figure 1: traditional traffic monitoring tools only look at appearances
Many exploit and shellcode attacks arrive mixed in with normal traffic and pass through the enterprise network-layer protections. To know what each packet actually carries, an ordinary camera is no longer enough; a more powerful X-ray camera is needed, namely protocol analysis.
3. The new challenge of secure operations in the era of big data
Operations engineers in the big data era face a large number of network security events. Without effective tools to do the analysis work, they often run into the following challenges:
1) A large number of security alarms appear every day, and it is difficult for administrators to respond to all of them.
2) False positives are serious, so the administrator cannot judge a fault accurately.
3) Alarms are numerous, repetitive, fragmented and irregular. A single attack action triggers alarms on different security devices at different stages, so the alarm data contains a large amount of duplication across time and space. Unless security events are processed with correlation, the quality of the alarms cannot be effectively improved.
These problems arise partly because companies lack operational tools such as event monitoring and diagnostics; without the support of efficient management tools, failure events cannot be handled proactively and quickly. There are many operations monitoring tools on the market: commercial products such as Cisco Works, Solarwinds, ManageEngine and the fault-monitoring-focused WhatsUp, and in the open source field MRTG, Nagios, Cacti, Zabbix, Zenoss, OpenNMS, Ganglia and so on. Because they are not connected to each other, deploying these tools does not really free the operators. Current technology can collect warning information from computer equipment, servers, network traffic and even databases, but thousands of warnings piled together still leave people unable to determine where the root of the problem lies, because the ability to sift through the information and mine the data is missing. In fact, we are not short of tools, commercial or open source; there are plenty of them. So why does it still not work? What is really missing is the intelligence to analyze the data.
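The correlation described above, where one attack seen by several devices collapses into a single record, as an added example that is not part of the original article. It assumes a constructed, simplified alert line format and a 5-minute grouping window; real devices use their own formats.

```python
import re
from datetime import datetime, timedelta

# Constructed sample alerts from a firewall, an IDS and a host agent that
# each saw a stage of the same intrusion attempt; these are not real logs.
RAW_ALERTS = """\
2015-10-01 09:00:01 fw01 DENY src=203.0.113.7 dst=10.0.0.5 dport=22
2015-10-01 09:00:02 fw01 DENY src=203.0.113.7 dst=10.0.0.5 dport=22
2015-10-01 09:00:02 fw01 DENY src=203.0.113.7 dst=10.0.0.5 dport=22
2015-10-01 09:00:15 ids01 ALERT src=203.0.113.7 dst=10.0.0.5 sig=SSH_BRUTE_FORCE
2015-10-01 09:01:30 host05 AUTHFAIL src=203.0.113.7 dst=10.0.0.5 user=root
2015-10-01 09:40:00 fw01 DENY src=198.51.100.9 dst=10.0.0.8 dport=445
"""

# Assumed line layout: "<date> <time> <device> <event> src=<ip> dst=<ip> ..."
LINE_RE = re.compile(
    r"^(?P<ts>\S+ \S+) (?P<device>\S+) (?P<event>\S+) src=(?P<src>\S+) dst=(?P<dst>\S+)"
)
WINDOW = timedelta(minutes=5)  # alarms closer than this are the same incident


def parse(raw):
    """Turn raw alert lines into dicts; lines that do not match are skipped."""
    out = []
    for line in raw.splitlines():
        m = LINE_RE.match(line)
        if m:
            d = m.groupdict()
            d["ts"] = datetime.strptime(d["ts"], "%Y-%m-%d %H:%M:%S")
            out.append(d)
    return out


def correlate(alerts, window=WINDOW):
    """Merge alerts with the same (src, dst) pair that fall within `window`
    of the previous one into a single incident recording every device and
    event type that fired, so duplicates across devices become one record."""
    incidents = []
    for a in sorted(alerts, key=lambda x: x["ts"]):
        key = (a["src"], a["dst"])
        for inc in incidents:
            if inc["key"] == key and a["ts"] - inc["last"] <= window:
                inc["last"] = a["ts"]
                inc["count"] += 1
                inc["devices"].add(a["device"])
                inc["events"].add(a["event"])
                break
        else:  # no open incident for this pair: start a new one
            incidents.append({"key": key, "first": a["ts"], "last": a["ts"],
                              "count": 1, "devices": {a["device"]},
                              "events": {a["event"]}})
    return incidents
```

Running `correlate(parse(RAW_ALERTS))` on the sample reduces six alarms to two incidents, the first of which shows all three devices and all three event types for the same source.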
In addition, each of the various monitoring systems requires its own login and presents its own interface, and most update management work is done by hand: even a simple system change or update often requires logging on to the system. When the number of devices reaches hundreds or thousands, the workload can be imagined. Such changes and inspections are carried out daily in IT operations and undoubtedly consume a large share of operations resources. A unified, integrated security management platform for operations staff is therefore urgently needed.
In the past, relying on a few technical gurus to handle everything could no longer meet the requirements. Enterprises need a secure operations platform that meets the need for specialization, standardization and well-defined processes, and that achieves automated operations management. An integrated monitoring system can detect hidden problems in time, proactively tell the user which resources need attention, perceive network threats, and eliminate failures while they are still in the bud. This greatly reduces the workload of Ops personnel, minimizes maintenance time and improves service quality.
4. Manual integration of open source tools
Since we cannot find the right tool, what if we integrate the common open source tools onto a single Linux platform? Isn't that an implementation of a unified management platform?
Difficulties in manually integrating open source monitoring systems:
1. Software and dependency conflicts are difficult to resolve.
2. Each subsystem repeats its own authentication and has its own interface style.
3. Data cannot be shared between subsystems.
4. Correlation analysis across the data cannot be implemented.
5. Reports cannot be generated in a consolidated format.
6. There is no unified dashboard to display the important monitoring information.
7. Network risk cannot be detected.
8. Each subsystem is hard to maintain, which increases the operations cost.
In practice, the first thing such a scheme runs into is a performance problem: some scripts consume a lot of CPU and I/O resources, so real-time data analysis is not possible. Imagine how many people and how much time it would take to develop a monitoring platform of unknown quality from scratch.
5. The choice of an integrated secure operations platform
A good security operations platform requires events to be linked with IT processes: once the monitoring system discovers a performance overrun or an outage, it triggers the related events and pre-defined processes to automatically start the failure response and recovery mechanism. It also needs to take over the daily repetitive work of operations staff to improve operational efficiency. Conventional monitoring software such as Cacti and Zabbix cannot implement these functions.
At the same time, it must be able to predict network worm threats and raise an alert before a failure occurs, so that operations staff can eliminate the failure in its embryonic state and minimize the resulting losses. In general, Ops need a platform that implements asset management, distributed deployment, vulnerability scanning, risk assessment, policy management, real-time traffic monitoring, anomalous traffic analysis, attack detection and alerting, correlation analysis, risk calculation, security incident warning, event aggregation, log collection and analysis, a knowledge base, timeline analysis, unified report output and multi-user rights management. Does such an integrated open source tool exist? Where is it?
There are two kinds of products that meet this requirement. The products on the market are mainly HP ArcSight (with an Oracle database behind it), IBM Security QRadar SIEM and the OSSIM USM SIEM solution; among open source software, OSSIM is the best choice.
OSSIM simply integrates a number of open source tools into a single platform. AlienVault offers it in two editions, the open source OSSIM and the commercial USM. Through this integrated monitoring tool, constraints on user operating norms and quasi-real-time monitoring of computer resources are achieved, covering servers, databases, middleware, storage and backup, the network, security, the server room, business applications and more; the automated monitoring and management platform then handles failures and problems in an integrated way under centralized management.
If you do not want to buy expensive commercial software and do not want to devote a lot of effort to development, then OSSIM is the only choice for implementing an integrated security management platform.
Well, let's see what OSSIM can do for you.
This article is from the "Lee Chenguang Original Technology Blog"; reprinting is declined.