Categories
Linux

Compile Latest Ganglia for All Versions of Debian and Ubuntu

I have learned a lot since I wrote the original how-to. I do not have time to write a nice story, but follow the steps below and you should be fine. This will provide you with the latest version of Ganglia on any Debian-based distro.

Objectives:
1. Download the latest sources from the Ganglia git repository.
2. Compile, install and set up monitor-core.
3. Set up the ganglia-web front-end.
4. Set up hsflowd on servers.

On your collector / PHP-enabled web server:

apt-get install build-essential automake autoconf pkg-config gperf libtool rrdtool librrd-dev libconfuse-dev libapr1-dev libpcre3-dev

cd ~
git clone https://github.com/ganglia/monitor-core.git ganglia
cd ganglia
git submodule init
git submodule update

./bootstrap

Update February 1, 2014: You need to install Concurrency Kit before running configure or it will fail.
Instructions:

git clone http://concurrencykit.org/cgit/cgit.cgi/ck/
cd ck
./configure
make
make install

and then switch back to your ganglia directory and continue.

./configure --with-gmetad
make
make install
ln -s /usr/local/lib64/ganglia /usr/lib/ganglia
useradd --system ganglia
groupadd --system ganglia

nano /etc/ld.so.conf
add line: /usr/local/lib

ldconfig

nano /usr/local/etc/gmetad.conf
change: data_source "your cluster name" 20 localhost
cp ~/ganglia/debian/gmond.conf /usr/local/etc/gmond.conf
nano /usr/local/etc/gmond.conf
change: mute = yes
change: name = "your cluster name"
change:
udp_send_channel {
  port = 8649
  ttl = 1
}
udp_recv_channel {
   port = 8649
}
sflow {
  udp_port = 8649
  accept_vm_metrics = yes
}
tcp_accept_channel {
  port = 8649
}

cd /var/www
git clone https://github.com/ganglia/ganglia-web.git ganglia
cd ganglia
mkdir dwoo/compiled
mkdir dwoo/cache
mkdir -p /var/lib/ganglia/rrds
chown nobody /var/lib/ganglia/rrds
chown -R www-data:www-data /var/www/ganglia
cp conf_default.php.in conf_default.php
cp version.php.in version.php
nano conf_default.php
change: $conf['gweb_confdir'] = "/var/www/ganglia";
change: $conf['gmetad_root'] = "/var/lib/ganglia";

gmond
gmetad

On servers you want to monitor:

apt-get install hsflowd

Note: This package does not appear to be included anymore. Visit their website.

nano /etc/hsflowd.conf
change: DNSSD = off
change: polling = 20
change: sampling = 2000
change:
collector {
ip = (IP running gmond+gmetad)
udpport = 8649
}

/etc/init.d/hsflowd start

Visit your webserver to see your graphs. DONE!
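If no graphs show up, a port mismatch between hsflowd and gmond is worth ruling out first. The following is an added example, not part of the original how-to: it checks that the three settings the steps above set to 8649 (hsflowd's collector udpport, gmond's sflow udp_port and gmond's udp_recv_channel port) agree. The function names, the temporary sample files and the 192.0.2.10 address are constructed for the illustration.

```shell
#!/bin/sh
# Added example: confirm hsflowd and gmond agree on the sFlow UDP port.

# block_value FILE BLOCK KEY -> value of "KEY = value" inside "BLOCK { ... }"
block_value() {
    awk -v blk="$2" -v key="$3" '
        $1 == blk && $2 == "{"           { inside = 1; next }
        inside && $1 == "}"              { inside = 0 }
        inside && $1 == key && $2 == "=" { print $3; exit }
    ' "$1"
}

# check_sflow_ports GMOND_CONF HSFLOWD_CONF
# returns 0 = ports agree, 1 = mismatch, 2 = a setting is missing
check_sflow_ports() {
    sender=$(block_value "$2" collector udpport)
    sflow=$(block_value "$1" sflow udp_port)
    recv=$(block_value "$1" udp_recv_channel port)
    if [ -z "$sender" ] || [ -z "$sflow" ] || [ -z "$recv" ]; then
        echo "missing port setting"; return 2
    fi
    if [ "$sender" != "$sflow" ] || [ "$sender" != "$recv" ]; then
        echo "mismatch: hsflowd=$sender sflow=$sflow udp_recv_channel=$recv"
        return 1
    fi
    echo "ok: sFlow on UDP $sender"
}

# Constructed sample files mirroring the settings shown in the steps above.
demo_dir=$(mktemp -d)
cat > "$demo_dir/gmond.conf" <<'EOF'
udp_recv_channel {
   port = 8649
}
sflow {
  udp_port = 8649
  accept_vm_metrics = yes
}
EOF
cat > "$demo_dir/hsflowd.conf" <<'EOF'
collector {
ip = 192.0.2.10
udpport = 8649
}
EOF
check_sflow_ports "$demo_dir/gmond.conf" "$demo_dir/hsflowd.conf"
```

On a real setup, copy /etc/hsflowd.conf from a monitored server to the collector and run check_sflow_ports /usr/local/etc/gmond.conf against that copy.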

NOTE: There is a mistake in stacked.php as of January 16, 2013 which causes the graph to break. The exact error is: “PHP Parse error: syntax error, unexpected T_FOREACH in /var/www/ganglia/stacked.php”

To fix, search for “$min_index = min(array_keys($hosts))” and add a semi-colon to the end of the line:

nano /var/www/ganglia/stacked.php
change: $min_index = min(array_keys($hosts));

EDIT (8/5/2013): I recently read this article and decided to set my sampling rate to 2000. I was occasionally getting errors where my network speed was being measured in petabytes/s! Here is a second article about the same topic that is also worth a quick read.


Setup PSAD in Ubuntu 9+

Psad scans your firewall log in real time. It can be configured to automatically drop packets and more. While reading the guides that are available for this I ran into a problem: there was no /etc/syslog.conf. On Ubuntu’s webpage I found this release note. It says that as of Ubuntu 9.10, syslog has been upgraded with rsyslog. This can make setting up psad a little tricky.

This guide has been tested on Ubuntu 10.04 LTS Server and 10.10 Desktop

The first thing to do is install psad:

sudo apt-get install psad

Now edit the config file:

sudo nano /etc/psad/psad.conf

Change “ENABLE_SYSLOG_FILE Y;” to “ENABLE_SYSLOG_FILE N;”. We will not need psad to read our syslog.

Another setting to review right now depending on your environment is “EMAIL_ALERT_DANGER_LEVEL”.

Set the email at the top of the config file or leave the default, root. I have root’s mail set to forward to my real email address. To forward root (or any user’s) mail: place a file named “.forward” in their home folder. Inside the file enter the email address where the mail is to go.

Restart psad:

sudo /etc/init.d/psad restart

Next: configure iptables to log the non-legitimate packets. The logging rules need to go after the accept rules but before the drop. Confusing? It was for me.

For example, my default policy for INPUT and FORWARD is DROP, and my accept rules for specific ports are appended after it. The logging rules must therefore go at the end of the file, so that they only see packets that no earlier rule accepted, right before the default policy drops them.

$IPT -A INPUT -j LOG --log-prefix "firewall1 "
$IPT -A FORWARD -j LOG --log-prefix "firewall1 "

The prefix is going to allow rsyslog to filter the messages. After applying the log rules it is possible to view the end of the syslog to see if logging is working.

sudo tail /var/log/syslog
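The ordering rule above (log after the accepts, before the drop) can be checked mechanically. This is an added example, not part of the original guide: it reads iptables-save output and reports a missing LOG rule, an ACCEPT rule that comes after the LOG rule (legitimate traffic would reach psad) or a DROP/REJECT rule that comes before it (those packets would never be logged). The function names and the two sample dumps are constructed for the illustration.

```shell
#!/bin/sh
# Added example: check LOG-rule placement in iptables-save output.

# check_log_order CHAIN PREFIX   (reads an iptables-save dump on stdin)
# 0 = placement ok; 1 = no LOG rule with PREFIX in CHAIN;
# 2 = an ACCEPT follows the LOG rule or a DROP/REJECT precedes it.
check_log_order() {
    awk -v chain="$1" -v prefix="$2" '
        $1 != "-A" || $2 != chain { next }
        /-j LOG/ && index($0, "--log-prefix \"" prefix) { logged = 1; next }
        /-j ACCEPT/ && logged         { bad = bad "\n  accepted after LOG: " $0 }
        /-j (DROP|REJECT)/ && !logged { bad = bad "\n  dropped before LOG: " $0 }
        END {
            if (!logged)   { print chain ": no LOG rule with prefix " prefix; exit 1 }
            if (bad != "") { print chain ": misplaced rules" bad; exit 2 }
            print chain ": LOG rule placement ok"
        }'
}

# Constructed dumps with a default DROP policy, as in the text above.
good_dump() { cat <<'EOF'
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -p tcp -m tcp --dport 22 -j ACCEPT
-A INPUT -j LOG --log-prefix "firewall1 "
-A FORWARD -j LOG --log-prefix "firewall1 "
EOF
}
bad_dump() { cat <<'EOF'
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -j LOG --log-prefix "firewall1 "
-A INPUT -p tcp -m tcp --dport 22 -j ACCEPT
EOF
}

good_dump | check_log_order INPUT firewall1
bad_dump  | check_log_order INPUT firewall1 || true    # ACCEPT after LOG
bad_dump  | check_log_order FORWARD firewall1 || true  # no LOG rule at all
```

Against a live firewall, feed it the real rule set: sudo iptables-save | check_log_order INPUT firewall1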

The last step is for rsyslog to send the messages that contain “firewall1” to psad’s pipe.

sudo nano /etc/rsyslog.d/50-default.conf

We are going to place our rules at the top of the file. That way we can stop “firewall1” messages from making it to any other logs.

:msg, contains, "firewall1" |/var/lib/psad/psadfifo
:msg, contains, "firewall1" ~

Note: the ~ means to discard.

That’s it! Restart rsyslog:

sudo restart rsyslog

To view psad’s status:

sudo psad --Status

Comments and suggestions are welcome!!