I can run "tail -f" on a specific logfile to see the requests coming in, but that doesn't let me monitor all 20-odd domains at once. It also doesn't summarize the data.
What I'm envisioning would have output something like this:
Domains
domain1.com: x file requests/min y page requests/min
domain2.com: x file requests/min y page requests/min
domain3.com: x file requests/min y page requests/min
Pages requested in the last minute:
page1.html: X requests
page2.html: Y requests
page3.html: Z requests
Most active IPs in the last minute:
200.10.200.10: x files / y pages on [which domain(s)]
100.20.100.20: y files / y pages on [which domain(s)]
300.50.300.50: z files / y pages on [which domain(s)]
I looked long and hard on Google for such a tool but couldn't find anything. It seems like something like this should exist, because certainly other people have wanted that functionality besides me, and it shouldn't be that hard to program -- the program just needs to know which logfiles to watch and then parse all the data. In fact, if such a thing *doesn't* exist then I smell a market opportunity. :)
So, is there something like this already?
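An added example (not from the thread) of the summarizer sketched above, in Python. It assumes the vhost logs are written in the combined format prefixed with the vhost name (%v) so one merged `tail -f` stream covers every domain, treats .html/.htm/.php and directory URLs as "pages" and everything else as "files", and the log lines below are constructed.

```python
import re
from collections import Counter, defaultdict
from datetime import datetime, timedelta, timezone

# Assumed format: combined log prefixed with the vhost name (%v), so one merged stream covers every domain.
LINE_RE = re.compile(r'^(?P<vhost>\S+) (?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
                     r'"[A-Z]+ (?P<path>\S+)[^"]*" \d{3} \S+')
PAGE_SUFFIXES = ('.html', '.htm', '.php', '/')  # everything else counts as a "file"

def parse_line(line):
    m = LINE_RE.match(line)
    if not m:
        return None  # unparseable line is skipped rather than killing the watcher
    ts = datetime.strptime(m['ts'], '%d/%b/%Y:%H:%M:%S %z')
    return {'vhost': m['vhost'], 'ip': m['ip'], 'path': m['path'].split('?', 1)[0], 'ts': ts}

def summarize(lines, now, window=timedelta(minutes=1)):
    domains = defaultdict(lambda: [0, 0])  # vhost -> [file requests, page requests]
    pages = Counter()                      # page path -> hits in the window
    ips = defaultdict(lambda: {'files': 0, 'pages': 0, 'domains': set()})
    for line in lines:
        rec = parse_line(line)
        if rec is None or not (now - window <= rec['ts'] <= now):
            continue  # outside the last `window`: old lines from the tail buffer are ignored
        is_page = rec['path'].endswith(PAGE_SUFFIXES)
        domains[rec['vhost']][int(is_page)] += 1
        if is_page:
            pages[rec['path']] += 1
        ips[rec['ip']]['pages' if is_page else 'files'] += 1
        ips[rec['ip']]['domains'].add(rec['vhost'])
    return dict(domains), pages, dict(ips)

def report(domains, pages, ips, top=3):
    # Render the three sections in the layout sketched in the question.
    out = ['Domains'] + [f'{v}: {f} file requests/min {p} page requests/min'
                         for v, (f, p) in sorted(domains.items())]
    out += ['Pages requested in the last minute:'] + [f'{p}: {n} requests' for p, n in pages.most_common(top)]
    busiest = sorted(ips.items(), key=lambda kv: -(kv[1]['files'] + kv[1]['pages']))[:top]
    out += ['Most active IPs in the last minute:'] + [
        f"{ip}: {c['files']} files / {c['pages']} pages on {', '.join(sorted(c['domains']))}"
        for ip, c in busiest]
    return '\n'.join(out)

# Constructed sample: three requests inside the minute ending at NOW, one older line that must be ignored.
SAMPLE = """\
domain1.com 192.0.2.10 - - [17/Jan/2007:21:21:10 -0500] "GET /page1.html HTTP/1.1" 200 512
domain1.com 192.0.2.10 - - [17/Jan/2007:21:21:11 -0500] "GET /logo.png HTTP/1.1" 200 2048
domain2.com 198.51.100.20 - - [17/Jan/2007:21:21:20 -0500] "GET /page2.html?x=1 HTTP/1.1" 200 800
domain2.com 192.0.2.10 - - [17/Jan/2007:21:20:30 -0500] "GET /page1.html HTTP/1.1" 200 512
""".splitlines()
NOW = datetime(2007, 1, 17, 21, 21, 41, tzinfo=timezone(timedelta(hours=-5)))
print(report(*summarize(SAMPLE, NOW)))
```

To run it live, replace SAMPLE with lines read from the merged `tail -f` stream and call summarize() once a minute with the current time.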
# ExtendedStatus controls whether Apache will generate "full" status
# information (ExtendedStatus On) or just basic information (ExtendedStatus
# Off) when the "server-status" handler is called. The default is Off.
#
ExtendedStatus On
This needs to be set/enabled first; then find this part:
# Allow server status reports, with the URL of [servername...]
# Change the ".your_domain.com" to match your domain to enable.
#
<Location /server-status>
    SetHandler server-status
    Order deny,allow
    # Deny from all
    # Allow from .your_domain.com
</Location>
The way it is above, anyone can see the stats.
You basically get a realtime connection status report for the server, showing stats for each slot including the request itself. I can't display them here, but the key looks like this.
Srv - Child Server number - generation
PID - OS process ID
Acc - Number of accesses this connection / this child / this slot
M - Mode of operation
SS - Seconds since beginning of most recent request
Req - Milliseconds required to process most recent request
Conn - Kilobytes transferred this connection
Child - Megabytes transferred this child
Slot - Total megabytes transferred this slot
This would let you see if you're getting a million hits at the same time for a single file or from a single IP -- there is also a global display of requests/sec and bytes/request, and it's also useful for helping you configure the server's max connections [ThreadsPerChild=].
Current Time: Wednesday, 17-Jan-2007 21:21:41 Eastern Standard Time
Restart Time: Tuesday, 16-Jan-2007 18:25:34 Eastern Standard Time
Parent Server Generation: 1
Server uptime: 1 day 2 hours 56 minutes 7 seconds
Total accesses: 212293 - Total Traffic: 2.7 GB
2.19 requests/sec - 28.9 kB/second - 13.2 kB/request
1 requests currently being processed, 127 idle servers
______________W_________________________________________________
________________________________________________________________
................................................................
................................................................
Scoreboard Key:
"_" Waiting for Connection, "S" Starting up, "R" Reading Request,
"W" Sending Reply, "K" Keepalive (read), "D" DNS Lookup,
"L" Logging, "G" Gracefully finishing, "." Open slot with no current process
It's basically a small page of plain text info -- so don't expect any fancy graphs or anything.
* I can't believe anyone runs an Apache HTTPd without using this.
I dunno, though... it seems like a tool like this should be immensely popular, but if that were true, it also seems like someone would have created one before now.
(1) SNMP, and SNMP-monitoring tools.
SNMP is a protocol for gathering remote management information. Most OSes and most server applications (e.g. Apache) have SNMP built in or available through modules or plugins. In addition, many hardware devices (routers, etc.) support SNMP.
Although SNMP can be used both for monitoring and control, it is most commonly used for monitoring.
Once your OS and server(s) are set-up to use SNMP, you can use any of a huge variety of SNMP monitoring apps to poll them and display the data as you wish.
Examples of the type of information available remotely via SNMP would be CPU load, page swaps, disk usage, disk transfer rate, bandwidth, memory usage, etc. etc. etc. A webserver might report things such as open connections, bytes/second, number of unique users, number of logged-in users, etc. etc.
(2) Other management and reporting protocols. WBEM (Web-Based Enterprise Management), CIM, etc. These are less popular in the Linux world but more popular in the Windows world.
(3) Tools that integrate information from multiple sources. Nagios would be a good example of this. Nagios is able to use SNMP, WBEM, CIM, as well as simpler tools such as ping, local shell scripts, remote shell scripts, etc. It allows you to design displays that integrate the information you want in the way you want to see it. Although it has a web GUI for display, it does not have a GUI for setup. (You configure it using text files.) So, setup is a bit painful, but you can get just what you want, and it has a HUGE variety of ways you can get at the information that you want to display and log. Nagios has its own client daemon that you can install on your servers, as well.
You're looking to find out what's happening "right now" -- you'll never find that in any of the Apache logs -- this is because requests are not logged until after they have been serviced, so if your HTTPd is being DoS'ed you won't see that reflected in the logs until after the attack has completed -- by then it's way too late, and you'd be hard-pressed to look back into the logs to see the attack reflected.
Now, the /server-status works differently: in addition to showing the slots as they are being accessed servicing requests, it shows the connection state of each request in real time -- this is important because requests that have been serviced but are still in the KeepAlive state will still be unavailable to service a new request (from a new IP) -- download accelerators can be configured to open 20 or more connections to an HTTPd at the same time for each file they want, so it's real easy for a single IP to consume 100 slots for five files -- you may not see this in the log because the requests will not likely finish or start at the same time.
The part of the report I can not show was the detail listing -- this shows IPs and the time (in seconds) that the request has been serviced, among other useful things like the actual GET/HEAD/POST, etc. request itself.
* Don't dismiss it until you've seen it -- this is what you need.
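An added example (not from the thread) that parses the plain-text /server-status block quoted earlier and the scoreboard key shown with it, counts slots per state, and flags the situation described above where connections parked in KeepAlive are what is holding the busy slots. The status text below is constructed; the KEY table uses only the states listed in the post.

```python
import re
from collections import Counter

# Scoreboard key as printed by mod_status (the key shown in the post above).
KEY = {'_': 'waiting', 'S': 'starting', 'R': 'reading', 'W': 'sending',
       'K': 'keepalive', 'D': 'dns', 'L': 'logging', 'G': 'graceful',
       '.': 'open'}
STATUS_RE = {
    'requests_per_sec': r'([\d.]+) requests/sec',
    'busy': r'(\d+) requests? currently being processed',
    'idle': r'(\d+) idle servers',
}

def parse_status(text):
    """Pull the headline numbers and the scoreboard out of a plain-text /server-status page."""
    info = {}
    for name, pat in STATUS_RE.items():
        m = re.search(pat, text)
        info[name] = float(m.group(1)) if m else None
    # scoreboard rows are the only lines made solely of key characters
    board = ''.join(line.strip() for line in text.splitlines()
                    if line.strip() and set(line.strip()) <= set(KEY))
    info['states'] = Counter(KEY[ch] for ch in board)
    info['slots'] = len(board)
    return info

def slot_pressure(info, keepalive_warn=0.5):
    """Share of live slots a new client cannot get, and whether KeepAlive is what holds them."""
    live = info['slots'] - info['states'].get('open', 0)
    tied_up = live - info['states'].get('waiting', 0)
    keepalive = info['states'].get('keepalive', 0)
    return {
        'live_slots': live,
        'in_use': tied_up,
        'in_use_ratio': round(tied_up / live, 3) if live else 0.0,
        'keepalive_dominant': keepalive >= keepalive_warn * tied_up if tied_up else False,
    }

# Constructed sample: 64 live slots, 23 of them busy and 20 of those parked in KeepAlive.
BOARD = 'W__' + 'K' * 20 + '__RW' + '_' * 37
DOTS = '.' * 64
SAMPLE = f"""\
2.19 requests/sec - 28.9 kB/second - 13.2 kB/request
23 requests currently being processed, 41 idle servers
{BOARD}
{DOTS}
Scoreboard Key:
"_" Waiting for Connection, "S" Starting up, "R" Reading Request,
"""
print(slot_pressure(parse_status(SAMPLE)))
```

Polling this from each of the servers once a minute gives the "right now" view the logs cannot, without installing anything beyond mod_status.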
Nagios can do this, as can a number of other solutions.
It can gather information from SNMP, WBEM, or even any shell script that you can dream up. (Nagios will run the shell script periodically, remotely.)
SNMP (using an Apache SNMP module, and/or SNMP reporting built-in to Linux networking) will provide the kind of traffic information you are asking for, and Nagios can consolidate this from multiple sites. But you don't want to hear about SNMP. It's a protocol. Don't want to know anything about protocols...
You could certainly write some shell scripts to "tail the logs" as you suggested, and feed that information back to Nagios. But you don't want to be bothered.
The key here is "building". You have to do some work. Build it step by step, and perhaps the task won't seem so daunting. It's unlikely you are going to find exactly what YOU want, right out of the box.