thold + flowview = cool reports

[elkoba]

Hello!

Just installed cacti with thold. What a great stuff!!

For me is just one very important thing is still missed... I wanna not only know when my network links are overused but also know who use them, who puts a lot of traffic on them. So there must be some kind of "thold+netflowmonitor" plugin. One part detects that thershold is reached, send signal to netflow analyzator which make an analysis for last maybe 30 min and sends report via email to administrator. So admin will know that in last 30 min link is used for 90% and that particular source/destenation IPs do that. - Everything in one mail with all graphs.. or just a link to this report in cacti web page.

I think its pretty obvious that that kind of plugin should exist.... but i cant find anything. There is thold and there is flowview. But they are separated.

Am I wrong about non-existence?

With Best Regards for all developers!

[TheWitness]

Thold 0.4.6 is almost there stand alone. However, as a technique, you can combine the following plugins:

1) Thold 0.4.6 and RPN Based Thresholds. An example RPN for a Traffic Graph would be:

|ds:traffic_in|,|query_ifHighSpeed|,1000,8,*,*,/,100,*

Which would provide (I think) percent utilization (oh and your Traffic Template needs ifHighSpeed)

You would log the Thold Triggers and Alarms to Syslog

2) Install Syslog 1.22 and Create Alarms based upon the Substring Matches from the Thold

3) Execute a command based upon that alarm Syslog triggering.

4) Make sure THold is ahead of Syslog in the Plugins Ordering

Mission Impossible, Accomplished.

TheWitness

[elkoba]

Good Day!

Hmm... So, Thold will generate syslog message when thershold is reached. That message will go into syslog server where it will be analysed by server and will trigger some syslog server's alarm which will execute some command (script). Right? But where is netflow info? That script executed by syslog server will do something with netflow analyzator? If so, then this is very tricky thing for me. So mission is not accomplished %)

Anyway thank you!


Best Regards,
elkoba

[Howie]

Nothing to do with Cacti, but nfsen/nfdump lets you write fairly complex queries against netflow data to generate alerts.

[TheWitness]

Yea, just took a cursory look. I definately get's the job done. The only way to do better is use a Database, which is supported using flow-tools when using MySQL. But it's so much work.

http://nfsen.sourceforge.net/

TheWitness

[Howie]

Yea, just took a cursory look. I definately get's the job done. The only way to do better is use a Database, which is supported using flow-tools when using MySQL. But it's so much work.

http://nfsen.sourceforge.net/

TheWitness

And I need a 620GB database like I need a hole in my head. (current size of our nfsen data pool - covers a couple of months)