EDDIE Manual

EDDIE - Manual

Installation
- Downloading
- Installing
Configuration
Other Features
- Console

Installation

Downloading

You need to download the following:

Required:
- EDDIE - http://eddie-tool.net/download/
- Python 1.6+ - http://www.python.org/ (must support threads) - Tested with Python versions 1.6.1 through to 2.2.1.
Optional:
- Elvin 4 - http://elvin.dstc.edu.au/ - Elvin is the message system supported by EDDIE and some of its related tools to pass alerts, collected data, etc between them. It is not required for basic monitoring.
- elvinrrd - http://www.psychofx.com/elvinrrd/ - the daemon for storing EDDIE-collected data into RRD databases.
- estored - available soon - the daemon for storing EDDIE-collected data into databases.

Installing

Follow the QUICKSTART document (also located in the eddie/doc/ directory) or continue with the steps below.

Python - first install Python by following the instructions included in the Python distribution. EDDIE is written in Python and will not work if Python is not available. Python must have been compiled with thread support as EDDIE is fully threaded. EDDIE has been tested with Python versions 1.6.1 through to 2.2.1 under Linux, Solaris and HP-UX.
EDDIE - un-tar EDDIE into your favorite directory, eg: /opt $ cd /opt $ gtar xvzf eddie-0.xx.tgz Edit the main EDDIE file, eddie.py in the bin directory $ vi eddie-0.xx/bin/eddie.py and change the first line to point to your Python interpreter, eg: #!/opt/python/bin/python Note: DO NOT remove the special '#!' characters.
That should be all that is needed to get EDDIE up & running. You can test that EDDIE will work by running it, eg: $ /installdir/eddie-0.xx/bin/eddie.py You should see the version of EDDIE and your system type, eg: EDDIE v0.25
systype: Linux/2.2.5-15/i586 You can see what systems are supported by EDDIE by looking in the eddie/lib/ directory. Besides common, the other directories will be specific to different operating systems (e.g., 'Linux', 'SunOS'). If your system is not supported yet you will have to wait for a port of EDDIE to your system or contact the developers to see about porting it yourself.
If you see the above output with no major error messages then EDDIE is working. However, without any configuration it will not be doing anything. Now the hard^H^H^H^Hfun part, building the configuration. (Press [CTRL]-C to stop it.)

Configuration

Config files

The EDDIE config files should be in /installdir/eddie-0.xx/config. EDDIE begins by looking for an eddie.cf file in this directory, ie: $ /installdir/eddie-0.xx/config/eddie.cf
EDDIE is distributed with a config.sample directory containing example configuration files. You should look over these to get an idea of how the configuration works.
You must first create a config directory, if one isn't there already, eg: $ mkdir /installdir/eddie-0.xx/config then create an eddie.cf file in this new directory. You can copy and change the config.sample/eddie.cf file if you like.
It is common for the EDDIE Directives (the rules which EDDIE uses to collect data and perform actions) to be written in separate rules files. These are then INCLUDEd in the main eddie.cf config file. The rules files can be in the same directory as eddie.cf or can be in subdirectories under it. It is common for a complex setup to split the rules into multiple files grouped by commonality.

Global configurables

The global configurables are usually in eddie.cf and are listed below:

LOGFILE - the file to log to (this should be the first thing set so that any problems are logged to the right place).
LOGLEVEL - how much detail to log to the above logfile.
ADMIN - the administrator's email address.
ADMINLEVEL - how much log detail to send to the admin.
ADMIN_NOTIFY - how often to send admin log emails.
NUMTHREADS - the maximum number of threads (including supporting threads and directive threads) EDDIE will attempt to limit itself to using. This should be a minimum of 5.
SCANPERIOD - the default time to wait between checks; can be overridden by each directive. See Time Definition for definition of time format.
CONSOLE_PORT - defines the tcp port EDDIE binds to to provide a console interface to the directive states; this defaults to 33343, and can be set to 0 to disable this feature (see Console).
EMAIL_FROM - the From: address to be used by the email action. Will default to the user EDDIE is run as.
EMAIL_REPLYTO - the Reply-To: address to be used by the email action. Defaults to empty string, "".
ELVINURL - the URL of an Elvin server (if required).
ELVINSCOPE - the scope of an Elvin server (if required).
INTERPRETERS - commands classed as "interpreters" by process checking rules.
CLASS - a grouping of hosts which share the same directives.
ALIAS - global aliases can be set here, if required.
INCLUDE - include another configuration file; it is common to split the rules into different files in a large installation.

eddie.cf is well documented, so read through the file and modify the settings to suit your environment.

The EDDIE configuration follows the standard Python code format. Where methods or child objects of an object are indicated by indenting them beneath the parent object definition, sub-objects or parameters of a directive object are similarly indicated by indenting them beneath the parent object definition. For example, a notification object definition may look like:

         N COMMONALERT:

             # Info
             Level 0:
                 email(INFO_EMAIL,INFO)

             # Warning
             Level 1:
                 email(ALERT_EMAIL,WARN)

             # Alert
             Level 2:
                 email(ALERT_EMAIL,ALERT),ticker(ALERT_P)

             # Serious Alert
             Level 3:
                 email(ALERT_EMAIL,ALERT),email(SYSSUP_EMAIL,ALERT_P),ticker(ALERT_P)

The parameters and child objects of the parent object, N, are indented. Similarly for the Level objects. If you are used to Python coding this will be second nature to you. If you are not, it will not be hard to pick up.

Similarly, directive definitions are formatted as follows:

             DIRECTIVE name:
                 argument1=value1
                 [argument2=value2
                 ...]

where "DIRECTIVE" is the directive name, like PROC or FS, and "name" is the user-defined name of this directive object. The arguments customize the directive appropriately. Some arguments are directive-specific while others are common to all directives. E.g.:

             PROC test:
                procname='syslogd'
                rule=NR
                scanperiod='30s'
                action='COMMONALERT(commonmsg.proc,1)'

This is an example definition of a PROC directive, called 'test'. It contains the PROC-specific arguments, 'procname' and 'rule'. 'scanperiod' and 'action' are arguments which are common to all directives. Some arguments are optional while others are required, and errors will be raised if they are missing. In this example 'procname', 'rule' and 'action' are all required. 'scanperiod' is optional.

Simple Configuration

An EDDIE configuration can be simple to get basic monitoring started quickly and made as complicated as required to perform advanced operations. A simple example rules file is shown below to monitor basic services on a host. This rules file, named simple.rules, would be placed in the same directory as eddie.cf and eddie.cf would contain the entry

INCLUDE 'simple.rules' The file simple.rules contains

        # Process checks
	PROC syslogd:
            procname='syslogd'
            rule=NR
            action="email('root', '%(procp)s is not running on %(h)s')"
	PROC inetd:
            procname='inetd'
            rule=NR
            action="email('root', '%(procp)s is not running on %(h)s')"
	PROC sshd:
            procname='sshd'
            rule=NR
            action="email('root', '%(procp)s is not running on %(h)s')"

	# Filesystem checks
	FS root:
            fs='/'
            rule="capac>=90"
            action="email('root', '%(fsf)s over 90%% on %(h)s')"
	FS varlog:
            fs='/var/log'
            rule="capac>=90"
            action="email('root', '%(fsf)s over 90%% on %(h)s')"

        # Service Port checks
	SP smtp_port:
            port='smtp'
            protocol='tcp'
            bindaddr='0.0.0.0'
            action="email('root', '%(spprot)s/%(spport)s on %(h)s is not listening')"
	SP http_port:
            port='http'
            protocol='tcp'
            bindaddr='0.0.0.0'
            action="email('root', '%(spprot)s/%(spport)s on %(h)s is not listening')"

        # System statistics checks
	SYS loadaverage:
            rule="loadavg1 > 3.00"
            scanperiod='1m'
            action="email('root', '%(h)s load-average > 3.00')"

Directives

The directives are the configuration commands which tell EDDIE what to do. They are of the form:

   DIRECTIVE name: arg1=value1
		   arg2=value2
		   argn=valuen

Where "DIRECTIVE" is the name of the directive itself (see Built-in Directives); "name" is a user-defined name of the directive definition (the directive ID is usually constructed as "DIRECTIVE.name", e.g., "FS.root", and will appear in the logs, console, etc); "args" are arguments to define what the directive should do and how it should do it. Some arguments are common to all directives and others are specific to that type of directive.

Common Directive Arguments:

scanperiod=<time> - this changes how often the directive will be run (the default is the time period specified by SCANPERIOD in eddie.cf). See Time Definition for formats of <time>.
numchecks=<integer> - the number of checks to perform before the state will be set to fail and actions called. The time between these "re-checks" is set by the checkwait argument.
checkwait=<time> - the time between "re-checks" if the numchecks argument is greater than 1. See Time Definition for formats of <time>.
action=<actionlist> - this is a list of actions (see Actions) to be performed if the directive enters the failed state. i.e., if the directive is performing a check and the check fails, these actions will be called.
act2ok=<actionlist> - this is a list of actions (see Actions) to be performed when the directive state changes from failed to ok.
actelse=<actionlist> - this is a list of actions (see Actions) to be performed when the directive state was ok and is still ok after running any checks.
console=<display_string> - define what is output to EDDIE Console connections for the current directive. Set to None to hide this directive from the Console.

Built-in Directives: The built-in directives are as follows:

PROC - define a process checking rule.
FS - define a filesystem checking rule.
SP - define a local service port checking rule.
PID - define a PID-file checking rule.
COM - define a custom command rule.
PORT - define a remote port checking rule.
IF - define a network interface checking rule.
NET - define a network statistics rule.
SYS - define a system statistics rule.
STORE - define a data storage rule.
LOGSCAN - define a log scanning rule.
POP3TIMING - time & check on POP3 connections.
RADIUS - perform radius authentication tests.
CRON - a special test for cron.
METASTAT - some tests for Solaris Disksuite.
PING - network host ping testing.
FILE - for testing file stats or changes.

Note that there may be many more directives depending on the version of EDDIE or any new or optional directives which may have been added to the distribution.

PROC

PROC-specific arguments:

procname: specifies the name of the process to perform the check on. The value is a string and is defined as the name of the program running, not including any path information or arguments. For example, if a process is shown as "/usr/sbin/syslogd -r", the value of procname should be "syslogd" only.
An exception is programs executed by some type of interpreter, like 'sh', 'perl', 'python', etc. Any program name defined in the global config INTERPRETERS (see Global configurables) is assumed to be an interpreter and the procname in this case will be the first argument (excluding any path information). For example, a program shown in ps as "/usr/bin/perl /var/tmp/test -x" will match a procname value of "test" provided that "perl" exists in the INTERPRETERS setting.
The procname argument must be specified.
Example: procname='syslogd'
rule: the rule used to perform the check. If the rule evaluates to true, then the action(s) will be taken. The simplest rules are "NR" and "R". These are shorthand rules meaning either "true if the process is Not Running" or "true if the process is Running" respectively.
The rule can also be a string which will be evaluated in a Python name-space. The variables available in this name-space will be every piece of data about the process that EDDIE can find, like "uid", "ppid", "pcpu", "vsz", etc. The types of data available will be OS-dependent. You should examine the proc.py module in the system-specific lib directory to see what is available.
The rule could be something like "vsz > 40000" which would be true if the memory footprint (vsz) of the program was over 40000 bytes.
The rule argument must be specified.
Examples: rule=NR
rule='pcpu > 50.0'

The PROC directive is used to perform process checks. In the simplest case it is used to check if a process is not running when it should be (or running when it should not be). More complex rules can also be written, using most of the process statistics such as memory-usage, owner, percentage cpu used, running time, etc.
Examples:

        # alert if cron is not running
        PROC cron:
            procname='cron'
            rule=NR
            action='email("alert", "cron is not running on %(h)s")'

        # syslog has a memory leak - alert if using over 50MB
        PROC syslogmem:
            procname='syslogd'
            rule='vsz > 50000'
            action='email("alert", "syslogd using over 50MB")'

FS

FS-specific arguments:

fs: specifies the filesystem to perform the check on. The value, a string, is the mount point of the filesystem (e.g., "/", "/var/log").
The fs argument must be specified.
Example: fs='/var/log'
rule: the rule used to perform the check. If the rule evaluates to true, then the action(s) will be taken. The rule is a string which will be evaluated in a Python environment. The environment will contain variables representing the filesystem statistics. The variables are:
- size - the size in KB
- used - the amount of the filesystem used in KB
- avail - the amount of the filesystem available in KB
- capac - the percentage of filesystem used
The rule argument must be specified.
Examples: rule='capac > 95.0'
rule='avail < 350000'

The FS directive is used to perform filesystem checks. Rules can be simple or complex, based on the size of the filesystem, amount of space used and available, and percentage full.
Examples:

        # alert if / over 95% full
        FS root:
            fs='/'
            rule='capac > 95'
            action='email("alert", "/ is over 95%% full on %(h)s")'

        # alert if /var has less than 100MB available
        FS var:
            fs='/var'
            rule='avail < 100*1024'
            action='email("alert", "/var has less than 100MB free on %(h)s")'

SP

SP-specific arguments:

port: specifies the port to perform the check on. The value can either be the port number as an integer; or the port name as a string, as found in /etc/services. (e.g., 25, 80, "smtp", "ftp").
The port argument must be specified.
Examples: port=80
port='smtp'
protocol: the protocol corresponding to the port being checked. This is a string, and will be commonly "tcp" or "udp".
The protocol argument must be specified.
Example: protocol="tcp"
bindaddr: the address the listening protocol/port should be bound to. This is usually an IP address, or the wilcard address: '0.0.0.0' on Linux or '*' on SunOS. (See 'netstat -anv'.)
Examples: binaddr='0.0.0.0'
bindaddr='10.0.0.5'

The SP directive is used to perform checks on listening service ports. These can be either tcp or udp ports. If nothing is currently listening on the given port, protocol and bind address combination, the check has failed and the action(s) will be called.
Examples:

        # alert if nothing listening on http port
        SP http:
            port='http'
            protocol='tcp'
	    bindaddr='0.0.0.0'
            action='email("alert", "http port not bound to on %(h)s")'

        # alert if nothing listening on port 22 on 10.0.0.5
        SP sshport:
            port=22
            protocol='tcp'
	    bindaddr='10.0.0.5'
            action='email("alert", "10.0.0.5:22 not bound to")'

PID

PID-specific arguments:

pid: specifies the pid file to perform checks on. This is simply a filename as a string. (e.g., "/var/run/sshd.pid").
The pid argument must be specified.
Example: pid="/var/run/syslog.pid"
rule: two rules are supported for the PID directive. EX checks that the pid file exists, and actions are called if not. PR checks that the pid found in the pid file currently exists in the process table. If not, the actions are called.
The rule argument must be specified.
Examples: rule=EX
rule=PR

The PID directive is used to perform simple checks using pid files which some program generate. The first check is whether the pid file exists or not, which can often indicate whether the program is running or not; and the second check makes sure the pid found in the pid file is a in the process table.
Examples:

        # alert if the sshd pid file doesn't exist
        PID sshdpid1:
            pid='/var/run/sshd.pid'
	    rule=EX
            action='email("alert", "sshd pid file not found on %(h)s")'

        # alert if the sshd pid doesn't match the process table
        PID sshdpid2:
            pid='/var/run/sshd.pid'
	    rule=PR
            action='email("alert", "sshd pid not in process table on %(h)s")'

COM

COM-specific arguments:

cmd: specifies the command to execute. This is a string which will be executed by a system() call, hence a standard shell command.
The cmd argument must be specified.
Example: cmd="ps -ef | grep netscape | wc -l" # count number of netscapes running
rule: the rule to test the output of the executed command. This is a string that is executed in a Python environment. Three variables are set in the environment to be used for testing:
- out: The standard output (stdout) of the command;
- err: The error output (stderr) of the command;
- ret: The return value of the command executed.
The rule argument must be specified.
Example: rule="int(out) > 4"

The COM directive is a generic directive to be used to perform custom checks that other directives cannot handle. It simply executes the given string via a system() call, and captures the stdout/stderr and return value for testing by a custom rule.
Security note: if EDDIE is run as root, the config files should not be world-writable as obviously directives like COM can execute any commands.
Examples:

	# Check load average (the hard way)
	COM loadavg: cmd="uptime | cut -d, -f4 | awk '{print $3}'"
		rule="float(out) > 6.0"
		action='email("alert", "Load on %(h)s is > 6.0")'

	# Check number of netscapes running
	COM loadavg: cmd="ps -ef | grep netscape | wc -l"
		rule="int(out) > 6.0"
		action='email("alert", "There are %(comout)s netscapes running on %(h)s")'

PORT

PORT-specific arguments:

host: the remote host to connect to. This is a string representing the hostname or IP address.
The host argument must be specified.
Example: host="10.0.0.5"
port: the tcp port to connect to of the above host. This value is an integer.
The port argument must be specified.
Example: port=25
send: a string to send to the remote host.
The send argument must be specified, but can be an empty string, "".
Example: send="\n"
expect: a regular expression string to match the reply with. If the reply from the remote host does not match the expect regular expression, the action(s) are called.
The expect argument must be specified, but can be an empty string, "".
Example: expect="220.*"

The PORT directive tests remote tcp based services. The simplest test is whether the service is accepting remote connections (when both send and expect are empty strings). The test can be made more complex by defining send and expect with appropriate strings. The send string will be sent to the remote host after connecting, and any reply will be matched against the expect regular expression. Actions are called depending on the match.
Examples:

	# check that 10.0.0.5 is accepting connections on port 80
	PORT webcheck:
		host='10.0.0.5'
		port=80
		send=""
		expect=""
		action="email('alert', 'port 80 not responding on 10.0.0.5')"

	# check that 10.0.0.5 is accepting connections on port 25
	PORT smtpcheck:
		host='www.domain.name'
		port=25
		send="\n"
		expect="220.*"
		action="email('alert', 'port 25 not responding on 10.0.0.5')"

IF

IF-specific arguments:

name: the name of the interface to check.
The name argument must be specified.
Example: name="hme0"
rule: the rule is either one of the simple preset checks, NE or EX, or a custom check given as a string. The simple checks are used to test if the interface is either non-existent (NE), or does exist (EX). The custom string check is executing in a Python environment and the following variables are available to be tested:
- name: the name of the interface;
- mtu: the MTU value;
- net: the network address;
- address: the IP address;
- ipkts: the input packet count;
- ierrs: the input packet error count;
- opkts: the output packet count;
- oerrs: the output packet error count;
- collis: the collision count;
- queue: the queue count.
The rule argument must be specified.
Examples: rule=NE rule="100.0*ierrs/ipkts > 10.0"

The IF directive provides a mechanism for testing network interfaces. Interfaces listed in "netstat -i" are available for testing. The test can be simply whether the interfaces exists on a host or not; or it can be a more complex rule based on various statistics about that interface.
Examples:

	# alert if eth0 interface has disappeared
	IF ethexists:
		name='eth0'
		rule=NE
		action="email('alert', 'eth0 has disappeared on %(h)s')"

	# alert if input packet errors are greater than 10%
	IF ierrs:
		name='hme0'
		rule="100.0*ierrs/ipkts > 10.0"
		action="email('alert', 'input packet error > 10% on hme0')"

NET

NET-specific arguments:

rule: the rule is a string to be executed in a Python environment. Variables representing network statistics are available for testing in this environment. The variables present are the fields shown from a 'netstat -s' call on the local host.
The rule argument must be specified.
Example: rule="udpInErrors > 0"

The NET directive provides an interface to the kernel network statistics usually provided by a call to 'netstat -s'. Simple or complex rules can be written using those network statistics.
Example:

	# alert if any UDP input errors
	IF udpinerr:
		rule="udpInErrors > 0"
		action="email('alert', '%(h)s has UDP input errors')"

SYS

SYS-specific arguments:

rule: the rule is a string to be executed in a Python environment. Variables representing system statistics are available for testing in this environment. The variables present are system dependent but are currently:
Solaris:

  System stats from '/usr/bin/uptime':
      uptime          - time since last boot (string)
      users           - number of logged on users (int)
      loadavg1        - 1 minute load average (float)
      loadavg5        - 5 minute load average (float)
      loadavg15       - 15 minute load average (float)

  System counters from '/usr/bin/vmstat -s' (see vmstat(1M)):
      ctr_swap_ins                            - (long)
      ctr_swap_outs                           - (long)
      ctr_pages_swapped_in                    - (long)
      ctr_pages_swapped_out                   - (long)
      ctr_total_address_trans_faults_taken    - (long)
      ctr_page_ins                            - (long)
      ctr_page_outs                           - (long)
      ctr_pages_paged_in                      - (long)
      ctr_pages_paged_out                     - (long)
      ctr_total_reclaims                      - (long)
      ctr_reclaims_from_free_list             - (long)
      ctr_micro_hat_faults                    - (long)
      ctr_minor_as_faults                     - (long)
      ctr_major_faults                        - (long)
      ctr_copyonwrite_faults                  - (long)
      ctr_zero_fill_page_faults               - (long)
      ctr_pages_examined_by_the_clock_daemon  - (long)
      ctr_revolutions_of_the_clock_hand       - (long)
      ctr_pages_freed_by_the_clock_daemon     - (long)
      ctr_forks                               - (long)
      ctr_vforks                              - (long)
      ctr_execs                               - (long)
      ctr_cpu_context_switches                - (long)
      ctr_device_interrupts                   - (long)
      ctr_traps                               - (long)
      ctr_system_calls                        - (long)
      ctr_total_name_lookups                  - (long)
      ctr_toolong                             - (long)
      ctr_user_cpu                            - (long)
      ctr_system_cpu                          - (long)
      ctr_idle_cpu                            - (long)
      ctr_wait_cpu                            - (long)

  Process/memory stats from '/usr/bin/vmstat' (see vmstat(1M)):
      procs_running   - number of processes running (int)
      procs_blocked   - number of processes blocked (int)
      procs_waiting   - number of processes waiting (int)
      mem_swapfree    - amount of free swap (kB) (int)
      mem_free        - amount of free RAM (kB) (int)

Linux:

  loadavg1              - 1min load average (float)
  loadavg5              - 5min load average (float)
  loadavg15             - 15min load average (float)
  ctr_uptime            - uptime in seconds (float)
  ctr_uptimeidle        - idle uptime in seconds (float)
  ctr_cpu_user          - total cpu in user space (int)
  ctr_cpu_nice          - total cpu in user nice space (int)
  ctr_cpu_system        - total cpu in system space (int)
  ctr_cpu_idle          - total cpu in idle thread (int)
  ctr_cpu%d_user        - per cpu in user space (e.g., cpu0, cpu1, etc) (int)
  ctr_cpu%d_nice        - per cpu in user nice space (e.g., cpu0, cpu1, etc) (int)
  ctr_cpu%d_system      - per cpu in system space (e.g., cpu0, cpu1, etc) (int)
  ctr_cpu%d_idle        - per cpu in idle thread (e.g., cpu0, cpu1, etc) (int)
  ctr_pages_in          - pages read in (int)
  ctr_pages_out         - pages written out (int)
  ctr_pages_swapin      - swap pages read in (int)
  ctr_pages_swapout     - swap pages written out (int)
  ctr_interrupts        - number of interrupts received (int)
  ctr_contextswitches   - number of context switches (int)
  ctr_processes         - number of processes started (I think?) (int)
  boottime              - time of boot (epoch) (int)

HP-UX:

  System stats from '/usr/bin/uptime':
      uptime          - (string)
      users           - (int)
      loadavg1        - (float)
      loadavg5        - (float)
      loadavg15       - (float)

  System counters from '/usr/bin/vmstat -s' (see vmstat(1)):
      ctr_swap_ins                                    - (long)
      ctr_swap_outs                                   - (long)
      ctr_pages_swapped_in                            - (long)
      ctr_pages_swapped_out                           - (long)
      ctr_total_address_trans_faults_taken            - (long)
      ctr_page_ins                                    - (long)
      ctr_page_outs                                   - (long)
      ctr_pages_paged_in                              - (long)
      ctr_pages_paged_out                             - (long)
      ctr_reclaims_from_free_list                     - (long)
      ctr_total_page_reclaims                         - (long)
      ctr_intransit_blocking_page_faults              - (long)
      ctr_zero_fill_pages_created                     - (long)
      ctr_zero_fill_page_faults                       - (long)
      ctr_executable_fill_pages_created               - (long)
      ctr_executable_fill_page_faults                 - (long)
      ctr_swap_text_pages_found_in_free_list          - (long)
      ctr_inode_text_pages_found_in_free_list         - (long)
      ctr_revolutions_of_the_clock_hand               - (long)
      ctr_pages_scanned_for_page_out                  - (long)
      ctr_pages_freed_by_the_clock_daemon             - (long)
      ctr_cpu_context_switches                        - (long)
      ctr_device_interrupts                           - (long)
      ctr_traps                                       - (long)
      ctr_system_calls                                - (long)
      ctr_Page_Select_Size_Successes_for_Page_size_4K - (long)
      ctr_Page_Select_Size_Successes_for_Page_size_16K - (long)
      ctr_Page_Select_Size_Successes_for_Page_size_64K - (long)
      ctr_Page_Select_Size_Successes_for_Page_size_256K - (long)
      ctr_Page_Select_Size_Failures_for_Page_size_16K - (long)
      ctr_Page_Select_Size_Failures_for_Page_size_64K - (long)
      ctr_Page_Select_Size_Failures_for_Page_size_256K - (long)
      ctr_Page_Allocate_Successes_for_Page_size_4K    - (long)
      ctr_Page_Allocate_Successes_for_Page_size_16K   - (long)
      ctr_Page_Allocate_Successes_for_Page_size_64K   - (long)
      ctr_Page_Allocate_Successes_for_Page_size_256K  - (long)
      ctr_Page_Allocate_Successes_for_Page_size_64M   - (long)
      ctr_Page_Demotions_for_Page_size_16K            - (long)

The rule argument must be specified.
Example: rule="loadavg1 > 2.0"

The SYS directive provides an interface to the kernel's system statistics. Simple or complex rules can be written using those system statistics.
Example:

	# alert if 1 minute load average > 2
	IF loadavg1:
		rule="loadavg1 > 2.0"
		action="email('alert', '%(h)s has loadavg1 > 2.0')"

STORE

TBA

LOGSCAN

LOGSCAN-specific arguments:

file: the filename to scan.
The file argument must be specified.
Example: file="/var/log/syslog"
regex: the regular expression to scan for. Each line is compared against the regular expression and matching lines are added to the logscanlines variable.
The file argument must be specified.
Examples: regex=".*"
regex=".*ALERT.*"

Action string variables:

logscanfile (string): the filename being scanned
logscanlinecount (int): the number of lines matched during this scan
logscanlines (string): all the matching lines separated by carriage-returns

The LOGSCAN directive is used to watch files. A regular expression is used to pick out important lines from the file. The simplest action is to have the matched lines emailed to a user.
Example:

	# Email all entries from /var/log/messages to alert every 12 hours.
        LOGSCAN messages:
	    file='/var/log/messages'
            regex='.*'
            scanperiod='12h'
            action='email("alert", %(h)s:%(logscanfile)s", "-- Logscan matched %(logscanlinecount)d lines: --\n%(logscanlines)s")'

POP3TIMING

POP3TIMING-specific arguments:

server: the server to connect to. This is the a hostname followed by an optional tcp port separated by a colon.
The server argument must be specified.
Examples: server="10.0.0.5"
server="pop3.domain.com:1100"
user: the user name to login as.
The user argument must be specified.
Example: user="fred"
password: the password to login with.
The password argument must be specified.
Example: password="foo"

Action string variables:

pop3timinghost (string): the hostname of the POP3 server
pop3timingport (int): the tcp port of the POP3 server
pop3timingusername (string): the user being logged in
pop3timingpassword (string): the password of the user
pop3timingconnecttime (float): the elapsed time before the banner is shown in the tcp connection in seconds
pop3timingauthtime (float): the time taken to AUTH the user in seconds
pop3timinglisttime (float): the time taken to perform a LIST command in seconds
pop3timingretrtime (float): the time taken to perform a RETR command in seconds

The POP3TIMING directive is used to measure the performance of a POP3 server. EDDIE connects to the given POP3 server/port and logs in as the given user, then performs some standard commands before closing the connection. The time taken for each step of the connection are timed and stored in variables to be used by the action(s).
Example:

        POP3TIMING pop3test:
	    server='pop3.domain.com'
            user='fred'
            password='foo'
            action="email('mary', 'host=%(pop3timinghost)s, username=%(pop3timingusername)s, connecttime=%(pop3timingconnecttime)s, authtime=%(pop3timingauthtime)s, listtime=%(pop3timinglisttime)s, retrtime=%(pop3timingretrtime)s')"

RADIUS

TBA

CRON

TBA

METASTAT

TBA

PING

TBA

FILE

TBA

Notification and Message objects

Notification objects define levels of actions to be performed. Usually, the higher the level, the more serious the actions will be. Later versions of EDDIE will use notification objects for advanced features like problem escalation.
Message objects define messages to be used in actions like email or paging. They are grouped together to provide a common way to call them from notification objects.

N - define a Notification object, containing levels of actions.

         N name:
             Level 0:
                 action1, [action2, ...]
             Level 1:
                 action1, [action2, ...]
             Level n:
                 action1, [action2, ...]

Levels should range from 0 to 9, with 9 being the most critical. E.g.:

         N COMMONALERT:

             # Info
             Level 0:
                 email(INFO_EMAIL,INFO)

             # Warning
             Level 1:
                 email(ALERT_EMAIL,WARN)

             # Alert
             Level 2:
                 email(ALERT_EMAIL,ALERT),ticker(ALERT_P)

             # Serious Alert
             Level 3:
                 email(ALERT_EMAIL,ALERT),email(SYSSUP_EMAIL,ALERT_P),ticker(ALERT_P)

Actions are defined like function calls, and multiple actions are separated by commas. See Actions for more information.

M - define a message group. This simply allows you to group together messages and message subgroups.

MSG - define a message object. This allows you to define a message object. A message object has a name and one or more strings of text. The way the strings are used by actions depends on the action. For example, the email() action wants two strings, the first being the subject and the second being the body of the email.

	 M groupname:
	     MSG msgname1: "string1"
		 "string2"
	     MSG msgname2: "string3"
		 "string4"

	 M groupname:
             M subgroupname1:
	         MSG msgname1: "string1"
		     "string2"
	         MSG msgname2: "string3"
		     "string4"
             M subgroupname2:
	         MSG msgname3: "string5"
		     "string6"

E.g.:

         # Define common messages.  These are used by the COMMONALERT notification object
         M commonmsg:
             # Define a subgroup of messages to be used by PROC directive actions
             M proc:
                 # Warning-level message for email
                 MSG WARN: "Warning: %(procp)s on %(h)s not running"
                     "The %(procp)s process on %(h)s is not running"

                 # Warning-level message for paging or tickertape
                 MSG WARN_P: "Warn: The %(procp)s daemon on %(h)s is not running." ""

	         # Alert-level message for email
                 MSG ALERT: "Alert: %(procp)s on %(h)s not running"
                     """ALERT: The %(procp)s daemon on %(h)s is not running.

         %(problemage)s
         %(problemfirstdetect)s
         """

                 # Alert-level message for paging or tickertape
                 MSG ALERT_P: "ALERT: The %(procp)s daemon on %(h)s is not running." ""

Other Features

Console

EDDIE features a Console facility which provides live information about the active directives via a TCP connection. The TCP port used is set by the CONSOLE_PORT setting in eddie.cf and defaults to port 33343. Set this to 0 to disable this feature.

By default every directive is shown in the Console output in the format "<ID> - <state>". This can be modified with the console directive argument, or the directive not shown at all by setting this argument to None.

Substitution variables available to the console argument string are:

state - current state of directive (e.g., "ok", "fail")
lastchecktime - date/time of last directive execution
problemfirstdetect - date/time of current failure first detected (only if state is failed)
problemlastfail - date/time of current failure last detected (only if state is failed)
others - directive-specific variables normally available to actions

Directive examples:

    # check root filesystem usage
    FS rootfs:    fs='/'
                  rule="capac > 95"
                  action='email("root", "%(fsf)s at %(fscapac)s%%")'
                  console='%(state)s %(fscapac)s%%'

    # email me load average every 5mins
    SYS loadavg5: rule="1"
                  action="email('chris', '%(h)s loadavg5: %(sysloadavg5).02f')"
                  scanperiod='5m'
                  console="loadavg5=%(sysloadavg5).02f"

    # store root filesystem data in RRD (don't show on Console)
    FS root_rrd:  fs='/'
                  rule="1"
                  scanperiod='5m'
                  action='elvinrrd("fs-%(h)s_root", "used=%(fsused)s", "size=%(fssize)s")'
                  console=None

Console example:

    $ telnet localhost 33343
    Trying 127.0.0.1...
    Connected to localhost.
    Escape character is '^]'.
    Eddie Console Gateway
    FS.rootfs - ok 33%
    SYS.loadavg5 - loadavg5=0.14
    Connection closed by foreign host.

Appendix A

Time Definition

The format for specifying time is either:

Integer number = that number in seconds; or
A string of the form "<int>[smhdwcy]" (an integer followed by one of the specified characters) where the characters define the time scale:
- s = seconds
- m = minutes
- h = hours
- d = days
- w = weeks
- c = calendar months
- y = years

[ EDDIE Homepage ]