Big Brother

A Web-based Systems and Network Monitoring and Notification System

This document introduces Big Brother, a solution to the problem of Systems Monitoring.

Commercial solutions are available, however these solutions are very expensive, costing many thousands of dollars in additional hardware and software. More distressing though, is the obvious complexity of these solutions, most requiring several hundred man-hours of consulting time just to set up. Finally, they don't use the Web as their interface, not only making truly remote monitoring impossible, but also making data sharing extremely difficult.

Big Brother is a simple, effective solution to the Systems Monitoring problem, and is presented here for your comments and suggestions.

---

What is Big Brother?

Big Brother is a loosely-coupled distributed set of tools for monitoring and displaying the current status of an entire network and notifying the admin should need be. It came about as the result of automating the day to day tasks encountered while actively administering Unix systems.

It consists of five major parts:

• Central monitoring station (Display Server) This station accepts incoming reports and prepares them for display. Big Brother uses the Web as its user interface, so it can be accessed by anyone with clearance to access the Big Brother site. Furthermore, additional views or displays can be created quickly and easily by writing simple Bourne Shell scripts. This server is known as the BBDISPLAY server.

• Network monitor (bb-network.sh). The network monitor runs on any Unix machine and periodically contacts every element listed in the etc/bb-hosts file via ping. Additional tests are performed if the service is listed on the line in the etc/bb-hosts file. This system is known as the BBNET machine. The results are then sent to the system designated as the Display Server (BBDISPLAY). Connections to the internet may likewise be monitored.

• Local System Monitor (bb-local.sh). Each server in the network runs a local system monitor which periodically samples disk space, CPU usage, number of users, and ensures that required processes are on-line and active. It reports the results to the Display Server, and also has the ability to directly page the administrator in the case of an emergency.

• Pager Programs (bb-page.sh). The client (bb) that sends single lines of information to the designated server (bbd) and executes a script (page) which forwards this information using Kermit via modem to the designated pager. This server is known as the BBPAGER server.

• Intra-machine communications programs (bb, bbd, nettest). A client (bb) that sends single lines of information to the designated Display and Pager Servers (running bbd) which then take appropriate action. These programs communicate using port 1984; what else would Big Brother use?

The Big Brother Display:

Big Brother was designed to provide instant information about the health of a Systems and Network environment to anyone, anywhere, with Web access to the site.

Network information is now instantly available to those who need it most: managers, systems administrators, and people on the help desk can actively and simply monitor the health of the network.

If any condition is severe, the administrator will have been paged, can use Big Brother to get additional information, and can proceed to fix the problem. Problem verification, data sharing and correction should improve immediately, since everyone has implicit access to the same information.

Finally, since warnings are displayed, corrective action can be taken even before users notice that there is a problem.

The display matrix shows a status of green (ok), yellow (warning), red (severe), and purple (no contact) and clear (not tested) for each system/area combination. Furthermore, the entire screen changes color to reflect the most serious condition on the network. In order of increasing severity these conditions are: green, yellow, blue, red.

Therefore one single warning anywhere on the network results in the entire display turning yellow which is highly visible, even from far away.

Each of the elements in the display matrix can then be clicked on to provide additional information, including the code, time, and specific information about the area being monitored.

Additionally, Big Brother now makes detailed information about every server in the network instantly accessible, just by clicking on the server name.

---

Big Brother Warning Conditions:

Every element in the etc/bb-hosts file is accessed every 5 minutes. Any loss of contact results in a code red, and the administrator being paged, unless this condition is explicitly permitted, for example with dialup devices that may not be online.

The BBNET machine tests each element in the etc/bb-hosts file every 5 minutes using a bbnet. Each system can have specific services like ftp, http, and mail tested, as required. Inability to contact a server is a severe condition. Inability of access a page due to a "Server Error" results in a warning condition.

All systems are monitored for disk usage. Any disk over 90% full is considered a warning condition. Disks over 95% full are marked as a severe condition, since this situation can quickly result in a system crash or hang.

All systems are monitored for CPU usage. A load average over 1.50 is a warning condition, 3.00 merits a severe condition. These values are configurable.

Processes are monitored on each system as well. The choice of what is to be monitored is dependent of what each system actually does. Sendmail and http are monitored on all systems by default. A page may be generated or a warning condition results if any of these important processes should not be running.

System messages are monitored. Big Brother watches the system message file for NOTICE and WARNING conditions. NOTICE conditions result in the admin being paged immediately. WARNING conditions cause a yellow dot to appear. Clicking on the corresponding dot will report the message that caused the display.

And finally the whole system itself is monitored by the BBDISPLAY. Any report over 30 minutes old results in that report, and the entire screen being marked in purple, indicating a likely loss of contact within the Big Brother system itself.

Note that all of the above are configurable parameters.

---

Design Considerations:

Some of the guidelines involved in the design of Big Brother are the following:

• Usefulness. Display only useful information in a timely and effective manner. Too much information can be as bad as too little, especially if it's displayed in an obscure manner.

• Intelligence. Use of heuristics to determine health, in a manner similar to what an actual administrator or user would do, instead of very low-level testing.

• Highly scalable. Easily made more redundant through replication of the individual components. All that has to be decided on is the level of redundancy required and where to install the scripts. No additional cost and little additional complexity.

• Modular. Big Brother is designed in a totally modular fashion, using simple Bourne shell scripts to test each area. Adding more monitoring areas only requires the creation of a script to monitor that area. New monitoring areas can be added and distributed in a manner of minutes.

• Easily Customized. Error levels and actions can be designated on a system-by-system basis, just by editing the appropriate script.

• Replication. Separation of local system reporting and network reporting means that there is built-in replication, at the system level and the network level. Further redundancy is built-in at the display level through checking timestamps of incoming reports; loss of reports indicates a problem which causes the screen to turn blue. Finally, each client has the ability to send messages to the pager daemon; this further reduces the likelihood of non-notification in the event of catastrophic systems failure.

• Simplicity. The design is extremely simple, the client/server programs are less than 8K bytes in size, and messages are less than 100 bytes. It is extremely lightweight and very efficient.

• Open and Standard. Using the Web as the display mechanism allows extremely rapid prototyping of displays, and provides a standard and elegant method of distributing this essential information, worldwide. The C programs involved are small, simple and standard. Shell scripts are obviously portable, as are programs like lynx and kermit, which are used for testing. Therefore, all the elements of Big Brother can be easily ported to any Unix System.

---

What Big Brother isn't:

Big Brother is not a replacement for a qualified and experienced Systems Administrator. On the contrary, it is a big brother to the Sys Admin. It does not shut down machines or terminate processes, although it could be programmed to do so. It just identifies and notifies.

Big Brother does not explicitly monitor individual hardware components. However, failure of a hardware component is very likely to cause a severe condition through loss of service.

Big Brother does not monitor performance of the network, servers, databases or any individual application. It will however provide information about CPU loads and implicit information about response time; i.e. telnet connections have 15 seconds to answer.

Your Comments and Suggestions are welcome!

Send them via e-mail to sean@maclawran.ca

---

About the Creator:

The photo which adorns the Big Brother Display is Sean MacGuire. He is Big Brother... it is meant to be reminicent of George Orwell's book 1984. That's why it's not a pretty picture.