6. Monitoring of Kernun UTM Operation

6.1. Logging Configuration

All Kernun UTM proxies write information about their state and progress into the log. The log can be used later to analyze the traffic, generate statistics, find out why a certain connection was refused, or look for system errors. Logging is switched on for all proxies by default. To alter the log settings of a proxy, add a log section with desired items (see below) into it.

Logging can be done either by the standard syslog daemon (the default is the LOCAL4 facility, which logs into the /var/log/kernun-debug file), or directly into a specified file. Moreover, there is a possibility to log a small amount of the last data for each proxy into a memory-mapped file, which can be used for system failure analysis. The facility item is used to change the facility number, the file item to enable logging into a file and the mem-file item to specify the memory-mapped file.

There are 9 levels of log messages (the lower the number, the higher the severity) and the administrator can choose the level of logging. The log level of a proxy can be set either in the configuration using the level item, or at runtime by sending a SIGUSR1/SIGUSR2 signal to the proxy process to increase/decrease the level. The proxy logs only messages with a level lower or equal to its log level. The log message level is appended to the MsgID column of the message, so you can easily filter only messages of a certain log level in the log browser (Section 1.3, “Logs”).

Each log message contains the MsgID column, which stands for the type of the message. For every log message type, there is a manual page in the section 6. The Message ID consists of a component code (an application name, possibly with a suffix), message number and message log level. Most of the information on normal traffic can be gathered from the level I (information statistical messages) and level N (noticeable conditions), which are both logged with any log level set. For example, a simple HTTP 1.1 request is started by TCPS-706-N which informs about a new TCP connection and assigns the connection to a child, then a session is started (HTTP-710-I) and proceeds with the first phase of acl. If the session is accepted, then the HTTP request is started (HTTH-702-I), request-acl is evaluated (HTTH-811-I) and the client is connected to the server (MNIO-710-N). When the answer, the document, arrives from the server, doc-acl is evaluated and the message HTTH-893-I is added to the log. If the document was accepted, the request end message HTTH-713-I is added and the proxy waits for other requests on the same socket (we are communicating over the multi-request HTTP 1.1 protocol). Then, possibly, more requests are served and, eventually, the session is ended (HTTP-711-I), the proxy finishes the connection and waits for a new one (messages TCPS-707-N and TCPS-715-N). The log of the described situation is shown in Figure 5.25, “Log of an HTTP request”.

Figure 5.25. Log of an HTTP request

Log of an HTTP request

For more information on logging, see logging(7). For details concerning configuration of logging, see the log(5) manual page.

6.2. Log Rotation

The created log files grow enormously and might fill all the free disk space. Another problem of logging is that manipulation with big files is more difficult (and slower) than with smaller ones. Kernun UTM provides tools for log rotation as a method of solving the above-mentioned problems. Log files are regularly (daily, weekly or monthly) renamed and the system starts afresh with an empty log file. The old log files are thrown away after a certain period. The administrator can configure log rotation by adding an rotate item into the system-level rotate-log section for the entire Kernun UTM or into the log section of a particular proxy, if it logs into a separate file. In the rotate item you can specify the owner, group and rights of the file, the number of coexisting history logs, the compression method and the time of log creation. The logs can be rotated either periodically (daily, weekly or monthly), or when the size of the log exceeds a specified limit. The log rotation will only work if you have it scheduled in the crontab, as illustrated e.g. in the sample crontab file /usr/local/kernun/conf/samples/include/crontab.cml.

6.3. Monitoring of Active Sessions

Each of the connection-oriented proxies (http-, ftp-, imap4-, pop3-, smtp-, sip-, sqlnet- and tcp-proxy) and udp-proxy are able to write information about the current sessions (connections they are currently serving) into special binary files that can be used to monitor their current state. A log does not provide all the necessary information when huge files are being downloaded: we are informed that the request has started, but do not know anything until it ends. This is the right time to use the monitor(1) application, which collects information about the current session's progress and is able to present it to the user (either as plain text, or in the HTML format). Monitoring is best accessible from the GKAT window of the Kernun GUI via the Monitor tab in the detail of a proxy (or the Proxies root node). The information in the monitor include the name and type of the proxy, the PID of the proxy process, the duration of the current session, the server and client IP addresses and names, the number of bytes transferred and delivered in both directions, the connection speeds, and the URI of the document (in the case of http- or ftp-proxy). Monitoring is only available for proxies that contain the monitor section in their configuration.

Monitoring information is also stored in a database that is used for graph generation; for more details see Section 6.5, “Monitoring of System Parameters”.

6.4. Proxy Statistics Generation

Every proxy can generate statistics of its usage; these statistics are then shown in the statistics browser window (Figure 5.26, “Statistics browser window”), which is accessible via the File | Statistics menu in the GKAT. In the browser, the tree on the left-hand side shows the available statistics (for each of the available periods and all the proxies that generated statistics in that period). The right-hand part of the window shows the statistics of the selected period, date and proxy as an HTML page.

Figure 5.26. Statistics browser window

Statistics browser window

To enable the generation of statistics for the desired proxies or the whole system, insert stats-daily, stats-weekly and/or stats-monthly sections into their configurations. Inside these sections, you can specify the number of top results for each watchable parameter (if not set, the default value will be used). By default, the generation scripts for each of the periods are scheduled in the crontab. Therefore, no changes should be necessary. Figure 5.27, “Configuration of statistics” shows a sample statistics configuration for an http-proxy. Sample configuration with generation of statistics for most of the proxies and the whole system is included in /usr/local/kernun/conf/samples/cml/statistics.cml.

Figure 5.27. Configuration of statistics

Configuration of statistics

6.5. Monitoring of System Parameters

Kernun UTM is able to monitor various system parameters, from hardware temperature to proxy loads, and store their values in a database. Later it is possible to create and view graphs generated from these values and thus examine the traffic load history. The graphs are generated by the command line tool rrd, described in the rrd(1) manual page, which can be also used to view the available graph types and intervals. The easiest way to access the graphs is using the Graphs tab in the GKAT window of the Kernun GUI. It is available for all the proxies and network interfaces, and for several system components. All the system parameters are displayed in the Graphs tab of the top-level GKAT node, as depicted in Figure 3.8, “Graphs page”. While system components other than proxies generate their graphs automatically, you have to insert a monitoring section into the configuration of a proxy to generate its graphs.

Chosen graphs can be added to the Favorite graphs tab in the Graphs tab of the top-level GKAT node to make them more accessible; the period of the displayed graphs can be changed using a combo box.