And now: Monitoring!
To start, monitoring is basically one or more services that are “watching” some computing resource. Glancing at the list, most of these are outside the hobbyist sphere, and look to be pretty hefty servers.
Also, I’m not going over the two Kubernetes apps, since they are in their own category I was planning to skip, but as they are both monitoring and that makes sense for Kubernetes, I’ll do a post on it after all.
InfluxDB TICK Stack
The open source TICK Stack, which includes InfluxDB, is a high performance platform to collect, store, visualize and act on time-series data for DevOps metrics, IoT telemetry, and real-time analytics. The four TICK Stack components: Telegraf for collecting data, InfluxDB for storage, Chronograf for graphs, and Kapacitor for alerts; contain everything needed to make beautiful dashboards, observe Kubernetes clusters, store syslog messages, and even monitor your smart home. Get started in 60 seconds with the InfluxDB TICK Stack 1-Click App.
That sounds neat and all, but getting “started in 60 seconds with the InfluxDB TICK Stack 1-Click App” is followed by one of the longest post-install instructions I’ve seen, which ends with:
Next Steps
To run InfluxDB in production, there are several additional steps you should take, including:
- Follow the security recommendations for each TICK component:
I don’t know… I feel like if I am going through that much trouble to lock this thing down, I’m probably building my own server images and tracking each component in version controlled configuration.
Maybe one-click apps in this category are demos.
HoneyDB Agent
The HoneyDB Agent is a low-to-medium interaction honeypot for security purposes, that supports emulation of common TCP and UDP network services. The HoneyDB Agent can be configured to send captured honeypot data to the HoneyDB web site - a community-driven honeypot data collection and aggregation security service. Using the HoneyDB Threat Info RESTful API, you can download your honeypot data and/or all community contributed honeypot data to help defend your applications and network.
This relies on generating keys from the HoneyDB website:
After you create a HoneyDB Agent One-Click Droplet, the HoneyDB Agent (honeydb-agent) will be installed. The next step is to SSH into the Droplet to configure and start the honeydb-agent service. The first time you SSH into the Droplet you will be prompted to configure honeydb-agent by entering your agent keys. Agent keys can be generated and retrieved by creating a free account at HoneyDB.io. Once you’ve entered the agent keys into the prompt the honeydb-agent service will start.
I’m not going to look into this now, but this could be interesting. Maybe this is a great community resource… but how likely is that?! Anyhow, the license for the agent software is at https://riskdiscovery.com/honeydb/license:
HoneyDB License
HoneyDB Agent End User License Agreement (HoneyDB Agent EULA)
Copyright Notice: HoneyDB Agent License;
Copyright (c) 2019 HoneyDB. All rights reserved.
Redistribution of HoneyDB Agent binary forms and related documents, are permitted provided that redistributions of HoneyDB Agent binary forms and related documents reproduce the above copyright notice as well as a complete copy of this EULA.
You agree not to reverse engineer, decompile, disassemble, modify, translate, make any attempt to discover the source code of this software, or create derivative works from this software.
The HoneyDB Agent is bundled with open source software components, some of which fall under different licenses. By using HoneyDB Agent or any of the bundled components, you agree to be bound by the conditions of the license for each respective component.
This software is provided “as is” and any expressed or implied warranties, including, but not limited to, the implied warranties of merchantability and fitness for a particular purpose are disclaimed. In no event shall HoneyDB be liable for any direct, indirect, incidental, special, exemplary, or consequential damages (including, but not limited to, procurement of substitute goods or services; loss of use, data, or profits; or business interruption) however caused and on any theory of liability, whether in contract, strict liability, or tort (including negligence or otherwise) arising in any way out of the use of this software, even if advised of the possibility of such damage.
HoneyDB is the sole distributor of HoneyDB Agent licenses. This agreement and licenses granted by it may not be assigned, sublicensed, or otherwise transferred by licensee without prior written consent of HoneyDB. Any licenses violating this provision will be subject to revocation and deactivation.
Open source software components
Python 2.7 (https://docs.python.org/2.7/license.html#psf-license-agreement-for-python-release)
Twisted (http://www.opensource.org/licenses/mit-license.php)
I tend to charge folks a premium when I have to deal with such bullshit.
Grafana
The analytics platform for all your metrics. Grafana allows you to query, visualize, alert on and understand your metrics no matter where they are stored. Create, explore, and share dashboards with your team and foster a data driven culture. Trusted and loved by the community.
Hey, Grafana! Such fun, pretty software! Here is a screenshot of their demo site (https://play.grafana.org):
A couple years ago I had to put together some graphs. Capitalists, they love having their BIG BOARDS.
So I went about using all the visual graphing things I could get my hands on. Grafana was quick to get up and running, and nearly impossible to self-host in any meaningful way. There were no docs, and it seemed apparent the front end was open-sourced to drive customers to “Grafana CloudButt”.
So, may I point a domain at this Droplet and get a Let’s Encrypt Cert?
After you create a Grafana One-Click Droplet, Grafana will be installed. Start adding your datasources and dashboards by visiting http://Droplet_IP:3000. The default login credentials are admin/admin - you will be prompted to change this after your first login.
Again, a demo server… so much for fostering a data-driven culture!
Prometheus
In Greek mythology, Prometheus is a Titan, culture hero, and trickster figure who is credited with the creation of man from clay, and who defies the gods by stealing fire and giving it to humanity, an act that enabled progress and civilization. Prometheus is known for his intelligence and as a champion of mankind.
Wow, that sounds like a lot for server software to live up to! Let’s see what this VPS is about?!
Prometheus is an open-source systems monitoring and alerting toolkit part of the Cloud Native Computing Foundation. Since its inception in 2012, many companies and organizations have adopted Prometheus, and the project has a very active developer and user community. Prometheus’s main features are:
- a multi-dimensional data model with time series data identified by metric name and key/value pairs
- PromQL, a flexible query language to leverage this dimensionality
- no reliance on distributed storage; single server nodes are autonomous
- time series collection happens via a pull model over HTTP
- pushing time series is supported via an intermediary gateway
- targets are discovered via service discovery or static configuration
- multiple modes of graphing and dashboarding support
…
Oh.
Well, at least whoever supports this image must make it really easy to get up and running on a secure production node!
Supported By: Grafana Labs
Quick Start
After the droplet is created you can visit the prometheus UI on http://your_server_ip:9090/
Prometheus by default is configured to monitor itself and nodeexporter. You can add more targets by editing the config file located at /etc/prometheus/prometheus.yml on the droplet. For a run through of what is happening and how to write queries, refer to this guide.
Production
When running in production, you should make sure that prometheus is not exposed to public but rather only to a few users protected by a reverse-proxy/firewall. This guide gives you an example on how to do that using basic auth and NGINX.
Securing Prometheus API and UI endpoints using basic auth
Prometheus does not directly support basic authentication (aka “basic auth”) for connections to the Prometheus expression browser and HTTP API. If you’d like to enforce basic auth for those connections, we recommend using Prometheus in conjunction with a reverse proxy and applying authentication at the proxy layer.
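Once a reverse proxy is in front, the thing to confirm is that the Grafana (3000) and Prometheus (9090) listeners from the quick-start text are no longer bound to a public address. The following is an added example, not code from the original post or from either project; it parses `ss -tlnH` output, and the sample lines and function names are constructed for illustration.

```python
import ipaddress

# Ports named in the quick-start text quoted above.
WATCHED_PORTS = {3000: "Grafana UI", 9090: "Prometheus UI/API"}

# Constructed sample of `ss -tlnH` output, not captured from a real droplet.
SAMPLE_SS_OUTPUT = """\
LISTEN 0 128 0.0.0.0:22 0.0.0.0:*
LISTEN 0 4096 *:9090 *:*
LISTEN 0 4096 127.0.0.1:3000 0.0.0.0:*
LISTEN 0 511 0.0.0.0:443 0.0.0.0:*
LISTEN 0 4096 [::1]:9100 [::]:*
"""


def split_local(field):
    """Split ss's 'Local Address:Port' field into (host, port_string)."""
    host, _, port = field.rpartition(":")
    # Drop an interface scope (127.0.0.53%lo) and IPv6 brackets ([::1]).
    return host.split("%", 1)[0].strip("[]"), port


def is_loopback_only(host):
    """True when the listener is reachable only from the machine itself."""
    if host == "*":
        return False  # wildcard: every interface, IPv4 and IPv6
    try:
        return ipaddress.ip_address(host).is_loopback
    except ValueError:
        return False  # unparsable address: report it so it gets reviewed


def exposed_monitoring_listeners(ss_output):
    """Return [(port, service, host)] for watched ports not bound to loopback."""
    findings = []
    for line in ss_output.splitlines():
        cols = line.split()
        if len(cols) < 4 or cols[0] != "LISTEN":
            continue
        host, port = split_local(cols[3])
        if port.isdigit() and int(port) in WATCHED_PORTS and not is_loopback_only(host):
            findings.append((int(port), WATCHED_PORTS[int(port)], host))
    return findings


if __name__ == "__main__":
    for port, service, host in exposed_monitoring_listeners(SAMPLE_SS_OUTPUT):
        print(f"{service} is listening on {host}:{port}; bind it to 127.0.0.1 or firewall it")
```

On a droplet, feed it the real output of `ss -tlnH`; an empty result means both UIs are reachable only through whatever sits in front of them on the loopback interface.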
FastNetMon
FastNetMon is a very high performance DDoS detector built on top of multiple packet capture engines: NetFlow, IPFIX, sFlow and SPAN/port mirror. FastNetMon can detect malicious traffic in your network and immediately block it with BGP blackhole or BGP flow spec rules. FastNetMon has solid support for all top network vendors and has unlimited scalability due to flexible design. You could integrate FastNetMon into any existing network without any changes and additional hardware!
With clear simple monthly pricing, you can trial FastNetMon for one month completely free.
Okay, so this is a commercial VPS, so there’s that. But check the warez list:
| Package | Version | License |
|---|---|---|
| fastnetmon | 2.0.x | Commercial |
| grafana | 6.2.1 | Apache 2 |
| influxdb | 1.7.4 | MIT |
| clickhouse-server | 19.4.3.11 | Apache 2 |
| MongoDB | 3.6 | SSPL |
Grafana and InfluxDB are included in this package. It’s almost like they shouldn’t be their own one-click apps. But the thing that caught my attention, something I missed earlier:
AGPL; that’s true and not true. From https://www.mongodb.com/community/licensing:
MongoDB Database Server and Tools
- MongoDB, Inc.’s Server Side Public License (for all versions released after October 16, 2018, including patch fixes for prior versions).
- Free Software Foundation’s GNU AGPL v3.0 (for all versions released prior to October 16, 2018).
That’s certainly a flag. I mean, for MongoDB. Makes sense FastNetMon would include it. Next!
Zabbix
Zabbix is an enterprise-class open source distributed monitoring solution designed to monitor and track performance and availability of network servers, devices, services and other IT resources. Zabbix is an all-in-one monitoring solution that allows users to collect, store, manage and analyze information received from IT infrastructure, as well as display on-screen, and alert by e-mail, SMS or Jabber when thresholds are reached. Zabbix allows administrators to recognize server and device problems within a short period of time and therefore reduces the system downtime and risk of system failure. The monitoring solution is being actively used by SMBs and large enterprises across all industries and almost in every country of the world.
Zabbix does not play around! Zabbix is enterprise AF! Zabbix has… jabber support!
Well let’s get into it!
First of all, Zabbix is a lot of software. One cubic lot of warez, soft.
| Package | Version | License |
|---|---|---|
| Zabbix server | 4.2.0 | GNU GPLv2 |
| Zabbix web | 4.2.0 | GNU GPLv2 |
| Zabbix agent | 4.2.0 | GNU GPLv2 |
| Zabbix get | 4.2.0 | GNU GPLv2 |
| Zabbix sender | 4.2.0 | GNU GPLv2 |
| Zabbix Java gateway | 4.2.0 | GNU GPLv2 |
| Nginx | 1.14.2 | Custom |
| MariaDB | 10.2.23 | GNU GPLv2 |
| PHP-fpm | 5.4.16 | PHP v3.01 |
| OpenJDK | 1.8.0.201 | GNU GPLv2 |
Okay, here are a few assumptions I make about this project based on that table:
- Zabbix is pointedly modular
- A lot of GPL, MariaDB and OpenJDK means software freedom is a consideration
- Several java apps with a web interface: this software is gonna be cloud-ugly.
Let’s test the last one!
Ah, it isn’t that bad (https://www.zabbix.com/screenshots):
Those are fine, and if this thing is easy to configure, I’d say it wins the monitoring category, as it is so far the only server that isn’t for demo purposes.
I don’t normally link to the docs for these things, but here’s one: Best practices for secure Zabbix setup
Why? It’s DokuWiki! And it definitely pegs Zabbix to a particular era of enterprise support that included versioned docs for each release as technical wiki books. And if this continues to work for them, then hey, that’s a business model worth investigating!
Oh, anyhow, the docs show setting up reverse proxies and all that. Could use some work there, especially as a one-click install. However, this may not be the best VPS for using Zabbix. Yep!
First, there is one last entry, a branded Zabbix install, in this category. Secondly, as I was poking around in the docs, I noticed 4 Installation from packages, which includes all the major ~~food groups~~ distro server families. Considering you’ll need to configure your web server separately, that’s probably the best way to go, unless…
Zeromon Zabbix
The Zeromon Zabbix One-Click will install the latest version of Zabbix 4.0.x from the Zabbix.com software repositories. Additionally, Apache, PHP, Postfix, UFW, and MariaDB will be pre-configured. All that you will need to do is log in to the Zabbix web interface running on your Droplet in order to start monitoring agents. Certbot is also pre-installed allowing you to quickly and easily set up HTTPS/SSL encryption for your Zabbix web interface.
Oh, there’s one more line…
You’ll need to deploy Zeromon Zabbix using an SSH key for login, setup will not complete using a root password
Okay, so this one sounds better than the more Zabbixy Zabbix. Let’s see those warez!
| Package | Version | License |
|---|---|---|
| Zabbix | 4 (Zabbix repository) | GPL 2 |
| Apache HTTP Server | 2.4 | Apache 2 |
| MariaDB | 10.1 | GPL 2 |
| PHP | 7.2 | PHP 3 |
| Certbot | 0.31 (PPA) | Apache 2 |
| Postfix mail daemon | 3.3 | IBM 1 |
Aside: look up Postfix’s license later…
Okay, so LAMP stack with Zabbix and Certbot, even some Postfix. Sounds dope. What is Zeromon?
No, the folks we are looking for make a hosted image for Zabbix, and would love to charge you for it!
But as their footnote says:
*DigitalOcean does not currently allow vendors to charge for marketplace images.
Alas! They have released their something on Microsoft’s code platform, and the README has this quip:
The cost for usage of the Amazon AMI software is $0.05 USD per hour (or basically, $36.00 USD per month) for all instance types in all regions, in addition to the EC2 pricing itself. We also offer a 7-day 100% money-back guarantee.
The DigitalOcean Marketplace “One-Click” installation is currently undergoing testing and is free to deploy for the near future.
So that’s the agenda.
Install from packages it is!
Okay, that’s Monitoring. No voting this time, I’ll do Blogs & Forums next. There are a bunch, so I’ll probably break it up into multiple posts. And some time I’ll hit the monitoring apps for Kubernetes, but it doesn’t really excite me…