[Opendnssec-user] Monitoring OpenDNSSEC
Klaus Darilion
klaus.mailinglists at pernau.at
Fri Nov 15 12:50:39 UTC 2013
On 15.11.2013 13:02, Volker Janzen wrote:
> Hi,
>
> On Wed, 6 Nov 2013 16:28:53 +0100, Jerry Lundström
> <jerry at opendnssec.org> wrote:
>> You can monitor the ods-enforcerd and ods-signerd processes, use the
>> "ods-signer running" and there should be a pid file somewhere (depend
>> on the OS or if you compiled yourself).
>
> according to some more research I decided not to use the PID file, I'm
> now checking if there is one process running for enforcer and one for
> signer on the opendnssec user. Is it possible that there is more than
> one process (e.g. forked worker processes)?
>
> I used this NRPE configuration:
>
> command[check_ods_enforcerd]=/usr/lib/nagios/plugins/check_procs -c 1:1
> -u 104 -C ods-enforcerd
> command[check_ods_signerd]=/usr/lib/nagios/plugins/check_procs -c 1:1
> -u 104 -C ods-signerd
>
>> You can also monitor the
>> syslog for the STATS line from ods-signerd and errors. The Enforcer
>> will run once an hour (or as often you configured it) and you could
>> monitor that output and that you get that each hour.
>
> I think the STATS lines will not appear often enough to see if there is
> really activity. But I see output from ods-enforcerd every hour. This
> might be a way to start.
It depends on what you want to monitor: the enforces runs as configured
(eg: <Enforcer><Interval>PT3600S</Interval>...)
The STATS lines can be used monitor the ods-signerd, if your zone file
gets updated quite often.
We also use a cron jobs which regularly does:
#/usr/sbin/ods-signer running
Engine running.
If the enging is not running, the signer is restarted.
We also monitor the serial of the unsigned and signed zone files. If the
unsigned serial is higher, this means that the signer did not signed the
new zone. As we update the zone a few times a day, this is an indirect
indication if the signer is running.
regards
Klaus
More information about the Opendnssec-user
mailing list