wiki:KrakenLinuxSentry

Kraken Linux Sentry

Linux Sentry is a SIEM (Security Information and Event Management) agent for Linux operating systems. It provides performance loggers and a remote command handler.

Author

Control Features

LinuxCommandHandler implements SentryCommandHandler and provides Linux system information.

process-list

getProcesses() returns process information.

data structure (encoded by Kraken codec):

  • object list
    • key-value map
      • pid (int): process id
      • name (string): process name
      • cpu_usage (int): cpu usage of the process
      • working_set (long): memory usage of the process

arp-cache

getArpCache() returns the ARP entries in the ARP cache.

data structure

  • object list
    • key-value map
      • adapter (string): adapter name
      • type (string): static, dynamic, etc
      • mac (string): mac address in 00:00:00:00:00:00 format
      • ip (string): ip address

netstat

getNetStat() returns network connections.

data structure

  • object list
    • key-value map
      • tcp (object list)
        • key-value map
          • local_ip (string): local ip address
          • local_port (int): local port
          • remote_ip (string): remote ip address
          • remote_port (int): remote port
          • state (string): Closed, Listen, SynSent, SynReceived, Established, FinWait1, FinWait2, CloseWait, Closing, LastACK, TimeWait, DeleteTCB or Unknown
          • pid (int): process id
      • tcp6 (object list)
        • key-value map
          • local_ip (string): local ip address
          • local_port (int): local port
          • remote_ip (string): remote ip address
          • remote_port (int): remote port
          • state (string): Closed, Listen, SynSent, SynReceived, Established, FinWait1, FinWait2, CloseWait, Closing, LastACK, TimeWait, DeleteTCB or Unknown
          • pid (int): process id
      • udp (object list)
        • key-value map
          • local_ip (string): local ip address
          • local_port (int): local port
          • state (string): LISTEN (hard-coded)
          • pid (int): process id
      • udp6 (object list)
        • key-value map
          • local_ip (string): local ip address
          • local_port (int): local port
          • state (string): LISTEN (hard-coded)
          • pid (int): process id
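As an added example (not Kraken's own code), the following script builds the getNetStat() structure described above from the kernel's /proc/net/tcp, tcp6, udp and udp6 tables. It assumes the mapping from the kernel's hexadecimal socket-state codes to the page's state names shown in STATE_NAMES, takes the socket-inode to pid lookup from the caller (on a live host it is built from the /proc/<pid>/fd/* symlinks; here it is a constructed dict), and uses constructed sample tables captured in the little-endian byte order in which /proc prints addresses.

```python
"""Build the getNetStat() structure from /proc/net/{tcp,tcp6,udp,udp6} tables.

Added example, not Kraken code. Assumptions: the kernel's hex socket-state
codes map onto the page's state names as in STATE_NAMES; the socket-inode to
pid lookup is supplied by the caller (built from /proc/<pid>/fd/* on a live
host) and is a constructed dict here; the samples come from a little-endian
host, which is the byte order in which /proc prints addresses.
"""
import socket
import struct

# Kernel TCP state byte -> state name as documented for the netstat command.
STATE_NAMES = {
    0x01: "Established", 0x02: "SynSent", 0x03: "SynReceived",
    0x04: "FinWait1", 0x05: "FinWait2", 0x06: "TimeWait",
    0x07: "Closed", 0x08: "CloseWait", 0x09: "LastACK",
    0x0A: "Listen", 0x0B: "Closing",
}


def _decode_v4(hex_addr):
    # IPv4 is printed as one 32-bit word in host (here little-endian) byte order.
    return socket.inet_ntop(socket.AF_INET, struct.pack("<I", int(hex_addr, 16)))


def _decode_v6(hex_addr):
    # IPv6 is printed as four 32-bit words, each in host byte order.
    raw = b"".join(struct.pack("<I", int(hex_addr[i:i + 8], 16)) for i in range(0, 32, 8))
    return socket.inet_ntop(socket.AF_INET6, raw)


def parse_proc_net_table(text, family, inode_to_pid, udp=False):
    """Return the list of key-value maps for one /proc/net table."""
    decode = _decode_v4 if family == socket.AF_INET else _decode_v6
    entries = []
    for line in text.strip().splitlines()[1:]:  # first line is the column header
        cols = line.split()
        local_addr, local_port = cols[1].split(":")
        remote_addr, remote_port = cols[2].split(":")
        entry = {
            "local_ip": decode(local_addr),
            "local_port": int(local_port, 16),
            # 0 when no visible process owns the socket (kernel socket, other namespace)
            "pid": inode_to_pid.get(int(cols[9]), 0),
        }
        if udp:
            entry["state"] = "LISTEN"  # the page documents udp/udp6 state as hard-coded LISTEN
        else:
            entry["remote_ip"] = decode(remote_addr)
            entry["remote_port"] = int(remote_port, 16)
            entry["state"] = STATE_NAMES.get(int(cols[3], 16), "Unknown")
        entries.append(entry)
    return entries


def get_net_stat(tables, inode_to_pid):
    """Assemble the tcp/tcp6/udp/udp6 object lists documented for getNetStat()."""
    return {
        "tcp": parse_proc_net_table(tables["tcp"], socket.AF_INET, inode_to_pid),
        "tcp6": parse_proc_net_table(tables["tcp6"], socket.AF_INET6, inode_to_pid),
        "udp": parse_proc_net_table(tables["udp"], socket.AF_INET, inode_to_pid, udp=True),
        "udp6": parse_proc_net_table(tables["udp6"], socket.AF_INET6, inode_to_pid, udp=True),
    }


# Constructed samples in /proc/net layout: an ssh listener, one HTTPS client, a v6 listener, a DHCP client socket.
SAMPLE_TABLES = {
    "tcp": """\
  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode
   0: 0100007F:0016 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 12345 1 0000000000000000 100 0 0 10 0
   1: 0F02000A:B5E2 2A01000A:01BB 01 00000000:00000000 00:00000000 00000000  1000        0 23456 1 0000000000000000 20 4 30 10 -1
""",
    "tcp6": """\
  sl  local_address                         remote_address                        st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode
   0: 00000000000000000000000001000000:1F90 00000000000000000000000000000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 34567 1 0000000000000000 100 0 0 10 0
""",
    "udp": """\
  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode ref pointer drops
   0: 00000000:0044 00000000:0000 07 00000000:00000000 00:00000000 00000000     0        0 45678 2 0000000000000000 0
""",
    "udp6": """\
  sl  local_address                         remote_address                        st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode ref pointer drops
""",
}
SAMPLE_INODE_TO_PID = {12345: 1021, 23456: 4040, 34567: 2200}  # constructed; 45678 deliberately unmapped

if __name__ == "__main__":
    import json
    print(json.dumps(get_net_stat(SAMPLE_TABLES, SAMPLE_INODE_TO_PID), indent=2))
```

The unmapped inode in the udp sample shows the edge case a collector has to handle: a socket without an owning process in the visible pid namespace still appears in the table, and the record must carry a sentinel pid rather than fail.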

Loggers

CPU Usage

system logtype

field name   type     description
logtype      string   system
idle         int      idle percent
kernel       int      kernel mode usage percent
user         int      user mode usage percent
msg          string   cpu usage: USAGE%
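The fields above are percentages of one sampling interval, which is the part the table leaves implicit. The following added example (not Kraken code) derives them from the difference between two /proc/stat snapshots and emits a record with the documented field names. It assumes a grouping the page does not state: idle counts idle+iowait, kernel counts system+irq+softirq, user counts user+nice, and USAGE in msg is 100 minus idle; the snapshots are constructed.

```python
"""Build the CPU usage 'system' log record from two /proc/stat samples.

Added example, not Kraken code. Assumptions (not stated on the page): the
percentages are computed from the delta of the aggregate 'cpu' line between
two samples; 'idle' groups idle+iowait, 'kernel' groups system+irq+softirq,
'user' groups user+nice, and USAGE in msg is 100 - idle.
"""

COUNTERS = ("user", "nice", "system", "idle", "iowait", "irq", "softirq", "steal")


def parse_cpu_line(proc_stat_text):
    """Return the aggregate 'cpu' counters (jiffies) from /proc/stat text as a dict."""
    for line in proc_stat_text.splitlines():
        fields = line.split()
        if fields and fields[0] == "cpu":  # the per-core lines are 'cpu0', 'cpu1', ...
            return dict(zip(COUNTERS, (int(v) for v in fields[1:1 + len(COUNTERS)])))
    raise ValueError("no aggregate cpu line in /proc/stat")


def cpu_usage_record(previous, current):
    """Return the logger record {logtype, idle, kernel, user, msg} for one interval."""
    delta = {k: current[k] - previous[k] for k in COUNTERS}
    total = sum(delta.values())
    if total <= 0:
        # identical snapshots (or a counter reset after reboot) give no usable interval
        raise ValueError("counters did not advance between samples")

    def percent(*keys):
        return 100 * sum(delta[k] for k in keys) // total

    idle = percent("idle", "iowait")
    return {
        "logtype": "system",
        "idle": idle,
        "kernel": percent("system", "irq", "softirq"),
        "user": percent("user", "nice"),
        "msg": "cpu usage: %d%%" % (100 - idle),
    }


# Constructed snapshots: 1000 jiffies elapsed, 500 idle, 200 in kernel mode, 300 in user mode.
SAMPLE_PREV = """\
cpu  10000 200 3000 50000 400 100 100 0 0 0
cpu0 10000 200 3000 50000 400 100 100 0 0 0
intr 123456 0 1
ctxt 654321
"""
SAMPLE_CUR = """\
cpu  10300 200 3150 50500 400 130 120 0 0 0
cpu0 10300 200 3150 50500 400 130 120 0 0 0
intr 124000 0 1
ctxt 660000
"""

if __name__ == "__main__":
    print(cpu_usage_record(parse_cpu_line(SAMPLE_PREV), parse_cpu_line(SAMPLE_CUR)))
```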

Memory Usage

system logtype

field name   type     description
logtype      string   system
pfree        long     physical free memory (KB)
ptotal       long     physical total memory (KB)
vfree        long     virtual free memory (KB)
vtotal       long     virtual total memory (KB)
msg          string   memory usage: physical PFREE/PTOTAL, virtual VFREE/VTOTAL

Network Usage

device logtype: network usage log per adapter

field name             type     description
logtype                string   device
scope                  string   device
interval               long     interval in milliseconds
index                  int      adapter index
type                   int      always 6 (ethernetCsmacd)
description            string   adapter description
mtu                    int      maximum transfer unit
mac                    string   mac address (00:00:00:00:00:00 format)
bandwidth              long     link bandwidth (bps)
rx_bytes_delta         long     rx octets delta since last measurement
tx_bytes_delta         long     tx octets delta since last measurement
rx_ucast_pkts_delta    long     rx unicast octets delta since last measurement
tx_ucast_pkts_delta    long     tx unicast octets delta since last measurement
rx_nucast_pkts_delta   long     rx non-unicast octets delta since last measurement
tx_nucast_pkts_delta   long     tx non-unicast octets delta since last measurement
rx_errors_delta        long     rx error count delta since last measurement
tx_errors_delta        long     tx error count delta since last measurement
rx_discards_delta      long     rx drop count delta since last measurement (packet loss)
tx_discards_delta      long     tx drop count delta since last measurement (packet loss)
msg                    string   network usage: NAME (MAC), RX[RXUSAGE%, RXBPS, RXFPS], TX[TXUSAGE%, TXBPS, TXFPS]

total logtype: network usage log for the device with the highest rx or tx utilization

field name    type     description
logtype       string   total
scope         string   total
max_usage     int      max network usage (percent)
description   string   adapter description
mac           string   mac address
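The two network tables above are produced from the same counter deltas: each adapter gets a device record, and the adapter whose rx or tx utilization is highest is repeated as the total record. The following added example (not Kraken code) does this from two constructed /proc/net/dev snapshots. It assumes that adapter metadata (index, mtu, mac, bandwidth) comes from a caller-supplied table (on a live host from /sys/class/net/<name>/mtu, address and speed), that the non-unicast rx packet count is the multicast column and tx non-unicast is reported as 0 because /proc/net/dev has no tx multicast counter, and that RXUSAGE% is rx bits per second over the link bandwidth.

```python
"""Compute the 'device' records and the 'total' record from two /proc/net/dev samples.

Added example, not Kraken code. Assumptions (not stated on the page): adapter
metadata (index, mtu, mac, bandwidth) is supplied by the caller, on a live
host from /sys/class/net/<name>/{mtu,address,speed}; rx non-unicast packets
are the 'multicast' column and tx non-unicast is 0 because /proc/net/dev has
no tx multicast counter; USAGE% is bits per second over the link bandwidth.
"""

RX_COLUMNS = ("rx_bytes", "rx_packets", "rx_errs", "rx_drop", "rx_fifo", "rx_frame", "rx_compressed", "rx_multicast")
TX_COLUMNS = ("tx_bytes", "tx_packets", "tx_errs", "tx_drop", "tx_fifo", "tx_colls", "tx_carrier", "tx_compressed")


def parse_proc_net_dev(text):
    """Return {adapter name: {column: int}} from /proc/net/dev text."""
    counters = {}
    for line in text.splitlines()[2:]:  # the first two lines are column headers
        name, _, rest = line.partition(":")
        counters[name.strip()] = dict(zip(RX_COLUMNS + TX_COLUMNS, (int(v) for v in rest.split())))
    return counters


def _bps(byte_delta, interval_ms):
    return byte_delta * 8 * 1000 // interval_ms


def device_record(name, meta, prev, cur, interval_ms):
    """Return the 'device' logtype record for one adapter over one interval."""
    d = {k: cur[k] - prev[k] for k in cur}
    rx_bps, tx_bps = _bps(d["rx_bytes"], interval_ms), _bps(d["tx_bytes"], interval_ms)
    rx_usage, tx_usage = 100 * rx_bps // meta["bandwidth"], 100 * tx_bps // meta["bandwidth"]
    rx_fps, tx_fps = d["rx_packets"] * 1000 // interval_ms, d["tx_packets"] * 1000 // interval_ms
    return {
        "logtype": "device", "scope": "device", "interval": interval_ms,
        "index": meta["index"], "type": 6, "description": name, "mtu": meta["mtu"],
        "mac": meta["mac"], "bandwidth": meta["bandwidth"],
        "rx_bytes_delta": d["rx_bytes"], "tx_bytes_delta": d["tx_bytes"],
        "rx_ucast_pkts_delta": d["rx_packets"] - d["rx_multicast"],
        "tx_ucast_pkts_delta": d["tx_packets"],
        "rx_nucast_pkts_delta": d["rx_multicast"],
        "tx_nucast_pkts_delta": 0,  # assumption: no tx multicast counter in /proc/net/dev
        "rx_errors_delta": d["rx_errs"], "tx_errors_delta": d["tx_errs"],
        "rx_discards_delta": d["rx_drop"], "tx_discards_delta": d["tx_drop"],
        "msg": "network usage: %s (%s), RX[%d%%, %d, %d], TX[%d%%, %d, %d]"
               % (name, meta["mac"], rx_usage, rx_bps, rx_fps, tx_usage, tx_bps, tx_fps),
    }


def usage_percent(rec):
    """Higher of rx and tx utilization of a device record, in percent."""
    return max(100 * _bps(rec["rx_bytes_delta"], rec["interval"]) // rec["bandwidth"],
               100 * _bps(rec["tx_bytes_delta"], rec["interval"]) // rec["bandwidth"])


def total_record(device_records):
    """Return the 'total' logtype record for the busiest adapter."""
    busiest = max(device_records, key=usage_percent)
    return {"logtype": "total", "scope": "total", "max_usage": usage_percent(busiest),
            "description": busiest["description"], "mac": busiest["mac"]}


def network_usage_logs(prev_text, cur_text, interval_ms, adapters):
    """Return (device records, total record); adapters absent from either sample are skipped."""
    prev, cur = parse_proc_net_dev(prev_text), parse_proc_net_dev(cur_text)
    devices = [device_record(n, adapters[n], prev[n], cur[n], interval_ms)
               for n in adapters if n in prev and n in cur]
    return devices, total_record(devices)


# Constructed snapshots one second apart; eth0 is a 1 Gbit/s link, eth1 a 100 Mbit/s link.
SAMPLE_PREV = """\
Inter-|   Receive                                                |  Transmit
 face |bytes    packets errs drop fifo frame compressed multicast|bytes    packets errs drop fifo colls carrier compressed
    lo:    4096      40    0    0    0     0          0         0     4096      40    0    0    0     0       0          0
  eth0: 1000000    2000    0    0    0     0          0       100   500000    1500    0    0    0     0       0          0
  eth1:       0       0    0    0    0     0          0         0        0       0    0    0    0     0       0          0
"""
SAMPLE_CUR = """\
Inter-|   Receive                                                |  Transmit
 face |bytes    packets errs drop fifo frame compressed multicast|bytes    packets errs drop fifo colls carrier compressed
    lo:    8192      80    0    0    0     0          0         0     8192      80    0    0    0     0       0          0
  eth0: 13500000   12000    2    1    0     0          0       300  6750000    6500    0    0    0     0       0          0
  eth1: 2500000    3000    0    5    0     0          0         0  1250000    1200    0    0    0     0       0          0
"""
SAMPLE_ADAPTERS = {  # constructed metadata; the loopback is deliberately left out
    "eth0": {"index": 2, "mtu": 1500, "mac": "00:11:22:33:44:55", "bandwidth": 1_000_000_000},
    "eth1": {"index": 3, "mtu": 1500, "mac": "00:11:22:33:44:66", "bandwidth": 100_000_000},
}

if __name__ == "__main__":
    for rec in network_usage_logs(SAMPLE_PREV, SAMPLE_CUR, 1000, SAMPLE_ADAPTERS)[0]:
        print(rec["msg"])
```

Note that the total record picks eth1 even though eth0 moved more bytes: utilization is relative to each link's own bandwidth, which is what makes the total record useful as a saturation alert rather than a volume counter.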

See also

History

  • 1.0.0 release (2010-11-16)