Octopussy (software)

Last updated
Octopussy
Developer(s) Sebastien Thebert and others
Initial releaseDecember 2005 [1]
Stable release
1.0.16 / June 3, 2017;5 years ago (2017-06-03) [2]
Repository
Written in Perl, ASP
Operating system Linux
Type Log analysis, security software
License GPLv2
Website octopussy.pm

Octopussy, also known as 8Pussy, is a free and open-source computer-software which monitors systems, by constantly analyzing the syslog data they generate and transmit to such a central Octopussy server (thus often called a SIEM solution). [3] Therefore, software like Octopussy plays an important role in maintaining an information security management system within ISO/IEC 27001-compliant environments.

Contents

Octopussy has the ability to monitor any device that supports the syslog protocol, such as servers, routers, switches, firewalls, load balancers, and its important applications and services. The main purpose of the software is to alert its administrators and users to different kinds of events, like system outages, attacks on systems or errors in applications. [4] However, unlike Nagios or Icinga, Octopussy is not a state-checker and therefore problems cannot be resolved within the application. The software also makes no prescription whatsoever on which messages must be/must not be analyzed. As such, Octopussy can be seen as less powerful than other popular commercial software in the same category (event monitoring and log analysis). [5]

Octopussy is compatible with many Linux system distributions like Debian, Ubuntu, OpenSUSE, CentOS, RHEL and even meta-distributions as Gentoo or Arch Linux. Although Octopussy was originally designed to run on Linux, it could be ported to other Unix variants like FreeBSD with minimal effort. Octopussy has extensive report generating features and also various interfaces to other software, like e.g. NSCA (Nagios), Jabber/XMPP and Zabbix. With the help of software like Snare even Windows EventLogs can be processed. [6]

Octopussy is licensed under the terms of the GNU General Public License.

Characteristics

Although Octopussy is free and open-source software it has a variety of characteristics also found in some professional enterprise applications like Splunk, SAWMILL or Kiwi Syslog.

The dashboard page in Octopussy 0.9.4+ (2007-2014) Octopussy-v09-Dashboard-2007.png
The dashboard page in Octopussy 0.9.4+ (2007-2014)

Octopussy features

At the time of writing, Octopussy comes with the following set of features:

Supported services

Some of the (meta-)services supported by/known by Octopussy are:

Apache 2, BIND, BSD Kernel, BSD PAM, BSD System, Cisco Routers (ASR), Cisco Switches, ClamAV, DenyAll Reverse Proxy, DRBD, F5 BigIP, Fortinet FW, HP-Tools, Ironport MailServer, Juniper Netscreen FW, Juniper Netscreen NSM, LDAP, Linux AppArmor, Linux Auditd, Linux IPTables, Linux Kernel, Linux PAM, Linux System, Monit, MySQL, Nagios, Neoteris/Juniper FW, NetApp NetCache, Postfix, PostgreSQL, Samba, Samhain, SNMPd, Squid, SSHd, Syslog-ng, TACACS, VMware ESX(i), Windows Snare Agent, Windows System, Xen ... [7]

The alert viewer page in Octopussy 0.9.4+ (2007-2014) Octopussy-v09-Alert-Viewer-2007.png
The alert viewer page in Octopussy 0.9.4+ (2007-2014)

Processible events

Events receivable from services and thus processible by Octopussy include:

Dependencies

The software requires RSYSLOG installed on the syslog-server and expects systems that are monitored to run one of the numerous available syslog services, like e.g. syslogd/klogd, RSYSLOG or syslog-ng. [8]

The software further depends on the Apache 2 HTTP Server installed, with Apache::ASP, Mod_Perl and Mod_SSL. Octopussy also requires a MySQL DBMS (actual database is installed/copied during Octopussy setup) as well as a recent Perl interpreter installed on the operating system, with a variety of Perl modules from CPAN (e.g. Crypt::PasswdMD5, DBD::mysql, JSON, Unix::Syslog, XML::Simple). [9] A comprehensive list of those modules can be found within the software packages/archives README.txt file. In addition to that NSCD and RRDtool are a requirement. RRDtool aids in the creation of graphs that will be displayed on the Octopussy dashboard or shown on a per-device/per-service level. [10]

Architecture

Architecture of Octopussy 1.0.14 (2014) Octopussy-v10-Schema-2014-v3.png
Architecture of Octopussy 1.0.14 (2014)

Octopussy receives syslog messages via syslog protocol and therefore behaves passively, not running any type of network agent on the remote machines under monitoring/surveillance. [11] Octopussy completely conforms to RfC 3164 and RfC 3195 of the IETF, describing syslog as the logging mechanism in Unix-like/BSD operating systems. [12] [13] That especially includes the internal representation of the facility and severity-principle where applicable.

The software is driven by a semi-stateful event correlation engine. This means that the engine records and thus knows its internal state, but only uses it to some extent to link together logically related elements for the same device, in order to draw a conclusion (i.e. to generate an alert). In Octopussy the semi-stateful correlation engine, with its so called sliding window (a shifting window being the logical boundary of a number of events during a certain period of time), is capable of comparing known past events with present ones based on a limited number of comparative values.

Octopussy Dispatcher

The Octo-Dispatcher is the component used by the Octopussy software to receive syslog lines from RSYSLOG and dispatch them into device directories. [14] Every device registered and activated within Octopussy gets its syslog messages assigned to it depending on the device name. Noteworthy is also the adjacent Octo-Replay component, which is the program used by the Octopussy software to replay log messages for some device or service (it receives and processes recognized logs and puts them back into the incoming directory).

Octopussy Parser

The Octo-Parser and Octo-Uparser are two of Octopussy's most important core components. The Octo-Parser is the program used by the Octopussy software to parse logs in syslog format for each device registered within Octopussy. [15] It basically uses a regex-engine and commences pattern matching on incoming syslog messages. The Octo-Uparser is restarted every time device's services are changed, to check if previously received "unknown" log messages can be associated with a service.

In some cases Octo-Pusher is also called in advance to process non-syslog messages incoming from some devices. In that regard, the device setting "asynchronous" is helpful to process such log messages, after they were sent to an Octopussy server using e.g. FTP, rsync or SSH/SCP.

An RRD graph page in Octopussy 0.9.4+ (2007-2014) Octopussy-v09-RRD-Graph-2007.png
An RRD graph page in Octopussy 0.9.4+ (2007-2014)

Octopussy Interface

The Octopussy interface (GUI) is the default user-interface and provides configuration management, device and service management as well as alert definition and therefore extends the Octopussy core components. Devices are displayed in tabular form on the Devices page, with the following descriptors as a minimum: hostname, IP address, log type, device model/type, FQDN and OS.

Hence, the interface (Octo-Web) mainly provides access to other Octopussy core components like Octo-Commander, Octo-Message-Finder, Octo-Reporter and Octo-Statistic-Reporter. The Octopussy front-end/GUI is written in Perl 5, employing Apache::ASP to structure and display content. [16]

In addition to that, Octopussy core services can also be accessed from the operating system shell. That represents a convenient way for administrators to start/stop services or make fundamental configuration changes.

Octopussy RRD

The Octopussy RRD graph generator is a core component of the software and installed by default. Since the generation of such graphs is very resource intensive administrators may opt to disable it on an Octopussy syslog server with a less powerful CPU and a low amount of RAM. The generated RRD graphs displays the activity of all active services for monitored devices, highly depending on the specific service. After a restart of the Octopussy software or during operation, Octo-Dispatcher and Octo-Parser will always process syslog messages in their buffer and queue first and RRD graph generation is delayed. [17] Octo-RRD further depends on Octo-Scheduler, to execute the Octopussy::Report function in order to generate syslog activity RRD graphs, that have been scheduled previously. Finally Octo-Sender has the capability to send report data to arbitrary recipients.

Extensions

There is a plug-in/module system in Octopussy, which is mainly geared towards the modification of Octopussy reports. Such a plug-in consists out of a description file, which defines the plug-in name and functions, and a code file with perl code to process the actual data. [18]

There are also extensions for software related to Octopussy, like e.g. a Nagios plug-in that checks the Octopussy core services (i.e. Octo-Dispatcher, Octo-Scheduler, etc.) as well as the Octopussy parser states and log partitions. [19]

Services & Patterns

The creation of new services and service patterns presents the most important way to extend Octopussy without making changes to the source code. However, since patterns are outlined as simplified regular expressions, administrators should have at least some basic knowledge about regex in general. It is further strongly recommended to build on already existing services and also understand the meaning of a message objects' basic fields, which are message ID, pattern, log level, taxonomy, table and rank. [20]

Usually the logs wizard is used to search the system for unrecognized syslog messages per device to generate new service patterns. During the process the creation of patterns should be in a way that enables Octopussy to distinguish messages based on their severity and taxonomy. [21]

See also

Related Research Articles

Nagios Core, formerly known as Nagios, is a free and open-source computer-software application that monitors systems, networks and infrastructure. Nagios offers monitoring and alerting services for servers, switches, applications and services. It alerts users when things go wrong and alerts them a second time when the problem has been resolved.

<span class="mw-page-title-main">Multi Router Traffic Grapher</span>

The Multi Router Traffic Grapher (MRTG) is free software for monitoring and measuring the traffic load on network links. It allows the user to see traffic load on a network over time in graphical form.

In computing, syslog is a standard for message logging. It allows separation of the software that generates messages, the system that stores them, and the software that reports and analyzes them. Each message is labeled with a facility code, indicating the type of system generating the message, and is assigned a severity level.

In computing, a solution stack or software stack is a set of software subsystems or components needed to create a complete platform such that no additional software is needed to support applications. Applications are said to "run on" or "run on top of" the resulting platform.

<span class="mw-page-title-main">LAMP (software bundle)</span> Acronym for a common web hosting solution

LAMP is an acronym denoting one of the most common software stacks for many of the web's most popular applications. However, LAMP now refers to a generic software stack model and its components are largely interchangeable.

A software repository, or repo for short, is a storage location for software packages. Often a table of contents is also stored, along with metadata. A software repository is typically managed by source control or repository managers. Package managers allow automatically installing and updating repositories.

syslog-ng is a free and open-source implementation of the syslog protocol for Unix and Unix-like systems. It extends the original syslogd model with content-based filtering, rich filtering capabilities, flexible configuration options and adds important features to syslog, like using TCP for transport. As of today, syslog-ng is developed by Balabit IT Security Ltd. It has three editions with a common codebase. The first is called syslog-ng Open Source Edition (OSE) with the license LGPL. The second is called Premium Edition (PE) and has additional plugins (modules) under a proprietary license. The third is called Storebox (SSB), which comes as an appliance with a Web-based UI as well as additional features including ultra-fast-text search, unified search, content-based alerting and a premier tier support.

The following tables compare general and technical information for a number of notable network monitoring systems. Please see the individual products' articles for further information.

Rsyslog is an open-source software utility used on UNIX and Unix-like computer systems for forwarding log messages in an IP network. It implements the basic syslog protocol, extends it with content-based filtering, rich filtering capabilities, queued operations to handle offline outputs, support for different module outputs, flexible configuration options and adds features such as using TCP for transport.

<span class="mw-page-title-main">LYME (software bundle)</span>

LYME and LYCE are software stacks composed entirely of free and open-source software to build high-availability heavy duty dynamic web pages. The stacks are composed of:

SNMPTT is an SNMP trap handler written in Perl for use with the NET-SNMP/UCD-SNMP snmptrapd program. Received traps are translated into user friendly messages using variable substitution. Output can be to STDOUT, text log file, syslog, NT Event Log, MySQL (Linux/Windows), PostgreSQL, or an ODBC database. User defined programs can also be executed.

<span class="mw-page-title-main">Shinken (software)</span>

Shinken is an open source computer system and network monitoring software application compatible with Nagios. It watches hosts and services, gathers performance data and alerts users when error conditions occur and again when the conditions clear.

<span class="mw-page-title-main">Extromatica Network Monitor</span>

Extromatica Network Monitor is a network monitoring application created and maintained by Extromatica company. It is designed to monitor network hardware, servers and network services for faults and performance degradation. It alerts users when things go wrong and again when they get better. The software supports a variety of real-time notification mechanisms, including Short Message Service (SMS).

<span class="mw-page-title-main">Icinga</span> Monitoring software

Icinga is an open-source computer system and network monitoring application. It was originally created as a fork of the Nagios system monitoring application in 2009.

<span class="mw-page-title-main">Monitorix</span>

Monitorix is a computer network monitoring tool that periodically collects system data and uses the web interface to show the information as graphs. Monitorix allows monitoring of overall system performance, and can help detect bottlenecks, failures, unusually long response times and other anomalies.

Mojolicious is a real-time web application framework, written by Sebastian Riedel, creator of the web application framework Catalyst. Licensed as free software under the Artistic License v 2.0, it is written in the Perl programming language, and is designed for use in both simple and complex web applications, based on Riedel's previous experience developing Catalyst. Documentation for the framework was partly funded by a grant from The Perl Foundation.

The following outline is provided as an overview of and topical guide to the Perl programming language:

Checkmk is software developed in Python and C++ for IT Infrastructure monitoring. It is used for the monitoring of servers, applications, networks, cloud infrastructures, containers, storage, databases and environment sensors.

Rainer Gerhards is a German software engineer, network engineer, and protocol designer best known for his Computer data logging work including Rsyslog and Reliable Event Logging Protocol. He began developing Rsyslog in 2004, to forward log messages in an Internet Protocol Network from UNIX and Unix-like computer systems. In 1988, Gerhards founded the company RG Informationssysteme, which was later rebranded as Adiscon GmbH in 1997.

<span class="mw-page-title-main">NXLog</span>

NXLog is a multi-platform log collection and centralization tool that offers log processing features, including log enrichment and log forwarding. In concept NXLog is similar to syslog-ng or Rsyslog but it is not limited to UNIX and syslog only. It supports all major operating systems such as Windows, macOS, IBM AIX, etc, being compatible with many SIEM, log analytics suites and many other platforms. NXLog can handle different log sources and formats, so it can be used to implement a centralized, scalable logging system. NXLog Community Edition is proprietary and can be downloaded free of charge with no license costs or limitations.

References

  1. "Octopussy Detailed Changelog". octopussy.pm, S. Thebert, et al. 2014-04-15. Archived from the original on 2016-03-07. Retrieved 2017-03-21.
  2. "Octopussy News - Octopussy v1.0.16 release!". octopussy.pm, S. Thebert, et al. 2017-06-03. Retrieved 2017-11-03.
  3. "Octopussy – Perl/XML Logs Analyzer, Alerter & Reporter". ubuntugeek.com, ruchi. Retrieved 2017-03-23.
  4. "Octopussy 1.0.0 überwacht Logfiles". Linux Magazin, Mathias Huber. 14 November 2011. Retrieved 2017-03-23.
  5. "Octopussy - Introduction". gentoo-en.vfose.ru, Cyberwizzard, et al. Retrieved 2017-03-23.[ permanent dead link ]
  6. "Octopussy FAQ - How can I handle Windows Hosts?". octopussy.pm, S. Thebert, et al. Retrieved 2017-03-23.
  7. "Octopussy – Perl/XML Logs Analyzer, Alerter & Reporter". ubuntugeek.com, ruchi. Retrieved 2017-03-23.
  8. "Step by Step procedure to install Octopussy (RSyslog Server) on Ubuntu". vulpoint.be, Js Op de Beeck. Retrieved 2017-03-23.
  9. "The CPAN Search Site - search.cpan.org". cpan.org. Retrieved 2017-03-21.
  10. "Octopussy". gentoo-en.vfose.ru, Cyberwizzard, et al. Retrieved 2017-03-23.[ permanent dead link ]
  11. "Configuring Devices to send syslog messages to Octopussy". github.com, S. Thebert. Retrieved 2017-03-23.
  12. "The BSD syslog Protocol". IETF, Network Working Group. Retrieved 2017-03-24.
  13. "Reliable Delivery for syslog". IETF, D. New, M. T. Rose. Retrieved 2017-03-24.
  14. "Octopussy - Octopussy Octo-Dispatcher". github.com, S. Thebert. Retrieved 2017-03-23.
  15. "Octopussy - Octopussy Octo-Parser". github.com, S. Thebert. Retrieved 2017-03-23.
  16. "Octopussy - Octopussy Binaries". github.com, S. Thebert. Retrieved 2017-03-23.
  17. "Octopussy - Octopussy-RRD". github.com, S. Thebert. Retrieved 2017-03-23.
  18. "Octopussy Plugin Howto". octopussy.pm, S. Thebert. Retrieved 2017-03-24.
  19. "Nagios Exchange - Nagios Plugin that checks Octopussy (check_octopussy.pl)". nagios.org/nagiosexchange. Retrieved 2017-03-24.
  20. "Octopussy FAQ - What is a Message in Octopussy?". octopussy.pm, S. Thebert. Retrieved 2017-03-24.
  21. "Octopussy Tutorial: New Service Creation". octopussy.pm, S. Thebert. Retrieved 2017-03-23.
This page is based on this Wikipedia article
Text is available under the CC BY-SA 4.0 license; additional terms may apply.
Images, videos and audio are available under their respective licenses.