Tuesday, April 12, 2005

Blogging from USENIX 2005

I flew from my home in northern Virginia to Anaheim, CA this morning to attend part of USENIX 2005. I managed to join Practical System and Network Monitoring by John Sellens of Syonex. I looked forward to this talk because I typically do not deal with the network performance side of monitoring.

John had to rush the end of his talk because he spent too much time discussing network monitoring projects that he did not recommend or didn't like. I still found his content useful, and I expect his talk tomorrow on System and Network Monitoring: Tools in Depth to be rewarding. Probably the most important lesson from his talk was the need to try out Nagios. I also started thinking about interesting ways to use Net-SNMP to retrieve information from systems running SNMP agents.

John explained that no one has written a definitive text on network performance monitoring. Perhaps I will tackle that subject in the future, or integrate the key theories, tools, and techniques into a future edition of one of my existing book lines.

Finally, in the spirit of Aaron Higbee's recent Secureme blog rant on conference attendees, I offer this thought. What's the deal with people who attend conferences, especially day-long tutorial sessions, but never look up from their laptop? I bet 1/4 to 1/3 of the people in my session spent more than half their time staring at the LCD screens while John spoke. I guess these attendees don't care to concentrate on the speaker's message when the attendees aren't paying for the privilege of being in a class. Alternatively, if you already know the material, why sit through the class at all?

If you're attending USENIX too, stop by my Thursday class Network Security Monitoring with Open Source Tools. I think I'll also be signing copies of my book on Thursday during class breaks or lunch.

3 comments:

Thomas Stromberg said...

If you are interested in Nagios, I highly recommend checking out Zabbix. Like Nagios, you define events and set up constraints on what the expected results should be. Unlike Nagios, Zabbix records the full results data, which is almost always numbers, like the # of seconds a plug-in or command took to run, load, number of swapouts per second. Using this data, you can generate graphs and trend data just like mrtg or cricket.

Also unlike Nagios, you don't have to write plug-ins to check items and exit with a certain code. You simply tell Zabbix to run a command on a remote host, such as:

vmstat | awk '{ print $9 }' | tail -1

... and then in the web interface define what numbers should trigger certain events.

Zabbix is fairly new, and honestly, only the 1.1 alphas are really worth it, but it's something to keep an eye on in the next 6-12 months. I've migrated my network from Nagios to it so I wouldn't have to set up mrtg/cricket on all of the hosts to gather trend data.

Keydet89 said...

I've noticed the same sort of thing about conference attendees...get in a room full of people, and you'll notice a good number of them glued to their laptops...checking email, doing IM, etc. I can see if someone comes into the back of the room and takes a seat away from everyone else...they may simply be trying to get something done.

Another thing that gets me is the guys (and yes, it's always been guys, women don't seem to do this...) who huddle around a laptop and chatter away while you're presenting, and then ask, "what happens if...?" My stock response is something along the lines of, "why don't you try it and then share your results with us?" After all, you've got a system right there to try it on!

I agree with you, though...why sit in on a presentation if you already know the info, and all you're interested in doing is checking your email/IM?

H. Carvey
"Windows Forensics and Incident Recovery"
http://www.windows-ir.com
http://windowsir.blogspot.com

Anonymous said...

I've got /my/ answer to your conference attendee complaint -- I'm in the lecture because I'm desperately hoping to learn something new and interesting, but because I likely won't and don't want to waste the time, I'll work on something else while I'm there, keeping one ear half-open with a filter for new and interesting things.


jsyn