iNet: A Remote Monitoring System using i-mode Phone

Hideki Koike and Kazunao Wakai
Graduate School of Information Systems, University of Electro-Communications
1-5-1, Chofugaoka, Chofu, Tokyo, 182-8585, Japan
[email protected]

Abstract

Many system administrators carry pagers or note PCs to monitor their systems remotely. Although the pager is easy to carry, it only receives short messages. The note PC lets administrators investigate the system in detail, but it is heavy and takes time to establish communication. This paper describes a remote monitoring system using a mobile phone (i-mode phone). The system is composed of two subsystems: a passive monitoring system and an active monitoring system. The passive monitoring system monitors the target system and sends alarms via email and voice when a particular value matches a pre-defined condition. The active monitoring system allows administrators to interact with the remote system using the i-mode capability; it displays the current status of the system with color diagrams and text.

1 Introduction

Administration of computer systems is becoming more and more important. Traditionally, system administration has been done to ensure stable and continuous operation of the systems during business hours. However, even during business hours the administrators cannot watch the system all day because, for example, they leave for lunch. Moreover, it has now become necessary to monitor the system 24 hours a day because of the globalization of business and the increase in unauthorized access from all around the world. Therefore, there is strong demand for a system which monitors the computer system and sends warnings to the administrator when trouble occurs. For this purpose, some administrators carry pagers or note PCs. However, as we describe in the next section, both have their advantages and disadvantages.

This paper describes a remote monitoring system using an Internet phone. The next section compares monitoring using pagers, note PCs, and Internet phones. Section 3 describes the remote monitoring system we developed. Section 4 describes an example session using the system. Section 5 discusses the advantages and disadvantages of the system, Section 6 reviews related work, and Section 7 concludes the paper.

2 Methods for Remote Monitoring

2.1 Pager vs. Note PC

Currently there are two major ways to monitor remote computer systems: using a pager and using a note PC. Many system administrators carry one or both devices. The first advantage of the pager is its portability: it can be carried anytime, anywhere because it is very light. The next advantage is that messages can be received anytime, anywhere. It is important that such messages are received passively, without any action by the administrator. On the other hand, the major disadvantage of the pager is that the message length is very short. With such a small amount of information, the administrator can recognize that something is happening to the system but cannot understand the details of the trouble. The note PC, by contrast, lets the administrator investigate the remote system in detail and interactively. However, one major disadvantage of the note PC is its weight. Current note PCs weigh 1.0 to 3.0 kg and are "portable," but they cannot be carried all the time (e.g. when going to lunch, a bar, or the restroom). The next disadvantage is that time and effort are required to connect to the remote system. For example, the administrator first has to connect the PC and a cellular phone with a cable, then dial the Internet service provider and go through a login procedure. Although this sequence may take only 1 or 2 minutes, such a delay is not negligible in an emergency. Moreover, the note PC is not always connected to the network, so it cannot passively receive warnings from the remote system.

From these discussions, we think the following requirements are important for a remote monitoring system:

• the device can be carried anytime, anywhere (portability);
• the administrator can connect to the remote system quickly (connectivity);
• they can see a certain amount of information (information amount);
• they can receive messages passively (passiveness);
• they can get the information interactively (interactivity).

Table 1: Comparison between pager, note PC, Internet phone.

                   portability  connectivity  info. amount  passiveness  interactivity
pager              ○            ○             ×             ○            ×
note PC            ×            ×             ○             ×            ○
pager + note PC    ×            ×             ○             ○            ○
Internet phone     ○            ○             △             ○            ○

2.2 Internet phone

In recent years, Internet-accessible phones have spread very rapidly. Such phones can send and receive email and browse web pages. For example, over 44,000,000 Internet phones were in use in Japan at the end of September 2001. The Internet phone combines the advantages of the pager with those of the note PC. First, Internet phones are as portable as pagers. Second, they can passively receive email anytime, anywhere. Moreover, as we describe in a later section, it is possible to observe the activity of the remote system in detail. Table 1 shows a comparison between pager, note PC, and Internet phone.

3 Implementation

Based on the discussion in the previous section, we developed a remote monitoring system using an Internet phone. As the Internet phone, we chose the i-mode phone by NTT DoCoMo (systems for other carriers were also developed). Figure 1 illustrates an overview of the system. The main feature of the system is that a passive alerting system by email and an interactive monitoring system using the web are integrated into one system through the i-mode phone (Figure 2). In the following, we describe the passive alerting system and the interactive monitoring system.

Figure 1: Overview of iNet system. (On the server: command execution on the target systems, collecting data, filtering data, checking each data item, making Compact HTML pages, served by a WWW server; on the i-mode phone: browsing, and alerting by email/voice.)

Figure 2: Passive monitoring and interactive monitoring. (PASSIVE: the server sends a voice message and email to the i-mode phone; ACTIVE: graphics and HTML are browsed from the phone.)

3.1 Passive alerting system by email

The alerting system periodically collects information from the target computers. If a value exceeds a threshold pre-defined by the administrator, the system sends an email and makes a call to the phone. The reason for using both email and a voice call is to ensure that the alert reaches the administrator. The system currently uses the results of some UNIX system commands, system logs, and logs produced by an intrusion detection system. As shown in Figure 3, each alert is sent only after the system has checked all the results, so the phone does not receive multiple emails when two or more troubles occur at the same time.

Figure 3: Alert delivery. (The WARN! result of each command is placed in a QUEUE and delivered as a single alert.)

3.2 Remote monitoring by web browsing

The other feature of our system is interactive remote monitoring using web browsing. The system displays the current status of the remote systems with visualization and text. Figure 4 is an example screen displayed on the phone. Textual representation can show detailed information about the system, but the small display shows only a limited number of characters (e.g. 100 characters) at a time. Visual representation, on the other hand, can show an abstract image of a large amount of information. Although the administrators cannot obtain detailed information from this small visualization, they can obtain a macroscopic understanding at a glance. If they want to know the details, they can refer to other pages linked from this page.

Figure 4: An example screen.

3.3 Monitoring commands

Currently the system provides the command menu shown in Figure 5.

Figure 5: Command menu.

3.3.1 top

The top command shows the system usage statistics. Fig. 6(a) shows the visualization obtained by invoking the top command. It displays CPU load, the number of processes, CPU usage, memory usage, and swap usage with time on the horizontal axis. At the same time, detailed information such as CPU load, CPU consumption, the number of running/sleeping processes, memory usage, etc. is shown as text.

3.3.2 w

The w command is used to see the current activity on the system. Fig. 6(b) shows an example visualization. The upper graph shows the number of users and the lower graph shows the number of commands invoked. As detailed information, the name of the terminal, the host from which the user is logged in, the time the user logged on, and the name and arguments of the current process are displayed as text.

3.3.3 last

The last command is used to list login sessions. Fig. 6(c) illustrates an example visualization. The horizontal axis represents time. The number of accesses is displayed as bar charts, categorized by network domain.

3.3.4 netstat

The netstat command is used to see the statistics of connections to the host. Fig. 6(d) shows an example visualization. This diagram shows the number of accesses in each period of time, categorized by network domain as in the last command. As detailed information, a list of connection ports is given; the connection status and queue status are displayed on another page.

3.3.5 df

The df command is used to monitor disk usage. Fig. 6(e) shows an example visualization. The vertical axis represents the list of file systems and the horizontal axis represents time. As detailed information, the name of each file system, its total disk space, its used space, and its free space are displayed.

3.3.6 syslog

The syslog command is used to see an abstracted image of the UNIX syslog file. Fig. 6(f) illustrates an example visualization. The upper graph shows the number of log entries produced in each period of time, and the lower graph shows the length of the log entries in each period. This visualization is used to find abnormal increases in log entries in a period (such as during DoS attacks).

4 Example

This section demonstrates an example usage of our system. When the target system is accessed using the telnet protocol from an unknown host, this access matches the rule for netstat, and the administrator receives an email such as the one shown in Fig. 7.

Figure 7: Warning mail from NETSTAT system.
    Subject: iNet WARNING —— 2000/05/12 17:16
    [NETSTAT] Access from other hosts
    vanhalen.other.net Port 23/3299 Queue 0/0 TIME_WAIT

The administrator accesses the system using his i-mode phone and sees a screen such as Fig. 5, which lists the commands. Since the warning email was sent by netstat, the administrator chooses the netstat command. Fig. 4 shows the page produced by netstat. The left figure is the main page. At the top of the page, the time the data was collected and the host names are displayed. Next, a visualization is displayed. Then a list of the hosts which accessed the target appears. Below each host name, a list of icons representing the connection status and the port numbers are displayed. Each host name is a link to another page which shows detailed information about the access. In the warning email (Fig. 7), the administrator sees the host name "vanhalen," so s/he chooses this link and sees a screen as in Fig. 4 (right). In addition to the previous information, the complete host name, the status of the send/receive queues, and the connection status are displayed. From this information, the administrator knows that the host "vanhalen" connected using the telnet protocol, that its connection status is TIME_WAIT, and that the connection is closing. If the connection is not yet closed, the administrator can investigate what the user is doing by choosing the "w" and "top" commands. Even if the connection has already been closed, s/he can find out which account name was used by means of the "last" command. Fig. 8 shows a list of account names, with the start and stop times of each session and the name of the host. From Fig. 8 we can see that the account "ghintec" was used to log on.

Figure 8: A snapshot produced by LAST command.
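The data handling behind Sections 3.3.3, 3.3.4 and the walk-through above, as an added example that is not code from the iNet paper: parse BSD-style netstat and last output, group hosts by network domain (the categorisation the last/netstat visualisations use), produce the one-line warning of Figure 7, and answer "which account did that host use?" from the last output. The sample outputs are constructed, and the exact column layout of the target systems' commands is an assumption.

```python
"""Parsing netstat and last output the way an iNet-style monitor would.

Added example; not code from the iNet paper. Sample outputs are constructed
and the column layout of the real target systems is an assumption.
"""
import re
from collections import Counter
from dataclasses import dataclass
from typing import Dict, List, Optional

# Constructed netstat output (BSD layout: host and port joined by a dot).
SAMPLE_NETSTAT = """\
Active Internet connections
Proto Recv-Q Send-Q  Local Address           Foreign Address          (state)
tcp        0      0  target.lab.example.23   vanhalen.other.net.3299  TIME_WAIT
tcp        0      0  target.lab.example.22   bach.lab.example.1023    ESTABLISHED
tcp        0      0  *.80                    *.*                      LISTEN
"""

# Constructed last output.
SAMPLE_LAST = """\
ghintec  ttyp2  vanhalen.other.net   Fri May 12 17:10 - 17:16  (00:06)
koike    ttyp0  bach.lab.example     Fri May 12 09:01 - 18:30  (09:29)
wakai    ttyp1  mozart.lab.example   Fri May 12 10:15   still logged in

wtmp begins Mon May  1 00:00
"""


@dataclass
class Conn:
    proto: str
    recv_q: int
    send_q: int
    local_port: str
    remote_host: str
    remote_port: str
    state: str


@dataclass
class Session:
    user: str
    tty: str
    host: str
    start: str
    end: Optional[str]   # None while still logged in


_ADDR = re.compile(r"^(.*)[.:]([^.:]+)$")   # split "host.port" or "host:port"


def parse_netstat(text: str) -> List[Conn]:
    conns = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 6 or not parts[0].startswith(("tcp", "udp")):
            continue
        proto, rq, sq, local, foreign, state = parts
        _lhost, lport = _ADDR.match(local).groups()
        rhost, rport = _ADDR.match(foreign).groups()
        if not rport.isdigit():          # "*.*": listening socket, no peer
            continue
        conns.append(Conn(proto, int(rq), int(sq), lport, rhost, rport, state))
    return conns


_LAST = re.compile(
    r"^(?P<user>\S+)\s+(?P<tty>\S+)\s+(?P<host>\S+)\s+"
    r"(?P<start>\w{3}\s+\w{3}\s+\d{1,2}\s+\d\d:\d\d)\s+"
    r"(?:-\s+(?P<end>\d\d:\d\d)|still logged in)")


def parse_last(text: str) -> List[Session]:
    out = []
    for line in text.splitlines():
        m = _LAST.match(line)
        if m:   # "wtmp begins ..." and blank lines do not match
            out.append(Session(m["user"], m["tty"], m["host"], m["start"], m["end"]))
    return out


def domain_of(host: str) -> str:
    """Everything after the first label, e.g. vanhalen.other.net -> other.net."""
    return host.split(".", 1)[1] if "." in host else host


def count_by_domain(hosts: List[str]) -> Dict[str, int]:
    """Per-domain access counts, the grouping the last/netstat bars use."""
    return dict(Counter(domain_of(h) for h in hosts))


def format_warning(c: Conn) -> str:
    """Same shape as the NETSTAT line in the Figure 7 warning mail."""
    return (f"{c.remote_host} Port {c.local_port}/{c.remote_port} "
            f"Queue {c.recv_q}/{c.send_q} {c.state}")


def accounts_from_host(sessions: List[Session], host: str) -> List[str]:
    """Accounts that logged in from `host`; a bare host name matches its FQDN."""
    hits = {s.user for s in sessions
            if s.host == host or s.host.startswith(host + ".")}
    return sorted(hits)
```

Keying the account lookup on the bare host name mirrors what the administrator actually sees on the phone ("vanhalen", truncated by the small display), while the domain grouping deliberately drops only the first label so that hosts inside one organisation are counted together.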

5 Discussion

The system has been used in our laboratory for about 1.5 years. Throughout the experimental use, the following advantages and disadvantages were reported.

Figure 6: Example visualizations produced by each command: (A) top, (B) w, (C) last, (D) netstat, (E) df, (F) syslog.

The main advantage of our system is that it provides remote monitoring capability anytime, anywhere while keeping the same portability as a pager. It is difficult to judge whether the trouble at the remote system is serious just from the message received by a pager. It is much easier for the administrator to recognize the situation from more detailed information presented as visualization and text. Moreover, our system enables quick decision making and fine-grained monitoring because it does not require time and effort to connect to the remote system.

5.1 Warning system

Detecting trouble in the system is not enough by itself. Currently we are combining our system with an intrusion detection system (IDS, e.g. Snort [4]). When the IDS detects illegal access, the system sends a warning email to the phone. However, if the system receives a huge number of accesses in a short period of time, as seen in DoS attacks, the number of warning emails also increases, and the administrator has to pick the important warnings out of a huge number of mails. Also, current phones can hold only about 200 emails; if the emails exceed this limit, the remaining emails are kept at the i-mode center and are not delivered to the phone.
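The alert path of Section 3.1 (check every result first, then send a single message, Figure 3) together with the missing piece this section describes, as an added example that is not code from the iNet paper: a suppression window so that one burst of identical events, such as a DoS, yields one mail rather than hundreds. The thresholds, the trusted-domain list, the 30-minute window and the sample data are all assumptions.

```python
"""Alert batching and storm suppression for an iNet-style passive monitor.

Added example; not code from the iNet paper. Thresholds, trusted domains,
the suppression window and the sample data are assumptions.
"""
from dataclasses import dataclass, field
from datetime import datetime, timedelta
from typing import Dict, List, Optional, Tuple

# Constructed "collected data" for one check cycle; the real system would
# obtain it by running df/netstat on the target hosts.
SAMPLE_DF = [("/dev/sd0a", 41), ("/dev/sd0g", 97)]       # (filesystem, % used)
SAMPLE_NETSTAT = [                                        # (remote host, local port, state)
    ("vanhalen.other.net", 23, "TIME_WAIT"),
    ("bach.lab.example", 22, "ESTABLISHED"),
]
TRUSTED_DOMAINS = ("lab.example",)                         # assumed


def in_trusted_domain(host: str) -> bool:
    # Exact label match, so "evil-lab.example" does not pass as trusted.
    return any(host == d or host.endswith("." + d) for d in TRUSTED_DOMAINS)


@dataclass
class Finding:
    source: str   # check that produced it, e.g. "NETSTAT"
    key: str      # stable identity used for suppression
    text: str     # one line of the mail body


def check_df(rows, threshold: int = 90) -> List[Finding]:
    return [Finding("DF", f"df:{fs}", f"[DF] {fs} {used}% used")
            for fs, used in rows if used >= threshold]


def check_netstat(rows) -> List[Finding]:
    # Key on the remote host only, so 500 connections from one attacker
    # collapse into one finding within the same cycle.
    return [Finding("NETSTAT", f"netstat:{host}",
                    f"[NETSTAT] Access from other hosts {host} Port {port} {state}")
            for host, port, state in rows if not in_trusted_domain(host)]


@dataclass
class Alerter:
    suppress_for: timedelta = timedelta(minutes=30)
    last_sent: Dict[str, datetime] = field(default_factory=dict)
    sent_mails: List[Tuple[str, str]] = field(default_factory=list)

    def run_cycle(self, now: datetime, findings: List[Finding]) -> Optional[Tuple[str, str]]:
        """Evaluate ALL findings of this cycle, then emit at most one mail."""
        fresh: List[Finding] = []
        for f in findings:
            seen = self.last_sent.get(f.key)
            if seen is not None and now - seen < self.suppress_for:
                continue                      # already reported recently
            self.last_sent[f.key] = now       # also dedups within this cycle
            fresh.append(f)
        if not fresh:
            return None
        mail = (f"iNet WARNING {now:%Y/%m/%d %H:%M}",
                "\n".join(f.text for f in fresh))
        self.sent_mails.append(mail)          # stand-in for sendmail + voice call
        return mail
```

The suppression state is keyed on a stable identity (host, file system) rather than on the message text, so a persisting condition is re-announced once per window instead of once per cycle, and the phone's 200-message store is not filled by a single incident.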

5.2 Monitoring system

It is easy to imagine that the system would be much more useful if the administrator could invoke system commands directly, such as "shutdown". It is possible and easy to add such a function to our system. However, it is not officially implemented because of security issues: in the current implementation we do not use any authentication, so anyone who can reach the server can access the system. To make the system practical, this issue must be solved. Each HTML page is updated periodically by UNIX cron, so the page the administrator is viewing shows not the current status of the system but the status a few minutes earlier. A real-time capability still needs to be implemented.
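The shape the web front end should take before either of the changes above (authentication, or a "shutdown" command) is exposed, as an added example that is not code from the iNet paper: a fixed allow-list of read-only commands mapped to the pre-built pages, a shared-secret token compared in constant time, and an explicit refusal of anything outside the list. The token, the page paths and the request shape are assumptions.

```python
"""Authenticated, allow-listed command dispatch for an iNet-style web front end.

Added example; not code from the iNet paper. The token, page paths and
request shape are assumptions.
"""
import hashlib
import hmac
from dataclasses import dataclass
from typing import Dict, Optional

# The read-only commands of the paper's menu (Section 3.3). Each maps to
# the Compact HTML page cron has already generated; nothing here runs a
# shell, so there is no command string for a phone user to inject into.
READ_ONLY_PAGES: Dict[str, str] = {
    "top": "/var/inet/pages/top.html",
    "w": "/var/inet/pages/w.html",
    "last": "/var/inet/pages/last.html",
    "netstat": "/var/inet/pages/netstat.html",
    "df": "/var/inet/pages/df.html",
    "syslog": "/var/inet/pages/syslog.html",
}

# Assumed shared secret, stored only as a digest. In practice load it from a
# root-only file; never embed it in the CGI or in a page the phone bookmarks.
SECRET_TOKEN_SHA256 = hashlib.sha256(b"example-token-not-for-production").hexdigest()


@dataclass
class Request:
    command: str
    token: Optional[str]


@dataclass
class Response:
    status: int
    body: str


def token_ok(presented: Optional[str]) -> bool:
    """Hash the presented token, then compare digests in constant time."""
    if presented is None:
        return False
    digest = hashlib.sha256(presented.encode()).hexdigest()
    return hmac.compare_digest(digest, SECRET_TOKEN_SHA256)


def dispatch(req: Request) -> Response:
    if not token_ok(req.token):
        return Response(401, "authentication required")
    # Exact-match allow-list: no normalisation, no shell, no path built from
    # user input, so "shutdown", "df;rm -rf /" and "../top" all fall through.
    page = READ_ONLY_PAGES.get(req.command)
    if page is None:
        return Response(403, "command not permitted")
    return Response(200, page)   # a real handler would read and return the file
```

Because every menu entry resolves to a file cron wrote earlier, the web layer never gains the privilege to run anything; a future "shutdown" entry would have to be a separate, explicitly privileged path with its own stronger check rather than one more key in this dictionary.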

5.3 i-mode specific issues

There are some limitations in our system which stem from the i-mode specification.

• Page size: In the current i-mode specification, the maximum page size is limited to 5 kbytes. To make more effective visualizations, this limit should be enlarged.
• Maximum number of emails: As mentioned earlier, the number of emails that can be stored on the phone is about 200. This is not enough and should be enlarged.
• Delay of email delivery: Emails are delivered via the i-mode center. When the center is crowded (such as at commuting times, around 7:00am and 5:00pm), it takes longer to receive emails; in our experimental use, delivery was sometimes delayed by 3 to 5 minutes. This delay might be critical when the system is in an emergency. Also, the system does not work when the i-mode center is down. This issue might be mitigated by using phones of other carriers together with the i-mode phone.
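One way to live within the 5 kbyte page limit above, as an added example that is not code from the iNet paper: take the per-host lines a netstat page would carry, emit a chain of minimal HTML pages each under the limit, and link each page to the next. Size is measured in bytes after encoding, since the limit is on transferred bytes rather than characters; the encoding (Shift_JIS, which i-mode handsets accepted), the file-name scheme and the tag layout are assumptions.

```python
"""Splitting a status page to fit the i-mode page-size limit.

Added example; not code from the iNet paper. Encoding, file names and tag
layout are assumptions; the 5 kbyte limit is the one stated in Section 5.3.
"""
from typing import List

PAGE_LIMIT = 5 * 1024      # 5 kbyte i-mode limit from Section 5.3
ENCODING = "shift_jis"     # assumed; must match what the WWW server sends


def render_page(title: str, lines: List[str], next_href: str = "") -> str:
    body = "<br>\n".join(lines)
    nav = f'\n<br><a href="{next_href}">next</a>' if next_href else ""
    return (f"<html><head><title>{title}</title></head><body>"
            f"{title}<br>\n{body}{nav}</body></html>")


def page_bytes(page: str) -> int:
    """Size as transferred, not len() of the Python string."""
    return len(page.encode(ENCODING))


def paginate(title: str, lines: List[str], base: str = "ns") -> List[str]:
    """Greedy split: keep adding lines while the rendered page, including
    its 'next' link, stays within PAGE_LIMIT. Returns the rendered pages."""
    chunks: List[List[str]] = []
    i = 0
    while i < len(lines):
        chunk: List[str] = []
        next_href = f"{base}{len(chunks) + 2}.html"   # page n links to page n+1
        while i < len(lines):
            if page_bytes(render_page(title, chunk + [lines[i]], next_href)) > PAGE_LIMIT:
                break
            chunk.append(lines[i])
            i += 1
        if not chunk:   # a single line that cannot fit; refuse rather than emit an oversize page
            raise ValueError(f"line {i} alone exceeds the {PAGE_LIMIT}-byte limit")
        chunks.append(chunk)
    pages = []
    for n, chunk in enumerate(chunks):
        last = n + 1 == len(chunks)
        # The final page has no link, so it is only smaller than what was measured.
        pages.append(render_page(title, chunk, "" if last else f"{base}{n + 2}.html"))
    return pages
```

Checking the size with the navigation link already rendered means the measured page and the served page are identical; a splitter that measures the body alone and appends the link afterwards can overshoot the limit by exactly the link's length.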

6 Related Work

6.1 Automatic monitoring

There are some automatic monitoring systems. For example, Swatch [3] monitors log files and triggers the corresponding actions pre-defined in its configuration file.

6.2 Visualization

To monitor a system, there are tools which visualize the status of the system in real time. For example, xload and GKrellM [7] display the load of the system in real time. Such visualizations are simple, but they are useful for finding abnormal behavior of the system. Seelog [1] visualizes each line of a log file as a colored line. Such a visualization technique is useful for seeing statistical information about the log file. We applied this technique in Fig. 6(f).

7 Conclusions

This paper described a remote monitoring system using an Internet cellular phone. The system simultaneously provides the portability and passiveness of a pager-based system and the interactivity of a note-PC-based system.

References

[1] Eick, S. G. and Lucas, P. J.: Displaying Trace Files, Software Practice and Experience, Vol. 26, No. 4, pp. 399–409 (1996).
[2] Habra, N. et al.: ASAX: Software Architecture and Rule-Based Language for Universal Audit Trail Analysis, Proc. of ESORICS'92, pp. 23–25 (1992).
[3] Hansen, S. and Atkins, E.: Automated System Monitoring and Notification With Swatch, USENIX Seventh System Administration Conference, pp. 145–155 (1993).
[4] Roesch, M.: Snort - Lightweight Intrusion Detection for Networks, USENIX LISA '99 Conference (1999).
[5] Takada, T. and Koike, H.: MieLog: A Log Browser Using Information Visualization and Text Mining, Trans. of IPSJ, Vol. 41, No. 12 (2000). In Japanese.
[6] Wakai, K. and Koike, H.: A Remote Network Monitoring System Using Cellular Phone, Proc. of DICOMO'2000, IPSJ, pp. 415–420 (2000). In Japanese.
[7] Wilson, B.: GKrellM. http://web.wt.net/billw/gkrellm/gkrellm.html