1. Engine Advanced Administration

The NEXThink Engine runs as an appliance, and as such, NEXThink provides the Operating System.

This Operating System is based on Linux CentOS, the current CentOS version used is 5.4 (as of Nov. 17th, 2009). The following documentation requires knowledge of Linux basic commands. For more general information about Linux CentOS, see http://www.centos.org

2. Tools you will need

You will need an SSH client.

For the Windows XP/Vista operating systems, PuTTY is a free SSH client. It can be downloaded here:

http://www.chiark.greenend.org.uk/~sgtatham/putty/

3. Getting started

Open an SSH session on the Engine Server, with the default credentials: login=nexthink and password=123456

For security reasons, don't forget to change your password the first time you log in.

Some privileged commands, and files owned by “root”, are only accessible to the “root” superuser. When using the default “nexthink” SSH account, you need to prepend the Linux “sudo” command to the command you want to run with privileges. On the first call of “sudo”, you will be asked for the “nexthink” user's own password.

Example:

[nexthink@nxt ~]$ /etc/init.d/nxlaunch start
You need to be root to use this command !
[nexthink@nxt ~]$ sudo /etc/init.d/nxlaunch start
Password:

4. Engine default settings, working directory, configuration and log file

4.1. Engine defaults settings

The Engine's default IP address is 192.168.0.99 with a network mask of 255.255.255.0. The default interface used by the Engine is eth0.

Engine V3 Default Network Settings

Service                      | IP Address   | Port | Protocol | Username | Password | Notes
SSH                          | 192.168.0.99 | 22   | SSH      | nexthink | 123456   | Nexthink built-in Support Account for maintenance operations
Web-Console                  | 192.168.0.99 | 99   | HTTPS    | admin    | admin    | Nexthink web-console Admin Account for Engine configuration
Listening Port for Collector | 192.168.0.99 | 999  | UDP      | -        | -        | -
Finder                       | 192.168.0.99 | 999  | TCP      | admin    | admin    | Nexthink Finder Admin Account
Portal                       | 192.168.0.99 | 80   | HTTP     | admin    | admin    | Nexthink Portal Admin Account

4.2. Engine working directory

The Engine working directory is located under /var/nxengine, and is structured the following way:

/var/nxengine/
|-- BACKUPS
|   |-- nxengine-backup-8.gz
|   `-- nxengine-backup_before-3.0.3.3.gz
|-- nxengine-backup.gz -> /var/nxengine/BACKUPS/nxengine-backup-8.gz
`-- nxengine.db

In this example,

  • nxengine.db is the database file to which the Engine regularly flushes its in-memory contents for persistence.

  • nxengine-backup.gz is a symbolic link (soft link) to the most recent compressed backup file in the BACKUPS directory (the nxengine.db file is backed up every night at 04:00).

  • BACKUPS is the directory where the daily backups of nxengine.db are stored; rotation is on a 10 day cycle (i.e. at most 10 files are kept).

4.3. Engine configuration file

The Engine configuration file is nxengine.xml, and is located under /etc/nxengine:

/etc/nxengine/
|-- certificate.pem
|-- key.pem
|-- licenses.txt
|-- nightly_backup.sh
|-- nxengine-default.xml
|-- nxengine.xml
`-- products.db

After any configuration change in the nxengine.xml file, the Engine must be restarted for the change to take effect.

5. Start/Stop the Engine

5.1. Stopping the Engine

[nexthink@reflexengine ~]$ sudo nxinfo launch --remove

5.2. Starting the Engine

[nexthink@reflexengine ~]$ sudo nxinfo launch --add

5.3. Restarting the Engine

[nexthink@reflexengine ~]$ sudo nxinfo launch --restart

Hint: In a multi-engine configuration, the engine number must be passed as a parameter, for example:

[nexthink@reflexengine ~]$ sudo nxinfo launch --remove -g 2

[nexthink@reflexengine ~]$ sudo nxinfo launch --add -g 2

[nexthink@reflexengine ~]$ sudo nxinfo launch --restart -g 2


Prior to Engine 3.2.4.X

When the server boots up, svc is called to start the Engine service. It is the responsibility of supervise to monitor the "nxengine" service and restart it if it dies.

Stopping the engine:

[nexthink@reflexengine ~]$ sudo svc -d /var/spool/services/nxengine/

Starting the engine:

[nexthink@reflexengine ~]$ sudo svc -u /var/spool/services/nxengine/

Restarting the engine:

  • Stop and then start the engine to perform a restart.

When starting the Engine, you can watch the Engine log file live to follow the start-up process until it shows "nxengine is up and running":

[nexthink@nxt ~]$ sudo tail -f /var/log/kengine
Sep 24 17:13:52 nxt NX: [DataStorage.cpp:1422|0xa3c8240] loading signatures ...
Sep 24 17:13:52 nxt NX: [DataStorage.cpp:1480|0xa3c8240] loading events ...
Sep 24 17:13:52 nxt NX: [DataStorage.cpp:1571|0xa3c8240] database loaded in 2.22528s
Sep 24 17:13:52 nxt NX: [DataManager.cpp:231|0xa3c8240] updating objects ...
Sep 24 17:13:52 nxt NX: [DataManager.cpp:234|0xa3c8240] objects updated in 121.078ms
Sep 24 17:13:52 nxt NX: [NxEngineMain.cpp:191|0xa3c8240] nxengine is up and running

5.4. Engine log file

The Engine log file location is: /var/log/kengine

To view the log file “live”, use the unix "tail" command:

[nexthink@nxt ~]$ sudo tail -f /var/log/kengine

(hit CTRL+C to exit)

Should there be any problem with the Engine, this log file is the first thing to check.

6. Performing manual backup of the Engine Memory Database

Use nxinfo backup for that purpose.

[nexthink@nxt ~]$ nxinfo backup -n /home/nexthink/nxengine-backup-`date +%Y-%m-%d-%Hh%Mm`.gz

This creates a backup file whose name carries the current date and time, e.g. /home/nexthink/nxengine-backup-2009-12-14-15h55m.gz

For the usage of nxinfo backup, see:

[nexthink@nxt tmp]$ nxinfo backup --help
usage: nxinfo backup [options]
Backs up the database. The backed up database is compressed in a <gzip> format.

general options:
  -h [ --help ]         Help message
  --engine arg (=1)     Engine number
  --parameter arg       Configuration parameter
  --config arg          Configuration file

backup options:
  -n [ --name ] arg     Backup file name

7. Engine status monitoring

Query the Engine Status and statistics:

[nexthink@nxt ~]$ nxinfo info
process:
 id ..................... 2398
 state .................. Running
 version ................ 3.1.0.4
 executable ............. /usr/bin/nxengine
 virtual memory ......... 1.1GB
 physical memory ........ 951.3MB
 start time ............. 2009-08-12T15:20:51
 uptime ................. 42d 19h 13min 22s
 timezone ............... utc
 finder ................. tcp/999
 collector .............. udp/999
 maximum events ......... 30000000
database:
 logins ................. 16
 users .................. 7256
 products ............... 5937
 applications ........... 7192
 binaries ............... 11575
 sources ................ 7832
 destinations ........... 4612
 signatures ............. 347278
 usages ................. 891708
 events ................. 30000000
 first .................. 2009-04-30T19:19:26
 last ................... 2009-06-02T02:15:00

nxinfo info is a quick way to find out the status and health of an Engine.

The important pieces of information reported here are:

  • version: Engine version number (release version)

  • physical memory: the physical memory currently used by the Engine

  • maximum events and events: maximum events is the maximum number of events that the Engine can record. This parameter is configurable via the file /etc/nxengine/nxengine.xml. events shows the number of events currently stored in the Engine. In this example, maximum events has been reached, so some fine tuning is needed (increase that maximum if the RAM size allows it).

  • logins: number of user accounts in the Engine

  • users: number of users seen on the endpoints

  • products/applications/binaries: number of applications seen on the endpoints

  • sources: number of endpoints (workstations) running the NEXThink Collector and registered by the Engine. This value must match the number of sources included in the license file

  • first and last: the range of data history currently available in the Engine
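As an added illustration (not a Nexthink tool, and the sample text below is constructed in the `nxinfo info` layout shown above), this parses the output and flags the conditions the list above says an administrator should watch for: the Engine not running, maximum events reached, and more sources than the license allows. The licensed source count is passed in as a parameter, since the page only says it must match the license file.

```python
import re

# Constructed sample in the `nxinfo info` layout shown on this page (not real output).
SAMPLE = """process:
 id ..................... 2398
 state .................. Running
 version ................ 3.1.0.4
 physical memory ........ 951.3MB
 maximum events ......... 30000000
database:
 sources ................ 7832
 events ................. 30000000
 first .................. 2009-04-30T19:19:26
 last ................... 2009-06-02T02:15:00
"""

# "<key> ...... <value>" lines; the key may contain spaces ("maximum events").
LINE = re.compile(r"^\s+(?P<key>[a-z ]+?)\s*\.{3,}\s*(?P<value>.*)$")

def parse_nxinfo(text):
    """Return {section: {key: value}} from the dotted key/value layout."""
    sections, current = {}, None
    for line in text.splitlines():
        if line.endswith(":") and not line.startswith(" "):
            current = line[:-1]          # "process:" / "database:" headers
            sections[current] = {}
            continue
        m = LINE.match(line)
        if m and current is not None:
            sections[current][m.group("key").strip()] = m.group("value").strip()
    return sections

def check_engine(text, licensed_sources):
    """Flag the conditions the page tells an administrator to watch for."""
    info = parse_nxinfo(text)
    proc, db = info.get("process", {}), info.get("database", {})
    events = int(db.get("events", 0))
    max_events = int(proc.get("maximum events", 0))
    sources = int(db.get("sources", 0))
    findings = []
    if proc.get("state") != "Running":
        findings.append("engine not running")
    if max_events and events >= max_events:
        findings.append("maximum events reached: oldest data is pruned, consider raising max_connections")
    if sources > licensed_sources:
        findings.append(f"sources ({sources}) exceed licensed count ({licensed_sources})")
    return findings
```

On the appliance, feed it the real text with `check_engine(subprocess.check_output(["nxinfo", "info"], text=True), licensed)`.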

8. The nxinfo command

The nxinfo command is a powerful multi-purpose utility. It is used to interact with the Engine, mainly for administration tasks.

For debugging purposes, it can also be used to fetch data directly from the running Engine, though the preferred and recommended way to read and manipulate data is the NEXThink Finder.

To show which options are available, type:

[nexthink@nxt ~]$ nxinfo help
usage: nxinfo <command> [options]
Available commands are:
- nxinfo info [options]
- nxinfo shell [options]
- nxinfo lua [options]
- nxinfo perf [options]
- nxinfo backup [options]
- nxinfo config [options]
- nxinfo machine [options]
- nxinfo stop [options]
- nxinfo log [options]
- nxinfo license [options]
- nxinfo sql [options]
- nxinfo ldap [options]
- nxinfo mail [options]
- nxinfo database [options]

Type 'nxinfo <command> --help' for help on a specific command.

Among them, the commands useful for administration are: info, perf, config and log. The remaining, more advanced commands are not covered on this page.

9. Fine tuning the Engine

The default settings will suit most environments, from 10 to 3000+ endpoints monitored by the NEXThink Collector. They have been designed to offer maximum flexibility and performance while being able to store and serve up to 50M events (50M is the default maximum number of events).

These settings are fine to get you started, but over time, you may need to adjust them, depending mainly on the following factors:

  • number of endpoints

  • endpoints activity (executions and connections made on endpoints)

  • available physical memory

  • historical data size you want to retain

The Engine uses the /etc/nxengine/nxengine.xml file as its configuration file.

9.1. The Engine configuration file: nxengine.xml

Default nxengine.xml contains:

<config>
    <engine>
        <network>10.0.0.0/8</network>
        <network>172.16.0.0/12</network>
        <network>192.168.0.0/16</network>
        <network>224.0.0.0/4</network>
        <network>255.255.255.255/32</network>
        <limit>
            <max_connections>50000000</max_connections>
        </limit>
        <finder>
            <port>999</port>
        </finder>
        <driver>
            <port>999</port>
        </driver>
        <database>
            <file>/var/nxengine/nxengine.db</file>
        </database>
        <server>nxt.intra.nexthink.com</server>
        <supervisor>
            <port>999</port>
            <authority>873e9c0b50183b613336eea1020f4369</authority>
        </supervisor>
    </engine>
</config>

You will notice that some parameters are configurable directly from within the web-console, e.g. ports used for the Finder/Collector (driver).

Not all parameters are present in the nxengine.xml file. To display a list of all currently running parameters in the Engine, use the nxinfo config -w command:

[nexthink@nxt nxengine]$ nxinfo config -w
<config>
    <server>nxt.intra.nexthink.com</server>
    <init_file></init_file>
    <startup_file></startup_file>
    <products_file>/etc/nxengine/products.db</products_file>
    <timezone>
        <name>UTC</name>
    </timezone>

... OUTPUT TRUNCATED ...

    <limit>
        <max_connections>50000000</max_connections>
        <max_alerts>500</max_alerts>
        <max_log_files>5</max_log_files>
        <max_log_file_size>100000</max_log_file_size>
        <max_cleanup_time>1200</max_cleanup_time>
        <max_binaries>10000</max_binaries>
        <max_services_per_application>5000</max_services_per_application>
        <max_inactivity_period>3456000</max_inactivity_period>
        <max_log_files>5</max_log_files>
        <max_alert_items>100</max_alert_items>
    </limit>
    <nxinfo>
        <unix_socket>/var/nxengine/.nx_unix_socket</unix_socket>
        <shared_mem>nxengine_26507</shared_mem>
    </nxinfo>
    <license>licenses.txt</license>

... OUTPUT TRUNCATED ...

</config>

The nxinfo config -w command is useful for debugging and for reviewing the Engine settings.

The configurable Engine internal parameters are those in the <limit> node of this output. To change one, add it to the <limit> node of the /etc/nxengine/nxengine.xml file with the new value.

9.2. Engine maximum number of events: <max_connections>

The <max_connections/> parameter can be reduced or increased depending on the factors mentioned above. Should the Engine have reached the 50M default limit, you may raise this value up to a maximum of 80M to get the largest possible data history. Using a value above 80M is not recommended.

This parameter has a direct impact on memory consumption, performance, and the Engine's behavior regarding the pruning of old data and its replacement with new data. Adjust this value carefully to obtain the best balance between Engine performance and the size of the historical data, based on the hardware you have, especially in large network environments.

Admittedly, as no two network environments are identical in terms of activity, the default setting is suited to most environments (up to 3000 endpoints).

You may need to check the Engine's health on a regular basis and adjust this setting to keep the Engine running optimally: an environment is never static, and changes will occur over time (network activity, application executions, new applications appearing, users' activity, etc.).
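As an added example (not a Nexthink tool), the function below applies the procedure described in sections 9.1 and 9.2 to the nxengine.xml text: it reads the effective <max_connections> value (the 50M default when the node is absent), refuses values above the 80M ceiling the page recommends, and adds the <limit> node when the file does not yet have one. The XML fragment is constructed from the layout shown above.

```python
import xml.etree.ElementTree as ET

DEFAULT_MAX = 50_000_000          # default maximum stated on the page
RECOMMENDED_CEILING = 80_000_000  # the page advises not to go above 80M

# Constructed fragment in the nxengine.xml layout shown above (no <limit> yet).
SAMPLE_XML = """<config>
    <engine>
        <network>10.0.0.0/8</network>
        <finder><port>999</port></finder>
        <database><file>/var/nxengine/nxengine.db</file></database>
    </engine>
</config>"""

def current_max_connections(xml_text):
    """Effective limit: the configured value, or the default when absent."""
    node = ET.fromstring(xml_text).find("engine/limit/max_connections")
    return int(node.text) if node is not None and node.text else DEFAULT_MAX

def set_max_connections(xml_text, new_value):
    """Return (updated_xml, previous_value); creates <limit> when missing."""
    if not 0 < new_value <= RECOMMENDED_CEILING:
        raise ValueError(f"max_connections must be between 1 and {RECOMMENDED_CEILING}")
    previous = current_max_connections(xml_text)
    root = ET.fromstring(xml_text)
    engine = root.find("engine")
    if engine is None:
        raise ValueError("no <engine> node in nxengine.xml")
    limit = engine.find("limit")
    if limit is None:
        limit = ET.SubElement(engine, "limit")
    node = limit.find("max_connections")
    if node is None:
        node = ET.SubElement(limit, "max_connections")
    node.text = str(new_value)
    return ET.tostring(root, encoding="unicode"), previous
```

Write the returned text back to /etc/nxengine/nxengine.xml (with sudo) and restart the Engine as shown in section 5 for the new limit to take effect.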

10. Contact Information

If you require further assistance regarding the present documentation or if you want to contribute to the accuracy of published information, please open a case using http://support.nexthink.com.
