LDAP monitoring


nina guo

Jul 27, 2022, 11:56:56 PM
to Prometheus Users
Hi dears

I want to compare the value of contextCSN from each ldap server.

contextCSN can be obtained with ldapsearch command.
contextCSN=$(echo "$ldap_search_result" | grep contextCSN | awk '{ print $2 }')

May I ask if it is possible to compare the value?

nina guo

Jul 28, 2022, 12:03:31 AM
to Prometheus Users
For example
contextCSN=$(echo "$ldap_search_result" | grep contextCSN | awk '{ print $2 }')

define a metric:
contextCSN_metrics{instance="ldap01"} $contextCSN

in alert rules:
expr: contextCSN_metrics == ?


nina guo

Jul 28, 2022, 1:43:09 AM
to Prometheus Users
And one more question: I already have node exporter to scrape target group A, but I only want to monitor ldap on ldap servers which are in group A. Can I implement this with textfile collector? Does textfile collector share the same target files with node exporter?

Brian Candler

Jul 28, 2022, 3:02:44 AM
to Prometheus Users
> I want to compare the value of contextCSN from each ldap server.

If you know a specific value of contextCSN that you're looking for, then you can put it in a label, and your alerting expression can check for the absence of a timeseries:
    expr: absent(foo{instance="bar",contextCSN="abcd1234"})

Otherwise, the way blackbox_exporter deals with this is to put a *hash* of the IP address as a numeric metric.

# curl -g 'localhost:9115/probe?module=smtp_starttls&target=aspmx.l.google.com:25'
...
# HELP probe_ip_addr_hash Specifies the hash of IP address. It's useful to detect if the IP address changes.
# TYPE probe_ip_addr_hash gauge
probe_ip_addr_hash 2.750000148e+09


The hash by itself is not meaningful, but it can be compared with previous values of the hash to see if the IP address changes.  You could do the same thing for contextCSN.

Brian Candler

Jul 28, 2022, 3:05:44 AM
to Prometheus Users
On Thursday, 28 July 2022 at 06:43:09 UTC+1 ninag...@gmail.com wrote:
> And one more question: I already have node exporter to scrape target group A, but I only want to monitor ldap on ldap servers which are in group A. Can I implement this with textfile collector? Does textfile collector share the same target files with node exporter?

textfile collector is one of the (many) collectors which are parts of node_exporter.  Any single scrape of node_exporter will return all metrics from all enabled collectors on that node.

Therefore, if you have a scrape job which scrapes node_exporter, then you'll get textfile collector results from all of those nodes - at least, those which have the --collector.textfile.directory flag set.

Michael Ströder

Jul 28, 2022, 4:39:37 AM
to Prometheus Users
On 7/28/22 09:02, Brian Candler wrote:
> > I want to compare the value of contextCSN from each ldap server.
>
> If you know a specific value of contextCSN that you're looking for, then
> you can put it in a label, and your alerting expression can check for
> the absence of a timeseries:
>     expr: absent(foo{instance="bar",contextCSN="abcd1234"})

OpenLDAP's contextCSN values change a lot for each write operation to
one of the provider replicas. From my understanding putting these values
in labels would create a new time-series all the time you write to your
OpenLDAP servers.

Or maybe I did not really get your idea.

Ciao, Michael.

Michael Ströder

Jul 28, 2022, 4:51:32 AM
to Prometheus Users
On 7/28/22 05:56, nina guo wrote:
> I want to compare the value of contextCSN from each ldap server.

You seem to be using OpenLDAP.

Note that contextCSN values have to be compared pair-wise distinguished
by serverID.

The OpenMetrics output of my slapdcheck [1] is still not really nice
because it's mainly a compat wrapper around the legacy monitoring data.
But you can query the metrics and it already does the pair-wise
contextCSN comparison.

I usually invoke slapdcheck as systemd one-shot service [2] triggered by
a systemd timer unit [3] and let it write the output to a file to be
collected by node-exporter's text-file collector. (The caveat is that
the metrics time is not the same as the collect time.)

BTW: I find it also useful to let mtail extract some other metrics from
OpenLDAP stats log level messages [4]. Beware the example adds client IP
addresses to labels which can lead to time-series explosion if you have
many LDAP clients from different IP addresses. Adapt it to your needs.

[1] https://code.stroeder.com/ldap/slapdcheck

[2] https://code.stroeder.com/AE-DIR/ansible-ae-dir-server/src/branch/main/templates/systemd/slapdcheck.service.j2

[3] https://code.stroeder.com/AE-DIR/ansible-ae-dir-server/src/branch/main/templates/systemd/slapdcheck.timer.j2

[4] https://code.stroeder.com/AE-DIR/ansible-ae-dir-server/src/branch/main/templates/mtail/ae-slapd.mtail.j2

Ciao, Michael.
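
Added example (not part of the thread and not slapdcheck's code): one way to turn contextCSN values into numeric gauges keyed by serverID for the textfile collector, so replicas are compared pair-wise per serverID without putting the changing CSN in a label. The metric name, function names and sample data are assumptions made for illustration.

```python
import re
from datetime import datetime, timezone

# OpenLDAP CSN layout: <UTC time>.<usec>Z#<count>#<serverID>#<mod>, counters in hex.
CSN_RE = re.compile(
    r"(\d{14})\.(\d{6})Z#[0-9a-fA-F]{6}#([0-9a-fA-F]{3})#[0-9a-fA-F]{6}$")

def parse_csn(value):
    """Return (serverID, epoch seconds) for one contextCSN value."""
    m = CSN_RE.match(value.strip())
    if m is None:
        raise ValueError(f"not a contextCSN value: {value!r}")
    when = datetime.strptime(m.group(1), "%Y%m%d%H%M%S").replace(tzinfo=timezone.utc)
    return int(m.group(3), 16), when.timestamp() + int(m.group(2)) / 1e6

def csn_by_sid(ldif):
    """Map serverID -> newest CSN time from the contextCSN lines of ldapsearch output."""
    newest = {}
    for line in ldif.splitlines():
        name, _, value = line.partition(":")
        if name.strip().lower() == "contextcsn":
            sid, ts = parse_csn(value)
            newest[sid] = max(ts, newest.get(sid, 0.0))
    return newest

def render_prom(newest):
    """Text for a .prom file; the metric name is hypothetical, not a standard one."""
    lines = ["# TYPE ldap_contextcsn_timestamp_seconds gauge"]
    for sid, ts in sorted(newest.items()):
        lines.append(f'ldap_contextcsn_timestamp_seconds{{sid="{sid:03x}"}} {ts:.6f}')
    return "\n".join(lines) + "\n"

def replication_lag(per_server):
    """Per serverID, seconds between the newest and oldest view held by any server."""
    lag = {}
    for sid in set().union(*per_server.values()):
        seen = [csns[sid] for csns in per_server.values() if sid in csns]
        lag[sid] = max(seen) - min(seen)
    return lag

# Constructed sample ldapsearch output from two replicas (not real data).
LDAP01 = "contextCSN: 20220728035631.000000Z#000000#001#000000\ncontextCSN: 20220728035500.000000Z#000000#002#000000\n"
LDAP02 = "contextCSN: 20220728035601.000000Z#000000#001#000000\ncontextCSN: 20220728035500.000000Z#000000#002#000000\n"

if __name__ == "__main__":
    print(render_prom(csn_by_sid(LDAP01)), end="")
    print(replication_lag({"ldap01": csn_by_sid(LDAP01), "ldap02": csn_by_sid(LDAP02)}))
```

With each server writing its own file, the same comparison in an alert rule would be `max by (sid) (ldap_contextcsn_timestamp_seconds) - min by (sid) (ldap_contextcsn_timestamp_seconds)` against a threshold of your choosing.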

nina guo

Jul 28, 2022, 10:45:24 PM
to Prometheus Users
Thank you very much for your detailed guidance Michael. I will continue to investigate.

Many thanks for your continuous help Brian.

nina guo

Jul 29, 2022, 2:28:58 AM
to Prometheus Users
If node exporter is running in k8s, and I start a container in the k8s cluster to configure textfile collector,
is there any difference from textfile collector configured on a server?
In order to get the .prom file, what should I do in the k8s cluster?

nina guo

Aug 3, 2022, 4:04:28 AM
to Prometheus Users
Hi,

I will schedule a cronjob as a pod in k8s cluster to generate the metrics.

The node exporter is already deployed in the k8s cluster.

If I use textfile collector, is it the same as configuring it on a server, that is, storing the .prom in /var/log/collector, and then node exporter will collect the metrics automatically?
