[rancid] Re: rancid use scenarios

Ryan Speed rspeed at gmail.com
Wed May 31 16:11:43 UTC 2006


rancid just found its director of marketing, methinks ;)

On 5/30/06, Mordechai T. Abzug <morty at frakir.org> wrote:
> On Tue, May 30, 2006 at 12:24:44PM -0700, Chris Moody wrote:
>
> We have 350+ nodes in rancid.  We have a number of smaller management
> domains rather than one massive implementation; the largest domain has
> 125 rancid-monitored nodes.  rancid is relatively lightweight,
> especially if you tune down the number of parallel gets, so we run it
> as an extra process on existing NMS stations.  It also requires almost
> no space, thanks to using CVS; from a resource consumption
> perspective, it actually scales lots better than some commercial
> equivalents.
>
> If you are located in the US, regardless of your feelings, chances are
> that you need rancid or something like it for legal compliance --
> between SOX, FISMA, and HIPAA, most commercial and government entities
> need lots of monitoring.  If you don't think you need it now, but you
> are subject to any kind of auditing and haven't been audited yet, do
> yourself a favor and implement it now.
>
> Quite aside from legal issues, tools like rancid are great for lots of
> real-life reasons.  They are good for:
>
> * detecting surprise changes ("when did that change occur?  Sure would
>   be nice to have an automated tool to tell us when someone makes a
>   change in the middle of the night and forgets to send email");
>
> * security monitoring of routers ("where did that permissive ACL come
>   from?  Sure would be nice if a tool could tell us what changes
>   occurred on routers, so if anything suspicious happens, we can know
>   immediately instead of when it ends up in the media");
>
> * exercising router flashes ("Whoops, the flash went bad but the
>   device continued to function in-memory, so nobody noticed until a
>   power outage.  Sure would be nice if we had a tool that periodically
>   logged in to devices and ran a bunch of commands that demonstrate
>   that it is working well");
>
> * backing up configs ("Our last manual backup of the router config was
>   5 years ago; we've upgraded it twice, and added lots of ACLs since
>   then.  Wouldn't an automated way to get config backups make sense?")
>
> If your people are against freeware, or want "Enterprise" features,
> there are COTS tools that do more than rancid out of the box, or at
> least satisfy management desire for a commercial provider.  Opsware
> NAS is particularly studly; it will automatically go out when config
> change events are reported via syslog, grab the latest update, and
> tell you who did the change (if available).  It can get asset and
> module information.  It can do "policy compliance."  It can integrate
> with HP OV NNM and other products.  Of course, Opsware costs mucho
> dinero and requires beefy hardware, while you can set up a reasonable
> rancid setup using an old PC and no commercial software.
>
> If you are a single-vendor shop (i.e. all Cisco, or all Nortel, or all
> Juniper, etc.), your vendor may provide/sell you an element manager
> (CiscoWorks, Optivity, JunOScope, etc.) that includes rancid-like
> functionality.  Unfortunately, it will be specific to said vendor.  If
> you are or might become heterogeneous, rancid or another vendor-neutral
> package is a good call.
>
> - Morty


-- 
><(((°>
Ryan Speed
http://speedo.ca (Personal site)
http://gallery.speedo.ca (Photo Gallery)
http://newsbc.ca (News BC)
http://newsbc.ca/movies (Movie Reviews)
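The "surprise change" and "permissive ACL" scenarios Morty lists above, as an added example that is not part of the original thread or of rancid itself: a small Python script that diffs two IOS-style config snapshots (the kind of text rancid commits per device) and reports ACL entries that were added or removed, rating an added permit-any entry highest. The two config snapshots and the permissive-entry pattern are constructed assumptions.

```python
import difflib
import re

# Constructed IOS-style snapshots, the kind of text rancid commits per device.
OLD_CFG = """\
hostname edge-rtr1
ip access-list extended INBOUND
 permit tcp any host 192.0.2.10 eq 443
 deny ip any any log
interface GigabitEthernet0/0
 ip access-group INBOUND in
"""
NEW_CFG = """\
hostname edge-rtr1
ip access-list extended INBOUND
 permit tcp any host 192.0.2.10 eq 443
 permit ip any any
 deny ip any any log
interface GigabitEthernet0/0
 ip access-group INBOUND in
"""

# Assumed pattern for an entry that widens access when added to an ACL.
PERMISSIVE = re.compile(r"^\s*permit\s+\S+\s+any\s+any(\s|$)")
ACL_LINE = re.compile(r"^\s*(permit|deny)\s")


def config_diff(old: str, new: str) -> list[str]:
    """Changed lines ('+'/'-' prefixed) between two snapshots, headers dropped."""
    diff = difflib.unified_diff(old.splitlines(), new.splitlines(), lineterm="", n=0)
    return [line for line in diff if not line.startswith(("---", "+++", "@@"))]


def acl_findings(old: str, new: str) -> list[tuple[str, str]]:
    """(severity, diff_line) for each ACL entry that changed between snapshots.

    An added permit-any entry is HIGH; any other added or removed ACL entry
    is MEDIUM so the on-call engineer still sees it in the nightly report.
    """
    findings = []
    for line in config_diff(old, new):
        body = line[1:]  # strip the +/- marker before matching
        if not ACL_LINE.match(body):
            continue  # hostname, interface and other non-ACL changes are ignored here
        severity = "HIGH" if line.startswith("+") and PERMISSIVE.match(body) else "MEDIUM"
        findings.append((severity, line))
    return findings
```

Pointing `OLD_CFG`/`NEW_CFG` at two consecutive revisions of a device file from rancid's CVS tree gives the same report for real changes.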


