
February 2020

Intrusion detection techniques: monitor and react to unusual activity

Security monitoring is a constantly changing area: threats can appear at any moment, and when so-called 0-day threats are involved, there are few techniques that can efficiently prevent a problem of an as-yet-unknown type. However, there are typical behavior patterns that can be detected using well-known pieces of software and monitor types. Most techniques mentioned below relate to Unix-like systems; however, exactly the same approaches can be applied on any operating system.

Active response monitoring: first aid for your services

Monitoring is typically viewed as an informative service: when a problem arises, messages are sent to alert the people in charge to the detected problem. However, IPHost Network Monitor allows creating composite alerts consisting of several so-called simple actions (such as “send mail”, “display pop-up” and so on). These simple actions can be used to react proactively to certain failure conditions – not only to report them, but also to take measures that handle the actual issue.

Security monitoring optimization: typical problems and their solutions

Security issues can be a challenge; preventing them through properly set up monitoring can save many resources. However, as the network grows, the list of resources subject to monitoring may grow much faster. A typical case is a data center: when new hosts (servers) are added, multiple monitors of the same type are added with them (depending on the server type: Web server, mail server and so on). In such a situation, the number of monitors must be kept as small as possible.

Make your monitoring efficient: use clear and visible alerts

Default monitoring settings are quite usable for most cases; however, as the monitoring setup grows, certain configuration tweaks may be required to make monitoring more efficient. Alerts should actually attract the network administrator's attention; otherwise, they are as good as lost. Alerts sent by monitoring tools should reach their destination. Although this may look obvious, there are several common pitfalls we should warn you about.