[rancid] rancid use scenarios
Chris Moody
2006-05-30 19:24:44 UTC
I'm currently using rancid for backups of a handful of devices (83 to be
exact) and love it. Our group has used it on numerous occasions to prove
when changes did/didn't occur.

At any rate, I'm needing some usage scenarios to help me sell the
concept to a larger audience at my office. We have another team that is
responsible for several hundred nodes and has nothing like rancid in
place. I'm planning to get them using the service, but need more
"weight" in selling the idea to them.

What are some of the largest deployments of rancid (also anyone willing
to give contact info to vouch for their numbers?)? Anyone have
experience in enterprise scale usage? Any caveats? Any tips?

Any insights and stories are appreciated. If I can demonstrate that the
tool(s) can reliably handle a large load of devices, the widespread
usage may become a reality instead of just my recommendation.

Cheers,
-Chris
Zhang, Anchi
2006-05-30 21:31:57 UTC
Have you tried to change passwords/enable secrets on hundreds of Cisco
devices without Rancid after a group member leaves? At my previous job,
there were more than 500 Cisco devices and I was the only one versed in
Unix/Rancid. As a result, I was asked to run my shell/clogin script to
change the passwords on my LAST day.

Rancid should be deployed if there are more than 10 network devices just
as Cfengined should be deployed for an installation of more than 10
Unix/Linux nodes.

Mordechai T. Abzug
2006-05-31 06:16:05 UTC
Post by Chris Moody
At any rate, I'm needing some usage scenarios to help me sell the
concept to a larger audience at my office. We have another team
that is responsible for several hundred nodes and has nothing like
rancid in place. I'm planning to get them using the service, but
need more "weight" in selling the idea to them.
What are some of the largest deployments of rancid (also anyone
willing to give contact info to vouch for their numbers?)? Anyone
have experience in enterprise scale usage? Any caveats? Any tips?

We have 350+ nodes in rancid. We have a number of smaller management
domains rather than one massive implementation; the largest domain has
125 rancid-monitored nodes. rancid is relatively lightweight,
especially if you tune down the number of parallel gets, so we run it
as an extra process on existing NMS stations. It also requires almost
no space, thanks to using CVS; from a resource consumption
perspective, it actually scales lots better than some commercial
equivalents.

If you are located in the US, regardless of your feelings, chances are
that you need rancid or something like it for legal compliance --
between SOX, FISMA, and HIPAA, most commercial and government entities
need lots of monitoring. If you don't think you need it now, but you
are subject to any kind of auditing and haven't been audited yet, do
yourself a favor and implement it now.

Quite aside from legal issues, tools like rancid are great for lots of
real-life reasons. They are good for:

* detecting surprise changes ("when did that change occur? Sure would
be nice to have an automated tool to tell us when someone makes a
change in the middle of the night and forgets to send email");

* security monitoring of routers ("where did that permissive ACL come
from? Sure would be nice if a tool could tell us what changes
occurred on routers, so if anything suspicious happens, we can know
immediately instead of when it ends up in the media");

* exercising router flashes ("Whoops, the flash went bad but the
device continued to function in-memory, so nobody noticed until a
power outage. Sure would be nice if we had a tool that periodically
logged in to devices and ran a bunch of commands that demonstrate
that it is working well");

* backing up configs ("Our last manual backup of the router config was
5 years ago; we've upgraded it twice, and added lots of ACLs since
then. Wouldn't an automated way to get config backups make sense?")

If your people are against freeware, or want "Enterprise" features,
there are COTS tools that do more than rancid out of the box, or at
least satisfy management desire for a commercial provider. Opsware
NAS is particularly studly; it will automatically go out when config
change events are reported via syslog, grab the latest update, and
tell you who did the change (if available). It can get asset and
module information. It can do "policy compliance." It can integrate
with HP OV NNM and other products. Of course, Opsware costs mucho
dinero and requires beefy hardware, while you can set up a reasonable
rancid setup using an old PC and no commercial software.

If you are a single-vendor shop (i.e. all Cisco, or all Nortel, or all
Juniper, etc.), your vendor may provide/sell you an element manager
(CiscoWorks, Optivity, JunOScope, etc.) that includes rancid-like
functionality. Unfortunately, it will be specific to said vendor. If
you are or might become heterogeneous, rancid or another vendor-neutral
package is a good call.

- Morty
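
The "where did that permissive ACL come from?" scenario in the post above can be automated on top of the stored config history. This is an added example, not part of the original post and not rancid's own code; it assumes a unified diff between two saved revisions of an IOS-style config, and the hostname, ACL names, addresses and the function name `review_acl_changes` are constructed for illustration.

```python
import re

# Constructed sample: unified diff of one router's saved config between two
# collection runs (hostname, ACL names and addresses are made up).
SAMPLE_DIFF = """\
--- configs/edge-rtr-01\t(previous run)
+++ configs/edge-rtr-01\t(current run)
@@ -40,7 +40,8 @@
 ip access-list extended MGMT-IN
  permit tcp 192.0.2.0 0.0.0.255 any eq 22
- deny ip any any log
+ permit ip any any
+ remark temp for testing
 !
@@ -88,3 +89,3 @@
 access-list 110 permit tcp host 198.51.100.7 any eq 443
-access-list 110 deny ip any any
+access-list 110 permit tcp any any eq 23
"""

# ACL entry that permits traffic from source "any" (named or numbered style).
PERMIT_ANY = re.compile(r"^(?:access-list \S+ )?permit (\S+) any\b")
# Explicit deny-everything entry; removing it widens the ACL.
DENY_ALL = re.compile(r"^(?:access-list \S+ )?deny ip any any\b")

def review_acl_changes(diff_text):
    """Return (device, reason, entry) for ACL changes that loosen filtering."""
    findings = []
    device = None
    for line in diff_text.splitlines():
        if line.startswith("+++ "):
            # File header names the device config the following hunks belong to.
            device = line[4:].split("\t")[0]
            continue
        if line.startswith("--- ") or line.startswith("@@"):
            continue
        sign, body = line[:1], line[1:].strip()
        if sign == "+" and PERMIT_ANY.match(body):
            findings.append((device, "added permit from any", body))
        elif sign == "-" and DENY_ALL.match(body):
            findings.append((device, "removed explicit deny", body))
    return findings

if __name__ == "__main__":
    for device, reason, entry in review_acl_changes(SAMPLE_DIFF):
        print(f"{device}: {reason}: {entry}")
```

Unchanged context lines are ignored on purpose, so a long-standing permissive entry is not reported again on every run; only the revision that introduced it is flagged.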
Ryan Speed
2006-05-31 16:11:43 UTC
rancid just found its director of marketing, methinks ;)
--
<(((°>
Ryan Speed
http://speedo.ca (Personal site)
http://gallery.speedo.ca (Photo Gallery)
http://newsbc.ca (News BC)
http://newsbc.ca/movies (Movie Reviews)
Saku Ytti
2006-05-31 06:26:08 UTC
Post by Chris Moody
What are some of the largest deployments of rancid (also anyone willing
to give contact info to vouch for their numbers?)? Anyone have
experience in enterprise scale usage? Any caveats? Any tips?

% LC_ALL=C;find -name "router.db"|xargs wc -l|tail -n 1
6163 total

Works for us, 1700 of these are collected every 4h, rest once a week.
Several hardware vendors (~7 vendors), including support for telco systems
(binos) and corecess that we've added in-house (happy to provide if needed).
--
++ytti
Mark Tees
2015-08-15 00:29:14 UTC
Post by Saku Ytti
Post by Chris Moody
What are some of the largest deployments of rancid (also anyone willing
to give contact info to vouch for their numbers?)? Anyone have
experience in enterprise scale usage? Any caveats? Any tips?
% LC_ALL=C;find -name "router.db"|xargs wc -l|tail -n 1
6163 total
Works for us, 1700 of these are collected every 4h, rest once a week.
Several hardware vendors (~7 vendors), including support for telco systems
(binos) and corecess that we've added in-house (happy to provide if needed).

Hi Saku,

Any chance I can get the Corecess parsing module you guys wrote?

I'm trying to get a Corecess OLT to save write mem output and failing miserably.

Thanks,

Mark
