{"id":33144525,"url":"https://github.com/Vadims06/ospfwatcher","last_synced_at":"2025-11-16T00:01:15.837Z","repository":{"id":38688218,"uuid":"420008585","full_name":"Vadims06/ospfwatcher","owner":"Vadims06","description":"History of all changes in OSPF Topology","archived":false,"fork":false,"pushed_at":"2025-08-24T13:51:37.000Z","size":28364,"stargazers_count":72,"open_issues_count":7,"forks_count":14,"subscribers_count":6,"default_branch":"master","last_synced_at":"2025-08-24T18:54:45.015Z","etag":null,"topics":["elk","monitoring","network","network-analysis","ospf","ospf-monitoring","topolograph","topology-management"],"latest_commit_sha":null,"homepage":"https://topolograph.com/ospf-isis-monitoring","language":"Python","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"gpl-3.0","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/Vadims06.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":null,"funding":null,"license":"LICENSE","code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null,"governance":null,"roadmap":null,"authors":null,"dei":null,"publiccode":null,"codemeta":null,"zenodo":null}},"created_at":"2021-10-22T07:38:58.000Z","updated_at":"2025-08-24T13:51:41.000Z","dependencies_parsed_at":"2024-04-18T03:44:53.667Z","dependency_job_id":"e9e64713-588f-4a92-8b2b-3ef0c2f0f1f1","html_url":"https://github.com/Vadims06/ospfwatcher","commit_stats":null,"previous_names":[],"tags_count":20,"template":false,"template_full_name":null,"purl":"pkg:github/Vadims06/ospfwatcher","repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/Vadims06%2Fospfwatcher","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/Vadims06%2Fospfwatcher/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/Vadims06%2Fospfwatcher/releases","manifests_url":"http
s://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/Vadims06%2Fospfwatcher/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/Vadims06","download_url":"https://codeload.github.com/Vadims06/ospfwatcher/tar.gz/refs/heads/master","sbom_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/Vadims06%2Fospfwatcher/sbom","scorecard":null,"host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":284640341,"owners_count":27039411,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2022-07-04T15:15:14.044Z","status":"online","status_checked_at":"2025-11-15T02:00:06.050Z","response_time":57,"last_error":null,"robots_txt_status":"success","robots_txt_updated_at":"2025-07-24T06:49:26.215Z","robots_txt_url":"https://github.com/robots.txt","online":true,"can_crawl_api":true,"host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["elk","monitoring","network","network-analysis","ospf","ospf-monitoring","topolograph","topology-management"],"created_at":"2025-11-15T13:00:29.831Z","updated_at":"2025-11-16T00:01:15.830Z","avatar_url":"https://github.com/Vadims06.png","language":"Python","funding_links":[],"categories":["Network Monitoring","Tools"],"sub_categories":["SD-WAN","NETCONF"],"readme":"# OSPF Topology Watcher\nOSPF Watcher is a monitoring tool of OSPF topology changes for network engineers. It works via passively listening to OSPF control plane messages through a specially established OSPF adjacency between OSPF Watcher and one of the network device. 
The tool logs OSPF events and/or exports them via Logstash to **Elastic Stack (ELK)**, **Zabbix**, **WebHooks** and the **Topolograph** monitoring dashboard to keep a history of events and to provide alerting and instant notifications. The components of the solution are wrapped into containers, so it can be started incredibly fast. The only thing that needs to be configured manually is the GRE tunnel setup on the Linux host.\n\n\u003e [!NOTE]\n\u003e Upvote in [issues/12](https://github.com/Vadims06/ospfwatcher/issues/12) if\n\u003e you are interested in tracking OSPF topology changes via BGP-LS.\n\n## Logged topology changes:\n* OSPF neighbor adjacency Up/Down\n* OSPF link cost changes\n* OSPF networks appeared/disappeared from the topology\n\n## Architecture\n![](docs/ospfwatcher_plus_topolograph_architecture_v3_xdp_rules.png)  \nEach Watcher instance maintains all routes and updates within an isolated network namespace. This isolation ensures efficient monitoring without interference and prevents route leaks.\n\n#### Listen only mode\nThe FRR container is isolated in an individual network namespace and the **XDP OSPF filter** inspects all outgoing OSPF advertisements. It checks that the FRR instance advertises only the locally connected network (assigned on the GRE tunnel) and nothing more. If it advertises multiple networks, the OSPF Database Description (DB) or LSUpdate packet will be dropped. This prevents the network from being populated with unexpected network prefixes.  \n\n\u003e [!NOTE]\n\u003e ospfwatcher:v1.1 is compatible with [topolograph:v2.7](https://github.com/Vadims06/topolograph/releases/tag/v2.27),\n\u003e which means that OSPF network changes can be shown on the network graph.\n\n### Functional Role\n![](docs/functional-watcher-role.png)\n\n## Demo\nInstant notifications   \n[![OSPF Watcher instance notification](./docs/ospfwarcher_socket_demo.png)](https://youtu.be/2IHbxmDVMA0)  \nClick on the image to zoom in.  
\n![](https://github.com/Vadims06/ospfwatcher/blob/ada2ca86df171ec5f1b550da821f0a8ca1cb1df4/docs/ospf-watcher-demo.gif)\n\n## Discovering OSPF logs in Kibana. Examples\nOSPF cost changes on links  \n![](docs/cost-changes-raw-logs.png)\n\nLogs if OSPF adjacency was Up/Down or any networks appeared/disappeared.  \n![](docs/host-updown-raw-logs.png)\n\n#### Topolograph OSPF Monitoring. New subnet event shows where the subnet appeared  \n![](docs/ospf_monitoring_new_subnet.PNG)  \n\n#### Topolograph OSPF Monitoring. Filter any subnet-related events, select Change metric event\nnew and old metric is shown\n![](docs/ospf_monitoring_change_metric.PNG) \n\n#### Topolograph OSPF Monitoring. up/down link events\nRed timelines show link (~adjacency) down events, green one - up link (~adjacency).  \nTimeline `10.1.1.2-10.1.1.3` has been selected.\n![](docs/ospf_monitoring_down_link.PNG)\n\n## OSPF topology change notification/alarming via Zabbix. Examples\nZabbix's dashboard with active OSPF alarms detected by OSPFWatcher  \n![](https://github.com/Vadims06/ospfwatcher/blob/cc690cff7cb9a99543b4a4c5163db54284e8f888/docs/zabbix-ui/zabbix_dashboard_with_all_alarms.png)\n\n#### Zabbix OSPF neighbor up/down alarm\nThis alarm tracks all new OSPF adjacencies or when device loses its OSPF neighbor\n![](https://github.com/Vadims06/ospfwatcher/blob/cc690cff7cb9a99543b4a4c5163db54284e8f888/docs/zabbix-ui/zabbix_ospf_neighbor_up_log_latest_data.png)\n\n#### Zabbix OSPF Cost changed on transit links\nTransit links are all links between active OSPF neighbors. 
If the cost on a link is changed, it might affect all actual/shortest paths that traffic follows. \n![](https://github.com/Vadims06/ospfwatcher/blob/cc690cff7cb9a99543b4a4c5163db54284e8f888/docs/zabbix-ui/zabbix_ospf_link_cost_change_log_latest_data.png)\n\n#### Zabbix alert if a node stopped announcing an OSPF network\nIf a subnet was removed from an OSPF node (the node withdrew it from the announcement), the network behind this node became unavailable to others; this event is logged too.\n![](https://github.com/Vadims06/ospfwatcher/blob/cc690cff7cb9a99543b4a4c5163db54284e8f888/docs/zabbix-ui/zabbix_ospf_network_up_log_latest_data.png)\n\n#### Slack notification\nHTTP POST messages can be easily accepted by messengers, which makes it possible to get instant notifications of OSPF topology changes:\n![](docs/slack/slack_notification.PNG)\n\n## Quick lab\n#### Containerlab\nA lab for tracking OSPF topology changes is available in **containerlab/frr01**. Watcher logs:  \n![](docs/ospfwatcher_containerlab.png)    \nOSPF topology changes are printed by Watcher in a text file only.\n```\n./containerlab/frr01/prepare.sh\nsudo clab deploy --topo ./containerlab/frr01/frr01.clab.yml\n```   \n\n## How to connect OSPF watcher to real network  \nThe table below shows the possible setup options, starting from the bare minimum (running Containerlab for testing) and ending with the maximum setup size with Watcher, Topolograph and ELK. The following steps describe setup **№2**. 
\n| № | Deployment size                                                                            | Number of compose files | Text file logs | View changes on network map | Zabbix/HTTP/Messengers notification | Searching events by any field any time |\n|---|--------------------------------------------------------------------------------------------|-------------------------|----------------|-----------------------------|-------------------------------------|----------------------------------------|\n| 1 | Bare minimum. Containerlab                                                                 |            0            |        +       |              -              |                  -                  |                    -                   |\n| 2 | 1. Local Topolograph  \u003cbr\u003e2. local compose file with ELK **disabled** (commented) |            2            |        +       |              +              |                  +                  |                    -                   |\n| 3 | 1. Local Topolograph  \u003cbr\u003e2. local compose file with ELK **enabled**              |            3            |        +       |              +              |                  +                  |                    +                   |\n\n#### Setup №2. Text logs + timeline of network changes on Topolograph \n1. Choose a Linux host with Docker installed\n2. Run script:  \n```bash\ncurl -O https://raw.githubusercontent.com/Vadims06/topolograph-docker/master/install.sh\nchmod +x install.sh\nsudo ./install.sh\n```   \nIt will:  \n\n  1. Setup Topolograph\n  It's needed for network events visualization on Topolograph UI. Skip if you don't want it. 
\n* launch your own Topolograph on docker using [topolograph-docker](https://github.com/Vadims06/topolograph-docker) or make sure you have a connection to the public https://topolograph.com\n* create a user for API authentication using `Local Registration` form on the Topolograph page, add your IP address in `API/Authorised source IP ranges`.\nSet variables in `.env` file:    \n\n\u003e [!NOTE]\n\u003e * `TOPOLOGRAPH_HOST` - *set the IP address of your host, where the docker is\n\u003e   hosted (if you run all demo on a single machine), do not put `localhost`,\n\u003e   because ELK, Topolograph and OSPF Watcher run in their private network\n\u003e   space*\n\u003e * `TOPOLOGRAPH_PORT` - by default `8080`\n\u003e * `TOPOLOGRAPH_WEB_API_USERNAME_EMAIL` - by default `ospf@topolograph.com` or\n\u003e   put your recently created user\n\u003e * `TOPOLOGRAPH_WEB_API_PASSWORD` - by default `ospf`\n\u003e * `TEST_MODE` - if mode is `True`, a demo OSPF events from static file will be\n\u003e   uploaded, not from FRR\n\n2. Setup OSPF Watcher\n```bash\ngit clone https://github.com/Vadims06/ospfwatcher.git\ncd ospfwatcher\ncp .env.template .env\n```\nGenerate configuration files  \n`vadims06/ospf-watcher:v1.7` includes a client for generating configurations for each Watcher for each OSPF area. 
To generate individual settings, run the client with `--action add_watcher`   \n```\nsudo docker run -it --rm --user $UID -v ./:/home/watcher/watcher/ -v /etc/passwd:/etc/passwd:ro -v /etc/group:/etc/group:ro vadims06/ospf-watcher:latest python3 ./client.py --action add_watcher\n```   \nOutput:   \n```\n+---------------------------+\n|  Watcher Host             |                       +-------------------+\n|  +------------+           |                       | Network device    |\n|  | netns FRR  |           |                       |                   |\n|  |            Tunnel [4]  |                       | Tunnel [4]        |\n|  |  gre1   [3]TunnelIP----+-----------------------+[2]TunnelIP        |\n|  |  eth1------+-vhost1    |       +-----+         | OSPF area num [5] |\n|  |            | Host IP[6]+-------+ LAN |--------[1]Device IP         |\n|  |            |           |       +-----+         |                   |\n|  +------------+           |                       |                   |\n|                           |                       +-------------------+\n+---------------------------+\n[1]Network device IP [x.x.x.x]: \n```\nThe script will create:\n1. a folder under `watcher` folder with FRR configuration under `router` folder\n2. a containerlab configuration file with network settings\n3. an individual watcher log file in `watcher` folder.  \n\nOSPF routes of each Watcher instance stay isolated in the watcher's network namespace. To stop OSPF routes from being installed even in the watcher's network namespace, the following policy has been applied on the watcher:\n```bash\n# quagga/config/ospfd.conf\nroute-map TO_KERNEL deny 200\nexit\n!\nip protocol ospf route-map TO_KERNEL\n```\n\n5. Start OSPF Watcher  \n[Install](https://containerlab.srlinux.dev/install/) containerlab\nTo start the watcher run the following command. 
`clab deploy` is like a `docker compose up -d` command   \n```\nsudo clab deploy --topo watcher/watcher1-tun1025/config.yml\n```\nIt will create:\n* Individual network namespace for Watcher and FRR\n* A pair of tap interfaces to connect the watcher to Linux host\n* GRE tunnel in Watcher's namespace\n* NAT settings for GRE traffic\n* FRR \u0026 Watcher instance\n* assign XDP OSPF filter on watcher's tap interface\n\n6. Start log export to Topolograph and/or ELK (optionally if you configured Step 2 or 3)  \n```\ndocker-compose build\ndocker-compose up -d\n```  \n\n### Device configuration\nSetup GRE tunnel from the network device to the host. An example for Cisco\n\n\u003e [!NOTE]\n\u003e You can skip this step and run ospfwatcher in `test_mode`, so test LSDB from\n\u003e the file will be taken and test changes (loss of adjacency and change of OSPF\n\u003e metric) will be posted in ELK.\n\n```bash\ninterface gigabitether0/1\nip address \u003cGRE tunnel ip address\u003e\ntunnel mode gre\ntunnel source \u003crouter-ip\u003e\ntunnel destination \u003chost-ip\u003e\nip ospf network type point-to-point\n```\nSet GRE tunnel network where \u003cGRE tunnel ip address\u003e is placed to `quagga/config/ospfd.conf`  \n\nCheck OSPF neighbor, if there is no OSPF adjacency between network device and OSPF Watcher, check troubleshooting `OSPF Watcher \u003c-\u003e Network device connection` section below (to run diagnostic script).\n\n#### *Optionally*\nSetup ELK (skip it, it's only needed for setup № 3)  \n* if you already have ELK instance running, fill `ELASTIC_IP` in env file and uncomment Elastic config here `ospfwatcher/logstash/pipeline/logstash.conf`. Currently additional manual configuration is needed for Index Templates creation, because `create.py` script doesn't accept the certificate of ELK. It's needed to have one in case of security setting enabled. 
Required mapping for the Index Template is in `ospfwatcher/logstash/index_template/create.py`.\nTo create Index Templates, run:\n```\nsudo docker run -it --rm --env-file=./.env -v ./logstash/index_template/create.py:/home/watcher/watcher/create.py vadims06/ospf-watcher:latest python3 ./create.py\n```   \n* if not, boot up a new ELK from the [docker-elk](https://github.com/deviantony/docker-elk) compose. For demo purposes, set the ELK license to basic and turn off security. The settings are in `docker-elk/elasticsearch/config/elasticsearch.yml`  \n```\nxpack.license.self_generated.type: basic\nxpack.security.enabled: false\n```  \n\n\u003e [!TIP]\n\u003e When the Elastic output plugin fails to connect to the ELK host, it blocks all\n\u003e other outputs and ignores the `EXPORT_TO_ELASTICSEARCH_BOOL` value from the env file.\n\u003e Regardless of `EXPORT_TO_ELASTICSEARCH_BOOL` being `False`, it tries to\n\u003e connect to the Elastic host. The solution is to uncomment this portion of the config\n\u003e if you have a running ELK.\n\n ## Kibana settings\n 1. **Index Templates** \n These have already been created by the `ospf-logstash-index-creator` container in the compose yaml file.\n Open `Management -\u003e Stack Management -\u003e Index Management -\u003e[ Index Templates ]` to make sure that the following templates are in the list:\n    * `ospf-watcher-costs-changes`\n    * `ospf-watcher-updown-events`     \n ![](docs/kibana_index_template.png)   \n 2. **Index Pattern**\n Create indices with the same names as the index templates.\n Go to:\n old ELK `Stack Management/ Kibana/ Stack Management/ Index Pattern -\u003e Create index pattern`\n new ELK 8.x `Management -\u003e Stack Management -\u003e Index Management -\u003e [ Indices ]`\n\n    then `Create index`\n    * ospf-watcher-costs-changes\n    * ospf-watcher-updown-events\n ![](docs/kibana_indices.png)\n\n 3. 
**Data View**\n  Create a data view for each of the two event types.\n  Go to `Management -\u003e Stack Management -\u003e Data Views`\n  then `Create data view`\n    ```\n    Name: ospf-watcher-costs-changes\n    Index pattern: ospf-watcher-costs-changes\n    Timestamp field: use watcher time\n    ```\n    ![](docs/kibana_data_view.png)   \n    Repeat the same for `ospf-watcher-updown-events`\n   As a result, two data views should be listed\n  ![](docs/kibana_data_view_list.png) \n\n\u003e [!TIP]\n\u003e Which time to use: @timestamp or watcher?\n\u003e \n\u003e It's better to use `watcher` time, because the connection between Watcher and\n\u003e Logstash can be lost, but the watcher continues to log all topology changes\n\u003e with the correct time. When the connection is repaired, all logs will be added\n\u003e to ELK and you can check the time of the incident. If you choose `@timestamp`,\n\u003e the time of all logs will be the time of their addition to ELK.\n\n 4. **Additional checks**\n  Make sure that:\n    * `.env` has `EXPORT_TO_ELASTICSEARCH_BOOL=True`\n    * `./logstash/pipeline/logstash.conf` has ELK uncommented\n ## Browse your topology changes logs\n Your logs are here http://localhost:5601/ -\u003e `Analytics/Discover` `watcher-updown-events`. \n \n ## Zabbix settings\n Zabbix settings are available here ```/docs/zabbix-ui```. Four hosts and items (the host and the item inside each host have the same name) are required:\n * ospf_neighbor_up_down\n * ospf_network_up_down\n * ospf_link_cost_change\n * ospf_stub_network_cost_change\n\n ## WebHook setting\n1. Create a Slack app\n2. Enable Incoming Webhooks\n3. Create an Incoming Webhook (generates URL)\n4. 
Uncomment `EXPORT_TO_WEBHOOK_URL_BOOL` in `.env`, set the URL to `WEBHOOK_URL`\n\n##### Logs sample 1  \n```\n2023-01-01T00:00:00Z,demo-watcher,host,10.10.10.4,down,10.10.10.5,01Jan2023_00h00m00s_7_hosts,0,1234,192.168.145.5\n```\n\n* `2023-01-01T00:00:00Z` - event timestamp\n* `demo-watcher` - name of watcher\n* `host` - event name: `host`, `network`, `metric`\n* `10.10.10.4` - event object. Watcher detected an event related to `10.10.10.4` host\n* `down` - event status: `down`, `up`, `changed`\n* `10.10.10.5` - event detected by this node.\n* `01Jan2023_00h00m00s_7_hosts` - name of graph in Topolograph dashboard\n* `0.0.0.0` - OSPF area ID\n* `1234` - AS number where OSPF is working\n* `192.168.145.5` - IP address on detected node\n\n*Summary: `10.10.10.5` detected that `10.10.10.4` host on the interface with `192.168.145.5` IP address in area 0 in AS 1234 went down at `2023-01-01T00:00:00Z`*\n\n##### Logs sample 2  \n```\n2023-01-01T00:00:00Z,demo-watcher,network,192.168.13.0/24,changed,old_cost:10,new_cost:12,10.10.10.1,01Jan2023_00h00m00s_7_hosts,0.0.0.0,1234,internal,0\n```\n\n* `2023-01-01T00:00:00Z` - event timestamp\n* `demo-watcher` - name of watcher\n* `metric` - event name: `host`, `network`, `metric`\n* `192.168.13.0/24` - event object. Watcher detected an event related to `192.168.13.0/24` subnet\n* `changed` - event status: `down`, `up`, `changed`\n* `10` - old cost\n* `12` - new cost\n* `10.10.10.1` - event detected by this node.\n* `01Jan2023_00h00m00s_7_hosts` - name of graph in Topolograph dashboard\n* `0.0.0.0` - OSPF area ID\n* `1234` - AS number where OSPF is working\n* `internal` - type of network: `internal` or `external`\n* `0` - subtype of network: type-1, type-2 or 0 for internal subnets\n\n*Summary: `10.10.10.1` detected that metric of `192.168.13.0/24` internal stub network changed from `10` to `12` at `2023-01-01T00:00:00Z` in area 0*\n\n### Listen-only mode. 
XDP in action.\nIf for some reason an extra network is advertised from Watcher, this announcement will be dropped.  \nLab schema: there are two Wireshark sessions on the interfaces before (on the left side) and after (on the right side) the XDP filter. \n![](./docs/FRR_Watcher_Wireshark.png)  \nThis example shows that the `8.8.8.8` prefix was redistributed on Watcher and added into its announcement, but it was dropped by XDP and never reached the network.\n![](./docs/lsa5_drop_highlighted.png)  \nThe same logic is applied to Database Description messages\n![](./docs/lsa5_drop_db_description_highlighted.png) \nand to extra stub networks in LSA1 Update\n![](./docs/lsa1_two_stub_networks_drop_highlighed.png) \nTo check XDP logs, run\n```\nsudo cat /sys/kernel/debug/tracing/trace_pipe\n```\nTo check whether the XDP filter is assigned on the interface, run\n```\nubuntu20:~/ospfwatcher$ ip l show dev it-vhost1025\n178: it-vhost1025@if177: \u003cBROADCAST,MULTICAST,UP,LOWER_UP\u003e mtu 1500 xdp qdisc noqueue state UP mode DEFAULT group default\n    link/ether aa:c1:ab:e3:cb:d9 brd ff:ff:ff:ff:ff:ff link-netnsid 0\n    prog/xdp id 153 \u003c-- !!!\n```\nDemo video\n[![OSPF Deep packet inspection using XDP](./docs/logo_ospfwatcher_xdp_512_512.png)](https://www.youtube.com/watch?v=mC4PVD5hrRU)\n\nTo enable/disable XDP\n```\nsudo docker run -it --rm -v ./:/home/watcher/watcher/ --cap-add=NET_ADMIN -u root --network host vadims06/ospf-watcher:latest python3 ./client.py --action enable_xdp --watcher_num \u003cnum\u003e\n```\n##### Support\nXDP has currently been tested on Ubuntu 18 and 20 with kernel 5.4.0-204-generic.\nIf you run into XDP errors, skip XDP while generating the config file or use `--action disable_xdp`, as mentioned in the example above.\n\n## Troubleshooting\n##### Symptoms\nNetwork changes are not tracked. Log file `./watcher/logs/watcher...log` is empty.\n\n##### Steps:\n1. Run diagnostic script. 
It will check **OSPF Watcher** \u003c-\u003e **Network device** connection (iptables, packets from FRR/network device)\n\n    ```\n    sudo docker run -it --rm -v ./:/home/watcher/watcher/ --cap-add=NET_ADMIN -u root --network host vadims06/ospf-watcher:latest python3 ./client.py --action diagnostic --watcher_num \u003cnum\u003e\n    ``` \n2. Login on FRR.\n\n    ```\n    sudo docker exec -it watcher#-gre#-ospf-router vtysh\n    ```\n    `show ip ospf neighbor` should show network device as a neighbor in the output.\n\n##### Symptoms\nDashboard page is blank. Events are not present on OSPF Monitoring page.\n##### Steps:\nOSPF Watcher consists of three services: OSPFd/FRR [1] -\u003e Watcher [2] -\u003e Logstash [3] -\u003e Topolograph \u0026 ELK \u0026 Zabbix \u0026 WebHooks. Let's start checking each component one by one.\n1. Check if FRR tracks OSPF changes in `./watcher/logs/watcher...log` file (previous case)   \nYou should see tracked changes of your network, i.e. here we see that `10.0.0.0/29` network went up at `2023-10-27T07:50:24Z` on `10.10.1.4` router.   \n    ```\n    2024-07-22T20:24:08Z,watcher-local,network,8.8.0.60/30,changed,old_cost:12,new_cost:-1,10.10.10.5,01Jan2023_00h00m00s_7_hosts,0.0.0.0,65001,external,1\n    ```\n2. Check that logstash container from [docker-compose.yml](./docker-compose.yml) is running via `docker ps` command.  \n\n    1. Uncomment `DEBUG_BOOL=\"True\"` in `.env` and start continuous logs `docker logs -f logstash`.\n    2. Copy and paste the log from the first step in watcher's log file  `./watcher/logs/watcher#-gre#-ospf.ospf.log`. `docker logs -f logstash` should print the output. If not - check logstash container.\n  \n3. Check if logs are in Topolograph's DB. 
Connect to mongoDB and run:\n    ```\n    docker exec -it mongodb /bin/bash\n    ```  \n    Inside container (change):  \n    ```\n    mongo mongodb://$MONGO_INITDB_ROOT_USERNAME:$MONGO_INITDB_ROOT_PASSWORD@mongodb:27017/admin?gssapiServiceName=mongodb\n    use admin\n    ```\n    1. Check the last two/N records in adjacency changes (`ospf_neighbor_up_down`) or cost changes (`ospf_link_cost_change`)\n    ```\n    db.ospf_neighbor_up_down.find({}).sort({_id: -1}).limit(2)\n    db.ospf_link_cost_change.find({}).sort({_id: -1}).limit(2)\n    ```\n    Sample output:   \n    ```\n    { \"_id\" : ObjectId(\"67a9ecfe112225e8df6000001\"), \"graph_time\" : \"01Jan2023_00h00m00s_7_hosts\", \"path\" : \"/home/watcher/watcher/logs/watcher1-gre1-ospf.ospf.log\", \"area_num\" : \"0.0.0.1\", \"event_name\" : \"metric\", \n    ```\n\n\u003e [!NOTE]\n\u003e If you see a single event in `docker logs logstash` it means that mongoDB\n\u003e output is blocked, check if you have a connection to MongoDB\n\u003e `docker exec -it logstash curl -v mongodb:27017`\n\n   ii. Check that `graph_time` is **not** empty. If so, check that you can login on the Topolograph page [`Login/Local Login`] using credentials defined in `.env` and your local network is added in `API/Authorised source IP ranges`. 
Usually, `10.0.0.0/8`, `172.16.0.0/12`, `192.168.0.0/16` is enough.\n\n##### Development   \nLogstash pipeline development.\nStart logstash container\n```\n[ospf-watcher]# docker run -it --rm --network=topolograph_backend --env-file=./.env -v ./logstash/pipeline:/usr/share/logstash/pipeline -v ./logstash/config:/usr/share/logstash/config ospfwatcher_watcher:latest /bin/bash\n```\nInside the container, run this command:\n```\nbin/logstash\n```\nIt waits for changes in the watcher's log file, so add a new log line (copy and paste this line) into the `./watcher/logs/watcher#-gre#-ospf.ospf.log` file\n```\n2023-01-01T00:00:00Z,watcher-local,network,10.1.14.0/24,changed,old_cost:10,new_cost:123,10.1.1.4,01Jan2023_00h00m00s_7_hosts,0.0.0.0,12345,internal,0\n```\nThe output should be:\n```\n[INFO ] 2024-05-13 21:15:25.462 [[main]-pipeline-manager] javapipeline - Pipeline started {\"pipeline.id\"=\u003e\"main\"}\nThe stdin plugin is now waiting for input:\n[INFO ] 2024-05-13 21:15:25.477 [Agent thread] agent - Pipelines running {:count=\u003e1, :running_pipelines=\u003e[:main], :non_running_pipelines=\u003e[]}\n2023-01-01T00:00:00Z,watcher-local,network,10.1.14.0/24,changed,old_cost:10,new_cost:123,10.1.1.4,01Jan2023_00h00m00s_7_hosts,0.0.0.0,12345,internal,0\n{\n                            \"graph_time\" =\u003e \"01Jan2023_00h00m00s_7_hosts\",\n                     \"event_detected_by\" =\u003e \"10.1.1.4\",\n                           \"subnet_type\" =\u003e \"internal\",\n                        \"int_ext_subtype\"=\u003e \"0\",\n                                   \"asn\" =\u003e \"12345\",\n                          \"watcher_name\" =\u003e \"demo-watcher\",\n                          \"watcher_time\" =\u003e \"2023-01-01T00:00:00Z\",\n                            \"@timestamp\" =\u003e 2024-05-13T21:15:50.628Z,\n                              \"old_cost\" =\u003e \"10\",\n                              \"@version\" =\u003e \"1\",\n                                  \"host\" =\u003e 
\"ba8ff3ab31f8\",\n                            \"event_name\" =\u003e \"network\",\n                              \"new_cost\" =\u003e \"123\",\n                          \"event_object\" =\u003e \"10.1.14.0/24\",\n                          \"event_status\" =\u003e \"changed\"\n}\n```\nAdd your changes in `./logstash/pipeline` file, stop logstash process via CTRL+C `bin/logstash` and start it again. Add the same log in the watcher's log file and check how logstash works with your new changes.\n\n### Minimum version\n#### Logstash\n 7.17.21, this version includes bug fix of [issues_281](https://github.com/logstash-plugins/logstash-input-file/issues/281), [issues_5115](https://github.com/elastic/logstash/issues/5115)  \n\n#### scapy\n2.5.0 works, 2.6.0 raises an exception\n\n### Topolograph suite\n* OSPF Watcher [link](https://github.com/Vadims06/ospfwatcher)\n* IS-IS Watcher [link](https://github.com/Vadims06/isiswatcher)\n* Topolograph [link](https://github.com/Vadims06/topolograph)\n* Topolograph in docker [link](https://github.com/Vadims06/topolograph-docker)\n\n### Community \u0026 feedback\n* https://t.me/topolograph\n* admin at topolograph.com\n\n### License\n GPL-3.0 license\n Elastic search was used with Basic ELK license.  \n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2FVadims06%2Fospfwatcher","html_url":"https://awesome.ecosyste.ms/projects/github.com%2FVadims06%2Fospfwatcher","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2FVadims06%2Fospfwatcher/lists"}