Black Box Plugin
Purpose
The purpose of this plugin is to provide a "Black Box" recorder for the Ardexa edge device.
Usage
The Ardexa Black Box recorder, as the name suggests, records all relevant Ardexa edge environmental factors to the Ardexa cloud at regular intervals. Normally, the ArdexaLinux image contains all the necessary modules to manage the black box recorder. This plugin is an update to the ArdexaLinux Black Box module. As of Version 1.6.5 or greater, data will be sent to the cloud and be available in the ANALYSIS section of the Ardexa cloud. This plugin is scheduled to run every 5 minutes by the native Linux Cron subsystem. The following data will be recorded, noting that some data may not be available on certain hardware platforms:
The 5 Minute Weighted Load Average is the load average over 5 minutes, divided by the number of cores/CPUs.
In addition, the following data is dumped to a file for later forensics. This "dump" file is located at /var/log/ardexa-black-box-dumps.log, and will record data as follows:
if CPU exceeds 60%, it will dump the top 4 processes by CPU usage
if MEM exceeds 60% or SWAP exceeds 15%, it will dump the top 4 processes by MEM usage
all connected USB devices are dumped every 5 minutes
once a day, the contents of /etc/resolv.conf are dumped
The dump files are archived on a daily basis and kept for about 3 months. Dump files older than 3 months are deleted.
If the black box detects that more than 75% of the disk has been used, it will attempt to delete data from the logging area (/opt/ardexa/logs). If this area uses less than 5% of the disk, data will not be deleted. Only the oldest month/year will be deleted in a 5 minute run.
Also, the black box will stop entries from journald being sent to syslog. This is accomplished by setting ForwardToSyslog=no in the /etc/systemd/journald.conf file.
Troubleshooting
Follow these steps to troubleshoot this plugin:
Check that version 2.0.0 or greater is installed, as follows:
The command ardexa_black_box will run the black box and log data to the latest file. Check it is being received by running the command: cat /opt/ardexa/logs/black_box/Black\ box/latest.csv
Ensure there is an entry in the /etc/cron.d directory, in a file called ardexa-black-box. Cron is used to run the 5 minute runs. The Ardexa agent is NOT used for the scheduled run.
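The cron entry, the dump file and the journald setting described above can be checked in one pass. The script below is an added example, not Ardexa's code: the function names, the 4-core count and the sample files it builds in a temporary directory (including the cron line) are constructed for illustration, and it treats only the value no, the one the plugin sets, as passing.

```sh
#!/bin/sh
# Added example, not Ardexa code; function names are illustrative.

# Effective ForwardToSyslog value in a journald.conf-style file: the last
# uncommented assignment inside [Journal] wins; prints "unset" if none.
# (Drop-ins under journald.conf.d/ can override the main file; not read here.)
forward_to_syslog() {
    awk '
        /^[ \t]*[#;]/ { next }
        /^[ \t]*\[/   { in_j = ($0 ~ /^[ \t]*\[Journal\]/); next }
        in_j && /^[ \t]*ForwardToSyslog[ \t]*=/ {
            sub(/^[^=]*=[ \t]*/, ""); sub(/[ \t]+$/, ""); v = $0
        }
        END { print (v == "" ? "unset" : v) }
    ' "$1"
}

# 5 Minute Weighted Load Average: the 5-minute figure (second field of a
# /proc/loadavg-style file) divided by the number of cores.
weighted_load5() {
    awk -v cores="$2" '{ printf "%.2f\n", $2 / cores }' "$1"
}

# Run the checks under root directory $1 with $2 cores; return 1 on any failure.
black_box_check() {
    root=${1%/}; rc=0
    [ -s "$root/etc/cron.d/ardexa-black-box" ] || { echo "FAIL: no cron entry"; rc=1; }
    fts=$(forward_to_syslog "$root/etc/systemd/journald.conf" 2>/dev/null)
    [ "$fts" = "no" ] || { echo "FAIL: ForwardToSyslog=$fts"; rc=1; }
    [ -f "$root/var/log/ardexa-black-box-dumps.log" ] || { echo "FAIL: no dump file"; rc=1; }
    echo "weighted load (5 min): $(weighted_load5 "$root/proc/loadavg" "$2")"
    return $rc
}

# Constructed sample tree so the example runs offline.
make_sample() {
    d=$(mktemp -d)
    mkdir -p "$d/etc/cron.d" "$d/etc/systemd" "$d/var/log" "$d/proc"
    echo '*/5 * * * * root ardexa_black_box' > "$d/etc/cron.d/ardexa-black-box"
    printf '[Journal]\n#ForwardToSyslog=yes\nForwardToSyslog=no\n' > "$d/etc/systemd/journald.conf"
    : > "$d/var/log/ardexa-black-box-dumps.log"
    echo '0.50 1.20 0.90 1/123 4567' > "$d/proc/loadavg"
    echo "$d"
}

sample=$(make_sample)
black_box_check "$sample" 4
rm -rf "$sample"
```

On a real device, call black_box_check / "$(nproc)" instead of using the sample tree.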