Daily Use

Monitoring

The Monitoring page is the operator dashboard for the obserae daemon. Use it when you need to know whether ingestion, sessions, queries and alerting are healthy.

The Cockpit answers “what is happening in the network?”. Monitoring answers “is the service itself keeping up?”.

It requires the system:manage permission.


What To Watch

AreaHealthy signalWarning sign
IngestionFlow records keep arriving and recent batches complete quickly.Flow rate drops to zero, UDP drops increase, or batches take longer over time.
SessionsOpen sessions stay comfortably below their cap.Session pressure turns amber/red or evictions increase.
MemoryMemory settles into a plateau for the current traffic volume.Memory rises for hours without plateauing, especially on small hosts.
PipelineInternal queues stay mostly empty.A queue stays full, meaning one stage is slowing the rest.
Database activityRecent operations complete quickly.A long-running operation blocks writes or query work piles up.
Matcher / alertingRules run on schedule.Rules fall behind, show compile errors or repeatedly exceed their budget.

The top bar shows a warning icon from any page when Monitoring needs attention. Click it to jump directly to the relevant dashboard.


Ingestion

Use this section to answer:

  • Are exporters still sending data?
  • Are records being accepted fast enough?
  • Is the disk keeping up?

If flow records stop increasing, start with Configuring Exporters and the troubleshooting steps in Operations.


Sessions And Pressure

Open sessions are bounded to protect the host. If the gauge approaches the cap, obserae may close the oldest open sessions early so the daemon remains stable.

Common causes:

  • a scan or flood creates many short-lived attempts;
  • an exporter sees only one direction of traffic;
  • normal concurrency is higher than the configured cap.

When this happens, inspect the Sessions page before tuning. If the traffic is legitimate, raise sessions.max_open_ksessions. If it is a scan, keep the cap and investigate the source.


Memory

Memory should reach a stable range for a given traffic volume and retention policy. On small hosts, set storage.memory_limit and enable retention early.

Useful rule of thumb:

  • Flat memory: normal.
  • Memory rises after traffic or query spikes, then settles: usually normal.
  • Memory rises steadily for hours under stable traffic: investigate.

For deeper troubleshooting, see Operations.


Database Activity

The activity panel shows what is running now and what just completed. Use it when:

  • flows are arriving but visibility feels delayed;
  • a heavy investigation query slows other work;
  • alerting rules are late;
  • backups or retention are running during busy periods.

obserae-cli ps gives the same view from the terminal:

obserae-cli ps
obserae-cli ps --watch 1s

Suggested Alerts Outside Obserae

Your monitoring system should alert on:

  • no increase in flow count for a site that should be active;
  • disk free below your operational threshold;
  • session pressure near the cap for more than a short burst;
  • repeated output delivery failures;
  • backup failure or no successful backup in the expected window.

Use obserae-cli status --json as the main machine-readable health snapshot.

obserae-cli status --json

See Also