Monitoring
The Monitoring page is the operator dashboard for the obserae daemon. Use it when you need to know whether ingestion, sessions, queries and alerting are healthy.
The Cockpit answers “what is happening in the network?”. Monitoring answers “is the service itself keeping up?”.
It requires the system:manage permission.
What To Watch
| Area | Healthy signal | Warning sign |
|---|---|---|
| Ingestion | Flow records keep arriving and recent batches complete quickly. | Flow rate drops to zero, UDP drops increase, or batches take longer over time. |
| Sessions | Open sessions stay comfortably below their cap. | Session pressure turns amber/red or evictions increase. |
| Memory | Memory settles into a plateau for the current traffic volume. | Memory rises for hours without plateauing, especially on small hosts. |
| Pipeline | Internal queues stay mostly empty. | A queue stays full, meaning one stage is slowing the rest. |
| Database activity | Recent operations complete quickly. | A long-running operation blocks writes or query work piles up. |
| Matcher / alerting | Rules run on schedule. | Rules fall behind, show compile errors or repeatedly exceed their budget. |
The top bar shows a warning icon from any page when Monitoring needs attention. Click it to jump directly to the relevant dashboard.
Ingestion
Use this section to answer:
- Are exporters still sending data?
- Are records being accepted fast enough?
- Is the disk keeping up?
If flow records stop increasing, start with Configuring Exporters and the troubleshooting steps in Operations.
Sessions And Pressure
Open sessions are bounded to protect the host. If the gauge approaches the cap, obserae may close the oldest open sessions early so the daemon remains stable.
Common causes:
- a scan or flood creates many short-lived attempts;
- an exporter sees only one direction of traffic;
- normal concurrency is higher than the configured cap.
When this happens, inspect the Sessions page before tuning. If the traffic is
legitimate, raise sessions.max_open_ksessions. If it is a scan, keep the cap
and investigate the source.
Memory
Memory should reach a stable range for a given traffic volume and retention
policy. On small hosts, set storage.memory_limit and enable retention early.
Useful rule of thumb:
- Flat memory: normal.
- Memory rises after traffic or query spikes, then settles: usually normal.
- Memory rises steadily for hours under stable traffic: investigate.
For deeper troubleshooting, see Operations.
Database Activity
The activity panel shows what is running now and what just completed. Use it when:
- flows are arriving but visibility feels delayed;
- a heavy investigation query slows other work;
- alerting rules are late;
- backups or retention are running during busy periods.
obserae-cli ps gives the same view from the terminal:
obserae-cli ps
obserae-cli ps --watch 1s
Suggested Alerts Outside Obserae
Your monitoring system should alert on:
- no increase in flow count for a site that should be active;
- disk free below your operational threshold;
- session pressure near the cap for more than a short burst;
- repeated output delivery failures;
- backup failure or no successful backup in the expected window.
Use obserae-cli status --json as the main machine-readable health snapshot.
obserae-cli status --json
See Also
- Operations - production monitoring checklist.
- Lifecycle - retention and backups.
- Sessions - interpreting session pressure.
- CLI - terminal activity view.