ANOTHER 10 Terrific Tools FOR THE BUSY ADMIN
2017 EDITION

More marvelous utilities for configuring and managing your network

Find the perfect tool to:
- Rescue lost data
- Roll back config changes
- Correct Bash input
- Visualize Ping statistics

Bonus articles:
- 5 Log Monitoring Tools
- Web Analytics without Google

www.admin-magazine.com  US$ 7.95

Welcome

ADMIN Network & Security: Another 10 Terrific Tools

Dear Readers:

Every system administrator needs a toolkit of simple, useful tools to help with practical tasks. ADMIN's 10 Terrific Tools series shines the spotlight on the best free tools for admins. This latest list, from the toolkit of Linux Magazine columnist Charly Kühnast, includes useful utilities for security, performance monitoring, network troubleshooting, and more. Read on! We hope you find some tools for your own toolkit in this year's collection.

WWW.ADMIN-MAGAZINE.COM | 10 TERRIFIC TOOLS FOR THE BUSY ADMIN: 2017 EDITION | SPONSORED BY LPI

Etckeeper

Fountain of Youth

Track /etc changes in Git so you can restore previous configurations. By Charly Kühnast

Prettyping and Asciiflow

Block Heroes

Transform boring ping data into colorful statistics. By Charly Kühnast

One weapon for command-line warriors is Prettyping [1], a shell script that wraps around the ping command. It reads its tasks, keeps a record of run times and packet losses, and shows at the command line in block graphics the average values since starting the tool and for the past 60 seconds (Figure 1).

The script runs on any system with Bash and Awk (i.e., also on OS X and probably also in the new Linux environment on Windows 10). Prettyping detects whether it is running in a terminal and how wide the terminal is, then scales the output accordingly. If you think the output is a little too clownish, you can switch to a more staid monochrome display using --nocolor. Prettyping passes on to ping any parameters that it isn't familiar with.

Everything <--|__ASCII__|

If you read RFCs, you will occasionally see small ASCII graphics that show connections more compactly than is possible with sentences. Authors typically painstakingly create such charts with boxes and arrows with ASCII symbols, such as plus and minus signs, (back-)slashes, and pipes. Naturally, at some point, various ASCII graphic victims have written tools, but none are as easy and intuitive to use as Asciiflow [2].

Asciiflow is a website that at first looks like a blank sheet of graph paper. In a toolbar at the top, you can select boxes, lines, arrows, text, and so on, and then simply draw on the blank sheet using the mouse (Figure 2). Once you are happy with your work, you just press the export symbol and, hey presto, the finished ASCII graphic appears in your clipboard. Asciiflow also has an import function. My verdict on it: \o/.

Info
[1] Prettyping: [http://denilson.sa.nom.br/prettyping/]
[2] Asciiflow: [http://asciiflow.com]

Dnstop

Most distributions include dnstop. If you prefer to build it yourself, you will find the source code online [1], but make sure you download and build the matching Libpcap [2] first. I launched the tool on the computer hosting my DNS cache with the following command:

  dnstop -l 3 eth0

The -l 3 parameter tells dnstop to explore name requests up to the third level. For a request like www.linux-magazine.com, com is the first or top-level domain, linux-magazine is thus the second-level domain, and www is the third level.

When I press the 1 key on a computer running the command listed above, I can see which top-level domains are most frequently queried (Figure 1). What I am interested in here is which device on my network is asking for .xyz domains, but hey ho, if I press 2 or 3, I can extend the view to include the second and third levels.

Frequent and Rare Resource Records

Pressing T takes you to another practical statistic. It shows you what resource record types are most frequently requested. It is unsurprising to see requests for A (IPv4) and AAAA records (IPv6) topping the list (Figure 2). Well back in the field is the A6 record, which comes from the early days of IPv6 and is about as widespread as gas streetlamps today. Other fairly sparsely represented records include DNSKEY, which come from DNSSEC (DNS Security). In contrast to A6 IPv6, DNSSEC is increasing steadily but still not well established.

Pressing R (for Result) shows you how many requests were successful. In my short observation period, this was all of them, thankfully:

  code     Count      %
  -------  -----  -----
  Noerror  23987  100.0

If I use dnstop for evaluations at work and then save them somewhere, I need to think about data protection. To avoid problems from the outset, I tend to launch the tool with -a (for anonymize). Then, dnstop replaces the client IP addresses with consecutive numbers, while all the other evaluations work as expected.

Figure 1: Pressing the 1 key displays statistics with the requested top-level domains. It comes as little surprise that .com tops the list, but who is looking for .xyz?

Figure 2: Pressing T shows you the Resource Record overview. The A records typical of IPv4 have a two-thirds majority.

Info
[1] Dnstop: [http://dns.measurementfactory.com/tools/dnstop/]
[2] Libpcap: [https://github.com/the-tcpdump-group/libpcap]

The Fuck

Expletives Not Deleted

Correct your command-line misspellings. By Charly Kühnast

testssl.sh

A Key Role

A handy script for testing SSL certificates. By Charly Kühnast

Web servers with SSL certificates will likely be the rule. The administrator's responsibility for keeping track of which SSL and TLS settings are up to date on which servers tends to grow proportionally. I have found a trusty helper for this task, testssl.sh [1], a shell script with many capabilities. For example, typing

  testssl -U https://<server>

runs scan tests for popular exploits like Heartbleed, Poodle, and Crime (see output in Listing 1), and I can trigger each test option individually. To discover whether a server is vulnerable for Logjam, I would just type:

  testssl -P <address>

Listing 2 shows the strongest encryption method the server was able to negotiate. The script additionally helps me discover whether the server supports HTTP/2 with:

  testssl.sh -Y <address>

It might then respond with Service detected: HTTP HTTP2/ALPN http/1.1 (offered).

The tests are not restricted to HTTPS. I can test a mail server like this:

  testssl.sh --starttls smtp <address>

the whole arsenal of test routines (Figure 1).

Aha

Finally, a tip from the developer of testssl.sh: If you additionally install the aha [2] tool, you can easily convert the console output to HTML:

  testssl.sh <address> | aha > /<Path>/servertest.html

After wrapping this up in a small shell script, I can then use cron to check the TLS and SSL status of my servers on a weekly basis.
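
The weekly cron check described above could be wrapped as follows. This is an added sketch, not the author's script: REPORT_DIR, the target-list format, and all function names are assumptions, and testssl.sh and aha are assumed to be on the PATH. It validates each target before handing it to testssl.sh and replaces an old report only when a new one was produced.

```shell
#!/usr/bin/env bash
# Added example, not the article's script: weekly TLS report job for cron.
# Assumed names: REPORT_DIR, the target-list format, and all function names.

TESTSSL_BIN="${TESTSSL_BIN:-testssl.sh}"          # assumes testssl.sh is on PATH
AHA_BIN="${AHA_BIN:-aha}"                         # assumes aha is on PATH
REPORT_DIR="${REPORT_DIR:-/var/www/tls-reports}"  # hypothetical output directory

# Accept only host or host:port made of safe characters, so a line from the
# target list can never be taken for an option or a file path.
valid_target() {
  case "$1" in
    ""|-*|.*|*[!A-Za-z0-9.:-]*) return 1 ;;
    *) return 0 ;;
  esac
}

# mail.example.com:25 -> mail.example.com_25.html
report_name() {
  printf '%s.html\n' "$(printf '%s' "$1" | tr ':' '_')"
}

# Scan one target; extra arguments (e.g. --starttls smtp) go before the target.
# The old report is replaced only after a new, non-empty one exists.
scan_target() {
  local target raw html out scan_rc
  target=$1; shift
  valid_target "$target" || { echo "skipping invalid target: $target" >&2; return 2; }
  out="$REPORT_DIR/$(report_name "$target")"
  raw=$(mktemp "$REPORT_DIR/.raw.XXXXXX") || return 1
  html=$(mktemp "$REPORT_DIR/.html.XXXXXX") || { rm -f "$raw"; return 1; }
  # stdin from /dev/null keeps the scanner from eating the target list
  "$TESTSSL_BIN" "$@" "$target" > "$raw" 2>&1 < /dev/null
  scan_rc=$?                      # kept for the log; a pipe into aha would hide it
  "$AHA_BIN" < "$raw" > "$html"
  rm -f "$raw"
  if [ ! -s "$html" ]; then
    rm -f "$html"
    echo "$target: no report produced (scanner exit $scan_rc)" >&2
    return 1
  fi
  chmod 644 "$html" && mv "$html" "$out"
  echo "$target: scanner exit $scan_rc, report $out"
}

# Target list: one "host[:port] [starttls-protocol]" per line, '#' for comments.
scan_list() {
  local target proto failed
  failed=0
  command -v "$TESTSSL_BIN" >/dev/null && command -v "$AHA_BIN" >/dev/null || return 127
  while read -r target proto _; do
    case "$target" in ""|"#"*) continue ;; esac
    case "$proto" in
      "") scan_target "$target" || failed=1 ;;
      *[!a-z0-9]*) echo "skipping $target: bad protocol" >&2; failed=1 ;;
      *) scan_target "$target" --starttls "$proto" || failed=1 ;;
    esac
  done < "$1"
  return "$failed"
}

# Cron usage (hypothetical paths):
#   0 6 * * 1 /usr/local/sbin/tls-weekly.sh /etc/tls-targets.txt
if [ -n "${1:-}" ]; then
  scan_list "$1"
fi
```

A non-zero return from scan_list means at least one line was skipped or produced no report, so cron's mail to the admin is the alert channel.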

Socket Statistics

Short Cut

A fast and easy tool for monitoring network stats. By Charly Kühnast

A bunch of parameters control the behavior of netstat. Administrators can also happily combine options so that some netstat calls look like an armadillo has rolled across the keyboard. With ss (like socket statistics), there is an even more specific tool for this purpose. It comes from the iproute2 package [1] just like its siblings bridge, rtacct, rtmon, tc, ctstat, lnstat, nstat, routef, routel, rtstat, and ip.

Because a running Linux uses several hundred or more ports, ss comes with plenty of filters. I mostly need the -t and -u parameters, which restrict the results to TCP or UDP sockets. Other parameters limit the list to raw, Datagram Congestion Control Protocol (DCCP), packet, and Unix domain sockets.

Caution: The tool only displays TCP sockets for existing connections by default (established or close_wait). If I also want to see sockets in the listen status, as I usually do, I have to type ss -ta. If I only want the tool to pay attention to listening TCP sockets and suppress all others, I use ss -lt. If I add -p here, I can also see which process opened the socket. I need to use root privileges for this; otherwise, -p has no effect.

Numbers, Please!

A further default is that ss translates the port numbers from the /etc/services file into names. I can switch this off using -n (for numeric). If I want the tool to resolve the IP addresses concerned into names, I just add an -r. Using -4 and -6, I can limit it to one of the two TCP/IP versions. I find it useful to filter by source (sport) and destination port (dport). For example,

  # ss -natp6 sport = :25
  LISTEN 0 100 :::25 :::* users:(("master",27452,13))

shows whether the mail server is listening via IPv6 (yes) and which process is on port 25. Logical links are also okay:

  # ss -t4 dport = :443 or dport = :80
  ESTAB 0 0 10.0.0.201:53389 10.0.0.118:http

ccze [2] sorted the coloration in Figure 1, but grc [3] or rainbow [4] would have managed it, too.

Figure 1: The socket collector ss, color-supported here, too, provides a good overview.

Info
[1] Iproute2: [http://www.linuxfoundation.org/collaborate/workgroups/networking/iproute2]
[2] Ccze: [http://freecode.com/projects/ccze/]
[3] Grc: [http://kassiopeia.juls.savba.sk/~garabik/software/grc.html]
[4] Rainbow: [https://github.com/nicoulaj/rainbow]
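
One way to put the listening-socket view with process names to work as a recurring check is to compare what ss reports with a list of expected port/process pairs. The following is an added example, not code from the article; the sample output, the allowlist, and the function name audit_listeners are constructed for illustration.

```shell
#!/usr/bin/env bash
# Added example, not from the article: compare the listeners reported by
# `ss -ltnp` with an allowlist of expected port/process pairs.

# Constructed sample in the layout of `ss -ltnp` (old and new users:() formats).
SAMPLE_SS='State  Recv-Q Send-Q Local Address:Port Peer Address:Port
LISTEN 0      128    0.0.0.0:22         0.0.0.0:*    users:(("sshd",pid=812,fd=3))
LISTEN 0      100    :::25              :::*         users:(("master",27452,13))
LISTEN 0      128    127.0.0.1:6379     0.0.0.0:*    users:(("redis-server",pid=990,fd=6))
LISTEN 0      5      0.0.0.0:8000       0.0.0.0:*    users:(("python3",pid=4242,fd=3))
LISTEN 0      128    [::]:8080          [::]:*'

# audit_listeners "<port/process> ..." < ss-output
# Prints one line per listener that is not on the allowlist:
#   <port>/<process> <loopback|exposed>
audit_listeners() {
  awk -v allow="$1" '
    BEGIN { n = split(allow, a, " "); for (i = 1; i <= n; i++) ok[a[i]] = 1 }
    $1 == "LISTEN" {
      port = $4; sub(/.*:/, "", port)        # text after the last colon
      addr = $4; sub(/:[^:]*$/, "", addr)    # text before it
      proc = "unknown"                       # no users:() column without root
      if (match($0, /users:\(\("[^"]+"/))
        proc = substr($0, RSTART + 9, RLENGTH - 10)
      if ((port "/" proc) in ok) next
      scope = (addr ~ /^127\./ || addr == "::1" || addr == "[::1]") ? "loopback" : "exposed"
      print port "/" proc, scope
    }'
}

ALLOW="22/sshd 25/master"   # constructed allowlist
# On a live host, run as root so that -p shows process names:
#   ss -H -ltnp | audit_listeners "$ALLOW"
printf '%s\n' "$SAMPLE_SS" | audit_listeners "$ALLOW"
```

A listener reported as unknown means ss could not name the owning process, which is what happens when the check runs without root privileges.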

ddrescue

Recovery Needed

Read errors won't deter this helpful data recovery tool. By Charly Kühnast

Krrr, krrr! At least things are clear-cut when a hard disk gives up the ghost: You toss the offending disk, get a new one, and put the backup on it. However, those undead data media that trick people into continuing working on them with no idea of the potential impact are a real pain.

I recently determined that an SDHC card in my camera saves one out of 20 images (on average) as a colorful mess of pixels. I do know that memory cards give up the ghost sooner or later. However, I didn't realize that my camera could save to two cards simultaneously, a feature I stupidly didn't use. But, I'm all the wiser now.

What if really important data is stored on a haywire device that you just can't get rid of? This is where ddrescue [1] comes in. The tool is already quite ancient, but its developers look after it untiringly and adapt it to new types of data media. (It should not be confused with the even older dd_rescue.) Ddrescue is officially named GNU ddrescue; the packages on Debian and derivatives are therefore dubbed gddrescue.

The tool is included with many popular distributions. The first two letters subtly indicate a relationship with dd, and ddrescue actually generates a data medium's or partition's image. Unlike dd, however, it can't be stopped by read errors; instead, it stubbornly saves everything that it can get its teeth into.

Two-Speed Transmission

Administrators usually use ddrescue in two phases. The first phase involves creating an image with all the data that can be accurately read. In the following example, /dev/sdd1 is a partition with read errors on a USB flash drive:

  sudo ddrescue -n /dev/sdd1 /home/charly/stick.img logfile.log

The second, more time-consuming phase involves using the tool to sort through the faulty blocks and save as much data from them as possible. The command is just the same as before, except you leave out the -n parameter. In the wake of ddrescue, there is still an armada of other parameters that control the tool's behavior.

There is also a GUI [2] that you can use to make some quick, useful default settings. I installed it quickly on my test Ubuntu using these three steps:

  sudo add-apt-repository ppa:hamishmb/myppa
  sudo apt-get update
  sudo apt-get install -fym ddrescue-gui

As Figure 1 shows, the interface is businesslike and functional. The GUI sets the important parameters, but not all of them by far. Although I hope no one will need to use ddrescue permanently, the GUI is nevertheless a real help.

Figure 1: The genuinely helpful front end for ddrescue is DDRescue-GUI, which graphically implements the important parameters.

Info
[1] ddrescue: [http://www.gnu.org/software/ddrescue/]
[2] DDRescue-GUI: [https://launchpad.net/ddrescue-gui]

Keepalived

Fit Without a Pacemaker

Configure a floating IP address for failover. By Charly Kühnast

Services without which nothing works are clear candidates for doppelgängers on my network. If the master fails, or if I just need to shut down the server for maintenance, I want the service automatically to start on the second server and to be available on the same IP address as before, if possible.

To do this, the IP address needs to migrate quickly and without much overhead to the backup machine. Addresses like this are known as floating IPs. The migration helpers here are Pacemaker [1] and Corosync [2]. These tools can't do much more than facilitate the move, however, so the solution seems a little over the top for a simple failover scenario.

A more streamlined solution called Keepalived [3] is part of the default toolset in most distributions. I just installed Keepalived and jumped in feet first. What I found were two servers with IP addresses 10.0.0.1 and 10.0.0.2. My floating IP of choice is 10.0.0.100.

Minor Difference

The /etc/keepalived/keepalived.conf configuration file looks like Listing 1. It differs on the two machines only in one aspect: the priority (line 16). I need to configure a smaller number on one of the machines than on the other to define the master. The machine with the higher number is the master: it gets the floating IP by default, whereas the other only gets the IP if the master is down. The VRRP (Virtual Router Redundancy Protocol) is used to swap states.

To be able to bind services to an IP address that does not (yet) exist on the system, I need to make some changes to /etc/sysctl.conf. The append has to run through sudo tee, because with sudo echo ... >> the redirection would be performed by the unprivileged shell:

  echo "net.ipv4.ip_nonlocal_bind = 1" | sudo tee -a /etc/sysctl.conf
  sudo sysctl -p

Now I can launch Keepalived by typing:

  sudo service keepalived start

The floating IP appears on the server with the higher priority value. If I shut down the master, I can see from the Syslog on the secondary machine that it quickly assumes the master role (Figure 1).

Listing 1: keepalived.conf
01 ! Configuration File for keepalived
02
03 global_defs {
04   notification_email {
05     charly@kuehnast.com
06   }
07   notification_email_from ha_test@kuehnast.com
08   smtp_server localhost
09   smtp_connect_timeout 30
10 }
11
12 vrrp_instance VI_1 {
13   state MASTER
14   interface eth0
15   virtual_router_id 51
16   priority 100
17   advert_int 1
18   authentication {
19     auth_type PASS
20     auth_pass meinpasswort
21   }
22   virtual_ipaddress {
23     10.0.0.100
24   }
25 }

Figure 1: A glance at the Syslog on the slave machine shows that it has become the master after a failure of the production machine.

Info
[1] Pacemaker: [http://clusterlabs.org/wiki/Pacemaker]
[2] Corosync: [http://corosync.github.io/corosync/]
[3] Keepalived: [http://www.keepalived.org]

paping

A Better ping

Use this connectivity checker when ping can't connect. By Charly Kühnast

Hi there! Anybody home? Quite often, admins need to make sure that at least the physical connection between two computers is still up or back up. Obviously, ping is the tool of choice when it comes to proving or refuting accessibility. However, there are cases in which a firewall blocks the ICMP ping. Anyone with a modicum of knowledge can save the energy they would otherwise waste cussing and instead type:

  nmap -p <port>

Don't cheer too soon, though, because often an intrusion prevention system blocks the Nmap signature of the workaround.

Paping [1] establishes a connection to a configurable port and immediately terminates it again. This works almost anywhere. It measures the round-trip time in milliseconds, just like ping. The simplest form of the call is very intuitive:

  paping <target>

  paping www.google.com -p 80 -c 4

<no_of_checks>, I can define how often Paping checks out the target.

Give Him a Break!

If you know that your target resides on a particularly slow or fast line, you might want to tune the -t <timeout_in_msec> parameter; that is, the time in which Paping abandons its task. Without the option, the tool throws in the towel after 1 second (1,000ms).

Purists who find the attractive output shown in Figure 1 too psychedelic, or cave dwellers sitting in front of terminals or dot matrix printers, can use the --nocolor option. This kicks Paping back into the monochrome era.

So, will Paping's programmer Mike Lovell be building an API for Android apps? No way: The open source tool has apparently reached the end of its design cycle; nobody has touched the C++ code for two years, but that is not surprising for such a simple tool.

If your Linux distribution does not include Paping in its repositories, you can grab the source or Linux version built for 32- and 64-bit systems [1].

Firewall in the way during ping testing? I don't care!

Info
[1] Paping: [https://code.google.com/p/paping/]

httpstat

My Point of View

This simple tool will help you discover how long a web server takes to serve up an HTML page. By Charly Kühnast

Httpstat is a Python script that wraps itself around cURL. Apart from Python 2 or 3 and cURL, it has no other dependencies. You can retrieve it from the GitHub repository and call it using:

  wget https://raw.githubusercontent.com/reorx/httpstat/master/httpstat.py
  python httpstat.py <URL>

If the Python installer pip is present on your system, you also can pick up the script and call it with:

  pip install httpstat
  httpstat <URL>

Although you can leave an http:// out of the URL, you cannot omit the https:// for web pages secured with TLS.

Figure 1 shows httpstat measuring an unencrypted call. Four milliseconds for a DNS reply is a really good value, but I cheated: The name of the site is cached on my local Dnsmasq. As soon as my computer has to turn to my provider's DNS, the value rises to 80-200ms. The TCP handshake is 22ms, which is about par for the course.

The time the server needs to create the page (Server Processing) shows whether the web server has some tuning potential that I have not tapped. My example is not representative, because instead of HTML, the server simply outputs 301 Moved Permanently, which means I should have called the page using HTTPS. A browser would do that independently, but not cURL.

Figure 2 requests the same page using HTTPS. The lookup and TCP values remain the same, but the TLS Handshake takes forever for this static page. The value can go up to several seconds for a big site with a large volume of dynamic content and advertising banners.

Httpstat is not controllable using command-line parameters because they would be fielded by cURL; however, you can influence the tool with environment variables. The line

  export HTTPSTAT_SHOW_SPEED=true

Figure 1: The page that httpstat requests via HTTP, and receives quickly, is only an error message in reality.

Figure 2: When requested using HTTPS, the HTML page obviously takes longer to appear.

Info
[1] httpstat: [https://github.com/reorx/httpstat]

Five Log Monitoring Tools

Small Supervisor

Anyone who wants to watch logfiles can use a full-featured monitoring tool like Nagios; however, a lightweight alternative also sniffs out threats and takes much less time to set up. By Tim Schürmann

Sometimes the developer provides a set of oft-needed rules. Powerful tools may also put together a report about the state of the system and indicate security problems. However, a comparison of the above candidates shows that these functions are not a matter of course (Table 1).

LOGalyze

be quickly booted using a prepared script.

Initially, administrators can create one or more collectors in the user interface. These collectors retrieve the log data via the network or from a file. Admins can switch each collector on or off individually. LOGalyze then generates statistics and reports from the imported data and summarizes all

Figure 1: LOGalyze displays statistics directly in the web interface as a pie, bar, or line chart. Here it is clear that the number of events dropped in recent times.

Logcheck

The Debian project currently looks after Logcheck [2], which is available under GPLv2. It independently assesses logfiles for problems, security vulnerabilities, and possible intrusion attempts. After it's started, Logcheck accesses the syslog and the auth.log by default. However, you can use the tool on other logfiles.

Logcheck compares all records added since the last test with a load of pre-

While Logcheck only sends the naked events to the admin, Logwatch provides the admin with a summary. If admins want to monitor their own services using Logwatch, they need Perl scripts.

MultiTail is worthwhile for administrators who literally want to keep an eye on several logfiles and only want to trigger actions in certain cases. Sending emails and forwarding filtered events may be possible; however, to do so admins need to write suitable regular expressions and manually configure MultiTail. The tool is therefore useful as a very good supplement to Logcheck and Logwatch.

Finally, SwatchDog is comparable to Logwatch: It can be set up quickly but requires knowledge of regular expressions. Additionally, it only reports individual events specified by the administrator.

Figure 9: As this diagram of Petit shows, a lot of events were entered in the first five minutes of the log recording.

Old Comrades

Anyone searching the Internet for other alternatives to the featured tools will automatically stumble upon a few representatives that are now obsolete. The Logdigest [6] tool works like Logcheck, but has been on ice since 2009. LogSurfer [7] is pretty similar to SwatchDog, but can also group similar events. In addition, LogSurfer is written in C and should therefore work much more quickly. However, the most recent version of the tool was released in September 2011.

Petit [8] is about the same age, but it is still in the repositories of Ubuntu. The tool uses language analysis methods to curb the flood of data, especially in system logs. This allows administrators to, for example, list all words that occur particularly frequently in a logfile. In addition, the tool draws a graph that presents the number of messages in a given period of time (Figure 9). The hash function, which keeps track of similar messages in the log, is also interesting. It allows the viewer to immediately see which errors occur most frequently.

Info
[1] LOGalyze: [http://www.logalyze.com]
[2] Logcheck: [http://logcheck.alioth.debian.org]
[3] Logwatch: [https://sourceforge.net/projects/logwatch/]
[4] MultiTail: [https://www.vanheusden.com/multitail/]
[5] SwatchDog: [https://sourceforge.net/projects/swatch/]
[6] Logdigest: [https://sourceforge.net/projects/logdigest/]
[7] LogSurfer: [http://www.crypt.gen.nz/logsurfer/]
[8] Petit: [http://crunchtools.com/software/petit/]

Web Analytics Tools

customers and their interests. The following applies: The better an operator knows the visitors and their preferences, the better the operator can optimize its offerings to suit the target group.

The market offers many different web analytics tools. They include around 150 commercial, typically proprietary applications, aimed at larger corporate websites. There are also some free and partly also open source tools. This ar-

advertising and market research. Such a profile is only allowed to contain an anonymized IP address in addition to the data on the use of the website. IP addresses are typically automatically truncated to this end.

The TMG also requires the service provider to inform the user in a privacy statement on the website of whether, to what extent, and for what purpose it processes the IP address. And, the TMG stipulates that users must have an option to object to the creation of user profiles.

Probably the most controversial and at the same time most successful tool for website traffic analysis pages is the Google Analytics online service,

Figure 1: GoAccess demo application in the browser.

Piwik

Piwik (Figure 2) is growing in popularity around the world. Users have downloaded the cross-platform independent, open source program, which is written in PHP, almost three million times since 2008. Fans of GA will most likely find the functions they are familiar with from Google in Piwik,

Site visitors are offered an opt-out in an IFrame, and Piwik respects the browser's Do Not Track feature.

Piwik collects data with tracking pixels, JavaScript, log analysis, and cookies, and stores these in a MySQL database. Access is via a web interface. The latest version, 3.0.1, introduces a new user interface on the basis of Material Design and Angular 1.4. Piwik is available under the GPLv3, but partly also under the BSD license.

Data Collection

Piwik Web Analytics collects relevant data such as visitor counts, keywords, referrers, and much more. The tool prepares the data in a graphically appealing way and delivers the results in the form of reports. These include statistics on page views and unique visits. The visitor analysis also provides information on the countries of origin and the browsers and operating systems used. Referrers tell the operator which website sent a visitor to their offering.

The tool relies on plugins to implement its functions; you can add or remove these as needed. Piwik supports real-time updates, shows developments and trends, offers campaign and target tracking for online stores, and is multi-client capable for multiple websites. Thanks to the configurable dashboard, admins can manage all their sites at a glance. A tool for aliasing the IP addresses is also part of the package and thus ensures data protection. There are also corresponding apps for the iOS and Android platforms. Last but not least, users will find a detailed list of features with in-depth explanations [11] on the project website.

Admins can use plugins to extend the already abundant wealth of features that Piwik comes with out of the box. A recent addition is the premium plugins, of which the project recently presented three [12]. Admins need to store Piwik software on the server and then install the system in a browser. If needed, you can integrate Piwik via enhancements in WordPress (Figure 3), MediaWiki, Magento, Joomla, vBulletin, and more than 60 other applications.

A demo version is available [13] on the project website. Piwik Pro sees the application run in the cloud [14]. Piwik is under active development and has a fairly lively community.

Figure 2: Piwik is the best known and functionally the most similar open source alternative to Google Analytics.

Figure 3: Piwik can be combined with various web applications, for example, WordPress.

Open Web Analytics

Under development since 2009, Open Web Analytics (OWA) is not as well known as Piwik, but it keeps pace with Piwik and GA in terms of its feature set, even outpacing them in places (Figure 4). For example, it offers integrated heat maps, which competitors need to load as extensions. They help admins analyze mouse movements on web pages.

OWA uses a PHP front end with a MySQL back end and collects statistics by integrating a JavaScript into the target site (Figure 5). Admins can evaluate the results using JavaScript, but also directly via PHP

Figure 4: You can try out Open Web Analytics with the aid of an online demo.

Figure 5: OWA collects statistics on referrers as shown here by integrating JavaScript into the landing page.

comply with European data protection regulations.

Whether hosting locally is an advantage or a disadvantage for you is something you have to decide for yourself. But if you want to install, update, and maintain the applications yourself, you will need powerful hardware in contrast to a scenario with GA. Piwik and eAnalytics, at least, offer supervised hosting.

If you completely reject GA, but do not have sufficiently powerful hardware for the mainline programs featured here, you can turn as an alternative to lean logfile analysis programs such as AWStats, Webalizer, or Analog. These may not provide the same wealth of information as the analytic applications, but they do still prepare the data in a clear-cut and graphically appealing way. They are fine if you only need an approximate overview.

Piwik has the edge in terms of popularity, dissemination, and developer community, which improves reliability and allows for long-term planning. The situation is not so clear with the two other candidates. Although both published their latest versions in the last twelve months, growth is far more restrained all told, and there are fewer developers on board. If you are interested in the integration of the acquired data with your business data, eAnalytics is the obvious choice; however, this unfortunately means doing without access to the source code for the current versions.

Figure 6: eAnalytics is open source software from Germany. The figure shows the default view; the latest version of the software is available as a package for Ubuntu 14.04.

Info
[1] Analog: [https://en.wikipedia.org/wiki/Analog_(program)]
[2] Webalizer: [http://www.webalizer.org]
[3] AWStats: [http://www.awstats.org]
[4] Google Analytics: [https://analytics.google.com]
[5] Piwik: [https://piwik.org]
[6] GoAccess: [https://goaccess.io]
[7] Open Web Analytics: [http://openwebanalytics.com]
[8] eAnalytics: [http://eanalytics.de]
[9] Telemedia Act (in German): [http://www.gesetze-im-internet.de/tmg/__15.html]
[10] Google Analytics opt-out: [https://tools.google.com/dlpage/gaoptout]
[11] Piwik features: [http://piwik.org/features/]
[12] Premium plugins: [https://piwik.org/blog/2016/11/premium-plugins-now-available-marketplace/]
[13] Piwik demo: [http://demo.piwik.org]
[14] Piwik hosting: [http://piwik.org/hosting/]
[15] Event queuing: [http://www.openwebanalytics.com/?cat=9&paged=3]
[16] Queued tracking: [https://plugins.piwik.org/QueuedTracking]
[17] eAnalytics on SourceForge: [https://sourceforge.net/projects/eanalytics/]
[18] eAnalytics Tag: [http://eanalytics.de/resources/download/eanalyticsdownload.html]
[19] Tagging Guide: [http://eanalytics.de/uploads/media/eAnalytics_Page_Tagging_Guide_english_V1_7.pdf]
[20] VMware image: [http://eanalytics.de/resources/download/eanalyticsdownload.html]

Author
Ferdinand Thommes lives and works as a Linux developer, freelance writer, and tour guide in Berlin.