I recently read a PC World article comparing the top cloud services for business and personal use. In their comparison of the top collaboration tools, they listed the new version of Microsoft Office 365, which basically takes the Office suite and puts it on the web. This got me thinking about the proliferation of web consoles in the IT space and otherwise -- in a world where everyone expects their data and applications to be at their fingertips, it's not surprising that IT pros are similarly expectant. Now, many of our tried and true tools of the trade have web interfaces, and I think that's pretty cool. Web consoles allow you to use tools remotely without having to remote into your management machine, and many of them even allow you to view the websites on mobile devices. What's more, web consoles can give non-administrative users read-only access to the data they want to see without giving them the keys to the kingdom. Like I said: Cool.


Taking Management and Monitoring Consoles to the Web

During my time here at SolarWinds, I've watched as we've taken several product consoles to the web. Most of the original SolarWinds products were built for the web (for example, when I joined SolarWinds, Network Performance Monitor network monitoring software was mostly online). Others have had to make a small journey to get there. One such example is Patch Manager, the ideal patch management solution. Earlier this month, we announced version 1.80, which introduces a read-only web console for Patch Manager administrators to view critical data about the patch management performance and compliance throughout their organizations. Administrators can even assign Windows or non-Windows accounts full or limited access to the console without giving those users access to the full administrative console. Having worked with this product since we acquired EminentWare at the beginning of the year, I think this is going to be a great addition to any patching environment.


For additional information about this new version of Patch Manager, patch management. Check out the announcement on our Product Blog, or download the free trial.

Specialized Network Switches are a Reality.


An article popped up in Wired on September 10, 2012  entitled "Mystery Google Device Appears in Small-Town Iowa". From the sound of the headline, I expected for the device to be something you might see in Roswell, New Mexico, and it was not helpful that the device is called a Pluto Switch. But alas, the tin foil lined hatters among us can relax. There is probably a better explanation than Google having wired the solar system. To me Google has always been about speed, innovation, efficiency, and accuracy. There are tons of switches out there that have enormous capabilities, so why would Google be interested in manufacturing their own stitches?


Google's speed is accomplished using a variety of proprietary methods.  If they were to ask a manufacturer to strip down a switch to do just the things they needed, and to do them very quickly, Google risks technology leaks. Also, seeing that what Google needs is hundreds of network dragsters, nobody is outfitted to make that, and modified coupes will not do. A home grown switch can be entirely purpose-built to fit Google's needs without the overhead of features that will not be implemented. The control over hardware functionalist is only half of the benefit Google get's from their home grown switch. They also have full control and design authority over the software.  This way they can make exactly the switch they need and continue to set the bar in search engine speed and several other technologies.


Another thing I find interesting in watching vendors taking new ideas like ultra-fast switches to market is this - the vendors rarely make a management suite compatible with these devices and with common industry network management. That is just not their goal. But this is our sweet spot at SolarWinds!


Google has a great track record of turning out products and services that most of us didn't see coming. It is interesting to get a glimpse into how they make that happen. Now that they have the Google car, and space is only a 2 hour drive, I really hope they are working on vertical driving!


Defining VM Sprawl

Posted by LokiR Sep 28, 2012

Zombies spawning and spreading like a cancer, leaving crying orphans in their wake. Rogues flitting in the background, hirable for a price and always ready to stab you in your back.


These all sound like elements to a cheap, zombie apocalypse film, but spawning, zombies, orphans, and rogues are actually components of VM sprawl.


VM sprawl is frequently defined as the unwarranted proliferation of virtual machines in the virtual environment.


How Does Sprawl Occur?


VM sprawl is a common problem to virtual environments that are not tightly controlled by a single person. In years prior, while not uncommon, it was still relatively rare to inventory your server room and find an extra server or two. In these days of easy to deploy virtual machines/servers, it is much easier to add VMs and forget about them.


Unless you employ draconian controls, you will usually face VM sprawl of some severity if you are administering your virtual environment.


Why Is VM Sprawl a Problem?


Outside of making your environment difficult to manage, unchecked VM sprawl can lead to other, potentially dangerous issues. Unchecked growth can lead to bottleneck situations, where your potential growth is checked by one or two resources. These VMs may have inappropriate privileges to the network, such as an unsecured domain controller or directory server. They could be a potential virus vector for the rest of your computers. They could be used by unscrupulous hackers to access sensitive information on your network. You could even face legal problems if hackers did access sensitive information, especially if you are subject to government or industry regulation.


In short, VM sprawl and overall VMware performance monitoring can become a huge problem and risk to your organization.


For more information about VM sprawl, and how to combat it using SolarWinds' Virtualization Manager and to perform effective VMware monitoring, see this video.

Software as a Service (SaaS) sounds like a terrific deal, because it requires relatively little money up front. You only pay for what you use each month. And then there’s no worry about upgrades, support, or maintenance. All you have to do is pay and play, right?


Well, it’s not necessarily that simple. For example, with SaaS, how much control do you have over your business data? How do you know your data is secure, always accessible and compliant, and won’t be lost during an outage? (Think of Salesforce.com’s worldwide outages this summer, which affected some 70,000 customers.) Or what about the security of your own network, now that you’re hooked into the cloud? Who else has access to that? Is this really the game you want to play?


And then there are the SaaS costs, which may or may not be cheaper than managing your company’s data in house. How much does it cost you when you when your SaaS provider has an outage or a security breach and you can’t access your data? Or what about if you need additional services, like testing, monitoring, and extra security for your data? How do those extra services affect the fees you pay for SaaS?


Before making big decisions about your data, get the all the facts. Determine all your potential options and all their costs. Evaluate your access, availability, and security needs. And take a look at SolarWinds’ Cloud Computing 101: The Need-to-Know-Basics video. The video offers up valuable information on SaaS and its variations, as well as the different types of cloud computing.

We’ve received an email from Manage Engine proposing that they would like an “independent” expert to work on a comparison of SolarWinds Server and Application Monitor and Manage Engine’s Applications Monitor. Their idea is to ask an “independent expert” [READ: ANALYST] who covers the application performance management market and compares lists of features without regard to the usability or true value of those features.  They don’t measure the complete ROI from the customer’s eyes.  Our idea of an "independent expert" is the user…  the sysadmins and IT guys that actually do the work and use the product everyday to solve problems. 


We know thousands of those experts.., we call them our customers.


What is important to our customers is something that we understand.  And we know the answer through hundreds of daily interactions with customers and our product management team on thwack and through customer surveys. 

What is important to our customers boils down to this:
• How proactive is the product at solving server monitoring problems – does it have the right features?
• How long does it take to set up?
• How intuitive is the server performance monitoring tool for the user?
• How much time does it save?
• How much value does the server monitor tool provide relative to its true cost?


In the end, why should our customers believe some “independent” expert when the products are freely downloadable from the web.  We want real users to compare for themselves.  Anyone can download Server & Application Monitor for a free-30 day trial here. Do your own comparison with Manage Engine Applications Monitor, and document your findings on thwack.com, in the Spread the Word section.   

dnsAnyone who deals with SolarWinds on a regular basis knows that we value our users and their opinions very highly. We pay a lot of attention to our online community (meaning thwack, where we are now) for user input. So, it's no surprise that thwack has been a great source for UX feedback. In this ongoing series of how our users directly impact the look and feel of our products, I wanted to share a case from DNSstuff.


Recently, we redesigned the DNSReport Tool results page. This is the most used, flagship tool in DNSstuff. It provides 55 tests that give a full diagnostic health check of any domain from an external view.  The report is comprehensive, and providing this information in an easily digestabile form is vital to it being useful to end users.


Here is the original:


Our objective was to take this format and improve on it, making it even easier to understand and use. One goal in particular was to make it easy to see how many issues the domain has in each area. We came up with this, and we asked users what they thought about it on the DNSstuff forum.




They didn't like it. Even though it may "look" better from a design perspective, it quickly became clear that we missed the mark from a functionality and usefullness perspective. Here are a few comments. We appreciate users who get to the point, so no one's feelings were hurt at the directness in these comments:


"the new is terrible

the old was much better

better overlook in the old

the new is like finding the needle in a haystack"




"This is making me do more work. Please bring the old one back. If you have the will, you could provide a link to the old one, and you'll know you're successful when people shift over to the new one on their own." (This comment came with a lot of very specific feedback on what wasn't working in the new design.)




"We would often print the old format report before going in to a prospective client pitch meeting.  The lack of color was great because the yellow and red color blotches let everyone focus right away on the problem areas and the technical detail was right there too.  With the new report format we actually have to read each section to figure out whether there is a problem or not -- and then we take a yellow highlighter to the printed copy to mark which areas need attention."



This is just a small sample of the excellent feedback we received in this thread. The end result - we understood so much more about what our users needed and wanted from this report, and we were able to design something that worked even better than what the old site offered.


Here's the end result.




This report actually looks better *and* works better. We also learned a lot about how DNSstuff users are working with this report on a day to day basis. The users like the changes, and we got a lot of positive feedback on the improvements. We love getting feedback of all kinds (and kind words are always appreciated!) The whole excercise was fun, interesting, and a win/win for everyone.



Read the previous post in this series.

The Mayan calendar will run out of pages in December of this year, so some think this means that the end of all things is imminent. Count me a skeptic, but, if you don't have both a plan for regular data backup and a disaster recovery solution in place, you might as well accept, skeptically or otherwise, that disaster is imminent, at least in your network closet.


Defining Network Disasters, Mundane and Massive

Stuff breaks. It happens. That's why you have a network monitoring system (NMS) in place; you want to know when it all, or at least some part of it all, falls apart. As I posted earlier, a typical NMS, like Orion NPM, works primarily by regularly polling status from monitored network objects. As each monitored object responds, your NMS passes status data, most likely, to some form of database. It's stored in a database so you can call it up and manipulate it later. When interfaces on a router serving your sales team start flapping, you know because your NMS alerted you to it within seconds of it happening. This is exactly the type of relatively mundane, daily disaster for which you stood-up your NMS in the first place. But what if the server hosting your NMS database crashes? Or, what if the server hosting your NMS decides to have a bad day? What do you do when massive disaster strikes?


When Massive Network Disaster Strikes

As an IT pro, you need to get data about your network promptly, and you need to be able to review it over time. Getting data promptly is what your NMS does; making that data accessible for review later is what your database does. That's two points of vulnerability. How do you protect yourself?


Protecting Against NMS Failure with Failover & Disaster Recovery

You've got an NMS so you can have data at your disposal. If your NMS fails you can't do your job. If you can't get your NMS back up, you might be better off getting a new job. There are a couple of different ways you can prevent this sad fate, of course. In short, you need to set up a second server to fill in for your primary NMS if and when it fails. In a future post, I'll go through some of your options in this regard, but if you want to do some extra credit reading, you can check out our Failover Engine.


Protecting Against NMS Database Failure

There's probably a database tied to your network management system and, if you're wise, your database and NMS are on physically separate servers. The previous section dealt, at least preliminarily, with failure of your NMS server. You can and should protect against database failures by simply, and regularly, creating database backups. It's really that simple.


OK, so it isn't really that simple.


Here's some more information on backing up some common databases that we use around here:

If you're using SolarWinds NPM for your network monitoring, you can configure regularly scheduled database backup and compaction. For more information, see "Creating a Database Maintenance Plan" in the SolarWinds Orion NPM Administrator Guide.

Change in IT Practice

Unless there is a Private Branch Exchange (PBX) that already handles the telephony within an established company, a contemporary IT team would not include architecting or managing such a system as part of their core competence. Instead, the team probably leases a bundle of Digital Signal 0 (DS0) lines from the local telephone company and internally sets-up a voice-over-IP (VoIP) network. Calls take the form of packet-switched voice data relayed through a core QoS-enabled switch between endpoints outside the internal network and VOIP phones on the edge of the internal network.


What's at the Other End of the Voice-Over-IP Phone?

VOIP phones have a switch port to which the end user can connect a desktop computer, so that behind any VoIP phone there is commonly at least one other device using a separate DHCP lease; and the phone and the device(s) connected to its switch port are treated as directly connected to the network switch. If the device connected through the phone's switch port is a hub, then there may be as many as 6 devices using different DHCP leases. Or, connect a wireless controller to the phone's switch port and a number of wireless access points and SSIDs may be running behind that particular VoIP phone.


Monitoring a VoIP-integrated edge network can be challenging in at least two ways: seeing reliable topology information (what is connected to what and at what remove) and seeing devices in terms of their Layer2 (data-link; for example, MAC) and Layer3 (network-link; for example, IP) relationships and activity. Lacking views into these aspects of your network can limit your ability to investigate or troubleshoot unusual events or trends that impact the call quality that your  Quality-of-Service (QoS) monitoring tools (measuring latency, jitter, etc.) are showing you.


Since a VoIP network almost always serves other networking purposes within the business you usually cannot resolve disruptions by simple exclusion (for example, of traffic from specific domains like youtube.com).


Ports of Call

Applications that monitor your VoIP implementation for call quality (latency, jitter, etc.) usually do not track device port connections. So you may see the results of the staff breaks that involve executing World of Warcraft maneuvers through your network but you won’t be able to figure out who is behind those bursts of bandwidth use that are wreaking occasional havoc on the sales team’s ability to use their phones.


Effectively analyzing network events impacting VoIP QoS requires an ability to correlate switch ports with user login data, MAC and IP address bindings, and traffic activity.  SolarWinds User Device Tracker (UDT) is a tool that offers exactly these correlations. Explore its resources in this live demo; and see the administrator's guide for detailed information on how to get things done with UDT.

You've heard of "rightsizing," right? When it refers to an organization, it heralds a stressful time waiting for that pink slip. When it refers to a virtual infrastructure, it also heralds a stressful time, though without the pink slip.


Let's say you're in charge of your organization's virtual infrastructure. Some people complain that their VMs are slow - the CPU or the memory is consistently pegged when they're using the VM - and they can't work. Other people have no issues with their VMs; in fact, the VMs they used are lightning fast, and their usage barely makes a difference in the CPU. Perhaps when you open your VM manager, you notice that you have significantly more VMs than people.


The Problems


While there are any number of reasons for these issues, though no user would call "lightning fast" VMs an issue, for the purposes of this post, let's us reduce these issues to underallocated VMs, overallocated VMs, and VM sprawl.



A virtual machine does not have enough resources allocated for its current usage and runs into performance problems. Either the usage profile has changed or the VM never had the correct amount of resources. In general when performance is slow, the memory or CPU is the culprit.



When a VM has more resources than it uses, the VM is overallocated. Many people do not consider overallocation to be a problem, and some VM administrators even think they're doing someone a favor by setting up a super beefy VM. While it's not a problem for the user, it will eventually be a problem for the other people using VMs on the same host since resources are reserved that will not be used. A pie analogy works well here. There is a finite amount of pie, and you have taken two slices when you only want to eat one.



VM sprawl occurs when more VMs are deployed than are used or needed, thus reducing the total amount of resources available for other VMs. This is unique to virtual environments, as VMs are considered "cheap" to create and few remember to delete VMs that they no longer need.


The Solution


These problems can be solved with a judicious application of "rightsizing". Merriam Webster defines rightsize as "to undergo a reduction to an optimal size". In virtual infrastructures this means reallocating resources so that each VM has exactly what it needs and reducing the amount of resource draw by VMs that are not being used.


For underallocated VMs, this means adding resources or, possibly, moving the VM to a different host.


For overallocated VMs, you reduce the amount of resources a VM uses to free those resources for use by other VMs.


For VM sprawl, you identify the unused VMs and remove them, including any leftover files.


Going through each host, cluster, or VM manually to check the resources, or conducting user surveys on the performance of their VMs is time consuming and not particularly cost effective. Instead, use one of the many VM management tools to help identify these types of problematic VMs.


Coming to VMware monitoring, you can see this Tech Tip from SolarWinds to learn about how SolarWinds Virtualization Manager, the ideal VMware monitoring software that can help you rightsize your environment. VMware performance monitoring, simplified!

Like any file system, the name for an object in an LDAP container must be unique. Thus, CN=Kate uniquely identifies this object within its container, OU=CustomerSupport. As a result, the entire DN uniquely identifies this particular object in the entire directory tree.


Search Operation

The most important operation in LDAP is the ability to search. This is how objects are found in the directory tree and how values are read. The syntax is somewhat different from more familiar query syntaxes such as SQL. However, LDAP is also much simpler than SQL with SQL's joins, sub-queries, ordering, and grouping. An LDAP query is composed of four basic parts: a search root, a search scope, a filter, and a list of attributes to return. There are more parameters and options, but these basic four are enough for most cases.

Search Root

The search root determines the place in the tree from which the search will start. This value is passed as a DN in string format. To search the entire directory, pass the DN of the object that is the root of the tree. To search lower in the hierarchy, specify a lower-level DN.

Search Filter

The search filter determines which objects will be returned in the query. It is analogous to the Where clause in a SQL statement. Each object in the scope of the query will be evaluated against the filter to determine whether or not it matches. Objects that do not meet the filter criteria are eliminated from the search.


Basic LDAP Syntax


The following table outlines basic operators for use with LDAP:



Operator Definition




Equal to

This argument means an attribute must be equal to a certain value to be true.


This will return all objects that have the first name of "Kate."

Note: Because there is only one argument in this example, it is surrounded with parentheses for illustration.



Use & when you have more than one condition and you want all conditions to be true. For example, if you want to find all of the people that have the first name of Kate and live in Austin, you would use the example in the right-hand column.




The ! operator is used to exclude objects that have a certain attribute. If you need to find all objects except those that have the first name of Kate, you would use the example in the right-hand column. This would find all objects that do not have the first name of Kate.

Note: The ! operator goes directly in front of the argument and inside the argument's set of parentheses.


Note: Because there is only one argument in this example, it is surrounded with parentheses for illustration.



Use the * operator to represent a value that could be equal to anything. If you wanted to find all objects that have a value for title, you would then use the example in the right-hand column. This would return all objects that have the title attribute populated with any value.



Wildcard (Example 2)

This would apply to all objects whose first name starts with "Ka."


Advanced Examples of LDAP Syntax:

  • You need a filter to find all objects that are in NYC or Austin, and that have the first name of "Kate." This would be: 
  • You have received 9,360 events in the Application log and you need to find all of the objects that are causing this logging event. In this case, you need to find all of the disabled users (msExchUserAccountControl=2) that do not have a value for msExchMasterAccountSID. This would be:


Note: Using the ! operator with the * operator will look for objects where that attribute is not set to anything.


SolarWinds SAM makes use of LDAP by having its own built-in LDAP User Experience Monitor.

In honor of the late Neil Armstrong, I'd like to take a look at networking in the final frontier.  There are a lot of really interesting things happening in space right now - the landing of Curiosity, the first docking of a privately owned space craft to the International Space Station, space tourism, nanosatellites, and the private Mars One project to colonize Mars are just a few.


This raises questions to my mind that revolve around communication. How will network connections be formed between interplanetary objects?  We still have problems with being on the wrong side of celestial bodies, interference, and poor satellite coverage for the current space program. Plus, we don't even have world-wide Internet-connectivity or reliable connections.


What place does traditional, "terrestrial," networking have when there is no end-to-end path. Moreover, how do we bring networking to the stars when we can barely network two WANs together without intermittent connectivity issues?


Delay/Disruption Tolerant Networking


Well, one answer that is being heavily researched is Delay Tolerant Networking (DTN), also known as Disruption Tolerant Networking and, potentially, Delay and Disruption Tolerant Networking.


DTN addresses networking issues in mobile or extreme environments that lack continuous networking connectivity. In conventional networking, if a node can't connect to another node to deliver its packets, the packets are dropped. TCP/IP does not tolerate disruptions between end-to-end paths and times out after a relatively short time period.  Packets are dropped and not enough data may arrive at the destination. In the case of interplanetary communications, this can be disastrous since there are frequently times when there is no direct line to the next node.


DTN bundles the data and holds it until it can transmit the information to the next node. Unlike TCP/IP, DTN will store that bundle until it can successfully forward the bundle to another node.  This implies extra storage capacity on the nodes so the nodes can contain multiple bundles.  It also implies a certain amount of intelligence in DTN nodes to determine not only the best route for the bundle but also the best route without overwhelming the next node with data it cannot store. (Yes, there are many security concerns around storing bundled information.)


So, how will this benefit us poor terrestrials?


The potential benefits of DTN

Well, ignoring the vaguely science-fictional scenario of communicating with deep-sea bases, I can think of quite a number of use cases. Military communications is an easy use case, especially with submarines or with troops deployed to areas without consistent communication lines. I've frequently wished for a data connection in the middle of a hike in the woods so I could figure out what the heck just bit me, so increasing connectivity to the "wilderness" is a fond hope. This could provide more connectivity to developing nations. As the many natural disaster can illustrate, an important use case for everyone is more consistent connectivity during natural disasters.


Assuming this is the future, or a close facsimile thereof, how in the world do you monitor that?   

The Payment Card Industry (PCI) requires companies that process credit or debit card transactions to comply with 6 control objectives outlined in their Data Security Standard (DSS). These 6 objectives are:

  1. Build and maintain and secure network
  2. Protect cardholder data
  3. Maintain a vulnerability management program
  4. Implement strong access control measures
  5. Regularly monitor and test networks
  6. Maintain an information security policy

These 6 objectives cover a total of 12 requirements that range from implementing safeguards such as firewall and anti-virus software, to implementing and maintaining strict policies for network and data security. Complying with these requirements can be a big job - especially for small- to medium-sized operations with limited IT resources. So it's important to have the right tools in place to make compliance as painless as possible.


The Case for a Firewall Configuration Management Tool

Several of the requirements for PCI compliance have to do with implementing and maintaining firewalls throughout the network. After you've gotten past the "implementing" part, a firewall configuration management tool can help you keep things organized and running smoothly. It can even help with reports and inobtrusive access when the auditors come knocking. Here are a few of the high points of what such a tool can do to help:

  • Make rules and ACLs easier to read and analyze
  • Identify redundant and unused rules
  • Suggest and implement changes based on rule analysis and connectivity needs
  • Test changes to firewall devices before they're implemented
  • Provide risk analysis reports for internal and external audits


One such tool recently came to SolarWinds by way of our acquisition of Athena Security: Firewall Security Manager (previously Athena FirePAC). For additional information about what FSM can do to help you maintain PCI compliance, check out the Athena Security Technology Brief, "PCI Compliance Audit Using SolarWinds Firewall Security Manager."

NetFlow is great for troubleshooting network bottlenecks and finding unwanted traffic, but there is a common pitfall that may be blocking or distorting your view of your network traffic. The issue is data flooding.This is a very easy trap to fall into once you have seen the value of your initial NetFlow implementation. The usual response to seeing flows on your network is typically, "Show me more!". More visibility into your network is a good thing, until you reach the point where more is just more. After that the more you add the less you get, so more becomes less. Let me explain.


Data Flooding in Network Management

Consider the case where a user in a small office is accessing less-than-productive materials from the Internet. At a minimum this is just a waste of time and money, at worst it could be a serious regulatory violation that could result in loss of business or loss of an accreditation. Chances are that this traffic would transverse a WAN connection to the main site, and then connect to the Internet from there. If NetFlow exporters are configured just at the WAN interfaces, which is common, then this traffic will most probably be noticed and action can be taken to correct the issue. Now imagine if we were to apply NetFlow at all the LAN switch interfaces and the WAN interfaces. Intra-LAN (switch to switch) traffic is typically ninety percent or more of the total network traffic. So now this crucial WAN traffic is being buried in a mountain of LAN traffic. To make things worse, a great deal of the LAN NetFlow exports are duplicate counts of the same data passing from switch interface to switch interface. Since this is strictly internal traffic that never touches a WAN interface, the chances of the traffic being unwanted is about nil. Finding the offending WAN traffic in this mountain of data may not be possible by any means.


Is This a NetFlow Problem?

No, it is more of a planning problem. Any tool used improperly can turn against you. So, what can you do to correct or just plain avoid this issue? Take a look at this paper on NetFlow Basics and Deployment Strategies and compare the deployment examples with your NetFlow implementation.  If you are new to the world of flow analysis take a peek at the SolarWinds NetFlow Traffic Analyzer demo at http://oriondemo.solarwinds.com/Orion/TrafficAnalysis/SummaryView.aspx

Ok, you're not a programmer, you're a SysAdmin. Your job is to keep things up and running. When something goes down, you need to figure out why so you can get it back up ASAP. With PowerShell at your fingertips, you can accomplish this and become a hero at the same time.


What is PowerShell?

PowerShell is a command-line shell created for system administrators. PowerShell includes an interactive prompt and a scripting environment that can be used independently or in combination. It is built on top of the .NET Framework Common Language Runtime (CLR) and the .NET Framework, and accepts and returns .NET Framework objects. In English, this means you can get the information you need almost instantly using PowerShell, if you know how to ask for it.


The Cmdlet

A cmdlet is a simple command that can manipulate objects in PowerShell. Cmdlets have a unique format -- a verb and noun separated by a dash (-), such as Get-Help. You can use each cmdlet separately or in combination to perform complex tasks. PowerShell includes more than one hundred cmdlets, and you can write your own.


Things you should know about PowerShell:

  • PowerShell does not process text. Instead, it processes objects based on the .NET Framework.
  • PowerShell comes with a set of built-in commands with a consistent interface.


PowerShell and SAM: Configuration and Usage

The ability to employ PowerShell scripts within SAM is a powerful advantage for system administrators. In order to use PowerShell with SAM you must have PowerShell 2.0 or later installed on the main Orion server and target servers. PowerShell 2.0 can be found here. After confirming that PowerShell is installed on the servers, ensure that Windows Remote Management (WinRM) is properly configured and enabled on the SAM and target servers. To do this, follow these steps:


1. On the SAM server, open a command prompt as an Administrator. To do this, go to the Start menu and right-click the Cmd.exe and then select Run as Administrator.

2. Enter the following in the command prompt:

    winrm quickconfig –q
    winrm set winrm/config/client @{TrustedHosts="*"}


3. On the target server, open a command prompt as an Administrator and enter the following commands, where IP address is the IP address of your SAM server.:

    winrm quickconfig
    winrm set winrm/config/client @{TrustedHosts="IP_ADDRESS"}


After you successfully complete these steps, PowerShell will be able to properly communicate with SAM. See Configuring and Integrating PowerShell.


In part 2, we'll discuss PowerShell Templates and Monitors.


BTW, check out the new...






Posted by Bronx Sep 22, 2012

A Trip Down Amnesia Lane.

Remember when computers used bloated CRT monitors and AOL was still fighting for survival as the internet with training wheels? Remember life before wi-fi, cell phones, and apps? Pretty ugly, huh? If you were a SysAdmin during this dark time, you were pretty much chained to your desk trying to solve a host of problems using little more than your experience for reference. Wanted to leave the office for lunch? Puh-lease.

Application and Network Monitoring Eases your Life.

You know it does. Troubleshooting applications and networking issues has never been easier than it is today, with the right software. Simply look at a computer screen and your entire networked world appears before you. Gone are the days of figuring out where the problems are coming from. Your only concern at this point is fixing the problems the software already found for you. (Pretty slick.) But you’re not out of the office yet.

I Really Love my Phone.

To me, the right apps and mobile websites on your phone are kind of like what motorcycles are to husbands. Think about it. If you're a SysAdmin, you can finally get out of the office! Go to lunch, take a vacation, ride that motorcycle. The advent of mobile tools allows you see what’s going on in your world from virtually anywhere in the real world, instantly. This benefits you, the SysAdmin.



Imagine you’re on vacation and lounging by the pool sipping a Piña Colada. Suddenly, you get an alert email on your phone that Server XYZ is down! Relax. Go to the web console of your monitoring software from your phone, examine the issue, and then determine what needs to be done. Look at that, you also have a phone and email client right in your hand. All the tools you need to monitor your network, diagnose problems, and communicate are right in the palm of your hand! The point is, now, you will always be in the loop, and sometimes in the water.


Motto: Mobile monitoring software = mobile you.

When last we talked, we visited about why UX testing at SolarWinds is such a vital component to the way we do business. In short, we believe if users are happy and successful with our products, then we as a company will also be happy and successful. Today, I wanted to share two concrete examples of how our products changed after user feedback and UX testing.


Server & Application Monitor – Making Templates Easier to Edit


SAM, application monitor makes application monitoring set up easy by providing templates. These templates organize all the discrete components that you would want or need to monitor to ensure your applications are performing optimally. Most templates have lots of individual counters they monitor, reflecting the complexity of the application and the depth or monitoring that SAM, server performance monitoring tool provides. As SAM added more templates and increased the depth of monitoring, these templates have gotten longer, making editing the templates quite a laborious task. Every time a user retrieved settings or made a change, the data would have to be transmitted back to the server—similar to refreshing the webpage every time you fill out a field in a very long online form. User complaints were a regular occurrence. So, SolarWinds listened to our users, and we delivered a new multi-edit option which came out with the 5.2 release. This new feature in SAM, server monitoring is super responsive and allows for users to make simple edits quickly and efficiently.


Old Way to Edit Templates in Server & Application Monitor

SAM 5 0 Template Editor.png

The template lists all the counters that are revealed by the application and point to application performance and health. To modify the template, the user needs to open each one, determine if that is what he/she wants to change, modify the settings, then save the changes. Each current setting and change is transmitted back to the server, making for a tedious process.


SAM 5.0 Template Editor Expanded.png

Here is a template, expanded so you can see the counter settings. Often, the change a user wants to make in one setting will be the same change he/she will want to make in another component monitor, so there’s going to be a lot of repeated effort.


After talking with users, we found that quite often, they were changing the same data in multiple places in the template. This was something we could easily solve with multi-edit functionality. The resulting enhancement is below.


Template Editor.png

Multi-edit functionality allows you to make the same change throughout the template with one step.


This simple change has already saved our users countless time and frustration! It’s easy to understand, and simple to use. It’s a win/win for everyone.


Log and Event Manager Gets a Wizard


Next, we’ll look at Log and Event Manager (LEM). Before UX texting and enhancements, users manually deployed the LEM appliance. They did this with only  the aid of a pdf. This created a number of problems – first and foremost being that users couldn’t figure out where to go, and the process didn’t make sense. The pdf was unruly, and people started off confused and overwhelmed. LEM can require additional software components to be installed, and users would have to install each one separately. Again, they had to rely on the pdf to tell them all about the process. They got lost, there were too many steps, some of which were multi-steps within steps in two different places.


Yah, no kidding.


And to top it all off, users manually configured the LEM appliance. You get all this way, and then you had to go to a virtual console and do some more. Users found this disorienting. In general, it wasn’t a great way to start off with LEM.


So, we looked into streamlining the process. The result is a nice, user-friendly wizard. Here’s how it works:


  1. Users run the wizard, which guides them on how to install the appliance
    Solution: LEM shows them exactly where to go and what to do
  2. The wizard prompts them to install any additional software, and we added a web console
    Solution: users don’t  have to figure out what software to install

        Solution: the web console often eliminates the requirement for some additional software components

3.     Users don’t have to configure the LEM appliance, but if they do make changes, they can use the appliance configuration wizard
        Solution: the appliance has preset defaults that get things up and running without extra steps
        Solution: the in-appliance wizard helps customers perform common tasks when deploying to production


Some screenshots of the new process follow. Much better than a pdf!







What a difference this has made! Users find LEM infinitely easier to install, they don’t have concerns about choosing the right options, and the whole experience is smooth sailing.


In Conclusion…


These are two recent examples, and we have so many more. In the next post in this series, I’ll be talking to some of our customers who have participated in UX testing to get their input on being involved in the process.


In the comments, I’d love to hear if you have experienced either of these changes first hand, and if you have any feedback on them.


Read the next post in this series.

Over the last few weeks, several bloggers here at SolarWinds have blogged about the concerns IT professionals face as the BYOD (Bring Your Own Device) trend continues to rise (see the most recent one here). As I've read these posts, I've wondered, "Am I just another headache to the IT guys because I use my iPad at work?" Luckily, the answer to that is "Probably not," since our IT guys have all the right tools in place. But another thing these posts have prompted me to do is reflect on how my iPad helps improve my productivity and flexibility, both at the office and away.


How I Use My iPad for Work

Several of my coworkers have gotten iPads and asked me how I use mine at work. Sure, I use it to stream Pandora while I work, but I've also found several other, more productive, uses for my handheld device. For example:

  • I use a handwriting app to replace the tattered and inevitably discarded notebooks I used to carry around.
  • I use the Chrome browser to sync my bookmarks from my desktop browser and to view, manage, and send KB articles from meetings or even the hallway.
  • I use an Outlook app and several chat apps to stay connected, even when I'm grabbing lunch.


I also use my iPad to work from home. Oftentimes, this is far more convenient than booting up my PC at 6 o'clock in the morning to log into a meeting with our Dev team overseas. Here's what I use:

  • The GoTo Meeting app to join meetings and share screens
  • The Cisco AnyConnect app to connect to our corporate VPN
  • An RDP app to log directly into my work PC


How You Can Use Yours

My list is probably pretty typical for the average savvy mobile device user. But what about for you tech gurus? Well, SolarWinds recently acquired two companies that brought us some incredible mobile solutions for IT professionals. If you support end-users in your role as an IT professional, check out these two products:


Network Security Audit

Posted by DanaeA Sep 21, 2012

Audit - The word alone puts panic in everyone’s heart. The idea of having to do one for your entire network drops you to your knees and makes you reach for that comforting Mountain Dew. If you had network security management software, and had it configured properly, this would be a piece of cake for you. But you don’t. Now I’ll tell you why you should:

    • Networks are never completely secure. You can have a user that downloads software they found online and  another who is surfing the internet reading all those funny memes. But little does either know that they are also downloading a virus. This can cause havoc on your network.
    • Networks change. Hardware is added, removed, and changed. Operating systems are updated and new patches/updates are released.


You should take a baseline record of your network for comparison reasons. Performing regular network audits allows you to keep up with all the changes around you without having to live off Mountain Dew and pull your hair out every time something goes wrong. Comparing your baseline with your current network configuration can save you hours of detective work.


Using SolarWinds Log & Event Manager (LEM), you can create a baseline, configure alerts, and have notifications sent to you when something changes on your network. Auditors typically require that IT administrators review the critical events, simply put a event log analysis on their networks on a daily basis, and LEM includes over 300 “audit-proven” templates to assist with keeping track of events.

Let me first recall some basics. Your company’s website is as available to customers and partners only as long as your name-server is available to answer DNS queries for the server IP address(es) associated with the company’s domain name (your_company.com). The answer your name-server sends in response to a DNS request includes a value (in seconds) for time-to-live (TTL)—the time for which the answer should be considered reliable for another name-server to hold in cache.


When your customer types your_company.com into a browser, the browser asks the name-server tending the local domain—within which the customer’s request originates—to resolve the domain name to an IP address; so that the browser can then ask the appropriate web server to send over your company’s homepage. If the local name-server cannot immediately give the answer it queries an internet root name-server, which also does not give the answer outright but rather directs the local name-server to an appropriate top tier name-server (.com, .net, .org, etc.). The top tier name-server gives the IP address sought by the local name-server and the local name-server relays it to your customer’s browser; the browser finally is able to request the relevant webpage from the web server running behind your_company.com. Eight points of communication precede the customer seeing the first webpage; usually it all happens within a few seconds.


Apart from having your name-server include a TTL with its answers to DNS queries, and hoping that the name-servers in other domains are configured to respect TTL values, there is nothing you can do to influence the speed with which DNS facilitates the delivery of the first webpage from your site.


But latency in delivery of your web content is irrelevant compared to the failure to return any content due to the unavailability of your domain’s name-server. In that case, instead of the—at worst—slowly loading homepage, the customer receives the fatal error message related to being unable to find the web server.


Redundancy Ensures Availability

Most likely, if your company does business through its website, all production servers are sitting in a third-party datacenter with the infrastructure to guarantee the availability of power and cooling. That part of the availability formula is usually out-sourced, in other words.

Since serving up web content depends on your name-server, having two name-servers is much better than having one. You can setup the two name-servers as equally authoritative for your domain, so that the query load is balanced in a round robin while both servers are up, and so that each name-server is capable of handling all queries if the other goes down.


But if your primary datacenter goes down—and this happens often enough to be of concern, despite infrastructural redundancies—redundant name-servers are of not help to you.  So the best practice is to have redundant name-servers along with your production web content in two different datacenters.


Monitoring What is Available

Let’s assume that you have the name-servers setup in the recommended double redundancy (two name-server pairs in two datacenters). You already have a highly available DNS operation.


Now you need a process for maintaining the records on your name-servers that tell your customer’s browser which web servers to contact for various resources. Since human error is most prevalent in configuration file updates, you need to know when DNS records on the name-servers are modified and if the modifications are accurate.


dnsstuff.com is an excellent resource for tools related to exploring and maintaining the DNS piece of your web service operation.

This subject may be akin to beating a mostly dead horse, but I know people still struggling with situations that can be solved with tools that can calculate showback.


The Scenario


So, let's assume you are an IT person with, shockingly, little to no budget for non-planned expansion. Suddenly, a wild resource hog appears! This department (or person) wants - no, needs - more resources to do their jobs. Except this department has more resources allocated to it than the rest of the business units you support.  In fact, they have a history of asking for (and receiving) more and more resources. Nobody really knows what they do with those resources.


While there are many responses to a resource hog, most people go with frequent repetitions of  "No." Every time you say no, the resource hog gets other people in the department to ask for more.  Sometimes the resource hog gets management involved, which leads to long meetings with budget committees or department heads going over why IT can't just acquiesce with the resource hog's demands. This occasionally leads to you cannibalizing your budget or throwing out your brilliant expansion plans and everyone is mad at IT.


Have no fear, for there is hope. Let me introduce you to showback.


What is Showback?


"Showback" is basically buzzspeak for showing who is using which resources in your virtual environment.  It is frequently discussed with "chargeback," wherein business units are billed for their IT resource consumption.


This sounds like a lot of work, right?  If you have access to virtual infrastructure management software, like SolarWinds Virtualization Manager, VMware perfromance monitoring this is actually pretty easy.  The software takes care of most of the work. You can track what resources a department utilizes, when people have last logged in to VMs, the hosts' loads, and other, relevant metrics.


What Does Showback Do for You?


Most of the time resource hogs don't know what they have available to them or poorly allocate their resources. By using a virtual environment management product, you can highlight underutilized resources, overloaded hosts, zombie VMs, and more. For example, if the resource hog department has 20 hosts, but only use five hosts, it's easy to see that not only do they not know about the other 15 hosts, but that they're overloading the five hosts. And honestly, sometimes they are overloading all 20 hosts and they have a legitimate, if poorly planned, need.


As an aside, if you use SolarWinds Virtualization Manager for VMware monitoring, you can use a feature called Capacity Planning to show when you're actually going to run out of resources, based on past resource usage, and then plan appropriately.


This all leads to less aggravation and smoother sailing. You can save your time, management's time, and the resource hog's time. You could even save some money by equitably managing your virtual infrastructure needs with fewer surprises.

If you've been in network administration for any length of time, you've no doubt seen a disaster or two like these:


Luis Guevera submitted this to our What's Hiding in Your Closet contest.

Daniel Parmelee submitted this to our What's Hiding in Your Closet contest.


The desire to have a neatly ordered network closet is known and shared widely. But effective network organization is more than just neat stacks and tightly bundled cables in physical space. Is there a logic to your network structure? Even if you are just adding devices as you need them or are allowed to buy them, you need to impose some sort of order on your network.


Get your Network Organized

Getting your network organized is especially important as you start to consider trying to determine what is happening on your network. That's right, network organization is part of effective network monitoring. Of course it is.


Here at SolarWinds, we approach logical network organization with three basic concepts: custom properties, groups, and dependencies.


Custom Properties

Custom properties are simply properties that you define and use in accordance with your own specific needs, such as country, building, asset tag, or serial number. These properties are not necessarily available in the MIB, so they are not updated via SNMP polling. In physical space, you can think of custom properties as informative labels you can directly stick to your network devices. With a Network Management Software (NMS) that uses a database, like SolarWinds NPM, custom properties are simply additional fields in your database that then allow you to sort and report as you need.


For example, if it is your IT practice to label each network device with a company ID, you would want to think of that company ID as a custom property for searching, sorting, and reporting with your NMS.


Groups are a logical extension of custom properties in that they give you that ability to logically organize individual network objects into groups that you can then manipulate as larger monitored network objects, regardless of device type or location. You already, naturally, think of your network in terms of groups of devices.


You might want to push a particular update out to all users of a particular OS. If you've defined a group based on OS, you could simply select the group and push your update to all users in the defined group. It's obviously a lot easier to select a single group object to update than it would be to select all the individual members of that group.



Dependencies allow you to more faithfully represent what can actually be known about your network. In any network, there are some devices that are functionally dependent on other devices. Accounting for the functional dependencies that exist on your network will improve both the effectiveness and the efficiency of your network monitoring over the long haul.


As an example, if your network is set up in such a way that packets leaving a wireless router "W" cannot reach the server hosting your NMS without passing through switch "S", you will only ever know the status of wireless router "W" if switch "S" is operationally up. The problem is that wireless router "W" will appear operationally down if switch "S" is actually down, simply because, if switch "S" is down, it's impossible for packets to get from wireless router "W" to your NMS. The link at switch "S" is broken. It's likely that you'd have an alert configured to fire on all down objects. In this situation, you'd get a false positive down alert on wireless router "W" simply because your NMS wouldn't know any better. Documenting dependencies, and using them to better configure your network monitoring profile can eliminate a lot of false positive alert triggers and give you more accurate insight into the state of your network.


For more information about custom properties in SolarWinds NPM, see the chapter, "Creating Custom Properties", in the SolarWinds Orion NPM Administrator Guide. For more information about groups and dependencies in SolarWinds NPM network monitor, see the Solarwinds technical reference, "Using Orion Groups and Dependencies".

Whether you’re planning to celebrate International Talk Like a Pirate Day today or not, you’re likely to curse like a sailor when you find pirates have been creeping around your network. For hackers, the big fun may be just proving they can get onto your “secure” network. Or, the pirates can be the malicious kind, looking to steal or corrupt your data. Either way, your network isn’t secure. Arrrgh! All the rum on the high seas won’t help you now. Old Captain Morgan may help you feel better, but he won’t make your network any more secure.


But a good security strategy using the right tools can make your network as safe as it needs to be. Strategies include developing a set of rules for security that include not only rules that network users follow – like password requirements and access limits, but rules that define what your system needs to look for that isn’t secure. These rules could define IP addresses not to accept data from or notify you of unrecognized data types on your network. Rules-based network security covers all your bases, because it is very flexible and can be designed to meet your specific company needs. And you probably want your network security strategy to play well with multiple vendors, provide object and rule analysis, and be easy to use and interpret.


The Geek's Guide to Network Security would be a great place to start your research and find out more about security options. For rules-based security, you might also want to take a look at the SolarWinds FireWall Security Manager. This easy-to-use tool includes security auditing, multi-vendor management, and firewall change reporting – as well as modeling that shows how rules changes can affect your network.  So get to work, secure that network, and keep those pirates at bay!

None of us are really normal. But when our tools make the things in our professional lives "normal," they make things a whole lot easier. What I'm talking about is a process commonly know as normalization. Normalization is the way in which a software program takes information from a variety of sources and translates it into a format that's much more reader-friendly. For example, a log management program consumes logs from all of your devices, even across vendors, and parses the data into a common set of columns and fields. That way, when you're looking at the logs from your Cisco and Check Point firewalls side-by-side, you'll actually be comparing apples to apples instead of apples to kumquats.


Another example is how SolarWinds Firewall Security Manager normalizes firewall and network configuration files so you can compare them in a meaningful way, even when your devices span several vendors.


But normalization doesn't just make things look pretty. Normalization can also facilitate things like event correlation and cross-vendor migrations. For example, with Log & Event Manager, you can create countless rules and filters to alert you immediately when specific conditions are met, even if those conditions are reported by more than one device. One way LEM uses this is in its port scan rule: It looks for a specific number of TCPTrafficAudit alerts, which can come to LEM from a variety of devices in a variety of formats. As long as the alerts come from the same source and are hitting distinct ports, LEM can escalate them to let you know you could be getting scanned.


To learn more about how SolarWinds uses normalization, check out these products:

Basic Configuration Management Strategy

According to Enterprise Management Associates, approximately 70% of network issues are caused by configuration issues, such as typos, inability to track changes, deploying inconsistent or non-standardized configurations. Unless you implement a strategy to avoid such issues, network issues will occur more frequently, especially when device configs aren't backed up, rollbacks are not an option, and change tracking is not in place.

If you are new to managing networks, one topic that you should explore is how to increase network availability by using configuration management. There are several affordable configuration management tools on the market that can help automate the process.  A basic Configuration Management strategy would consist of three options.

Change notification-

Employing a tool that tells you when something has changed and by whom will eliminate the blame game. When network engineer's use Telnet or SSH to make changes to a remote device, you need to know. Having a notification process in place allows you to rollback the change if necessary. Some tools, such as NCM, will provide before and after config change details that can tell you who and or why the change was made, and in what context. NCM also allows you to schedule these change notifications be setup as real time change detection based on syslog traps.

Bulk changes

Use a tool that contains a bulk change mechanism. This helps eliminate CLI typos, which all humans are susceptible to making. When making bulk changes to many devices, logging is crucial. With NCM, all the commands are recorded so you can determine what went wrong when troubleshooting.

Best practices suggest you schedule the bulk changes during off hours, which is nice because you don't have to be stuck there doing it. NCM allows you to run changes on the fly as well. For example, you can make changes only to specific devices that contain a certain IOS version.

Inventory management

Do you know what devices you have out in the field? Sometimes users at remote sites may buy their own wireless access points and switches and add them.  Inventory management will help you learn if routers get moved from site to site, help with device failure swap outs, and monitor theft/loss prevention.

The NCM inventory reports will list important details which are critical for understanding device failures, such as which card or components are installed, what IOS version, etc... If devices are added frequently then you can schedule nightly network reports, which are customizable. Set it up to report about a group of devices (specific) or exclude certain things like IP Route table on your core routers.


Where these reports really come in handy is with maintenance renewals for your hardware. With Cisco devices, you'll need chassis ID, which can be pulled in any report.  Reports will also help you determine which devices are in commission or out of commission.

When you are tasked with managing routers, switches, firewalls, load balancers, VPN connectors and other network devices that typically have a text or menu based config, consider the three strategies to make the job easier.


We know from experience how hard it is to troubleshoot a computer or server that has crashed. Unlike simply troubleshooting software problems, troubleshooting computers in a crashed state can be a time intensive exercise that requires physical access to the target computer.  Remote hardware management is a growing trend within IT administration teams. Intel® Active Management Technology (AMT), a processor-based hardware and firmware technology, offers an effective and convenient solution for remotely managing and securing out-of-band PCs. This technology builds certain functionality into business PCs in order to monitor, maintain, update, upgrade, and repair them remotely. AMD® also offers a hardware management solution called Magic PacketTM which allows for end node management of networked PCs.


Here are some useful applications of these technologies in remote hardware management when used with remote support tools.


Remote Hardware Troubleshooting & Recovery

Remote support hardware management tools allow IT admins to discover assets even when computers and servers are powered off allowing them to remotely remediate and recover systems during OS failures. Using remote support tools, you can also remotely reboot/restart crashed servers and workstations from within the remote administration console.


Wake-on-LAN (WoL)

Unattended systems on the enterprise LAN can be woken up remotely by using WoL functionality. This allows you to wake up sleeping, hibernating, and powered off machines, power them on, and then perform IT tasks. All three of the most widely used operating systems support WoL.

  • Microsoft Windows – Modern versions of Microsoft Windows integrate WoL functionality into the Device Manager.
  • Mac hardware (OS X) – Modern Mac hardware features integrated WoL functionality, controlled via the OS X System Preferences Energy Saver panel, in the Options tab. Marking the ‘Wake for Network Access’ checkbox enables Wake-on-LAN.
  • Linux – WoL support may be changed using a sub-function of the ethtool command.


DameWare Remote Support (DRS) offers remote connectivity and support for all your IT troubleshooting and administrative tasks. The upcoming version 9 of DRS extends remote connectivity to Windows, Mac OS X and Linux operating systems, and support for Intel vPro/AMT and AMD Magic Packet technology.


Some other remote hardware management features offered by DRS include:


Remote Hardware Driver Installation

Physically walking up to each target server and workstation, and installing driver updates is not always an option for IT Admins especially when they are supporting users at multiple sites. File sharing using remote support tools can help you deliver hardware drivers immediately to target PCs.  The IT Admin can then install them from a console without leaving his/her desk..  In the event that a computer requires a hard reboot or driver rollback, you can access it via hardware management tools.



Remote Network Diagnostics & Hardware Properties

Native Windows system tools give a wealth of information on the connectivity and availability status of computers connected on the network. Remotely accessing system tools of multiple computers from one single centralized remote administration console empowers you to monitor the diagnostics of network connections with tools such as Ping, Trace Route and TCPIP Utilities.

Lightweight Directory Access Protocol (LDAP) is a protocol for accessing directory servers. In other words, LDAP is a directory, not a database. There are no rows or tables in LDAP’s directory and there are no relational links. This means LDAP is a simple yet structured directory design that is easy to navigate.


Every object in LDAP can contain one or more sub-objects, much like the folder and sub-folder relationship used in Windows operating systems. LDAP runs directly over TCP port 389 by default. It is used to store information about users, including the network privileges assigned to each user. Revoking or changing privileges can be done from one entry in the LDAP directory, rather than at many machines across the network. LDAP also supports SSL and TLS for security.


LDAP Key Terms and Components


Following is a list of key terms and components along with their respective definitions.


Distinguished Names

Distinguished Names (DNs) are a fundamental part of LDAP. It is the name that uniquely identifies an entry in the directory. LDAP uses path syntax to identify objects in the store.


Typical Windows path syntax:


DNs work in reverse order, meaning the most specific node is on the left of the path syntax.


Typical example of a DN:



This DN is composed of four Relative Distinguished Name (RDN) parts:


Each RDN is a child of the object whose RDN is to its right. The object deepest in the tree in this DN example is the object, CN=SomeUser.

Each RDN is made up of two parts: the name of the attribute that provides the primary name of the object, and the value of that attribute. In this example, CN, which stands for Common Name, is the name of the attribute that provides the primary name for objects of its class. SomeUser is the value of this attribute. There are also RDN attributes for OU (Organizational Unit) and DC (Domain Component).


Like any file system, the name for an object in an LDAP container must be unique. Thus, CN=Kate uniquely identifies this object within its container, OU=CustomerSupport. As a result, the entire DN uniquely identifies this particular object in the entire directory tree.


Search Operation

The most important operation in LDAP is the ability to search. This is how objects are found in the directory tree and how values are read. The syntax is somewhat different from more familiar query syntaxes such as SQL. However, LDAP is also much simpler than SQL with SQL's joins, sub-queries, ordering, and grouping. An LDAP query is composed of four basic parts: a search root, a search scope, a filter, and a list of attributes to return. There are more parameters and options, but these basic four are enough for most cases.

Search Root

The search root determines the place in the tree from which the search will start. This value is passed as a DN in string format. To search the entire directory, pass the DN of the object that is the root of the tree. To search lower in the hierarchy, specify a lower-level DN.

Search Filter

The search filter determines which objects will be returned in the query. It is analogous to the Where clause in a SQL statement. Each object in the scope of the query will be evaluated against the filter to determine whether or not it matches. Objects that do not meet the filter criteria are eliminated from the search.


The Network Is Down

Posted by LokiR Sep 18, 2012

The Scenario


Imagine yourself as a user.  You get in to work, login, and start preparing for the day. You open your browser to check the headlines, and bam - you get a network error.


Okay, no big deal, right? Maybe the bosses are cracking down on browsing at work and blocked the local news site. It's annoying, but livable.


People start to queue up outside; it looks like it's going to be a busy day.  You have five minutes before the flood gates let loose. You open the lifeblood of your job - some intranet site full of internal applications that are absolutely necessary to performing your job. You get a connection error.


You can feel the sudden tension in the room as each of your coworkers attempts to get to the intranet. You look out at the nascent mob of humanity, growing more restless by the moment.


Someone finally, tremulously, asks, "Can anyone connect to the Intranet?"


Error - Could not connect

This is a (over-the-top) dramatization of what users face when the network goes down, as has recently happened to a certain government department in California. If the users are lucky, IT can quickly identify and fix the problem. If everyone is unlucky, the users have to face the unhappy hordes of customers armed with whatever pre-network monitoring tools they have on hand for as long as it takes IT to fix the problem.


Frankly, I'm not sure if I'd rather face the angry customers or the frenetic bosses angered by the loss of revenue and reputation. It's a tough call.


The Network View


I'm going to now grossly over-simplify the IT side of this scenario.


In the lucky scenario, which is a relative term in these days of 99.9% uptime, you could quickly identify the problem device and get it working. If you were super lucky, you had a network monitoring tool or dedicated LAN monitoring software and were already resolving the problem when the call came in.


In the unlucky scenario, you were blind-sided by the outage and had to scramble to find the issue. You have one person on the line with your ISP trying to see if the problem is on their side. You have a couple of other people crawling through the network to find the offending device. If you are super unlucky, your network is a disorganized mass of multiple technologies and topologies you've inherited from many other network personages that you're still trying to untangle.


Notice that in the overly simplified "lucky" example, the hypothetical network team was using a network monitoring tool.


The Case for Network Monitoring


Recent, news-worthy network outages once again emphasize how important it is to monitor your network. From stock markets to governments to small businesses, network outages are painful, expensive, and have an increasingly large economic impact.


If the network team in the "unlucky" example used a monitoring tool, they'd be able to quickly see

  • which device is down
  • who is affected by the outage
  • what is affect by the outage


Network monitoring tools can do more, of course. But this short list is relevant to the scenario. You can take a look at SolarWinds' NPM if you want to find out more benefits to network monitoring.

Do you have a lot of money sitting around, gathering dust? You do? Can I come over to visit?


Really though, in these days of “tighten your belt” budgets, it’s difficult to justify spending many thousands of dollars for software, many more thousands to implement it, and even more each year in maintenance. So if you’re considering HP SiteScope, you might take a look at SolarWinds Server & Application Monitor, the effective server monitoring tool and see just how far your budget can go. Spending wisely does not always mean sacrificing power and performance, sometimes it just means shopping at the right place.




SAM’s evaluation period is 30 days, while HP’s is only 10 – which can make it hard to get a full picture of how the software fits into your environment. Plus, SAM, server performance monitoring tool is so easy to use, you can implement it and start monitoring your hardware, servers, and apps in no time. See the full comparison of HP SiteScope and SolarWinds Server and Application Monitor here.


What is Compliance?

Posted by DanaeA Sep 17, 2012

Ensuring data security is vital in business, most especially in any business that stores and transmits credit cardholder data. Any company with access to cardholder information (financial institutions, retailers, credit card companies, etc.) must ensure that they are in compliance with the standards set by the Payment Card Industry Data Security Standard (PCI-DSS). If a company is found to be non-compliant, they may face large fines and even have their credit card processing abilities restricted. This is bad news for any company, because no money in equals no money out!


A company must meet six requirements to be compliant:

  1. Maintain a secure network
  2. Protect cardholder data
  3. Maintain a vulnerability management program
  4. Implement strong access control measures
  5. Regularly monitor and test networks
  6. Maintain an information security policy



How Can Log Management Help?


Log data is a record of all the transactions and information that goes through your networks. Companies generate enormous amounts of log data every day. An online merchant can easily generate 500,000 or more logs a day easily. That is a lot of information to keep track of and store.

Use your event log analyzer reports to view or schedule fixed reports for compliance purposes and:

  • Produce compliance reports
  • View reports based on specific regulatory compliance initiatives
  • Provide proof that you are auditing log and event data to auditors
  • Schedule formatted reports for LEM Reports to run and export automatically


A good event log monitoring software also ensures PCI compliance by:

  • Providing network security coverage
  • Delivering prebuilt correlation rules that are specific to PCI compliance
  • Capturing a comprehensive picture of system and user events that make it easy to reconstruct a particular event and provide the automated audit trails mandated by PCI-DSS
  • Ensuring chain of custody by collecting data directly from the operating system in real time and then immediately encrypting it and storing it in a central database
  • Generating PCI compliance reports quickly using out-of-the-box templates
  • Storing data well beyond the requirements specified for PCI compliance


SolarWinds Log & Event Manager collects, stores, and normalizes log data from a variety of sources and displays that data in an easy to use desktop or web console for monitoring, searching, and active response. Data is also available for scheduled and ad hoc reporting from both the LEM Console and standalone LEM Reports console.

Geeks speak about network monitoring a lot here at SolarWinds. And, in speaking geekily, we toss around a bunch of acronyms that have become so commonplace, as acronyms, that it's easy to assume that everyone know just what we're all getting so geeky about.


I want to take a step back and review some of the basics, just so we all know that network monitoring, though it can be pretty amazing, certainly doesn't happen by magic. Let's review a few basic concepts.


What so simple about the Simple Network Monitoring Protocol?

Most network monitoring and network management tools use the Simple Network Monitoring Protocol (SNMP) to get network monitoring done. There are other protocols (i.e. ICMP and WMI in particular) but SNMP is the big man on the network. Andy McBride has already told us a bit about SNMP and, specifically, the security of SNMPv3 in a previous post. I'd like to talk a bit more generally about what SNMP does, uh, simply: namely, network monitoring.

SNMP‑enabled network devices, including routers, switches, and PCs, host SNMP agents that maintain a virtual database of system status and performance information that is tied to specific Object Identifiers (OIDs). Each object refers to a specific piece of quantifiable data. This data can come in the form of counter readings, text-mapped numerical values, or strings, and this is the data that you really want, if network monitoring is your game.

Call in the MIB

These object identifiers, this virtual database of OIDs, has been standardized into what we call a Management Information Base (MIB). In other words, the MIB is the formal description of a set of objects that can be managed using SNMP. Each MIB object stores a value such as sysUpTime, bandwidth utilization, or sysContact that can be polled to provide current performance data for any selected device. For example, when polling your network for performance data, your network monitor sends an SNMP GET request to each network device to poll the specified MIB objects. Received responses can then be recorded and presented. SolarWinds Orion network management software, for example, store this information in a database and then publish it in Orion Web Console resources.

How about a simple example?

Think about your network as a classroom of kids. They've all got specific object identifiers with associated pieces of data. OIDs in a classroom would be things like first and last names, the row and column of the seats to which they've each been assigned, and each of their different assessments (i.e. quizzes, tests, and homework) they've been given. Each of these classroom kid-OIDs has a specific value that can be reported or manipulated, as in the determination of a test average or course grade. Your gradebook for this class is then both the MIB, defining all that is worth knowing about your classroom of kids, and a network monitor, recording and computing all that is worth knowing about your classroom of kids.

So, it is pretty simple: most anything worth knowing about any device on your network can either be represented as a single piece of OID-referenced data or be manipulated with other, similar pieces of OID-referenced data, to produce even more useful data. In a future post I'll discuss what you can do with all this simple data you didn't know you had.

For more information about SNMP, see the technical reference, "New to Networking Volume 4 - Introduction to SNMP".

Manage Engine recently wrote a response to our comparison post on Manage Engine’s Applications Monitor versus SolarWinds Server & Application Monitor (SAM).  They are spot on in their response that SolarWinds provides only conventional server and application monitoring capabilities.  The reason why we do this is because that is where the market is today.  Most businesses are not at the high standard of APM that Gartner holds dear; most are just trying to simply get basic monitoring up and running.  Many of the more advanced APM capabilities, like advanced analytics and transaction tracing, are great capabilities, but they are a bear to deploy, and expensive to boot.


Regarding Manage Engine’s statement that SolarWinds is a financially driven company, well that is true as well.  We believe that the path to success is through customer success and retention.  If our customers are happy, then we see the business benefits as well.  We provide customer satisfaction through our unique combination of usability, scalability, price and having all the important features that matters to our users, and we continue to deliver new value to existing customers through new product releases (for each product) twice a year.  The industry standard is a new release about every 18 months; you will also see the industry standard for software renewals is much lower than the SolarWinds standard.


So yes, we are proud of our server monitoring tool, SolarWinds Server & Application Monitor, the ideal server performance monitoring tool (and we guess the thousands of SAM users are as well).  Check out our on-line demo (go to Applications tab, and click manage applications) to see the 100’s of applications supported.  Or better yet, download SAM, “the real thing”, and make the comparison for yourself.  Download a free 30 day trial of SAM, server monitor here.


http://<iframe width="420" height="315" src="http//www.youtube.com/embed/xffOCZYX6F8" frameborder="0" allowfullscreen></iframe>

I was researching a feature for one of our products and I came across a familiar sight. The image was a picture of an Intel vPro sticker, which was directly related to the feature I was researching. Sure enough, I looked down and saw the same sticker on my PC.


Intel vPro lets you connect to a remote computer even when it's turned off!


So, What is vPro?

Intel vPro is a hardware technology that includes a feature called Active Management Technology (AMT). AMT allows users to turn on remote computers, and then connect to them with KVM control even while they're booting up. That's right -- remote power and KVM management, even from a powered-down state! If you don't know whether the computer you want to control uses vPro, just do what I did: Check the Intel sticker on the front of the box. If it say's "vPro" on it, you're golden.


Setting Up AMT

To get started, you have to set up AMT on the vPro machine. This is a fairly complex process, so I won't go into it here; but I found a great article on howtogeek.com that explains it really well:   How to Remotely Control Your PC (Even When it Crashes) - How-To Geek. After the computer is AMT-enabled, use a VNC viewer to connect.


Remote Connection and Power Options

As the How-to Geek article mentions, Intel provides some free tools for managing and connecting to vPro machines. But any VNC viewer will work. For example, DameWare Remote Support (previously NT Utilities) and DameWare Mini Remote Control both now support vPro technology for remote power and KVM management. With DRS, you can remotely power on, power off, and reboot vPro machines as long as they're plugged into power and the network. With MRC, you can view the vPro machine, even while it's booting up. That means you can manipulate BIOS settings or even re-install the OS -- all remotely.


To test this out for yourself, download the free trial of DameWare Remote Support, which includes both DRS for the power options, and MRC for the KVM options.

The performance of applications across the WAN are faced with many issues, such as latency, congestion, and low bandwidth. Your approach to determine how to troubleshoot the issues will vary based primarily on your budget.


For those on a limited budget, consider the following lost cost monitoring and troubleshooting options. If your network is slow then use the Netflow that comes embedded within the IOS of your router. Netflow can tell you things like the number and destination of packets coming from the interfaces of a router, as well its amount of packet load traffic. The statistics you collect will allow you to create a baseline for your network. It is from this baseline you can begin to learn when and where your bandwidth issues occur. Netflow is easy to setup and generally consists of a few lines of configuration to enable it. You can easily check to see if your Cisco devices support Netflow by going to here a performing a technology search.


Keep in mind that vendors use different types of flow technologies.

  • Netflow- Cisco, Adtran
  • Jflow – Juniper
  • sFlow – HP, Foundry, Extreme.  (sFlow is summarized, where as Netflow is detailed)
  • IPFIX – next generation


If you are monitoring remote site performance then consider setting up Cisco IP SLA. Cisco IP SLA is also embedded in various routers and switches and can be enabled depending on the IOS. In fully meshed or Ethernet style networks, IP SLA will give you an understanding from a remote perspective. IP SLA statistics can be viewed from a command line or leveraged using a free tool.  From the free SolarWinds IP SLA Monitor tool you can assign thresholds for up to five operation types. Define your warning and critical thresholds per operation and the tool will then go out to the router to perform queries. The results are pulled directly from the router of your operations and presented in a dashboard. With data from multiple operations, such as UDP echo, ICMP path echo (ping), TCP connect time, DNS resolution, and HTTP response, you can begin to troubleshoot your remote routers and prioritize bandwidth.


Another avenue to consider would be CBQOS. CBQoS (Class Based Quality of Service) is a Cisco feature set that is part of the IOS 12.4(4)T and above. This will provide data about the QoS policies applied and traffic patterns within your network. CBQoS can make network performance and bandwidth utilization more effective.


Use the network monitoring tools within your existing routers, such as Netflow, to monitor core CPU's , traffic over major links. Or a simple NetFlow analyzer tool can help you analyze the flow packets and monitor network traffic.


In the case of Cisco devices, use IPSLA, CBQOS, Netflow to help you monitor and troubleshoot network issues.


Too many apps for that

Posted by LokiR Sep 14, 2012

"There's an app for that" is one of my favorite slogans. Do you want to look up a famous quote? Count your consumed calories? Look up a reference on regular expressions? There's an app for that. There are probably several hundred apps for that.


Do you need to remotely manage your network? Restart your servers? Manage user access? There are apps for that too.


Now, which platforms or technologies do you use? What devices? Oh, how about which version? There are apps for all of that too.


App Proliferation


Ignoring the irony of getting a palmtop computer some decade after the first consumer push fizzled out, I like to use my not-PDA to do fun stuff.


I've got a couple of screens of fun stuff - the dork around screen, the gaming screen, the news screen, etc. And then I have my work screen.


Except, it's not one screen. It's multiple screens. Email apps, office apps, schedulers, help desk apps, activity monitors, RDP apps, terminal apps, vendor specific apps (Cisco has more than 25 apps), network monitors - IT professionals have an entirely too large pool of applications that they need to have.


Let's not forget the multiple platforms - Android, Blackberry, iOS, Windows. Sometimes, you'll get an app for one platform and not the other.  That's a lot of platforms and a whole lot of apps for anybody.  And all these apps are very useful, especially if you're on call or some big project is coming due.  It's a far cry from carrying a pager everywhere and staying close to your office or home computer.  And, technically, it's better than a lugging around a (no doubt stylish and light-weight) laptop whenever you go out.


But, you know, you're on the go, you're doing something more interesting than work.  Getting a call or text while you're out relaxing is really annoying and can put the damper on anyone's day.  And then you flip to the work screen. And then you flip to the other work screen.  And sometimes you flip back and forth because you can't find that stupid app that you can use to fix the problem without getting up and going back to the office.


A Single Solution


Wouldn't it be nice to have a single app for all that? Or at least an app that could interface with multiple products so you don't have as many apps?  Funnily enough, there are apps for that too.


SolarWinds has a solution, Mobile Admin, that supports a slew of technologies from a single app, and that app is available on the major platforms. You can even manage Domino servers with it. It's client-server based, so the app doesn't have a large footprint. You connect to the server through your mobile device and the server takes care of the heavy lifting.  Check out this whitepaper for more information on how Mobile Admin works.

For those of you who are unfortunate enough to have to continue to monitor Windows 2000 systems, despite the fact the OS is long out of Microsoft support, I thought I'd share an insight that was recently shared with me. LGarvin, our resident Microsoft WSUS MVP, shared with me last week that you can continue to monitor Windows 2000 systems for patch compliance in WSUS, but it takes some extra configuration. Basically, what you do is set up a stand-alone WSUS server running a down-level version to monitor just the Windows 2000 boxes. The reason for the down-level version is because Windows 2000 systems can no longer connect to WSUS server running versions higher than 3.2.7600.226. For more detailed information about how to set something like this up, see the following article on the SolarWinds knowledge base: How to monitor Windows 2000 clients with a down-level WSUS server.


See supported and unsupported operating systems all in one place

One of the concerns in the scenario I just described is that of monitoring several WSUS environments at once. Since the down-level WSUS server would not be part of the production publishing environment, you would typically need to monitor both environments in separate consoles. With a patch management product like SolarWinds Patch Manager, the ideal patch management software, you can monitor multiple WSUS servers, regardless of whether or not they are related to one another. As mentioned in the KB article, Patch Manager no longer supports Windows 2000 clients, but that shouldn't stop you from leveraging it to make your life a bit easier. Will you be able to publish patches for the Windows 2000 systems from Patch Manager? No. But at least you'll be able to see everything in one place.


For additional information about what Patch Manager, patch management solution can do for your WSUS environment, check out the Patch Manager product page. Patch management, simplified!

Have you ever heard that it’s best to never put anything in an email that you wouldn’t want your entire company to read? It’s a good rule to keep in mind when sending an email, an instant message, or a phone message over any network, even a secure network like the one you have at work.


Your data may be secure from hackers and others in the outside world, but who really owns the information in those messages? Does your company own the e-mails you sent your mother over your work e-mail account? Or do you? Or does your mom? The answer may depend on your company's electronic communications policy.


Chances are, your company is not even interested in the e-mail conversation between you and your mom. And who owns those communications is probably not an issue. But knowing your company’s electronic communications policy can help ensure you don’t run into any compliance issues and that your private data stays private.


If you’d like to find out more about ensuring data privacy on your network, check out the SolarWinds webcast, Three Strategies for Data Privacy Compliance: Securing Your Sensitive Data. The webcast features information on how one company uses the SolarWinds Log and Event Manager (LEM) to collect, analyze, and correlate event log data essential for data security and compliance.

In part one I talked about the first goal of a NOC, network management visibility. As I said in that post, if you can't see it, you can't manage it. Once you have achieved network management visibility breadth and depth, we need to look at how we approach management. This leads us to our second goal.


Goal 2 - Network Fault Management

Some might argue that security management trumps fault management, but remember that we are talking about NOC operations. Typically, security management is handled outside the NOC. Fault management wins out over performance management because of the following: It does not matter how fast your network devices are if they are unavailable. In my opinion, and in that of other folks who have designed NOC processes, fault management is a two pronged effort. One effort is purely reactive; find and fix outages. The other effort is proactive fault prevention. Fault prevention saves the time and money required to mitigate a failed system. Let's consider a real-world fault and how prevention would have saved a lot of time and money.


The fault I am using in this example first showed up as a performance issue. We noticed in the NOC WAN monitoring screen that several T1 links saturated in the middle of the night. User calls about poor application performance flooded the call center as soon as the business day began. Keep in mind that this was before the days of NetFlow, so isolating the traffic culprit meant going to the data center with a Y cable and a sniffer. When we were able to analyze the WAN traffic using the Sniffer, we saw that a database replication application was making sync requests every few milliseconds to several remote database servers. What we found when we looked into the server is that one of the hard drives essential to the application had failed, causing the application to spew sync requests endlessly. All of this was from a rogue system, placed on the network without adding it to the NOC systems.

This entire episode cost four hours time from three network engineers and a half day of lost productivity for about 400 network users. An automated alert and service ticket for a failed drive would have completely avoided the issue.


The lesson here is to use as much automation in fault management as you can. While it is true the detection of the drive fault is reactive, the results if the failure was quickly detected, would have been proactively avoiding a much larger network issue.


If you want to make sure you are doing all you can to find and manage network issues, check out this Technical Reference on alerts and this one on groups and dependencies.


Stay tuned for Part Three - Performance Management

In the first post of this series I discussed the use of flow collection and NetFlow analyzer tools to meet challenges of bandwidth management. In the second post I addressed the need to filter flow data at collection time so that your traffic monitoring dashboard efficiently receives and displays the most important information.

In this third post, using a Cisco device as a point of reference, I call your attention to a common mistake in setting up a flow export and collection. The sequence of commands to configure a Cisco device to export flow data looks like this:

ip flow-export source <interface><interface_num>

ip flow-export version 5

ip flow-export destination <collector_IP_address> <port>

ip flow-cache timeout active 1

ip flow-cache timeout inactive 15

snmp-server ifindex persist

While all of these commands are important, the one that seems to trip up IT teams is the first one, with which you give the device an specific interface to use for exporting flow data--identifying the interface both by name and by index number.

So far there would seem to be little ambiguity; and in fact that is true. The ambiguity and source of error comes when the member of the team--who may not be the same one who assigned the flow export interface--readies the collector to receive the exported data.

Since, besides receiving flow data, a collector also monitors the network devices from which it collects data, the collector facilitates monitoring by performing automatic discovery of network devices within a specified IP address range; and the interface on the device that replies to ping is the one that the collector associates with the device, which often is not the interface that has been assigned for exports of flow data. And in such cases you have a setup error: though the network device is correctly setup to send flow data to the collector (ip flow-export destination <collector_ip_address><port>), the collector itself is monitoring the wrong interface on the network device. As a result, the collector does not display the traffic information contained in the flow data received from the device.

Trouble-shooting Flow Collection


An intelligent collector, when it receives flow data from an unknown device, posts an alert somewhere on the console. This is your best indication that a network device is not being properly monitored within the collector.

For example, see how the flow collector SolarWinds Network Traffic Analyzer (NTA) is an effective network traffic monitor that provides information in its console about flow data received from an unmonitored interfaces, and also makes it very easy to start monitoring the interface; resolving exactly the misconfiguration that many IT engineers encounter in managing different parts of a flow setup workflow. In fact, some IT engineers use the Unknown Traffic Events resource in NTA as a method for adding flow sources to NTA. After you configure NTA as an export target for the network device, and enter the device's SNMP community string in NTA node settings, then the device's interface IP address shows up either in NetFlow Sources or on the Unknown Traffic Events resource--where it can be added as a flow source with a simple click.

The Network Configuration Manager v7.1 is now available for download in your customer portal.


The major features and enhancements include:

  • Additional poller support
  • NCM settings moved from Win32 NCM application to Web
  • i18n backend changes
  • Performance enhancements to website and inventory engine
  • Better database purging and default maintenance jobs
  • Native device support for Alaxala, Apresia
  • Real Time Change detection (RTCD) configuration guidance
  • String manipulation enhances Config Change Template scripting
  • Inventory reports for Juniper devices


Details can be found in NCM 7.1 Release Candidate Available.

In case you were wondering, here it is, by the numbers. All data was provided by respondents to a SolarWinds survey.


How Mobile Apps are Changing the Way IT Pros Work_Infographic.jpg


Interested in adding more mobile administration power to your life? Mobile Admin by SolarWinds puts 40+ IT technologies into your mobile device. Learn more and download a free trial at www.roveit.com.

Today, SolarWinds introduces DameWare Remote Support, formerly NT Utilities, version 9.  This latest release adds some exciting new features that enhance DameWare’s already powerful remote support tools.



What is Remote Support?



Remote support can be broken down into two categories: remote administration and remote control.



Remote Administration


Remote administration can be defined as any task that a system administrator performs on a remote machine without actually taking it over and controlling it remotely.  Some examples of this are starting and stopping services, viewing event logs, and monitoring system performance.


Consider the following scenario.   A system administrator receives a phone call from a user who is complaining about slow system performance.  Normally, the sys admin would need to go to the user’s desk and troubleshoot the problem directly on the computer or worse, guide the user through some troubleshooting steps over the phone.  With remote administration tools, the sys admin can simply troubleshoot the problem without leaving his/her desk.  In this case, the sys admin might want to look at the processes running on the user’s computer to see if one is taking up a large amount of memory or CPU time.  If the sys admin were helping the user by phone, he/she would have to guide the user through the steps of discovering what the process is and then perhaps stopping it.  With remote administration tools, the sys admin simply finds the runaway process, determines what it is, and stops it if necessary.




Now remote administration includes advanced Wake-on-LAN (WoL) features as well.  DameWare Remote Support version 9 incorporates Intel’s Advanced Management Technology (AMT) into its suite of remote administration tools.  With these new features, system administrators can turn on computers that are either sleeping or powered off.  They can also reboot computers that are crashed or non-responsive.  So, if a system administrator receives a call from a user who is complaining about a non-responsive computer, the computer can simply be restarted right from a software console at the sys admin’s desk.


DRS_Wake On Lan.png



Remote Control


Remote control is a feature that allows a system administrator to take control of a remote computer and use it as if he/she was sitting at its keyboard.  DameWare Remote Support now allows you to remotely control Mac OS X and Linux computers in addition to Windows computers opening up the realms of remote support for Mac and remote support for Linux to DameWare users.


This is an especially handy feature when troubleshooting software problems on a user’s computer that is located across a building or at another site altogether.  Imagine a situation in which a user is having a problem with software installed on a computer running Mac OS X in a remote location.  With remote control software, a system administrator can logon to the user’s computer and control it from a console on his/her own computer.




DameWare Remote Support combines remote administration tools with remote control tools to help system administrators support mixed-OS environments without ever leaving their desks.  To see a list of the new features included in DameWare Remote Support version 9, check out the following link:  http://thwack.solarwinds.com/community/solarwinds-community/product-blog/blog/2012/09/11/dameware-90--almost-here

Welcome to SolarWinds NetFlow v9 Datagram Knowledge Series.  This is a 7 part series of blogs to provide the IT professional a basic understanding of how flow technology works, specifically Cisco’s NetFlow v9, what metrics are being captured, and how they are interpreted to help you perform comprehensive network traffic monitoring.

Today's topic is an overview of SolarWinds NetFlow Traffic Analyzer.

SolarWinds NetFlow Analyzer (NTA) monitors network traffic by capturing flow data from network devices, including Cisco® NetFlow v5 or v9, Juniper® J-Flow, IPFIX, sFlow®, and Huawei NetStream™, and identifies which users, applications, and protocols are consuming the most bandwidth and highlights the IP addresses of the top talkers.


SolarWinds NTA is an effective network traffic monitoring software that helps you capture Cisco NetFlow (v5 or v9) data from continuous streams of network traffic passing through NetFlow-enabled network devices and convert the raw metrics of the Export Packet into easy-to-interpret charts and tables that quantify exactly how, by whom, and for what purpose the corporate network is being used.


NTA NetFlow Collector.png


Intelligent and Intuitive Dashboards


You can view key metrics in ‘summary’ or in ‘detail’ in the following categories:

  • Applications
  • Conversations
  • Countries
  • Endpoints
  • IP Address Groups
  • Protocols
  • Receivers
  • Types of Service
  • Transmitters
  • Border Gateway Protocol (BGP)


You can also access the data most critical to your network instantly by setting up Cisco NetFlow (v5 or v9) network traffic views.

Alerting and Reporting in SolarWinds NTA


  • Set pre-defined thresholds and customize how you want to receive alerts, when and by what condition or threshold
  • You can automate scheduling reports and leverage the reports available out of the box for instant use. SolarWinds NTA includes out-of-the-box reports for:
    • Top 100 Applications
    • Top 100 Conversations
    • Top 100 Conversations including applications
    • Top 20 Traffic Destinations By Domain
    • Top 20 Traffic Sources By Domain
    • Top 5 Protocols
    • Top 5 Traffic Destinations By IP Address Group
    • Top 5 Traffic Sources By IP Address Group
    • Top 50 Endpoints
    • Top 50 Endpoints by Unique Partners
    • Top 50 Receivers
    • Top 50 Receivers by Unique Partners
    • Top 50 Transmitters
    • Top 50 Transmitters by Unique Partners


  NTA Dashboard Screenshot:

Screen Shot 2012-09-05 at 11.01.22 AM.png

Part 1 - NetFlow Overview

Part 2 - NetFlow v9 Packet Header

Part 3 - NetFlow v9 Template FlowSet

Part 4 - NetFlow v9 Data FlowSet

Part 5 - NetFlow v9 Options Template

Part 6 - Supported Cisco Models

For a detailed overview and specification on NetFlow you can visit this Cisco NetFlow Version 9 Flow-Record Format page.


Learn more about how SolarWinds NetFlow Traffic Analyzer, network traffic monitor, can help you by being your netflow analyzer providing you with network traffic analysis and bandwidth monitoring or see for yourself with SolarWinds live on-line demo, or download a free fully functional 30-day trial.



Someone in your organization is downloading high bandwidth material. You are aware of unusual spikes in bandwidth consumption, and have experience reading traffic monitoring statistics provided by your flow collection and analysis system. So you will eventually become bothered enough to dig deeply and correlate data from varous logs to determine if there’s a clear pattern and if so how to address—essentially, by managing bandwidth to satisfy legitimate consumptions or by shutting-down prohibited consumptions.


In this case, though, you don't have the luxury of reaching your threshold of being bothered. Instead you discover the problem through cease and desist warnings issued by copy-right holders based on the Digital Millennium Copyright Act (DMCA). In short, the internal downloader is pulling down copy-righted material through torrent sites.


Not only is the downloader flouting company policy explicitly disallowing bandwidth-intensive downloads unrelated to business purposes and practices, but he is also exposing your company to industry policing heat that might require billable hours for the company's legal counsel to manage.


Our bandwidth pirate is smart enough to know a current blindspot in the IT team's monitoring system: that flow collection and analysis tools by themselves, even though they provide clear indications of the endpoints involved in the bandwidth-intensive network conversations, cannot tell you unambiguously what user is behind those sessions.


Consider why collecting and analyzing flow data are needed to monitor any network with critical bandwidth constraints, despite the blindspot we are currently examining in this context; and keep in mind this important consideration related to setting up flow monitoring. Finessing flow data magagement becomes important as traffic grows faster than network resources.


Matching Users, Connections, and Endpoint Traffic


Let's assume—as is often enough the case—that for business reasons you cannot simply use the firewall to block all torrent-related traffic on your network.


To actually find your pirate, you need to know what users are behind specific network activity. And so you need a tool that correlates user login data and MAC/IP address bindings with traffic activity.


SolarWinds User Device Tracker (UDT) is a tool that offers exactly these correlations on a network that uses a Active Directory domain controller to manage user access. Explore UDT's resources in this live demo; and see the administrator's guide for detailed information on how to get things done with UDT.

Welcome to SolarWinds NetFlow v9 Datagram Knowledge Series.  This is a 7 part series of blogs to provide the IT professional a basic understanding of how flow technology works, specifically Cisco’s NetFlow v9, what metrics are being captured, and how they are interpreted to help you perform comprehensive network traffic monitoring.

As of the publication of this article, this table represents a list of Cisco devices, the IOS version, and the version of NetFlow supported.  It is not intended to be a comprehensive or final list and should be used for reference only.  Please refer to your specific Cisco model for the latest updates.


IOS Family

IOS Version

Supported NetFlow Versions

Supported Cisco Models

Cisco Release Notes

12.0 Family


V5, V9

7000 Series, 7200 Series, 7500 Series, 10000 Series, 10720 Internet Router, 12000 Series



V5, V9

7200 Series, 7500 Series, 10000 Series, 10720, 12000 Series



V1, V5

1400, 1600, 1720, 2500, 2600, 3600, 4500, 4700, AS5300, AS5800, 7200, uBR7200, 7500, RSP7000, RSM, MGX 8800 RPM, BPX 8600



V1, V5



12.2 Family


V5, V9

800 Series, uBR920 Series, 1400 Series, 1600/1600R Series, 1700 Series, 2500 Series, 2600 Series, 3600 Series, Catalyst 4K, 4500 Series, Catlayst 5K, AS5320, AS5400, AS5800, 7000 Family, uBR7200 Series




Catalyst 5K



V5, V9

7200 Series, 7301, 7304, 7400 Series, 7500 Series



V5, V9

7200 Series, 7301, 7304, 10000 Series



V5, V9

7200 Series, 7301, 7304, 7600, 10000 Series



V5, V9

Catalyst 6000



V5, V9

800 Series, uBR920 Series, 1400 Series, 1600/1600R Series, 1700 Series, 2500 Series, 2600 Series, 3600 Series, 3700 Series, Catlayst 4000, Catalyst 4224, 4500 Series, AS5300, AS5320, AS5350, AS5400, AS5800, AS5850, 6400 Family, 7000 Family, uBR7200 Series, ICS 7750


12.3 Family


V5, V9

800 Series, uBR920 Series, 1400 Series, 1600/1600R Series, 1700 Series, 2500 Series, 2600 Series, 3600 Series, 3700 Series, Catalyst 4224, Catalyst 4500, AS5300, AS5350, AS5400, AS5800, AS5850, 6400 Family, 7000 Family, ICS 7750



V5, V9

800 Series, 1700 Series, 1900 Series, IAD2430, 2600XM Series, 2800 Series,3200 Series, 3600 Series, 3700 Series, 3800 Series, Catalyst 4500, AS5350/5350XM, AS5400/5400XM, AS5850, Catalyst 6000, Catalyst 6500, 7000 Family


12.4 Family


V5, V9

800 Series, 1700 Series, 1800 Series. 1900 Series, IAD2430, 2600XM Series, 2691, 2800 Series,3200 Series, 3600 Series, 3700 Series, 3800 Series, Catalyst 4500, AS5350/5350XM, AS5400/5400XM, AS5850, Catalyst 6000, Catalyst 6500, 7000 Family



V5, V9

800 Series, 1700 Series, 1800 Series, IAD2430, 2600XM Series, 2691, 2800 Series,3200 Series, 3600 Series, 3700 Series, 3800 Series, AS5350/5350XM, AS5400/5400XM, AS5850/5850-ERSC, Catalyst 6000, 7000 Family


XE Family

Release 2

V5, V9

ASR 1002, ASR 1002-F, ASR 1004, ASR 1006


Release 3S

V5, V9

ASR 903, ASR 1001, ASR 1002, ASR 1002-F, ASR 1004, ASR 1006, ASR 1013


Release 3SG

V5, V9

Catlyst 4500E


15 Family


V5, V9

800 Series, 1800 Series, 1900 Series, 2800 Series, 2900 Series, 3200 Series, 3800 Series, 3900 Series, 7000 Family, AS5350, AS5400



V5, V9

7600 Series



V5, V9

6500 Series running Supervisor Engine 2T



V5, V9

7200 Series, 7301, 7600 Series



V5, V9

800 Series, 1800 Series, 1900 Series, 2800 Series, 2900 Series, 3800 Series, 3900 Series, 7000 Family, AS5350, AS5400




Part 1 - NetFlow Overview

Part 2 - NetFlow v9 Packet Header

Part 3 - NetFlow v9 Template FlowSet

Part 4 - NetFlow v9 Data FlowSet

Part 5 - NetFlow v9 Options Template

Part 7 - SolarWinds NetFlow Traffic Analyzer


For a detailed overview and specification you can visit this Cisco NetFlow Version 9 Flow-Record Format page.


Learn more about how SolarWinds NetFlow Traffic Analyzer, network traffic monitor, can help you by being your netflow analyzer providing you with network traffic analysis and bandwidth monitoring or see for yourself with SolarWinds live on-line demo.




Think you’re too busy to regularly maintain your database? You might want to think about that again. As different users access the database, files can become fragmented, misplaced, and degraded. Security may become an issue. As a result, the database can become painfully slow or even corrupted.


Running maintenance on your database does the following:


  • Summarizes data – Gathers all the collected network data for a defined period of time, calculate statistics from the data, and then discard the data and keep the statistics.
  • Cleans up data – Removes corrupted files, duplicate items, and data related to deleted records.
  • Discovers fragmented indexes – Identifies fragmented indexes so you can rebuild and/or defragment them.
  • Checks for security issues – Pinpoints issues that could compromise database security so you can fix them and avoid further problems.

All of these actions help your database run more efficiently. Summarizing and cleaning up data make your database smaller. Highly fragmented indexes really degrade database performance, so when you know you’ve got a fragmented index, you can defragment it. And knowing that you’ve got security issues means that you can tighten up your security settings.

To find out more about Orion database maintenance, check out the SolarWinds Product Blog and the SolarWinds Technical Reference: Best Practices for Managing the Orion Platform Database. For answers to specific issues, see the SolarWinds Knowledge Base, for articles like NetFlow Database Maintenance or Critical Index Fragmentation Detected During Database Maintenance.

Hardware Health and You.

Posted by Bronx Sep 10, 2012

Hardware Health and You.

Ok, you've installed Server and Application Monitor (SAM), got it up and running, and are now monitoring the health of your hardware. A quick glance at the web console and you notice all is well with your hardware. Hold on, what's that? You discover a fan on a server in Austin is in a critical state. How does SAM , your effective server monitoring tool know this when you haven't even set a single threshold?

Behold, the Home of the Threshold.

The thresholds SAM uses to monitor your hardware do not come from within SAM directly. Rather, these hardware thresholds are pre-programmed by the hardware monitoring agent software that generally comes with your hardware. In order for SAM to monitor hardware at all, this software must already be installed. This software is what SAM,  application monitor uses to report back to you.

You Want to Change These Thresholds? Slow Down.

That's fine as far as SAM's concerned. However, the hardware monitoring agent software may have something to say about it. The hardware monitoring agent software is written by the manufacturer, therefore, if they say it's okay to change the thresholds, change away. If not, then sorry, tough toodles.

What Am I Looking for?

You're looking for something that looks like this:

In this case, the hardware monitoring agent software is Dell's OpenManage Server Administrator. Poking around here may allow you to set and change certain thresholds for Dell servers. Once changed and saved, SAM, your ideal server performance monitoring tool will adjust its readings accordingly.

For more information, see this very helpful section of the Administrator's Guide.

Welcome to SolarWinds NetFlow v9 Datagram Knowledge Series.  This is a 7 part series of blogs to provide the IT professional a basic understanding of how flow technology works, specifically Cisco’s NetFlow v9, what metrics are being captured, and how they are interpreted to help you perform comprehensive network traffic monitoring.

Today's topic is the NetFlow v9 Options Template.

The Options Template is a special type of template record used to communicate the format of data related to the NetFlow process.


NetFlow v9 Options Template.png


The Options Data Record is a special type of data record (based on an options template) with a reserved template ID that, rather than supplying information about IP flows, is used to supply "meta-data" about the NetFlow process itself.


NetFlow v9 Options Data Record.png



FlowSet ID = 1

The FlowSet ID is used to distinguish template records from data records. A template record always has a FlowSet ID of 1. A data record always has a nonzero FlowSet ID which is greater than 255.


This field gives the total length of this FlowSet. Because an individual template FlowSet may contain multiple template IDs, the length value should be used to determine the position of the next FlowSet record, which could be either a template or a data FlowSet.

Length is expressed in TLV format, meaning that the value includes the bytes used for the FlowSet ID and the length bytes themselves, as well as the combined lengths of all template records included in this FlowSet.

Template ID

As a router generates different template FlowSets to match the type of NetFlow data it will be exporting, each template is given a unique ID. This uniqueness is local to the router that generated the template ID. The Template ID is greater than 255. Template IDs inferior to 255 are reserved.

Option Scope Length

This field gives the length in bytes of any scope fields contained in this options template (the use of scope is described below).

Options Length

This field gives the length (in bytes) of any Options field definitions contained in this options template.

Scope Field 1 Type

This field gives the relevant portion of the NetFlow process to which the options record refers. Currently defined values follow:

  • 0x0001 System
  • 0x0002 Interface
  • 0x0003 Line Card
  • 0x0004 NetFlow Cache
  • 0x0005 Template

For example, sampled NetFlow can be implemented on a per-interface basis, so if the options record was reporting on how sampling is configured, the scope for the report would be 0x0002 (interface).

Scope Field 1 Length

This field gives the length (in bytes) of the Scope field, as it would appear in an options record.

Option Field 1 Type

This numeric value represents the type of the field that appears in the options record. Possible values are detailed in Table 6 above.

Option Field 1 Length

This number is the length (in bytes) of the field, as it would appear in an options record.


Padding should be inserted to align the end of the FlowSet on a 32 bit boundary. Pay attention that the Length field will include those padding bits.



NetFlow v9 Sample Options Template Data.png




Portions of this document are excerpted from Cisco, “Cisco NetFlow Version 9 Flow-Record Format".  Available at NetFlow Version 9 Flow-Record Format  [IP Application Services] - Cisco Systems


Part 1 - NetFlow Overview

Part 2 - NetFlow v9 Packet Header

Part 3 - NetFlow v9 Template FlowSet

Part 4 - NetFlow v9 Data FlowSet

Part 6 - Supported Cisco Models

Part 7 - SolarWinds NetFlow Traffic Analyzer


Learn more about how SolarWinds NetFlow Traffic Analyzer, network traffic monitor, can help you by being your netflow analyzer providing you with network traffic analysis and bandwidth monitoring or see for yourself with SolarWinds live on-line demo.




Welcome to SolarWinds NetFlow v9 Datagram Knowledge Series.  This is a 7 part series of blogs to provide the IT professional a basic understanding of how flow technology works, specifically Cisco’s NetFlow v9, what metrics are being captured, and how they are interpreted to help you perform comprehensive network traffic monitoring.

Today's topic is the NetFlow v9 Data FlowSet.

The Data FlowSet is a collection of one or more data records that have been grouped together in an export packet. Data records provide information about an IP flow that exists on the device that produced an export packet. Each group of data records (that is, each data FlowSet) references a previously transmitted template ID, which can be used to parse the data contained within the records.

NetFlow v9 Data FlowSet Format

Data FlowSet.png


FlowSet ID = Template ID

A FlowSet ID precedes each group of records within a NetFlow Version 9 data FlowSet. The FlowSet ID maps to a (previously received) template ID. The collector and display applications should use the FlowSet ID to map the appropriate type and length to any field values that follow.


This field gives the length of the data FlowSet.

Length is expressed in TLV format, meaning that the value includes the bytes used for the FlowSet ID and the length bytes themselves, as well as the combined lengths of any included data records.

Record N - Field N

The remainder of the Version 9 data FlowSet is a collection of field values. The type and length of the fields have been previously defined in the template record referenced by the FlowSet ID/template ID.


Padding should be inserted to align the end of the FlowSet on a 32 bit boundary. Pay attention that the Length field will include those padding bits.




When interpreting the NetFlow Version 9 data FlowSet format, note that the fields cannot be parsed without a corresponding template ID. If a data FlowSet that does not have an appropriate template ID is received, the record should be discarded.

Sample Data FlowSet:

NetFlow v9 Sample Data FlowSet.png


Portions of this document are excerpted from Cisco, “Cisco NetFlow Version 9 Flow-Record Format".  Available at NetFlow Version 9 Flow-Record Format  [IP Application Services] - Cisco Systems


Part 1 - NetFlow Overview

Part 2 - NetFlow v9 Packet Header

Part 3 - NetFlow v9 Template FlowSet

Part 5 - NetFlow v9 Options Template

Part 6 - Supported Cisco Models

Part 7 - SolarWinds NetFlow Traffic Analyzer


Learn more about how SolarWinds NetFlow Traffic Analyzer, network traffic monitor, can help you by being your netflow analyzer providing you with network traffic analysis and bandwidth monitoring or see for yourself with SolarWinds live on-line demo.



Welcome to SolarWinds NetFlow v9 Datagram Knowledge Series.  This is a 7 part series of blogs to provide the IT professional a basic understanding of how flow technology works, specifically Cisco’s NetFlow v9, what metrics are being captured, and how they are interpreted to help you perform comprehensive network traffic monitoring.

Today topic is NetFlow v9 Template FlowSet

Following the packet header, the FlowSet is an export packet containing information that must be parsed and interpreted by the collector device. A FlowSet is a generic term for a collection of records that follow the packet header in an export packet.


There are two different types of FlowSets: template and data. An export packet contains one or more FlowSets, and both template and data FlowSets can be mixed within the same export packet.


  • Template FlowSet is a collection of one or more template records that have been grouped together in an export packet. Templates greatly enhance the flexibility of the NetFlow record format, because they allow a NetFlow collector or display application to process NetFlow data without necessarily knowing the format of the data in advance. Templates are used to describe the type and length of individual fields within a NetFlow data record that match a template ID.
  • Template Record is used to define the format of subsequent data records that may be received in current or future export packets. It is important to note that a template record within an export packet does not necessarily indicate the format of data records within that same packet. A collector application must cache any template records received, and then parse any data records it encounters by locating the appropriate template record within the cache.
  • Template ID is a unique number that distinguishes this template record from all other template records produced by the same export device. A collector application that is receiving export packets from several devices should be aware that uniqueness is not guaranteed across export devices. Thus, the collector should also cache the address of the export device that produced the template ID in order to enforce uniqueness.

NetFlow v9 Template FlowSet Format

Template Flowset.png


FlowSet ID

The FlowSet ID is used to distinguish template records from data records. A template record always has a FlowSet ID in the range of 0-255. Currently, the template record that describes flow fields has a FlowSet ID of zero and the template record that describes option fields (described below) has a FlowSet ID of 1. A data record always has a nonzero FlowSet ID greater than 255.


Length refers to the total length of this FlowSet. Because an individual template FlowSet may contain multiple template IDs (as illustrated above), the length value should be used to determine the position of the next FlowSet record, which could be either a template or a data FlowSet.

Length is expressed in Type/Length/Value (TLV) format, meaning that the value includes the bytes used for the FlowSet ID and the length bytes themselves, as well as the combined lengths of all template records included in this FlowSet.

Template ID

As a router generates different template FlowSets to match the type of NetFlow data it will be exporting, each template is given a unique ID. This uniqueness is local to the router that generated the template ID.

Templates that define data record formats begin numbering at 256 since 0-255 are reserved for FlowSet IDs.

Field Count

This field gives the number of fields in this template record. Because a template FlowSet may contain multiple template records, this field allows the parser to determine the end of the current template record and the start of the next.

Field Type

This numeric value represents the type of the field. The possible values of the field type are vendor specific. Cisco supplied values are consistent across all platforms that support NetFlow Version 9.

At the time of the initial release of the NetFlow Version 9 code (and after any subsequent changes that could add new field-type definitions), Cisco provides a file that defines the known field types and their lengths.

The currently defined field types are detailed in Table 6.

Field Length

This number gives the length of the above-defined field, in bytes.




  • Template IDs are not consistent across a router reboot. Template IDs should change only if the configuration of NetFlow on the export device changes.
  • Templates periodically expire if they are not refreshed. Templates can be refreshed in two ways.
  • A template can be resent every N number of export packets.
  • A template can also be sent on a timer, so that it is refreshed every N number of minutes. Both options are user configurable.

Sample Template FlowSet Data

Sample Template FlowSet Data.png


Portions of this document are excerpted from Cisco, “Cisco NetFlow Version 9 Flow-Record Format".  Available at NetFlow Version 9 Flow-Record Format  [IP Application Services] - Cisco Systems


Part 1 - NetFlow Overview

Part 2 - NetFlow v9 Packet Header

Part 4 - NetFlow v9 Data FlowSet

Part 5 - NetFlow v9 Options Template

Part 6 - Supported Cisco Models

Part 7 - SolarWinds NetFlow Traffic Analyzer



Learn more about how SolarWinds NetFlow Traffic Analyzer, network traffic monitor, can help you by being your netflow analyzer providing you with network traffic analysis and bandwidth monitoring or see for yourself with SolarWinds live on-line demo.



With an ever increasing number of users telecommuting and connecting remotely to enterprise systems from different locations, IT admins are faced with a continual challenge of providing 24x7 support to these remote users. On a daily basis, IT staff deal with complaints from employees regarding remote connectivity issues and are required to ensure remote users have seamless and secure remote connectivity.




Here are some of the key challenges that IT personnel face when supporting remote users:



Increased troubleshooting time: Supporting remote users by telephone or e-mail is challenging for support personnel. Since they are unable to see what’s going on and rely on the user to describe every action he or she takes, troubleshooting time increases. With e-mail, the back-and-forth communication becomes difficult and tedious as remote-users have to wait for the troubleshooting instructions of the support staff.  This lag in communication could affect the productivity of the employees as well as help desk personnel.

Security risks: Off-site workers trying to connect to office networks from unsecure devices pose a huge threat as they can expose the network to malicious programs and potential hackers. Also, storing sensitive information on unsecure systems could lead to data breaches.

Increasing Costs: When connectivity problems arise at different off-site locations, deploying a full time on-site technician to every remote site is expensive and time-consuming. If problems require sending systems back to a central IT department for repair or updating, the day-to-day activities of remote users are affected resulting in lost productivity.



Remote assistance programs like remote desktop control address the above challenges and enable IT admins to provide constant support to remote end-users. Some of the benefits of providing remote support using remote control include:



  • IT personnel can quickly take complete control of the remote users’ systems, immediately identify the issues, and resolve them easily. The ability to instantly chat with remote users during troubleshooting helps eliminate communication problems between the IT department and the off-site workers and cuts down support call times
  • Authenticating users with Multifactor Authentication, such as smart card authentication, provides an additional level of protection against unauthorized access and makes it difficult for hackers to break in. Encrypting the data transmitted between the local and remote systems minimizes the risk of data breaches
  • The ability to connect to and monitor remote user systems at different locations right from a central location eliminates the need to deploy an on-site technician at each remote site, reducing support related costs



DameWare Mini Remote Control's (MRC) rich feature set offers solutions to each of these challenges.  Features like screen sharing, file transfer, smart card authentication, chat, and many more are all available from one easy-to-use console.  With DameWare's MRC, IT Admins can provide fast and effective remote support to end-users.  Learn how DameWare's powerful and affordable remote assistance software simplifies remote support.

Many network and systems monitoring tools these days offer both client-based and agentless options to monitor managed clients, such as servers and workstations. The question in these cases is, "Which do I pick?" There are pros and cons to both options, and which one you pick has everything to do with how you weigh these factors.


Agentless Monitoring


Agentless monitoring can refer to several different types of solutions. For example, it can refer to a solution that monitors hardware, like your network devices, that do not allow third-party software. Conversely, it can refer to a solution that monitors remote clients from a centralized hub without any extra third-party software on the client itself. In the first example, an agentless solution, such as SolarWinds NPM, is really the only way to go since you typically wouldn't install software on a switch. In the second example, agentless options are often the easiest and most convenient, but there can also be some drawbacks:

  • You're limited on what you can and cannot see
  • You have little or no remote management capabilities
  • It may be difficult to differentiate between critical and non-critical systems


In many cases, these limitations are likely to outweigh the convenience of monitoring remote clients solely from a centralized hub.


Client-based Monitoring


While going agentless might be tempting, going with the client-based option for your managed clients comes with several perks:

  • Client-based solutions typically collect more detailed information than agentless monitoring
  • Client-based solutions provide remote management options, such as active response and configuration management
  • Some client-based solutions report in real time, limiting bandwidth requirements
  • Some client-based solutions can queue data locally, which is helpful in the case of a network outage


On the other hand, agents also require occasional maintenance, such as:

  • You have to configure firewalls and client settings to allow communication between your clients and the central tool
  • You have to install software directly on your clients
  • You may have to upgrade the client-side software periodically
  • There may be additional steps if you decommission a remote system


So, what's the verdict?


Again, whether you go with the agentless or agent-based option for your managed clients is totally up to you. The good news is that choice is becoming evermore flexible.


Two examples of SolarWinds products that allow both types of configurations are Log and Event Manager (LEM), and Patch Manager. In both cases, you have the option to use just the central monitoring functions built into the products, or deploy additional software to clients for more coverage.


For our SIEM tool LEM, deploying the LEM agent provides a high level of detail and control in your monitoring. You can see all the logs from the clients, and even monitor third-party products such as anti-virus software. You also have the ability to take action on the clients both manually and automatically. For example, if a user plugs a USB device into a locked-down system, the LEM agent can automatically detach it and send you and email.


When it comes to patch management, the client-side solution for Patch Manager is similar in that it provides more detailed reporting and some configuration management capabilities, but it's not implemented as an agent. Rather, Patch Manager, the ideal patch management software deploys WMI Providers to managed clients, which only run when needed -- no service, no application. Basically, the WMI Providers allow Patch Manager to interface with client systems using native Windows Management Instrumentation (WMI). With the WMI Providers in place, you can perform a long list of configuration management tasks, such as deploying software updates to managed clients on demand, or rebooting the client. With the right patch management solution, patch management is never a complex affair.


For additional information about what client-based monitoring does for these products, see:

The Basics of MAPI.

Posted by Bronx Sep 7, 2012

Need to know the basics of MAPI? Read on.


Messaging Application Programming Interface (MAPI) is a Microsoft Windows API that enables you to send email from within a Windows application. Programs that use MAPI include word processors, spreadsheets, and graphics applications. For example, programmers who are using Microsoft's Active Server Page (ASP) technology access MAPI by using Microsoft's Collaboration Data Objects (CDO). The CDO library comes with Microsoft's Internet Information Server (IIS). MAPI functions can be accessed by programmers using a host of different programming languages.


A MAPI "session" is a specific connection between the client and the MAPI program. MAPI defines the following three services:


  • Address book: A database that contains addressing information.
  • Transport: Supports communication between different devices.
  • Message store: Stores messages that consists folders and subfolders.


Simple MAPI is a subset of 12 functions which enable developers to add basic messaging functionality. Extended MAPI allows complete control over the email system. SolarWinds SAM , server monitoring tool has a built-in MAPI User experience monitor that can send an email from your SMTP mail server to your Microsoft Exchange Server Mailbox, thus, measuring the time it takes to complete the trip. You can use this component monitor to measure the performance of Outlook making you a exchange monitoring expert.


Now you know more about MAPI than you did 30 seconds ago! Happy exchange peformance monitoring. :-)

Welcome to SolarWinds NetFlow v9 Datagram Knowledge Series.  This is a 7 part series of blogs to provide the IT professional a basic understanding of how flow technology works, specifically Cisco’s NetFlow v9, what metrics are being captured, and how they are interpreted to help you perform comprehensive network traffic monitoring.


Today's topic is the NetFlow v9 Packet Header.

The NetFlow Packet Header provides basic information about the packet such as the NetFlow version, number of records contained within the packet, and sequence numbering, so that lost packets can be detected. All NetFlow packets begin with version-dependent header that contains at least these fields:


  • Version number (v5, v8, v9, v10)
  • Sequence number to detect loss and duplication
  • Timestamps at the moment of export, as system uptime or absolute time.
  • Number of records (v5 or v8) or list of templates and records (v9)


The NetFlow Version 9 record format consists of a packet header followed by at least one or more template or data FlowSets. The combination of packet header, and one or more template and data FlowSets is called an Export Packet. Built by a device (for example, a router) with NetFlow services enabled, this type of packet is addressed to another device (for example, a NetFlow collector). This other device processes the packet (parses, aggregates, and stores information on IP flows) .


NetFlow v9 Export Packet.png


NetFlow v9 Packet Header Format


NetFlow v9 Packet Header.png




The version of NetFlow records exported in this packet; for Version 9, this value is 0x0009


Number of FlowSet records (both template and data) contained within this packet

System Uptime

Time in milliseconds since this device was first booted

UNIX Seconds

Seconds since 0000 Coordinated Universal Time (UTC) 1970

Sequence Number

Incremental sequence counter of all export packets sent by this export device; this value is cumulative, and it can be used to identify whether any export packets have been missed

Note: This is a change from the NetFlow Version 5 and Version 8 headers, where this number represented "total flows."

Source ID

The Source ID field is a 32-bit value that is used to guarantee uniqueness for all flows exported from a particular device. (The Source ID field is the equivalent of the engine type and engine ID fields found in the NetFlow Version 5 and Version 8 headers). The format of this field is vendor specific. In the Cisco implementation, the first two bytes are reserved for future expansion, and will always be zero. Byte 3 provides uniqueness with respect to the routing engine on the exporting device. Byte 4 provides uniqueness with respect to the particular line card or Versatile Interface Processor on the exporting device. Collector devices should use the combination of the source IP address plus the Source ID field to associate an incoming NetFlow export packet with a unique instance of NetFlow on a particular device.


Sample Packet Header Data


NetFlow v9 Sample Packet Header Data.png



Part 1:  NetFlow Overview

Part 3 - NetFlow v9 Template FlowSet

Part 4 - NetFlow v9 Data FlowSet

Part 5 - NetFlow v9 Options Template

Part 6 - Supported Cisco Models

Part 7 - SolarWinds NetFlow Traffic Analyzer


Portions of this document are excerpted from Cisco, “NetFlow Version 9 Flow Record Format”. Available at http://www.cisco.com/en/US/technologies/tk648/tk362/technologies_white_paper09186a00800a3db9.html



Learn more about how SolarWinds NetFlow Traffic Analyzer, network traffic monitor, can help you by being your netflow analyzer providing you with network traffic analysis and bandwidth monitoring or see for yourself with SolarWinds live on-line demo, or, view this video:  How to Configure NetFlow on Cisco Routers.




(Malware) Prevention is better than cure


The National Institute of Standards and Technology (NIST) just drafted its Guide to Malware Incident Prevention and Handling for Desktops and Laptops. It's a supplement to another guide, so we can't shake our heads (much) at the speediness. Most of the information is old hat for the folks in the field, but I’d like to discuss what the NIST recommends to lessen your network’s vulnerability.


The NIST recommends five broad areas of prevention:

  • Policy
  • Awareness
  • Vulnerability Mitigation
  • Threat Mitigation
  • Defensive Architecture


While having good policies and procedures in place to prevent malware infections is wonderful, as is teaching your fellow employees how not to click on that executable Kodak Moment(tm) from someone they don't know, let's skip to vulnerability mitigation.


Vulnerability Mitigation

Basically the NIST recommends a combination of patch management and configuration management and host hardening. Well, technically they recommend "security automation technologies with OS and application configuration checklists" and "sound host hardening principles".


For host hardening, they recommend following the least privilege principle, which is to only grant the necessary privileges to users, processors, and hosts. You should also harden applications that are frequently targeted by malware, like email clients and browsers, and disable or restrict macros and browser plug-ins.


These recommendations are either standard operating procedure or on your wish list for most places. If they are on a wish list, perhaps you could get some movement on it by pointing to the NIST recommendations?


Threat Mitigation

The NIST recommendations around threat mitigation are fairly standard and not particularly exciting.  Highlights include:

  • Deploy antivirus software with all the bells and whistles, like boot-disk scanning and browser, email, and chat monitoring
  • Deploy host- and network-based antivirus scanners
  • Use multiple products on key hosts
  • Deploy network- and host-based firewalls
  • Filter delivered content for suspicious file extensions
  • Whitelist applications
  • Deploy network-based intrusion prevention systems (IPS)


Actually, the NIST has a fairly long, in-depth section on IPS products (pages 11-12 in the guide). It's worth reading if you have either the time or inclination.


Defensive Architecture

Their recommendations for defensive architecture do not strike me as easy to deploy for more organizations. The NIST recommends sandboxing, browser separation, and segregation through virtualization.


Sandboxing - running applications in a restricted environment (think emaciated guest accounts) - can be useful in a large organization, but usually breaks down quickly in IT or developer environments. In several companies I've worked for, we only end up sandboxed if we've downloaded a couple of viruses for our IT department's enjoyment.


The browser segregation recommendation is for a specific browser to navigate corporate sites and a different browser to navigate the wilds of the web. It seems excessive for most small to medium organizations.


Segregation through virtualization sounds interesting but impractical. From the examples NIST cites, it looks as if they're recommending people use different virtualized OS instances for different activities.  I'm not entirely sure how practical that currently is-it might be more practical in the future.


With the exception of some parts of defensive architecture, these recommendations are already industry best practices. Keep in mind that some of their recommendations may change.  I think that they should have included mobile platforms in the recommendations, but they might have a separate set of recommendations elsewhere on their site.  Just so you know, SolarWinds has a couple of products that are useful for vulnerability and threat mitigation, the ideal patch management software, Patch Manager, to take care of all your patch management worries and Log and Event Manager.

In a previous post I discussed the imperative for bandwidth monitoring and management on networks with business-critical purposes and contention for resources due to popular, bandwidth-intensive streaming services—YouTube being the reigning giant.


In this post I want to address a common need to efficiently manage the flow data that is being made available to your traffic monitoring system.


Let's assume that you already have flow-enabled network devices sending data to a flow collector. And, you use the flow data, and the traffic trends they reveal, to monitor network traffic, and to establish QoS priorities for how packets make there way to endpoints on your network.


You may already be faced with a common workflow problem. The collector that is receiving flow data from your routing devices also processes that data for display in some dashboard or console; and the collector is doing its double duty against the same database--into which flow data is loaded and then served up for purposes of statistical calculation.


During peak network use, a firehose of flow data comes into the collector in 1-5 minute bursts. Soon data packets are sitting in a queue as the collector's software processes share CPU cycles to handle their different work. Good collectors are designed to trade-off access to system resources in a way that shorts neither loading nor retrieval of data enough to impact the overall performance of the system, so that the timeliness and accuracy of the information a user sees in the monitoring console are not compromised.


Filtering Flow Data


Only so much collected flow data can be queued for loading into the database before the traffic statistics in the console begin to degrade in accuracy. If the queue holds 15 minutes worth of flow data, for example, then certain views of the data (especially slices of the past hour) become erroneous.


There are solutions to this problem. First, you can architect a flow collection and monitoring system that fully satisfies the CPU and input-output operations per second (IOPS) required to handle peak workload. An Oracle-based system, for example, would cost 60K per CPU to provision.


For most IT shops such cost for a traffic monitoring system is unjustifiable to management. This majority of users need a collector and monitoring system that makes the intelligent trade-offs necessary to allow the console to display reliably accurate information on traffic of the highest importance. If at peak network use you can see timely information on top conversations, then you would settle for not seeing some other things.


SolarWinds Network Traffic Analyzer is an effective NetFlow analyzer, for example, uses a data aggregation strategy to ensure that current information on top conversations, endpoints, and applications is always available in the monitoring console.

Some files within your storage environment can obviously be discarded, but how do you know which files to keep?

How do you know what kinds of files are being stored, their ages, and who owns them, so that you can clean out your storage space?


You could use a feature within Storage Manger , the storage performance monitoring software, called File Analysis. File analysis lets you determine the age, type, and ownership of the files stored across all your servers, virtual machines (VM), and network-attached storage (NAS). You can setup rules for file analysis on physical servers and have it run on a scheduled basis. The output provides reports which can then be shared with others. Storage monitoring simplified!


When File Analysis runs, it will look at the meta data of the file and not the contents.  It can place a load on the system while it runs, generally 15-20% of CPU, so generally it’s best to run file analysis at night outside of any backup window.

After file analysis runs, you can review from the summary file analysis all the files on that server. By default, you will get summary by file type, file age and owner. You can then drill-down from the array, server, or VM to a single file to find more information. File Analysis will also locate orphan files, files created in the last 24hours, and identify your largest files.

Here in the example below you can see all the MP3 audio files.


So with this information you can summarize your files and find specific ones you might want to take an action on.  Some common use cases:

  • Find all MP3 or any other unwanted files
  • Find all files over 1MB and not accessed in 1 year
  • Find all PST files
  • Find all Justin Bieber music files. This can be done using RegEx expressions to locate any files of interest.


In summary the File Analysis feature in Storage Manager provides analysis of file type, size, age, and owner. After you have this data, you have the ability to reclaim storage by removing old or unwanted files, storage performance monitoring has never been this easy. You can also enforce company file policies by identifying MP3 files or mpg, etc…

Welcome to SolarWinds NetFlow v9 Datagram Knowledge Series.  This is a 7 part series of blogs to provide the IT professional a basic understanding of how flow technology works, specifically Cisco’s NetFlow v9, what metrics are being captured, and how they are interpreted.


Let’s take a quick tour on the basics of NetFlow technology in this first part of the Knowledge Series.

What is NetFlow?


NetFlow is a network protocol developed by Cisco Systems for collecting IP traffic information and monitoring network traffic.  While the term NetFlow has become a de-facto industry standard many other manufacturers support alternative flow technologies including; Juniper (Jflow); 3Com/HP, Dell and Netgear (s-flow); Huawei (NetStream); Alcatel-Lucent (Cflow); and Ericsson (Rflow).


Routers and switches that support NetFlow collect IP traffic statistics on all interfaces where NetFlow is enabled, and later export those statistics as NetFlow records, toward at least one NetFlow collector – typically a server that does the actual traffic analysis. The NetFlow collector then processes the data to perform the traffic analysis and presentation in a user-friendly format.  NetFlow collectors can take the form of hardware based collectors or probes, or software based collectors. SolarWinds NetFlow Traffic Analyzer(NTA) is an example of a software based NetFlow collector that collects traffic data, correlates it into a useable format, and then presents it to the user in a web based interface for monitoring network traffic.



History of NetFlow


NetFlow v1 was originally introduced in 1990 and has since evolved to NetFlow version 9.  Today, the most common versions are v5 and v9.






First implementation, now obsolete, and restricted to IPv4 (without IP mask and AS Numbers).


Cisco internal version, never released.


Cisco internal version, never released.


Cisco internal version, never released.


Most common version, available (as of 2009) on many routers from different brands, but restricted to IPv4 flows.


No longer supported by Cisco. Encapsulation information.


Like version 5 with a source router field. Used on Cisco Catalyst switches.


Several aggregation form, but only for information that is already present in version 5 records


Template Based, available (as of 2009) on some recent routers. Mostly used to report flows like IPv6, MPLS, or even plain IPv4 with BGP nexthop.


aka IPFIX, IETF Standardized NetFlow 9 with several extensions like Enterprise-defined fields types, and variable length fields.























Benefits of Using NetFlow Technology for Monitoring Network Traffic


Monitoring and analyzing NetFlow will help obtain valuable information about network users and applications, peak usage times, and traffic routing.  In contrast with traditional SNMP-dependent systems, NetFlow-based network traffic monitoring has the ability to characterize traffic from applications and users, understand the traffic patterns, provide a holistic view for monitoring network bandwidth utilization and WAN traffic, support CBQoS validation and performance monitoring, be used for network traffic forensics, and aid in compliance reporting.

Understanding the Datagram


The NetFlow Export datagram consists of a header and a sequence of flow records. The header contains information such as sequence number, record count, and sysuptime.  The flow record contains flow information such as IP addresses, ports, and routing information.


Below is a simple datagram for NetFlow v9 that we will use throughout this knowledge series to provide a detailed breakdown of the details of the NetFlow Export Packet format.


NetFlow v9 Datagram.png


Part 2:  NetFlow v9 Packet Header

Part 3 - NetFlow v9 Template FlowSet

Part 4 - NetFlow v9 Data FlowSet

Part 5 - NetFlow v9 Options Template

Part 6 - Supported Cisco Models

Part 7 - SolarWinds NetFlow Traffic Analyzer


Portions of this document are excerpted from Cisco, “Cisco NetFlow Version 9 Flow-Record Format".  Available at NetFlow Version 9 Flow-Record Format  [IP Application Services] - Cisco Systems


Learn more about how SolarWinds NetFlow Traffic Analyzer can help you by being your netflow analyzer providing you with network traffic analysis and bandwidth monitoring, see for yourself with SolarWinds live on-line demo. or view this video:  How to Configure NetFlow on Cisco Routers.




If you think of the way that traditional IT software is bought, sold, and implemented, the end user has precious little to do with the decision-making process or the implemented result. When SolarWinds came along, we turned a lot of this process on its head:



Traditional IT Management SoftwareSolarWinds IT Management Software
Purchase processPowerful, expensive software purchased by C-level personnel/upper managementPowerful, affordable software purchased by the practitioner/end user
EvaluationProof of concept, including heavy vendor involvement (and perhaps having the vendor onsite)Free trial, downloaded and implemented by the customer
ImplementationRequires a project and professional servicesRequires one person with an hour or so to spend

Requires classes

Often does not even require the manual

To achieve this model, SolarWinds software has to be different by nature. Our software must be easy to download, install, configure, and use, or the end user will not have a positive evaluation experience and will not want to use the software. And, in direct opposition to the  world of traditional software, where the end-user’s opinion has very little to do with the actual purchase, with SolarWinds, what the end user thinks makes all the difference in the world.


A Different Worldview

Because we look at the world differently, SolarWinds also looks at our investment in UX differently. Far from a “nice to have,” a good user experience is vital to the whole way we develop, distribute, and market our software. As a result, we invest heavily in UX, and have a great department staffed with top people whose whole focus is on making SolarWinds products easier to evaluate and use. From the start of every dev cycle, and in longer ongoing projects, the UX team works to bring the SolarWinds products to a higher level with every new release.


How is this done? One important way is to focus on creating UIs that follow a SolarWinds “standard.” Two examples of well-known SolarWinds UI standards are Getting Started flows in Orion products, and dashboards that provide immediate what’s good/what’s bad feedback with the ability to drill down for more details. 


getting started 1.png

Geteting Started 2.png


Two “Getting Started” screens from the Orion product family.



SolarWinds software provides out-of-the-box dashboards to fit common use cases.


Standards allow the user to quickly establish “product knowledge” and recognize how things will function elsewhere in the current product, or in another SolarWinds product. This can help reduce the time it takes the user to learn something new—reducing time to value and support costs--and no one has to crack open the manual.


Another principle is to give UX attention to the product components every user will encounter: these include areas like the “getting started” and initial configuration screens. We’re also focused on streamlining the setup process by doing things like ensuring products have good initial defaults, creating instantly useful dashboards for the 80% case, and ensuring advanced features are accessible to power users but more hidden from novices.


A Virtuous Circle

We found a really easy way to determine the best user experience for SolarWinds customers: we ask them directly. Usability research is a cornerstone of our product development process, and we take it very seriously. We depend on our customers and prospects to tell us what works best, what’s not working, and why. Without this input – we would be losing a vital source of data regarding our customers’ requirements.


Regardless of what type of project the UX team is working on, their goal is to engage end users to make sure we are headed down the right path.  This usually happens in 60-90 minute sessions using remote meeting software. In these meetings the UX team will share designs and ask the users to walk through key flows, giving their thoughts on each step along the way.  We also do a lot of informal “show us how you use it” sessions,  where we just follow along in a remote meeting as you walk and talk us through how you do things on your software, in your own environment.  This second technique is especially useful for products SolarWinds acquires, where we really want to learn how the newest members of the SolarWinds family are using a given product. 


Participants in user research benefit, too.  They get to see sneak peeks of new products or new features before anyone else, and they walk away with the knowledge that the comments and feedback they’ve given will impact SolarWinds software.  They also get goodies like our famous “usabili-buddy” t-shirts, SolarWinds baseball caps, and other swag.


ux circle.PNG


Interested in Participating? Please Do!

So, how can you be part of this process?—Easy!  Just email kellie.mecham@solarwinds.com  with the following information and you’ll get put into our UX database to be contacted for upcoming research (the database is not shared with anyone outside of the UX department).


o   your name

o   a short description of your role and responsibilities

o   the product(s) you use, if any OR if you are a non-user of SolarWinds products

o   any special interests or considerations you think we need to know about you.


Tune in next week where we’ll look at some real life changes that were made to SolarWinds software as a result of user feedback.


Have you ever participated in a user experience study? Did you find it useful? What did you like or not like about it? We’d love to hear your thoughts either in the comments or email us directly.


Read next post in this series.

A quick Google search tells us that YouTube uses as much or more bandwidth worldwide than all other sites combined. And while YouTube uses optical carrier for long-haul and metro-link delivery of content, the endpoints requesting the content from within most company networks depend on shared T1 lines that handle all traffic on those networks.


So there is a big mismatch in what YouTube can send to us and what we can afford to receive without impacting other business-critical applications that use network bandwidth. In other words, all it takes are a specific number of endpoints on a network to concurrently request YouTube streams and overall throughput on the network can noticeably decrease.


If YouTube were just a service for recreational entertainment—as are online versions of multiplayer games—IT teams could simply black-list the YouTube domain. But many businesses—SolarWinds included—rely on YouTube both to provide information to their customers in the form of video tutorials and to get similar information on third-party products that could enhance efficiency or productivity in achieving strategic business goals. So IT teams must figure out how to manage the use of YouTube on their networks in a way that reserves bandwidth for all other important business purposes.


Getting Essential Information on Bandwidth Usage


Figuring out how to manage available bandwidth on a LAN requires first getting information on how bandwidth is being consumed. For this, first, you need to constantly monitor bandwidth consumption. Since no IT team has time to piece together an overview of traffic trends from wire-sniffed snapshots, using flow-enabled network devices from which to collect traffic statistics has become an indispensable feature of network monitoring. Cisco’s NetFlow, Juniper’s J-Flow, and the multi-vendor IPFIX and sFlow standards all provide statistics on the data—and its characteristics—handled by a routing or switching device.


Collecting flow data requires a monitoring application to which network devices can regularly export data. A flow collector tells you the top talkers on the network during a specified period, the highest bandwidth consuming conversations, and various kinds of information from an endpoint-centric perspective—correlating endpoints with the conversations, protocols, IP Address Groups, and applications involved in their bandwidth usage.


Beyond tables, charts, and graphs showing current data, a good flow collector or NetFlow analyzer offers a set of historical reports and support for creating customized reports of your own.


Defining Bandwidth Usage Policies


Having detailed flow information creates an opportunity to define routing policies that better guarantee bandwidth for strategic business purposes. Cisco’s CBQOS technology, for example, defines specific classes of traffic and assigns them routing priorities to enforce a match between bandwidth use and business purpose especially at times of contention for limited resources.


Your flow collection application should also have the intelligence to monitor network traffic, and show you how CBQOS policies are being enforced and the results, ultimately, in terms of dropped packets. It is a strange ideal but an ideal nonetheless that when there is contention on your network for limited bandwidth—requiring that some packets be dropped—the least critical packets are the ones dropped.


SolarWinds Network Traffic Analyzer is a flow collector with support for different flow formats, many reports on traffic within different periods, and detailed information on the results of the CBQOS policies being applied to classes of traffic. You can also run an online demo for this product.


Capacity Planning and You

Posted by LokiR Sep 5, 2012

Say you get handed a lab full of virtual machines and hosts.  You are now responsible for everything to do with that lab. People will vilify you when they have problems and ignore you when they don't.


What's your first move?  Are you going to ignore it?  Hope no one notices who is now responsible? Dogmatically reassure yourself that it's fine - everything is just fine?


Probably not, or at least not for long.


One of the first things I'd do would be figure out how well the lab is currently performing; what, if any, changes need to happen so the lab can continue to perform with its current capacity and load; and project when that capacity will run out.


What is Capacity Planning?


Capacity planning in virtual infrastructure terms basically means to determine the amount of computing power is available, the amount of computing power that is used, and how that load is distributed.  If you have the historical records, you then plot how consumption of computing power has increased or decreased over time to predict when you will need to expand your resources.


I personally think that a hidden side of capacity planning involves talking to users. The software/machine-driven side of capacity planning doesn't necessarily take into account the human experience. For example, your threshold for an overloaded host might be set higher than the threshold of the people using the VMs on that host. If you talk to them, you can readjust your thresholds before they can complain or you can both readjust your thresholds.


So how do you figure out the amount of computing power that is available?


Manual Capacity Planning


If you don't have a tool, this is a painful, thankless process.


First you need to calculate the current capacity of your virtual infrastructure.  This doesn't sound terribly hard, right? You need to record your CPU speeds, number of CPUs, total memory, etc. per host or cluster. Then you have to do the same per VM.


Then you calculate your used capacity by first determining the peak hours per host. And then you have to record the utilization data per VM, host, and cluster during peak usage. And then you should probably discount the observer effect, or consider that some minor overhead.


By the time you peak usage time is over, you might have recorded half the data you need, if you have a small-ish lab.  Plus, you need to do this frequently so you can accrue metrics towards your future needs and discount statistical outliers.


After you gather that data, then you can determine how well the computing load is distributed and make changes as necessary.


What this boils down to is a lot of work, educated guesses, and spreadsheets that are rarely updated.


What Do Tools Do for Me?


If you are the VMware capacity planner, you would understand how manual capacity planning is a lot of time and effort.  Thankfully software companies, such as SolarWinds, have made this process easier with capacity planning tools. While the tools don't take all of the effort out of capacity planning, they do most of the heavy lifting. The tools are able to profile your VMs and hosts and associate the VMs to the correct host.  They can record usage history, CPU utilization, memory utilization, configuration details, and other juicy, hard to get at and tally data. Tools can also keep track of historical data related to potential capacity woes, such as latency, I/O, and storage usage.


In addition to the automated, heavy data collection, capacity planning tools indicate your current capacity and use historical data to predict when you will run out of capacity with your current infrastructure. They should also predict when you will run out of capacity based on new information, like extra memory or a new host.


For more information, see this SolarWinds video on capacity planning with our Virtualization Manager for VMware monitoring and become an expert on vmware capacity management.

In a previous post, I wrote about using SNMP traps to get status information from the devices on your network. Traps are great because they don't require any active polling on your part: you configure your devices to send a trap to your network monitoring application when any of a number of fault conditions arises, and you know almost instantaneously when something has gone awry.


Easy network monitoring. Sweet. But traps aren't the only game in town. Let's talk syslog.


What is Syslog?

Without going too deeply into the History of the Internet, syslog started as a Unix-based, status messaging format. Over time, it has been widely adopted by a variety of device types for status communications. Like SNMP traps, syslog messages originate at the device. Syslog is also largely OS-agnostic, so it is relatively easily implemented. If a device is on your network, it is probably syslog-capable.


What does Syslog communicate?

In its most basic, standard form, as presented in RFC 5424, syslog communicates device status in a packet of information, the most useful piece of which is the syslog priority. The priority value is calculated from a combination of any of 8 defined status types, or severities, for any of 24 types of network messages, or facilities. Eight of the 24 facilities are completely open to be defined locally to the syslog-capable device. The rest do have default values that can, however, be used as you see fit for your network and devices. Any syslog-capable network element is able to send a message consisting of a facility and a severity. With 24 facilities, each capable of reporting 8 severities, syslog provides 192 unique messages, some custom and some pre-defined, for network monitoring. Each of these unique facility and severity combinations is encoded as a syslog priority.


So, what exactly are syslog facilites, severities, and priorities? That is an excellent question.


What is a syslog facility?

According to RFC 5424, syslog facilities are defined as follows:


Numerical CodeFacility
0kernel messages
1user-level messages
2mail system
3system daemons
4security/authorization messages
5messages generated internally by syslogd
6line printer subsystem
7network news subsystem
8UUCP subsystem
9clock daemon
10security/authorization messages
11FTP daemon
12NTP subsystem
13log audit
14log alert
15clock daemon (note 2)
16local use 0  (local0)
17local use 1  (local1)
18local use 2  (local2)
19local use 3  (local3)
20local use 4  (local4)
21local use 5  (local5)
22local use 6  (local6)
23local use 7  (local7)


Facilities 16 through 23 may be mapped to local properties of the device sending the syslog message.


What is a syslog severity?

RFC 5424 has formalized potential states for network elements as follows:


Numerical CodeSeverity
0Emergency: system is unusable
1Alert: action must be taken immediately
2Critical: critical conditions
3Error: error conditions
4Warning: warning conditions
5Notice: normal but significant condition
6Informational: informational messages
7Debug: debug-level messages


Notice the slight but important differences among the different severities. These can, of course, be translated in your own way in your own IT environment. In other words, your network may not be large enough to require the differentiation of issues into Alert, Critical, and Error; you might just think of them all as 'broken'. That's OK. Syslog can go with that.


Putting it all together with syslog priority

Syslog priority is a calculated value that is simply defined as follows:

  Priority = (8 x Facility) + Severity

This formula gives you 192 distinct messages, each communicating a status for a specific component or element of a monitored device. For example, if a device sends a syslog message with a priority of 35 you know the device is experiencing an authorization error, as 35 = 8 x Facility(4) + Severity(3). This priority value, with the other basic system info in the syslog packet, gives you an instant reading of device status, delivered when the device needs it delivered.


Getting the message

As soon as you get syslog set up on a monitored device, point the syslog sender on that device to either a syslog-capable log reader or a network management platform to parse the messages your devices are sending. For more information about what SolarWinds Orion applications can do with syslog messages, see "Monitoring Syslog Messages" in the SolarWinds Orion NPM Administrator Guide.

Syslog is a pretty simple massaging format, and it is also fairly flexible. There is a lot you can communicate in a syslog packet. For more information about syslog, as a technology, see RFC 5424.

I have seen a lot of the "flavor of the month" network management ideas go the way of the dodo, but there is one that has withstood the test of time, the Network Operations Center. The NOC is a collection of tools, process and people with a clear set of common goals. Here's the first of three blogs addressing my take on the Network Operations Center (NOC) goals and priorities.


Goal 1 - Network Management Visibility

It's as simple as this, you cannot manage what you cannot see. This may seem too basic to be a main goal for a NOC, but that depends on how you define visibility. If you set up a network management software to ping all the devices on your network, you could say you have 100% visibility. The problem here is that the visibility is in breadth only; there is no depth to this type of network monitoring. The only information I get using ping is that here is an interface responding to an echo request. To add depth you could enable SNMP on the devices and poll them from your network management system. Now you can see a lot about the devices and how they are interacting with the network. There are thousands of SNMP objects to tell you how well a device is performing and how the device is configured.


Although you now have a great microscope for inspecting devices in detail, you lack visibility into how the network is delivering data. You can see where interfaces are saturated using SNMP, but you cannot see what is causing the saturation. That is where NetFlow comes in.


NetFlow examines the IP headers and tells you who and what are using the interface. This is great information, but you can look even deeper into the network. The piece of the visibility puzzle that is still missing is Quality of Service (QoS) visibility. How is the excess traffic impacting the network performance? For this, you would add a synthetic traffic modeling tool, such as Cisco's IP SLA.


IP SLA sends specific types of test traffic from a source device to a target device. The source device stores the results of the test in a MIB for network management system retrieval using SNMP. Now you have network management visibility breadth and depth, and hopefully some really big NOC displays to show it off!


In part two I'll discuss Goal 2 - Network Fault Management in the NOC.

Group Policy is a Microsoft Windows feature that has significant importance in controlling the working environments of user accounts in enterprise computers. Whether it’s enforcing a password policy, preventing unidentified remote users to connect to a network share, restricting access to folders, Group Policy provides the centralized management and configuration to set policies in the Active Directory environment. A Group Policy Object (GPO) is a collection of settings that determine what a system will look like and how it will behave for a defined group of users. GPOs are associated with selected Active Directory containers such as sites, domains, or Organizational Units (OUs).


Microsoft provides native Group Policy editing tools within the Windows operating system.

• Group Policy Edit tool was originally integrated with Microsoft Management Console (MMC) snap-in

• It is now available as a separate snap-in called Group Policy Management Console (GPMC) which is now a user component in Windows Server 2008 and Windows Server 2008 R2.

• GPMC is also provided as a download as part of the Remote Server Administration Tools for Windows Vista and Windows 7.


Facing the need to set policies in hundreds of end-user computers, IT admins are having to individually log into each system to add/modify/delete GPOs. With such a daunting uphill task at hand, the options to have these executed are NOT so benefitting in terms of manual effort and time spent.


Physically logging into every system from the end-users’ desktops is not an option anymore. And native Windows Group Policy editing tools (above) do not make the process practically simpler. Using a remote administration software to work on GPOs from a centralized command interface can be the best option.


DameWare NT Utilities, an easy-to-use remote access software, provides out-of-the-box a Group Policy Object Editor and Group Policy Browser for all your Group Policy management and administration needs within the Active Directory.


Group Policy Browser can help in quickly reviewing what policies are in place on the local system, site, domain, or OU level.

Group Policy Object Editor helps you manage your GPOs and Organizational Units (OUs) from multiple systems within a single centralized console. You can add, delete or edit the GPOs without remote controlling to your domain controller.




Group Policy Browser




Launch Group Policy Editor from within the DameWare NT Utilities Console


This saves a ton of time for a busy IT admin like you who’s inundated in a heap of administrative chores. And Group Policy management is not one to be sidetracked as it has critical application in registry-based policy definitions, security settings, and role-based user access. Remote controlling your way into Group Policy Management could make you the smart IT admin you always wanted to be!

According to the 2012 Aflac WorkForces Report, nearly half of US workers are somewhat likely to look for a job this year.  These are the good employees, too. In this survey, they overwhelmingly self-described themselves as:

  1. Hard workers
  2. High achievers
  3. Highly educated
  4. Ambitious


So as an employer, manager, or individual contributor, what is it that a company can do to retain these workers (or in other words… you!)? What is it that they are looking for? Overwhelmingly, the key seems to be flexibility. Another recent OfficeTeam survey listed some of the top requested employee perks:


1.     Flexible schedules

2.     Leave early on Fridays

3.     Activities such as a company picnic or potluck

4.     More relaxed dress code


#1 and #2 are all about flexibility. #3 is too when you think about what “dress code” actually means (freedom to choose).  I think this goes a long way toward explaining the BYOD buzz. BYOD puts a lot of power back in the hands of the employee. When you bring your own device, you get to choose how and when to work (because these are portable devices), and even what form factor in which to do the work… basically… it’s about flexibility.


So let’s dive into BYOD from a IT professional’s perspective. If you are in technology, especially IT, your life is pretty much confined to sitting in front of a screen.  But, if you can take that screen and shrink it down to a tablet or phone, then you can go about living your life while keeping an eye on work things. A IT pro’s work is never done, but at least going mobile gives you the ability to decouple yourself from your desk and get out into the real world.


Why is going mobile imperative for you job satisfaction?


You can fix problems with the device you always have in your hand.

Having the ability to work from your mobile device allows you integrate your work and life schedules. If you need to check on something while your kid is at the playground, you can do that. If you need to check on something while you’re in a meeting, you can do that too. You become the owner of your schedule when you are freed from your desk. 


Work from wherever, whenever. 

Emergency or not, being able to solve issues without going back to your desk or even starting up your laptop is a real time saver and de-stresser.  You can never be sure when “work” will happen. It is so much easier to triage from your mobile device—the device that’s always with you— than it is to start up your laptop or even worse,  go into the office!


Turn any time into productive time.

Productivity tools are not just tools that allow you to work more; they also allow you to do work on your own terms.  This is about freedom, not about working every waking moment. By turning idle time into productive time, you’re really using your time wisely. For example – the time you are waiting in line at the grocery, or at the car wash, or whatever, you can check on things, do some routine tasks, and make sure all is well.


Don’t wonder – know.

Wonder if that server is up now? Did that help desk ticket get taken care of?  Find out. Don’t spend time worrying about work.  Focus on your life.


Address problems before they escalate.

Handling things immediately makes you look like a superhero. Before users notice or your boss even knows there was a problem, issues are vanquished. This proactive way of working is also a heck of a lot less stressful than the old pager days where you’d get alerted after a user reported a problem and something was already down and costing your company money. You don’t have to live that way.


Going mobile delivers a vital productivity, peace of mind, and general job satisfaction. To find the right mobile app, simply ensure the  tasks you do the most are available on your mobile device—the 70/30 rule is a good one to follow. Can I do 70% of the most urgent tasks from this mobile app? If I have to go to my desk 30% of the time, that’s probably a fair ratio. If you can get higher than that – awesome. If you have to go a bit lower, that’s fine too as long as you feel the app is useful.  As you learn the application or applications, you might find it brings a whole new dimension to your work and how you structure your time. One app you might consider is Mobile Admin  - it integrates with the Orion platform, as well as several other key 3rd party apps.





I’m eager to hear your comments on how going mobile is working for you in your current role.

Filter Blog

By date: By tag:

SolarWinds uses cookies on its websites to make your online experience easier and better. By using our website, you consent to our use of cookies. For more information on cookies, see our cookie policy.