For the majority of us, online shopping has become the norm. A recent Cisco research study found that 78% of all U.S. shoppers use the Internet to research to purchase products and services.

Cisco's study also includes a cool infographic that shows the growing ways in which consumers use the Internet to shop. As this digital trend continues, retailers will require higher availability of Web applications that facilitate and encourage online shopping. This trend also means that there will be a growing need to monitor these Web applications, especially with concerns over hacking and cyber-security on the rise.

Let’s quickly look at a couple of advantages of website monitoring:

  • It identifies and isolates the cause of latency in online purchasing transactions.
  • It helps ensure the security of online transactions.

A good Website performance monitoring solution should be able to test a site's Web applications and security on a regular basis from different locations, to ensure site visitors have an engaging experience. This will reduce potential downtime for the site, which otherwise would annoy site visitors and ultimately lose business and profits.


The ideal Web page performance monitoring solution will allow you to:

  • Continuously monitor your end-users’ experience
  • Monitor any Web application, whether internal (behind the firewall), external (customer-facing), or cloud-based
  • Monitor each Web page in a transaction
  • See the historical availability for each page in the transaction
  • Quickly identify all pages with problems
  • Receive alerts & notifications on incomplete or slow transactions & pages
  • Receive notifications in many different ways, including email & text
  • Drill down to determine why pages are slow by viewing page load times in a waterfall chart




Measure the latency of each Web page in a transaction to accelerate troubleshooting



  Set custom thresholds for transactions and discrete steps


Your Web applications are critical to your business. Downtime could lead to loss in productivity, dissatisfied customers, lost revenue, and other disastrous results. By proactively monitoring Web applications from the end user’s point-of-view, you’ll always be able to maintain secure transactions and website uptime.

I attended Austin BSides on March 20.  What a great event for security practitioners.  I learned more in the one day for the princely sum of $10 than many $3000 RSA trips!!


BSides is dominated by security practitioners sharing their expertise, rather than vendors tirelessly (and tiresomely) plugging products.


bsides.JPGHere is a photo from 10AM.  Note, beer has not yet been served. 

You can just feel the excitement and anticipation.


Some Highlights from BSides Austin:

  • HD Moore, from Rapid7 and of Metasploit fame, delivered the Keynote.  He presented the results of his recent study, which involved probing the internet.  Yes, the whole internet.  The vulnerabilities he found were shocking.  As an aside, he showed some of the correspondence he received as a result of his probes.  Long story short, there were people who wanted him in handcuffs, until he explained the research value of his project.  Even then, it sounded like some people were still in favor of handcuffs..


  • Samuel Shapiro of Digital Defense covered Your Printer is why you got owned, which was a really fun talk backed up by a lot of experience and interesting stories..  Samuel nailed it: printers are just computers on the network.  Just because they talk to paper too doesn't mean they are not a target capable of being compromised, breached and used to get to other assets on the network.


  • At lunch, Max Westbrook, a Private Investigator, talked about his job, what he does on a daily basis and how he attained his PI license, and told us about some cases he had recently worked.


  • Michael Gough and Ian Robertson did a talk on the Malware Management Framework they are building.  They talked about malware (affectionately called "maulware" attacks) and how they have defeated them, without having to call out for reinforcements.  Michael has a fun and educational blog called HackerHurricane.


  • There was a great panel on Emerging Threats. Marcus Carey was a popular panelist, with his military and NSA experience and, but I do have to note he was drinking Diet Pepsi whereas the other panelists were drinking beer.  Actually after about an hour, the panel became a bit more like a drinking game than a stodgy security panel, with anything from "PCI" to "Emerging Threats" becoming words demanding that all panelists drink.  Michael was the moderator and he was pretty militant enforcing that rule.



The Emerging Threats Panel.  Note: Beer has indeed been served.  Marcus is at the far left, nursing a Diet Pepsi as Michael enforces strict mandatory drinking requirements.

Interesting security comments / observations:

  • Unfortunately, Prevention is dead.  Total Fail.
  • When under attack and you've found the culprit, DO NOT show you hand.  Protect your assets, but let the guy think you still don't know   Force him into a small area and keep an eye on him.
  • Security practitioners tend to believe the following are threats: users, IT, management, outsiders, insiders, 4 year old children, other countries, and everyone else.  The group could not agree on any group, or anyone, to trust.

Clare Nelson of ClearMark Consulting summed it up nicely, "When I compare my RSA trip last month, the content pales in comparison with BSides. Michael did another spectacular job directing BSides Austin to make it a truly valuable learning experience. For an RSA presentation to be accepted, all of the good stuff (failure of a product to function, war stories, etc) gets filtered out! This is truly a disservice, because no one in cybersecurity can afford to buy products that don't work."


All in all, it was a remarkable event.  Watch out for local BSides meetings coming up in your area - they are pretty awesome.  In the meantime, you could check out our SIEM, Log & Event Manager, with a free full-function 30 day trial..

There’s a great article over on TechTarget on an interesting change to the CCNA specialist certification program.  Net-net, Cisco is eliminating the CCNA prerequisite requirement from CCNA Voice, CCNA Security and CCNA Wireless.  Certifications for these specializations will now require two tests instead of three.


My first reaction might be typical of anyone who came up the hard way, and I considered that the loss of a fundamental network touchstone a lousy idea.  CCNAs are comrades, and it’s especially meaningful for non-network admins like application specialists wanting to get to know networking for real, or as the first step and encouragement on the road to CCIE.   After reflection however, in a time of growing specialization it actually encourages more opportunity for specialists we’ve come to rely on.


First of all, it doesn’t eliminate the CCNA, but instead replaces it with a specialist version.  Certification will still require demonstrated routing and switching knowledge, but focused on those aspects which apply.  My assumption is they’ll actually see more questions on those particular areas of networking than in the CCNA.  You’re not going to have to explain ARP tables to your WiFi tamer.


I’ve never had a specialist directly say they were being held back by the CCNA, but I have known some outstanding home-grown voice and wireless wizards who should have their CCNA Voice or CCNA Wireless, but don’t because they don’t have time to study for them.  This is especially good if you’re a VoIP, Security or WLAN admin because you’ll be able to be recognized more quickly for your expertise on those systems.  And, haven’t we all needed to be able to find someone to come untangle Call Manager while we worry about the core?

Activities are rolling ahead for this year’s Microsoft Management Summit (MMS), which will be held at the Mandalay Bay in Las Vegas from April 7th through April 12th. For those of you with a bend for country music, you might also be aware that the Association of Country Music awards are taking place on the opening day of the conference in the MGM Grand in Las Vegas. (I’m still trying to figure a way to take advantage of that!)

What is Microsoft Management Summit?

Microsoft Management Summit is an annual conference dedicated to IT management. It offers five days of hands-on-labs, presentations, and community events with Microsoft staff, Microsoft MVPs, and other industry experts. If you’re involved in any aspect of systems management, including configuration, operations, virtualization and help desk, this conference is likely to have something of interest to you. If you’ve not yet registered, it’s not too late (although you will have to arrange your own hotel accommodations).

This year, sessions are being presented in eight different technical tracks:

  • Access & Information Protection
  • Application Management
  • Desktop Client
  • Desktop Virtualization
  • Infrastructure Monitoring & Management
  • Service Delivery & Automation
  • Unified Device Management
  • Windows Server & Azure Infrastructure

As you might expect, that content will be heavily wrapped around Windows Server 2012 and System Center 2012.

MMS Content Online

If you can’t attend, don’t worry, because all of the session content is also published online. MMS 2012 offered over 160 sessions, and you can review any of the session content from MMS 2012 online today with just a social networking logon (WindowsID, LinkedIn, Twitter, or Facebook). The 2013 content will be available online shortly after the conference ends, and there are currently 305 sessions listed in the content catalog.

MMS Presentation

I will be co-presenting a session with Kent Agerlund titled Managing Third-Party Updates with System Center 2012 Configuration Manager SP1. Kent is a Senior Consultant with Coretech A/S in Denmark and a Microsoft MVP. He blogs on the Coretech blog and recently authored a must-read book about implementing Configuration Manager 2012 in small- and medium-sized organizations. In our presentation, we’ll be talking about the various ways Configuration Manager can be used to manage and deploy third-party updates. The presentation is currently scheduled for Sunday, April 7th at 5:00pm PDT. (Which should get me out in time to go party with my ACM friends, eh?)

SolarWinds Booth #712

SolarWinds will also have a booth in the Expo Hall, so come by and say Hi! We’d love to meet you, chat with you, show you some products you don’t yet have, or help you answer any questions about the ones you do have. You’ll find us in Booth 712.

Webcast with Wally Mead

To kick off that week’s worth of festivities, this Thursday (March 28th) at 11:00am CDT, SolarWinds is hosting a webcast with Wally Mead. Wally is a well-known expert in all things related to Configuration Manager. He and I are going to chat (well, he’s going to chat, I’m just going to ask questions and listen) about:

  • Service Pack 1 enhancements in Configuration Manager 2012 (and there are a LOT of cool enhancements!)
  • Using Microsoft Intune with Configuration Manager for mobile device management
  • The educational opportunities at MMS2013, including presentations and the hands-on-labs.

Plus a special bonus: Questions from the viewers! If you register now for the webcast, you’ll have an opportunity to submit a question of your own for Wally. We’re going to pick the best of the best tomorrow (Wednesday), and Wally will answer those questions live in the webcast Thursday. Hope to see you all there!

When managing your Cisco DHCP, ASA devices, and Windows DHCP servers with IPAM,  you may encounter errors that refer to DHCP connection errors. Generally speaking, most of these errors are easy to address.


IPAM uses Windows RPC calls to retrieve the list of scopes, leases, and reservations. Since IPAM runs within a local service, IPAM requires a Windows username and password to authenticate with the remote DHCP Server. IPAM will first impersonate the provided user on the Orion NPM box, and then proceed with using RPC calls. The following are some common errors and suggestions for troubleshooting.


IPAM Reports “Bad username or password

1) This error can occur when the valid user account on the Orion host has no meaning to the DHCP Server. Verify the account used is valid on the DHCP Server.

2) This error can also occur when the provided password is not correct on the DHCP Server. Verify that the provided account and password is both identical and functional on both the Orion host and DHCP Server.


IPAM Reports “The RPC Server is Unavailable

1) This error can occur when the DHCP Server is unable to receive or respond to RPC Requests. Verify there is no firewall preventing the Orion host from performing RPC calls. A simple method is to verify with Administrator accounts that windows file sharing is possible. An alternate way to verify this is a telnet to the IP address provided in the Orion node on port 445. If the connection is not rejected, it is likely something else.

2) If this occurs intermittently, verify that the DHCP server has enough client access licenses.


IPAM Reports “Insufficient permissions”

1) Verify that the provided user account is part of the “DHCP Users” group on the DHCP Server.


If you do not yet own IPAM and you are tasked with managing DHCP servers, check out the following overview pages to learn what IPAM can do for you.




Add new DHCP Server



Add new DHCP Scope



Add new Found DHCP Scope



DHCP Split Scopes



DHCP Reservations

In the world of software development, the developers and user interface designers are the ones who get all the praise when a new or improved product sets sail. The technical writers are almost always left behind on the dock, silently watching their ship sail without them. The sad truth is that you'll never hear a user say, "Wow, this new manual is great and chock full of useful information! Long live the technical writers!" (Although I must admit, it did happen to me only once.)


Who are we?

We are grammatical surgeons, verbal marksmen, and technological gymnasts. We flout the laws of fashion, consider personal grooming optional, and, for our own amusement, we dangle participles. (See what I did there?) We are philosophically spotless in our own minds (and as you may have guessed, a little weird).


Most people in the world would consider themselves lucky if they had only one passion in life. Technical writers have at least two: writing, and technology. If you're an expert in these two disciplines, you my friend, can be a technical writer! (But would you want to be?) We are the people who sit in a dark corner, illuminated only by the glow of our four computer monitors, tirelessly researching and typing away so you, the user, will have no need to call to the other unsung heroes of the software development world, Technical Support. This li'l cartoon helped me verify my occupation as being worthwhile:


What do we do?

  • We create the help files for all of our software
  • We contemplate every word of every sentence
  • We simplify the complex
  • We add the informative language used in interface messages (as opposed to the comical ones I would prefer )
  • We create documents separate from the help files designed to educate the user. Take a look here for my SAM contributions
  • We create knowledge base articles for quick fixes
  • We provide interactive help here on thwack
  • We write these blog articles


Why are we unsung heroes?

Well, I think we're kind of like the news. You never turn on ye old TV and expect to hear good news all the time. Bad or unexpected news is much more dramatic. That said, if we as technical writers miss something, that misstep is pointed out posthaste by the user. So by default, we're "unsung," as it were. Really, look at all the praise we don't get around the world. Sadly, an absence of complaints is our praise. No one notices you when people aren't complaining, and I suspect that's true for most of the working world (although this guy really likes us)!

I guess we've just been sung.

If you rely on a Huawei router or firewall configuration, you can use Kiwi Syslog Server to monitor and archive network activity.  Read on to learn how. 


What is Syslog Again?

Syslog is a standard used to log and route messages like router connection messages and firewall warnings in an IP network. The syslog standard promotes efficient management of enterprise systems by integrating log data of events occurring on computer systems like UNIX and Linux collected from a wide array of sources, including network devices, routers, and firewalls.  Each computer involved will send small text-based messages known as syslog messages to a dedicated syslog server every time an event is generated. The syslog server then saves the received messages in a log file. Because syslog is supported by a wide variety of routers, firewalls, applications and operating systems, syslog servers are often used to collect, monitor and archive logs from many different machines - often the entire network! 

What Makes Kiwi Syslog Special? 

Kiwi Syslog Server provides an easy-to-install, easy-to-maintain solution for collecting, monitoring and archiving syslog messages, SNMP Traps and Windows event log messages.  It installs on a Windows machine and runs as a service for unattended 24/7 operation.  It can listen to almost all types of syslog traffic from basic UDP messages to secure TCP streams.  Upon receiving messages, it can display them to a local GUI or (in the commercial version) to a Web console.  It can also read incoming messages and react to them.  Finally, it can write incoming messages to disk and will then automatically manage (i.e., "age" or "grandfather") the resulting log files. 

More to the point, Kiwi is often installed by sysadmins who need to "just store the logs" for auditors or corporate requirements, and who then want to get notified of certain events or when certain routers make noise.

How Do I Configure My Huawei Router to Send Logs Via Syslog?

Huawei offers two different router series: AR and NE routers. The AR router series is designed to meet the demands of a wide variety of industries, with high flexibility, agility, security and reliability. These are lower network cost routers that are easy to maintain. The NE series routers are high-end solutions meant for telecom data communication networks, and can be deployed as a P/PE router in IP core and metro networks.

After authenticating to a typical Huawei NE router, just two commands are generally needed to start logging to a remote syslog server.  The first turns logging on.  The second tells the router where to send the logs, which "facility" to use, and which language to use.

info-center enable

info-center loghost facility local4 language english

You should plan to change the IP address - set that to the machine running Kiwi Syslog.  You may also want to change your "facility" value, shown as "local4" above.  (It's common for firewalls to use "local4" and routers to use "local7," but you may set these values as you wish.) 

How Do I Configure My Kiwi Syslog Server to Receive Huawei Syslog Messages? 

After you download and install Kiwi Syslog, its default settings will begin looking for syslog messages that are sent to UDP port 514.  As long as you entered the IP or hostname of your Kiwi Syslog server in your Huawei router, you should be able to receive Syslog messages immediately.  (If you cannot see any messages, make sure there are no firewalls, routers or OS-level firewalls blocking Syslog access between your Huawei router and your Kiwi Syslog server.)

The Kiwi Syslog server features advanced collection options and specific security options such as TCP. The server also provides advanced options for monitoring and archiving, including the ability to write each router's logs to their own files and implement automatic clean-up after a period of X days. 

Get even more specific Kiwi Syslog tips in the Kiwi Syslog Space on thwack, SolarWinds' community and forum.

So, did you get your bracket done this year? Yeah, I have to admit, I was surprised Wintermute lost to HAL in the first round, too. Oh, right, you didn't think I was talking about the SolarWinds Sci-Fi Bracket Battle.




Let's talk about that other bracket, the one for the NCAA Men's Division I basketball tournament because, apparently, the tourney is a pretty big deal, especially if you're managing a network for rabid college basketball fans that have to stay at their desks:

Traffic to popular college basketball Web sites like and increased more than 10,000% during last year’s tournament, according to numbers from ScanSafe. The security vendor looked at 240 billion Web requests performed on behalf of its corporate clients in 80 countries.


“The amount of corporate bandwidth used to view these basketball games during work hours is astonishing,” said Spencer Parker, ScanSafe director of product management, in a statement. “Most employees don't know the bandwidth impact of these streaming sessions. Companies are literally losing millions of dollars to college basketball in March.” (emphasis added) [source]


What are you going to do about it? Do you need to do anything? According to a recent survey, only about a third of you will "take some action to prepare for March Madness, including banning March Madness video, throttling video feeds or blocking content altogether...48% of respondents say their company already takes action to block, throttle or ban the streaming of all non-work related content in the workplace." [source]


It's a question that comes up every year, but the answer is pretty much always the same. As Ann Bednarz, at, states:

Companies with solid bandwidth management technologies in place can sit back and relax, while those without such measures are left to wonder how much network performance will suffer once employees start viewing live NCAA games at work (just as they did during the 2008 Olympic Games in Beijing). (emphasis added) [source]

And, as sure as some 15th seed from a school no one has ever heard of breaks everyone's bracket in the first round, I'll bring you around to where you can get the "solid bandwidth management technologies" you need, so you too "can sit back and relax" for the rest of March: start with some SolarWinds Network Performance Monitor and follow-it up with SolarWinds NetFlow Traffic Analyzer. You can get them both together in the SolarWinds Network Bandwidth Analyzer Pack. It's a one-two combo as sweet as Hakeem and Clyde (Phi Slama Jama) or Webber and Rose (The Fab Five). As Dickie V. would say, "It's serendipity, Baby!"

I interviewed Stefan Gustafsson who works at a large software development company.  He recently deployed Server & Application Monitor (SAM) v5.5 and within a minute SAM identified a failing power supply in his blade chassis that had six production blades.


JK:  What SolarWinds products do you use to monitor your environment?

SG:  We have a single instance of Network Performance Monitor (NPM), Server & Application Monitor, NetFlow Traffic Analyzer and Virtualization Manager and are looking at purchasing Web Performance Monitor and other SolarWinds products.  Our global (20 offices) monitoring solution covers 1,100 nodes with 17,000 component monitors spanning applications, servers and network environments in our production environment.


We started off with NPM and quite quickly realized we wanted more functionality for monitoring applications.  We did a trial of Server & Application Monitor 5.0 in July last year and started using it to monitor our Exchange and SQL environments.  Quite quickly we started using some of the advanced functionality for process monitoring and we are also using it to monitor various web components by means of WMI, SNMP or whatever is needed.


With the introduction of hardware monitoring in 5.2, we realized we were up against a bit of a challenge because almost none of our servers were running the vendor management tools and it took some scripting to install these vendor management tools to get hardware monitoring functioning.  Hardware monitoring opened our eyes to what was really going on in our environment.


We also monitor in-house and 3rd party applications by creating our own templates based on processes we discover in the Real Time Process Explorer.  We use all the built in application monitors  but use just as many custom monitors.  Sometimes we download from thwack and customize to our needs.


JK:  What did you do before you purchased Server & Application Monitor?

SG:  We used IBM Director, Dell Management Tools, and things like the hardware monitoring in VCenter, and remote management tools (DRAC/iLO/RAC) for each server and the audio-visuals in the datacenter –beeping of the datacenter and flashing of lights.


For node, site & process/protocol monitoring, we used OpenNMS which is not very user friendly.  We can do things now in NPM and SAM that would have taken 2 weeks in change controls and hacking XML files using NMS.  For instance, I needed to monitor some HP application sets and it took me 10 minutes to create a custom process monitor and set a custom owner property field so one guy gets the alert.  It would have taken me a week to do that in OpenNMS; nothing is straightforward in OpenNMS.


JK:  Before switching to SolarWinds, how long did it take to get all these tools up and running and troubleshoot problems with these disparate tools?

SG:  It easily took twice as long as it does now.  Adding things to monitoring systems, installing different bits and bolts, updating firmware every 5 minutes because something is not compatible, educating people – it took a lot of time with the old tools.


With SolarWinds' application and server monitoring software I’m quite quickly able to spot issues in our environment.  We find things 3 to 4 times a week that we investigate and prevent problems - so it’s very useful.  We are definitely stretching the boundaries of the product and are very keen to explore new features.  For example we deployed v5.5 a week before it made general release.  We’ve done a lot with hardware monitoring and I’ve started doing VM host performance monitoring  by querying VMware ESXi host stats that you can’t get out of SNMP.


Check out SAM's multi-vendor hardware support in this short video.

by Jennifer Kuvlesky

How many people have heard of Claude Chappe? What about semaphore? No? I'm sure everyone's heard of telegraphs and telecommunications though.




Way back in the late 1700s, this Chappe person took the age-old question of "how can I quickly communicate over large distances" and created the first practical telecommunication system. Instead of having riders going around with messages, Chappe's system used a series of towers to transmit messages. These messages weren't simple signals, such as those famously popularized in the US by Paul Revere's ride (a prearranged signal to indicate if the British were going over land or by sea). These towers could transmit complex messages by using a system of moving arms. The position of the arms represented a letter or number.


So, if back in the 1700s, Chappe invented a way to cut out the guy riding a horse, (thus saving time, reducing costs, and increasing security), why do we sometimes still use the modern equivalent of a post rider to get IT going?


Slowly Entering the Information Age


You may have worked there. You may still work there. You know, places where they use dead trees to get things done. Need more toner? Submit form 146A to the secretary on the fourth floor and pray you haven't horribly offended them. Computer slow? Submit form 1924-C to the circular file and don't hold your breath.  Looking for another printer? Check the book to see what's available and where.


Why do we still do this to ourselves? Even when the paper systems go away, they are usually replaced with the same kind of system, just in electronic format. Instead of submitting a form, you send an email. Instead of thumbing through a book, you search through a spreadsheet. Other than saving trees, is this really an improvement?


Digital Automation


Now that we have computers and complex programming, why don't we take a leaf out of Chappe's book and revolutionize that system when we convert it to digital bits? Instead of sending messages or forms to a black hole, send them to an automated system that can direct the requests to the right people or correct queue? Such a system could even let people know when their ticket was being worked or if it was received at all. Instead of using an electronic spreadsheet, you could put your asset information into a database so you could get the data more easily. All this, and more, could lie at your fingertips if we'd follow Chappe's example and just stop beating that dead postal horse.

Should the CatTools built-in activities not suffice your requirements, you can create your own custom activities and script activities.




A reasonable understanding or experience of Visual Basic Scripting is assumed in order to successfully add custom scripts to CatTools.

However, the help file documentation and comments within the example code template files found in the /Templates sub folder of the CatTools root directory, should provide a reasonable level of assistance for a technically competent novice to follow.




To add support for a custom activity in CatTools, four files are required.  Three activity files and one custom device file:


Activity files:


1)  The activity type file (.ini file), which defines the following:


activity name,



activity ID,



activity main script filename (associated with the activity),



activity client script filename (associated with the activity),



the user interface field values and defaults which are displayed in the activity form Options tab when adding or editing an activity.



2)  The activity main script file (.txt file), which contains code to read the activity options from the CatTools database, prepare folders and files to store output data, set variables, marshal the CatTools Client threads and do any post processing of results in order to create reports or send messages to the CatTools main program.


3)  The activity client script file (.txt file), which contains a number of common function calls to the device scripts, i.e. the scripts that send device specific commands in order to get the device to log in, issue the commands required to perform the activity, then log out of the device again.


Device file:


4) The device script file (.custom file), which contains device type specific code for the custom activity, for example, the commands to send to the device and any parsing of the data before sending the results back to the client activity script.



The activity client and main script files also contains function calls and references to variables within the internal CatTools program code.  These are prefixed with 'cl.' in the client script and 'ct.' in the main script.    A list of these cl. and ct. functions and variables have also been made available within this chapter to help assist in the development of your custom activity scripts.


To learn more about Network Configuration Management from your desktop see: Configuration Management and Network Automation | Kiwi CatTools

SolarWinds Log & Event Manager (LEM) is a powerful SIEM tool that allows you to be proactive with your network needs. It provides functionality where you can monitor your antivirus software to track whether or not your antivirus solution is able to fully clean the viruses it detects.


To create a LEM Rule to track when viruses are not cleaned, you need to clone and enable the Virus Attack – Bad State rule to track the state of virus attacks reported by your antivirus software. The Bad Virus State User-Defined Group defines a bad state as any virus that has not been fully cleaned by your antivirus software. That is, any virus that has been left alone, quarantined, or renamed. The default action for this rule is to generate a HostIncident event, which you can use in conjunction with the Incidents report to prove to auditors that you are auditing the critical events on your network.


The following is how you can configure your antivirus software to log to your SolarWinds LEM appliance and set up the appropriate tool on your SolarWinds LEM Manager.

  1. Open the SolarWinds LEM Console and log into the SolarWinds LEM Manager as an administrator.
  2. Select the Build tab, and then click Rules.
  3. Click Default Rules on the Refine Results pane (left).
  4. Enter Virus Attack – Bad State in the search box at the top of the Refine Results pane.
  5. Click the gear button next to the rule (left), and then click Clone.
  6. Select the folder where you want to save the cloned rule, and then click OK.
  7. Select Enable at the top of the Rule Creation window, next to the Description field.
  8. Click Save.
  9. Back on the main Rules screen, click Activate Rules.

Google_Drive_All_Your_Files_Are_Belong_To_Us.gifEnd users' attraction to Google Drive is built on one key concept: "I can access my files from anywhere."  End users who have been paying attention in your security training also like the fact that all connections to Google Drive are secured with HTTPS.


However, Google Drive, er, drives IT administrators nuts because it encourages people to send critical business documents to an untrusted provider.  This isn't just paranoia - it's actually baked into Google's terms of service (TOS).


According to the TOS, Google will not take away any "intellectual property rights" your business claims on its own files.  However, the same TOS permits Google to "use...reproduce, modify, create derivative works, communicate, publish, publicly perform, publicly display and distribute such content."  $100 says that's not the same policy you offer on your SAN storage.


SolarWinds Alternative to Google Drive



1) Install Serv-U MFT in your data center, private cloud, or other system under IT's control.  (Did we mention it can run on Windows or Linux?)

2) Point Serv-U MFT to your Active Directory.  This allows your employees and contractors to authenticate using their existing credentials and saves you the trouble of having to duplicate their accounts on Serv-U.  (You can also create additional Serv-U accounts for customers and partners without accounts on Serv-U.)

3) Point Serv-U MFT to your primary NAS or other shared storage (often, wherever you keep your users' home folders or corporate documents).  This allows people to securely access the same material they would in the office from anywhere in the world.

4) Instruct your users to connect to "https://yourserver/" using the browser, tablet or mobile device of their choice.  After they sign on with their usual credentials, your users will be able to work with the same files they use in the office.


If this makes sense (and Google Docs drives you nuts too), find sanity by downloading a Serv-U trial or trying out the interface online now.

In yesterday's Dark Reading, security researcher Bruce Schneier took a swipe at security training:


"If four-fifths of company employees learn to choose better passwords, or not to click on dodgy links, one-fifth still get it wrong and the bad guys still get in."


It's not every day that I disagree with the author of Blowfish, but this is one of those days.


Not Every Lapse Is Fatal


The result of a security lapse is often a mass send to an address book, the installation of a "crapware" toolbar, or another annoying but non-fatal result.   Several factors help explain why this is.

  • AV Filters Many Generalized Attacks: Installation of generalized malware such as trojan horses and keyloggers will usually be detected by signature or heuristic-based anti-virus packages.  If these attacks aren''t stopped by your email server's AV, they will often be stopped by your desktop AV. 
  • Targeting Your Company Exposes the Attacker: Attacks directed specifically against your company (think disgruntled employees or competitors) often have a "social" component that identifies the perpetrator, exposing them to civil or criminal penalties if detected.
  • "Need to Know" Already Protects the Crown Jewels: Senior company officials with access to the most sensitive materials will often already have better-than-average security awareness, such the ability to pick up on a suspicious inbound phone call that's part of a social engineering hack.


People Want a "Fast Computer"


What do end users complain about constantly?  "My desktop/Internet/laptop/network is S-L-O-W!"  My suggestion?  The next time you remote in and "fix the slowness" by undoing their security mistakes, show them how keeping their computer free of crapware and toolbars (which they get from questionable sites and emails) will keep things running well. 


In a classroom setting, advice like this may go in one ear and out the other.  But a one-on-one while you're fixing a relatively minor problem may keep that user from being "that guy" who clicks on the link that introduces a virus or trojan down the line.


No One Wants to Be "That Guy"


Let's face it: no one wants to be "that guy," and a great way to become "that guy" is to have your email used for a spam campaign, have a NSFW toolbar added to your browser, or lose control of your home page.  If someone in your department/floor/team becomes "that guy", office gossip alone alone encourages self-education (e.g., "how can I avoid what was he doing?") because no one else wants to be "the next guy."  This means that if you've trained ANY percentage of your users, you'll already have local experts on teams working to train their fearful coworkers whenever a local (and usually non-fatal) security lapse occurs.


Conclusion: "Mostly Trained" Beats "Not Trained"


In the binary world of bits and bytes, it's tempting to strive for zero-tolerance policies like "train them all or nothing is safe."   But the whole concept of risk-based security is based on the simple fact that an organization can never be completely secure.  Like AV, regular patching, and network monitoring, user training remains one of the best practices organizations can use to mitigate risk.  More training is better, but failing to reach a handful of users should not be fatal as long as you've implemented additional security controls.


Your Thoughts?


What do you think - is security training worthless if you only reach 4 out of 5 people?  (Tell us in the comments below!)

jeff13_250pix.jpgJeff Schertz is a Lync / Unified communications guru presently based in Chicago, IL. He has been a Microsoft MVP since 2008, and has made voluminous contributions to the Microsoft Technet forums, and the community at large via his blog. Jeff has been in IT for upwards of 15 years and has followed the time-honored progression from helpdesk->Sysadmin->ninja. Currently he is a Microsoft Solutions Architect for Polycom, and spends his days designing and integrating Microsoft UC solutions for large clients.


Jeff was gracious enough to spend a few minutes of his time with us to answer some questions.


How did you get involved blogging?


It really just started with tips or notes from the field. Over time I just got more into it, more in depth, less about a specific issue and more about best practices. I’m now trying to concentrate more now on things that may be unclear in the new Lync 2013 documentation.


Where do you get your topics from?


A lot of stuff comes up from Technet in the forums. There’s a lot of involvement in the forums now, but I still find interesting items that I may spend 30 minutes on in the lab and knock out real quick. Sometimes with these quick hits I scratch the surface on the topic, and find out there won’t be much documentation, and I’ll pull out wireshark and document the behavior for other people to look at as well. Because someone else out there will probably find value from that. The other topics come from stuff that comes directly to us, a lot of which is specific to the audio / video equipment I’m dealing with now. I write a lot of how-to articles / integration articles many of which are video-specific. There aren’t many folks who know the interop side of video, so I find myself writing a lot on these topics because there is not a lot out there.


What IT topics are you watching these days, and what trends do you see?


Well, the big thing really is bandwidth management. Especially in my position where we’re talking to people about ubiquitous usage of video. Video’s moving from something that would be neat, to something that executives would use, to something that everyone is going to use. Along the way, we’ve made significant advances in video resolution. Back in the day people were making CIF encoded video calls over low-quality systems. These days, everything is all about HD. Protocols and codecs, they can certainly compress some of that, but there is still a cost to it.




Follow Jeff on:

Twitter: @jdscher

His blog: Jeff Schertz's Blog: Lync Server MVP


All blog spotlights

What are the things that can go wrong with your Exchange Server?  First, there are basic resources that need to be monitored to include:


CPU Utilization:  Monitor at the host and the virtual machine level and also monitor % ready to ensure your host is not too busy.
Available virtual memory:  Monitoring for this will let you know when you are about to run out of virtual memory – this can cause a lot of problems to include shutting down the Exchange server.
Disk Space: This is a critical metric to keep a watch on as problems can result in mail store corruption that can take hours to repair.
Hardware health: A problem with the hardware can cause an application failure.  Monitor key components like fan speeds, temperature, and power supply/CPU/memory status.


Monitor Exchange Performance Metrics

You also need to monitor Exchange application performance.  Here are a few of the Exchange Performance Metrics you should keep an eye on.  Monitoring Exchange server performance helps you to:


Keep mobile devices in sync. The average number of active sync requests per second allows you to verify if your mobile workforce devices, such as Windows, iPhones & Androids remain in sync with the Exchange server. 
Schedule maintenance when it’s least likely to impact users.  Monitor current connections to quickly determine the number of people using Exchange at a given time so you can schedule maintenance at the most optimal time.
Determine when the mail service is slow.  Average response time measures how long users have been waiting for information they have requested.  The slower the service, the more phone calls you will see in the help desk.
Determine if mail is actually being sent.  Messages delivered/sent per second validates that messages are actually being sent.  You can also simulate an email round trip to test the ability of your SMTP server to receive and distribute email, and the ability of your users to retrieve email through the Exchange Web Service.
Ensure security.  Monitoring mail flow will assure you that your Exchange server is not being used as a mail relay or that your users’ workstations aren’t compromised by botnets.
• Pinpoint Active Directory Issues.  Monitoring failed LDAP searches indicates there is something wrong with AD that could negatively impact Exchange.  LDAP searches time out per minute lets you know that you have an issue right away.


Monitor Critical Processes and Services

Monitor for specific Windows services to be alerted when they stop.  There are also several Microsoft Exchange services you should monitor to ensure Exchange availability.  These include the Active Directory Topology Service, File Distribution Service, IMPA4 Service, POP3 Service, and the Exchange Service Host service.  Many of these services are dependent upon one another.

When CPU or memory spikes, look at the processes that are causing high consumption of resources.

For more information on Exchange Monitoring, check out this short video or go to this on-line demo to see what can be monitored with Server & Application Monitor.


Today’s IT Blogger Spotlight is on Derek Schauland. Derek’s blog is Technically Speaking, and he is an IT Manager for a small organization in Wisconsin in the food services business. He's been working with technology since the days of Windows NT. Derek also posts on the Microsoft TechNet IT Management blog and


Recently Derek and I attended the Microsoft MVP Summit together, and we had an opportunity to chat about his blog.

LG: Tell me about your blog.

DS: The blog started as a way to share tips, tricks, and problem solutions with others.


LG: What are your most popular blog posts?

DS: The product reviews seem to be the most popular.


LG: Who are some of your other favorite bloggers?

DS: I read a lot of Ed Bott (,, and TechNet Blogs.


LG: You recently completed your first book. Training Guide: Configuring Windows® 8. How was the book writing experience? Would you do it again?

DS: Writing a book was certainly an interesting challenge.  Articles and blog posts are quick and easy most of the time, but the book proved to be a much bigger challenge.  It was definitely a worthwhile experience and I would consider doing it again, but I’ll need some time to recuperate first.


LG: What do you do when you’re not doing IT? (and "sleep" doesn’t count!)

DS: That’s it.  I.T. and sleep.  Just kidding.  Although I am doing a ton of IT-related things outside of my job, including running a not-for-profit training organization ( with a couple of friends. The idea behind the project is to help other IT pros network and learn about technology.  Maybe they get a chance to meet someone like Lawrence from SolarWinds or someone else in the industry they might not have otherwise met, but that is still IT.


LG: Okay, let me try another way. What would you do if there was an eight-day week and you could only work seven of them?

DS: Photography! I’ve always had a passion for the creative art of photography.


LG: What are some of your favorite SolarWinds products and why?

DS: Lately the favorite products are the smaller ones:

  • Mobile Admin because I can get alerts and correct issues from my iOS devices if I am not in the office
  • Web Help Desk because I am getting my co-workers used to the idea of tickets to help manage their issues
  • DameWare Remote Support for the huge number of features available for working with/troubleshooting issues on the local network

Follow Derek on:

Twitter: @webjunkie

His blog: Technically Speaking



More IT Blogger Profiles:

Scott Lowe

Bob Plankers of Lone SysAdmin

Matt Simmons of The Standalone SysAdmin

All blog spotlights

In an earlier blog, we said we couldn’t stop at just 5 tips for choosing the right help desk solution. Here’s a quick recap of what to look for:



  1. Easy-to-use help desk software with ticketing automation to reduce manual efforts to simplify ticketing management
  2. Simple & intuitive Web-based interface for both technicians & end-users
  3. Automatic conversion of email service requests to help desk tickets
  4. Built-in Knowledge Base to provide self-resolution options to your users
  5. Robust performance reporting to monitor technician performance & overall help desk management


Beyond these 5 features and functions, you also need to check for compatibility and security customizations based on your specific use.


  • Database: Your help desk software must be database-driven so that you stay in control of your data for management, back-up, and export purposes. Check if the help desk application and back-end database are required to run on the same server or OS, so you have the option to mix and match platforms that best suit your needs. This is possible in an on-premise help desk software. But, in a SaaS-based help desk model, you don’t own your data and lose this edge as the database is controlled by the cloud vendor.



  • Security: A safe, secure, and encrypted help desk is essential. Because passwords and log-in credentials are often shared via help desk tickets, having your help desk software secure this type of sensitive data is recommended for organizations of any size.



  • Operating System: Look for help desk software that can deploy in multiple operating systems, such as Windows®, Mac OS X®, and Linux® environments, so you can support every end-user.



  • Data Import: You have many sources and types of data that feed into your help desk—customer details, asset and inventory information, FAQs, purchase orders etc. Make sure your help desk software accommodates all of these with simple data import options such as .xls, .csv, and .tsv files.



  • Customization for Different Languages: If your help desk supports end-users in foreign countries, you need to be equipped with help desk software that accommodates those users with support for multiple languages and the ability to customize fields and labels in service request forms.



  • Customer Surveys & Feedback: Ultimately, IT help desks provide customer service. The ability to get feedback from your end-users will give you the opportunity to identify areas lacking in performance, as well as those that have room for improvement. Make sure your help desk solution has the functionality to build surveys and distribute questionnaires to collect feedback from your customers.



  • Affordability: You don’t have to invest in expensive help desk software to get excellent quality and a solid ROI. Avoid software that comes with a slew of add-ons that raise the base price and unnecessarily complicate the essential ticketing management functions. Free tools, on the contrary, may lack the automation, reporting, and support capabilities your help desk needs.




Choose help desk software that’s affordable, easy-to-use, and puts you in control with simplicity and automation.

You are the decision-maker responsible for making the best selection to justify your help desk investment, so always remember to evaluate the product to its fullest functionality before purchasing it.


SolarWinds Help Desk Survey

Take this short survey and let us know what your help desk challenges are and what you look for in an ideal help desk solution. Completing the survey will enter you in a drawing* to win a $50 Amazon® gift card.


Take the Survey

*Terms & Conditions: You can read the T&Cs for the survey here.



Posted by einsigestern Mar 18, 2013

In a previous post, I posed the question, "Are printed manuals still necessary?" More to the point, do users really want a printed software manual. In this installment, we look at some of the different methods used to deliver documentation (help).


"Embedded help" is installed with the software. One of the advantages of embedded help is that no internet connection is required to use it. For someone who works in a sensitive environment, where communication breaches or file corruption could constitute a significant risk, access to online information might be prohibited. In this situation, typically called a "black box," embedded help might be a critical requirement. Another desireable feature of embedded help is that the information it contains applies to the specific version of software you are using. The downside is that embedded help, like  printed manuals, is out-of-date even before the product is released. This is just a fact of software development.


"Web-based help" is user documentation delivered via a Web server. The Help button directs you to the software company's site. This method of delivery has many advantages over printed or embedded help. Web-based documentation is, under ideal conditions, continuously updated, massively cross-referenced, available wherever you have an internet connection, and sometimes even interactive. Screen captures, diagrams, and other graphic elements can be zoomed to display specific components.


Each of these two methods of delivery enable the development of context-sensitive documentation. This simply means that the link you click, the little question mark or Help button, takes you directly to the topic that is specific to your current task or location (context) in the software. Done properly, context-sensitive help is a fast, efficient way to get the correct information you need to complete your task.-el

In the Time Before Remote Support Tools


In the early days of information technology before remote support software existed, IT pros had to travel from computer to computer in order to support them.  While this was great for socializing, it wasn’t exactly the most efficient method of support delivery.  And who could forget IT support by phone?!  It is certainly more efficient than walking the halls, but taxes both tech and end-user, increasing frustration on both ends of the call.  Conversations held during a phone IT support session sound something like, "Click on XYZ and then tell me what happens," which is inevitably followed by prolonged periods of silence while the user attempts to follow a technician's instructions and report back.


Fortunately, the ways in which remote support can be delivered has evolved significantly over the years.  Let’s take a look at how remote support tools have evolved over time.


Early Remote Support Tools


Command Line Support


Humankind’s first foray into the area of remote support involved simple command line protocols.  Telnet is a protocol that dates back to 1969 and is still used today to provide option negotiation between a client and the server. According to the THINK protocols team, Steve Crocker wrote RFC 1 in April 1969, documenting the broader goal of "finding a host level protocol capable of facilitating a connection between two hosts, where the remote host acts as if the user were sitting directly at that terminal." Crocker further outlined the collective desire for "the use of a TTY-like connection and a file-like connection in order to facilitate a complete connection between two hosts and the need for error checking."


Secure Shell, or SSH is another network protocol that emerged early on for remote support. It uses a secure channel to exchange data between two networked devices. In earlier years, both Telnet and SSH were found to be better used by network administrators.




Remote Control Tools


Early Licensed Remote Control Tools


In a response to the market demand for remote support tools, DameWare emerged and Symantec created a suite of computer programs known as pcAnywhere. These remote control tools enable techs to share screens with end-users and improve the quality of the support they were able to provide.  Both used proprietary protocols and both required agents to be installed on host machines.


The emergence of remote control software heralded the streamlined delivery of remote support from centralized locations and dramatically decreased the time needed to troubleshoot a remote computer.  It also eased the transition of housing servers in-house to their placement in colocation facilities.  In short, sys admins were able to reliably support and operate their servers from remote locations.


Free Tools Hit the Scene


The next tools to arrive on the remote support scene were the RDP protocol and open source remote support software VNC. RDP was created by Microsoft for Microsoft operating systems. It has been a part of every business or professional series OS delivered by Microsoft since XP.  While it is a great tool for administering Windows servers, it has some limitations that prevent it from being a pure remote support tool.  The most important of these limitations is lack of support for screen sharing.   Another limitation is that it only works for Microsoft OSs leaving those who support mixed-OS environments searching for another tool for their Linux and Mac computers.


As a remote support tool, VNC probably represents a better option.  VNC has some advantages over RDP like screen-sharing with end-users and the ability to support mixed-OS environments, but like RDP, has serious limitations preventing it from being a true enterprise-class remote support tool.  Large-scale deployment of VNC is not a simple process and as an open-source tool, it is likely that organizations requiring robust security will steer clear of VNC as their remote support tool of choice.


Remote Support Redefined


DameWare - Remote Control and Remote Administration


Today, remote support has evolved even further and can be broken down into two categories:  remote control and remote administration.  Remote control tools simply allow IT pros to operate computers remotely.  Tools like RDP and VNC fall squarely into this category.  Remote administration is a more holistic approach to remote support.  With remote administration software, sys admins can perform many of their daily tasks from one software console.




As remote support has evolved over time, so too has DameWare. DameWare’s flagship product, DameWare Remote Support (DRS), is a comprehensive remote support solution.  DRS includes a remote control solution for mixed-OS environments and is capable of remotely controlling Windows, Mac OS X, and Linux computers all from one console.  On the remote administration side, DRS can manage multiple Active Directory domains allowing techs to manage AD objects and edit Group Policies.  DameWare also allows sys admins to perform administration tasks on remote computers without having to initiate full remote control sessions.  From the DRS console, sys admins can troubleshoot remote computers by viewing event logs, restarting services and processes, and managing disks and peripherals.  The latest version of DRS even includes support for Intel vPro AMT which allows sys admins to interact with computers regardless of the state of their operating systems.


DameWare Remote Support is an affordable, attractive option for providing remote support, saving time with administrative tasks and quickly troubleshooting problems.  Download a 14-day free trial today to discover all its benefits for yourself.

How does your company deal with IT issues today? Like toothaches, IT issues have less impact and are easier to deal with when they’re resolved quickly. Let’s face it, IT problems do not get better if you wait for them to take care of themselves. Really. What does it usually mean when you have a toothache that goes away on its own? (Think root canal.) You just don’t want to go there – with your teeth or your IT department, right? You need a plan, a schedule, effective communication, and resolution.


So what does your company do now to make sure IT problem resolution? How do you find out about issues? How do you prioritize which issues to fix first? And how do you ensure the information about the IT problems even gets to the people who can fix them?


Web Help Desk and Alert Central are two new SolarWinds products that can help you get those IT tickets resolved faster. Automating trouble ticketing and alert management positively impact your company’s bottom line by tracking issues and assets and ensuring issues are routed to the person most able to solve them, as quickly as possible.


SolarWinds Web Help Desk is a cross-platform, web-based solution that automates and simplifies complex tasks, with customizable ticketing, change management, asset management, and knowledge base functionality. Web Help Desk helps IT teams overcome the everyday challenges of managing IT operations and supporting end-users.


SolarWinds Alert Central is a FREE, centralized IT alert management software that easily integrates with Web Help Desk. Alert Central automatically manages the on call and escalation side of resolving trouble tickets, and streamlining on-call scheduling and alert management for your entire IT organization. It consolidates and manages IT alerts, alert escalation, and on-call scheduling to help ensure all your alerts get to the right people, in the right groups, at the right time. And SolarWinds Alert Central uses a simple set-up wizard to walk you through the process.


When IT staff isn’t spending time tracking down lost trouble tickets or assets, or on routine scheduling and routing processes, they can be busy preventing IT issues. Or providing in-depth support for really demanding IT issue resolution, should the need occur. For more information on Web Help Desk and Alert Central, see and

If you've been running SAM with additional pollers, you're no doubt aware that you had a choice between the Poller-Bound option, or the Local-Only option.


SAM 5.5 Removed the Local-Only Option - (Yes, this option is no more, but fear not.)

Normally, an administrator would use the Local-Only mode to control which ports are open between SAM and the managed nodes (a security feature of sorts).  Selecting this option also allowed you to more evenly balance the load of the additional pollers. The Poller-Bound option meant SAM would need to be installed on every polling engine.

What Does this Mean for You?

Nothing if you don't use additional pollers, or have been using the Poller-Bound option all along. However, if you are in the minority and want to preserve the effect of local polling provided by earlier versions of SAM, you will need to migrate all nodes with applications assigned to them to the primary SAM server. (We made it easy for you.) Simply follow the instructions in this article and run the attached report. (I know, sometimes change sucks, but we're here to help.)

Have you been seeing some suspicious URLs appear in your reports? You can now set a rule to track that activity with SolarWinds Log & Event Manager (LEM). LEM has many configured rules built into it for your ease of use. For this particular procedure, you can clone and enable the Known Spyware Site Traffic rule to track when users attempt to access suspicious websites by partial or complete URL addresses. The default action for this rule is to generate a HostIncident event, which you can use in conjunction with the Incidents report to prove to auditors that you are auditing the critical events on your network.

Before enabling this rule, ensure your proxy server transmits complete URL addresses to your SolarWinds LEM Manager by checking the URL field of any WebTrafficAudit event generated by your proxy server. If your proxy server does not log web traffic events with this level of detail, check the events coming from your firewalls, as they can sometimes be used for this rule as well.


To clone and enable the Known Spyware Site Traffic rule:

  1. Open theSolarWinds LEM Console and log into the SolarWinds LEM Manager as an administrator.
  2. Select the Build tab, and then click Rules.
  3. Click NATO5 Rules on the Refine Results pane (left).
  4. Enter Known Spyware Site Traffic in the search box at the top of the Refine Results pane.
  5. Click the gear  button next to the rule (left), and then click Clone.
  6. Select the folder where you want to save the cloned rule, and then click OK.
  7. Select Enable at the top of the Rule Creation window, next to the Description field.
  8. Click Save.
  9. Back on the main Rules screen, click Activate Rules.

I attended the Austin ISSA-sponsored Advanced Splunk Training session on March 6.  As always, the ISSA chapter delivered meaty technical training, and it was free!  The event was co-sponsored by BSides and Splunk.


While all kinds of interesting Splunk technical info was presented, for me, the most interesting part was hearing from Michael Gough and some other security practitioners at the event about what people really monitor.  As a technology provider, we are not always privy to what people are really doing with our tools, so it was an eye-opener for me.

Splunk training.JPG


Here are some of the things security guys monitor.  Of course they monitor other stuff too, but this is what we can share in mixed company

  • Administrators / Root logins, successful or failed.  "Power corrupts, total power corrupts totally” - even IT administrators.
  • Login attempts to disabled accounts.  Makes sense - there's usually a pretty good reason they're disabled.
  • Successful logins for certain accounts, such as those with elevated privileges, or accounts given to partner personnel
  • https accesses, especially to weirdly long URLs, which can be SQL injections
  • FTP from servers and workstations
  • Group membership changes and elevation of privilege
  • Database alerts
  • Suspicious files being executed
  • VPN logins
  • Outlook Web App (OWA)  and Remote Desktop Protocol (RDP) logins – looking for suspicious remote access
  • Servers downloading .exes from the internet.  They look for admins surfing for open source tools to keep an eye that malware hasn’t been downloaded
  • Share drive accesses at workstations and at servers; access to particular, sensitive shares.  They watch for shares being seen and crawled inappropriately.
  • Net.exe use to map and unmap network drives in Windows
  • Cscript.exe use. Cscript.exe lets you run scripts via command line and can be used in exploits
  • Services being installed from servers; noisy workstations


And if you are a Security Guy, please check out our SIEM, SolarWinds Log & Event Manager.  It's an understated, affordable, full-function SIEM that can help you pwn the bad guys.

In my last blog, I wrote about what network management is and why it is such a large field. It does require a wide range of functions and in order to understand these functions better, people group them into categories, knows as FCAPS. FCAPS is an ISO model and stands for the Fault, Configuration, Accounting, Performance and Security functions that are required to manage a network. Let us explore this model further.


Figure showing network management functions categorized using the FCAPS model.

Reference: J Parker, white paper mentioned below.

F is for Fault

A fault is an event that shows a problem in the network. The aim of fault management is to detect, isolate, correct and log faults that occur in the network. It also includes trend analysis to predict errors so that the network always provides the service it intends to. In order to manage faults, we need a system to monitor the network and raise alarms. A basic alarm management system provides a list of alarms of alarms based on the network topology. Once the alarms are raised or network users face a problem, a ticketing system is required to manage the workload and priorities associated with the faults. An alarm only shows the symptom of a problem, a troubleshooting system is required to gather more information about potential causes that lead to the fault. This includes gathering more information about all devices involved in the path where the fault has occurred. Better fault management can be achieved by proactively keeping track of the network and predicting when a fault can occur. This can be done by injecting tests into the network to find a fault. It can also be done by analyzing historical fault data.


C is for configuration

For the network to do what it is supposed to do, it needs to be told what needs to be done in the first place. This is known as the network configuration function. The goals of network configuration management are to gather and store configurations from network devices (this can be done locally or remotely), to simplify the configuration of the device, to track changes that are made to the configuration, to provision circuits or paths through non-switched networks and to plan for future expansion and scaling. Often the network does not remain static, you may need to add or remove devices. Auto-discovery of network components and network topology building is helpful in such a case. One of the common problems that arises in a large network is managing and configuring IP addresses.

A is for Accounting / Administration

Accounting is also known as billing management. This is mostly for network service providers. The goal is to gather usage data and based on this a bill is generated. For non-billed networks, the A stands for administrative tasks such as user permission management

P is for performance management

Network performance management deals with efficiency of the network. The network performance function, addresses the throughput, percentage utilization, error rates and response times areas. Collecting and analyzing performance data helps in meeting SLAs and to do capacity planning. Like in fault management, one needs to analyze historical performance data to take care of capacity or reliability issues before they affect service requirement. One of the common problems is to monitor bandwidth to understand whether it is utilized prudently. Sometimes one needs to configure policies to give bandwidth priority to certain types of traffic such as VoIP calls. Once this is done VoIP monitoring can help ensure the calls meet the desired quality of service.

S is for Security

Security management involves managing the security of the network. One of its major goals is to manage security threats like hacker attacks, denial of service attacks, viruses and spam. In addition, security management consists of intrusion detection through monitoring traffic on the network, application of policies that limit the traffic or differentiates between different types of traffic and gives them different privileges, blacklisting ports with suspicious traffic and placing honey-pots in the network to attract attackers. Often firewall troubleshooting is required to resolve a security breach or threat.

In conclusion, I found FCAPS to be very useful in understanding various network management functions. However, we need to keep in mind that FCAPS is just a framework that helps us understand better. It does not drive product functionality or user need. These are based on the type and size of the network and the type of business. Many types of user needs may be solved using a single product functionality which may fall under different categories. For example, one of the functionalities is to test the functionality of a certain service. This can be used for troubleshooting. It can also be used for validating provisioning or to take performance measurements. This is exactly the reason why sometimes the same network management product offers functionalities that fall under different FCAPS categories.




Clemm, A. (2007). Network management fundamentals. Indianapolis, IN: Cisco Press.
Parker, J. (2005). FCAPS, TMN, & ITIL: three key ingredients to effective it     management. [White paper].

I just read a story on on Microsoft’s recent online service outages.  On March 12th, a few of Microsoft’s services went down –, SkyDrive, Hotmail and Calendar.  The cause was a rapid temperature spike which was the result of a firmware update failure.  Was this failure preventable?  Yes, with the proper monitoring and reporting, it could have been prevented.  Here is how:


When patching updates, you should report on whether the update was successful or not. This can be done with patch management tools that report on success or failure of your patch deployment.

patch updates.png


Monitor server hardware.  With the right server monitoring tool, it’s quite easy to monitor hardware across your server vendors.  Just yesterday I was speaking with a customer who just installed blade chassis monitoring and immediately discovered that a power supply was about to fail.  Without monitoring, you have no visibility into temperature spikes, hard drive issues, power supply problems or memory status.

SAM_5.5_Dell M1000e_base_en.png




















Checkout this on-line demo to explore how these tools work.



by Jennifer Kuvlesky

Blog_NTM_AC_CatTools.pngJust in case you missed it, March was a busy, busy month at SolarWinds. We released two new products: Alert Central to coordinate the handling of notifications from your many systems, and Network Topology Mapper to help you see what's on your network. (And maybe find a few things you didn't expect!)


On top of that, we also released a new version of Kiwi CatTools, our reliable router configuration management tool. Like other releases, CatTools version 3.9 fixes a number of bugs and adds device support (especially for MicroTik). This release also updates CatTools with SolarWinds licensing so you can manage your CatTools licenses using the same portals and procedures as you use to manage all your other SolarWinds licenses.


Other Kiwi Development


Even as we continue to develop Kiwi CatTools, work continues on Kiwi Syslog Server as well. Expect some additional announcements about this popular log collection, monitor, and archive utility product in April.

VDI Storage

VDI workloads have made virtual and storage admins look for storage technologies that have higher I/O rates and better performance. While solid state drives (SSD) can be a viable solution to increase storage performance as a whole, administrators still worry about TCO and ROI over the long run. This can ultimately lead to rejection of SSD and selection of cheaper mechanical disks that may not meet the VDI performance requirements and cause bottlenecks.

Matching physical desktop IOPS with mechanical disk is one of the biggest roadblocks in VDI deployment. Let us compare the IOPS performance and cost for different types of hard disk.


Enterprise Mainstream

Performance SSD



Performance SSD

(Kingston SSDNow E100 400GB)

10K SAS Drive

(Western Digital Velocity Raptor)

Drive Interface    

6Gb/s SAS


6Gb/s SAS

Maximum Read Transfer Rate

510 MB/s

535 MB/s

200 MB/s

Write Transfer Rate               

230 MB/s

500 MB/s

200 MB/s


Read - 90000 IOPS

Write –17000 IOPS

Read - 52000 IOPS

Write – 37000 IOPS


Target Storage and Server

Mid-High Range

Low-Mid Range








4K Read.png

Storage Read IOPS/Queue Depth


4K Write.png

Storage Write IOPS/Queue Depth

The Price/GB comparison shows us the price of a mainstream SSD to be approximately 10 times the price of a mechanical hard disk. But the catch here is the read/write IOPS for SSD is 20 folds more than a mechanical hard disk. Hence using the right storage type for the right purpose is the key for a good storage investment.

For instance let us assume your enterprise has 100 clients on a host, and the hard disks are on RAID1 configurations.

  • For Windows 7 clients to run smoothly the read/write ratio is 40/60 and the IOPS needed is 10 per VM
  • Based on this for 100 VMs we need 1000 IOPS of which 400 is used for read and 600 for write.


Storage Cost Calculation (10K SAS drive in RAID1 vs. Enterprise Mainstream Performance SSD_

For RAID1 the IOPS is 50-60 for read, and 150-160 for write. That implies:

  • (400/60) + (600/160) = 10.41 so that’s approx. 11 disks for 100 VMs
  • 11 (disks) * 245 (price of 10K SAS) = $ 2,675 for hosting 100 VMs on 4,400 GB of storage

On the other hand, a single enterprise SSD can handle all the IOPS needed by the 100 VMs, costing about 3000USD having an IOPS rate of 90k for read, and 17k for write operations. But, on the flipside, you are left with 400GB of storage which is just 10% of what 10K SAS offers.  For a larger environment that would use all more of the SSD IOPs capacity, a combination of SSD and SAS drive can provide the most cost effective combination of IOPs and storage space.  By itself this makes SSDs more expensive, especially if you are looking for storage space and NOT performance. From there it is fairly simple math to calculate TCO and ROI for each hard disk type once you know your VDI infrastructure, the number of VMs and VDI usage and possibly the current IOPs identified with virtualization management software.

Storage administration in VDI is all about managing storage capacity and IOPS demand. Balancing this with keeping cost in mind is key for TCO and ROI. Otherwise, the whole purpose of deploying VDI to save IT cost may tend to fail.

A few points on how to maximize your storage performance and ROI are provided below.

  • Use the Right Storage Device: To address this capacity vs. IOPS issue we can adapt the process of adding SSDs to handle I/O operations while using mechanical disks for back-end capacity
  • Thin Provisioning to Save Storage: Thin provisioning of VMs on faster storage can save space on SSD hard disk. This allows more VMs per disk (but remember to monitor storage capacity as exceeding physical capacity can shut down your VMs).
  • Memory Swapping: Having memory swapping occur on a SSD will allow applications that use swap memory to run faster while the actual processing is done on mechanical hard disks
  • Segregate Based on Usage: You can segregate the usage of VM based on usage or departments. For example, for a department developing and testing VMs requiring faster I/O can run on a SSD while the marketing and sales that needs less IOPs performance can run on mechanical disk
  • Moving the Snapshots: Non-active snapshots can be moved to a backup mechanical hard disk so it provides more average I/O for active snapshots
  • Storage Tiering: Storage tiering is the process where the software determines the data based on type, usage and provisions it on mechanical or SSD disk automatically.
  • Boot Storm Management: Boot storm occurs when all virtual desktops are turned on at the same time causing a spike on storage I/O usage. Timed boots or aligning storage arrays based on power on time can avoid boot storms.

Last week I had the pleasure of interviewing Brian Lemoine, Senior System Administrator at Guaranty Bank & Trust.  Guaranty Bank is a community bank in South Louisiana with 5 locations, 70 computers, servers, virtual server and ~45 users.


JK:  How long have you used SolarWinds Patch Manager, and what applications do you patch today?

BL:  Our bank has been using Patch Manager for 3 months.  We patch all the Windows applications - Office, Server.  Now that we have Patch Manager, we patch Flash Player, Java, Adobe Reader, Firefox, and we also publish the Dell driver updates.


JK: Before you started using Patch Manager, how were you patching?

BL:  We had a WSUS server but that didn’t work very well.  It was cumbersome and a pain to fool with. We had some applications that did not get updated at all.  Flash and Java were updated on an as-needed basis if someone called in with a problem.  We had some people who were running Adobe Reader 8, some with Adobe Reader 10 and everything in between.  It was kind of a mess and there was no way to keep up without going to each machine.


JK:  How long did it take you to patch your environment using WSUS?

BL:  It was a never-ending process.  Pretty much all my free time was devoted to patching.  Since I’m a one man band, I don’t have much time to begin with.  Being a bank, we have really busy machines and these would hardly get updated at all.


JK:  What was the straw that broke the camel’s back that caused you to start searching for a more robust patch management solution?

BL:  In October last year, we had a state regulatory agency IT audit from the OFI (Office of Financial Institutions).  One of the recommendations was to get patch management under control – it was not up to snuff.  At that time, I also worked after-hours for a private school and we were using DameWare for remote administration, which worked really well.  That is how I found out about SolarWinds and Patch Manager.

In addition to Patch Manager, we looked at Kaseya, which our consultant recommended, and we also looked at Microsoft System Center Configuration Manager.  We tried out all 3 products and the reason we chose Patch Manager was that it just worked – it was easy to set up, easy to understand - it just worked!  The others were difficult to set up and get going.

Kaseya was too slow because the patch client was on each computer, and we would connect through the Internet to the server at our consultant.  Our consultant has a managed service offering using Kaseya.


JK:  How much time does it take to patch your environment with Patch Manager?

BL:  It (Patch Manager) cut it down next to nothing.  I can schedule it to do everything and anything.  For example, today I deployed IE 10 for Windows 7 which came out on Tuesday.  I set up a schedule to deploy the patch and it only took me a couple of minutes.


JK:  You mentioned you had an IT audit recently.  How did it go?

BL:  Every year we hire an independent audit firm to perform an IT audit – all banks are required to do this (FDIC/OFI).  This last auditor was out of Texas, and he audits banks all over the country.  He was very, very impressed with Patch Manager.  He made a comment that he has audited banks that have purchased patch management software for $20,000 and it did not work half as well as Patch Manager.  We purchased Patch Manager for $700 – it was a steal.


The audit process was really easy.  The reports were already built in – like the update status on machines – and it took just a couple minutes to run the reports.  In the past I would spend hours on producing reports for the auditors.


For those of who have been reading my articles, you'll recognize that I like options, and hate tedious work. Automating tedious work will be the subject of today's rant.


To Automate or not to Automate? That is the Question.

Recently, the team of technical writers here at SolarWinds was given the directive to start submitting daily reports, as opposed to weekly. As you could well imagine, I grumbled. After huffing and puffing to myself for a few moments, I began the task of automating this banal task. The automation was fairly simple. I wrote a script that scans various folders and calendars within Outlook, in addition to some work folders on my dev box. The script searches for any file or task that matches the current date. I then had the script take all of that collected information and neatly order it into a pre-addressed email that was to be automatically sent to the higher-ups every day at 4:30 pm. Voila! Tedious work be gone!


Slow Down.

I thought I was clever by creating this script, then I thought again. Having an email automatically sent out on a daily basis to your boss without having reviewed it first seemed...let's just say, stupid. Suffice to say, 95% of my tedium has been defenestrated. (That's a $5 word you should look up .) I now have my report generated and sent only when I press the button and after having reviewed it first.


Automation is not a Substitute for Responsibility.

We all remember the movie, WarGames. In the opening scene, everything war related was automated up until the point nuclear warheads came into play. It was at this last stage that the human element was introduced to "turn the key." The plot focused on the removal of this human element and the potential consequences. (Think sending an unread, automatic email to your boss is bad? Sheesh!)


The Point

Yes, tedious work sucks. We know that. Automation is great. We know that too. The real point is (drum roll)...balance. "Lesson not just karate only, lesson for whole life. Whole life have a balance, everything be better. Understand?" - Mr. Miyagi (The Karate Kid).


SolarWinds and Balance

We have many products here that automate mundane tasks, and they can do almost anything. Let's take a look at SAM, for example. Once up and running, SAM can monitor your hardware, your applications, your logs, and so on. SAM also allows you to be alerted when something goes awry, and take action if this is your wish. The key here is that you are in control, not the machine. SAM has a wide array of features that help you automate your sysadmin world, not control it. Take a look at what it can do, with just a little help from you:



For the complete list click here.

jav1.jpgJavvad won “Most Entertaining Security Blogger” at RSA 2013.  We had to check that out!  Turns out, his security videos ROCK!  He explains really dry, boring and complicated security topics in a fun and completely palatable way.  Plus, with the videos, no pesky reading is involved 



JM: In the beginning, I viewed blogging more like therapy. This was when I used to blog anonymously and it felt very liberating to be able to get topics out there and realize there were many others out there who shared the same frustrations and observations. But after that, it became a great way for me to interact with my peers and learn from them.



JM: I’ve always been a TV / movie kind of person and always appreciated it. I’m also a big fan of youtube, and follow many vloggers. I found myself being drawn to the concept that if someone can make a highly entertaining 3 minute video on the latest Justin Beiber hair product, then surely someone can make an entertaining, yet informative video on an important topic like information security. I couldn’t really find anyone who operated in this space, so I dusted off my camera lens and thought I’d give it a go myself. Now, videos have become my preferred method of blogging.


KB: WHAT ARE YOUR FAVORITE TOPICS?  Can we get a sneak preview of some upcoming topics?

JM: I really enjoy it when I can take a technical concept and present it in a video that makes sense to a broad audience, for example the video I done illustrating the difference between encryption, hashing and salting ( was very well received, as was a recent video on SQL injection ( – over the year I plan to work through other such similar topics, i.e. the OWASP top 10.




JM: Not so much for a security reason, but I tend to stay away from topics that involve hacktivism or “state sponsored attacks”. I feel these kinds of political issues are best suited for those people who actually have some expertise in intelligence or politics. I have experience in neither, so like to keep my opinions restricted to those topics that I actually do understand. I don’t want to be that firewall admin who ends up on CNN talking about how country x is using cyber-warfare to build nuclear warheads.




JM: The core of the readership is security professionals. My videos do have a slightly wider reach though, being popular with those new to security or having an interest in security.



JM: The SQL injection video was quite popular, as was a video I done on the cookie law ( – oh and the continuing story of santa getting hacked every Christmas is always popular



JM: Nothing of note really. I own some exercise equipment at home that serve as convenient places to hang clothes to dry, dread getting the kids ready for school in the morning, and dread the school holidays even more. I enjoy watching fictional movies but reading non-fictional books.

Related blogs:

Bill Brenner, Salted Hash

Matt Simmons, Standalone Sysadmin

Bob Plankers, The Lone SysAdmin

All IT  blog spotlights

Last November, my colleague Phil wrote an article in this blog about using the Patch Manager Update Management Wizard to deploy third-party updates. A similar capability also exists in the Update Management Wizard for deploying Microsoft Updates, but it requires use of a different option. For the third-party updates discussed in the previous article, the files for those updates are physically present on the SUP, so it is possible for the Windows Update Agent to download those update files.


A different situation exists for Microsoft updates, because the update files for Microsoft updates are never downloaded to a Software Update Point. The Good News, though, is that the Update Management tool and the Update Management Wizard tool both have an option to instruct the client to download updates directly from Microsoft Update.


Update Management Wizard - Use Microsoft Update option.png

There are a number of ways in which the actual update task can be invoked.


  1. The Computer Explorer | Windows Update Scan tool can be used to scan the client against the SUP catalog to determine which synchronized updates are installable, select the desired update(s) from the scan results, and then launch the Update Management task from the Computer Explorer to have the Windows Update Agent download and install the updates from MU.
  2. The Update Management tool can be used in conjunction with the "Select Updates" option to choose one or more updates from the list of updates synchronized on the SUP.
  3. One or more rules can be defined in the Update Management Wizard, and have all applicable updates matching that rule set pulled from MU. (Note that this methodology can result in the client obtaining updates that are not available via the SUP.)



Organizations of every size find themselves looking for the right help desk solution to meet their IT and end-user requirements. Some have not implemented any solution yet, and there are those not satisfied with their current solution and are in search of a better one.

Whichever of these categories you belong to, you will certainly find it demanding to make a choice given the plethora of help desk tools and software storming the market. So, where do you start and how do you go about it? Let us give you some tips and wise counsel (maybe more geeky than wise) to make your life easier with help desk and ticketing management.

#1 Simplify & Automate as Much as Possible

At the end of the day, it’s all about resolution of help desk tickets for an IT technician. The more you simplify the ticketing and management process, the more time you gain for troubleshooting and problem resolution. Look for a solution that makes ticket creation, assignment, escalation and management simple, and doesn’t require much manual effort. Both the technicians and the end-users should feel comfortable using the help desk. You need more options for creating tickets – quick tickets for common IT tasks, special assignment, and priority based on specific request conditions, running multi-stage tasks, etc.

#2 Look for Software with an Easy-to-Use Web Interface

For overall familiarity and less ramp-up time, Web-based help desk software is the best bet. The centralized Web interface gives the help desk support staff get more control, and it makes the team’s jobs easier by being able to log into just a single console to execute administrative tasks. A Web interface also makes a better end-user experience. With customizable ticket forms and dynamic ticket creation templates, it becomes easier to create a ticket, define priority and SLAs, and communicate with the assigned technician—all from a single interface.

#3 Accommodate Old-School Email Service Requests

Though it’s best to have an easy, consolidated Web interface for ticket creation, your help desk software should still be able to receive users’ IT requests via email and convert them into a service desk ticket dynamically. So, look for a Web-based solution that also converts in-bound emails into help desk tickets and allows you to send outbound emails to end-users and other support staff for status tracking and communication.

#4 Save Your End-Users From Themselves

A built-in knowledge base (KB) is incredibly useful for providing self-service options to the user who’s logging a ticket. Your help desk software should provide FAQs and tech tips at the time of ticket creation to help them with self-resolution on simple and common issues. KB content is also invaluable for help desk analysts when referring to frequently faced problems and who need detailed but quick resolution tips on-the-fly.

#5 Reporting is Your Friend

What you don’t know could hurt you—and your team. If you are in charge of your organization’s IT help desk, you need to be able to know how many tickets your technicians are handling, how quickly they are being resolved, how satisfied your end-customers are, what common issues need more attention, which problems often recur or cause additional issues, etc.


By measuring the performance of the help desk staff with robust reports and comprehensive ticket resolution statistics, you’ll be able to identify strengths and weaknesses, recognize patterns in help desk service issues, carve out plans for process improvements, improve your help desk’s service quality, and better manage your help desk team overall. In other words, metrics matter - a lot!


Here’s a quick checklist to help you make your decision on the right help desk software. Look for:

  • Easy-to-use help desk software with ticketing automation to reduce manual efforts and simplify ticketing management
  • Simple and intuitive Web help desk interface for both technicians and end-users
  • Automatic conversion of email service requests to help desk tickets
  • Built-in Knowledge Base to provide self-resolution options to your users
  • Robust performance reporting to monitor technician performance and overall help desk management


And remember to try before you buy. Evaluation will prove worthy for making the right choice. Stay tuned for more tips. We just cannot stop at 5 especially when we are geeks and we like sharing help desk love.


SolarWinds Help Desk Survey

Complete this short survey to enter in a drawing* and win a $50 Amazon® gift card.


Take the Survey

*Terms & Conditions: You can read the T&Cs for the survey here.

(Warning, I usually write about network topics that aren't necessarily related to our products, but I’m going to unashamedly promote a new product here because I kill with it everywhere I show it.  You should check it out.)


I’ve been a network software geek for a long time and done more than a few new software demos on the road. Still, whenever I show a brand new product to a room I’m a little nervous no matter how much I think it’s cool. I just flew back from Network Field Day 5 in San Jose, where I showed off SolarWinds new Network Topology Mapper and fortunately, it went over great.


Network Topology Mapper (NTM) builds on the strengths and years of expertise with LAN Surveyor, but it’s a clean-sheet design.  Its discovery engine makes quick work of integrating OSI Layer 2 & 3 data into a network map, probes with NMP, ICMP, WMI, CDP and VMware, sorts out ports, VLANs and subnets, and of course it spits out Visio and other network visualization software formats.  Best of all it now exports directly to the Orion platform Atlas mapping engine, so you can go direct from discovery, to layout, to live status display via NPM.  (Check out Glenn Gray's post for screenshots).


We presented so much content I only had about five minutes to do a live demo of NTM, but the audience was a crowd of network gurus who can net-out the value of a product quickly. Many had experience with LAN Surveyor. Even though I only had time to change some topology links, show the discovery wizard config and change the views around, I saw some telltale smiles and nods from a tough crowd.  I’m convinced everyone is really going to like this new network mapping product.

A recent survey asked one hundred IT administrators what "lunch out" meant. The top three answers were:

  • 55%: Something marketing and sales people get to do
  • 24%: Eating in the break room instead of at my desk
  • 21%: I get "out" - what's "lunch"?


OK, the survey's a fake, but too many of us still think that leaving the building during working hours is dangerous. Fortunately, there is a new generation of "mobile ready" (if not "mobile first") applications to help us with that.


One of those applications is SolarWinds' Serv-U MFT Server, which ships with an iPad-optimized administrative interface. This Web console launches using iPad's built-in Safari Web browser and lets us:

  • Reset passwords and unlock users
  • Monitor current activity with statistics and logs
  • Watch user activity in real time and drop specific sessions
  • Grant access to users, groups, blocks of IPs, or entire domains
  • Add and configure users, groups, folders, protocols, and other settings


...All on your secure file transfer server from anywhere, at any time. (And did I mention it uses firewall-friendly, secure HTTPS?)



Try It Yourself

  1. Make sure your iPad is running iOS v5 or greater. (how to check)
  2. Install Serv-U MFT Server.
  3. Connect to any HTTP or HTTPS Listener on Serv-U with the Safari Web browser on your iPad. (try TCP ports 80 or 443 on your Serv-U server)
  4. Sign on as an administrator to see the main screen of the Serv-U Management Console.

Ever wondered what would happen if Exchange services are suddenly stopped or rebooted? It could possibly corrupt mailbox stores. Sounds super scary, right? Well, read ahead for a situation that you could face in your wonder days as a SysAdmin.


Consider a Scenario
You are the overworked system admin and the lone ranger. Your Exchange server's CPU is running at 100% for a long time, and you’re getting alerts from your monitoring software. ALERT! ALERT!
After some initial troubleshooting, you decide to restart the Exchange services. The restart process fails, and the CPU continues to run at 100%. Ugh.


The Reboot Disaster
As the status remains the same, you decide to reboot, hoping this will resolve the issue. After 15 minutes, the server finally reboots and as it restarts, some of the mailbox stores do not mount.

The Bad News
The reboot corrupts several mailbox stores, and you discover that a shutdown or restart of the operating system does not necessarily wait for all services to stop. The Information Store service apparently did not stop completely and after a timed delay, Windows shut itself down. You know that the corruption happened because the Information Store was actively being written to when the service stopped.

When It’s Safe to Stop Exchange Services
When you perform maintenance on your Exchange servers, it’s always best to dismount all of the mailbox stores first. This will assure that all "in flight" transactions are completed before the service is stopped.
For example, to stop Exchange Server 2003 services, you must stop System Attendant, IIS Admin service, ExIFS, and SRS (if this service is running), and all dependent services first.

Service Control Manager: Remotely Start & Stop Services
SolarWinds Server & Application Monitor’s new feature, Service Control Manager, allows admins to see all services available on the host, their current state, start-up settings, as well as the services description from within. Stopping, starting, and restarting services instantly is a simple point-and-click affair, all from your Exchange server monitoring tool!

service control manager.png

                    The new Service Control Mangaer feature in SAM 5.5


The very same interface also provides a quick method for monitoring new or problematic services – it’s as easy as clicking a button! The service remediation for any Windows service currently monitored by SAM subtly changes and reduces mean time to resolution when application issues occur by ensuring what you need is readily at hand. So, keep a tab on all those critical Exchange services and control them at the click of a mouse.

component dets.jpg

SAM - The Next Frontier

Posted by Bronx Mar 11, 2013

Those of you who rely on SAM know just how quickly we add new features into every release. SAM 5.5 is no exception. That said, let's back up for just a minute.


SAM 5.0 introduced the Real Time Process Explorer, and many of you were pleased with the addition of this new feature. What is it? From the SAM Administrator's Guide: "This feature is similar to the Processes tab found in the Windows Task Manager. The advantage of the RTPE is that you no longer need to physically, or remotely, log in to a particular computer and run the Task Manager to retrieve that machine's vital statistics. Information for both monitored and unmonitored processes is displayed directly through SAM using the RTPE."



Enter the Service Control Manager, now available in SAM 5.5. The Service Control Manager is the next evolutionary step following the success of the Real Time Process Explorer. What is it? Again, from the SAM Administrator's Guide: "The Service Control Manager (SCM) is similar to the Real Time Process Explorer, with the main difference being that it allows you to manage the services of monitored Windows nodes, as opposed to processes. The advantage of the SCM is that you no longer need to physically, or remotely, log in to a particular Windows computer to view and control its services. Information for both running and stopped services is displayed directly through SAM using the Service Control Manager."


Granted, the description is rather dull (I can say that because I wrote it) but take a look at the screenshot below. Starting to get the picture? This new feature is rich with vital information, with the added ability to control remote services right from this window.



If you been with SAM through at least two releases, you can probably see where we're headed. Here's what I see from my perspective:

  • Monitor everything,
  • Take action on everything.
  • Solve everything.


This is only one of the new features in SAM 5.5. For a complete list of what's new, check out the release notes. Stay tuned for the next big thing!

In case you missed it last week, Evernote, the online note-taking app, was hacked, and, If you're an Evernote user, you've probably already changed your password. I wouldn't hold your breath waiting for the hacker(s) to complete your To-Do list, though.


Unfortunately, Evernote hasn't been the only high-profile victim, even this year. As CNET has it:

Evernote is just the latest company to suffer at the hands of hackers. Microsoft, Apple, Facebook, and Twitter have all been victimized recently. And of course there were the high profile hacks at The New York Times, The Washington Post, and The Wall Street Journal that helped prompt President Obama to sign an executive order on cybersecurity. [source]


Though it wasn't necessarily a network management failure in the Evernote case, it would be unreasonable or naive not to expect more stories of similarly high-profile, enterprise hacks to continue to break in the future, which should explain what ComputerWorld was also reporting last week:

Demand for information security experts in the United States is outstripping the available supply by a widening margin...A report from Burning Glass Technologies, which develops technologies designed to match people with jobs, shows that demand for cybersecurity professionals over the past five years grew 3.5 times faster than demand for other IT jobs and about 12 times faster than for all other jobs.

In 2012, there were more than 67,400 separate postings for cybersecurity-related jobs in a range of industries, including defense, financial services, retail, healthcare and professional services. The 2012 total is 73% higher than the number of security jobs posted in 2007, Burning Glass said...




The two most sought-after jobs by employers were information security engineers and security analysts. Close to one in three of all computer security jobs advertised last year were for information security engineers. Nearly 25% of the job postings were for security analysts. [source]


IT security is a big deal. Products, services, and information repositories that we could only imagine a couple decades or even years ago depend on increasingly expansive physical and virtual networks that require protection from more-and-more sophisticated potential threats. If your enterprise doesn't have a comprehensive IT security plan, let the high-profile hacks mentioned above be an inducement to develop one quickly. But how can you secure your network when you're understaffed and undersourced?


SolarWinds can help.


Check out our recently published SolarWinds Whitepaper, "IT Security Management Checklist: 9 Key Recommendations to Keep Your Network Safe" for network security insight and recommendations, and then check out the network management and log & security management products mentioned for quick and cost-effective IT security solutions .

How do you know when you're getting an error related to exceeding the number of certificates allowed?

If the number of certificates allowed is exceeded, Patch Manager displays an error message when you attempt to retrieve WSUS or computer information, run reports, or perform configuration management tasks. You might also see errors that indicate the "RPC Server is Too Busy," or installation errors due to too many certificates.

What causes certificate errors in Patch Manager?

This error is caused by having too many certificates in the Patch Manager server's Trusted Root Certification Authorities certificate store. If there are more than 200 certificates in this store, Microsoft's algorithm for searching and scanning the store fails. Patch Manager warns you during installation and upgrades if you are over this limit. However, it returns the previous error message if you add new certificates and exceed the limit after you have installed Patch Manager.

What are the error messages related to this issue?

Error messages related to "exceeding the number of certificates allowed" include:

  • ERROR: All management servers are unavailable for management group. 200 certificates.
  • Setup has detected that the certificate count in the ‘Trusted Root Certificate Authorities’ store exceeds 200.


How do I resolve certificate error issues?

The KB article, ERROR: All management servers are unavailable for management group. 200 certificates, provide detailed instructions on how to reduce the number of certificates on the Patch Manager server. Additional information is available from Microsoft in the article, SSL/TLS communication problems after you install KB 931125.


star trek.jpg


Let’s start with the easy stuff. Kirk, so emotional and brand-conscious -- he would buy Splunk for SIEM.  First, he would ask for the Splunk people to provide an alien chick to assist in the evaluation, but that is stuff for another blog.

Janeway would write her own SIEM, and fail wildly.  Tuvo
k would shrug it off as just another failure...  Chakotay would support Janeway in her wild failure, calmly saying some native stuff to soothe her.

But Picard, he would be likely to buy SolarWinds Log & Event Manager (LEM) for his SIEM.  Understated, full-function SIEM.  He would weigh the pros, the cons, and he would hate the hype and high prices other vendors demand for SIEM.


Spock would likewise choose LEM.  So would Data.  The logical guys would choose LEM.  They would likely create an Excel pivot table to prove this was the right decision.  Heck, Data could do SIEM himself, but that would distract him from achieving humanity.


Troy would intuit the failures of others, and feel the pain of ArcSight, and its 18 month deployment.  She would feel the pain of LogRhythm, being out there all alone.


Scotty would say, “Captain, it will take 48 months to implement SIEM with ArcSight, but I can do it in 18 months.”


Riker would say, “What is a SIEM?  Let's send Captain Picard to Raisa to get one!"


Q would say, “When will the human race figure out LEM is the obvious choice?   Let’s hold court.”

On the other hand, Worf would just phaser all the computers and be done with it...  An attractive option.  An extremely attractive option.   Since that is not an option for you,
please check out LEM. phaser.jpg

Ecce homo, behold the Mann.

For 30 years Steve Mann has been iterating the EyeTap computing system through which he lives his daily life. A prosthesis over one of Mann’s eyes, the EyeTap simultaneously sends every image—via a beam-splitter—to the eye’s retina and also to a high resolution video camera. The camera’s image stream passes into the EyeTap’s computer proper and is subject to filtering based on preferences Mann can adjust as needed. For example, in its usual configuration, the EyeTap filters out objects that its software identifies as advertisements, so that Mann simply doesn’t see them in his view.

Along with the processed image stream the EyeTap displays in Mann’s visual field icons (temperature display, etc.) and controls enabling him to interact with what he sees. He can make voice comments, for example, or reference other visual and textual resources (email, blueprints, drawings, pictures) in overlay. And yes, of course, the EyeTap accesses network resources wirelessly.

Mann's latest version of the EyeTap is fixed to his skull with titanium screws; yet a more unusual aspect of Mann’s existence as a cyborg is that he considers himself a Luddite—at least in spirit. Rather than destroying machines that threaten his livlihood, as the 19th century Luddites did, Mann uses his own machine as a way to mediate and control his experience as a human being in an increasingly computer-mediated environment.

Cyborgs and Civil Rights

In the coming era of ubiquitous computing, cyborgs like Mann seem to make inevitable a clash between laws that guarantee protection against unreasonable searches and seizures and those upholding rights of property owners. Simply put, in what Cory Doctorow describes as a coming war on general purpose computing, legal systems will have to adjudicate boundaries between the rights of users and the rights of owners. Balancing efforts to enforce and circumvent those laws poses a daunting challenge for any society with hopes of being workably civil.

Does a cyborg like Mann have the right to disrupt or deny interactions with the many sensors and systems that his EyeTap encounters? If so, which ones, when, and how? Will a cyborg's face permit devices to "recognize" it?

The Bits Go On

Ask yourself if Steve Mann is your BYOD nightmare or potentially your most responsible user. Is a cyborg just another endpoint on the network?

Wherever cyborgs travel, and as the tussle between users and owners of computing resources heats up, we in the IT tribe must keep our eyes on where and how the bits are flowing through our networks, to and from endpoints. Good tools for tracking users, watching bandwidth use, and analyzing traffic promise to become all the more important as we all morph into nodes.

zombie process.jpg

Being a SysAdmin, you might have to deal with unexpected requests and situations day in and day out, making your life quite challenging at times. In addition to dealing with haywire user requests, there are certain recurring system issues which do not help the situation. One issue you may have faced often is dealing with annoying zombie processes. So, what exactly are these so called zombies?

Zombie Processes are Not Flesh Eating Monsters
This might be old school but it doesn’t hurt to learn again. A zombie process is one that when finishing execution will have an exit status to report to its parent process. As a result, the process will remain in the operating system’s process table as a zombie process, indicating that it is not to be scheduled for further execution but cannot be completely removed until it has been determined that the exit status is no longer needed.
So basically, these zombie processes remain in the process tables even after they have fully executed and no longer use up processing power.

Zombies are Not Destructive, But…
Generally zombie processes don’t cause performance issues on the servers. These are just leftover bits of dead processes that haven’t been cleaned properly by their parent process (i.e. when these processes were killed, the parent process didn't correctly collect the processes exit information). That being said, if the number of zombie processes is exceedingly larger than the process limit on the server, serious problems can occur, such as:
• The application hangs and simply stops responding.
• You receive a warning from the OS that the application is unresponsive.
• Too many zombie processes would stall the system and lead to rebooting.

Going for the Kill
Some of these options can be tried to kill zombie processes:
• The first option is to wait. It is possible that the parent process is intentionally leaving the process in a zombie state to ensure that future children it may create will not receive the same PID (Process ID).
• The other option is to identify the parent process and kill it.

Monitoring & Managing Processes in Real Time
Keeping track of your server and application farm has never been this easy. With SolarWinds Server & Application Monitor’s Real Time Process Explorer (RTPE), you no longer need to physically or remotely log in to a particular machine and run the Task Manager to retrieve that machine's vital statistics. Information for both monitored and unmonitored processes is displayed directly through the RTPE and with the additional command line option, you exactly know from where the process is running.
You can kill rouge processes that are eating your server’s CPU and memory directly from the RTPE.  Check it out in the latest release (v5.5) of SolarWinds' server monitoring tool.

SAM_5.5_Remediation_Real-Time Process Explorer_base_en.png

                                SolarWinds all-in-one process monitoring & management tool

The future is so last millenium. The pace has quickened, your time is more precious, there are only 22 hours in a day, and people are releasing their pet pythons into the Everglades. We are now in the post-future era, folks. Things have changed and so have you.


Just as with engraved plates, and hand-set type, the day of the printed user manual may already be behind us, but we don't know. We, technical writers, just don't know...not for sure anyway...and we want to know: Do our customers still want a printed users manual? This question keeps us up nights.


A table of contents provides a visual representation of topics. An index offers a finer-grained method to find the information you seek. However, internet search engines have changed us; changed the way we look for information. Think "Google it." Even when we open PDF on our computer, the fastest path to the information we want is the little search box.

The printed manual question isn't the end, though. How do you like your information served. There's lots of technology available to produce many different content delivery methods. So tell us:


  • Printed Manual - yes or no; why
  • Embedded Videos - feature-specific, function-specific presentations in three minutes or less
  • Webinars - extended, instructional, topical, maybe serial

I joined SolarWinds a few weeks ago as a Product Marketing Manager. Though I had worked as a PMM earlier at AOL for Winamp, I still found that I have a lot to learn about the Network Management space (as well as how SolarWinds has remained so successful in it). In my usual fashion, I began gathering a list of sources to help me get started. Now, all of us approach learning a new topic in different ways. We have different questions that come to us at different points of time and in a different sequence. So as I embark on my path of learning I thought it would be helpful to share these questions I have, discuss the resources I am using to find answers, and get your insights into these topics along the way.  Who knows, maybe there are other newbies in the community that want to learn with me. 


So where did I start? Well, I figure it was best to understand what exactly is Network Management and why is it said to be such a large field?  I read Alexander Clemm’s book on Network Management Fundamentals. I found it very useful as it gives a good eagle’s eye view of everything that anybody related to this topic needs to know. It could be a network engineer, a VP or a product marketing manager. I highly recommend this book to newbees.


Alexander defines Network management as “activities, methods, procedures, and tools that pertain to the operation, administration, maintenance, and provisioning of networked systems.” Specifically, it consists of the following tasks:

  • Operations: deals with making sure the network is up and running. It includes network performance monitoring and making sure all problems are resolved asap.
  • Administration: deals with making sure resources such as devices, equipment and network management software are assigned properly and a tab is kept on them
  • Maintenance: involves performing repairs and upgrades . This includes both corrective and preventive measures.
  • Provisioning: means configuring the resources to support the required services.


Now what does this really mean? I’ll give an example that Alexander has given in his book. Network management is analogous to throwing a party !


When you throw a party, depending on the number of people you want to invite, you decide what the menu would be and how much food will be required. This is based on the guests’ needs. Depending on the number of people and your own abilities, you decide whether to cook it yourself or hire a caterer. If you cook it yourself, what should the ingredients be and where would you buy them from? Depending on where you live, you need to decide whether to host it at home or hire a place. Depending on the season you need to figure where to keep the coats or the hats. As the party proceeds, you need to monitor if people need more drinks, if someone has had enough already. Is the heating / cooling fine? Is the music fine? And at the end of the party, you also need to do the entire cleanup.


Similarly when you want to manage a network, you have to first figure out who the network is for. How many people exist in the organization and what their needs are? What services need to be provided by the network and what should be the capacity of such services? What type of network traffic monitoring will you need? How many devices will you need and of what type? Is it your business’ core competence to manage networks? If not, who should you hire to plan and implement the network? Do you have space, if not, do you need to lease a data center in some geography which suits cost and tax related issues? Once it is up and running, how would you monitor it? Would you hire some organization / consultant to monitor it? If you do it yourself, what tools and human resources would you need? Over a period of time when devices need to be added, removed or upgraded, how would you do that? And when devices need to be decommissioned, what needs to be done? The goal of the network management party is for its users to feel as happy and have as much fun as the regular party you would want to throw for your friends.


Throw a partyManage a network
# of people# of users
Food: Menu, cook / catererServices, do it yourself / hire a consultant / consulting company
Place: home / party hallData center: own / hired, on premise / off premise
During the party: Does anyone need more soup, has someone had enough drinks already?Managing a network: Is the network down? Is the bandwidth enough?
After party lean upDecommissioning the network or its devices


So as you can see, there is a lot of work involved in Network Management and it is indeed a HUGE field. If you’re new to Network Management and have a question or you’re an “old pro” that can share additional insight or recommendations, we’d love to hear from you.  I’m certain I will be able to navigate this HUGE field with help from you, the SolarWinds community. Until next time…..Happy Navigating!



Verifying Data


Now that LEM is collecting your log data, use nDepth and LEM Reports to search, analyze, and report on that data. In most cases, use the nDepth Explorer in the LEM Console to search and analyze your dataa and use the stand-alone LEM Reports application to report on your data.


Which Do I Pick?


Use nDepth if you want to perform immediate search or analysis tasks, or create specific custom PDF reports. Use nDepth to:

  • Search your log data interactively
  • Search for specific variables, such as user names, IP addresses, or specific events
  • Perform root-cause analysis
  • Troubleshoot specific issues
  • Explore data and produce custom PDF reports


Use LEM Reports if you want to view or schedule fixed reports for regulatory and compliance purposes or to:

  • Automate reporting
  • Produce compliance reports
  • View reports based on specific regulatory compliance initiatives
  • Provide proof that you are auditing log and event data to auditors
  • Schedule formatted reports for LEM Reports to run and export automatically


SolarWinds Log & Event Manager collects, stores, and normalizes log data from a variety of sources and displays that data in an easy to use desktop or web console for monitoring, searching, and active response.

Most of you will be happy to learn that our help system is in the process of being overhauled. Most certainly, life will be easier after the transition for everyone who reads our online help content. However, during the transition, for the tech writers here will be...hectic, suffice to say. In a nutshell, this transition from one system to another requires us to convert every document we have, without losing any of the links. A daunting copy and paste task, to say the least. I hate tedious work, so I took it upon myself to create a tool that does the work for me/us. What would have taken hundreds of hours to do now takes a few minutes. (I'll be expecting an "Adda Boy" in the coming weeks).


Fortunately for you, the user, tools are also created for you to make life easier. Take for instance the latest release of WPM (2.0.1). Bet you didn't know it now comes with a Domain Accounts configuration tool. Yup.

Why was this created? Well, we have a KB outlining how to do what this tool does manually, but that seemed like too much to ask of our valued customers. Hence, the Domain Accounts configuration tool was born. Where do we get our ideas for these tools? Well, you basically. The squeaky wheel gets the grease!

SolarWinds is pleased to announce the release of its latest network discovery and mapping tool, Network Topology Mapper (NTM).  NTM has a broad set of applications and use cases ranging from simple discovery of network devices to the maintenance of network diagrams to meet specific information security requirements.


Network Discovery


NTM is a robust network discovery tool that can be used on an unlimited number of networks.  This makes NTM the perfect tool for Managed Service Providers and IT Consultants that work with multiple clients.  Simply install NTM on a laptop, take it to clients’ locations, and use it to scan and map their networks.  You’ll quickly find all of the devices on a network and have them presented in an easy-to-use interface.


NTM’s network discovery feature gathers information about network nodes utilizing multiple polling methods.  These include ICMP, SNMP v1-v3, WMI, CDP, LLDP, and VMware.  Using these methods, NTM can create a comprehensive network map that shows you all of the devices on a network – even those that aren't supposed to be there.


Network Mapping


NTM uses the information it gathers from network scans to create highly accurate network maps.  Network maps created with NTM can be displayed in several ways to give you the most appropriate visible representation of your network topology depending on your needs.  Maps created with NTM contain a wealth of information about your network and the nodes on it including network speed between nodes, hardware type, subnets and VLANs.  NTM also contains a set of role classification filters that allow you to display devices based on their role or only show specific network segments.


Exporting network maps created with NTM is a snap!  NTM allows you to export your network maps to Microsoft® Visio® versions 2007-2013, PNG, and PDF formats.  It also allows you to export to SolarWinds Network Atlas format.  Maps exported to Network Atlas format can easily be imported into Orion and used by other SolarWinds products like Network Performance Monitor.




Meeting Specific Requirements of Information Security Standards


More and more, organizations are required to adhere to rules laid out by information security standards like PCI, HIPAA, SOX, and others.  Many of these information security standards require organizations to keep up-to-date diagrams of their networks.  NTM can help organizations meet these requirements with its scanning and mapping features.  NTM includes a scheduled scan feature that can be set to run scans of a network at intervals chosen by the organization.  Each new scan represents a picture of a network as it exists at that time.  These can be exported and archived to ensure an organization is meeting these network mapping requirements.


Additionally, new diagrams created at each scan show changes to network topology since the last scan.  In this way, NTM can be used to detect rogue devices or unauthorized changes to a network.


Check Out SolarWinds NTM


Like all other SolarWinds products, NTM is available for a free trial.  If you are an IT Consultant, work for an MSP, have to meet information security requirements, or just need to see what’s on your ever-growing network, NTM can help.

What is this "wireless crunch"?


People have been talking about the "wireless crunch" or "spectrum shortage" for a number of months, if not years. Within the past six months or so, there's been an even bigger push on this issue (or group of issues). But what impact does this nebulous wireless crunch have on you? Well, if you have used a wireless connection in a busy cafe, or have ever tried to use your data at the edge of your provider's range, you have had a taste of what may be in store for our future.


As our demand for wireless data increases, the amount of bandwidth available for that demand does not change and is predicted to run out (in the U.S.) within the next two years. As history has shown, such shortages lead to increased prices, decreased quality, and potential rationing (or throttling/capping). This ends up leading to unhappy people complaining about how slow their internet is.


The crux of the issue is that there is a small, finite radio band on which all wireless communications broadcast and a lot of people needing and wanting access to that band. (CNET has a good write up, if you want to read more about it.)


How are "we" solving the wireless crunch?


In the end, the only real solution is more bandwidth or finding a new way to transmit data outside of radio waves (hello, quantum networking). We can reduce the amount of data we put out on the selected spectrum via technological improvements and changes, but that's more of a short term solution.


Here's what's been happening so far (this is a mostly U.S.-centric):

  • The U.S. government made headlines mid-February when it finally passed legislation to allow the FCC to auction off some more of the wireless spectrum to carriers.
  • The U.S. government has been contemplating reallocating spectrum from the broadcast band, which might be what they're auctioning off.
  • The U.S. government is also thinking about finding a way to share military bands with commercial wireless needs.
  • Additions to the wireless standards, such as WiGig, to move specific needs, like peripheral communications, off the main wireless band.


How does this actually affect me?


Hopefully it won't affect you, but based on the speed of government and the speed of new technology adoption, it probably will.


Obviously, the use of mobile devices is what is behind this strain. As we are an increasingly mobile and connected society, (who really wants to go back to the pager ball and chain?), we're going to start running into lagging connections, unavailable signals, and dropped connections. This, in turn, starts to affect how we're able to work on the go. Instead of firing up your mobile administration app on the train, you might have to wait until you've stopped someplace with signal, or a five minute RDP session may end up taking double that time.

In the busy world that most IT admins live in, it can be pretty hard to carve out even twenty or thirty minutes to watch a training video. So when we sat down with some of our favorite bloggers to put together a couple comprehensive training videos that were a bit longer, we made sure we could also have a set of short form videos on very targeted topics.


We have a set of seven initial videos that I call our “Two-Minute Tutor” video series. Not being known for subtle naming, you probably already guessed that these videos are all about two minutes long and show you how to evaluate or troubleshoot common virtualization or storage issues.


The first two I’d like to highlight are focused on storage I/O analysis, which really go hand in hand. The first video “Storage I/O Latency Impact Analysis” focuses on management of a VMware datastore with high storage I/O latency and drilling down on that datastore to gather more details. However the focus of this video is how you can map that datastore to hosts, clusters, and VMs that are dependent on it. Once you have the environment map, it is easy to find related resources that are either causing the problem or being affected by the problem. Check out the video here:


Virtual Storage I/O Latency Impact Analysis

The second storage I/O latency video is “Storage I/O Throughput Analysis.” Given that you’ve mapped and understand the effects of a virtual storage I/O latency problem, this video walks you through the steps to identify the drivers of storage I/O for a datastore. After drilling down on the datastore, the video shows overlaying the VMs hitting that datastore so that you can see which VMs are driving storage I/O, spikes in I/O, etc.


Virtual Storage I/O Throughput Analysis




Other Two-Minute Tutor videos include:


We would appreciate feedback on the videos and the usefulness of their short format. We’d also like any input on other virtualization or storage topics you think would be useful.

Say what you will about Microsoft's new Windows 8 operating system, but when it comes to yet another desktop to manage, IT administrators always turn to DameWare.


Two interesting "DameWare on Windows 8" events happened recently so we thought we'd share.


#1: Windows 8 Downloads "Editor's Pick" Award


Yes, ANOTHER DameWare award.  Right after our fourth consecutive win as's best remote control software, we learned that checked our Windows 8 compatibility, and then awarded us their "Editor's Pick" award in the "Network & Internet > Remote Computing" category.


#2: YouTube of DameWare on Microsoft Surface Pro (Running Windows 8)


Last week mobile device enthusiast "jimmyyen101" put together a two-minute YouTube video showing DameWare in action on a Microsoft Surface Pro running Windows 8.



Your Experiences with DameWare on Windows 8


Have you worked with DameWare on Windows 8 yet?  If so, please tell us how it's going in the comments below.  If not, give it a try today.

This week we are going to discuss Monitoring, Events, and Filters. For the purpose of this blog, I will be using SolarWinds Log & Event Manager (LEM) as our monitoring software. LEM collects, stores, and normalizes log data from a variety of sources and displays that data in an easy to use desktop or web console for monitoring, searching, and active response.



Why do you need monitoring?


Network monitoring is necessary to maintain the integrity and safety of your internal network. Monitoring can determine if your network is overloaded, has crashed servers, network connection issues, or even if you are the target of an unauthorized access attempt. LEM monitors network activity by analyzing the log data collected, and then parsing the information with the use of out-of-the-box filters or custom filters.LEM displays the monitored events on your network in real time.


Events and Filters


Events are messages created from Agent, Manager, and network device log entries. These normalized (remember what this is? If not, then review this blog entry) events are sent from the Agent to the Manager for processing. At the Manager, the events are processed against your Rules, sent to your Database for archiving, and sent to the LEM Console for monitoring. On a busy network, there can be millions of events each day, so the LEM Console uses event filters to manage events.


A filter is a subset of your events that focuses on a particular type or group of events and hides all others. When configuring a filter, you can examine and use individual event properties to determine precisely which events are to appear in that filter. Filters also display events in real time. You can turn filters on and off, pause filters to sort or investigate their events, perform actions to respond to events, and configure filters to notify you when they capture a particular event


What kind of events necessitate a filter?

  • Change management events
  • High volume events
  • Events you want to monitor (user logon failures, etc)
  • Testing conditions for future rules

Kiwi CatTools can be installed as a standalone application or as a service on any Windows server.  Installing it as a service grants you the ability to schedule automated backups or config changes while you're away at your computer.

At the center of CatTools is a Batch processing machine. Once you have setup your network devices, such as, routers, switches, and firewalls, you can then have CatTools perform one of the many predefined activates against your devices. Some of these activities include sending commands directly to your device in normal or privilege mode, setting the password for your devices, either en masse or individually, testing connectivity, and backing up and restoring your running configurations.

Top Features

The first feature is the ability to mass backup the configuration of all your devices. If any configuration differences are found, you can then have them emailed to you.

Another excellent feature includes using activates to issue commands via telnet or SSH out to multiple devices at once. You can also change the configuration of devices at scheduled times. Another example would be to pull the IOS version you're running across multiple devices.

You can also compare two different configuration files in the Compare tab. This feature highlights the changes for you. You can even run a comparison between a network's current configurations to the startup configuration.

2-28-2013 6-33-39 PM.png

The Reporting tool provides you many options right at your fingertips. It allows you to run ARP table, or port, MAC, and version details reports. The ARP report automatically indexes MAC addresses against IP addresses and device interfaces, and then resolves their host names via DNS if required. By default  the table is updated with each run of the activity, so it provides a historical record of the devices attached to your network over time. Each entry is time stamped, and "First Seen" and "Last Seen" columns included in the report.

To see more of these features you can visit the CatTools website.

Filter Blog

By date: By tag:

SolarWinds uses cookies on its websites to make your online experience easier and better. By using our website, you consent to our use of cookies. For more information on cookies, see our cookie policy.