It’s just another typical day at the office. You know, one of those days where you switch gears from Help Desk Professional to Pest Control Expert… Sound like a horror story? Well deal with it, because it happens.


You probably didn’t plan on a career change today, but leave it to your beloved users to keep you on your toes. Have no fear! Web Help Desk software from SolarWinds helps you deal with even the most obnoxious end-users—and gives you a chance to win a giant, wild-eyed wall cling to protect your lair from stupid questions, bad suggestions, and annoying requests.


Case in point: Ever meet that certain special user who prides herself on working through lunch every day at her desk? The last time she called you for help, you saw her version of 'tough love' and 'hands-on' troubleshooting. Today, it turns out she’s not the only one who’s been using her machine. All those working lunches have invited some unexpected guests… that YOU now have to take care of. Congratulations on your new title of Pest Control Expert!


Turn this horror story into a success story with Web Help Desk, simple yet powerful Web-based help desk software that streamlines your ticketing, asset management, knowledge base, and IT changes so you can focus on the task at hand. Whatever worst case scenario is waiting for you, Web Help Desk has you covered.

Check out the Help Desk Confessions videos in the SolarWinds Big Hairy Sweepstakes to cast your vote for the most obnoxious end-user. Once you vote for your favorite video, you’ll be automatically entered for a chance to win your very own limited-edition, big, hairy beast! Vote Now!


Did you know that you can use Kiwi Syslog Server from SolarWinds to archive your Windows Event Logs?  (Handy if you need to meet regulatory requirements such as SOX, HIPAA or PCI-DSS.)


This video shows how SolarWinds Log Forwarder for Windows can be configured to send some or all your logs to one or more syslog servers. From there, Kiwi Syslog Server can be used to archive, compress and eventually purge your logs as your retention policy dictates.


How to Get SolarWinds Log Forwarder for Windows


You can download Log Forwarder for Windows from here. And it is also included as part of your Kiwi Syslog Server download file.



After you install the software, a Windows service will automatically start, but you need to configure the utility before it will forward Windows Event Logs. Start by opening the configuration utility from your Start Menu.  Then set up at least one Syslog Server (IP address and port number) and one "subscription" (which defines which event logs you want to forward).
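To make the forwarding step concrete, here is an added example (not Log Forwarder's or Kiwi's own code) that builds the kind of RFC 3164 syslog line a forwarder of this sort puts on the wire from a Windows event record. The level-to-severity mapping and the sample event are constructed for illustration; make the mapping match whatever you configure in the forwarder, because Kiwi filters and archive rules key off the PRI value.

```python
"""RFC 3164 syslog messages from Windows event records.

Added example (not SolarWinds Log Forwarder code): shows the wire format a
forwarder of this kind emits, in particular the PRI field and the mapping
from Windows event levels to syslog severities. The mapping and the sample
event below are constructed for illustration.
"""
import socket
from datetime import datetime

# Facilities (RFC 3164 section 4.1.1). local0..local7 are the usual choice for forwarded logs.
FACILITY_USER = 1
FACILITY_LOCAL0 = 16

# Windows <System><Level> values -> syslog severities (assumed mapping; align it with
# your forwarder's configuration so Kiwi-side filters fire on the right events).
LEVEL_TO_SEVERITY = {1: 2, 2: 3, 3: 4, 4: 6, 5: 7}  # Critical, Error, Warning, Info, Verbose
DEFAULT_SEVERITY = 5  # Notice, for a level the mapping does not know


def priority(facility, severity):
    """PRI = facility * 8 + severity; range-checked so a bad mapping fails here, not on the server."""
    if not (0 <= facility <= 23 and 0 <= severity <= 7):
        raise ValueError(f"facility {facility} / severity {severity} out of range")
    return facility * 8 + severity


def rfc3164_timestamp(when):
    """'Mmm dd hh:mm:ss' with a space-padded day ('Apr  2', not 'Apr 02')."""
    ts = when.strftime("%b %d %H:%M:%S")
    return ts if ts[4] != "0" else ts[:4] + " " + ts[5:]


def format_syslog(event, facility=FACILITY_LOCAL0):
    """Render one event dict as a single RFC 3164 line; newlines in the message are collapsed."""
    severity = LEVEL_TO_SEVERITY.get(event["level"], DEFAULT_SEVERITY)
    tag = f"{event['log']}[{event['source']}]"    # TAG field: which log and which provider
    message = " ".join(event["message"].split())  # syslog is line-oriented
    return (f"<{priority(facility, severity)}>{rfc3164_timestamp(event['time'])} "
            f"{event['host']} {tag}: EventID={event['event_id']} {message}")


def send_udp(line, server, port=514):
    """Classic UDP transport: fire and forget, no delivery guarantee, 1024-byte cap per RFC 3164."""
    data = line.encode("utf-8")[:1024]
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.sendto(data, (server, port))
    return len(data)


# Constructed sample: a service crash recorded in the System log (Event ID 7034, level 2 = Error).
SAMPLE_EVENT = {
    "time": datetime(2013, 4, 22, 9, 5, 7),
    "host": "WKS-042",
    "log": "System",
    "source": "Service Control Manager",
    "event_id": 7034,
    "level": 2,
    "message": "The Print Spooler service terminated unexpectedly.\r\nIt has done this 1 time(s).",
}


def sample_lines():
    """The sample rendered twice, the second on a single-digit day to show the padding."""
    early = dict(SAMPLE_EVENT, time=datetime(2013, 4, 2, 9, 5, 7))
    return [format_syslog(SAMPLE_EVENT), format_syslog(early)]


if __name__ == "__main__":
    for line in sample_lines():
        print(line)
    # send_udp(sample_lines()[0], "10.0.0.5")  # uncomment to forward to a Kiwi Syslog Server
```

Two practical notes follow from the code: UDP syslog drops silently under load, so for logs you keep for SOX, HIPAA or PCI-DSS retention prefer the forwarder's TCP option where it offers one; and the 1024-byte cap means long Windows messages (security events especially) get truncated, so keep the event ID and host in the fixed part of the line where they survive.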



Deploying SolarWinds® Log & Event Manager (LEM) is a cinch! Watch this short video by LEM subject matter expert Rob Johnson to help you walk through the deployment process.


LEM Virtual Appliance

LEM is packaged as a virtual appliance that can be deployed on VMware or Hyper-V™. The appliance contains everything the installation needs, including the operating system and the database, so you don't have to install any of those components separately.


Just follow the simple steps given below for quick, do-it-yourself LEM deployment.


Import LEM OVA File into VMware vSphere™

  • After downloading LEM, deploy the “Deploy First – LEM Virtual Appliance.ova” file using VMware vSphere™ version 4.0 or above.
  • Then, power on the virtual machine (VM) named “SolarWinds Log & Event Manager” that shows up on your vSphere client.
  • Let the VM pick up an address from your DHCP server, or assign a static IP address manually. (Refer to this KB article for quick tips on assigning a static IP.) For a log collector a fixed address (static, or a DHCP reservation) is the safer choice: every device you point at the appliance will keep sending to that address, and logs sent to a stale one are simply lost.


Deploy SolarWinds LEM from Web Console

Now launch a browser (the latest version of Internet Explorer®, Chrome™, or Firefox®), point it at the IP address assigned to the VM to reach the LEM web console, and start monitoring logs from your network devices, security appliances, workstations, servers, VMs and more.



You can also choose to install LEM Desktop Console (from the downloaded installer package containing the OVA file) on your Windows® machines.


Download LEM and deploy it using VMware in a few minutes. Start monitoring your IT environment for simple and effective log management and analysis, real-time event correlation, incident response, regulatory compliance, and more!


Here’s a quick tutorial to deploy SolarWinds LEM using Microsoft® Hyper-V.

"To upgrade, or not to upgrade, that is the question:

Whether 'tis Nobler in the mind to suffer

The Slings and Arrows of outrageous license upgrade fees,

Or to take Arms against a Sea of troubles (i.e. slow PCs and poor performance) 

And by upgrading everything end them..."

                               - Spamlet, an IT guy in Denmark


According to Andy Patrizio, the Microsoft Explorer at NetworkWorld, some of you IT pros out there may be holding out on upgrades of mission-critical software because license upgrade fees are simply too steep for your enterprise. In his article, Patrizio relates that, on a recent trip to the doctor, he noticed she was still running her office on Windows XP:

"...she is still using an XP machine that is quite old. When you can watch windows redraw as they open and close, you know your PC is slow.


The problem wasn't getting a new PC, she could swing that. The problem was that the specialty software she uses that had been upgraded for Windows 7 required an upgrade fee of close to $10,000." [source]

That $10,000 upgrade fee for medical software was keeping his doctor from upgrading her dinosaur of an office PC. Reading this, I got to wondering how big a problem this might actually be in the realm of network management. Hopefully, of course, it isn't, because you're running best-in-class solutions from SolarWinds at a price point that simply can't be beat, so you can afford to keep everything running tip-top. And, if you're not, may I direct your attention to our IT management solution finder?


A few of the comments to Patrizio's article provided some potentially workable solutions for his doctor, mostly along the lines of improving performance by upgrading her hardware, with her OS upgrading in the process, and saving money by running a virtual machine for the specialty software. That, or something similar, might actually work, but it is, of course, far from ideal.


So, I'm curious, and I want to hear from you, esteemed IT pro: How often and how long have you delayed an upgrade due to its prohibitive expense? Is the case Patrizio encountered common? What could be done to address the issue?

It’s inevitable. Every now and then, you’re bound to come across a Mr. Know-it-all, the user who’s convinced he knows as much as, or more than, you. And while you may not be able to deal with him, you can deal with his technical problems as long as you have reliable Web Help Desk Software from SolarWinds… (and lots and lots of patience).


Mr. Know-it-all, here, is a power-user—of course. That means you can expect an enlightening one-way conversation full of his suggestions on how you should go about doing your job of solving his problem. We’re here to let you know it’s going to be okay. Just remember to breathe. And maybe count to 10 as he casually mentions his salary, again, which happens to be twice as much as yours.


Before you officially see red, stop! And remember you don’t have to go into battle alone. What better way to protect your lair from end-users with annoying questions, unnecessary suggestions and over-the-top requests, than with a larger than life, big, hairy, wild-eyed wall cling to put Mr. Know-it-all in his place.


As you know, obnoxious end-users come in all types, so check out the SolarWinds Big Hairy Sweepstakes to cast your vote for your favorite end-user video. Once you submit your entry form, you’ll be automatically entered for a chance to win your very own limited-edition beast! Vote Now!


It's always good to stay grounded and get back to the basics once in a while. Working in security information and event management (SIEM), we hear about security threats and breaches constantly, and this week started with one: a Security Week report said suspected Chinese hackers defaced the website of the Philippines News Agency, a possible repeat of cyber-attacks last year that were also blamed on China during a territorial row.

So why do organizations keep getting attacked? To answer that, we first need to understand the threats we face, and then audit the network against them. Security in a network or a system is closely tied to dependability: the bottom line is that we need to protect business services and data against the threats that can plausibly reach them.


So what are threats?

In simple terms, a threat is any potential event or actor that could exploit a vulnerability in your IT infrastructure to breach security and cause harm. Businesses face many external and internal threats that can damage hardware and compromise data, and today's threats are more sophisticated than ever and growing at an unprecedented rate.


You can classify security threats into two major groups based on the threat sources – external and internal.


External Threats:

Anyone or anything outside your organization that attempts to gain unauthorized access to your organization networks using the Internet or any other networks qualifies as an external threat. According to a DTI (Department of Trade and Industry) survey, 72% of all companies received infected e-mails or files last year, and for larger companies this figure rose to 83%.


Let's discuss some types of external security threats, the ones IT leaders consistently name as their prime concern.

  • Malware: code specifically designed to damage, disrupt, or take illegitimate action against data, hosts, or networks. Viruses, worms, Trojans, and bots fall into this category.
  • Hacking: an attacker exploiting vulnerabilities in your network or applications to gain access they were never granted.
  • Spam: unsolicited bulk messages; a nuisance in itself and a common carrier for malware and phishing links.
  • Phishing: fraudulent e-mails or web pages that impersonate someone the user trusts in order to trick them into handing over credentials or opening a malicious attachment.


Internal Threats:

Alright, let’s move on to internal threats. Believe me, you can never write them off: some of the most significant threats an enterprise faces come from within. Let me quickly give you a couple of scenarios:

  • Data Leakage: insiders are the people who set up and maintain critical databases, network segments and web portals. They can quietly move sensitive data off the network on USB devices, especially where removable media is not controlled, and through many other channels (e-mail, cloud storage, printouts).
  • SQL injection: an attacker supplies input that the application pastes into a database query, so the database executes the attacker's SQL and returns (or modifies) data the application never meant to expose, such as password hashes or blueprints. The payload usually arrives from outside through a web form, but the flaw itself is internal: an application built without parameterized queries.
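The following added example (not SolarWinds code; Python's sqlite3 with a constructed users table standing in for any application that builds SQL from request input) shows the two injection outcomes described above side by side with the parameterized fix: a login bypass via a comment payload, and a password-hash dump via UNION.

```python
"""SQL injection: a concatenated query beside its parameterized replacement.

Added example using Python's sqlite3 and a constructed users table; it is
not SolarWinds code and stands in for any application that builds SQL from
request input. The attacker strings are the classic comment and UNION payloads.
"""
import hashlib
import sqlite3


def hash_pw(password):
    # Unsalted SHA-256 keeps the example short; use a real password hash in production.
    return hashlib.sha256(password.encode()).hexdigest()


def build_db():
    """In-memory database with one constructed account."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE users (username TEXT PRIMARY KEY, pw_hash TEXT NOT NULL)")
    db.execute("INSERT INTO users VALUES (?, ?)", ("alice", hash_pw("correct horse")))
    db.commit()
    return db


def login_vulnerable(db, username, password):
    """Input is spliced into the SQL text, so a quote in the username rewrites the query."""
    sql = ("SELECT username FROM users WHERE username = '" + username +
           "' AND pw_hash = '" + hash_pw(password) + "'")
    return db.execute(sql).fetchone() is not None


def login_safe(db, username, password):
    """Bound parameters: the driver sends the values separately; they are never parsed as SQL."""
    row = db.execute("SELECT username FROM users WHERE username = ? AND pw_hash = ?",
                     (username, hash_pw(password))).fetchone()
    return row is not None


def search_vulnerable(db, prefix):
    """A harmless-looking lookup that a UNION turns into a dump of the hash column."""
    sql = "SELECT username FROM users WHERE username LIKE '" + prefix + "%'"
    return [row[0] for row in db.execute(sql)]


def search_safe(db, prefix):
    return [row[0] for row in db.execute(
        "SELECT username FROM users WHERE username LIKE ?", (prefix + "%",))]


def demo():
    """Run both versions against the same payloads and report what each one did."""
    db = build_db()
    bypass = "alice' --"                           # closes the string, comments out the password test
    dump = "' UNION SELECT pw_hash FROM users --"  # appends a second SELECT over the hash column
    return {
        "honest_login": login_safe(db, "alice", "correct horse"),
        "vuln_bypassed": login_vulnerable(db, bypass, "wrong"),
        "safe_bypassed": login_safe(db, bypass, "wrong"),
        "vuln_leak": search_vulnerable(db, dump),
        "safe_leak": search_safe(db, dump),
    }


if __name__ == "__main__":
    for name, outcome in demo().items():
        print(f"{name}: {outcome}")
```

One caveat on the demo: sqlite3's execute() refuses to run more than one statement per call, which is why the payloads here use a comment and a UNION rather than a stacked "; DROP TABLE" injection. Many other drivers give you no such protection, so the fix is always the parameterized query, never trust in the driver.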

For more on each kind of threat, stay tuned. There’s more coming!

Given the nature of today’s dynamic networks, it should be no surprise that firewall administrators have their hands full trying to keep their networks secure while also maintaining the highest levels of performance and uptime. So, when something goes wrong, time is of the essence to get it fixed!


Fortunately, there’s a tool for that. It’s called Packet Tracer and it's part of SolarWinds Firewall Security Manager (FSM). Packet Tracer gives you visibility into how firewall rules and routing tables control traffic across your network.  The two main use cases for Packet Tracer are:

  • Testing – Test configuration changes without actually implementing them in your production environment.
  • Troubleshooting – Identify all devices and the device policies along the network path to see why a packet cannot reach its destination.

How Does Packet Tracer Work?

Packet Tracer utilizes a two-step approach to tracing the path of a packet. First, it finds all routable paths to the packet destination, taking into account NATing along the path. Next, on a routable path it evaluates the ACL on each device along the path to check if the device allows or drops the packet.


Packet Tracer uses virtual packets to determine reachability so you can test changes beforehand without touching (or bringing down) the production environment, as well as quickly troubleshoot traffic flow issues by identifying all devices and rules that act upon a specific packet.


Simply input a source IP address, a destination IP address, and a service (protocol and destination port number) and click Run.


Once the virtual packet is successfully traced through the network (no actual packet is being injected in the network), a Packet Tracer Report is generated. This report provides a summary of the results obtained from the trace and the path details.



The Trace Results Detail is a detailed description of a path. It contains the following data:

  1. A description of the path
  2. The entering device and entering interface of the packet
  3. The real destination IP address (which may be different from the packet destination IP address, due to NATing)
  4. The trace result for the path
  5. The trace results by device, which shows the effect of each device along the path on the packet.


Path Description: Paths are labeled path1, path2, etc. The path description lists the sequence of devices along the path using the following format: Source network name-> entering interface-> device name-> exiting interface-> network name, etc.



The Trace Result for the path identifies one of the following four possible outcomes:

  1. A routable path is found and all devices along the path allow the packet to reach its intended destination network.
  2. A routable path is found that ends in the packet destination, but one or more devices' ACL or NAT rules block the packet at some point along the path.
  3. There is no routable path for the packet to the destination because of:
    • a routing conflict
    • no default route in a device along the path
    • routing to a disabled interface
    • a routing loop
  4. There is no routable path for the packet to the destination because of a missing gateway.


In the Trace Results by Device section, the rows of the table are ordered by the sequence of devices along the path traced. The last column, Trace Result, shows the action (allow or deny) of the devices' ACL, NAT, and route rules on the packet passing through the device. Hyperlinks to devices in the Path Details worksheet show details of individual rules that impact the packet flow.
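To show what the two-step approach above actually computes, here is an added example (not Firewall Security Manager's code) that traces a virtual packet across a constructed two-firewall topology: it first walks the routing tables (applying destination NAT, so the real destination can differ from the packet's) and then replays the packet through each device's ACL in path order, returning the same outcome families the report lists. The per-device order assumed here (translate, filter, route) is one common choice; vendors differ, so check how your firewalls order NAT and ACL evaluation.

```python
"""A miniature packet tracer: find a routable path, then evaluate each device's ACL along it.

Added example, not SolarWinds Firewall Security Manager code. Traces a virtual packet
across a constructed two-firewall topology and reports ALLOWED, BLOCKED (with the
device whose ACL denied it) or NO_ROUTE (with the reason). Assumed per-device order:
translate the destination, then filter, then route.
"""
import ipaddress
from dataclasses import dataclass, field


@dataclass
class Rule:
    action: str          # "permit" or "deny"
    src: str             # CIDR
    dst: str             # CIDR, written against the real (post-NAT) address
    proto: str = "any"   # "tcp", "udp", "icmp" or "any"
    port: int = 0        # destination port; 0 means any

    def matches(self, pkt):
        return (self.proto in ("any", pkt["proto"])
                and pkt["src"] in ipaddress.ip_network(self.src)
                and pkt["dst"] in ipaddress.ip_network(self.dst)
                and self.port in (0, pkt["port"]))


@dataclass
class Device:
    name: str
    interfaces: dict                          # interface -> attached network (CIDR)
    routes: list                              # [(prefix, exit interface)]; "0.0.0.0/0" is the default
    acl: list = field(default_factory=list)   # first match wins; implicit deny at the end
    dnat: dict = field(default_factory=dict)  # public address -> real address

    def interface_for(self, addr):
        return next((i for i, n in self.interfaces.items() if addr in ipaddress.ip_network(n)), None)

    def translate(self, addr):
        return ipaddress.ip_address(self.dnat.get(str(addr), str(addr)))

    def route(self, dst):
        """Longest-prefix match; None when nothing, not even a default route, covers dst."""
        best = None
        for prefix, iface in self.routes:
            net = ipaddress.ip_network(prefix)
            if dst in net and (best is None or net.prefixlen > best[0].prefixlen):
                best = (net, iface)
        return best[1] if best else None

    def filter(self, pkt):
        return next((r.action for r in self.acl if r.matches(pkt)), "deny")


def trace(devices, pkt, max_hops=16):
    """Step 1 walks routing tables to the destination network; step 2 replays NAT and ACLs."""
    pkt = dict(pkt, src=ipaddress.ip_address(pkt["src"]), dst=ipaddress.ip_address(pkt["dst"]))
    hops, seen = [], set()
    current = next((d for d in devices if d.interface_for(pkt["src"])), None)
    if current is None:
        return {"result": "NO_ROUTE", "reason": "missing gateway on the source network", "path": hops}
    entering, real_dst = current.interface_for(pkt["src"]), pkt["dst"]
    while True:
        if current.name in seen or len(hops) >= max_hops:
            return {"result": "NO_ROUTE", "reason": "routing loop", "path": hops}
        seen.add(current.name)
        real_dst = current.translate(real_dst)
        exit_iface = current.route(real_dst)
        if exit_iface is None:
            return {"result": "NO_ROUTE", "reason": f"no route and no default route on {current.name}", "path": hops}
        hops.append((current.name, entering, exit_iface))
        exit_net = ipaddress.ip_network(current.interfaces[exit_iface])
        if real_dst in exit_net:
            break  # destination network reached
        nxt = next((d for d in devices if d is not current
                    and exit_net in map(ipaddress.ip_network, d.interfaces.values())), None)
        if nxt is None:
            return {"result": "NO_ROUTE", "reason": f"missing gateway on {exit_net}", "path": hops}
        entering = next(i for i, n in nxt.interfaces.items() if ipaddress.ip_network(n) == exit_net)
        current = nxt
    by_device, cur, by_name = [], dict(pkt), {d.name: d for d in devices}
    for name, _entering, _exiting in hops:
        cur["dst"] = by_name[name].translate(cur["dst"])
        action = by_name[name].filter(cur)
        by_device.append((name, action))
        if action == "deny":
            return {"result": "BLOCKED", "reason": f"ACL on {name} denies the packet",
                    "real_dst": str(real_dst), "path": hops, "by_device": by_device}
    return {"result": "ALLOWED", "reason": "", "real_dst": str(real_dst), "path": hops, "by_device": by_device}


# Constructed topology: Internet -> edge-fw -> DMZ web server, or -> transit -> core-fw -> server LAN.
TOPOLOGY = [
    Device("edge-fw", {"e0": "198.51.100.0/24", "e1": "192.0.2.0/24", "e2": "10.1.1.0/30"},
           [("192.0.2.0/24", "e1"), ("10.0.0.0/8", "e2"), ("198.51.100.0/24", "e0")],
           [Rule("permit", "0.0.0.0/0", "192.0.2.80/32", "tcp", 443),
            Rule("permit", "0.0.0.0/0", "10.20.0.0/24", "tcp")],
           {"198.51.100.80": "192.0.2.80"}),  # public web address -> DMZ server
    Device("core-fw", {"g0": "10.1.1.0/30", "g1": "10.20.0.0/24"},
           [("10.20.0.0/24", "g1"), ("0.0.0.0/0", "g0")],
           [Rule("permit", "0.0.0.0/0", "10.20.0.0/24", "tcp", 22)]),
]


def web_from_internet():    # ALLOWED; real destination 192.0.2.80 after NAT on edge-fw
    return trace(TOPOLOGY, {"src": "198.51.100.7", "dst": "198.51.100.80", "proto": "tcp", "port": 443})


def rdp_from_internet():    # BLOCKED at core-fw, which only permits tcp/22 into the server LAN
    return trace(TOPOLOGY, {"src": "198.51.100.7", "dst": "10.20.0.5", "proto": "tcp", "port": 3389})


def unknown_destination():  # NO_ROUTE: edge-fw has no default route
    return trace(TOPOLOGY, {"src": "198.51.100.7", "dst": "172.16.5.5", "proto": "tcp", "port": 80})
```

Reading the three probes against the report structure above: the path tuples correspond to the "entering interface -> device -> exiting interface" path description, `real_dst` is the report's "real destination IP address", and `by_device` is the Trace Results by Device table. Note that the third probe fails in step 1 and never reaches ACL evaluation, which is exactly the distinction between outcome 2 (blocked by a rule) and outcomes 3 and 4 (no routable path).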



The Benefits of Packet Tracer

In short, the Packet Tracer feature in SolarWinds Firewall Security Manager helps you understand how your network processes traffic. You get critical insight into how firewall rules and routing tables affect traffic flow. The end result is significantly reduced configuration errors and troubleshooting time.



Experience the power of Packet Tracer for yourself by downloading a free, fully-functional trial of SolarWinds Firewall Security Manager (FSM).

Long ago, after the earth cooled, the dinosaurs died, DARPA wired up the ARPANET and CERN gave us the Web, someone cooked up cookies. At first, they smelled as though grandma had just pulled them out of the oven, and she had let you watch her make them and lick the spoon. Now they were all gooey, hot, and new. Well, wake up and smell the coffee, cowboys and cowboyettes. These ain't your grandmother's cookies we're talkin' about.

Browser Cookies

The first cookies of any technological consequence were the browser cookies. These small text files stored mostly innocuous (This depends on how strictly you define the term.) information about a specific web site you visited: some of your activity on the site, maybe the site you were on just before you got there, and an identifier that let the site recognize you on your next visit. (Your browser and platform details travel in the User-Agent header, not in the cookie itself.) Browser cookies were something convenient. They were chewy, delicious, and left a great taste in your mouth. They were n00bie ch0w in the vast vastness of the new interweb thingy and n00bs gobbled them up like a duck on a bug. You could return to a site weeks later and the cookie enabled the site to welcome grandma...and made your experience much less scary than the one Hansel and Gretel had. Flash forward...

Flash™ Cookies

Onward to the recent future. (Remember my blog about how the future is long gone? We're now in the Post-future Era.)

Macromedia built Flash and Adobe bought it. Flash enables all kinds of cool stuff...for the folks on the other end of the cookie chain, that is. Often, you land on a site that requires you to install Flash. So, you install Flash, maybe a Flash plugin for your browser, and suddenly your Web experience changes in ways you never imagined before; in ways you couldn't have imagined, because they were unimaginable to most low-info web users...present readership excepted, of course. With Flash, you can play videos, you can view motion graphics, you can now interact with the web, plus, your laundry comes out fresh and clean-smelling as an Alpine breeze.

Many web cerfers (Google it.) never knew, and many still don't know, that Flash cookies are the evil twin of the cookies you were enamored with in your tech youth. Flash cookies, aka LSOs (Local Shared Objects), scarf up a whole lot more than where you've been, what you're doing, and what you like: an LSO can hold up to 100 KB per domain (a browser cookie gets about 4 KB), has no expiry date by default, and survives when you clear your browser's cookies. It's hard to top Ben Nell, Senior Security Engineer at Foreground Security, when it comes to a succinct description, "Flash cookies were designed to track user preferences in Flash applications, and their adoption as a mechanism to keep tabs on our browsing behavior is recent enough that tools that many consumers rely on to clear their cache of advertisers' cookies aren't even looking for them." Let that sink in a moment. With Flash cookies, marketeers have a method to write a file on your computer that contains more about you than you want to know, AND those rascals store it outside the browser's cookie jar, in a Flash Player folder under your user profile; a place you never go and would never look. A most disturbing aspect of Flash cookies is that the same LSO can be read back by other Flash content from the same domain, so a tracker embedded on many sites can recognize you across all of them. From a Popular Mechanics article by John Herrman, "The main problem here—that sites can store and maintain data and tracking cookies through your Flash plug-in, regardless of your browser's privacy settings—is something Adobe is aware of and says will soon be addressed. The latest version of Flash (10.1) already supports the private browsing features of browsers like Firefox and Internet Explorer, which prevent data from being stored locally when activated. Additionally, Adobe says, the company is working with "major browser vendors to develop effective approaches that allow users to control local storage in Flash Player directly from their browser privacy settings"—a fix that could eliminate this problem entirely."


Enter the answer to every marketeer's dream and every user's nightmare, the Evercookie. This tasty JavaScript morsel stashes copies of its identifier in many places on your computer at once (standard cookies, Flash LSOs, HTML5 local storage, cached images, ETags and more); delete one copy and the script rebuilds it from whichever copies survive, so any attempt to remove it is actively undone. Evercookies not only make my blood sugar rise, they bump my blood pressure up a few points, too. Lest I risk someone kicking my soap box out from under me, have a look at Evercookie. Follow the resource links. Be afraid. Be very afraid, but not so afraid that you fail to check back when, next time, we'll talk about Zombie Cookies.

Recently Wally Mead joined us for a webcast about Configuration Manager 2012 SP1 and the Microsoft Management Summit. That webcast is now available for public viewing on YouTube. As often occurs in a webcast, we were unable to answer all of the questions presented. We thank all of the participants for their questions and I was able to follow-up with Wally after the webcast and get answers to the rest of those questions. Additional discussion on these questions is welcome in the comments section and I’ll be happy to provide additional assistance, or follow up with Wally if appropriate.


One question that we did answer during the webcast concerned assistance with upgrading an instance of SQL Server to SQL Server 2012, and I wanted to share this MSDN collection that should provide some additional assistance with that effort: Upgrade to SQL Server 2012



Q1.  I have a question about Task Sequences. When booted from media, I have the option to insert IP Address when OS is booted to WinPE, however, these static settings I set do not survive to the actual OS phase, DHCP settings have taken over … any thoughts on how to get this kind of scenario working?


LG: During the webcast I suggested to use DHCP Reservations, but I asked Wally if there was another option for this scenario.


WM: The suggestion is to use DHCP reservations. That’s the best way to handle it. However, a response from the Product Group (PG) was:


PG: When they set the IP in WinPE, it is applied on the fly and not saved as it may only be relevant to WinPE. If they want to persist that IP, then they’ll need to do a custom script to pull the addresses from the system in WinPE and set the task sequence variables so that it is used later by the Apply Network Settings task.



Q2. Can you go over OSD support with SCCM 2012 SP1 in terms of using the default wim files that are shipped on the OS install DVD?


WM: You simply browse to the Install.wim from the OS when adding the Operating System Image. Then you add a new TS variable to tell it to not restore to the same drive:

     D: issue - Add OSDPreserveDriveLetter=False allows the task sequence to auto-correct



Q3. Are there any known issues with setting up SQL Server Reporting Services with Configuration Manager 2012?


WM: You must install SRS on a SQL Server computer, then make sure that we have an account to use. That’s really about it.



[This question is a follow-on to the use of security roles to manually add nodes.]

Q4. If I have a security group listed as an administrative user, I can grant that user security roles, which correspond to security groups? If I grant this administrative user security roles which define it to have access to fully manage clients in their collection, but only manage the All Systems collection to import computer information, I am not seeing a way to handle this because it seems to be a one-to-one relationship. So from the admin user group, what roles are they assigned on what collections? I don’t see a way to assign roles multiple times to say this role applies to this scope, while that role applies to another scope.


WM: By default, when you add an administrative user (individually or via a security group), you designate the role(s), security scope(s), and collection(s) that this administrative user has. All actions for all roles are available to all objects with that same scope applied, to all members of the associated collections. If you want more granular control, such as specific actions (i.e. roles) applied to specific collections, and other roles applied to different collections, you go to the “Security Scopes” tab of the administrative user Properties dialog. Then select the bottom radio button “Associate assigned security roles with specific security scopes and collections”. That allows you to control which roles/scopes are associated with which collections.



Q5. There is more than Exchange that we would want to manage on mobile devices, like applications, policies for connections, etc. We need a complete MDM solution based on CM, not an external service – when is that coming? (and from the same participant, in the registration form): Why doesn’t CM support devices the same way Intune does without the added cost of Intune?


WM: Configuration Manager does not provide the same level of management of mobile devices as does Windows Intune. If you need more management than what Configuration Manager can provide when integrated with Exchange ActiveSync, then you’d have to go with the Windows Intune integration. There is no planned on-premises, full MDM solution other than what we have for Windows Mobile/Phone 6.1/6.5 and Nokia Symbian. Windows Intune, through the cloud, is our stated direction for this support.



Q6. We don’t want CM advertisements for VApps to have a countdown, is there still a countdown notification in CM2012 advertisements for VApps?


WM: If you are referring to the countdown before a deadline app, then you can disable all notifications if you want to. That’s done on a per deployment basis, on the User Experience tab.



Q7. What is your recommended strategy for cluster patching with SC2012 SP1?


WM: We have architected nothing specific in Configuration Manager to handle cluster patching scenarios. Most people I know of are using System Center Orchestrator to coordinate those activities. But nothing in Configuration Manager natively, and no integration with the cluster aware updating from the OS. Other than Orchestrator integration, it is a manual process.



LG: And finally, for those of you who were unable to attend the Microsoft Management Summit, all of the sessions presented (plus some bonus interviews) are now available for public viewing on Channel 9.

A large number of IT help desk tickets… A series of repetitive tasks... Many different support teams... Multiple workflow dependencies... A perfect recipe for a chaotic and underproductive work environment.


In situations like this one, the ability to manage all your tasks seamlessly with a single help desk solution is critical. One that not only helps with ticketing automation but also with scheduling and prioritizing the tickets, and assigning them to the right teams based on the workflow requirements.


Let’s take a closer look at some of the most common and recurring tasks in an IT environment, such as re-imaging hard disks every week, provisioning of IT services, new employee induction, and so on that can be managed most effectively with the right help desk tool.


Each of these tasks can be scheduled to run at a specified date and time, or triggered manually.

(Screenshot: task management)

When tasks are created and assigned to the respective teams/personnel, your help desk system should automatically track the assigned ticket to log subsequent activity and the eventual outcome of the task or event.

Simplified Task Management


SolarWinds® Web Help Desk™ software streamlines IT ticketing and task management with user-friendly, customizable features allowing individual tasks to be defined by task elements and governed by event-based workflows. Web Help Desk is 100% Web-based and eliminates the need to install separate instances on clients’ or tech’s computers.


Customize multiple tasks using task elements

If a single repetitive task involves multiple request types, it can be defined by task elements. Web Help Desk software gives the flexibility to customize each of the task elements, all of which can be executed in series or in parallel.

(Screenshot: task elements)

When these task elements are assigned to multiple teams, the technicians can start addressing the tickets in an organized manner, enabling an efficient and productive help desk environment.


Action Rules & Workflow Integration

Tasks can also be associated to a certain action rule, simplifying complex processes such as conditional ordering of task elements and approval workflow integration.

With Web Help Desk, you can set a priority for each action rule. When multiple criteria are met at the same time, these priorities kick in to determine the action rule that has to be triggered. This flexible customization of the action rule priority and criteria makes it easier for help desk professionals to define the best action item, which could be any one or all of the following:

  • Running a task
  • Assigning tickets
  • Changing ticket priority/status
  • Modifying a ticket
  • Sending email
  • Including approval process


So you see, task management can be streamlined and simplified with SolarWinds Web Help Desk software. Its well-designed features let you have complete control when automating a series of tasks, clearly taking into account all related dependencies.


Download the 30-day free trial right now!

We had shared some excerpts from the candid chat that we had with Javvad Malik, and the “Most Entertaining Security Blogger” at RSA 2013 is back with another stunner this time around!

He is a 451 Group Analyst, but does excellent video blogs on security topics on his own website. Believe me, he is one of those rare guys who can make complicated Security and Log management tips look funny, cool and easy!!

It's very unusual yet beneficial that a security analyst takes the time to help educate people about IT security. The best part – you don’t need to read a lot to understand what he says.

Speaking of Log Management or SIEM, he feels it’s important to know what SIEM is, how it differs from Log Management, etc. For a cool high level view on log management, let’s see what he says:

Waking in the hospital after surgery, having lost both his legs in one of the bomb blasts last week in Boston, Jeff Bauman asked for pen and paper and with great effort wrote a note to communicate that a short time before the two explosions a man with a hooded sweatshirt had looked directly at him while dropping a bag.


That note led the FBI to review security video footage from stores near the two points of detonation. Analysts edited together one and a half minutes of video from store cameras at different places along the street near the site. And within twelve hours the suspect shown wearing a white hat in the video was identified on campus last Friday at MIT. By the end of that night one of two men in the security video was dead and the other was being pursued through a few fully cordoned blocks of the Watertown neighborhood in Boston.


It took a bit less than four days; from Jeff Bauman’s hospital room note to the release of still and video images of two suspects.


Had the bombing occurred in Manhattan it’s very likely police there would have had video images to circulate within hours thanks to NYPD's Domain Awareness System (DAS). One of the explicit purposes of that system is counter-terrorism; and to that end any alert within the system immediately makes available the last three minutes of surveillance video from any of the 3000 street-level cameras within 500 feet of the alert. Not only would images of the suspects have been seen within minutes of the explosions but, based on the cameras that captured the images, police would also have known the direction in which the suspects traveled after leaving the site; it’s even possible that some number of cameras would have provided images of the suspects along their entire escape route.


Though DAS would not necessarily have stopped the bombings in Boston from occurring, the system would excel in helping law enforcement contain and investigate such an incident. NYPD and Microsoft partnered to develop DAS as a pilot program in NYC and now offer the system as a product to other US police departments.


There is another aspect of the Domain Awareness System that I want to discuss next time. Here I just want to reiterate what everyone knows about IT systems: critical systems (especially those with life and death implications, for example, in hospitals or on airplanes) require available and reliable monitoring that regularly confirms those systems are working properly and quickly escalates alerts when they are not.

Ever want to dip your toes into the code pool but were just too intimidated? Here's your chance. The code below is fairly simple. All it really does, when placed within the body of a Windows Script Monitor, is tell you the number of days until your SSL Certificate will expire. Read through the code. Everything after the apostrophe (') is a user comment that explains that section of the code. Hopefully, this will give you a little more confidence when editing scripts.

BTW: SAM has an SSL Expiration Date Monitor which can be found here. The following example demonstrates a typical use case scenario using a Windows Script Monitor with a VBScript.

Warning: The code below is user-submitted. Use at your own risk. SolarWinds is not responsible for the impact this code may have on your system. Exercise caution when executing any code with which you are not familiar.

Note: This is merely a demonstration of how you can use VBScript with the Windows Script Monitor.

In order to calculate the number of days until an SSL certificate expires, a VBScript can be implemented with the Windows Script Monitor. This script relies on OpenSSL being installed on your SolarWinds server to check for the expiration date. The script below accepts one argument in the form of a host name (or URL) plus the port number, and returns, as the statistic, the number of days remaining until expiration. Before using this script you need to install OpenSSL, which is freely available on the internet. Ensure OpenSSL is installed at the path given in the script, or change the path to match your OpenSSL installation. For each instance of the monitor, change the text file that the monitor writes to (e.g. cer1.txt, cer2.txt); otherwise the monitors may return a value of "Unknown."


Installation: Pass the site name plus the port number as the script argument.



Simply copy and paste the code below into your Windows Script Monitor.


Option Explicit

Dim oShell
Dim ArgObj
Dim FSO
Dim Line
Dim Expiry
Dim DaysLeft
Dim ExpDate
Dim oExec
Dim tstream
Dim PluginPath
Dim CertFilePath
Dim char
Dim XString
Dim Pos

'Each instance of the monitor must write to its own file (cer1.txt, cer2.txt, ...)
CertFilePath = "C:\TMP\cert99.txt"

'Path to the OpenSSL binaries; change this if OpenSSL is installed elsewhere
PluginPath = "C:\Program Files\Solarwinds\Common\OpenSSL\bin\"

Set FSO = CreateObject("Scripting.FileSystemObject")
Set tstream = FSO.CreateTextFile(CertFilePath, True)

'The single script argument is host:port, e.g. www.example.com:443
ArgObj = WScript.Arguments(0)

Set oShell = WScript.CreateObject("WScript.Shell")

'Run openssl s_client to retrieve the server's certificate
Set oExec = oShell.Exec(PluginPath & "openssl.exe s_client -connect " & ArgObj)

'Close stdin so s_client does not sit waiting for keyboard input
oExec.StdIn.Close

'Write the certificate into the text file, reading one character at a time and
'keeping a 20-character sliding window so we can stop at "END CERTIFICATE-----"
XString = ""
Do Until oExec.StdOut.AtEndOfStream
    char = oExec.StdOut.Read(1)
    tstream.Write char

    If Len(XString) < 20 Then
        XString = XString & char
    ElseIf XString = "END CERTIFICATE-----" Then
        Exit Do
    Else
        'Slide the window: drop the first character, append the new one
        XString = Mid(XString, 2, 19) & char
    End If
Loop

'Close the file so its contents are flushed before openssl reads it
tstream.Close

'Read the SSL certificate for its start date and end date
Set oExec = oShell.Exec(PluginPath & "openssl.exe x509 -noout -in " & CertFilePath & " -dates")

'The output has two lines, for example:
'notBefore=Apr 10 00:00:00 2013 GMT
'notAfter=Apr 10 23:59:59 2014 GMT
Line = oExec.StdOut.ReadAll

'Get the expiration date: the text after "notAfter=", without line endings
Pos = InStr(Line, "notAfter=")
If Pos = 0 Then
    WScript.Echo "Message: Could not read certificate dates from " & CertFilePath
    WScript.Quit 1
End If
Expiry = Mid(Line, Pos + Len("notAfter="))
Expiry = Trim(Replace(Replace(Expiry, vbCr, ""), vbLf, ""))
ExpDate = ConvertDate(Expiry)

'Calculate the number of days between now and the expiration date
'(the time of day and the GMT offset are ignored, so the count can be off by
'one day around the moment of expiry)
DaysLeft = DateDiff("d", Now(), ExpDate)

'Display the number of days remaining until expiration
WScript.Echo "Statistic: " & DaysLeft
WScript.Echo "Message: Number of days remaining until the SSL certificate expires: " & DaysLeft

'Release objects
Set oShell = Nothing
Set oExec = Nothing
Set tstream = Nothing
Set FSO = Nothing

'This function converts an OpenSSL date string such as "Apr 10 23:59:59 2014 GMT"
'(or "Apr  1 23:59:59 2014 GMT" for a single-digit day) into a VBScript Date
Function ConvertDate(DateStr)

    Dim Components
    Dim MonthNum
    Dim DayNum
    Dim YearNum

    Components = Split(DateStr)

    Select Case Components(0)
        Case "Jan", "January"
            MonthNum = 1
        Case "Feb", "February"
            MonthNum = 2
        Case "Mar", "March"
            MonthNum = 3
        Case "Apr", "April"
            MonthNum = 4
        Case "May"
            MonthNum = 5
        Case "Jun", "June"
            MonthNum = 6
        Case "Jul", "July"
            MonthNum = 7
        Case "Aug", "August"
            MonthNum = 8
        Case "Sep", "Sept", "September"
            MonthNum = 9
        Case "Oct", "October"
            MonthNum = 10
        Case "Nov", "November"
            MonthNum = 11
        Case "Dec", "December"
            MonthNum = 12
        Case Else
            'Unrecognised month name: fall back to January, as the original did
            MonthNum = 1
    End Select

    DayNum = Components(1)
    YearNum = Components(3)

    'OpenSSL pads a single-digit day with a space, which Split turns into an
    'empty element and shifts the day and year one position to the right
    If UBound(Components) = 5 Then
        DayNum = Components(2)
        YearNum = Components(4)
    End If

    'DateSerial avoids the locale-dependent day/month ordering of CDate
    ConvertDate = DateSerial(CInt(YearNum), MonthNum, CInt(DayNum))

End Function

If you have been following the headlines in the last week, you’ll know there have been two major security attacks on the websites and web services of popular trading companies.


Breach Incident #1: Mt. Gox Servers were Compromised with Massive DDoS Attacks


Mt. Gox is one of the world's largest bitcoin exchanges, trading the decentralized digital currency known as bitcoin.


  • What Happened: The trading platform couldn’t be accessed. The exchange was subjected to a massive distributed denial of service (DDoS) attack on its Web servers.
  • The Impact: The attacks caused its worst trading lags ever and caused error pages to be displayed to traders.

Breach Incident #2: Instawallet was Hacked, and Bitcoin Wallet Database was Illegally Accessed

InstaWallet is an online system for instant money transfers between customers' accounts.


  • What Happened: The Instawallet database was fraudulently accessed, and hackers have supposedly gained access to the private keys that authorize bitcoin transactions.
  • The Impact: Instawallet has claimed bitcoins were stolen, and its service is suspended indefinitely until it can develop an alternative database architecture.



So, What Did We Learn From All This?


These were major security breaches leading to detrimental impact on the victim organizations. Security was breached, IT assets were compromised, and business services were interrupted with malicious intent.


Hard-Learnt Lessons: We need to be more proactive in our preparation against security attacks, and more reactive in thwarting threats.

  1. Know what’s happening on the network round the clock.
  2. Monitor all servers, workstations, network devices and security systems 24x7.
  3. Prevent non-compliant services and processes from intruding into the corporate firewall.
  4. Gain real-time access to all system and device logs, correlate them in-memory for speedy and meaningful incident awareness.


Log management and security information and event management (SIEM) systems help you monitor and identify security events on your enterprise network, and help you take preventive action to mitigate security threats in real time.

It’s high time to start preparing your IT infrastructure to face security threats. If you need a solution right away, download SolarWinds Log & Event Manager for advanced and effective log management, real-time network event correlation, and log analysis.


Prevention is unquestionably better than cure!

According to the Institute of Asset Management (IAM), “...the management of (primarily) physical assets (their selection, maintenance, inspection and renewal) plays a key role in determining the operational performance and profitability of industries that operate assets as part of their core business.”


Asset Management Has Always Been Important


Ever since people have been capable of counting and recording, asset management has been helping ensure not only their survival, but their advancement. How could you, for example, make it through the winter if you didn't have enough food put away? And how did folks know how much was enough? They probably had to track their supplies and use of them over a number of winters to find out. What about the ancient Romans, building all those roads? Considering how much they built – roads, sewers, buildings – it’s hard to imagine they built without an inventory of bricks, cobblestones, etc. It’s a good bet the Romans were up to their ears in asset records.


We Still Need Asset Management


Today, we still use asset management to ensure we have what we need – often on a global scale. In business, asset management can be especially effective when it’s tied in with an IT help desk solution.


SolarWinds’ Web Help Desk streamlines service ticketing and hardware and software asset management processes. The web-based IT help desk and asset management system makes it easy to manage company assets, by:


  • Defining and tracking asset types, status, locations, manufacturers, and models to a specific location or room
  • Establishing parent-child relationships for visibility into ripple effects caused by asset incidents
  • Applying detailed hardware and software data to help desk tickets, for immediate reference and background for outstanding issues
  • Allowing end-users to request specific times and date ranges for reserving assets
  • Preventing lost or stolen assets with the overdue alert feature
  • Using simple rules-based queries with multiple condition search options to locate IT assets
  • Syncing asset data from SolarWinds Network Performance Monitor
  • Easily importing existing asset data using .csv, .tsv, or .xls formats

There are long, exhaustive lists of best practices for creating master images. In this post, I have compressed them down to three major areas.  So sit back, fiddle with that fancy fob watch, and read about a couple of things to consider before creating master images.




While storage space is fairly cheap now, it's still a commodity. Do you really want to waste storage space that can be used elsewhere? Moreover, do you want to waste time searching through fifty images?


When you create the master images, it is easy to go overboard and make too many images.  Try to create a basic master image and then a couple of images based on the number of users per software package, frequency of requests, or the difficulty level of an install.


For example, most users need some sort of office suite, but if a significant number of users need a specific piece of specialty software, then you should probably make a master image for them. If you support a department with a lot of turnover, you might want to create an image specifically for that department. If you support software engineers, you might want to create an image for them so you don't have to waste time installing and configuring the development environment, version control software, and so forth.


Image Optimization


Optimization goes hand in hand with storage restrictions. You want the image as trimmed as possible but have all of the appropriate patches, service releases, and software. Most vendors recommend that you uninstall any unnecessary programs and disable unnecessary services. On a VDI platform, you should probably disable automatic updates from the virtual desktop and manage updates yourself to prevent performance and network hits.


When building your images, don't forget to add trusted sites and intranet links, map printers or other shared network devices, install drivers and virus scanners, and apply all approved software updates.


Clean Up


This is the part that I usually forget about and then pat myself on the back when I remember it. After you have created your lovely new master images, remember to remove all the installers, empty the trash, and defrag the hard drive. You should probably check the hard drive for errors and run the virus scanner before making the image.

In a previous post, we discussed the top 5 reasons why IT admins should automate the network configuration and change management (NCCM) process. So, now that the need is clearly understood, let’s look at the various options available for NCCM automation, along with their pros and cons to help you choose the right fit for your network and business requirements.

1. Automation with In-house Scripts and Macros

Within the LAN, IT pros can write their own scripts and macros to automate some simple and repetitive change management processes which are typically time-consuming (and a bit mind-numbing), such as updating port settings, changing administrative passwords, or adjusting access control. These automation scripts can then be fed into those network products which support it using the command line interface available via telnet or SSH.


This process may be simple and quick to implement, but it depends on the scripting knowledge of the IT administrators to get the best automation benefit.


  • Pros: No upfront licensing fee. This will suit the need of smaller businesses that don’t have thousands of network changes happening each day.
  • Cons: The knowledge of the script will lie only with the IT admin who built it. This may complicate the process in a growing team with multiple admins. And, you must also consider the possibility that the script savvy admin could leave the organization.


2. Automation with Open Source Tools

There are many open source tools and automation scripts on the Internet that can be used to address enterprise LAN network change and configuration needs. With no upfront licensing costs, smaller organizations with limited budgets can make use of open source tools as an entry-level NCCM solution.


Although open source automation cannot meet all NCCM requirements within the organization, the portability and repeatability of these tools and scripts can solve the problem of “knowledge lock-in” with the IT administrators.


  • Pros: Easily available and knowledge not restricted to a few IT pros. An entry-level automation option available gratis.
  • Cons: No support except for posts and discussion threads on open source communities. And, even though it might be free from licensing fees, it can still add up with regard to total cost of ownership. Not an ideal long-term solution.


3. Vendor-Sourced Automation Solution

For organizations whose network hardware is primarily obtained from a single vendor, it might make sense to go for an automation solution that’s offered by that same vendor. It’s more likely that this solution has better compatibility with existing hardware and integrates well to manage changes and configurations. Support around this solution should also be good since it’s from the same vendor.


  • Pros: Better integration with network hardware from the same vendor. Support and maintenance will always be available from the vendor.
  • Cons: This is not very feasible in a growing heterogeneous network (as most networks are) since one vendor’s proprietary solution will not support other vendors’ network hardware. Additionally, pricing can again be a deterrent for SMBs since vendor-sourced solutions are targeted toward enterprise-level customers with enterprise-level budgets.


4. Third-party NCCM Automation Tools

This could be the most feasible automation solution for a network infrastructure that is growing both in size and complexity. Third-party NCCM solutions take a vendor-neutral stance when it comes to implementation in a heterogeneous environment. And, being commercial products, support, maintenance and upgrades come with the price paid.


Scalable and robust to suit a growing network, compatible with devices from multiple vendors—a third-party NCCM automation tool could be just the solution for enterprise and SMB customers alike.


  • Pros: Ideally suited for heterogeneous networks. Scalable and flexible to meet the requirements of any size of network.
  • Cons: Could be pricey if you’re looking at the wrong shop.


When you're evaluating NCCM solutions, be sure to look for one that is scalable, flexible, and easy to deploy and use. Also, look for key functionality that addresses the needs of today’s increasingly complex enterprise networks like real-time network change notification and compliance management and reporting.



SolarWinds Network Configuration Manager (NCM) provides automated network configuration and change management geared toward companies of all sizes. Check it out for yourself with the live online demo and see how SolarWinds NCM can help.

SAM monitors hardware by polling nodes and utilizing the Hardware Monitoring Agent software provided by the hardware manufacturer. SAM can monitor hardware from VMware hosts, HP ProLiant, Dell PowerEdge, and the IBM X-Series using this software. Hardware monitoring is achieved by polling via SNMP or WMI, depending upon the node. For SNMP and WMI nodes, hardware monitoring must be enabled manually through SAM's web console.

If you run a scheduled Network Sonar Discovery of your existing servers, SAM will automatically collect any servers that support hardware health information the next time the discovery runs.
Note: Only SAM administrators can enable hardware health monitoring.


Hardware Prerequisite Checklist

If the following conditions cannot be met, the Hardware Health resources will not be displayed. To monitor hardware in SAM, the following must be true:

  • The monitored node must be HP ProLiant, Dell PowerEdge, IBM X-Series, HP C7000, HP C3000, or Dell M1000e.
  • The node must be monitored using one of the following protocols:
    • SNMP
    • WMI
    • ICMP nodes are allowed for VMware when the Poll for VMware option is selected.
  • The Hardware Monitoring Agent software (provided by the vendor) is installed on the remote server. This applies for both SNMP and WMI.
  • For VMware, the minimum requirements are as follows: ESX server version 3.5, 4.0, 4.1; ESXi version 5.0; vCenter version 4.0, 4.1, 5.0.


The following systems have been verified to work properly with SAM's hardware monitoring features.
Other systems may work as well.

  • Dell PowerEdge M610, R210, R610, R710, R900, 1950, 2850, 2950, 2970, 6850
  • HP ProLiant DL320 G4, DL360 G3, DL360 G4, DL380 G4, DL380 G6, ML570 G3
  • IBM System x3550, System x3550 M2, System x3550 M3, System x3650, System x3650 M2, System x3650 M3, x3850, eServer 306m
  • HP C7000, HP C3000
  • Dell M1000e.


Note: IBM's ServeRAID Manager software must be installed on IBM X-Series servers for storage hardware health information to be displayed in SolarWinds SAM. HP’s WBEM providers are required for HP servers polled via WMI.


Hardware Troubleshooting Flowchart


Troubleshooting an SNMP Node

The most common issue customers face is that hardware information is not available via SNMP because the Hardware Monitoring Agent software was installed before SNMP was installed. This means MIBs were never installed and/or configured correctly. The easiest solution is to uninstall and then re-install the Hardware Monitoring Agent software after installing SNMP on the server. If this is not the case, follow the troubleshooting steps as outlined below:


  1. Verify the node was successfully added using SNMP.
  2. Verify the Hardware Monitoring Agent software is installed on the remote server and running.
  3. Determine if SNMP responds for the proper OID. Below are the correct OIDs for each vendor:


For HP:

For Dell:

For IBM:


  • To determine if the remote server responds to the correct OID, you can use the MIB browser included in the SolarWinds Engineer’s Toolset. Alternatively, you can use any other application capable of making SNMP requests.

If you do not have a tool for checking OIDs on the remote server, you can create an SNMP walk by using the SNMPWalk.exe installed with SAM, normally located at C:\Program Files (x86)\SolarWinds\Orion\SnmpWalk.exe. SNMPWalk.exe will be used in this demonstration.


Using SNMPWalk.exe:


  1. Start SNMPWalk.exe  and type in the IP address of the remote server and the community string for SNMP.
  2. Click Scan.
  3. After completing the scan, save the SNMP walk in a text file.
  4. Open the text file and manually search for the OIDs.
  5. If the Remote Server does not respond on this OID, the Hardware Monitoring Agent software may not be properly configured. Check to see if the Hardware Monitoring Agent software has imported the correct MIBs as outlined in the following table.



Troubleshooting a WMI Node

The following conditions must be met before you can proceed with troubleshooting WMI nodes:

  • The node has successfully been added via WMI.
  • WMI is working properly on the remote server.
  • The Hardware Monitoring Agent software is installed on the remote server and running.


Using Wbemtest.exe to troubleshoot WMI:

  1. Open wbemtest.exe, usually located at C:\Windows\System32\wbem\wbemtest.exe.
  2. Connect from the problematic node (either the SAM server or the additional poller server) to the remote server using wbemtest.exe.
  3. Click Connect.
  4. In the Namespace field enter:

For IBM and HP enter: \\RemoteServerIpAddress\root
For Dell enter: \\RemoteServerIpAddress\root\cimv2


  5. Enter Administrator credentials.
  6. Click Connect.
  7. Once connected, click Query… from the main screen. The Query dialog appears.
  8. Enter: select * from __Namespace


Replace Namespace with the following:

  • For HP nodes, replace Namespace with HPQ
  • For Dell nodes replace Namespace with Dell
  • For IBM nodes replace Namespace with IBMSD

  9. If the proper Namespace is found, connect to this Namespace:

  • \\RemoteServerIpAddress\root\IBMSD for IBM.
  • \\RemoteServerIpAddress\root\HPQ for HP.
  • \\RemoteServerIpAddress\root\cimv2\Dell for Dell.


  10. Run a query for specific information (the WQL class is CIM_Chassis and the property is SerialName-style, without spaces):

        SELECT Manufacturer, Model, SerialNumber FROM CIM_Chassis

  • If the query was not successful, re-install the Hardware Monitoring Agent software on the remote server with the latest release.
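The same three checks (enumerate child namespaces, find the vendor namespace, query CIM_Chassis) can be scripted from the SAM server or additional poller instead of clicking through wbemtest.exe. This is an added example, not code from the original article; the remote server name is a placeholder, and the credential prompt and Get-WmiObject calls are assumptions about how you would run it.

```powershell
# Added example (not part of the original article): scripted version of the
# wbemtest.exe troubleshooting steps for a WMI-polled hardware node.
param(
    [string]$RemoteServer = 'REMOTE-SERVER-IP',   # placeholder: the node's IP or host name
    [System.Management.Automation.PSCredential]$Credential =
        (Get-Credential -Message "Administrator credentials for $RemoteServer")
)

# Parent namespace to enumerate and the child namespace each vendor agent
# registers, exactly as listed in the troubleshooting steps above
$vendors = @(
    @{ Name = 'HP';   Parent = 'root';       Child = 'HPQ'   }
    @{ Name = 'IBM';  Parent = 'root';       Child = 'IBMSD' }
    @{ Name = 'Dell'; Parent = 'root\cimv2'; Child = 'Dell'  }   # note: under cimv2, not root
)

function Get-HardwareAgentNamespace {
    foreach ($v in $vendors) {
        try {
            # Step 8: "select * from __Namespace" under the parent namespace
            $names = Get-WmiObject -ComputerName $RemoteServer -Credential $Credential `
                -Namespace $v.Parent -Class '__Namespace' -ErrorAction Stop |
                Select-Object -ExpandProperty Name
        } catch {
            # Connection or authentication failure: WMI itself is not healthy on this node
            Write-Warning "Cannot enumerate $($v.Parent) on ${RemoteServer}: $($_.Exception.Message)"
            continue
        }
        if ($names -contains $v.Child) {
            return [pscustomobject]@{
                Vendor    = $v.Name
                Namespace = "$($v.Parent)\$($v.Child)"
            }
        }
    }
    return $null
}

$found = Get-HardwareAgentNamespace
if (-not $found) {
    Write-Warning 'No HPQ, IBMSD or Dell namespace found: the Hardware Monitoring Agent is probably not installed or not registered with WMI.'
    exit 1
}

# Step 10: query the chassis class inside the vendor namespace
try {
    $chassis = Get-WmiObject -ComputerName $RemoteServer -Credential $Credential `
        -Namespace $found.Namespace `
        -Query 'SELECT Manufacturer, Model, SerialNumber FROM CIM_Chassis' -ErrorAction Stop
} catch {
    Write-Warning "Namespace $($found.Namespace) exists but the CIM_Chassis query failed: $($_.Exception.Message)"
    Write-Warning 'Re-install the Hardware Monitoring Agent software with the latest release and retry.'
    exit 1
}

"$($found.Vendor) agent namespace found: $($found.Namespace)"
$chassis | Select-Object Manufacturer, Model, SerialNumber | Format-Table -AutoSize
```

Run it from the SAM server or the additional poller that owns the node, since that is the host whose WMI access to the remote server actually matters.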


Troubleshooting a VMware Node


VMware nodes can be polled for hardware information either through the vCenter or directly by using the CIM protocol. Polling through the vCenter uses VMware's native API interface. Polling the ESX server directly uses the CIM protocol to get hardware information.

To determine if a node is polled through the vCenter or directly:


  1. From the web console, navigate to Settings > Virtualization Settings.
  2. A table of all the currently polled VMware nodes is listed. This table contains the Polling Through column. Note: This column may be hidden. If the column is hidden, unhide it by clicking the dropdown menu of an adjacent column and checking the Polling Through option.
  3. Use the illustration below to determine how your VMware is being polled.


Interested in a companion to Microsoft SCCM that improves the way you support your far-flung users and machines?



What does SCCM do?


Windows Administrators use System Center Configuration Manager (SCCM, previously ConfigMgr or SMS) to manage dozens or hundreds of remote desktops, laptops, and servers throughout their network. In addition, SCCM offers some remote control, access, and support features above and beyond what's offered by simple RDP and command-line controls.


What does SolarWinds offer that's better?


Like SCCM, SolarWinds' DameWare offers remote control, access, and support capabilities. However, DameWare adds functionality that helps SCCM users save time and do more with less.

  • Adds convenient built-in chat, file transfer & one-click screenshot utilities
  • Adds the ability to delegate levels of access other than "full" and "read-only" to help desks & junior technicians
  • Adds the ability to quickly roll out or shut down services & scheduled tasks on dozens or hundreds of machines at once


Through built-in VNC capabilities, DameWare ALSO allows you to control your Linux and Mac machines from the same console you use to control Windows machines.


Where can I learn more?


Check out our new comparison of SCCM and DameWare. Or try DameWare for yourself in your own environment by downloading the full-featured 30-day free trial.

Intuitively, IT help desk software is designed to register issues faced by the end-users (clients) and enable the tech support team to approach the problem systematically, eventually providing the solution. In a generalized IT environment, there will be hundreds of repetitive instances requiring the same set of ‘fixes.’ This is where knowledge base management, built into the help desk software, matters the most.


End-User Benefits

  1. Ability to readily find a fix, without waiting for the tech personnel
  2. Improved service efficiency from reduced downtime, owing to faster problem fixes


Tech Support Advantages

  1. Shorter turnaround-time and reduced load on help desk staff allows them to focus on other challenges
  2. Reduced costs by self-servicing and possible elimination of phone support
  3. Fewer IT support tickets


End-users wouldn’t appreciate a colossal amount of ‘fixes’ thrown at them, if the information is cluttered and unorganized. It also becomes cumbersome for the help desk staff, if the knowledge base is not classified by problem, made searchable, and categorized.


Knowledge Base Management Made Simple


SolarWinds® Web Help Desk™ offers simple yet fully featured knowledge base management. Web Help Desk is 100% Web-based and eliminates the need to install anything separately on clients’ or techs’ computers.

Suggested FAQ Articles

When a user tries to place a help desk request, relevant FAQs are suggested proactively based on the request type (e.g. IT, non-IT), and sub-type (e.g. hardware, software, etc.).

Knowledge Base Categorization – Extend or Restrict

External Knowledge Base: Searchable content, enabling the end-users to effectively find the solution.

Internal Knowledge Base: Confidential knowledge base articles and proprietary information can be made accessible just to the technical team, hidden from external users.

Knowledge Approval Management

When the IT team comes across a new set of repetitive issues with a common solution, they can submit an article (aligned to the respective service request and solution) to the knowledge base. An approver can review the article before making it available to the public or restricting it to a group.

Importing Knowledge Base Articles

The help desk team can import their existing knowledge base FAQs via the built-in import tool, and merge the content. This is yet another feature of Web Help Desk that simplifies the management of knowledge base articles.


Now, creating and managing the knowledge base need not be viewed as complicated and expensive. Web Help Desk not only offers knowledge base ease and simplicity, but also streamlined service request fulfillment, email communication, help desk management, account management, asset management, survey management, task management, reporting, and SLA management.

Ever heard of a hospital administrator killed by a computer virus? It’s one of those great problem examples that came our way, and our forensic geeks, Patrick Hubbard and Lawrence Garvin, cracked the case.


The story involves a midsize hospital with ~1,000 workstations, 100 servers, and a few campuses, and many dependencies on outsourced services like diagnostic imaging, web-based patient care services, offsite billing and telepresence. Basic network monitoring revealed their firewall CPU was hammered and though they were doing some flow analysis, they couldn’t quickly isolate the contagion.


Here’s the 10,000 ft view of what their environment looked like when it came to us:



The firewall was locked up, the network was busy with random, unknown traffic and user workstations had become unusable. There was a whole bunch of traffic coming in two different waves:

  • ICMP traffic randomly scanning subnets
  • TCP attempts to connect to external addresses


There were so many connections through the firewall that they filled its memory and overwhelmed its ability to serve. It was code blue at the SonicWALL. We brought in the firewall logs crash cart and discovered a spreading virus: virulent, stealthy and overlooked by antivirus sanitation protocols.


As a first step, they checked the logs and looked back at the original waves of the ping traffic, identifying the first machine to be affected.  Next, they hacked a custom patch to clean individual workstations, but reinfection soon began again, exponentially as before.


So, what was the final fix? Tune in to see how the Geeks healed the patient and helped the hospital IT team get better visibility on their entire IT security infrastructure.



IT departments are the heart of most corporations. If there is an IT failure, most companies are dead in the water. No internet = no sales orders. Which is not a good thing for most companies!


Most IT departments use the method where issues are responded to based on the order in which they are received. If a higher priority issue is received, then it jumps to the top of the heap. What ends up happening is that the lower priority requests go unresolved since they seem to be placed at the bottom of the stack. If your network is running cleanly and smoothly, there is time to finish your other tasks.


Unfortunately, according to a 2012 report from Gartner, more than 60% of an IT department’s time is spent focusing on day-to-day operations and not strategic projects that contribute to the growth of the company. SolarWinds Engineer’s Toolset includes the necessary solutions that work simply and precisely, providing the diagnostic, performance, and bandwidth measurements you want. SolarWinds was founded by network professionals and continues to design tools for the network professional.


  • Cut troubleshooting time in half using the LaunchPad, which puts the tools you need for common situations at your fingertips.
  • Monitor and alert in real time on network availability and health with tools including Real-Time Interface Monitor, SNMP Real-Time Graph, and Advanced CPU Load.
  • Perform robust network diagnostics for troubleshooting and quickly resolving complex network issues with tools such as Ping Sweep, DNS Analyzer, and Trace Route.
  • Deploy an array of network discovery tools including Port Scanner, Switch Port Mapper, and Advanced Subnet Calculator.
  • Manage Cisco® devices with specialized tools including Real-time NetFlow Analyzer, Config Downloader, and Config Compare.

Tax day got you down?  Here's a free offering that ought to cheer you up: after a short hiatus an all-new Free Edition of our popular Kiwi Syslog Server will be returning next week!




As in previous releases, the Free Edition will allow you to collect syslog messages and SNMP traps from multiple devices.  It can write the collected logs to disk, split by priority or time of day, or display them in one of up to ten different viewers.  Message statistics will be available in the management console and may be sent in a summary email once a day.  A source limit of five devices will be placed on the Free Edition, but these five sources can be of any type that sends syslog messages via UDP or TCP, or emits SNMP traps.


The Commercial Edition will be an unlimited edition that will add monitoring, retention, automation and web administration functionality.  It will improve log organization by allowing you to split up your logs by device, functional role or message contents, and then will help you implement your log retention policy with automatic grandfathering and clean-up rules.


Learn More and Download


The link below will take you to the all-new Free Edition. This link will go live by 5:00 PM (CDT) on April 23, 2013.

(Hint: click the link - may be a 404 - but then BOOKMARK it for next week!)

Need to transfer files securely from your Mac?  All you really need is Safari and the web transfer interface on a Serv-U Server.  That lets anyone sign on with a web browser to upload and download files. In addition, Serv-U supports non-Safari browsers, built-in file transfer utilities, and third-party FTP clients on Mac OS X.  Read on to learn more!



How to Transfer Files with a Web Browser

Your favorite Mac OS X web browser can be used to transfer files as well as to work with and edit files and folders.


Web browsers can even be used to run the Serv-U web-based management console without installing additional plug-ins; only JavaScript and cookies need to be enabled. The following major browsers are supported for both the basic web client and web administration:

  • Microsoft Internet Explorer 6.0+
  • Mozilla Firefox 2.0+
  • Opera 9+
  • Apple Safari 3+
  • Google Chrome 1+

How to Transfer Files with Native Mac OS X Applications

Using Mac OS X's FTP/S Finder Support

  1. Go to Finder on the Mac desktop, and click on "Go"
  2. At the bottom of the menu that opens up underneath "Go," click on "Connect to Server," or hit command + K on the keyboard
  3. In the text box that appears, type in either "ftp://" (for FTP) or "ftps://" (for FTPS), and then the IP address or hostname of Serv-U
  4. Click "Connect"
  5. You will then be connected to the server in your Finder window
  6. Click on any folders that appear in the text box, and download whichever files you would like by dragging them to your desktop, where you'll be able to open and edit these files

Using Mac OS X's SFTP Command-Line Client

  1. Open a terminal window
  2. Type "sftp username@host_server", where "username" is your username on Serv-U and "host_server" is the IP or hostname of Serv-U
  3. If prompted to accept the remote server's key, select "yes" ("OK" or accept the key)
  4. Enter your password when prompted


Ready to Try It?


Download the Serv-U FTP Server free for 30 days with our free trial, or head over to our Serv-U online demonstrations server to try Serv-U's web, FTP, FTPS or SFTP interfaces without installing Serv-U.

Yesterday I had the good fortune to interview Kevin Small.  Kevin is a system administrator for a large bank.


JK: Kevin, why did you decide to use SolarWinds for your server monitoring needs?
KS:  In December 2011 I joined the team and was tasked with updating network monitoring.  At that time the bank was using CA Spectrum for server and network monitoring.  Before I joined the team, my predecessor decided to move from CA Spectrum to What’s Up Gold.  I spent a month trying to get it working.  What WUG said it would do, it wouldn’t do.  I finally got a hold of a technical architect at WUG and he said that our company was just too big for them to support.


Around the same time I discovered that the network team was using SolarWinds Network Performance Manager to do inventory reporting.  The version they were using was very out of date, but if I wanted to take on the task of updating it, they said I could use it for my network monitoring needs.  So, I got it up to the latest version, and now I have 3 pollers, and have set up custom SQL alerts and reports.  The team was doing all their inventory reporting in Excel, and now they save 4 hours a week by having SolarWinds automatically email reports to the people who need them.  With SolarWinds the dashboards are out of the box, and you can customize with some SQL tweaking, and the reports are very good.  The dashboards are intuitive and you can put reports into the dashboards.


In April or May last year we wanted to monitor all our URLs so we purchased the cheapest license of SolarWinds Server & Application Monitor (SAM) just to monitor whether HTTP was up/down.  Around that same time, the bank was in the process of moving from CA Spectrum to Gomez Server Monitoring.


JK:  How was that decision made?
KS:  No one is really clear how that decision was made but the person who made the decision left the bank shortly after signing the contract.


Compuware’s product is so cumbersome that you need to have the vendor on site to get it working properly.  We were not able to get what we needed out of Gomez Server Monitoring so we started using SolarWinds’ server management tool to report on our 30 UNIX servers.  We tried for months a bunch of workarounds in Gomez to get this level of visibility that came out-of-the-box with SAM.  Gomez couldn’t even decently monitor RHEL.


One of the other disadvantages with Gomez is that if you needed to make a rule change, you would have to go to each polling engine (Control Server).  With SAM, you make the change in one place, and it is distributed to your entire environment.  Also, with Gomez, we were unable to provide reports to customers or dashboards that were readily understandable.  With SAM, I can bring one of my customers over to look at my screen and they can immediately figure out what it’s telling them.  Orion Reports are intuitive and straightforward.


We now have an unlimited license of SAM with 3 pollers to monitor our infrastructure and applications.  We continue to use Gomez Dynatrace to do deep level code troubleshooting like method tracing.  We integrate Dynatrace alerts into SolarWinds alert viewer to get a consolidated view.  For infrastructure and application monitoring, SolarWinds is just light years better – upgrades are easier, administration is easier, it’s a very intuitive piece of software.  SolarWinds has allowed us to unify monitoring across our entire organization.


Here is the table I used with my management to convince them to move to SolarWinds.

Feature           | Gomez Server Monitoring (formerly named Vantage for Server Monitoring) | SolarWinds SAM
------------------|------------------------------------------------------------------------|---------------
Reporting         | Reporting is crap, cumbersome and not user friendly | Reporting is intuitive, out of the box yet customizable and offers drill down.
Dashboards        | Gomez required us to hire a developer to set up | SolarWinds is out of the box, intuitive; dashboards can be converted to reports and reports can be made dashboards.
                  | Requires tasks and reporting by control server | Tasks, alerts, rules and reporting are set up regardless of control server, across the board, 1 time
Community Support | None | SolarWinds has a dynamic community of users, support and developers that answer questions and make enhancements
Alert Viewer      | Required hiring a developer to integrate the product | Free Alert Viewer that integrates with all SolarWinds products as well as all 3rd party software
Updates           | Few and far between and cumbersome to implement | SolarWinds offers updates about once a quarter and they take approximately 30 minutes to apply across the whole footprint.



by Jennifer Kuvlesky

As a SysAdmin, you probably ask yourself if your servers need to be routinely rebooted, and if so, how frequently? Once a week? Once a month? Should they be allowed to run as long as possible to achieve maximum uptime?


You’ll be happy to know that regular rebooting of servers is not a bad idea when done correctly. With proper planning and execution, it can actually be incredibly valuable.


Beware of 24/7 Uptime

Some businesses running critical systems have no allotment for downtime and must be available 24x7. Such systems cannot be rebooted in a routine manner. However, if an application is so business-critical that it can never go down, then the situation should trigger a red flag that this system represents a single point of failure. Regardless of operational requirements or SLAs, every IT organization must have a server performance monitoring plan in place for handling server downtime, as not all downtime is planned or foreseen.

Uptime is highly regarded in IT: how long can a system run without restarting? However, the business is not concerned with how long a server has been available—just that the server is available for business-critical applications and services.

As a rule of thumb, servers need to be rebooted at regular, consistent intervals. This can be daily, weekly, or monthly. It’s rare that a server is actually in use around the clock without exception.


Why Reboot?

There are two main reasons to reboot servers on a regular basis:

  1. To apply patches that cannot be applied without rebooting
  2. To verify the ability of the server to reboot successfully


Applying patches is an important aspect of rebooting. Almost all operating systems receive regular updates that require rebooting in order to take effect. As most patches are released for security and stability purposes, especially those requiring a reboot, the importance of applying them is rather high. Making a server unnecessarily vulnerable just to maintain uptime is not sensible.


Testing a server's ability to reboot successfully is also key. Most corporate servers are subject to changes on a regular basis. These changes might include patches, new applications, configuration changes, updates, etc. If the server is never rebooted intentionally, you will never know if it can reboot successfully—especially with an increasing number of changes that have piled up since the last reboot.


This is a very tricky situation. A server that is never rebooted on schedule may reboot unexpectedly, and a failed reboot that occurs while the server is in active use causes a service disruption.


Regular rebooting serves to protect the business from outages and downtime. SolarWinds Server & Application Monitor provides comprehensive server management in a single monitoring tool, to simplify and safeguard the rebooting process. With visibility into all processes running at any point in time, Server & Application Monitor lets you reboot servers safely and regularly with the click of a button. So go ahead and reboot with ease!


Brainwave Biometrics

Posted by LokiR Apr 12, 2013

I have heard a lot about biometrics - granted, almost everything I know about biometrics comes from action-packed spy movies and T.V. series - but I've only been one place that uses any form of biometric security. Thank you, Disney World, for using biometric finger scanners to get into your parks. You make my life complete in so many unintentional ways.


For all intents and purposes, biometrics is still in that scary, futuristic niche of rigorous governmental or corporate information control. Fingerprint scanners, retina scans, and voice recognition, while secure, suffer from multiple problems, such as expense and speed, which prevent the widespread use of biometrics. Plus, using biometric information is creepy, invasive, and brings out privacy advocates faster than Google or Facebook. It's safe to say that this is a niche industry and most people won't encounter full-fledged biometrics unless they're working in a high-security area or law enforcement.


You would think that brainwave readers would be even more problematic. However, as you may have guessed, this may not be the case anymore. New innovations in consumer-grade biosensor technology might catapult brainwave "passthoughts" to the head of the biometric industry.


You may have seen the brainwave-controlled cat ears before or heard about the brainwave-controlled tail. Both of those products have made the blog rounds, and the cat ears are available on ThinkGeek. ThinkGeek also sells the base headset that can be used, among other things, to control robots.


The geniuses over at UC Berkeley's School of Information took this readily available headset and ran experiments to see whether it could be used for computer authentication, and found that it could.


Using customized thought tasks, the researchers reduced errors to below 1%. This is a better rate than I have typing out passwords. According to the research team, the best way to use a brainwave authentication system is to pick out thought tasks that are relatively easy but not too boring, like mentally counting a number of objects in a certain color or focusing on their breathing. If the biosensor technology firms start making their sensors smaller and less cumbersome, these might even start replacing smart cards or bank PINs.


One avenue of research that they haven't broached yet is how to authenticate when under stress, which I think will probably be a key area in high-security law enforcement or military use. Of course, they might just be concentrating on the areas where biometric security has not been a viable option.


In any case, computer security might be taking on a very different outlook in the next few years.



A reasonable understanding or experience of Visual Basic Scripting is assumed in order to successfully add custom scripts to CatTools.

There are example code template files in the /Templates sub folder of the CatTools root directory that can help provide a reasonable level of assistance.




Suppose that you would like to create a simple version report for a Cisco Router device. Custom activities in CatTools can accomplish this.

Four files are required.  Three activity files and one custom device file:


Activity files:


1)  The activity type file (.ini file), which defines the following:

  • activity name
  • activity ID
  • activity main script filename (associated with the activity)
  • activity client script filename (associated with the activity)
  • the user interface field values and defaults which are displayed in the activity form Options tab when adding or editing an activity



2)  The activity main script file (.txt file), which contains code to read the activity options from the CatTools database, prepare folders and files to store output data, set variables, marshal the CatTools Client threads and do any post processing of results in order to create reports or send messages to the CatTools main program.


3)  The activity client script file (.txt file), which contains a number of common function calls to the device scripts, i.e. the scripts that send device specific commands in order to get the device to log in, issue the commands required to perform the activity, then log out of the device again.


Device file:


4) The device script file (.custom file), which contains device type specific code for the custom activity, for example, the commands to send to the device and any parsing of the data before sending the results back to the client activity script.



The activity client and main script files also contain function calls and references to variables within the internal CatTools program code.  These are prefixed with 'cl.' in the client script and 'ct.' in the main script.  A list of these cl. and ct. functions and variables has also been made available within this chapter to help in the development of your custom activity scripts.




  • How to create a custom activity - a simple step-by-step guide on how to create a custom activity
  • The custom activity type file (.ini) - information and how to create the custom activity type file
  • The custom activity main script file (.txt) - information and how to create the custom activity main script file
  • The custom activity client script file (.txt) - information and how to create the custom activity client script file
  • The custom activity device script file (.custom) - information and how to create the custom activity device script file
  • cl. / ct. variables and functions - information on the CatTools internal variables and functions exposed to the custom activity script files
  • Testing your custom activity - help and tips on testing your custom activity


For more information on what CatTools can do for you visit: Configuration Management and Network Automation | Kiwi CatTools

A recent SolarWinds survey on IPv6 transition revealed that two-thirds of respondents, comprising network administrators and engineers, are considering, planning to, or already have migrated from IPv4 to IPv6. With the migration trend going up, another notable indication was that 47% said they are “not at all confident” that their company has an actionable IPv6 adoption plan in place.



The aforementioned statistic is a big red flag and a call for serious concern.  It’s imperative that network administrators are fully educated on the various IPv6 transition techniques and the factors that could potentially impact the enterprise network because not knowing could be detrimental. 

So let’s dive in to understand how a dual-stack architecture that utilizes the Dual Stack Transition Mechanism (DSTM) can be a feasible approach to IPv6 migration.

What is a Dual IP Stack?

Dual-stack is one of the most widely adopted techniques for IPv6 migration. It helps to establish communication between your IPv6 network and the native IPv4 hosts and applications. A dual-stack node has support for both protocol versions and is referred to as an IPv6/IPv4 node. IPv6/IPv4 nodes may have a ‘configuration switch’ to enable or disable one of the stacks, which means they can have three modes of operation:

  • IPv4 only - IPv4 stack enabled and IPv6 stack disabled
  • IPv6 only - IPv6 stack enabled and IPv4 stack disabled
  • Both IPv4 and IPv6 stacks enabled


Dual Stack Transition Mechanism

Dual Stack Transition Mechanism (DSTM) is a transition mechanism based on the usage of IPv4-over-IPv6 tunnels to facilitate interoperability between newly deployed IPv6 networks and existing IPv4 networks. DSTM is best-suited for IPv6 dominant environments where hosts still need to exchange information with legacy IPv4 hosts or applications.

Significant Advantages:

  • Transparent to the network and to the application
  • Legacy IPv4 applications can be run over IPv6-only networks without modification
  • IPv4 addresses are dynamically allocated as needed and then reclaimed
  • Based on standard protocols


How does DSTM work?

The DSTM architecture consists of three major parts.

  • DSTM Client - a dual-stack node running the DSTM client software, which requests an IPv4 address from the DSTM server; this allows a host on the IPv6 network to communicate with IPv4 applications or hosts.
  • DSTM Server - a dual-stack node running the DSTM server software which provides IPv4 address allocation along with the IPv6 address of the DSTM Gateway / TEP.
  • DSTM Gateway or Tunnel End Point (TEP) - performs the encapsulation and decapsulation of tunneled packets.


When a host in the IPv6-only domain needs to communicate in IPv4, it queries the DSTM server for a temporary IPv4 address. The DSTM server provides a temporary IPv4 address for the host from the address pool, including its validity time, along with the IPv6 address of the TEP. Following this, the host (DSTM client) builds its IPv4 packet with the allocated address, encapsulates it in IPv6 and forwards it to the TEP. The TEP then decapsulates the packet and forwards it to the IPv4 destination. All the IPv4 packets coming from the client are tunneled to the TEP, which performs the encapsulation and decapsulation in both directions and stores the mappings between the IPv4 and IPv6 addresses.
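The exchange described above, simulated as an added example that is not part of the original post and not SolarWinds code: a DSTM server leasing temporary addresses from a constructed pool (192.0.2.0/30, TEST-NET-1), a client wrapping its IPv4 packet in an IPv6 header (Next Header 4, i.e. 4in6), and a TEP that decapsulates, checks the inner IPv4 source against the lease table and records the mapping. The TEP sharing the server's lease table and the 2001:db8::/32 addresses are assumptions.

```python
import ipaddress
import struct

IPPROTO_IPV4 = 4   # IPv6 Next Header value meaning "an IPv4 packet follows" (4in6 tunnel)


def ipv4_checksum(header: bytes) -> int:
    """One's-complement checksum of an IPv4 header; a valid header sums to 0."""
    if len(header) % 2:
        header += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(header) // 2), header))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_ipv4_packet(src: str, dst: str, payload: bytes, proto: int = 17) -> bytes:
    """Minimal 20-byte IPv4 header (no options) plus payload, checksum filled in."""
    header = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0, 64, proto, 0,
                         ipaddress.IPv4Address(src).packed, ipaddress.IPv4Address(dst).packed)
    header = header[:10] + struct.pack("!H", ipv4_checksum(header)) + header[12:]
    return header + payload


def encapsulate_4in6(src_v6: str, dst_v6: str, ipv4_packet: bytes) -> bytes:
    """What the DSTM client does: wrap the IPv4 packet in an IPv6 header addressed to the TEP."""
    header = struct.pack("!IHBB16s16s", 0x60000000, len(ipv4_packet), IPPROTO_IPV4, 64,
                         ipaddress.IPv6Address(src_v6).packed, ipaddress.IPv6Address(dst_v6).packed)
    return header + ipv4_packet


class DSTMServer:
    """Hands out temporary IPv4 addresses with a validity time and tells the client the TEP address."""

    def __init__(self, pool_cidr: str, tep_v6: str, lifetime: int):
        self.free = [str(a) for a in ipaddress.ip_network(pool_cidr).hosts()]
        self.leases = {}            # ipv4 -> (client_v6, expiry)
        self.tep_v6 = tep_v6
        self.lifetime = lifetime

    def reclaim(self, now: int) -> list:
        """Return expired addresses to the pool (the 'reclaimed' step the post mentions)."""
        expired = [v4 for v4, (_, exp) in self.leases.items() if exp <= now]
        for v4 in expired:
            del self.leases[v4]
            self.free.append(v4)
        return expired

    def request(self, client_v6: str, now: int):
        """Client query: returns (ipv4, validity_seconds, tep_v6), or None if the pool is empty."""
        client_v6 = str(ipaddress.IPv6Address(client_v6))
        self.reclaim(now)
        for v4, (owner, _) in self.leases.items():
            if owner == client_v6:                   # renew rather than hand out a second address
                self.leases[v4] = (owner, now + self.lifetime)
                return v4, self.lifetime, self.tep_v6
        if not self.free:
            return None
        v4 = self.free.pop(0)
        self.leases[v4] = (client_v6, now + self.lifetime)
        return v4, self.lifetime, self.tep_v6


class DSTMGateway:
    """The TEP: strips the IPv6 outer header and records the IPv4 -> IPv6 mapping.
    Assumption: it can see the server's lease table (co-located or synchronised)."""

    def __init__(self, leases: dict):
        self.leases = leases
        self.mappings = {}          # ipv4 -> ipv6 of the client that tunnelled it

    def decapsulate(self, packet: bytes):
        """Return (inner_ipv4_packet, src_v4, dst_v4); raise ValueError on malformed or spoofed input."""
        if len(packet) < 40:
            raise ValueError("too short for an IPv6 header")
        ver_tc_fl, plen, nxt, _hop, src6, _dst6 = struct.unpack("!IHBB16s16s", packet[:40])
        inner = packet[40:40 + plen]
        if ver_tc_fl >> 28 != 6 or nxt != IPPROTO_IPV4 or len(inner) < 20:
            raise ValueError("not a well-formed 4in6 tunnel packet")
        if ipv4_checksum(inner[:20]) != 0:
            raise ValueError("bad inner IPv4 header checksum")
        src6 = str(ipaddress.IPv6Address(src6))
        src4 = str(ipaddress.IPv4Address(inner[12:16]))
        dst4 = str(ipaddress.IPv4Address(inner[16:20]))
        lease = self.leases.get(src4)
        if lease is None or lease[0] != src6:    # inner IPv4 source must be leased to the outer IPv6 source
            raise ValueError(f"{src4} is not leased to {src6}")
        self.mappings[src4] = src6
        return inner, src4, dst4


def tep_accepts(gateway: DSTMGateway, packet: bytes) -> bool:
    """Convenience wrapper: True if the TEP decapsulated the packet, False if it rejected it."""
    try:
        gateway.decapsulate(packet)
        return True
    except ValueError:
        return False
```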


It's crucial that network administrators fully understand the different approaches to IPv6 to know which one is right for their network. The Dual Stack Transition Mechanism (DSTM) can be an ideal approach for early adopters of IPv6 with an IPv6 dominant environment that still need to communicate with legacy IPv4 nodes.

Regardless of the migration strategy chosen, the most important aspect is planning ahead. Migration to IPv6 doesn’t have to be complex as long as you understand your requirements and have a well-thought-out plan. Even better, you don’t have to go it alone. Equipping yourself with the right IP address management tool can help ensure a smooth transition and provide easy ongoing management of your dual-stack network.

In the early part of this series I discussed face recognition technology, Big Data storage and findability, privacy protection and encryption with reference to the movie Minority Report.


Let’s return to the future in Minority Report as a way to understand some implications of NYPD's Domain Awareness System (DAS).


You may remember that in Minority Report Tom Cruise’s character heads a “PreCrime” pilot program that is about to be expanded nationally. The PreCrime system so accurately predicts crimes before they are committed that the future perpetrators are apprehended and prosecuted based on the system’s evidence. The story’s denouement involves a senior manager hacking the PreCrime system to frame Cruise’s character for a murder the manager intends to commit.


The movie highlights the risk of a powerful tool being used as a weapon; and suggests the risk is highest with those who best understand and control the most powerful and complex of tools. In the case of NYPD’s DAS, those who enforce the law in the biggest city in the United States can now in real-time, for example, “search for suspects using advanced technologies such as [over 3000 street level] smart cameras and license plate readers” and track unfolding events in overlay on detailed city maps.


Rogue IT Agents

I’ll talk about the “counterterrorism” emphasis of the DAS program in the next article. Here I want to point out that our safeguards against hackers within IT systems can also protect against rogue activity from occurring within the system. For example, if you have a good config change approval system, you can lock-down or significantly limit direct access to your most critical switches and routers. This reduces the potential for both accidental and deliberate damage.


Austin, anyway, in 2014...


So, Google disagrees somewhat with this guy:

[Austin’s] a mecca for creativity and entrepreneurialism, with thriving artistic and tech communities, as well as the University of Texas and its new medical research hospital. We’re sure these folks will do amazing things with gigabit access, and we feel very privileged to have been welcomed to their community. [source]

The word on the web is that Google is bringing Gigabit fiber to homes, schools, and other public facilities in Austin in 2014. Those of us who get to work at SolarWinds HQ, here in Austin, are, understandably, pretty stoked about it. My kids are pretty stoked, too: the talking blue train and the brunette adventurer can be beamed to our living rooms, superfast!!




But will this blessed bit delivery from the web gurus in Mountain View be the bandwidth management panacea we have all been seeking for so long?


Unfortunately, probably not, because, first, Google Fiber is set to go, at least initially, only to residences and public institutions. Austin should follow the Kansas City model, where Fiber service is available for homes in designated "fiberhoods" that are determined by expressed customer demand. Expansion to businesses is expected to follow, even though it hasn't yet in Kansas City and they've had service since last year. Second, it's not going in until mid-2014. Even if you'll be in Austin in 2014, you've got bandwidth issues now, wherever you are. A firefighter's fatter hose next week in the next town over doesn't help the guy fighting a fire with a garden hose at your house today. That's right: you're that guy, with the garden hose, fighting a fire at your house, today.


Of course, we can help you. We may not be able to get you a fatter hose, but our network management solutions, namely SolarWinds NPM and SolarWinds NTA, can help you quickly identify network hotspots and bust up bandwidth bottlenecks. Yes, the Gigabits are coming to Kansas City, Austin, and, ultimately, elsewhere, but you've got plenty of Megabits and machines to manage now.  Let's get to it.

IT teams face the rigmarole of change management each day for various IT requests. And being part of the IT world, we understand the frustration that goes along with that. Change management involves granular procedures and tons of documentation to satisfy auditors and to track, follow up, and execute requests. In other words, there’s much more administrative paperwork than actual IT execution.


Understanding Change Management


Change management is a common organizational practice that ensures changes to systems or processes are introduced in a controlled and coordinated manner, so that the change does not have unintended negative effects on the IT workflow.

IT teams employ standardized governance processes to ensure that changes made in the IT system—be it granting access permissions, provisioning new assets, or adjusting security configuration—do not affect the compliance and IT security protocols within the organization.


Easier said than done. Implementing change management is painful unless you figure out a smart approach to simplify the process.


As you work out sound change management plans, procedures, and processes per your business needs, keep in mind the importance of approval workflow. When change has to be governed, there must be proper sign-offs and communication between these stakeholders:

  • End-users (who request the change)
  • Approvers (who approve the change)
  • IT staff (who ensure the outcome of the approval decision is executed accordingly)

Relationships with these parties may look simple at first glance, but, in reality, IT teams face many complexities in establishing good communication with each of them, following up on time-sensitive requests, escalating to the next level of approvals, etc.


Simplifying Change Management

IT teams need a medium to easily facilitate the approval workflow—a tool to simplify manual efforts and time spent executing these tasks.


SolarWinds® Web Help Desk™ offers both simplicity and flexibility to automate the change management process and approval workflow by associating them with service request types. Web Help Desk also notifies end-users that approval is required for their service request, while they are submitting the request.


Approval Means & Options:

  • Service requests can be approved or denied either in the Web Help Desk interface or via email
  • A Yes/No approval option directly in the email makes for quick & easy decision-making


Notification & Communication:

  • Notify approvers via email regarding new ticket requests
  • Notify end-users via email or the Web Help Desk interface that approval was granted or denied
  • Approvers can opt to include reasons for denial or approval, for communication to IT teams & the end-user as needed


For Time-Sensitive Requests:

  • Set reminders for approvers
  • Auto-escalate to next level of approver(s) if current approver is delayed or unavailable


Track Approval History:

  • View a detailed record of previous requests & approval paths for audit trail purposes


Voting by Panel & Advisory Boards:

  • Dynamically designate approving managers & Change Advisory Boards (CABs) based on the requester’s location, department & type of request submitted for approval
  • Web Help Desk then automatically routes the approved service request to IT techs for execution




Change management doesn’t have to be a painful process when requests and approval workflows are simplified and automated with Web Help Desk. Whether your business entails simple one-step sign-off or complex multi-layered approvals, Web Help Desk gives you the means to execute it with simplicity and ease.

Almost every year since Security Information & Event Management (SIEM) became a relatively mature technology, SC Magazine has done one of their Group Tests with SIEM products. All sorts of SIEM and log management vendors are invited to put their products to the test in SC Magazine's lab environment, where the reviewers have spent a lot of time deploying, implementing, and testing all manner of security products. The reviewers not only test core SIEM product features and functionality, but also evaluate the whole package - what about technical support? Documentation? Knowledge base? What is the actual price? Is this a solid, reliable vendor? If I were in the customer's shoes, what would I need to know to make a decision on this product? Many products enter, but few leave without a few dents and dings in their armor (some more than that).


The SolarWinds (and previously TriGeo) Log & Event Manager team has elected to participate in SC Magazine's review process each year, and each year we wait with great anticipation as the results are tallied. This year's reviews were released on April 1 and, no foolin', LEM was awarded 5 stars in every category!


I don't want to spoil the details of the review for you, so go read SC Magazine's review of Log & Event Manager in the SIEM Group Test for yourself. You can also view the context for the Group Test, more information about SIEM, and the other reviews on the main Group Test information page.


LEM is also one of the few fully-functional SIEM products in the SC Magazine Group Test (or anywhere, really) that you can download and evaluate for 30 days on your own network. They don't give stars for that, but they do polish our stars with a little extra shine.



20% of Desktop PCs Still Run Windows XP


Microsoft's official "end of support" date for Windows XP is coming up on April 8, 2014 - just one year from today.  Meanwhile, the percentage of computers running Windows XP continues to drop, but is still about 20% of all desktops and laptops, according to StatCounter.


Source: StatCounter Global Stats - Operating System Market Share


If you count yourself among the Windows administrators and help desk professionals responsible for supporting Windows XP computers or end users running Windows XP, you may want to take a quick look at SolarWinds's DameWare software.  DameWare's Remote Support edition provides both unattended remote system access and end user screen sharing in a single package.  It can use RDP, but also offers its own optional single-port protocol that is often useful if your environment runs firewalls between the computers and end users you need to support.  Unlike native Remote Console capabilities which vary between operating systems, DameWare also behaves consistently on Windows XP, Windows 7 or any other Windows OS, providing universal support for multiple monitors, simultaneous sharing sessions and other "must have" features in a remote access package.

Alright, here’s the thing. Everyone in the IT security arena is talking about how to effectively shield your organization from threats. I recently saw researchers publishing their findings on security flaws with cheeky titles like “Did your HTTPs break?” Well, let’s get this straight – you can never be 100% secure.

Say you identify a vulnerability, then you deep-dive into it to determine if any security breach has happened. Depending on the severity and criticality of the breach, you may decide to take security measures. But as organizations embrace new technologies, threats continue to proliferate. Add to that BYOD, and your security woes multiply.

Resilience through a proactive game plan

Configuration errors and human errors occur every now and then, and some security incidents can prove fatal to your business. To avoid such catastrophes, you need to be well equipped in advance and have a proper plan in place.

Looking into managing vulnerabilities from Gartner’s eyes:


Policy definitions – baseline the environment for vulnerabilities – prioritize mitigation activities – shield the environment – eliminate the root cause – maintain and continually monitor for deviations.




To minimize damage, you need to detect and respond to events that threaten your IT infrastructure right when they happen, not hours or days later. This is where Security Information and Event Management (SIEM) comes in handy. It is advisable to use SIEM software, as humans would find it virtually impossible to read all of the events occurring in IT and analyze and correlate activity across the various components of IT.  It also makes sense for the SIEM to use active responses to critical events, shutting down threats immediately. Some useful built-in responses include:

  • Enable and disable accounts
  • Send incident alerts, emails, pop-up messages, or SNMP traps
  • Add or remove users from groups
  • Block an IP address
  • Detach USB devices
  • Kill processes by ID or name


Event correlation needs to be executed in memory and in real time. A good event log analyzer will help you automate alerts and trigger actions based on what is happening in your network and systems. This lets you identify and respond to threats in real time, rather than reacting after the fact. To make the analysis more efficient, collect and consolidate log data across the IT environment and correlate events from multiple devices in real time.
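The in-memory, real-time correlation described above, with the listed active responses (block an IP address, disable an account, send an alert) modelled as actions, as an added example that is not SolarWinds LEM code. The Windows logon event lines, the five-failure threshold and the five-minute window are all constructed.

```python
"""Minimal in-memory event correlator with active responses.

Added example, not SolarWinds code. It consumes a stream of constructed
Windows Security log records (event 4625 = failed logon, 4624 = successful
logon) and, within a sliding time window, correlates repeated failures from
one source IP followed by a success: the classic brute-force-then-success
pattern. A match triggers the kinds of built-in responses the post lists
(block the IP, disable the account, send an alert); here each response is
recorded rather than executed so the logic can be exercised offline.
"""
from collections import defaultdict, deque
from datetime import datetime, timedelta

FAILED_LOGON = 4625
LOGON_SUCCESS = 4624
WINDOW = timedelta(minutes=5)      # correlation window (constructed policy)
FAILURE_THRESHOLD = 5              # failures per source IP before we act

# Constructed sample log lines: "timestamp event_id account source_ip"
SAMPLE_LOG = """\
2013-04-08T09:00:01 4625 jsmith 203.0.113.7
2013-04-08T09:00:03 4625 jsmith 203.0.113.7
2013-04-08T09:00:05 4625 admin 203.0.113.7
2013-04-08T09:00:06 4625 jsmith 203.0.113.7
2013-04-08T09:00:08 4625 jsmith 203.0.113.7
2013-04-08T09:00:09 4624 jsmith 203.0.113.7
2013-04-08T09:00:10 4625 bob 198.51.100.2
2013-04-08T09:30:00 4624 bob 198.51.100.2
"""


def parse_line(line):
    """Turn one constructed log line into (timestamp, event_id, account, src_ip)."""
    ts, event_id, account, src = line.split()
    return datetime.fromisoformat(ts), int(event_id), account, src


class Correlator:
    """Keeps only the recent failures per source IP; nothing is written to disk."""

    def __init__(self):
        self.failures = defaultdict(deque)   # src_ip -> deque of failure timestamps
        self.blocked_ips = set()
        self.disabled_accounts = set()
        self.alerts = []

    def _expire(self, src, now):
        """Drop failures older than WINDOW so the count is a sliding window."""
        q = self.failures[src]
        while q and now - q[0] > WINDOW:
            q.popleft()

    def handle(self, ts, event_id, account, src):
        """Process one event as it arrives; return the responses taken for it."""
        actions = []
        self._expire(src, ts)
        if event_id == FAILED_LOGON:
            self.failures[src].append(ts)
            if len(self.failures[src]) >= FAILURE_THRESHOLD and src not in self.blocked_ips:
                self.blocked_ips.add(src)
                actions.append(("block_ip", src))
                self.alerts.append(f"{ts.isoformat()} brute force from {src}")
                actions.append(("alert", self.alerts[-1]))
        elif event_id == LOGON_SUCCESS:
            # A success from a source we just blocked means the guessing worked:
            # disable the account until someone looks at it.
            if src in self.blocked_ips and account not in self.disabled_accounts:
                self.disabled_accounts.add(account)
                actions.append(("disable_account", account))
        return actions


def run(log_text=SAMPLE_LOG):
    """Feed the log through the correlator and return every response taken."""
    correlator = Correlator()
    taken = []
    for line in log_text.splitlines():
        if line.strip():
            taken.extend(correlator.handle(*parse_line(line)))
    return taken


if __name__ == "__main__":
    for action in run():
        print(action)
```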

Stay proactive, stay vigilant!!


Posted by Bronx Apr 8, 2013

I would love nothing better than to explain the virtues of Lever 2000 (Original), or discuss the 1970's sitcom, but alas, this rant will be about the computer version of SOAP.


What is SOAP?

From Wikipedia, "SOAP, originally defined as Simple Object Access Protocol, is a protocol specification for exchanging structured information in the implementation of Web Services in computer networks. It relies on Extensible Markup Language (XML) for its message format, and usually relies on other Application Layer protocols, most notably Hypertext Transfer Protocol (HTTP) or Simple Mail Transfer Protocol (SMTP), for message negotiation and transmission."


In English

SOAP is something used so that multiple computers can talk to one another and exchange information.


What are SOAP's characteristics?

From Wikipedia, "SOAP can form the foundation layer of a web services protocol stack, providing a basic messaging framework upon which web services can be built. This XML based protocol consists of three parts: an envelope, which defines what is in the message and how to process it, a set of encoding rules for expressing instances of application-defined datatypes, and a convention for representing procedure calls and responses. SOAP has three major characteristics: Extensibility (security and WS-routing are among the extensions under development), Neutrality (SOAP can be used over any transport protocol such as HTTP, SMTP, TCP, or JMS) and Independence (SOAP allows for any programming model). As an example of how SOAP procedures can be used, a SOAP message could be sent to a web site that has web services enabled, such as a real-estate price database, with the parameters needed for a search. The site would then return an XML-formatted document with the resulting data, e.g., prices, location, features. With the data being returned in a standardized machine-parsable format, it can then be integrated directly into a third-party web site or application."

In English

SOAP is like an HTML-based communication system that delivers and receives messages/instructions.


SOAP Example

From Wikipedia:

    POST /InStock HTTP/1.1
    Content-Type: application/soap+xml; charset=utf-8
    Content-Length: 299
    SOAPAction: ""

    <?xml version="1.0"?>
    <soap:Envelope xmlns:soap="">
      <m:GetStockPrice xmlns:m="">


In English

The following header of the example gives instructions on where to go and how to get there:

POST /InStock HTTP/1.1 - What are we doing and how are we going to get somewhere? (POSTing using HTTP).

Host: - Where we're going. (

Content-Type: application/soap+xml; charset=utf-8 - What format will the content be in? (XML).

Content-Length: 299 - How large is the content? 299.

SOAPAction: "" - The action SOAP is based on.


The body. Essentially, this XML snippet goes to a website that provides stock prices and asks for the price of IBM, as shown between the Body tags.

    <?xml version="1.0"?>
    <soap:Envelope xmlns:soap="">
      <m:GetStockPrice xmlns:m="">

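To tie the header walk-through and the body walk-through together, here is an added example (not from the post or from Wikipedia) that parses a complete SOAP 1.2 request of the InStock shape and checks the points the walk-through names: the POST method, the Content-Type, the Content-Length, and the single operation inside the Body. The request text is constructed; the soap namespace is the real SOAP 1.2 envelope namespace URI, while the host and the "stock" namespace are placeholders.

```python
"""Parse and sanity-check a SOAP 1.2 request like the InStock example above.

Added example, not from the post or from Wikipedia. The request text is
constructed: SOAP_ENV is the real SOAP 1.2 envelope namespace URI, while
the host and STOCK_NS are placeholders.
"""
import xml.etree.ElementTree as ET

SOAP_ENV = "http://www.w3.org/2003/05/soap-envelope"
STOCK_NS = "http://www.example.org/stock"          # placeholder namespace

SAMPLE_BODY = (
    '<?xml version="1.0"?>\n'
    f'<soap:Envelope xmlns:soap="{SOAP_ENV}">\n'
    "  <soap:Header>\n"
    "  </soap:Header>\n"
    "  <soap:Body>\n"
    f'    <m:GetStockPrice xmlns:m="{STOCK_NS}">\n'
    "      <m:StockName>IBM</m:StockName>\n"
    "    </m:GetStockPrice>\n"
    "  </soap:Body>\n"
    "</soap:Envelope>\n"
)

SAMPLE_REQUEST = (
    "POST /InStock HTTP/1.1\r\n"
    "Host: www.example.org\r\n"
    "Content-Type: application/soap+xml; charset=utf-8\r\n"
    f"Content-Length: {len(SAMPLE_BODY.encode('utf-8'))}\r\n"
    'SOAPAction: ""\r\n'
    "\r\n"
    + SAMPLE_BODY
)


class SoapError(ValueError):
    """Raised when the request is not a well-formed SOAP-over-HTTP call."""


def split_request(raw):
    """Split an HTTP request into (method, path, headers, body)."""
    head, _, body = raw.partition("\r\n\r\n")
    request_line, *header_lines = head.split("\r\n")
    method, path, _version = request_line.split(" ")
    headers = {}
    for line in header_lines:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return method, path, headers, body


def parse_envelope(body):
    """Return (operation namespace, operation name, parameters) from the Body."""
    # A SOAP message has no business declaring entities; refusing DOCTYPE up
    # front keeps entity-expansion tricks away from the XML parser.
    if "<!DOCTYPE" in body:
        raise SoapError("DOCTYPE is not allowed in a SOAP message")
    root = ET.fromstring(body)
    if root.tag != f"{{{SOAP_ENV}}}Envelope":
        raise SoapError("root element is not a SOAP 1.2 Envelope")
    soap_body = root.find(f"{{{SOAP_ENV}}}Body")
    if soap_body is None or len(soap_body) != 1:
        raise SoapError("expected exactly one operation element in Body")
    op = soap_body[0]
    if op.tag.startswith("{"):                    # ElementTree writes {ns}name
        namespace, _, name = op.tag[1:].partition("}")
    else:
        namespace, name = "", op.tag
    params = {child.tag.rpartition("}")[2]: (child.text or "").strip() for child in op}
    return namespace, name, params


def parse_soap_request(raw):
    """Validate the HTTP layer the walk-through describes, then parse the envelope."""
    method, path, headers, body = split_request(raw)
    if method != "POST":
        raise SoapError("SOAP over HTTP uses POST")
    if not headers.get("content-type", "").startswith("application/soap+xml"):
        raise SoapError("Content-Type is not application/soap+xml")
    if int(headers.get("content-length", -1)) != len(body.encode("utf-8")):
        raise SoapError("Content-Length does not match the body")
    namespace, name, params = parse_envelope(body)
    return {"path": path, "namespace": namespace, "operation": name, "params": params}


if __name__ == "__main__":
    print(parse_soap_request(SAMPLE_REQUEST))
```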

Alert Central packs a lot into a free package, letting you know which issues are affecting your systems and when. To accomplish this, SolarWinds Alert Central uses icons that show alert status, that is, how close the alert's issue is to being resolved.


Out of the box, the Alert Central Alerts dashboard displays four different types of alerts, in the following order:

  1. Triggered – A Triggered alert uses a red icon with an exclamation point. This icon indicates an alert that is brand new to Alert Central: it does not match any existing source in Alert Central and has not yet been accepted into the system. At this point, the Alert Central System Administrator can acknowledge the alert and add its source to Alert Central.
  2. Acknowledged – An Acknowledged alert uses a blue icon showing a person at work. This icon means that the Alert Central Administrator has accepted this alert into Alert Central. To accept the alert into the system, the Administrator must enter the alert’s source (the system that created the alert in the first place) into Alert Central. The Alert Central Administrator also defines whether Alert Central assigns or trashes alerts from this source.
  3. Notified – A Notified alert uses an orange icon with a flame in it. This icon shows that an individual or group has received an email or SMS text about this alert and is working towards resolution right now.
  4. Closed – A Closed alert uses an icon with a gray X inside it. This icon indicates the alert’s issue is resolved. The alert is no longer active in Alert Central. A Closed alert can, however, be reopened if needed.


Alerts are just part of Alert Central’s functionality. Other functions include on-call scheduling, at-a-glance alert status, and automated alert escalation. For more information on how Alert Central can help you prioritize, assign, and resolve system issues, see the Alert Central website.

Many times during the evaluation process, we are asked if we can provide any kind of help with the financial justification of an investment in Network Performance Monitor. Companies of all sizes can build a strong business case for investing in network management and monitoring software while experiencing a strong return-on-investment (ROI), improved data analysis and reporting, and reduced network downtime.


As a result of these requests, we have built an easy-to-use ROI calculator that allows you to enter information specific to your infrastructure and then generate a custom ROI report that even your CFO will love.


Here’s how it works:


Network Overview


Simply enter your total number of interfaces, nodes, and volumes that you wish to monitor.  The calculator will automatically select the correct NPM license.


Annual Cost of Network Management


Here you will tell the calculator how many IT employees you have focused on network management, what their average annual loaded cost is, and how much of their time is dedicated to network monitoring.  This information will provide the salary cost of your network management and monitoring.


Annual Cost of Network Downtime


Tell it what the average monthly downtime is, the percent of employees that are affected by system downtime, what the impact to those affected employees’ productivity is, and lastly if there is any impact of network downtime on revenue.  You may see this last one if you rely heavily on e-commerce or have a sales floor that would be negatively impacted by network downtime.


Annual Savings from Productivity Improvements by Deploying NPM


Estimate what you think your productivity improvement will be by implementing a network management system as well as the estimated percentage reduction in network downtime.


Company Information


This is the basic information about your company that will allow the calculator to estimate the ROI:  annual revenue, number of employees, total yearly business hours, effective tax rate, and your weighted average cost of capital.




The ROI calculator will automatically graph an estimated cost benefit analysis based on your information and the projected cost of your implementation.  It will even create a table with your discounted cumulative net cost savings, net present value, internal rate of return, and payback period.


If you like what you see, then you can download the free report along with a formal quotation and an overview of NPM that can be used as part of your business justification to your manager.


You can check out the ROI calculator for yourself here.

We are overloaded: Overloaded with information, heavy workloads, and complicated home lives. We mean well but often find ourselves distracted, depleted, and frustrated. We know what we want but often lack the insight into how to get it or when to act. Of all the options for helping us deal with our overload, I find meditation the most powerful and effective tool for dealing with the demands of our modern day world.


Meditation offers many powerful benefits

  • Decrease stress
  • Help regulate emotions
  • Improve ability to learn new behaviors or change old habits
  • Increase ability to resist impulses and distractions
  • Increase calm and focus


Personal testimony and scientific study confirm the value of meditation. So, why doesn't everyone meditate? The most common excuse is not enough time. But in reality, meditating just 5 minutes a day can reap tremendous benefit.


Simple 5 minute meditation

Set your timer for 5 minutes. Sit in a position where you can be comfortable and still for 5 minutes. Close your eyes and begin focusing on your breath. Try to increase the inhale and the exhale. Let your body relax. Keep watching your breath. If your mind wanders, bring your attention back to the breath. If you have an urge to move or scratch, stay still and bring your attention back to the breath. When your timer goes off, take a deep inhale and exhale, and slowly open your eyes.


Just do it!

Don't think you can meditate once and get all the goodies. Meditation is a practice, and your ability to stay calm and focused increases over time. Just sitting still for 5 minutes a day can be a tremendous challenge. The key to success is consistency! The amount of time you take to meditate or the quality of your meditation doesn't matter nearly as much as doing it every day. Consistently training your mind and body to stay calm and focused is the key to success when it comes to meditation. No matter what, just meditate for 5 minutes every day.


Reap the benefits

When we face our challenges with stronger will, deeper focus, and increased calm, we can better know what needs to be done and how to do it. We are less distracted and waste less time on irrelevant or diversionary tasks leaving more time and energy to face our challenges and deadlines. Try a 30-day challenge. There is nothing to lose and great benefit to gain.


Network overload

Now, maintaining an uncluttered mind takes personal conviction and daily practice, but cluttered networks are more easily addressed with network monitoring tools.

How to enable file auditing in Windows

After you have installed and configured your SolarWinds Log & Event Manager Agents, optimize your SolarWinds LEM deployment by tuning Windows to log the specific events you want to see in your SolarWinds LEM Console and store in your SolarWinds LEM database. Use the recommendations below to get started with this tuning process.

To enable auditing of object access in the local security policy:

  1. Open Administrative Tools > Local Security Policy.
  2. Expand Local Policies and click Audit Policy in the left pane.
  3. Select Audit object access in the right pane, and then click Action > Properties.
  4. Select Success and Failure.
  5. Click OK.
  6. Close the Local Security Policy window.



To enable file auditing on a file or folder in Windows:

  1. Locate the file or folder you want to audit in Windows Explorer.
  2. Right-click the file or folder and then click Properties.
  3. Click the Security tab.
  4. Click Advanced.
  5. Click the Auditing tab.
  6. If you are using Windows Server 2008, click Edit.
  7. Click Add.
  8. Enter the name of a user or group you want to audit for the selected file or folder, and click Check Names to validate your entry. For example, enter Everyone.
  9. Click OK.
  10. Select Success and Failure next to Full control to audit everything for the selected file or folder.
  11. Optionally, clear Success and Failure for unwanted events, such as:
    • Read attributes
    • Read extended attributes
    • Write extended attributes
    • Read permissions
  12. Click OK in each window until you are back at the Windows Explorer window.
  13. Repeat these steps for all files or folders you want to audit.
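Once object access auditing is on and the folder carries a Full control audit entry, Windows writes event 4663 for each access, and its Access Mask field says which rights were exercised. The four rights that step 11 suggests un-ticking are single bits in that mask, so the same trimming can also be applied when the events are collected. This is an added example, not part of the SolarWinds documentation; the event records are constructed, and the bit values are the documented Windows file access rights.

```python
"""Drop noisy object-access (event 4663) records by access mask.

Added example, not SolarWinds code. The records in SAMPLE_EVENTS are
constructed; the ACCESS_MASK bit values are the documented Windows file
access rights.
"""

# Windows file access rights (ACCESS_MASK bits) relevant to event 4663.
FILE_ACCESS_RIGHTS = {
    0x00001: "ReadData/ListDirectory",
    0x00002: "WriteData/AddFile",
    0x00004: "AppendData/AddSubdirectory",
    0x00008: "ReadEA",            # read extended attributes
    0x00010: "WriteEA",           # write extended attributes
    0x00020: "Execute/Traverse",
    0x00040: "DeleteChild",
    0x00080: "ReadAttributes",    # read attributes
    0x00100: "WriteAttributes",
    0x10000: "DELETE",
    0x20000: "READ_CONTROL",      # read permissions
    0x40000: "WRITE_DAC",         # change permissions
    0x80000: "WRITE_OWNER",       # take ownership
}

# The rights step 11 lists as usually unwanted: read attributes, read and
# write extended attributes, read permissions.
NOISE_MASK = 0x00080 | 0x00008 | 0x00010 | 0x20000

# Rights that deserve attention even on a single event.
HIGH_RISK_MASK = 0x10000 | 0x40000 | 0x80000

# Constructed 4663 records, reduced to the fields the filter needs.
SAMPLE_EVENTS = [
    {"user": "jsmith",     "object": r"D:\Finance\payroll.xlsx", "mask": 0x00080},
    {"user": "jsmith",     "object": r"D:\Finance\payroll.xlsx", "mask": 0x20080},
    {"user": "jsmith",     "object": r"D:\Finance\payroll.xlsx", "mask": 0x00002},
    {"user": "svc_backup", "object": r"D:\Finance\payroll.xlsx", "mask": 0x00001},
    {"user": "contractor", "object": r"D:\Finance\payroll.xlsx", "mask": 0x10080},
    {"user": "contractor", "object": r"D:\Finance",              "mask": 0x40000},
]


def decode_mask(mask):
    """Return the names of the rights set in an access mask."""
    return [name for bit, name in FILE_ACCESS_RIGHTS.items() if mask & bit]


def is_noise(mask):
    """True when every bit set in the mask is one of the noise rights."""
    return mask != 0 and (mask & ~NOISE_MASK) == 0


def triage(events):
    """Split events into (dropped, kept).

    Kept rows carry the decoded rights and a severity, so the SIEM can
    alert on deletes and permission changes while still storing reads
    and writes of the audited file.
    """
    dropped, kept = [], []
    for ev in events:
        if is_noise(ev["mask"]):
            dropped.append(ev)
            continue
        severity = "high" if ev["mask"] & HIGH_RISK_MASK else "info"
        kept.append({**ev, "rights": decode_mask(ev["mask"]), "severity": severity})
    return dropped, kept


if __name__ == "__main__":
    dropped, kept = triage(SAMPLE_EVENTS)
    print(f"dropped {len(dropped)} noise events")
    for ev in kept:
        print(ev["severity"], ev["user"], ev["object"], ev["rights"])
```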

Web application uptime is critical to any organization. Whether applications are accessed from inside or outside the firewall, they need to be up and running all the time. So it is critical to proactively monitor availability and response time from one or more locations at all times, and to isolate issues before your users notice them.

So, how do you do that? With the right monitoring software in place to:


  • Test Web app performance after a change is made
  • Determine when Website performance is trending poorly
  • Pinpoint Web app performance bottlenecks


It’s also imperative to monitor the availability and responsiveness of websites and Web applications from inside the firewall or external-facing applications from multiple locations.


Finding the Root Cause of a Slow Transaction

Let’s take the example of a website that’s experiencing delays or is slow to load or respond. How do we find the source of this issue?


Step 1: You need to be able to receive real-time alerts on website response time. Set up a high-level alert like: 

  • Web page is not loading
  • Website transaction has failed
  • Slow response time



Then you can drill down to find more specific conditions that triggered the alert. Alerts tell you there is a problem.


Step 2: Compare the scenario of the alert with predefined baseline performance.

For successful website monitoring, you should first define baseline performance metrics so that when there’s a problem, you can compare poor performance against the baseline to gauge severity and isolate the fault. Use baseline metrics to locate the problem.



Step 3: Look at the historical performance of the Web page to identify which of the page elements – HTML, script, images, CSS, etc. – deviate from the standard performance. Analyzing the individual page elements and identifying the one causing the delay will give you the source or root cause of your issue. Analyze historical performance to identify the source of the issue.

[Screenshot: Web Performance Monitoring]


The buck doesn’t stop here. You also need to test the effects of changes to your website from the end-user’s perspective, as well as from multiple locations. This will let you measure performance as experienced by end-users in different locations.


Website performance monitoring is easy with the right tools. Try a free 30-day trial of SolarWinds Web Performance Monitor to easily track and monitor response time for all of your websites and Web applications, while proactively monitoring performance from your end-users’ point of view.

Download free evaluation today!



Hosting providers, like OrcsWeb, have multiple global clients who require updates at discrete times.  For example, many of OrcsWeb’s clients have web farms and SQL clusters that need to be patched on a staggered basis. “When you’re patching hundreds of servers, it’s important to spread servers across the maintenance window to reduce the workload on the backend infrastructure. Patching everything at once could lead to a boot storm or similar situation,” said Jeff Graves, Director of Technology, OrcsWeb. “We could have tried to manage this with group policy, but Active Directory and our Organizational Unit structure make it difficult to manage patching,” Graves said.


OrcsWeb was using Shavlik’s patch product, now part of VMware, but was not successful in deploying updates to certain servers, and there were a lot of false positives with the VMware product.  There were also problems with the timing of reboots, caused by the Shavlik scheduler.  For instance, a patch would be deployed on a Saturday and then the server would be rebooted on Monday.  When Shavlik was acquired by VMware, the price of the product went up by 50%, and after 18 months of using Shavlik, OrcsWeb chose SolarWinds managed service provider software for its patching needs.


Now OrcsWeb can patch 200 servers per hour with SolarWinds Patch Manager.  OrcsWeb chose SolarWinds for its ability to centrally deploy updates at discrete times.  Updates are scheduled for the Saturday after Patch Tuesday, with a second maintenance window on Sunday between 3 and 8 a.m.

by Jennifer Kuvlesky

The first of its kind in a US municipality, the Domain Awareness System (DAS) is a pilot program (operational since 2012) that adapts high-availability enterprise computing and the Network Operations Center (NOC) model to city law enforcement. All the technology is from Microsoft.


Each 911 call in the city automatically sends an alert to NYPD officers in the vicinity, activates any of the thousands of street-level cameras that are within 500 feet of the alert, and displays footage from each relevant camera's last 30 seconds on screen(s) in a wall-size command center events board. Responding and command center officers access maps, city and state records on crime patterns and any other needed data in real time from integrated city databases. As the Associated Press describes it, "The system uses hundreds of thousands of pieces of information. Security camera footage can be rewound five minutes so that officers can see suspects who may have fled. Sensors pick up whether a bag has been left sitting for a while. When an emergency call comes in, officers can check prior 911 calls from that address to see what they might be up against."


In a typical enterprise system the technical components of the customer-facing services are tied into integrated alerting and monitoring components. Activity within the overall system simultaneously meets the needs of end users and tells operators when something goes wrong.


DAS is a double NOC: it tells on duty police officers when and where something is going wrong in the city while also telling technical personnel when and where something is going wrong with the system itself.


Integrating your Monitoring Systems

I’ll say more about DAS and its implications in another article. Here I want to point out the importance of an integrated approach to monitoring the critical components of your production systems. Ideally, your view of one component (for example, storage) would be one facet of an overall integrated view.


The key to integrated monitoring is choosing tools that integrate with each other and interoperate well. Within network monitoring, for example, you might need to see all the nodes on your network, what users are connected through which switches and to which endpoints, and how those connections help explain current trouble with traffic flow you are analyzing. SolarWinds networking products provide both the type and granularity of monitoring you would need to do those things.

Storage Manager lists the ports required to monitor and maintain your storage environment. Checking port availability before using Storage Manager can help save time and aggravation.


Checking if required ports are available


The example below shows how to investigate availability for port 162.


1. Open an administrator command prompt.

2. Run: netstat -ano | find "162"

3. If port 162 or 10162 is in use, the process ID is in the last column.

4. Open Task Manager, go to the Processes list, and sort the list by PID (if the column is not shown, add it from View > Select Columns).

5. Check which process is using the port and resolve the conflict.

Many ports used by Storage Manager are configurable. Check the port requirements page for details.
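The find "162" in step 2 matches that string anywhere on a line, so a port such as 1620, an address ending in .162, or a PID containing 162 all show up alongside the real hits. As an added example (not from the Storage Manager documentation), here is a parser for the netstat -ano table that compares the local port as a number; the netstat output it runs on is constructed.

```python
"""Find which process holds a port from netstat -ano output.

Added example, not from the Storage Manager documentation. SAMPLE_NETSTAT
is constructed output in the Windows netstat -ano layout; note that UDP
rows have no State column.
"""

SAMPLE_NETSTAT = """\
Active Connections

  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       880
  TCP    0.0.0.0:445            0.0.0.0:0              LISTENING       1162
  TCP    0.0.0.0:1620           0.0.0.0:0              LISTENING       3344
  TCP    192.0.2.162:49152      198.51.100.9:443       ESTABLISHED     5120
  TCP    [::]:162               [::]:0                 LISTENING       4016
  UDP    0.0.0.0:162            *:*                                    4016
  UDP    0.0.0.0:10162          *:*                                    4016
"""


def parse_netstat(text):
    """Return (proto, local, foreign, state, pid) rows; state is '' for UDP."""
    rows = []
    for line in text.splitlines():
        parts = line.split()
        if not parts or parts[0] not in ("TCP", "UDP"):
            continue                       # banner, header or blank line
        proto, local, foreign = parts[0], parts[1], parts[2]
        state = parts[3] if len(parts) == 5 else ""
        pid = int(parts[-1])
        rows.append((proto, local, foreign, state, pid))
    return rows


def local_port(addr):
    """Port number from '0.0.0.0:162' or '[::]:162'."""
    return int(addr.rpartition(":")[2])


def processes_on_port(text, port):
    """Sorted (proto, pid) pairs bound to exactly the given local port."""
    hits = {(r[0], r[4]) for r in parse_netstat(text) if local_port(r[1]) == port}
    return sorted(hits)


def naive_find_matches(text, needle):
    """What the find "162" pipeline prints: every line containing the text."""
    return [line for line in text.splitlines() if needle in line]


if __name__ == "__main__":
    print("exact port 162:", processes_on_port(SAMPLE_NETSTAT, 162))
    print("lines find would print:", len(naive_find_matches(SAMPLE_NETSTAT, "162")))
```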


If you see the following error message in your Storage Manager log files, you might have a port conflict:

ERROR [TrapsRunnable] [SnmpTrapsCollector.<init>] - Unrecognized Windows Sockets error: 0: Cannot bind Unrecognized Windows Sockets error: 0: Cannot bind

This error appeared when no events were being received for any agents. The error message was found in the Event Receiver log and indicates a conflict on port 162, which is used by the Event Receiver service. See the KB article Events Not Showing for All Agents for details and resolution.

Working closely with IT security admins, I sense that almost everyone wants to ensure confidentiality, integrity and security. But why? More and more organizations are realizing that they are vulnerable to disruption in security operations and confidential information breaches. Of course, not to miss out on the ever-growing task of managing compliance!!

But at certain times, compliance is seen as just another specification to consider. It’s like saying my primary job at work is just to be present. Feels a little exaggerated? That’s OK, as long as you understand that there’s more to it. Irrespective of the size of the organization, managing compliance is critical across industries ranging from healthcare and financial services to government. Staying in line with IT compliance regulations such as PCI DSS, GLBA, SOX, NERC CIP, and HIPAA requires businesses to protect, track, and control access to and usage of sensitive information.

Alright, so this is how it looks. Say, you want to ensure SOX compliance, then your internal audit committee needs readily available log information on certain sections. SOX Sections 302, 404, and 409 require monitoring and logging of network, account, user and database activities. Now, if you need to be PCI DSS compliant, it means that your systems are deemed secure by a third party, and customers can trust you with their sensitive payment card information. The PCI DSS contains 12 requirements grouped into six areas: build and maintain a secure network, protect cardholders, maintain a vulnerability management program, implement strong access control measures, monitor and test networks, and maintain an information security policy.

Similarly, the core of HIPAA compliance is to ensure protection of patient and employee data, while giving access to the right persons at the right times to do their day-to-day tasks.  Failure to comply with new regulations carries serious consequences for healthcare providers, including criminal sanctions, civil sanctions, financial fines and even possible prison sentences. The guidelines on violations include up to $1.5 million in penalties for breaches.

So, does this mean your sources of threats are completely internal? Well, internal threats are just one side of the coin. You have to guard against external threats as well. For instance, databases are increasingly becoming targets for hackers, which has made information security compliance management one of the most important drivers for security investments. You need visibility into and protection of both security and compliance, and protection of your data. To ensure this, you need to collect and consolidate log data across the IT environment and correlate events from multiple devices in real time.

With the help of event logs, a typical Security Information and Event Management (SIEM) tool will help you monitor the activities from different applications or devices for internal & external threats and assist in fraud detection. But vulnerability still exists.


For more comprehensive SIEM capabilities, you should check out SolarWinds Log and Event Manager (LEM). It combines real-time log analysis, event correlation, and a groundbreaking approach to IT search to deliver the visibility, security, and control you need to overcome everyday compliance challenges.

Comments Needed!

Posted by Bronx Apr 2, 2013

If you've been a SolarWinds customer, even for a short time, then you've no doubt realized that we move at breakneck speed while continuing to evolve. Our Help system is no exception to this fast paced evolution. Currently, the InfoDev team, including myself, is exploring various new methods of providing documentation to you, the user. (It's not as boring as it sounds.)


Help with Help

My little team down here in the dungeon has come up with some interesting ideas to make life easier for you. Although I cannot promise anything, some improvements may include the following:

  • A more responsive Help system
  • Graphics that better illustrate where things are
  • Videos that demonstrate key tasks
  • A place for users to provide visible feedback on each Help page so they in turn can help other users
  • A "How To..." section that demonstrates real world examples of how to actually do something useful

That last bullet point is where you come in. To keep the pace running smoothly in eighth gear, I have some questions for you. The following are example questions. Feel free to answer any or all of them. Go off-roading and answer your own questions if you like! The bottom line is, we're looking for "How To..." questions and answers. Below are just some examples, but add to the list if you can.


Customizing SAM:

  • How have you customized SAM to make your job easier?
    • Creating a Custom View that works for you. What makes your approach efficient/unique?
    • Custom scripts – how you’ve implemented them and why. How does your custom script simplify your life? What does it do?
    • Do you use SAM to trigger third-party apps? If so, which ones and why? How does this help in your environment?
    • Do you use Groups? If so, how are objects grouped in your environment and why?
    • What other SW products do you integrate SAM with and how do you use them together?


The more questions we get with answers, the more valuable the next version of Help will be. And, if it's alright with you, we'll stick'm in the Admin Guides. (You'll be famous! - in a geeky sorta way.)

There is a lot of hype about Big Data, and it helps to develop some perspective. This blog talks about why Big Data is happening, whether Network Managers should care, and what should be done. Interestingly, it is the network management tool that will help you.

Here's a myth: Big Data is an uncontrollable monster that has popped suddenly out of nowhere and no one knows what to do about it. It's like people said a few decades ago, "Oh my, TV will have 400 channels! What will we do!" Sigh.

The truth: Big Data is a reality that stems from the technical advances we have made since the 1960s. Moore's law states that hardware power (including CPU processing power and hard disk storage) has been doubling every 18 months, and this is likely to continue till 2020. This means a computer which had a memory of 1 KB now has a memory of 1 GB. As more resources become available, we generate more and more data to fill the space - Parkinson's law. No wonder data creation is doubling every 18 months. Technology should be able to deal with it and get the most out of it. There is no need to panic; SolarWinds will help you solve your problem and, as always, we will not make a huge noise about it.

Why should Network Managers care

Data and hardware are only doubling, but network capacity and complexity are almost tripling every 18 months. This is because as hardware power doubles, network capacity and complexity needs to more than double to keep up with the usage. Know that if your network capacity today is 50 Mbps, it will be 150 Mbps in the next 18 months and 4500 Mbps after 18 more months. It is the network management tool that becomes a bottleneck, not the hardware and certainly not the data creation ability. One of the secret sauces to your Big Data recipe is a network management tool that scales in a very short period of time.

[Image: network management and Moore's law]

Reference: Network Management Fundamentals, Alexander Clemm Phd, Cisco Press

Network management tool selection criteria

Let us see what parameters you need to keep in mind while investing in a network management product. I have given examples of how we at SolarWinds built Orion NPM to deal with scale in a very short span of time. All you need to do is buy more polling engines and NPM will do the rest for you. I strongly encourage you to look at other competitors to see if they can give you the right scale in the right time for the right price.


First, will the tool be able to scale to three times its current size in 18 months? Some tools need large sales, configuration and training cycles spanning many months.

Second, do the scale-related features of the tool support the following?

Scaling aspect | Analogy to the party example from the earlier blog | What it means | Example: how NPM does it
Operational concurrency | Serving different items on the menu simultaneously instead of one after the other | Maximizing communication concurrency to maximize management operations throughput, e.g. sending requests and responses simultaneously | Parallel processing of input data
Event propagation | Quick response time to refill a glass when the drink runs out | Allowing events to propagate and update the system as quickly as possible | The summary page is auto-refreshed and the message center allows searching and filtering of events
 | Using a larger tray to serve drinks | Access and manipulate large chunks of data | Bulk response collection
Distribution and addressing | Using multiple trays to serve drinks simultaneously by more helpers | Allow processing to be distributed across multiple servers | Uses multiple parallel polling engines

Table: Aspects to consider in network management software to keep up with Moore’s law

And third, how does the tool define the scale it can handle? For example: what does it mean to support millions of objects? What is an object? Is it a device, an interface, a Boolean state? How often will these objects be synchronized with the network resources? What type of hardware does the application need to run? Here are some basic questions we need to consider:

  1. Management operations throughput: What type of operation can be performed, of what complexity, on which type of object per unit time?
  2. Event throughput: What is the maximum throughput that can be achieved per unit time in which scenario (receipt of events, processing of data)?
    • NPM has an event throughput of 700-1000 messages per second
  3. Network synchronization capacity: How many network objects can the application synchronize with per unit of time?
    • NPM processes up to 12K elements within a two-minute standard polling interval and 10 minutes of statistics data collection



In conclusion, it is important to know exactly how your network will scale in future and how soon. Just having a general idea that it will scale is not enough. Big Data is not a sudden reality. As Network Managers we need to prepare for it, and we need to be very careful about choosing the right network management tool, or else it will become a bottleneck. We at SolarWinds would love to hear your thoughts. Tell us about other scaling parameters that you considered while buying NPM or any other tool. Why were they important to you?
