
Product Blog


We’re excited to introduce Network Insight™ for Palo Alto firewalls! This is the fourth Network Insight feature, and we’re building these in direct response to your feedback about the most commonly deployed devices and the most common operational tasks you manage.

 

Network Insight features are designed to give you tools specific to the more complex and expensive special-purpose devices in your network infrastructure. While the bulk of your network consists of routing and switching devices, the more specialized equipment at the edge requires monitoring and visibility beyond the standard SNMP-modeled metrics we’re all familiar with.

 

So, what kinds of visibility are we talking about for Palo Alto firewalls?

 

The Palo Alto firewall is zone-based, with security policies that describe the allowed or denied connectivity between zones. So, we’ll show you how we capture and present those security policies. We’ll show you how we can help you visualize application traffic conversations between zones, to help you understand how policy changes can affect your clients. Another critical function of the Palo Alto firewall is securing communications between sites and providing secure remote access to clients. We’ll show you how to see your site-to-site VPN tunnels and manage GlobalProtect client connections.

 

Managing Security Policies

 

Palo Alto firewalls live and die on the effectiveness of their security policies to control how they handle network traffic. Policies ensure business processes remain unaffected and perform optimally, but unintentional or poorly implemented policies can cause widespread network disruption. It’s critical for administrators to monitor not only the performance of the firewall, but the effect and accuracy of the policy configuration as well. Because these policies are living entities, continually modified and adjusted as network needs evolve, the impact and context of a change may be missed and difficult to recover. This is why, in Network Insight for Palo Alto, Network Configuration Manager (NCM) brings some powerful features to overcome these pitfalls:

  • Comprehensive list view of security policies
  • Detailed view into each policy and its change history
  • Usage of a policy across other Palo Alto nodes managed by NCM
  • Policy configuration snippets
  • Interface configuration snippets
  • Information on applications, addresses, and services

 

Once the Palo Alto config is downloaded and parsed, the policy information will populate the Policies List View page. This page is intended to make it easier to search through and identify the right security policy from a potentially long list, using configurable filtering and searching. The list view provides each policy’s name, action, zones, and last change. Once the correct policy is identified, users can drill down into each one to see the composition and performance of each policy.

 

The policy details page summarizes the most critical information and simplifies the workflow to understand if a policy is configured and working as intended. You can review the basic policy details, as well as the policy configuration snippet and review the object groups composed into the policy. Admins will be able to quickly analyze if additional action is required to resolve an issue or optimize the given policy.

 

 

Some policies are meant to extend across multiple firewalls, and without a view of this, it’s easy to lose context about the effectiveness of your policy. Network Insight for Palo Alto analyzes the configuration of each firewall to identify common security policies and display their status. As an administrator, this lets you confirm whether your policies are being correctly applied across the network and take action if they’re not. If you want more continuous monitoring of a policy standard, you can also leverage a policy configuration snippet as a baseline for all Palo Alto nodes.
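The baseline idea boils down to checking that a known-good snippet appears in every node’s config. Here’s a minimal sketch of that check (not NCM’s implementation; the policy text and node names are made up):

```python
# Illustrative sketch: treat a policy configuration snippet as a
# baseline and report which firewall configs contain every line of it.

def is_compliant(baseline: str, config: str) -> bool:
    """Return True if every non-blank baseline line appears in the config."""
    config_lines = {line.strip() for line in config.splitlines()}
    return all(
        line.strip() in config_lines
        for line in baseline.splitlines()
        if line.strip()
    )

def audit(baseline: str, configs: dict) -> dict:
    """Map node name -> compliance with the baseline snippet."""
    return {node: is_compliant(baseline, cfg) for node, cfg in configs.items()}

baseline = "set rulebase security rules Allow-Web action allow"
configs = {
    "fw-hq": "set rulebase security rules Allow-Web action allow",
    "fw-branch": "set rulebase security rules Allow-Web action deny",
}
print(audit(baseline, configs))  # {'fw-hq': True, 'fw-branch': False}
```

In NCM, the equivalent is a configuration baseline or compliance policy applied to all Palo Alto nodes; the sketch just shows the shape of the comparison.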

 

 

With any configuration monitoring and management, it’s critically important to be able to provide some proof of compliance for your firewall’s configuration. With Network Insight, you can track and see the history of changes to a policy and provide tangible evidence of events that have occurred. Of course, this also supports the ability to immediately run a diff of the configs where this change took place, by simply clicking the “View diff” button.

 

 

VPN Tunnel Monitoring, Finally

 

How do you monitor your VPN tunnels today? We asked you this question a lot as we started to design this feature. The most common response was that you’d ping something on the other end of the tunnel. That approach has a number of challenges. The device terminating the VPN tunnel rarely has an IP address included in the VPN tunnel’s interesting traffic that you can ping, so you have to ping something past the VPN tunnel device, usually some server. Sometimes the company at the other end of the tunnel intentionally has strict security and doesn’t allow ping. If they do allow ping, you have to ask them what to ping. If that thing goes down, monitoring says the tunnel is down, but it might be the device that’s down, not the tunnel. All this adds work. It’s all manual, and companies can have hundreds, thousands, or more VPN tunnels. Worst of all, it doesn’t work very well. It’s just up/down status. When a tunnel is down, why is it down? How do you troubleshoot it? When a tunnel is up, how much traffic is it carrying? When’s the last time it went down?
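The manual approach described above looks roughly like this in practice (all tunnel names and IPs are hypothetical, and the ping is stubbed to simulate one unreachable target):

```python
# Sketch of ping-based tunnel "monitoring": each tunnel needs a
# hand-picked target host on the far side, and a failed ping can't
# distinguish "tunnel down" from "target host down."

TUNNEL_TARGETS = {
    "branch-atlanta": "10.20.0.5",    # some server past the tunnel
    "partner-acme":   "172.16.9.10",  # host the partner agreed to let us ping
}

def ping(ip: str) -> bool:
    """Stub; in practice you'd shell out to ping or send ICMP directly."""
    return ip != "172.16.9.10"  # simulate one unreachable target

def check_tunnels() -> dict:
    # Up/down is all we get: no phase-1/phase-2 detail, no bandwidth.
    return {name: ("up" if ping(ip) else "down?")
            for name, ip in TUNNEL_TARGETS.items()}

print(check_tunnels())
```

Note the question mark on "down?": when the ping fails, you still don’t know whether the tunnel or the target is the problem, which is exactly the weakness described above.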

 

This is a tough position to be in. VPN tunnels may be virtual, but today they’re used constantly as infrastructure connections and may be more important than some of your physical WAN connections. They’re commonly used to connect branch offices to each other, to HQ, or to data centers. They’re the most popular way to connect one company to another, or from your company to an IaaS provider like Amazon AWS or Microsoft Azure. VPN tunnels are critical and deserve better monitoring.

 

Once you enable Network Insight for Palo Alto, Network Performance Monitor (NPM) will automatically and continually discover VPN tunnels. A site-to-site VPN subview provides details on every tunnel.

 

 

There are a couple things going on here that may not be immediately obvious but are interesting—at least for network nerds like me.

 

All tunnels display the source and destination IP. If the destination IP is on a device we’re monitoring, like another Palo Alto firewall or an ASA, we’ll link that IP to that node in NPM. That’s why 192.168.100.10 is a blue hyperlink in the screenshot. If you’ve given the tunnel a name on the Palo Alto firewall, we’ll use that name as the primary way we identify the tunnel in the UI.

 

There’s different information for VPN tunnels that are up and VPN tunnels that are down. If the tunnel is down, you’ll see the date and time it went down. You’ll also, in most cases, see whether the VPN tunnel failed negotiation in phase 1 or phase 2. This is the first piece of data you need to start isolating the problem, and it’s displayed right in monitoring. If the tunnel is up, you’ll see the date and time it came up and the algorithms protecting your traffic, including privacy/encryption and hashing/authenticity.

 

The thing I’m most excited about is in the last two columns. BANDWIDTH! Since VPN tunnel traffic is all encrypted, getting bandwidth usage is a pain. Using a flow tool like NTA, you can find the bandwidth if you know both peer IPs and are exporting flow post encryption. It takes some manual work, and you can only see traffic quantities because of the encryption. You can’t tell what endpoints or applications are talking. If you export flow prior to encryption, you can see what endpoints are talking, but you have to construct a big filter to match interesting traffic, and then you have no guarantee that traffic makes it through the VPN tunnel. The traffic has the additional overhead of encapsulation added, so pre-encryption isn’t a good way to understand bandwidth usage on the WAN either. The worst part is that VPN tunnels transit your WAN—one of the most expensive monthly bills IT shops have.
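The manual flow-filtering described here amounts to matching both peer IPs on post-encryption flow records and summing bytes. A minimal sketch with hypothetical record shapes and sample values:

```python
# Illustrative sketch: find tunnel bandwidth from post-encryption flow
# records by matching both known peer IPs. You see traffic quantity
# only; the payloads (endpoints, applications) are encrypted.

flows = [
    {"src": "203.0.113.1",  "dst": "198.51.100.7", "bytes": 120_000},
    {"src": "198.51.100.7", "dst": "203.0.113.1",  "bytes": 80_000},
    {"src": "203.0.113.1",  "dst": "192.0.2.55",   "bytes": 999_999},  # unrelated
]

def tunnel_bytes(flows, peer_a, peer_b):
    """Total bytes in either direction between the two tunnel peers."""
    peers = {peer_a, peer_b}
    return sum(f["bytes"] for f in flows if {f["src"], f["dst"]} == peers)

print(tunnel_bytes(flows, "203.0.113.1", "198.51.100.7"))  # 200000
```

Even this simple version requires you to already know both peer IPs for every tunnel, which is the manual work the feature removes.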

 

Network Insight for Palo Alto monitors bandwidth of each tunnel. All the data is normalized, so you can report on it for capacity, alert on it to react quickly when a tunnel goes down, and inspect it in all the advanced visualization tools of the Orion® Platform, including the PerfStack™ dashboard.

 

 

GlobalProtect Client VPN Monitoring

 

Why does it always have to be the CEO or some other executive who has problems with the VPN client on their laptop? When I was a network engineer, I hated troubleshooting client VPN. You have so little data available to you. It’s very easy to look utterly incompetent when someone comes to you and tells you their VPN service isn’t working, and when it’s the CEO, that’s not good. Network Insight for Palo Alto monitors GlobalProtect client VPN and keeps a record of every user session.

 

 

This makes it easy to spot the most common problems. If you see the same user failing to connect over and over, but other users are successful, you know it’s something on that client’s end and would probably check if login credentials are right. “No, I’m sure you didn’t forget your password. Sometimes the system forgets. Let’s reset your password because that often fixes it.” If lots of people can’t connect, you may check for problems on the Palo Alto firewall and the connection to the authentication resource.

 

Traffic Visibility by Policy

 

In this release, NetFlow Traffic Analyzer (NTA) is contributing to our latest Network Insight through an integration with Network Configuration Manager. NCM users who manage Palo Alto firewalls will see top traffic conversations by security policy on the NCM Policy Details page. Examining traffic by policy helps answer the question, "Who might be affected as I make changes to my security policies?"

 

 

Let's look at how we find this view. We'll start at the Node Details page for this firewall.

 

 

We'll use the slide-out menu in this view to select "Policies." This will take us to a list view of all the policies configured for zones on this device.

 

 

Selecting a policy from this list brings us to the Policy Details page.

 

 

Policies define security controls between zones configured on the firewall. For a Palo Alto firewall, a zone can include one or more interfaces. In this view, we're looking at all the conversations based on applications defined in the policy. It's a very different way of looking at conversations; this isn't a view of all traffic through a node or interface. Rather, it's a view related to the policy definition—so the endpoints in these conversations are running over the applications your security rules are based on. The mechanism here is filtering; we’re looking at application traffic that references the application IDs in your security policy. The endpoints in those conversations may be from any zone where you’re using this policy.
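The filtering mechanism described above can be sketched like this (hypothetical record shapes and sample data, not NTA’s actual implementation):

```python
# Illustrative sketch: keep only flow conversations whose application
# ID appears in the security policy's application list, so the view is
# scoped to the policy definition rather than a node or interface.

policy_apps = {"web-browsing", "ssl"}  # apps referenced by the policy

conversations = [
    {"src": "10.1.1.5", "dst": "10.2.2.9", "app": "web-browsing", "bytes": 5000},
    {"src": "10.1.1.6", "dst": "10.2.2.9", "app": "dns",          "bytes": 300},
    {"src": "10.1.1.7", "dst": "10.2.2.8", "app": "ssl",          "bytes": 9000},
]

by_policy = [c for c in conversations if c["app"] in policy_apps]
for c in by_policy:
    print(c["src"], "->", c["dst"], c["app"], c["bytes"])
```

The DNS conversation drops out because the policy doesn’t reference that application ID; what remains are the conversations a change to this policy could affect.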

 

For an administrator considering changes at the policy level, this is a valuable tool to understand how those rules apply to production services and what kinds of impact changes to them will have. For this feature, you’ll need both NCM and NTA. NTA, of course, requires NPM. NCM provides the configuration information, including the policy definition and the application definitions. NTA reads application IDs from the flow records we receive from the Palo Alto firewall and correlates them with the policy configuration to generate this view. With NTA, of course, you can also easily navigate to more conventional node or interface views of the traffic traversing the firewall, and we integrate traffic information seamlessly into the Node Details page in NPM as well.

 

User Device Tracker’s Cameo

 

For most devices supported by User Device Tracker (UDT), all that’s necessary is a set of SNMP credentials. We’ll pick up information about devices attached to ports from the information modeled in SNMP. But for some devices—the Cisco Nexus 5K, 7K, and 9K series switches, or the Palo Alto firewall—a set of command-line interface (CLI) credentials is required. We’ll log in to the box periodically to pick up the attached devices.
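The CLI approach amounts to logging in, running a command, and parsing the table of attached devices. A rough sketch against simplified sample output (the table format here is invented for illustration, not an exact PAN-OS transcript):

```python
# Illustrative sketch: parse "show arp"-style CLI output into a map of
# interface -> attached (ip, mac) pairs, the kind of data UDT gathers
# from devices that don't expose it via SNMP.

sample_output = """\
interface        ip             mac
ethernet1/1      10.0.0.10      00:1b:44:11:3a:b7
ethernet1/1      10.0.0.11      00:1b:44:11:3a:b8
ethernet1/2      10.0.1.20      00:1b:44:22:3a:c1
"""

def parse_attached(output: str) -> dict:
    attached = {}
    for line in output.splitlines()[1:]:  # skip the header row
        iface, ip, mac = line.split()
        attached.setdefault(iface, []).append((ip, mac))
    return attached

print(parse_attached(sample_output))
```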

 

To support device tracking on these devices, you’ll need to supply a command-line login. You can configure devices in bulk or individually in the Port Management section of the User Device Tracker settings page. Select "Manage Ports" to see the list of devices that can be configured.

 

 

Select one or more of these devices, edit their properties, and you'll find a section for configuring SNMP polling.

 

 

You’ll also find a section for configuring command-line polling. For devices requiring CLI access for device tracking—currently the Nexus switches and the Palo Alto firewall—you should enable CLI polling, and configure and test credentials here.

 

 

Be sure to enable Layer 3 polling for this device in the UDT Node Properties section as well.

 

You’ll see attached devices for these ports in the Node Details page, in the Port Details resource.

 

 

How Do I Get This Goodness?

 

To see all the features of Network Insight for Palo Alto, you’ll want to have several modules installed and working together.

  • Network Performance Monitor discovers and polls your Palo Alto firewall and retrieves and displays your site-to-site VPN and GlobalProtect client VPN connection information.
  • Network Configuration Manager collects your device configuration and provides a list of your security policies for zone-to-zone communication. This module tracks configuration changes over time and provides the context for policies spanning multiple devices.
  • NetFlow Traffic Analyzer collects flow data from the firewall and maps the traffic to policies in the Policy Details page. You can also view traffic through the firewall, or through specific interfaces.
  • User Device Tracker collects directly connected devices and provides a history of connections to the ports on the device.

 

You can demo these products individually, or install or upgrade from any installer available in your Customer Portal.

I’m excited to announce the general availability of SolarWinds Service Desk, the newest member in the SolarWinds product family, following the acquisition of Samanage.

 

SolarWinds Service Desk (SWSD) is a cloud-based IT service management solution built to streamline the way IT provides support and delivers services to the rest of the organization. The solution includes an ITIL-certified Service Desk with Incident Management, Problem Management, Change Management, Service Catalog, and Release Management, complemented by an integrated Knowledge Base. It also includes Asset Management, Risk and Compliance modules, open APIs, dashboards, and reporting.

 

Core Service Desk

SWSD includes a configurable Employee Service Portal, allowing employees to make their service requests, open and track their tickets, and find quick solutions through the knowledge base. The portal’s look and feel can be customized to your branding needs, and configurable page layouts support your organization’s unique service management processes.

 

 

 

 

For IT pros working the service desk, we provide an integrated experience that brings together all related records (for example, assets or knowledge base articles related to an incident or change records related to a problem), so that the agent can see all the information available to expedite the resolution.

 


 

 

To help agents prioritize work, Service Level Management (SLM) lets you build and manage SLA policies directly within the service desk, including auto-escalation rules.

 

 

IT pros often need to be on the go, or need to respond to urgent service requests and incidents after hours. The SWSD mobile app, available on both iOS and Android mobile devices, allows agents to work on records, make approvals, and track the status of their work queue at all times.

 

Process Automation

 

Driving automation throughout all aspects of service delivery helps service desk groups deliver faster, more affordable, and highly consistent services to the rest of the organization. Process automation in SWSD uses custom rules logic to route, assign, prioritize, and categorize inbound tickets, change requests, and releases. The Service Catalog allows you to define and publish IT services (such as VM provisioning or password reset) and non-IT services (such as employee onboarding) through the Employee Service Portal. The catalog forms defining those services are dynamic and can be configured to fit specific use cases, with little to no coding required.

 

 

The other part of defining any Service Catalog item is automated fulfillment workflow.

 

 

IT Asset Management and CMDB

 

SWSD offers full asset lifecycle management, starting with the management of IT and non-IT asset inventories and an audit history of changes. Compliance risk analysis helps expose unmanaged or out-of-support software and devices. Where applicable, asset information incorporates contract, vendor, and procurement data to provide a full view of assets under management.

 

 

The Configuration Management Database (CMDB), populated by service-supporting configuration items (CIs), plays a critical role in providing better change, problem, and release management services. Knowing which CIs support each service, and the dependencies between them, helps IT pros better assess the risks and impacts of IT changes, driving better root cause analysis (RCA) in Problem Management and better preparation for new software releases.

 

Integrations

 

Many service desk processes can be integrated into other IT and business processes. SolarWinds Service Desk comes with hundreds of out-of-box integrations and an open REST API, allowing you to make it a part of the workflows you need.

 

 

We are releasing a brand-new integration today with Dameware Remote Everywhere (DRE). The great synergy between SWSD and Dameware’s remote support capabilities allows agents to initiate a DRE session directly from a SWSD incident record.

 

 

Artificial Intelligence (AI)

AI is embedded in a few different SWSD functions, introducing a new level of automation and improved time to resolution. Our machine learning algorithms analyze large sets of historical data, identify patterns, and accelerate key service management processes. A “smart” pop-up within the employee service portal auto-suggests the best corresponding knowledge base articles and service catalog items related to the keyword(s) typed in the search bar.

 

 

For agents, AI helps with automatic routing and classification of incoming incidents, reducing the impact of misclassifications and human error. It also offers “smart suggestions” agents can leverage when working on a ticket. Smart suggestions are based on keyword matching from historical analysis of similar issues; they offer knowledge base articles or similar incidents, advising the agent on the best actions to take next.
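To make the keyword-matching idea concrete, here’s a minimal illustration (this is not SWSD’s actual algorithm, and the knowledge base entries are made up):

```python
# Illustrative sketch: rank knowledge base articles by how many of
# their keywords appear in the ticket text, and suggest the best hits.

import re

kb = [
    {"title": "Reset your VPN password", "keywords": {"vpn", "password", "reset"}},
    {"title": "Configure Outlook email", "keywords": {"outlook", "email"}},
]

def suggest(ticket_text, articles, top_n=3):
    """Return article titles sharing at least one keyword with the ticket."""
    words = set(re.findall(r"\w+", ticket_text.lower()))
    scored = sorted(
        ((len(words & a["keywords"]), a["title"]) for a in articles),
        reverse=True,
    )
    return [title for score, title in scored if score > 0][:top_n]

print(suggest("Cannot connect to VPN, password rejected", kb))
```

A production system would weight terms, learn from historical resolutions, and handle synonyms; the sketch only shows the basic matching step.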

 

 

Reports and Dashboards

 

SolarWinds Service Desk comes with dozens of out-of-the-box reports that analyze and visualize the service desk’s KPIs, health, and performance. Those reports help agents, managers, and IT executives make data-driven decisions through insights, including trend reports, incident throughput, customer satisfaction (CSAT) scores, and SLA breaches.

 

 

Dashboards provide a real-time, dynamic view of the service desk. They are composed of a set of widgets that can be added, removed, and configured to adjust to the individual needs of the agent, manager, or organization.

 

 

 

 

This has been a pretty packed inaugural product blog for us. I hope you found it useful. We’d love to get your feedback and ideas. Feel free to comment below or visit the SolarWinds Service Desk product forum here; we're quickly building it out.

Security Event Manager (SEM) 6.7 is now available on your Customer Portal. You're probably wondering: what exactly is Security Event Manager? It's the product formerly known as Log and Event Manager (LEM). LEM has always been much more than a tool for basic log collection and analysis; it detects and responds to cyberattacks and eases the burden of compliance reporting. SEM helps organizations across the globe improve their security posture, and we believe the new name better reflects the capabilities of the tool.

 

FLASH - THE BEGINNING OF THE END

Moving away from Flash has been the top priority for SEM for some time. I'm excited to say that this release introduces a brand-new HTML5 user interface as the default interface for SEM. You can now perform most of your day-to-day tasks within this new interface, including searching, filtering and exporting logs, as well as configuring and managing correlation rules and nodes. The feedback on the new UI has been hugely positive thus far, with many users describing it as clean, modern and incredibly responsive. The Flash interface is still accessible and is required for tasks such as Group/User Management, E-Mail Templates and the Ops Center. However, we're by no means finished with the new user interface and will continue to make improvements and transition away from Flash.

 

 

CORRELATION RULES

Correlation is one of the key components of any effective SIEM tool. As vast amounts of data are fed into Security Event Manager, the correlation engine identifies, alerts on, and responds to potential security weaknesses or cyberattacks by comparing sequences of activity against a set of rules. This release includes a brand-new Rule Builder, which enables you to easily build new rules and adjust existing ones. We've made several improvements, including drop-down menus (as well as the traditional drag-and-drop) for creating rules, auto-enablement of a rule after saving, easier association of Event Names and Active Response actions, and removal of the Activate Rules button.

 

 

 

FILE INTEGRITY MONITORING

FIM was originally introduced way back in LEM 6.0 and has provided users with great insight into access and modifications to files, directories, and registry keys ever since. With users constantly creating, accessing, and modifying files, a huge amount of log data is generated, often with excessive noise. To better enable you to split the signal from the noise, we've introduced File Exclusions within our redesigned FIM interface. If a particular machine is generating excessive noise based on a particular file type (I'm looking at you, tmp files), you can now easily exclude file types at the node level.

 

 

LOG EXPORT

When investigating a potential cyberattack or security incident, you'll often need to share important log data with other teams or external vendors, or attach the logs to a ticket/incident report. Exporting results to a CSV is now possible directly from the Events Console.

 

 

AWS DEPLOYMENT

As organizations shift workloads to the cloud to lower costs and reduce management overhead, they require the flexibility to deploy tools in the cloud. In addition to the Azure deployment support included in LEM 6.5, this release adds support for AWS deployment. Deployment is done via a private Amazon Machine Image, so you'll need to contact SolarWinds Sales (for evaluation users) or Technical Support (for existing users) to gain access to the AMI. Please note that your AWS Account ID will be required to grant access.

 

I really hope you like the direction we're going with Security Event Manager, especially the new user interface. We're already hard at work on the next version of SEM, as you can see in the What We're Working On post. As always, your feedback and ideas are greatly appreciated, so please continue to share them in the Feature Requests area.

SolarWinds® Access Rights Manager (ARM) 9.2 is available on the Customer Portal. Please refer to the release notes for a broad overview of this release.

 

Most of you are using cloud services in your IT environments today, living in and managing a hybrid world.

 

With the release of ARM 9.1, we already took this into consideration by complementing the existing access rights visibility into Active Directory, Exchange, and file servers with Microsoft® OneDrive and Microsoft® SharePoint Online.

Now, with ARM 9.2, we round off the feature set by introducing the ability to collect events from Microsoft® OneDrive and SharePoint Online, allowing you to also gain visibility into activities within these platforms.

 

In addition to the functionality above, a lot of work was done under the hood to lay the foundation for coming features we will make available in the next releases.

 

What’s New in Access Rights Manager 9.2?

  • Microsoft OneDrive and SharePoint Online monitoring - Administrators need to be aware of certain events in their OneDrive and SharePoint Online infrastructure. ARM now enables administrators to retrieve events from the O365 environment and analyze them in reports.
  • UI - Design and layout optimizations to complete the SolarWinds look and feel.
  • Defect fixes - as with any release, we addressed product defects.

 

The SolarWinds product team is excited to make these features available to you.  We hope you enjoy them. 

Of course, please be sure to create new feature requests for any additional functionality you would like to see with ARM in general.

 

To help get you going quickly with this new version, below is a quick walk-through of the new monitoring capabilities for Microsoft® OneDrive and Microsoft® SharePoint Online.

 

Identify ACCESS to shared directories and files on OneDrive

OneDrive is an easy tool to let your employees share resources with each other and/or external users. ARM makes it easy for you to check which files an employee has shared internally or externally, and who actually accessed them.

 

Now let’s take a look at how we can use OneDrive monitoring to answer the question “with whom outside the company do we share documents and files?” ARM allows you to easily generate a report for this.

 

1. Navigate to the Start screen in the ARM rich client and click on “OneDrive Logga Report” in the Security Monitoring section.

 

The configuration for the “OneDrive Logga Report“ opens.

2. Provide a title and comment that will be shown at the beginning of the report (optional). Select the time period analyzed for this report.

3. Click into “OneDrive Resources”

4. Select the target resources on the right side for this report by double clicking.

5. Click into “Operations”

6. Since we are interested in who shared the resources and when, and in whether external users have accessed them, select the “AnonymousLinkCreated” and “AnonymousLinkUsed” operations on the right side for this report by double clicking.

7. Click on “Start” to create this report manually.

8. Click on “Show report” to view the report.

In the report created, you can see who invited external users to access internal resources and when, and whether any external users accessed them, including from what IP address.

Note: You can schedule this report to be sent periodically to your mailbox to stay on top of what’s happening.

 

In the same way, you can generate reports about the more than 180 other events available in SharePoint Online and OneDrive. Just follow the outlined steps and, in step 6, adapt the operations to the ones you are interested in.

Other interesting events you might want to look at are file- and folder-related operations like FileDeleted/FolderDeleted or FileMoved/FolderMoved, which help with one of the classic use cases: employees complaining about disappearing files and folders.

 

On a side note, file/folder events on file servers are also captured in our monitoring and are available through the file server reports.

 

Conclusion

I hope that this quick summary gives you a good understanding of the new features in ARM and how you can utilize ARM to get better visibility and control over your hybrid IT environment. 

 

If you are reading this and not already using SolarWinds Access Rights Manager, we encourage you to check out the free download.  It’s free. It’s easy.  Give it a shot.

We are happy to announce the release of SolarWinds® Access Rights Auditor, a free tool designed to scan your Active Directory and file system and evaluate possible security risks due to existing user access rights.

 

 

Ever hear of risks and threats due to unresolved SIDs, globally accessible directories, directories with direct access, or groups in recursion, and wondered if you were affected?

 

Access Rights Auditor helps you answer this question by identifying use cases such as these and allows you to export the overall risk summary in an easy-to-understand PDF report to be shared.

 

Don’t know where to start?

 

Let’s walk through a typical use case assuming we want to check the permissions and risks associated with a sensitive folder from the Finance department.

We type the phrase “invoices” in the search box and press enter (1).

 

The “Search Results” view displays the search history and all hits of your current search in the different categories available like folders, users, and groups.

We select the folder we are interested in by clicking on “Invoices” (2).

 

Now we’re redirected to the “Folder Details” view and immediately get all “Folder Risks” displayed – in this example, three occurrences of “Unresolvable SIDs” and “Changed Access Permissions.”

But it doesn’t end here, because some risks are inherited by directories, for example, from inactive user accounts with continued access. These hidden risks are also listed here in the “Account Risks” section.

 

Now we validate who has access in the “User and groups” section below and realize that in our example the “System” account and the “Domain Admins” group have “full control” access on the folder.

To select members of the “Domain Admins” group, simply click on the group and you’ll be redirected to the “Group details” view.

 

 

Access Rights Auditor improves your visibility into permissions and risks with just a few clicks.

 

Can’t believe it’s free? Go ahead and give it a try.

 

For more detailed information, check the Quick Reference guide here on THWACK® at https://thwack.solarwinds.com/docs/DOC-204485.

Download SolarWinds Access Rights Auditor at https://www.solarwinds.com/free-tools/access-rights-auditor.

For those of you who didn’t know, Storage Resource Monitor 6.8 is currently available for download! This release continues our momentum of supporting new arrays you requested on THWACK® as well as deepening existing support for the most popular arrays.

 

Why don’t we go over some of what’s new in SRM with the 6.8 release?

 

NEW ARRAY SUPPORT - KAMINARIO®

We’re all really excited about our newest supported array vendor: Kaminario®. Kaminario® is an enterprise storage vendor with a lot of exciting progress going on, and we now support their arrays, starting with K2 and K2.N devices. And we think you will be too, if the voting on THWACK has anything to say about it.

 

Best of all, out of the box, this new support includes all the standard features you know and love: capacity utilization and forecasting, performance monitoring, end-to-end mapping in AppStack™, integrated performance troubleshooting in PerfStack™, and Hardware Health.

 

And, as always, we’re excited to share some screenshots.

 

Summary View

 

Hardware Health View

 

NEW HARDWARE HEALTH SUPPORT - DELL® COMPELLENT AND HPE 3PAR

Whether you’re new to SRM or you’ve been a customer for a while, you know there’s a lot to be gained when we extend an array’s support to hardware health. With SRM 6.8, we focused on adding hardware health support for the arrays most popular with our customers, so we’re excited to announce hardware health support for Dell® Compellent and HPE 3PAR arrays. Starting in SRM 6.8, digging into these array types lets you see details on fans, power supplies, batteries, and more.

 

A screenshot? Of course.

 

 

WHAT’S NEXT

Add in some bug fixes and smaller changes and you have SRM 6.8. We’re excited for you all to check it out.

 

If there are other features you’d like to see that didn’t make it into SRM 6.8, make sure to add them to our Storage Manager (Storage Profiler) Feature Requests forum. But before you do, head over to the What We’re Working On page to see what the storage team already has in the works for upcoming releases.

 

And as always, comments welcome below.

 

- the SRM Team

I’m happy to announce the General Availability of Database Performance Analyzer (DPA) 12.1. This release focuses on deeper performance analysis and management of DPA through these cool new features:

  • Anomaly Detection Powered by Machine Learning
  • Management API
  • Upgraded Java
  • New Options Page
  • Alerting Improvements

Anomaly Detection Powered by Machine Learning

Users tend to log help desk tickets when things are running slower than normal, i.e., an anomaly. Those tickets often find their way to the database team’s inbox to check the database. DPA can be used to find issues when you have time to drill into the wait time data, but often, time is of the essence. Everyone wants answers immediately.

 

Tired of comparing the trends chart with previous days to decide what “normal” looks like? DPA 12.1 now does the work for you, using a machine learning algorithm to identify which hours are abnormal, and displays the information contextually on the trends page. Bonus! If DPA detects an anomaly in the last 60 minutes, it changes the wait time status on the home page, letting you quickly identify the database instances your users are waiting on.
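DPA’s detection model itself is proprietary, but the core idea of hour-of-day baselining can be sketched in a few lines of PowerShell. This is a simplified stand-in for illustration only; the three-sigma threshold and statistics below are assumptions of mine, not DPA’s actual algorithm:

```powershell
# Simplified illustration of hour-of-day anomaly detection -- NOT DPA's actual
# (proprietary) algorithm. An hour is flagged as anomalous when its wait time
# exceeds the historical mean for that hour-of-day by more than three standard
# deviations.
function Test-WaitTimeAnomaly {
    param(
        [double[]]$HistoricalWaits,   # past wait times observed for this hour-of-day
        [double]$CurrentWait          # the wait time measured this hour
    )
    $mean     = ($HistoricalWaits | Measure-Object -Average).Average
    $variance = ($HistoricalWaits | ForEach-Object { ($_ - $mean) * ($_ - $mean) } |
                 Measure-Object -Average).Average
    $stdDev   = [math]::Sqrt($variance)
    return $CurrentWait -gt ($mean + 3 * $stdDev)
}

# 9 a.m. has historically averaged roughly 100 seconds of wait time;
# today it spiked to 400 seconds:
Test-WaitTimeAnomaly -HistoricalWaits @(95, 102, 98, 110, 100) -CurrentWait 400   # True
```

The advantage over a fixed threshold is that each hour is judged against its own history, so a busy Monday 9 a.m. isn’t flagged just for being busier than 3 a.m.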

 

The DPA wait meter on the home page is now powered by anomaly detection, and new correlation charts appear as you drill into an instance. For example, you may be reviewing the home page and suddenly see the wait meter turn red.

 

This is an indication the instance is having higher than normal wait times and may be having issues. Clicking on the wait meter takes you to a view of the last 24 hours, and the status of the last bar will match the wait meter.

 

Drilling into the last bar, we can start to unravel the root cause of the anomaly. In this example, we see heavy wait times on RESOURCE_SEMAPHORE_QUERY_COMPILE, usually an indication that one or more queries require more memory than is currently available. In our case, many queries were waiting on this wait type, indicating a potential memory shortfall on the database server, which is what we found to be the case. Without the anomaly detection feature, we may not have known about this problem.

 

For more about this story and others, see the DPA 12.1 Feature: Anomaly Detection post in the DPA Customer Success Center.

Management API

DPA has many customers automating tasks within their database environments, and many of you have scripts that can deploy or destroy a database environment in minutes. The new REST API in DPA 12.1 extends that automation to the management of DPA itself, as well as of the instances it monitors. It can securely connect to DPA and issue calls to:

  • Add and remove instances
  • List, allocate, and deallocate licenses
  • Stop, start, and update passwords for monitors
  • Add, retrieve, and delete annotations
  • And more
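As a rough sketch of what scripting against the API looks like from PowerShell: the port, resource path, and token handling below are hypothetical placeholders I made up for illustration, so consult the Management API Documentation link on the new Options page for the real routes before building anything on this.

```powershell
# Sketch of preparing an authenticated DPA REST call from PowerShell. The port,
# resource path, and token handling are hypothetical placeholders -- use the
# Management API Documentation link on the Options page for the real routes.
function New-DpaRequest {
    param(
        [string]$BaseUrl,        # e.g., https://your-dpa-server:8124 (port is an example)
        [string]$ResourcePath,   # hypothetical, e.g., "databases"
        [string]$Token           # an API token; how you obtain one is not shown here
    )
    # Assemble the pieces Invoke-RestMethod needs for an authenticated call
    @{
        Uri         = '{0}/{1}' -f $BaseUrl.TrimEnd('/'), $ResourcePath
        Headers     = @{ Authorization = "Bearer $Token" }
        ContentType = 'application/json'
    }
}

$req = New-DpaRequest -BaseUrl 'https://dpa.example.com:8124/' -ResourcePath 'databases' -Token 'abc123'
# Invoke-RestMethod @req -Method Get   # would issue the call against a live server
$req.Uri   # https://dpa.example.com:8124/databases
```

Splatting the returned hashtable into Invoke-RestMethod keeps each scripted call short once the base URL and token are set up.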

 

DPA customers are already using the API to:

  • Create annotations when a new build of an application is installed
  • Add monitoring to a newly created database instance and allocate proper licenses
  • Stop and restart monitors before and after O/S patches

 

If you are using the DPA API to do cool things, reply to this post and let us know about it.

 

For more information about DPA’s REST API, including an interface to try the calls out before building code around them, use the new Options page and the Management API Documentation link.

What Did You Find?

Our QA team uses DPA to help make sure our code performs well, and the anomaly detection feature has helped them be more efficient when problems crop up. DPA pings them with anomaly detection alerts rather than requiring a person to drill into every instance to find issues, and they can then use the anomaly detection charts to quickly understand each issue. If you find interesting stories in your environment, let us know by leaving comments on this blog post.

 

We would love to hear feedback about the following:

  • Does anomaly detection improve your workflow for finding wait time issues?
  • Are there issues in your databases that DPA did not find, or flagged incorrectly?
  • Are you using the REST API? How much time does it save you? What processes are you automating?

What’s Next?

To learn more about the exciting DPA 12.1 new features, see the DPA Documentation library and visit your SolarWinds Customer Portal to get the new software.

 

If you don't see the features you've been wanting in this release, check out the What We Are Working On for DPA post for what our dedicated team of database nerds is already looking at. If you don't see everything you've been wishing for there, add it to the Database Performance Analyzer Feature Requests.

I'm very excited to announce that SolarWinds Server Configuration Monitor (SCM) 1.1 is now available for download! This release expands on SCM 1.0 capabilities, both giving more detail for each change detected, and adding a new data source that can be analyzed for changes:

 

  • Detect “Who made the change” for files and registry
  • Detect changes in near real-time
  • Deploy PowerShell scripts and track changes in the output (with links to additional example scripts)
  • Set baselines for multiple nodes at once

 

Who made the change? In near real-time

SCM 1.0 is good at detecting changes in your Windows files and registry, but it doesn't tell you who made the change, leaving you to do some additional investigative work. SCM 1.1 adds "who made the change" by leveraging our File Integrity Monitoring (FIM) technology, which also detects changes in near real-time -- a double benefit. Near real-time detection lets us catch changes almost as they happen, and gives us a separate record for each change, even when changes happen in rapid succession.

 

Turning on "Who made the change"

After you install or upgrade to SCM 1.1, you can easily turn on the "Who Made the Change" feature for the servers you want to monitor via a wizard:

  • From the "Server Configuration Summary -> What's New Resource," click the Set Up "Who Made the Change" Detection button
  • From the "All Settings -> Server Configuration Monitor Settings -> Polling Settings Tab," click the Set Up Who Detection button

Either way, it starts the "Who Made the Change" wizard.

The first step tells you about what happens when you turn on "Who Made the Change" detection:

The second step allows you to define the server exclusion list and turn on the feature:

Once you press Enable Who Detection, SCM pushes the FIM driver out to the agent(s) and turns it on, so file and registry changes are monitored in near real-time rather than polled once a minute as in SCM 1.0. You can always come back later to change the exclusion list or turn off "Who Made the Change."

 

Where to see "Who made the change"

You can see who made the change (user and domain) in a number of places, represented by the person icon.

  • SCM Summary: Recent Configuration Changes resource
  • Node Summary: Configuration Details and Recent Configuration Changes resources
  • Node: Content comparison. Note that the time I added to the file matches the time SCM shows the file changed.

Alerting

When building an alert, you can filter on "Who made the change" and add it to the text of your alert.

 

Reporting

The out-of-the-box SCM report includes "Who made the change" data.

 

Deploy and monitor the output of PowerShell scripts

Everyone's environment is different, and SCM could never monitor everything you want to "out-of-the-box." So, we added the ability to deploy and execute PowerShell scripts and compare the output over time. Now, configuration monitoring is only limited by your imagination and scripting super powers.

 

Adding a new script

I created a new Profile for this test, but you can add scripts to your current Profiles too.

First, create a new Profile and click Add to add a new element.

To add a PowerShell script configuration element:

  1. Choose PowerShell script as your Element type.
  2. Paste your script into the box.
  3. Click Add to add the element to the profile, then click Add again to save the profile.

Deploy and enjoy!

Once your new (or modified) profile is ready, you can deploy it to one or more agents. From Server Configuration Monitor Settings > Manage Profiles, select the profile, click Assign, pick the servers you want, and walk through the wizard. SCM will deploy the scripts and start executing them on schedule.

Comparing the output

Comparing the output of the script over time works like any other source (file, registry, asset info) in SCM. You can set baselines and see changes in the content comparison. As you can see, the entire output of the script is captured and stored.

Mix and match elements in profiles

Don't forget -- one of the great things about SCM is you can mix and match elements in a single profile: combine registry settings, multiple files, and PowerShell scripts to monitor the interesting aspects of your configurations.

 

Check Out Some Cool PowerShell Examples by Kevin

SolarWinds' own Technical Community Manager KMSigma put together some awesome examples of what SCM can do: Manage and Monitor PowerShell Scripts

Keep a lookout in our SCM forums for more PowerShell script examples in the future, and feel free to post your scripts too.

 

Set/Reset baselines for multiple nodes at once

Our early customers in large environments were limited to setting or resetting baselines one node at a time, which was very painful when dozens or hundreds of servers were updated (such as by a Windows update), so we addressed it quickly in this release. Now, from the Server Configuration Monitor Settings screen, you can pick multiple servers, see a quick summary of the number of baselines you'll be updating, and then reset the baselines to the current output -- easy as 1-2-3.

What's next?

Don't forget to read the SCM 1.1 Release Notes to see all the goodness now available.

 

If you don't see the features you've been waiting for, check out the What We're Working on for SCM post for a list of features our dedicated team of configuration nerds and code jockeys are already researching. If you don't see everything you've been wishing for, add it to the Server Configuration Monitor (SCM) Feature Requests.

I’m pleased to announce the General Availability of Log Analyzer (LA) 2.0 on the Customer Portal. You may be wondering what Log Analyzer is. The artist formerly known as Log Manager for Orion has undergone a transformation: it has evolved past its former life as a 1.0 product and become Log Analyzer 2.0. The name was selected after extensive research into what our users would call a product that, given our feature set, solves the problems our tool solves. I hope you like the new name!

 

This release includes Windows Event Support, Log Export, Log Forwarding, and Rule Improvements, as well as other items listed in the Release Notes.

 

 

 

Windows Events

As a systems administrator, closely monitoring Windows Events is vital to ensuring your servers and applications are running as they should be. These events can also be hugely valuable when troubleshooting all sorts of Windows problems and determining the root cause of an issue or outage. While there is a vast array of Windows Event categories, the three main logs you'll likely focus on when troubleshooting are Application (events from programs installed on the system), System (events from Windows components), and Security (security-related events such as authentication attempts and resource access). Trawling through Event Viewer on individual servers to find the needle in the haystack can be a laborious task, and a tool such as Log Analyzer can be a real lifesaver when it comes to charting, searching, and aggregating these Windows Events. Thanks to the tight integration with Orion, you can view your Windows Events alongside the performance data collected by other tools such as NPM and SAM. It's worth noting that you can also add VMware events into the mix, thanks to the latest Virtualization Manager (VMAN) release.

 

In order to start ingesting Windows Events with Log Analyzer, you need to install the Orion Agent on your Windows device. Windows Event Forwarding is also supported, so if you prefer to forward events from other nodes to a single node with the Orion agent installed, that's an option too. By default, we collect all Windows Application and System events, along with 70 of the most common Windows Security Events. You can view more information on setting up Windows Event Collection here.

 

Once you have the agent installed and added the node(s) to Log Analyzer, you'll see the Events within the Log Viewer. Events are automatically tagged with Application, System or Security tags. Predefined rules are also included out of the box which tag events such as Authentication Events, Event Logs Cleared, Account Creation/Lockout/Deletion, Unexpected Shutdowns, Application Crashes and more.

 

 

Windows Events are also supported in PerfStack, enabling you to correlate performance data with Windows Events. For example, you can see below there are memory spikes on a SQL Server, with some corresponding Windows Events and Orion Alerts. Drilling into the Windows Events you can clearly see there is insufficient system memory which is causing the Node Reboot and SQL Server Insufficient Resources alerts.

 

 

Log Forwarding

Log Analyzer shouldn't be seen as a dead end for your log data. There may be times when you need to forward important syslog/trap data to another tool, such as an incident management or SIEM system, for further processing and analysis. This release includes a new 'Forward Entry' rule action that enables you to forward syslogs/traps to another application. You can keep the source IP of the entry intact or replace it with Orion's IP address:

 

 

 

Log Export

When troubleshooting problems, it's often necessary to share important log data with other team members or external vendors, or to attach it to a help desk ticket. You can now do so thanks to the new Export option within the Log Viewer.

 

 

 

Rule Improvements

We've added some pre-populated dropdown menus for fields such as MachineType, EngineID, Severity, Vendor and more to make it even easier to create log rules. It is now also possible to adjust the processing order of the rules.

 

 

The team is already hard at work on the next version of LA, as you can see covered here in the What We're Working On post. Also, please keep the feedback coming on what you think and what you would like to see in the product in the Feature Requests section of the forum.

Virtualization Manager (VMAN) 8.4 is now available and can be downloaded from your customer portal. In recent releases, we brought you VMware vSAN monitoring, container support, and better centralized upgrades to your deployment overall.

 

 

VMware Event Monitoring, Correlation, and Alerting

 

As a virtualization admin, tracking the many changes that occur in dynamic and often automated virtualization environments is a primary concern. While many virtualization vendors tout that the simplicity of their solution alleviates the need for admins to worry, I err on the side of caution. With VMware event monitoring, you now have real-time access to alert on and correlate VMware's alarms, health checks, events, and tasks with issues in your environment. Ephemeral events such as vMotions are now easily tracked, and if you also have Log Analyzer, you can tag them for future cataloging.

Looking at my VMware Events summary, there are quite a few warning and critical events in the last hour. Filtering down to the warning events for deeper inspection, I can see four of them are warning me of a failed migration for virtual machine DENCLIENTAFF01v.

Clicking on one of these events allows me to drill in to get more context. Clearly, I need to look at the configuration of my vMotion interface.

Clicking "Analyze Logs" gives me better filtering and is also where I would configure processing rules for real-time alerting on these VMware events. Yes, event collection is real-time, and as a result, alerts configured on these events also trigger in real-time. If you want to be alerted to host connection changes, or when vMotions are triggered when they aren't supposed to be, you can now be alerted immediately.

 

For those of you who have Log Analyzer, you have even more troubleshooting tools that play very nicely with this VMAN feature. Are you looking to visually see occurrences of this event over time? Easy. Click "Analyze Logs" to navigate to the Log Viewer. Your Log Viewer will differ in that you'll have a visual graph to see how many times this event has occurred over the specified time period. In the example below, I increased the time to two hours, and searched for "vMotion." In addition, I've used the tagging feature to tag all events like this with a "vMotion" tag.

So how do I correlate this to problems? By using a PerfStack dashboard.

After troubleshooting your issues, simply save the PerfStack project and put that project on your NOC view for future visibility.

 

Deeper Dives and Other Features

 

For a more in-depth look at the VMware events feature, check out these documents. Let me know if you have use cases that require real-time alerting, monitoring, and reporting, so we can consider adding them as out-of-the-box content.

 

For those of you curious about what's available for users who don't need VMware event visibility, check out these documents for more details:

 

Next on the VMAN Roadmap

 

Don't see what you're looking for here? Check out the What We're Working On for Virtualization Manager (Updated June, 2019) post for what our dedicated team of virtualization nerds and code jockeys are already looking at. If you don't see everything you've been wishing for there, add it to the Virtualization Manager Feature Requests forum.

 

This version of VMAN is compatible with the legacy VMAN 8.1 appliance; however, all the newly available features are only on VMAN on the Orion Platform. If you're using the appliance on your production VMAN installation, I recommend that you consider retiring the appliance at your earliest convenience to reap all the benefits of the new features we are developing for VMAN on Orion. If you cannot retire the appliance for any reason, I'm very interested in your feedback and reasons, and would love to see them listed out in the comments below.

Helpful Links

Anyone who knows me knows that I’m a fan of PowerShell. “Fan” is a diminutive version of the word “fanatic,” and in this instance both are true. That’s why I was so excited to see that PowerShell script output is now supported in Server Configuration Monitor (SCM).

 

Since SCM’s release, I’ve always thought it was a great idea to monitor the directory where you store your scripts, to make sure they don’t vary, to validate changes over time, and even to revert a change made without approval. That part was already available in the initial release of SCM: you can monitor your C:\Scripts\*.ps1 files and get notified when any deviate from their baselines.

 

Using PowerShell scripts to pull information from systems you’re monitoring is only limited by your scripting prowess. But let me say this plainly: You don’t need to be a scripting genius. The THWACK® members are here to be your resources. If you have something great you wrote, post about it. If you need help formatting output, post about it. If you can’t remember how to get a list of all the software installed on a system, post about it. Someone here has probably already done the work.

 

Monitoring the Server Roles

Windows now handles many of the “roles” of a machine (web server, Active Directory server, etc.) based on the installed features. There has never been a really nice way to see which roles are installed on a machine outside of Server Manager. This is especially true if you’re running Windows Server Core, because it has no Server Manager.

 

Now, you can just write yourself a small PowerShell script:

Get-WindowsFeature | Where-Object { $_.Installed } | Select-Object -Property Name, DisplayName | Sort-Object -Property Name

 

…and get the list of all features displayed for you.

 

Name                      DisplayName
----                      -----------
FileAndStorage-Services   File and Storage Services
File-Services             File and iSCSI Services
FS-Data-Deduplication     Data Deduplication
FS-FileServer             File Server
MSMQ                      Message Queuing
MSMQ-Server               Message Queuing Server
MSMQ-Services             Message Queuing Services
NET-Framework-45-ASPNET   ASP.NET 4.7
NET-Framework-45-Core     .NET Framework 4.7
NET-Framework-45-Features .NET Framework 4.7 Features
NET-WCF-Services45        WCF Services
NET-WCF-TCP-PortSharing45 TCP Port Sharing
PowerShell                Windows PowerShell 5.1
PowerShell-ISE            Windows PowerShell ISE
PowerShellRoot            Windows PowerShell
Storage-Services          Storage Services
System-DataArchiver       System Data Archiver
Web-App-Dev               Application Development
Web-Asp-Net45             ASP.NET 4.7
Web-Common-Http           Common HTTP Features
Web-Default-Doc           Default Document
Web-Dir-Browsing          Directory Browsing
Web-Dyn-Compression       Dynamic Content Compression
Web-Filtering             Request Filtering
Web-Health                Health and Diagnostics
Web-Http-Errors           HTTP Errors
Web-Http-Logging          HTTP Logging
Web-ISAPI-Ext             ISAPI Extensions
Web-ISAPI-Filter          ISAPI Filters
Web-Log-Libraries         Logging Tools
Web-Metabase              IIS 6 Metabase Compatibility
Web-Mgmt-Compat           IIS 6 Management Compatibility
Web-Mgmt-Console          IIS Management Console
Web-Mgmt-Tools            Management Tools
Web-Net-Ext45             .NET Extensibility 4.7
Web-Performance           Performance
Web-Request-Monitor       Request Monitor
Web-Security              Security
Web-Server                Web Server (IIS)
Web-Stat-Compression      Static Content Compression
Web-Static-Content        Static Content
Web-WebServer             Web Server
Web-Windows-Auth          Windows Authentication
Windows-Defender          Windows Defender Antivirus
WoW64-Support             WoW64 Support
XPS-Viewer                XPS Viewer

 

This is super simple. If someone adds or removes one of these features, you’ll know moments after it’s done because it would deviate from your baseline.

Monitoring Local Administrators

This got me thinking about all manner of other possible PowerShell script uses. One that came to mind immediately was local security. We all know the local Administrators group is an easy way for people to circumvent security best practices, yet knowing who is in that security group has historically been difficult.

 

Now that we don’t have those limitations, let’s look at the local users in the Administrators group.

 

Get-LocalGroupMember -Group Administrators | Where-Object { $_.PrincipalSource -eq "Local" } | Sort-Object -Property Name

 

Now you’ll get back a list of all the local users in the Administrators group.

ObjectClass Name                         PrincipalSource
----------- ----                         ---------------
User        NOCKMSMPE01V\Administrator   Local
User        NOCKMSMPE01V\Automation-User Local

Now we’ll know if someone is added or deleted. You could extend this to know when someone is added to Power Users or any other group. If you really felt like going gangbusters, you could ask for all the groups, and then enumerate the members of each.
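That “enumerate the members of every group” idea can be sketched as a script whose output SCM baselines like any other. Format-GroupMembership is a helper name I made up for this sketch, and the commented pipeline shows how you’d feed it live data on a server (Get-LocalGroup and Get-LocalGroupMember ship with Windows PowerShell 5.1):

```powershell
# Format group/member pairs as one "Group\Member" line per entry, so SCM's
# content comparison produces clean, diff-friendly output.
# (Format-GroupMembership is a hypothetical helper name, not an SCM function.)
function Format-GroupMembership {
    param([hashtable[]]$Memberships)   # each entry: @{ Group = ...; Member = ... }
    $Memberships | ForEach-Object { '{0}\{1}' -f $_.Group, $_.Member } | Sort-Object
}

# On a real server (Windows PowerShell 5.1), build the input from live data:
# $pairs = foreach ($g in Get-LocalGroup) {
#     foreach ($m in Get-LocalGroupMember -Group $g.Name -ErrorAction SilentlyContinue) {
#         @{ Group = $g.Name; Member = $m.Name }
#     }
# }
# Format-GroupMembership -Memberships $pairs

# Sample data for illustration:
Format-GroupMembership -Memberships @(
    @{ Group = 'Administrators'; Member = 'SRV01\Administrator' },
    @{ Group = 'Power Users';    Member = 'SRV01\Automation-User' }
)
# Administrators\SRV01\Administrator
# Power Users\SRV01\Automation-User
```

Sorting the output keeps the baseline stable, so SCM only flags real membership changes rather than ordering differences between polls.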

 

Local Certificates

These don’t have to be relegated to PowerShell one-liners either. You can have entire scripts that return a value that you can review.

 

Also, on the security front, it might be nice to know if random certificates start popping up everywhere. Doing this by hand would be excruciatingly slow. Thankfully it’s pretty easy in PowerShell.

 

$AllCertificates = Get-ChildItem -Path Cert:\LocalMachine\My -Recurse
# Create an empty list to keep the results
$CertificateList = @()
ForEach ( $Certificate in $AllCertificates )
{
    # Check to see if this is a "folder" or a "certificate"
    if ( -not ( $Certificate.PSIsContainer ) )
    {
        # Certificates are *not* containers (folders)
        # Get the important details and add them to $CertificateList
        $CertificateList += $Certificate | Select-Object -Property FriendlyName, Issuer, Subject, Thumbprint, NotBefore, NotAfter
    }
}
$CertificateList

 

As you can see, you aren’t required to stick with one-liners. Write whatever you need for your input. As long as there’s output, SCM will capture it and present it in a usable format for parsing.

FriendlyName : SolarWinds-Orion
Issuer       : CN=SolarWinds-Orion
Subject      : CN=SolarWinds-Orion
Thumbprint   : AF2A630F2458E0A3BE8D3EF332621A9DDF817502
NotBefore    : 10/12/2018 5:59:14 PM
NotAfter     : 12/31/2039 11:59:59 PM

 

FriendlyName :
Issuer       : CN=SolarWinds IPAM Engine
Subject      : CN=SolarWinds IPAM Engine
Thumbprint   : 4527E03262B268D2FCFE4B7B4203EF620B41854F
NotBefore    : 11/5/2018 7:13:34 PM
NotAfter     : 12/31/2039 11:59:59 PM

 

FriendlyName :
Issuer       : CN=SolarWinds-Orion
Subject      : CN=SolarWinds Agent Provision - cc10929c-47e1-473a-9357-a54052537795
Thumbprint   : 2570C476DF0E8C851DCE9AFC2A37AC4BDDF3BAD6
NotBefore    : 10/11/2018 6:46:29 PM
NotAfter     : 10/12/2048 6:46:28 PM

 

FriendlyName : SolarWinds-SEUM_PlaybackAgent
Issuer       : CN=SolarWinds-SEUM_PlaybackAgent
Subject      : CN=SolarWinds-SEUM_PlaybackAgent
Thumbprint   : 0603E7052293B77B89A3D545B43FC03287F56889
NotBefore    : 11/4/2018 12:00:00 AM
NotAfter     : 11/5/2048 12:00:00 AM

 

FriendlyName : SolarWinds-SEUM-AgentProxy
Issuer       : CN=SolarWinds-SEUM-AgentProxy
Subject      : CN=SolarWinds-SEUM-AgentProxy
Thumbprint   : 0488D26FD9576293C30BB5507489D96C3ED829B4
NotBefore    : 11/4/2018 12:00:00 AM
NotAfter     : 11/5/2048 12:00:00 AM

 

FriendlyName : WildcardCert_Demo.Lab
Issuer       : CN=demo-EASTROOTCA-CA, DC=demo, DC=lab
Subject      : CN=*.demo.lab, OU=Information Technology, O=SolarWinds Demo Lab, L=Austin, S=TX, C=US
Thumbprint   : 039828B433E38117B85E3E9C1FBFD5C1A1189C91
NotBefore    : 3/30/2018 4:37:41 PM
NotAfter     : 3/30/2020 4:47:41 PM

Antivirus Exclusions

How about your antivirus exclusions? I’m sure you really, really want to know if those change.

 

$WindowsDefenderDetails = Get-MpPreference
$WindowsDefenderExclusions = $WindowsDefenderDetails.ExclusionPath
$WindowsDefenderExclusions | Sort-Object

 

Now you’ll know if something is added to or removed from the antivirus exclusion list.

C:\inetpub\SolarWinds
C:\Program Files (x86)\Common Files\SolarWinds
C:\Program Files (x86)\SolarWinds
C:\ProgramData\SolarWinds
C:\ProgramData\SolarWindsAgentInstall

Trying to find this out by hand would be tedious, so let’s just have SCM do the work for you.
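If you also keep a signed-off exclusion list, you can go one step further and have the script report exactly what drifted. A minimal sketch, assuming a hard-coded approved list: Compare-ExclusionList is a name I made up, and the paths below are examples only.

```powershell
# Compare the live Windows Defender exclusion list against an approved baseline
# and report anything unexpected. Compare-ExclusionList is a made-up helper name,
# and the paths below are examples only.
function Compare-ExclusionList {
    param(
        [string[]]$Approved,   # the exclusions you signed off on
        [string[]]$Current     # e.g., (Get-MpPreference).ExclusionPath
    )
    Compare-Object -ReferenceObject $Approved -DifferenceObject $Current |
        ForEach-Object {
            # '=>' means the item exists only in the current (live) list
            $state = if ($_.SideIndicator -eq '=>') { 'ADDED' } else { 'REMOVED' }
            '{0}: {1}' -f $state, $_.InputObject
        } | Sort-Object
}

Compare-ExclusionList `
    -Approved @('C:\ProgramData\SolarWinds', 'C:\inetpub\SolarWinds') `
    -Current  @('C:\ProgramData\SolarWinds', 'C:\Temp\suspicious')
# ADDED: C:\Temp\suspicious
# REMOVED: C:\inetpub\SolarWinds
```

Because the output only contains drift, an empty result means the exclusions still match your approved list, which makes a very clean SCM baseline.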

 

This is all just a sample of the power of PowerShell and SCM. We’d love to know what you’ve got in mind for your environment. So, download a trial or upgrade to the latest version of SCM. Be sure to share your excellent scripting adventure so the rest of us can join in the fun!

In part 2 of "What's New in SAM 6.8," we're going to discuss the improved Cisco UCS monitoring shipping with SAM 6.8.

(If you were looking for part 1 it is over here: SAM 6.8 What's New Part 1 - AppInsight for Active Directory )

Those of you who have been using SAM with NPM for a while are probably already aware that some UCS monitoring was possible in Orion. That UCS support has been re-written so it can be used by any combination, or standalone deployment, of SAM, VMAN, or NPM. Additionally, we added a new overview resource that lets you visualize your UCS environment. We fleshed out the hardware health support to include all the pieces: Fabric Interconnects, chassis, blades, and any rack-mount UCS servers you have managed under UCS. Finally, we added a widget to surface native errors and failures from UCS via its API. If you're using Cisco UCS in a hyper-converged (HCI) configuration, or hosting your critical virtualization resources in UCS, the new monitoring we've added is going to be a big win for you!

 

Get started by adding your Cisco UCS Manager node. In the Add Node wizard, click 'Poll for UCS' and enter your credentials.

 

 

Once you are successfully polling the UCS Manager some new widgets will become available:

 

Overview and UCS Errors and Failures

 

Chassis Overview

 

 

Blade hardware health

 

 

New layer added in AppStack!

AppStack lets you see the relationship between your Cisco UCS resources and the VMs and applications running on them.

See end-to-end status from containers and applications all the way down to the storage at the foundation of your UCS stack!

 

Out of the box alerts and reports:

 

Hardware Alerts:

 

 

Cisco UCS Entity Report

 

 

That wraps up our quick tour of this great new feature in SAM 6.8... As always, if you like what you see or have a question or a comment please feel free to contribute below.

You can also submit a feature request in the Server & Application Monitor Feature Requests forum.

If you are curious about what we are planning for future releases jump over to the public road map What We're Working On For Server & Application Monitor (Updated June, 2019)

 

Here are some additional useful links related to SAM:

SAM 6.8 is now available - Following up on our previously released AppInsight for SQL, Exchange, and IIS, the latest installment of AppInsight is here, and it wants to make your life easier when it comes to monitoring Active Directory. In addition to performance counters and event logs, detailed information about replication, FSMO roles, and sites is provided out-of-the-box.

 

To get started, there are a couple of ways to get AppInsight for Active Directory applied to your domain controller nodes:

You can either use "List Resources" on a node you know to be a domain controller, or run a Network Sonar discovery and we'll find your DCs for you!

 

 

 

Performance counters and events are still here, but we took the time to add some new ones and improve the grouping presentation. User and Computer Events, System Events, Replication Events, Policy Events, and Logon Events are all neatly grouped together to make it easy to find what you're looking for.

 


 

Replication: If replication isn't working, your Active Directory isn't working. Keep an eye on replication and get alerted if anything goes wrong. In addition to status, we represent direction and site location. You can also expand any given DC to see more detail about its configuration.

 


 

FSMO Roles at a glance: When something is wrong with a particular DC it can be helpful to know what roles it holds. Hover over the pill to expand the role description. Filters are also available at the top of the resource to allow you to focus on servers of a particular type of role.

 

 

Site Details: This widget provides a detailed overview of your sites including a view into related Links and Subnets. The widget also allows for quick searching to zero in on a specific item.

 

 

Alert objects specific to AppInsight for AD

 

 

So that wraps up our quick tour of this great new feature in SAM 6.8... Don't forget to check out part 2 of what's new in SAM 6.8: SAM 6.8 WHAT'S NEW PART 2 - Enhanced Support for Cisco UCS Monitoring

 

As always, if you like what you see or have a question or a comment please feel free to contribute below.

You can also submit a feature request: Server & Application Monitor Feature Requests

 

If you are curious about what we are planning for future releases, jump over to the public road map: What We're Working On For Server & Application Monitor (Updated June, 2019)

 


 

Thanks for stopping by!

After four months, it is time again to write another article about another product.
As it happens, we’ve added a new toy to our portfolio:

SolarWinds Access Rights Manager (ARM)

Some of you may know it under its former name, 8MAN.

 

What exactly does ARM do? And who came up with this TLA?

The tool analyzes permissions within Active Directory®, Exchange™, SharePoint®, and file servers. So: who has access to what, and where does the permission come from?

Users, groups, and effective permissions can be created, modified, or even deleted.

Reports and instant analysis complete the package.

Everything works out of an elegant user interface, and you can operate it—even if you aren’t a rocket scientist.

 

ARM can be installed on any member server and comes with minimal requirements.
The OS can be anything from Windows Server 2008 SP1 up; give it two cores and four gigs of RAM, and you're golden, even for some production environments. The data is stored in SQL Server 2008 or later.

The install process is quick.

 

 

Once installed, the first step is to click the configuration icon on the right-hand side. The color is #04C9D7, and according to the internet, it is called “vivid arctic blue,” but let’s call it turquoise.
On that note, let me tell you: I am German and unable to pronounce turquoise, so I am calling it Türkis instead.

 

 

The next step is to create an AD and SQL® user and connect to the database:

 

 

ARM is now available, but not yet ready to use.

 

 

We need to define a data source, so let’s attach AD. The default settings will use the credentials already stored in ARM for directory access.

 

 

In my example, an automated search kicks off in the evening. When you set it up for the first time, I suggest clicking the arrow manually once to get some data to work with.
Attention: Don’t do this with 10,000 users in the early morning.

Alright, that’s it.


Now click the orange—sorry, #F99D1C—icon to start the tool.

 

 

Login:

 

 

The first thing we see is the dashboard:

 

 

Let’s deal with the typical question, “Why was that punk able to access X at all?”
The main reason for this is probably a nested authorization, which isn’t obvious at first glance.
But now ARM comes into play.
Click on Accounts and enter Mr. Punk’s name into the search box above:


 

The result is a tree diagram showing the group memberships, and it is easy to see where the permission is coming from.
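That tree view is essentially a walk of nested group memberships. As a rough illustration (the group names and directory data here are made up; ARM reads them live from your directory), a minimal Python sketch of that resolution might look like:

```python
from collections import deque

# Hypothetical directory data: group -> members (users or other groups).
GROUPS = {
    "FileShare-X-ReadWrite": ["Grp-Engineering", "alice"],
    "Grp-Engineering": ["Grp-Firmware", "bob"],
    "Grp-Firmware": ["punk"],
}

def membership_paths(user):
    """Return every chain of nested groups that grants `user` membership."""
    paths = []
    queue = deque([(user, [user])])
    while queue:
        name, path = queue.popleft()
        for group, members in GROUPS.items():
            if name in members and group not in path:  # avoid cycles
                queue.append((group, path + [group]))
                paths.append(path + [group])
    return paths

for p in membership_paths("punk"):
    print(" -> ".join(p))
```

The longest chain printed here (punk via Grp-Firmware and Grp-Engineering into FileShare-X-ReadWrite) is exactly the kind of indirect grant the diagram makes visible at a glance.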

 

 

If you click on a random icon, you will see more details—give it a try.
You can also export the graphic as a picture.
On the right side, you will find AD attributes:

 

 

Now it is getting comfortable. It is possible to edit any record just from here:

 

 

Oh yes, I don’t trust vegetarians!

By the way, this box here is mandatory on any change, as proper change management requires a note for every change.

 

 

And while we’re at it, right-click on an account:

 

 

Let’s walk from AD to file permissions. It’s only a short walk, I promise.
Click Show access rights to resources as seen above.

Now we need to select a file server:

 

 

On the right, we see the permissions in detail:

 

 

We ship ARM with a second GUI in addition to the client—a web interface accessible from anywhere, where you find tools for other tasks.

Typical risks are ready for your review out of the box. Just click on Risks. I know you want to do it:

 

 

You’ll find some interesting information, like inactive accounts:

 

 

Permanent passwords:

 

 

Or everybody’s darling, the popular “Everyone” permission on folders:

 

 

One does not simply “Minimize Risks,” but give it a try:

 

 

I could initiate changes directly from here, even in bulk.

 

By the way, any change made via ARM will be automatically logged.
The logbook is at the top of the local client, and we can generate and export reports:

 

You may have seen this above already, but you can find more predefined reports directly on the Start dashboard:

 

 

Let’s address one or two specific topics.

Since Server 2016, there is a new feature available called temporary group membership.
It can be quite useful; for example, in the case of an employee working in a project team who requires access to specific elements for the duration of the project. That additional authorization will expire automatically after whatever time has been set.
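A minimal sketch of the idea, with a hypothetical TemporaryMembership class standing in for the time-to-live that Windows Server 2016 attaches to the group link (names and TTL are illustrative):

```python
from datetime import datetime, timedelta, timezone

class TemporaryMembership:
    """A time-bound group membership that expires automatically."""

    def __init__(self, user, group, ttl_hours):
        self.user = user
        self.group = group
        # The expiry is fixed at grant time, like the TTL on the AD link.
        self.expires = datetime.now(timezone.utc) + timedelta(hours=ttl_hours)

    def is_active(self, now=None):
        """Membership counts only while the TTL has not elapsed."""
        now = now or datetime.now(timezone.utc)
        return now < self.expires

m = TemporaryMembership("elyne", "Project-Phoenix", ttl_hours=8)
print(m.is_active())           # active right after the grant
print(m.is_active(m.expires))  # no longer active once the TTL elapses
```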

Practical, isn’t it?

 

But also consider this: someone might have used an opportunity to give him- or herself temporary access to a resource, knowing that the membership change will disappear again, which makes the whole process difficult, if not impossible, to trace.

But not anymore! Here we go:

 

 

If you hover over this box here…

…you will find objects on the right side:

 

 

For this scenario, these two guys here might be interesting:

 

Unfortunately, in my lab, there’s nothing to see right now, so let’s move on.

 

ARM allows routine tasks to be performed right from the UI; for example, creating new users or groups, assigning or removing permissions, and much more.
This becomes even more interesting when templates, or profiles, are introduced.

Let’s change into the web client. Click the cogwheel on top, then choose Department Profiles:

 

 

At the right side, click Create New.

 

 

The profile needs a shiny name:

 

 

Always make sure people who operate microwaves receive proper training. But that’s a different story.

More buttons on the left side; I will save it for now:

 

 

Starting now, you can assign new hires to these profiles, and everything else is taken care of by the tool, like assigning group memberships or setting AD attributes.

 

Of course, these profiles are also baselines, and there is a predefined report available showing any deviations from the standard. Just click Analysis and User Accounts.

 

 

Select a profile and off you go:

 

 

Elyne is compliant; congratulations. But that’s hardly surprising, as she is the only employee in Marketing:

 

 

These are just a few features of ARM. Other interesting topics would be the integration of different sources, or scripts for more complex automation. This is food for future postings.

 

But you know what I like most about ARM, as a computer gamer?
You can click on just about anything.

Try this out; it’s at the left side of the Start dashboard:

 

 

Have fun exploring.

Woes of Flow

A poem for Joe

 

It uncovers source and destination

without hesitation.

Both port and address

to troubleshoot they will clearly assess.

Beware the bytes and packets

bundled in quintuplet jackets,

for they are accompanied by a wild hog

that will drown your network in a bog.

The hero boldly proclaims thrice,

sampling is not sacrifice!

He brings data to fight

but progress is slow in this plight.

 

Mav Turner

 

For network operators, one of the most common, and most important, troubleshooting tasks is tracking down bandwidth hogs consuming capacity in our network infrastructure. We have a wealth of data at our fingertips to accomplish this, but it's sometimes challenging to reconcile it into a clear picture.

 

Troubleshooting high utilization usually begins with an alert for exceeding a threshold. In the Orion Platform’s alerting facility, there are several conditions we can set up to identify these thresholds for action. The classic—and simple—approach is to set a threshold for utilization defined as a percentage of the available capacity. The Orion Platform also supports baselining utilization in a trailing window and setting adaptive thresholds. Next, you need to investigate to determine what’s driving utilization and decide what action to take.
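To illustrate the baselining idea (this is a rough sketch, not the Orion Platform's actual algorithm), an adaptive threshold can be derived from a trailing window of utilization samples as the mean plus a few standard deviations:

```python
from statistics import mean, stdev

def adaptive_threshold(samples, k=2.0):
    """Baseline an interface from a trailing window of utilization
    samples (in percent) and flag anything more than k standard
    deviations above the mean -- a simple stand-in for adaptive
    thresholding versus a fixed percentage."""
    return mean(samples) + k * stdev(samples)

trailing = [22.0, 25.0, 21.0, 24.0, 23.0, 26.0, 22.0]  # last 7 polls
limit = adaptive_threshold(trailing)
print(f"alert above {limit:.1f}% utilization")
```

Unlike a fixed "alert at 80%" rule, this limit adapts to what is normal for each interface.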

 

Usually, the culprit is a particular application generating an unusual level of traffic. We can get some insights into application traffic volumes from a NetFlow analyzer tool like NetFlow Traffic Analyzer.

 

So, why don’t the volume measurements match exactly from these two sources of data? Aren’t interface utilization values the same as traffic volume data from NetFlow?

 

Let’s review the metrics we’re working with, and how this data comes to us.

 

Interface capacity—the rate at which we can move data through an interface—is modeled as an object in SNMP, and we pick that up from each interface as part of the discovery and import process into Network Performance Monitor network monitoring software. It can be overridden manually, as some agents don't populate that object in SNMP correctly.

 

Interface utilization is calculated from the difference in total data sent and received between polls, divided by the time interval between polls. The chipset provides a count of octets transmitted or received through the interface, and this value is exposed through SNMP. The Orion Platform polls it, then normalizes it to the units in which interface speed is expressed, usually bits per second.
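That calculation can be sketched in a few lines of Python. This is a simplified illustration of the arithmetic; a real poller also deals with missed polls and 32-bit counters:

```python
def utilization_percent(prev_octets, curr_octets, seconds, if_speed_bps,
                        counter_bits=64):
    """Utilization between two SNMP polls of an octet counter
    (e.g., ifHCInOctets). Tolerates a single counter wrap; counts
    are bytes, interface speed is bits per second."""
    wrap = 2 ** counter_bits
    delta = (curr_octets - prev_octets) % wrap  # handles one rollover
    bps = delta * 8 / seconds                   # octets -> bits per second
    return 100.0 * bps / if_speed_bps

# 1.5 GB moved during a 300-second poll cycle on a 1 Gbps interface:
print(utilization_percent(10_000_000, 1_510_000_000, 300, 1_000_000_000))  # 4.0
```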

 

SNMP Polled Utilization

 

The metrics reported by SNMP about data received or sent through the interface include all traffic: layer 2 traffic that isn't propagated beyond a router, as well as application traffic that is routed. Some of the data that flows through the interface isn't application traffic. Examples include Address Resolution Protocol traffic, some link-layer discovery protocols, some link-layer authentication protocols, some encapsulation protocols, some routing protocols, and some control/signaling protocols.

 

For a breakdown of application traffic, we look to flow technologies like NetFlow. Flow export and flow sampling technologies are normalized into a common flow record, which is populated with network and transport layer data. Basic NetFlow records include ICMP traffic, as well as TCP and UDP traffic. While it’s possible on some platforms to enable an extended template that includes metrics on layer 2 protocols, this is not the default behavior for NetFlow, or any of the other flow export protocols.
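As a rough illustration of that normalization, here is a hypothetical flow record keyed on the classic 5-tuple, with a crude top-N aggregation by protocol and destination port (real analyzers map ports to named applications and do far more):

```python
from collections import Counter
from typing import NamedTuple

class FlowRecord(NamedTuple):
    """The 5-tuple key a flow export is normalized to, plus its byte count."""
    src_ip: str
    dst_ip: str
    src_port: int
    dst_port: int
    protocol: int   # 6 = TCP, 17 = UDP, 1 = ICMP
    bytes: int

def top_applications(flows, n=3):
    """Aggregate flow volume by (protocol, destination port) as a
    crude application key, highest volume first."""
    totals = Counter()
    for f in flows:
        totals[(f.protocol, f.dst_port)] += f.bytes
    return totals.most_common(n)

flows = [
    FlowRecord("10.0.0.5", "10.0.1.9", 49152, 443, 6, 1_200_000),
    FlowRecord("10.0.0.7", "10.0.1.9", 49200, 443, 6, 800_000),
    FlowRecord("10.0.0.5", "10.0.2.4", 49300, 53, 17, 4_000),
]
print(top_applications(flows))  # HTTPS dominates, then DNS
```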

 

Top N Applications traffic volumes

 

The sFlow protocol takes samples from layer 2 frames, and forwards those. So, while it’s possible to parse out layer 2 protocols from sFlow sample packets, we generally normalize sFlow along with the flow export protocols to capture ICMP, TCP, and UDP traffic, and discard the layer 2 headers.

 

When we work with flow data, we're focusing on the traffic that is generally most variable and represents the applications that most often drive the high utilization we're investigating. But you can see that, in terms of the volumes represented, flow technologies are examining only a subset of the total utilization we see through SNMP polled values.

 

SNMP Polled versus application flow volumes

 

An additional consideration is timing. SNMP polling and NetFlow exports are designed to work on independent schedules and are not synchronized by design. Therefore, we may poll using SNMP every five minutes and average the rate of bandwidth utilization over that entire period. In the meantime, we may have NetFlow exports from our devices configured to send every minute, or we may be using sFlow and continuously receiving samples. Looking at the same one-minute period, we may see very different values at a particular interval for interface utilization and application traffic that is likely the main driver for our high utilization.
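A toy example of the effect, using made-up per-minute flow totals: a one-minute burst that dominates the flow view nearly vanishes inside a five-minute SNMP average.

```python
# Five one-minute flow byte totals within one SNMP poll interval,
# with a burst in minute 3 (values are illustrative, not real data).
flow_bytes_per_min = [50e6, 55e6, 400e6, 60e6, 52e6]

# The SNMP poll averages the whole 300 seconds into one rate...
snmp_avg_bps = sum(flow_bytes_per_min) * 8 / 300
# ...while per-minute flow data exposes the busiest single minute.
peak_minute_bps = max(flow_bytes_per_min) * 8 / 60

print(f"SNMP 5-min average:  {snmp_avg_bps / 1e6:.1f} Mbps")
print(f"Busiest flow minute: {peak_minute_bps / 1e6:.1f} Mbps")
```

Both numbers are "correct" for their interval; they simply answer the question over different windows.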

 

SNMP Polling and flow export over time intervals

 

If we’re using sFlow exclusively, our accuracy can be mathematically quantified. The accuracy of randomly sampled data—sFlow, or sampled NetFlow—depends solely on the number of samples arriving over a specific interval. For example, a sample arrival rate of ~1/sec for a 10G interface running at 35% utilization and sampling at 1:10000 yields an accuracy of +/-3.91% for one minute at a 98% confidence interval. That accuracy increases as utilization grows or over time as we receive a larger volume of samples. You can explore this in more detail using the sFlow Traffic Characterization Worksheet, available here: https://thwack.solarwinds.com/docs/DOC-203350
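The commonly cited sFlow rule of thumb bounds the worst-case relative error of a sampled traffic class at 196 × sqrt(1/n) percent at 95% confidence, where n is the number of samples in the class. Generalizing the z-score gives a quick sketch (an approximation of the idea, not the worksheet's exact math):

```python
import math

# z-scores for common confidence levels
Z = {0.90: 1.645, 0.95: 1.960, 0.98: 2.326}

def sampling_error_pct(num_samples, confidence=0.95):
    """Worst-case relative error (in percent) of a randomly sampled
    traffic class: error <= 100 * z * sqrt(1/n). At 95% confidence
    this is the familiar 196 * sqrt(1/n) sFlow bound."""
    return 100.0 * Z[confidence] * math.sqrt(1.0 / num_samples)

# More samples -> a tighter bound; the error shrinks with sqrt(n).
for n in (100, 1_000, 10_000):
    print(n, round(sampling_error_pct(n, 0.95), 2))
```

This is why accuracy improves as utilization (and therefore the sample arrival rate) grows, or simply as we wait longer and accumulate more samples.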

 

So, what’s the best way to think about the relationship between utilization and flow-reported application traffic?

 

  • Utilization is my leading indicator for interface capacity. This is the trigger for investigating bandwidth hogs.
  • Generally, utilization will alert me when there’s sustained traffic over my polling interval.
  • Application traffic volumes are almost always the driver for high utilization.
  • I should expect that the utilization metric and the application flow metrics will never be identical. The longer the time period, the closer they will track.
  • SNMP-based interface utilization provides the tools to answer the questions:
    • What is the capacity of the interface?
    • How much traffic is being sent or received over an interface?
    • How much of the capacity is being used?
  • Flow data provides the tools to answer the questions:
    • What application or applications?
    • How much, over what interval?
    • Where’s it coming from?
    • Where is it going?
    • What’s the trend over time?
    • How does this traffic compare to other applications?
    • How broadly am I seeing this application traffic in my network?

 

Where can I learn more about flow and utilization?

 

An Overview of Flow Technologies

https://www.youtube.com/watch?v=HJhQaMN1ddo

 

Visibility in the Data Center

https://thwack.solarwinds.com/community/thwackcamp-2018/visibility-in-the-data-center

 

Calculate interface bandwidth utilization

https://support.solarwinds.com/Success_Center/Network_Performance_Monitor_(NPM)/Knowledgebase_Articles/Calculate_interface_bandwidth_utilization

 

sFlow Traffic Characterization Worksheet

https://thwack.solarwinds.com/docs/DOC-203350
