Many of you (a growing number) are expressing interest in compliance reporting.

NCM 6.1 delivered some great improvements in general and around compliance reporting in particular. What we're working on... the live edition: NCM Improved Policy Reports.

We now have a set of available compliance reports for the following industries:

  • CISP: Cardholder Information Security Program
  • HIPAA: Health Insurance Portability and Accountability Act
  • SOX: Sarbanes-Oxley


With 6.1, we also delivered, on Thwack, our vibrant community, a set of DISA STIG compliance reports (Defense Information Systems Agency Security Technical Implementation Guide).

Let’s face it. Most of the time, your interest comes from the fact that your company HAS TO provide evidence of compliance (depending on your industry: health insurance, DOD, …).

But don’t forget that those compliance checks, even if your organization is not subject to them and you don’t HAVE TO show evidence of compliance, are an EXCELLENT PRACTICE ANYWAY.

Those security rules are good for you. Checking them regularly, on all your configurations, ensures consistency across dozens, sometimes hundreds or thousands of device configurations. This can catch some pretty bad security holes for you and allow for simple and quick remediation.

Why do you need a product like NCM to do this? Obviously because you will rarely see anything in your life as boring as checking network device configurations manually.

With NCM, you can do 1000’s of checks automatically (huge time saver), sometimes do remediation automatically (error reduction) and, more importantly, generate that PDF report that will show evidence that you are taking this seriously - and will keep that auditor busy and off your back for a while (yes, another huge time saver)!

Now I’m sure you can’t wait to get started with compliance reporting. If HIPAA, DISA, SOX is what you need, help yourself, it’s already in the product or on Thwack.

If PCI is what you are dreaming about (some call it a nightmare), keep reading.

This blog is about leveraging our amazing community of SolarWinds product users to cover the Payment Card Industry compliance area: the PCI DSS compliance.

You may have noticed the CISP reports in the snapshots above, which are related. But these CISP reports are still limited and there is a difference between the two. A little bit of history on the difference:

  • The Payment Card Industry Data Security Standard (PCI DSS) has been created jointly by Visa, MasterCard, Discover and American Express because of the growing occurrences of credit card and identity theft, aiming at protecting credit card data.
  • The Cardholder Information Security Program (CISP) was mandated before, by Visa (2001), but was then incorporated into the PCI DSS, to become the industry-wide standards for card security.

PCI DSS is therefore wider and more recent, and this is why we will focus on it.

How are we going to organize, as a community, to generate this PCI DSS content? The methodology we propose is one that has proven effective for centuries: Divide and conquer!

In a nutshell what we propose is pretty simple:

  • We will propose a break-down of the PCI DSS standard by section
  • Ask NCM users to volunteer and “take” one section
  • Each “volunteer” will write the PCI rules that will check network configuration for this particular section
  • They will contribute their work on a dedicated Thwack content exchange area
  • It will be freely available to everyone to consume

I can already hear you thinking… wait a minute… this looks like quite some work, it is probably complicated, and I’m not a PCI compliance expert anyway (otherwise I would not have read that far).

Here is why it’s actually simpler than it seems:

  • Because some have already started and will share soon a great starting point that you can take, try and use as model.
  • Because many of these rules actually are the same.
    Sure, HIPAA, SOX, DISA and PCI look fairly different when you read the standards, which are usually written at a fairly high level, but at the end of the day, when you try to apply the spirit of the standard to network device configuration checks, they all come down to very similar checks.
  • Many of those checks are already implemented in the hundreds of rules that we have today in NCM
  • So this work is about:
    1. Reading a portion of the PCI standard (the one you want to contribute for)
    2. Leverage your knowledge of network configuration to understand how you can check what the standard asks for, in a device configuration.
      Just think you had an auditor in front of you: what would you show him/her in your configurations, that proves that you comply?
      That’s it, this is what you want to convert into an NCM rule!
    3. Write and test the rule
    4. Package it and upload it on Thwack, following the recommended packaging and naming structure
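
One way to express steps 2 and 3 outside the product, as an added example (not NCM's rule engine and not code from the original post): each "what would you show the auditor" answer becomes a must-contain or must-not-contain pattern, optionally scoped to a configuration block, and is run across every device configuration. The rule names, device names and IOS-style configurations are constructed for illustration.

```python
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class Rule:
    name: str
    pattern: str      # regex, matched line by line (re.MULTILINE)
    must_match: bool  # True: line must be present; False: line must be absent
    scope: str = ""   # optional regex selecting config blocks, e.g. "^line vty"


# Hypothetical rules: the lines you would point an auditor at.
RULES = [
    Rule("password-encryption-enabled", r"^service password-encryption$", True),
    Rule("no-plaintext-enable-password", r"^enable password .*$", False),
    Rule("no-default-snmp-community",
         r"^snmp-server community (public|private)\b.*$", False),
    Rule("vty-ssh-only", r"^transport input ssh$", True, scope=r"^line vty"),
]

# Constructed sample configurations (not taken from any real device).
CONFIGS = {
    "edge-rtr-01": """\
service password-encryption
enable secret 5 $1$constructed$hash
snmp-server community Xk29fRo RO
line vty 0 4
 transport input ssh
!
""",
    "branch-sw-07": """\
enable password cisco
snmp-server community public RO
line vty 0 4
 transport input telnet ssh
line vty 5 15
 transport input ssh
!
""",
}


def blocks(config, header_re):
    """Yield (header, body) for indented blocks whose header matches header_re."""
    header, body = None, []
    for line in config.splitlines():
        if line and not line[0].isspace():       # a new top-level statement
            if header is not None:
                yield header, "\n".join(body)
            header, body = (line, []) if re.match(header_re, line) else (None, [])
        elif header is not None:
            body.append(line.strip())
    if header is not None:
        yield header, "\n".join(body)


def evaluate(rule, config):
    """Return a list of violation strings; an empty list means compliant."""
    if rule.scope:
        targets = list(blocks(config, rule.scope))  # no such block: not applicable
    else:
        targets = [("global", config)]
    violations = []
    for header, text in targets:
        found = re.search(rule.pattern, text, re.MULTILINE)
        if rule.must_match and not found:
            violations.append(f"{rule.name}: required line missing in '{header}'")
        elif not rule.must_match and found:
            violations.append(
                f"{rule.name}: forbidden line '{found.group(0)}' in '{header}'")
    return violations


def audit(configs, rules=RULES):
    """Run every rule against every device; return {device: [violations]}."""
    return {dev: [v for r in rules for v in evaluate(r, cfg)]
            for dev, cfg in configs.items()}


if __name__ == "__main__":
    for device, violations in audit(CONFIGS).items():
        print(device, "PASS" if not violations else "FAIL")
        for v in violations:
            print("   ", v)
```

The scoped rule is the part that is easy to get wrong by hand: `branch-sw-07` fails only on `line vty 0 4`, because the check is evaluated per block rather than once per file.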

The first package is Interested to use or contribute to the PCI-Palooza? Start here!

And now, here is the real reason why you will want to contribute.

Everyone who contributes to the PCI-Palooza and uploads PCI reports will get free SolarWinds NCM tee shirts!



If you have questions or are interested, please reply to this blog, or send me directly an email and stay tuned for more instructions soon!

It has been a busy week and a half in the browser world with both IE9 and FF4 being released to the world.  Like myself, many of our customers either have already upgraded or want to upgrade their browsers to the latest and greatest, but have called us to see if we support them yet.


The formal answer is no, not with the shipping products today.  We plan to support them in versions later on this year depending on the product you are asking about (Orion, Profiler or Hyper9).  For Orion, we plan to add support for these two product versions in the next release of size, including dropping support for IE6.  I blogged about this a few weeks back and you can read Announcement of end of support for Internet Explorer (IE) 6 in next Orion NPM version. Also, when I say release of size, this does not mean a Service Pack or a Service Release. 


If you choose to brave out on your own and use these browser versions, there are a couple issues we know about.  The largest one is with Firefox 4, in which if you currently try to go to the Orion web browser from your PC, you will get the mobile view of Orion instead.  Here is a manual workaround to this.


On the Orion server, open <drive_installed_on>:\Inetpub\SolarWinds\bin\web_browsers_patch.xml
Add the following section within the Devices section:
<!--  FireFox4 -->
        <device user_agent="Mozilla/5.0 (rv:2.0b10) Gecko/20100101 Firefox/4.0" fall_back="firefox" id="firefox_4_0">
            <group id="product_info">
                <capability name="model_name" value="4.0" />
            </group>
        </device>


That’s it, any questions, please feel free to let me know.

Last week, SolarWinds launched another great free tool: SNMP Enabler for Windows. If you haven't gotten a chance to check it out, you can read about it, watch a video to see it in action, and download it here. 

Here is a short overview of what the tool does: 


  • Remotely install, enable, and configure SNMP on any Windows server or workstation on your network
  • Simultaneously enable SNMP on multiple machines
  • Save time when deploying applications requiring SNMP

We hope you find this tool useful, and as always, please let us know what you think! The forum for this tool is located here.

We added a feature back in Orion NPM 10; however, over time I have gotten this question from folks, and have seen threads such as Parsing Trap Text For Alerting come up on thwack, asking if you could do this in Orion and, if so, how.


Background on the problem people are trying to solve:


An SNMP Trap sent from a device is a general blob of data with some standard data followed by vendor defined information called variable bindings; see the example below for how this looks.


These traps have additional information sent with them called variable bindings. These extra variables contain information relating to the trap, and y’all don’t want to have to visually parse each trap manually.  What you have asked for is some sort of variable notation that allows you to format and display these variable bindings as needed.


With this ability you can format an email notification with the separate variable bindings.  So instead of receiving an email with the block of text below in the example, you can get only the specific information you care about.


An example one of our community members posted on thwack was this.


What I want is the "apSvcTrapEventText" line with just "Service:test State:suspended" in the email.  How do I format the email text to get it?


When creating the email notification template in Orion, you can do something like this below, where ${vbdata3} equals the value associated with the third listed trap variable.




${Caption} - ${vbdata3}



03/08/2011 08:20 : ARROWPOINT-SVCEXT-MIB:apSvcTransitionTrap SNMP Trap  
Received Time:3/8/2011 8:20:32 AM  
Variable Bindings  
sysUpTime:= 2 days 13 hours 35 minutes 55.25 seconds (22175525)  
snmpTrapOID:= ARROWPOINT-SVCEXT-MIB:apSvcTransitionTrap (  
apSvcTrapEventText:= Service Transition - Service:test State:suspended  

Let’s walk through an example of this in the product.

  1. On the Orion server, open the SNMP Trap Viewer
  2. As you can see, I have a specific trap, but I don’t want all the information included within it; I just want SysUpTime
  3. Create a new trap rule in the SNMP Trap Viewer and define your filters to narrow down to the specific trap you are interested in.  In this example, I did it by IP Address.
  4. On the Alert Actions tab, select add a new alert action.  I chose log to a file, but this would work with the others as well, including email
  5. In the dialog “Message to Log File” I entered three variables.
    • Date/Time Stamp
    • Name of the first trap variable
    • Value of the first trap variable
  6. In the text file I chose to log to, there is an entry for each trap I have received that matched this rule.  As you can see, instead of getting the entire trap message, I only get the value as defined by my variables in step #5 above.

That’s it, pretty straight forward. 
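
The substitution described above, emulated as an added example (this is not Orion's code and not from the original post): it parses the sample trap into ordered variable bindings and expands a template such as `${Caption} - ${vbdata3}`. The `${vbnameN}` spelling, the caption value, the `service_state` helper, and the choices to leave unknown variables untouched and to strip control characters are assumptions of this example.

```python
import re

# Constructed from the trap shown above; the truncated snmpTrapOID line is kept as-is.
TRAP_TEXT = """\
03/08/2011 08:20 : ARROWPOINT-SVCEXT-MIB:apSvcTransitionTrap SNMP Trap
Received Time:3/8/2011 8:20:32 AM
Variable Bindings
sysUpTime:= 2 days 13 hours 35 minutes 55.25 seconds (22175525)
snmpTrapOID:= ARROWPOINT-SVCEXT-MIB:apSvcTransitionTrap (
apSvcTrapEventText:= Service Transition - Service:test State:suspended
"""

_VAR = re.compile(r"\$\{(\w+)\}")
_VB = re.compile(r"vb(name|data)(\d+)")


def parse_varbinds(trap_text):
    """Return the ordered (name, value) pairs listed after 'Variable Bindings'."""
    binds, in_binds = [], False
    for line in trap_text.splitlines():
        line = line.strip()
        if line == "Variable Bindings":
            in_binds = True
        elif in_binds and ":=" in line:
            name, value = line.split(":=", 1)
            binds.append((name.strip(), value.strip()))
    return binds


def sanitize(value):
    """Varbind values are chosen by the trap sender: collapse control characters
    so a value cannot add extra lines to a log file or extra e-mail headers."""
    return re.sub(r"[\x00-\x1f\x7f]+", " ", value).strip()


def expand(template, binds, extra=None):
    """Expand ${vbnameN}, ${vbdataN} (1-based, case-insensitive) and any variables
    in `extra`, e.g. Caption. Unknown or out-of-range variables are left untouched
    so that a wrong index is visible in the output."""
    extra = {k.lower(): v for k, v in (extra or {}).items()}

    def repl(match):
        key = match.group(1).lower()
        vb = _VB.fullmatch(key)
        if vb:
            n = int(vb.group(2))
            if 1 <= n <= len(binds):
                name, value = binds[n - 1]
                return sanitize(name if vb.group(1) == "name" else value)
            return match.group(0)
        return sanitize(extra[key]) if key in extra else match.group(0)

    return _VAR.sub(repl, template)


def service_state(event_text):
    """Pull just 'Service:<x> State:<y>' out of the apSvcTrapEventText value."""
    m = re.search(r"Service:\S+ State:\S+", event_text)
    return m.group(0) if m else None


if __name__ == "__main__":
    binds = parse_varbinds(TRAP_TEXT)
    print(expand("${Caption} - ${vbdata3}", binds, {"Caption": "css-lb-01"}))
    print(expand("${vbname1} = ${vbdata1}", binds))
    print(service_state(binds[2][1]))
```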

Here at SolarWinds, we like to offer options to our customers. A good example of that is the multiple choices we offer for device tracking. We have the Switch Port Mapper which helps with troubleshooting and runs against a single switch. In Network Configuration Manager we implemented some basic device tracking. In User Device Tracker, a new product we are building, we really focus on solving the problems associated with tracking users by offering a dedicated product for device tracking.

For a quick overview of the problems these various solutions solve, refer to this chart. For more details, read on.

Find what port a computer is connected to/XX
Continuous scanning of all network devices XX
Find where a  computer was connected historically  X
Receive an alert when a computer connects to the network  X
Find ports where users have plugged in a hub or AP  X
See a report of how many ports are used on a switch  X
See historical information about port utilization on a switch  X
See a total view of port utilization for your entire environment  X


Most long time customers should be familiar with our Switch Port Mapper tool. It was one of our most popular tools in the Engineer’s Toolset. It was so popular that we wanted to make it more available to our customers, so now you can just buy Switch Port Mapper and don’t need the full Toolset! The Switch Port Mapper tool is exactly that, a tool. It is focused on troubleshooting and providing detailed information about a specific switch. You can launch it and run it against a single switch to see what is connected to the device and retrieve basic configuration information about the ports (VLAN, Duplex, Speed, etc.). This tool is really helpful for seasoned network administrators as well as newbies who you don’t want to give CLI access to. You can just give them the read only string to a switch and they can get more information that could help in troubleshooting why a device is having drops, can’t connect to the right resource, or just finding what physical port it is connected to (while you’re at it, have your newbie admin clean up your closet, it’s a rite of passage and will make everyone’s life better).

You can buy Switch Port Mapper here, or download a free evaluation of Engineer’s Toolset which includes Switch Port Mapper here.



In our discussions with customers about Network Configuration Change Management, they often requested the ability to search and find what port a device is connected to on the network. Because of this, we added basic tracking capabilities into SolarWinds Network Configuration Manager (NCM). The main use cases for NCM include: backing up and restoring device configurations, configuration compliance, bulk configuration changes, and inventory information. Because of the demand for device tracking, we added limited support for this directly into NCM. You can search for a MAC Address, IP Address, Hostname, and Port Description. The search results will include a report that includes information about where the end host is actively connected. To respond quickly to our customers’ requests, we leveraged certain functionality in NPM; therefore, the NCM User Tracking feature requires both NCM and NPM. For more information on how to use NCM's user tracking, see Leveraging NCM’s “Find Connected Port for End Host” feature.



For users who need advanced device tracking information as part of a dedicated product, we are building the SolarWinds User Device Tracker (UDT). UDT will be able to find currently connected devices and will store historical information so you can find where something has been connected in the past. Also, we are working on providing alerting and reporting around this data, but that’s not all. Based on how we do data collection, we can provide really good data for network capacity analysis and planning. These are just some of the features we are currently working on for the first release. We plan to continue building out great functionality on top of this base going forward.


Here is a look at searching for devices and the results page.





Also, if you want to use the normal drill down approach to see what is connected to a specific port, simply use the All UDT Nodes resource on the UDT home page to find the switch and port you are interested in.



When you click a port, you will get more specific information about what is connected to it.



One of the cool new features is the Watch List. You can add a computer to the Watch List and easily see where the device is connected. This is helpful if you lost a device or have a specific device that causes problems (virus, zombie, high traffic) and you want to know where it is connected so you can quickly find it and take it off the network.



Capacity analysis will help you better understand how you are utilizing your environment. Need to add some users to a floor but you don’t really know if you have port capacity? Simply look at and see how many ports are being used. If you need to understand a high level view of your entire network, use the resources on the main UDT page and you can see how many total ports are being used as well as quickly highlighting the top used switches.





There is much more to come for UDT. After we get out the first release, we will look at the following: more integration with other SolarWinds products (for example: NTA and IPAM), providing Active Directory integration for User information, more wireless information to better identify which AP a user is connected to, device fingerprinting (based on OUI), more reporting and alerting, data center specific information, and advanced endpoint information (think IP phones). I can’t say that we will definitely add these features or when, but these are the types of enhancements we are looking at to solve more of your problems in this area.

In summary, Switch Port Mapper is a quick troubleshooting tool that helps you understand what is connected to a single switch. Network Configuration Manager is a configuration change management solution which includes basic Device Tracking. User Device Tracker is a product focused on providing full features of user and device tracking as well as network capacity analysis.

Hopefully this article helps you understand the difference between the Switch Port Mapper, NCM User Tracking feature, and the User Device Tracker product. We are still working on UDT but we have a Beta available that should help whet your appetite until we can finish it and get it released. If you are interested, take this survey and I will send you the Beta.

In the transition to private cloud computing, Chargeback is becoming one key property that differentiates a highly virtualized environment from one that offers a true private cloud.  Whether you plan to formally bill folks for their usage of the environment or simply perform some kind of “showback” or “shadow billing” (how much would it cost?), you need to be able to create dashboards that reflect those costs.


There are a few typical ways that we can potentially charge for computing resources:

  • Fixed – The most simple method is to charge some fixed cost per Virtual Machine, this approach is easy to understand, and likely most similar to any chargeback that may have occurred for physical servers.
  • Allocation – This method charges based on the resources allocated to a Virtual Machine such as the number of vCPUs, memory or storage space allocated.
  • Usage – The most sophisticated, charge based on the resources that are actually being used or consumed such as CPU cycles, memory and storage consumption, and/or network and storage IO.
  • Combo – An arbitrary combination of the previous 3 methods


Creating a Chargeback or Showback Dashboard


So how do you create widgets and dashboards in Virtualization Manager to track these costs?  Fortunately, since Virtualization Manager is built upon a search based platform, you have a tremendous amount of flexibility to model all of the above scenarios.


Let’s take a simple scenario – we want to charge based on the amount of memory allocated to a VM and the amount of storage being used – note that the storage used by a VM could be different from what it has been allocated if you are using thin provisioning, for example.  We’ll assume $25 per GB of memory and $10 per GB of storage space.  To do this, we’re going to use a feature called “Trends” – Trends are simply a search that runs on a schedule and plots the result on a graph.


To start with we search for all of our VMs and hit the “Trend” button – this will take us into the trend configuration screen



On the trend configuration screen, we want to plot out the cost based on allocated memory so we’ll select that we want this trend to be based on an attribute.  If we click on the find button, type in “memory” and the attribute we want should come right up, the memory configured/allocated for the VM.



Memory is stored in MB so we’ll need to divide by 1024 to get it into GB and multiply by $25 for each GB to get it into dollars (you can put any Xpath supported operation in here which is where the “div” for divide comes from) – we want to show the results in $ (units of “currency”)  and we’re going to get a total (aggregation function of “total”) across all VMs in our search.  At any point, you can hit the “preview” button to get a sanity check of your calculation.



Finally, let’s mix this up a bit.  In many companies, folks are using Folders and/or Resource Pools within vSphere to group VMs by owner, department, project, line of business etc….  Since Virtualization Manager collects the Folder and Resource Pool membership and makes them searchable, we can “segment” our trend, or get a cost by folder or resource pool.  We’ll break our cost down by resource pool and run that preview one more time.  Looks good – let’s save it.



Let’s go ahead and do the same thing for the storage space used – we’ll skip the intermediate steps.



Now we can add these trends to our dashboard and we’re good to go.  Don’t forget that any widget on the dashboard can be simply shared into a Sharepoint or other portal, simply right click on the top of the widget to get a URL.



EC2 Cloud Cost Estimator

Finally if you need some more examples, check out the EC2 Cloud Cost Estimator dashboard that estimates what it would cost to run your VMs on Amazon EC2.



Cloud Cost Estimator Dashboard

After delivering a pretty exciting new release of NCM (6.1) on Feb 1st of this year, here is what the NCM team is working on now:

User Interface

  • Single Unified Web Console
    For those of you who also own NPM and use the NPM integration module, the standalone website and integrated website will be merged into one
  • Improved configuration management of large lists of devices.
    The NCM web interface will support multi-level grouping of the devices, in the Configuration Management window, making it easier to navigate long list of devices to identify and select the devices which will be affected by the Configuration Management action.

Node management

  • Node Management improvement
    - NCM standalone users will be able to configure the discovery of their network via a Web interface, as well as benefit from feature-rich node management capabilities (grouping, properties)
    - Users of NCM integrated with NPM will also benefit from an easy to use and web-based way to keep their NPM and NCM managed node list synchronized.
    - NCM Web Summary page performance improvement.

Support Change Request Approval

  • Ability to request approval before making a sensitive change on devices
    Changes such as uploading a configuration, executing a script, executing a configuration change template or rebooting a device can be made subject to approval by an approver before they are executed by users who do not have sufficient credentials for these changes (this list is not exhaustive)


  • Message, Event, Trap and Syslog tools (configuration and visualization) common with NPM
  • Active Directory integration improvement
    Definition of Active Directory users consistent with NPM, web-based and supporting groups.

PLEASE NOTE:  Comments given in this forum should not be interpreted as a commitment that SolarWinds will deliver any specific feature in any particular time frame. All discussions of future plans or product roadmaps are based on the product team's intentions, but those plans can change at any time.


Rule Your Files

Posted by bmrad Employee Mar 16, 2011

Managing files has always been a challenge, and even in today's world of virtualization, automatic tiering and migration, finding out what files are really out there is still difficult - and even more important. In Profiler, file analysis rules allow you to find specific files across all your storage, local, SAN and NAS.  If you need a refresher before we get started, please read Files, Files, Everywhere... and File Analysis on NAS (NetApp, Celerra, etc.) and Virtual Machines.

Once you have file analysis turned on, Profiler will start telling you interesting summary reports like "You have 24.5 GB of mp3" or "17% of your disk space hasn't been accessed in a year".  If you are curious like me, those files immediately become "files of interest" that I want to track down.  Alas, Profiler only has the summary data by default, it does not store information about every file it encounters in the database.

That's where file analysis rules come in, they let you get all the details of those "files of interest" into the database so you can easily view them from the comfort of your browser.  Find that stash of MP3 that you can quickly go delete and reclaim that valuable storage for your virtualization environment. Identify old files that can be deleted or moved to another tier of storage.

Let's get started finding some files.   First, go to Settings > File Analysis Rules to see the list of current rules.  Click Add New Rule and click File Analysis Rules.

The page for defining rules is very long, so we will take it in sections.

  • Rule Name:  Simply the name of the rule.  Rule names need to be unique.

This next set of parameters allows you to set the criteria of size, file age and number of files to return.

  • Find: This allows you to filter how many files each rule will return (ex: 500) and how to rank those results (by age or size).
  • Size: Define the minimum, maximum or range of the size of the files.
  • Accessed Age: Define the minimum, maximum or range of the last accessed time.
  • Modified Age: Define the minimum, maximum or range of the last modified time.
  • Created Age: Define the minimum, maximum or range of the creation time (Windows only).

Profiler allows you to define the file path using a regular expression, in case you want to limit your results to just certain directories (ex: .*[Uu]sers?.* which should find "User", "user", "Users", "users").

  • File Path Regular Expression: Enter a regular expression to filter the path of the file.

You can also select file types as criteria.  The list of file types is generated from files previously encountered during file analysis in the environment.  We highly recommend using the file type regex filter, as there can be tens of thousands of types here.

  • File Type: This filter allows you to pick the file types (file extensions).  Select one or more file types on the left and click the right arrow.

You can also select file owners as criteria. This list is generated from the owners previously encountered during file analysis in your environment.

  • File Owners:  This filter allows you to pick the owners you are interested in.   Select one or more owners on the left and click the right arrow.

Ok, you created your rule, what's next?  First, you have to apply the rule to a policy, go to Settings > Policies.  You have to apply your rule to each policy for it to be used during file analysis.  If you want it applied to your servers and VMs, use the OS policy.  Also, the agent doing the work should have file analysis turned on and scheduled, see the links at the beginning of the post for more details.

So select the rules and press the down arrow, then press save.  When you get back to the Policy page, press the Push button - that will push the configuration to the agent doing the work.

So let's look at a specific example of a file analysis rule.  Let's say I want to find the largest files each user owns in their home directory (ex C:\Users\Brian or sharename/users/Matt).  I can build the following rule and apply it to the desired policies.

Once I apply this to the OS policy, I get the following report:

And voilà - I found a bunch of files that I can now go delete and reclaim space.

File analysis is a really powerful feature of Profiler.  It is harder to use than we would like (and we will make that better), but the results are worth it.


  • File Analysis works on local file systems on all agents, CIFS and NFS shares on NAS devices, and CIFS shares on Virtual Machines.
  • The number of files is limited in the rule to keep Profiler working well.  That being said, if you build a rule that is limited to 100 files, that is 100 files per target.  A target is a file system (C:\, D:\) or a share on a VM or NAS (C:\users$, /user/brian).  If you have 1000 targets, that means the rule would return information on up to 100,000 files. 
  • File analysis is driven by the schedule on the agent that the file analysis is assigned to.
  • If file analysis has previously been run, when you push out a new rule, it will be evaluated immediately on the historical data stored on the agent.
  • There are a few default file rules - Biggest files, oldest files, and new files.

As always, let us know your thoughts, suggestions and experiences with File Analysis.

When I talk with a customer and get the question, “how does Orion scale?” My answer is the customer can choose one of two ways to scale.

  1. By adding Orion Additional Pollers to scale horizontally
  2. By deploying multiple Orion instances and rolling up into the Enterprise Operations Console

In this post, we are going to discuss the Enterprise Operations Console or EOC for short.  EOC’s main functionality is to aggregate data from multiple Orion server installations and to display it in a similar fashion as the Orion Web Console.


Take the first graphic below: you have a worldwide network with teams responsible for managing their respective geographies, so an Orion installation resides in each of North America, EMEA and APAC.  The global NOC and Management Team requires a single rollup of all servers into a single installation for status, alerting, reporting etc.

Orion EOC aggregates the current status of your Orion NPM servers and presents this data in the Orion EOC Web Console. Administrators can restrict what Orion NPM data each Orion EOC user is permitted to see. These restrictions can be set on an individual basis by customizing user settings and on a group basis by defining roles.



In the EOC web console, here is what you would see, as illustrated in the second screenshot below.  One of the common misconceptions about EOC is that it pulls all the data from each of your Orion servers into the EOC database.  In actuality, EOC pulls high level information like current status, alerts, events, syslog and traps.  For any data beyond that, when you click on that item in the web console, you are seamlessly redirected behind the scenes to the Orion server that item resides on.  Let’s walk through an example.

  1. Looking at my EOC dashboard I see that under the “Global Nodes with Problems” resource, that Switch sales is down.
  2. I click on switch sales and am automatically redirected to the node details page for device Switch sales and logged into the Orion server Orion America as that is where that node resides for monitoring

I can now perform my investigation and go right back to my global EOC dashboard.


Now that we have gone through a high-level view of what EOC is and an example use case, let’s get in deeper on how it works.  I have taken my first image from above, but broken it down to a “how it works” level.  EOC is comprised of 4 main components:

  1. Orion Poller
  2. Information Service
  3. Website
  4. Database.


EOC pulls the following type of data through the Orion Information Service:

  • Alerts, Events, Syslog, Traps (last 24 hours worth of data)
  • Node, Volume, and Interface data (no historical data)
  • APM data (no historical data)
  • NetFlow (no historical data)
  • IPSLA Manager (no historical data)
  • Wireless (no historical data)
  • NCM (no historical data)
  • UDT (no historical data)
  • IPAM (no historical data)
  • Support for displaying Orion Groups

The Information Service (IS) module will exist in both EOC and Orion products. The service will provide a single point of communication and a simple and efficient mechanism to query the servers.  All communication with the IS module is encrypted using SSL and is on port 17777.

The Communication module uses Windows Communication Foundation (WCF) as the basis of its communication mechanism, which allows other applications, websites, scripts, and application modules to seamlessly communicate with it. WCF also provides secure, reliable communication and several transport and encoding options. It will allow us to easily build several types of messaging protocols such as REST, SOAP, etc.

The IS module provides a simple query interface that allows the client to execute a read-only query written in SolarWinds Query Language (SWQL). SWQL is very similar to the commonly used SQL language with a few deviations.

When asked how EOC scales or how many Orion servers EOC can handle, my typical rule of thumb is that a customer can roll up 20-25 SLXs into a single EOC instance.  That being said, if they want to roll up a larger number of smaller installations, they can, as long as the total number of elements feeding into the EOC is not more than about 600k.

We are also frequently asked for a rough idea of how much traffic to anticipate between the Orion servers and EOC. While this varies a lot, the chart below can start to give you an idea of what to expect.

625 KB

700 KB

822 KB

479 KB

1.183 MB

3 Apps, 37 Components

1 Source

1.277 MB

There you have it. From a high level of what it is, down to how it works, hopefully this helps shed some light on one of the many different ways you can deploy the Orion family.

In two previous blog posts I have introduced the Failover Engine and walked through some common Q&A we received right after launching the Failover Engine last year.

In this blog I wanted to get down into the nuts and bolts of how the Failover Engine actually works under the covers. When it comes to protecting an application, there is more to it than just watching the services. You need to watch and protect the entire application stack. On your Orion server, the following components exist:

  1. Services
  2. Registry Settings
  3. File System Structure
  4. Web Server (IIS)

We could just watch the Orion services and be done with it, but the problem with this is that you must then manually maintain your secondary failover server with the exact same configuration and settings. If/when a failover condition occurs and your end users notice reports or settings changed or missing, then you are going to get a call. Also, what if the problem is not with Orion itself, but something is going on with Microsoft IIS? Since the Failover Engine is watching and protecting the four areas above, as also illustrated in the image below, you do not have to worry about these scenarios as they are covered.




Let’s walk through each of these four areas in further detail.

  1. Services   
    As shown above, the Heartbeat periodically checks that all the services are up and running.  The Heartbeat portion of the application is responsible for the data replication, switchover and failover processes.  The protected service list is created dynamically by looking at a specific registry setting that we write to on product installs.  So as long as you have the appropriate license, if you install a new module then protection is automatically picked up. For the given services being monitored, within the Failover Management client you can specify behavior (you can define up to three steps per service), like which services are the most critical and when to initiate a failover. For example, for the SolarWinds Syslog Service:
    1. Service fails
    2. First attempt – restart the service
    3. Restart fails – second attempt: restart the entire Orion application
    4. Syslog service still fails, then initiate a failover to the secondary server
  2. Registry Settings   
    As I discussed above, there are key critical registry settings the Failover Engine watches and replicates between the primary and secondary server (more details on replication below).  These include things like licensing info, SolarWinds directory locations and registered SolarWinds services.  This is the reason you don’t have to buy two copies of Orion.  Since only one copy of Orion is running at any given time and the registry is in sync, you don’t need two license keys.
  3. File System Structure   
    With Orion most data is stored in the database, so why is this important?  There are files which are important to the use and operation of the product and which need to be replicated across servers.  Examples include report template definitions, as you may create a set of custom reports.  From a back-end operational standpoint, the SolarWinds Job Engine service has a small database we install that handles the job dispatching and processing, which is also very important to keep in sync.  Here are some key items to know about the replication portion of the Failover Engine:
    • If for some reason the channel between the two servers is broken, the Failover Engine will queue up the replication changes.  When the connection is re-established, we will restart replication to verify data sets are the same.
    • Near real-time byte level data replication is provided between the active and passive servers.  Byte level replication ensures that only file deltas are replicated and not whole files or transactions.
    • Near real-time byte level replication works within the Windows kernel to ensure that near real-time data changes are sent from the active to the passive (secondary) server and once the process is complete. Below is a basic overview of how this process works.
      1. Data change is requested
      2. Failover Engine Filter Driver intercepts the request at the I/O level
      3. Failover Engine Filter Driver checks the replication settings to see if this change needs replicating
      4. Failover Engine Filter Driver generates a unique sequence number for the replication request
      5. Failover Engine replicates the data and also sends the change on to the Windows file system
      6. Windows commits the data change and sends confirmation to the application layer
      7. Failover Engine Filter Driver intercepts the confirmation
      8. Failover Engine replicates the confirmation to the passive server if required
      9. Data change process is now complete
  4. Web Server (IIS)   
    Orion services can be up and running just fine, but users may be complaining that the web console does not come up or is slow.  Is IIS running?  Failover Engine watches IIS at a service level; you can also define checks & tests to ensure the website is up and responding within an acceptable period of time.
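A simplified user-space model of the replication behaviour described under File System Structure above (sequence-numbered byte-level deltas, queueing while the channel is down, verification on reconnect). This is an added example, not SolarWinds code: the class names, method names and the `protected/` path prefix are hypothetical, and the real filter driver works inside the Windows kernel.

```python
import hashlib
from collections import deque


def apply_delta(files, path, offset, data):
    """Write `data` at `offset`, zero-filling any gap past end of file."""
    buf = files.setdefault(path, bytearray())
    if len(buf) < offset:
        buf.extend(b"\0" * (offset - len(buf)))
    buf[offset:offset + len(data)] = data


def digest(data):
    return hashlib.sha256(bytes(data)).hexdigest()


class PassiveServer:
    """Applies deltas strictly in sequence order."""

    def __init__(self):
        self.files = {}
        self.last_seq = 0

    def apply(self, seq, path, offset, data):
        if seq != self.last_seq + 1:
            raise ValueError(f"delta {seq} out of order, expected {self.last_seq + 1}")
        apply_delta(self.files, path, offset, data)
        self.last_seq = seq


class ActiveServer:
    """Numbers each protected write and ships only the changed bytes."""

    def __init__(self, passive, protected_prefixes):
        self.passive = passive
        self.protected = tuple(protected_prefixes)
        self.files = {}
        self.seq = 0
        self.queue = deque()      # deltas held while the channel is down
        self.channel_up = True
        self.bytes_sent = 0

    def write(self, path, offset, data):
        replicate = path.startswith(self.protected)       # step 3
        if replicate:
            self.seq += 1                                  # step 4
            self.queue.append((self.seq, path, offset, bytes(data)))
            self.flush()                                   # step 5
        apply_delta(self.files, path, offset, data)        # step 6
        return self.seq if replicate else None

    def flush(self):
        while self.channel_up and self.queue:
            seq, path, offset, data = self.queue.popleft()
            self.passive.apply(seq, path, offset, data)
            self.bytes_sent += len(data)

    def in_sync(self):
        return all(digest(buf) == digest(self.passive.files.get(path, b""))
                   for path, buf in self.files.items()
                   if path.startswith(self.protected))

    def reconnect(self):
        """Drain the queue, then verify both sides hold the same data."""
        self.channel_up = True
        self.flush()
        return self.in_sync()


if __name__ == "__main__":
    passive = PassiveServer()
    active = ActiveServer(passive, ["protected/"])   # constructed path prefix
    active.write("protected/report.tpl", 0, b"A" * 1000)
    active.write("protected/report.tpl", 10, b"BBBB")      # 4-byte delta only
    active.channel_up = False
    active.write("protected/report.tpl", 998, b"CCCC")     # queued
    print(active.bytes_sent, len(active.queue), active.reconnect())
```

The strict sequence check on the passive side is what makes a lost or reordered delta visible instead of silently producing a divergent copy.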

Let’s switch gears now to licensing/packaging. Since one of my previous Failover Engine posts, APM and IPAM have released new versions which can be deployed as a module (as you could always do), but now both can be installed standalone without requiring NPM as well.

We still license by what we call a “primary product” per server. Previously, what was classified as a primary product were Orion NPM, APM and NCM. This is where the change comes in. Prior to IPAM 2.0 you could only install IPAM as a module, and we didn’t charge for protecting it. If you still deploy it as a module, this remains true. If you purchase IPAM and choose to deploy it standalone and desire Failover Engine protection, then you will need to purchase the Failover Engine for One Primary Product. Now that we have released SolarWinds User Device Tracker or UDT, it also behaves the same way IPAM does here.

Let’s walk through two different examples.

  1. Orion NPM, IPAM and NTA – you will need Failover Engine for One Primary Product.  Since NPM is considered a primary product and IPAM is installed as a module, you get protection for IPAM for free.
  2. Orion IPAM only – you will need Failover Engine for One Primary Product.  Since you are deploying IPAM as a standalone you will need to purchase a license to protect it.

One last scenario with the release of UDT or User Device Tracker.  Since IPAM and UDT are not considered "primary products" as described above, what if I purchase UDT and IPAM and want to protect both of them with FoE, what do I need to buy?  The answer is you just need an FoE for One primary product in this scenario.

Any questions or comments, please post them. As I have illustrated in this post and the two previous posts I referenced at the start of this post, the Failover Engine product is very feature rich; it is more than just High Availability/Disaster Recovery, and more about Application Availability.

We have some new Exchange templates posted to the Content Exchange on thwack that should be an improvement to your Exchange monitoring.  These templates are the first of many that we will be updating over the next few months.  We’ve received a great deal of feedback on how we could improve these, specifically on how we can provide better guidance on what you should monitor.  Anyone familiar with Exchange knows there are many, many things you can monitor, and it’s easy to get lost in terms of knowing what’s important to monitor and what’s not.  These new templates are an attempt at solving that problem.  These new templates are an improvement over the existing templates that currently ship with APM 4.0 for two reasons.  First, they include component monitors for things you should monitor versus things you could monitor.  Second, they include recommendations for when to use which template, AND recommendations for thresholds for specific performance counters.

You can find the new templates in a .zip file on the Content Exchange: Updated Exchange Templates. In the .zip you’ll find the new templates, as well as a .pdf that provides detailed documentation on each template and recommendations for thresholds on performance counters. To use the templates, simply extract them from the .zip, then import them to APM.


You can do this by going to the ‘Manage Templates’ page, then click Import.


Select the template you want to import, then click SUBMIT.  Once imported you’re ready to go!

We’d love to hear your feedback on these new templates. Feel free to email me directly, post a comment here, or start a thread on thwack.

March 14 – March 18, 2011, Orlando, Florida


This year's conference theme is "Celebrating a Decade of Cyber Security Training, Innovation, and Idea Sharing." 

Stop by SolarWinds booth #521 to learn how our IT management solutions are used throughout the FAA both nationally and regionally. Whether it’s mission networks, engineering networks, or business networks, SolarWinds proactive monitoring solutions provide the visibility and the tools necessary to manage and troubleshoot issues. Learn about the SolarWinds Network Management Certification Program and how to take your skills to the next level.

Email to schedule a demo of our IT management solutions.  

We’ve got a new webinar for you. It’s on-demand, so view it at your convenience. Details below, if you’re interested in checking it out:


The traditional application server has been deconstructed and redefined. Components of today’s applications run on distributed systems which have been virtualized across clusters of physical hosts that share network bandwidth to storage and other resources. Additionally, today’s hyper-dense computing environments, made possible by innovations by companies such as Cisco, EMC, and VMware, have placed more servers per square foot in our data centers than ever before.


These changes cause us to revisit IT management philosophies and in many cases to re-tool ourselves for this generation of data center. Join SolarWinds Head Geek Josh Stephens as we discuss the changes that these trends have caused and how they affect application management best practices. Some of what he’ll cover will include:

  • Understanding today’s application server technologies
  • Best practices for managing next-gen application servers
  • Key elements of successful monitoring in hyper-dense computing environments
  • Management system recommendations and what to watch out for

Also during this webcast we’ll demonstrate key technologies from SolarWinds that help conquer these challenges and ensure application management success in these environments.



A long, long time ago in the year 2010 if you wanted to run Orion APM and IPAM you had to own Orion NPM.  With the launches of APM 4.0 and IPAM 2.0 earlier this year you can run either product as a module or standalone – that is, without installing NPM first.  To enable this we had to remove the dependency of requiring NPM.  So over the past year we have been making this separation into what we call “Orion Core”.


Obvious next question is “What is Orion Core?”  Orion Core is the base set of infrastructural functionality or services needed for a product to run standalone.  Examples include user authentication, syslog, traps, reporting, website, database etc.


Our goal was to make the concept of Orion Core as seamless and transparent to you, the end user, as possible. As an example of this, let’s say you purchase APM. When you download APM from the Customer Portal, it is one set of bits, as you can see in the screenshot below. After you download, and as part of the installation process, we automatically figure out if you are installing on top of some other Orion product as a module or if this is a standalone installation.




So at the footer of the Orion web console, you now see the below screenshot in the latest versions.  Most users should never need to worry about Orion Core.  For a few of you, however, understanding what Orion Core is would be helpful, and specifically, those are the folks with Additional Pollers and Additional Web Consoles.




As many of you know, we only charge customers for the initial instance of an additional poller or additional website per Orion installation.  Since in the past everything in the Orion family required NPM in order to be run, you saw Orion NPM 10.0 Additional Polling Engine or Orion NPM 10.0 Additional Web Server in the customer portal.


Example from the past:  I have Orion NPM & APM on a single server.  I have purchased an additional polling engine.  I download my Orion NPM 10.0 Additional Polling Engine and install it and since APM supports an additional poller as well, I can install the APM additional poller at no additional cost to me.


Even though customers can now purchase APM standalone, this scenario is still valid and true.


The new scenario is I purchase Orion NPM, APM and a single Orion Additional Poller.  As outlined in the below diagram, I am going to install Orion NPM and APM on different servers since different teams will be responsible for using and managing their installation.  Both server installations each need an additional poller for scale.  Can I use the single Orion Additional Poller purchased on both servers?  The answer is no, the user will need to purchase one more Orion Additional Poller.




Below is what you now see in the customer portal for Orion Additional Polling Engine and Additional Web Server.  Since this is specific to the Orion Core version I discussed earlier we can’t put a normal product version on it like NPM 10.1 or APM 4.0 since it could be used on either.




Key takeaway from this thread is the following:

  • If you don’t own Orion Additional Pollers or Additional Web Servers, don’t worry about Orion Core
  • If you do own an Orion Additional Poller or Additional Web Server, make sure what you download and install matches what is in the web console for the Core version (aka 2010.2 or 2011.1 etc.)

The reality with most products is that customers will more often than not take an initial product concept, and extend and use a product in ways that were never imagined at the outset.  So it has been for Virtualization Manager.  As Thwack and many other online communities can attest to, the whole really is more than the sum of the parts!


Since Virtualization Manager is based on a data-driven, search-based platform, “content” (such as a dashboard) created within Virtualization Manager can be exported from one instance and imported into another. This has allowed the Virtualization Manager product to iterate very quickly in anticipation of market needs – many of the dashboards you see in the product today, such as the “EC2 Cloud Cost Estimator” dashboard that estimates what it would cost to run your VMs on Amazon EC2, evolved out of sharing content this way with customers.

The Cloud Cost Estimator Dashboard


Of course, the great part is that you are not limited to receiving content from SolarWinds – any Virtualization Manager customer can export the great content they’ve created and share it with other customers.

So what do we mean by “content” – what kind of things can be exported and imported? Some of the most important are:

  • Queries – or Searches – the building block for a lot of the Virtualization Manager content
  • Alert – Pretty much what you’d expect, really a search that is run on a schedule that meets certain conditions.
  • Trends – A search whose results are plotted over time, a powerful way to trend the performance and configuration of the environment.
  • Templates – A set of properties that can be used to generate a report
  • Dashboards – Export or import a complete dashboard with all the widgets!


Exporting or importing a dashboard in particular can be very effective since it will export all of the widgets on that dashboard.  So how do you export and import content in Virtualization Manager?


To Export Content

Firstly, navigate to the “content” part of the product that lists all of the different content known to Virtualization Manager – you can get there by clicking on the “content” link at the top of the screen:



Select the item you want to export (in this case, we’ll export the EC2 dashboard), select it and select export from the top right.



From here, you can save the file as an XML file to your computer (giving the file an .xml extension is helpful).



To Import Content

Importing content is just as easy – at the bottom right of the content screen, you’ll find an “Import Content” button – select it and you can choose the .xml content file to import.



That’s all there is to it – so what are you waiting for?  Let the sharing begin!

SolarWinds IP Address Manager 2.0 is officially here. Here is a link to the Release Notes. Below is a quick overview of some of the cool new features now available.

1. Standalone

IPAM no longer needs NPM. A lot of our customers enjoy the benefits of running IPAM and NPM side by side. For those of you who like the single pane of glass, nothing changes. For people who are interested in more complex deployment scenarios or only need an IP Management solution, you can purchase and install IPAM on its own server.

If you want to install IPAM 2.0 on the same server as NPM, you will need to be running the latest version of NPM, 10.1.2. If you have additional polling engines or websites, those servers will need to be upgraded to the latest version of NPM as well.

2. Historical Tracking

Want to know who had a specific address a week ago? Maybe you have a NetFlow log with an IP of suspicious traffic but no hostname, or another product with a security event for an address at a certain time; simply search for the IP address and click View Assignment History to find out who (hostname or MAC address) had that address at that time.
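The lookup behind that question, sketched as an added example (not IPAM code or its data model): given an address and an event timestamp from a flow log or security alert, return which host held the address, including the awkward cases around a hand-over. The `Assignment` record, the `who_had` function and the sample history are constructed for illustration.

```python
from datetime import datetime, timedelta, timezone
from ipaddress import ip_address
from typing import NamedTuple, Optional


class Assignment(NamedTuple):
    ip: str
    mac: str
    hostname: str
    start: datetime
    end: Optional[datetime]    # None = still assigned


def utc(text):
    return datetime.strptime(text, "%Y-%m-%d %H:%M").replace(tzinfo=timezone.utc)


# Constructed sample history (documentation IP and MAC ranges, made-up hosts).
HISTORY = [
    Assignment("192.0.2.45", "00:00:5e:00:53:0a", "lab-printer",
               utc("2011-03-01 08:00"), utc("2011-03-04 17:30")),
    Assignment("192.0.2.45", "00:00:5e:00:53:1b", "visitor-laptop",
               utc("2011-03-04 17:32"), utc("2011-03-05 09:00")),
    Assignment("192.0.2.45", "00:00:5e:00:53:2c", "hr-desktop-7",
               utc("2011-03-06 08:15"), None),
    Assignment("192.0.2.46", "00:00:5e:00:53:3d", "build-server",
               utc("2011-02-01 00:00"), None),
]


def who_had(ip, when, history, skew=timedelta(0)):
    """Return every assignment of `ip` that covers `when`, widened by `skew`.

    `skew` models clock drift between the system that logged the event and
    the system that recorded the assignment. More than one result means the
    event is too close to a hand-over to attribute to a single host; an empty
    list means the address was unassigned at that time.
    """
    if when.tzinfo is None:
        raise ValueError("event time must be timezone-aware")
    target = ip_address(ip)
    hits = []
    for a in history:
        if ip_address(a.ip) != target:
            continue
        started = a.start - skew <= when
        not_ended = a.end is None or when <= a.end + skew
        if started and not_ended:
            hits.append(a)
    return sorted(hits, key=lambda a: a.start)


if __name__ == "__main__":
    event = utc("2011-03-04 17:31")
    for tolerance in (timedelta(0), timedelta(minutes=5)):
        names = [a.hostname for a in who_had("192.0.2.45", event, HISTORY, tolerance)]
        print(tolerance, names)
```

Comparing timestamps in one time zone matters here: a log in local time matched against history in UTC can attribute traffic to the previous or next holder of the address.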







Or, for full details about an address, click the View Details button (available on the search results page and Subnet Management page). This is a new view in IPAM 2.0 and gives you all the information you need to know about a specific IP address.



3. IPv6 Planning

Heard about the depletion of the IANA Free Pool and don’t know how that will impact you? Get informed and make a plan. With the new features in IPAM 2.0, you can create IPv6 address plans to deploy address schemes that make sense for your network. Whether you already have your global prefix or you just need to get more familiar with working in Hex instead of Decimal, we’ve got the tools to help you get started. Some customers will establish multiple subnets below one global prefix, while others will carve out their address space using some of the bits to create a hierarchy that includes sites, then subnets. Either way, we’ve got you covered.



Here are the dialog boxes to add a Global Prefix, then a Site (optional), then a Subnet. In this example, I created a global prefix of 2001:DB80 /32 and added a site for State (Texas 2001:DB80:A000 /36) and used another site for City (Austin 2001:DB80:AA00 /40) and a final subnet for my specific building (2001:DB80:AAA0 /44). This is just an arbitrary example and not a recommendation on how you should design your address plan, although it would be good to consider staying on nibble boundaries (single characters, 4 bits) when creating these hierarchies (unless you just really enjoy doing binary math and in general making everyone’s life difficult :) ).
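The hierarchy above, checked with Python's standard `ipaddress` module as an added example (not part of IPAM): it verifies that each level nests inside its parent and sits on a nibble boundary, and lists the child prefixes available one hex digit down. The function names and the "Dallas" entry used in the demo are made up for illustration.

```python
from ipaddress import IPv6Network

# The plan from the text, written in full CIDR notation.
PLAN = [
    ("Global", "2001:db80::/32"),
    ("Texas", "2001:db80:a000::/36"),
    ("Austin", "2001:db80:aa00::/40"),
    ("Building", "2001:db80:aaa0::/44"),
]


def on_nibble_boundary(net):
    """True when the prefix length ends on a whole hex digit."""
    return net.prefixlen % 4 == 0


def validate_plan(levels):
    """Check an ordered list of (name, cidr) from global prefix down.

    Returns a list of problems; an empty list means every level is a valid
    network, is nibble-aligned, and is contained in the level above it.
    """
    problems = []
    parent = None
    for name, cidr in levels:
        try:
            # strict=True rejects prefixes with bits set beyond the length,
            # e.g. a /36 typed with the digits of a /40.
            net = IPv6Network(cidr, strict=True)
        except ValueError as exc:
            problems.append(f"{name}: {exc}")
            continue
        if not on_nibble_boundary(net):
            problems.append(f"{name}: /{net.prefixlen} is not on a nibble boundary")
        if parent is not None and not net.subnet_of(parent[1]):
            problems.append(f"{name}: {net} is not inside {parent[0]} {parent[1]}")
        parent = (name, net)
    return problems


def children(parent_cidr, nibbles=1):
    """List the child prefixes `nibbles` hex digits longer than the parent."""
    parent = IPv6Network(parent_cidr)
    return [str(n) for n in parent.subnets(prefixlen_diff=4 * nibbles)]


if __name__ == "__main__":
    print(validate_plan(PLAN) or "plan is consistent")
    # One more hex digit under Texas gives 16 possible city prefixes.
    for prefix in children("2001:db80:a000::/36"):
        print(prefix)
    # A /38 site cuts through the middle of a hex digit and is outside Texas.
    print(validate_plan(PLAN[:2] + [("Dallas", "2001:db80:b000::/38")]))
```

Staying on nibble boundaries means each level of the hierarchy is readable directly from the written address, which also keeps ACLs and firewall rules for a site down to a single prefix.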





For a great source of information on IPv6 deployment planning, see this slide deck by Shannon McFarland from Cisco.

4. Duplicate Subnets

Some customers want to be able to manage overlapping or duplicate subnets (for example, MSPs managing customers who are each using the 10 /8 network). For customers who do not need to manage environments with overlapping addresses, we’ve introduced a new setting to allow you to turn off duplicate subnets. For new installs, duplicate subnets are disabled by default; for customers upgrading from a previous version of IPAM, you need to change this setting. For more information, see my previous blog post SNEAK PEAK–IPAM 2.0 and Duplicate Subnets.

5. UI Tweaks and Search

There are several other fixes and UI tweaks. For example, we removed the redundant tabs from the management page and added search to more places.

Before and After



Want more? See “What we are working on post IPAM 2.0” for what we are already hard at work on next to make your job (life?) easier.
