
With APM 4.2 officially out the door the APM development team is gearing up for the next major release. Below is the list of features the APM development team is working diligently to deliver in the next release of APM.

  • IPv6 Support
  • Server Hardware Health Status Monitoring
    • Hard drive, fan, power supply, array controller, etc.
  • Real-time Process Monitoring
    • CPU, memory, virtual memory, and disk I/O statistics for both monitored and unmonitored processes
  • Improved Application Discovery
    • Application template assignment accuracy and performance improvements
  • UI enhancements for template creation and editing
    • Multi-delete, enable, disable, test, and assign credentials to multiple components in a template at once
    • Re-order components within an application template
    • Faster rendering of the template editing page for templates that contain a large number of component monitors
  • Printer Hardware Status Monitoring
    • Toner/paper levels and printer errors (out of paper, paper jam, etc.)

PLEASE NOTE: We are working on these items in this priority order, but this is NOT a commitment that all of these enhancements will make the next release. We are working on a number of other smaller features in parallel. If you have comments or questions on any of these items (e.g. how would it work?) or would like to be included in a preview demo, please let us know!

SolarWinds NetFlow Traffic Analyzer (NTA) 3.8 was released last month. In case you missed it, below is a quick overview of some of the cool new features now available. You can find the release notes here.

Features

  1. BGP Support
  2. Huawei NetStream
  3. Flow Navigator
  4. Endpoint Centric resources
  5. Unified UI (most NTA resources can be placed on most views)
  6. Search
  7. Performance Enhancements

Fixes

  1. Account limitations
  2. Service doesn't restart after database timeouts
  3. Export to PDF issues


BGP Support

NetFlow v5 and v9 can carry the source and destination BGP Autonomous System (AS) numbers in each flow record. This is a feature for customers who need to track flows across multiple service providers; if you have a single provider you most likely don't need to worry about BGP, but if you have several, you are probably very interested in this feature. Here is a quick example of how to configure a Cisco IOS router to include BGP information in the flow data (assuming you already have BGP and NetFlow configured on the router).

Router# configure terminal
Router(config)# ip flow-export version 9 origin-as

The origin-as keyword tells the router to record the AS in which the traffic originated; the alternative, peer-as, records the AS of the directly adjacent BGP peer instead. I prefer recording the origin AS, but you'll need to decide which is the most useful in your network. Either way the value lands in the same source/destination AS fields of the record, so the collector cannot tell afterwards which keyword was used; note the choice in your change records.

Adding the BGP AS data into your flow data can have an impact on your router's CPU. I recommend monitoring the CPU of your device to make sure you don't see any negative impact after you enable this feature, and making the change after hours or in your change-management window rather than during the day. Once NTA is receiving the data, it includes two resources that help you use this information: the Top 5 Autonomous Systems and the Top 5 Autonomous Systems Conversations resources.


Huawei NetStream

SolarWinds NTA now has full support for devices that use the Huawei NetStream flow standard (for example the Quidway NetEngine 80 and 40 series routers). SolarWinds already supported other Huawei flow-capable devices, but the NetEngine routers required special work to support. From a user perspective you monitor them just like any other flow-enabled device in NTA:

  1. Add the device to NPM
  2. Monitor the source flow interfaces
  3. Configure the device to send flows to NTA
  4. The flows should be automatically picked up and added to NTA
  5. Enjoy your data!


Flow Navigator

Flow Navigator is an awesome new feature that makes finding specific traffic much easier. On all of the NTA pages, you will see a Flow Navigator icon on the upper left side of the page. If you click the chevrons (>>) then the Flow Navigator will fly out on the page and you can create a customized view of data. For example, if you want to see all web traffic from your site through a specific service provider, simply select port 80 on the Applications option and specify the appropriate BGP AS numbers. Here is a screenshot of the Flow Navigator expanded on to a page.


One other really handy feature is the “Save filtered view to menu bar” button. This allows you to quickly save your work so that you can re-use the view or make it available for other people. Simply click the button and provide a friendly name and the menu bar will be updated with your custom view.
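The AS fields from the BGP section and the Flow Navigator filter just described, as an added Python example that is not SolarWinds code: it decodes a constructed NetFlow v5 datagram (the src_as/dst_as fields that the origin-as or peer-as keyword populates), computes the bytes-per-AS-pair table behind a Top 5 Autonomous Systems Conversations view, and applies the "port 80 to a chosen provider AS" filter. The datagram contents, the ASNs (64496-64498, from the documentation range) and the addresses are constructed; v9 carries the same fields through templates and is not parsed here.

```python
"""NetFlow v5 decoding with the BGP AS fields, and the two NTA views built on them.
Added example over a constructed datagram; this is not SolarWinds NTA code."""
import ipaddress
import struct
from collections import Counter

# Cisco NetFlow v5 wire format, big-endian: 24-byte header followed by 48-byte records.
V5_HEADER = struct.Struct("!HHIIIIBBH")
V5_RECORD = struct.Struct("!4s4s4sHHIIIIHHBBBBHHBBH")
V5_MAX_RECORDS = 30  # a v5 datagram never carries more than 30 flow records


def parse_v5(datagram: bytes):
    """Return one dict per flow; reject datagrams whose header disagrees with their length.
    NetFlow arrives over unauthenticated UDP, so a collector must not trust the count field."""
    if len(datagram) < V5_HEADER.size:
        raise ValueError("truncated NetFlow header")
    version, count, *_ = V5_HEADER.unpack_from(datagram, 0)
    if version != 5:
        raise ValueError(f"expected NetFlow v5, got version {version}")
    if count > V5_MAX_RECORDS or len(datagram) < V5_HEADER.size + count * V5_RECORD.size:
        raise ValueError(f"header claims {count} records but datagram is {len(datagram)} bytes")
    flows = []
    for i in range(count):
        (src, dst, _nexthop, _in_if, _out_if, pkts, octets, _first, _last,
         sport, dport, _pad1, _flags, proto, _tos, src_as, dst_as,
         _smask, _dmask, _pad2) = V5_RECORD.unpack_from(datagram, V5_HEADER.size + i * V5_RECORD.size)
        flows.append({"src": str(ipaddress.IPv4Address(src)), "dst": str(ipaddress.IPv4Address(dst)),
                      "sport": sport, "dport": dport, "proto": proto, "pkts": pkts, "octets": octets,
                      "src_as": src_as, "dst_as": dst_as})  # origin or peer AS, per the router keyword
    return flows


def top_as_conversations(flows, n=5):
    """Bytes per (src_as, dst_as) pair, largest first: the Top 5 AS Conversations table."""
    totals = Counter()
    for f in flows:
        totals[(f["src_as"], f["dst_as"])] += f["octets"]
    return totals.most_common(n)


def web_traffic_to_as(flows, provider_asns, port=80):
    """Flow Navigator style filter: TCP flows to the given port whose destination AS is a chosen provider."""
    return [f for f in flows if f["proto"] == 6 and f["dport"] == port and f["dst_as"] in provider_asns]


# Constructed sample: addresses from the RFC 5737 test ranges, ASNs from the RFC 5398 documentation range.
def _record(src, dst, octets, sport, dport, src_as, dst_as):
    return (ipaddress.IPv4Address(src).packed, ipaddress.IPv4Address(dst).packed, b"\0" * 4,
            1, 2, 10, octets, 0, 0, sport, dport, 0, 0x18, 6, 0, src_as, dst_as, 24, 24, 0)


_RECORDS = [
    _record("10.0.0.5", "198.51.100.10", 5000, 51000, 80, 64496, 64497),   # our AS -> provider A, web
    _record("10.0.0.6", "198.51.100.11", 3000, 51001, 80, 64496, 64497),   # our AS -> provider A, web
    _record("10.0.0.5", "203.0.113.7", 8000, 51002, 443, 64496, 64498),    # our AS -> provider B, https
    _record("198.51.100.10", "10.0.0.5", 20000, 80, 51000, 64497, 64496),  # provider A -> our AS, replies
    _record("10.0.0.7", "203.0.113.9", 1000, 51003, 80, 64496, 64498),     # our AS -> provider B, web
]
SAMPLE_DATAGRAM = (V5_HEADER.pack(5, len(_RECORDS), 0, 0, 0, 0, 0, 0, 0)
                   + b"".join(V5_RECORD.pack(*r) for r in _RECORDS))

if __name__ == "__main__":
    flows = parse_v5(SAMPLE_DATAGRAM)
    print("Top AS conversations:", top_as_conversations(flows))
    print("Web traffic via AS 64497:", web_traffic_to_as(flows, {64497}))
```

Because NetFlow is plain UDP with no authentication, a forged datagram from anywhere can push bogus AS pairs to the top of these views; restrict the collector to known exporter addresses (at the host firewall as well as in NTA) and discard malformed datagrams the way parse_v5 does. The AS numbers in the records are whatever the router was told to export, so origin-as versus peer-as has to be recorded in your change documentation rather than inferred from the data.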


Endpoint Centric Resources

Endpoint centric resources are essentially resources that have been added to your existing managed nodes so you can quickly see traffic information about that particular node. This can be particularly useful if you are trying to troubleshoot application and server issues because you will see the traffic being sent to and from that server on the same page where other pertinent application and performance data is displayed.


Enjoy!

Please join us for an exclusive training session on SolarWinds Network Performance Monitor (NPM).

Thursday October 6, 2011 @ 11:00 AM CDT

During this 60 minute training session we'll cover:

- The basics of monitoring technologies

- Understanding monitoring for routers, switches, servers, and other infrastructure

- Alerts! Making the most of your performance and availability monitoring

- Optimizing NPM features

Registration Link  https://www1.gotomeeting.com/register/508636512


  A number of folks have started to deploy Virtual Desktop solutions in earnest.  Whether this is a solution from VMware, Citrix, or someone else – we often get asked how to drill down or provide a perspective on just the pieces of the virtual infrastructure supporting the Virtual Desktops (i.e. so we can understand CPU, memory, disk IO and network contention just on the subset supporting VDI) 

So how can we identify the Virtual Desktops in our environment?  One way is to look at the guest OS installed inside the VMs to infer whether this VM is a desktop (i.e. a desktop vs server OS).  If you visit VMware’s supported OS page here, and filter by OS type of “Desktop” for ESXi5 – you get 38 individual OS results.  In general, the majority are some flavor of Windows desktop OS (Windows XP, Windows 7 etc….)  We can narrow these 38 individual OSes down into 8 categories and get:

MS-DOS (yes – it’s true!); Windows 3.1; Windows 7; Windows 95; Windows 98; Windows Vista; Windows XP; SUSE Linux Enterprise Desktop

So how can we find these types of desktop OS VMs in Virtualization Manager? We can leverage the power of search to find these VMs. If we look in the query builder inside the product, we can quickly find the property "vm.guestFullName" that we're looking for:


It's worth noting the description listed with this property: it gives a pretty accurate description of the guest OS as reported by VMware Tools (which should really be installed in your virtual desktops anyhow). Because the value is reported from inside the guest, a VM without Tools, or one whose guest misreports its OS, will not show up in this search, so treat the result as an inventory aid rather than an authoritative classification. We can use the Editor Mode of the query builder to chain together (using "OR") a list of the 8 OS categories we're looking for, so something like:

vm.guestFullName:"MS-DOS" OR vm.guestFullName:"Windows 3.1" OR vm.guestFullName:"Windows 7" OR vm.guestFullName:"Windows 95" OR vm.guestFullName:"Windows 98" OR vm.guestFullName:"Windows Vista" OR vm.guestFullName:"Windows XP" OR vm.guestFullName:"Desktop"

which should match on VMs with a desktop OS property matching that particular phrase/string.  Let’s try it out:


A quick mouse over on “hits” from search results looks like it is bringing up the right VMs.  We can also look at a “facet” view (by clicking more->explore to the right of the search bar) to get a pie chart of how the desktop OS types break down in our environment.

One more quick concept: I am able to search "across" object relationships. For example, to find clusters that have VMs running Windows XP, I can do a cluster search for cluster.vm.guestFullName:"Windows XP"; similarly, to find datastores being used by Windows XP VMs, I can do a datastore search for datastore.vm.guestFullName:"Windows XP".

So let’s get back to our original premise – how can we use this search to give us a VDI perspective? 

Since almost all of the content (widgets) on a Virtualization Manager dashboard is backed by a search, we can leverage the desktop OS search above, across object relationships, to create widgets that focus only on the subset of the VMs supporting VDI.

Let’s take one example – the Cluster Memory Utilization widget on the default “Administrator” dashboard. 

The standard search here is "* AND -cluster.memload.latest:0" (the leading minus on the second term excludes clusters whose latest memory load is zero, i.e. clusters that have reported no data). If we add our new desktop OS search, we get:

* AND -cluster.memload.latest:0 AND (cluster.vm.guestFullName:"MS-DOS" OR cluster.vm.guestFullName:"Windows 3.1" OR cluster.vm.guestFullName:"Windows 7" OR cluster.vm.guestFullName:"Windows 95" OR cluster.vm.guestFullName:"Windows 98" OR cluster.vm.guestFullName:"Windows Vista" OR cluster.vm.guestFullName:"Windows XP" OR cluster.vm.guestFullName:"Desktop")

We put this search query into the widget configuration above, and we’ve got ourselves a Cluster memory utilization widget, just for our VDI clusters (or strictly speaking, the clusters containing VMs with a desktop OS).

If we go ahead and do this for a number of widgets, we could get a (slightly updated) version of the administrator dashboard for example, focused only on our VDI/desktop OS infrastructure.

We could also do the inverse. To find the VMs NOT running one of the above 8 types of desktop OS (essentially a search for our server OS VMs), we can use a search like:

vm.name:* NOT(vm.guestFullName:"MS-DOS" OR vm.guestFullName:"Windows 3.1" OR vm.guestFullName:"Windows 7" OR vm.guestFullName:"Windows 95" OR vm.guestFullName:"Windows 98" OR vm.guestFullName:"Windows Vista" OR vm.guestFullName:"Windows XP" OR vm.guestFullName:"Desktop")
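The searches above, replayed as an added Python example over a constructed inventory. This is not Virtualization Manager's query engine; the inventory, the matching rule (plain substring match on the guest OS string) and the memload values are assumptions. It shows what the relationship searches actually select, and where a guest-reported OS string leaves gaps.

```python
"""The desktop-OS search and its relationship roll-ups as plain Python over a constructed inventory.
Added example; not Virtualization Manager code. Matching is assumed to be substring, case-sensitive."""
from dataclasses import dataclass

DESKTOP_OS_PHRASES = ["MS-DOS", "Windows 3.1", "Windows 7", "Windows 95",
                      "Windows 98", "Windows Vista", "Windows XP", "Desktop"]


@dataclass
class VM:
    name: str
    guest_full_name: str   # vm.guestFullName as reported by VMware Tools; "" when Tools is absent
    cluster: str
    datastores: tuple


@dataclass
class Cluster:
    name: str
    memload_latest: float  # cluster.memload.latest; 0 when the cluster has reported no data


def desktop_search(prefix="vm"):
    """Build the OR-chained query string for any object prefix (vm, cluster.vm, datastore.vm)."""
    return " OR ".join(f'{prefix}.guestFullName:"{p}"' for p in DESKTOP_OS_PHRASES)


def is_desktop(vm):
    return any(phrase in vm.guest_full_name for phrase in DESKTOP_OS_PHRASES)


def desktop_vms(vms):
    return [v for v in vms if is_desktop(v)]


def server_vms(vms):
    """The NOT(...) inverse. It also returns VMs with no Tools-reported OS at all, which is why
    an empty guestFullName should be investigated rather than assumed to be a server."""
    return [v for v in vms if not is_desktop(v)]


def vdi_clusters(vms, clusters):
    """'* AND -cluster.memload.latest:0 AND (cluster.vm.guestFullName:...)': a cluster matches
    when ANY of its VMs matches (relationship traversal) and its latest memory load is non-zero."""
    names = {v.cluster for v in desktop_vms(vms)}
    return [c.name for c in clusters if c.name in names and c.memload_latest != 0]


def vdi_datastores(vms):
    """'datastore.vm.guestFullName:...': every datastore backing at least one desktop VM."""
    return {ds for v in desktop_vms(vms) for ds in v.datastores}


# Constructed inventory (names and OS strings are made up).
VMS = [
    VM("vdi01", "Microsoft Windows 7 (64-bit)", "VDI-A", ("ds-vdi-1",)),
    VM("vdi02", "Microsoft Windows XP Professional (32-bit)", "VDI-A", ("ds-vdi-1",)),
    VM("sled01", "SUSE Linux Enterprise Desktop 11 (64-bit)", "VDI-B", ("ds-vdi-2",)),
    VM("web01", "Microsoft Windows Server 2008 R2 (64-bit)", "PROD", ("ds-prod-1",)),
    VM("db01", "Red Hat Enterprise Linux 6 (64-bit)", "PROD", ("ds-prod-1",)),
    VM("notools01", "", "VDI-B", ("ds-vdi-2",)),   # VMware Tools not installed: unclassified
]
CLUSTERS = [Cluster("VDI-A", 61.2), Cluster("VDI-B", 0.0), Cluster("PROD", 48.0)]

if __name__ == "__main__":
    print(desktop_search("cluster.vm"))
    print("desktop:", [v.name for v in desktop_vms(VMS)])
    print("server (or unknown):", [v.name for v in server_vms(VMS)])
    print("VDI clusters:", vdi_clusters(VMS, CLUSTERS), "VDI datastores:", sorted(vdi_datastores(VMS)))
```

Two things the run makes visible: the memload filter silently drops cluster VDI-B even though it hosts a desktop VM, and notools01 lands in the "server" set purely because it reports nothing, so the inverse search is not a clean list of server VMs.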

You can download these dashboards from the community content exchange

For the past several months the APM team has been hard at work developing APM 4.2 and delivering some outstanding new features and functionality to the product based on feedback from the community. Chief among these new features is APM's ability to monitor Java applications natively using our new JMX component monitors. These JMX component monitors can be used to monitor any statistical information exposed as Managed Beans (MBeans) by the Java application server. APM fully supports the monitoring of all standard Java application servers such as:

The new JMX Explorer makes browsing, selecting, and monitoring your MBeans a simple and straightforward point and click affair.

(Screenshot: JMX Explorer)

Another huge feature of APM 4.2 is native support for Nagios scripts. You no longer need to convert the Nagios scripts you’re dependent on to have them run under APM. Simply copy and paste your existing Nagios scripts into APM’s new Nagios script component monitors and these scripts will run the same as they would under Nagios.

(Screenshot: Nagios script component monitor)

Because many existing Nagios scripts available online return multiple statistic values from a single script, we have included support for multiple value scripts in APM 4.2. All Nagios, PowerShell, Unix/Linux, and Windows script component monitors have been updated to allow up to ten statistic/message pairs to be returned from a single script while consuming only one component monitor license. You can define individual warning and critical thresholds for each statistic collected by a multiple value script, and alert and report on these values independently. Roll-up status for multiple value script component monitors can also be configured to show the best or worst status for the component as a whole (similar to how APM rolls up multiple node statuses in the nested tree hierarchy, or how sub-maps are displayed in Network Atlas).

(Screenshot: multi-value script component monitor)

Over the years, many customers have asked for the ability to perform custom mathematical functions on the statistic data collected via APM, similar to transforms in the Universal Device Poller of NPM. APM 4.2 delivered! With these new transforms, you can truncate, round, or convert the collected statistic data to a standard format for alerting and reporting purposes. A couple of examples would be converting bits to bytes or Celsius to Fahrenheit.

(Screenshot: statistic transform / unit conversion)

All these new monitoring capabilities included in APM 4.2 are great, but they demand a new and improved way of visualizing all of this information. Enter the Multiple Object and Multiple Statistic chart resources.

(Screenshots: Multiple Object chart and Multiple Statistic chart)

The Multiple Statistic Chart resource provides historical charting for all of your multiple value scripts, and the Multi-Object chart resource lets you combine multiple component monitors, and component monitor types, into a single chart, giving unsurpassed visibility into the historical performance trends of your applications.

If you’ve just upgraded to 4.2, or are evaluating APM for the first time let us know what you think of these new features in the comments section below. 

The new set of NCM features, described a while back in the post What we are working on now: NCM, will soon be available for beta.

If you are an NCM customer with active maintenance, I encourage you to sign up here for the upcoming Release Candidate.

Signing up is a short and easy process that will take you through a few questions about your environment.

NCM 7.0 has exciting new capabilities: the Change Request Approval feature, new web-based node and account management screens, and tighter integration with Orion Core, as the feature list below shows.

We hope to see many of you sign-up for this beta and are looking forward to reading your feedback, which is essential to preserve and improve NCM’s quality and usability.

  • Change approval request (one user submits the change request for approval by another user)

I have created a list of future Change Request Approval improvements that you can vote for: Vote for the future improvements of NCM's Change Request Approval feature.

  • The requester view
  • The approver view
  • New web-based network discovery wizard
  • Import devices from Core
  • Keep Orion Core and NCM node list in sync
  • User management (NCM roles integrated into Orion Core's account management, Active Directory integration)
  • New user controls for Compliance report outcome (sortable node list and advanced controls on column/rule display)

Orion provides numerous preconfigured alert actions, but in today’s on-the-move world, we want to get text alerts on our mobile phones.

Phone and pager alerts, delivered as SMS/text messages, are an efficient way to get real-time updates while you are on the go. Orion can trigger them through third-party paging applications such as the popular NotePager Pro and PageGate products.

You can download an evaluation version of NotePager Pro from this link. When you install NotePager Pro on the Orion server, it automatically gets added to the Dial Paging or SMS service option listed under Alert Actions in the Orion Advanced Alerts Tool.

Now, it is time to configure the settings in NotePager Pro. This video tutorial link is a great source for answering questions on setup and shows step-by-step directions on configuring NotePager with different protocols. NotePage also has a dedicated page for “SolarWinds Orion Network Performance Monitor Integration”

The following diagram shows how an alert is triggered from Orion to mobile phones or pagers via applications like NotePager Pro.


In the diagram above, when an alert is triggered in Orion, Orion connects to the NotePager application and hands it the alert information. NotePager then connects to the carrier, via a modem or over the Internet, using one of the protocols listed below.

· SMTP

· SNPP

· TAP

· WCTP

The carrier checks the SMTP, SNPP, or WCTP address against its supported list and then routes the message through its core network for delivery to the phone or pager as an alert.

NotePager Pro also supports out-of-band alerting via a modem, so alerts still get out when the ISP connection or mail server is down. SNPP, SMTP, and WCTP support two-way communication, sending alerts from Orion to a mobile device and replies back; to use it you need a PollerID/SenderID (usually an email address) from the carrier, either directly or from their website. Only after entering the PollerID/SenderID will the end user be able to receive the alert on their mobile phone and use the two-way feature.
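The SNPP leg of that path, as an added example that is not NotePager or PageGate code: a level-1 SNPP client per RFC 1861 talking to a constructed stub gateway in the same process, so the whole exchange (220 greeting, PAGE, MESS, SEND, QUIT and the 250/221 replies) can be read end to end. The pager ID 5551234, the stub's reply wording, and the alert text are made up.

```python
"""SNPP (RFC 1861) level-1 exchange between a paging client and a gateway, both sides in-process.
Added example; not NotePager Pro or PageGate code. The gateway is a constructed stub."""
import socket
import threading


class SNPPError(Exception):
    """Gateway replied with a code outside the accepted set, or closed the connection."""


def _read_reply(rfile, accepted):
    line = rfile.readline().decode("ascii", "replace").rstrip("\r\n")
    if not line or not line[:3].isdigit() or int(line[:3]) not in accepted:
        raise SNPPError(line or "connection closed")
    return line


def snpp_page(sock, pager_id, message, timeout=5.0):
    """Client side: PAGE, MESS, SEND, QUIT. Returns the (command, reply) transcript."""
    # SNPP is line oriented: a CR/LF (or other control character) inside the alert text would
    # be executed by the gateway as a new command, so refuse such text instead of sending it.
    for text in (pager_id, message):
        if not text.isascii() or not text.isprintable():
            raise ValueError("pager id and message must be printable ASCII")
    sock.settimeout(timeout)
    rfile = sock.makefile("rb")
    transcript = [("<greeting>", _read_reply(rfile, {220}))]
    for command, accepted in ((f"PAGE {pager_id}", {250}), (f"MESS {message}", {250}),
                              ("SEND", {250, 860}), ("QUIT", {221})):  # 860 = level-2 queued reply
        sock.sendall((command + "\r\n").encode("ascii"))
        transcript.append((command, _read_reply(rfile, accepted)))
    return transcript


def stub_gateway(sock, valid_pagers):
    """Stub gateway: minimal level-1 state machine (pager id, then message, then send)."""
    rfile = sock.makefile("rb")
    pager = message = None
    try:
        sock.sendall(b"220 SNPP Gateway Ready\r\n")
        while True:
            raw = rfile.readline()
            if not raw:
                break
            verb, _, arg = raw.decode("ascii", "replace").rstrip("\r\n").partition(" ")
            verb = verb.upper()[:4]
            if verb == "PAGE":
                pager, reply = (arg, "250 Pager ID Accepted") if arg in valid_pagers else (None, "550 Error, Invalid Pager ID")
            elif verb == "MESS":
                message, reply = (arg, "250 Message OK") if pager else (None, "550 Error, Pager ID Required")
            elif verb == "SEND":
                reply = "250 Message Sent Successfully" if pager and message else "550 Error, Nothing To Send"
            elif verb == "QUIT":
                sock.sendall(b"221 OK, Goodbye\r\n")
                break
            else:
                reply = "500 Command Not Implemented"
            sock.sendall((reply + "\r\n").encode("ascii"))
    finally:
        sock.close()


def run_exchange(pager_id, message, valid_pagers=("5551234",)):
    """Wire the client and the stub gateway together over a socket pair and run one page."""
    client, server = socket.socketpair()
    worker = threading.Thread(target=stub_gateway, args=(server, set(valid_pagers)), daemon=True)
    worker.start()
    try:
        return snpp_page(client, pager_id, message)
    finally:
        client.close()
        worker.join(timeout=5)


if __name__ == "__main__":
    for command, reply in run_exchange("5551234", "Orion alert: core-rtr-1 is Down"):
        print(f"C: {command:<40} S: {reply}")
```

SNPP is a cleartext, line-oriented protocol with no authentication: anyone who can reach the gateway, or see the wire, can send or read pages, and any CR/LF embedded in an alert message becomes a new command, which is why the client refuses non-printable text before it sends anything. Restrict which hosts may reach your SNPP/SMTP paging endpoints, and keep the alert text that Orion passes to the pager free of strings a monitored device can set (a node's SNMP sysName, for example) where you can.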

Here is a list of example PollerID/SenderIDs which can be used while configuring the recipient.

NotePager Pro runs as a desktop Win32 application, so an administrator must stay logged into the console at all times for alerts to be sent; a permanently open interactive session on the Orion server is something to weigh against your own server hardening baseline. Another application from NotePage, PageGate, runs as a Windows service and offers a more powerful tool for communication.

Click this link to download the evaluation version of PageGate. After installing it on the Orion Server, along with the PageGate Admin and PageGate client, you should see the PageGate action in the list of Alert Actions in the Orion Advanced Alerts tool.

After installation, go to Start->PageGate->PageGate Admin and select Help. The help covers every aspect of configuring PageGate, which provides far more than Orion alerts will use. Once the recipients and the carrier are set up in the PageGate Admin tool, PageGate is automatically added as an action in the Orion Advanced Alerts Tool. It should look something like the screenshot below.

Some say they can secure the unsecureable,
manage the unmanageable,
and that even Chuck Norris is forced to be compliant.


All we know is, they are called… the STIGs.


Updated June 29, 2015


The Defense Information Systems Agency (DISA), part of the Department of Defense, publishes Security Technical Implementation Guides (STIGs): configuration standards that set a security baseline for DoD networks, systems, and applications. If you're responsible for a DoD network, the STIGs will guide your network management, configuration, and monitoring strategies across access control, operating systems, applications, network devices, and even physical security.


SolarWinds Log & Event Manager can help with DISA STIG compliance via our real-time monitoring of related events across systems, network devices, applications, and security tools. Use LEM to address DISA STIG requirements for both log analysis and broader network security.


For configuration auditing, be sure to check out the companion post about NCM's DISA STIG resources as well.


At a high level, in relation to the STIGs, you can use SolarWinds Log & Event Manager to monitor and audit:

  • Logs relevant to STIG best practices auditing (across OS, applications, and devices)
  • Changes to device, system, and user account configuration settings
  • Installation of unapproved software
  • Access and changes to sensitive/classified files
  • Creation/deletion/modification of user accounts
  • Modifications to databases and possible attack indicators
  • Access and usage of USB storage (including file/process information) and USB network devices
  • Successful and failed authentication attempts
  • Authentication from unapproved guest/anonymous accounts
  • Authentication to/from unexpected accounts/locations/machines (or using unexpected authentication methods)
  • Network access via VPN and other remote access methods
  • Data from firewalls, routers, and intrusion detection systems that can indicate access over out-of-compliance protocols and ports
  • Alerts from firewalls, anti-virus, intrusion detection systems, and other security monitoring tools that can indicate attacks, vulnerabilities, scans, and other network security issues
  • Vulnerability assessment tool reports


LEM includes out of the box reports and rules that directly address DISA STIGs. You can also customize your LEM Console to monitor different types of data in real-time, and use the Console to search for historical events.


Rules


Many of LEM’s out of the box rules can be used to address STIGs, especially anything related to monitoring for change activity and security events. You’ll need to create and customize copies specific to your environment; check out this video in the resource center about creating and using out of the box rules for more detail on how. It’s important to remember that LEM’s correlation engine is flexible, so just because you don’t see something you’re interested in doesn’t mean it can’t be done, as long as what you’re looking for is reported in the log data.

(Screenshot: LEM rule templates)


Specific rules and groups of rules of interest:

  • Compliance > DISA STIG: this category groups together STIG rules of interest into one easy category
  • Activity Types > Active Responses: these rules provide examples of automated detection and response.
  • Endpoint Monitoring: these rules include detection of issues on the workstation/server level using the LEM Agent. Most useful here will be security processes and USB device access.
  • Security > Vulnerability: these rules integrate with your vulnerability assessment reporting, to alert on new vulnerabilities/issues being found.
  • Authentication: these rules monitor authentication-related activity, including duplicate logons, logon failures to critical accounts, and unauthorized logons.
  • Change Management: these rules monitor for all kinds of change management activity (accounts, users, groups, policies) and include many rules specific to active directory. There are also reports that cover these same categories, so you’ll want to focus on what’s of most use to you in real time (generally, anything that’s operationally valuable like account lockouts, or high priority like device configuration changes).
  • Activity Types > Database Auditing: these rules will monitor certain types of database activity, including changes and errors. If you’re using a separate database activity monitoring tool, use these as examples of things to look for.
  • Activity Types > Network: these rules monitor everyday network activity for anomalies, such as port scans, SQL injection, and suspicious network traffic.
  • Security > Malware: these rules monitor for traditional AV issues like uncleaned (left alone) viruses and AV update failures, along with worm detection from other network activity.
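Four of the rule types listed above (logon failures against critical accounts, guest logons, duplicate logons, and authentication from an unexpected location), as an added Python example that is not LEM's correlation engine: the event lines are constructed JSON carrying the fields a Windows 4624/4625 logon event provides, and the account lists, approved networks, thresholds and time windows are assumed values that you would set per environment.

```python
"""Correlation rules of the kind listed above, run over constructed log lines.
Added example; not LEM's rule engine or its event format."""
import ipaddress
import json
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Tunables a practitioner sets per environment (assumed values).
CRITICAL_ACCOUNTS = {"administrator", "svc_backup"}
GUEST_ACCOUNTS = {"guest", "anonymous logon"}
ALLOWED_ADMIN_NETS = [ipaddress.ip_network("10.0.0.0/8")]
FAIL_THRESHOLD, FAIL_WINDOW = 3, timedelta(seconds=60)
DUP_WINDOW = timedelta(minutes=10)
INTERACTIVE_LOGON_TYPES = {2, 10, 11}   # console, RDP, cached credentials

# Constructed sample: JSON lines with the fields a Windows Security logon event (4624/4625) carries.
SAMPLE_LOG = """\
{"ts": "2015-06-29T08:00:01", "event": 4625, "user": "Administrator", "src": "10.1.5.20", "host": "DC01", "logon_type": 3}
{"ts": "2015-06-29T08:00:05", "event": 4625, "user": "Administrator", "src": "10.1.5.20", "host": "DC01", "logon_type": 3}
{"ts": "2015-06-29T08:00:09", "event": 4625, "user": "Administrator", "src": "10.1.5.20", "host": "DC01", "logon_type": 3}
{"ts": "2015-06-29T08:00:20", "event": 4624, "user": "Guest", "src": "10.1.5.20", "host": "FS01", "logon_type": 3}
{"ts": "2015-06-29T08:01:00", "event": 4624, "user": "jsmith", "src": "10.1.7.4", "host": "WS-07", "logon_type": 2}
{"ts": "2015-06-29T08:01:30", "event": 4624, "user": "jsmith", "src": "10.1.9.9", "host": "WS-09", "logon_type": 2}
{"ts": "2015-06-29T08:02:00", "event": 4624, "user": "svc_backup", "src": "198.51.100.5", "host": "FS01", "logon_type": 3}
{"ts": "2015-06-29T08:03:00", "event": 4625, "user": "jsmith", "src": "10.1.7.4", "host": "DC01", "logon_type": 3}
"""


def parse(text):
    """Turn JSON lines into event dicts with a real timestamp and a normalised user name."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        e = json.loads(line)
        e["ts"] = datetime.fromisoformat(e["ts"])
        e["user"] = e["user"].lower()
        events.append(e)
    return events


def correlate(events):
    """Apply four STIG-style authentication rules; return alerts in event order."""
    alerts = []
    failures = defaultdict(deque)    # user -> timestamps of recent failures
    interactive = defaultdict(dict)  # user -> {host: last interactive logon time}
    for e in events:
        ts, user = e["ts"], e["user"]
        # Rule 1: repeated logon failures against a critical account inside the window.
        if e["event"] == 4625 and user in CRITICAL_ACCOUNTS:
            q = failures[user]
            q.append(ts)
            while q and ts - q[0] > FAIL_WINDOW:
                q.popleft()
            if len(q) >= FAIL_THRESHOLD:
                alerts.append({"rule": "critical_account_logon_failure", "user": user, "count": len(q), "ts": ts})
                q.clear()  # one burst, one alert
        if e["event"] != 4624:
            continue
        # Rule 2: any successful logon by a guest/anonymous account.
        if user in GUEST_ACCOUNTS:
            alerts.append({"rule": "guest_logon", "user": user, "host": e["host"], "ts": ts})
        # Rule 3: the same account interactively logged on to two machines inside the window.
        if e["logon_type"] in INTERACTIVE_LOGON_TYPES:
            seen = interactive[user]
            others = [h for h, t in seen.items() if h != e["host"] and ts - t <= DUP_WINDOW]
            if others:
                alerts.append({"rule": "duplicate_logon", "user": user, "hosts": sorted(others + [e["host"]]), "ts": ts})
            seen[e["host"]] = ts
        # Rule 4: a critical account authenticating from outside the approved networks.
        if user in CRITICAL_ACCOUNTS:
            try:
                src = ipaddress.ip_address(e["src"])
            except ValueError:   # Windows logs "-" when no network source applies
                src = None
            if src is not None and not any(src in net for net in ALLOWED_ADMIN_NETS):
                alerts.append({"rule": "unexpected_source", "user": user, "src": e["src"], "ts": ts})
    return alerts


if __name__ == "__main__":
    for alert in correlate(parse(SAMPLE_LOG)):
        print(alert)
```

The rules are deliberately stateful: the failure rule keeps a sliding window per account and clears it after firing, so one brute-force burst produces one alert rather than one per attempt. Whatever engine you run, the STIG-relevant property is that each of these conditions is a live rule that can open a tracked incident, not a report someone reads after the fact.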


Reports


With LEM Reports, you can run reports interactively, schedule reports to run unattended, and open, filter, and save filtered reports (including saving a filtered report as a new custom report). For auditing, you’ll generally want to schedule reports, and use Rules and the Console to do most of your day to day time-sensitive monitoring.


We've created a Category of reports that will show only the STIG reports. To see reports most related to STIGs:

  1. Go to Manage > Categories
  2. Check off DISA STIG on the left (you'll see a preview of the included reports on the right)
  3. Click OK
  4. In the Category dropdown on the top right, select "Industry Reports" to filter your view only to the selected Categories (i.e. STIG).

(Screenshot: LEM industry reports filtered to DISA STIG)

Within the STIG industry category, you'll see these general categories and types of reports:


  • Event Summary reports. These statistical reports will help you identify anomalies more quickly, whether they be quantity or type of alert.
  • Incident, Inferred Alerts, and SolarWinds Actions. The Incident/Inferred reports are used to document events that you’ve chosen to escalate within the LEM correlation engine, and commonly used for reporting issues that need to be identified and tracked. The Actions report will document any responses you’ve taken, automatically or interactively.
  • Authentication master and/or associated detailed reports. These reports will show all authentication related events including logon, logoff, logon failure, guest account access, and access to LEM itself.  The Master report will include everything, but if you choose to run the detailed reports, be sure to include User Log On AND Log On Failure along with Guest Login. You may also want to create a customized version of these reports that only show administrative access accounts, to audit and monitor them separately.
  • Change Management reports. These reports break down change management events, with a lot of attention paid to specific Active Directory account/domain modifications. Almost everything here is relevant to the STIGs, including creation, deletion, enable, disable of accounts and groups. The Resource Configuration reports may be an all-encompassing alternative if you don’t want to see everything broken out individually.
  • File Audit Events master and/or detail reports. These reports will show file and object access, generally provided by Windows file auditing or host-based intrusion detection tools. If you choose not to run the master report (which is inclusive of all file access reported), you will definitely want to pay close attention to the File Audit, Delete, Move, Read, and Write reports. Since these reports can be quite large and file auditing quite noisy, you may also want to customize these reports to only monitor for access to specific sensitive or system files, accounts, or devices.
  • Machine Audit master and/or detail reports. These reports will show process and service tracking, along with software installation/updates, and system status information. If you choose not to run the master report, you’ll definitely want to run the software install/update, system status, USB-Defender, and File System Audit reports, and possibly the Service Audit reports.
  • Malicious Code master and/or detail reports. These reports will show activity primarily from anti-virus and anti-malware software. Since these should be limited, the master report is the simplest way to go.
  • Network Events master and/or detail reports. These reports will show security attack and scan-related activity. There are a lot of detailed reports, but you’ll especially want to run the Attack Behavior – Access, Attack Behavior – Denial/Relay, and Suspicious Behavior reports.
  • Network Traffic Audit master and/or detail reports. These reports will probably be your most noisy (next to Authentication), but will show all firewall/router ACL traffic, proxy/web server traffic, and potentially other traffic depending on sources. The Network Traffic Audit master report is going to be pretty busy, so if you choose to run detail reports, you may want to also create versions that audit for specific issues – unexpected ports, specific IP addresses, etc.
  • Resource Configuration master and/or detail reports. These reports will overlap with the Change Management Reports in many cases, so if you schedule those, these may be redundant for your needs. Here, you’ll find policy and change management oriented data.


If anything changes regarding DISA STIGs, this post will be updated.
