In case you missed it, the Log & Event Manager team has recently rolled out new pricing related to monitoring workstation nodes. The goal of this addition is to make it much more affordable for you to monitor workstations together with your servers and network devices in LEM - or even by themselves, if you're solely workstation-minded. It's still the same LEM with the same features and functionality, this just makes it much more possible for you to extend your investment.


So, what does that really mean? What would you want to monitor from workstations? And, how do you do that with LEM?


Issues Specific to Workstations

Traditionally we focus a lot on servers, but realistically workstations are both the entry point to the network from a security perspective and more systems that require maintenance. As you think about moving away from reactive network/systems/security management to proactive network/systems/security management, workstations are a critical part of our enterprises.



From a security perspective, workstations do give you an entry point to the network, and can serve as a gateway to a veritable feast of data. Helpful: your customers and users can access the network quickly and easily from their system to do their jobs well. Not helpful: they have access to so much information and systems that they can also do some serious damage.


Things to monitor:

  • Unexpected users logging on to workstations that are more likely to have sensitive information - C-level, VP, and IT administrators. Create a group of users that SHOULD have access to these systems and look for authentication activity (logons and failures) that are to those systems but not from those users.
  • Other forms of unexpected logon activity depending on your environment - logons to workstations after hours if you're in a fairly controlled environment, remote logons if you don't use VPN access or users don't use RDP
  • Changes (create, update, delete) to local accounts and groups, especially Local Admins and accounts that won't inherit your domain policies and settings
  • System changes, like installation of unexpected software and changes to local policies
  • Usage of removable USB disk and networking devices
  • Launch of prohibited applications (IM, games, etc)
  • Patterns of behavior that are not unusual in the one-off case but are in excess, like failed logons


Changes and Issues

Monitoring log data from workstations can also grant you insight into the state of the system - if a user calls and complains about something not working correctly, the event log and recent history of activity can provide a lot of useful data.


Things to monitor:

  • Software installation, successful and failed
  • Installation of Windows/OS updates, especially failed updates
  • Changes to system policies and configurations (enable/disable of Windows Firewall, enable/disable of audit policy)
  • Failures related to services starting/stopping
  • For Windows, "Critical", "Error", and "Warning" events in general in the System and Application logs


Active Responses & Workstations

Useful active responses and scenarios for workstations include:

  • Detecting suspicious (or unapproved) processes and killing them (by name or ID)
  • Disabling networking on a workstation after detecting a malware infection (to isolate from the network)
  • Detaching a USB device that's not approved - this one can be done whether the agent is connected or not with our USB local whitelisting policy
  • Detecting unexpected or inappropriate network, proxy, or file activity and sending a popup to the workstation notifying the user they've been spotted
  • Removing unapproved users from Local Admins automatically, or disabling local users if they are created


Combining Workstation and Network/Server Data

In some cases, data specific to workstations is actually centralized at the server or network device, but you might not have thought about specifics of things to look for for workstations or endpoint issues. There's also some cool things you can do if you correlate activity across multiple sources.


Centralized Events

  • Anti-Virus and DLP: It's most common for your anti-virus and DLP solutions to log centrally, rather than at the endpoint themselves. These events can provide critical insight into security issues directly at the workstation.
    • Look especially for viruses that are "left alone" (not cleaned, not quarantined) and unexpected data that has moved from the endpoint.
  • Look for Firewall/router data that indicates a workstation:
    • attempting to make outbound connections to unexpected ports
    • bypassing your proxy server for port 80 traffic
    • making excessive repeated outbound attempts to a single source/destination/port
  • If you have a web proxy, use that data to monitor repeated attempts to access blocked content, repeated download attempts for viruses or other suspicious content, downloads of executables
  • A fair amount of your domain controller and other server activity is related to access from workstations (since that's where your users are, after all). You can use this to extend your monitoring of certain types of logon activity that comes from clients and software solutions that are not directly logged at the workstation.
  • DHCP/DNS issues can surface at the DHCP/DNS server side, but indicate workstation problems. With DHCP, especially, you can track whether your server has seen a request for a lease and what the response actually was (before you break out the packet capturing tools to dig deeper).


Correlated Activity

  • Correlate authentication activity across servers and other workstations that indicates logon attempts from a single source, which can be symptomatic of an infection or exposure
  • If you monitor file access, monitor for excessive deletes or copies from a single system, and potentially correlate with the USB activity from the workstation itself to indicate files copied from a server all the way to a USB drive
  • Combine suspicious activity to create a more conclusive case that something's wrong - for example, combine excessive logon failures to multiple systems on the network with excessive outbound traffic or combine virus/malware activity with executable downloads


Where to go in LEM

If you want to be alerted when above activity occurs (via e-mail) or automatically respond to the workstation, you need to go to Rules (Build>Rules). Most of the items above are really good candidates for rules. Other areas to look in will be:


  • Rule Library/NATO5 Rules > Agent: Especially "Detach USB" rules, "Windows Disk Nearly Full", "Keylogger Process Launch", "Authentication Traffic but no Agent"
  • Rule Library/NATO5 Rules > Active Responses: Especially "Kill Suspicious Process", "Game Application Launch", "Remote Desktop After Business Hours", "Restart Stopped AV"
  • Rule Library/NATO5 Rules > Authentication: Especially "Logon Attempt outside of Time Restrictions", "User Logon After Hours", "User Logon but no Agent"
  • Rule Library/NATO5 Rules > Change Management: If you're interested in tracking workstation changes, many of the same rules apply here, or will indicate activity coming from workstations.
  • Rule Library/NATO5 Rules > Spyware
  • Rule Library/NATO5 Rules > Virus/Worm: Especially "AV Update Failure" and "Virus Attack - Bad State"



If you want to search for activity that has occurred based on a workstation's name and/or IP address, you want to go to nDepth (Explore>nDepth).

  • To search for any events that contain the workstation's name or IP, just type it in the search box - this searches globally.
  • To search for any events from a specific workstation, use the DetectionIP field (or InsertionIP, they'll usually be the same on workstations)
  • To search for any events that came from, were going to, or were created by, a workstation's name or IP,  use the combined IP Address field



If you want to monitor workstations in real time, you can use the widgets in Ops Center to view trends and anomalies, and you can use filters in Monitor to, well, monitor for different categories of activity. Good candidates for filters are things like:

  • Activity from high-profile workstations
    • Create a Tool/Connector Profile or a User-Defined Group with your workstations in it
    • Build a filter for Any Alert.DetectionIP = <group>
    • This will be fairly high-traffic depending on the number, so you might need to narrow the focus to specific types of events.
  • Logon failures only to workstations
    • Create a Tool/Connector Profile (or multiples) with your workstations grouped together
    • Build a filter for UserLogonFailure.DetectionIP = <group> (if you have more than one, OR them together)
    • If you want to look for workstations generating logon failures on other systems, use UserLogonFailure.SourceMachine = <group>
    • If you only want to monitor interactive logons (RDP or local), use UserLogonFailure.LogonType = *interactive*
  • Workstation change activity
    • Again, Create a Tool/Connector Profile (or multiples) with your workstations grouped together
    • Build a filter for [Change Management Events].DetectionIP = <group?> (if you have more than one, OR them together)




Tips for Managing Workstations in LEM

  1. Deploy agents many at a time using the remote agent installer, by deploying the agent with your workstation image, or by using the local installer in "silent" mode and using it with your software distribution tools.
    1. If you're using the remote agent installer and have remote sites, a helpful tip is to copy the installer to a system (e.g. server) local to that remote site, then push out from there.
    2. KBs: SolarWinds Knowledge Base :: How to include the LEM Agent in a Windows image, SolarWinds Knowledge Base :: Using the SolarWinds LEM Agent Installer non-interactively
  2. Use Tool/Connector Profiles to group agents together. This serves the purpose of grouping AND maintaining a standard configuration template. Configure a single agent, then create a new tool/connector profile and add all of the similar agents with it.
  3. If you have mixed Windows environments, look out for configuring the "wrong" connectors for the Windows Security Log. You'll see Internal alerts that suggest you should configure the opposite connector (there's one for XP/2003 and earlier, and one for Vista and later).
  4. The Manage>Nodes grid can be sorted, sliced, and diced, to take inventory of what's connected and not. The new "Node Health" widget in our upcoming release (RC info available here) will show the last time data was received from nodes, which is helpful. There's also a couple of agent health reports in LEM Reports that can help track down agent connectivity and events.


The recent thwackCamp 2012 presentation on the Top 10 Things Logs Can Do for You might have some additional ideas to help spark your creativity in monitoring workstations and your enterprise holistically with LEM.


What about you? Do you monitor workstations? Is there anything you'd like to monitor but aren't sure how? Haven't heard about LEM Workstation Edition and want to know more about what it means? Drop a comment here or feel free to start your own discussion thread over in the Security Event Manager (SEM) - Formerly Log & Event Manager space.


Shameless Plug: Other SolarWinds Products for Workstations

While we're on the topic, here's some other good stuff for workstations that will help extend what you get with LEM even further:

  • Patch Manager: not just help with managing your windows patches, but helping address third party patching issues. On top of the fact that Acrobat, Flash, and Java have had a ton of security issues, a lot of malware out there still exploits old holes that are fixed with patches. Keep it up to date from one place.
  • DameWare: DameWare is a handy remote management tool. Once you've identified a problem with LEM, if you want to investigate at the endpoint or respond beyond LEM's built-in active responses, DameWare can help.
  • NetFlow Traffic Analyzer: if you've got bandwidth problems with workstations, use NTA to track down who is consuming it. LEM can help on a time & frequency basis and can do some basic top talker stuff with NetFlow/sFlow, but NTA is all flow all the time.
  • User Device Tracker: UDT helps you determine what user owned an IP address/hostname/MAC address over time. If you've found a historical issue on LEM and want to trace that IP back to a user, UDT can tell you where they were.
  • LANsurveyor: map out your network and figure out the logistical layout of devices. If you've got workstations, chances are there's enough of them that you'd like to know what and where they are connected. LEM doesn't have built-in network diagrams itself, but this can help you make sense of what's out there.

It's been little more than two months since the official release of SolarWinds Server & Application Monitor v5.2. A release that was packed to the gills with tons of new features. It's hard to believe that in such a short period of time that we're here once again to kick off the next SAM Beta.


Being a Product Manager at SolarWinds allows me the opportunity to talk with IT folks from around the globe. Most of whom dream of a utopian world in which there was one single place where they can visualize problems as they're occurring, as well as react and resolve them in real time. The main objective of any good monitoring solution is to provide the user with actionable information. Your servers hard drive fails? Replace it. Your users hogging all the bandwidth watching YouTube? Slap a CBQoS policy on your router. Better yet, track them down and slap the offenders upside the head. On second thought, maybe not.

Got users disconnecting from Terminal Server and Citrix sessions, leaving rogue processes running amok in their wake? Services crashing on your critical application servers? Time to fire up a Remote Desktop, or better yet, a Dameware session to the afflicted server right?  Wrong!


Sure that might have been the way you did things yesterday, but times have changed. Now you can resolve these kinds of common issues from within the same web interface that alerted you to the problem in the first place. No more firing up the VPN, starting up your remote control application, just to launch Task Manager or the Services Control Panel to kill off a few processes or start those services back up. That power is now available to you right from within the SAM web console. Point, click, done. It's that simple. Don't believe me? Watch the videos below.



Terminate Processes with the Real-Time Process Explorer Server & Application Monitor Service Control Manager


The first video demonstrates SAM's ability to terminate processes from within the Real-Time Process Explorer. The video starts off with me killing off a single instance of FireFox.exe, but shortly thereafter you can see how the Real-Time Process Explorer allows you to terminate multiple processes simultaneously. Windows own Task Manager doesn't even allow you to do that!


The second video showcases SAMs new Service Control Manager. From within the Service Control Manager you can see all services available on this host, their current state, startup settings, as well as the services description. Stopping, starting, and restarting services instantly is a simple point and click affair, that's sure to have you and your applications back up and running quicker than ever.


These are just a couple of the new features we're working on for the next release. If you already own Server & Application Monitor and are currently under active maintenance, you can sign-up to download the beta today.

After the release of UDT v2.5 (and service release 2.5.1), here is what the UDT team is working on now, for the future of the product:

  • Access Monitoring
    • Define a device whitelist (based on MAC, IP, or hostname), i.e. list of devices that are allowed to connect.
    • Receive SNMP traps and syslog for updating connectivity information in “real-time”. An alert should be generated when a device is connected that is not on the whitelist.
    • Shut down a port (providing user has write access).
    • Users can be tracked in watch list.
    • Distinguish between ports that are administratively down and administratively up but disconnected.
  • IPAM Integration
    • Provide link to IPAM subnet information in the Endpoint Details resource
    • Business logic enhancements to enable integration from IPAM side.
  • Wizard to help users configure appropriate logging level on Windows servers to collect login information.
  • NTA Integration (Support NTA resources on Endpoint Details page.)
  • Windows Server 2012


Disclaimer:  Comments given in this forum should not be interpreted as a commitment that SolarWinds will deliver any specific feature in any particular time frame. All discussions of future plans or product roadmaps are based on the product teams intentions, but those plans can change at any time.

After the release of NCM v7.1 (and service release 7.1.1), here is what the NCM team is working on now, for the future of the product:

  • Continue moving functionality from Win32 client to Web UI
    • Job management (Windows Task Scheduler not used anymore)
    • Config management (edit, delete, set baseline)
    • Possibility to test device login credentials
    • Import config from file
  • Provide End-of-Life/End-of-Support information for managed devices.
  • The execution of Config Change Templates can be scheduled.
  • Change Approval System enhancements
    • Approved requests to be executed at specified date/time
    • Approved requests to be returned to requester for execution
    • Requesters can see a history of what they requested and was approved
    • Approvers can see a history of what they approved
  • Multiple Global Connection Profiles
    • Define multiple connection profiles (device credentials, protocol, port etc.)
    • NCM will try which of the predefined connection profile works for a device (configurable pre device)
  • More native device support
  • Inventory for Brocade devices
  • Support of AES 256-bit encryption for SNMPv3
  • Make downloaded configurations searchable for IP addresses with FTS enabled.
  • Config Change Template Extensions: 'delay' command, string <-> number conversion
  • Security enhancements of the Web UI
  • Support for database encryption using MS SQL TDE.


Disclaimer:  Comments given in this forum should not be interpreted as a commitment that SolarWinds will deliver any specific feature in any particular time frame. All discussions of future plans or product roadmaps are based on the product teams intentions, but those plans can change at any time.

I'm happy to announce that NPM 10.4 release is officially here. This version is literally packed with new features! All current NPM customers under active maintenance can download the upgrade from their customer portal.

In the past few months you could vote what features you would like to see in your favorite network monitoring software, NPM, vNext and we were listening. 10.4 comes with the most wanted ones:


Custom Property Enhancements

We migrated the custom property editor on web. Now it's part of the main Orion webconsole and accessible from NPM and other SolarWinds Orion family products. New intuitive wizard will take you through the process of creating new custom properties.You can also specify a list of pre-defined values to minimize entry errors.


Header  CPE.PNG 1Header 2CPE+4.png

Audit Tracking

Version 10.4 comes with user auditing feature. You can now monitor who made what action/change in NPM. New auditing functionality is fully automated, you don't need to set up rules or policies it works immediately after installing 10.4. All information is available through Message Center where you can filter, sort and see all the details. You can also see a new Top 10 resource on summary page:auditing1.png


Hardware Health Monitoring for your network devices

SAM users know how useful is the hardware health of their servers. NPM users didn't have out of the box support for that (they had to use custom pollers) to monitor critical hardware parts of routers or switches like Fan speeds, temperature sensors or health of power supplies.


NPM 10.4 now allows you to prevent hardware malfunctions by monitoring your hardware with more details. We added support for Cisco, Juniper, HP, BigIP F5 and Dell networking devices. You can also set an alert to be notified if some sensor exceeds a threshold and you can track historical data




Looking at the hardware health historical chart reminds me that NPM network monitor has been completely migrated to the new "drag & drop" chart engine so you may use interactive features like zoom-in or switching on/off chart data on every single chart now.


Out of the box support for BigIP F5 devices


BigIP devices are widely used and they are bit special compared to other networking hardware. CPU and memory polling is not enough for F5 effective troubleshooting. The important highlevel metrics are Throughput  Connections (SSL, opened) and Failover status. If you are interested to see more details NPM can provide you with the list of Virtual Servers, Pools and Nodes. All these lists carry information about IP address and element status.






A lot of cool network management stuff don't you think? But that's not all there is decent set of another features waiting for you.


UI improvements - Subviews


We know that it's hard to make everyone happy with how we categorize and group items in our NPM webconsole menus. Sometimes you need better granularity and possibility to group particular data into some kind of tab or bookmark. NPM 10.4 now supports concept of "Subviews". This UI enhancement is there mainly for better organization of your views and gives you freedom for creating your own categories on website. It also speeds up the web by allowing you to focus on the resources you really need to load instead of loading every resource every time. Subviews are displayed as a left navigation menu that allows you to quickly go to different views for a node. You can enable Subviews by clicking Customize Page then the "Enable left navigation" button.




As you can see you may create your own tabs anywhere, NPM 10.4 also comes with pre-defined subvies in order to help you with intuitive navigation.

Let's continue with another important enhancement.


Universal Device Poller (UnDP) improvements


UnDP - something that NPM users know very well. NPM didn't support multiple device pollers in a single chart. This is useful when you need to correlate trends between various metric from your device (temperature vs. CPU frequency vs. fan speed). 10.4 gives you the possibility to define new type of chart where you can put various UnDP pollers on your "Y" axis like this:


You can simply click "Add More" and select your existing custom poller. Then you need to define units for your data. NPM can automatically convert some kind of units into higher or lower metric (for example bytes to Kb) so you can read it on your chart without counting zeros. This chart also runs on the new engine so you can use zooming and other features.




























Another useful improvement for UnDPs is UnDP Parse Transform function. This is little bit advanced feature to use. It is especially useful when you have custom pollers that return a text string and you have to parse the text string to remove the number and use it in a transform function. If you want to use it, go to the UnDP application (Windows start menu -> SolarWinds Orion -> Network Performance Monitor -> Universal Device Poller) on the NPM server. For the formula use the following syntax: parse((REGEX,{POLLER}) as you can see on the picture bellow.


The regular expression you need will depend on the string you are trying to parse.

We also tweaked UnDP polling retention settings capabilities. If you go to the UnDP settings you may now change the polling interval for each pollers type and also define retention period for the UnDP statistic data and summaries.



Those are just most visible new features in the new Network Performance Monitor. I would like to briefly mention other important and useful features:

  • Support for Microsoft Windows 8 (for evaluation purposes) and Windows Server 2012
  • Native support for HP MSM 760/765 wireless controllers.
  • De-duplication of nodes with the same IP address


You may also see release notes for the list of bugs we fixed.


As you can see, this release is really big one and I would like to thank you - our great Thwack community for your contribution and willingness to help us understand what problem do you need to solve. Thanks!

It's been a busy week or two here at SolarWinds, another release candidate is heading your way. I know, I know, you're as excited as when the new phonebooks came and your name was in print!


In true "You Asked, We Listened" style, Log & Event Manager (LEM) 5.5 is going to be a release focused almost entirely on YOUR feedback. We did a ton of customer interviews, Q&A, and show and tell, and have been tracking your feedback on Thwack and support cases. We took the top few items and we decided to get something into your hands sooner rather than later.


Spot issues more quickly with new Top 10 and Health widgets on the LEM Ops Center dashboard


We heard from you that you wanted it to be fast and easy to discover issues, spot trends, and have a dashboards that mix in real-time data with other information. What we've done is added new default widgets that let you spot trends and trouble faster by monitoring the most common things - nodes on your networks, users, and events - in more Top 10 and health-oriented way. We've added 5 new widgets that are right up your alley. In no particular order...


Node Health: sometimes it's most useful to know that a node HASN'T sent you data lately. Maybe a remote site dropped off the map, your firewall configuration disabled logging, or something's not quite right. The Node Health widget shows you a summary of node status, when the last event was received from that node, and any version/OS information we might have (from agents).



Top 10 Events, Users by # of Events, Nodes by # of Events, and Rules by # of Rules Fired: these widgets surface information about frequency of events in the big picture, helping you spot trends and potential anomalies. Use the Top 10 widgets to see your most common type of event (filterable by different general types/groups of events), usernames that appear most frequently across events, nodes  that appear most frequently across events, and rules that are being most frequently triggered. These will help you spot items at the top that shouldn't be (why is "administrator" logging on so frequently?), sudden spikes in data (why is my server suddenly generating the most events?), and unexpected high severity events (security issues, scans, or suspicious activity).




Troubleshoot node and user issues with our new Node and User Details Drill-Down Dashboards


We're starting to pull pieces together to enable faster common patterns that our customers use when you want to investigate problems. Those new Health and Top 10 widgets mentioned up above follow a new drill-down pattern that we're introducing on the dashboard by combining info into new dashboards. The Node Details and User Details dashboards will show a summary of the node/user and all events related to that node/user name.


If you've spotted an unexpected trend with a user (say, "Administrator" really is coming up a bunch and you don't know why), click on that user from the Top 10 Users widget to see detail associated with them, and most importantly their most recent events to help troubleshoot the "why". Refine the chart further to find out only certain types of data (say, only changes related to "Administrator" - changes they are making or made to them).




Similarly, if you've spotted a server generating an unexpected amount of error or warning traffic, you might want to check out the last 10 minutes of events to see if there's any commonalities.




Automated configuration for syslog and SNMP-trap based device integrations


Thanks to some great suggestions from you, our support team, and our sales engineering team, we've found a way to make configuring new devices much simpler with some automated configuration. Instead of having to manually configure a connector to match your syslog device up to our connectors, we've made it possible for you to enable syslog (or SNMP trap) forwarding to the appliance and push a button to add the node. But wait, there's more! We've also made it possible for you to scan on-demand for ANY new data, in case you're not sure how many devices or what types have been configured. You'll find these new buttons in Ops Center in the new Node Health widget and in Manage > Nodes.


If a scan is going to take a while, you'll see a notification and the scan will get backgrounded. When new nodes are found, you'll see a handy notification:


When you click the "View Now" you'll be taken to the discovery/scan results, and you have a chance to confirm that you'd like to add new connectors to monitor the detected sources. This summary presents you information about what IP address was generating the data and what vendor/connector will be configured:


After you confirm, magic happens and these connectors are automatically hooked up to those log sources. Note: You won't see new nodes appear until data appears. In the example above, I won't see data from for "Checkpoint Edge-X" until that IP address sends me more data. Nodes appear with the data, but we scan historical data to do the discovery magic. As those nodes appear, you'll see the yellow notification appear with a confirmation as to which IP addresses are now sending data.


Also handy, when new nodes appear for existing connectors, you'll get the same notification that tells you what's happened. This happens if you've already got a connector configured for, say, a Cisco firewall, and you start logging another Cisco firewall to the same facility. You don't need to configure another connector, but LEM will let you know something new is now sending you data.


...and more!


A few other things you'll notice:


  1. New Default Filters: We totally revamped our default filters to match your use cases better. Filters are grouped for Overview, Security, IT Operations, Change Management, Authentication, and Compliance, and all have some handy default widgets.
  2. More Help & Thwack Widgets: We've added a "What's New in LEM" and Thwack feed widget, along with help widget updates to help you find features that lots of people didn't know existed.
  3. Event is the new alert. After listening to you talk about LEM, we've modified our in-product language to match how you think about events. Things that come in to raw logs are called "messages", these get normalized into "events", which you can then trigger rules on, which may cause "alerts" like notifications or incidents to be fired in addition to active responses. There are still a few things that say "Alert" (e.g. SecurityAlert) that we're saving for a future update, but for the most part, Event Event Event.
  4. What the heck is a NATO5? We've also eliminated a few of the things that made your brow wrinkle, including renaming rules that are on by default "Default Rules" and rules that are templates for you to use "Rule Library." Along similar lines, we've made it clear that the thing that connects logs to the system are referred to as "connectors" in LEM as well as elsewhere.
  5. Support for Windows 8/2012, including Hyper-V 2012: We had a compatibility issue with Hyper-V on 2012 that has been resolved. Additionally, we've confirmed you can use the LEM Console in IE 10 on Windows 8, and install the agent in Windows 8 and 2012 (you'll need to run it in compatibility mode for now until we resolve an installation issue, though).
  6. Customer requests & fixes: Common reported issues include the node statusbar showing non-agent nodes as "disconnected" - now they have a separate entry from agents; refresh and edit buttons are more obvious in Ops Center and nDepth; performance improvements in rules; hotfixes from 5.4 rolled in to 5.5; and lots of new connectors. A full list will be included with the release notes.


Notes for Upgrading Customers


We didn't touch your existing filters or dashboard configuration, we didn't want to mess with your feng shui (or your "zen thing, man"). You can always add the new dashboard widgets to Ops Center by going to Ops Center's "Widget Manager" and perusing the "Additional Widgets" section. For filters, if you're interested in the new defaults, the easiest thing to do is create a new user and check them out to see if you're interested. We can either help wipe out your existing settings and revert to the default, or you can export/import only the stuff that looks good.


If you've got existing connectors already configured and want to try out the new connector discovery scan workflows, no worries. Anything you've already got configured will stick around and we won't configure duplicates. A very small number of you who had connectors configured for /var/log/messages or /var/log/syslog will want to run the new node scan after upgrading to pick up the new default configurations.


Lastly, you'll notice in some places where you had items that said "Alert" they now say "Event". We avoided changing some things (like filter names and descriptions), but others (like groups) will be updated.


Download, download, download! And share your feedback


All LEM and SIM customers under active maintenance can download the 5.5 RC by going to the Customer Portal and clicking "Choose Download" next to the RC. If you want to deploy a new system, use the new installers. If you'd like to upgrade, download the upgrade, and be SURE to check out the instructions (you'll need to extract it to a share - generally the root of a share is safest - and then go to the virtual console or SSH to get it installed).




To give us feedback, join the Security Event Manager (SEM) Release Candidate group on Thwack. What do you think about the new widgets? Are there more you'd like to add? How's automated configuration treating you? Anything we missed or is confusing? Would you like to know more!?

If you are an active user of IP Address Manager and User Device Tracker, you know that having port, IP address & connected user information is important during troubleshooting. Understanding of who is using given IP address and where an IP address is physically connected is critical for IT engineers so they can focus on specific device or user if needed. It is also important if an user that is currently using such IP address is expected to use it according to your IP subnet rules. IPAM and UDT are well integrated via single web console but there is a way how you can see UDT related information directly within your IPAM subnet detail page and save your time.


IPAM and UDT already have this data so we prepared a small script that can help you to see port, AD account or port history link directly in one row in IPAM. So the output may look like this:






If you are missing a module, download links are provided for evaluation - only IPAM and UDT are required.

This script will allow you to pull data from modules other than UDT also (NetFlow for example). If you are a skilled power shell user, you may edit our script and modify the data you would like to see in IPAM. It uses custom properties so it should be something you are familiar if you have used IPAM before. IPAM custom properties are bit different than custom properties you may know from NPM or SAM. IPAM has "string" and "url" types of custom properties.


First, you need to meet these requirements before installation:

  1. You need the Orion SDK - download here. Please refer to SDK setup issue or how to set-executionpolicy unrestricted articles in case of issues.
    • Create ALL of the following REQUIRED custom fields/properties in IPAM exactly as you can see below:


    Populated by - UDT

      1. 1.      Switch
        1. a.      Field Type - Text
        2. b.      Max String Length - 100
        3. c.      Description - Name of the Switch the IP is plugged into
      2. 2.      Port_Link
        1. a.      Field Type - URL
        2. b.      Link Title – Port History
        3. c.      Max String Length – 500
        4. d.      Description – Link to Port Details in UDT
      1. 3.      Interface
        1. a.      Field Type - Text
        2. b.      Max String Length - 100
        3. c.      Description – Interface name where the IP was last seen
      1. 4.      ConnectionType
        1. a.      Field Type - Text
        2. b.      Max String Length - 100
        3. c.      Description – Direct vs Indirect connection
      2. 5.      VLAN
        1. a.      Field Type - Text
        2. b.      Max String Length - 100
        3. c.      Description – VLAN the IP belongs to
      3. 6.      MACAddress
        1. a.      Field Type - Text
        2. b.      Max String Length - 100
        3. c.      Description – MacAddress for the IP
      4. 7.      SwitchIP
        1. a.      Field Type - Text
        2. b.      Link Title – Port History
        3. c.      Max String Length - 100
        4. d.      Description – IP Address of the switch
      5. 8.      IPDetails
        1. a.      Field Type - URL
        2. b.      Link Title – Port History
        3. c.      Max String Length - 500
        4. d.      Description – Link directly to the IP Details in UDT
      6. 9.      ADAccount
        1. a.      Field Type - Text
        2. b.      Max String Length - 100
        3. c.      Description – AD Account most recently logged in
      7. 10.  AccountLogonTime
        1. a.      Field Type - Text
        2. b.      Max String Length - 100
        3. c.      Description – Login Time

    Populated by - NTA

      1. 1.      NetFlowData
        1. a.      Field Type - Text
        2. b.      Link Title – IP Traffic
        3. c.      Max String Length - 500
        4. d.      Description – Link to Netflow data filtered for the IP


    Populated by - VNQM

      1. 1.      Extension
        1. a.      Field Type - Text
        2. b.      Max String Length - 100
        3. c.      Description – IP Phone extension in VNQM
      2. 2.      PhoneDetails
        1. a.      Field Type - URL
        2. b.      Link Title – Phone
        3. c.      Max String Length - 100
        4. d.      Description – Link Direct to IP Phone details in VNQM

    Populated by – NCM

      1. 1.      NCMID
        1. a.      Field Type - URL
        2. b.      Link Title – NCM Node
        3. c.      Max String Length - 100
        4. d.      Description – Link Direct to NCM Node Details
      2. 2.      NCMConfig
        1. a.      Field Type - Text
        2. b.      Link Title – Config
        3. c.      Max String Length - 100
        4. d.      Description – Link Direct to NCM Config

    Now it's time to open the script and fill in credentials and variables (the pink text in the image below):


    • IPAMDBUsername – The username used to connect to the IPAM Database
    • IPAMDBPassword – The password used to connect to the IPAM Database
    • IPAMdbServer – The IP address of the IPAM Database server
    • IPAMdatabaseName – The Name of the IPAM Database
    • integratedAPIServer – The IP address of the IPAM server
    • integratedAPIUserName – Account used to login to the webconsole - with permissions to all modules
    • integratedAPIPassword – Password used to login to the webconsole

    Once you prepare your credentials you can run the script.

    You should run the script from windows command line (open the Windows Start menu -> All Programs -> Accessories -> Command Prompt). You need to run the script a couple of times to make sure all of the credentials and properties setup correctly.  Once you have done that you should be able to schedule it as a recurring windows task.

      • NOTE: The script will tell you how long it took to run… a good idea or the best idea is to not schedule it to run more frequently than the time it takes to complete.
      • EXAMPLE: If it takes 5 minutes to run, I would schedule it to run every 30.


    The final step is to configure the UI and display your new columns in the IP Address view. Click on the column and select new custom properties from the list.



    If you want to see data from SAM or SEUM you may modify script and your custom properties accordingly.


    DISCLAIMER: This script offers a great sneak peek at integration we’re working on productizing and we’d love to get your feedback on this concept – see this IPAM post for more info.  HOWEVER, we must point out that this script is NOT officially supported by SolarWinds support and they will NOT take cases on this functionality.  Any bugs or problems with the script-based integration are subject to thwack forum support ONLY, so please keep that in mind when deciding if it’s something you want to try in your production environment.  Happy testing!


    Script download link

    Each of the products in the SolarWinds portfolio of products brings unique capabilities to the table to make I.T. management in your organization a much less painful process.

    • Server & Application Monitor (SAM) provides the ability to monitor servers and the applications running on them, and display status and generate alerts based on that status.
    • Log & Event Manager (LEM) provides the ability to collect log events from servers and network devices, and correlate those events.

    Combining these two products in a cooperative effort can have exponential impacts on reducing the effort involved in managing I.T. those improvements. Let's look at two examples of scenarios where these products can enhance each other.


    SQL Server performance loss

    In our first example, consider the scenario where you have configured SAM to monitor an instance of SQL Server. SAM tracks a number of state and performance values on a SQL Server instance. One of the performance values that can be tracked is the amount of time consumed in running queries. If the queries exceed the defined performance threshold, SAM generates an alert that the condition exists. This information, however, requires further action. By itself it might require involvement of additional people, other tools, and will likely take some time to track down.


    Adding LEM into the mix allows us to leverage the ability to correlate that performance metric with actual events that have occurred in that SQL database, SQL instance, and the server hosting the database engine. In addition to displaying the alert on the SAM console, we configure SAM to send that alert direct to LEM. LEM receives the alert, and through LEM's event log analyzer and the use of correlation rules, it can help to identify specific events that correlate to the performance degradation. In this example we discover that a configuration change made to the database by a DBA has resulted in the observed performance changes reported by SAM.


    Exchange server farm reliability

    In another example, consider the volume of log messages that are generated by an Exchange server farm. These log messages involve logons, logoffs, mail receipt, mail sends, distribution list expansions, and a whole host of other activities. The amount of events generated by a busy Exchange farm is really extensive. LEM allows us to use these correlation rules to identify issues on a more macro-scale than individual events. In our example the LEM correlation rule on a collection of Exchange events identifies a potential reliability issue with the Exchange server farm. LEM generates an automated alert to SAM, which results in a single Exchange monitor alert displayed on the SAM NOC view, and a technician can be dispatched to begin the investigation before the actual outage occurs.


    Cooperative benefits

    In both of these examples, SAM and LEM provide complimentary features that play to their own strengths. SAM has a great reporting dashboard that can focus on high-level status information, and LEM has a powerful correlation rules engine that allows for the automated interpretation of thousands of discrete events that represent trends in the state of an application or system.

    SAM-LEM Cooperation.png

    Both products are available for download today [SAM][LEM] with a 30-day evaluation. If you’re already using one of these great products, explore the benefits of enhancing your environment with the other.

    Hi all,


    We have officially reached release candidate (RC) phase for IPAM 3.1.

    If you are an existing IPAM customer under active maintenance, you can install the RC. RCs are fully supported and made available to existing customers prior to the official release.


    Our engineering teams are working on the most wanted features in order to help you with DHCP, DNS, IP address management (DDI).

    First, we added support for DNS management. IPAM 3.1 RC can manage your Microsoft DNS services. You can create, modify or delete zones directly from a web console (no more RDP connections to the server):

    DNSZone add.png


    Second, you can also manage your DNS records within the same web console - this is very useful when you provision new serves or if you want to look for obsolete DNS records. To do that, click on the "DNS zone" tab and then on the "DNS records" button:


    Then you will see a list of existing DNS records within given zone. When you click on "Add New" you will see following dialog and supported DNS record types:

    3.1 dnsRecAdd.png

    Your DNS changes are immediately propagated on your DNS servers, also you may see changes from your DNS servers in IPAM.

    Third, we extended DHCP functionality on Cisco devices - including Cisco ASA devices. That means you may manage your IP address reservations, exclusions or DHCP scopes with the same method as you were used to in previous release of IPAM for MS DHCP services. For example, to do an IP address reservation, navigate to your Cisco DHCP scope, pick an IP address that you want to reserve and change its status to "reserved". IPAM will take care of all the background communication with your Cisco DHCP device.


    You may also notice improved UI for IP subnets and exclusions for your scopes. This is important in case you want to understand what is the distribution of your DHCP scopes:

    3.1 scopes&split.png

    And finally we added support for split scope scenarios on your Microsoft and Cisco DHCP servers. Split scope actions are widely used for high availability and load balancing performance purposes. You may find it in both Microsoft and Cisco DHCP best practice whitepapers. Microsoft and Cisco don't offer a easy to use GUI to do that. We decided to design a brand new interactive wizard for split scope action. To create a new split scope you need to select an existing DHCP scope under the "DHCP Scopes" tab. You also have to have at least two DHCP servers (so the second server may handle newly created scope). Then you click on the "split scope" button and IPAM will show you the three step wizard for configuration. You may simply use the slider to define an IP address ratio for your existing and new scope:

    10-9-2012 15-59-04.png

    IPAM 3.1 can also poll data about existing scopes from your DHCP servers and it can also detect disabled scopes.

    We are looking for your feedback and the RC is ready for download in case you are an IPAM user under active maintenance. Please follow this link to see RC discussion or participate in the RC IP Address Manager 3.1 Release Candidate 1 available for download

    IPAM 3.1 RC also adds support for SQL 2012 and various bug fixes.



    Filter Blog

    By date: By tag:

    SolarWinds uses cookies on its websites to make your online experience easier and better. By using our website, you consent to our use of cookies. For more information on cookies, see our cookie policy.