
Product Blog


I am excited to say that Database Performance Analyzer 10.0, with MySQL support, is now available.  For the Orion users out there we have also extended the DPA data for MySQL into the integration. DPA 10.0 is now available in the customer portal to download for customers on active maintenance.  If you are new to DPA and want to try it, you can download an evaluation from the SolarWinds website.

New Features in 10.0

 

  • Support monitoring MySQL in DPA
    • Register and monitor your on-premise, cloud, and RDS MySQL instances.
    • Multi-Dimensional Monitoring of MySQL
    • Advisors for MySQL
    • Metrics for MySQL
    • Integration between DPA and Orion for MySQL instances
  • Baselines for Resource page
  • Updated Resource collection for SQL Server, No More WMI!!!

Note: DPA 9.5 was renamed to 10.0 before release.  If you are running the release candidate DPA 9.5, no need to rush to upgrade to 10.0.

 

 

Register MySQL Instances

 

Register MySQL on-premise and in the cloud (RDS & EC2). Whether your MySQL instance is on RDS, EC2, or on-premise, the data shown in DPA is the same! Register a MySQL instance the same way you would any other supported database in DPA. Have several instances to register? No problem: use the Mass Registration wizard, which can be found in Options.

dpa95regi.png

 

 

Multi-dimensional Monitoring of MySQL

 

MySQL DBAs have never really had a tool that could show them their problem SQL statements. A lot of tuning work comes from the slow query log and monitoring metrics. While this can be important, this tuning path often misses the SQL that most affects the user. You certainly can't find a query in the slow query log if it runs in .01 seconds. However, if that query is now running in .1 seconds and it runs thousands of times in an hour, it is most definitely the biggest pain point for your users.

 

In the screen capture below, you can see I have drilled into the familiar 'Time' dimension. From here, I can easily click the Database tab to select and isolate the SQL statements that are coming from one specific database. This isolation can be done for any of the dimensions.

dpa95dimension.png

 

The new dimensions for MySQL are 'Wait Instruments' and 'Operations'.

  • Use the Wait Instruments dimension to drill into the granular detail of what a specific wait is doing. As an example, I can drill into the 'updating' wait and then choose to see just the queries that are in the 'io/file/innodb/innodb_log_file' wait instrument versus the 'lock/table/sql/handle' instrument.
    • Wait Instruments are exposed by MySQL if the MySQL Performance Schema is enabled. Wait Instruments are based on instrumented portions of the DB engine that you can enable at startup or during run-time via the Performance Schema configuration.

dpa9.5waitinstrumentupdate.png

  • Using the example mentioned above, once I select the 'io/file/innodb/innodb_log_file' wait instrument, I can go to the Operations tab and see the SQL statements that are performing either sync or write operations.
    • Operations are exposed by MySQL if the MySQL Performance Schema is enabled. Operations are based on instrumented portions of the DB engine that are enabled by enabling Wait Instruments.

dpa95operation.png
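The two bullets above describe what DPA shows once the MySQL Performance Schema instruments are enabled. The following is an added example (not DPA's own code or queries) of doing the same thing by hand against MySQL: it turns on the wait instrument families named above at run time, lists which of them are costing the most time, and then ranks statements by total rather than per-execution time so that the ".01 second query that runs thousands of times" surfaces. It assumes performance_schema is ON and a user with UPDATE privilege on the performance_schema setup tables; in MySQL the full instrument names carry a 'wait/' prefix, so 'io/file/innodb/innodb_log_file' is wait/io/file/innodb/innodb_log_file.

```sql
-- Added example (not DPA's code): enabling and reading MySQL Performance Schema
-- wait instruments at run time. Assumes performance_schema=ON and a user that
-- may UPDATE the performance_schema setup tables.

-- 1. Enable and time the instrument families discussed above.
UPDATE performance_schema.setup_instruments
   SET ENABLED = 'YES', TIMED = 'YES'
 WHERE NAME LIKE 'wait/io/file/innodb/%'
    OR NAME LIKE 'wait/lock/table/%';

-- 2. The per-event tables (events_waits_current/history) need their consumers
--    on; the summary tables queried in step 3 only need the instrument enabled.
UPDATE performance_schema.setup_consumers
   SET ENABLED = 'YES'
 WHERE NAME IN ('events_waits_current',
                'events_waits_history',
                'events_waits_history_long');

-- 3. Which wait instruments account for the most time?
--    TIMER columns are picoseconds: /1e12 gives seconds, /1e9 gives milliseconds.
SELECT EVENT_NAME,
       COUNT_STAR                      AS waits,
       ROUND(SUM_TIMER_WAIT / 1e12, 3) AS total_s,
       ROUND(AVG_TIMER_WAIT / 1e9,  3) AS avg_ms
  FROM performance_schema.events_waits_summary_global_by_event_name
 WHERE EVENT_NAME LIKE 'wait/io/file/innodb/%'
    OR EVENT_NAME LIKE 'wait/lock/table/%'
 ORDER BY SUM_TIMER_WAIT DESC
 LIMIT 10;

-- 4. The fast-but-frequent statements the slow query log never shows:
--    rank by total time across all executions, not by time per execution.
SELECT SCHEMA_NAME,
       LEFT(DIGEST_TEXT, 80)           AS statement_digest,
       COUNT_STAR                      AS executions,
       ROUND(AVG_TIMER_WAIT / 1e9,  3) AS avg_ms,
       ROUND(SUM_TIMER_WAIT / 1e12, 3) AS total_s
  FROM performance_schema.events_statements_summary_by_digest
 WHERE SCHEMA_NAME IS NOT NULL
 ORDER BY SUM_TIMER_WAIT DESC
 LIMIT 10;
```

Run-time changes to setup_instruments do not survive a restart; to make them permanent, add the equivalent performance-schema-instrument='wait/io/file/innodb/%=ON' lines to my.cnf. Step 4 is the check worth keeping in a DBA's toolbox even without DPA: sorting by SUM_TIMER_WAIT is what exposes the statement that is individually cheap but collectively the biggest pain point.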

 

Advisors

 

You may say 'Ok Kathy, that is a lot of information and all of this data is great, but what do I do with it?'. That is where the Advisors, Query Advice, and wait advice in general come in. Let's say we saw a lot of blocking with a SQL statement. I click on the Query Advice and select the SQL statement I am concerned with.

 

Below is an example of the Query Advisor in DPA.  You can see the highest hours that had blocking, an explanation of what Blocking is, and other areas to look in DPA to troubleshoot this problem further.

 

dpa95advisor.png

 

 

Resource Metrics

 

DPA has added more out-of-the-box metrics for MySQL than we have for any other database we support. The good news is you get all these metrics PLUS you can still create a custom resource metric, just like you can for the other monitored instances.

 

DPA95metrics.png

Note: This is one area of DPA that provides more detail for InnoDB than for other engines.

 

Integration with Orion

 

We are building on what we did in the previous 9.2 release by giving SAM and Orion users the ability to see MySQL in Orion.

  • Dashboard views for NOC teams.
  • Publish response time analysis data to application monitors used by development and support teams.
  • See what is happening on your hosts and be able to correlate host activity to database activity

 

To see the full integration with Orion, see Announcing DPA 9.2 GA: Is it the Application or the Database?

dpa95dpao.png

 

Baselines for Metrics Page

 

Let's go back to that Resource (metrics) page for a moment. You may notice something new. Yep, that is the same 'Show Baselines' button that is on the Resources tab. When there is a metric in alarm on the home page (here the Memory warning alarm is circled), you want to click on that alarm to find out more details.

 

dpa95home.png

 

You can see that clicking on that warning icon brings you to the Memory tab on the metrics page. However, once we got to the Resource Metrics page, we noticed that there is a critical issue with Sorts and the Memory issue has resolved itself. Here you can see a short snippet of what this metric means as well as the baseline for the metric. You can easily see that the Row Sort Rate is higher than the baseline for this hour. This would call for more investigation in DPA.

dpa95baseline.png

 

So the obvious next question is 'How can I download DPA 10?'

 

For current customers, just log into the Customer Portal to download DPA 10.0.

If you want to try out DPA for the first time, download it from the SolarWinds website.

 

What's next for DPA?  You can review our What We Are Working on post  What We Are Working On for DPA (Updated Feb 11, 2016)

(updated on November 12, 2015)

 

As a part of helping untangle compliance initiatives, a popular request on the federal side is FISMA (Federal Information Systems Management Act) Compliance and support for the Risk Management Framework (RMF). In this post, I'll outline what FISMA compliance is, we'll walk through FISMA bit-by-bit, and we'll talk about where SolarWinds products can help.

 

FIS-WHAT? What is FISMA AND RMF? And how does NIST play into it? And FIPS?

 

What it actually means to take on what's commonly referred to as "FISMA Compliance" is described in several NIST (National Institute of Standards and Technology) publications. The number of NIST publications out there is pretty impressive, but there are really only a few we're interested in. A couple of these are FIPS (Federal Information Processing Standard) publications - usually when we think of FIPS we think of encryption, but here we're mostly focused on risk analysis.

  1. NIST 800-37: Establishes the Risk Management Framework as the security life cycle approach.
  2. NIST 800-53: This is the main "FISMA Compliance" publication. This describes what controls need to be applied to different systems.
  3. FIPS 199 and FIPS 200: These two documents describe how to perform risk analysis and categorization for systems on the network. You'll need this categorization when you actually go to implement 800-53.

 

Here's a great summary, though wordy, of how all of that fits together:

FIPS Publication 200, Minimum Security Requirements for Federal Information and Information Systems, is a mandatory federal standard developed by NIST in response to FISMA. To comply with the federal standard, organizations follow the Risk Management Framework to determine the security category of their information system in accordance with FIPS Publication 199, Standards for Security Categorization of Federal Information and Information Systems, derive the information system impact level from the security category in accordance with FIPS 200, and then apply the appropriately tailored set of baseline security controls in NIST Special Publication 800-53, Security and Privacy Controls for Federal Information Systems and Organizations.

 

Okay, okay, how about the super simple version? In order to implement FIPS 200 with NIST 800-53, you have to first do the risk categorization in FIPS 199. Whew!

 

Navigating and Implementing NIST 800-53 - High Level

 

We'll leave the whole exercise of assigning risk up to you, since it'll be different for each environment. Once you've done that, as you walk through the 800-53 requirements, you'll see different controls that need to be applied at different levels. Generally, you'll have to comply with the "document" and "policy" controls across all risk levels, but some of the finer controls may not need to be applied to all risk levels.

 

NIST 800-53 and the RMF provide a great breakdown of the steps that need to be applied. Of interest to us when it comes to where SolarWinds products can help are:

  • Step 3: Implement controls
  • Step 4: Assess controls are working correctly
    • Our security product portfolio, including NCM, and Log & Event Manager (LEM), can be used to make sure controls have been implemented correctly.
  • Step 6: Monitor
    • Lastly, several products, including LEM, Network Performance Monitor (NPM), and NCM, can be used to make sure that controls are working as expected, bypasses aren't attempted, and produce reports that can be used to prove it.

 

I'll walk through each control and identify relevant products for each category as I go, so you don't have to memorize them all just yet.

 

Key Out of the Box Content for NCM and LEM

 

Before we dig into implementing key controls (Step 3), as a part of assessing and monitoring controls (Step 4 & Step 6), there is out of the box content included in NCM and LEM that is designed to help:

  1. For LEM:
    1. There are hundreds of out of the box reports, many of which are categorized for FISMA specifically. These reports really help address the Assess/Monitor by helping look for exceptions to controls, unexpected changes or activity, or attempts to bypass controls. In the LEM Reports Console, navigate to Configure > Manage Categories, select FISMA, then click OK. To see the list, go to View > Industry Reports.
      1. LEM-industry-reports.png
    2. In addition, LEM includes dozens of correlation rules categorized for different compliance initiatives that can help - and be quickly enabled. From the LEM Console, navigate to Build > Rules, and either launch the Add Rule Wizard or navigate to the categories on the bottom left. I'd recommend starting with General Best Practice, but as we go through the actual controls you should find relevant correlation rules where real-time notifications are useful.
  2. For NCM:
    1. There are several templates included to help (starting with NCM 7.4 - DISA STIG and NIST FISMA Reports Now Shipping with NCM! - earlier versions can download from the Content Exchange):
      1. NIST - Services: identify services exposed on network devices
      2. NIST - Remote Access: identify remote access enabled on network devices
      3. NIST - Management: identify management protocols used on network devices
      4. NIST - Access Lists: identify key access control lists that should be present
    2. In the NCM web console, under CONFIGS, then Compliance, you should see them listed under the NIST category.
      1. NCM-FISMA.png

 

Control-by-Control Details

 

You might want to get a cup of coffee (or tea) while you read through this, as there's a lot here. The entirety of Appendix F of 800-53 actually describes the controls and implementing them in detail. I'm going to skip over a lot of them since they don't apply to implementing SolarWinds products, but I'll include a description for each and more details where they are especially relevant. Got your warm beverage? Let's get going.

 

  • AC-X: Access Control
    • General Notes: In general, there's a few areas our products can help, but a lot of these controls will be implemented at the policy or device level. For some of these, NCM can help you distribute configuration or identify violations where it comes to network devices; LEM can help audit and monitor for potential changes.
    • Of interest:
      • AC-2: Account Management:
        • You could use LEM to identify accounts that are created outside of these controls - e.g. service accounts being added to unexpected groups - either in real-time or via reports.
        • You could use LEM to audit when passwords were changed on accounts, when users were added to groups, etc - either in real-time or via reports.
        • LEM can help satisfy AU-2(2): Automated Auditing for creation, modification, enabling, disabling, and removal, either in real-time or via reports.
        • LEM can assist with AU-2(12): Atypical Usage by looking for logon activity or patterns that are outside your environment norms, either in real-time or via reports.
      • AC-4: Information Flow Enforcement
        • LEM can help with AC-4(17) - ensure local authentication is not used by auditing for local authentication activity on systems (logons not to the domain), either in real-time or via reports.
      • AC-6: Least Privilege
        • LEM can help audit where things deviate from least privilege - e.g. when an unexpected user accesses certain files, systems, or commands, either in real-time or via reports.
        • NCM can help audit device policies for existing privileged users as things change, and roll out configuration changes if necessary.
      • AC-7: Unsuccessful Logon Attempts
        • Usually this is implemented in IAM/Domain/system policy, but you can use LEM to confirm this policy is being enforced and see how frequently it is used, generally via reports/historical analysis.
      • AC-8: System Use Notification
        • Where required across network devices, NCM can help distribute config or identify configs that don't match expected settings.
      • AC-9: Previous Logon (Access) Notification
        • Where required across network devices, NCM can help distribute config or identify configs that don't match expected settings.
      • AC-10: Concurrent Session Control
        • Where required across network devices, NCM can help distribute config or identify configs that don't match expected settings.
      • AC-11: Session Lock
        • Where required across network devices, NCM can help distribute config or identify configs that don't match expected settings.
      • AC-12: Session Termination
        • Where required across network devices, NCM can help distribute config or identify configs that don't match expected settings.
      • AC-16: Security Attributes
        • Depending on how controls are implemented, it's possible that LEM can help identify when things deviate from expected policy, either in real-time or via reports.
      • AC-17: Remote Access
        • LEM can help audit/monitor remote access, but not implement controls. LEM can also help audit where remote access is being used outside of expected controls (e.g. controls are being bypassed, or attempts to bypass are being made). As usual, this can be done either in real-time or via reports.
          • Explicitly, LEM can help with AC-17(1) - automated monitoring / control
        • NCM can help audit where and how remote access is being used across network devices, identify violations, and potentially roll out policy changes if necessary.
      • AC-19: Access Control for Mobile Devices
        • You may be able to use User Device Tracker (UDT) to detect usage of devices that are in those classified networks/facilities, and possibly also use LEM to identify authentication from unexpected users or devices.
      • AC-20: Use of External Information Systems
        • LEM can help audit AC-20(2) and AC-20(3) - use of portable storage devices and personal devices with USB-Defender when policy is bypassed/ignored.
      • AC-23: Data Mining Protection
        • You may be able to use LEM with SQL Auditor or Database Performance Analyzer (DPA) to identify when large queries or unexpected activity is being done to a database.
  • AT-X: Awareness Training
  • AU-X: Audit and Accountability
    • General Notes: A lot of this set of controls is about what data you might feed into a system like LEM and how that data needs to be preserved. LEM can help satisfy some controls directly. The comments below describe, for each control, how LEM treats the relevant data, how LEM should be implemented to satisfy the control, or where LEM satisfies the requirement outright.
      • A really good note from AU-6(10) to keep in mind: remember that you can adjust audit levels depending on organizational needs and risks changing! You don't have to just enable the firehose.
    • Of Interest:
      • AU-2: Audit Events
        • LEM helps serve this, but this control is about what you feed into LEM.
      • AU-3: Content of Audit Records
        • Again, LEM stores this data, but generally this is up to logging sources. Where we normalize data, we preserve these fields.
        • AU-3(2) - Centralized Management of Planned Audit Record Content - about automation. At a low level, you would serve with tools like NCM (for devices), or Group Policy, but LEM can play a factor in automating configuration to ensure the right data is captured from similar systems with connector profiles.
      • AU-4: Audit Storage Capacity
        • Depending on your storage requirements you would need to ensure LEM has enough storage capacity to meet your needs, and can implement archiving as well.
      • AU-5: Audit Processing Failures
        • LEM can generate events when agents go offline, when there's an issue storing or processing data, when it is running out of disk space, and on behalf of other systems when audit logs are cleared or when there are hardware issues we can detect via log data.
      • AU-6: Audit Review, Analysis, and Reporting
        • LEM satisfies this requirement; it is up to you to decide which systems need to be audited and for what, and to ensure the required data is logged for collection.
        • Correlation with some data sources (e.g. "non-technical sources" in AU-6(9)) may have to be a manual process done as a part of investigation.
      • AU-7: Audit Reduction and Report Generation
        • LEM satisfies this requirement
      • AU-8: Time Stamps
        • LEM satisfies this requirement (note - we will use timestamps provided by log sources as well, but may only be down to the second)
      • AU-9: Protection of Audit Information
      • AU-10: Non-repudiation
        • For data stored and accessed in LEM, LEM satisfies this requirement
      • AU-11: Audit Record Retention
        • Depending on your retention requirements, you'd need to ensure LEM has enough storage capacity to meet your needs
      • AU-12: Audit Generation
        • LEM helps satisfy this requirement
      • AU-14: Session Audit
        • With AU-14(3), you may be able to satisfy some requirements with DameWare.
      • AU-15: Alternate Audit Capability
        • You may want to set up backup logging for devices that syslog, or architect LEM in such a way that you can go to point systems or syslog servers or servers directly to ensure (prove) you can still access data.
      • AU-16: Cross-Organizational Auditing
        • Potentially, you can use LEM to foster cross-organizational auditing (exporting, providing limited access, etc)
  • CA-X: Security Assessment and Authorization
    • General Notes: for the most part, this isn't an area we can help support, but Continuous Monitoring does fall under this area.
    • Of Interest:
      • CA-7: Continuous Monitoring
        • LEM can help facilitate continuous monitoring (correlating security data, alerting, reporting). We also find many federal government customers utilizing NPM, Server & Application Monitor (SAM), and other parts of our monitoring suite to support enterprise-wide continuous monitoring.
  • CM-X: Configuration Management
    • General Notes: A few products can help here, but primarily NCM when it comes to network devices. Patch Manager and LEM can also pitch in in a few key areas.
    • Of Interest:
      • CM-2: Baseline configuration
        • For devices, NCM (and partially FSM) can help establish and automate comparing configs to a baseline, and retaining configs.
      • CM-3: Configuration Change Control
        • For devices, NCM (and partially FSM) can help test/validate/document, automate changes
      • CM-5: Access Restrictions for Change
        • You may be able to use LEM to audit when changes are made, depending on which components and policies actually changed. For network devices, NCM can help with things like dual authorization.
      • CM-6: Configuration Settings
        • CM-6(1) - automated central management - use NCM for network devices.
        • CM-6(2) - NCM can help for devices, and LEM can potentially alert on relevant events in real-time.
      • CM-7: Least Functionality
        • LEM can help audit when unauthorized software and programs are being executed.
      • CM-8: Information System Component Inventory
        • Patch Manager can help audit software and system status.
      • CM-10: Software Usage Restrictions
        • You can use LEM to audit when P2P and other software is used in general, and Patch Manager to audit what's installed on a system, but it may not ultimately be perfect.
      • CM-11: User Installed Software
        • You can use LEM to audit when software is being installed, and Patch Manager to know what's on a system.
  • CP-X: Contingency Planning
  • IA-X: Identification and Authentication
  • IR-X: Incident Response
    • General Notes: For the most part, LEM can help when it comes to incident generation and investigation, and also leveraging active response can provide you in-the-moment capabilities to deal with incidents as they occur.
    • Of Interest:
      • IR-4: Incident Handling
        • LEM can support this - including IR-4(4) information correlation, IR-4(5) automatic disabling of information system, and IR-4(9) dynamic response capability.
      • IR-5: Incident Monitoring
        • LEM may generate incidents from correlated activity, and this information can be tracked and stored (reports produced, alerts sent, etc).
      • IR-6: Incident Reporting
        • LEM can help support IR-6(1) - automated reporting to report correlated incidents detected from within LEM. (Where other SW products are used to detect and generate incidents, this is also generally true of them.)
  • MA-X: System Maintenance
    • General Notes: NCM is a key player here to help with controlling and managing approvals where it comes to network devices. LEM can help alert when stuff just doesn't seem according to expected maintenance policies.
    • Of Interest:
      • MA-2: Controlled Maintenance
        • NCM can help with MA-2(2) automated maintenance for network devices, and LEM can help audit when maintenance is taking place outside of expected maintenance windows.
      • MA-4: Nonlocal Maintenance
        • LEM can help audit MA-4(1) - auditing and review of nonlocal maintenance.
        • NCM can help with MA-4(5) - approvals and notifications - when it comes to network devices.
  • MP-X: Media Protection
    • General Notes: Most of this isn't relevant when it comes to SolarWinds products, but there's one area when it comes to removable devices where LEM's USB-Defender can help.
    • Of Interest:
      • MP-2: Media Access
        • LEM's USB-Defender can help with the USB removable media component of this.
  • PE-X: Physical & Environmental Protection
  • PL-X: Security Planning
    • General Notes: Several of the mentioned controls are those which may be supported by LEM, which can be used to centrally manage auditing and monitoring, especially within PL-9. Also interesting when it comes to PL-8 is mention of defense-in-depth techniques.
  • PS-X: Personnel Security
    • General Notes: A lot of this is external and policy-related, but think about using LEM to ensure what should happen did (i.e. Trust, But Verify).
    • Of Interest:
      • PS-4: Personnel Termination
        • May use LEM to audit usage of credentials and ensure attempts to use them do not continue after users are terminated.
      • PS-7: Third Party Personnel Security
        • May use LEM to audit usage of third party credentials and ensure attempts to use them do not continue after users are terminated
  • RA-X: Risk Assessment
    • General Notes: There's a lot of policy and procedure here, and really only one area where LEM and Patch Manager especially can help.
    • Of Interest:
      • RA-5: Vulnerability Scanning
        • Can use Patch Manager to assess vulnerable systems by missing patches
          • RA-5(1) Update Tool Capability and RA-5(2) Update by Frequency/Prior to New Scan/When Identified - Patch Manager is automatically updated with new patches
          • RA-5(6) - automated trend analysis - Patch Manager can report on patch status over time
          • RA-5(8) - review historic audit logs - Patch Manager will include audit activity of what is being patched and tracked
        • Also, you can use LEM with a vulnerability scanner to support RA-5(6) and RA-5(8) as well, along with RA-5(10) correlate scanning information.
  • SA-X: System & Services Acquisition
    • General Notes: There's not a lot that applies here to us, but it's worth mentioning that SA-4(8) speaks to ensuring new systems/apps include activity that can be monitored as part of continuous monitoring planning. Think about how you're going to monitor systems as you implement them, rather than after the fact.
  • SC-X: System & Communications Protection
    • General Notes: SC is a pretty fascinating set of controls, with everything from cryptography, to honeypots, to detonation chambers. There's a few places I made notes where SolarWinds products are relevant.
    • Of Interest:
      • SC-5: Denial of Service Protection
      • SC-7: Boundary Protection
        • Monitoring communications with LEM, NTA/NPM, and NCM/FSM for the configuration side.
        • SC-7(8) - you can also use LEM to monitor attempts to bypass proxy server.
        • SC-7(10) - you can generally use LEM for monitoring here.
      • SC-19: Voice Over Internet Protocol
      • SC-29: Heterogeneity
        • Where you have a heterogeneous environment, third party monitoring and management tools like SW (e.g. Virtualization Manager, SAM, NPM, and LEM) are more important!
  • SI-X: System & Information Integrity
    • General Notes: There's a big section for LEM in here specific to auditing (aside from the normal steps for compliance), but also a couple of other smaller areas of note.
    • Of Interest:
      • SI-2: Flaw Remediation
        • Patching - Patch Manager can help with SI-2(1) central management, SI-2(5) automatic software updates, and SI-2(6) removal of previous versions
      • SI-4: Information System Monitoring
        • This is all about LEM - also especially SI-4(2) automated tools for real-time analysis, SI-4(4) inbound and outbound communications traffic, SI-4(5) system-generated alerts, SI-4(7) automated response to suspicious events, SI-4(11) analyze communications traffic anomalies, SI-4(12) automated alerts, SI-4(13) analyze traffic/event patterns, SI-4(16) correlate monitoring information, SI-4(17) integrated situational awareness, SI-4(19) individuals posing greater risk, SI-4(20) privileged users, SI-4(22) unauthorized network services, SI-4(23) host-based devices, and SI-4(24) indicators of compromise.
        • You could also use NPM/NTA where traffic comes into play to potentially detect unexpected traffic patterns or performance issues that indicate security issues
      • SI-7: Software, firmware, and information integrity
        • Can use LEM to detect some unexpected changes, e.g. Windows does a system file check initially which can create events, and can also use LEM's FIM to detect critical system changes (files, registry keys).
          • LEM would also support SI-7(5) automated response, SI-7(7) integration of detection and response, and SI-7(8) auditing capability for significant events
      • SI-15: Information Output Filtering
        • You would want to integrate these into LEM, and consider something like LEM's SQL Auditor to detect failures when it comes to databases.
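Several of the controls above (AC-2 account management, PS-4 personnel termination, PS-7 third party personnel) come down to the same "trust, but verify" check: prove that a credential stopped being used once it should have been disabled. The following is an added example, not LEM content or LEM's rule syntax, that expresses that check as SQL over normalized logon events. The table names, columns and all rows are constructed for this illustration and are not LEM's schema.

```sql
-- Added example (not LEM's own content): verify that terminated accounts are
-- not still being used. Schema and rows are constructed for illustration.

CREATE TABLE terminated_accounts (
    username      VARCHAR(64) PRIMARY KEY,
    terminated_at DATETIME    NOT NULL
);

CREATE TABLE logon_events (
    event_time  DATETIME    NOT NULL,
    username    VARCHAR(64) NOT NULL,
    source_host VARCHAR(64) NOT NULL,
    outcome     VARCHAR(8)  NOT NULL   -- 'success' or 'failure'
);

-- Constructed sample data: two off-boarded accounts and a handful of logons.
INSERT INTO terminated_accounts (username, terminated_at) VALUES
    ('jdoe',        '2015-11-01 17:00:00'),
    ('contractor7', '2015-11-05 12:00:00');

INSERT INTO logon_events (event_time, username, source_host, outcome) VALUES
    ('2015-11-01 09:15:00', 'jdoe',        'ws-114',  'success'), -- before termination
    ('2015-11-02 23:40:00', 'jdoe',        'vpn-gw1', 'failure'), -- after: attempted use
    ('2015-11-02 23:41:00', 'jdoe',        'vpn-gw1', 'success'), -- after: account not disabled
    ('2015-11-06 08:05:00', 'contractor7', 'jump01',  'failure'), -- after: attempted use
    ('2015-11-06 08:10:00', 'asmith',      'ws-220',  'success'); -- active user, ignored

-- Detail: every logon attempt for a terminated account after its termination
-- time. A 'failure' row shows someone still holds the credential (PS-4/PS-7);
-- a 'success' row shows the account was never actually disabled (AC-2 gap).
SELECT e.username, t.terminated_at, e.event_time, e.source_host, e.outcome
  FROM logon_events e
  JOIN terminated_accounts t ON t.username = e.username
 WHERE e.event_time > t.terminated_at
 ORDER BY e.username, e.event_time;

-- Summary for a periodic report: attempts per account and whether any succeeded.
SELECT e.username,
       COUNT(*) AS attempts_after_termination,
       SUM(CASE WHEN e.outcome = 'success' THEN 1 ELSE 0 END) AS successes,
       MIN(e.event_time) AS first_attempt,
       MAX(e.event_time) AS last_attempt
  FROM logon_events e
  JOIN terminated_accounts t ON t.username = e.username
 WHERE e.event_time > t.terminated_at
 GROUP BY e.username
HAVING COUNT(*) > 0
 ORDER BY successes DESC, attempts_after_termination DESC;
```

On the sample data the detail query returns three rows (two for jdoe, one for contractor7) and the summary flags jdoe with one success, which is the finding that needs action rather than just a report entry. The same join is the shape of a real-time correlation rule: the terminated_accounts side is the HR feed, the logon_events side is the normalized authentication stream, and anything that matches after terminated_at is the alert.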

 

Double whew! I bet your hot beverage cup is empty at this point, perhaps I should have warned you to use the large one.

 

Got FISMA?

 

Hopefully at this point we've given you a lot more info on how we can help you get moving with FISMA compliance. If you've got questions, feel free to post them and we'll update the post as things change or more details are necessary.

Now that Virtualization Manager (VMAN) 6.3 includes new management actions, alert remediation, and more, we've moved full steam ahead on the next release. We are continuing the evolution into a complete monitoring and management tool for virtualization environments. Here are the highlights of what we are currently working on:

 

  • Continued integration into the SolarWinds Orion platform
  • Orion Global Search
  • Recommendations - Recommended actions to take to ensure performance, optimal capacity, avoid potential issues, and improve uptime.
  • Red Hat Enterprise Virtualization (KVM) support
  • Citrix XenServer Support
  • Cloud Monitoring and Management
  • VMware vCenter and Microsoft Hyper-V Events

 

Disclaimer: Comments given in this forum should not be interpreted as a commitment that SolarWinds will deliver any specific feature in any particular time frame. All discussions of future plans or product roadmaps are based on the product teams' intentions, but those plans can change at any time.

 

If you don't see what you are looking for here, you can always add your idea(s) and vote on features in our Virtualization Manager Feature Requests forum.

Over the last few months, the Log & Event Manager (LEM) team has been working hard on a not so short list of features. I'm excited to announce that a major feature of the upcoming release of LEM 6.2 will be something that you all have asked for time and again: Threat Intelligence Feed integration. And so, I decided to take a moment to show off a bit of what the feature will look like and provide a chance to test the new functionality.

 

So before I get started, feel free to click below to be included in the LEM 6.2 beta program to test out new features such as the Threat Intelligence Feed and more.

 

download button.png

 

What's in the Threat Intelligence Feed for me?

The concept of Threat Intelligence is one that has been covered in the world of security news for some time now. The problem is that, generally speaking, the term opens itself to a broad range of implementations and thus can mean something different to every vendor. So why should you care about the feature as it applies to SolarWinds? LEM 6.2's Threat Intelligence Feed will allow your organization to be prepared to recognize and handle already known and proven threats. With LEM analyzing your environment for activity against a list of known malicious threats, you will be able to easily incorporate the shared knowledge of top, reputable threat lists into your own workflows to protect yourself from the risk these threats pose. Since that is a lot of words, let's jump into some screenshots that will help to better clarify what the new feature brings.

 

 

From Reactive to Proactive

LEM's new Threat Intelligence Feed is what allows your organization to move from reactive detection, looking around your environment as best you can and hoping to surface suspicious activity, to the world of proactive detection - creating workflows that will ensure you know right away when known bad actors have made their way into your own environment.

 

We've all been there before - pulling down a list of threat indicators and manually searching for traces of them throughout our environment. Well, with the Threat Intelligence Feed, that won't be necessary, because the part that we know our customers will delight in most is the ease of implementation. All you have to do is check a box in your LEM console's Appliance Properties screen and you've enabled automatic coverage of some of the top threat lists available today.

 

threat_intelligence_enable.png

 

Search and Filters and Rules - Oh my!

Once enabled, LEM will automatically begin detecting threats in your environment. And if it finds something, it's readily available to you throughout LEM. The first place you'll be able to find it is through an nDepth search (see below - the highlighted event has been flagged by LEM as a known threat).

ndepth.png

 

Of course we know that search isn't the ideal way to consume such critical security information, so we will also include out-of-the-box functionality that will help you get the most value out of this feature. This includes pre-built Filters, such as the one for All Threat Events seen in the screenshot below.

filters.png

 

And, finally, who would we be if we didn't provide out-of-the-box correlation rules, allowing you to take action and alert whenever a threat event is found in your environment (just in case you don't spend your whole day in the LEM console - which is how I spend mine). See the image below for a rule to take action on a potential threat flagged by the Threat Intelligence Feed.

ootb correlation rule.png

 

In summary

While there's more in store for the release of LEM 6.2, the Threat Intelligence Feed is a feature we are excited about and hope that you are excited about too. As such, we want to get this into your hands ASAP so we can get your thoughts on it while we still have time to make fixes and improvements.

 

So if you're a current LEM customer interested in testing out LEM 6.2 and getting your hands on new features such as the Threat Intelligence Feed, sign up for the beta here.


What We're Working on for NPM

Posted by cobrien Employee Jul 28, 2015

Since the release of NPM 11.5 we've been hard at work building the next round of exciting functionality and improvements to existing functionality.  I'm excited to share the following list of items we're working on:

 


Ongoing Initiatives:

  • Increased scalability per SolarWinds instance (target of 250k elements / instance)
  • Improved performance and decreased resource load times via analysis with SolarWinds DPA
  • Increased number of pollers possible per instance

 

You can always access the most up to date version of this information here: What We're Working on for NPM (Updated April 21st, 2016)

 

Disclaimer:  Comments given in this forum should not be interpreted as a commitment that SolarWinds will deliver any specific feature in any particular time frame. All discussions of future plans or product roadmaps are based on the product team's intentions, but those plans can change at any time.

I’ve got a question for you:  "If Orion were a car, what kind of car would it be?"

current.png

 

We recently asked customers this question during feedback sessions.  The responses were quite consistent, and very telling. One user said:

 

“A Ram 1500 work truck; it’s got lots of compartments for tools but sometimes I just can’t find that wrench I need even though I know it’s in there somewhere! It’s not as luxurious or attractive as some of its competitors”

 

Agreed - Orion certainly is a workhorse! In addition to comments about the attractiveness of the design, there is a deeper theme in this quote that many other users echoed.  We can do better in terms of findability and usability. To address these concerns, we are working on a series of user experience (UX) improvements that we plan to release in addition to our normal features and functionality.

 

Catching up with the times

 

As a first step, we've been working to modernize and refresh the UI.  While these changes may appear to be a basic facelift, our primary goal is to set the stage for the future.

 

We focused on a few key areas that we've heard loud and clear from you:

  • Minimize space used by the header and make more room for data.  The current header takes up a lot of space, the tabs can be difficult to navigate (try hovering over a tab and then clicking on the last item in the menu bar), and that big yellow notification banner? No, thank you. The content on the page should be front-and-center.
  • Eliminate visual noise to help you focus on what is important.  The current visual design uses a mixture of colors, styles and iconography which are pretty on their own, but make it hard to parse the UI when they are shown all together. Taking a step back, the UI should highlight status, exceeded thresholds and alerts.  The big red things should draw your attention.
  • Simplify, but support density of information. There is a delicate balance between creating a roomy, clean visual design and showing data in proximity with other necessary pieces of information. Our goal is to stop the "pogo stick" effect, which requires you to jump around the page to find what you need. We haven't fully addressed this issue with the UI refresh, but we have taken baby steps.

 

You tell us, "If this version of Orion were a car, what kind of car would it be?"

new.png


Rome Wasn’t Built in a Day!

 

We’re putting the final touches on the modern UI, and now we’re kicking off deeper UX improvements.  Joel Dolisy, our CTO, recently referenced these efforts during the thwackCamp keynote address (1min 26sec).

 

Here is a sneak peek at some of the ideas we're investigating:

  • Re-building the front-end using browser UI frameworks and HTML5 - AngularJS, CSS3, and some cool visualization engines for those of you who really want to geek out. Here's looking at you, wanine39!
  • Pulling data from multiple sources to create powerful visualizations.  For example, stacking performance metrics on a single timeline for easy correlation (see a conceptual design below).
  • Improving user interactions to keep up with excellent browser applications - Google Maps, Photos, etc. More exciting interactions should take our products beyond useful, and in to the realm of delightful.

stack.png

 

 

Become an active partner in UI and UX design

 

Input from you, our users, has helped to shape the direction we’ve taken.  Keep the feedback coming to ensure that we stay on track! There are a couple ways to stay involved:

 

  • Get a sneak peek and share feedback on the UI refresh through the SAM 6.3 beta


  • Give us early feedback on ideas, designs and builds by signing up to participate in walkthroughs and feedback sessions with our research team (Hi Kellie!):


 

SolarWinds Time Machine


And now, for some fun, here's a brief history of the Orion UI! Which is the earliest version that you remember?


 

Disclaimer:  Comments given in this forum should not be interpreted as a commitment that SolarWinds will deliver any specific feature in any particular time frame. All discussions of future plans or product roadmaps are based on the product team's intentions, but those plans can change at any time.

It's been a while since we talked SolarWinds Patch Manager and patching in general here on the Product Blog, but with VMworld 2015 right around the corner all things virtual are on our minds. Here are a few quick considerations to make when thinking about patching and maintaining virtual systems.

 

Is patching virtual (guest) systems really different? Yes, and no.

 

At the most fundamental level, patching virtual guest systems isn't really different from patching physical systems. You back the system up (hopefully), you install patches (which you tested first, right?), and if necessary, finish with a reboot. Seems simple enough, but there are points along the way where we can really take advantage of virtual systems - and virtual systems can help back us up when we're being lazy (or hasty).

 

  1. Backing up the system: here we can take advantage of the virtual environment's ability to take snapshots, either by integration with our backup system, integration with our patching system, or by hand. Snapshots can really cover your assets when it comes to making a mistake, or if a patch has unintended consequences (not that vendors ever make a mistake, right?). If a system fails to come back after a patch or you need time to diagnose an issue, reverting to a snapshot while you clone and re-test is much simpler than the old school "revert from a backup? sigh..." or relying on Windows' ability to take reliable system restore points.
  2. Testing patches: with snapshots and a virtual environment (or even a hybrid or cloud environment), you can clone a live system into a testbed relatively easily. Gone are the days of drive imaging and system cloning, or having standby hardware in a test environment just because it's identical to production. Now, you can clone a snapshot of a production system, tweak its network and VM configuration to move it over to your test environment, and install and test patches pretty easily.
  3. Installing and rebooting: while systems are patching and rebooting, virtual environment HA configurations can help plug some of the holes of down systems without dealing with operating system clustering technologies directly. Both can be admittedly cumbersome to set up the first time, but virtual HA can save your bacon and minimize impact to your downstream users.

 

Don't forget your hypervisor!

 

When it comes to Hyper-V, patching your hypervisor really is all about patching your OS. Tools like Patch Manager are going to make it easy to stay up to date with Windows patches (AND third party patches, too). With Patch Manager on top of WSUS or SCCM, you can make intelligent groupings of systems, both for status and reporting details and for patching.

 

For vSphere (ESXi)-based systems, patching your hypervisor is a little more complex, and patches have been coming about monthly. There's actually a handy table of build numbers to patches published in their Knowledgebase that shows the patch history, and VMware has a Patch Portal to help you find and download updates that apply to you, plus see which KB articles patches resolve. I'd recommend showing the "Severity", "Category", and "System Impact" columns to help you understand which patches are most critical (keep a keen eye on security updates) and what the impact will be to running systems.

 

VMwarePatchPortal.PNG

 

 

Patching utilities for host<->guest communication is important, too

 

Within virtual guest systems, there are usually utilities that establish good host to guest (and vice versa) communication. These tools let you perform clean maintenance tasks like shutdown, reboot, and snapshot; provide time synchronization (very useful if you're doing any log analysis, troubleshooting, or anything certificate-based where time can matter a lot); and provide insight into what's on a guest or host OS.

 

When it comes to VMware Tools specifically, you won't get the tools "for free" when you bring up a clean guest OS until you install them, though thankfully most modern Linux distributions include open-vm-tools by default (or make them easy to add). For those of you tired of this deployment process on Windows, though, we've got good news! Patch Manager now includes VMware Tools packages in our third party update catalog.  With Patch Manager, you can now automatically download and deploy VMware Tools updates just like Windows (and other third party) updates.

 

For existing Patch Manager customers, you can add the VMware Tools library to your patching catalog by following a few steps:

1. Use the Third Party Updates Configuration Wizard to synchronize available updates from SolarWinds

Administration & Reporting > Software Publishing > Patch Manager Update Configuration Wizard

SynchronizingWizard.PNG

2. Click "Next" when the Wizard completes to see the full list of available updates from all vendors.

DoneSynchronizingWizard.PNG
3. Scroll down and make sure "VMware Tools" and "VMware Tools (Upgrade)" are selected from the list of subscriptions.

SelectWizard.PNG

4. Click Next to confirm your package synchronization schedule, then Finish.

PackageSynchronizationSchedule.PNG

5. To see the available packages and versions, go to Administration and Reporting > Software Publishing, then right click and select "Refresh". After doing so, you should see "VMware, Inc" appear in the list, along with the respective packages.

PackagesinList.PNG

6. From here, you can select to publish the packages to your WSUS/SCCM server (click "Publish Packages" on the right). Select x86 if you've got any 32-bit systems out there, otherwise select x64, then click Next.

PublishingWizard.PNG

7. You'll watch an awesome progress bar for a little bit as it downloads and pushes the packages... then click Next to continue.

DownloadingPackages.PNG

8. What do you know, more awesome progress bars as it pushes the packages to the Patch Manager server (there will be two at first as it pushes the files, then one warning you to be patient as it publishes). Once it's done, you can hit "Finish" to complete the publishing step.

PublishingWizardtoPAM.PNG

DonePublishing.PNG

9. If you head back up to your Updates view, you'll see the new packages in the list.

Update Services > <your server> > Updates > Third Party Updates (you might have to right click on "Updates" and click "Refresh" first).

UpdatesView.PNG

10. From here, you can do your standard Patch Manager tasks, such as approving the package for distribution and deciding which systems should receive the package/update. Click "Approve", then click on each group to approve to and click the "Approved for Install" button (in my example, I approved the update for my Servers group), then click OK. You'll see another fancy progress bar while things finish, then confirm.

ApproveUpdate.PNG

You can also automatically download and approve future versions with the auto-approval feature that is new in Patch Manager 2.1; our GA blog post has plenty of details on that feature - Announcing General Availability of Patch Manager v2.1 - Automated 3rd Party Patches & More!.

 

What's Next for Patching Virtual Systems?

 

If you check out the Patch Manager What We're Working On, you'll see specific mention of more features we're looking at adding regarding patching virtual systems - including the automated snapshotting (and potentially reverting) mentioned above.

 

What big issues do you have with patching virtual systems? What can we do to help?

Since the release of Server & Application Monitor (SAM) 6.2, the team has been busily plugging away on a long list of new features and general product enhancements.  Chief among them are improvements to the aesthetics and overall design of the Orion web interface. While not the primary focus of this blog post, it is near impossible to post screenshots for some of what we've been working on without divulging some sneak peeks into the very early stages of this interface design refresh. A follow-up blog post is currently in the works that will go into detail and explain our multi-phased approach for delivering a fresh, clean, and modernized interface for all products that run atop the Orion platform. Suffice it to say, it is our aim to accelerate overall Orion web interface performance, dramatically improve usability for many of the most common tasks, as well as refine and enhance the product's visual appearance as part of this endeavor. Continue watching the Product Blog for more specifics surrounding the Orion UI redesign, as well as opportunities to provide feedback to members of our user experience team regarding these improvements. Your feedback might just earn you some much deserved Thwack points that can be redeemed for some cool SolarWinds SWAG!

 

With that prologue out of the way, it's time to run through a few notable new features we've been working on that are sure to put a smile on your face. As always, your feedback on features such as these is essential, and the absolute best time to provide that feedback is during betas. So if you're anything like me and would rather try out the new features yourself than simply read about them, short circuit this post entirely and click the big red button below. Otherwise strap in, don your reading glasses (if you need them) and soak in the geek goodness below as I walk through some of the new features planned for this release and expose a few glimpses of the web interface redesign.

 


 

Active Directory Discovery

One of the many aspects we wanted to focus our attention on improving within this release is how servers are discovered in SAM. Network subnets, IP address ranges, and lists of individual IP addresses might seem like natural options for those of us who come from a network centric background. However, for those possibly unfamiliar with the network's design or IP addressing schema, Active Directory in many instances provides much or all of the information needed about the servers residing on the network.


Active Directory discovery can be added as an additional discovery method to any new or previously existing discovery profile and used in conjunction with the three previously available methods for complete coverage across the environment. 


Similar to the other three methods of discovery, multiple Active Directory domains may be used in the discovery profile. This is especially handy for large organizations that may have multiple domains running in their environment due to mergers and acquisitions, separation of internal business units, or even lab vs. production systems. Also, unlike Active Directory authentication to the Orion web console, there is no requirement for the Orion server to be in the same Active Directory domain as the domain controllers used for discovery.

Discovery 2 - Add Domain Controller.png


Active Directory has the distinct advantage of allowing for more precise and targeted discovery within the environment. Instead of using a very broad discovery technique such as subnets or IP address ranges, you can more surgically discover only those items you wish to monitor, such as servers and/or workstations. This is particularly useful for organizations using class B "/16" (65,534 IP addresses) or class A "/8" (16,277,214 IP addresses) subnets, where sequential network scanning techniques may take hours or even days to complete successfully. In environments such as these, much of that IP address space is unused, but it still must be swept to determine which IP addresses are in use and which are not. Active Directory, however, has a complete database of all hosts on the network which are members of the domain. Leveraging that database allows for a much more rapid scan of servers and workstations running on the network that could be monitored by SAM.


Discovery 3 - Add Domain Controller.png

Discovery 4 - Select OUs.png

Once you've added the Active Directory domain you wish to discover and clicked "Next", you are shown a complete listing of all Containers and Organizational Units (OUs) in the domain hierarchy. By default all OUs and Containers are selected, including any future Organizational Units that may be created after the discovery profile creation process is complete. Selecting the root level domain object toggles between select/deselect all, and the individual checkboxes on the left allow you to select the specific OUs to include or exclude from this discovery profile. The checkbox to the right of each OU listed designates whether to include any sub-OUs that may be created under that Organizational Unit in the future. For example: you have a root level Organizational Unit named "California" because you have only one office in that region today, located in Los Angeles. Later a new office is brought online in San Francisco. As a result you may decide to create two sub-OUs under California named "LA" and "SF" to manage group policy separately for each of those offices. The "Include Future OUs" option allows for these types of changes to occur within an OU, sub-OU, or domain without the need to update SAM's discovery profiles that are used for recurring nightly scheduled rediscovery of new devices in the environment. If not applicable or desirable in your organization, this option can of course be disabled.
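The OU selection rules just described, as an added example that is not SolarWinds code: a small Python model of a discovery profile's scope that decides which computer objects fall under the selected OUs, honouring the per-OU "Include Future OUs" flag. The domain, OUs and host names are constructed samples; DN values with escaped commas are not handled.

```python
"""Scope model for an Active Directory based discovery profile.

Added example, not SolarWinds code. Each selection is a container DN plus
the "Include Future OUs" flag; an object is in scope when it sits directly
in a selected container, or anywhere beneath one whose flag is set (so a
sub-OU created after the profile was saved is still picked up).
"""
from dataclasses import dataclass


def parse_dn(dn):
    """Split a DN into (attribute, value) pairs, leaf first, case-folded.

    'CN=x,OU=y,DC=z' -> [('CN', 'x'), ('OU', 'y'), ('DC', 'z')]
    Assumes simple DNs without escaped commas.
    """
    parts = []
    for rdn in dn.split(","):
        attr, _, value = rdn.partition("=")
        parts.append((attr.strip().upper(), value.strip().lower()))
    return parts


@dataclass(frozen=True)
class OuSelection:
    dn: str               # the selected container, OU or domain root
    include_future: bool  # the "Include Future OUs" checkbox for this entry


def in_scope(object_dn, selections):
    """True if the object's parent container matches one of the selections."""
    container = parse_dn(object_dn)[1:]  # drop the leaf CN of the object
    for sel in selections:
        sel_parts = parse_dn(sel.dn)
        if len(sel_parts) > len(container):
            continue
        # a selection applies when it is a suffix of the object's container
        if container[-len(sel_parts):] != sel_parts:
            continue
        # exact container match always counts; deeper matches need the flag
        if container == sel_parts or sel.include_future:
            return True
    return False


def discover(computers, selections):
    """Computer DNs the profile would hand to discovery, sorted."""
    return sorted(dn for dn in computers if in_scope(dn, selections))


# constructed sample domain: California has the flag, Texas does not
DOMAIN = "DC=corp,DC=example"
SELECTIONS = [
    OuSelection(f"OU=California,{DOMAIN}", include_future=True),
    OuSelection(f"OU=Texas,{DOMAIN}", include_future=False),
]
COMPUTERS = [
    f"CN=la-web01,OU=LA,OU=California,{DOMAIN}",    # sub-OU added after the profile
    f"CN=sf-db01,OU=SF,OU=California,{DOMAIN}",     # likewise
    f"CN=ca-dc01,OU=California,{DOMAIN}",           # directly in the selected OU
    f"CN=tx-app01,OU=Texas,{DOMAIN}",               # directly in Texas: included
    f"CN=austin-fs01,OU=Austin,OU=Texas,{DOMAIN}",  # sub-OU of Texas: excluded
    f"CN=ny-print01,OU=NewYork,{DOMAIN}",           # OU never selected
    f"CN=ws-lab01,CN=Computers,{DOMAIN}",           # default container, not selected
]

if __name__ == "__main__":
    for dn in discover(COMPUTERS, SELECTIONS):
        print(dn)
```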

 

Automatic Monitoring

Another primary area we focused on for this release is reducing or outright eliminating the maintenance overhead required to keep SAM up to date as new systems are brought online. Too many of us have been in similar situations where a new critical business system is brought up in the environment, and the first time there's a reported problem or issue with the system there's immediately an exchange of finger pointing amongst the responsible parties attempting to assign blame for why the system wasn't being monitored. As a result many organizations have implemented rigid policies and processes surrounding the provisioning of new systems in an attempt to mitigate these blind spots on the network. Unfortunately even the best laid plans aren't immune from human fallibility, even those with the best of intentions.

 

With that in mind we aimed to provide a mechanism that would ensure that as new systems were brought up in the environment that they would be monitored without relying on someone in the organization to manually add them to SAM for monitoring; or dig through the nightly Network Sonar Discovery Results to select which new items should be monitored. If adding individual devices manually is more your speed, or thumbing through the Network Discovery Results is how you enjoy spending your morning "me" time, those options continue to remain intact and unchanged in this release.

Discovery 5 - Automatic Monitoring.png

 

When selecting "Automatically Monitor" from the "Monitoring Settings" step of the Network Sonar Discovery Wizard you may continue on by clicking "Next" and accept the recommended defaults (only "Up" interfaces, non-removable media volumes, etc.) or use your own preferences by clicking the "Define Monitoring Settings" button. Clicking this button takes you through a mini-wizard where you are given the ability to define what you'd like automatically monitored should it be found during the Sonar discovery process. These options include, but are not limited to, interface type (trunk, non-trunk), state (up/down/shutdown/etc.) upon discovery, interface name (contains, does not contain), interface description (contains, does not contain), volume type (Fixed Disk, Mount Points, etc.), and AppInsight Applications. Additional steps may appear within the mini-wizard depending upon which Orion modules are also installed alongside SAM.

 

The next time the Network Sonar Discovery runs, either at the completion of creating the new Discovery Profile or at its next scheduled run, any items found that meet the criteria defined within the profile and are not already monitored in Orion will be automatically monitored by SAM.

 

For nodes managed via the optional Agent that was included as part of the SAM 6.2 release, these automatically become managed nodes in Orion by default when they first register with the Orion server or additional polling engine using Agent Initiated mode. Monitoring of these hosts however is limited to status, response time, CPU, and memory, without taking some additional step to select the specific items you'd like monitored on those hosts. The new automatic monitoring option shown here allows you to predefine those items just for agent managed nodes, agentlessly managed nodes, or all nodes in the environment depending upon the settings defined within the discovery profile.

Discovery 6 - Automatic Monitoring - Select Volumes.png

 

There's still more in store for this release, but we are eager and anxious to get your feedback on some of the features already starting to near completion. Please note that the absolute best time to provide feedback is during the beta, as things are still very fluid and there's plenty of time to fix bugs, make adjustments, and alter the design before release. That's right, betas are intended not only as a mechanism for finding bugs, visual defects, or other things broken in the code, but also to address usability issues and design flaws as well. If you are interested in taking SAM 6.3 for a spin and kicking the tires on some of these (and other) features, simply sign-up here. The only requirement for participation in the beta is that you own an existing license of Server & Application Monitor which is currently under active maintenance.

We've seen time and again that dividing your security attention between the inside and the outside threat (and unfortunately the blend of both - when an outsider leverages or becomes an insider) is an ongoing challenge. If you check out our last 1-2 years of Federal IT Security Surveys, you'll see the insider is still a pretty big concern that's far less understood and harder to solve (more on that - Internal Federal Cybersecurity Threats Nearly as Prevalent as External, SolarWinds Survey Reveals), spreading from training to actual technical controls to the challenges of monitoring. In the interest of giving you a bit of a head start, here's some insight into some ways you can monitor for malicious insiders with Log & Event Manager (LEM).

 

(Note: Anywhere you see a screenshot below, be sure to click to see a full version - they might look fuzzy otherwise.)


Endpoint Monitoring with File Integrity Monitoring (FIM) and USB-Defender

Out of the box, LEM includes both built-in File Integrity Monitoring (FIM) - which can audit for file and registry access/changes - and USB-Defender - which monitors USB device access. On systems where you may have potential exposure - think kiosks, systems with access to confidential data, servers, and shared workstations - deploying FIM and USB-Defender will allow you to:

  • Monitor for unexpected copying of files and data to USB devices, which can indicate data is being exfiltrated
  • Monitor for attempts to bypass application installation and access policies by running applications directly from USB devices, which can put systems at risk
  • Monitor for changes to system settings and files that can indicate unexpected modifications, whether due to malware, policy bypassing, or intentional abuse

 

Out of the box, you'll want to look at the following LEM content:

  • Default FIM Monitors - the Windows Server template can also be applied to workstations as a place to start

FIM Monitors.PNG

  • Filters of interest:
    • Endpoint Monitoring > USB-Defender
    • Change Management > USB File Auditing, All File Audit Activity

EndpointFilters.png

  • Rules of interest can be found in the categories:
    • Activity Types > USB Device Monitoring, File Auditing

EndpointRules.png


System and Endpoint Monitoring for Authentication and Change Events

Beyond tracking files and USB Devices, on servers and workstations alike authentication and changes can offer unique insights into what's happening on the network, and provide critical clues when it comes time to investigate. Windows does not audit the mechanism a user used to log on, or changes made to local system accounts, at a domain controller, so without insight into the actual workstations and member servers directly you'll be missing pieces of the puzzle. Deploy agents to all your critical member servers and that same pool of workstations you need insight into and get to tracking the local Event Logs. With this data, you can see:

  • Users logging on unexpectedly - unused accounts suddenly being used, service accounts being used to access the wrong systems, admin accounts being used incorrectly
  • Remote access - usage of remote desktop vs. interactive logins, access from VPN accounts/addresses, contractors authenticating to unexpected systems
  • Additional users & privileges - users being added to local or domain admins, local users being created
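The three signals above worked through in code, as an added example that is not LEM content: a Python pass over constructed workstation and member-server Security log events that uses the logon type only the local log carries. The 4624 logon type values and the 4728/4732 group-change event IDs are Windows' documented ones; the admin group names, the service account naming convention and the dormancy window are assumptions.

```python
"""Triage of local Security log events for the insider signals above.

Added example, not part of LEM. The events are constructed samples in a
simplified dict form rather than raw Windows XML, but the IDs and logon
types are Windows' documented values: 4624 successful logon with
LogonType 2 (interactive), 3 (network), 10 (RemoteInteractive, i.e. RDP);
4732 member added to a local group; 4728 member added to a global group.
Events must be in time order for the dormancy check to be meaningful.
"""
from datetime import datetime, timedelta

ADMIN_GROUPS = {"administrators", "domain admins"}  # assumption: groups to watch
SERVICE_ACCOUNT_PREFIX = "svc-"                     # assumption: site naming convention
DORMANT_DAYS = 90                                   # assumption: "unused account" threshold

# constructed baseline: last successful logon known for each account
LAST_SEEN = {
    "alice": datetime(2015, 8, 20),
    "bob": datetime(2015, 8, 21),
    "svc-backup": datetime(2015, 8, 21),
    "jdoe-old": datetime(2015, 3, 1),   # idle for months
}

# constructed events from member servers and workstations
EVENTS = [
    {"time": "2015-08-24T08:02:11", "id": 4624, "host": "WS-0042", "user": "alice",
     "logon_type": 2, "src": "-"},
    {"time": "2015-08-24T08:05:40", "id": 4624, "host": "FS-01", "user": "alice",
     "logon_type": 3, "src": "10.1.2.42"},
    {"time": "2015-08-24T23:17:03", "id": 4624, "host": "FS-01", "user": "jdoe-old",
     "logon_type": 10, "src": "10.9.0.12"},
    {"time": "2015-08-24T23:19:55", "id": 4624, "host": "WS-0077", "user": "svc-backup",
     "logon_type": 2, "src": "-"},
    {"time": "2015-08-24T23:21:30", "id": 4732, "host": "WS-0077", "user": "svc-backup",
     "group": "Administrators", "member": "jdoe-old"},
    {"time": "2015-08-25T01:00:00", "id": 4728, "host": "DC-01", "user": "bob",
     "group": "Domain Admins", "member": "bob"},
]


def triage(events, last_seen):
    """Return (signal, account, host) tuples for the events that match."""
    findings = []
    seen = dict(last_seen)
    for ev in events:
        ts = datetime.fromisoformat(ev["time"])
        user = ev["user"].lower()
        if ev["id"] == 4624:
            lt = ev["logon_type"]
            prev = seen.get(user)
            # an account that has not logged on for DORMANT_DAYS (or ever)
            if prev is None or ts - prev > timedelta(days=DORMANT_DAYS):
                findings.append(("dormant-account-logon", user, ev["host"]))
            # remote desktop vs. console: only the local log records the logon type
            if lt == 10:
                findings.append(("remote-desktop-logon", user, ev["host"]))
            # service accounts should never log on interactively
            if user.startswith(SERVICE_ACCOUNT_PREFIX) and lt in (2, 10):
                findings.append(("service-account-interactive", user, ev["host"]))
            seen[user] = ts if prev is None else max(prev, ts)
        elif ev["id"] in (4728, 4732) and ev["group"].lower() in ADMIN_GROUPS:
            # privilege grant: a member was added to an admin group
            findings.append(("admin-group-add", ev["member"].lower(), ev["host"]))
    return findings


if __name__ == "__main__":
    for signal, account, host in triage(EVENTS, LAST_SEEN):
        print(f"{signal:28} {account:12} {host}")
```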

 

Out of the box, you'll want to look for the following LEM content:

  • Filters of interest in these categories:
    • Change Management
    • Authentication
    • Endpoint Monitoring

AuthFilters.png

  • Rules of interest in the following categories:
    • Change Management
    • Authentication
    • Activity Types > Inappropriate Usage

AuthRules.png


Network Device Traffic Monitoring


If we move off of the systems themselves, we should also be able to detect behavior patterns that look abnormal using network traffic events, too. Sometimes putting agents on all workstations is infeasible, not to mention accounting for transient or new devices, and BYOD if you've got that in the mix as well. Log activity from all the devices you can that can monitor traffic patterns and connectivity - IDS/IPS, firewalls, wireless APs/WLAN controllers, routers, switches, VPNs, etc. With network traffic data, we can look for:

  • If you've got a proxy or similar policy in place, users attempting to bypass proxy policies with direct communication on port 80 (i.e. network traffic that's not outbound from your proxy server)
  • Network traffic to/from unexpected hosts or ports - your servers/workstations will generally communicate to a smaller subset of known hosts, traffic outside of this pattern would be unexpected
  • Excessive network traffic - sometimes traffic patterns can become clear without utilizing netflow or deep packet inspection based on sheer event numbers, types, or behavior patterns alone

 

Out of the box, you'll want to look for the following LEM content:

  • Filters of interest:
    • Start from the out of the box filters in IT Operations and Security and build from them, especially the traffic filters

NetworkFilters.png

  • Rules of interest in the following categories:
    • Activity Types > Network
    • Devices > Firewalls

NetworkRules.png

 

Check out our thwackCamp session on using firewall log data, too - thwackCamp 2015 - Digging for Security Gold: Using Firewall Logs to Find Security Issues.


Traditional Malware and Security Event Detection

You can definitely put your existing investments in pure security technology to work for you here, too. The name of the game is defense in depth: while traditional malware detection, IDS and IPS, and other tools might not be enough alone, each of them can play an important part in detecting potential abuse or piecing together fingerprints during an investigation. Infected endpoints are a gateway to the interior of the network, and most of us are not victims of zero-days but of some combination of existing malware and other known techniques, which gives us a good chance of detecting it somewhere along the way. With these feeds, you'll see things like:

  • Antivirus/anti-malware technology cleaning or having trouble cleaning potential infections
  • IDS and IPS systems detecting potentially unwanted payloads or symptoms of infections or even exfiltration
  • Triggers from any other security systems you've got to put to work for you that generate event streams - wireless security, data leak prevention, etc
  • System errors and crash reports - potential malware causing leaks to affect the system in unexpected ways

 

Out of the box, you'll want to look for the following LEM content:

  • Filters of interest include:
    • Security > Virus Attacks, IDS
    • IT Operations > Windows Error Events

MalwareFilters.png

  • Rules of interest in the following categories:
    • Security > Malware
    • Devices > IDS and IPS (and related device types for your systems)

MalwareRules.png


Threat Intelligence and Dynamic Feeds to Detect Malicious Traffic

Thinking forward, if you've seen our LEM What We're Working on page, you'll note we're talking a little bit about Threat Intelligence Feeds. We're working on adding the capability for LEM to dynamically download a list of known bad actors - potentially infected hosts, botnets, command and control networks, spammers, and general IPs up to no good - and automatically use that to detect communication on your network. This will be a really good way to see:

  • When someone internal is communicating with a potentially malicious host, which can indicate they've already been infected
  • When you're being probed, attacked, or otherwise communicated with externally by a potentially malicious host, which can indicate an incoming attempt
  • Communication to/from spam, denial of service, or similar hosts that can indicate phishing attempts, zombies on your network, or other security issues

 

Watch for more on that here - when we've got more to discuss we'll update this post with how to use it to detect malicious insiders more specifically.

 

Manually, you can create and import lists of potentially unwanted IPs and ports and compare those to traffic as well. If you've got a list of known good ports that should be used to communicate on your network (especially inside>outside), or known applications if you're using Next-Gen firewalls, or known IP addresses when we're talking servers and controlled communication, build User-Defined Groups and rules/filters that compare to them.
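As an added illustration of the comparison described here and in the threat intelligence feed discussion above (this is example code written for this page, not LEM's own logic or content), the script below parses a handful of constructed firewall log lines and checks each event against two hand-built lists that stand in for User-Defined Groups: a known-good set of egress ports for inside>outside traffic, and a short bad-IP list of the kind a downloaded feed would supply. The log field layout, the internal network, the port group and every address (all from documentation ranges) are assumptions.

```python
from __future__ import annotations

import ipaddress
import re
from dataclasses import dataclass

# Constructed sample firewall log lines (hypothetical field layout, not any
# vendor's real format); ALLOW/DENY are the firewall's own verdicts.
SAMPLE_LOG = """\
2015-06-01T10:00:01 fw1 ALLOW src=10.1.2.3:51234 dst=192.0.2.10:443 proto=tcp
2015-06-01T10:00:02 fw1 ALLOW src=10.1.2.7:51235 dst=198.51.100.9:6667 proto=tcp
2015-06-01T10:00:03 fw1 ALLOW src=10.1.2.3:51236 dst=203.0.113.50:443 proto=tcp
2015-06-01T10:00:04 fw1 DENY src=203.0.113.50:4444 dst=10.1.2.3:445 proto=tcp
2015-06-01T10:00:05 fw1 ALLOW src=10.1.2.9:51240 dst=10.1.5.20:3306 proto=tcp
"""

# The "user-defined groups" from the text, as plain Python sets (all constructed).
INTERNAL_NETS = [ipaddress.ip_network("10.0.0.0/8")]
KNOWN_GOOD_EGRESS_PORTS = {25, 53, 80, 443}          # ports allowed inside>outside
KNOWN_BAD_IPS = {"203.0.113.50", "198.51.100.77"}    # stand-in for a downloaded list

LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<fw>\S+) (?P<action>ALLOW|DENY) "
    r"src=(?P<sip>[\d.]+):(?P<sport>\d+) dst=(?P<dip>[\d.]+):(?P<dport>\d+) "
    r"proto=(?P<proto>\w+)$"
)


@dataclass(frozen=True)
class Finding:
    ts: str
    rule: str      # which comparison fired
    src: str
    dst: str
    detail: str


def parse_line(line: str) -> dict | None:
    """Return the event fields, or None for lines that do not match the layout."""
    m = LINE_RE.match(line.strip())
    return m.groupdict() if m else None


def is_internal(ip: str) -> bool:
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)


def check_event(ev: dict) -> list[Finding]:
    """Compare one event against the known-good port group and the bad-IP list."""
    findings: list[Finding] = []
    src, dst = f"{ev['sip']}:{ev['sport']}", f"{ev['dip']}:{ev['dport']}"
    src_in, dst_in = is_internal(ev["sip"]), is_internal(ev["dip"])

    # Rule 1: allowed inside>outside traffic on a port outside the known-good group.
    if src_in and not dst_in and ev["action"] == "ALLOW" \
            and int(ev["dport"]) not in KNOWN_GOOD_EGRESS_PORTS:
        findings.append(Finding(ev["ts"], "unexpected-egress-port", src, dst,
                                f"egress to port {ev['dport']} not in known-good group"))

    # Rule 2: either endpoint is on the bad-IP list. Denied inbound hits still
    # matter: they show a listed host probing you.
    for ip, direction in ((ev["sip"], "inbound"), (ev["dip"], "outbound")):
        if ip in KNOWN_BAD_IPS:
            findings.append(Finding(ev["ts"], "known-bad-host", src, dst,
                                    f"{direction} traffic with listed host {ip} ({ev['action']})"))
    return findings


def scan(log_text: str) -> list[Finding]:
    """Run every parseable log line through the checks and collect the findings."""
    findings: list[Finding] = []
    for line in log_text.splitlines():
        ev = parse_line(line)
        if ev is not None:
            findings.extend(check_event(ev))
    return findings


if __name__ == "__main__":
    for f in scan(SAMPLE_LOG):
        print(f"{f.ts} {f.rule:24} {f.src} -> {f.dst}  {f.detail}")
```

On the sample above, the first line (HTTPS to an unlisted host) and the last line (internal to internal) produce nothing; the IRC-port egress, the outbound contact with a listed host, and the denied inbound probe from that same host each raise one finding. In a real deployment the two sets would be loaded from your group definitions or the downloaded feed rather than typed in.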


What About Other SolarWinds Products? How Can They Help, Too?

Sure! Here are some ideas on using other products to help you detect potential malicious behavior internally:

  • Network Performance Monitor: monitor for unexpected firewall/network performance issues and high bandwidth utilization that can indicate an outbreak or single host is infected
  • Netflow Traffic Analyzer: building on the above unknown traffic patterns, look for possible unexpected hosts, ports, or communication patterns that might give you an idea something is wrong
  • User Device Tracker: useful when tracking and potentially detecting issues at endpoints - the "who" to go with the "where"
  • Server & Application Monitor and even Virtualization Manager: look for systems & applications performing unexpectedly or becoming unstable; these can be early warnings for security issues, too
  • Database Performance Analyzer: building on that, look for batch transactions, long-running queries, and sudden performance issues, and identify their sources
  • Network Configuration Manager and Firewall Security Manager: as always, cover your bases with configuration first!
  • Patch Manager: track systems out of compliance with patching policies, out of date systems are MUCH more likely to be victims of malware and other security issues

 

Feel free to let us know if you've got any content you're interested in seeing around detecting malicious insiders, any ideas or successful stories yourselves, or any other questions we can help with in the comments!

We are happy to announce that version 7.4 of SolarWinds Network Configuration Manager ships the DISA STIG, NIST FISMA, and PCI DSS compliance reports out of the box. Wait -- that's not all! For DISA STIGs, we now support Brocade, Dell, Cisco, Juniper, and Palo Alto. The NIST FISMA and PCI reports have been developed for Cisco.

Simply select any of these new report(s) that you wish to run and “enable” them by following the steps outlined below.

 

Corresponding instructions for older versions of NCM can be found here: DISA STIG Resources for SolarWinds NCM (Now also for Juniper!). Also, don't miss a similar post for LEM: DISA STIG Compliance with Log & Event Manager.

 

How to enable the new compliance checks?

 

  1. Enter the compliance management interface: Configs tab / Compliance view / Manage Policy Reports.

    Manage-Reports.png

  2. Select the reports you are interested in and enable them.

    Enable-Reports.png

  3. Update the reports.

    Update-Reports.png

  4. Compliance status of your network is ready!

    Check-Results.png

Further recommendations

  • Make sure the reports you are interested in are displayed in the Policy Violations summary resource. (Policy Violations resource / Edit)

    Edit-Violations-Resource.png  Violations-Resource.png

  • Customize the violation severity labels to match your needs. (Settings / NCM Settings / Manage Violation Levels)

    Manage-Violation-Levels.png  Violations-Resource-CAT.png

  • Look for Cisco firmware vulnerabilities.
    If network security is a concern in your organization, you should definitely use this new capability of NCM -- run a nightly vulnerability assessment based on recent CVE data provided by the National Vulnerability Database -- NVD (by NIST). NCM will download and process the CVE data in a SCAP-compatible way, notify you of potential vulnerabilities, provide detailed information, and let you take appropriate action. This security scan works even if your NCM server is not connected to the Internet -- you just have to download the data files manually.

    Wait for the nightly update or force the scan manually in Settings / NCM Settings / Firmware Vulnerability Settings / Run Now.
    (See the NCM 7.4 RC blog post referenced below for more screenshots and details.)

    Firmware-Vulnerabilities.png

  • Check other new features of NCM 7.4
    All details are available here: Network Configuration Manager v7.4 Release Candidate is Available!
    Quick start:

    Whats-New.png

Miscellaneous

  • Please note that the US Army has granted a Certificate of Networthiness (CoN) to NCM v6.0 (CERT-201109082). CoN has also been granted to NPM, SAM (APM), NTA and Engineer's Toolset.
  • The following SolarWinds products are Common Criteria EAL 2 certified by the NIAP: NPM, SAM (APM), IPAM, NTA, VNQM, NCM, EOC. Our Validation ID is 10453.
  • You can also find Federal Information Security Management Act (FISMA) / NIST reports for NCM 6.1 on Thwack.com (the same installation procedure applies).
  • Did you know that Gartner positions NCM in their research “MarketScope for Network Configuration and Change Management”, Deb Curtis, David Williams, 31 March 2010, ID Number: G00175140, as follows:
    • NCM is the most widely deployed of the products meeting Gartner’s criteria for evaluation (except CiscoWorks)
    • NCM is rated in the top tier (Positive / Strong positive) with the “Big-4”
  • A reference to SolarWinds (NPM) in the SIGNAL Online article “Marines Revolutionize Network In Southwest Afghanistan”

I am happy to announce General Availability (GA) of SolarWinds Network Configuration Manager (NCM) v7.4. This version includes the following new features and improvements:

 

  • Cisco IOS and ASA Vulnerability Reporting
    NCM uses Cisco IOS and ASA firmware and configuration vulnerability data from the National Vulnerability Database to record which nodes in NCM are vulnerable. This information is available in a new Firmware Vulnerability resource and as a report.
  • NCM Entirely Web-based
    The NCM desktop application is no longer available and all functionality has migrated to the SolarWinds Orion Web Console.
  • New Compliance Reports
    • You can run over 60 Defense Information Systems Agency Security Technical Implementation Guide (DISA STIG) policy reports, preconfigured with the necessary rules and policies.
    • You can run National Institute of Standards and Technology Federal Information Security Management Act (NIST FISMA) and Payment Card Industry Data Security Standard (PCI DSS) reports.
  • Device Template Wizard
    • Create and edit device templates using the new, web-based Device Template Wizard in the SolarWinds Orion Web Console.
    • All templates from previous versions of NCM are migrated to the SolarWinds Orion database during an upgrade.
    • Access templates that other SolarWinds users share through thwack directly in Device Template Management.
  • Enhanced Change Approval Workflow
    The NCM approval system allows three different workflows:
    • Use a one-tier approval workflow to submit configuration changes to an NCM administrator.
    • Use a non-privileged, two-tier approval workflow to require non-privileged users (any user with the WebUploader role) to submit configuration changes to two different approval groups.
    • Use an inclusive, two-tier approval workflow to require all users to submit configuration changes to two different approval groups.
  • Web-based Reports
    • Create and edit reports using new, web-based reports.
    • NCM now uses Orion Platform reports (HOME > Reports) instead of the NCM reporting pages (CONFIGS > Reports).
    • Previous reports are not migrated to the web-based reports system and can no longer be edited after an upgrade.
    • Schedule reports with the Orion Report Schedulers instead of the NCM Run Report job.
  • Policy Violation Remediation
    You can automatically remediate violations in a device configuration on multiple nodes using a script.
  • Web-based Alerts
    • Create and manage alerts using the web-based alerting engine.
    • Alerts created using the desktop-based alerting engine are automatically migrated to the web-based alerting engine.

 

More details can be found in the Release Notes and in the RC blog post: Network Configuration Manager v7.4 Release Candidate is Available!.

I'm excited to formally announce that Database Performance Analyzer 9.2 is now Generally Available! 


This release of Database Performance Analyzer (DPA) has a very special feature only available when integrated with Server & Application Monitor (SAM) 6.2.1+.  We developed this feature based on the collective experience of DBAs and SysAdmins who've been caught up in nasty blame games.  Let me tell you a story...


blame-o-saurus-lg.jpg

Imagine a web site used by your customers that depends upon a database.  Not hard, right? Now imagine the customers have been calling in daily about an intermittent performance issue that threatens your business.  It's been really irritating because the I.T. Pros just can't pinpoint the cause, and it's stressing out executives who are demanding a swift resolution!


  • The SysAdmins say that the web server looks fine.  No CPU spikes.  Plenty of memory.  No red flag in metrics. 
  • The DBA says the database server looks fine.  No CPU spikes.  Plenty of memory.  Very little storage IO and all queries received results within SLA.  There was a small spike of activity after the time the customers complained, but it was just a momentary spike in concurrent activity and again, all queries received responses within SLA.
  • The Web Developers want to blame the database because it's their primary dependency and it has caused them problems in the past.


So you've got 3 silos denying responsibility for the problem customers reported.  Executive attention focuses on the Developers, who begin forming hypotheses they can't prove: that network performance is the issue, or that the web server and database server clocks may not have been synchronized and that little database spike actually did cause the web site performance problem.  And these are just the reasonable hypotheses.  Soon, you feel like you're on an episode of CSI, looking for a genius mastermind hacker who's broken into your system to steal customer data!


This is a case where disparate monitoring solutions can leave you hanging... siloed... at each other's throats!  So what do you do?  Calm down!  First you need to clarify to everyone that they don't have a shred of evidence to prove any of these things.  But an integrated monitoring solution can give you a complete picture.  Let me show you how DPA 9.2 integrated with SAM 6.2.1 can help! 


chickenoregg.png

With SAM 6.2.1, you can monitor an IIS web server with AppInsight for IIS, which exposes some ASP.NET metrics that I love:


  • Request Execution Time - Tells you how long it took IIS to complete the most recent web request.
  • Request Wait Time - Tells you how long IIS held a web request in a queue before it began processing it.
  • Requests Queued - Tells you how many web requests are in the queue because the web server has reached its limit of worker threads.  Ideally, you keep this at zero!
  • Requests Rejected - Tells you how many web requests IIS has simply rejected because the queue is full.  GAME OVER!  YOU LOSE!


Now, when DPA 9.2 is integrated with SAM 6.2.1+, it adds a Query Response Time resource to your AppInsight for IIS view, which reveals how much *database wait time queries from the web server have incurred.  This enables you to perform a diagnosis of exclusion.  That is to say, if A and not B then C.  If (A) the web server requests are slow, you will see it in those ASP.NET metrics.  If the Query Response Time resource doesn't show (B) a matching spike in database wait time, then the web site performance issue must be caused by (C) something else.
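The diagnosis of exclusion above is something you read off the two charts by eye; as an added example (written for this page, not DPA's or SAM's own code), here is the same reasoning applied to two constructed one-minute series standing in for Request Execution Time and Query Response Time. The baseline is the series median, a spike is any bucket above three times that baseline, and a run of web-slow minutes is attributed to the database only when the database was also slow during at least half of those minutes, allowing one minute of clock skew either way (which is what the unsynchronized-clocks hypothesis is really about). All values, the factor, the lag and the overlap threshold are assumptions.

```python
from statistics import median

# Constructed one-minute samples (milliseconds) for one web server and its
# database: the web spike at 10:05-10:08 and the database spike at 10:09-10:10
# mirror the inverse pattern described in the post.
WEB_EXEC_MS = [("10:00", 210), ("10:01", 195), ("10:02", 205), ("10:03", 220),
               ("10:04", 200), ("10:05", 2400), ("10:06", 2600), ("10:07", 2550),
               ("10:08", 2300), ("10:09", 230), ("10:10", 210), ("10:11", 200)]
DB_WAIT_MS = [("10:00", 18), ("10:01", 22), ("10:02", 20), ("10:03", 19),
              ("10:04", 21), ("10:05", 20), ("10:06", 21), ("10:07", 19),
              ("10:08", 20), ("10:09", 160), ("10:10", 170), ("10:11", 22)]


def spike_buckets(series, factor=3.0):
    """Indices whose value exceeds factor x the series median (the median is the baseline)."""
    baseline = median(v for _, v in series)
    return {i for i, (_, v) in enumerate(series) if v > factor * baseline}


def group_contiguous(indices):
    """Collapse a set of bucket indices into (start, end) runs."""
    runs = []
    for i in sorted(indices):
        if runs and i == runs[-1][1] + 1:
            runs[-1][1] = i
        else:
            runs.append([i, i])
    return [tuple(r) for r in runs]


def attribute_slowness(web, db, factor=3.0, lag=1, min_overlap=0.5):
    """Diagnosis of exclusion: A (web slow) and not B (db slow at the same time) => C (something else).

    lag allows a few buckets of clock skew between the two monitors: a web-slow
    minute counts as matched if the database was slow within +/- lag minutes.
    """
    web_spikes, db_spikes = spike_buckets(web, factor), spike_buckets(db, factor)
    incidents = []
    for start, end in group_contiguous(web_spikes):
        buckets = range(start, end + 1)
        matched = sum(1 for i in buckets
                      if any((i + d) in db_spikes for d in range(-lag, lag + 1)))
        overlap = matched / len(buckets)
        incidents.append({
            "start": web[start][0], "end": web[end][0], "overlap": overlap,
            "verdict": "database" if overlap >= min_overlap else "not the database",
        })
    return incidents


if __name__ == "__main__":
    for inc in attribute_slowness(WEB_EXEC_MS, DB_WAIT_MS):
        print(inc)
```

For the constructed series the single incident spans 10:05 to 10:08, and only its last minute sits within one minute of a database spike (overlap 0.25), so the verdict is "not the database": exactly the conclusion the post reaches before the third-party web services are found. Note that a median baseline assumes the spike is a minority of the window; feed it a window that is mostly spike and nothing will register.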


So back to our story for a minute...  You see how the request execution time was high for a bit there, then suddenly dropped?  Do you see how the Query Response Time shows an inverse pattern?  The spike the DBAs mentioned that occurred after the web site problem...


Here's what REALLY happened...  True story from my past, actually.  It is true that historically the database has caused many web site performance problems, but the Web Developers didn't evaluate every dependency.  As it turns out, the web server also relies upon 3rd party web services.  They've never been a problem before, so they weren't monitored and were thus overlooked.  Our web code needs these web services to complete before the web server will query the database, and that is why we see the inverse relationship between Request Execution Time and Query Response Time.  When the 3rd party web services cleared their performance problem, the web server sent all the associated database queries to the database server, which responded to that load spectacularly, the DBA adds!


So as you can see, monitoring this web site with AppInsight for IIS and the dependent database with an integrated Database Performance Analyzer enables both teams to see the big picture in a single pane of glass.  Pretty cool, huh?


For more information about Database Performance Analyzer 9.2 features and value, check out the beta blog posts, my recent post on Geek Speak and a video explaining the difference between health and performance monitoring.


 


*database wait time - The amount of time a database client waited while the database server worked on the client's query.  That time is broken down into the discrete steps performed by the database server and how long it spent on each of them.  For more info see http://logicalread.solarwinds.com/response-time-analysis.

VMAN 6.3 is now generally available to download, and is in the Customer Portal for current customers.



What is the Goal of this Release?

The SolarWinds team has been working diligently to release Virtualization Manager 6.3, which continues the evolution of VMAN into an operational management and monitoring platform for the virtual infrastructure. As you have seen VMAN evolve over the last couple of releases, we focused on providing monitoring, troubleshooting and reporting utility, culminating in VMAN 6.2, which added management utility through power management actions, snapshot management actions and AppStack support (to name a few features). With the release of Virtualization Manager 6.3 we further extend the operational role of VMAN, with the end goal of adding remediation utility to the mix of features we provide. Not only does an administrator have the tools to identify and troubleshoot an issue in the virtualization infrastructure, but they can also remediate the problem within VMAN.


What's New in Virtualization Manager 6.3

This is the first of several blog posts reviewing the new features of Virtualization Manager 6.3. Provided below is a high-level overview of what is new in VMAN 6.3:

 

New Management Actions

In Virtualization Manager (VMAN) 6.3, we further enhanced the existing management functionality by including migration actions, VM removal actions, and change CPU and memory actions.

  • Migration Management Actions
    • Move VM to a different host - Provides the ability to migrate a VMware® or Hyper-V® virtual machine to a different host within VMAN.
    • Move VM to different storage - Provides the ability to migrate VMware or Hyper-V virtual machine storage to a different datastore or Cluster Shared Volume (CSV) from within VMAN.
  • VM Removal Actions
    • Delete VM – Provides complete removal of the VM from the virtual infrastructure once the VM is turned off.
    • Unregister VM – Removes the VM from the hypervisor's inventory but leaves the VMDK files on disk once the VM is shut down.
  • Change CPU/Memory Resources Management Actions
    • Add/Remove CPU - Grow or shrink the amount of virtual machine CPU from within VMAN.
    • Add/Remove RAM - Grow or shrink the amount of virtual machine RAM from within VMAN.

Tools.jpg

The Virtual Manager Tools can be found on the virtual machine details page and are conveniently accessible to remediate a Virtualization Manager alert without leaving SolarWinds.  For instance, an administrator who gets a virtualization alert indicating a VM with high disk latency can now initiate a storage vMotion or live migrate the VM to a different datastore or CSV from within Virtualization Manager to resolve the alert.

Sprawl.jpg


Execute management actions directly from the Sprawl page

Not only do we alert the administrator to Sprawl issues in the virtual infrastructure, we also provide the appropriate management action to remediate the problem on the Sprawl page.

    • Top 10 VMs by Overallocated vCPUs - Change CPU/Memory Resources
    • Top 10 VMs by Underallocated Memory - Change CPU/Memory Resources
    • Top 10 VMs by Overallocated Memory - Change CPU/Memory Resources
    • Top 10 VMs by Snapshot Disk Usage - Delete Snapshots
    • VMs Powered Off for More than 30 Days - Delete VM
    • VMs Idle for the Last Week - Power off VMs
    • VMs that might benefit from decreasing vCPUs - Change CPU/Memory Resources (Decrease vCPU)
    • Orphaned VMDKs (New Sprawl Resource) - Delete Orphaned VMDKs
    • Top 10 VMs by Underallocated vCPUs - Change CPU/Memory Resources

 

 

An administrator monitoring their virtualization environment can use the Sprawl page to learn where they can right-size to reclaim resources or improve performance.  For an IT team that has multiple administrators provisioning virtual machines, it becomes a task in itself to determine which resources were temporary and are no longer needed.  By leveraging the VMs Powered Off for More Than 30 Days alert to identify virtual machines that are no longer needed, the administrator can decide what needs to be deleted and then remove the unnecessary VMs from the Sprawl page.






New Sprawl Resource - Orphaned VMDK

This new resource on the Sprawl page alerts on any orphaned VMDKs in the monitored environment.  Orphaned VMDKs are virtual hard disks that are not connected to a VM, most likely the result of removing the VM from inventory but never deleting the vmdk file, and they consume valuable datastore capacity.

Orphaned VMDK.jpg
A virtual administrator is alerted that they have multiple orphaned VMDK files from VMs that were unregistered from the cluster but never deleted from disk.  They can now track and take action using the Orphaned VMDK resource and free up valuable disk storage by deleting the unneeded VMDK files.
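As an added example of how such a resource can be computed (illustrative code written for this page, not how VMAN implements it), the script below takes a constructed datastore listing and a constructed VM inventory and reports every .vmdk whose disk chain is not referenced by any registered VM, together with the capacity that could be reclaimed. It assumes VMware's naming conventions for extents (-flat), snapshot levels (-000001), snapshot deltas (-delta) and change-tracking files (-ctk), which is how a snapshot chain attached through its latest delta is still counted as in use; the datastore paths, VM names and sizes are made up.

```python
import re
from dataclasses import dataclass

GB = 1024 ** 3

# Suffixes VMware appends to a disk's base name: snapshot level (-000001),
# extent (-flat), snapshot delta (-delta), change-block tracking (-ctk).
VMDK_SUFFIX_RE = re.compile(r"(?:-\d{6})?(?:-(?:flat|delta|ctk))?\.vmdk$")


@dataclass
class VM:
    name: str
    disks: list  # vmdk paths referenced by the VM's configuration


def disk_base(path: str) -> str:
    """'[ds1] web01/web01-000001-delta.vmdk' -> '[ds1] web01/web01' (the chain's base name)."""
    return VMDK_SUFFIX_RE.sub("", path)


def find_orphaned_vmdks(listing: dict, vms: list) -> tuple:
    """Return ([(path, bytes), ...], total_bytes) for .vmdk files no registered VM references.

    listing maps datastore paths to sizes in bytes; a file counts as in use
    when its chain base matches a disk attached to any VM in the inventory.
    """
    in_use = {disk_base(d) for vm in vms for d in vm.disks}
    orphans = sorted((path, size) for path, size in listing.items()
                     if path.endswith(".vmdk") and disk_base(path) not in in_use)
    return orphans, sum(size for _, size in orphans)


# Constructed datastore listing and inventory (paths in the "[datastore] dir/file"
# form VMware uses; every VM, size and name here is made up).
DATASTORE_LISTING = {
    "[ds1] web01/web01.vmx": 3_000,
    "[ds1] web01/web01.vmsd": 100,                 # snapshot metadata, not a disk
    "[ds1] web01/web01.vmdk": 600,
    "[ds1] web01/web01-flat.vmdk": 40 * GB,
    "[ds1] web01/web01-000001.vmdk": 400,
    "[ds1] web01/web01-000001-delta.vmdk": 2 * GB,
    "[ds1] db01/db01.vmdk": 600,
    "[ds1] db01/db01-flat.vmdk": 80 * GB,
    "[ds1] db01/db01_1.vmdk": 600,
    "[ds1] db01/db01_1-flat.vmdk": 200 * GB,
    "[ds1] old-test/old-test.vmdk": 600,           # VM was unregistered, files left behind
    "[ds1] old-test/old-test-flat.vmdk": 20 * GB,
    "[ds1] iso/installer.iso": 1 * GB,
}
VMS = [
    VM("web01", ["[ds1] web01/web01-000001.vmdk"]),   # running on a snapshot
    VM("db01", ["[ds1] db01/db01.vmdk", "[ds1] db01/db01_1.vmdk"]),
]

if __name__ == "__main__":
    orphans, total = find_orphaned_vmdks(DATASTORE_LISTING, VMS)
    for path, size in orphans:
        print(f"{size / GB:8.2f} GB  {path}")
    print(f"reclaimable: {total / GB:.2f} GB")
```

Treat the output as a review list rather than a delete list: a disk attached to a VM registered on a host outside the inventory you queried, or referenced by a template, would look orphaned here, so confirm each entry before removing anything.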

Alert Remediation

Alert Remediation provides the ability to configure an alert to trigger a management action based on a threshold.  By offering management actions as alert triggers, the administrator can now choose to automatically remediate any alert that crosses a critical threshold without needing to manually perform the management action.

Alert triggers.jpg

The ability to create an alert with a management action as a trigger is valuable for ensuring up-time for a VM or maintaining performance of an application hosted on that VM. The administrator in charge of the server infrastructure is always concerned about the next time a threshold is reached, how fast they can react to that issue, and how it may affect the application that resides on the VM.  Creating an alert and setting a management action as a trigger helps reduce the Time To Resolution for the affected VM without the administrator having to execute the action manually.  For example, if there is a reporting server that does all its heavy lifting from 12 am - 5 am and application performance is suffering from datastore latency, an alert action can trigger a migration of the VM's storage to a destination predetermined by the administrator when the latency threshold is crossed. This ensures that the VM has the storage performance necessary to complete its workload (reports) before the administrator arrives in the morning.

 

 

All Alerts Dashboard Migrated to Orion

All Alerts.jpg


Migration of the All Alerts widget from the Virtualization Manager (VMAN) appliance to the Orion® Virtualization Summary provides customers with VMAN-specific data about the environment from the Summary page. The very useful All Alerts widget is now available as two resources, All Active Virtualization Alerts and Potential Virtualization Issues.  These resources provide virtualization alerting in Orion out of the box, with all VMAN alerts enabled by default when Orion is integrated with VMAN. Each triggered alert provides an alert details page with recommended steps to resolve the issue, general alert details, and a link to the VM details view.

 

  • All Active Virtual Alerts - Provides a view of all triggered virtualization-specific alerts with a severity of warning or higher.  All alerts in this resource indicate a problem that is affecting performance or functionality in the virtual infrastructure and should be prioritized accordingly.  These alerts are sorted by active time and provide the following details:
    • Alert name
    • Alert message
    • Triggering Object (i.e. VM, datastore, host, etc.)

  • Potential Virtualization Issues - All triggered alerts with low severity, grouped by alert name.  These alerts notify the administrator of items that require attention but do not necessarily equate to a critical issue.  The VMs with Bad Tools alert is an example of this scenario: it notifies the administrator that the virtual infrastructure contains VMs that require a VM tools update, but this does not necessarily mean that the VM is having a critical performance issue.

  • Categories without issues - This resource lists Virtualization Manager-specific alerts that have not been triggered, giving a glimpse into which alerts are enabled out of the box. Unlike the Potential Virtualization Issues resource and the All Active Virtual Alerts resource, these alerts are not selectable and do not provide an alert details page.

Polling Improvements

We have improved polling performance in Virtualization Manager 6.3, allowing for on-demand data polling and improved scalability. Common use cases that improved polling addresses are situations where the virtual topology changes due to management actions, maintenance, or provisioning but VMAN fails to reflect the new VM-to-host or datastore association in a timely manner. In VMAN 6.3, once a migration management action is executed, the topology change is reflected within minutes. An administrator who receives a virtualization alert and resolves it with a management action will see the results of the action immediately within Virtualization Manager.

 

SolarWinds Virtualization Manager v6.3 Release Notes

We wrote back in 2012 about the challenges of SharePoint auditing and how to address them via Auditing SharePoint with LEM & LOGbinder SP, but the folks over at Monterey Technology Group (the same folks who brought you Ultimate Windows Security) went on to create even MORE useful Microsoft auditing tools. This time around, we've also integrated LOGbinder for Exchange (LOGbinder EX).

 

Without LOGbinder EX or a tool like it, it's very hard to get visibility into the Exchange auditing logs. Audit data is stored as a part of the mailbox instead of the Event Log, and there's no clean way to get the data into the Event Log repeatably and consistently. Even if you were able to do that, there's a ton of coded data, with different types and metadata that you'd have to translate. The LOGbinder system does this automatically, storing data into the Event Log and both making it easy for you to read and for a system like Log & Event Manager to monitor, alert, and store it.

 

Use LOGbinder EX for:

  • Detecting non-owner mailbox access (e.g. delegate or users opening other users' mailboxes)
  • Changes to audit log settings and audit log integrity
  • Permissions, policy, certificate, federation, and IRM changes

Check out the full list of events LOGbinder EX generates for more details.

 

Use LEM + LOGbinder EX together for:

  • Alerting on unexpected client activity (mailboxes accessed from something other than Outlook/OWA)
  • Alerting on unexpected mailbox access (someone opening one or many mailboxes other than their own)
  • Alerting on unexpected changes across Exchange infrastructure
  • Reporting on Exchange audit and change management events
  • Viewing Exchange events in context with other system, network, security, and application events

 

I just uploaded some rules, filters, and reports for LOGbinder EX over at the Content Exchange that provide some additional insight for the LEM side of your configuration. There's an integration guide in the Zip file that will explain how to install the files, which are all tailored to the LOGbinder EX event log data. You will need an agent installed on your LOGbinder EX system, you'll need to make sure you have the latest product connectors installed, then it's just a matter of following the guide to get set up and start monitoring. You can download a free trial of LOGbinder for Exchange from their website, too.

Top three new monitoring and troubleshooting capabilities every SolarWinds customer should learn to use (and that we’ll be demonstrating during our Lunch & Learn at Cisco Live)

See how to use and set up these dashboards at the SolarWinds Lunch & Learn, Monday, June 8 in San Diego, during Cisco Live. Sign Up In Advance Here.


Over the past year, SolarWinds has been hard at work bringing you more product features to make your everyday work a bit easier. But the benefit to you isn’t just about having MORE features, but rather about how those features work together. We all know it’s time to stop wasting time going back and forth between toolsets to find and fix things. So, without further ado, let’s walk through the top three new monitoring and troubleshooting capabilities we’ve rolled out recently (that work across SolarWinds® products) that all our customers should learn to use.


Network Troubleshooting Dashboard

Through combining our products, you’ll have access to powerful dashboard views. Integration of Network Performance Monitor (NPM), Network Configuration Manager (NCM), NetFlow Traffic Analyzer (NTA), and Engineers Toolset allows you to consolidate and use shared data to your full advantage.


When you look at pieces of a puzzle, you can understand that there’s a picture, but the pieces are not a clear representation of the entire picture. However, when you put the pieces together, you’re able to clearly see what you were vaguely aware of before. That is the essence of the network troubleshooting dashboard. It allows you to visualize and be alerted on critical paths, identify the root cause from configurations to bandwidth analysis, and resolve issues through configuration management.


Map your critical path and set up intelligent alerting so you can visually see issues from your troubleshooting view. Then, from the same page, correlate events, syslog, real-time change notification, and NetFlow data to pinpoint the root cause, followed by real-time stats on interfaces and devices with the Toolset. Now you are focus-driven and have identified the issue. Simply use the NCM resources to upload a configuration or execute a script to resolve what you have identified, all from one view.


The future is not simply monitoring or having network change management software. The future is being able to link monitoring, analyzing bandwidth data, and managing configurations together.

How to create a Network Troubleshooting Dashboard


Deep Packet Inspection

The SolarWinds Quality of Experience (QoE) console leverages packet analysis. What does this mean to you as a customer? This is a solution for your critical network and server performance. It gives you traffic type and volume distributions from one view by identifying the types and relative volumes of application traffic flowing over a network based on the host IP addresses, ports, and protocols in use.


Because DPI is inspecting AND interpreting network transactions, you are able to use the QoE dashboard for troubleshooting application issues. That pesky little question of “is it the network or the application?” finally has an official answer with the QoE dashboard.  (In-depth look at DPI)


The QoE dashboard allows you to quickly identify reductions or changes in application performance and determine if the change is caused by an increase in network delay or slow application server performance.


Monitoring applications returns detailed information on each of the following three categories and their specific types:


  1. Category
    1. Remote access, social networking, streaming media, VPN, and Web services.
  2. Risk level
    1. No risk, minimal risk, possible misuse, data leaks/malware, evades detection/bypasses firewalls.
  3. Productivity rating
    1. All social, mostly social, both business and social, mostly business, all business.


As you can see, the amount of information just from the QoE dashboard is extensive and valuable. You are able to determine behaviors of applications and even set up accurate Quality of Service (QoS) policies that can help ensure that your network performance is optimized for critical applications.

Learn more about DPI


AppStack

Now, number three on the list, AppStack. You know the requirements for effective management. OK, I’ll provide the list. Contextual visualization for faster root cause analysis, agentless is better, out-of-the-box usability and customizability, and capacity management. Wow, did I just list a SolarWinds portfolio or what? LOL. Seriously, application awareness is a top priority.


Visibility from the application down is expected, app-centric storage insight is wanted, rapid time to value across platforms is being demanded, and of course, virtualization is becoming more robust.


How can you quickly, confidently, and cost effectively cover these areas and be in the know?  SolarWinds Application Stack view. This combines Server & Application Monitor (SAM), Virtualization Manager, Storage Resource Monitor (SRM), and Web Performance Monitor (WPM) to give you the app stack consolidated views necessary to stay on top of your application needs!  (Quick overview video)


Integration of these products allows you to correlate the relationship, resources, and metrics across products within one view. This shows you how infrastructure resources impact application performance directly.


Using automatic maps, see how infrastructure layers relate to one another so you can identify trouble areas at a glance. Hmmm, could I use this for impact analysis? Yes! This bundle has impressive risk assessment and impact analysis that allows you to determine what would be affected in case an upgrade were to fail.


Think about storage teams that want a quick risk and impact report on an array. All they have to do is to click on an array in question. This shows you all the relationships and dependencies on that SAN. Then, determine if any ESX®, Hyper-V® hosts, VMs, and/or applications they serve would be impacted if the array went down. Having a clear view of your application relationships means you are proactively in charge of your network, and are able to make accurate risk assessments when needed.
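
The array-to-application impact walk described above is a reachability query over a dependency graph. The block below is an added example, not SolarWinds code, and its topology (arrays, LUNs, datastores, hosts, VMs and applications) is constructed for illustration; it returns everything downstream of a failed element, grouped by type, so a storage team can see which hosts, VMs and applications an array outage would reach.

```python
"""Impact analysis over an AppStack-style dependency graph.

Added example, not SolarWinds code. The graph below is constructed: each
edge points from an infrastructure element to the elements that depend on
it, so a breadth-first walk from a failed element yields everything it
would take down with it. Node names are "<type>:<name>".
"""
from collections import deque
from typing import Dict, List, Set

# Constructed topology: one SAN array backing two LUNs, two datastores,
# three VMs spread over two ESX hosts, and the applications they serve.
# vm:build-01 lives on local disk, so it must not show up as impacted.
DEPENDENTS: Dict[str, List[str]] = {
    "array:san-01": ["lun:san-01-lun1", "lun:san-01-lun2"],
    "lun:san-01-lun1": ["datastore:ds-prod-a"],
    "lun:san-01-lun2": ["datastore:ds-prod-b"],
    "datastore:ds-prod-a": ["vm:web-01", "vm:web-02"],
    "datastore:ds-prod-b": ["vm:db-01"],
    "host:esx-01": ["vm:web-01", "vm:db-01"],
    "host:esx-02": ["vm:web-02"],
    "vm:web-01": ["app:storefront"],
    "vm:web-02": ["app:storefront"],
    "vm:db-01": ["app:storefront", "app:reporting"],
    "vm:build-01": ["app:ci"],
}


def impacted(failed: str, graph: Dict[str, List[str]] = DEPENDENTS) -> Dict[str, List[str]]:
    """Return every element downstream of `failed`, grouped by node type.

    Breadth-first traversal with a visited set, so shared dependencies
    (two VMs feeding one application) are reported once and cycles, should
    a mapping ever contain one, cannot loop forever.
    """
    seen: Set[str] = set()
    queue = deque([failed])
    while queue:
        node = queue.popleft()
        for dependent in graph.get(node, []):
            if dependent not in seen:
                seen.add(dependent)
                queue.append(dependent)
    grouped: Dict[str, List[str]] = {}
    for node in sorted(seen):
        kind, name = node.split(":", 1)
        grouped.setdefault(kind, []).append(name)
    return grouped


if __name__ == "__main__":
    for kind, names in impacted("array:san-01").items():
        print(f"{kind}: {', '.join(names)}")
```

Note that hosts are absent from the array's impact set: they do not depend on the array, even though VMs on them do. Running the same query from `host:esx-02` shows the reverse view, a host outage reaching only the VMs and applications on that host.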


On top of that, you are able to gather data and correlate information like WPM: user experience for internal and customer-facing Web applications; SAM: applications, servers, hosts, virtual clusters, virtual data centers, volumes; Virtualization Manager: data stores, additional performance metrics for virtual servers like CPU ready, ballooning, snapshots, etc.; SRM: LUNs, NAS volumes, pools, vServers (NetApp), storage arrays.

More on AppStack


Man, I’m telling you what; the network troubleshooting and AppStack bundles really are some work horses! The key to data is that the information is valid and consistent. SolarWinds, by using one database for storage data, allows you to group, use custom properties, and even use limitations throughout to get the information you require where you want it. That is the power of integration: being able to combine useful information to help you troubleshoot faster and resolve sooner.


Well, that sums up the top three monitoring and troubleshooting capabilities with SolarWinds products. Expect more from your software suite. We are constantly integrating and adding features to our products. We love to discuss planning and what you really want from your IT solutions. So come join us at the Lunch & Learn @ Cisco Live – San Diego.


~Dez    
