
Why doesn't UDT support this?

So I already brought this question to support and they are going to submit a feature request but I had to ask why in the heck this already doesn't work?

Here's my environment and my question...

I have a windows domain with domain joined computers. I also have cisco switches.

Now I wanted to configure an alert with UDT that would tell me if someone plugged in a computer that is not domain joined or doesn't follow our standard naming convention, and only when it happens on specific subnets (as these are the only ones someone would be able to reach).

The first is not possible as far as I could find and support could find. The second is somewhat possible but has limits.

I can create a whitelist with the naming convention using wildcards. For example say my naming convention is laptop01.mydomain.com, my whitelist rule (under dns name) would be laptop**.mydomain.com.

However, I would also like to only get this for two specific subnets (say 192.168.1.x/24 and 10.20.1.x/24), so I would create a second whitelist (at this point I'm not sure if I add in every other network but these two on the whitelist or just add these two; I went with the former).

Then I would create an alert by duplicating the canned rogue DNS name alert and editing its parameters.

Going through the alert when I get to trigger condition I select the first action using Rogue DNSName and put in the parameters needed.

Then I check on the 'Enable complex conditions' check box below the selection box (because this is a complex condition?) and add in the parameters for Rogue IP Address.

Finish configuring my alert settings and enable.  Then I test it by connecting a computer that 'does not' follow the normal naming convention.  And wait, and wait and nothing. No alert.

When I go back to my alert and check under summary to see what, if any, systems might be triggering this alert I see a big fat 0. Nada.

So I contact support and I'm told that I can NOT do something like this.  I have to ask why?

Why can't I do something like this? It should be supported. Is this not a complex alert?

Anyone have any idea how I might do something like this through other means from within SolarWinds?

One other question: how do you clear out old entries for rogue DNS entries? I am not able to see these anywhere in SolarWinds. I checked DNS, DHCP, and everywhere else I could think of.

I ask this because if I take away the ip address part of my alert above I do get alerts for some 'older' systems that we were testing. These do NOT exist anywhere in my AD, DNS or DHCP on the Microsoft side of the house and I checked SolarWinds DNS and DHCP entries and nothing there either. So they are saved in some table somewhere but for the life of me I can't find them and clear them.
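The combined check the post is asking for (a name outside the naming convention AND an address inside one of the two watched subnets), written out as an added Python example; this is not code from the thread or from UDT, the hosts are constructed, and the wildcard is assumed to behave like a shell glob.

```python
import fnmatch
import ipaddress

# Constructed sample inventory: (DNS name, IP) pairs of the kind UDT records per port.
# These hosts are made up for the example, not data from the forum post.
DEVICES = [
    ("laptop01.mydomain.com", "192.168.1.25"),   # conforming name, watched subnet -> fine
    ("laptop17.mydomain.com", "10.20.1.40"),     # conforming name, watched subnet -> fine
    ("vendor-box.local", "192.168.1.77"),        # wrong name, watched subnet   -> rogue
    ("test-pc.mydomain.com", "172.16.5.9"),      # wrong name, unwatched subnet -> ignored
    ("DESKTOP-AB12CD", "10.20.1.200"),           # workgroup default name, watched subnet -> rogue
]

# Naming convention as the post writes it; '**' is assumed to behave like a glob '*'.
NAME_WHITELIST = ["laptop**.mydomain.com"]

# The two subnets the alert should be limited to (from the post).
WATCHED_SUBNETS = [
    ipaddress.ip_network("192.168.1.0/24"),
    ipaddress.ip_network("10.20.1.0/24"),
]


def name_allowed(dns_name: str) -> bool:
    """True if the DNS name matches any whitelist pattern (case-insensitive)."""
    name = dns_name.lower()
    return any(fnmatch.fnmatchcase(name, pat.lower()) for pat in NAME_WHITELIST)


def in_watched_subnet(ip: str) -> bool:
    """True if the address falls in one of the watched subnets; unparsable input is not watched."""
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:
        return False
    return any(addr in net for net in WATCHED_SUBNETS)


def rogue_devices(devices):
    """Both conditions at once: non-conforming name AND address in a watched subnet.

    Devices on other subnets are ignored even when the name is wrong, which is the
    behaviour the post wanted from the 'complex condition' alert.
    """
    return [(n, ip) for n, ip in devices if in_watched_subnet(ip) and not name_allowed(n)]


if __name__ == "__main__":
    for name, ip in rogue_devices(DEVICES):
        print(f"rogue: {name} at {ip}")
```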

  • We purchased Cisco ISE to accomplish this, in much more granular / powerful enterprise format.  I like your idea for using UDT to accomplish it.  One would think that if Solarwinds NPM/NCM/UDT has RW capabilities, it could react to unauthorized devices and shut their network port(s) automatically.

  • We are considering Cisco ISE because there are some other things we want to be able to do as well and solarwinds just does not support the advanced features we are looking for.

    However, it actually does have the ability to shut down a port based on an alert. I've never given my SolarWinds setup r/w access to our switches or firewalls though, because I prefer to keep the control for those systems limited and I don't fully trust SolarWinds to not lose its mind and do something stupid.

    But yeah, it is kind of crazy that it wouldn't support alerting like this off of two parameters that 'IT STORES ITSELF!!' lol...