Planet Network Management

Zenoss in the Clouds ZenPacks Finalists


We've finally processed all the entries in the Zenoss in the Clouds ZenPack Contest.  The entries were very diverse and each provides a very useful solution.  Here is a quick rundown of all the ZenPacks entered into the contest, we will announce the winners later this week:

 

 

 

For a complete list of all the Community ZenPacks that are available, please visit: http://www.zenoss.com/community/projects/zenpacks/ For Community ZenPack development and further information, please visit the Community ZenPack Repository.

Thanks again to everyone who contributed their ZenPacks to the Zenoss Community.

Our First Splunk Live! in Munich, Germany

Held at BMW-Welt on March 8th and hosted with local Splunk Partner IT-Cube Systems, attendees came from across Germany, Switzerland and Belgium to learn from presentations by Swisscom and Accenture.

Splunk competed successfully in the morning, drawing a room full of interested Splunk Live! attendees despite the brand new BMW cars and motorcycles on display in the BMW-Welt entrance.

Mika Borner: Swisscom

The first customer presentation was by Mika Borner, a long-time Splunk user. Swisscom is the leading telco/ISP in Switzerland and Mika spoke about their use of Splunk for managing their Internet messaging services.

Before Splunk: custom parsers/analytics, grepping through even one day’s logs took a long time (Swisscom handles 40 million emails per day), there was no live view and finding anomalies was almost impossible. In short, managing the distributed environment was hell.  More importantly, a high percentage of the messages going through their network was spam.

With Splunk: They no longer need custom parsers and can get a handle on what’s really happening in their environment.

“We’ve got a near real-time view on what’s going on, adapting for new logfiles is straightforward, and searching and alerting about anything is easy.”
Mika Borner of Swisscom: Self-proclaimed “Splunk freak” and Splunk user since May 2006.
“Think different. The only limit what Splunk can do for you is yourself.”

Swisscom uses Splunk for troubleshooting and investigating user and infrastructure incidents. Finding and preventing abuse and fraud–including preventing phishing emails, and abuse and fraud of their SMS service–was the initial driver for purchasing Splunk. They were further able to justify the purchase of Splunk to address service crashes. Not only did Splunk greatly reduce the time to resolve issues, they achieved ROI almost right out of the gates. Splunk is also used for reporting, statistics, trending, and capacity planning.

The Swisscom Splunk deployment consists of 2 Splunk indexers, 1 search head, capturing 140GB/day, and storing 6 months of data on a 10TB SAN. They use Splunk forwarders whenever possible, and make heavy use of Splunk’s Common Information Model.

Near the end of his presentation, Mika said: “How would I describe Splunk? Eierlegendewollmilchsau” (loosely translates from the German as an animal that does everything!).

Alexander Strobl: Accenture Technical Consultant

Alexander gave a presentation detailing how one of his clients uses Splunk. The client is one of the largest worldwide trading and services companies, with more than 50,000 employees on three continents. Before Splunk, the company was often faced with critical service downtime—a common problem for retailers both online and off.

Alexander said that now, with Splunk, “In 15 minutes I can end all the finger-pointing.” They keep tabs on the general health of their environment using Splunk dashboards, and Alexander recommends, “Wrapping your processes around Splunk to uncover its true power and benefit.”

Splunk is integrated into 10+ business critical applications and services, generating 20-50 GB/ day or approximately 1200 events per second, including custom files and events. The current deployment consists of 2 Splunk instances—one for testing; one for production, with data from hundreds of servers including WebLogic and custom Java logs. They’ve established interfaces between Splunk and other tools to speed problem resolution and issue trouble tickets.

What’s next? The client is planning to use Splunk for transaction tracking across all apps and services, and for business process analysis.

To celebrate the first German SplunkLive, Splunk Sales Engineer Christian Glatschke marked another first–the first time a Splunk product demonstration was given while wearing Lederhosen. Thanks to all who joined us. Next stops in EMEA: Stockholm and Amsterdam in early May.

March 2010 Vulnerability Report

This month, Alain discusses the two patches from Microsoft, 0day vulnerabilities in Apache, Opera, Internet Explorer and finishes with VRT activity in March.

Rule release for today - March 9th, 2010

  • Microsoft Security Advisory (MS10-016): Microsoft Windows Movie Maker contains a programming error that may allow a remote attacker to execute code on an affected system.
  • Microsoft Security Advisory (MS10-017): Microsoft Excel contains several programming errors that may allow a remote attacker to execute code on an affected system.
  • Apache HTTPD mod_isapi RCE (2010-0425): The mod_isapi module

APT: Should your panties be in a bunch, and how do you un-bunch them?

There is no more predictable group of people than marketers. Once a term reaches a certain tipping point, they grab onto it for dear life and choke it until it means nothing. Apparently, the Advanced Persistent Threat (APT) hit that point somewhere around December. Despite the term being used by the defense industrial base for years, it wasn’t until this year that firms really started pounding

DevOPS, SecOPS, DBAOps, NetOps

This post is long overdue, as the idea struck me when discussing with Lefred while preparing his Fosdem talk on Maintaining too big tables.

I got triggered finishing this post by Mr BuildDoctor.

Fred has been struggling with a typical DevOps problem resulting in the most unmanageable database setup possible. There's little room for him to move, but he managed his way out ... because he is good at his job.

It set the mark for me that, because in different organisations even the Ops team is fragmented in different groups, there also we need to get the DevOps idea going.

Typical setups here are the Network guys vs the Platform guys. Especially with the growth of virtualization, where the network stack doesn't stop at the physical switchport anymore but the VLAN trunks go deep into the VMs, a lot of discussion happens. Where traditionally the story for the network engineer stopped at the switch, they now want control much deeper in the infrastructure.

But an even bigger group that needs integration is the security folks. It's no secret that in some organisations the security guy's job is to be the bad guy; their default reply to something is NO, especially to people wanting to drill holes in their architecture.

Patrick wonders if it's the specialist vs generalist dilemma; I think it's the Web vs Enterprise IT way of thinking ...
DevOps first gained ground in Web environments; the battle has only started ...

We still have a long way to go before, in say a banking environment, the Devs and SecOffs and the DBAs and the Ops are on the same line ... they all need to break the walls of confusion, they all need to come out of their silos. And when you are a generalist in charge of a bunch of these things you have to make sure your Tuesday afternoon security persona talks with his other personas from time to time ... otherwise you are really gonna need those meds :)


Puppet Extensibility

I recently had the opportunity to sit in on our San Francisco Puppetmaster and Developer trainings and it became clear to me that we have quite a few powerful features that we don’t mention quite enough. Namely, Puppet is a powerful, data-driven, customizable system that has capabilities that can, if needed, go far beyond Puppet language. There are numerous points where Puppet can be easily extended.

Custom External Nodes

As a starter example, last year we announced Puppet Dashboard, a GUI that allows you to gain an easier view and access into your Puppet infrastructure.

The “node classifier” in Puppet Dashboard is built on top of a powerful system Puppet has had for a long time, called External Nodes. It tells a given host which Puppet classes and variables should be assigned to it, based on the output of a command that is run with the hostname of the system as its argument. The command just returns a simple set of data in YAML format on standard out. This is totally dynamic and perhaps one of the easiest Puppet extensions to write.

While also enabling Dashboard, External Nodes gives you the choice to use your own in-house tool to provide this information, for instance one that integrates with your existing LDAP infrastructure or another database. It’s also how the Puppet integration in apps like Cobbler works.
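A minimal external node classifier of the kind described above, as an added example (not Puppet Labs' code): it takes the node name as its only argument and prints `classes` and `parameters` as YAML on standard out. The inventory, role names and class names are constructed for illustration, and the strict node-name check and the non-zero exit for unknown nodes are design choices of this example, so that a malformed or unlisted name never reaches a back-end lookup or receives a default classification.

```ruby
#!/usr/bin/env ruby
# Added example: external node classifier backed by an inline inventory.
require 'yaml'

# Constructed inventory standing in for an LDAP directory or CMDB
# (hypothetical hosts and attributes).
INVENTORY = {
  'web01.example.com' => { 'role' => 'web', 'datacenter' => 'fra1' },
  'db01.example.com'  => { 'role' => 'db',  'datacenter' => 'ams2' }
}.freeze

# Hypothetical mapping from a role to the Puppet classes it receives.
ROLE_CLASSES = {
  'web' => %w[base ntp apache],
  'db'  => %w[base ntp mysql]
}.freeze

# Lowercase DNS name: dot-separated labels of letters, digits and hyphens,
# at most 253 characters. Anything else is rejected before any lookup.
HOSTNAME_RE = /\A(?=.{1,253}\z)[a-z0-9]([a-z0-9-]{0,61}[a-z0-9])?(\.[a-z0-9]([a-z0-9-]{0,61}[a-z0-9])?)*\z/

class UnknownNode < StandardError; end

# Return the classification hash for a node name, or raise.
def classify(hostname)
  name = hostname.to_s
  raise ArgumentError, 'malformed node name' unless HOSTNAME_RE.match?(name)

  record  = INVENTORY.fetch(name) { raise UnknownNode, name }
  classes = ROLE_CLASSES.fetch(record['role']) { raise UnknownNode, name }

  {
    'classes'    => classes,
    'parameters' => {
      'role'       => record['role'],
      'datacenter' => record['datacenter']
    }
  }
end

# YAML document as it is written to standard out.
def render(hostname)
  classify(hostname).to_yaml
end

# Command-line entry point. Returns the process exit status:
# 0 = classified, 1 = refused (malformed or unknown node), 2 = usage error.
def run(argv, out: $stdout, err: $stderr)
  unless argv.length == 1
    err.puts 'usage: enc.rb <node-name>'
    return 2
  end
  out.print render(argv[0])
  0
rescue ArgumentError, UnknownNode => e
  # Do not echo the rejected argument back; log only the error class.
  err.puts "enc: refusing to classify node (#{e.class})"
  1
end

# The node name arrives as the single command-line argument.
exit run(ARGV) if $PROGRAM_NAME == __FILE__ && !ARGV.empty?
```

Running it by hand as `ruby enc.rb web01.example.com` prints the YAML for that node.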

Custom Types And Providers

Another powerful feature is the ability to write custom types. While Puppet ships with a very large library of standard resource types, it’s quite easy to write your own to manage a resource stock Puppet does not manage out of the box. For example, recently we’ve developed a type for Managing LVM volumes. If you need assistance writing types, it’s suggested that you read the source code for some of the existing types. The LVM one is a great example. If you are still stuck, we can help.

Custom Facts

Similarly, if you need to evaluate conditional expressions or source template variables that Puppet doesn’t provide out of the box using Facter, Facter can be trivially extended by writing Custom Facts. For instance, you may wish to write a custom fact that provides some added information about hardware inventory, or perhaps information about specific in-house software.

Custom Functions

For even more power, it’s possible to write custom functions. While Facts are evaluated on the managed-nodes, functions are evaluated server side. In this way, it is possible to write a function that looks up data from a file. One such example is extlookup. Even if you wanted to write most of your data in Puppet language, including some bits from external sources is fairly simple.

Language Options

It is true that custom facts and functions currently require writing Ruby code, but External Nodes can be written in any language that can produce output in simple YAML. We’re also considering a way to allow custom facts to be written as simple shell scripts dropped into a conf.d type directory. While traditionally manifests have been required to be written in Puppet Language, work on our Ruby DSL will allow manifests to be described in native Ruby. Note that these manifests are intended to be run on the central server, not on the clients, and the result of running them is the creation of a Puppet catalog. If you’re doing things on the clients and wish to use Ruby, writing a type and provider is the way to go and that’s been doable for some time.

A Pluggable, Open System

The fundamental takeaway is this: Puppet is a flexible open system, and your data and needs should decide how to drive your infrastructure. Puppet provides many ways to make that possible, and in the future, you’ll see this continue to grow and evolve. Rather than having a giant enterprise tool that provides a set work flow and locks in your data, we want Puppet to be a system that can easily adapt to your particular needs.

Michael DeHaan

Easily adding double and triple gauges for Universal Device Pollers

I ran across another cool post that a member of the thwack community put together that I wanted to share with everyone.  lasher put together some new resources for Orion NPM v9.5.1 which allow you to create double and triple gauges within a resource for Universal Device Pollers.  If you wanted to accomplish this today, you would need to use a custom html resource, so this makes life much quicker and easier.

So I can hear you saying, ok you had me at double and triple gauges, how do I get this?

First, you can download this resource here

To install:

  • Copy CustomOIDEditGaugeDoubleTriple.aspx and CustomOIDEditGaugeDoubleTriple.aspx.cs to InetPub\SolarWinds\Orion\NetPerfMon\Resources folder.
  • Copy CustomPollerRadialGaugeDoubleTriple.ascx and CustomPollerRadialGaugeDoubleTriple.ascx.cs to InetPub\SolarWinds\Orion\NetPerfMon\Resources\NodeGauges folder.
  • Copy CustomOIDEditLinearGaugeDoubleTriple.aspx and CustomOIDEditLinearGaugeDoubleTriple.aspx.cs to InetPub\SolarWinds\Orion\NetPerfMon\Resources folder.
  • Copy CustomPollerLinearGaugeDoubleTriple.ascx and CustomPollerLinearGaugeDoubleTriple.ascx.cs to InetPub\SolarWinds\Orion\NetPerfMon\Resources\NodeGauges folder.

As lasher states, there are 4 known issues with it. 

  • Auto-Scale not working and has been disabled.
  • Auto-Hide Resource not working correctly and has been disabled.
  • Must set Warning & Error Threshold or Gauges will display red.
  • Gauge labels do not set correctly when first added to page.  (Workaround is to edit the gauge and click submit.  Labels will show up correctly after that.)

Upcoming OpenNMS Events

Lots of events going on in OpenNMS-land. I thought I’d list a few here:

  • Early bird registration for the OpenNMS Users Conference to be held in Frankfurt, Germany on May 6th and 7th ends tomorrow. This is the place to be to hear all about OpenNMS, and early registration can save attendees €60.
  • Next week I’ll be at the Computerworld Open Source Business Conference in San Francisco. Drop me a note if you are going and want to meet up.
  • On April 10th, Jeff Gehlbach will be speaking at the Texas Linux Fest 2010 on using OpenNMS in enterprise environments. If you have seen any of his OpenNMS and Asterisk presentations in the past, you know how good they are and won’t want to miss this one.
  • We once again have training scheduled in metropolitan Pittsboro, NC, USA for the week of the 19th of April. These classes are both a lot of fun and the best way to get started with OpenNMS.
  • David Hustace, Craig Gallen and myself will be attending the TeleManagement Forum’s ManagementWorld conference in Nice, France, on 18-20 May. Again, if you use or are interested in OpenNMS and you’ll be at the conference, please let us know. We’d love to meet you.
  • And finally, The OpenNMS Group is a platinum sponsor of the Southeastern Linuxfest to be held in South Carolina the weekend of June 12th. Since this is close expect a lot of the OpenNMS crew to be there, and I’ve submitted a couple of talks but haven’t heard back if they have been accepted.

Of course, I’m able to talk, in depth and at length, about OpenNMS pretty much anywhere and anytime (grin). Hope to meet you in person soon.

TBSM v4.2.1 FP1 New View Definition Role

In TBSM v4.2.1 FP1 a new role has been introduced to allow control over TBSM View Definitions. The new role is called ‘tbsmViewDefinitionAdmin’ and should be added to the appropriate groups to allow editing View Definitions via the TBSM Service Viewer GUI.

Note that after applying TBSM v4.2.1 FP1, this new role isn’t applied. You may notice that all View Definitions are “grayed out” and unable to be edited. Apply this role to the appropriate groups to gain access to editing View Definitions.

For a review of all TBSM v4.2.1 FP1 roles, review the documentation here: http://publib.boulder.ibm.com/infocenter/tivihelp/v3r1/topic/com.ibm.tivoli.itbsm.doc/adminguide/bsma_opscusers.html

TBSM v4.2.1 FP1 Planning

TBSM v4.2.1 FP1 has been in the wild for a few weeks now. I’ve seen numerous issues with this fix pack related to local server disk space requirements.

Please review each server’s available disk space before starting your FP1 installation. Make sure you have plenty of space available (> 5GB ++) specifically in the /tmp, /home and where you choose to do a backup. Make sure the tbsm install user has permissions to write to that backup location.

If you do not want to do a backup (i.e. new install & patch), you can use the flag ./install.sh -DNO_BACKUP=true to skip the backup step.

Wireshark - Getting Started Tips (by Tony Fortunato)

Author Profile - Tony Fortunato is a Senior Network Specialist with experience in design, implementation, and troubleshooting of LAN/WAN/Wireless networks, desktops and servers since 1989. His background in financial networks includes design and implementation of trading floor networks. Tony has taught at local high schools, Colleges/Universities, Networld/Interop and many onsite private classroom settings to thousands of analysts. Tony is an authorized and certified Fluke Networks and Wireshark Instructor. His Pine Mountain Group CNA Level I and II certification demonstrates his vendor neutral approach to network design, support and implementations. Tony has architected, installed and supported various types of Residential Wireless High Speed as well as hundreds of WIFI hotspots. Tony uses a variety of technologies from Powerline, Wireless and wired technologies to find the most cost-efficient and reliable solution for his customers. Tony combines custom programs, open source and commercial software to ensure a simple support infrastructure.




I was presenting and was surprised that some of the tips that I think are pretty basic are still met with awe and excitement.  So I thought what a good idea to post.  I have included some screen shots from my Wireshark class notes.


Installation

I usually either have to install Wireshark regularly on my lab PC's, or have someone install Wireshark on their PC, so knowing how to do this from the command line is a real time saver.  

[Screenshot: Installation]




Launching Wireshark

Many times I make a Wireshark shortcut on my desktop to automatically start capturing when I double click it.

Just a quick note:

  • you can get your interface info by typing tshark -D in the Wireshark program directory
  • you can also use the numeric or index reference number instead of the GUID

[Screenshot: Launch]

Merging files

Many times I have to merge specific files, and this tip saves me a bunch of time.

[Screenshot: Drag and drop]


Shortcuts

Here's a list of shortcuts I reference.

[Screenshot: Shortcuts]

Enjoy



Nagios Core 3.2.1 Released

Nagios Core 3.2.1 has just been released and can be downloaded from www.nagios.org/download. This latest stable release includes several bug fixes, including fixes for compilation under Fedora and Solaris and incorrect check scheduling when time changes occur. Changelog is available here.

OpenNMS in Botswana

Just a quick post that pictures from Craig Gallen’s trip to Botswana are now available. He told me he had a great time, and perhaps I can visit one day.

Sunday Buzz: Google Got us by the Profile (by Denny K Miu)

Editor Profile - Denny K Miu was the Founder and former CEO of two companies, Gigamon Systems and Integrated Micromachines (now Touchdown Technologies). Denny has extensive experience in developing technology, products and business relationships. He has been a Professor, an engineer, an entrepreneur, a team leader as well as an individual contributor.

Denny is currently the Executive Editor of LoveMyTool.com.



Denny's Note: I have been experimenting with Google Buzz. It is an interesting tool that could have a lot of potential for the LoveMyTool community. For now, it is also a unique forum allowing me to write about things that interest me, but not necessarily related to LoveMyTool or StartupForLess. Occasionally, I will re-post a popular item. Hope you enjoy.

You can follow me on Google Buzz or subscribe to my RSS feed.


**Google Got us by the Profile**

"Personal" branding is a new concept, especially for us technically-oriented people. In the past, our "brand" is associated with our job and the company we work for, most likely for life. Then it was with our industry since it was accepted that we will change jobs at least four times within our lifetime. But at least we will work within a chosen sector of our economy. But now with the recent downturns, it is clear that it is possible for an entire industry to disappear. So now our loyalty needs to be with ourselves.

Interestingly, those who are on the entertainment side have been doing this for years. Dancers and actors are accustomed to carrying their "portfolio" from gig to gig. In the last three weeks I have been experimenting with Google Profile and Google Buzz, and I believe they are powerful tools for us to build our portfolio.

Anyone who is self-employed, unemployed or under-employed should start now and experiment with Google Buzz to build contents for your Google Profile. It is possible that you will still need a webpage for your business (or potential business) but brand building is about engagement. And there is no better place to engage than in Buzz.



Getting Started with Zenoss Core Webinar March 9

Have you recently downloaded Zenoss Core, or do you have questions about implementing the solution in your environment? If so, please register to attend our bi-weekly Getting Started with Zenoss Core Webinar. The March 9 session is still open for sign-up, and if you can’t make this session, the next March 23 one is on the schedule. You can register here:

 

Tuesday, March 9 1:00 p.m. EST

Tuesday, March 23 9:00 a.m. EST

 

Here’s what you’ll get out of the session:

  • An introduction to the Zenoss Community
  • Installing the software properly
  • Preparing your environment
  • Logging in to get started
  • Adding, classifying and auto-discovering your devices
  • Getting and staying organized
  • Seeing the “big picture” (dashboard, network map, event console, Google Maps, etc.)
  • Avoiding common mistakes

 

We also have a Zenoss engineer available to answer questions live – and there are usually lots of questions submitted! If you’re interested in seeing past Q&A logs, take a look at some of the previous Getting Started with Zenoss Q&A sessions where we document and upload all of the questions submitted along with answers.

Ubuntu already running business servers

Savio Rodrigues just posted commentary on the Eclipse 2009 survey which found Ubuntu market share has increased dramatically in the last year or so. I wanted to share some additional data on the same topic from the GWOS community.

The attached chart shows the OS breakdown of people running GWOS products who have chosen to share anonymous usage information with us. This chart is only concerned with the Linux flavour GroundWork Monitor is running on - whether the installation is used to monitor Unix, Linux, Windows, storage, applications or web sites doesn’t affect the overall counts. Since GroundWork Monitor runs on top of Linux (as installed software, in a virtual appliance or on Amazon EC2) the non-Linux categories from the Eclipse survey don’t apply in this case.

The rapid growth of Ubuntu Server in serious, data-center monitoring installations was one of the reasons we added first-class support for the Ubuntu Server platform in our latest 6.1 release. 2010 is shaping up to be an exciting year for Linux vendors of all types.

Link to chart: http://www.flickr.com/photos/39742313@N03/4418870558/

CentOS… 46%
Fedora or RHEL… 25%
Ubuntu… 14%
SUSE… 8%
Debian… 5%
Other… 2%

Real Life in the Digital World of Warcraft

On Saturday, February 27, 2010, a very interesting article in the San Francisco Chronicle called “Real threat in virtual battleground: hackers” by Alejandro Martínez-Cabrera, Chronicle Staff Writer (http://xrl.in/4pe1), discussed the virtual world called World of Warcraft (WoW). For those folks that don’t know what WoW is, haven’t played online, or haven’t seen the excellent South Park episode that spoofs WoW, the simple explanation is to say that it’s a virtual medieval world where you can adopt a character, buy stuff with virtual currency, go on quests, and pick fights with other characters in the game.

What I was unaware of until this article came out was the following: “Experts say the underground secondary market where hackers buy and sell stolen online gaming accounts, items and in-game currency has become a billion-dollar criminal industry. In hacker forums, a WoW character account can sell for as much as four times the value of a stolen credit card, said Steven Davis, chief executive officer of game security firm SecurePlay.”

If this sounds like a case of ‘art mirroring life’, it hit me that way too. In real-life, identity theft occurs and for a time these stolen identities were bought and sold in a sort of hacker market place. The interesting difference for me is that every action in the virtual world leaves digital footprints in log data where in real-life this isn’t always the case. This points to a need for a very highly scalable solution that can provide for monitoring of user actions while looking for patterns of account activity that could mean identity theft or fraud in the game.

Because the types of fraud/threats to players are constantly evolving, this isn’t a situation where a filtered SIEM style view of the games logs will work. Detective work can’t be limited or filtered to only what you expect to find. If the fraudsters limited their fraud attempts to what was expected – my guess is that we’d have stamped out fraud a long time ago. No, what’s interesting is what you don’t expect to find. Imagine a CSI episode where the hero limits the investigation only to what they expect to find. This would be bad detective work and boring television.

With over 10 million players in the game (that’s the total population of New York City and Chicago combined), the bad part of art mirroring life will continue given the amount of opportunity. Policing a virtual world can’t be easy and with all the players thinking that everyone in the virtual world is there just for an innocent bit of fun, thieves are likely much more emboldened and opportunities too huge to resist. Massively scalable search against all the data for patterns is Splunk’s forte.

CA Is Not Mordor


“In Mordor where the shadows lie…”
The Lord of the Rings


We keep hearing and seeing it, including on Twitter a week ago: “CA is a place where good software goes to die a slow, painful and horrible death.” Really? Well, it’s been nearly six months since CA acquired NetQoS. No foul Orcs have threatened to torture, maim and kill us. We have neither seen nor felt the fires of Mount Doom. No mob of CA employees has come at us with pitchforks (Oh wait, wrong work of fiction…).

On the contrary, CA has welcomed us and our software as a key component of its Service Assurance vision: To help IT teams deliver optimal service levels by mapping transaction, infrastructure, and business value into one complete picture of service delivery. In fact, technology from the NetQoS Performance Center is quickly finding its way into broader Service Assurance projects focused on common views and workflows.

From our experiences, we see CA as a dynamic, fluid organization not afraid to shake things up in the name of giving customers what they need. From a new CEO to a new CMO to fresh faces and thinking at all levels, there is a sense of excitement and innovation that those of us from the NetQoS fast-growth culture like to see. CA’s CTO Don Ferguson, named to the post last September, recently launched his blog on CA.com with the name “Life, the Universe, IT Management & Everything.” This isn’t your stodgy CA of old.

We at NetQoS welcome change and the chance to have our solutions be an integral part of a broader, more complete offering for customers.

Have there been hiccups? Sure: There are with any acquisition. Spending a half hour on the phone with tech support just to have a password changed is no fun. Our e-mail systems are still not integrated. And we’ve lost a few employees who feel they thrive in smaller environments: They have chosen to take jobs at start-ups in Austin or elsewhere. And that’s okay. Most of us see great opportunity at CA.

So we are not like Gollum or other creatures unfortunate enough to have been caught by the evil that lurks in Mordor: Beaten, stretched, and morphed into a shell of their former selves. This isn’t your father’s CA. In our case, it’s a place where good software goes to flourish and fulfill the promise the NetQoS co-founders dreamed up at a kitchen table nearly 11 years ago this month.

MIB Smithy SDK for Application Developers

Wanted to use MIB Smithy SDK to develop Tcl/Tk based SNMP applications you can distribute to your customers but User-Based and Host-Based Licensing made that infeasible? There’s an option for that now with the MIB Smithy SDK Developer License (or MIB Smithy SDK “Embedded Edition”).

MIB Smithy SDK Embedded provides all the same features as a regular license for MIB Smithy SDK, but is a special build and Developer License Agreement. Each Developer License grants a single developer a royalty-free license to embed the SDK and distribute it as an integral component of the developer’s applications, and includes a Single User or Single Host License for the normal SDK to use for development and internal use.

When you purchase online or by purchase order, a license and download permissions for both will be added to your account. The Developer License Redistributables available from the Downloads page contains only the files necessary for redistribution so you don’t have the overhead of downloading MIB modules and documentation bundled with the SDK twice.

User-Based Licensing Now Online

As previously (but quietly) announced, User-Based Licensing was introduced in MIB Smithy SDK 4.0, and subsequently in MIB Smithy 4.2 and MIB Views 1.5. Earlier versions of these products supported only Host-Based Licensing.

Host-Based Licensing permits any user to use the software on a single specified computer, provided it’s used by only one person at a time. This scheme is useful in multi-user environments where use is less frequent, as licenses can be shared in this manner, with the trade-off being limits on how often the license can be transferred to another computer.

User-Based Licensing, on the other hand, permits a single specified user to use the software on any computer, provided it’s used on only one computer at a time. This scheme is useful in environments where a user uses multiple computers or changes computers frequently (such as on a desktop and laptop), with the trade-off being that each user needs their own license.

The User-Based Licensing feature was implemented in these releases, but until now the systems on the web site weren’t set up to handle it. From now on, when initially configuring their license key, new customers can choose whether to designate it as a User-Based or Host-Based License, and whether to use the old license key format (compatible with all versions) or new license key format (compatible with these versions and later) for Host-Based Licenses. The new format includes a couple of freely editable plaintext fields (usually filled in with the product name and serial number) that make it easier for customers with multiple license keys to distinguish them from one another, and gets rid of those BEGIN/END lines people often don’t realize are required parts of the old key format.

Customers who initially purchased their license prior to December 31, 2010 (through the end of this year) and who are using Host-Based Licenses can elect to permanently convert their keys to User-Based Licenses, provided their support is current. They can now do so online by following the link at the bottom of the License Detail page, accessible via the serial number link at Manage Licenses. This future cutoff date was chosen to allow for transition time, as some current MIB Smithy SDK users may want to switch to User-Based Licenses, and may wish to acquire additional licenses, but need time to port their scripts or hardware from SDK 3.x to 4.x API and Platform Changes.

After conversion to a User-Based License, you’ll be permitted to continue to use your old Host-Based license key as necessary for migration and script porting, but it may no longer be shared (it must be used only by the newly assigned user) and no further Host ID transfers will be permitted.

The new format looks approximately like this, with the two fields in ||’s editable in any way that helps you keep track of your licenses (except by inserting | characters):

|MIB Smithy Professional - Windows|XXXXXX-XXXXXX-XXXXXX|dcPkYQW
hJeSOYzDPDYvWprYQoaQd9zsoDihw25qLweMriJBDksDQbRuwbHfdprYfIKQdQQ
YjY42AzazjkeNn30s8ygPiOOChK2UveIM4BWNmF2Vg=lyma9fS60Ah9k0JZ02ja

If you’d like to convert your license to the new format, but stay with Host-Based Licensing, please contact support. As with conversion to User-Based, your support must be current (it’s only supported by the above versions of the software).

P.S. No, that’s not a valid license key, so don’t even try. :)

Pollution is Bad

Pollution is bad for the environment and bad for Splunk. When your Splunk datastore gets polluted it can impact your search experience negatively. It can also be difficult, if not impossible, to clean up without re-indexing.

Pollution can happen for a number of reasons:

  • the wrong timestamp is extracted (events are dated in the past or future)
  • events are broken at the wrong place
  • incorrect metadata (host, source, sourcetype) is associated with an event

What does this mean to you? Pollution can cause time-bound searches to return inaccurate results. For example, if you are searching over the last 24 hours and events are incorrectly dated a week ago they will not be returned as part of the result set. Any subsequent operations (e.g. stats, timechart) on the result set will be inaccurate. Pollution can also cause skew in the event count. If Splunk inadvertently breaks an event into multiple parts, the reported event count will differ from the true event count. Thirdly, if the wrong sourcetype or host data is assigned to an event, searches on sourcetype or host will be troublesome.

What can you do if any of the conditions above threaten the integrity of your Splunk installation? It is possible to delete events, whereby they are not returned in search results, but even delete has its limitations. The alternative is to clean and re-index data. This is a very heavy-handed approach and assumes you do not mind losing/reprocessing many millions/billions of events or months/years of data.

Preventing pollution is the best policy. Problems can easily go undetected in a sea of events. Ensuring these problems don’t crop up over time, when they become more difficult to address, can save you time and save you from having to make difficult decisions about re-indexing.

Here are some simple ways to help you defeat contamination:

  1. When first setting up Splunk or adding a new data source, run through some safety checks to make sure Splunk is indexing the data sensibly. Check out the attached on-boarding checklist for some suggested sanity checks.
  2. For testing, use a staging environment, not your production Splunk installation. Get a sample of the data and see how it performs. Use Splunk Free, use your desktop, use your neighbor’s desktop–anything but the production Splunk server. If no alternative to the production server is available, at the least, set up a sandbox index where you can test the new data to your heart’s content. When you’re done testing, divert the data stream to the default index (or wherever you need it to go), then delete the sandbox index. Cleaning an index is much easier than trying to surgically remove events from an index.
  3. Remove the guessing from timestamp extraction, line breaking, sourcetyping. For your convenience, these 3 topics are covered separately in my previous blogs.
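
A sanity check of the kind steps 1 to 3 describe can be run over a sample of the new source before it reaches a production index. The following is an added example, not part of the original post and not Splunk code: the sample log, the timestamp pattern and the `max_days_ago` / `max_days_hence` thresholds are all assumptions chosen for illustration. It breaks events only at a leading timestamp, then reports events dated too far in the past or future and events with no timestamp at all.

```python
import re
from datetime import datetime, timedelta

# Constructed sample (not from the original post): an application log with a
# multi-line stack trace, one event dated a year back and one dated weeks ahead.
SAMPLE = [
    "2010-03-08 10:15:01,123 INFO  login ok user=alice",
    "2010-03-08 10:15:02,456 ERROR unhandled exception",
    "java.lang.IllegalStateException: pool exhausted",
    "    at com.example.Pool.take(Pool.java:42)",
    "2009-03-08 10:15:03,000 INFO  replayed record",
    "2010-04-20 08:00:00,000 WARN  sender clock is wrong",
    "2010-03-08 10:15:04,789 INFO  logout user=alice",
]

# Explicit timestamp position and format for this source: no guessing.
TS_REGEX = re.compile(r"^(\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}),\d{3} ")
TS_FORMAT = "%Y-%m-%d %H:%M:%S"


def break_events(lines, ts_regex=TS_REGEX):
    """Group lines into events; a new event starts only at a leading timestamp."""
    events = []
    for line in lines:
        if ts_regex.match(line) or not events:
            events.append([line])
        else:
            events[-1].append(line)  # continuation, e.g. a stack-trace line
    return events


def audit(lines, now, max_days_ago=2, max_days_hence=1):
    """Report pollution symptoms found in a sample, by 1-based event number."""
    events = break_events(lines)
    report = {
        "lines": len(lines),      # what naive one-event-per-line breaking yields
        "events": len(events),    # what timestamp-anchored breaking yields
        "no_timestamp": [],
        "too_old": [],
        "in_future": [],
    }
    for number, event in enumerate(events, start=1):
        match = TS_REGEX.match(event[0])
        if match is None:
            # Only possible for the first event: the sample starts mid-event.
            report["no_timestamp"].append(number)
            continue
        stamp = datetime.strptime(match.group(1), TS_FORMAT)
        if now - stamp > timedelta(days=max_days_ago):
            report["too_old"].append(number)
        elif stamp - now > timedelta(days=max_days_hence):
            report["in_future"].append(number)
    return report


if __name__ == "__main__":
    result = audit(SAMPLE, now=datetime(2010, 3, 8, 12, 0, 0))
    for key, value in result.items():
        print(f"{key:13} {value}")
```

A gap between `lines` and `events` shows how far the event count would skew if events were broken per line, and any entry in `too_old` or `in_future` is an event that a time-bound search over the expected window would miss.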

Pollution is not our friend.

Puppet HackDay Delhi – Coming this weekend March 13 & 14

Our friends at SlideShare are sponsoring a Puppet HackDay in Delhi, India this weekend. You can get full details including agenda, registration information and all the logistic details here: (http://www.barcamp.org/Puppet-HackDay-Delhi).

Our Founder and CEO Luke Kanies will be speaking remotely as well, so if you are in India this weekend you should definitely plan on attending.

The day’s goals are:

  • to give newcomers the opportunity to learn Puppet in a collaborative environment (with a two-hour guided exercise on EC2 machines that we will provide)
  • to apply that knowledge in a one-day competition immediately following the exercise, on the same machines (or on other machines if you like), or apply the principles in the systems automation tool of your choice, i.e. Puppet, cfengine, chef, lcfg, bcfg2
  • to develop the community of like-minded senior operations professionals focused on furthering the promise of systems automation – and the profession

We hope you can check it out and let us know how it went!

Customer Feedback: WhatsUp Gold Has the Power to Stop Your Phones from Ringing


As President of Ipswitch Inc.’s Network Management division I have had the opportunity to speak with many of our customers about their experience using WhatsUp Gold.

Now, because WhatsUp Gold can be deployed and utilized in a variety of ways, each new story I hear varies from the last. But I have noticed a few common themes over the years. One such theme sounds like this:

“The phones stopped ringing as soon as it was deployed on the network.”

In fact, a few weeks ago I had a new customer call up our sales team and rave about the silence he and his team have enjoyed since they implemented WhatsUp Gold on their network. No more phone calls about the network being slow, that this server is down, that the Internet isn’t connecting, etc.

Because of the powerful systems and performance monitoring WhatsUp Gold delivers, these guys are finally the first to know when something is wrong on their network. They can now fix an issue before it affects their users.

This latest customer interaction reminded me of our history with job-search-giant, CareerBuilder. As a longtime user of WhatsUp Gold solutions, our product has literally grown along with CareerBuilder’s company.

In its early stages in 2003, at a point when the job search site was just one-fifth the size of the market leader, they brought in WhatsUp Gold to solve their basic monitoring needs. As they’ve grown and matured, becoming the nation’s largest online job site, WhatsUp Gold has stayed a step ahead to continue to provide them the tool-set and functionality they need to manage a network that now includes close to 1300 devices.

Despite the evolution of technology and the increasing complexity of networks and managing solutions, we know that with most of our customers it is still the little things that make such a big difference. Mark Fouraker, Technologist at CareerBuilder, touches on just that in a favorite quote of mine from this customer story:

“My favorite story about WhatsUp Gold is when I was in an important meeting and was getting silent alerts on my pager about an impending issue on our network. I was sneaking out at breaks to troubleshoot and address the matter, eventually resolving it. The bottom line is that no one outside of a few people in operations had any idea there was even an issue at all. It’s just a beautiful product.”

A story like this is really powerful, in my opinion, because it shows how technology can evolve and customer needs can change, forcing us to continually adapt and innovate our product to meet those changing needs. It also shows that business relationships can certainly last as long as they remain mutually beneficial, with a bit of give and take from both sides.

Droplets: Cloud and Virtualization Links for March 8, 2010

You have to be careful when writing headlines. The wrong title for an article can bring a slew of readers into your site expecting one thing and getting another, and--worse--spoiling for a fight.

 

That was my initial reaction when I saw the headline "Linux Management and Monitoring Lacking" over on LinuxPlanet a while back. Excuse me?

 

Turns out the headline missed a critical word or two on the end, such as "Convergence." I know that because the Charlie Schluting piece was a re-post of the original article over on Enterprise Networking Planet, entitled "Time to Converge Monitoring and Management in Linux and Unix." Much less nerve-jangly.

 

In the ENP piece, Schluting argues that there's a disconnect between IT monitoring tools, such as Zenoss or Nagios, and configuration management apps like Puppet and Chef. He acknowledges that there's some "loose coupling" between these tools now, but there needs to be more.

 

I would suggest Schluting take a gander at ControlTier, a "cross-platform build and deployment automation framework" which will eventually enable users to automate the functionality between these services and more.

Open Sourcing Data Center Innovation: Another innovative direction for the data center can be found in the launch of the Open Data Center Initiative. The news actually came out in a Statement of Support on the first of the month, stealthily covered by the industry's Green Data Center Blog. Fortunately, Michael Manos, Sr. VP of Digital Realty Trust, decoded the news in his LooseBolts blog later last week.

 

In a nutshell, the new project will apply open source collaborative methods to data-center design, both in software and hardware. I, for one, will be very interested to see what comes out of this project.

O'Reilly Gets Its Online Irish On: Those of you interested in web operations as a broader concept, take note: O'Reilly's free Velocity Online Conference is kicking off in just over a week. The online event will take place from noon-2:15 p.m. EST (1700-1915 GMT) on March 17. Registration is free, and you won't even have to wear green.

Zenoss Core Moves Forward: As you may have read elsewhere, Zenoss announced the release of Zenoss Core 2.5.2, which will include "monitoring capabilities for the Xen Hypervisor via the Zenoss Xen monitoring plug-in, or Xen Virtual Hosts ZenPack." If you have any interest in virtual management, check out the new GPL release today.

 

Another new contribution to Zenoss was announced last week by Allen Sanabria, who's put together a script to automatically add multiple datapoints to Zenoss all at once, instead of one at a time. Sanabria claims the script for the Zenoss API is not finished yet, but Zenoss users may find it useful now.

Big CDN Provider Test: Who Serves You Fastest?

Nowadays, state-of-the-art websites use CDNs (Content Delivery Networks) to deliver static website assets like images, CSS, and JavaScript files. In order to deliver these objects as fast as possible to the website visitor, the CDN providers run a network of so-called "edge servers" in multiple locations. As soon as your browser requests a website object, its connection is directed to the nearest server (in network-topology terms), which then delivers the data. This sounds great in theory, but in real life it can be a complex task. One aspect is running an edge server network around the world (the largest provider, Akamai, reports more than 40,000 servers around the globe). And there is "the last mile" issue: website visitors usually do not sit in data centers with fiber optic connections, but use cable, DSL, T1, etc. instead. With a broadly conceived test, we want to find out:

  • How much of the CDN's performance really reaches the user in the end?
  • How much faster are CDNs, compared to normal web servers running at cloud hosting providers around the globe?

For CloudClimate.com we have developed a CDN Performance Test suite that you can run over your personal Internet connection. It will download a 64 kbyte image from 12 selected CDN hosting companies plus 12 cloud servers running in public clouds around the globe. The results are shown in a graph for comparison and will be logged in the CloudClimate CDN performance database. Please spread the word! We need as many website visitors as possible to go to the CDN Performance Test on cloudclimate.com so we can get a broad base of performance tests. As soon as enough data has piled up in the database we will provide consolidated results on this webpage.

March 2010: three new Cisco vulnerabilities

On March 3, 2010, the Cisco Product Security Incident Response Team (PSIRT) published three important vulnerability advisories:

  • Cisco Digital Media Player Remote Display Unauthorized Content Injection Vulnerability
  • Cisco Digital Media Manager Vulnerabilities
  • Cisco Unified Communications Manager Denial of Service Vulnerabilities

Cisco Digital Media Player Remote Display Unauthorized Content Injection Vulnerability
A vulnerability exists in the Cisco Digital Media Player that could allow an unauthenticated attacker to inject video or data content into a remote display.

Vulnerable Products
Cisco Digital Media Player versions earlier than 5.2 are affected by this vulnerability.

Details
Cisco Digital Media Players are IP-based endpoints that can play high-definition live and on-demand video, motion graphics, web pages, and dynamic content on digital displays. The Cisco Digital Media Player contains a vulnerability that could allow an unauthenticated attacker to inject video or data content into a remote display.

Impact
Successful exploitation of the vulnerability could allow an unauthenticated attacker to inject video or data content into a remote display.

Link: http://www.cisco.com/…/security_advisory09186a0080b1b925.shtml

 

Multiple Vulnerabilities in Cisco Digital Media Manager
Multiple vulnerabilities exist in the Cisco Digital Media Manager (DMM). This security advisory outlines details of the following vulnerabilities:

  • Default credentials
  • Privilege escalation vulnerability
  • Information leakage vulnerability

These vulnerabilities are independent of each other.

Vulnerable Products
The following products are affected by vulnerabilities that are described in this advisory:

  • Cisco Unified Communications Manager 4.x
  • Cisco Unified Communications Manager 5.x
  • Cisco Unified Communications Manager 6.x
  • Cisco Unified Communications Manager 7.x

Details
Cisco Unified Communications Manager is the call processing component of the Cisco IP Telephony solution that extends enterprise telephony features and functions to packet telephony network devices, such as IP phones, media processing devices, VoIP gateways, and multimedia applications.

Impact
Successful exploitation of the vulnerabilities that are described in this advisory could result in the interruption of voice services. Affected Cisco Unified Communications Manager services may require a manual restart to restore voice services.

Link: http://www.cisco.com/…/security_advisory09186a0080b1b923.shtml

 

Cisco Unified Communications Manager Denial of Service Vulnerabilities
Cisco Unified Communications Manager (formerly Cisco CallManager) contains multiple denial of service (DoS) vulnerabilities that if exploited could cause an interruption of voice services. The Session Initiation Protocol (SIP), Skinny Client Control Protocol (SCCP) and Computer Telephony Integration (CTI) Manager services are affected by these vulnerabilities.

Vulnerable Products
The following products are affected by vulnerabilities that are described in this advisory:

  • Cisco Unified Communications Manager 4.x
  • Cisco Unified Communications Manager 5.x
  • Cisco Unified Communications Manager 6.x
  • Cisco Unified Communications Manager 7.x

Details
Cisco Unified Communications Manager is the call processing component of the Cisco IP Telephony solution that extends enterprise telephony features and functions to packet telephony network devices, such as IP phones, media processing devices, VoIP gateways, and multimedia applications.

Impact
Successful exploitation of the vulnerabilities that are described in this advisory could result in the interruption of voice services. Affected Cisco Unified Communications Manager services may require a manual restart to restore voice services.

Link: http://www.cisco.com/…/security_advisory09186a0080b1b924.shtml


© Fabio Semperboni for CiscoZine, 2010.

PF_RING and Transparent Mode

PF_RING has been designed to enhance packet capture performance. This means that the RX path must be accelerated, in particular by shortening the packet’s journey from the adapter to userland. This is achieved by allowing the driver to push the packet from the NIC directly to PF_RING rather than through the usual kernel path. For this reason PF_RING has introduced an option named “transparent mode”, whose goal is to tune how packets are moved from the NIC to PF_RING. This option (which can be specified when inserting the PF_RING module via insmod) can have three values:

  1. insmod pf_ring.ko transparent_mode=0
    This is the default and it means that packets are sent to PF_RING via the standard kernel mechanisms. In this setup packets are sent both to PF_RING and to all other kernel components. All NIC drivers support this mode.
  2. insmod pf_ring.ko transparent_mode=1
    In this mode, packets are sent directly by the NIC driver to PF_RING; packets are still propagated to other kernel components. In this mode packet capture is accelerated because packets are copied by the NIC driver without passing through the usual kernel path. Please note that in order to enable this mode, you must use a NIC driver that supports PF_RING. Available PF_RING-enabled drivers can be found in the drivers/ directory of PF_RING.
  3. insmod pf_ring.ko transparent_mode=2
    In this mode, packets are sent directly by the NIC driver to PF_RING; packets are not propagated to other kernel components, as this slows down packet capture. Please note that:

    • in order to enable this mode, you must use a NIC driver that supports PF_RING.
    • Packets are not sent to the kernel after they have been delivered to PF_RING. This means that you won’t have connectivity from NICs driven by PF_RING-aware drivers.
    • This mode is the fastest one as packets are quickly copied to PF_RING and immediately discarded after they have been processed.

Sunday Buzz: Google Got us by the Profile (by Denny K Miu)

Editor Profile - Denny K Miu was the Founder and former CEO of two companies, Gigamon Systems and Integrated Micromachines (now Touchdown Technologies). Denny has extensive experience in developing technology, products and business relationships. He has been a Professor, an engineer, an entrepreneur, a team leader as well as an individual contributor. Denny is currently the Executive Editor of LoveMyTool.com. Denny's Note: I have been experimenting with Google Buzz. It is an interesting tool that could have lots of potentials for the LoveMyTool community. For now, it is also a unique forum allowing me to write about things that interest... Denny K Miu

Better days Arrive when Dev Meet Ops

A couple of weeks ago Brian Profitt pinged me for a chat about Devops. The result of that chat, his article, can now be found on the Zenoss blog; it's titled Datacenter Barometer: Better days arrive when dev meets ops

It's a very nice read with some pointers to places regular readers of my blog should already know ;)
So with lots of leading Open Source infrastructure companies on different levels, such as config management (OpsCode and Reductive Labs), monitoring (Zenoss), deployment (openQRM, RPath), and obviously consultancy companies, the upcoming Devops conferences around the planet promise to be a lot of fun! ;)

Oh, and apparently there is some more on the story on /.


MIB Smithy 4.2 and MIB Views 1.5 Released

MIB Smithy 4.2 and MIB Views 1.5 are now available. These releases are based on MIB Smithy SDK 4.0, adding IPv6 support, Linux x86_64 support, a username-based licensing option, and many MIB compiler improvements (a full list can be found in the MIB Smithy SDK 4.0 Release Announcement, which also describes changes to supported platforms that apply to these releases as well).

The format used to specify OCTET STRING values in hex in the SNMP Query Tool and Agent Settings dialog has changed, in keeping with SDK 4.0’s changes to binary data handling. Instead of prefixing the value with 0x, as in 0x:12:ab:cd, you surround the value in single quotes, as in '12:ab:cd'. However, you can now suppress conversion from hex, treating the value as a literal string (with quotes) by surrounding the value in another pair of single quotes, as in ''12:ab:cd''. Essentially, any string value with surrounding single quotes will have one set of quotes stripped off; if, after stripping, the value looks like colon-delimited hex (without quotes), hex conversion will occur.
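
The quoting rule above, written out as an added example (this is not MIB Smithy code): `parse_field` and `format_field` are hypothetical names, and two points are assumptions because the post does not state them, namely that "colon-delimited hex" means two-digit octets separated by colons and that an unquoted value is taken as a literal string.

```python
import re

# Assumption: "looks like colon-delimited hex" means one or more two-digit
# hex octets separated by colons, e.g. 12:ab:cd.
HEX_OCTETS = re.compile(r"[0-9A-Fa-f]{2}(?::[0-9A-Fa-f]{2})*")


def parse_field(text):
    """Interpret a value as typed into the field; returns (octets, was_hex)."""
    if len(text) >= 2 and text.startswith("'") and text.endswith("'"):
        inner = text[1:-1]  # strip exactly one pair of surrounding quotes
        if HEX_OCTETS.fullmatch(inner):
            return bytes.fromhex(inner.replace(":", "")), True
        # Still quoted or simply not hex: keep what is left as a literal.
        return inner.encode("utf-8"), False
    # Assumption: an unquoted value is a literal string.
    return text.encode("utf-8"), False


def format_field(octets):
    """Produce field text that parse_field() turns back into the same octets."""
    try:
        text = octets.decode("ascii")
    except UnicodeDecodeError:
        text = None
    if text is None or not text.isprintable():
        # Binary data: the quoted, colon-delimited hex form.
        return "'" + ":".join(f"{b:02x}" for b in octets) + "'"
    if len(text) >= 2 and text.startswith("'") and text.endswith("'"):
        # A literal that itself carries quotes needs one extra pair,
        # otherwise its own quotes would be the pair that gets stripped.
        return "'" + text + "'"
    return text


if __name__ == "__main__":
    for typed in ["'12:ab:cd'", "''12:ab:cd''", "'hello'", "0x:12:ab:cd"]:
        octets, was_hex = parse_field(typed)
        print(f"{typed:16} -> {octets!r:16} hex={was_hex}")
```

Under these assumptions a value still written in the old 0x:12:ab:cd form is not converted and goes out as an 11-character literal, which is worth checking for when porting saved queries or scripts to the new format.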

Although these releases don’t do much beyond what SDK 4.0 brings, it’s still a significant milestone. Now that MIB Smithy and MIB Views are up to the new SDK version, the holds on new features are lifted, so I can get back to tackling my sizable wish list for these products. First, though, I’ll be working on getting the web site updated to support generating the new username-based license keys and providing access to the Linux x86_64 platform (x86_64 won’t be treated as a unique platform from x86 as far as purchasing and license keys are concerned, but it is a different build/distribution, and the systems aren’t set up yet to handle two different files for a single platform+version).

Reasons for selecting RiverMuse PRO for Real-time Consolidated Operations (Part 2 of 2)

RiverMuse PRO includes a Reusable Business Logic (RBL) engine to streamline the creation of all configuration components in a single reusable package. The configuration is loaded through a text file; it is then parsed and converted by a back-end engine that updates the configuration of multiple components within the RiverMuse product. This is a vast change [...]

Reasons for selecting RiverMuse PRO for Real-time Consolidated Operations (Part 1 of 2)

RiverMuse PRO provides the facility to consolidate your Data Center Operations in a single pane of glass, and achieve Operational Excellence by automating tasks and streamlining processes. RiverMuse Core, the first enterprise-class open source Real-time Consolidated Operations Console system ideally collects information via SNMP traps and Syslog messages out-of-the-box. Additionally it supports 8 standards-based APIs to [...]

WhatsUp Gold Wins Again! Named 2010 Network Management Product of the Year

The fourth annual Network Computing Awards held their awards ceremony last night at a black tie event under the shadow of London’s famous Tower Bridge. WhatsUp Gold was nominated in four categories so naturally we were all anxiously waiting for news of any results!

We were thrilled to find out that WhatsUp Gold had won the Network Management Product of the Year award. We received the news right away, thanks to our representative who attended the ceremony in our honor. Here’s a quick recap of the night:

With high hopes of taking home some hardware, we sent Martin Brindley, our account rep at DMG Europe, to represent the Ipswitch Network Management Division. Armed with his smartphone in hand, Martin set out to keep us updated in real-time by tweeting throughout the night. Early on we knew he was the right person to represent us at the ceremony as we noticed his first tweet of the night:

@martinbrindley: On my way to network computing awards, if you fancy meeting up I’ll be the one in the dinner jacket and black tie

Dressed to impress and representing WUG to the best of his ability, Martin settled in at his table as they began announcing winners and handing out awards.

@martinbrindley: Congrats to extreme networks for wireless product of the year
@martinbrindley: Congrats to netscout for data centre product of year

Some anxious moments followed as Martin watched some of the awards that WUG was in the running for go to our competitors. Things were starting to look grim for WhatsUp Gold and it seemed we might be shut out at the Network Computing Awards for the third straight year.

But just as Martin started to worry that the acceptance speech he prepared might go to waste, WUG’s big moment came as they announced the big award.

@martinbrindley: Congrats to ipswitch for network management product of the year!

His tweet was simple and understated, yet the message was clear. This was a very big moment for the entire Ipswitch Network Management division as everyone’s hard work from the past year had been validated and paid off with this great award.

We will enjoy the sweet taste of victory for a bit, but won’t let it go to our heads as we get right back to work in what will be a busy but very exciting 2010 for Ipswitch Network Management!

Planet Network Management Highlights 2010 Week 9

Highlights from Planet Network Management for Week 9.


The Value Of Credentialed Vulnerability Scanning

"What Am I Doing Wrong?" I am often asked, "What am I doing wrong in regard to security?". This question is usually in reaction to some event, such as a failed audit, a network outage as a result of malware... Paul Asadoorian

Datacenter Barometer: Better Days Arrive When Dev Meets Ops

You might think that Henry Ford, inventor of the Model T automobile, was also the inventor of the conveyor belt, given its importance within the manufacturing process for his cars. In fact, though Ford is credited with first implementing the conveyor belt/assembly line process in 1913, the invention of the actual modern belt system goes to Swedish company Sandvik, which came up with a steel conveyor belt in 1901.

 

The impact of the conveyor belt and the subsequent assembly-line manufacturing process that evolved from its use is felt in almost everything produced today. The methodology extends beyond the assembly line. Product design is typically done in a serialized, straight-line fashion: subcomponents A1 through A11 are designed before building component A, and so on down the line. Product delivery also taps into the assembly-line ethos: goods are directly shipped in the same modular containers from factory to ship to train to truck to distribution center.

 

This methodology is often used for the software you're using now, too. Applications are designed in discrete phases, then coded, then tested, then packaged, then launched. Hopefully without flaws.

 

Launching software in a complex data center environment is a bit more complicated than burning a package onto a CD and shipping copies out to be loaded onto each machine. Real-time business practices must be adhered to, and data center environments are often shifted by the operations staff to meet the needs of those business practices, as well as the physical demands of the machines themselves.

 

So, developing in such an environment is much akin to pointing a gun at a target a mile away with only a notion of where the target will be by the time the bullet gets there. To compensate, development teams will either take more time and launch major point releases at a slower rate, creating more stable software that is perpetually behind the curve, or, more recently, use a leaner iterative approach that overlaps the phases of development, with a launch-early, launch-often approach, in the hopes of keeping up with the business and environment requirements through a series of small iterations to the code.

 

Enter the philosophy of agile development: a natural outgrowth of iterative development where traditional business requirements are actually de-emphasized (because often end-users don't know all the requirements) in favor of designing products with only some known requirements. End-users get involved in the design and coding process as much as possible so eventually only their true requirements are built into the software, as opposed to features they may not need.

 

Allowing the users to circle back to the beginning of the software design process instead of keeping them as passive recipients of the end product is a big part of what agile development is all about. While agile practices are present in proprietary software, anyone who's participated in an open source project will recognize many of the techniques.

 

The whole agile notion of getting users and developers together is gaining traction within IT shops, and a growing application of the movement can be found in DevOps, where agile practices are applied to both the development and operations sides of the team.

 

DevOps, also referred to as agile systems administration, is a big part of how Kris Buytaert, a Senior Linux and Open Source Consultant with the Belgian firm Inuits, likes to create apps together for business. Buytaert describes himself as a developer who "then became an Op" and as such, began to see the challenges facing both sides of the application deployment process.

 

Operations staffers are usually invited to the application party too late to have any real impact on the very applications they are expected to deploy and use. Developers were often oblivious to the load and memory usage demands of the environments to which they were sending their finished apps, which database systems were best to use, and so on.

 

"People think that operations work starts on deployment," Buytaert explained in a recent interview. But--especially with web app development--operations needs to be involved with the platform and the application at a much earlier stage, he added.

 

By getting operations and development staff together on application creation sooner, non-functional requirements, like security, high-availability, and monitoring, can be discussed and properly incorporated into the application at the design phase. As development proceeds, the DevOps method should allow for better version control, bug tracking, and deployment methods because developers will be more in tune with their target environment (testing or production).

 

While this all makes sense from an objective viewpoint, there are hurdles to getting DevOps practices going.

 

"The hardest issue is the human factor," Buytaert said, as operations and development teams have long held on to their own turfs not just from a sense of territorialism but also because their own performance is often only measured with metrics related to their own job responsibilities. If an operations staffer has certain metrics to meet in the server room, they may be reluctant to take time away now to work on application development that will affect them later.

 

Slowly but surely, though, both developers and admins are beginning to see that a little investment in time and expertise earlier in the application process could have big positive benefits later.

 

The ascent of DevOps is being assisted by web application development, where systems and applications are more closely aligned than ever. Developers have found themselves dealing with more op issues, and admins are doing a lot of scripting on the fly to automate as much of their work as possible. With the merging of their responsibilities happening anyway, DevOps as a formal practice has become all the more attractive. The benefits of development/operations interaction for web deployment are most clearly illustrated in a presentation at last June's Velocity conference, where Flickr's John Allspaw and Paul Hammond highlighted how the photo sharing website can manage 10 or more deployments per day.

 

Buytaert is more than just a vocal advocate of DevOps, though he does that well. He is also involved with the organization of Devopsdays, a conference that sprang from regional meetups happening in London and Belgium a couple of years ago. Other than these local events, and a set of meetings at FOSDEM, there was no centralized DevOps event, until the first Devopsdays conference in Ghent, Belgium in October, 2009.

 

Now the conferences are growing. May 1-2 will see the next event, Devops Down Under, in Pyrmont, Australia, just outside Sydney. The following month, the US will play host to its first DevOps event, the DevOps Day USA conference, to take place on July 25 in Mountain View, CA. Both events are positioning themselves as continuations of the conversations started at the Ghent conference last year.

 

As the conversation continues, both sides are finding new opportunities to not only contribute ideas, but also automate their processes to further enhance the development-to-deployment process. These tools are starting to deliver full integration between source control, testing, and monitoring. With this new class of apps, the DevOps practice may become a measurable, quantified part of application development even sooner.

Monitor Backupexec configuration

The script monitors changes and problems with a BackupExec configuration by reading its database. The script consists of five different tests, each of which checks important configuration parameters. The script can be downloaded from our forum.

BESmtpEnabled

Ensure that SMTP notifications are enabled on the BE server.

BECheckEmail

Ensures that every valid backup job (active and scheduled in the future) has the specified email address configured for notifications. Because email addresses can be set in multiple locations, the test checks addresses set on the job, the policy, or the selection list.

BEGlobalAlerts

Similar to BECheckEmail, but checks that an appropriate email address is set on selected alert categories ('Job Cancellation', 'Job Failed', 'Tape Alert Error', 'Media Insert', 'Job Warning'). Raises an alarm if one of these does not have the specified address configured to receive notifications.

BEJobsOnHold

This test checks that backup jobs do not remain on hold for longer than the hold time. Because jobs may occasionally have to be held, the test uses the hold time as a grace period to limit false alarms.

BEJobTimeoutSet

Ensures that all valid backup jobs (active, and scheduled in the future) have a timeout set.

Wireshark Quick Tip: Using the Expert Info (by Chris Greer)

Author Profile - Chris Greer is a Network Analyst for Packet Pioneer. Chris has many years of experience in analyzing and troubleshooting networks. He regularly assists companies in tracking down the source of network and application performance problems using a variety of protocol analysis and monitoring tools including Wireshark. When he isn’t hunting down problems at the packet level, he can be found teaching various analysis workshops at Interop and other industry trade shows. Chris also delivers training and develops technical content for several analysis vendors. He can be contacted at chris (at) packetpioneer (dot) com.


Why comb through hundreds of thousands of packets, looking for a problem, when Wireshark can point out issues for you? The analyzer has a feature called Expert Info, available under the Analyze menu, which displays problems in a trace file and can help you zero in quickly on the root cause of network issues. The Expert does not point out every possible problem that can exist in a capture, but some common problems affecting network and application performance are listed.

The Expert has four levels of severity in its alerts – Errors, Warnings, Notes, and Chats.

  • Errors: Serious problems such as malformed packets and checksum errors
  • Warnings: Out-of-Order Packets and application error codes
  • Notes: TCP Retransmissions, Resets, Keep-Alives, Duplicate ACKs, SNMP problems
  • Chats: HTTP Gets, Application calls, TCP SYNs, FINs, basic workflow information

Using Expert Info Composite, the four types of alerts can be sorted by severity. This can make the information more readable when troubleshooting. Often, the Chat alerts can get “chatty”, clouding the more pertinent alerts such as retransmissions and TCP Resets.

Personally, I find the Notes most useful, and regularly use this feature to look for TCP Retransmissions and Out of Order packets in a trace. If these are present, this typically indicates packet loss somewhere on the network, which can really impact application performance. Another good one to watch for is unexpected TCP resets. These could be the cause of application disconnects.

The great thing about these alerts is that they clearly point out where events take place in a trace, and save time over combing through it packet by packet. Not every performance problem will have an associated event in the Expert Info, but those that do will be easier to track down with this feature.
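To make the Notes and Warnings above concrete, here is an added example (not code from the original post and not Wireshark's own dissector logic) that applies simplified versions of those checks to a constructed trace and groups the results by the severities listed in the article. The `Segment` structure, the sample trace and the heuristics are assumptions chosen for illustration.

```ruby
require "set"

# The four Expert Info levels named in the article, most severe first.
SEVERITY_ORDER = %i[error warn note chat].freeze

Segment = Struct.new(:no, :src, :dst, :seq, :ack, :len, :flags)

# Constructed trace (relative sequence numbers): client "C" fetches from
# server "S"; the server's segment at seq 1001 arrives late, then S resets.
SAMPLE_TRACE = [
  Segment.new(1,  "C", "S", 0,    0,    0,    %i[syn]),
  Segment.new(2,  "S", "C", 0,    1,    0,    %i[syn ack]),
  Segment.new(3,  "C", "S", 1,    1,    0,    %i[ack]),
  Segment.new(4,  "C", "S", 1,    1,    100,  %i[psh ack]),
  Segment.new(5,  "S", "C", 1,    101,  1000, %i[ack]),
  Segment.new(6,  "S", "C", 2001, 101,  1000, %i[ack]),
  Segment.new(7,  "C", "S", 101,  1001, 0,    %i[ack]),
  Segment.new(8,  "C", "S", 101,  1001, 0,    %i[ack]),
  Segment.new(9,  "S", "C", 1001, 101,  1000, %i[ack]),
  Segment.new(10, "S", "C", 2001, 101,  1000, %i[ack]),
  Segment.new(11, "S", "C", 3001, 101,  0,    %i[rst])
].freeze

# Walk the trace once, keeping per-direction state, and emit one event per
# finding. Simplified rules (assumptions, not Wireshark's exact tests):
#   - same seq/len seen before in this direction   -> Retransmission (note)
#   - new data that starts below the highest seq   -> Out-of-Order (warn)
#   - bare ACK repeating the previous ack number    -> Duplicate ACK (note)
def expert_events(segments)
  flows = Hash.new { |h, k| h[k] = { seen: Set.new, next_seq: nil, last_ack: nil } }
  events = []
  segments.each do |s|
    flow = flows[[s.src, s.dst]]
    add = ->(sev, msg) { events << { no: s.no, severity: sev, summary: msg } }
    if s.flags.include?(:rst)
      add.call(:note, "TCP Reset")
      next
    end
    add.call(:chat, "Connection setup (SYN)") if s.flags.include?(:syn)
    add.call(:chat, "Connection teardown (FIN)") if s.flags.include?(:fin)
    if s.len > 0
      if flow[:seen].include?([s.seq, s.len])
        add.call(:note, "TCP Retransmission")
      elsif flow[:next_seq] && s.seq < flow[:next_seq]
        add.call(:warn, "TCP Out-of-Order")
      end
      flow[:seen] << [s.seq, s.len]
      flow[:next_seq] = [flow[:next_seq] || 0, s.seq + s.len].max
    elsif s.flags == [:ack] && flow[:last_ack] == s.ack
      add.call(:note, "Duplicate ACK")
    end
    flow[:last_ack] = s.ack if s.flags.include?(:ack)
  end
  events
end

# Group events by severity, most severe first; `hide` drops whole levels,
# which is how the "chatty" Chat entries are kept out of the way.
def by_severity(events, hide: [])
  (SEVERITY_ORDER - hide).each_with_object({}) do |sev, view|
    view[sev] = events.select { |e| e[:severity] == sev }
  end
end

if __FILE__ == $PROGRAM_NAME
  by_severity(expert_events(SAMPLE_TRACE), hide: [:chat]).each do |sev, evs|
    puts "#{sev}: " + evs.map { |e| "##{e[:no]} #{e[:summary]}" }.join(", ")
  end
end
```

In the sample, the duplicate ACK (frame 8), the late segment (frame 9) and the retransmission (frame 10) all trace back to the one delayed server segment, which is the packet-loss pattern the article describes.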



Community works! - A simpler way to manage Orion email alerts

First of all, mad props to byrona for sharing this tip with the community.  I know there’s a lot of you already using this simplified email alert management trick, but I wanted to make sure to spread the word just in case.

Here’s how it works.  Instead of configuring static email addresses in the To: field of your Orion Advanced Alert notifications, use a variable (a.k.a macro).   The value of this variable can be a custom property.  


In byrona’s case, he wanted to have emails sent to the “Primary Contact” or owners of each of the nodes in the event of an issue, so he created a custom property called “Primary Contact” and entered this value for each of his nodes.   Then, when setting up alerts, he used the ${Node.PrimaryContact} variable to specify the To: address.

Simple, right?  But, you wonder as you lie awake at night, what happens if the Primary Contact hasn’t been filled in on some nodes?  Does alerting die slowly?  Well, as jainsworth verified, blank fields don’t break email alerts.  The emails just don’t get sent out for those nodes.  Sleep well.

If this gives you a few minutes back in your day and you want some community karma for yourself, please don’t be shy, share your tips and tricks with the community!

Chef 0.8.6 Release

It’s a fast and furious release cycle! We’ve cut Chef 0.8.6 due to a change that accidentally broke users of Fedora – and Ian Meyer from Etsy stepped up and fixed it. His reward is being your Chef 0.8.6 MVP – congratulations, Ian!

Kris Rasmussen from Aptana tracked down a bug in the git deployment code where, if you were consistently :force_deploy-ing the same version, you would eventually wind up hitting the released version limit, and then we would prune the (only) version you have deployed. Thanks for tracking down a particularly sneaky bug, Kris.

Tollef Fog Heen just can’t let a release go by without a commit. In this case, he updated the User Resource to allow you to use ‘group’ along with ‘gid’, since the provider can take both the gid and string form of a group name.

Over at Opscode we didn’t sit idle – in particular, we fixed an irritating bug where if you added a Node with a bad role name you would no longer be able to manipulate the Node until a role with that name was added.

See you at Chef 0.8.8, and as always, the full release notes follow:

Release Notes – Chef – Version 0.8.6

Bug

  • [CHEF-926] – cleanup! of old releases sometimes deletes current release
  • [CHEF-964] – Adding a bad role name to run list breaks everything for that node.
  • [CHEF-992] – A node created with a role that did not exist can not be edited or deleted
  • [CHEF-994] – chef no longer requires ruby-hmac
  • [CHEF-1000] – Runlist expand does not pass couchdb value on
  • [CHEF-1006] – fedora missing from chef/lib/platform.rb
  • [CHEF-1010] – Yum provider ignores specified version in some circumstances

Improvement

  • [CHEF-707] – Change "gid" to "group" for the User Resource
  • [CHEF-968] – Chef rest should be more flexible with user keys and headers
  • [CHEF-1005] – knife cookbook upload should support a list of multiple cookbooks
  • [CHEF-1012] – knife help text needs a scrub for accuracy and consistent formatting
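The cleanup problem behind CHEF-926, as an added example rather than Chef's own code: it assumes a simple model in which every deploy appends its release directory to a history list and cleanup keeps at most `keep` entries. The function names, the directory name and the model itself are hypothetical.

```ruby
require "fileutils"
require "tmpdir"

# Assumed model: `history` lists release directories, oldest first, with one
# entry appended per deploy; at most `keep` releases are retained.

# Before: trims the history by position, so the duplicate entries created by
# re-deploying one release are treated as separate, older releases.
def cleanup_naive(history, keep)
  doomed = history.first([history.length - keep, 0].max)
  doomed.each { |dir| FileUtils.rm_rf(dir) }
  history.drop(doomed.length)
end

# After: collapse duplicates (keeping each release's latest position) and
# never delete the release that is currently in use.
def cleanup_guarded(history, keep, current)
  releases = history.reverse.uniq.reverse
  doomed = releases.first([releases.length - keep, 0].max) - [current]
  doomed.each { |dir| FileUtils.rm_rf(dir) }
  releases - doomed
end

# Force-deploy one constructed revision `times` times and report whether its
# directory still exists after the last cleanup pass.
def current_release_survives?(times:, keep:, guarded:)
  Dir.mktmpdir("releases") do |root|
    current = File.join(root, "rev-constructed")
    history = []
    times.times do
      FileUtils.mkdir_p(current)
      history << current
      history = if guarded
                  cleanup_guarded(history, keep, current)
                else
                  cleanup_naive(history, keep)
                end
    end
    File.directory?(current)
  end
end

if __FILE__ == $PROGRAM_NAME
  puts "naive, 6 deploys, keep 5:   #{current_release_survives?(times: 6, keep: 5, guarded: false)}"
  puts "guarded, 6 deploys, keep 5: #{current_release_survives?(times: 6, keep: 5, guarded: true)}"
end
```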

Ohai 0.5.0 Release

Ohai! We’ve got a new release of Ohai for you, with a pair of much-needed fixes. The first is by our release MVP Tollef Fog Heen (who’s just racking up the MVPs lately – clearly, he is destined for the Hall of Fame). Tollef has added support for disabling Ohai plugins, which lets people control just how much information they really want to see. If you’re using Ohai with Chef, you can add this to your /etc/chef/client.rb:


Ohai::Config[:disabled_plugins] = [ 'passwd', 'darwin::system_profile' ]

Which would ensure that the ‘passwd’ and ‘darwin::system_profile’ Ohai plugins will be skipped. Thanks, Tollef!

Additionally, this release fixes a bug that was causing Ohai to leave behind zombie dmidecode processes on each run. The issue was that we were not waiting on our children if an exception was thrown while parsing the output of those children. Ohai now cleans up after itself regardless.
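The zombie-process pattern described above, shown as an added example that is not Ohai's own code: a "before" collector that waits on its child only when parsing succeeds, and an "after" collector that reaps it in an `ensure` block. The stand-in child command, its output and all method names are constructed for illustration.

```ruby
require "rbconfig"

# Constructed stand-in for dmidecode: a child that prints one line and exits.
FAKE_DMIDECODE = [RbConfig.ruby, "-e", "puts 'Serial Number: CONSTRUCTED-0001'"].freeze

class ParseError < StandardError; end

def parse_serial(output)
  output[/^Serial Number:\s*(\S+)/, 1] or raise ParseError, "no serial number in output"
end

# Before: the child is waited on only if the parsing block returns normally.
# An exception skips Process.wait and leaves a zombie behind.
def collect_leaky(cmd, pids)
  rd, wr = IO.pipe
  pid = Process.spawn(*cmd, out: wr)
  pids << pid
  wr.close
  result = yield rd.read
  rd.close
  Process.wait(pid)
  result
end

# After: pipe cleanup and Process.wait run whether or not parsing raised.
def collect_reaping(cmd, pids)
  rd, wr = IO.pipe
  pid = Process.spawn(*cmd, out: wr)
  pids << pid
  wr.close
  yield rd.read
ensure
  rd.close if rd && !rd.closed?
  wr.close if wr && !wr.closed?
  Process.wait(pid) if pid
end

# True if nobody has waited on `pid` yet (this call then reaps it).
def left_unreaped?(pid)
  Process.wait(pid)
  true
rescue Errno::ECHILD
  false
end

# Run a collector with a parser that always fails, survive the exception the
# way a long-running client would, then check whether the child was reaped.
def zombie_after_failed_parse?(collector)
  pids = []
  begin
    send(collector, FAKE_DMIDECODE, pids) { |_out| raise ParseError, "constructed parse failure" }
  rescue ParseError
    # keep running, as a daemon would
  end
  left_unreaped?(pids.first)
end

if __FILE__ == $PROGRAM_NAME
  puts "leaky collector left a zombie:   #{zombie_after_failed_parse?(:collect_leaky)}"
  puts "reaping collector left a zombie: #{zombie_after_failed_parse?(:collect_reaping)}"
end
```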

See you at Ohai 0.5.2!

Release Notes – Ohai – Version 0.5.0

Bug

  • [OHAI-155] – Chef summons army of dmidecode Zombies

New Feature

  • [OHAI-166] – Make it possible to disable plugins

Rule release for today - March 4th, 2010

We added multiple rules to the specific-threats, spyware-put, web-client, backdoor, and web-misc rule sets as well as making a whole lot of modifications to existing rules. Just a bit of a clean up. Details here: http://www.snort.org/vrt/advisories/2010/03/04/vrt-rules-2010-03-04.html

It's time dude, cut the cord already...

Some things really are a matter of opinion. My buddy Greg Newman prefers spinnerbaits while I prefer to fish with plastic worms. My brother Zach prefers to shoot a pump gun while I shoot an over/under. And apparently my friend and fellow-blogger Michael...(read more)

Exclusive Release of Enterprise and Zendesk Connector Appliance

Hopefully you have participated in GWOS’ barCAMP Deux, which has been held over the last two days with good success.  Over 200 system admins have attended the 11 sessions, and have contributed good questions and insight on real IT monitoring problems.

Today, we are pleased to announce a package that will further assist system and network administrators.  It’s a new virtual appliance that bundles GroundWork Monitor Enterprise Edition (6.1) with a Zendesk connector, built on Novell SLES.

If you are interested in learning more, I recommend you attend the next GWOS barCAMP Deux session that starts at 9am PT/ noon ET today (Thursday, March 4).  Attendance is free.

Introduction to ZenDesk Integration (event # 924 082 525)  password is Welcome1

If you’d like to learn more about the Enterprise + Zendesk connector package - read more here.  More on Zendesk (a hosted help desk and ticketing solution) is available here.

Linux Link Tech Show Available for Download

Last night I had a lot of fun chatting with the Linux Link Tech Show guys. It is episode #343 and it is available for download.

I love any forum where I can run my mouth for an hour and a half talking about OpenNMS and open source software, and I can’t wait to meet these guys in person at SELF (where we are a diamond sponsor).

Note that it is subtitled “linux talk. unfiltered” and I do use the occasional profanity. The spirit took me toward the end and I did drop one “f-bomb” so if you are sensitive to such things you should probably avoid this podcast.

Cisco Developer Contest: the winner is…

On October 8, 2009 Cisco announced the winners of its “Think Inside the Box” Developer Contest. Launched in December 2008, the competition challenged application developers around the world to develop applications that run on the Cisco® Application Extension Platform (AXP), which resides on the popular Cisco Integrated Services Router (ISR).

The winning teams were determined by a panel of seven industry experts who selected the following applications as the most innovative, implementable and relevant to businesses. More than 100 qualified teams from 75 countries entered the competition. The finalists demonstrated the business relevance of the AXP in solving real-world problems, in areas of unified communications, security, advertising, cloud architectures and energy management.

 

The winners are listed below:

First Place: Team MADnetwork, led by David Perez in Spain, won US$50,000 for the Building Automation Service application (BAS). Created with branch offices and multitenant units in mind, BAS helps businesses remotely monitor and manage building operations.

By integrating the service management capabilities on AXP, the application minimizes the need for external servers to manage disparate facilities (HVAC, lighting, plumbing, presence, fire, flooding and smoke detectors), which reduces capital and operational costs. The solution also saves energy costs by determining, in real time, which resources are being consumed, and to what degree, by working with a remote management solution.

 

Second Place: Team Enhancers, led by Rajesh Kotagiri in India, won US$30,000 for the Local Advertising Mesh Network Platform (LAMP) application.

LAMP creates a distributed ad-serving platform hosted on the AXP. This platform will reside on ISRs targeted initially toward retail deployments: for instance, retail stores can display ads on LCD units in various locations. With this solution, businesses can tap potential new revenue streams by shifting some of their advertising efforts to their existing networking infrastructures.

Third Place: Team BugsBernie, led by Bernhard Beckmann in Germany, won US$20,000 for the Integrated Surveillance System application. With this application, Internet Protocol phones can be turned on during nonworking hours to monitor any audio signals in the offices. When abnormal audio signal patterns are detected (crossing a configurable threshold), the application notifies external security services or devices such as mobile phones, computers and video monitoring systems. Sabotage of telephony equipment is also detected.

The Integrated Surveillance System is a simple and cost-effective means to enable a security solution in branch offices by taking advantage of an existing IP-telephony network. The application improves manageability of security systems by providing an integrated security framework to an existing network.

© Fabio Semperboni for CiscoZine, 2010.

MIB Smithy SDK 4.0.2 Released

This release fixes a minor bug that was introduced in 4.0 that I discovered while getting MIB Smithy ported to the 4.0 SDK, in an API primarily used by MIB Smithy to list the topmost nodes in a module within the Project Tree. It also has one minor new feature to simplify the porting of MIB Smithy and MIB Views. MIB Smithy 4.2 and MIB Views 1.5, based on SDK 4.0, will be available as soon as a few remaining build issues are resolved.

Changes in this release:

2453: smilib get -rootnodes returning no results

The smilib get -rootnodes property for modules was inadvertently broken in SDK 4.0’s rearchitecture such that orphaned records (those with missing or undefined dependencies) were no longer returned in the result.

2458: Add smilib get -format option for OBJECT-TYPEs

smilib get -format can now be used on OBJECT-TYPEs to return the DISPLAY-HINT for the TEXTUAL-CONVENTION referenced by the OBJECT-TYPE’s SYNTAX. This saves the step of having to first look up the SYNTAX.

Splunk on the road with Accenture, Swisscom, Cox, Atlanta Journal Constitution, Voxeo and Coleman Technologies

SplunkLive is coming to a city near you. We braved the wintry weather of Boston to kick off the 2010 SplunkLive series and now we’re heading south and east (even though the snow may still follow).

First we’ve got SplunkLive Munich. Monday, March 8, 2010 at BMW Welt.

Christina Noren VP, Products, and Steve Sommer, VP Marketing, will be representing the Yanks, along with our new German crew, who’ve just opened our Munich offices.

Alexander Strobl has been bringing the power of IT Search to Accenture’s enterprise clients in Germany where he works as a Technical Consultant in the Data Center Technology and Operations team. Alexander is responsible for the analysis, design and rollout of Splunk. His most recent Splunk project was with a large worldwide services company with more than 50,000 employees on three continents operating mail order, distribution, e-commerce and over-the-counter-retail trade. Accenture implemented Splunk to transform the management of several technologies including Linux, virtualization and large-scale storage systems.

Then Mika Borner, Head of Internet Messaging for Swisscom will tell us how Splunk’s monitoring, alerting and reporting helps to keep its network running in peak form and helps Swisscom to fight spammers and e-mail system abusers. He first heard of Splunk when we held SplunkLive Zurich in 2008, and now he’s back to share his own success story.

Register now for SplunkLive Munich to join the discussion and see the latest Splunk features.

Back on US soil, we’ll be attending SANS 2010 in Orlando, FL at the Swan and Dolphin on March 9. We were recognized as a User Vetted solution to address SANS Top 20 Critical Controls–check out why in booth 107.

And if you’re in town for SANS, why not swing over to SplunkLive Orlando on Wednesday, March 10! We’ll be just down the street at the Sheraton Safari Hotel and Suites.

For the SplunkLive event, long-time customer Voxeo takes the stage to share its success. They help enterprises improve service and lower costs by automating and connecting their most common phone calls with its Interactive Voice Response (IVR) or Voice over IP (VOIP) solutions. More than 100,000 developers build apps on Voxeo’s platform, and they access the data they need to troubleshoot those apps through Splunk! Plus more than 150 staffers in Voxeo’s 24 x 7 NOC watch Splunk dashboards to watch for spikes and errors, then dig in to remediate problems before they cause network outages. They are power users of Splunk and it’s a great opportunity to see the places you can take Splunk in your IT environment.

Coleman Technologies, a leading-edge IT and systems engineering services provider, uses Splunk to support the availability, security and compliance of IT systems it maintains for multiple customers. Its first and second-tier staffers monitor Splunk to keep customers’ systems online and customer satisfaction scores high.

Register now for SplunkLive Orlando to join the discussion and see the latest Splunk features.

From Orlando, we’ll jet up to Atlanta to host Cox Communications, The Atlanta Journal Constitution and a large healthcare provider for SplunkLive Atlanta on Thursday, March 11, 2010.

Cox Communications delivers cable and telecommunications services to more than 6 million customers. Cox uses Splunk to run its NOC, SOC and conduct forensic investigations.

The Atlanta Journal-Constitution is the only major daily newspaper in Atlanta, Georgia. The AJC is the flagship publication of Cox Enterprises and reaches more than 2.3 million unique visitors per day. The AJC gets a single view of its security posture across workstations, servers, network and security devices using Splunk.

The large healthcare provider has virtualized much of their IT environment–hosting critical business applications, development servers, and the webservers hosting subscriber information websites all on VMware instances. As you can imagine wrangling and troubleshooting all of these VMs can present quite the management problem–which is why it chose Splunk to help ensure uptime, and facilitate capacity planning. Join us to learn more about the proactive ways this IT team is managing its virtual systems with Splunk.

Register now to join us at the W Atlanta – Perimeter on Thursday March 11.

Join us if you can, or send your friends or colleagues–should be great to hear these customer stories!

Apparently Devops is not a JobTitle

Devops, Devops, Devops, everybody talks about it but we're still defining it ...

There are so many different interpretations possible for the term Devops: it's automated infrastructure, it's agile infrastructure, it's getting devs and ops closer to each other, it's bridging the gap between devs and ops, it's agile system administration, it's the movement, it's the mindset, it's the spirit.

Lots of people, lots of opinions .. Indeed some people have been doing this kind of work for ages, some claim the cloud is what makes devops become visible (but we've been doing cloud since before the cloud marketeers called it cloud)

Some define the devop as a European based, open source backgrounded, thirtysomething senior sysadmin, or should I say infrastructure architect, originated concept. Others claim it's developers gone sysadmin gone partly developer again ..

But it seems like lots of people claim that Devops is more about the team, not about the unique individual doing a job.

You'll have to agree however that our jobs are significantly different from the system administration type jobs you'll find at the average IT department. With that in mind: What shall we call this breed of people cooking up chef stuff, playing the puppeteer or cranking up the CFEngines?

And no I don't like Devministrator :)


Zenoss QA Test Day March 4 - 2.5.2 Upgrades

Promoted from the QA Test Blog:

 

The final Zenoss 2.5.2 release is now available for download and installation.  Zenoss 2.5.2 is our largest maintenance release since QA has been tracking, with over 145 fixes between internal and external combined.  It also includes  the new Xen Virtual Hosts Core ZenPack, which allows monitoring of Xen servers.

 

While development with the new trunk UI continues, we felt that one last QA Test Day to cover the 2.5.2 maintenance release was called for.  Thursday, March 4th, from 10am until 5pm EST, the Zenoss QA team will be  available for answering questions and testing any issues that may arise with your upgrades from 2.5.1 and 2.4.x to 2.5.2.

 

The code can be found on the normal download locations.  For a list of the tickets fixed, and to view some important release details, please reference the  Zenoss 2.5.2 Release Notes.

 

For those of you that wish to join, we will be running this session in IRC and in the zenoss-testing forum.

Server: irc.freenode.net (port 6667)

Channel:  #zenoss-testing

 

We'll record  a transcript of the day's conversations and links will be available from the Testing and IRC pages.

 

Avoid Traffic Headaches on the Road and in your Network

Traffic congestion on the way to work is a sure way to get an immediate headache. That is why I’m a big fan of viewing live traffic patterns from my smart phone. I get a live view of traffic that shows which routes are congested and clear. With this information, I arrive at the office much faster and in a better state of mind (my co-workers agree).

Wouldn’t it be nice if finding congestion in network traffic was as simple as flipping on your smartphone and pressing a couple of buttons? Maybe someday. In the meantime, to make life as simple as possible, I use dopplerVUE, which has NetFlow built in, so I can look deep into routers and capture rich details about what types of traffic, which IPs are talking and how much bandwidth is being used. Take a look at dopplerVUE in action below. You can try it out free for 30 days.

If you don’t have access to tools like dopplerVUE, there are free tools that can help you as long as you’re willing to invest the time.


There are basically two types of techniques to monitor congestion - packet monitoring and packet capturing. I’ve listed some free tools for both methods below.

Packet Monitoring
Packet monitors watch the number of packets whizzing by and tell you a little bit of information about them, such as the number of packets and if there are any errors in the packet. But that is about it, you don’t get much more detail. So this method is good for watching long term trends.


1) For Windows users, look at the network interface properties. The display shows you packets sent and received. This is an easy way to see if your interface is working.

2) The Windows command line provides a number of useful tools to determine the performance of your TCP/IP connection. The netstat command can give you details about each TCP connection including how many packets have been processed. Below is the result of a netstat -e command.

The most common communications-related commands available for the Windows command line are listed below:

Packet Capturing
Packet capture actually stores a copy of each packet that comes by which allows you to look at all characteristics of the packet. But all this detail comes with a down side - it will eat up storage space very quickly. So this method is best to capture a small sample of traffic for deep analysis.


1) For packet capture, the gold standard for open source tools is Wireshark. Here is a screenshot of a packet capture done with Wireshark on my laptop. As you can see, every packet is listed with full details about source and destination address, protocol type and data contents.

Wireshark is one of many open source tools that leverage the Winpcap tool for network monitoring. A list of tools that use Winpcap can be found here.


2) Windows server users have access to a similar tool called Network Monitor that helps monitor network traffic. Below is a screenshot of Network Monitor in action.

I hope these tools help you avoid congestion on your way to work and in your network.

RSA Conference - Cloud with Everything

I don't know what the next big security trend is going to be, but I can certainly tell you what a lot of vendors here at RSA are clearly hoping it will be: something with a cloud. There's clouds everywhere here at the show. It's like walking through some high-tech, noisy version of the afterlife, (although I didn't see any cherubs or harps. Probably a good thing.)

Every vendor seems to be trying to figure out how to prefix, append or otherwise insert the word "cloud" in their messaging to make sure that, on the slim chance there's actually someone out there looking for a cloud security solution, they might swing by. Yes, I know, there are plenty of good things that can get delivered through the cloud, even some security services, but you'd think from the noise here that the most pressing need facing enterprises today was trying to figure out how to keep all that sensitive data floating around in someone's cloudy infrastructure, out-sourced to the planet Neptune, secure from attack.

Let's be honest with ourselves here for a minute. It's not. No, really.

Cloud is cool. It's a neat idea. And I'm sure they'll figure it all out and we'll all have flying cars and fusion-powered margarita machines, but right now the pressing issue is how to get the basics of security right. When we're rolling out of a record year of security breaches and when the US infrastructure was just found rather wanting in defenses from external cyber-attack, I think we should be worried a little less about clouds and a bit more about rainy days.

I met with Sharon Watson yesterday from Security Squared and in addition to a very interesting discussion on the convergence of physical and cyber-security, we got talking about cloud, and who's really driving it. I'm a vendor. I work for a company that provides, I believe, some seriously clever security solutions for enterprises with enterprise-sized security challenges. So I know the pressure to be following (or ahead of,) the next big shiny thing in the market. But in the end, doing that serves us, the vendor community. Not our customers, and not, in the end, the goals we all, as security professionals, are trying to achieve.

RSA Conference - Risk and Reward

In my last post I referenced my opinion that simply throwing money at problems isn't always the right approach. The subject came up again today in a discussion around how organizations approach risk management, and the way they look at outsourcing. The pressure to reduce costs, and the need to access a skilled resource of staff have provided the impetus to really up the ante when it comes to sophistication in the way organizations must manage outsourced security services. One of the things I do see is that while the desire to outsource remains high, the need to be able to provide oversight of risk is even greater.

I talked to Jeff Kutler from Risk Management Magazine about this and he was seeing much the same thing, along with the same pressures on the security organization to demonstrate the impact to risk of the activities. There's money available to help manage risk, the challenge is figuring out which risk is important, and then measuring whether the money is doing any good.

The Sudden Reappearance of MS03-039

Last Friday, I got into the office and pulled up my email. Among other things, there was an escalation from Sourcefire's support group, where the customer had alerts on SIDs 15512 and 3397, and they wanted an official opinion from Sourcefire as to whether the alerts they were seeing constituted false positives. Opening up the supplied packet captures, the DCERPC payload in question looked odd at

Released: Icinga Core 1.0.1 & Web 0.9.1 beta *NOW*

Icinga marches on with the release of version 1.0.1 and a heap of improvements to boot:

Core 1.0.1: If you haven’t been keeping up with Michael F’s updates, the Core team has been making a whole heap of improvements in IDOUtils with optimized indexes and housekeeping, Oracle enhancements and two fantastic new features from the community – cheers to Vitali Voroth, DECOIT GmbH for his escalation condition patch and Bill McGonigle for his service_check_timeout_state suggestions! The list goes on, so check out the changelog for more info.

Docs 1.0.1: The Docs team has kept up to speed with new help topics on escalation conditions, using Oracle as the RDBMS and of course how to upgrade it for Icinga Core 1.0.1.

Web 0.9.1 beta: As previously hinted, the Web team has developed a bunch of new features including compound commands, status icons, built in persistence and even more flexible user settings.

So click on that download button on the right to check it out for yourself – and don’t forget to give us your feedback in the comments or issues lists!


Now Available: Zenoss 2.5.2

We are pleased  to announce the Zenoss Core 2.5.2 maintenance  release, now available for  download from:

http://community.zenoss.org/community/download

 

Version 2.5.2 of Zenoss Core offers:

  • Improved  reliability and performance, with a focus on the new event console  introduced in the prior version.

  • A new Xen Virtual Hosts ZenPack for monitoring Xen para-virtualized domains  and their guests.  This ZenPack was previously available in Zenoss Enterprise.

  • More than 50 new ZenPacks contributed by the community since the release of 2.4

Prior 2.5.x versions of Zenoss Core offer these new features and improvements:

  • A newly redesigned Event Console offers inline event filtering and improved usability. A new "Event Details" pane helps streamline troubleshooting tasks.

  • A new Community Site Window Portlet that provides easy access to Zenoss information resources. Zenoss wishes to thank Community member Ian Smith for providing this functionality, now incorporated in Zenoss Core.

  • The Amazon Web Services™ ZenPack, which allows you to monitor the performance and availability of Amazon Elastic Compute Cloud™ (Amazon EC2™) Web services.

The 2.5.2 Zenoss Core release notes are available from the Documentation page in PDF and HTML formats:

http://community.zenoss.org/community/documentation/official_documentation/release_notes

Installation and upgrades from earlier versions are covered in Zenoss Core Installation, also available in PDF and HTML formats from the Documentation page: http://community.zenoss.org/community/documentation/official_documentation/installation-guide

Zenoss thanks everyone who contributed to the testing effort for this release!

Zenoss IRC session Thursday March 4 at 11am EST

Zenoss developers will be available for questions on Thursday, March 4 at 11am EST in the #zenoss IRC channel on irc.freenode.net (port 6667). Please drop in and bring your questions, answers, suggestions and feedback. Zenoss Developer Eric Miller and other developers will be available to answer your questions on Zenoss, the 2.5.2 release and anything else you want to discuss.

There will also be a QA Day going on concurrently in the #zenoss-testing IRC channel. The subject is 2.5.2 upgrades.

We’ll log the session and repost it here if you can’t make it.

Don’t forget you can search for answers to common questions by visiting the Zenoss Forums.

Windows Credentials and Microsoft DHCP Servers in Orion IPAM

We get many, many questions on thwack regarding Windows credentials for adding a Windows DHCP server to IPAM. There are a few tips and tricks I will share that can make this process relatively painless. First, let me explain why you need to enter Windows credentials in IPAM. A Windows account is required to pull scopes from a Microsoft DHCP server. This account has to be a member of one of the following three groups on the DHCP server: local Administrators, DHCP Users, or DHCP Administrators. IPAM uses this account to log into the DHCP server and to pull the scopes you want to manage.

Second tip: the DHCP server you’re adding to IPAM must already be defined as a node in Orion NPM.  If you haven’t added the DHCP server as a node in Orion NPM, you won’t be able to add it to IPAM.  When you’re adding a DHCP server to IPAM, it displays a list of devices to choose from, and this list is generated from your Orion nodes.

Add DHCP Server.

Third tip: use the Windows Credentials manager in IPAM if you’re working with more than one set of Windows credentials. Go to IPAM Settings > Manage Windows credentials for scope scans, which will take you here:

Windows Credentials manager.

Note the two sets of Windows credentials I’ve created: Windows 1 and Windows 2.  Once created, these are available to you when adding a DHCP server in IPAM, as shown below.

choosing credentials.

Fourth tip: when in doubt, check out our Knowledge Base articles on this topic.  You can find them here.  These two articles have some great information on errors you may encounter and how to resolve them.
