CorreLog. Ping Monitor Adapter Software Users Manual


CorreLog Ping Monitor Adapter Software Users Manual
http://www.correlog.com
info@correlog.com

CorreLog, Ping Monitor Users Manual

Copyright 2008-2017, CorreLog, Inc. All rights reserved. No part of this manual shall be reproduced without written permission from the publisher. No patent liability is assumed with respect to the use of the information contained herein. Although every precaution has been taken in the preparation of this book, the publisher and author assume no responsibilities for errors or omissions. Nor is any liability assumed for damages resulting from the use of the information contained herein.

Ping Monitor Adapter, Page - 2

Table of Contents

Section 1: Introduction .......... 5
Section 2: Software Installation .......... 9
Section 3: Software Operation .......... 13


Section 1: Introduction

This manual provides a detailed description of the CorreLog Ping Monitor software. This is an optional set of files and executables added to the CorreLog Server in order to expand the role of CorreLog to include monitoring of device states using ICMP Ping messages. The manual provides information on specific features and capabilities of this special software, including installation procedures, operating theory, application notes, and certain features not documented elsewhere.

The Ping Monitor software consists of several components. A background process continuously polls devices and compares response times to thresholds. The user can configure timeouts and retries, and can specify the syslog message that is sent when thresholds are violated. Additionally, the user can inspect the list of ping response times collected on the system. These components are described in detail within this document.

This manual is intended for CorreLog users who will operate the system, as well as system administrators responsible for installing the software components. This information will also be of interest to program developers and administrators who want to extend the range of the CorreLog system's role within an enterprise to include ICMP Ping monitoring of device states and availability.

Overview Of Operation

The Ping Monitor Adapter software extends the CorreLog system to permit polling of device states using standard ICMP Ping. This allows CorreLog to actively monitor network states, in particular whether devices are capable of sending messages to the CorreLog server. The CorreLog Ping background process continuously polls groups of devices, compares the ICMP response time to threshold values, and then sends Syslog messages (of user-specified severity and content) to the main CorreLog server when response times are greater than anticipated. This gives CorreLog more awareness of the network and enterprise state.

The CorreLog Ping background process is configured and monitored using a tightly coupled integration with the main CorreLog web interface. The user configures address groups that are polled for specific values, and defines the message and severity that is sent to CorreLog when a threshold is tripped.

Ping Basics

ICMP (also referred to as "Ping") is a network protocol that is supported by virtually all network devices. Ping requests are serviced at the interfaces to these devices, and provide a good indication of whether a device exists and is capable of receiving messages. Note that if a network interface card responds to an ICMP request, it does not necessarily mean that the system is actually operating or capable of processing. Although this inference is commonly made by networking professionals, the Ping request does not actually reach the CPU of the system. Hence, if the CPU is busy (or crashed) the managed device may still respond to Pings. If the objective of the user is to assure that a device is actually operational, SNMP is a better choice than Ping. (The user should consider installing the SNMP Adapter Software, discussed elsewhere.) However, if the objective of the user is to determine whether a device is accessible and likely operational, then Ping is an excellent choice, since it is supported by virtually all network devices.

Ping Monitor System Software Components

The CorreLog Ping software comes as a single downloadable package in self-extracting WinZip format. This package is installed at the CorreLog server, and contains the following specific components.

CO-Ping.exe Program. This is the polling agent that is responsible for gathering Ping information on the system. The process is configured to run on CorreLog system startup (via the "System > Schedule" screen, as documented below.)

Ping Configuration Screen. This is a support screen, available under the "Messages > Adapters > Ping" tab of the CorreLog web interface as part of the Windows component installation. This screen allows the user to configure the devices to be polled, as well as the message severities and timeouts for the polling process.

System Block Diagram

The CorreLog Ping Monitor process consists of a single background process, which executes at the CorreLog server. This process reads configuration data that has been configured by the operator, and continuously polls a list of devices. (The devices are specified by IP address, by an IP address wildcard, or by a standard CorreLog Address Group specification.) As the list of managed devices is polled for values, the Ping response time of each device is compared to an operator-configured threshold. When the threshold is exceeded, the Ping Poller process issues a Syslog message to the Main CorreLog server. The actual message (and its severity) is configured by the operator, and appears in correlation threads and tickets like any other received message.

As indicated in the above diagram, the CO-Ping.exe process (installed and configured as described in the next chapters) continuously polls a list of managed devices. These devices can be Windows platforms, UNIX servers, routers, switches, and other network equipment. The polling process is completely controlled and monitored by data that is configured by the operator using the "Messages > Adapters > Ping" screen of the Main CorreLog Server web interface.

How To Use This Manual

The next section of this manual (Section 2) provides the essential information needed to install the CorreLog Ping Monitor software. Note that the only required components of the system are the CO-Ping.exe program and the Ping configuration screen, documented herein. Other information on the CorreLog server can be found in the standard "User Manual", including operation and application notes that will be of assistance in processing the Ping messages generated by the CO-Ping.exe program, and received by the CorreLog Syslog receiver process.

Section 2: Software Installation

The CorreLog Ping Monitor software is usually delivered as a self-extracting WinZip file. The installation requires a few simple manual installation steps, and no automatic installation is provided or required. The basic installation steps are as follows:

1. The user obtains the CorreLog Ping Monitor software, in self-extracting WinZip format.

2. The user stops the CorreLog Server "Framework Service", and verifies via the task manager that all CorreLog background processes have stopped.

3. The user executes the self-extracting WinZip file. This unzips the Ping software into the CorreLog Windows Distribution, including all configuration data and executables, and modifies the CorreLog program to start the CO-ping.exe program on system startup.

4. The user restarts CorreLog, and configures address groups and other items via the "Messages > Adapters > Ping" screen.

5. The user configures other parts of the CorreLog system, such as Threads, Alerts, and Ticket users, to correlate and process the syslog messages that are generated by the Ping Monitor software.

Administrative logins are required in order to perform the software installation. The detailed steps needed to perform the installation are provided in the sections that follow.

Installation Requirements

Existing CorreLog Server Installation. Prior to installing the Ping Monitor software, the CorreLog Server system must be installed on a Windows platform, as discussed in the CorreLog User Reference Manual.

Disk Space Requirements. The Ping Monitor software requires no significant disk space beyond the normal footprint of the CorreLog server. There is generally no extra disk space load due to this software.

CPU Requirements. The Ping Monitor software requires very little extra CPU. A single process is started on the CorreLog Windows platform, which consumes minimal CPU resources.

Firewall Requirements. The Ping Monitor software requires that managed devices respond to ICMP ping requests from the CorreLog server. This is the normal condition (however, some sites may purposely disable ping responses from devices, and those selected devices will not be manageable by CorreLog.)

To ensure proper installation of the program, the user should close all windows, and temporarily disable any port blocking or virus scan software on the system. The existing CorreLog server process should be stopped prior to the installation. A reboot after installation is not required.

Windows Installation Procedure

The specific steps needed to install the software are as follows:

1. Login to the CorreLog Server Windows platform using an "Administrator" type login.

2. Stop the CorreLog Server processes via the Windows Service Manager, or via the "Start and Stop Services" utility found in the Windows Start menu. Verify with the Windows "Task Manager" that all CorreLog processes are stopped.

3. Obtain and execute the "co-n-n-n-ping.exe" package, extracting files to the directory location where CorreLog is installed (by default the location "C:\CorreLog"). After extracting files, the "About" dialog is displayed indicating the success of the installation.

   Comment: After extracting files, the installer will modify the CorreLog "Schedule" facility (in the "System" tab) to automatically start the background process "CO-ping.exe" on system startup.

4. Restart the CorreLog system processes via the Windows Service Manager or via the "Start and Stop Services" utility.

5. Verify with the Windows "Task Manager" that the "CO-ping.exe" process is now running on the system.

Ping Software, Device Group Configuration

Once the CO-Ping.exe program has been installed and is running on the system, the user can configure the list of devices that are polled by the agent. The user accomplishes this activity via the "Messages > Adapters > Ping" tab of the web browser interface. (The "Adapters" tab is automatically added to your system, if it does not already exist.)

Note that, by default, the CO-Ping.exe program does not poll any devices. The address group of "0.0.0.0" (which is the default poll address for all items) disables the polling process for that group. The user must configure a device IP address (or list of addresses), which is polled by the CO-Ping.exe program. The user clicks on the "Edit" button to edit an existing monitor. The user can provide an IP address or device group as follows.

1. The user can specify a static IP address, such as "10.1.1.1". In this case, the monitor will poll the single device.

2. The user can specify an IP address with wildcards, such as 10.1.1.*. In this case, the monitor will poll all devices in the "Devices" tab of CorreLog that match the specified wildcard.

3. The user can specify an address group such as @@my_servers@@ that describes one or more devices. These device groups provide the most maintainable way of polling the devices. The device groups are configured in the "Correlation > Config > Address Groups" tab of the program.

Note that when using wildcards as the IP address, the devices are polled only if the wildcard matches one or more entries in the "Messages > Devices" tab of the program. The user can add device entries with the "Add New" button, found on this screen.

Setting the IP address value to "0.0.0.0" effectively disables any polling for a specified Ping monitor. This provides a way of disabling the polling associated with a particular monitor without deleting the Ping monitor from the system. More information on "Device Groups" and their usage is available in Section 3 of this manual.


Section 3: Software Operation

The CorreLog Ping Monitor software allows the user to correlate message information, sent by devices in the form of Syslog messages or SNMP traps, with information regarding network device states. This provides an extra capability to gather information in a consistent way, which cannot be self-reported by devices. The Ping Monitor establishes that devices are booted, and are therefore capable of sending messages.

The CorreLog Ping Monitor program requires very limited operating notes. Once the program is installed, it makes use of reasonable default values. The operator only needs to set the device groups in order to immediately start using the program.

The user may add Ping Monitor Groups, in addition to the pre-configured "Default Ping Test" monitor that comes with the system. This activity typically requires a moderate understanding of the network, such as what devices are available, and what types of monitoring will provide the most visibility without loading down the network with useless message and status information.

This section provides a description of these optional software elements, their usage, and other considerations, including screenshots and explanation of monitor configuration values.

Ping Monitor Screen

As part of the Windows installation, a new tab is created in the "Messages > Adapters" section of the CorreLog web interface, which permits the user to configure various parameters associated with the Ping Monitor program. This screen is available only to CorreLog administrators. The screen is depicted below.

The above screen is a standard CorreLog parameter "AddNew" editor screen. The user can click the "SaveNew" button to save a new monitor value. Once the monitor value is created, the user can further modify the entry by clicking on the "Edit" button on the parent screen for the new entry.

The Ping Monitor screen provides the following parameters, which are read by the CO-Ping.exe program.

Ping Monitor Title. This is a short title that prefixes any message sent by the monitor background process as part of the Syslog message. This value also appears on the top-level Ping Monitor page, used to quickly identify the nature and purpose of the monitor function, usually the same as the type of device or network segment being polled.

IP Addr / Group. This value identifies the particular device or list of devices polled by the background process. This value can be a single IP address, an IP address wildcard, or an "Address Group" defined in the "Correlation > Config > Address Groups" screen. If an IP address wildcard is specified, the addresses listed in the "Devices" tab are polled if they match the wildcard value. The special value of "0.0.0.0" disables polling on the system.

Timeout / Retries. These settings provide control over the timeout and retry values of the polling process. The timeout is typically two seconds, and the retry value is typically under three retries. Specifying a high value for timeout and retry may seriously degrade the poll time for the specified Ping Monitor. These values should be adjusted carefully.

Alert Message Severity. This is the severity of the message that is generated by the CO-Ping.exe program when a threshold is violated. This is a standard syslog severity ranging from "debug" to "emergency".

Alert Message. This is the actual content of the message that is sent by the CO-Ping.exe process when the timeout threshold is violated. The message will consist of the "Monitor Title" configured above, followed by the content of this message. The value should be descriptive of the particular event, and may include corrective action or remediation steps. The value can be selected to include keywords that cause the message to be recorded in certain CorreLog threads, or to match triggers and actions.

Ping Monitors

The Ping Monitor software operates on a series of monitor groups. These groups are displayed on the entry screen of the "Messages > Adapters > Ping" tab. Each group is an arbitrary partition consisting of one or more devices that are continuously pinged by the system. There can be multiple Ping Monitors on the system, with overlap between the polled devices.

The "Ping Monitor" title, displayed on the entry screen, is hyperlinked to the list of polled devices and the most recently polled response times for each device. The user can click on the Ping Monitor title to view all the devices being polled and the response time (in milliseconds) as of the last poll. This provides an easy way to assess the nature of the monitor, including whether the threshold for the monitor is set inappropriately.

There can be a maximum of 2000 Ping Monitors, each polling a maximum of 10,000 devices. In practice, the number of Ping Monitors will be much less. The larger the number of Ping Monitors and polled devices, the slower the polling process will be. The system will never poll faster than once every 60 seconds. The actual time to poll may be much larger, especially if there are many Ping Monitors, each with large numbers of polled devices. The actual time to finish a single poll cycle is displayed in the lower left of the screen.

Monitor Status Bar

At the bottom of the Ping Monitor screen, beneath the list of Ping Monitors, is a series of metrics that indicate the progress and state of the CO-ping.exe background process. These metrics are updated at the end of each poll cycle, and provide the following information:

Poll Duration. This is the time in seconds needed to poll all monitors on the system one time. The time is calculated at the end of each poll cycle, and indicates the general load on the system. If the time is less than 60 seconds, then the CO-ping.exe program will wait until at least 60 seconds have elapsed before resuming polling. (See additional notes below.)

Number Of Polled Devices. This is the total number of devices polled during the last cycle. It represents the total number of Ping requests that have been issued by the program during the last poll cycle. This number will be equal to the number of Ping Monitors multiplied by the total number of devices for each monitor. The value will be under 10,000.

Number Of Poll Timeouts. This is the total number of poll timeouts during the last cycle, indicating that an object could not be fetched. This typically indicates that one or more devices are either offline, or the read community of the device has changed or is misconfigured at CorreLog. If this value is high, the operator should address the issue by returning the device to an online state, removing the device from the Ping Monitor, or changing the read community of the managed device. The particular devices that have timed out can be viewed by clicking on the Ping Monitor title hyperlink.

Number Of Poll Errors. This is the total number of errors during the last cycle, indicating that the remote Ping agent does not support ICMP ping. This typically indicates that the managed device should not be part of the group. In either case, the operator should address the problem by clicking on the Ping Monitor title hyperlink and removing the device or adjusting the device to respond to Ping requests.

Number Of Poll Cycles. This is the total number of poll cycles since the system started. This value will increment each time a complete poll cycle finishes. This value, when divided by the system up time of the CorreLog server, will indicate the average time to poll all Ping Monitor devices and objects.

Number of Messages Sent. This is the total number of Syslog messages that have been issued by the Ping polling process to the CorreLog server since the system started, useful for assessing how busy the polling monitor is. The number should precisely correspond to the total number of messages in the "Messages" tab of CorreLog (related to Ping Timeout threshold violations detected by the CO-poll.exe process.)

Poll Duration

The "Poll Duration" found in the lower left of the Ping Monitor screen (and first mentioned above) provides special utility in determining the polling performance of the CO-ping.exe program. This value indicates the total time to Ping poll all the devices per cycle, taking into consideration network latencies and delays, as well as timeouts and retries. This value can become fairly large, and is useful for determining performance. For example, if the value is 300 seconds, then the fastest any error condition will be detected is once every five minutes. If the value is 3600 seconds, the fastest any error condition will be detected is once each hour.

To reduce this value and increase the polling speed, the user can eliminate Ping Monitors that are not useful, or reduce the number of devices polled by each monitor to a minimum. It is a common mistake to load the Ping Monitor with many different devices, especially devices that do not support ICMP ping. For example, setting an address group to be "*.*.*.*" (i.e. all devices) can have a deleterious effect on the program's performance. This may result in a high value for the "Poll Duration", reducing the effectiveness of the program to rapidly detect network conditions. In most (but not all) environments, this may be an undesirable configuration for the software.

Additionally, the "Poll Duration" setting is useful for setting the "Alert Interval", when opening tickets on the system. When configuring Correlation Threads and Alerts, the "Alert Interval" should be greater than the "Poll Duration" setting to prevent multiple tickets from being opened due to a single network condition. This special consideration is discussed in a later section.
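The status bar figures described above (poll duration, polled devices, timeouts, errors, messages sent) and the 60-second floor on the poll cycle can be reproduced with a small simulation. The following Python is an added example written against this manual's description; it is not CorreLog's code and not CO-Ping.exe. The replies are a constructed table standing in for real ICMP traffic, the per-monitor threshold field and the timeout accounting (each retry waits the full timeout before giving up) are simplifying assumptions, and no network is touched.

```python
"""Model of one CO-Ping.exe poll cycle and the Monitor Status Bar figures.
Added example for the Ping Monitor manual; not CorreLog code.  Replies are a
constructed table, not real ICMP, and the threshold field is an assumption."""

from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

MIN_CYCLE_SECONDS = 60.0   # the manual: the system never polls faster than once per 60 s


@dataclass
class Monitor:
    title: str               # "Ping Monitor Title", prefixes every message
    targets: List[str]       # addresses resolved from "IP Addr / Group"
    threshold_ms: float      # response time above which a message is sent (assumed field)
    timeout_s: float = 2.0   # "Timeout", typically two seconds
    retries: int = 3         # "Retries", typically under three
    severity: str = "warning"
    message: str = "response time over threshold"


@dataclass
class CycleReport:
    """The figures the Monitor Status Bar shows at the end of a cycle."""
    poll_duration_s: float = 0.0
    polled_devices: int = 0
    timeouts: int = 0
    errors: int = 0
    messages: List[str] = field(default_factory=list)
    last_rtt_ms: Dict[str, Optional[float]] = field(default_factory=dict)


# Constructed replies keyed by address: a number is the round-trip time in ms,
# None means no reply at all (a timeout), "noicmp" means the device rejects ICMP.
SIMULATED_REPLIES: Dict[str, object] = {
    "10.1.1.1": 12.0, "10.1.1.2": 850.0, "10.1.1.100": None,
    "10.5.1.100": 20.0, "10.5.2.7": "noicmp",
}


def ping(address: str, timeout_s: float, retries: int) -> Tuple[Optional[float], float, bool]:
    """Simulated ping: (rtt_ms or None, seconds spent, error_flag)."""
    reply = SIMULATED_REPLIES.get(address)
    if reply == "noicmp":
        return None, 0.0, True                     # counted as a poll error
    if reply is None:
        return None, timeout_s * retries, False    # every retry waits the full timeout
    return float(reply), float(reply) / 1000.0, False


def run_cycle(monitors: List[Monitor]) -> CycleReport:
    """Poll every target of every monitor once and tally the status bar figures."""
    report = CycleReport()
    for m in monitors:
        for addr in m.targets:
            rtt, elapsed, err = ping(addr, m.timeout_s, m.retries)
            report.polled_devices += 1              # one Ping request issued
            report.poll_duration_s += elapsed
            report.last_rtt_ms[f"{m.title}/{addr}"] = rtt
            if err:
                report.errors += 1                  # device does not support ICMP
                continue
            if rtt is None:
                report.timeouts += 1                # device offline or not answering
            if rtt is None or rtt > m.threshold_ms:
                # one Syslog message per violating device, every cycle the condition persists
                report.messages.append(f"<{m.severity}> {m.title}: {addr} {m.message}")
    return report


def next_cycle_wait(poll_duration_s: float) -> float:
    """Seconds CO-ping.exe would idle before the next cycle: the 60 s floor applies."""
    return max(0.0, MIN_CYCLE_SECONDS - poll_duration_s)


def fastest_detection_seconds(poll_duration_s: float) -> float:
    """Longest a new fault can go unnoticed: one full cycle, never under 60 s."""
    return max(MIN_CYCLE_SECONDS, poll_duration_s)


# Constructed monitors: a core group with a slow and a silent device, an edge group
# with one device that refuses ICMP.
SAMPLE_MONITORS = [
    Monitor("Core Routers", ["10.1.1.1", "10.1.1.2", "10.1.1.100"], threshold_ms=500.0),
    Monitor("Edge", ["10.5.1.100", "10.5.2.7"], threshold_ms=100.0),
]


def demo() -> CycleReport:
    return run_cycle(SAMPLE_MONITORS)


if __name__ == "__main__":
    r = demo()
    print(f"Poll Duration: {r.poll_duration_s:.3f} s, wait {next_cycle_wait(r.poll_duration_s):.3f} s")
    print(f"Polled {r.polled_devices}, timeouts {r.timeouts}, errors {r.errors}, sent {len(r.messages)}")
    for line in r.messages:
        print(line)
```

The silent device dominates the poll duration (timeout times retries), which is the effect the manual warns about when it advises keeping timeout and retry values small and removing devices that never answer.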

Working With Address Groups

Each Ping Monitor polls a list of one or more devices. A device can (and typically does) exist in multiple Ping Monitors, and is polled for multiple values. The list of devices is configured for each Ping Monitor using one of the following techniques:

Single IP Address. The user can specify a single IP address to be polled. In this case, the Ping Monitor polls no other devices. The user can configure multiple Ping Monitors, each polling the same or different device and each containing the same or different IP address.

IP Address Wildcard. The user can specify an IP address wildcard to be polled, such as 10.*.1.* or "10.5.1.*", which will cause a range of IP addresses to be polled. This is especially useful if networks and devices follow some convention (such as routers ending in a ".100" IP address.) The special case of "*.*.*.*" matches all devices in the "Messages > Devices" tab of the program, and should be specified with caution because it can dramatically increase the poll duration, reducing the responsiveness of the polling process.

Address Group. The user can specify a CorreLog Address Group, in the form "@@name@@", configured in the "Correlation > Config > Address Groups" tab of the program. This permits the user to specify multiple IP addresses, IP address wildcards, exclude addresses, and exclude IP address wildcards. More information on Address Groups and their usage is provided in the CorreLog User Manual.

When using an IP address wildcard or address group, each address must exist in the "Messages > Devices" tab of the program. If the device IP address is not listed on the system, the user may manually add a new device using the "AddNew" button on the "Devices" screen. When specifying an IP address wildcard, only those addresses listed in the "Devices" screen are actually polled.
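The selection rules given here and in Section 2's "Device Group Configuration" (a single address polled as given, an octet wildcard matched only against the Devices tab, an "@@name@@" group with include and exclude entries, and "0.0.0.0" to disable polling) can be modelled compactly. The following Python is an added example written for this manual's description, not CorreLog's own code: the device list and the address groups are constructed samples, and the "!" prefix marking an exclude entry is an assumed notation, since the manual does not show the group format.

```python
"""Model of how a Ping Monitor's "IP Addr / Group" value selects devices.
Added example for the Ping Monitor manual; not CorreLog code.  The device
list, the groups and the "!" exclude notation are constructed assumptions."""

from typing import Dict, List

# Constructed sample of the "Messages > Devices" tab.  Wildcards and groups can
# only ever select addresses that appear here.
DEVICES: List[str] = [
    "10.1.1.1", "10.1.1.2", "10.1.1.100",
    "10.5.1.100", "10.5.2.7", "192.168.0.100",
]

# Constructed sample of "Correlation > Config > Address Groups".  An entry
# starting with "!" is an exclude address or exclude wildcard (assumed notation).
ADDRESS_GROUPS: Dict[str, List[str]] = {
    "routers": ["*.*.*.100", "!192.168.0.*"],
    "my_servers": ["10.1.1.1", "10.5.2.7"],
}

DISABLED = "0.0.0.0"   # default value of every monitor: polling disabled


def wildcard_match(pattern: str, address: str) -> bool:
    """Octet-wise match: '*' matches any octet, anything else must be exact."""
    p_octets = pattern.split(".")
    a_octets = address.split(".")
    if len(p_octets) != 4 or len(a_octets) != 4:
        return False
    return all(p == "*" or p == a for p, a in zip(p_octets, a_octets))


def resolve_group(name: str, devices: List[str]) -> List[str]:
    """Apply an address group: include entries select, exclude entries remove."""
    entries = ADDRESS_GROUPS.get(name, [])
    includes = [e for e in entries if not e.startswith("!")]
    excludes = [e[1:] for e in entries if e.startswith("!")]
    selected = [d for d in devices if any(wildcard_match(i, d) for i in includes)]
    return [d for d in selected if not any(wildcard_match(x, d) for x in excludes)]


def resolve_targets(spec: str, devices: List[str] = DEVICES) -> List[str]:
    """Return the addresses a monitor configured with `spec` would poll."""
    spec = spec.strip()
    if spec == DISABLED:
        return []                                   # monitor kept, polling off
    if spec.startswith("@@") and spec.endswith("@@") and len(spec) > 4:
        return resolve_group(spec[2:-2], devices)   # "@@name@@" address group
    if "*" in spec:
        # wildcard: only devices already listed in the Devices tab are polled;
        # a wildcard matching nothing is not an error, it simply polls nothing
        return [d for d in devices if wildcard_match(spec, d)]
    return [spec]                                   # single static address, polled as given


if __name__ == "__main__":
    for s in ["10.1.1.1", "10.1.1.*", "*.*.*.*", "10.9.*.*", "@@routers@@", DISABLED]:
        print(f"{s:14} -> {resolve_targets(s)}")
```

Running the block shows the "*.*.*.*" case returning the whole Devices tab, which is why the manual advises caution with it: every matched address adds to the poll duration.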
Specifying a wildcard that does not match any address, while not an explicit error, has no effect on polling, and causes no devices to be polled. The special IP address "0.0.0.0" disables polling for the Ping Monitor. This is the default address for each monitor on the system. Therefore, to use any of the "out-of-the-box" monitors, the administrator must first configure a valid IP address, IP address wildcard, or Address Group for the monitor to actually begin polling. Finally, note that the most maintainable way of configuring devices is via the "Address Group" function. This permits the user to update, add, or delete from an address group to change the polling behavior of an Ping Monitor, without having to edit the Ping Monitor. This is an effective technique for managing the list of Ping Monitor Adapter, Page - 18

polled devices. Rather than using a single IP address, it may be better practice to define an address group that represents that single IP address. Sending Syslog Messages A separate message (of content and severity as defined by the user) is sent each time a Ping Monitor timeout threshold violation is detected, during every poll cycle. While the alert condition exists, the system sends additional messages, at a rate no faster than once each minute, or at the "Poll Duration" value found in the lower left of the Ping Monitor screen. It should be well noted by the reader that, if the "Poll Duration" is 120 seconds, a new message will be sent by the CO-ping.exe process (and received in the CorreLog "Messages" tab) every two minutes while the timeout threshold violation exists. This means that a chronic problem can generate multiple repetitive messages scattered throughout the event logs. At first glance, it may seem to a new user that it would be better for the Ping Monitor to send a single message only (rather than multiple messages each time the condition is detected). However, experience with CorreLog quickly demonstrates that the behavior of identifying an alert condition with multiple Syslog messages (rather than a single message) provides considerable more safety and flexibility to the user, and leveraging the analytical power of the program. Specifically, CorreLog uses the "Threads", "Alerts" and "Tickets" system functions to reduce the number messages to a single alert condition and actionable ticket. The CorreLog alert facility detects the continuous stream of messages, sets the alert, and prohibits any further tickets or alerts from being generated while the messages are being sent. This means (for example) that a user is notified a single time when a problem is first detected, and not necessarily each time a message is received indicating that the problem still persists. 
Experience demonstrates that this behavior is both desirable and well handled by the Correlation functions of the program. Because the Ping Monitor never sends the same message more than once every 60 seconds, there is no danger that CorreLog will be overburdened by these Ping Monitor messages. Instead, the messages provide a clear indication of a chronic or unaddressed problem on the system, and a clear indication when that problem is finally resolved (causing the messages to stop, and any associated alert to clear).

Creating Threads, Tickets, and Alerts

Because the messages sent by the Ping Monitor are fully under the control of the operator, it is easy to create threads, tickets and alerts that will correlate and reduce the monitor's messages into actionable data. The basic method for correlating the Ping Monitor messages is no different than the techniques discussed elsewhere. The basic steps are provided below.

1. The operator creates a thread to tabulate the messages sent by the monitor using the "Correlation > Threads > Add New" screen. This screen is used to collect all the messages of a particular type (such as all messages with "Router" or "Ping" in their title, possibly further qualified by a particular address group, severity, or time of day).

2. The operator creates an Alert for the thread counter using the "Alerts > Counters > Add New" screen. This alert will send a Syslog message back to the main list of messages when one or more messages are received during an interval of time. As is always the case, when an alert is triggered, a single message is sent back to CorreLog, and a single ticket is opened while the alert is set. (See additional notes below.)

3. The operator optionally identifies an "Assignee" for the alert via the "Alerts > Counters > Add New" screen. This causes a ticket to be opened on the system and assigned to a particular user or ticket group. The user can assign a ticket to any existing user or ticket group.

4. The operator optionally adds a "Ticket Action" to the system, which sends e-mail (or performs some other action) when a new ticket is opened on the system, providing a real-time indication that a timeout threshold of the Ping Monitor software has been violated. This message will typically contain the descriptive text entered by the operator when the alert was created, which may be slightly (or totally) different from the originating Ping Monitor message.

As a special note, if only one ticket is to be opened on the system per Ping threshold violation (as will often be the case), then the "Alert Interval", configured on the "Alerts > Counters" screen, should be higher than the "Poll Interval" displayed at the lower left of the "Messages > Adapters > Ping" screen. Additionally, the "Auto-Learn" function for the alert should probably be disabled to prevent this interval from changing automatically. Failure to understand or implement this consideration may result in multiple tickets being opened for the same threshold violation, which is not desirable, especially if one of the ticket actions is to send e-mail or provide other intrusive notifications to the ticket assignee.

Device Screen Support

As a final topic, it should be noted that the Ping Monitor affects the operation of the "Messages > Devices" screen, as follows:

Normally, the "Devices" screen represents devices that have recently sent messages with a "Green" indication, and devices that have not sent messages for a configured duration with a "Red" indication. This normal operation permits the user to determine which devices have not recently sent messages, and which may be offline.

The Ping Monitor adds an additional color indication to the "Devices" screen. If the device has recently sent a message, but is now not responding to ICMP requests, the indicator turns "Yellow". This signifies that the device is an active participant in sending messages to CorreLog, but is currently offline. Therefore, the user can rapidly see that certain devices are offline by noting which devices are associated with "Yellow" indications. (This capability is much more immediate than the normal "Red" indication, which is shown only after the device has not sent messages for an extended period of time, such as one hour, one day, etc.) When a device goes offline, the "Devices" screen will reflect that change within the "Poll Duration" interval discussed above. This special feature is available only when the Ping Monitor software is installed, and is not otherwise available to users.

Section Summary, Additional Notes

1. The CO-ping.exe program polls each device group entry no faster than once per minute. While the threshold is in violation, the CO-ping.exe program will repeatedly issue messages indicating the violation.

2. If a poll fails, the failure will appear in the list of current values (accessed by clicking the Ping Monitor name hyperlink on the top level screen). This will cause a Syslog message to be sent to the CorreLog server.

3. The user can determine the poll time and response time for the CO-ping.exe program by drilling down into the Ping Monitor name hyperlink, which shows the current response time values for all devices during the last poll cycle.

4. Caution should be taken to avoid specifying devices in the poll lists that do not support ping. This can substantially degrade the performance of the polling (especially if the timeout and retry values are high for the monitor).

5. Particular caution should be taken when specifying an address group of "*.*.*.*", which will cause all the devices in the "Devices" tab to be polled. This may result in multiple timeouts and errors that will degrade the performance of the polling agent and increase the "Poll Interval" (described below).

6. The "Poll Interval" metric, available at the bottom-left of the Ping Monitor screen, indicates the time (in seconds) needed to poll all values during a single cycle. This value, if over 60 seconds, indicates the typical duration between poll cycles, and the rate at which the Ping Monitor will send Syslog messages when a threshold is violated.

7. When configuring a CorreLog alert, the "Alert Interval" should be greater than the "Poll Interval" value to prevent multiple tickets from being opened for a single incident. Additionally, the "Auto-Learn" function for the alert should typically be disabled.

8. When the Ping Monitor software is installed, the operation of the "Messages > Devices" screen is augmented as follows: "Green" indicates that the device is sending messages and is currently responding to ping requests; "Yellow" indicates that the device has recently sent messages, but is no longer responding to ping requests; "Red" indicates the device has not sent messages in a user-configured period of time (irrespective of whether the device is responding to ping requests).
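The "Alert Interval" versus "Poll Interval" rule from the "Creating Threads, Tickets, and Alerts" section and summary note 7 can be checked with a small simulation. This is an added example, not CorreLog code; it assumes a simplified, hypothetical counter-alert model (alert set by the first message in an interval, one ticket on that transition, alert cleared by an interval with no messages) and a constructed outage scenario.

```python
"""Simulation of how the Ping Monitor's repeated violation messages are
reduced to tickets by a CorreLog counter alert. Added example, not CorreLog
code. Hypothetical alert model: the alert is set when at least one message
arrives in an alert interval, one ticket opens on that transition, and the
alert clears when a whole interval passes with no messages."""

MIN_POLL_SECONDS = 60  # the monitor never repeats a message faster than once a minute


def monitor_messages(poll_interval, down_from, down_until):
    """Timestamps (seconds) of violation messages from CO-ping.exe: one per
    poll cycle while the device is in violation, at least 60 s apart."""
    step = max(MIN_POLL_SECONDS, poll_interval)
    return list(range(down_from, down_until, step))


def simulate_tickets(message_times, alert_interval, horizon):
    """Count tickets opened by a counter alert (threshold: one message) that
    evaluates the thread count every alert_interval seconds up to horizon.
    Returns (tickets_opened, alert_still_set)."""
    times = sorted(message_times)
    tickets = 0
    alert_set = False
    start = 0
    while start < horizon:
        end = start + alert_interval
        count = sum(1 for t in times if start <= t < end)
        if count >= 1 and not alert_set:
            alert_set = True   # first message in this window: open one ticket
            tickets += 1
        elif count == 0 and alert_set:
            alert_set = False  # a quiet window clears the alert
        start = end
    return tickets, alert_set


if __name__ == "__main__":
    # Constructed scenario: Poll Interval 120 s, device down for 10 minutes.
    msgs = monitor_messages(poll_interval=120, down_from=0, down_until=600)
    # Alert Interval above the Poll Interval: every window sees a message
    # while the outage lasts, so the alert never clears early -> one ticket.
    print(simulate_tickets(msgs, alert_interval=180, horizon=720))  # (1, False)
    # Alert Interval below the Poll Interval: quiet windows can fall between
    # polls, clearing and re-setting the alert; here, one ticket per poll.
    print(simulate_tickets(msgs, alert_interval=60, horizon=720))   # (5, False)
```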

For Additional Help And Information

Detailed specifications regarding the CorreLog Server, add-on components, and resources are available from our corporate website. Test software may be downloaded for immediate evaluation. Additionally, CorreLog is pleased to support proof-of-concepts, and provide technology proposals and demonstrations on request.

CorreLog, Inc., a privately held corporation, has produced software and framework components used successfully by hundreds of government and private operations worldwide. We deliver security information and event management (SIEM) software, combined with deep correlation functions, and advanced security solutions. CorreLog markets its solutions directly and through partners. We are committed to advancing and redefining the state of the art of system management, using open and standards-based protocols and methods. Visit our website today for more information.

CorreLog, Inc.
http://www.correlog.com
mailto:support@correlog.com