By the power of Orion®, we are SolarWinds® odd couple-enabled! In this episode, the Head Geeks examine Database Performance Analyzer and its integration into the Orion Platform. They show you how to use Virtualization Manager with Security Event Manager (formerly Log & Event Manager) to secure your Microsoft Hyper-V and VMware vSphere VM file sets. The latter is an ode to SolarWinds Lab™ Episode 27 “You’ve Already Been Hacked! Now What?”
Hey, Leon, what are you doing?
Well, I was just thinking about some of the stranger combinations that modern professionals get into nowadays.
You mean like pairing this shirt with this tie?
Well, I wasn’t going to say anything about it.
Well, that’s okay, but you know what else is odd?
I’m actually afraid to ask.
Well we could cut right to the demo.
Oh, like this?
Well, Tom, it is great to finally have you back on the set.
Finally? It’s not like it’s my first trip.
Well, it just seems like you’re always out and about, or buried under the snow in Massachusetts, or just, you know, you’re available on Skype and the phone and we talk all the time, but it’s good to have you here.
Yeah, it’s good to be here, but I’ve also just been out on the road a lot, presenting at places like Germany and London, spreading the good word of DPA and SolarWinds, and maybe you’re just a little bit jealous.
That’s possible. Executive Platinum was pretty good to me. All right, so what are we talking about today?
Ah, today, DPA integration for Orion.
Yes, and we’ve been hinting at this for a couple of episodes, and so we wanted to show it to you today.
Yeah, everybody knew it was coming and certainly all the SolarWinds old timers knew it was coming. It’s what happens to all the products, right? They get integrated in. Well I am happy to say it’s ready.
Awesome. So, just as a reminder, this is Database Performance Analyzer, formerly Confio Ignite, and it’s now integrated in the same dashboard as all the other Orion modules.
Yeah, it’s all buttery goodness.
Don’t you mean bacon-y goodness?
All right, well let’s go ahead and take a look at this. Hey, look at that! Orion with a database tab.
I know, isn’t it awesome? And you see right here, we have the big button that just says integrate.
Yeah, normally we’d get rid of this resource that kind of tells you how to get started, but in this case, when you come up the first time it’s going to give you this box; so click on ‘integrate.’
And what you’re going to come back with, now we’ve already integrated, so the screen’s a little bit different, but what you’re going to be able to do is put in the host name or IP address, put in your DPA credentials, and then you’ll be able to simply click another button that says integrate.
Yeah, and I won’t make a joke here about these port numbers.
Don’t say it?
No, don’t say it.
Don’t say it?
Don’t say it.
Don’t say SWIS?
All right. So we’ll come back here to the main tab. And what are we looking at?
So what you see here is integration with the nodes for SAM and for Orion along with some information from your individual database instances that are running. So you can drill through right now. Go ahead and click. So you’ve clicked through on the Disk Statistics for that particular instance, and you know that you’ve come right to the page, right to the absolute point where you want to look at for that particular issue. If you scroll up, you can see what page you’re actually on. You’re in the databases tab, the instance, and you’re looking at all the information, all the buttery goodness that’s come in for DPA for that particular instance.
That’s great, and here’s the subtabs that you would normally have on DPA underneath, so if you want to actually look at response time, either by wait, application, database, nodes, you can actually sort it that way.
That’s really cool. And then the other way you can get to that is if you go from the main database tab, and then you come down and click on an instance. You click on the node.
Yep, you click on the node.
You’re going to go to node details page and now you have…
The database performance tab.
And of course if you click on summary, you get all the usual AppInsight views that you used to see.
Right, so it’s just a set of resources that are integrated, either subtabs or summary view, or anywhere else, just like you’d expect it. And I definitely like being able to actually be, kind of get the net out almost like you would with applications up-down, that summary view. I’d still like to see this as a donut chart but I’ll take those two big boxes.
So let’s scroll down real quick. I just love the fact that what you’re getting here is just that high-level information for you to understand: is this a problem, and what can I do about it next? You get really good information and really good insight as to whether or not you can take action or if you need to call in the DBA and have them look at something else.
That’s just great. Thanks Tom. You know, we did hustle kind of hustle through that, just a little bit, but one of the reasons is, there’s a lot of great videos on Database Performance Analyzer, how to use it, how to set up, you’ve certainly done a lot of them. So we’ll throw the show notes with some links to those videos in, so you can check those out as well. And it’s great to have you.
Oh great, thank you. You seem taller.
Are you suggesting that I’m standing on an apple box?
No, no, not at all.
Well I am.
The new integrated DPA and Orion look phenomenal. But I have to admit, they’re not really that odd a combination. Now, they go really well together.
No, you’re absolutely right, but there was something a little odd about that segment.
Well there’s the fact that Tom and Patrick both aren’t actually in this episode.
Who’s not in this episode?
I stand corrected. [All laugh]
Actually though, the point of odd couples that you made there, isn’t so much that they don’t go together, it’s that you don’t always think of using those two things together the way you thought.
You mean like your pancake syrup and your Velcro?
Yeah that was pretty disturbing from the promo.
Okay, right, but I see what you’re saying, which is, as IT professionals, sometimes we have to look past the obvious combinations and look at pairings that may seem weird but they end up creating this really elegant solution when we’re done. Hence the theme today of odd couples.
Right, so which one of you is the grumpy old slob, and which one of you is the OCD freak?
[Sighs] So, Kevin, you know another strange thing? We haven’t actually done any introductions, would you like to correct that oddity for us?
Sure, I’ll get started. I’m Kevin Sparenberg.
I’m Leon Adato.
And I’m Patrick Hubbard. And thanks again for coming by SolarWinds Lab today. We’re obviously talking about non-obvious combinations of tools, and hopefully you’re chatting with us and giving us some insight into the things that you are using that you wouldn’t expect to see together in the chat box over there to the right. If you don’t see the chat box, well, that’s because you aren’t here live during the show. So you can fix that by swinging by our homepage, which is lab.solarwinds.com, sign up for reminders for upcoming episodes and you can also give us feedback about what you’d like to see on future shows.
So what I’d like to do now is I want to go back to an old odd couple that Kong mentioned a few episodes back, when we were talking about security. He mentioned securing virtual machine files using Log & Event Manager and Virtualization Manager. So, Kevin, you want to take a crack at that?
Absolutely, I may have to do so. So in the SolarWinds security episode, Kong provided four tips for securing VMs. So let’s focus on the steps that involve monitoring the VM folder and files.
Okay, so here we are in LEM. And tell me where we’re going to go from here, like where to start.
Okay, well, one of the things that LEM is really great about is grabbing security logs and bringing them all together in one concise location. So one of the things we’re going to want to do is monitor some of our Hyper-V hosts. So the first thing we should do is actually install the Agent on the Hyper-V host.
So for that we’ll have to remote to the agent or go to it directly.
Okay, so I’ve got a remote session set up here, here we go. And there’s our installer. And we’ve been through this a couple of times before, once with Rob Johnson—actually twice with Rob Johnson, so we’re not showing anything necessarily new, but in case you haven’t caught those episodes, we’re just going to quickly go through this. There’s the Windows Agent. We’re going to run the installer. All right, so here we are in the installer. Just like many of the SolarWinds installers, it’s not really a real brainteaser, just yes, yes, yes, next, next, next. Nothing we’re going to change on the ports?
Not ports, but we do have to put in the Manager Name.
Oh, the manager’s name. Not the manager’s dog’s name, which is a custom property in Orion that I love. There we go. I think we have one more next, and done. So the Agent is installed, there’s not a whole lot of fanfare or glory about this, we’re just, we’re there. So I think at this point we need to flip back to the LEM screen?
Yep, go back to the LEM console.
Shrink that down, here we go. And from here, if I remember correctly, we want to go to manage nodes?
Okay, so we’re going to go to the manage drop down, pick nodes. Now you can see that we had one already installed, VO2. We just installed VO1.
We didn’t have to do anything about it, we didn’t have to add it or anything, it’s just [claps hands] picked it up and went. So, we’ve got the agent installed. And what does that get us out of the box?
Out of the box, it gives us basic alerting for events and some correlation for security events, and auditing stuff from the Windows events side.
But the one thing for a hypervisor, what we really want is probably to watch the virtualization configuration files, those are the files for the guest operating systems, and also probably we want to watch the disk drives, whether that’s VMDKs, or in this case, VHDs and VHDXs.
Okay, great, so how do we set that up?
Okay, all we have to do is hit the gear.
The gear next to O1?
And go to connectors. And then, up at the top, fastest way to get here is actually just to hit search.
And type FIM.
F, I, M.
And there you go.
Okay, so we want FIM File and directory, not FIM Registry.
Although FIM registry is also a very interesting thing to do. Hit the gear there.
Yep, and create a new one. And we’ve got several templates you can start with; the one that we’re going to show today is going to be the PCI, so just select PCI and Add. And then on the right-hand side, you can see down at the bottom here, we actually have a lot of things that are already watching out of the box, but that doesn’t actually include the paths we’re actually looking for here.
Okay, so we want to hit this on the right-hand side and Edit monitor?
Edit the monitor.
And then we can add new paths.
Okay, so what path do you think we want?
Well, let’s go ahead and hit the browse
And actually navigate through. So in this machine, it’s on the D drive.
And then Hyper-V, and VHD. And you can just check the VHD box…
And tell it to read children, so…
Uh, read children?
Oh, sorry. Just hit OK here and it’ll give you the option to recurse through. So it automatically does that.
All files, recurse.
All files, recursive? Perfect.
For this, we probably don’t need to watch every single thing, but probably File Create, File Write, and definitely File Delete.
We probably are not going to need too much more, although permissions probably is a good idea, so Permissions Write is good. And that should be pretty much it.
Okay, and just to take a step back so that everyone can focus in on this screen for a second. So you not only have the ability to watch a granular level of directories, specific ones, or not ones, or whatever.
And recurse, but you can also say what it is that you’re looking for. So you’re looking for directory changes, creations or whatever or deletions, file deletions and so on and so forth, I mean everyone can read the screen here. The reason why I emphasize this is because one of the facets of the Target hack, the point-of-sales systems, was that the virus was such that it was creating fake directories underneath the user folder. Which is a very difficult thing for, not only anti-virus programs to get, but even—I tried to write a PowerShell script to do this, and it’s not easy to get into the user directory with admin authority, and then recurse down to look for specific file types. This is the kind of thing that would have caught that, and it wouldn’t have been horrifically expensive, because we’re not talking about putting it out on every single system or target, we’re talking about putting it on point-of-sales systems, which are important enough.
Oh yeah, critically.
So, these are the kinds of things where, when you’re considering LEM as a solution, you may be thinking, “Oh, well, it’s file correlation, and I’m just grabbing all of my Windows event logs, what’s that going to give me?” Well, there’s some other features in here that serve you in good stead. So we’ll hit save here. That gives us our extra path. Just to, again, restate, what we have now is the ability to know when disk files, because we’re talking about a virtual machine, are added or deleted, so we know when drives appear or disappear.
Yep. Very critical, especially if you do any type of drive sharing or if you do anything with snapshots. You can also monitor your snapshots folders, you can monitor if you’re using differencing disks, you can watch those as well. So there’s all kinds of options there. And of course, you can put filters on there if you only want to worry about the VMDKX files and you don’t care about your old VM, or excuse me, your VHDX files. And you don’t care about your VHDs; you can put your filters on there and be done with it.
Great. So, we have that set up. But that just tells us what LEM does, which is cool. Remember, we’re talking odd couples; so now we want to see how does this fit into the VMAN environment?
Sure, and that’s actually a really great segue. So one of the things you can see yesterday is that very, very large Free Space made a drastic, drastic change on one of my hypervisors. And I’m watching a couple of Hyper-V hosts, and in the ESX vSphere environment with this. So I get a little bit of everything. But here you can see that there is a dramatic change in the free disk availability. Now, had I had LEM up yesterday, I would have known instantaneously that someone had gone in, created a very large computer, and did not thin provision the disks. So all of a sudden, they took up a huge chunk of disk space, and now I am completely running out of it. And I need to go back and either move that to another host, or go around and smack somebody. [Both laugh]
Got it, okay. And just to clarify, what we’re saying is that this is what you called earlier “in-mind” event correlation.
So it’s not that you’re going to see on this screen, the LEM output, or on the LEM screen, the VMAN output, but having the total insight of knowing on the LEM side, hey, the disk was created, the directory was created, the files were created, whatever happened, will let you understand what’s happening here.
Yes. And the other thing is both systems have alerting. So you can set up your alerts to come in, either one or both, and have them come in, and they will correlate in your email box. Obviously not the ideal way to do it.
But you’ll be able to validate what you’re seeing.
So we just got done configuring the agent on Hyper-V side, so we can look at event logs from the Hyper-V hosts. If you have a mostly virtualized infrastructure with VMware, we still have a solution for you. You can actually go in and send your Syslogs directly from your ESX hosts to LEM. And then LEM can go ahead and process them and give you all the security information you want, including up down events, one offs, changes in sizes and all that kind of information.
Oh great, that’s very convenient.
So, if you out there only have a single ESX host, we’re actually going to go ahead and provide a set of command lines that you can go ahead and run on that host through the vSphere client.
Oh, this is a great time for a chart.
Yes, it would be a great one.
Ready? Here we go. There.
There, so just go ahead through there and just replace the LEMHostname with your host name or your IP address and your environment, and you can run this, and it’ll just go right through and start reporting directly to LEM. However if you’re running vSphere or vCenter, you can actually make it a little easier if you prefer the GUI.
Okay, so here we are, we’re actually in the vSphere, the thick client. And where do you want me to go from here?
Just go ahead and select one of the ESX hosts.
So there we go.
And then you go to Configuration tab, and down near the bottom you will see— you’ll have to scroll a little bit, there you go, Advanced Settings.
Advanced Settings, right at the bottom.
Uh-huh. Looks like a huge list. It’s kind of intimidating at first, but don’t worry about it. So scroll down and click on Syslog. And then you can see on the fourth option here, we’ve got the global Syslog host. All you do is put in–very similar to the script you guys just saw–it’s the same pattern. So it’s udp://, name, colon and then the port. In this case 514 for LEM.
And that’s it. You hit OK and it’s done. The only thing you will have to do is you will have to change the firewall to allow that.
Obviously, depending on where your systems are and all that stuff, so.
And actually, the in-built firewall on the ESX hosts. They have their own firewall.
Got it, okay, so just an FYI in case—when people say firewall, you’re always thinking, “Oh, I have to talk to the security team,” you’ve also got to make sure that the virtualization team, assuming that you’re not the virtualization team…
Also is aware of that piece. That’s a good catch.
Yep, burned me for a while, so we can go ahead and click on security profile.
And then properties.
And then all you do is check the box for Syslog, which on this machine, it will already be checked.
Syslog, okay so there. It’s easier to find if you sort by label, but there’s the Syslog one and like you said, it’s already checked for us, so we’re good, click OK.
It’s automatically applied.
Fantastic. So all you do is repeat this process for all of your additional ESX hosts, and if you have a bunch, you can create what’s called a host profile, and basically build the setting into it and then assign that host profile into each of the ESX hosts.
Fantastic, so if you’re dealing with an environment where it has 400…
Multiple vCenters, multiple clusters, all that, you can just do it once and set it and forget it.
Great, so that takes care of the ESX side. Now, what happens on the LEM side? Let’s flip over.
And here we are in LEM. There’s the ESX boxes that we were just looking at.
Yep, and we’ve actually come in and we didn’t even have to really manage the nodes on this one. I went to the original op center, these were the first devices I added, and after I set up the Syslog, I said, “Add node”, selected that they were Syslog hosts, hit OK, and it said, “We found these too, are these correct?” I said “yes.” And they said, “They look like VMware”, I said, “Yeah, they’re VMware”, so it said, “We’re going to go ahead and select these options for you.” And then LEM just took off from there and it’s been watching security events ever since.
So there’s really no configuration, besides just adding a Syslog host in here. And at that point, all the information is coming in?
Yep, the only thing after that point is then you have to worry about your alerting and any correlation rules you want to put in place, and anything like that. That, of course, is unique to everyone’s environment, what they want to watch.
Right, but just to clarify again, this is the same concept as we did just a minute ago with watching disk changes, file size, the same thing. It’s just a different information stream. So this is one of those “more than one way to skin a cat” kind of things.
Great, thank you.
And that’s it. So now, we’ve got security on both ESX hosts and VMware environments and Hyper-V hosts and Microsoft environments.
This is fantastic.
That was great, guys. And it’s another example of using two things together, that you might not always think of and once you dig into it, it makes perfect sense.
Right, it’s something that IT pros are used to doing, even when you combine tools from multiple different vendors. For example, you can take SolarWinds monitoring, and then use Perl scripts to push alerts to a Jabber instant message server and have those alerts contain programmatically built links to your PM Wiki knowledge base.
Yeah, but you’d also want to open a ticket with web help desks so you can continue the tracking on that.
Right. And then what you can do is build on that, and…
That would all be very cool. But I think we have plenty of content for another episode, and so if you guys have ideas about what you’d like to see us talk about then make sure you swing by our home page and let us know. That, of course, is lab.solarwinds.com, and let us know what you want to see because this show, again, is driven entirely by what you guys are asking for. So you know what else would be really odd?
What’s that? Is if it went straight to credits without even more yammering. I’m Patrick Hubbard.
I’m Leon Adato.
And I’m Kevin Sparenberg. Thanks for watching SolarWinds Lab.