USER GUIDE VERSION 4.2 Sniffer ® Enterprise Administrator

Upload: merseysideweeklies-v1s1ter

Post on 17-Mar-2016


USER GUIDE

VERSION 4.2

Sniffer® Enterprise Administrator


COPYRIGHT

© 2005-2006 Network General Corporation. All Rights Reserved. No part of this publication may be reproduced, transmitted, transcribed, stored in a retrieval system, or translated into any language in any form or by any means without the written permission of Network General Corporation or its suppliers or affiliate companies.

TRADEMARK ATTRIBUTIONS

Sniffer, InfiniStream, Network General, Business Container, Instant Business Visibility, NetVigil, and the Network General logo are registered trademarks or trademarks of Network General Corporation. Only Network General Corporation makes Sniffer® brand products. All other registered and unregistered trademarks herein are the sole property of their respective owners.

LICENSE AGREEMENT

NOTICE TO ALL USERS: PLEASE READ THIS CONTRACT CAREFULLY. THE TERMS AND CONDITIONS OF THIS END USER LICENSE AGREEMENT (“AGREEMENT”) GOVERN USE OF THE SOFTWARE UNLESS YOU AND NETWORK GENERAL CORPORATION (“NETWORK GENERAL”) HAVE EXECUTED A SEPARATE END USER LICENSE AGREEMENT WITH RESPECT TO THE PRODUCT.

Network General is willing to license the Software to you only upon the condition that you accept all the terms contained in this Agreement. By clicking on the “I accept” button during the software installation or using the Software, you have indicated that you understand this Agreement and accept all of its terms. If you do not accept all the terms of this Agreement, click on the button that indicates that you do not accept the terms of this Agreement or do not install the Software.

1. Definitions.

(a) “Documentation” means installation guides and operation manuals provided with the Product.

(b) “Product” shall mean Software product, hardware product, or a product which consists of Software and the associated hardware provided by Network General or Network General's authorized reseller or distributor (an “Authorized Partner”) for use with the Software.

(c) “Software” means (i) the computer programs in object code only (except as otherwise provided in Section 13 of this Agreement) provided to you by Network General or an Authorized Partner and (ii) any upgrades, subsequent versions and updates (collectively “Updates”) to such software that may be provided to you by Network General or an Authorized Partner if you are under a support contract.

(d) “Use” or “Using” means to access, install, download, copy or otherwise benefit from executing or interaction with the Software.

(e) “Network General” means Network General Corporation, a Delaware corporation, and any of its subsidiaries and affiliates.

2. License Grant. Subject to the terms and conditions of this Agreement, Network General hereby grants to you a nonexclusive, non-transferable license to Use the Product for your internal business operations. Some third party materials included in the Software may be subject to other terms and conditions, which are typically found in a “Read Me” file or “About” file in the Software. You agree to read such other terms and conditions and if you do not agree to accept such terms, do not use the Software.

3. Term. This Agreement is effective until terminated. You may terminate this Agreement at any time by destroying all copies of Software. This Agreement will terminate immediately without notice from Network General if you fail to comply with any provision of this Agreement. Upon termination of this Agreement, you must destroy or disable all copies of Software.

4. Ownership Rights. The Product is protected by United States and other copyright laws, international treaty provisions and other applicable laws in the country in which it is being used. Network General and its suppliers own and retain all right, title and interest in and to the Product, including certain patents, all copyrights, trade secret rights, associated trademarks and other intellectual property rights therein. Your possession, installation, or Use of the Product does not transfer to you any title to the intellectual property in the Product, and you will not acquire any rights to the Product except as expressly set forth in this Agreement. Any copy of the Software and Documentation authorized to be made hereunder must contain the same proprietary notices, including any notice of copyright, trademark, logo, legend or other notice of ownership, that appear on and in the original copy of the Software and Documentation.

5. Additional Terms for Unsupported Products. If the product you have received with this license is (i) “Evaluation,” (ii) “Alpha” or “Beta” product (such Alpha or Beta product referred to herein as “Pre-Release Product”), or (iii) Sniffer Tool Collection software (together with Evaluation and Pre-Release Product, “Unsupported Products”) then the provisions of this section apply. To the extent that any provision in this section is in conflict with any other term or condition in this Agreement, this section shall supersede such other term(s) and condition(s) with respect to the

September, 2006 / 103021 / Sniffer Enterprise Administrator 4.2


Unsupported Products, but only to the extent necessary to resolve the conflict. You acknowledge that the Unsupported Products may contain bugs, errors and other problems that could cause system or other failures and data loss. Consequently, Unsupported Products are provided to you “AS IS” and Network General disclaims any warranty or liability obligations to you of any kind. Network General support service offerings are not available for the Unsupported Products. WHERE LEGAL LIABILITY CANNOT BE EXCLUDED, BUT MAY BE LIMITED, NETWORK GENERAL'S LIABILITY AND THAT OF ITS SUPPLIERS AND AUTHORIZED PARTNERS SHALL BE LIMITED TO THE AMOUNT PAID OR PAYABLE BY YOU TO NETWORK GENERAL FOR THE PRODUCTS LICENSED HEREUNDER FROM WHICH SUCH LOSS OR DAMAGE DIRECTLY AROSE. You acknowledge that Network General has not promised or guaranteed to you that Pre-Release Product will be announced or made available to anyone in the future; Network General has no express or implied obligation to you to announce or introduce the Pre-Release Product; and you understand that Network General may not introduce a product similar to or compatible with the Pre-Release Product. Accordingly, you acknowledge that any Use of the Pre-Release Product or any product associated with the Pre-Release Product is done entirely at your own risk. During the term of this Agreement, if requested by Network General, you will provide feedback to Network General regarding testing and use of the Pre-Release Product, including error or bug reports. If you have been provided the Pre-Release Product pursuant to a separate written agreement, your use of the Pre-Release Product is also governed by such agreement. 
Upon receipt of a later unreleased version of the Pre-Release Product or release by Network General of a publicly released commercial version of the Pre-Release Product, whether as a stand-alone product or as part of a larger product, you agree to return or destroy all copies of earlier Pre-Release Product received from Network General and to abide by the terms of the applicable End User License Agreement for any such later versions of the Pre-Release Product. Your Use of the Evaluation or Pre-Release Product is limited to 30 days unless otherwise agreed to in writing by Network General. With respect to Pre-Release Products, you understand the features and functions are confidential and you will not disclose any such features and functions until such time as the Pre-Release is Publicly available.

6. Restrictions. You may not sell, lease, license, rent, loan, resell or otherwise transfer, with or without consideration, any Product. If you enter into a contract with a third party in which the third party manages your information technology resources (“Managing Party”), you may transfer only your rights to Use the Product to such Managing Party, provided that (a) the Managing Party only Uses the Product for your internal operations and not for the benefit of another third party; (b) the Managing Party agrees in writing provided to Network General to comply with the terms and conditions of this Agreement, and (c) you provide Network General with written notice that a Managing Party will be Using the Product on your behalf. Except with Network General's prior written consent, you may not permit third parties to benefit from the Use of the Product via a timesharing, service bureau or any other arrangement. You may not reverse engineer, decompile, or disassemble the Product, except to the extent the foregoing restriction is expressly prohibited by applicable law. You may not modify, or create derivative works based upon, the Product in whole or in part. You may not copy the Software or Documentation except for a single copy for back-up purposes. You may not disclose the results of any benchmarking or other tests of the Software or Hardware to any third party without Network General’s prior written approval. You may not remove any proprietary notices or labels on the Software.

7. Warranty and Disclaimer. Network General warrants that (i) hardware will be free from defects in material and workmanship under normal use and service and will conform in all material respects to Network General's applicable specifications for one (1) year from the shipment date, and (ii) Software will perform substantially in conformance with the specifications set forth in the Documentation for 60 days from the shipment or transmission date. Network General does not warrant that operation of the Product will be error-free or uninterrupted. Network General shall, at its option, repair or replace any defective hardware and will provide a workaround or correction for any nonconformity in the Software provided that (a) you give Network General prompt written notice of the defect or nonconformity within the warranty period specified above; and (b) you return the defective hardware at your expense to Network General in accordance with Network General's standard parts exchange procedures. This warranty does not apply to defects or nonconformities in the Product caused by: (a) your failure to follow Network General's installation, operation or maintenance instructions or procedures; (b) your mishandling, misuse, negligence, or improper installation, deinstallation, storage, servicing or operation of the Product; (c) modifications or repairs not made by Network General or a Network General-certified individual; and (d) power failures, surges, fire, flood, accident, actions of third parties or other events outside Network General's reasonable control. Any hardware repaired or replaced by Network General or any Software for which a workaround or correction is provided shall continue to be warranted for the remainder of the original warranty period. 
Some newly manufactured Network General products may contain and Network General support may use remanufactured/reconditioned parts or components that meet the same quality standards as new parts and components and are covered by the applicable Network General product warranty. THIS WARRANTY (1) IS YOUR SOLE AND EXCLUSIVE REMEDY AND NETWORK GENERAL'S ENTIRE LIABILITY FOR DEFECTIVE OR NONCONFORMING ITEMS, AND IS IN LIEU OF ALL OTHER WARRANTIES, EXPRESS, IMPLIED OR STATUTORY, INCLUDING BUT NOT LIMITED TO THE IMPLIED WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE, AND NONINFRINGEMENT OF THIRD PARTY RIGHTS, AND (2) IS BETWEEN NETWORK GENERAL AND YOU (AS THE ORIGINAL PURCHASER) AND MAY NOT BE TRANSFERRED OR ASSIGNED, BY OPERATION OF LAW OR OTHERWISE, WITHOUT NETWORK GENERAL'S PRIOR WRITTEN CONSENT.

8. Limitation of Liability. NETWORK GENERAL SHALL NOT BE LIABLE FOR ANY INDIRECT, SPECIAL, INCIDENTAL OR CONSEQUENTIAL DAMAGES RESULTING FROM OR ARISING OUT OF OR IN CONNECTION WITH THE PRODUCT OR USE HEREUNDER, INCLUDING NETWORK FAILURES OF LOST PROFITS. NETWORK GENERAL'S LIABILITY SHALL NOT EXCEED THE AMOUNT PAID OR PAYABLE BY YOU FOR THE PRODUCT THAT DIRECTLY CAUSED THE LIABILITY. Network General is acting on behalf of its suppliers for the purpose of disclaiming, excluding and/or limiting obligations, warranties and liability as provided in this Agreement, but in no other respects and for no other purpose. The foregoing provisions shall be enforceable to the maximum extent permitted by applicable law.

9. Notice to United States Government End Users. The Product and accompanying Documentation are deemed to be “commercial computer software” and “commercial computer software documentation,” respectively, pursuant to DFAR Section 227.7202 and FAR Section 12.212, as applicable. Any use, modification, reproduction, release, performance, display or disclosure of the Product and accompanying Documentation by the United States Government shall be governed solely by the terms of this Agreement and shall be prohibited except to the extent expressly permitted by the terms of this Agreement.

10. Confidentiality. Each party agrees to maintain the confidentiality of the other party's Confidential Information, and not to disclose it to a third party, without the prior written consent of the other party. “Confidential Information” shall mean all documents, disclosures and written or oral statements disclosed by the disclosing party that are identified as “confidential;” and all such information that, by its nature is confidential regardless of whether it is marked.

11. Export Controls. You are advised that the Product and Documentation is of U.S. origin and subject to U.S. Export Administration Regulations; diversion contrary to U.S. law and regulation is prohibited. You agree not to directly or indirectly export, import or transmit the Product and/or to any country, end user or for any end use that is prohibited by applicable U.S. regulation or statute (including but not limited to those countries embargoed from time to time by the U.S. government). You represent that neither the United States Bureau of Industry and Security nor any other governmental agency has issued sanctions against you or otherwise suspended, revoked or denied your export privileges. You agree not to use or transfer the Product for any end use relating to nuclear, chemical or biological weapons, or missile technology, unless authorized by the U.S. Government by regulation or specific written license. Additionally, you agree not to directly or indirectly export, import or transmit the Product contrary to the laws or regulations of any other governmental entity that has jurisdiction over such export, import, transmission or use. You Buyer agree not to use or transfer the Products and/or Documentation for any end use relating to nuclear, chemical or biological weapons, or missile technology, unless authorized by the U.S. Government by regulation or specific written license.

12. High Risk Activities. The Product is not fault-tolerant and is not designed or intended for use in hazardous environments requiring fail-safe performance, including without limitation, in the operation of nuclear facilities, aircraft navigation or communication systems, air traffic control, weapons systems, direct life-support machines, or any other application in which the failure of the Product could lead directly to death, personal injury, or severe physical or property damage (collectively, “High Risk Activities”). Network General expressly disclaims any express or implied warranty of fitness for High Risk Activities.

13. Governing Law. This Agreement shall be governed by and construed under the laws of the State of California without regard to the conflicts of law provisions thereof. All litigation arising under this Agreement shall be tried in the courts of Santa Clara County, California. The United Nations Convention on Contracts for the International Sale of Goods shall not apply to this Agreement.

14. Free Software. The Software may include some software programs that are licensed (or sublicensed) under the GNU General Public License (GPL) or other similar free software (“Free Software”) licenses which, among other rights, permit a user to copy, modify and redistribute certain programs, or portions thereof, and have access to the source code. The GPL requires that for any software covered under the GPL, which is distributed to users in an executable binary format, that the source code also be made available to those users. For any such software covered under the GPL, the source code will be provided to you upon your request. If any Free Software licenses require that Network General provide rights to use, copy or modify a software program that are broader than the rights granted in this agreement, then such rights shall take precedence over the rights and restrictions herein.

15. Audit for License Usage. Network General reserves the right to periodically audit you to ensure your compliance with the terms of this Agreement. During your standard business hours and upon prior written notice, Network General may visit you and you will make available to Network General or its representatives any records pertaining to the Software. The cost of any requested audit will be solely borne by Network General, unless such audit discloses an underpayment or amount due to Network General in excess of five percent (5%) of the initial license fee for the Software or you are using the Software in an unauthorized manner, in which case you shall pay the cost of the audit.

16. Miscellaneous. This Agreement sets forth all rights for the user of the Software and is the entire Agreement between the parties with the exception of any applicable licenses described in Section 13 (“Free Software”). This Agreement supersedes any other communications, representations or advertising relating to the Products and Documentation. This Agreement may not be modified except by a written addendum which references this Agreement and is issued by a duly authorized representative of the parties. No provision hereof shall be deemed waived unless such waiver is in writing and signed by a duly authorized representative of Network General. If any provision of this Agreement is held invalid, the remainder of this Agreement shall continue in full force and effect. All rights not expressly set forth hereunder are reserved by Network General.

17. Network General Customer Contact. If you have any questions concerning these terms and conditions, or if you would like to contact Network General for any other reason, please call 408-571-5000 or write to: Network General, 178 East Tasman Drive, San Jose, California 95134.


Contents

1 Administrator Overview

About the User Guide

What’s New in this Release?

Navigating the User Interface

Using Online Help

Viewing Information on the Resources Page

Manage Resources

Viewing System Status

Active Users

System Summary

NetworkUser Preferences

My Resources for NetworkUser

System Summary for NetworkUser

2 Adding and Licensing Resources

Adding Resources

Adding a Single Resource

Adding Multiple Resources

Using Wild Cards in Multiple Resource Discovery

Discovering Resources from a CSV File

About InfiniStream Resource Discovery

Adding Licenses from the Resources Page

Licensing Additional Managed Interfaces

Viewing Current License Information

Requesting and Loading Additional Licenses

3 Managing Resources

About Managed Resources

Managing Sniffer Enterprise Visualizer

Managing InfiniStream

Viewing the Resources List

Connecting to Resources through the Resources Page


Viewing Resource Properties through Resource Details

Editing the Device Name

Editing a Resource Internal Address

Resources > Overview Page Status Icons

Resource Compliance

Viewing System Performance

Deleting Resources

4 Configuring Resources

Configuring Sniffer Distributed Resources

Configuring Resources Using Clone Configuration

Working with Software Update Packages

Adding Software Update Packages

Applying or Scheduling Software Update Packages

Software Updates within a Community

Editing Software Update Packages

Uploaded Files Pane

Viewing or Deleting Pending Software Update Packages

Automatic Patch Download and Distribution

Manually Applying Update Packages and Patches

Troubleshooting Automatic Patch Distribution

SEA Agent is Missing

5 The Administrator Community

Viewing Members of the Community

Adding Servers to the Community

MySQL Server IDs

Adding a Replicating Pair to a Community

Setting up Communities in a NAT Environment

Editing Servers in the Community

Deleting a Server from the Community

Deleting a Replicating Pair

Deleting a Server behind a NAT Firewall from the Community

6 Configuring the Administrator Server

Administration > Overview Page Options

Setting Session Control

Supported Proxy Environment


Specifying Server Control Options

Specifying a Shared File Storage Path

Changing the File Storage Path to a Shared Network Drive

Database Replication and Replication Status

Replication and Licensing

Configuring Database Replication

Specifying an External Storage Path

Viewing Replication Status

Email Server Configuration

Restarting the Administrator Service

Configuring Access Control

Add IP Address

Select Method

Access Control IP List

Setting Access Control

7 Creating and Managing Users

User Administration when Administrator is Managing Other Devices

Viewing the Users Page

Users List

User Details

Adding Users

Password Security Guidelines

Limitations of User Properties

User Roles

Creating New Roles

Permission Settings for Roles

Sniffer Distributed Appliance Permissions

MultiSegment Intelligence Permissions

Enterprise Administrator Permissions

Enterprise Visualizer Permissions

InfiniStream Permissions

Domain-specific Role Override

Editing User Roles

Editing Users

NetVigil Membership

Deleting Users

Getting User Reports


8 Working with File Management
File Management - Shared File List
Uploading Files

9 Authentication
About Authentication
One-Time Password Authentication
Authentication Servers
Authentication Settings
More about Unanimous Access Denial
Adding and Configuring Authentication Servers
Editing Authentication Servers
RADIUS Authentication Protocol Options
Windows Domain Authentication Protocol
TACACS+ Authentication Protocol Options
LDAP Authentication Protocol Options
Deleting Authentication Servers

10 Working with Domains
About Domains
Domains and Visualizer Installations
Domains and NetVigil Installations
The Domains List
Adding Domains
Assigning NetVigil Departments
Editing Domains
Deleting Domains

11 Working with Alarms
The Alarms > Overview Page
Top Ten Alarms
Alarm Summary
Viewing the Alarm Monitor
Configuring the Alarm Forwarder
Removing Alarm Forwarding Destinations
The Alarm Monitor
Working with the Alarm Monitor


Alarm Details
Filtering the Alarm Monitor
Configuring Alarm Severity Definitions and Thresholds
Severity Definition
Setting Alarm Severity Definition
Editing Alarm Severity Definitions
Automating Alarms
Viewing the Alarm Automation List
Adding Automated Alarm Criteria

12 Enabling Third-party Tools to Receive Alarms
Communicating with Third-party Alarm Applications
Configuring HP Open View
Specifying HPOV NNM as a Configured Destination
Configuring Tivoli Enterprise Manager

13 Accessing Activity Logs and Generating Data Logs
Viewing and Filtering the Activity Log
Viewing Activity Logs
Filtering Activity Logs
Recorded Activities and Events
Recorded Administrator Activities
Detailed Activity Log Entries
Recorded Visualizer Activities
Recorded InfiniStream Activities
Recorded Administrator and Visualizer Activities
Saving and Printing Activity Log Data
Activity Log Data Purging
Generating Data Logs
Generating Data Logs for the Administrator Server
Generating Data Logs for Sniffer Distributed Agents
Generating Report Files

A Error Messages, FAQs, and Troubleshooting Tips
Log and Error Messages
Resource Log Messages
Authentication and Security Messages
General Troubleshooting


Third-party Software Issues
Connection Issues
Resource Discovery and Resource Management
Authentication and Authorization Settings
Alarm Management
Software Updates
Remote Reimaging
Replication
Database Replication Troubleshooting
Verifying Replication
Database Recovery Procedure
Loading a Database Snapshot
Recovering from a Replication Stoppage
Collecting Information for Unresolved Replication Issues
Converting a Secondary System to a Primary System
Converting a Replicating System to a Standalone System

Index

1 Administrator Overview

This section provides an overview to get you started with Administrator, including the following topics:

What’s New in this Release? on page 11

Navigating the User Interface on page 12

Viewing Information on the Resources Page on page 14

NetworkUser Preferences on page 19

System Summary on page 18

Active Users on page 17

About the User Guide

This guide provides detailed information for using the features provided with this release of Sniffer Enterprise Administrator.

Audience

This guide is designed and produced for two audiences:

Network troubleshooters or managers who use Sniffer Distributed, Sniffer Portable, InfiniStream platforms, and/or Sniffer Enterprise Visualizer installations.

Application Managers working in collaboration with Network Managers to find application performance problems.

What’s New in this Release?

This release of Sniffer Enterprise Administrator provides the following new features and functionality:

Integration with Sniffer Enterprise NetVigil. Starting with this release, Administrator can discover, manage, and provide user authentication for NetVigil installations. When a NetVigil installation is discovered by Administrator, Administrator provides a list of managed Visualizer installations to NetVigil.


With the integration of NetVigil, Administrator also provides a single log on for Visualizer and NetVigil installations.

For detailed information, see NetVigil Membership on page 95, Working with Domains on page 111, and Domains and NetVigil Installations on page 112.

Management of Application Intelligence Appliances. Administrator can discover and manage AppIntell appliances in the same manner in which it discovers and manages Sniffer Distributed resources.

Navigating the User Interface

A user with administrative privileges will see the tabs and options summarized in the following table.

A user without administrative privileges, or assigned the NetworkUser role, will see a simplified Resources page upon logging in. See NetworkUser Preferences on page 19, My Resources for NetworkUser on page 20, and System Summary for NetworkUser on page 20 for more information.

TIP: Pressing F5 from anywhere in the user interface will return you to the Resources > Overview page.

NOTE: Administrator is licensed by feature set. Depending on the features purchased and licensed with your installation, you may not be able to access and view all pages summarized in the following table. An installation licensed for MultiSegment only does not allow access to any resource, domain, user management, or user authentication pages. An installation licensed for resource management functionality only does not allow access to MultiSegment pages.

Table 1-1. Pages and Tasks

| Tab | Tasks |
| --- | --- |
| Resources | View the Resources list and resource details as well as add new resources. If you’re just getting started, see Adding Resources on page 21 to populate your Resources list. Links available from the Resources tab: • Software Update • Pending Updates • Automatic Patch Distribution |
| Users | View the Users list and user details. If you’re just getting started, see Adding Users on page 85 to add users to your system. Links available from the Users tab: • Add User • Role Configuration • File Management |
| Domains | View the Domains list and domain details. Link available from the Domains tab: • Add Domain |
| Activity Log | View the activity log for the Administrator server. Log filtering options are provided at the top of the page. |
| Alarms | View the top ten alarms and the alarm summary, access the Alarm Monitor, and configure alarm forwarding. Links available from the Alarms tab: • Severity Definition • Automation |
| Analysis (MultiSegment Intelligence) | View current MultiSegment Intelligence sessions and session details. Note: The Analysis tab is available when MultiSegment Intelligence is licensed and enabled. Links available from the Analysis tab: • Templates • Schedules • Compare • Settings • Preferences. NOTE: To access session data and view session decode analysis, open the session from the Current Sessions pane. After opening a session, you’ll have the session Summary, Filter, Application Analysis, Multitier Analysis, Details, and Settings tabs available through an additional window. |
| Administration | View and edit current server administration parameters, view and edit the current email server configuration, and request additional resource licenses. Links available from the Administration tab: • Access Control • Authentication • Community • Backup/Restore • System Status |

Using Online Help

There are two help access points within Administrator. To launch the main help system, click User Guide from the navigation bar.

To access context-sensitive help for each screen, click the help icon located in the top-right corner of most panes. This launches the system help file open to the topic related to what is onscreen.

After context-sensitive help is launched, you can use the arrow tools to scroll through topics. Click to open the left pane of the help system to view the table of contents, search, and index features.

NOTE: When using the help system, click Show in Contents to synchronize the displayed topic with the contents or list in the left pane.

Viewing Information on the Resources Page

After successfully logging in, you will see the Resources > Overview page. The following table summarizes the contents of the Overview page.

NOTE: Just getting started? See Adding Resources on page 21 for more information on populating your Resources > Overview page.

Table 1-2. Resources > Overview Page Contents

| Name | Description |
| --- | --- |
| Manage Resources | Provides an overview of the resources available to the user. Using icon links in the pane, you can: • Connect to the resource via a Console. The appearance of this icon is dependent on the resource type and version, as well as what consoles, if any, are installed on the browsing client. See Connecting to Resources through the Resources Page on page 37 for more information. • View System Performance. • Clone Resource Configuration. • View Current Activities (from the Activity column). NOTE: Users are allowed to connect to resources if they have access permission as defined in the user profile. Membership in a domain that contains the resource and enabling access to the resource through role permissions are required. However, a user with Enterprise Administrator permission will only need to enable access to the resource through role permissions. The Status column displays icons representing the current state of the resource. See Resources > Overview Page Status Icons on page 39 for detailed information. |
| Add Resources | See Adding Resources on page 21 for detailed information. |
| Additional Icons | Additional icons on the Resources > Overview page include: • Refresh List. Click to retrieve and view the latest entries. • Help. Click to open context-sensitive help for that area. • Export to CSV. • Print. • Status icons: See Resources > Overview Page Status Icons on page 39 for detailed information. |


Manage Resources

The Manage Resources pane provides an overview of resources available to the user and quick links to perform configurations, connections, and other actions on resources.

To edit the configuration for a resource listed in Manage Resources, select the resource in the list, and then click Configure at the bottom-right corner of the pane. Access to the external console is authenticated using the credentials supplied during the log in to Administrator.

Table 1-3. My Resource Pane Contents

| Column | Description |
| --- | --- |
| Actions | Actions you can perform on the resource are represented by the following icons: • Clone Configuration. Click to open the Administrator Clone Configuration page. Clone configuration allows you to copy the settings of a resource and apply those settings to one or more managed resources. See Configuring Resources Using Clone Configuration on page 46 for more information. • Connect. Click to open Console session and connect to a resource. The appearance of this icon is dependent on the resource type and version, as well as what consoles, if any, are installed on the browsing client. See Connecting to Resources through the Resources Page on page 37 for more information. |
| Resource | The name of the resource. If a name was not entered during resource configuration, the IP address is shown. |
| Address | The IP address of the resource. |
| Device | Name of the network interface card for that resource. NOTE: Administrator recognizes one interface as one resource although a managed resource or Appliance may have two or more interfaces installed. |
| Version | Version of the resource. For example, Sniffer Distributed Agents running version 4.5 will show 4.5.x. |
| Topology | Topology of the resource. |
| Status | The status of the resource as represented by multiple icons. See Resources > Overview Page Status Icons on page 39 for detailed information. See Resource Compliance on page 41 for detailed information about compliance status displayed in the Status column. An alarm icon indicates an alarm has been triggered on that resource. Click the icon to open the Alarm Monitor and view detailed information for the alarm. Note: Icons or status indicators may not appear if an alarm has not been triggered on a resource. |
| Activity | Click Show Activity in this column to view the Activity Log. Log entries are pre-filtered for events specifically on the selected resource. |

Viewing System Status

Click the Administration tab, then click System Status to view system information.

Table 1-4. System Status Page Contents

| Name | Description |
| --- | --- |
| Active Users | Provides an overview of users logged in. Clicking the Edit icon opens the Edit User Account page. |
| System Summary | Provides a quick overview of your Administrator system. Information provided includes the number of resources online, the number of current user sessions, the number of domains created for the system, a licensing summary, and server information. See System Summary on page 18 for detailed information. |

Active Users

The Active Users list on the Administration > System Status page provides an overview of users currently logged into Administrator. This lists the users currently logged in and the IP address for each user.

If you wish to terminate an active session, highlight a user from the list and click End Session.

NOTE: Clicking the Edit icon opens the Edit User Account page for that user.

System Summary

Access the System Summary at any time by clicking the Administration tab and clicking System Status. The System Summary includes:

Resources. The number of resources managed by Administrator and listed in the Resources list. Also shown are the resources currently online, or the number of resources currently connected.

Users. The number of users entered into the Administrator system and listed in the Users list, and the number of users currently logged in.

Domains. The number of Administrator domains listed in the Domains list.

Licenses Available. The total number of licenses represents the maximum number of resources manageable by this installation.

Server Information. Includes a summary of configurations on the Administrator machine:

Local Time. The local time set on the Administrator server.

Variation. The Administrator version installed on the Administrator server.

Free Disk Space. The free space remaining on the C: drive at the time the Administration > Overview page was loaded.

Database. The database and version installed and used by the Administrator server.

Webserver. The Web server version installed and used by the Administrator server.

OS Name. The operating system and version installed on the Administrator server machine.

OS Architecture. The operating system platform or architecture.

System Type. Indicates the Administrator server is configured as a Primary, Secondary, or Non-replicating server.


NOTE: The Get Logs link at the bottom of the Server Information list allows you to download system files to be used by Network General Technical Support in the event you have to troubleshoot Administrator activities. Click Get Logs and then open or save the contents of the zip file to your local system. See Generating Data Logs for the Administrator Server on page 165 for detailed information.

Terminating User Sessions

When a user ends an Administrator connection by closing the browser window without formally logging out, an inactive user session is reported on the Administration > System Status page > System Summary through the User sessions currently running indicator. Multiple connections ended in this manner increment the inactive sessions count indefinitely. It is highly recommended that you formally log out when you would like to terminate your Administrator connection. If you do not, Administrator deletes user sessions after 30 minutes of inactivity.

NOTE: Administrator licensing is based on the number of managed resources — not user sessions. Therefore, the number of user sessions can extend beyond the Administration > System Status page > System Summary > Total Users count without adverse consequences.

NetworkUser Preferences

A user is a person who will manage resources, view alarm events, and access MultiSegment Intelligence to analyze network data with Administrator. The Preferences tab provides an area to edit the NetworkUser’s first and last name (not the account name with which the user logs into the system), password, email address, phone number, and description.

A user with administrative privileges grants other users administrative privileges or access to resources and Administrator components. See User Roles on page 87 for detailed information about creating and assigning roles.

If the Administrator user is assigned the “NetworkUser” role (a user who does not have administrative privileges), the user will see a simplified Resources page after logging in.

NOTE: A user with administrator rights will see the Resources page after logging in. This page provides a system summary of users, resources, domains, licenses, a server status snapshot, and a summary of user activity on your Administrator installation. See Navigating the User Interface on page 12 for more information.

My Resources for NetworkUser

The My Resources pane provides an overview of resources available to the user (grouped by domains) and quick links to perform configurations, connections, and other actions on resources. Table 1-3 summarizes the information and options available in this pane.

System Summary for NetworkUser

The System Summary for a user with NetworkUser privileges is an abbreviated version of the System Summary available to administrative users. The pane includes Resources online and Server Information for the Administrator server.

2 Adding and Licensing Resources

A resource is any Network General product that is browser enabled and manageable by Administrator. For resources with multiple interfaces in one Appliance, Administrator recognizes one resource for each available interface or media module.

Adding Resources on page 21

Adding a Single Resource on page 23

Adding Multiple Resources on page 23

Discovering Resources from a CSV File on page 26

Adding Licenses from the Resources Page on page 28

Licensing Additional Managed Interfaces on page 28

Requesting and Loading Additional Licenses on page 29

Adding Resources

Adding a resource to the Administrator Resources list establishes a connection with the resource. Administrator cannot manage or communicate with a resource until the resource has been added. After resources are added, they are also available for use in Analysis sessions. Resources do not have to be members of a domain to be managed by Administrator.

See also:

Adding a Single Resource on page 23

Adding Multiple Resources on page 23

Discovering Resources from a CSV File on page 26

Adding Licenses from the Resources Page on page 28

When adding resources, please keep the following in mind:


You may only add resources to an Administrator Appliance if a sufficient number of licenses is available. If you want to manage additional resources beyond your current number of licensed resources, you must obtain a valid license file. See Licensing Additional Managed Interfaces on page 28 for more information. Please note, if you have reimaged your Appliance, the base software image is not licensed for any resources.

For Sniffer Distributed resources, the WWW service on the Agent must be started before discovering the Agent through Administrator.

You cannot selectively discover and add some of the interfaces of a resource with multiple interfaces. For example, if you have two available licenses, you cannot discover two of the four interfaces of an ET05 Appliance. You will need to increase the available licenses to four or more before discovering an ET05 Appliance.

For Administrator to properly manage a resource, the device name must exactly match the name of the adapter card.

Licensing is per interface, not per resource. To discover a resource with multiple interfaces, you need to have enough licenses to manage all the interfaces the resource contains. If your available licenses are less than the number of interfaces the resource you intend to discover contains, you will not be able to discover the resource at all.

In a database replication scenario, if your primary Administrator Appliance has more than the default number of resources licensed, and the secondary Appliance has only the default resource licenses, you will not be able to add additional resources to the secondary Appliance until additional resources are licensed specifically for the secondary Appliance.

To add and manage a Visualizer installation you have to first discover all the interfaces monitored by Visualizer and then discover the Visualizer. When you attempt to discover a Visualizer, Administrator will check to see if all the interfaces the Visualizer is monitoring are already managed. The Visualizer discovery will abort if that is not the case.

If you perform any of the following configuration changes on managed resources, make sure to delete (unmanage) and rediscover those resources after completing the changes.

Link aggregation for bundling or unbundling of Sniffer Distributed media modules

Station Mode Option changes for Sniffer Distributed resources

Stream aggregation for Sniffer InfiniStream interfaces


Adding a Single Resource

To add one or more resources, you must be an administrative user with access to view all resources within your system.

To add a resource:

1 Click Resources.

2 Ensure the contents of the Single tab are displayed in the Add Resources pane.

3 To add one resource, specify the resource name (optional) and address. You can also specify the Windows DNS name.

NOTE: External addresses can be entered post-discovery through the Details pane for that resource. Entering an external address indicates that the resource is inside a NAT-based firewall. This implies that the resource will have one IP address inside the firewall (the “address”) and a different IP address outside the firewall (the “external address”).

4 Click Add.

NOTE: If a Visualizer Appliance is already monitoring any interfaces, those interfaces must also be managed by the Administrator Appliance or the discovery will fail. If necessary, discover the interfaces in Administrator and then repeat the discovery of the Visualizer Appliance.

Adding Multiple Resources

To add one or more resources, you must be an administrative user with access to view all resources within your system.

NOTE: If you are unable to add a valid, known resource, try increasing the Connection timeout value on the Administration tab > Overview page. Shorter connection periods may cause premature connection termination during resource discovery, which may result in a resource discovery failure.

To add multiple resources:

1 Click Resources.

2 In the Add Resources pane, click the Multiple tab.


3 Enter the starting IP address and the “end” range in the appropriate fields. Enter a range for the last field only. For example, specify 123.123.123.1 to 123.123.123.234 as in the following example.

Figure 2-1. Multiple Resource Discovery

You can also use a wild card in the fields to find multiple resources. See Using Wild Cards in Multiple Resource Discovery on page 26 for more information.

NOTE: Up to 254 resources can be discovered during the multiple resource discovery process. If your network contains subnet masks shorter than 24 bits and resources with IP addresses such as 1.1.1.0 and 1.1.1.255, these resources cannot be discovered as part of the multiple discovery process.

4 Click Search.

Administrator generates and displays a list of resources that match your resource criteria. All discovered resources are saved at once, and the Resources list is refreshed. The discovery progress is also displayed in a message box to the right.

If a resource has multiple interfaces, all the interfaces are selected and saved automatically. Administrator manages all interfaces within the resource when more than one interface is discovered.

NOTE: You can run multiple discoveries at one time, including multiple discoveries on the same IP address. If the Administrator user starts an additional resource discovery while a discovery is already running on a different IP address, you are asked to confirm the additional discovery.

NOTE: If a Visualizer Appliance is already monitoring any interfaces, those interfaces must also be managed by the Administrator Appliance or the discovery will fail. If necessary, discover the interfaces in Administrator and then repeat the discovery of the Visualizer Appliance.

Using Wild Cards in Multiple Resource Discovery

You can use subnet wild cards during resource discovery to find multiple addresses within a single specification. Note the examples in the following table when using wild cards.

NOTE: Up to 254 resources can be discovered during the multiple resource discovery process. If your network contains subnet masks shorter than 24 bits and resources with IP addresses such as 1.1.1.0 and 1.1.1.255, these resources cannot be discovered as part of the multiple discovery process.

Discovering Resources from a CSV File

If you have a CSV file containing resource data (IP addresses), you can upload the CSV file from the Resources > Overview page. Administrator reviews the IP addresses within the file and determines whether or not the addresses provided are manageable resources.

NOTE: If you are unable to add a valid, known resource, try increasing the Connection timeout value on the Administration > Overview page. Shorter connection periods may cause premature connection termination during resource discovery, which may result in a resource discovery failure.

For Sniffer Distributed resources, the WWW service on the Agent must be started before discovering the Agent through Administrator.

NOTE: To add one or more resources, you must be an administrative user with access to view all resources within your system.

Table 2-1. Valid Wild Cards during Multiple Resource Discovery

Rule Valid Entry Invalid Entry

Use wild cards to represent one position in the second to last or last field only.

1.1.1.*

1.1.*.1

1.1.*.*

1.1.1.1*

1.1.1.11*

1.1.1.1*1

Sample CSV File Format

The CSV file should be formatted as follows. The CSV file is case-sensitive. It is important that Address,Name is entered as shown. Also make sure that no line in the CSV file contains any extra trailing white space (spaces, tabs, or non-printable special characters).

<IP address>,<Machine name> or <DNS name>, <Machine name>

For example:

Address,Name

172.21.71.237, resource05

172.21.72.216, Agent45SP1

172.21.72.71, p3

IMPORTANT: In the CSV file, remove space between words in the header row. The header row is also case-sensitive — do not use “address,name” (lowercase) in the header row.

To upload a file for resource discovery:

1 Click Resources.

2 Click the From CSV tab in the Add Resources pane.

3 Click Browse and navigate to the file.

4 Click Add.
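
An added example, not part of the guide: a Python pre-upload check that applies the formatting rules stated above (exact Address,Name header, no trailing white space or non-printable characters, two fields per row) to a discovery CSV file. Accepting CRLF line endings, checking DNS names against RFC 1123 label syntax, and all function and variable names are assumptions of this example.

```python
import ipaddress
import re

EXPECTED_HEADER = "Address,Name"  # exact, case-sensitive header row from the guide

# The example file printed in the guide (a space after the comma is accepted there).
GUIDE_SAMPLE = (
    "Address,Name\n"
    "172.21.71.237, resource05\n"
    "172.21.72.216, Agent45SP1\n"
    "172.21.72.71, p3\n"
)

# Constructed sample with one defect per line: lowercase header, trailing space,
# out-of-range octet, and a tab used as the separator.
CONSTRUCTED_BAD = (
    "address,name\n"
    "172.21.71.237, resource05 \n"
    "172.21.72.300, bad\n"
    "172.21.72.71\tp3\n"
)

# Assumption of this example: DNS names are checked against RFC 1123 label syntax.
_DNS_LABEL = re.compile(r"(?!-)[A-Za-z0-9-]{1,63}(?<!-)")


def is_address(value):
    """True for a dotted IPv4 address or a syntactically valid DNS name."""
    try:
        ipaddress.IPv4Address(value)
        return True
    except ValueError:
        pass
    if re.fullmatch(r"[0-9.]*", value):
        return False  # digits and dots only: a malformed IP such as 172.21.72.300
    return len(value) <= 253 and all(
        _DNS_LABEL.fullmatch(label) for label in value.split(".")
    )


def lint_discovery_csv(text):
    """Return (line_number, problem) tuples for a discovery CSV; [] means clean."""
    lines = text.split("\n")  # not splitlines(): that would hide control characters
    if lines[-1] == "":
        lines.pop()  # one final newline does not count as an extra line
    if not lines:
        return [(1, "empty file: header row 'Address,Name' is missing")]
    problems = []
    for number, line in enumerate(lines, start=1):
        if line.endswith("\r"):
            line = line[:-1]  # assumption: CRLF line endings are acceptable
        if not line.isprintable():
            # Catches tabs, control bytes and a UTF-8 byte-order mark before the header.
            problems.append((number, "non-printable character"))
        elif line != line.rstrip():
            problems.append((number, "trailing white space"))
        elif number == 1:
            if line != EXPECTED_HEADER:
                problems.append((number, "header must be exactly 'Address,Name'"))
        else:
            fields = line.split(",")
            if len(fields) != 2:
                problems.append((number, "expected two comma-separated fields"))
            elif not is_address(fields[0]):
                problems.append((number, "invalid IP address or DNS name"))
            elif not fields[1].strip():
                problems.append((number, "missing machine name"))
    return problems


if __name__ == "__main__":
    for number, problem in lint_discovery_csv(CONSTRUCTED_BAD):
        print(f"line {number}: {problem}")
```

A byte-order mark written by some spreadsheet exports is invisible in an editor but makes the header row differ from Address,Name, which is why it is reported on line 1.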

About InfiniStream Resource Discovery

User-defined names (the stream alias) for streams on InfiniStream version 3.0+ resources are discovered by Administrator. On discovery, the resource name will be created as follows:

If the InfiniStream resource provides a stream alias, it will be used as the resource name. If a user provided the resource name through a single discovery or multiple discovery from a .CSV file, that name will be overridden by the alias coming directly from the InfiniStream resource. If the name is the same as a previously existing resource name, the name will be appended automatically with the IP address (i.e. “STREAM 1_12.34.56.78”).

As with Sniffer Distributed resources, if the InfiniStream resource does not provide an alias, then the resource name will be used. If the name is not specified either, or in the case of resources discovered using an IP address range, the resource name is created from the IP address.

There are certain changes to streams that are not updated in Administrator if you make these changes on InfiniStream. These include:

Removing the stream

Changing the stream name

Changing the topology of the stream

If you change the stream name from InfiniStream or modify the topology of the stream, you must remove and re-add the ICE to Administrator to view the changes in Administrator.

Adding Licenses from the Resources Page

The Resources > Overview page provides a quick link to add additional licenses to enable you to add and manage additional resources.

After clicking the Add Licenses link from the Add Resources pane, you are redirected to the Administration > Overview page to complete the license request process. See Requesting and Loading Additional Licenses on page 29 for detailed information.

Licensing Additional Managed Interfaces

By default, the Administrator Appliance is licensed for 10 interfaces out of the box. (Please note, if you have reimaged your Appliance, the base software image is not licensed for any interfaces.) To increase the maximum number of manageable interfaces, you must generate a license request through the Administrator interface (Administration > Overview page), go to the external Network General website to submit the license request via an online licensing process, then load the license file on the Administrator server. Detailed information is provided in Requesting and Loading Additional Licenses.

See Viewing Current License Information on page 29 for information on current license status displayed on the Administration > Overview page. If your system is in a replicating pair, see Replication and Licensing on page 73 for license status in this environment.

NOTE: The secondary Administrator in a replicating pair is prohibited from being licensed.

Viewing Current License Information

The Administration > Overview page provides a summary of the current license status:

Total licenses configured. If an Administrator is not in a community, the total licenses configured is the number of licenses used for this Administrator. If an Administrator is a member of a community, the Total licenses configured value seen on the Administration > Overview page is the total number of licenses used between all community members.

Licenses of this Administrator. The number of interfaces licensed for the Administrator Appliance you are connected to.

Licenses of other Administrators in community. The total number of licenses configured or used between all Administrators within the community.

Unused licenses. The total licenses configured less the number of managed resources.

Requesting and Loading Additional Licenses

WARNING: Before creating a new license request or loading a license file, please ensure that the date and time settings on the Administrator Appliance are correct. Also, the license file date and time stamp must be earlier than, or the same time as, the system date and time when you attempt to load the license file. If you already have an existing license file, the new license’s date and time stamp must be later than the existing license’s time stamp, or the new license will not load.

If your installation is not licensed or your license has expired, immediately upon accessing Administrator by entering the URL in your browser, you are redirected to a licensing page where you can perform the required licensing steps.

See Viewing Current License Information on page 29 for information on current license status displayed on the Administration > Overview page.

To request and load additional licenses:

1 Click Administration.

2 In the Increase Quantity by field within the Increase License Quantity pane, enter the number of additional interfaces you would like to manage.

NOTE: One “license” authorizes one interface. The number of licenses you have purchased is cumulative. For example, if you have ten (10) interfaces already licensed and you are requesting 10 additional licensed interfaces, the new license would be for a total of 20 interfaces. You would enter 10 in the Increase License Quantity field. (The number entered in Increase License Quantity field is the number by which you would like to increase your license count).

3 Click Generate Request to create the license request.

4 In the dialog box that follows, click Save and specify where you would like the request file placed on the Client system.

5 After receiving the generated request file, submit the file to the Network General Product Licensing Web site:

http://licensing.networkgeneral.com/productdownload/jsp/license.jsp

Or you can navigate to www.networkgeneral.com > Support > Technical Support > Licensing

The Network General Product Licensing Web site provides its own Online help, containing detailed instructions for submitting your license request.

NOTE: The product categories displayed on the site depend on your service contract. If you have questions or need assistance with the site, contact Customer Service at [email protected].

6 If the request is granted, the Network General Product Licensing Web site creates a license file and emails the file to the email address provided by the user when logging in to the licensing Web site. This license file can only be used with the Administrator Appliance which was used to generate the request. If for some reason you need to reimage the Administrator Appliance, back up this license file prior to the reimage and restore the license file after a successful reimage.

7 Place the license file received from the Network General Product Licensing Web site in a folder accessible to Administrator. The location can be on the Client machine or a network drive.

8 Access your installation.

Return to the Administration > Overview page.

If your installation is not licensed or your license has expired, immediately upon accessing the installation by entering the URL in your browser, you are redirected to a partial licensing page where you can perform the remaining licensing steps.

9 Within the Load License File pane, click Browse to navigate to the license file location.

10 Click Load to validate the license file and apply the new license.

NOTE: After completing the licensing process, please back up the most recent license request file for future re-use in the unlikely event you need to restore or reimage the Administrator Appliance.

3

Managing Resources

This section provides instructions and information for the following resource management-related tasks:

About Managed Resources on page 33

Viewing the Resources List on page 36

Connecting to Resources through the Resources Page on page 37

Resource Compliance on page 41

Viewing System Performance on page 42

Deleting Resources on page 42

About Managed Resources

A resource is any Network General product that is browser enabled and manageable by Administrator. For Sniffer Distributed and s6040 Appliances, Administrator recognizes one resource for each available interface or media module.

Resources can be configured either directly or through Administrator. Through Administrator, you can configure several resources at one time. To manage additional resources, see Adding Resources on page 21 for detailed information.

A resource can be managed by only one Administrator installation. If you attempt to register the resource with a different Administrator, an error message will indicate the resource is already managed by an Administrator.

Managing Sniffer Enterprise Visualizer

You can also manage your Enterprise Visualizer installations through Administrator. You would add or discover a Visualizer Appliance just as you would any other resource. When a Visualizer Appliance is discovered, a domain is automatically created in Administrator specifically for the Visualizer Appliance.

Once it is managed, Administrator provides the following for the Visualizer Appliance:

User authentication

User access control

User permission management

Interface assignment (to Visualizer)

Resource limit enforcement (for Visualizer resources)

License enforcement (for Visualizer resources)

Audit trail for Visualizer events

Health monitoring for Visualizer

The following information is also shared:

If the resource being edited is monitored by a (managed) Visualizer Appliance, then the Visualizer Appliance is informed of the change in IP address.

When a Visualizer Appliance is managed by an Administrator Appliance, the Visualizer Appliance provides conversation information for a given pair of nodes to be used for auto-capture set up within MultiSegment Analysis.

Administrator also provides an internal mechanism which keeps the list of managed Visualizer Appliances up-to-date in the NetVigil interface.

WARNING: Visualizer does not currently contain a fallback method when an Appliance becomes unmanaged. In the rare event that the Visualizer management by Administrator is lost, you are unable to locally create or manage Visualizer users.

NOTE: Before you can launch Visualizer from Administrator, you must add the URL of the target Visualizer as a Trusted Site in Internet Explorer.

Managing InfiniStream

“Local-Only” Authentication

Prior to Administrator discovery, InfiniStream Capture Engines contain their own connection authentication system. Each Capture Engine contains four default accounts—root, admin, console, and monitor—with varying levels of access. You may use the InfiniStream Console’s Admin dialog to manage these accounts as well as add your own custom accounts. This is called a “Local-Only” mode of authentication.

“Administrator-Only” Authentication

Following Administrator discovery, a Capture Engine defaults to a strict authentication policy where it passes all authentication requests to Administrator. This “Administrator-Only” mode ignores all default and custom user accounts created on the Capture Engine, only authenticating accounts managed by Administrator.

Although Administrator ignores local Capture Engine accounts, the InfiniStream Console’s Admin dialog Account tab still displays all local accounts as well as all Administrator accounts that have accessed the system. You may add, delete, and modify the local accounts, but the Capture Engine maintains those accounts locally and doesn’t communicate changes to Administrator. You may delete the Administrator accounts that show up in the Admin dialog Accounts tab, but they are for user name and home directory reference only and will be automatically replaced during the user’s next connection.

If, for any reason, the Capture Engine is unable to forward an authentication request to the Administrator, the Capture Engine configured for “Administrator-Only” mode temporarily fails over to “Local-Only” mode. In this case, administrative and normal users can access the Capture Engine using its locally administered user accounts until the Administrator becomes available.

“Administrator with Local Fall-Back” Authentication

Optionally, you may configure individual Capture Engines to fall back to “Local-Only” mode in cases where the user specifies a non-Administrator user account that is locally managed on the Capture Engine. This is called “Administrator with Local Fall-Back” mode and requires root privileges to change the configuration.

To configure Local Fall-Back, edit /etc/ngc_administrator.conf on the Capture Engine, replace the string “FALSE” with “TRUE” in the line <ALLOWLOCALFALLBACK>FALSE</ALLOWLOCALFALLBACK>, and write the change to disk. This enables Local Fall-Back mode immediately since the Administrator-managed authentication system uses this file during every connection attempt.

/etc/ngc_administrator.conf contents

<ADMINISTRATORS>
  <MAIN_ADMINISTRATOR>
    <SERVER>172.24.4.225</SERVER>
    <USESNIFFERCENTRAL>TRUE</USESNIFFERCENTRAL>
    <ALLOWLOCALFALLBACK>FALSE</ALLOWLOCALFALLBACK>
    <REPORTDEBUGTRAIL>FALSE</REPORTDEBUGTRAIL>
    <LOCATION>/enterprise</LOCATION>
    <PROTOCOL>https</PROTOCOL>
    <PORT>443</PORT>
  </MAIN_ADMINISTRATOR>
  <BACKUP_ADMINISTRATOR>
    <SERVER></SERVER>
    <USESNIFFERCENTRAL>FALSE</USESNIFFERCENTRAL>
    <ALLOWLOCALFALLBACK>FALSE</ALLOWLOCALFALLBACK>
    <REPORTDEBUGTRAIL>FALSE</REPORTDEBUGTRAIL>
    <LOCATION></LOCATION>
    <PROTOCOL></PROTOCOL>
    <PORT></PORT>
  </BACKUP_ADMINISTRATOR>
</ADMINISTRATORS>
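
An added example, not part of the guide and not Network General code: a Python audit that parses the /etc/ngc_administrator.conf listing above and reports which of the authentication modes described in this section each block selects, along with the local accounts that remain relevant in that mode. Flagging a PROTOCOL value other than https is an added check assumed by this example, and the function and variable names are hypothetical.

```python
import xml.etree.ElementTree as ET

# The /etc/ngc_administrator.conf listing as printed in the guide.
GUIDE_CONF = """<ADMINISTRATORS>
<MAIN_ADMINISTRATOR>
<SERVER>172.24.4.225</SERVER>
<USESNIFFERCENTRAL>TRUE</USESNIFFERCENTRAL>
<ALLOWLOCALFALLBACK>FALSE</ALLOWLOCALFALLBACK>
<REPORTDEBUGTRAIL>FALSE</REPORTDEBUGTRAIL>
<LOCATION>/enterprise</LOCATION>
<PROTOCOL>https</PROTOCOL>
<PORT>443</PORT>
</MAIN_ADMINISTRATOR>
<BACKUP_ADMINISTRATOR>
<SERVER></SERVER>
<USESNIFFERCENTRAL>FALSE</USESNIFFERCENTRAL>
<ALLOWLOCALFALLBACK>FALSE</ALLOWLOCALFALLBACK>
<REPORTDEBUGTRAIL>FALSE</REPORTDEBUGTRAIL>
<LOCATION></LOCATION>
<PROTOCOL></PROTOCOL>
<PORT></PORT>
</BACKUP_ADMINISTRATOR>
</ADMINISTRATORS>"""

# Default local accounts the guide lists for every Capture Engine.
DEFAULT_LOCAL_ACCOUNTS = ("root", "admin", "console", "monitor")


def _value(block, tag):
    """Text of a child element, or '' when the element is missing or empty."""
    node = block.find(tag)
    return (node.text or "").strip() if node is not None else ""


def audit_conf(conf_text):
    """Return one dict per administrator block: block, server, mode, findings."""
    try:
        root = ET.fromstring(conf_text)
    except ET.ParseError as exc:
        raise ValueError(f"file is not well-formed: {exc}") from exc
    if root.tag != "ADMINISTRATORS":
        raise ValueError("root element is not <ADMINISTRATORS>")

    accounts = ", ".join(DEFAULT_LOCAL_ACCOUNTS)
    report = []
    for block in root:
        entry = {"block": block.tag, "server": _value(block, "SERVER"),
                 "mode": "not configured", "findings": []}
        report.append(entry)
        if not entry["server"]:
            continue  # no Administrator address in this block

        fallback = _value(block, "ALLOWLOCALFALLBACK")
        if fallback == "TRUE":
            entry["mode"] = "Administrator with Local Fall-Back"
            entry["findings"].append(
                "locally managed accounts can log in alongside Administrator "
                "accounts; review " + accounts)
        elif fallback == "FALSE":
            entry["mode"] = "Administrator-Only"
            entry["findings"].append(
                "local accounts are accepted only while Administrator is "
                "unreachable; review " + accounts)
        else:
            # The guide documents only the literal strings TRUE and FALSE.
            entry["mode"] = "unknown"
            entry["findings"].append(
                f"ALLOWLOCALFALLBACK is {fallback!r}, expected TRUE or FALSE")

        # Added check (assumption of this example, not a rule from the guide).
        if _value(block, "PROTOCOL") != "https":
            entry["findings"].append(
                "authentication requests are not forwarded over https")
    return report


if __name__ == "__main__":
    for item in audit_conf(GUIDE_CONF):
        print(item["block"], "->", item["mode"], item["findings"])
```

Because the file is read on every connection attempt, running the audit after each edit shows the mode that the next login will use.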

Viewing the Resources List

The Resources page is available immediately upon logging in, or by clicking Resources. For administrative users, the Resources page displays the list of all managed resources in the system. Non-administrative users (or administrators who have clicked the View My Resources link) see the resources they have permission to access, grouped by domain. Administrators can click View All Resources to restore the full resource list.

For each resource, the Resources list provides the resource name, resource status, IP address, device type, product information, and topology information. Topology information is not supplied for Sniffer Distributed s6040 1.5 Agents.

NOTE: If the Automatic Patch Distribution status indicates DISABLED, automatic updates are not configured for the listed resources. Click the hyperlink to open the Automatic Downloads page and then enable Auto Downloads and Auto OS Patch Distribution as desired. See Automatic Patch Download and Distribution on page 54 for more information.

See also:

Connecting to Resources through the Resources Page on page 37

Viewing Resource Properties through Resource Details on page 38

Resources > Overview Page Status Icons on page 39

Resource Compliance on page 41

Viewing System Performance on page 42

Errors viewing the Resources pane? Are you prompted to install the ActiveX Control?

If you do not already have the ActiveX Control installed, you may be prompted to install it (depending on your browser settings). It may also install automatically unless a browser pop-up blocker displays a message similar to “This site requires the following ActiveX control…” in the advisory bar.

The ActiveX control provides support for connect operations to managed resources.

Connecting to Resources through the Resources Page

When available, clicking Connect from the Resources > Overview page opens a Console session and connects to that resource. The appearance of this icon is dependent on the resource type and version, as well as what consoles, if any, are installed on the browsing client. For some types of resources the Connect icon supports web-based Console access if the win32-based Console access is unavailable.

The icon will appear under the following conditions:

If the resource is reachable. The Connect icon will never appear for an Unreachable resource.

If the resource is InfiniStream version 2.5 and the InfiniStream 2.5 console is installed on the browsing client. Clicking the Connect icon will start the InfiniStream 2.5 Console, but it will not automatically connect to the InfiniStream Capture Engine. A new instance of InfiniStream 2.5 Console will start every time the Connect icon is clicked, but using only one instance of the InfiniStream 2.5 Console is suggested.

NOTE: For InfiniStream 3.0, Administrator launches the InfiniStream 3.0 Console if it is present. If the Console cannot be found, Sniffer InfiniStream Web Access (IWA) is launched.

If the resource is Sniffer Distributed version 4.7. Clicking Connect in this case will either (1) launch the Win32 4.7 console if that is installed on the browsing client, or (2) launch WebConsole if the Win32 console is not available. In this case, without the Win32 console, note that some interfaces do not support WebConsole connections (e.g. SysKonnect). For those types of interfaces, the icon will not appear if the Win32 console is not available.

If the resource is Sniffer Distributed version 4.6 and the Win32 4.6 console is installed on the browsing client.

If the resource is Sniffer Distributed version 4.5 and the Common SniffView Console (CSC) is installed on the browsing client.

Viewing Resource Properties through Resource Details

As you select a resource in the list on the Resources page, the resource information is summarized in the Details pane on the right, including the users who are allowed access to the resource, Matrix Switch configuration, Switch information, and the Agent Note passed from the Sniffer Distributed Appliance.

In the Details pane, click View Report next to Compliance to open a second window that summarizes any service packs or security patches installed (or not installed) on that Appliance and applications running on that Appliance. See Resource Compliance on page 41 for more information.

You can only change the resource owner (the Managed by field in the Details pane) for Sniffer Distributed Agents. This is not available for Visualizer and InfiniStream Appliances. Visualizer and InfiniStream Appliances need to be deleted and rediscovered by a different Administrator if you want to change the ownership.

NOTE: When resources are grouped by domain, you can edit resource properties through the Details pane on the right side of the Resources page.

Editing the Device Name

Clicking the Device Name in the Details pane on the Resources > Overview page opens a field in which you can edit the Device Name. For Administrator to properly manage a resource, the device name must exactly match the name of the adapter card. Any discrepancy will also stop data collection by Visualizer.

Changes to Device Name are transmitted to the Visualizer monitoring the interface if the Visualizer is managed by Administrator. Thus the interface name in Visualizer will be consistent with Administrator.

Editing a Resource Internal Address

Edit the internal address for a resource in the event a resource IP address has changed and you need to reconnect to the same resource with a different IP address.

To edit an internal address:

1 Select a resource from the Resources > Overview page.

2 In the Details pane on the right, click the Internal Address link.

3 In the address field that opens, edit the address as desired and click Save.

Resources > Overview Page Status Icons

The Resources > Overview page updates automatically every 15 minutes. Status icons next to a resource are summarized in the following table.

NOTE: Icons or status indicators may not appear if an alarm has not been triggered on a resource.

Table 3-1. Resource > Overview Page Status Icons

Icon Represents...

Operating System patch status: Up to date. All available operating system updates or patches certified by Network General have been applied to this resource. See Resource Compliance on page 41 for more information.

Network General patch status: Up to date. All available Network General software patches have been applied to this resource.

Operating system patch status: In Progress. An available operating system update or patch certified by Network General is being applied to this resource.

See Resource Compliance on page 41 for more information.

NOTE: If you would like to schedule automatic updates, see Automatic Patch Download and Distribution on page 54.

Operating system patch status: Not up to date. Available operating system updates and patches certified by Network General have not been applied to this resource.

Network General patch status: Not up to date. Available Network General software patches have not been applied to this resource.

The resource is unreachable. Either the resource is down or the WWW Service is not running.

The status of the resource is unknown. The resource is invalid, meaning Administrator communication has not been established with the resource.

Click to establish communication with the resource. If the status does not change, the resource could not be found or there was a communication problem.

An alarm has been activated on this resource. Click the alarm icon to open the Alarm Monitor and view alarms triggered on that resource.

A capture is running on that resource. Applies only to Sniffer Distributed 4.5 Agents or higher.

Operations available from the Resources > Overview page include:

View System Performance. See Viewing System Performance on page 42.

Delete. See Deleting Resources on page 42.

Configure. See Configuring Sniffer Distributed Resources on page 45.

Deploy Image. Detailed information on remote reimaging through the Administrator interface is available in the Sniffer Enterprise Administrator Remote Reimaging Guide.

Reboot. Select a resource and click Reboot to restart the resource remotely.

Clone Configuration. See Configuring Resources Using Clone Configuration on page 46.

Export to CSV. Click to export the data displayed onscreen into a CSV formatted file that you can open for viewing or download and save. Saved files will open in Excel if you have Excel installed on your client system.

Print. Click to open a text file in a separate browser window containing a summary of current data onscreen. Print this page using browser menu options.

Show Activity. Click to view activity log entries filtered for that particular resource.

Resource Compliance

Administrator remotely checks for the presence of Network General software update packages on a resource and for security patches applied to the operating system of the resource. Compliance status icons in the Status column on the Resources > Overview page are summarized in Resources > Overview Page Status Icons on page 39.

If you would like detailed information for a given resource, the Compliance report summarizes which patches have been applied and which patches are available and can be applied to the resource.

NOTE: If desired, Administrator can download and apply the appropriate operating system patches to managed resources. See Automatic Patch Download and Distribution on page 54 for more information.

To view resource compliance reports:

1 Click Resources to open the Overview page.

2 In the Details pane, click View Report next to Compliance.

3 In the window that opens, view the summary. Note that Administrator detects which operating system patches have been applied and which are missing from the resource. The summary also reports which of the latest applicable Network General product update patches are available.

Viewing System Performance

Click View System Performance next to a resource listed on the Resources > Overview page to view the health summary of that resource. Information provided for the resource includes the status of resource processes, memory utilization, free and used disk space, and CPU usage.

NOTE: Clicking the View System Performance icon also updates the resource status if the resource is online.

Deleting Resources

Deleting a resource removes the resource from the Administrator system.

Please note the following if you are deleting a Visualizer resource or deleting an interface that is managed by Visualizer:

When you remove a Visualizer resource, the Visualizer Appliance becomes unmanaged and it continues to monitor all the interfaces that it had before.

When you remove a managed interface from Administrator and that interface is also monitored by a managed Visualizer resource, this removes the interface from Visualizer. You are prompted to confirm this action before continuing.

If you try to remove a Visualizer resource AND all its monitored interfaces from Administrator at one time, the interfaces will also be removed from Visualizer. You are prompted to confirm this action before continuing.

If you want to remove a Visualizer resource and all its monitored interfaces from Administrator, but want Visualizer to continue monitoring those interfaces, first remove the Visualizer resource from Administrator, and then remove those interfaces from Administrator.

To delete resources:

1 Click Resources.

2 Select one or more resources in the Resources list.

3 Click Delete.

NOTE: If all resources are removed from a given address, Administrator unregisters the resource.

4

Configuring Resources

This section provides instructions and information for the tasks relating to resource configuration, including software updates and patch distribution for managed resources:

Configuring Sniffer Distributed Resources on page 45

Configuring Resources Using Clone Configuration on page 46

Working with Software Update Packages on page 48

Automatic Patch Download and Distribution on page 54

Configuring Sniffer Distributed Resources

Sniffer Distributed resource configuration is the setting of parameters for a resource or a group of resources through an external console.

NOTE: Resource configuration is supported for Sniffer Distributed Agents only.

When accessing Config Console for Sniffer Distributed 4.6+ Agents, Extended Configuration options are limited to the following adapter-specific options:

Mac Threshold

App Threshold - TCP and App Threshold - UDP

Protocols -TCP, Protocols -UDP, and Protocols -IPX.

NOTE: You can also clone existing resource configurations and apply the settings to one or more managed resources. See Configuring Resources Using Clone Configuration on page 46 for more information.

Follow this procedure to access Config Console to configure resources managed by Administrator. Unsupported, invalid, or offline resources cannot connect to Config Console.

To access the Config Console to configure Sniffer Distributed resources:

1 Click Resources.

2 Select one or more resources from the Resources list.

By configuring multiple resources at one time, you are applying the same configuration settings and parameters to two or more resources. To configure multiple resources at the same time, the resources must be of the same type.

“Same type” implies that the card must be of the same type, the Appliance platform must be identical (s4000, s4100, or s6000), the topology must be the same (ET02, ET03, etc.) and the Appliances must be running the same version of the Sniffer Distributed software.

NOTE: In situations where there are different cards for the same IP address, different subtypes cannot be selected for configuration.

3 Click Configure below the Resources list to open the Config Console in a separate browser window.

NOTE: Detailed information on how to use Config Console is available in the Config Console Online help.

Configuring Resources Using Clone Configuration

Clone existing resource configurations and apply the settings to one or more managed resources using the Clone Configuration option available from the Resources > Overview page. Configuration cloning is only available for supported Sniffer Distributed Agent versions. This operation allows configuration cloning on Agents with the same Sniffer Distributed version and topology as the Agent you select to clone.

Settings you can push out to other resources include Expert options, threshold settings, and protocol settings. The following table summarizes cloned settings.

Please note the following restrictions:

Interfaces with different encapsulations due to different topology designations are incompatible for configuration cloning.

If you change the encapsulation after an Agent is discovered in Administrator, Administrator will detect the new encapsulation at the next refresh interval (the default interval is 15 minutes). Configuration cloning will fail if you start the clone configuration process after making encapsulation changes but before Administrator detects the new encapsulation settings.

Invalid or offline resources cannot use this operation.

A resource that is currently being configured cannot be cloned. If you attempt to clone a configuration that is in progress, an error message will appear indicating the action is not available at that time.

There cannot be any active configuration sessions on the resources to which you will apply the cloned settings.

After applying the configuration settings to the resources, you must manually reboot the resources for the configurations to take effect.

To use Clone Configuration:

1 Click Resources.

2 Select one resource from the Resources list and click Clone Configuration.

Table 4-1. Supported Cloned Settings

Option or Setting Cloned Not Cloned

Expert Options Objects

Alarms

Protocols

RIP Options

Subnet Mask

Multicast

VOIP settings

Tools menu > Options Mac Threshold

TCP Threshold

UDP Threshold

TCP Protocol

UDP Protocol

IPX Protocol

Update Frequency

Alarms

Protocol Forcing

User Guide 47

Page 48: test

Chapter 4

This action instructs Administrator to retrieve configuration settings from that Appliance. The configuration settings are placed in a buffer. These are the configuration settings that are pushed to the resources selected in Step 4.

3 The Resources list refreshes with a subset of resources that can be cloned, including the resource selected in Step 2.

NOTE: The updated list contains only Appliances with the same Sniffer Distributed version and topology.

4 Select the resources to which you would like to apply the buffered configuration settings.

5 Click Apply.

As the cloning continues, the Progress column in the table of resources indicates the cloning status. Icons will appear as cloning progresses: the yellow icon identifies the resource being currently configured and green represents a successfully configured resource. A red icon for a specific target means there were errors for this target, but this does not necessarily stop the cloning process. Other targets may be successfully cloned after an error occurs on another target. The summary of all errors will appear after everything is completed.

6 When the configuration cloning is complete, the Resources page displays the updated and complete list of resources. Check the Activity Log page for detailed information about configuration cloning activities.

7 Manually reboot each resource for the configurations to take effect. Select the resource from the Resources list and click Reboot. Repeat as necessary until all newly configured resources have been restarted.

NOTE: Clicking Cancel stops the operation and returns you to the Resources page.

Working with Software Update Packages

You can use Administrator to upload and apply software update packages developed by Network General. Update packages can be uploaded to individual or multiple Network General devices which are managed by Administrator and supported for software updates.

Generally, for each new release of Network General software, or each release of a service pack or patch, an Administrator upgrade/update package will be provided to licensed Administrator customers.


Packages are broadly classified as major or minor updates. Major and minor updates include Network General product updates and Network General certified operating system patches. Major software update packages typically distribute the package contents to the selected resource(s) and reboot the resource(s). Minor updates typically do not require a reboot of the resource(s).

“Immediate” Updates

Software update packages can be sent to the supported resource by scheduling software updates or by clicking Send from the Software Update page after selecting the resource(s).

When you click Send, this update will be sent within minutes from Administrator to the selected resource(s). This will also be noted on the Pending Updates page. Check the Activity log for information about the software update status.

InfiniStream Update Packages

If a file with a .rpm extension is received by an InfiniStream through a software update package, the .rpm file will be installed on the InfiniStream unit. The result of the .rpm installation is reported in a message generated for Administrator and can be viewed on the Activity Log page.

Success or failure of all update packages sent to InfiniStream units will be recorded in the Activity Log page.

Updates and Scheduling within the Community

For more information, see Software Updates within a Community on page 52.

Finding Available Update Packages

When packages become available, they are posted to the Network General download site:

http://productdownload.networkgeneral.com/productdownload/jsp/login.jsp

After downloading the package, upload the package through the Administrator interface.

See also:

Adding Software Update Packages on page 50

Uploaded Files Pane on page 53

Applying or Scheduling Software Update Packages on page 51


Adding Software Update Packages

After downloading a software update package from Network General and making the package accessible to the Administrator server, upload the files through the Administrator interface.

IMPORTANT: Software update packages normally contain one .csl file and at least one .exe file. If the package obtained from the download site is in .zip format, you’ll need to extract the contents of the .zip file prior to uploading the files to the Resources > Software Updates page. Please note that packages compatible with the SEA Agent do not need a CSL file.

From a remote machine, the data transfer rate for uploading files to a software update package and uploading update packages to resources depends on two parameters: [1] the File Transfer Rate specified on the Administrator Administration page and [2] network health.

To add a software update package:

1 Click Resources, then click Software Update.

2 Enter the name of the update package and optional description, and click Continue. The package name cannot contain spaces.

3 Click Upload.

4 In the Uploaded Files pane, click Browse, navigate to the directory where the update files are stored, and click Upload. Repeat as necessary to add more files to the update package.

NOTE: As stated in the window, do not close the File Upload window during upload. This window will close automatically after the upload is finished.

5 After the upload is complete, the update package appears in the Software Update Package list and is ready to be applied to resources.

6 Continue to Applying or Scheduling Software Update Packages on page 51.

NOTE: After uploading the package, you can also edit the package. See Uploaded Files Pane on page 53.


Software packages created on one Administrator are not automatically available on other Administrators that are a part of a community. For successful updates within a community, copy the files to other Administrators within a community after creating the software update package. See Software Updates within a Community on page 52 for more information.

Applying or Scheduling Software Update Packages

After uploading software update packages (see Adding Software Update Packages on page 50), apply an update package to one or more managed resources. You can only apply one update package to the selected resource(s) at one time, but multiple updates can be scheduled.

Restrictions apply regarding software update packages applied to a community. Please see Software Updates within a Community on page 52 for more information.

NOTE: The Software Update Package list may also contain update packages that were downloaded automatically from the Network General Web site as specified through the Automatic Patch Distribution page. See Automatic Patch Download and Distribution on page 54 for more information.

During this process, you can specify whether or not you want to run the software update immediately, or schedule the update for a later time. For example, you can schedule one update for all resources within Domain X to run Saturday, and also schedule another update for all resources within Domain Y to run Sunday.

When updating a resource, check that there are no other user connections to that resource at the time of the update. For pending updates, ensure there will be no user connections to the resource for the duration of the scheduled update.

NOTE: You cannot configure invalid resources or apply the update resource software package on invalid resources. Invalid resources are resources with which Administrator has not been able to establish communication or has lost communication. See Viewing the Resources List on page 36 for more information.

To apply or schedule software update packages:

1 Click Resources.

2 Select one or more resources from the Resources list and click Update.


NOTE: If there are no update packages uploaded to the system, the Update button is not available from the Resources page.

The available software update packages are listed in the Software Update Packages list. Mouse over an update package to view package information, including the files included in the update, in a box on the right.

3 Select an update package from the list and click Send Update or Schedule Update.

4 If Schedule Update is selected, specify the date and time you would like to perform the update and click Apply.

Specify the date and time of the scheduled update with respect to the Administrator server clock. Administrator will convert the supplied date and time to GMT.

NOTE: Administrator checks for pending updates every minute.

5 After applying an update package, you are returned to the Resources page while the update is in progress. To check the status of the update, click Activity Log to see what is happening on the resource(s).

NOTE: If you would like to receive e-mail notification that the update package process is complete, enable the Notify email recipients on completion of software update option on the Administration > Overview page. See Email Server Configuration on page 78 for detailed information.

Software Updates within a Community

You can schedule updates to any resource from any Administrator within the community. Update schedules are shared among all Administrators in the community. However, only the Administrator that owns the resource will execute the schedule referring to that resource. An Administrator “owns” a resource when the resource was initially added as a resource on that Administrator installation. Ownership of a resource can also be changed by configuring the Managed by parameter in the Details pane within the Resources > Overview page.


This update will be successful only if the update files can be found on the Administrator owning the resource. The update will fail if the update files are available on the Administrator from which the update was scheduled but not on the Administrator owning the resource. This can be avoided by doing one of the following:

a Every time you create a software update package in any of the Administrators, manually create the same package in all other Administrators in the community.

or

b Point the “File Storage” parameter on the Administration page of all Administrators to a common network share.

Option (a) is automatically true for auto-downloaded files on the Administrator. For other updates, you can automate this further with option (b) by specifying a common file storage directory for all Administrators; however, be cautious of inefficient bandwidth use.

When scheduling an update, if a package is present on multiple Administrator servers, the package is displayed only once. Pending updates are replicated within the community.

Editing Software Update Packages

After uploading an update package, you can add or delete update packages.

Editing Software Update Packages. Click Edit next to the update package in the Software Update Package list to add or remove files from the update package. When you add or upload a file to the update package, you cannot override files that are already uploaded. Files with the same name cannot be uploaded.

Deleting Software Update Packages. Select one or more update packages from the Software Update Package list and click Delete Update Package.

Uploaded Files Pane

The Uploaded Files pane appears after creating a new update package or after clicking Edit to edit an existing software update package on the Software Update page.

Editing uploaded software update packages includes adding or removing files to the update package. When you add or upload a file to the update package, you cannot override files that are already uploaded. Files with the same name cannot be uploaded.


To edit software update packages:

1 Click Resources, then click Software Update.

2 From the list of uploaded software packages, select a package and click Edit.

3 In the Uploaded Files pane, add a file to the update package by clicking Upload, browsing to the file location, and clicking Upload. Remove a file by selecting the file and clicking Delete.

4 Click Save.

Viewing or Deleting Pending Software Update Packages

View a list of scheduled software update packages through the Resources menu. You can also delete software update packages through this page.

To view pending updates or update packages:

1 Click Resources, then click Pending Updates.

From the Pending Updates page you can:

View current pending updates.

Delete one or more pending updates.

Automatic Patch Download and Distribution

Network General provides software update packages and operating system patches as updates become available. Through the Administrator interface, you can schedule the Appliance to check for and download these updates on a regular basis. If an operating system patch is made available and downloaded, you also have the option to schedule the delivery of operating system patches on managed resources.

Automatic patch download and distribution is supported for Sniffer Distributed Agents only and is not applicable to InfiniStream and Visualizer resources. The Sniffer Distributed resource must be running Windows XP SP2. The patches cannot be applied automatically if Windows XP SP2 is unavailable on the resource. If the resource is not running Windows XP SP2, the missing patches must be applied manually. See Manually Applying Update Packages and Patches on page 56.

NOTE: Administrator is capable of resuming downloads if the network connection is lost. See Lost Network Connection During a Download on page 57.

Multiple patches will be sent at one time. There will be only one scheduled update in the pending updates page for all patches that are missing. Sniffer Distributed resources will be rebooted after the patches are applied.

The operating system patch levels may not be accurate if the downloads have not occurred since automatic downloads were enabled. To find out the patch status immediately, click Download Now available from the Resources > Automatic Patch Distribution page.

NOTE: Are you working in an environment with a proxy server? Proxy settings are specified on the Administration > Overview page. See Setting Session Control on page 67 for more information.

To enable and schedule automatic downloads:

1 Click Resources, then click Automatic Patch Distribution.

2 Enter your Service Contract number and password. Your Service Contract number and password are provided with your sales documentation or by your Sales Representative.

NOTE: If the service contract number and password are not entered, only the operating system patches will be downloaded. For Network General software updates to be downloaded, the Service Contract information is required.

3 If you’ve entered Service Contract information, click Verify & Apply.

4 To enable automatic downloading of available patch and software update packages, check Auto Downloads. Next select when you would like Administrator to check for and download the updates.

NOTE: Click Download Now if you want the download to occur immediately instead of waiting for a scheduled time. If Auto OS Patch Distribution is enabled, this action will also distribute any downloaded operating system patches.

Specifying Auto Downloads tells Administrator to automatically download new Network General software update packages and the latest operating system patches from a Network General web site. Files are downloaded onto your Appliance.


Downloads will be product-specific and selected based on the information about your Network General installation as provided with your grant number.

NOTE: The software update packages are not installed on or pushed to your resources; instead, they become available on the Resources > Software Update page. See Applying or Scheduling Software Update Packages on page 51 for information on pushing the update packages to your resource.

5 If OS patches were downloaded in Step 4, you can then specify the time period in which the patches are pushed out to the applicable managed resource. Check Auto OS Patch Distribution and then select when you would like Administrator to check for and distribute the OS patch to managed resources. The OS patches will be distributed within the time range specified on the page.

The scheduled software update to a resource will be postponed by 60 minutes if there is an active session or a capture occurring at the time an update is scheduled.

NOTE: The Status area on the page only indicates file download status. For status on OS patch distribution to a particular resource, see the Activity Log.

6 Click Save.

Manually Applying Update Packages and Patches

The Sniffer Distributed resource must be running Windows XP SP2. The patches cannot be applied automatically if Windows XP SP2 is unavailable on the resource or if automatic distribution is disabled. In these cases, apply the missing patches manually by clicking Apply from within the OS patch compliance report.

To view the compliance report, access the Resources > Overview page and highlight the resource. In the Details pane, click View Report next to Compliance.

Troubleshooting Automatic Patch Distribution

If you are experiencing issues using the automatic download feature, please note the following.

Communicating with the Network General Web Site

In order for the Administrator Appliance to check and download the updates, the NGHomeBaseURL= and NGSnifferURL= elements within the automaticpatch.properties file (located in C:\Program Files\Network General\Enterprise\TOMCAT\shared\classes) must specify the correct link(s) to the Network General web site. If your Appliance is unable to communicate with the Network General web site and you suspect the file values are incorrect, contact Technical Support for the correct values.

Lost Network Connection During a Download

If you think that your network connection was lost during a software update package or patch download and the download was interrupted or stopped, Administrator is capable of resuming the download at the byte at which the connection was lost.

Administrator recognizes an HTTP connection interruption. During the break in the connection, the Administrator server will attempt to complete the download during the open Administrator session (set by the Session Control parameters on the Administration > Overview page). When a session ends, attempts to reconnect and resume the download are stopped. The appropriate events are recorded in the Activity Log.

The automaticpatch.properties file (located in C:\Program Files\Network General\Enterprise\TOMCAT\shared\classes) contains a property (DownloadTimeout=3) that controls the download timeout limit. With the default value of 3, the downloads that are performed from the Administrator by SEA Agent follow a three-minute interval for resuming a download if it fails. The Administrator will try as many times as it can to complete a download within the value that is set in this property.

NOTE: After making changes to any Administrator properties file, you must stop and restart the Network General Enterprise Service through the Control Panel on the Appliance. A user with administrative rights may also restart the service using the Restart Sniffer Enterprise Administrator button on the Administration > Overview page.
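A drift check for the three automaticpatch.properties keys discussed above, as an added example that is not part of the guide or of Network General's software. The baseline values and host names are constructed placeholders; substitute the values supplied by Technical Support.

```python
"""Audit automaticpatch.properties against known-good values (added example)."""
from urllib.parse import urlsplit

# Keys named in the guide. The two URL keys decide where the Appliance
# fetches updates from, so drift from the vendor-supplied values matters.
URL_KEYS = ("NGHomeBaseURL", "NGSnifferURL")
TIMEOUT_KEY = "DownloadTimeout"

# Constructed baseline: placeholder hosts, not real Network General URLs.
BASELINE = {
    "NGHomeBaseURL": "http://updates.example.invalid/homebase",
    "NGSnifferURL": "http://updates.example.invalid/sniffer",
    "DownloadTimeout": "3",  # default value stated in the guide
}

# Constructed sample file with three problems planted in it.
SAMPLE = """\
# automaticpatch.properties (constructed sample)
NGHomeBaseURL=http://updates.example.invalid/homebase
NGSnifferURL=http://mirror.example.net/sniffer
DownloadTimeout=0
DownloadTimeout=three
"""


def parse_properties(text):
    """Parse a minimal subset of the Java .properties format.

    Handles blank lines, '#' and '!' comments, and 'key=value' or
    'key:value' pairs. Line continuations and backslash escapes are not
    interpreted (assumption: the file uses plain one-line entries).
    Returns (values, duplicates); a repeated key keeps its last value,
    which is how java.util.Properties loads a file.
    """
    values, duplicates = {}, []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#!":
            continue
        # The separator is whichever of '=' or ':' comes first, so the
        # ':' inside a URL value is not mistaken for it.
        cuts = [i for i in (line.find("="), line.find(":")) if i != -1]
        if cuts:
            key, value = line[:min(cuts)].strip(), line[min(cuts) + 1:].strip()
        else:
            key, value = line, ""
        if key in values:
            duplicates.append(key)
        values[key] = value
    return values, duplicates


def audit(text, baseline):
    """Return a list of (key, message) findings; empty means no drift."""
    values, duplicates = parse_properties(text)
    findings = [(k, "defined more than once; last value wins") for k in duplicates]

    for key in URL_KEYS:
        value = values.get(key, "")
        if not value:
            findings.append((key, "missing or empty"))
            continue
        try:
            parts = urlsplit(value)
            well_formed = parts.scheme in ("http", "https") and bool(parts.hostname)
        except ValueError:  # e.g. malformed bracketed host
            well_formed = False
        if not well_formed:
            findings.append((key, f"not an http(s) URL: {value!r}"))
        elif value != baseline.get(key, value):
            findings.append((key, f"differs from baseline, now points at {parts.hostname}"))

    timeout = values.get(TIMEOUT_KEY, "")
    if not (timeout.isascii() and timeout.isdigit() and int(timeout) > 0):
        findings.append((TIMEOUT_KEY, f"expected a positive whole number, got {timeout!r}"))
    elif timeout != baseline.get(TIMEOUT_KEY, timeout):
        findings.append((TIMEOUT_KEY, f"differs from baseline: {timeout}"))
    return findings


if __name__ == "__main__":
    import sys
    # Pass the path to the real file as the first argument; .properties
    # files are ISO-8859-1 encoded. Without an argument the sample is used.
    if len(sys.argv) > 1:
        with open(sys.argv[1], encoding="latin-1") as handle:
            content = handle.read()
    else:
        content = SAMPLE
    for key, message in audit(content, BASELINE):
        print(f"{key}: {message}")
```

Run it before restarting the Network General Enterprise Service so that an unexpected update source or an unusable timeout is caught before the Appliance next checks for downloads.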

Error Message: SEA Agent is Missing on this Resource

A component needed to enable Automatic Downloads is not installed on the Sniffer Distributed Agent. This component can be installed by pushing an update package out to the resource. See SEA Agent is Missing on page 58 for detailed information.

SEA Agent is Missing

SEA Agent is required to obtain OS Patch Status reports, perform OS Patch updates, execute Sniffer Distributed Agent installers, and to obtain Agent Health Reports. SEA Agent applies only to Sniffer Distributed Agents and is required on all supported Sniffer Distributed versions.

The Administrator version and the SEA Agent version running on the Agent must be the same. For example, if Administrator server is running version 4.2, the SEA Agent version on the Agent must be version 4.2. You can update the SEA Agent version on the resource through the Resources > Software Update page by sending the pre-installed SEA Agent package to the resource.

If you receive an error message indicating that the SEA Agent is not installed on the resource, please note the following:

If the patches are not applied correctly on the resource, check to see if dates on the files for SEA Agent are the same as the files built for that release. If the files are older than what they should be, send the SEA Agent one more time to the resource and then restart the resource. If the problem persists, reboot the resource, send the SEA Agent, and then reboot one more time.

For Administrator Appliance installations. If your Administrator system is an Appliance with the Administrator software pre-installed, then the package containing the SEA Agent updates is pre-installed on the Appliance and available on the Resources > Software Update page. Access this page and push the package out to the necessary Agents.

For Administrator software-only installations. If your Administrator system is a software-only installation, then the package containing the SEA Agent updates is available from the Network General download site. Download the package, upload the package to the Resources > Software Update page, and then push the package out to the necessary resource(s).


5

The Administrator Community

An Administrator community provides a console for multiple Administrator Appliances on your network. In this “single view,” you can log in one time and work with all resources via the same console—connect to resources and manage resource configurations.

Data that can be shared within a community includes user information, resources, domains, roles and user permissions, shared filters, task schedules, and certain resource configurations. Additionally, licenses may be shared within a community. Licenses installed on one Administrator Appliance are available to other Appliances. The total number of licenses shared within the community is limited to the total number of licenses purchased.

NOTE: Alarm data and MultiSegment session data and files cannot be shared within a community.

See also:

Viewing Members of the Community on page 59

Adding Servers to the Community on page 60

Setting up Communities in a NAT Environment on page 62

Editing Servers in the Community on page 63

Viewing Members of the Community

Click Administration, then click Community to access the Sniffer Enterprise Administrators in the Community pane. This area provides information about the servers within the Administrator community, including the identification number, the name, address or hostname of the machine, the external IP address, the status, the version number, the number of authorized licenses, replication configuration details, and additional comments.

NOTE: An Administrator “owns” a resource when it provides authentication for the resource and pings the resource to retrieve health status among other activities. By default, the Administrator that discovers the resource becomes the owner of the resource, but you can change this manually if desired through the Details pane. Resource ownership also changes when an Administrator server is removed from a community. All resources that the removed Administrator owned become owned by the Administrator server that deletes the other Administrator server.

Actions from this page include:

Export to CSV. Click to export the data displayed onscreen into a CSV formatted file that you can open for viewing or download and save. Saved files will open in Excel if you have Excel installed on your client system.

Print. Click to open a text file in a separate browser window containing a summary of current data onscreen. Print this page using browser menu options.

Delete. Delete communities at any time by highlighting the community name in the Current Communities pane and clicking Delete.

See also:

The Administrator Community on page 59

Adding Servers to the Community on page 60

Setting up Communities in a NAT Environment on page 62

Editing Servers in the Community on page 63

Adding Servers to the Community

Add Administrator Appliances (or “servers”) installed on your network to build a community. The installation must be the exact same version as the other servers. The database for the new server is checked before it is added to the community. When a server is being added to the community, all the shared data (the data that is shared between servers in the community) will be erased from its database and replaced with a copy of the current data so that it is synchronized with the other servers.

NOTE: If you are adding a new Administrator server to the community, and if it is already managing resources, then it is recommended to delete all resources from that server before adding the server to the community. If you have inadvertently added an Administrator to a community and found that it was managing resources, the resources need to be re-discovered by the same server (for Visualizer and Infinistream) or any Administrator (for Sniffer Distributed Agents).


If one of the managed resources on the new server is a Visualizer Appliance, then the Visualizer will not be managed anymore. The Visualizer Appliance will still think it's managed and won't allow it to be discovered by another Administrator server other than the one that originally managed it. If this occurs, rediscover the Visualizer Appliance from the original server after adding the Administrator server to the Community. If you do not want the Visualizer Appliance managed (or you want to rediscover it from a different Administrator server), delete the Visualizer Appliance immediately after discovering it.

See The Administrator Community on page 59 for detailed information about an Administrator community.

To add servers to a community:

1 Click Administration, then click Community to access the Current Communities pane.

2 On the right side of the page under Add Server to the Community, specify the following:

Server Name. The name of the Administrator system which you are adding to the community.

Internal address.

Use this address to communicate now.

If you check the This server has a NAT external address option, specify the external address in the field provided. See Setting up Communities in a NAT Environment on page 62 for more information.

Select The server is the Primary of a Replicating Pair if it applies to this machine. In the Secondary server field, enter the IP address of the secondary server in the replicating pair. A Primary server in a community performs management operations (authentication, ping, configurations, software updates) only on the resources that it owns. Resource ownership is determined by the server which discovered and added the resource.

Enter credentials for user access to the server. User sessions are replicated across servers. If the user has a valid session on one server, that user is silently logged into all servers within the community.

3 After entering the information in the fields, click Add. Click Cancel to clear the fields.

4 Repeat as necessary to add additional servers to the community.

MySQL Server IDs

A critical aspect of the community setup process involves making sure that the MySQL server IDs are unique within that community. For example, in a scenario where you want to create a community with two Administrator systems, you must:

a Change the MySQL server ID on one of the Administrator systems.

b Complete the steps in To add servers to a community: on page 61 from the Administrator system on which you did not modify the server ID.

Similarly, when adding additional Administrator systems to an existing community, change the server ID on the systems you want to add, then add them to the community from an Administrator already in the community.

WARNING: Do not change the server ID of any Administrator system unless you are adding the system to a community or a replicating pair, or you want to reassign or delete the resources managed by that Administrator system.

Adding a Replicating Pair to a Community

A replicating pair can only be added to a community as a single unit. If you would like to add a replicating pair to a community and the replicating pair is not behind a NAT firewall, then just add the primary system to the community. The secondary will be added automatically.

If the replicating pair is behind a NAT firewall, the external NAT addresses for both the primary and secondary need to be specified through Administrator when adding the servers to the community.

Additionally, if the server to which you are logged in when adding servers to the community is behind a NAT firewall, you must edit the server and specify its external address. We recommend doing this before adding other servers.

Setting up Communities in a NAT Environment

It is very important to properly specify internal and external server addresses when setting up communities in a NAT environment. You can add an external address to a server while setting up a community or while editing an existing community. For example, in the following environment:

[Administrator1] ---- [NAT] ---- (WAN) --- [NAT] --- [Administrator2]


Suppose you want to join Administrator1 and Administrator2 in a community. Adding Administrator2 from Administrator1, you specify the internal and external addresses for Administrator2 and check “Use external address to communicate now.” But if Administrator1 was a standalone system, its external address was not set, and Administrator2 will not know how to talk to Administrator1.

Therefore, you must edit Administrator1 (see Editing Servers in the Community on page 63) and ensure the external address has been set up. This must be done from Administrator1. This information will then be communicated to Administrator2 (because Administrator1 now knows how to talk to Administrator2), so Administrator2 will be able to talk back.

In other words, after adding an Administrator in a NAT environment to the community, you must go back to the Administration > Community page for that Administrator and specify the external IP address of that Administrator.

NOTE: Discovering and managing resources outside of a NAT environment by an Administrator within a NAT environment is not supported. Another Administrator in the community that is outside of the NAT environment will not be able to display the resource’s proper external address.

If you have a mixed NAT and non-NAT environment (some Administrators in the community are behind NAT firewall(s), and others are not), it is recommended to add external addresses to the resources outside of the firewall(s). This ensures connectivity to resources in various combinations like “client outside of firewalls logged into Administrator inside a firewall and trying to connect to agent outside of firewalls.” These external addresses should be the same as internal addresses.

Editing Servers in the Community

You can edit limited information for servers added to a community.

To edit servers in the community:

1 Click Administration, then click Community to access the Current Communities pane.

2 Click or highlight an existing server from the list.

3 The Edit this Server pane appears on the right side of the page. Edit the following:

Server Name. The name of the Administrator system. This appears in the Sniffer Enterprise Administrators in the Community list.

If you check the This server has a NAT external address option, specify the external address in the field provided. See Setting up Communities in a NAT Environment on page 62 for more information.

4 Click Save.

See also:

The Administrator Community on page 59

Viewing Members of the Community on page 59

Adding Servers to the Community on page 60

Deleting a Server from the Community

Perform the following if you would like to remove a single server from the community. If the server being deleted manages resources, ownership of these resources will be transferred to the server to which you are logged in when performing the delete operation. This additional operation may take some time to process completely.

IMPORTANT: When you delete a server from the community, make sure you are not logged into a secondary server of a replicating pair. This will reassign the resources from the deleted server to the secondary server. If this occurs, reassign the resources to a primary (or standalone) server.

If you would like to delete a replicating pair, see Deleting a Replicating Pair on page 64. Additional information is also available for servers in a NAT environment. See Deleting a Server behind a NAT Firewall from the Community on page 65.

To remove a server from the community:

1 Click Administration, then click Community to access the Current Communities pane.

2 Click or highlight the server from the list.

3 Click Delete.

Deleting a Replicating Pair

A replicating pair can only be added to or deleted from a community as a single unit.

To remove a replicating pair from the community:

1 Click Administration, then click Community to access the Current Communities pane.

2 Click or highlight both the primary and secondary systems from the list.

3 Click Delete.

Deleting a Server behind a NAT Firewall from the Community

When an Administrator server behind a NAT firewall is removed from a community, the resources that the server managed are reassigned to the server that does the removal. However, if this server is outside of the firewall, it may not be able to manage the resources, as managing resources across NAT firewalls is not supported. Resources may appear as inaccessible on the Resources > Overview page.

If this occurs, reassign the resources through the Details pane on the Resources > Overview page to another Administrator server that is behind the same firewall as the resources. You can also delete the resources from the Administrator.

6

Configuring the Administrator Server

Use the pages within the Administration menu to set or configure properties of the Administrator Server and the Administrator installation:

Administration > Overview Page Options on page 67

Configuring Access Control on page 80

Administration > Overview Page Options

Access and configure the following system settings through the Administration pane on the Overview page:

Setting Session Control on page 67

Specifying Server Control Options on page 69

Specifying a Shared File Storage Path on page 70

Database Replication and Replication Status on page 72

Email Server Configuration on page 78

Setting Session Control

Session control, or session management, controls the time a user has access to Administrator and ends a user's session when the user is inactive. Options include:

Inactive time. The maximum amount of time in minutes the user can be logged in without interacting with the browser. The user session terminates after the designated time.

Total session time. The maximum amount of time in hours the user is allowed to use Administrator within a single session. The user session terminates when the limit is reached.

Setting the Inactive time and Total session time parameters to 0 (zero) allows users uninterrupted access to Administrator.

Use Proxy. If you use a Proxy server to access the Internet, you must enable and specify proxy settings to download and execute automatic downloads of operating system patches or other downloads available from Network General. You must specify both the Proxy Host and the Proxy Port.

After enabling Use Proxy, enter information in the Proxy Host and Proxy Port fields. For Proxy Host, enter the IP or name of the proxy server. For Proxy Port, enter the five digit value for the port.

NOTE: For Administrator to support resources “outside” or on the other side of a proxy environment, you must point the resource gateway to the outside interface of the Proxy server.

Also see Supported Proxy Environment on page 68.

To set the session control parameters:

1 Click Administration.

2 In the Session Control area, enter new values for Inactive time, Total session time, and Proxy settings as desired.

3 Click Save.

Supported Proxy Environment

Figure 6-1 illustrates a sample, supported proxy environment.

NOTE: Think of ‘internal networks’ as different offices or locations, such as “Internal network 1 - San Jose,” and “Internal network 2 - Chicago.”

Table 6-1. Sample Supported Proxy Scenario

Internal Network 1                    | Internal Network 2
Sniffer Enterprise Administrator - A  | Sniffer Enterprise Administrator - B
Sniffer Enterprise Visualizer - A     | Sniffer Enterprise Visualizer - B
Sniffer Enterprise NetVigil - A       | Sniffer Enterprise NetVigil - B
Sniffer Distributed Agents - A, B, C  | Sniffer Distributed Agents - D, E, F
Sniffer InfiniStream - A              | Sniffer InfiniStream - B

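Figure 6-1. Sample Supported Proxy Environment (diagram labels: Internal Network A, Proxy Server A, Router A, WAN, Internet and Network General, Router B, Proxy Server B, Internal Network B)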

Specifying Server Control Options

Server control consists of the following fields:

File Transfer Rate (megabits/s). This controls the maximum bandwidth in bits per second for uploads and downloads of files to Administrator. This setting does not affect browsing. Adding any number in the field turns this feature on. If this value is set to zero, throttling is disabled, but file transfer is not disabled.

Resource Refresh Interval (minutes). The interval at which Administrator pings managed resources and updates resource status and other resource-related information.

Connection Timeout (seconds). The HTTPS communication timeout. Limits the amount of time Administrator waits to communicate with an HTTPS server, for example during resource discovery and pinging. Possible values allowed are either 0 (for an unlimited connection) or integers of 10 or more. Setting the connection timeout below 60 seconds is not recommended, as this may cause discovery failures and false reports of resources being unavailable.

Activity Log Purging Option. The interval in which you would like to clear the activity log contents. Select Monthly, Weekly, or Daily. Monthly data purging occurs on the first of each month at 1:00 AM. Weekly data purging occurs each Monday at 1:00 AM. Daily data purging occurs every day at 1:00 AM.

If you have a pair of replicating Administrator systems, configure Activity Log purging on one system or the other, but not both.

IMPORTANT: If you change the Activity Log Purging option on the Administration > Overview page, please restart the Network General Enterprise (Administrator) service through the Administration > Overview page or the Control Panel > Administrative Tools > Services on the Administrator Appliance.

NOTE: Before a scheduled data purging, the contents of the Activity Log are saved to a CSV file, zipped, and emailed to the list of email destinations. See Email Server Configuration for email address configuration.

To specify server control options:

1 Click Administration.

2 In the Server Control area, enter new values for File Transfer Rate, Resource Refresh Interval, Connection Timeout, and/or Activity Log Purging as desired.

3 Click Save.

4 On the Administration > Overview page, restart the Administrator service by clicking Restart Sniffer Enterprise Administrator.

Specifying a Shared File Storage Path

The file storage path on the Administration > Overview page specifies the location where files shared between resources and Administrators are saved. Shared files include software update packages. The same file storage path should be specified on each Administrator machine.

NOTE: Please be aware that changing the file storage path without first copying shared files from the previous shared directory to the new directory may leave existing shared filters inaccessible to resources. Software update packages may also not be available.

If two or more Administrator Appliances are being used, it is recommended that the File Storage field points to a centralized, secure location on your network accessible by all Administrator Appliances. This location should be backed up separately if possible.

WARNING: The Administrator Backup/Restore Tool does not back up and restore data in the directory specified in the File Storage field. It is important to back up this data manually if desired.

To specify a shared file storage path:

1 Click Administration.

2 In the Administration pane, enter a path in the File Storage field to point to a common directory where shared files are stored.

NOTE: Because of Operating System limitations, Administrator cannot detect mapped drives. When you attempt to configure a storage path to a location on a mapped drive, a "Path does not exist" error message occurs. To prevent this, specify the UNC path for the storage path location.

3 Click Save.

4 Repeat the above steps on each Administrator machine.

Changing the File Storage Path to a Shared Network Drive

If you would like to have the file storage path on a shared network drive, please note the following necessary configurations.

To support a file storage path on a shared network drive:

1 Perform the following on the Administrator Appliance:

a Ensure the Network General Enterprise (Administrator) service is running.

b Create a user on Administrator and make that user a member of the Administrators group. This user must have a password.

c Configure the Network General Enterprise service to log on using that new user (as opposed to the usual default “local system account”).

d Make sure that the location you are sharing from allows this user read/write access.

NOTE: If the password is changed for this user, the service logon password will also need to be updated.

2 Perform the following on the system containing the folder which will be shared:

a Create a Windows user with the same name and password as the user who was created on the Administrator Appliance.

b Add the new user to the Access this computer from the network setting in the Windows Local Security Policy utility.

NOTE: This is the same utility we refer to in the Remote Reimage documentation when we reference the Local Security Policy Administrative Tool.

c Right-click the folder to be shared and select Sharing and Security…

d Share the folder with Full Control access for Everyone.

e Explicitly set the folder permissions to include Full Control access for the specific new user created above.

Database Replication and Replication Status

Two properly installed and configured Administrator systems may be set up to replicate data between themselves. In such a configuration, the two Administrator databases will act as dynamic backups for each other. Replication configuration and status are displayed on the Administration Overview page.

NOTE: When replication is working normally, updates applied to the primary database will propagate to the secondary database and vice versa with a few exceptions — the File Transfer Rate, Resource Refresh Interval, Connection Timeout, Activity Log Purging, and Shared File Storage Path settings are not replicated.

How Replication Works

A replicating pair consists of one primary Administrator Appliance and one secondary Administrator Appliance. After the administrative user logs in, accesses the Administration Overview page, and specifies the second Administrator Appliance (the remote host) as the replicating Appliance (see Configuring Database Replication on page 74), Administrator begins the database replication process behind the scenes. The Administration Overview page displays the replication status as of the last time the Administration Overview page was refreshed. See Viewing Replication Status on page 78 for more information.

If replication is stopped at one end, the normal recovery procedure is to load a snapshot of the primary database onto the secondary system. If replication stops on the primary, the effect is that updates applied on the secondary will not propagate to the primary until the recovery procedure is performed.

Likewise, if replication stops on the secondary, updates applied on the primary will not propagate to the secondary until recovery is performed. In normal operation, a secondary does not:

Execute scheduled auto-captures. You can define auto-captures at either end, but only the primary actually runs them.

Process alarms (both primary and secondary can receive traps, but only the primary translates those traps into event records in our DB).

However, in the unlikely event that replication is stopped at both ends, you'll need to decide which database to keep (which data is more valuable, which data is a more reliable base to start with, or both) and then load a snapshot of the primary database onto the secondary database, or vice versa. You cannot selectively save data from both databases. Merging data between the databases on the two systems is not supported. See Recovering from a Replication Stoppage on page 191 for more information.

See also:

Replication and Licensing on page 73

Configuring Database Replication on page 74

Viewing Replication Status on page 78

Database Replication Troubleshooting on page 188

Replication and Licensing

In a replicating pair, the primary and secondary systems pool their licenses to manage a common set of resources. The license limit of the secondary system might (or might not) be the same as the license limit of the primary system.

For example, if the primary is licensed for 100 resources and the secondary is licensed for 20 resources,

the Administration > Overview page on the primary displays "100" for Licenses of this Administrator.

the Administration > Overview page on the secondary displays "20" for Licenses of this Administrator

the Total Licenses Configured for both systems displays as "120".

The Total Licenses Configured value indicates the maximum possible number of resources that the replicating pair can manage.

Resource discovery is not allowed for the secondary system in a replicating pair. To add resources to the pair, discover those resources from the primary. To increase the license limit for the pair, upgrade the license on either the primary or the secondary system. See Requesting and Loading Additional Licenses on page 29 for more information.

Configuring Database Replication

Before setting up two systems in a replicating pair, make sure all of the following requirements are met:

The prospective primary and secondary must be non-replicating Administrator Appliances. The following configuration procedure assumes that the primary and secondary systems have already been installed successfully as non-replicating Administrator Appliances.

In a replication setup, both systems must have the same database root password. Use the Database Administration tool (documented in the Sniffer Enterprise Administrator Installation Guide) to change the password if necessary.

It is required that you specify the same external file storage path for both the primary and secondary Administrator machine. See Specifying an External Storage Path on page 78 for more information.

There must be no alarms coming in to either system. This applies to first-time replication set up as well as system type reversal. Once the replicating pair is verified up and running, you can resume receiving alarms at the primary, secondary, or both.

NOTE: When entering a DNS name in the Replicating with Host (IP/DNS) field, make sure to use the name that your enterprise DNS server(s) return for the IP address of the host. For example, if nslookup returns a fully qualified domain name such as server1.engr.company.local, enter this name and not just server1. Also, Network General recommends using IP addresses instead of DNS names to identify replicants unless your enterprise DNS forward and reverse lookups return matching results (that is, the lookup by unqualified name returns the IP address, and the lookup by IP Address returns the unqualified name).

To configure database replication:

1 On the primary Administrator Appliance, perform the following:

a Log into the primary Administrator Appliance as a user with administrative privileges.

b Click Administration.

c In the Replication area within the Administration pane, enter the IP address or DNS name of the secondary or remote host in the Replication with Host (IP/DNS) field.

The remote host is the machine where the database of the primary Administrator Appliance will be replicated. Administrator does not validate IP addresses.

d Click Save and log out of the primary Administrator Appliance.

e Stop the Network General Enterprise service through the system Control Panel. Do not restart the service until you have completed the procedure.

f Execute the following from a command prompt: C:\mysql\bin\convertToPrimary.bat <secondary-IP-address> db_root_password

The password is entered after the IP address.

2 On the secondary Administrator Appliance, perform the following:

a Log into the secondary Administrator Appliance as a user with administrative privileges.

b Click Administration.

c In the Replication area within the Administration pane, enter the IP address or DNS name of the primary Appliance in the Replication with Host (IP/DNS) field.

The remote host is the machine name or IP of the primary Administrator Appliance.

d Click Save and log out of the secondary Administrator Appliance.

e Stop the Network General Enterprise service through the system Control Panel.

f Execute the following from a command prompt: C:\mysql\bin\convertToSecondary.bat <primary-IP-address> db_root_password

The password is entered after the IP address.

g Stop the MySQL service.

h Edit the MySQL configuration file (C:\my.cnf). Change the server-id value from 1 to a unique value less than the maximum number allowed.

IMPORTANT: Make sure the primary and secondary server-id values are different. The value in the primary cannot equal the value in the secondary. MySQL requires unique server IDs for successful database replication. Also ensure that the server-id is not used by two Administrators in a community. See Viewing Members of the Community on page 59 for an understanding of how the server-id affects a community.

i Restart the MySQL service.

3 Restart the Network General Enterprise service on the primary Appliance through the Appliance’s Control Panel (Start > Settings > Control Panel > Administrative Tools > Services).

NOTE: Through the Control Panel, the service is named Network General Enterprise service; however, it is the same service that is also started and/or stopped through the Administration > Overview page.

4 Restart the Network General Enterprise service on the secondary Appliance through the Appliance’s Control Panel (Start > Settings > Control Panel > Administrative Tools > Services).

IMPORTANT: Allow one minute for the MySQL replication initialization between the two MySQL instances to complete before attempting to create a snapshot.

5 Load the secondary database from the primary database by performing the following steps in the c:\MySql\bin subdirectory. This procedure is also described in Database Recovery Procedure on page 189.

a On the primary, execute “stopAdminSvc ADMIN1”. (This example provides the Database root password on the stopAdminSvc command line.) Wait 30 seconds before continuing.

b On the secondary, execute “createSnapshot.bat <primary IP Address> ADMIN1” to create a snapshot of the primary system's data.

c On the secondary, execute “LoadSnapshot remoteSnapshot ADMIN1” to load the snapshot just created. Wait one minute before continuing.

d On the primary, execute “startAdminSvc ADMIN1”. (This example provides the Database root password on the startAdminSvc command line.)

You may encounter problems here if your firewall is on and the MySQL port is not open. Check that your firewall is off, or open the MySQL port in the firewall exception list.

IMPORTANT: Allow 30 seconds to 1 minute for the MySQL replication initialization between the two MySQL instances to complete before attempting to create a snapshot.

6 On the primary and the secondary, verify the Replication Status at the bottom of the Administration > Overview page. See Viewing Replication Status on page 78. If replication is good at both ends, then the Replication set up is complete.

NOTE: The Administration > System Status page also provides the System Type in the Details section. See System Summary on page 18 for more information.

7 After initially setting up and verifying a replicating pair, it is recommended that you immediately create a snapshot of each database. Save the snapshots in a safe location other than the primary or secondary Administrator systems. See the Database Recovery Procedure on page 189 for more information.

IMPORTANT: Allow 30 seconds to 1 minute for the MySQL replication initialization between the two MySQL instances to complete before attempting to create a snapshot.

It is also recommended that you create a new snapshot of a system's database after that system's MySQL binary logs are purged, or when that system's database has been overwritten due to replication recovery.

Creating snapshots in this fashion ensures you will have consistent snapshots of each system, with valid replication coordinates. Save the most recent possible snapshot for each system in a safe location, other than the primary or secondary Administrator system.

WARNING: The replication recovery process takes data from one server and overrides all data on the other server. For example, if you resynchronize the Secondary server data with the Primary server data, all data residing on the Secondary server will be lost. If you choose to resynchronize the Primary server data with the Secondary server data, all data residing on the Primary server will be lost.
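Two of the prerequisites in this procedure can be checked before any service is stopped: the server-id values in each system's C:\my.cnf must differ, and a DNS name is only safe in the Replicating with Host (IP/DNS) field when forward and reverse lookups agree. The following is an added example, not part of the guide or of Network General's tooling; the function names, the sample my.cnf text and the address 10.1.1.5 are constructed, and the upper bound on server-id is MySQL's documented range rather than a value stated in the guide.

```python
"""Pre-flight checks for a replicating pair (added example, not vendor tooling)."""
import re
import socket

MAX_SERVER_ID = 2**32 - 1  # MySQL's documented upper bound; the guide does not state it
_SECTION = re.compile(r"^\s*\[([^\]]+)\]")
_SERVER_ID = re.compile(r"^\s*server[-_]id\s*=\s*(\d+)\s*(?:#.*)?$", re.IGNORECASE)


def server_id_from_cnf(text):
    """Return the effective server-id from the [mysqld] group, or None."""
    section, found = None, None
    for line in text.splitlines():
        header = _SECTION.match(line)
        if header:
            section = header.group(1).strip().lower()
            continue
        setting = _SERVER_ID.match(line)
        if setting and section == "mysqld":
            found = int(setting.group(1))  # a later occurrence overrides an earlier one
    return found


def server_id_findings(cnf_by_host):
    """Report missing, out-of-range or duplicated server-id values.

    cnf_by_host maps a host label to the text of that host's my.cnf. Include
    every Administrator in the community, not only the replicating pair.
    """
    findings, seen = [], {}
    for host, text in cnf_by_host.items():
        sid = server_id_from_cnf(text)
        if sid is None:
            findings.append(f"{host}: no server-id in [mysqld]")
        elif not 1 <= sid <= MAX_SERVER_ID:
            findings.append(f"{host}: server-id {sid} is out of range")
        elif sid in seen:
            findings.append(f"{host}: server-id {sid} is already used by {seen[sid]}")
        else:
            seen[sid] = host
    return findings


def _reverse(ip):
    return socket.gethostbyaddr(ip)[0]


def replication_host_value(name, forward=socket.gethostbyname, reverse=_reverse):
    """Return what to enter in 'Replicating with Host (IP/DNS)' for `name`.

    The DNS name is returned only when the reverse lookup of its address gives
    back that same name; otherwise the IP address is returned, following the
    guide's recommendation to prefer IP addresses when lookups do not match.
    The resolver functions are injectable so the check can be run offline.
    """
    ip = forward(name)
    returned = reverse(ip)
    if returned.rstrip(".").lower() == name.rstrip(".").lower():
        return name
    return ip


if __name__ == "__main__":
    # Constructed sample data: both systems still carry the default server-id of 1.
    primary_cnf = "[mysqld]\nserver-id=1\n"
    secondary_cnf = "[mysqld]\n# server-id=5\nserver_id = 1\n"
    for finding in server_id_findings({"primary": primary_cnf, "secondary": secondary_cnf}):
        print(finding)

    # Constructed DNS data modelled on the guide's server1.engr.company.local example.
    forward = {"server1": "10.1.1.5", "server1.engr.company.local": "10.1.1.5"}
    reverse = {"10.1.1.5": "server1.engr.company.local"}
    for candidate in ("server1", "server1.engr.company.local"):
        print(candidate, "->", replication_host_value(candidate, forward.get, reverse.get))
```
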

Specifying an External Storage Path

It is also required that you specify the same external file storage path for both the primary and secondary Administrator machine. See Changing the File Storage Path to a Shared Network Drive on page 71 for detailed information.

Viewing Replication Status

View the Replication Status from the Administration > Overview page. The section in the lower-right portion of the pane contains Replication status information. Status indicators represent the following:

Good. Database replication is active, or on. All data transactions made to the Primary Administrator database are being replicated to the Secondary Administrator database, and vice versa.

Resynchronizing. A successful connection to the remote host has been made. The local host is catching up with updates applied to the remote host’s database (database replication is in progress).

Reconnecting to remote host. Contact has been lost with the remote host and the local host is trying to re-establish contact. No updates are propagating from the remote host to the local host while the local host is in this state. Replication stoppage has not been detected, but stoppage may occur when network connectivity is regained.

Stopped. Database replication is inactive. The replication process may terminate when the network connectivity between the Primary and Secondary Administrator databases is unavailable. Replication may also stop if the primary system could not apply a database update propagated from the secondary, or vice versa.

Not currently configured. Database replication is not running or “off” as indicated by the configuration settings (an IP address has not been entered in the Replication with Host (IP/DNS) field). This is the normal state for newly installed Administrator systems.

Email Server Configuration

Configure the properties of the email server you will use to send alarm notification and other automated Administrator activities involving notification. One such activity is sending notice of new users automatically added because of successful authentication.

To configure the email server:

1 Click Administration.

2 Within the Email Server Configuration section on the Administration pane, enter the following:

SMTP Server. Name or IP address of the SMTP server.

Sender Email. Enter a valid email address for the Administrator system administrator or user. This name or address will appear in the email header as the sender of the notifications received via email.

Email Recipients. Enter one or more email addresses that should receive automated messages from the Administrator Appliance. Separate multiple addresses entered in the box with a comma.

All email destinations entered will receive Administrator activity notices, including Alarm notifications and new user authorization messages. If activity log data purging is set on the Administration > Overview page, the activity log data is converted into CSV format, zipped, and emailed to all the email addresses listed. Specific alarm notifications set through Alarms > Automation page are not sent to the email destinations.

Delete entries by highlighting the individual entry in the field and pressing Delete on the keyboard.

3 If desired, click Send Test Email to test the email configuration. This generates a test email which you can use to confirm the SMTP Server and email recipient entries are correct and functioning properly.

4 Select Notify email recipients on completion of software update to enable the Administrator server to send an e-mail to the listed recipients upon completion of software updates.

5 Click Save.

Restarting the Administrator Service

Some Administrator configurations require a restart of the Administrator service. There are two ways to restart the Administrator service: through the Appliance’s Control Panel (Start > Settings > Control Panel > Administrative Tools > Services), or through the Administrator interface. Through the Control Panel, the service is named Network General Enterprise service; however, it is the same service that is also started and/or stopped through the Administration > Overview page.

WARNING: Restarting the Administrator service terminates all active Administrator sessions. If you are logged into Administrator when the service is restarted, you must log in again.

To restart the Administrator service through the interface:

1 Click Administration.

2 Click Restart Sniffer Enterprise Administrator at the bottom-right corner of the Administration pane.

3 Click OK to confirm and restart the service.

Configuring Access Control

Configure access control to allow or deny access from a specified Console or client machine to Administrator and the resources managed by it, including Sniffer Distributed, InfiniStream, and Visualizer units. Access from a Console is allowed or denied based on the machine's IP address.

The Administration > Access Control page provides the following panes:

Add IP Address

Select Method

Access Control IP List

See also:

Setting Session Control on page 67

Using a Range to Build the IP List on page 82

Add IP Address

Use this pane on the Administration > Access Control page in combination with the Select Method pane to create an Access Control IP List. After selecting either Allow only the IPs in the list or Disallow only the IPs in the list on the right side, enter the desired IP address or a valid range in the fields provided.

See Setting Access Control on page 81 and Using a Range to Build the IP List on page 82 for additional information.

Select Method

Use this pane on the Administration > Access Control page in combination with the Add IP Address pane to create an Access Control IP List. After selecting either Allow only the IPs in the list or Disallow only the IPs in the list, enter the desired IP address or a valid range in the fields provided.

See Setting Access Control on page 81 and Using a Range to Build the IP List on page 82 for additional information.

Access Control IP List

The IP List provides the complete list of addresses for client machines allowed (or disallowed if specified in the Select Method pane) to access Administrator.

Use the Select Method and Add IP Address panes on the Administration > Access Control page to create the IP List.

See Setting Access Control on page 81 and Using a Range to Build the IP List on page 82 for additional information.

Setting Access Control

To set access control:

1 Click Administration, then click Access Control.

2 Select an access control level in the Select Method pane:

Allow only the IPs in the list. Allows access to machines with the IP addresses appearing in the IP List. See Using a Range to Build the IP List on page 82.

NOTE: If you set access control using Allow only the IPs in the list and you would like to access the Administrator Login page directly from the Administrator Appliance using localhost, please add 127.0.0.1 to the Allow only the IPs in the list section. Also remove 127.0.0.1 from the Disallow only the IPs in the list section.

Disallow only the IPs in the list. Denies access to machines with the IP addresses appearing in the IP List.

NOTE: Direct access to Appliances managed by Administrator (for users attempting to access the Appliance directly through the Appliance’s URL) will be blocked if the IP address of the machine attempting to access the managed Appliance is disallowed.

3 Enter a single IP address or an IP address range in the appropriate fields in the Add IP Address pane. See Using a Range to Build the IP List. Repeat as necessary for single IP addresses.

4 Remove addresses from the IP List by selecting the address and clicking Delete.

5 Click Save to apply any changes, or click Cancel to return to your original settings.

IMPORTANT: The current browser's IP address has to be included for Allow only the IPs in the list and excluded for Disallow only the IPs in the list.

Using a Range to Build the IP List

You can specify a range of IP addresses when building the Address IP list under Configuring Access Control. When doing so, use a range in the last place only. For example: 145.145.145.145-160. Do not use 145.145.145-160.145.
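The following Python sketch is an added example, not part of the original guide or of Administrator itself. It expands IP List entries in the format described above (a range in the last place only), applies the selected method, and checks the two lockout cases noted under Setting Access Control; the function names and the sample addresses are assumptions made for illustration.

```python
import ipaddress

ALLOW_ONLY = "Allow only the IPs in the list"
DISALLOW_ONLY = "Disallow only the IPs in the list"


def parse_entry(entry):
    """Expand 'a.b.c.d' or 'a.b.c.d-e' into a list of IPv4Address objects.

    A range is accepted in the last place only, as the guide requires.
    """
    parts = entry.strip().split(".")
    if len(parts) != 4:
        raise ValueError(f"{entry!r}: expected four dot-separated fields")
    *head, last = parts
    if any("-" in part for part in head):
        raise ValueError(f"{entry!r}: a range is allowed in the last place only")
    low_text, _, high_text = last.partition("-")
    if "-" not in last:
        high_text = low_text  # single address: start and end are the same
    try:
        low, high = int(low_text), int(high_text)
    except ValueError:
        raise ValueError(f"{entry!r}: range bounds must be numbers") from None
    if not 0 <= low <= high <= 255:
        raise ValueError(f"{entry!r}: need 0 <= start <= end <= 255")
    prefix = ".".join(head)
    # IPv4Address validates the first three fields (raises a ValueError subclass).
    return [ipaddress.IPv4Address(f"{prefix}.{n}") for n in range(low, high + 1)]


def build_ip_list(entries):
    """Build the complete IP List from single addresses and ranges."""
    ip_list = set()
    for entry in entries:
        ip_list.update(parse_entry(entry))
    return ip_list


def is_allowed(client_ip, ip_list, method):
    """Apply the method chosen in the Select Method pane to one client."""
    listed = ipaddress.IPv4Address(client_ip) in ip_list
    if method == ALLOW_ONLY:
        return listed
    if method == DISALLOW_ONLY:
        return not listed
    raise ValueError(f"unknown method {method!r}")


def lockout_warnings(ip_list, method, browser_ip, use_localhost=False):
    """Pre-save check for the two lockout cases the guide calls out."""
    warnings = []
    if not is_allowed(browser_ip, ip_list, method):
        warnings.append(f"current browser {browser_ip} would be denied")
    if use_localhost and not is_allowed("127.0.0.1", ip_list, method):
        warnings.append("localhost (127.0.0.1) would be denied on the Appliance")
    return warnings


if __name__ == "__main__":
    # Constructed sample list: the guide's example range, without 127.0.0.1.
    sample = build_ip_list(["145.145.145.145-160"])
    for line in lockout_warnings(sample, ALLOW_ONLY, "145.145.145.161",
                                 use_localhost=True):
        print("WARNING:", line)
```
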

7

Creating and Managing Users

This section provides user management information, including:

User Administration when Administrator is Managing Other Devices on page 83

Viewing the Users Page on page 84

Adding Users on page 85

User Roles on page 87

Editing Users on page 94

Getting User Reports on page 97

User Administration when Administrator is Managing Other Devices

When a Visualizer Appliance is managed by Administrator:

A message appears on the Administration tab > SE Administrator pane of the Visualizer window indicating the Visualizer device is being managed by an Administrator device. The User tab in the Visualizer application is also disabled. All user management activities for Visualizer users must be performed in Administrator. Information for creating users with Visualizer permissions, editing, and managing users is provided in this section.

When an InfiniStream Capture Engine is managed by Administrator:

There is no visible indication in the Console window that a Capture Engine is managed by Administrator. The Accounts tab options in the InfiniStream Administration window are still active and available. However, these options only affect the accounts set up locally on the Capture Engine. All additional information related to user management when an InfiniStream Capture Engine is managed by Administrator is contained within the InfiniStream documentation. A summary is provided in the “Working with Network General Enterprise Products” appendix in the Sniffer Enterprise InfiniStream User Guide.

This appendix also provides detailed information on using InfiniStream with Administrator, including usage notes and supported Administrator features.

When a NetVigil Appliance is managed by Administrator:

Administrator controls access to NetVigil through user creation and domain membership. Users are added to NetVigil by adding user(s) to a domain containing the NetVigil Appliance, or adding NetVigil to a domain containing the desired user(s). Changes in user assignments are transparently communicated to NetVigil. Each domain can contain no more than one NetVigil Appliance. However, each instance of NetVigil can belong to multiple domains as required.

Viewing the Users Page

The Users page provides a list of the current users in the Administrator system. From the Users page, you can:

See the user properties and domains each user belongs to on the Users List on page 84.

Create system users with Adding Users on page 85.

Assign users a predefined role with User Roles on page 87.

Update user information by Editing Users on page 94.

Access user data by Getting User Reports on page 97.

Remove users from the system by Deleting Users on page 96.

NOTE: To view a list of active Administrator users, click the Administration tab, then click System Status. The list provides the users currently logged in and the IP address for that user.

Users List

The current Administrator Users list is displayed after clicking the Users tab.

Information provided for each user listed in the Users pane includes name, assigned role, and a description. Click any column heading to sort the list by that user property.

From this pane you can also:

View User Activities. Click Show Activity within the Activity column to view current activities for that user, or click an available action from the Actions column.

Edit Users. Clicking the edit icon in the Actions column opens the Edit User Account page. On this page you can edit the user properties and change the user permissions through the assigned role. See Editing User Roles on page 93 for more information.

Print. Click to print the contents of the list as it appears onscreen.

Export to CSV. Click to export the contents of the list into a CSV formatted file. Saved files will open in Excel if you have Excel installed on your client system.

User Details

Details for the user selected in the Users pane are provided in the Details pane within the Users tab. Information includes user name, email address, description, permissions allowed to the user, domains the user is a member of, and resources the user is allowed access to.

MultiSegment Sessions indicates whether the user owns one or more MultiSegment Intelligence sessions. When you delete a user, any MultiSegment Intelligence session(s) owned by that user are retained so that administrators can access them when necessary.

If the column provides a number, the number represents the number of sessions. An administrator must reassign that user’s session(s) before deleting the user from Administrator.

Adding Users

The default user name is administrator and the password is sniffer. To add additional users to the system and grant user privileges, perform the following.

NOTE: Carriage returns are not allowed as input in any field within the User pages.

To add users:

1 Click the Users tab, then click Add User.

2 Under Step 1, enter information about the user.

Administrator supports the use of period (.), underscore (_), or hyphen (-) in user names.

Passwords must be at least eight characters and comply with the recommendations detailed in Password Security Guidelines in the Administrator User Guide.

NOTE: The password set here is only in effect when Administrator authenticates a user against its local database.

a In the Account Expiration Date fields, select an expiration date. This expiration date option stops the user from accessing Administrator at the specified future date.

b Enter an optional description.

c Select a role from the Role drop-down menu. After selecting, the permissions allowed for a user are summarized in the pane. If the predefined roles are not suitable for the new user, create a new role following Creating New Roles in the Administrator User Guide.

3 Under Step 2, specify that the user is a member of one or more domains by moving one or more domain names from the Available Domains column to the Selected Domains column.

Domain membership allows user access to resources within the domains. The list of resources this user may access is updated after adding domain membership and saving changes to the user profile.

NOTE: When creating a new user and including that user in a domain with NetVigil resources, you are prompted to assign NetVigil permissions. See NetVigil Membership on page 95.

4 Click Save All Changes to add the new user to the system.

Password Security Guidelines

Administrator requires that the minimum password length is six (6) characters. Allowable password characters are upper and lower case letters [A-Za-z], digits [0-9], and certain special characters. Administrator supports the use of exclamation point (!), 'at' sign (@), dollar sign ($), caret (^), asterisk (*), left or right parenthesis, or period (.) in passwords.

Network General strongly recommends that you follow accepted practices for creating secure passwords:

Do include both upper and lower case letters.

Do include numbers.

Do not leave your passwords too short. Network General recommends a minimum of eight characters.

Do not use dictionary words for passwords.

Examples of acceptable passwords based on these principles include 13ghostS, 4mula1ne, or 3jbx82Z.

Limitations of User Properties

When adding or editing user properties, please note the following limitations:

Limit the user’s first and last name to 15 characters.

Limit the password to 25 characters.

Limit the phone field to 18 characters.

Limit the description to 25 characters.

Carriage returns are not allowed as input in any field within the User pages.

Do not include spaces in the Email field.

When entering values for fields (including user name and passwords), do not use unsupported characters or symbols.

NOTE: Though Administrator allows you to create new passwords that begin with a numeral, InfiniStream's Linux Operating System requires passwords to begin with an alphabetic character. Therefore, authentication requests fail unless you create a password starting with an alphabetic character in Administrator.
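The following Python check is an added example, not Network General's code. It applies the character set and length limits from Password Security Guidelines and Limitations of User Properties, including the InfiniStream leading-letter requirement; treating six characters as the enforced minimum and eight as the recommended one, the result codes, and the one-word dictionary are assumptions.

```python
import string

# Characters the guide lists as allowable in passwords.
ALLOWED_CHARS = set(string.ascii_letters + string.digits + "!@$^*().")
MIN_LENGTH = 6           # minimum stated in Password Security Guidelines
RECOMMENDED_LENGTH = 8   # minimum Network General recommends
MAX_LENGTH = 25          # limit from Limitations of User Properties


def check_password(password, for_infinistream=False, dictionary=()):
    """Return (errors, warnings) as lists of short result codes.

    errors   -> the password breaks a stated limit
    warnings -> the password ignores a stated recommendation
    `dictionary` is a collection of lowercase words (assumed input).
    """
    errors, warnings = [], []

    if len(password) < MIN_LENGTH:
        errors.append("too_short")
    if len(password) > MAX_LENGTH:
        errors.append("too_long")
    # Carriage returns and spaces fall outside ALLOWED_CHARS as well.
    if any(ch not in ALLOWED_CHARS for ch in password):
        errors.append("unsupported_character")
    first = password[:1]
    if for_infinistream and not (first.isascii() and first.isalpha()):
        # InfiniStream's Linux OS rejects passwords that do not start
        # with an alphabetic character.
        errors.append("leading_non_letter")

    if len(password) < RECOMMENDED_LENGTH:
        warnings.append("shorter_than_recommended")
    has_upper = any(ch.isupper() for ch in password)
    has_lower = any(ch.islower() for ch in password)
    if not (has_upper and has_lower):
        warnings.append("no_mixed_case")
    if not any(ch.isdigit() for ch in password):
        warnings.append("no_digit")
    if password.lower() in dictionary:
        warnings.append("dictionary_word")

    return errors, warnings


if __name__ == "__main__":
    words = {"sniffer"}  # constructed one-word dictionary
    for candidate in ("13ghostS", "4mula1ne", "3jbx82Z", "sniffer"):
        result = check_password(candidate, for_infinistream=True,
                                dictionary=words)
        print(candidate, result)
```

Run against the sample passwords listed in Password Security Guidelines, it reports leading_non_letter for all three when for_infinistream is set, because each begins with a numeral.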

User Roles

Roles are a collection or group of user permissions given a single name within Administrator.

By default, Administrator has system-defined roles for SystemAdministrator and NetworkUser. Select one of the roles from the list and the pane on the right refreshes with configured permissions.

The following operations are available from the Roles pane:

Creating New Roles on page 87

Permission Settings for Roles on page 88

Creating New Roles

If the predefined system roles are not suitable for your system users, you can create new roles through the Roles page.

To create a new role:

1 Click Users, then click Role Configuration.

2 Under Create New Role, enter the name of the role in the field provided.

3 Select the permissions to grant to the user. See:

Sniffer Distributed Appliance Permissions on page 89

MultiSegment Intelligence Permissions on page 90

Enterprise Administrator Permissions on page 90

Enterprise Visualizer Permissions on page 90

InfiniStream Permissions on page 91

NOTE: For role purposes, an Application Intelligence Appliance is considered a Sniffer Distributed Appliance. Administrator’s Roles page shows only Sniffer Distributed permissions. AppIntell will not be displayed as another resource type. If you would like to allow a user AppIntell permissions, specify Sniffer Distributed permissions for that user.

4 Click Create.

Permission Settings for Roles

You can view the Permission Settings for each role by selecting the role from the list on the left of the Roles page. The permissions appear in the box on the right. Permissions are grouped by Sniffer Distributed Appliance Permissions, MultiSegment Intelligence Permissions, Enterprise Administrator Permissions, Enterprise Visualizer Permissions, and InfiniStream Permissions.

Notes about roles:

The SystemAdministrator role cannot be edited or deleted.

The administrator user is always assigned the SystemAdministrator role.

A role that is currently assigned to at least one user cannot be deleted.

For role purposes, an Application Intelligence Appliance is considered a Sniffer Distributed Appliance. Administrator’s Roles page shows only Sniffer Distributed permissions. AppIntell will not be displayed as another resource type. If you would like to allow a user AppIntell permissions, specify Sniffer Distributed permissions for that user.

Sniffer Distributed Appliance Permissions

Sniffer Distributed Appliance options allow the user to configure or perform actions on managed Sniffer Distributed Appliances.

NOTE: For role purposes, an Application Intelligence Appliance is considered a Sniffer Distributed Appliance. Administrator’s Roles page shows only Sniffer Distributed permissions. AppIntell will not be displayed as another resource type. If you would like to allow a user AppIntell permissions, specify Sniffer Distributed permissions for that user.

Permissions include:

Remote Configuration. Allows the user to configure Sniffer Distributed Appliances remotely.

Control Session. Allows the user to control the session from an Agent console. If the user tries to log on to the Appliance and the Appliance already has an active connection, the user can either terminate the currently active connection and become the active user, or become a passive user without disrupting the active connection. (A passive user cannot capture packets, generate traffic, manage the database, or reset real-time statistics from the Agent.)

Database. Allows the user to access, manage, and retrieve information from the Sniffer Distributed Appliance’s database of real-time statistics. The Agent Database menu provides options for managing the Appliance’s real-time statistics database. This menu is grayed-out if the user does not have database access rights.

Reset Stats. Allows the user to reset the Sniffer Distributed Appliance’s real-time statistics from the Agent. When an active user resets real-time statistics, all passive connections will also be reset.

Capture. Allows the user to capture packets on the network. If this box is not checked, the user cannot capture packets, but can view a capture file. Selecting Capture enables the Frame Slicing and Frame Size fields.

Frame Slicing and Frame Size. Allows the user to set the frame slicing option. Selecting Capture enables the Frame Slicing and Frame Size fields. If enabled, select a value (32, 64, 128, 256, or 512 bytes) from the pull down menu to limit the size of the frame. Users will be restricted to the frame size defined in Administrator when resources are under the management of Administrator and if the value set in Administrator is smaller than the value set in Web Console.

GroupWare. Enables GroupWare Mode, which lets an active Agent console user and up to four passive Agent console users share the display of trace data.

MultiSegment Intelligence Permissions

MultiSegment Intelligence options set the user access levels to the MultiSegment Intelligence pages (the Analysis tab in the Administrator interface). Permissions include:

Access. Allows the user to create and view MultiSegment Intelligence sessions, import trace files, and run captures on resources given that the user is a member of the domain(s) to which the resources belong.

Administrator. Allows the user administrative access to MultiSegment Intelligence features. In addition to access rights, a MultiSegment Intelligence administrator has access to other users’ sessions, can view all sessions (unless password protected), copy and delete sessions (even if password protected), and can set certain global MultiSegment Intelligence options.

NOTE: Having administrative access to MultiSegment Intelligence features is necessary, but not sufficient, to start an Analysis session with automatic capture of traffic from Agents. To do so, in addition to administrative access to MultiSegment Intelligence, the user should have the permission to access the Agent and permission to start capture under Sniffer Distributed Appliance Permissions.

Enterprise Administrator Permissions

Under Enterprise Administrator, specify whether or not the user has Administrator system administrator privileges.

Administrator. Allows the user administrative access to all Administrator functions.

NOTE: A user with administrative access can view and access all the resources managed by the Administrator without belonging to a domain which contains the resources. However, the privileges will be limited by the permissions specified under Sniffer Distributed Appliance Permissions, Enterprise Administrator Permissions, and InfiniStream Permissions.

Enterprise Visualizer Permissions

Under Enterprise Visualizer, specify whether or not the user has Enterprise Visualizer system administrator privileges. Enterprise Visualizer Permissions appear on this page only if a Visualizer Appliance has been discovered and is a managed resource.

Administrator. Allows the user administrative access to all Enterprise Visualizer functions.

Regular user. Allows the user access to non-administrative functions.

Monitor user. Allows the user to access the Visualizer Dashboard only.

NOTE: Users with only Visualizer permissions will have access to Visualizer only if they are in a domain containing the Visualizer.

InfiniStream Permissions

Under InfiniStream, specify whether or not the user has InfiniStream system administrator privileges. InfiniStream Permissions appear on this page only if an InfiniStream Appliance has been discovered and is a managed resource.

Monitor. Allows the user to view statistics; however, mining packets is disabled. The user does not have administrative access to the InfiniStream Capture Engine.

Console. Allows the user to view statistics and mine packets. The user does not have administrative access to the InfiniStream Capture Engine.

Admin. Allows the user administrative access to the InfiniStream Capture Engine, including all the rights of the Console user.

Root. Allows the user all the administrative and root access to the InfiniStream Capture Engine.

Domain-specific Role Override

You can associate a user role with a particular domain so that a user can have different types of access to different resources. The user role you assign to a domain overrides the user role for accessing resources in that domain.

You should only use domain-specific roles in situations where a user requires device access permissions different from those defined in their user role.

Figure 7-1 displays the Domain-specific Roles Pull-down Menu in the Edit Domain page (also displays in the Add Domain page) where you can select a user and specify a domain specific role.

Figure 7-1. Domain-specific Roles Pull-down Menu

If a user connects to resources through a domain that has a role, then this role overrides the user’s default role only for these resources.

None of a user’s permissions on Administrator itself are affected by domain-specific roles. For example, if a user is a “SystemAdministrator” (domain role) for an Administrator-managed Sniffer Distributed system, but their user role is “NetworkUser”, the user (still) cannot access the Administration page in Administrator.

Editing User Roles

You can edit default and custom user roles.

NOTE: If a user named “root” is created on the Administrator, then that user will always have the Root permission to the InfiniStream Capture Engine regardless of the InfiniStream Permissions setting on the Administrator.
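The following Python model is an added example, not the product's implementation. It applies the precedence rules from Domain-specific Role Override, the Enterprise Administrator note on administrative users, and the root note above, then lists users whose InfiniStream access through a domain exceeds their own role; the class names, the permission values given to the two system roles, and the sample users and domains are assumptions.

```python
from dataclasses import dataclass, field

# InfiniStream permission levels from the guide, lowest to highest.
INFINISTREAM_LEVELS = ("None", "Monitor", "Console", "Admin", "Root")


@dataclass(frozen=True)
class Role:
    name: str
    administrator: bool = False   # Enterprise Administrator > Administrator
    infinistream: str = "None"    # one of INFINISTREAM_LEVELS


@dataclass
class User:
    name: str
    role: Role                    # the user's own (default) role


@dataclass
class Domain:
    name: str
    members: set = field(default_factory=set)            # user names
    role_overrides: dict = field(default_factory=dict)   # user name -> Role


def can_open_administration(user):
    """Administrator's own pages depend on the user role only;
    domain-specific roles never change this."""
    return user.role.administrator


def role_in_domain(user, domain):
    """Role applied to resources reached through `domain`, or None."""
    if user.name in domain.members:
        # A domain-specific role overrides the user role for these resources.
        return domain.role_overrides.get(user.name, user.role)
    # Administrative users reach managed resources without belonging to
    # the domain, limited by the permissions of their own role.
    return user.role if user.role.administrator else None


def infinistream_level(user, domain):
    """Effective InfiniStream permission level for one user and domain."""
    if user.name == "root":
        # A user named root always has Root on the Capture Engine,
        # whatever the InfiniStream Permissions setting says.
        return "Root"
    role = role_in_domain(user, domain)
    return role.infinistream if role else "None"


def find_elevations(users, domains):
    """List (user, domain, own level, effective level) wherever access
    through a domain is higher than the user's own role grants."""
    rank = INFINISTREAM_LEVELS.index
    findings = []
    for user in users:
        for domain in domains:
            effective = infinistream_level(user, domain)
            if rank(effective) > rank(user.role.infinistream):
                findings.append((user.name, domain.name,
                                 user.role.infinistream, effective))
    return findings


# Constructed sample data; the permission values of both roles are assumed.
SYSTEM_ADMINISTRATOR = Role("SystemAdministrator", administrator=True,
                            infinistream="Admin")
NETWORK_USER = Role("NetworkUser", administrator=False, infinistream="Monitor")
ALICE = User("alice", NETWORK_USER)
ROOT = User("root", NETWORK_USER)
LAB = Domain("lab", members={"alice"},
             role_overrides={"alice": SYSTEM_ADMINISTRATOR})
BRANCH = Domain("branch", members={"alice"})

if __name__ == "__main__":
    for finding in find_elevations([ALICE, ROOT], [LAB, BRANCH]):
        print(finding)
```
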

To edit user roles:

1 Click Users, then click Role Configuration.

The Roles pane on the left side of the screen lists the default and user-created roles in the system.

2 Click to select a role from the Roles pane to open the Edit Role pane on the right side of the screen.

3 Edit the following items as desired:

Sniffer Distributed Appliance permissions. See Sniffer Distributed Appliance Permissions on page 89.

MultiSegment Intelligence permissions. See MultiSegment Intelligence Permissions on page 90.

Enterprise Administrator permissions. See Enterprise Administrator Permissions on page 90.

Enterprise Visualizer permissions. See Enterprise Visualizer Permissions on page 90.

InfiniStream permissions. See InfiniStream Permissions on page 91.

4 After making changes to any of the above options, click Save.

Editing Users

The user profile consists of user information and the permissions granted by the roles assigned to the user. Before editing user settings, review Limitations of User Properties on page 87.

NOTE: Changing a user password in Administrator will invalidate all browser sessions for the user if the user was last successfully authenticated by an external server. The user will have to log in again.

To edit users:

1 Click the Users tab.

2 Click the edit icon next to the desired user.

NOTE: If this user is a member of a domain that also includes one or more NetVigil installations, this page will display the NetVigil Membership pane. See NetVigil Membership on page 95 for detailed information.

3 Under Step 1, edit information about the user.

Administrator supports the use of period (.), underscore (_), or hyphen (-) in user names.

Passwords must be at least eight characters and comply with the recommendations detailed in Password Security Guidelines on page 86 in the Administrator User Guide.

NOTE: The password set here is only in effect when Administrator authenticates a user against its local database.

4 In the Account Expiration Date field, select an expiration date from the drop-down options. The user is denied access to Administrator at this future date.

5 Select a role from the Role drop-down menu. After selecting, the permissions allowed for a user with that role are shown in a box on the right. If the predefined permissions are not suitable for the user, create a new role following User Roles in the Administrator User Guide.

6 Under Step 2, add the user to one or more domains by moving one or more domain names from the Available Domains column to the Selected Domains column. The user will be a member of all the domains listed in the Selected Domains column.

Domain membership allows user access to resources within the domains. The list of resources this user may access is updated after adding domain membership and saving changes to the user profile.

7 Click Save All Changes to save the user profile.

Notes about the “administrator” user profile:

The administrator user always has the SystemAdministrator role.

The administrator user will never expire.

NetVigil Membership

When editing a user profile (see To edit users: on page 94) for a user with NetVigil access (see Domains and NetVigil Installations on page 112), you will see a NetVigil Membership pane at the bottom of the Edit User page. An example is shown in Figure 7-2.

For each NetVigil resource, the following options are provided in the NetVigil Membership pane (sample shown in Figure 7-2). Settings here apply to the user only.

Department: Allows user access to the specified or selected department.

Read only: Allows NetVigil read only permissions for this user.

Read-write: Allows NetVigil read and write permissions for this user.

NOTE: When creating a new user and including that user in a domain with NetVigil resources, you are prompted to assign a NetVigil department and permissions to the user after clicking Save in the Add User page. The options are the same as above.

Detailed information on NetVigil departments and read and/or write permissions is included in the Sniffer Enterprise NetVigil User Guide.

Click Apply in the lower right corner of the NetVigil Membership pane to apply settings for this user.

NOTE: When a NetVigil installation is managed, there are no permissions for NetVigil on the Administrator Role Configuration page. Users with Administrator administrative rights can add users (including themselves) to domains including NetVigil installations. An administrative user can also assign users within a domain to NetVigil departments and user groups, or assign users NetVigil superuser privileges in the NetVigil Membership pane. This area defines what the user can do on NetVigil, regardless of the role of the user specified in Administrator.

Figure 7-2. NetVigil Membership Pane on Edit User Page

Deleting Users

To delete users from Administrator:

1 Click the Users tab.

2 Select one or more users from the Users list and click Delete.

Notes about deleting users:

The administrator user cannot be deleted.

Before deleting a user, check that the user does not own MultiSegment Intelligence sessions (displayed in User Details). If the user owns MultiSegment sessions, an administrator must reassign that user’s session(s) before deleting the user. By default, deleting a user will also delete any MultiSegment Intelligence session(s) owned by that user.

Getting User Reports

Administrator provides reporting functionality by formatting data that can be used to create a report.

To view and save report data files:

1 Click the Users tab.

2 Click the export icon. The contents of the page can be downloaded into a separate file.

NOTE: Alternately, you can print the contents of the window using the Print option available on the page.

8

Working with File Management

The Administrator Appliance provides a secure file server for managed Sniffer Distributed Appliances (versions 4.5+). Through Administrator, you can manage filters and other supported files after the files are made sharable through the resource. After the files are made sharable, you need to upload the files to Administrator in order to distribute filters to selected Sniffer Distributed Appliances, or share files between users and applications.

This application has many practical uses for managing your network of Network General devices. For example, a filter for a known virus can be sent to managed Sniffer Distributed Appliances from Administrator to isolate the virus on your network.

File Management - Shared File List

Click the Users tab and then click File Management to open the File Management page. This page provides a list of files that have been shared through the resource. A user with administrator privileges can view and delete files in the list. Sharing capture configurations and trigger files is not supported.

From the File Management page, you can upload files in .xml format. Uploading .csl filter files is not supported.

NOTE: Shared files on Sniffer Distributed systems running any version earlier than 4.5 cannot be managed by Administrator.

Options available from File Management page include:

Upload File. From the File Management page, you can upload .xml format display filters only. Uploading .csl filter files is not supported. See Uploading Files on page 100 for detailed information.

Edit files. Click the edit icon next to the item in the list to edit the file description as seen in the list. You cannot make changes to the file content or the file name.

Delete files. Select one or more files from the list and click Delete to remove the file from the Administrator Appliance.

NOTE: You cannot download or view the contents of the files listed on the File Management page.

Uploading Files

To add files to the Administrator server, upload them from the File Management page accessed from the Users tab. Uploading files to Administrator makes the files available for use on managed resources of the same version. You can upload files in .xml format. Uploading .csl filter files is not supported.

NOTE: Files are validated prior to the upload. If the file is not a filter file and the content within the file is invalid, the upload will fail. Ensure that the file is a Sniffer Distributed filter file and the content is not corrupt, then try the upload again.

To upload files:

1 Click the Users tab, then click File Management.

2 Within the Upload File pane, click Browse to navigate to the file location.

IMPORTANT: The specified path should not contain any semicolons. Copy the files to another location where the path is free of semicolons before sharing the files if necessary.

3 Select the file from the Choose file dialog box, then click Open.

4 Provide a description in the field provided (optional).

NOTE: During file validation, if a description is found within the content of the file itself, then this description overrides any text you add to the Description field within the Upload section. If you would like to change the description read from the file, edit the file description after the file is uploaded.

5 Click Upload.

9

Authentication

Use the pages within the Administration tab to set or configure properties of the Administrator Server and the Administrator installation:

About Authentication on page 101

Authentication Servers on page 102

Authentication Settings on page 103

Adding and Configuring Authentication Servers on page 105

RADIUS Authentication Protocol Options on page 107

Windows Domain Authentication Protocol on page 108

TACACS+ Authentication Protocol Options on page 108

LDAP Authentication Protocol Options on page 109

About Authentication

External authentication methods require that a site administrator enter user name and password information into the external server. Administrator interacts with the external server to validate existing users the same way that anything else would interact with that authenticator: when presented with a user name and password combination, it verifies that the user is valid or not, and reacts accordingly. Administrator does not interact with the external server to define new users as it does not write new user information into the database(s) of any external authentication server(s). Administrator only validates user information by consulting external authenticators, then (if the user is validated) creates a local entry for that newly validated user.

There are multiple Administrator authentication methods. Selecting the Administrator method will validate users against the local Administrator database. RADIUS, LDAP, Windows Domain, and TACACS+ methods are external systems.

For external authentication methods, access the external application and enter the user information as you have entered in Administrator. If the server cannot find or recognize the Administrator user, it will reject all user log in attempts. For client set up, you will also need to set up the external server to recognize the IP address of the Administrator Appliance as a valid authentication client.

If you have previously entered user names and passwords into RADIUS, LDAP, Windows Domain, or TACACS+ systems, you can also add these users to Administrator. Users may be added manually, or automatically upon successful external authentication (and authorization, if required). Please see Authentication Servers on page 102 and Authentication Settings on page 103 for more information.

If a Sniffer Distributed Agent is managed by Administrator, Sniffer Distributed users are authenticated against Administrator or any authentication configurations on the Administrator Appliance, if any. All external security methods are disabled on the Agent.

When an InfiniStream resource is being managed, Administrator users will also have access to the InfiniStream installation through SSH or any other specified authentication. For the Administrator user that has never logged into the InfiniStream Capture Engine, SSH authentication is disabled until the user has logged into the Capture Engine locally, or through the InfiniStream Console.

Authentication troubleshooting tips are provided in the following sections:

Authentication and Security Messages on page 168

Authentication and Authorization Settings on page 179

One-Time Password Authentication

Administrator supports the use of token servers such as RSA Security's SecurID for one-time password (OTP) authentication.

The use of a token server limits the range of available authentication types for RADIUS and TACACS+. With RADIUS, only PAP will be supported. With TACACS+, only ASCII and PAP will be supported.

This limitation does not affect RADIUS or TACACS+ interaction with authenticators (such as Cisco SecureACS version 3.0 for Windows) which are not configured to use token servers to validate users.

Authentication Servers

The Authentication Servers list on the Administration > Authentication page provides the list of servers that are configured to authenticate Administrator users. Add servers to the list by clicking Add New Server. The Add New Server page appears. See Adding and Configuring Authentication Servers on page 105 for more information.

WARNING: Make sure you have at least one authentication server enabled at all times.

Information for each listed server includes the following:

Name and Address. Name provided by the administrator for the authentication configuration, and the IP address of the actual server.

Protocols. Protocols supported by the server.

Enabled. Indicates that the server is enabled for authentication. Disabled servers are not consulted during the authentication process. The local authentication server (the Administrator Appliance) will normally remain enabled at all times.

Actions. Edit the server settings by clicking next to the desired item in the list. Clicking will display the appropriate information for that server in the Server Settings list. After making updates, click Save.

NOTE: You cannot specify "Sniffer Enterprise Administrator" for a remote (external) authentication server.

Authentication Settings

The authentication settings below the Authentication Server list on the Authentication page are independent of configured servers or authentication protocols. The settings apply to all authentication servers and protocols.

To specify independent server settings:

1 Click Administration, then click Authentication.

2 Specify or edit the following:

a Access denial must be unanimous. Select this if you would like to specify that access denial for a user must be unanimous across all authentication servers and protocols. If a user is known to any one authenticating server, that user is allowed access. See More about Unanimous Access Denial on page 104.

b Require Remote Authorization. If this box is checked, Administrator will deny access to users lacking authorization even if the user name and password combination is valid.

Refer to the third-party authentication server documentation for the specific procedures for configuring that server to provide authorization as well as authentication. Examples of RADIUS vendor-specific attribute IDs and possible values are provided on page 182.

c Enable Remote Authentication of Unknown Users. If this is selected and a locally unknown user is successfully authenticated using a remote method, Administrator will create a new local database entry for that user.

- Default Role. The properties for the user selected in the drop-down box will be applied to the new user. This does not include membership in any Administrator domains.

NOTE: It is not recommended to specify a user with Administrator administrative permissions as the default role.

- Expire. The authorized user automatically entered into the system as specified in the previous option will expire after the number of days entered.

- Send Email notification. Check this to send an email notification when a new user is added automatically. All email addresses listed under Email Destinations on the Administration page will receive email notification.

3 After changing any of the above options, click Save.

More about Unanimous Access Denial

If the Access denial must be unanimous option is checked, all enabled authenticators must agree to deny access. When a user is successfully authenticated through an external server, a database entry is added automatically to the Administrator Appliance.

Consider a scenario where User 1 is known to External Server 1, and User 2 is known to External Server 2. With the Access denial must be unanimous option checked, User 2 will be allowed access to Administrator after Administrator first checks External Server 1, does not find User 2, but next checks External Server 2, and finds User 2. In this case, two events can trigger Administrator to look at External Server 2: Denial on External Server 1, or External Server 1 times out.

In the same User scenario noted above, with the Access denial must be unanimous option not checked, Administrator looks for User 2 on External Server 1, does not see User 2, stops the process after looking at one external server, and denies access for User 2. However, Administrator will check External Server 2 if External Server 1 times out.

The process is the same regardless of how many authentication servers are configured. If the first external server times out (or does not respond), then Administrator tries a second external server. The Administrator Appliance continues to look for an external server that will allow access to the user attempting to log in until all configured authentication servers are checked.
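The server-selection logic described in this section, modelled as an added Python example (not Network General code). The class and function names are hypothetical and the users and passwords are constructed; treating Retries as the total number of attempts, and denying access when every server times out, are assumptions.

```python
from dataclasses import dataclass, field
from enum import Enum


class Reply(Enum):
    ACCEPT = "accept"
    REJECT = "reject"      # server answered: user unknown or bad password
    TIMEOUT = "timeout"    # server did not answer


@dataclass
class AuthServer:
    """Hypothetical stand-in for one entry in the Authentication Servers list."""
    name: str
    users: dict = field(default_factory=dict)  # constructed user -> password
    enabled: bool = True
    reachable: bool = True
    retries: int = 1  # assumption: total attempts before moving to the next server

    def ask(self, user, password):
        if not self.reachable:
            return Reply.TIMEOUT
        if self.users.get(user) == password:
            return Reply.ACCEPT
        return Reply.REJECT


def authenticate(servers, user, password, unanimous_denial):
    """Walk the server list in order; return (granted, trace of servers consulted)."""
    trace = []
    for server in servers:
        if not server.enabled:
            continue  # disabled servers are not consulted
        reply = Reply.TIMEOUT
        for _ in range(max(1, server.retries)):
            reply = server.ask(user, password)
            if reply is not Reply.TIMEOUT:
                break
        trace.append((server.name, reply.value))
        if reply is Reply.ACCEPT:
            return True, trace
        if reply is Reply.REJECT and not unanimous_denial:
            return False, trace  # first explicit denial ends the search
        # Timeout (either mode) or denial with the option checked: try the next one.
    # Assumption: if no server accepts, including when every server times out, deny.
    return False, trace


def guide_scenario(ext1_reachable=True):
    """Constructed data: User 1 is known to External Server 1, User 2 to External Server 2."""
    return [
        AuthServer("External Server 1", {"user1": "pw1"}, reachable=ext1_reachable),
        AuthServer("External Server 2", {"user2": "pw2"}),
    ]


def servers_accepting(servers, user, password):
    """Audit helper: every enabled, reachable server that would accept this login."""
    return [s.name for s in servers
            if s.enabled and s.ask(user, password) is Reply.ACCEPT]


if __name__ == "__main__":
    for unanimous in (True, False):
        for reachable in (True, False):
            granted, trace = authenticate(
                guide_scenario(reachable), "user2", "pw2", unanimous)
            print(f"unanimous={unanimous} ext1_reachable={reachable} "
                  f"granted={granted} trace={trace}")
```

With the option checked, an account removed from one server still logs in while any other enabled server accepts it, so `servers_accepting` is the check to run when offboarding a user.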

Adding and Configuring Authentication Servers

Add and configure authentication servers with one or more authentication protocols on the Add New Server page. Configured servers are added to the Authentication Server list on the Authentication page.

To add new authentication servers:

1 Click Administration, then click Authentication.

2 From the Authentication page, click Add New Server.

3 For the new server, specify the following:

Name. The name of the server that will appear in the Authenticated Servers list.

Address. The IP address of the machine.

Description. A description of the configured server (optional).

Retries. The number of times Administrator will try a particular authentication server before attempting to authenticate against the next server, if any.

Timeout. The interval in seconds between successive authentication attempts against a single server. Administrator sends a request and waits this many seconds for the authenticator to respond. One retry is used when the authenticator does not respond.

Enabled. Indicates that the server is enabled for authentication. Disabled servers are not consulted during the authentication process.

4 Select one or more authentication protocols.

Selecting the protocol on the page and configuring the options available for that protocol configures the server with that protocol. You can select or enable any combination of protocols as long as the protocols are supported on the server you are configuring.

Sniffer Enterprise Administrator. Selecting this specifies that the server will authenticate users by looking for the users in the Administrator database.

NOTE: For a user authenticated by the Administrator database, changing that user's password will invalidate all active Administrator sessions currently associated with that user. That user will have to log in again.

For specific information about additional protocols, please see the following:

RADIUS Authentication Protocol Options on page 107

Windows Domain Authentication Protocol on page 108

TACACS+ Authentication Protocol Options on page 108

LDAP Authentication Protocol Options on page 109

5 Click Add New Server.

NOTE: Click Cancel to return to the Authentication page without making changes.

Editing Authentication Servers

NOTE: Deleting the authentication server or changing its configuration in Administrator will invalidate all browser sessions for users last successfully authenticated by that external server. Those users will have to log in again.

To edit authentication servers:

1 Click Administration, then click Authentication.

2 From the Authentication page, click next to the existing server.

3 Edit or update the following:

Name. The name of the server that will appear in the Authenticated Servers list.

Address. The IP address of the authentication server.

Description. A description of the configured server (optional).

Retries. The number of times Administrator will try a particular authentication server before attempting to authenticate against the next server, if any.

Timeout. The interval in seconds between successive authentication attempts against a single server. Administrator sends a request and waits this many seconds for the authenticator to respond. One retry is used when the authenticator does not respond.

Enabled. Indicates that the server is enabled for authentication. Disabled servers are not consulted during the authentication process.

4 Select one or more authentication protocols.

Selecting the protocol on the page and configuring the options available for that protocol configures the server with that protocol. You can select or enable any combination of protocols as long as the protocols are supported on the server you are configuring.

Sniffer Enterprise Administrator. Selecting this specifies that the server will authenticate users by looking for the users in the Administrator database.

For specific information about additional protocols, please see the following:

RADIUS Authentication Protocol Options on page 107

Windows Domain Authentication Protocol on page 108

TACACS+ Authentication Protocol Options on page 108

LDAP Authentication Protocol Options on page 109

5 Click Save.

NOTE: Click Cancel to return to the Authentication page without applying any edits.

RADIUS Authentication Protocol Options

Enter or configure the following parameters for RADIUS:

Type. The protocol (packet format) and handshaking method used for authentication. Select PAP (Password Authentication Protocol) or CHAP (Challenge-Handshake Authentication Protocol). If Administrator is authenticating through SecurID or other one-time password authentication systems, CHAP is not supported.

Shared secret. Common key used to encrypt data.

Port. Connection port.

RADIUS Guidelines

Adhere to the following guidelines when configuring Administrator with RADIUS authentication:

RADIUS servers require a list of hosts (IP addresses) with permission to connect.

The user name on the Administrator server must match the user name on the RADIUS server.

NOTE: You may need to list the RADIUS Server in the Hosts file on the Administrator Server.

Windows Domain Authentication Protocol

Enter or configure the following parameters for Windows Domain:

Domain. Enter a valid Domain value (the Windows domain associated with the users to be authenticated) in the field provided. Domains defined here are Windows domains — not Administrator domains.

Controller. This is any machine configured to act as a primary or backup controller on behalf of the specified Windows domain.

Windows Domain Guidelines

Windows Domain is an external system. In Administrator, enter the same user names and passwords as entered in your Windows Domain configuration for Administrator to properly communicate and authenticate your users with Windows Domain.

NOTE: Windows Domain authentication relies on the local database for user settings, including role assignment. An administrative user must configure Administrator to allow automatic addition of externally authenticated users. After users are added, an administrator is responsible for modifying existing user properties, including assigning roles.

TACACS+ Authentication Protocol Options

Enter or select the following TACACS+ parameters:

Type. The packet format and handshaking method used for authentication. Choose one of the following.

ASCII. Simple user name/password authentication other than PAP.

PAP. Password Authentication Protocol.

CHAP. Challenge-Handshake Authentication Protocol. If Administrator is authenticating through SecurID or other one-time password authentication systems, CHAP is not supported.

MS-CHAP. Microsoft Challenge-Handshake Authentication Protocol version 1. If Administrator is authenticating through SecurID or other one-time password authentication systems, MS-CHAP is not supported.

Key. The shared secret string common to Administrator and the TACACS+ server (required).

NOTE: When configuring Administrator with TACACS+ authentication, the user name on the TACACS+ server must match the user name on the Administrator server.

LDAP Authentication Protocol Options

Enter or configure the following parameters for LDAP:

Search Base. The domain name of the LDAP Server.

Group. Group defined on LDAP server that contains the users. The default group name is People.

NOTE: The user name on the LDAP server must match the user name on the Administrator server.

Deleting Authentication Servers

Deleting authentication servers erases the server configuration settings in Administrator and removes the configured server from the Authentication Servers list on the Authentication page.

Deleting an authentication server will also invalidate all browser sessions for users last successfully authenticated by that external server. Those users will have to log in again.

The local authentication server (the Administrator server itself) may not be deleted.

WARNING: Removing one or more configured authentication servers may result in non-availability of one or more authentication methods, or may affect the ability of one or more users to log in.

To delete authentication servers:

1 Click Administration, then click Authentication.

2 For the server you would like to remove, click next to the server in the Authentication Servers list.

3 Click Delete.

Chapter 10: Working with Domains

This section provides the following information on domains:

The Domains List on page 113

Adding Domains on page 113

Editing Domains on page 115

Deleting Domains on page 117

About Domains

A domain is a collection of resources and users. Domains facilitate configuring and managing several resources at one time by allowing or denying users access to several resources. A domain cannot contain another domain, but one resource or user may be in multiple domains.

In addition to associating users with Visualizer installations, domains can also be used to add an interface to a Visualizer so that the Visualizer starts receiving data from that interface.

Domains also control user access to NetVigil. Users are not subject to domain access control if they have "SEA Administrator" permissions in their role. These users can log in to any resource without being in the same domain as the resource. If this type of user logs into NetVigil, the system automatically adds the user to the Superuser group. If you want to prevent this from occurring, you can manually add the user to a domain with NetVigil and assign the user to a Department.

NOTE: Do not confuse Administrator domains with Microsoft Windows domains. The two types of domains are unrelated.

Domains and Visualizer Installations

When a Visualizer is discovered, if Visualizer is monitoring an interface, a new domain is automatically created containing that interface and the Visualizer. The Domains page contains a column for Visualizers included in the domain. A domain will not be created if Visualizer is not monitoring any interfaces.

To add an interface to Visualizer, create a new domain or edit an existing domain to contain the Visualizer and the interface.

To remove an interface from Visualizer, remove the interface from the domain or delete it from Administrator. All data collected from the interface will be lost in this process.

To remove all the interfaces from a Visualizer, remove the Visualizer from the domain.

To delete a Visualizer from Administrator without losing interfaces, delete it from Administrator's Resources list without deleting it from the domain.

NOTE: You cannot delete a domain containing Visualizer before removing Visualizer from that domain.

Users with only Visualizer permissions will have access to Visualizer only if they are in a domain containing the Visualizer. To associate a particular user with a particular interface you can use the domains used to add interfaces to Visualizer or create a new domain with only users and Visualizers.

To help control user access, you can add more than one Visualizer to a domain as long as you do not add interfaces to this domain.

NOTE: If you want to uninstall/reinstall Visualizer without saving the Visualizer database, make sure you delete Visualizer from Administrator before uninstalling/reinstalling Visualizer.

Domains and NetVigil Installations

Administrator can discover, manage, and provide user authentication for NetVigil installations. Once a NetVigil resource is discovered, Administrator controls user access to the resource. User creation and authentication (access) for NetVigil resources are provided through domain membership. Once a user is created in Administrator and added to a domain containing a NetVigil resource, that user will be allowed access to NetVigil upon a login attempt to NetVigil. Similarly, if a NetVigil resource is added to an existing domain with one or more users, those users will now have access to that NetVigil installation. The Domains page contains a column for the NetVigil installation included in the domain.

IMPORTANT: An Administrator domain can contain no more than one NetVigil resource.

The Domains List

Click the Domains tab to open the Domains > Overview page. This page provides a list of the domains defined in the system. The resources and users within each domain are summarized in the appropriate column. Click a column heading within the Domains list to sort the list by entries in a particular column. Details for the domain are summarized in the pane on the right side of the window.

NOTE: A user with administrative privileges will be able to access and view all domains listed on the Domains page, regardless of domain membership.

From this page, you can also:

Edit domains. Click from the Actions column to open the Edit Domain page. See Editing Domains on page 115.

Print. Click to print the contents of the list as it appears onscreen.

Export to CSV. Click to export the contents of the list into a CSV formatted file. Saved files will open in Excel if you have Excel installed on your client system.

Adding Domains

To add a domain:

1 Click the Domains tab, then click Add Domain.

2 Enter a name in the Domain Name field.

NOTE: Do not use single quotes ('), double quotes (“), commas (,), or spaces in a domain name. Domain names are limited to 25 characters.

3 Select User, Instrumentation, Visualizer, or NetVigil from the options presented in the top-right corner of the screen (shown in Figure 10-1).

Figure 10-1. Add Domain Options

4 In the Membership tables, select items and then move items between the Available and Selected columns. Repeat as necessary to include or exclude additional items (User, Instrumentation, Visualizer, and NetVigil) in that domain.

5 Click Save and Add Another Domain if you would like to create additional domains. Otherwise, just click Save to add the new domain to the Domains list.

6 If the new domain contains a NetVigil and if one or more of the users within the domain are not currently NetVigil users or are not assigned a NetVigil department, Administrator will prompt you to assign a NetVigil department to the user(s) before the domain can be saved. See Assigning NetVigil Departments for more information.

7 Click Save to finish adding a domain.

If required, click Reset to clear all values you have entered. Click Cancel to stop the action and return to the Domains page.

See Domain-specific Role Override on page 91 for information about the ...Override User Role With... pull-down menu.

Assigning NetVigil Departments

If you are creating a domain that includes a NetVigil installation, or adding a NetVigil installation to an existing domain, all users within the domain must be assigned a NetVigil department. This information is passed to NetVigil.

If one or more of the users within a domain that includes one or more NetVigil installations are not currently NetVigil users or are not assigned a NetVigil department, Administrator will prompt you to assign a NetVigil department to the user(s) before the domain can be saved.

When the following screen appears (Figure 10-2), assign users to a Department and a role. You can change the department and role to which a user belongs in the Edit Users page.

NOTE: If you opt to Cancel at this screen, any changes you made to the domain will not be saved. If you were creating a new domain, the domain will not be created.

Figure 10-2. Assign NetVigil Departments

Editing Domains

Edit domain properties to add and remove users and resources to allow or deny users access to resources.

NOTE: A user with administrative privileges will be able to access and view all domains listed on the Domains page, regardless of domain membership.

To edit domains:

1 Click the Domains tab.

2 In the Domains list, click next to the domain you would like to edit.

3 If you would like to edit the Domain Name, do not use single quotes ('), double quotes (“), commas (,), or spaces in a domain name. Domain names are limited to 25 characters.

4 Select User, Instrumentation, Visualizer, or NetVigil from the options presented in the top-right corner of the screen (shown in Figure 10-3).

Figure 10-3. Edit Domain Options

5 In the Membership tables, select items and then move items between the Available and Selected columns. Repeat as necessary to include or exclude additional items (Users, Instrumentation, Visualizers, and NetVigils) in that domain.

6 Click Save and Add Another Domain if you would like to create additional domains. Otherwise, just click Save to save the changes made to that domain.

7 If the domain contains a NetVigil and if one or more of the users within the domain are not currently NetVigil users or are not assigned a NetVigil department, Administrator will prompt you to assign a NetVigil department to the user(s) before the domain can be saved. See Assigning NetVigil Departments for more information.

Before saving, click Reset to return values to previously saved settings. Click Cancel to stop the action and return to the Domains page.

See Domain-specific Role Override on page 91 for information about the ...Override User Role With... pull-down menu.

Deleting Domains

IMPORTANT: Deleting a domain containing a Visualizer resource may disable Visualizer monitoring or result in a loss of collected data for some interfaces in that domain. Please remove the Visualizer resource(s) from the domain before deleting the domain.

A domain cannot be deleted if it contains a NetVigil resource.

To delete domains:

1 Click the Domains tab.

2 From the Domains page, select one or more domains from the Domains list.

3 Click Delete.

Chapter 11: Working with Alarms

NOTE: Resource management must be enabled through your Administrator license to access Administrator Alarm functions. A MultiSegment Intelligence-only installation does not present the Alarm tab or the Alarm Monitor, or do anything else with alarms.

Administrator’s Alarm pages and the Alarm Monitor provide a centralized view of alarms generated by managed resources. Alarms are SNMP traps. They can come from Sniffer Distributed resources, InfiniStream installations, or other devices configured to send SNMP traps to the Administrator Appliance.

Alarm management features within Administrator allow administrative users to configure, view, and consolidate events from multiple Network General devices into one easy-to-access interface. Behind the scenes, alarm events from multiple resources are consolidated, deduplicated, processed, and forwarded to the database. An Administrator user with administrative permissions can view the Alarm tab and the Alarm Monitor.

A list of alarms which can be sent from managed resources can be found in the Administrator Online help. See the resource-specific documentation for what possible actions these alarms may require, if any, and how to configure alarms on the managed resources.

NOTE: If the Windows Event Viewer Application log on the Distributed Appliance is full, the Distributed Appliance will not continue to forward alarms to Administrator. You must clear the Event Log on the Distributed Appliance to continue with alarm forwarding. See the Sniffer Enterprise Administrator Installation Guide for detailed information.

Click Alarms to access the following alarm features and pages:

Overview. See The Alarms > Overview Page on page 120.

Alarm Monitor. See The Alarm Monitor on page 122 (a quick link is available from the Alarm > Overview page).

Severity Definition. See Configuring Alarm Severity Definitions and Thresholds on page 125.

Automation. See Automating Alarms on page 127.

NOTE: Users without administrative permissions have access to the Alarm Monitor.

The Alarms > Overview Page

The Alarms > Overview page provides a summary of alarms generated by the Administrator system, and contains areas to specify where to receive and forward alarms. See:

Top Ten Alarms on page 120

Alarm Summary on page 120

Viewing the Alarm Monitor on page 121

Configuring the Alarm Forwarder on page 121

Top Ten Alarms

The Top Ten Alarms pane displays the top ten alarms seen by Administrator. In the pane, the following are identified:

Ranking. Alarms are ranked 1 through 10, 1 being the alarm with the highest count.

Description. The alarm type, the current value, and any applied threshold values are summarized here.

Count. The number of times the alarm has been triggered.

IP Address. The IP address of the managed device that produced the alarms.

Card. The name of the card within the managed device that produced the alarms.

To view the latest alarms, click Refresh List.

Alarm Summary

The Alarm Summary is available by clicking Overview from the Alarms menu. The Alarm Summary contains a summary of alarm types received by Administrator broken down by severity. This section provides a quick overview of the current status. This is not real-time information. To view the latest alarms, click Refresh List.

Viewing the Alarm Monitor

Clicking View Alarm Monitor from the Overview page (top-right corner) launches the Alarm Monitor page in a separate browser window. This allows you to monitor alarms and simultaneously use other features of Administrator. For detailed information about the Alarm Monitor, see The Alarm Monitor on page 122.

Configuring the Alarm Forwarder

Administrator provides an option to forward alarm data to destinations capable of accepting SNMP data. In the Forward Alarms section of the Alarm > Overview page, you specify the IP address and the listening port for the third-party server/application to which the Administrator system will send or forward alarm notification.

To communicate with third-party applications, the Alarm Forwarder converts data back into SNMP format. The third-party application specified must be configured to accept communication and data from Administrator.

NOTE: By default, the Alarm Receiver is started automatically when Administrator is started.

Before alarms from Sniffer Distributed Appliances can be forwarded to Administrator, you must first configure the SNMP settings on the Agent. See Alarm Management on page 182 for detailed information.

To configure alarm forwarding:

1 Click the Alarms tab.

2 Under the Add Alarm Destination section within the Forward Alarms section, enter a name, IP address, and port number in the fields provided.

3 Click Add Destination. The address is added to the Configured Destinations list.

NOTE: A destination will receive alarm data only if specified in the automated alarm criteria through the Automation page. When Forward is specified on the Automation page, all configured destinations will receive the alarm notification. However, for alarms forwarded from the Alarm Monitor, you can specify a single destination to receive the notification.

4 Repeat Step 2 and Step 3 as necessary to add additional destinations to the list.

Removing Alarm Forwarding Destinations

To remove addresses from the Configured Destinations list, click Delete next to the address in the list. You cannot delete a forwarding destination if you specified the destination in the criteria of an automated task. See Adding Automated Alarm Criteria on page 127 for more information.

NOTE: You cannot edit configured destinations. To update a configured destination, click Delete next to the address in the list and re-enter the appropriate information.

The Alarm Monitor

The Alarm Monitor is the main interface which displays the alarms generated by Network General devices according to thresholds defined through Administrator. This page is accessible by administrative and non-administrative users. Through the Alarm Monitor, you can monitor the alarms generated from resources you have access to through domain membership in the Administrator system.

NOTE: The times displayed on the Alarm Monitor are in GMT.

To access the Alarm Monitor:

1 Click the Alarms tab.

2 For users logged in as administrators, click View Alarm Monitor from the Alarms > Overview page.

NOTE: Non-administrative users will see the Alarm Monitor immediately after clicking Alarms.

Working with the Alarm Monitor

The following information and options are provided for each alarm:

Actions. The following actions may be available for a listed alarm:

Show Details. Opens the Alarm Details page, where you can view additional alarm data. See Alarm Details on page 124 for more information.

NOTE: If an alarm is received from a resource managed by Administrator, you have the option to launch SniffView or the Win32 Console (where supported) to investigate the alarm using Connect.

Alarm ID. Unique number generated by Administrator to identify the alarm.

Description. Identifies the alarm type.

Resource. The IP address and network interface card, or the resource name when discovered data is saved to the Administrator system through the Resources pages.

Severity. Displays the current severity level of the alarm.

To determine the severity level, Administrator looks at the resource-specified severity and the severity level specified through Administrator. The default severity level is the resource-specified severity (if no other severities are specified).

NOTE: A resource-specified threshold is used by the resource to determine whether an alarm should be sent. Administrator cannot edit or display this threshold value. Administrator only reports the severity level itself.

Severity level icons represent the following:

Normal

Minor

Important

Major

Critical

Count. The number of times the alarm is triggered on the resource.

Current Value. The value of the statistic during the last sampling period.

First and Last Occurrence. Date and time of first and last occurrence of the alarm.

Other actions from the Alarm Monitor include:

Refresh List. Refreshes the onscreen data one time.

Filter. If necessary, click to open the filter fields on the page. Specify filter criteria in the fields provided, then click Set Filter. Click Clear Filter to remove the Alarm Monitor data display filter settings.

Stop Auto Refresh. By default, the Alarm Monitor is automatically refreshed every 30 seconds with new data, if any. Click Stop Auto Refresh to stop the auto refresh interval. When Auto Refresh is off, new data received will not display on the Alarm Monitor.

Delete. Deletes the entry from the Alarm Monitor.

Email. Provides email notification. Select one or more alarms, click Email, and then enter the email address. For email to function properly, enter the IP address of the email server on the Administration page (see Email Server Configuration on page 78).

Forward. Select one or more alarms, click Forward, and then specify a destination from the list of configured destinations. Destinations are displayed here if at least one alarm destination is configured on the Alarm Overview page. This forwarding option is a one-time forward and will send only the alarm data you've selected on the Alarm Monitor.

Click Close to close the window and exit the Alarm Monitor.

Alarm Details

The Alarm Details page provides an extension of the information seen on the Alarm Monitor, including the alias information (if available), the IP address, card information, and the alarm description. Times displayed on the Alarm Details page are in GMT.

Alarm Details. The Alarm Details column provides a detailed list of events that occurred or actions taken for that alarm. Click the Include empty fields in display option to expand the list to show all options or fields that were not populated.

Alarm Occurrences. The Alarm Occurrences column provides alarm history, including the date and time of each alarm, the severity, and the value assigned to the occurrence.

Action Summary. This column summarizes actions taken on alarms, including changes in alarm assignment and alarm acknowledgements, and lists which user was responsible for the action.

Click Alarm Monitor to close the Alarm Details page and return to the Alarm Monitor.

Filtering the Alarm Monitor

You can filter the alarms displayed on the Alarm Monitor. Filters are unique to each user and user session. Administrator stores the filter for one user session.

To filter Alarm Monitor entries:

1 Click the Alarms tab.

2 Click View Alarm Monitor.

3 If necessary, click to open the filter fields on the page.

4 Specify any combination of the following:

Alarm Start and/or End Date.

Number of occurrences greater than.

Alarm ID. Click the Select Alarm ID or Enter Alarm ID radio button and specify the number assigned to the alarm.

Resource.

Severity greater than.

Value greater than.

5 After selecting or entering information, click Apply Filter.

Click Clear Filter to erase the values selected or entered in the criteria fields.

Configuring Alarm Severity Definitions and Thresholds

Defining an alarm severity through Administrator, whether specifically for an alarm from a single resource or globally for all alarms of the same type, assigns a severity threshold level which overrides the severity level assigned by the resource.

Because resource thresholds are based on the value of the statistic, the numbers that you enter in severity threshold configurations are also values of the statistic (at the sampling time).

Severity Definition

Defining an alarm severity through Administrator, whether specifically for an alarm from a single resource or globally for all alarms of the same type, assigns a severity threshold level which overrides the severity level assigned by the resource.

Through the Alarms > Define Severity page, you can define an overriding severity threshold level for a specific resource or for an alarm type.

After defining severity thresholds, you can also edit existing threshold levels through the Severity Definition list. You cannot edit the alarm name or description; you can edit only the severity threshold level, using the fields on the right side of the screen.

Setting Alarm Severity Definition

To set severity thresholds:

1 Click Alarms, then click Severity Definition.

2 Check This is a Resource Specific Severity Definition to define a threshold for an alarm generated from one resource only. If this is not selected, you’ll be setting threshold levels for the alarm type, regardless of which resource the alarm is triggered on.

a If This is a Resource Specific Severity Definition is selected, specify a resource from the enabled Select Resource field.

3 Select an alarm type from the list provided in Select Alarm ID.

4 Enter the desired low and high numbers in the appropriate threshold fields. All fields must be populated. The low fields are automatically populated with the High value entered in the preceding field.

5 Click Add.

After clicking Add, the settings are entered into the Severity Definitions list.

NOTE: If you have configured resource thresholds for an alarm type, resource threshold values will always override any threshold values set for the same alarm type.
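The precedence described in this section (resource-specified severity by default, a global threshold overriding it, and a resource threshold overriding the global one) can be modelled as follows. This is an added example, not code from the product: the class names, the half-open band boundaries, the clamping of out-of-range values, and the sample numbers are assumptions.

```python
from dataclasses import dataclass
from typing import Optional, Tuple

# Levels per the guide: Normal (1) to Critical (5); the order of the three
# middle names follows the icon list and is an assumption.
SEVERITY = {1: "Normal", 2: "Minor", 3: "Important", 4: "Major", 5: "Critical"}


@dataclass(frozen=True)
class SeverityDefinition:
    """One row of a Severity Definitions list (hypothetical model)."""
    alarm_id: int
    # Six ascending statistic values: the Low of Normal followed by the High of
    # each level, so every Low equals the High of the preceding level.
    bounds: Tuple[float, ...]
    resource: Optional[str] = None  # None = applies to the alarm type globally

    def __post_init__(self):
        if len(self.bounds) != 6:
            raise ValueError("all threshold fields must be populated")
        if any(lo >= hi for lo, hi in zip(self.bounds, self.bounds[1:])):
            raise ValueError("each High must be greater than its Low")

    def classify(self, value: float) -> int:
        """Map a sampled statistic value to a level; out-of-range values are clamped."""
        for level in range(1, 5):
            if value < self.bounds[level]:  # assumption: High is exclusive
                return level
        return 5


class SeverityTable:
    def __init__(self):
        self._global = {}
        self._by_resource = {}

    def add(self, definition: SeverityDefinition) -> None:
        if definition.resource is None:
            self._global[definition.alarm_id] = definition
        elif definition.alarm_id not in self._global:
            # The guide requires a global threshold before a resource threshold.
            raise ValueError("set a global threshold for this Alarm ID first")
        else:
            key = (definition.alarm_id, definition.resource)
            self._by_resource[key] = definition

    def resolve(self, alarm_id, resource, value, resource_severity):
        """Return (level, source of the decision) for one alarm occurrence."""
        chosen = self._by_resource.get((alarm_id, resource))
        source = "resource threshold"
        if chosen is None:
            chosen, source = self._global.get(alarm_id), "global threshold"
        if chosen is None:
            return resource_severity, "resource-specified severity"
        return chosen.classify(value), source


def demo():
    table = SeverityTable()
    table.add(SeverityDefinition(101, (0, 20, 40, 60, 80, 100)))
    table.add(SeverityDefinition(101, (0, 50, 70, 85, 95, 100), resource="10.0.0.5"))
    # Constructed occurrences: (alarm ID, resource, current value,
    # severity reported by the resource itself).
    occurrences = [
        (101, "10.0.0.9", 65, 2),   # only the global definition applies
        (101, "10.0.0.5", 65, 4),   # resource definition overrides the global one
        (202, "10.0.0.5", 65, 3),   # nothing defined: keep the resource's severity
    ]
    return [table.resolve(*occurrence) for occurrence in occurrences]


if __name__ == "__main__":
    for level, source in demo():
        print(SEVERITY[level], "from", source)
```

The same current value of 65 is reported as Major under the global definition and as Minor on the resource that has its own thresholds, which is worth keeping in mind when comparing alarms across resources.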

Editing Alarm Severity Definitions

Edit an Alarm Severity Definition by selecting it from the list on the Alarms > Severity Definitions page. After the entry is selected, change the desired values in the pane on the right, and click Save. Clicking Cancel restores the previous values.

Automating Alarms

Alarm automation allows you to specify or define additional events or actions for alarms generated from an external source (such as Sniffer Distributed Agents). Additional actions include escalating the severity of an alarm, email notifications, running a trace file capture on the resource that triggered the alarm, and deleting the alarm from the system.

Viewing the Alarm Automation List

Click the Alarms tab, then click Automation to open the Automation Action List page and review previously defined automation settings, if any.

The following information and options are provided for each entry in the list:

Name. Entered when creating automation criteria.

Criteria. Detailed description of the trigger criteria specified on the Automated Actions page.

Action. The action specified to occur after the event happens.

Delete. Click Delete to remove the automated event from the system.

NOTE: In order to edit an automated event, you must select an automated alarm and then modify it accordingly in the pane on the right.

Adding Automated Alarm Criteria

Adding automated alarm criteria allows you to specify additional action(s), if any, you would like to occur when an alarm of a specified type or from a specified location is triggered.

For example, it may be normal for one alarm to be triggered on a resource 5 times in one day. This may not be that important to note. However, if that alarm is triggered 5 times in one hour, you may want to be notified of this occurrence. Set up alarm automation to create a new alarm type so that you are notified one time that the alarm has been triggered multiple times, as opposed to receiving multiple notifications that a single alarm has been triggered.

To add automated alarm criteria:

1 Click the Alarms tab, then click Automation.

2 In the Criteria section, enter a name for the new criteria you are specifying.

3 Select the action you want to happen if the criteria specified for the alarm occur. Actions include:

Change Severity. Changing the severity allows you to increase or decrease the alarm level by one. When selected, the Select Severity drop-down box appears, with options to increase and decrease severity. If an alarm meets the specified criteria, the alarm will be escalated (increased) or decreased as specified. If the escalated severity is higher than 5, the highest severity is also escalated. If another event occurs with lesser severity, the current severity reflects the new severity while the highest severity remains at the previous value. The Alarm Monitor displays the current severity and the Alarm Details page displays the severity at the given moment in time.

Delete. Select the option to remove the item from the list provided on the Alarm Monitor and to remove the alarm data from the database.

Forward. This option is only displayed here if at least one alarm destination is configured on the Alarm Overview page. The alarm forwarder provided on this page sends an alarm notification to all configured destinations. This forwarding option is a one-time forward and will send only the alarm data you've selected on this page. This option will not start the alarm forwarder if it is currently not running. When you select this action, the Community and Version fields display. Specify the trap community string (the default is "public") and the SNMP version (enter “1” or “2”) of the trap that Administrator sends (the default is “1”).

Create Alarm. Administrator will create a new alarm based on the criteria you have specified. The new alarm is sent to the configured list of alarm forwarding destinations. This feature is useful to minimize the alarm traffic from Administrator to other alarm notification recipients. When you select this action, the Community and Version fields display. Specify the trap community string (the default is "public") and the SNMP version (enter “1” or “2”) of the trap that Administrator sends (the default is “1”).

IMPORTANT: The Create Alarm action will fail if the time settings on the Administrator Appliance and the resource machine are not synchronized.

Send Email. Enter the email address of the person you would like to notify. For email to function properly, enter the IP address of the email server on the Administration page (see page 78).

Run Capture. If an alarm is received from a resource managed by Administrator, you have the option to run a capture on this resource to investigate the alarm.

IMPORTANT: You cannot specify the Run Capture alarm automation option without having an existing Analysis session and template available. To use the Run Capture option from this page, you must first create an auto-capture session using an existing Analysis template (or create a new template during the session configuration and save the template) from the Analysis > Overview page. Once this is in the system, you will have the alarm automation option to run a capture using the information detailed in the session and/or template.

4 Specify the alarm criteria using any combination of the following options. Options here indicate that the action you select in Step 3 will occur if the following conditions are met:

Severity. Specify greater than or equal to (>=), less than or equal to (<=), or equal to (=) and then select a severity level [Any, or Critical (5) to Normal (1)] from the drop-down menus. An automated event will occur if the alarm severity meets the criteria specified.

To determine the severity level, Administrator looks at the resource-specified severity, the global threshold, and the resource threshold. The default severity level is the resource-specified severity (if no other severities are specified). A global threshold overrides the resource severity. A global severity is used to categorize alarms as severity 1 to 5. Resource thresholds override global thresholds for the resource, and in doing so, override all severities. To set a resource threshold, a global threshold must first be set up for the Alarm ID.

A resource-specified threshold is used by the resource to determine whether an alarm should be sent. Administrator cannot edit or display this threshold value. Administrator only reports the severity level itself.

Number of Occurrences Exceed. Enter numbers in the fields provided. For example, enter 5 times within 20 minutes. An automated event will occur if the alarm occurs more than five (5) times within a 20-minute period.

Select the resource.

Select the Alarm ID.

5 Click Add.
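The criteria from Step 4 can be read as a filter plus a sliding time window. The following added example (not code from the product) evaluates one criteria entry over a constructed alarm stream; the class and field names are hypothetical, and clearing the window after the action runs, so that one burst produces one notification, is an assumption.

```python
import operator
from collections import deque
from dataclasses import dataclass, field
from datetime import datetime, timedelta
from typing import Optional

COMPARE = {">=": operator.ge, "<=": operator.le, "=": operator.eq}


@dataclass
class AutomationCriteria:
    name: str
    action: str
    severity_op: str = ">="
    severity: Optional[int] = None        # None = "Any"
    occurrences: Optional[int] = None     # "Number of Occurrences Exceed"
    within: timedelta = timedelta(minutes=0)
    resource: Optional[str] = None        # None = any resource
    alarm_id: Optional[int] = None        # None = any Alarm ID
    history: dict = field(default_factory=dict)

    def selects(self, alarm) -> bool:
        """Severity, resource and Alarm ID conditions for one occurrence."""
        if self.resource is not None and alarm["resource"] != self.resource:
            return False
        if self.alarm_id is not None and alarm["alarm_id"] != self.alarm_id:
            return False
        if self.severity is not None:
            return COMPARE[self.severity_op](alarm["severity"], self.severity)
        return True

    def feed(self, alarm) -> bool:
        """Record one occurrence (in time order); True means run the action now."""
        if not self.selects(alarm):
            return False
        if self.occurrences is None:
            return True
        key = (alarm["resource"], alarm["alarm_id"])
        seen = self.history.setdefault(key, deque())
        seen.append(alarm["time"])
        # Drop occurrences that fell out of the window ending at this alarm.
        while alarm["time"] - seen[0] > self.within:
            seen.popleft()
        if len(seen) > self.occurrences:   # "more than five (5) times"
            seen.clear()                   # assumption: one action per burst
            return True
        return False


def constructed_alarms():
    """Sample data: 5 alarms spread over a day, then 8 alarms in 21 minutes."""
    day1 = datetime(2006, 3, 1, 9, 0)
    day2 = datetime(2006, 3, 2, 10, 0)

    def alarm(time, resource="10.0.0.5", severity=4):
        return {"time": time, "resource": resource, "alarm_id": 101,
                "severity": severity}

    slow = [alarm(day1 + timedelta(hours=4 * i)) for i in range(5)]
    burst = [alarm(day2 + timedelta(minutes=3 * i)) for i in range(8)]
    noise = [alarm(day2 + timedelta(minutes=1), severity=1),
             alarm(day2 + timedelta(minutes=2), resource="10.0.0.9")]
    return sorted(slow + burst + noise, key=lambda a: a["time"])


def run(criteria, alarms):
    """Times (ISO format) at which the criteria's action would run."""
    return [(a["time"].isoformat(), criteria.action)
            for a in alarms if criteria.feed(a)]


def demo():
    criteria = AutomationCriteria(
        name="Burst on 10.0.0.5", action="Create Alarm",
        severity_op=">=", severity=3,
        occurrences=5, within=timedelta(minutes=20),
        resource="10.0.0.5", alarm_id=101)
    return run(criteria, constructed_alarms())


if __name__ == "__main__":
    print(demo())
```

The five alarms spread over the first day never trip the criteria; the burst trips it once, on its sixth occurrence, and the low-severity alarm and the alarm from the other resource are not counted.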

12

Enabling Third-party Tools to Receive Alarms

The information in this section provides an overview of how to configure third-party applications to accept alarms (traps) from Administrator:

Communicating with Third-party Alarm Applications on page 131

Configuring HP Open View on page 131

Configuring Tivoli Enterprise Manager on page 133

Communicating with Third-party Alarm Applications

For supported third-party applications to open and read alarm data sent by Administrator, access the SNIFFER_MIB.MIB file located in the C:\Program Files\Network General\Enterprise\Mibs directory on the Administrator Appliance. Run the SNIFFER_MIB.MIB file through a MIB compiler one time. After compiling the file, place the compiled MIB file in the appropriate directory of the third-party application (either manually or by remote network access).

Configuring HP Open View

Perform the following to enable HP Open View to accept alarms (traps) from Administrator.

To enable HP Open View to receive alarms from Administrator:

1 From the machine where you have installed HP Open View Network Node Manager 6.2, go to Start > Programs > HP OpenView > Network Node Manager to open HP Open View Network Node Manager.

2 In HP Open View Network Node Manager, click Options from the main window and select Load/Unload MIB's: SNMP.

3 Load the Sniffer-MIB.mib file from the following directory located on the Administrator Server:

C:\Program Files\Network General\Enterprise\Mibs

4 Click Load to load the MIB file.

5 After the “MIB successfully loaded” message, click OK to close the Load/Unload MIBs window.

6 Click Options and select Event Configuration.

7 Select nainPOManagerTrap from the Enterprises list.

8 Double-click the event: ALM_NAI_FORWARDED_EVENT

9 Click the Event Message tab and select the “Log and display in category” action, and then specify “Application Alert Alarms” from the display category drop-down list.

10 From the Severity drop-down list, set the correct severity for Administrator Alarms. Normal is the default severity.

11 From the Event Log Message drop-down list, set the event log message as $*

12 Close the Event Configuration Window. When asked to save changes to the trapd.conf, save the changes and exit.

Specifying HPOV NNM as a Configured Destination

After configuring HP OV NNM to accept alarms from Administrator, specify HPOV NNM as a configured destination through the Administrator interface.

1 Log into your Administrator installation and click Alarms.

2 From the Alarms Overview page, configure HP OV NNM as a configured destination to forward alarms. See Configuring the Alarm Forwarder on page 121 for detailed instructions.

NOTE: After successfully completing the instructions in Configuring HP Open View and Specifying HPOV NNM as a Configured Destination, you can view alarms in the HP Open View Alarms viewer.

Configuring Tivoli Enterprise Manager

Perform the following to enable Tivoli Enterprise Manager to receive SNMP traps from Administrator. This example is based on the MIB referenced in Communicating with Third-party Alarm Applications on page 131. The instructions are subject to change if the MIB definition changes.

NOTE: You must have the TEC SNMP Adapter installed and running.

To enable Tivoli Enterprise Manager to receive alarms from Administrator:

1 Update the tecad_snmp.oid file with MIB information from the SNIFFER_MIB.MIB file. See Communicating with Third-party Alarm Applications on page 131 for MIB file location.

Be sure to place this information in numerical ascending order within the file as shown in the following example:

#Enterprise Administrator MIB

#"nPO" "1.3.6.1.4.1.3401.1"

"OriginalEnterpriseOID" "1.3.6.1.4.1.3401.1.1"

"OriginalTrapNumber" "1.3.6.1.4.1.3401.1.2"

"OriginalTrapText" "1.3.6.1.4.1.3401.1.3"

"naiTrapDescription" "1.3.6.1.4.1.3401.1.4"

"naiTrapValue" "1.3.6.1.4.1.3401.1.5"

"naiTrapReceiveTime" "1.3.6.1.4.1.3401.1.6"

"naiSeverityLevel" "1.3.6.1.4.1.3401.1.7"

"naiSeverityDescription" "1.3.6.1.4.1.3401.1.8"

"naiAgentIP" "1.3.6.1.4.1.3401.1.9"

"naiAgentPortNumber" "1.3.6.1.4.1.3401.1.10"

"naiAgentCardInterfaceID" "1.3.6.1.4.1.3401.1.11"

"naiAgentLocation" "1.3.6.1.4.1.3401.1.12"

"naiOffenderIPAddress" "1.3.6.1.4.1.3401.1.13"

"naiOffenderDNSName" "1.3.6.1.4.1.3401.1.14"

"naiOffenderMACAddress" "1.3.6.1.4.1.3401.1.15"

"naiHostName" "1.3.6.1.4.1.3401.1.16"

2 Update the tecad_snmp.cds file with corresponding Administrator trap information. Ensure the fields under the SELECT statement are in the same order as they appear in the trap, following the example below.

CLASS nPOManagerTrap

SELECT

1: ATTR(=,$ENTERPRISE), VALUE(PREFIX, "1.3.6.1.4.1.3401.1") ;

2: ATTR(=,"OriginalEnterpriseOID") ;

3: ATTR(=,"OriginalTrapNumber") ;

4: ATTR(=,"OriginalTrapText") ;

5: ATTR(=,"naiTrapReceiveTime") ;

6: ATTR(=,"naiSeverityLevel") ;

7: ATTR(=,"naiAgentIP") ;

8: ATTR(=,"naiAgentPortNumber") ;

9: ATTR(=,"naiAgentCardInterfaceID") ;

10: ATTR(=,"naiAgentLocation") ;

11: ATTR(=,"naiOffenderIPAddress") ;

12: ATTR(=,"naiOffenderDNSName") ;

13: ATTR(=,"naiOffenderMACAddress") ;

14: ATTR(=,"naiTrapDescription") ;

15: ATTR(=,"naiTrapValue") ;

16: ATTR(=,"naiSeverityDescription") ;

17: ATTR(=,"naiHostName") ;

FETCH

1: IPNAME($SOURCE_ADDR);

MAP

hostname=$F1;

EnterpriseOID = $V2 ;

TrapNumber = $V3 ;

TrapText = $V4 ;

TrapReceiveTime = $V5 ;

SeverityLevel = $V6 ;

AgentIP = $V7 ;

AgentPortNumber = $V8 ;

AgentCardInterfaceID = $V9 ;

AgentLocation = $V10 ;

OffenderIPAddress = $V11 ;

OffenderDNSName = $V12 ;

OffenderMACAddress = $V13 ;

TrapDescription = $V14 ;

TrapValue = $V15 ;

SeverityDescription = $V16 ;

HostName = $V17 ;

severity = "CRITICAL";

origin = $V11 ;

END

3 Update the tecad_snmp.baroc file in the rulebase to define a class in TEC for the Administrator traps following the example below.

TEC_CLASS :

nPOManagerTrap ISA SNMP_Trap

DEFINES{

sub_source: default = "nPOMgr";

severity: default = CRITICAL;

EnterpriseOID: STRING;

TrapNumber: INT32;

TrapText: STRING;

TrapDescription: STRING;

TrapValue: INT32;

TrapReceiveTime: STRING;

SeverityLevel: INT32;

SeverityDescription: STRING;

AgentIP: STRING;

AgentPortNumber: INT32;

AgentCardInterfaceID: STRING;

AgentLocation: STRING;

OffenderIPAddress: STRING;

OffenderDNSName: STRING;

OffenderMACAddress: STRING;

HostName: STRING;

};

END

4 Redistribute the SNMP adapter using the Tivoli Desktop.

5 Re-compile and reload the TEC rulebase using the Tivoli Desktop.
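Steps 1 and 2 both depend on ordering and on names matching across files, which is easy to get wrong by hand. The following added example (not part of the product or of Tivoli) checks a tecad_snmp.oid fragment for numerically ascending OIDs and cross-checks a tecad_snmp.cds class against it; the function names are hypothetical and the two samples are constructed from the page's listings, shortened and deliberately broken.

```python
import re

OID_LINE = re.compile(r'^\s*"([^"]+)"\s+"(\d+(?:\.\d+)*)"\s*$')
SELECT_LINE = re.compile(r'^\s*(\d+):\s*ATTR\(=,\s*("?)([^")]+)\2\)')
MAP_LINE = re.compile(r'^\s*(\w+)\s*=\s*\$V(\d+)\s*;')

# Constructed sample: entries sorted as text, which puts .10 and .11 before .2.
OID_TEXT = '''\
#Enterprise Administrator MIB
"OriginalEnterpriseOID" "1.3.6.1.4.1.3401.1.1"
"naiAgentPortNumber" "1.3.6.1.4.1.3401.1.10"
"naiAgentCardInterfaceID" "1.3.6.1.4.1.3401.1.11"
"OriginalTrapNumber" "1.3.6.1.4.1.3401.1.2"
"OriginalTrapText" "1.3.6.1.4.1.3401.1.3"
'''

# Constructed sample: the page's class cut down to five SELECT clauses, so
# clause 5 names an attribute missing above and $V11 points at no clause.
CDS_TEXT = '''\
CLASS nPOManagerTrap
SELECT
1: ATTR(=,$ENTERPRISE), VALUE(PREFIX, "1.3.6.1.4.1.3401.1") ;
2: ATTR(=,"OriginalEnterpriseOID") ;
3: ATTR(=,"OriginalTrapNumber") ;
4: ATTR(=,"OriginalTrapText") ;
5: ATTR(=,"naiTrapReceiveTime") ;
FETCH
1: IPNAME($SOURCE_ADDR);
MAP
hostname=$F1;
EnterpriseOID = $V2 ;
TrapNumber = $V3 ;
TrapText = $V4 ;
origin = $V11 ;
END
'''


def parse_oid_file(text):
    """Return [(name, oid_as_int_tuple, line_number)], skipping # comments."""
    entries = []
    for lineno, line in enumerate(text.splitlines(), 1):
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        match = OID_LINE.match(line)
        if match is None:
            raise ValueError(f"line {lineno}: not a name/OID pair: {line!r}")
        oid = tuple(int(part) for part in match.group(2).split("."))
        entries.append((match.group(1), oid, lineno))
    return entries


def out_of_order(entries):
    """Names of entries whose OID is not greater than the entry before them."""
    return [cur[0] for prev, cur in zip(entries, entries[1:]) if cur[1] <= prev[1]]


def in_numeric_order(entries):
    """Entries sorted by arc value, so ...1.2 comes before ...1.10."""
    return sorted(entries, key=lambda entry: entry[1])


def parse_cds_class(text):
    """Return ({clause number: attribute}, {slot: $V index}) for one class."""
    select, mapping, section = {}, {}, None
    for line in text.splitlines():
        if line.strip() in ("SELECT", "FETCH", "MAP", "END"):
            section = line.strip()
        elif section == "SELECT":
            match = SELECT_LINE.match(line)
            if match:
                select[int(match.group(1))] = match.group(3)
        elif section == "MAP":
            match = MAP_LINE.match(line)
            if match:
                mapping[match.group(1)] = int(match.group(2))
    return select, mapping


def check_cds(select, mapping, oid_entries):
    """List mismatches between a .cds class and the .oid entries."""
    known = {name for name, _, _ in oid_entries}
    problems = []
    for number, attr in sorted(select.items()):
        if not attr.startswith("$") and attr not in known:
            problems.append(f"SELECT {number}: {attr} has no entry in the .oid file")
    if sorted(select) != list(range(1, len(select) + 1)):
        problems.append("SELECT clauses are not numbered 1..N without gaps")
    for slot, number in mapping.items():
        if number not in select:
            problems.append(f"MAP {slot} = $V{number}: no SELECT clause {number}")
    return problems


if __name__ == "__main__":
    entries = parse_oid_file(OID_TEXT)
    print("out of order:", out_of_order(entries))
    for problem in check_cds(*parse_cds_class(CDS_TEXT), entries):
        print(problem)
```

The check does not require the SELECT clauses to follow OID order, because the guide asks for the order in which the fields appear in the trap, which differs from the OID order in the page's own listing.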

13

Accessing Activity Logs and Generating Data Logs

This section provides an overview of accessing and viewing system activity records and system data for the Administrator server, including:

Viewing and Filtering the Activity Log on page 137

Recorded Activities and Events on page 139

Activity Log Data Purging on page 164

Generating Data Logs on page 165

Generating Report Files on page 166

Viewing and Filtering the Activity Log

Administrator server activities and events sent by managed resources are captured and displayed in the Activity Log. See Table 13-2 for a complete list.

Users with administrative permissions are allowed to read all log entries related to the activities recorded on the server. Users without administrative permissions are not allowed access to read any log entries.

Activities include the following:

User activities. User log ins, failed log ins, and user session tracking.

Activities on resources. Product updates, configuration changes, cloned resource configurations, licensing, and failed resource authorizations.

MultiSegment Intelligence activities. Session creation and capture initiation.

Viewing Activity Logs

View activity log entries by clicking the Activity Log tab. Click Refresh List to retrieve and view the latest entries.

See Recorded Activities and Events on page 139 for detailed information on activities recorded on this page.

See Filtering Activity Logs on page 138 for information about filtering and limiting the entries shown in the log at one time.

NOTE: With the exception of MultiSegment Intelligence capture logging, events in the Activity Log are displayed in Pacific Standard Time (PST). For MultiSegment Intelligence capture logging, Administrator uses the local time of the resource as a reference point for simultaneous captures against multiple resources.

Filtering Activity Logs

Filter activity logs to isolate or drill down to specific data contained in the Activity Log.

To filter activity logs:

1 Click the Activity Log tab.

2 If necessary, click to open the filter fields on the page.

3 Enter any combination of the following information:

Starting Date and Ending Date. Select the desired dates from the drop-down fields provided to see activity log entries for a specific time period.

Source. Enter the source of the activity. Sources include enterprise and WebConsole.

Category. Enter the category of the activity. Categories include System, Authentication, SWUpdates (software updates), Scheduled Updates, Remote Update, OS Patch Status, and MultiTrace. See Table 13-1 for a complete list.

Sub-Category. Enter the sub-category of the activity. Sub-categories include Session Manager, Authentication, or Loader.

Event. Enter the description of the event that occurred. For example, enter User Authentication or Session Manager to view user access or log outs. See Table 13-2 for a complete list.

User. Enter a valid Administrator user name.

Host. Enter a session IP address.

4 Click Apply Filter.

5 Use the << Previous and Next >> links on the top-right corner of the log to navigate through multiple log pages. These links will be disabled if the Activity Log is only one page in length.

Removing Activity Log Filters

To return to an unfiltered activity log, click Clear Filter on a filtered Activity Log Overview page. This returns you to the unfiltered, default activity log.

Recorded Activities and Events

Administrator records internal events and event notifications received from managed resources (Visualizer and InfiniStream installations) to the Administrator database on the Administrator server.

The managed resource sends an HTTPS request to the Administrator Appliance. The request contains the appropriate information for the log entry (for example, category, sub-category, and description). The events are then displayed on the Activity Log page. The Source column in the display includes enterprise (representing events occurring on the Administrator server), as well as Visualizer and InfiniStream events. Visualizer and InfiniStream messages are first logged on the resource itself, and then notification is sent to the Administrator server.

NOTE: For Visualizer and InfiniStream events, the Source column displays the IP address of the resource which sent the notification to Administrator.

Recorded Administrator Activities

Events specific to the Administrator server and reported by Administrator on the Activity Log page are provided in the following table. For all events listed, the source will display “administrator.” Categories are detailed in the following table. The entries in the Category column of Table 13-1 are links to detailed event listings for that category provided in Table 13-2.

Table 13-1. Activity Log Categories

| Category | Description |
| --- | --- |
| Activity Log | Events related to operations actually carried out on the activity log itself. |
| Alarm | This category covers certain actions Administrator may take upon receipt of an alarm. A user with Administrator administrative rights may specify one or more actions and associate those actions with one or more specific types of alarms. |
| Authentication | Events and operations associated with authentication and authorization of Administrator users. |
| Auto Downloads | Events and operations associated with Administrator's automatic patch download and distribution feature. |
| Auto Sniffer Downloads | Events and operations associated with the downloading of individual Sniffer software update packages. |
| File Sharing | Events and operations associated with Administrator sharing of files among the managed resources. |
| MultiTrace | Events and operations associated with the processing of analysis sessions. An analysis session consists of one or more traces (.CAP or .CAZ files containing captured traffic) and the results derived from processing that set of traces, classifying the captured frames into specific flows, and so on. |
| OS Patch Status | Events and operations associated with Administrator's checking of OS patch status for managed resources. |
| Replication | Events and operations associated with Administrator database replication. |
| Remote Update | Events and operations related to the Administrator "software update" feature. |
| Scheduled Update | Events and operations associated with scheduled software updates. Note: Messages associated with ad hoc updates are covered in the Remote Update category, and possibly by activity log messages in other categories. |
| Scheduled Remote Updates | Events and operations associated with scheduled software updates. Administrator and/or the managed resources may use this category in lieu of the Remote Update or Scheduled Update categories. |
| Security | Events and operations associated with Administrator system security. This includes user authentication related to processing requests sent by managed resources. |
| Attempting to Send Update | Events and operations related to software update service requests coming from managed resources. |
| System | General Administrator events and operations. |
| User | Events and operations associated with Administrator users and user roles. |
| Administrator | This category covers general events and operations associated with Administrator itself, and not covered by any other more specific categories or sub-categories. |
| Session Management | Events and operations associated with the management of Administrator user sessions. For each Administrator user who successfully logs in, there exists one user session, sometimes referred to as a browser session. |
| Configuration | Events and operations associated with configuration of Administrator itself. |
| Auto downloads now | Progress messages for automatic patch downloads. |

Detailed Activity Log Entries

Table 13-2. Activity Log Entries

Category Sub-Category Events

Activity Log

Maintenance

Activity log purging completed. Administrator has purged old events from the activity log.

Alarm

Take Action

(If an alarm occurs that triggers an Administrator action, and the action fails for some reason, Administrator will log a “Take Action” event.)

Forward alarm. Administrator failed to forward an alarm. The event type field indicates that this is an error. The event description field identifies the alarm and indicates that the alarm could not be forwarded.

Send email. Administrator failed to send an email notice announcing an alarm. The event type field indicates that this is an error. The event description field identifies the alarm and indicates that the associated email notice could not be sent.

Authentication

User Authentication

(Authentication for all users. The authentication may occur on behalf of a person logging in via web browser, or on behalf of a managed resource attempting an operation that requires a valid user name and password combination.)

AAA succeeded. Authentication (AAA) success. The event field and description will both contain the name of the successfully authenticated user. Note: Normally, this message and message User (name) is logged in will always appear as a pair. If this message appears but message User (name) is logged in does not, then Administrator successfully authenticated the user, but for some reason Administrator could not create or initialize a normal log-in session for that user.

Access denied. Authentication (AAA) failure. The description field contains details of why access was denied, e.g. the user expired or lacked required authorization beyond simple authentication.

User (name) is logged in. A completely successful authentication (AAA). The event text contains the user name. Normally, this message and message AAA succeeded will always appear as a pair. A user cannot be logged in without first being successfully authenticated.

Auto Downloads

Download Sniffer XMLs

(Events related to the downloading and processing of XML files describing Sniffer patches.)

Failed. XML file downloading failed. The description field contains additional details.

Failed to access Network General website for Sniffer downloads. XML file downloading failed specifically because Administrator could not access the Network General patch distribution web site.

Incorrect Service Contract/Passwd. XML file downloading failed because the service contract ID and password combination is incorrect. A user with Administrator administrative rights must have previously specified and saved the service contract ID and password.

Succeeded. XML file downloading succeeded.

Auto Downloads

Auto downloads

(This sub-category covers non-download events and operations associated with Administrator's automatic patch download and distribution feature.)

Auto downloads Task. The Administrator background task for the download and distribution feature has started up. Normally this occurs only once, at Administrator service start-up time.

Auto Downloads

Download OS XMLs

(Events related to the downloading and processing of XML files describing Windows patches, as opposed to Sniffer patches.)

Failed to download. XML file downloading failed. The description field contains additional details.

Successfully downloaded. XML file downloading succeeded.

Auto Downloads

Sniffer Contract Validation

(Events and operations related to the validation of the user-supplied combination of service contract ID and password.)

Failed to access Network General website for Sniffer Contract Validation. Administrator was unable to contact the Network General web site to validate the service contract ID and password.

Auto Downloads

Sniffer Contract Validation not accessible

(Failures occurring due to inaccessibility of the Network General web site.)

Failed. The service contract validation failed.

Note: Some parts of Administrator will log an event in this sub-category in lieu of Failed to access Network General website for Sniffer Contract Validation within the Sniffer Contract Validation sub-category.

Auto Downloads

Access of Sniffer Contract Validation

(Reports successful validation of a customer service contract.)

Succeeded. The service contract validation succeeded.

Auto Sniffer Downloads

<An actual folder name>

(Here the sub-category field indicates the actual name of the folder being downloaded.)

Successfully downloaded. The folder named in the sub-category field was successfully downloaded.

Auto Sniffer Downloads

SW Folder Name

(Events and operations associated with failed downloads of packages.)

Failed::Error with CSL/EXE file count. The download failed due to incorrect package content. Administrator expected the package to contain a CSL file (an update script) and an associated EXE file, but the package did not meet that requirement.

Failed. The download failed for some reason other than incorrect package content. The description field contains additional details.

File Sharing File delete

(Events associated with the deletion of one or more shared files.)

File has been deleted. One or more shared files have been deleted. The description contains the name(s) of deleted file(s).

File Sharing FileUpload

(Events associated with the uploading of one or more files which will be shared among the managed resources.)

Uploaded file is not a valid file. The uploaded file is not valid for sharing. The description contains additional details.

MultiTrace Auto Capture

(Events and operations associated with MultiSegment auto-captures performed by Administrator in order to obtain traces for analysis.)

Capture started. An auto-capture has successfully completed all necessary initialization, and the associated managed resource has actually begun capturing traffic.

Capture Stopped. An auto-capture has successfully terminated.

Starting capture. Capture start-up is in progress; initialization has begun but is still in progress, and has not yet either completed successfully or failed.

Stopping capture. Capture stoppage is in progress; the managed resource has received the “stop capture” command, but the operation has not yet either completed successfully or failed.

MultiTrace Session Management

(Events and operations associated with MultiSegment analysis sessions, excluding auto-capture events.)

Create Session. A user has created an analysis session. The description contains additional details.

MultiTrace Session Preprocessing

(Events and operations associated with actual trace processing through MultiSegment.)

Begin Preprocessing. Session preprocessing has begun; the description field contains the session ID (integer) and the session name.

Preprocessing Cancelled. A user with Administrator administrative rights has manually cancelled session preprocessing; the description field contains the session ID (integer) and the session name.

Preprocessing Failure. Session preprocessing has failed for some reason; the description field contains the session ID (integer) and the session name. Additional details of the failure may be found in the log associated with that particular session, which is accessible by opening the session from the Analysis > Overview page.

Preprocessing Success. Session preprocessing completed successfully; the description field contains the session ID (integer) and the session name.

OS Patch Status

Status Report The OS Patch Status is being checked.

Replication Status The “event” field of this log entry indicates the replication status as either “OK” or “Lost connection.”

Replication Configuration Configured remote replication host. A user with administrative rights configured a new remote replication host via the Administration > Overview page, and the change has been successfully committed to the Administrator DB. The description includes the IP address or DNS name of the newly configured remote host.

Remote Update Cannot send update Events indicating that Administrator could not send a software update to a managed resource.

Remote Update ProcessServerScript

(File copying operations associated with delivery of the software update package contents to the managed resource.)

Remote file(s) copy to resource failed. Administrator failed to copy the package contents to the managed resource.

Remote file(s) copy to resource succeeded. Administrator successfully copied the package contents to the managed resource.

Remote Update Software Update

(Events associated with software update operations other than actual file or package copying.)

Sent software update command to resource. Administrator has sent a software update command to the managed resource. Normally, the resource will then perform the update in response to the command. The update must have been delivered by Administrator prior to issuing the software update command.

Scheduled Update

Attempting to Send Update This indicates that Administrator has tried to send an update to a managed resource. No result, positive or negative, can yet be determined.

Scheduled Update

Failed to send Administrator failed to send the software update to the managed resource.

Scheduled Update

Successfully Sent Administrator successfully sent the software update to the managed resource.

Scheduled Remote Updates

SendUpdates

(Reporting software update status messages.)

DB connection is null. The software update processing code could not connect to the Administrator database to retrieve information about the update package or its contents.

Security CommandServlet

(Events reported by the Administrator command servlet. The command servlet handles all incoming HTTPS requests sent by managed resources, including requests to log messages in the activity log on the resource's behalf.)

User (name) is authenticated. The user name supplied with the request is valid and has authenticated successfully. The event text contains the user name.

User (name) is not authenticated. The user name supplied with the request is invalid and has not authenticated successfully. The event text contains the user name.

SWUpdates CommandServlet

(The event is logged by the Administrator command servlet.)

Requested file not found. Administrator could not find a file requested by the software update service on the managed resource which sent the request.

System Add Resource

(Events related to Administrator resource discovery.)

Can not add resource. The Administrator logs this event when discovering a Visualizer if the Visualizer is monitoring interfaces which are not managed by the discovering Administrator. The “event” field contains the address of the Visualizer.

Failed to add. There is no known resource at a particular address. Nothing responded to the discovery probe. The “event” field contains the address which was probed.

License limit prevents adding resource. A discovered resource could not be added because Administrator has reached its current limit on the maximum allowable number of manageable resources. The event field contains the name and address of the resource which could not be added.

Starting multiple discovery. Administrator has started discovery within a user-specified address range.

Multiple discovery complete. Administrator has probed all addresses in the user-specified address range and has obtained results, e.g. resource found or not found, for all such probes.

Starting discovery from seed file. Administrator has started resource discovery based on a user-supplied seed file. The seed file specifies host names and/or IP addresses at which the Administrator might find responsive, manageable resources.

Seed file is empty. This event indicates an error; the user-supplied seed file contained no host names and/or IP addresses.

Completed discovery from seed file. Administrator has probed all hosts listed in the user-specified seed file and has obtained results, e.g. resource found or not found, for all such probes.

<Event is a resource name>. A resource was successfully discovered and added. The event field is the resource name; the description field reports the successful addition.

System User Manager

(Events and operations associated with Administrator user management.)

Remove User. A user with Administrator administrative rights has deleted a user from Administrator. The description indicates the deleted user.

System Resource Manager Resource added or deleted. The “event” field for this log entry will identify the resource by name and address, and indicates whether that resource was added or deleted. This is in addition to the possible events with sub-categories corresponding to resource deletion and addition. See Delete Resources and Add Resources for details.

System Resource Manager Image deployment job successfully sent to the target. This event indicates that a user:

• Selected a resource in the Resources > Overview page.

• Clicked the Deploy Image button.

• Specified the resource's Windows computer name.

• Selected an image deployment job and successfully queued it up for that target.

The description identifies the target and the deployment job applied to it.

System Resource Manager Imaging job name is null or empty. This event indicates that the user failed to select a valid image deployment job, or for some reason the job name could not be read properly from the UI.

The description identifies the affected target (resource).

System Resource Manager Target computer name is null or empty. This event indicates that the user failed to specify a Windows computer name for a resource to be reimaged, or for some reason the computer name could not be read properly from the UI.

The description identifies the affected target (resource).

System Delete Resources The “event” field for this log entry will contain the name of the deleted resource.

System Add Resources The “event” field for this log entry will contain the address of the newly added resource.

System Config Console

(Events and operations associated with the Administrator configuration console.)

Configuration Unsuccessful. The “description” field indicates the resource for which configuration was unsuccessful.

System Configuration Cloning

(Events and operations associated with the Administrator “clone configuration” capability.)

Cloning Failure. The configuration cloning operation failed.

Cloning Success. The configuration cloning operation succeeded.

System Peer Manager

(Events and operations associated with Administrator communities, and the Administrator systems which are members of those communities.)

Server removed from community. The Administrator server being removed from the community is part of a replicating pair. In such a case, the other Administrator server in that pair will also be removed from the community.

Failed to remove server from community. Administrator tried and failed to remove an Administrator server, other than itself, from a community. The event field contains the server ID for the system which could not be removed.

Failed to remove this server from community. Administrator tried and failed to remove itself from the community of which the Administrator server is currently a member.

This server removed from community. The Administrator server has successfully removed itself from the community of which it was formerly a member.

Failed to add (address) to community. Administrator failed to add an Administrator server other than itself to a community. The event text contains the address of the system which could not be added.

Added replicating pair (address 1) / (address 2). Administrator successfully added a replicating pair of Administrator servers to a community. The event text contains both addresses in the replicating pair. Those are internal addresses, which is important to keep in mind for NAT setups.

Added new peer (address). Administrator successfully added a new individual Administrator server to a community. The event text contains the address of the successfully added system.

System Registrar

(Events and operations associated with resource registration. This registration occurs when Administrator has discovered a manageable resource, and when Administrator needs to refresh its cached information about a managed resource.)

Failed to register with resource. Administrator registration failed for a particular resource. The event text contains the address of the resource for which registration failed.

Failed to register with resource at <address> via URL <url>. Administrator registration failed for a particular resource. The event text contains the address of the resource for which registration failed, and the URL (the request) with which Administrator attempted to register.

Resource is already managed. The resource is already managed by some other Administrator system.

System Session Manager The “event” field for this log entry will indicate the user who has logged out.

System Access Control

(Events and operations related to IP-based access control, and to Administrator enforcement thereof.)

Access Control Type is updated to Allow Only. A user with Administrator administrative rights has configured Administrator's IP-based access control to “allow only”. Administrator will only allow access from addresses explicitly specified in the access control list.

Access Control Type is updated to Disallow Only. A user with Administrator administrative rights has configured Administrator's IP-based access control to “disallow only”. Administrator will disallow access from addresses explicitly specified in the access control list.

IP address has been removed from IP List. An address has been removed from the Administrator access control list. The description contains the removed address.

IP addresses have been removed from IP List. More than one address has been removed from the Administrator access control list.

IP address has been added to IP List. An address has been added to the Administrator access control list.

System Loader

(Events and operations associated with the Administrator loader. The loader's function is to start background tasks and threads upon Administrator service start-up.)

Server started. Administrator has started up.

Server stopped. Administrator has shut down.

Can not load object. The loader could not successfully start an Administrator component. The description indicates the object that could not be loaded.

System None

(Events and operations used in pinging resources and in managing Visualizers.)

Failed to ping resource. A managed resource did not respond to Administrator's ping request. The event field indicates the address of the non-responsive resource. The Administrator ping is a product-specific request for updated resource status. Do not confuse it with the standard ICMP ping (ICMP echo request).

Resource version change. A managed resource has undergone a change in software version, e.g. an upgrade. The event string contains the resource address and the old and new SW version identifiers (e.g. “resource (name) at (address) has a new version…” etc.).

Added interface(s) to Visualizer at address. A user with sufficient Visualizer privilege has added interfaces to a Visualizer being managed by Administrator. The event string contains the address of the Visualizer system.

Removed interface(s) from Visualizer at address. A user with sufficient Visualizer privilege has removed interfaces from a Visualizer being managed by Administrator. The event string contains the address of the Visualizer system.

Visualizer at address has new tech limit. A managed Visualizer has a new tech limit. The event string contains the address of the Visualizer system.

Visualizer at address has new license count. A managed Visualizer has a new license count. The new value may be greater than or less than the previous value. The event string contains the address of the Visualizer system.

System Service restart Administrator service restarted. A user with administrative rights has intentionally restarted the Administrator service by means of the Restart Sniffer Enterprise Administrator button on the Administration > Overview page. The description reports the IP address of the browsing client from which the user restarted the service.

User Role Configuration

(Events and operations associated with defining, modifying, and deleting Administrator user roles.)

Role Creation. A user with Administrator administrative rights has created a new role. The description contains the new role name.

Role could not be deleted. A user tried to delete a user role, but could not do so because one or more existing users have that role assigned to them. Administrator will not allow deletion of a role which is currently in use.

Role Deletion. A user with Administrator administrative rights has successfully deleted a user role.

Administrator Reboot Resource Administrator has sent a reboot request to a managed resource. The event field for this log entry will contain the address of the rebooted resource.

Session Management

Terminate Session The event field for this log entry will indicate the user whose session has been terminated.

Configuration Overview

(Events and operations associated with the Administrator parameters on the Administration > Overview page.)

Email Destination. An email destination has been added or deleted. The type field contains either “add” or “delete” as appropriate. The description field contains the email destination which was either added or deleted.

Configuration Email Test

(Events associated with the “Send Test Email” button which sends a test message to all the currently defined email recipients, using the current email (SMTP) server configuration.)

Test email has been successfully sent. The “Send Test Email” operation completed successfully. This only indicates that Administrator successfully sent the message. Administrator has no way of verifying whether the intended recipient(s) actually got the test email.

Could not send a test email. Administrator could not send the test email. This may be due to incorrect email server configuration in Administrator, or in the email server itself. It may also be due to an error in the interaction between Administrator and the configured email server.

Auto downloads now

Auto downloads now

(Progress messages for automatic patch downloads.)

Auto downloads now. One or more automatic patch downloads have occurred. Other activity log messages report the success or failure of individual download operations.

Recorded Visualizer Activities

The following possible activities are events occurring on the Visualizer resource and sent to the Administrator server. After receiving notification from Visualizer, Administrator displays these events on the Administrator's Activity Log page. In the examples provided, data values are shown in bold.

Table 13-3. Recorded Visualizer Events

Event Category

Events Log Example

User access and authentication.

User logs in to Visualizer directly or through Administrator.

'User <user_name> is logged in.'

Note: A similar message is sent on logout.

Enable/Disable Baseline

Visualizer user enables or disables a baseline for an entity (through the Visualizer interface on the Network Overview tab > Application Analysis and Network Analysis pages).

'Baseline is disabled for the following entity : InstrumentationPoint - <iPoint>, Application - <appname>, Subnet Pair - <subnetpair1> - <subnetpair2>'.

Data Purging

Visualizer user modifies data purge settings for any of the data groupings: Adhoc - Raw, 15 Min Aggregation, 60 Min Aggregation data groupings (through the Visualizer interface on the Administration tab > Tune Database page > Edit Purge Settings).

Purge Setting of <category> is updated with value <n> Day(s).

Data Granularity

Visualizer user modifies logging granularity settings for any of the data types: Application Intelligence, Global Statistic, Matrix, and Virtual Circuit (through the Visualizer interface on the Administration tab > Tune Database page > Edit Logging Granularity).

Logging Granularity of <data type> is <Enabled/Disabled> with value <n>.

Filtering

Visualizer user applies an application filter (through the Visualizer interface on the Administration tab > Tune Database page > Filter By Application).

User applies an IP Range Filter (through the Visualizer interface on the Administration tab > Tune Database page > Filter By IP Range).

Application / IP Range Filter is updated.

Note: The Applications and IP Range data values are not sent to Administrator.

Critical Entity

Visualizer user adds or deletes a new Critical entity (through the Visualizer interface on the Administration tab > Configurations page > Managing Critical Entities).

The following critical entity is <added/deleted> : Server : <server IP> , Application : <application name>.

Recorded InfiniStream Activities

The following possible activities are events occurring on the InfiniStream resource and sent to the Administrator server. After receiving notification from InfiniStream, Administrator displays these events on the Administrator's Activity Log page.

In the following table, the Event Category lists four “modules” that interact with the ICE and trigger a log message to be sent to Administrator:

PAM module (authentication on the ICE). PAM authentication reports messages when a user attempts to use the PAM module for user authentication. Events that trigger log messages are successful logins and unsuccessful login attempts.

InfiniStream Console. Events on the ICE that will generate log messages are: valid logins, invalid logins, log outs, local user additions, local user deletions, stream configuration changes, capture filter changes, mining filter applications, and mining details.

The managing Sniffer Enterprise Administrator. All communication from Administrator is reported back to Administrator in a log message. This includes valid and invalid communication attempts using the CommandInterpreter CGI program. Invalid commands are simply reported as having been attempted, together with the IP address from which they were attempted. Valid commands consist of: discovery, health check, os_stats, ping, registration, update, and reboot. On startup of ice_admind (the daemon that communicates with CommandInterpreter, which Administrator uses to communicate with the ICE), a log message is sent with "ice_admind startup on the ICE" as the description.

Sniffer Enterprise Visualizer. All communication with Sniffer Enterprise Visualizer is logged as a single entry for each communication.

Table 13-4. Recorded InfiniStream Events

Module Originating Event

Events Information Contained in Log

PAM module Invalid user name/password On the receipt of an invalid user name/password combination, the PAM module generates the message where:

Source = the IP address of the remote host attempting to connect

Category = Authentication

Subcategory = Login'

Event = Invalid PAM Login Attempt

Type = Invalid Login Attempt

Host = the IP address of the ICE

User = Administrator

Description = Pam_ngc_administrator: Invalid Login attempt for <user_name>

PAM module Valid user name/password On the receipt of a valid user name/password combination, the PAM module sends the log message where:

Source = the IP address of the remote host attempting to connect

Category = Authentication

Subcategory = Login'

Event = Valid PAM Login

Type = Valid Login

Host = the IP address of the ICE

User = The user name that was authenticated

Description = Valid Login using PAM

InfiniStream Console

Invalid login attempts Invalid login attempts will provide the log message where:

Source = IP Address of the login attempt

Category = Authentication

Subcategory = Console Login

Event = Invalid Login

Type = Invalid Console Login

Host = the IP address of the ICE

User = The user name that was attempted to be logged in as

Description = Invalid Console Login attempt for <user_name> from <IP address of the connecting console>

InfiniStream Console

Valid login attempts Valid login attempts will provide the log message where:

Source = IP Address of the person logging in

Category = Authentication

Subcategory = Console Login

Event = Valid Login

Type = Valid Console Login

Host = the IP address of the ICE

User = The user name that was authenticated

Description = Valid Console Login for <user_name> from <the IP address of the connecting console>

InfiniStream Console

Log outs Log outs can occur when the user closes the connection from the console, closes the console connection, or when there is an error that causes the link to drop. These messages provide the log information where:

Source = IP Address of the person logged in

Category = Authentication

Subcategory = Console Logout

Event = Console Disconnect

Type = Console Disconnect

Host = the IP address of the ICE

User = The user name that was authenticated

Description = Console connection closed for <user_name> from <the IP address of the connecting console>

InfiniStream Console

Local user additions Local user additions provide the log information where:

Source = IP Address of the person doing the change

Category = Console

Subcategory = Administration

Event = User Added: <user_name>

Type = User Added: <user_name>

Host = the IP address of the ICE

User = The user that did the adding

Description = <authenticated user> added user: <user_name>

InfiniStream Console

Local user deletions Local user deletions provide the log information where:

Source = IP Address of the person doing the change

Category = Console

Subcategory = Administration

Event = User deleted: <user_name>

Type = User deleted: <user_name>

Host = the IP address of the ICE

User = The user that did the adding

Description = <authenticated user> deleted user: <user_name>

InfiniStream Console

Stream configurations Stream configuration changes provide the log message with:

Source = IP Address of the person doing the change

Category = Console

Subcategory = Configuration Change

Event = Stream Config File Applied

Type = Stream <ID> config change

Host = the IP address of the ICE

User = The user that made the change

Description = <authenticated user> Applied the stream config file for <stream # that was modified>

InfiniStream Console

Stream mining Mining a stream provides the log message of:

Source = IP Address of the person doing the mining

Category = Console

Subcategory = Mining

Event = Data Segment Mined

Type = Stream <ID> mined

Host = the IP address of the ICE

User = The user that did the mining

Description = <authenticated user> mined <stream # that was modified> from <beginning time> to <ending time>

InfiniStream Console

Applying a mining filter The log entry for applying a mining filter cannot tell the activity log reader exactly what filter was used, because of the format of the filter and the size of the description file. However, it does indicate whether a filter was used on a mining session or all data was grabbed. The message that it sends is:

Source = IP Address of the person doing the mining

Category = Mining

Subcategory = Mining Filter Applied

Event = Mining Filter Applied

Type = Mining Filter Applied

Host = the IP address of the ICE

User = The user that did the mining

Description = <authenticated user> applied a mining filter for <stream # that was modified>

InfiniStream Console

Configuration file changes Configuration files are changed when users alter the behavior of the ICE with regard to a stream. The message that this generates is:

Source = IP Address of the person doing the change

Category = Console

Subcategory = Configuration Change

Event = Stream Configuration Change

Type = Stream Configuration Change from Console

Host = the IP address of the ICE

User = The user that did the change

Description = The contents of the configuration file

InfiniStream Console

Capture filter changes Capture filters are changed when a user alters the capture filter for the stream. The message that this generates is:

Source = IP Address of the person doing the change

Category = Console

Subcategory = Capture Filter Change

Event = Stream Capture Filter Change

Type = Stream Capture Filter Change from Console

Host = the IP address of the ICE

User = The user that did the change

Description = The contents of the Capture filter file
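The login, user-administration and capture-filter events in Table 13-4 can be triaged with a few correlation rules. The following Python code is an added example, not part of this guide or of any Network General product: it assumes the records are available as blank-line-separated "Field = value" blocks in chronological order (the guide documents the fields, not an export format), and the threshold, rule names, helper names and sample records are constructed for illustration.

```python
from collections import defaultdict

# Field names and event strings as documented in Table 13-4.
FIELDS = ("Source", "Category", "Subcategory", "Event", "Type", "Host", "User", "Description")
FAILED_LOGIN_EVENTS = {"Invalid PAM Login Attempt", "Invalid Login"}
VALID_LOGIN_EVENTS = {"Valid PAM Login", "Valid Login"}


def parse_records(text):
    """Parse blank-line-separated 'Field = value' blocks into dicts.

    The block layout is an assumption of this example. A line that does not
    start with a known, not-yet-seen field name is treated as a continuation
    of the previous field, so a multi-line Description (for example the
    contents of a capture filter file) stays intact.
    """
    records = []
    for block in text.strip().split("\n\n"):
        record, last = {}, None
        for line in block.splitlines():
            key, sep, value = line.partition("=")
            key = key.strip()
            if sep and key in FIELDS and key not in record:
                record[key] = value.strip()
                last = key
            elif last is not None:
                record[last] += "\n" + line
        if "Source" in record and "Event" in record:
            records.append(record)
    return records


def triage(records, threshold=3):
    """Return findings as (rule, source, host, detail) tuples, in log order."""
    failures = defaultdict(int)   # (source, host) -> failed logins since last success
    suspect = set()               # (source, host) that logged in after >= threshold failures
    findings = []
    for rec in records:
        key = (rec["Source"], rec.get("Host", ""))
        event, user = rec["Event"], rec.get("User", "")
        if event in FAILED_LOGIN_EVENTS:
            failures[key] += 1
            if failures[key] == threshold:
                findings.append(("repeated-failed-login", *key, f"{threshold} failures"))
        elif event in VALID_LOGIN_EVENTS:
            if failures[key] >= threshold:
                suspect.add(key)
                findings.append(("login-after-failures", *key, user))
            failures[key] = 0
        elif event.startswith(("User Added:", "User deleted:")):
            rule = "account-change-after-suspect-login" if key in suspect else "account-change"
            findings.append((rule, *key, event))
        elif rec.get("Subcategory") == "Capture Filter Change":
            # A filter change alters what the stream records from then on.
            findings.append(("capture-filter-change", *key, user))
    return findings


def _block(source, category, subcategory, event, type_, user, description, host="192.0.2.10"):
    """Build one constructed sample record in the assumed text layout."""
    values = (source, category, subcategory, event, type_, host, user, description)
    return "\n".join(f"{name} = {value}" for name, value in zip(FIELDS, values))


_BAD = _block("198.51.100.7", "Authentication", "Console Login", "Invalid Login",
              "Invalid Console Login", "jdoe",
              "Invalid Console Login attempt for jdoe from 198.51.100.7")

# Constructed sample data: documentation-range addresses, invented user names.
SAMPLE_LOG = "\n\n".join([
    _BAD, _BAD, _BAD,
    _block("198.51.100.7", "Authentication", "Console Login", "Valid Login",
           "Valid Console Login", "jdoe", "Valid Console Login for jdoe from 198.51.100.7"),
    _block("198.51.100.7", "Console", "Administration", "User Added: svc2",
           "User Added: svc2", "jdoe", "jdoe added user: svc2"),
    _block("198.51.100.7", "Console", "Capture Filter Change", "Stream Capture Filter Change",
           "Stream Capture Filter Change from Console", "jdoe",
           "filter line 1\nfilter option = value"),
    _block("192.0.2.50", "Console", "Administration", "User deleted: temp1",
           "User deleted: temp1", "admin", "admin deleted user: temp1"),
])

if __name__ == "__main__":
    for finding in triage(parse_records(SAMPLE_LOG)):
        print(finding)
```
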

Recorded Administrator and Visualizer Activities

Table 13-5. Recorded Administrator and Visualizer Events

Module Originating Event

Events Information Contained in Log

Sniffer Enterprise Administrator

CommandInterpreter command

When a command is received over the CommandInterpreter CGI Interface, a log message is generated consisting of:

Source = IP Address of the source of the command

Category = Administrator

Subcategory = Administrator Command

Event = the command that was attempting to be executed

Type = the command that was attempting to be executed

Host = the IP address of the ICE

User = Administrator

Description = Administrator Executed Command from <remote host>

Sniffer Enterprise Administrator

Software updates - initiated Software updates and reboots provide additional logging because of the seriousness of the command. Software Updates provide three additional logs. They consist of:

Source = IP Address of the source of the command

Category = Infinistream

Subcategory = Update

Event = Software Update Request Received

Type = Software Update

Host = the IP address of the ICE

User = the user name passed into the CGI App

Description = Software Update Initiated

Sniffer Enterprise Administrator

Software updates - update executed

Source = IP Address of the source of the command

Category = Infinistream

Subcategory = Update

Event = Software Update Details

Type = Software Update Details

Host = the IP address of the ICE

User = the user name passed into the CGI App

Description = The output to stdout that is captured when the update is executed

Sniffer Enterprise Administrator

Software updates - update complete

Source = IP Address of the source of the command

Category = Infinistream

Subcategory = Update

Event = Software Update Completed

Type = Software Update

Host = the IP address of the ICE

User = the user name passed into the CGI App

Description = Software Update Completed

Sniffer Enterprise Administrator

Invalid reboot attempts (from unauthorized user)

Source = IP Address of the source of the command

Category = Infinistream

Subcategory = Reboot

Event = Reboot attempt from unauthorized Administrator user

Type = Reboot attempt

Host = the IP address of the ICE

User = Invalid Session ID

Description = Reboot attempt by Sniffer Enterprise Administrator


Sniffer Enterprise Administrator

Invalid reboot attempts (from authorized user)

Source = IP Address of the source of the command

Category = Infinistream

Subcategory = Reboot

Event = Reboot attempt from unauthorized Administrator user

Type = Reboot attempt

Host = the IP address of the ICE

User = User attempting to reboot

Description = Reboot attempt by Sniffer Enterprise Administrator

Sniffer Enterprise Administrator

Valid reboot attempts

Valid reboots provide the log message of:

Source = IP Address of the source of the command

Category = Infinistream

Subcategory = Reboot

Event = Reboot from Administrator

Type = Reboot

Host = the IP address of the ICE

User = The user doing the rebooting

Description = Reboot by Sniffer Enterprise Administrator

Sniffer Enterprise Visualizer

All communication with Sniffer Enterprise Visualizer is logged as a single entry for each communication.

The format for this audit log message consists of:

Source = IP Address of the source of the command

Category = Visualizer

Subcategory = Visualizer Configuration

Event = Visualizer Update from <Visualizer>: <command executed>

Type = the Access method used to access vizcgi. This consists of /nidataconfig/, /ATTACH, /DETACH, and /UPDATE

Host = the IP address of the ICE

User = Visualizer

Description = <the details of the command>

Note: The event is normally a change in data logging granularity on a Visualizer appliance.


Saving and Printing Activity Log Data

You can save and print activity log data through Administrator. The Activity Log Overview page provides two ways to save and/or print information summarized in the Activity Log:

Export to CSV. Click to export Administrator System log entries into a CSV formatted file that you can open for viewing or download and save. Saved files will open in Excel if you have Excel installed on your client system.

Print. Click to open a text file in a separate browser window containing a summary of current log entries. Print this page using browser menu options.
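An added example, not part of the original guide: a Python triage of an exported Activity Log CSV that lists rejected reboot attempts and software updates with no matching completion entry. The column names are an assumption taken from the field names in Table 13-5 (the guide does not show the CSV header), and the sample rows are constructed.

```python
import csv
import io
from collections import defaultdict

# Constructed sample export. Column names are assumed to match the field
# names of Table 13-5; the real CSV header is not shown in the guide.
SAMPLE_CSV = """Source,Category,Subcategory,Event,Type,Host,User,Description
192.0.2.10,Infinistream,Update,Software Update Request Received,Software Update,198.51.100.5,alice,Software Update Initiated
192.0.2.10,Infinistream,Update,Software Update Details,Software Update Details,198.51.100.5,alice,unpacking package
192.0.2.10,Infinistream,Update,Software Update Completed,Software Update,198.51.100.5,alice,Software Update Completed
192.0.2.77,Infinistream,Reboot,Reboot attempt from unauthorized Administrator user,Reboot attempt,198.51.100.5,Invalid Session ID,Reboot attempt by Sniffer Enterprise Administrator
192.0.2.77,Infinistream,Reboot,Reboot attempt from unauthorized Administrator user,Reboot attempt,198.51.100.6,bob,Reboot attempt by Sniffer Enterprise Administrator
192.0.2.10,Infinistream,Update,Software Update Request Received,Software Update,198.51.100.6,alice,Software Update Initiated
192.0.2.10,Infinistream,Reboot,Reboot from Administrator,Reboot,198.51.100.5,alice,Reboot by Sniffer Enterprise Administrator
"""


def load_events(text):
    """Parse the CSV text into a list of dicts with whitespace stripped."""
    rows = []
    for row in csv.DictReader(io.StringIO(text)):
        rows.append({k: (v or "").strip() for k, v in row.items() if k})
    return rows


def rejected_reboots(events):
    """Reboot attempts that were refused (Type = Reboot attempt).

    User = "Invalid Session ID" marks a request without a valid session;
    any other user name is a logged-in user who was not allowed to reboot.
    """
    hits = []
    for e in events:
        if e["Subcategory"] == "Reboot" and e["Type"] == "Reboot attempt":
            if e["User"] == "Invalid Session ID":
                kind = "no valid session"
            else:
                kind = "known user"
            hits.append((e["Source"], e["Host"], e["User"], kind))
    return hits


def rejections_by_source(events):
    """Count refused reboot attempts per originating IP address."""
    counts = defaultdict(int)
    for source, _host, _user, _kind in rejected_reboots(events):
        counts[source] += 1
    return dict(counts)


def incomplete_updates(events):
    """(Host, User) pairs with an update request but no completion entry.

    A software update should leave three entries: Request Received,
    Details, and Completed. A request without a later Completed entry
    is worth following up on the appliance itself.
    """
    open_updates = defaultdict(int)
    for e in events:
        if e["Subcategory"] != "Update":
            continue
        key = (e["Host"], e["User"])
        if e["Event"] == "Software Update Request Received":
            open_updates[key] += 1
        elif e["Event"] == "Software Update Completed" and open_updates[key] > 0:
            open_updates[key] -= 1
    return sorted(k for k, n in open_updates.items() if n > 0)


if __name__ == "__main__":
    events = load_events(SAMPLE_CSV)
    for hit in rejected_reboots(events):
        print("rejected reboot:", hit)
    print("rejections by source:", rejections_by_source(events))
    print("updates without completion:", incomplete_updates(events))
```

Because purged entries are written to a dated CSV before deletion, the same functions can be run over those archived files as well as over a fresh export.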

Activity Log Data Purging

The Activity Log page does not allow the deletion of any audit records displayed on the page or otherwise stored on the Administrator server. Administrator provides a mechanism for authorized users (users with administrator permissions) to edit the purge interval for Activity Log entries stored on the Administrator server through the Administration page (accessed through the Administration tab). If desired, the audit records stored on the Administrator server can be purged daily, weekly, monthly, or never. By default, Activity Log entries are purged from the Administrator server daily.

Before data purging, the log is exported to CSV format and saved to a file in the C:\Program Files\Network General\Enterprise\Tomcat\bin directory. The file name will indicate the date of the purged entries. For example: nPOManagerActivityLog2006-01-13.csv

NOTE: For a replicating pair, we recommend setting up Activity log purging on either the primary or the secondary server, but not both.

To specify Activity log data purging:

1 Click the Administration tab.

2 Within the Server Control section, select one of the following options. All times specified are GMT.

Never. The Activity log is not purged automatically.

Daily. Daily data purging occurs every day at 1:00 AM.


Weekly. Weekly data purging occurs every Monday at 1:00 AM.

Monthly. Monthly data purging occurs on the first day of each month at 1:00 AM.

3 Click Save.

Generating Data Logs

Data logs are available for the Administrator server and Sniffer Distributed Agents. See:

Generating Data Logs for the Administrator Server

Generating Data Logs for Sniffer Distributed Agents

Generating Data Logs for the Administrator Server

The Get System Logs option at the bottom of the System Summary pane on the Administration > System Status page allows you to download system files to be used by Network General Technical Support in the event you have to troubleshoot Administrator activities.

Clicking Get Logs downloads MultiSegment Intelligence, Administrator, and Tomcat log information. If you would like to also download replication status and additional system information, check the desired option(s) before clicking Get Logs. Please note, adding one or both options may increase the download time.

After clicking Get Logs, open or save the contents of the zip file to your local system.

Generating Data Logs for Sniffer Distributed Agents

NOTE: The following applies to Sniffer Distributed Agent resources only.

From the Resources > Details pane, you may have two MERTool options: Get log to Server and Get log to Browser. The MERTool is designed to work with Sniffer Distributed Agents and is used to collect necessary data that Network General Technical Support may need to investigate issues.

IMPORTANT: Run the MERTool only if requested by Tech Support.


If you would like data collected on the Agent, the Agent needs to have the MERTool installed. Manually run the tool on the Agent first (Administrator cannot fetch data from the Agent until a file is created on the Agent). From the Agent, execute C:\NAI\MerTool\Mer (this has a .vbs extension). This creates a file called sdagent.tgz in C:\NAI\Mertool.

From Administrator, clicking Get log to Server fetches the sdagent.tgz file from the Agent and places it on the Administrator Appliance. Clicking Get log to Browser fetches the sdagent.tgz file from the Administrator Appliance and makes it available to the browsing client.

NOTE: You can also generate system log files for Administrator activities using the Get Logs link available on the Administration > System Status page. See Generating Data Logs for the Administrator Server on page 165 for more information.

Generating Report Files

Administrator provides reporting functionality by formatting resource, user, domain, or activity log data into a file that can be used to create a report.

To view and save report files:

1 Click the Resources, Users, Domains, or Activity Log tab.

2 From those pages, you have the following options:

Export to CSV. Click to export data into a CSV formatted file that you can open for viewing or download and save. Saved files will open in Excel if you have Excel installed on your client system.

Print. Click to open a text file in a separate browser window containing a summary of current data. Print this page using browser menu options.

NOTE: If you have applied a filter to the Activity Log Overview page, only the filtered information will appear in the report output.


Appendix A

Error Messages, FAQs, and Troubleshooting Tips

The information in this section contains tips for various error and session log entries seen in Administrator, as well as general product troubleshooting.

Log and Error Messages

General Troubleshooting

Database Replication Troubleshooting

Log and Error Messages

The following sections provide information about common log and error messages seen during Administrator operations.

Resource Log Messages

Authentication and Security Messages

Resource Log Messages

The following table summarizes common log messages seen in the Administrator resource discovery process.

Table A-1. Resource Log Messages

Log Message

Possible Resolution

Resource or Agent status unknown.

This indicates that the resource (or the Agent host) is unreachable or unresponsive.

Administrator sends an ICMP ECHO (ping) request to the Agent host every 15 minutes to see if the Agent host is reachable on the network.

If the ping succeeds, Administrator sends an HTTPS request to the resource to see if the resource itself is responsive.

If the request succeeds, Administrator sends the resource a series of commands to register itself and retrieve resource information (topology, version, etc.).

See Connection Issues on page 172 for more information.


Authentication and Security Messages

The following table summarizes error messages a user may see upon trying to log in through the Administrator Login page.

Table A-2. Authentication Error Messages

Error Message

Possible Resolution

Access denied. Login disabled.

The user has been marked as “invalid” by an administrative user.

Access denied. Login expired.

The user's expiration date has passed. An administrative user other than the expired user may reset that date if desired.

Access denied. No authorization.

The user authenticated successfully but lacked explicit authorization to use Administrator.

Please enter a user name and password.

Both fields were empty. Administrator log-in requires a valid, non-empty user name and password.

Please enter a user name.

The user tried to log in with a password but without specifying a user name.

Please enter a password.

The user tried to log in with a user name but without specifying a password.

General Troubleshooting

The following tables provide tips for possible issues seen during Administrator operations. Issues are grouped in the following areas:

Third-party Software Issues

Connection Issues

Resource Discovery and Resource Management

Authentication and Authorization Settings

Alarm Management

Software Updates

Remote Reimaging

Replication


Third-party Software Issues

Table A-3. General Troubleshooting - Third-party Software Issues

Issue or Error

Possible Resolution

Security warning repeatedly appears when navigating through the Administrator pages.

You have not installed the ActiveX Control. If you do not install the Network General ActiveX Control, you will not be able to perform certain “connect” operations such as launching SniffView Console (or Win32 Console) for connection to a resource (interface).

If you decline to install the ActiveX Control, you will continue to see a security warning unless you either (a) allow the control to be installed, or (b) change your browser security settings in Internet Explorer.

To change this option, go to Tools > Internet Options…, and click the Security tab. Click Custom Level… for the current security zone. Check and/or adjust the settings under ActiveX Controls and plug-ins. For example, if the setting for “Download signed ActiveX controls” is set to “Prompt” you will see the pop-up. If you trust signed controls, you can set that to “Enable” to prevent the pop-up and allow automatic installation of the control.

Also see ActiveX Control not updated. on page 170.

The resource table in the Resources > Overview page displays “undefined.”

or

The “Connect” icon will appear for a resource (interface) which does not support the “connect” operation, or the icon will not appear for an interface which supports connection.

The ActiveX Control is not installed on the browsing client.

Other possible causes:

(a) user declined to install the ActiveX Control.

(b) The browsing client's Internet Explorer security settings are preventing ActiveX Control installation.

For (a), accept installation of the control. For (b), check the IE settings for “ActiveX Controls and plug-ins” as described in Security warning repeatedly appears when navigating through the Administrator pages. on page 169. Also see ActiveX Control not updated. on page 170.

Which ActiveX Control version do I have?

To check the current ActiveX Control version, perform the following:

1. Open Windows Explorer (not Internet Explorer) and navigate to C:\WINDOWS\Downloaded Program Files.

2. If the "NGShell Control" object exists in that folder, right-click it and select Properties. Within the property panel, click the Version tab.


How do I uninstall the ActiveX Control?

To completely unregister and remove the Network General ActiveX Control from a browsing client, perform the following:

1. In a command prompt window, change directory (cd) to C:\WINDOWS\Downloaded Program Files.

2. If the file "NGShell.ocx" is present in that folder, execute the following command:

regsvr32 /u NGShell.ocx

3. Open Windows Explorer and navigate to C:\WINDOWS\Downloaded Program Files

4. If the "NGShell Control" object exists in that folder, right-click it and select Remove.

ActiveX Control not updated.

Update an existing copy of the control in case you need to reinstall it for whatever reason.

1. Open a Windows Explorer window.

2. Navigate to C:\WINDOWS\Downloaded Program Files

3. If there is an object named "NGShell Control" in that folder, right-click it and either:

a. Click Update or

b. Click Remove and then log into Administrator (opening the Resources > Overview page should force the reinstallation of the updated control). It is NOT sufficient to remove the control by dragging it to the recycle bin.

The security settings must also be correct *for the right browser zone.* For example, if you are accessing Administrator as a "trusted site," you will have to adjust those settings for the zone in which your browser is actually accessing Administrator. Adjusting the ActiveX-related settings for the "Local intranet" or "Internet" security zones will not be sufficient.


ActiveX Control not installing or updating automatically.

(You are not prompted to install the ActiveX Control on the browsing client even though the Control installed with Administrator is known to be a newer version.)

Verify this by checking the control version: navigate to C:\WINDOWS\Downloaded Program Files, right-click the ActiveX Control (if present), select Properties, and then click the Version tab.

Force an update by right-clicking on the NGShell control object and selecting Update, or by removing the control and allowing the browser to reinstall it.

In the rare event that Internet Explorer will not automatically download or install the control, or present the prompt asking you to do so, restart Windows on the browsing clients.

The ActiveX Control is up-to-date but the resource table in the Resources > Overview page continues to display "undefined."

Do not use special characters and double or single quotes in the agent note. In MySQL, delete resourceIDs whose Agent note field contains either a single quote or double quotes.

Ensure that your browser is configured to display JavaScript errors so that this problem can readily reveal itself. If the symptom appears, configure the browser so that JavaScript errors will appear in the usual pop-up form.

Error backing up data.

In the rare case that you have a large number of MultiSegment Intelligence sessions and trace files to back up, you may encounter a MySQL limitation. In this case, manually back up your data. Instructions are provided in the Sniffer Enterprise Administrator Installation Guide.


Connection Issues

Table A-4. General Troubleshooting - Connection Issues

Issue or Error

Possible Resolution

Unable to discover or ping managed resources, or update resource status.

Errors when attempting to authenticate resources through Administrator.

The Windows XP SP2 firewall may be enabled. The firewall may also turn back on after a reboot, despite manually turning it off before the reboot. Or, the firewall is running with an incorrect or incomplete exception list.

To verify issues with the firewall, look for dropped connections from resources in the Administrator Appliance’s Windows firewall log located in C:\WINDOWS\pfirewall.log

Check that the Web or WWW Publishing service in the Control Panel > Administrative Tools > Services on the Appliance is set to Automatic and is running.

Unable to connect to the Administrator Appliance.

This may occur if you’re entering a URL with an IP address instead of a name for the host portion. If you're accessing your Administrator by IP address and you're working in a DHCP environment, the Administrator server's IP address may change if it reboots. As a result, URLs relying on the old IP address will become obsolete.

Use of IP address in the URL is not recommended for DHCP environments. We recommend using the Administrator server name rather than the Administrator server IP address in the URL.

Unable to launch SniffView (Win32 Console) for Sniffer Distributed 4.5x Agents.

To connect to Sniffer Distributed 4.5x Agents you must have the “common console” installed on your client system. For 4.5x versions, the “common console” is included in the standard SniffView (Win32 Console) installation. See “Installing the Console Software” in the Sniffer Distributed 4.5 Getting Started Guide for detailed instructions.


Unable to connect to Agent from Administrator.

• Try direct connection to the Agent: https://ipofagent/isniffer

• Check what ports are being allowed on the firewall if Administrator is behind one.

• Check that the Web or WWW Publishing service in the Control Panel > Administrative Tools > Services on the Appliance is set to Automatic and is running.

• Check the sma.prop file on the Agent (C:\Program Files\NAI\DSProAgentNT\Program\isniffer\propData). Make sure the file is not read-only.

[Management Server]

primaryLocation=<Administrator host>

backupLocation=<Administrator host>

useSnifferCentral=false/true <being managed by Administrator>

[Connection]

secure=true/false <depends on Agent version 4.3 true 4.2 and below false>

port=443/80 <appropriate port for https>

Note: If the sma.prop file has reverted to the default version, enter the following URL on both the Agent’s browser and from the Administrator Appliance to see if it will update the file. Replace <ipofagent> with the IP address of the Agent. Replace <ipofNPOM> with the IP address of the Administrator Appliance. Parentheses are not needed for HTTPS.

https://<ipofagent>/isniffer/isniffer.dll?DispatchCmd&33025&ServerIPAddress-<ipofNPOM>|ServerType-Primary|useSnifferCentral-yes|Location-\nPOManager|Protocol-https|Port-443|
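An added example, not part of the original guide: a Python check of an Agent's sma.prop against the template above, reporting a read-only file, an empty primaryLocation, and a secure/port mismatch. The sample files are constructed, and pairing secure=true with port 443 and secure=false with port 80 is this example's reading of the template.

```python
import configparser
import os
import stat

# Constructed samples modelled on the sma.prop template shown above.
GOOD = """[Management Server]
primaryLocation=admin01.example.net
backupLocation=admin02.example.net
useSnifferCentral=true

[Connection]
secure=true
port=443
"""

BAD = """[Management Server]
primaryLocation=
backupLocation=admin02.example.net
useSnifferCentral=true

[Connection]
secure=true
port=80
"""

LEGACY = GOOD.replace("secure=true", "secure=false").replace("port=443", "port=80")

REQUIRED = {
    "Management Server": ("primaryLocation", "backupLocation", "useSnifferCentral"),
    "Connection": ("secure", "port"),
}


def is_read_only(path):
    """True when the owner write bit is clear (the Windows read-only attribute)."""
    return not (os.stat(path).st_mode & stat.S_IWRITE)


def check_sma_text(text):
    """Return a list of findings for the contents of an sma.prop file."""
    cp = configparser.ConfigParser(interpolation=None)
    try:
        cp.read_string(text)
    except configparser.Error as exc:
        return ["unparseable: %s" % exc.__class__.__name__]

    findings = []
    for section, keys in REQUIRED.items():
        if not cp.has_section(section):
            findings.append("missing section [%s]" % section)
            continue
        for key in keys:
            if not cp.has_option(section, key):
                findings.append("missing %s in [%s]" % (key, section))
    if findings:
        return findings

    mgmt, conn = cp["Management Server"], cp["Connection"]
    if not mgmt["primaryLocation"].strip():
        findings.append("primaryLocation is empty")

    secure = conn["secure"].strip().lower()
    port = conn["port"].strip()
    if secure not in ("true", "false"):
        findings.append("secure must be true or false")
    elif secure == "true" and port != "443":
        findings.append("secure=true but port=%s (expected 443)" % port)
    elif secure == "false":
        # Per the template, only Agent 4.2 and below should run without HTTPS.
        findings.append("secure=false: plain HTTP, expected only for Agent 4.2 and below")
    return findings


def check_sma_file(path):
    """Check both the read-only attribute and the contents of a file on disk."""
    findings = ["file is read-only"] if is_read_only(path) else []
    with open(path, encoding="utf-8", errors="replace") as fh:
        return findings + check_sma_text(fh.read())


if __name__ == "__main__":
    for name, text in (("GOOD", GOOD), ("BAD", BAD), ("LEGACY", LEGACY)):
        print(name, check_sma_text(text) or "ok")
```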


HTTP Error 500.

When this error is presented on a page, try the following:

• Reload the page (F5).

• If the error occurred during a specific operation other than simply navigating to a page, retry that operation. For example, if the error occurred while attempting to delete two or more MultiSegment Intelligence sessions, try to delete the sessions again after reloading the page from which you requested the action.

• Restart the Sniffer Enterprise Administrator service.

• Reboot the Administrator Appliance.

• Access the error log for further troubleshooting. To access the log, right-click in the area where the HTTP 500 exception appears and select View Source. Copy and paste this information into the body of an email and send it to Technical Support for analysis.

Unknown status error.

This indicates that the resource (or the Agent host) is unreachable or unresponsive.

Administrator sends an ICMP ECHO (ping) request to the resource host every 15 minutes to see if the resource host is reachable on the network.

If the ping succeeds, Administrator sends an HTTPS request to the resource to see if the resource itself is responsive.

If the request succeeds, Administrator sends the resource a series of commands to register itself and retrieve resource information (topology, version, etc.).

See Connection Issues on page 172 for more information.

Error: Not enough info.

This error usually means that Administrator is trying to connect to the resource without providing the session ID to the resource. This happens when Administrator thinks the resource is a different version than it really is.

To resolve this error, reboot the resource. If rebooting does not resolve the error, view the sniffer_server.log for further analysis. The sniffer_server.log is available at: C:\Program Files\Network General\Enterprise\TOMCAT\logs\stdout.log


Administrator defaults to using HTTP.

Administrator establishes an HTTPS (port 443) connection to the resource every 15 minutes to maintain connectivity. If HTTPS communication fails, Administrator defaults to using HTTP.

Slow connection to resource.

HTTP POSTs are visible when capturing communication between Administrator and the Agent. The Agent is using ping to make sure the Administrator machine is accessible. Starting with Sniffer Distributed release 4.5, this has been removed.

Hot fixes have been released for Agent versions 4.30.012, 4.30.025, and 4.30.525. Contact Technical Support for information on acquiring various hot fixes.

Failed to connect to a resource that was added to Administrator by its DNS name on the Resources page, from a client system in a different subnetwork that is outside the DNS server's control.

If the Administrator client is unable to reach the DNS server used by both Administrator and the resource during the discovery process, the client will not be able to connect to a resource using its DNS name. Use the IP address of the resource instead.

Resources not managed properly.

For Administrator to properly manage a resource, the device name must exactly match the name of the adapter card. Ensure that the device name and adapter card match (view the Details pane on the Resources > Overview page).

Connection error: Client outside of firewall logged into Administrator inside a firewall and trying to connect to agent outside of firewall.

If you have a mixed NAT and non-NAT environment (some Administrators in the community are behind NAT firewall(s), and others are not), it is recommended to add external addresses to the resources outside of the firewall(s). This ensures connectivity to resources in various combinations such as the error scenario provided. These external addresses should be the same as internal addresses.

Attempt to generate a request for a new Administrator license causes a blank browser window instead of the save/cancel dialog box.

Administrator specifies a storage path to which the Administrator service does not have access (based on the user credentials with which the service is operating).

Provide credentials with the correct permissions for the Administrator service, then restart the service.


When attempting to load a license, the license does not load even though it is valid.

The validity of the license is known because:

• the license was previously loaded on the same system

• the hardware signature in the request matches the hardware signature in the license and you have confirmed that the request was generated on the correct system.

Administrator specifies a storage path to which the Administrator service does not have access (based on the user credentials with which the service is operating).

Provide credentials with the correct permissions for the Administrator service, then restart the service.


Resource Discovery and Resource Management

Table A-5. General Troubleshooting - Resource Discovery and Management

Issue or Error

Possible Resolution

Unable to discover resource.

Possible resolutions:

• Make sure that you can ping the resource.

• Check that the Web or WWW Publishing service in the Control Panel > Administrative Tools > Services on the Appliance is set to Automatic and is running.

• Check the directory C:\program files\nai\dsproagentnt\program\isniffer\sms and make sure that the file called discover.xml is present.

• For remote resources, increase the connection time out to 1000 seconds through the Connection Timeout (Server Control option) on the Administration > Overview page.

• Alternately, access C:\Program Files\Network General\Enterprise\Tomcat\shared\Classes on the Administrator Appliance and change the logging level to debug in the trace.properties file.

Look for the line that starts like 'log4j.rootCategory=info,R' and change this to 'log4j.rootCategory=debug, stdout, R'. Save the file and reboot Administrator.

• Perform the following test from a client browser: Enter the URL: https://ipofagent/nai/discover.xml. You should see HTML output. After this, if discovery is still not taking place, get the log files under C:\windows\system32. The files should look something like sniffer_server.log*


Unable to discover NAT resources.

While adding or discovering a NAT resource, enter the resource name in the external address field as normal, and discover the resource.

Notes:

• After the discovery of a NAT resource, click the Resources tab to reveal the external addresses. The displayed addresses will be the external addresses if you are connected as an external user. Administrator automatically detects if you are connected as an external user.

• If you are connected as an external user, you will not be able to connect to resources which have only internal addresses.

• If you want to connect to NAT resources as an external user, you have to edit the resource and add an external address.

A resource address is displayed as “None” by some servers in the community.

The resource is likely behind a NAT firewall. Add the resource's external address. If this happens when you are logged into an Administrator that is not separated from the resource by a firewall, it is likely that the resource is managed by the wrong Administrator, one that is separated from it by a firewall. This is not a supported configuration. Change the resource's ownership to an Administrator that is in the same LAN as the resource.


Authentication and Authorization Settings

Table A-6. General Troubleshooting - Authentication and Authorization Settings

Issue or Error

Possible Resolution

What is the difference between authentication and authorization?

Authentication verifies that you, the user, are really who you say you are. One way to verify that is to present valid credentials, such as a user name and a password.

Authorization gives you, the user, the right to do something. In some situations, it's possible that not all users with valid log-ins will be granted the right to use Administrator.

The Administrator local database will only do authentication and access control, but some third party authentication servers can do all three.

Not all AAA (Authentication, Authorization and Access Control) protocols support explicit authorization. In those cases, successful authentication implicitly includes authorization (the right) to use Administrator.

If both the local database and an external authentication server are enabled and the Access Denial Must Be Unanimous option is checked, which authentication server is checked first?

The Access Denial Must Be Unanimous option has no effect at all on which server is checked first.

If there is an authentication server ID cached for a particular user, then that server is always checked first. If there is no such cached server ID, then the order of checking is the order in which the DB returns the list of servers, as the result of a SELECT statement.

So, for example, if there is a cached AAA server for a certain user and that user's cached AAA server is an external authenticator, Administrator will consult that authenticator first.

Think of local DB authentication this way: Administrator itself is just another authenticator which only supports its own DB lookup. No RADIUS or TACACS+ or LDAP or Windows Domain, just DB lookup. The AAA logic treats all authenticators alike. Administrator is just one more face in the AAA crowd.


If the user name and password do not exist in the first authentication server checked, does it roll over to the next configured server?

This is where the Access Denial Must Be Unanimous option comes in. If that option is enabled, the AAA logic will try all enabled servers until either (a) one authenticator grants access or (b) all enabled authenticators either deny access or time out.

If that option is disabled, then denial by that first authenticator means access denied. Note that denial is not the same thing as a timeout.

How is the next server to be checked determined?

By the order of the enabled servers in the original list. See page 179.

What happens if the first authentication server checked is not responding to Administrator’s request?

If the authenticator is not responding (i.e. timing out), that's neither access granted nor access denied. It's just no decision either way.

If an authenticator times out, Administrator either:

a. Tries the next enabled server (if there are any left we haven't tried), or

b. Stops (because there are no enabled servers left to try).

If all the enabled external authentication servers time out, then typically we'll fall back to local DB authentication.

What is the default time out parameter or setting?

By default it's 10 seconds. This is configurable when you configure a new authentication server, or edit the details of an existing server under the Administration > Authentication page.

If we reach the timeout, do we default back to checking the local DB?

If an authenticator times out, Administrator either:

a. Tries the next enabled server (if there are any left we haven't tried), or

b. Stops (because there are no enabled servers left to try).

If all the enabled external authentication servers time out, then typically we'll fall back to local DB authentication. Don't forget you can have more than one enabled external authenticator.

If the third party authentication server goes back on line, how does Administrator know this?

There is no active checking, no polling or pinging, etc. It is whether the external authenticator is responsive when Administrator tries to talk to it.

Since external authenticators are normally used for more than just Administrator, the assumption is that users within that network would become aware that the authenticator is down and would fix it.

Table A-6. General Troubleshooting - Authentication and Authorization Settings

Issue or Error Possible Resolution


Can you outline the pros and cons of enabling both local DB and a third party authentication server?

Pros:

• Can fall back to DB if external AAA server is unresponsive.

• Can add externally authenticated users one by one as they log in to Administrator.

• External AAA can be made significantly more secure compared to Administrator DB lookup.

• User names and passwords are consistent within the customer's enterprise, since normally the external AAA server would be used for more than just Administrator authentication.

Cons:

• One possible disadvantage is, if the external authenticator is unresponsive, authentication itself may be delayed by the amount of time it takes to conclude that the server is not responding. The maximum possible time for that for each server is the number of retries times the length of the timeout interval. But that depends on changing network or server status. It's not really an inherent disadvantage of enabling both local and remote AAA. And besides, both retries and timeout are configurable, so the customer can fine-tune those as needed to minimize that potential delay.
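The server walk described in the answers above, and the worst-case delay from the Cons item, modeled as an added example (not code from the guide or the product). The server names and canned replies are constructed. The retry default, the outcome when denials and timeouts are mixed, and the local DB being enabled are assumptions.

```python
from dataclasses import dataclass
from enum import Enum


class Reply(Enum):
    GRANT = "grant"
    DENY = "deny"
    TIMEOUT = "timeout"  # no decision either way


@dataclass
class Server:
    name: str             # hypothetical label for an enabled external server
    reply: Reply          # constructed: how this server answers in the walk-through
    timeout_s: int = 10   # the guide's default timeout
    retries: int = 1      # assumed; the guide gives no default retry count


def decide(servers, unanimous_denial, local_db_grants):
    """Walk the enabled servers in list order and return (decision, trail)."""
    trail = []
    denied = False
    for server in servers:
        trail.append((server.name, server.reply.value))
        if server.reply is Reply.GRANT:
            return "granted", trail          # one grant is always enough
        if server.reply is Reply.DENY:
            if not unanimous_denial:
                return "denied", trail       # option disabled: a denial is final
            denied = True                    # option enabled: keep trying servers
        # Reply.TIMEOUT: no decision, try the next enabled server
    if denied:
        # Assumption: denials mixed with timeouts, and no grant, end as denied.
        return "denied", trail
    # Every enabled external server timed out: fall back to the local DB
    # (assumption: local DB authentication is enabled).
    trail.append(("local DB", "grant" if local_db_grants else "deny"))
    return ("granted" if local_db_grants else "denied"), trail


def worst_case_delay_s(servers):
    """Upper bound on the wait when no server answers: retries x timeout, per server."""
    return sum(s.retries * s.timeout_s for s in servers)


if __name__ == "__main__":
    chain = [Server("ldap-1", Reply.DENY), Server("radius-1", Reply.GRANT)]
    for unanimous in (False, True):
        print("unanimous denial =", unanimous, "->", decide(chain, unanimous, True))
    down = [Server("ldap-1", Reply.TIMEOUT, 10, 3), Server("radius-1", Reply.TIMEOUT, 5, 2)]
    print(decide(down, True, True), "after at most", worst_case_delay_s(down), "seconds")
```

The same two-server list gives opposite results depending on the Access Denial Must Be Unanimous option, which is worth checking whenever the server order is changed.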

A user lacking authorization can still log into Administrator even when Administrator requires explicit authorization.

In a scenario where a user has successfully logged in at a time when Administrator does not require authorization, and during the existing user session an administrator changes the Administrator settings to require authorization, the user previously logged in is considered authorized as well as authenticated.

After making changes to authorization and authentication settings, we strongly recommend reviewing the list of active user sessions and identifying users who may not be allowed to log in again under the new settings. If necessary, terminate the active sessions and/or adjust the user settings accordingly.


Alarm Management

Authenticated users who also have authorization cannot log into Administrator when Administrator requires Administrator authorization.

Possible resolutions:

• The authentication protocol you are using may not support authorization. For example, Windows Domain Authentication does not support authorization.

• Values incorrectly provided by the third-party authenticator. Check or re-confirm the configured third-party authentication server values. For example, for a RADIUS server, the crucial values are: vendor ID = 3401, attribute ID = 1, and possible attribute values = 0 (not authorized) or 1 (authorized)

For a TACACS+ server, the crucial values are (case as shown, no punctuation or quotation): service = npoMgr, protocol = unknown
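To confirm what a RADIUS server actually returns, the check below parses a captured Access-Accept and looks for the vendor-specific attribute named above (vendor ID 3401, attribute ID 1). It is an added example, not code from the guide or the product. The sample packets are constructed, and the value encoding (a 4-byte integer, or ASCII digits) is an assumption because the guide does not state it.

```python
import struct

VENDOR_ID = 3401        # vendor ID from the guide
AUTHZ_ATTR = 1          # attribute ID from the guide
ACCESS_ACCEPT = 2       # RADIUS packet code (RFC 2865)
VENDOR_SPECIFIC = 26    # RADIUS attribute type (RFC 2865)


def tlvs(buf, what):
    """Yield (type, value) items; each length byte covers its 2-byte header."""
    pos = 0
    while pos < len(buf):
        if pos + 2 > len(buf):
            raise ValueError(f"truncated {what} header")
        kind, length = buf[pos], buf[pos + 1]
        if length < 2 or pos + length > len(buf):
            raise ValueError(f"bad {what} length")
        yield kind, buf[pos + 2:pos + length]
        pos += length


def authorization_value(packet):
    """Return the authorization attribute's value, or None when it is absent."""
    if len(packet) < 20:
        raise ValueError("shorter than a RADIUS header")
    length = struct.unpack("!H", packet[2:4])[0]
    if length < 20 or length > len(packet):
        raise ValueError("bad packet length field")
    for kind, value in tlvs(packet[20:length], "attribute"):
        if kind != VENDOR_SPECIFIC or len(value) < 4:
            continue
        if struct.unpack("!I", value[:4])[0] != VENDOR_ID:
            continue                      # another vendor's attribute
        for sub, data in tlvs(value[4:], "vendor sub-attribute"):
            if sub == AUTHZ_ATTR:
                # Assumed encoding: 4-byte integer, otherwise ASCII digits.
                if len(data) == 4:
                    return struct.unpack("!I", data)[0]
                return int(data.decode("ascii"))
    return None


def check_reply(packet):
    """Summarize what the reply means for Administrator authorization."""
    if packet[:1] != bytes([ACCESS_ACCEPT]):
        return "not an Access-Accept"
    value = authorization_value(packet)
    if value is None:
        return "authorization attribute missing"
    if value == 1:
        return "authorized"
    if value == 0:
        return "not authorized"
    return f"unexpected value {value}"


def build_reply(code, attributes):
    """Constructed sample packet: identifier 1, all-zero authenticator."""
    body = b"".join(bytes([t, len(v) + 2]) + v for t, v in attributes)
    return struct.pack("!BBH", code, 1, 20 + len(body)) + bytes(16) + body


def vsa(vendor, sub, data):
    """One Vendor-Specific attribute carrying a single sub-attribute."""
    return VENDOR_SPECIFIC, struct.pack("!I", vendor) + bytes([sub, len(data) + 2]) + data


# Constructed samples (12345 is an arbitrary other vendor ID; 18 is Reply-Message).
SAMPLE_AUTHORIZED = build_reply(ACCESS_ACCEPT, [vsa(VENDOR_ID, AUTHZ_ATTR, struct.pack("!I", 1))])
SAMPLE_DENIED = build_reply(ACCESS_ACCEPT, [vsa(VENDOR_ID, AUTHZ_ATTR, struct.pack("!I", 0))])
SAMPLE_MISSING = build_reply(ACCESS_ACCEPT, [(18, b"welcome")])
SAMPLE_WRONG_VENDOR = build_reply(ACCESS_ACCEPT, [vsa(12345, AUTHZ_ATTR, struct.pack("!I", 1))])

if __name__ == "__main__":
    for name in ("SAMPLE_AUTHORIZED", "SAMPLE_DENIED", "SAMPLE_MISSING", "SAMPLE_WRONG_VENDOR"):
        print(name, "->", check_reply(globals()[name]))
```

A reply that authenticates the user but reports "authorization attribute missing" matches the symptom in this entry: the user is known to the server, but the server is not sending the values Administrator looks for.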


Table A-7. General Troubleshooting - Alarm Management

Issue or Error Possible Resolution

No alarms from any managed resources are seen by Administrator.

The Alarms count has stopped on the Alarm Monitor.

Possible resolutions:

• Check that the listening port is not conflicting (see the tomcat log). If a conflict has been identified, resolve it and restart the Administrator appliance.

• Check the Windows Firewall settings for your network connection. If the firewall is enabled but does not allow an exception for traffic arriving on UDP port 162, you will not see any alarms.

• Check that alarms are being sent by the Sniffer Distributed Appliance. Capture the traffic coming out of the resource and see if the captured traffic contains any alarms (SNMP traps) directed to port 162 of the Administrator system.

• Check the SNMP configuration options for the Sniffer Distributed Appliance. See “SNMP settings on the Agent are not configured” on page 183. Also refer to topics about setting up alarms and sending SNMP traps in the Sniffer Distributed documentation.


SNMP settings on the Agent are not configured.

Before alarms from Sniffer Distributed Appliances can be forwarded to Administrator, you must first configure the SNMP settings on the Agent.

1 On the Sniffer Distributed Agent, access one of the following configuration consoles:

- Config Console

- ProbViewer

- Config Agent dialog box from the SniffView Configure menu

2 Within the SNMP Tab or page, add a new Trap Destination and port number (the IP address of your Administrator Appliance and the alarm listening port {162}).

3 Click OK / Save Changes.

Log entry indicates damage has been done to a database file (event_summary_live) that contains one of the main Alarm tables.

This issue comes from stopping a machine (rebooting) before MySQL finished writing the files corresponding to the database.

The way to fix this is to use a standard MySQL utility (located in mysql\bin folder) called: myisamchk. Run this utility from the DOS mode as follows:

1 cd c:\mysql\bin

2 c:\mysql\bin\myisamchk.exe c:\mysql\data\snifferdb\event_summary_live

This command will produce diagnostic output. At the end of this output there will be something like:

MyISAM-table 'event_summary_live' is corrupted

Fix it using switch "-r" or "-o"

Then type:

c:\mysql\bin>myisamchk.exe -o c:\mysql\data\snifferdb\event_summary_live


Software Updates

Table A-8. General Troubleshooting - Software Updates

Issue or Error Possible Resolution

Error Message: SEA Agent is Missing on this Resource

A necessary component to enable the feature is not installed on the Sniffer Distributed Agent. This component can be installed by pushing an update package out to the resource. See SEA Agent is Missing on page 58 for detailed information.

Remote update failed. In general, first view update status entries in the Administrator Activity Log:

• Update results are displayed as “WebAutoUpdate Progress Report.”

• Filter on the Category of “RemoteUpdate.” This shows the progress of the script autoupdate that was executing on the target host. Hover over an entry in the Log and view detailed information for that entry on the right.

• To view the Agent Code uploaded, filter on the User of “SoftwareUpdate.”

• Look for update completions by filtering on the Event of “Resource.” The IP address listed within the Event entry represents the target Agent.

Also check the following:

• Check the connection between the Administrator Appliance and the resource.

• Access the resource, which stores file(s) retrieved from the Administrator software update package in C:\Program Files\NAI\DSProAgentNT\Program\Repository. The presence of an update script file (filename.csl) in the ...\Repository directory implies a problem was encountered during the resource update. Save the content of the .csl file for debugging.


Remote Reimaging

Table A-9. General Troubleshooting - Remote Reimaging

Issue or Error Possible Resolution

“No connection could be made because the target machine actively refused the connection.”

If this error appears during the remote reimage process:

• Check that the XP SP2 firewall is disabled.

• Disable all Anti-virus applications operating on the target system before deploying a new image (to the target system). Any anti-virus or security product that protects against boot sector replacement adversely affects the Altiris DOS client (BootWorks).

• The firewall may be running with an incorrect or incomplete exception list.

Existing options files do not re-authorize Agents.

After performing a reimage, you must re-authorize the Sniffer Distributed Agents. Re-authorizing Agents using earlier options file(s) is not supported at this time.

The W3C service may not start automatically on the Agent after reimaging is complete.

Start the service on the Agent by either (a) connecting to the Agent via Remote Desktop and restarting the W3C service or (b) running the Altiris Client on the Agent and running a script to restart the W3C service.

You may also need to configure the service to start automatically after the Agent reboots. You can configure this through the Properties page for the service, accessible from the Windows Services Control Panel on the Agent.

“No imaging jobs could be found.”

Possible causes include:

• Incorrect “sa” password configured for the Deployment Server database.

• Database connection succeeded but no jobs are defined. Make sure the Remote Reimaging Toolkit (RRT) has been installed successfully.


Replication

Table A-10. General Troubleshooting - Replication

Issue or Error Possible Resolution

Replication stoppage.

The primary is fine. The secondary is blocked when trying to apply an activity log update from the primary.

The cause is logging in on the secondary before replication has completely started. That log-in creates an activity log entry on the secondary, which results in an update conflict, and therefore a stoppage, when the secondary tries to apply updates propagated from the primary.

Allow sufficient time for replication to start up to avoid this problem. Additionally, after loading the primary snapshot on the secondary, the secondary's Enterprise Administrator service starts up. Allow enough time (1 - 2 minutes) for that service to properly initialize replication before logging in on the secondary.

Also see Database Replication Troubleshooting on page 188 for detailed information and additional procedures for database replication.

Error on the primary system reads: “Primary console - System error 109 occurred. Pipe has ended.”

Secondary system displays: slave_sql_running = no, read_master_log_pos not equal to exec_master_log_pos

Allow enough time for replication to initialize itself before attempting to load a snapshot, or allow enough time for replication to initialize itself before attempting to perform other replication-critical operations such as invoking the “stopAdminSvc” script.

This error may also be seen during a replication stoppage. See “Replication stoppage” tips in this table for additional information.

ERROR 2003: Can't connect to MySQL Server on localhost

This message may be seen while setting up replication for a mixed pair of old hardware and new hardware. This will be seen only with “software-only” installations. Appliances with pre-installed software will not see this error.

The cause is running out of “ephemeral ports.” The situation is described in more detail in the MySQL documentation. See:

http://dev.mysql.com/doc/refman/5.0/en/can-not-connect-to-server-on-windows.html

Update the Windows registry and restart Windows as described in the MySQL article.


During the initial loading of the primary snapshot on the secondary system, the secondary may occasionally see an update conflict due to startup-time logging by the Administrator services.

This seems to be somewhat more likely in “mixed pairs” (for example, old hardware and new hardware) where one system is significantly slower than the other.

Cause:

Relative timing between snapshot loading (which starts up the secondary Administrator service) and the restart of the primary Administrator service (which was shut down for initial snapshot creation and loading).

Result:

A one-way replication stoppage on the secondary.

Next steps:

Recover from the stoppage in the documented way (re-do the creation of a primary snapshot and the loading of that snapshot on the secondary system).

Make sure to allow about one minute between snapshot loading on the secondary and the Administrator service restart on the primary.


Database Replication Troubleshooting

To troubleshoot suspected replication issues, please review the following sections:

Verifying Replication on page 188

Database Recovery Procedure on page 189

Loading a Database Snapshot on page 190

Recovering from a Replication Stoppage on page 191

Collecting Information for Unresolved Replication Issues on page 193

Converting a Secondary System to a Primary System on page 193

Converting a Replicating System to a Standalone System on page 194

NOTE: Also review the troubleshooting tips provided in Replication on page 186. See Table A-10.

Verifying Replication

To verify replication status, execute C:\mysql\bin\replStatus.bat on each system (both primary and secondary). Save the results in a plain text file, then open the file to view the contents and examine the following:

Slave threads. Check each system's output from SHOW SLAVE STATUS. Normal replication processing will show the following:

Slave_IO_Running = "Yes"

Slave_SQL_Running = "Yes"

Value of Read_Master_Log_Pos = Value of Exec_master_log_pos

Master_Host = the replication partner (the other system). In some cases, incorrect network interface configuration at one end will cause the opposite end to show Master_Host as itself. Another symptom of such a network interface problem is the ability to ping in one direction, e.g. primary to secondary, but not the opposite direction.

System threads. Check each system's output from SHOW PROCESSLIST. Normal replication processing will show the following:

One "Binlog Dump" thread with state equal or similar to "Has sent all binlog to slave; waiting for binlog to be updated"


One "Connect" thread with state equal or similar to "Waiting for master to send event"

A second separate "Connect" thread with state equal or similar to "Has read all relay log; waiting for the I/O slave thread to update it"

Synchronization. Compare each end's Position value from SHOW MASTER STATUS with the opposite end's Read_Master_Log_Pos value from SHOW SLAVE STATUS.

In normal replication processing, each end's master log Position should always equal the opposite end's Read_Master_Log_Pos.

User Privileges. Examine each system's output from SELECT * FROM mysql.User.

Make sure the right users (root and replUser) have the correct privileges for the correct hosts.
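The slave-thread and synchronization checks above can be run mechanically over the two saved status files. The script below is an added example, not part of the guide or the product. It assumes the saved output contains "Name: value" lines as in MySQL's vertical (\G) display, and the two sample outputs are constructed, reusing the guide's example addresses 1.2.3.4 (primary) and 5.6.7.8 (secondary).

```python
import re

REQUIRED = ("slave_io_running", "slave_sql_running", "master_host",
            "read_master_log_pos", "exec_master_log_pos", "position")


def parse_fields(text):
    """Collect 'Name: value' or 'Name = value' lines; names are lower-cased."""
    fields = {}
    for line in text.splitlines():
        m = re.match(r"\s*([A-Za-z_]+)\s*[:=]\s*(.*?)\s*$", line)
        if m:
            fields[m.group(1).lower()] = m.group(2).strip('"')
    return fields


def check_end(own, partner, partner_host):
    """Return the list of deviations from normal replication for one system."""
    missing = [name for name in REQUIRED if name not in own]
    if missing:
        return ["missing field: " + name for name in missing]
    problems = []
    for thread in ("slave_io_running", "slave_sql_running"):
        if own[thread] != "Yes":
            problems.append(f"{thread} is {own[thread]}")
    if own["read_master_log_pos"] != own["exec_master_log_pos"]:
        problems.append("read_master_log_pos differs from exec_master_log_pos")
    if own["master_host"] != partner_host:
        problems.append(f"master_host is {own['master_host']}, expected {partner_host}")
    # Synchronization: this end's read position against the other end's master Position.
    if own["read_master_log_pos"] != partner.get("position"):
        problems.append("read_master_log_pos differs from the partner's master Position")
    return problems


def verify_pair(primary_text, secondary_text, primary_host, secondary_host):
    """Check both ends; each end's partner is the other system."""
    primary, secondary = parse_fields(primary_text), parse_fields(secondary_text)
    return {
        "primary": check_end(primary, secondary, secondary_host),
        "secondary": check_end(secondary, primary, primary_host),
    }


# Constructed sample output: a healthy primary and a secondary whose SQL thread stopped.
PRIMARY_STATUS = """
Slave_IO_Running: Yes
Slave_SQL_Running: Yes
Master_Host: 5.6.7.8
Read_Master_Log_Pos: 900
Exec_Master_Log_Pos: 900
Position: 4321
"""

SECONDARY_STATUS = """
Slave_IO_Running: Yes
Slave_SQL_Running: No
Master_Host: 1.2.3.4
Read_Master_Log_Pos: 4321
Exec_Master_Log_Pos: 4000
Position: 900
"""

if __name__ == "__main__":
    report = verify_pair(PRIMARY_STATUS, SECONDARY_STATUS, "1.2.3.4", "5.6.7.8")
    for end, problems in report.items():
        print(end, "->", problems or "normal")
```

The script does not cover the SHOW PROCESSLIST thread states or the user privilege review, which still need to be read from the saved output by hand.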

Database Recovery Procedure

In the event of a conflicting update which has caused replication to stop, you may need to create a snapshot of the primary database and then load that snapshot onto the secondary machine.

There are certain trade-offs involved in deciding when to create a database snapshot. Before creating a snapshot, please note the following:

A small snapshot, taken early, will be more quickly created and loaded. However, the replication I/O threads will take longer to catch up, in proportion to how much the database has grown between snapshot creation and replication recovery. Furthermore, an old snapshot may end at replication coordinates which no longer exist. This could happen if someone has purged the remote system's old binary logs after the snapshot was created.

A snapshot taken at the time of the conflicting update will minimize the time needed for the replication I/O threads to catch up. However, that snapshot will be larger, so it will be proportionately slower to create and slower to load.

The recommended "best practices" are (a) once everything is running smoothly, create a snapshot of each system (primary and secondary) right after initial replication set up and verification, (b) create a snapshot of a system whenever you purge that system's MySQL binary logs, and (c) create a snapshot of a system right after reloading that system in the course of performing replication recovery.

IMPORTANT: If you entered the name of the replication partner in the Administration > Overview page, use that name when executing createSnapshot in the following instructions. Likewise, if you entered the IP address for the replicating partner, use that IP address for createSnapshot.

To create a database snapshot:

1 On the secondary machine, execute C:\mysql\bin\createSnapshot.bat to create a current snapshot of the primary database.

For example, if the primary system's IP address is 1.2.3.4 and the database root password is rootPassword, execute C:\mysql\bin\createSnapshot 1.2.3.4 rootPassword. The database snapshot will end up in C:\mysql\bin\remoteSnapshot.sql on the secondary system.

Loading a Database Snapshot

After creating a database snapshot as detailed in the Database Recovery Procedure, please perform the following to load the snapshot.

IMPORTANT: Allow enough time (1 - 2 minutes) for replication to initialize itself before attempting to perform other replication-critical operations such as loading a snapshot.

To load a database snapshot:

1 Stop the Sniffer Enterprise Administrator service and the MySQL replication slave on the primary system.

For example, if the primary database root password is rootPassword, execute C:\mysql\bin\stopAdminSvc rootPassword.

2 On the secondary system, execute C:\mysql\bin\loadSnapshot.bat to load the previously created database snapshot.

For example, if the database root password is rootPassword and the snapshot is in 'remoteSnapshot.sql', the file where createSnapshot.bat saves its result by default, execute C:\mysql\bin\loadSnapshot remoteSnapshot rootPassword.

NOTE: This action stops the secondary Sniffer Enterprise Administrator service, loads the database snapshot, and then restarts the secondary Sniffer Enterprise Administrator service.


3 Start the MySQL replication slave and the Sniffer Enterprise Administrator service on the primary system.

For example, if the primary database root password is rootPassword, execute C:\mysql\bin\startAdminSvc rootPassword.

4 Verify the replication following the guidelines in Verifying Replication on page 188.

Recovering from a Replication Stoppage

If replication is stopped at one end, the normal recovery procedure is to load a snapshot of the primary database onto the secondary system. However, in a situation where the primary and the secondary systems lose and regain network connectivity with one another, there are additional factors to consider.

If replication status is still good (no conflicting updates at that point), there's no problem and no recovery is needed. If replication status is stopped, decide which database you would like to keep from the backup snapshots you have created (see Configuring Database Replication, Step 7 on page 77). Load the snapshot you have decided to keep onto the system where you have decided to overwrite the database. At this point, you can reverse the machine roles if you prefer. If you are only recovering from a stoppage and both the machines are healthy otherwise, you do not need to reverse the machine roles.

However, if backup snapshots are not available and the secondary database is deemed “better” than the primary database, then switch machine roles—the original primary system will become the secondary and vice versa—and load a snapshot of the new primary system's database onto the new secondary system.

For the following procedure to be successful, the two databases must have the same ‘root’ password.

NOTE: When converting the secondary to the primary, after loading the database snapshot, either (a) restore the previously backed-up contents of the original primary system's Storage Path to the new primary system's Storage Path, or (b) modify the new primary's Storage Path setting on the Administration > Overview page to match the original primary system's setting. Scenario (b) is recommended if your Storage Path is on a shared drive or location, external to both Administrator systems. The same must be done when converting the primary to the secondary.

To switch machine roles and re-load the primary database:

1 Stop the Sniffer Enterprise Administrator service on the primary system.


2 Stop the Sniffer Enterprise Administrator service on the secondary system.

3 Back up the primary and secondary Storage Path contents before switching system types. The Storage Path location is specified on the Administration > Overview page.

4 Run convertToSecondary <IP Address> on the primary system.

NOTE: When you run convertToSecondary on the primary machine, specify the IP address of the secondary machine in the command. Using a primary system with an address of 1.2.3.4 and a secondary system with an address of 5.6.7.8 as an example, the command for running convertToSecondary on the primary system would be: convertToSecondary 5.6.7.8

5 Run convertToPrimary <IP Address> on the secondary system.

NOTE: When you run convertToPrimary on the secondary machine, specify the IP address of the primary machine in the command. Using a primary system with an address of 1.2.3.4 and a secondary system with an address of 5.6.7.8 as an example, the command for running convertToPrimary on the secondary system would be: convertToPrimary 1.2.3.4

6 Create a snapshot of the new primary database system.

7 Load that snapshot on the new secondary system.

8 Start the Sniffer Enterprise Administrator service on the new primary system.

9 Verify the replication status on the primary system. See Verifying Replication on page 188.

10 If the replication status is good, then both primary and secondary Administrator services are running. The service on the secondary will have been started as a result of executing Step 7.

NOTE: In some cases there may be a replication stoppage detected at this point. If so, first try restarting the Sniffer Enterprise Administrator service on the [new] secondary system. If the stoppage persists, apply the standard recovery/resynchronization procedure, i.e. load a snapshot of the [new] primary onto the [new] secondary system.


Collecting Information for Unresolved Replication Issues

If for some reason the replication troubleshooting tips do not resolve an issue you are experiencing, collect the following information from the System Summary pane on the Administration > System Status page and contact Technical Support. Ensure you have checked Replication logs before clicking Get Logs. After clicking Get Logs, open or save the contents of the zip file to your local system. See Generating Data Logs for the Administrator Server on page 165 for additional information.

Collect this data from both Administrator systems (primary and secondary) unless otherwise requested by Technical Support.

Converting a Secondary System to a Primary System

In the unlikely event that a primary system fails, we recommend converting the secondary system to a primary system.

For the following procedure to be successful, the two databases must have the same ‘root’ password. Make sure to supply the correct MySQL root password if your password is not the default password.

NOTE: When converting the secondary to the primary, after loading the database snapshot, either (a) restore the previously backed-up contents of the original primary system's Storage Path to the new primary system's Storage Path, or (b) modify the new primary's Storage Path setting on the Administration > Overview page to match the original primary system's setting. Scenario (b) is recommended if your Storage Path is on a shared drive or location, external to both Administrator systems. The same must be done when converting the primary to the secondary.

To convert a secondary system to a primary system:

1 Stop the Sniffer Enterprise Administrator service on the secondary system.

2 Run convertToPrimary <IP Address> on the secondary system.

NOTE: When you run convertToPrimary on the secondary machine, specify the IP address of the primary machine in the command. Using a primary system with an address of 1.2.3.4 and a secondary system with an address of 5.6.7.8 as an example, the command for running convertToPrimary on the secondary system would be: convertToPrimary 1.2.3.4


3 Start the Sniffer Enterprise Administrator service on the new primary system.

NOTE: If you get a new Appliance to replace the failed primary system, make that new box a secondary system with respect to the system that was converted.

Converting a Replicating System to a Standalone System

The following instructions are provided in the rare case that you would like to return a replicating pair back to standalone systems. When splitting a replicating pair, you should convert both to standalone systems, and then keep one database and reset (blank out) the other one.

To convert a replicating pair to standalone systems:

1 Log into Sniffer Enterprise Administrator as a user with administrative permissions.

2 Click Administration.

3 On the Administration > Overview page, enter 127.0.0.1 in the Replicating with Host (IP/DNS) field.

4 Click Save.

5 Log out of Administrator.

6 Stop the Sniffer Enterprise Administrator service.

7 In the Command Prompt window, enter:

C:\mysql\bin\convertToStandalone.bat <MySQL root password>

For example, if the MySQL root password is ADMIN1, enter:

C:\mysql\bin\convertToStandalone.bat ADMIN1

8 After converting the replicating systems to stand-alone systems, you must clean out one of the Sniffer Enterprise Administrator databases. For example, to clean out the database of the former secondary system, execute the following in a Command Prompt window on that system:

C:\MySQL\bin\ResetDatabase ADMIN1

Make sure to enter the correct MySQL root password in the command line.

This ensures that the former secondary system does not attempt to manage the resources formerly managed by the replicating pair.


9 Restart the Sniffer Enterprise Administrator service.

10 On the Administrator system where you did not reset the database, go to the Administration > Community page and remove the formerly-replicating Administrator (the system on which you reset the database) from the community.


Index

A

Access Control, 80

Access denial must be unanimous, 103

accessing

Config Console, 45

Users list, 84

Active Sessions, 17

ActiveX Control, 37, 169, 171

Activity Log Purging Option, 69

activity logs

Administrator events, 161

CSV data, 164, 166

data purging, 164

detailed list of entries, 141

filtering, 138

InfiniStream events, 154

printing, 164

recorded events, 139

saving, 164

viewing, 137

Visualizer events, 153, 161

adding

authentication servers, 105

automated alarms, 127

destinations (forward alarms), 121

domains, 113

external addresses for resources, 23

multiple resources, 23

resources, 21

single resource, 23

users, 85

additional licenses, 28

addresses

external (for NAT), 23

internal for resource, 38

Administration page options, 67, 101

administrative users, 19

Administrator

activity log events, 139

Administrator (service), 79

Administrator activity log events, 161

Administrator authentication, 106

alarm applications (third-party), 131

Alarm Monitor

filtering, 125

viewing, 122

alarms

adding automated alarms, 127

automating, 127

automation criteria, 129

Automation List, 127

configuring thresholds, 125

defined, 119

forwarding, 121

overview page, 120

removing forwarding destinations, 122

summary, 120

Alarms Overview page, 120

Allow only addresses in list, 81

Applying

software updates, 51

applying updates and patches manually, 56

audience for User Guide, 11

Authentication

about, 101

Administrator, 106

LDAP, 109

RADIUS, 107

TACACS+, 108

Windows Domain, 108

authentication

adding servers, 105

configuring servers, 105

deleting servers, 109


editing servers, 106

servers, 102

settings, 103

Auto Downloads, 55

Auto OS Patch Distribution, 56

Automatic Patch Distribution, 56

Automatic Patch Download, 54

automating alarms

about, 127

Automation Criteria, 129

Automation List (alarms), 127

C

Clone Configuration, 46

community, 52

defined, 59

deleting replicating pair, 64

deleting servers, 64

editing servers, 63

NAT environment, 62

replicating pairs, 62

Compliance, resource, 38, 41

Config Console, accessing, 45

configuring

Administrator, 67, 101

alarm thresholds, 125

authentication, 101

authentication servers, 105

database replication, 74

Email Server, 78

resources, 45

third-party alarm applications

HP Open View, 131

Tivoli Enterprise, 133

Connect icon conditions, 37

connecting to resources, 37

Connection Timeout, 69

Create Alarm (alarm criteria), 128

creating

user roles, 87

criteria for alarms, 127

CSV files, 166

CSV in resource discovery, 26

CSV sample for resource discovery, 27

current licenses, 29

D

data purging for activity logs, 164

Database Recovery Procedure, 189

database recovery procedure, 189

Database Replication, 72

database snapshot, 190

deleting

authentication servers, 109

domains, 117

replicating pair from community, 64

resources, 42

scheduled software updates, 54

servers from community, 64

users, 96

destinations, alarm forwarding, 122

detailed activity log entries, 141

device name editing, 38

Disallow only addresses in list, 81

discovering resources, 21

domains

adding, 113

defined, 111

deleting, 117

editing properties, 115

Domains list, 113

E

editing

authentication servers, 106

device name, 38

domain properties, 115

internal address (resources), 38

roles, 93

servers in community, 63

software updates, 53

user profiles, 94

email server, configuring, 78

enable

automatic patch downloads, 55


Enable Remote Authentication of Unknown Users, 104

Enterprise Administrator permissions (roles), 90

Enterprise Administrator Server Information, 18

Enterprise Visualizer

permissions (roles), 90

error

SEA Agent is Missing, 57 to 58

error messages, 167

Escalate Severity, 128

events, activity log, 139

External addresses, 23

external file storage path, 78

F

features, new, 11

File Management, 99

File Storage path, 70 to 71

File Storage path (external), 78

File Transfer Rate, 69

files, shared, 99

filtering

activity logs, 138

Alarm Monitor, 125

filters

shared, 99

Forward Alarm (alarm criteria), 128

forward alarms

adding destinations, 121

removing destinations, 122

H

health check (system), 42

HP Open View, configuring, 131

I

icons, status for resources, 39

Inactive time, 67

InfiniStream

permissions (roles), 91

InfiniStream activity log events, 154

Internal Address, resource, 38

L

LDAP authentication, 109

license files, 29

licensing

issues with Replication, 73

obtaining additional licenses, 28

Licensing Web site, 30

loading

database snapshot, 190

loading license files, 29

M

managed resources, 33

managing

shared files, 99

manually applying updates and patches, 56

members of Community, 59

membership, NetVigil,permissions

NetVigil, 95

MERTool, 165

multiple resource discovery, 24, 26

MultiSegment Intelligence

permissions (roles), 90

N

NAT

external addresses, 23

NAT (Communities in NAT environment), 62

navigation bar, 12

NetVigil

membership, 95

Network General Enterprise service, 79

new features for this release, 11

non-administrative users, 19

O

OS Patch Distribution, 56

OS patch status, 39

P

passwords

security guidelines, 86

Patch Download, 54


patch status icons, 39

pending software update packages, 54

permissions (roles), 88, 91

Preferences, 19

printing

reports, 166

Product Licensing Web site, 30

profiles

see user profiles

properties, resources, 38

Proxy settings, 68

purge, activity log, 69

R

RADIUS authentication, 107

Recovering from a Replication Stoppage, 191

recovery procedure (database), 189

removing

destinations (alarm forwarder), 122

resources, 42

users, 96

replicating pair

deleting from community, 64

Replication

licensing issues, 73

overview, 72

Status, 72

status, 78

replication

converting systems, 193

Replication logs, 165

replication troubleshooting, 193

reports

getting report files, 166

user, 97

request license process, 29

Require Remote Authorization, 103

resource discovery, 26

Resource Refresh Interval, 69

resources

adding, 21

Clone Configuration, 46

compliance, 41

configuring, 45

connecting to, 37

definition of managed resources, 33

deleting, 42

details, 38

discovering, 21

discovery, 26

internal address, 38

licenses, 28

patch status, 39

properties, 38

Resources list, 36

software updates, 48

status icons, 39

Resources page overview, 14

restarting the Administrator Service, 79

resume network connection interruption, 57

roles

about, 87

creating, 87

domain specific, 91

editing, 93

setting permissions, 88

Run Capture (alarm criteria), 129

S

scheduled software updates, 54

scheduling

automatic patch downloads, 55

software updates, 51

SEA Agent, 57 to 58

security

passwords, 86

Send Email (alarm criteria), 129

Server Control Options, 69

server information, 18

service, restarting Administrator, 79

Session Control, 67

setting

Session Control, 67

Shared File Storage Path, 70

shared files and filters, 99

Sniffer Distributed permissions (roles), 89


Sniffer Distributed resource software updates, 48

Sniffer Enterprise Administrator service, restarting, 79

SNMP traps, 119

software updates

applying, 51

community, 52

editing, 53

remote software updates, 48

scheduling, 51

uploading, 50

software updates (scheduled)

viewing or deleting, 54

specifying

alarm criteria, 129

status icons for resources, 39

strong passwords, 86

system health, 42

System Information, 165

System Summary, 17 to 18

T

TACACS+ authentication, 108

terminating user sessions, 19

third-party alarm applications, 131

thresholds

configuring for alarms, 125

Tivoli Enterprise, configuring, 133

Total licenses, 29

Total session time, 67

troubleshooting, 56, 167

U

Unanimous Access Denial, 104

unreachable (resource), 39

updates

applying software updates, 51

editing software updates, 53

scheduling, 51

software updates, 48

uploading software updates, 50

updates within, 52

uploading

files (shared files), 100

software updates, 50

Use Proxy, 68

user authentication

see Authentication

user roles

see roles

user sessions

active users, 17

terminating, 19

users

adding, 85

administrative, 19

deleting, 96

non-administrative, 19

profiles, 94

reports, 97

roles, 87

Users list, 84

viewing active sessions, 17

using

MERTool, 165

ranges for Access Control, 81

wild card in resource discovery, 26

V

Verifying Replication, 188

viewing

activity logs, 137

Alarm Monitor, 122

current license status, 29

Domains list, 113

members of Community, 59

Resources list, 36

scheduled software updates, 54

Users list, 84

Visualizer

permissions (roles), 90

Visualizer activity log entries, 153

Visualizer activity log events, 161

W

Web site, licensing, 30


What’s New?, 11

wild cards in resource discovery, 26

Windows Domain authentication, 108
