If the spreadsheet was the essential application for accounting and massification of personal computers, MS Windows® operating system was the graphical interface that turned work into something more pleasant and paved the way for web browsers for the Internet as we know it today.

Today, in Pandora FMS blog, we discuss:

Windows Event Monitoring and Pandora FMS

Decades ae gone by but there is always a joke, among us computer scientists, that prevails in time:

“This is the year of Linux on our desktops”.

I actually think that, in the end, it is a statement that comes with a flaw from the very beginning:

The kernel (Linux in this case) has little to do with the graphical interface, the actual thing is that the applications that go along with Linux, such as GNU/Linux, are the combinations that should take their place in hundreds of millions of computers in our homes and jobs.

The MS Windows® operating system (OS), despite losing ground with Android/Linux on our mobile phones, still has it still going on on desktop computers and in the field of video games it keeps its position, faring pretty well.

Many say that desktop personal computers will disappear. I personally think that we will connect the monitor, keyboard and mouse to our cell phones at home and at the office.

But today MS Windows has a stronghold in its market position and for Pandora FMS it has implied a series of very special considerations for its monitoring.

The  overview

Monitoring with Pandora FMS can be done both remotely and locally and the MS Windows® OS is no exception. Remote monitoring can be performed through SNMP and  through WMI.

*If you are new to monitoring, I recommend you to take a few minutes to learn about Pandora FMS Basics.

For local monitoring install a small program, which is called Pandora FMS Software Agent.

Once installed in MS Windows®, the modules to collect the most relevant information (disk usage, RAM consumption, etc.) will already be installed by default.

If what you need to monitor is the basics of MS Windows® the Open version of Pandora FMS is more than enough for the task.

Windows® event monitoring

The amount of applications for MS Windows® is humongous but in a way it is easy to monitor applications and even processes, since we have a special instruction for the Software Agent called module_Proc. 

This instruction is able to tell us, either immediately or every certain period of time whether a program or process is running.

*If you want to find out more about this Pandora FMS feature, visit our video tutorial Monitor processes or applications in Windows.

So far all this is the basics for monitoring MS Windows®.

And in the case of Pandora FMS Enterprise version you can “transfer” normal events to events in Pandora FMS, which can generate alerts and warnings for us to take the necessary actions, or let Pandora FMS restart the software vital to our work or business.

* The latter is known as Watchdog: if an application for any reason stops in MS Windows®, it is re-launched and executed.

Analyzing the causes

Simplifying as much as possible:
So far we can say that we are working on true and false, on ones and zeros.

But often it is called on to us to analyze under what conditions an application collapses or find out why it does not start.

If all that related information had to be seen on your screen you simply would not be able to work with so many interruptions. For that reason there are event registries and working with them implies more specialization on Pandora FMS behalf.

MS Windows® presents an advantage as a privative software for its monitoring and it is that its events and corresponding logs are centralized after a certain routine or standard way.

Monitoring an individual event

Pandora FMS offers the instruction module_logevent that uses Windows® API and offers better performance than data collection by means of WMI.

You will obtain data from the event logs from Windows itself.

Along with additional instructions, it offers the ability to monitor very specific events identified by the fields Log Name, Source, Event ID and Level.

Remember I told you they’re standardized?

Well, in Log name they are well defined by:

• Application.
• Security.
• Installation.
• System.
• Forwarded events.

And you must use one of them for the instruction module_source, which is mandatory in the module to be created in Pandora FMS Software Agent.

Up to this point we have only discussed simple modules of Pandora FMS agents but, depending on your needs all the above can also be done as a complement or Pandora FMS plugin.

The difference is to place module_type async_string when it is a data module and module_type log when it is a plugin.

Plugins offer flexibility as they can return multiple data at the same time, unlike Pandora FMS modules that only return a specific, normalized data type in Pandora FMS.

This is important for what we will see below:
The instruction module_regexp which has as a parameter an event log file (.log) on which you will search for keywords with the instruction module_pattern.

This is necessary because there are old applications that keep their own separate event log, although in other regards they do not escape the Windows log. 

*We explained this in detail in our tutorial video « Windows modules logevent and regexp ».

Monitoring an event channel

En MS Windows® algunos log que no están en el registro de eventos del propio Windows, pueden ser recogidos mediante los canales de registros de eventos (Windows Event Log channel  o simplemente log channels) con una instrucción especial lla

In MS Windows®, some logs that are not in Windows event log can be collected using the Windows event log channels with a special instruction called module_logchannel that does not carry any parameters but then uses module_source<channel_name> together with module_eventtype (event type), module_eventcode (event code) and even module_pattern to search by keyword. 

*For more details, our video tutorial «Windows modules: Logchannel |Pandora FMS|» quickly explains this feature.

However, I said that we are looking for or investigating the cause of some problem or inconvenience in an application that runs on MS Windows®, but the examples I have given are specific and go directly to monitor a particular point.

Alright so…

How do we do it if we don’t know exactly what we’re looking for?

Elasticsearch and log mass collection

What I needed to explain is that if you use a plugin to collect logs you must install, together with Pandora FMS, a powerful tool called Elasticsearch.

Which uses a non-relational database capable of storing and classifying all this large amount of information.

*It is well explained, again, in another tutorial video called “ Log Collector in Pandora FMS “)

But don’t think Pandora FMS just delegates the work, no:

From Elasticsearch you may go back to Pandora FMS to generate alerts and reports that you scheme and then create in Pandora FMS to finally understand what the conditions and precise values are when an application fails (or has peak workload values, or is “doing nothing”, etc.).

Conclusions

He resI have summed it up as much as possible and I recommend that you watch the tutorials over and over again until you fully understand and are able to put it into practice installing both Pandora FMS and Elasticsearch. If you have any problems, check the official documentation, which is extensive on the topic “Log monitoring and collection.”

The history of this blog explaining what is what in the world of technology is long, we admit. Maybe one day we’ll release a compilation episode, sort of a cabaret musical thing, with all the info and even some special guests, why not! Meanwhile we also tell you what Active Directory is.

Do you already know what Active Directory is? We’ll tell you!
Both the LAN networks in general and Active Directory particularly, in a world as interconnected as this, are essential.

Private corporations, public institutions, private users like you… We all want to connect our computers and get the best Internet access we possibly can. And for this there is nothing like Active Directory. We ourselves use it!

Active Directory (AD or Active Directory) is a very useful tool (by Microsoft) that gives us directory services on a LAN.

Among its many virtues, we find that it provides us with a service, located on one or more servers, with the possibility of creating objects such as users, computers or groups to manage credentials.

A su vez nos ayuda a administrar las políticas de toda la red In turn, it helps us manage the policies of the entire network on which the server is located.

(User access management, customized mailboxes…)

Active Directory is a tool designed and redesigned by Microsoft for the working environment. That is, it works better in the professional field with great computer experts and ample technological resources.

(To manage multiple equipment, updates, installations of new and complex programs, centralized files, remote work …)

However, how does it work?
Ya We already know what it is, but how does Active Directory work?

The first we need to know are the network protocols that Active Directory uses:

• LDAP.
• DHCP.
• KERBEROS.
• DNS.

The second? Well, roughly, we will have before us some kind of database. A database where the information of the authentication credentials of the users of a network will be stored, in real time!

That way you will have all the teams joined together under a central element.

If you enter the Active Directory server, you’ll find a user made up by the common fields (Name, Surname, Email…).

This user corresponds to a specific group, which has certain advantages.

When users try to login, they will find a lock screen, and that will be the time to enter their credentials. On the other hand, the client will request the credentials from the Active Directory server, where they have been entered by the user, to be verified. That’s when the user will be able to log in normally and will have access to the files and resources that are allowed.

Hay al menos una cosa buena de todo esto, y esa es que si el There is at least one good thing about all of this, and that is that if the computer where you are working breaks down, because of the classic overturned coffee or the confusing lightning that comes through the window and attacks your PC, with Active Directory, all you would have to do is change to another computer connected to the network. Away, of course, from any window or unstable coffee.

Conclusions
Active Directory is an active directory created by Microsoft as a directory service on a distributed computer network. It uses several protocols.

These include LDAP, DNS, DHCP, and Kerberos.

Es un servicio establecido enIt is a service established on one or more servers, where you may create users, computers or groups, in order to manage logins on computers connected to the network. Also the administration of policies throughout the network.

And that’s it!

Nothing too complex, as you can read!

Remote network monitoring is a technical specialty that was born almost at the same time as networks themselves. Since then, many strategies have emerged when it comes to monitoring network elements.

In this article we will talk about the current techniques based on SNMP polling and network statistic collection through Netflow, and we will also mention outdated systems such as RMON.

Most techniques are purpose-oriented, so they are especially useful. Some more modern ones use combined techniques to offer higher control and network knowledge.

What advantages does each one of them offer?

What is remote network monitoring?

Remote network monitoring consists of detecting and knowing the status of any device connected to the network.

It can be network-specific hardware (such as a router, server, printer) or a specialized device (such as a probe or IoT element).

Simple, right?

Then let’s talk about the different techniques you have to monitor a network remotely.

Basic Remote Network Monitoring Techniques

Often this monitoring takes place through basic techniques.

With basic techniques we mean something as well known as pinging and checking whether the computer responds to the network.

What is pinging? It is a communication mechanism that allows you to find out whether a computer is connected and responds when you “knock” on its door.

To use it you just have to know its IP address.

Other basic techniques include measuring latency times (network lagging) or packet loss (network packet loss).

Advanced Remote Network Monitoring Tool – Netflow

The most common and already much more network specific techniques include the use of the SNMP protocol (Simple Network Monitoring Protocol) that helps to obtain specific information from devices connected to the network: number of connections, incoming traffic through its network interface, firmware version, CPU temperature, etc.

Something that, if we use technical terms, is known as SNMP polling.

Other tools use protocols from the Netflow family (JFlow, SFlow, Netflow) to obtain statistical information about network usage.

This statistical information is incredibly useful to be able to analyze the use of the network, detect bottlenecks and, above all, to have a clear vision of what the communication flows between the different elements of a network are.

Advanced Network Remote Monitoring Techniques – RMON

There is an almost obsolete protocol called RMON. However, it is worth mentioning, because we can still find it in some installations.

This protocol used a technology network monitoring technology that listened to the wire to obtain statistical information using a specific SNMP agent. Something like what Netflow does.

Advanced Remote Network Monitoring Tools – SNMP Traps

On the other hand, most devices still use SNMP TRAPS to report incidents in asynchronous mode.

Although it is a very old method, it is still used today as a monitoring method on almost all network devices.

Not to be mistaken with the SNMP Polling that we discussed at the beginning!

Benefits of Network Monitoring

The most important and simple benefit is to find out the status of the network:

• Whether it is active
• Whether it is overloaded
• Which devices have the most traffic
• What kind of traffic is circulating over the network
• Bottlenecks
• Jams
• …

An example of a traffic flow diagram captured with Pandora FMS could be the following:

Most network management and monitoring systems automatically detect connected systems and draw a network map representing the network.

The most advanced tools allow you to update that map in real time and see even the physical connections between interfaces (known as a link-level topology or Layer 2).

For example, like this automatic network map generated with Pandora FMS:

Some systems incorporate what is known as IPAM (IP Address Management) and, at the same time, monitor the network status, allowing IP addressing to be mapped and controlled so that you know which networks are free and how they are used.

How does a remote network monitoring service work?

Generally, a tool like this one has a central server that allows you to detect systems and launch network tests (ping, icmp, snmp) to find out the status of each device. 

To know the network in detail through its network flows in real time, you will need to configure the network routers and switches with the Netflow protocol and send that information to a Netflow collector. Although only professional medium/top-range network equipment supports the use of Netflow.

If you use an advanced monitoring tool, it will have its own Netflow collector.

Sometimes it is necessary to monitor devices that are in inaccessible networks, so intermediate polling servers, called proxies or satellites, are used.

These secondary servers perform network scans and monitoring on the devices nearby, and then send the collected data to a central system.

But what do we do with all this numerical data?

It is essential that the monitoring tool you use has graphs, reports and visual screens to display that data.

If we’re already talking about the top-of-the-range tools, those visual network maps will allow you to manually correct and add the details you need to manage those networks.

What are the best remote network monitoring software?

The professional tools that cover SNMP, Netflow, network maps and IPAM that work best today are:

• SolarWinds
• Whatsup Gold
• Pandora FMS

Although they differ from each other in several respects, you may cover all your monitoring needs with any of them.

Would you like to know more about remote network monitoring tools? Then this will no doubt interest you:

Best network monitoring systems

Not all market tools cover these areas.

Some only support basic SNMP, but do not support Netflow. Others do not have good discovery or map editing capabilities and most of them do not have IPAM features. 

The basic thing a good network monitoring tool should have is:

• SNMP v1, v2 and v3 capabilities
• To be able to use proxy servers
• SNMP Trap Collection
• Device Discovery
• Map drawing

We already live in a post-apocalyptic future that has nothing to envy to great franchises like Mad Max or Blade Runner.

Proof of this are pollution, pandemics and the fact that your most intimate secrets can be violated because your most impenetrable slogans are in a database of leaked passwords.

Do you feel that pinch? It’s fear and cruel reality knocking at your door at the same time.

But, well, let’s stand by. Just as Mel Gibson or Harrison Ford would do in their sci-fi plots. Let a hard guy grimace get drawn on your face, adjust your pistol grip and put on comfortable shoes. Help us and help yourself answer this question:

Are you in a database of leaked passwords?

You already know that periodically, the security of large companies that store hundreds of data, including your passwords, is violated with total impunity.

We have repeated it countless times: No one is free from evil because, friends, evil never rests. And on top of that, there are no superheroes for these things.

That is why we will try to guide you to check, in a simple way, whether you and your passwords are in a database of leaked passwords.

That way you will find out whether you are safe or you already have to start thinking about coming up with new and original passwords.

*Remember: 

No matter how far-fetched and armored it may seem, from time to time you will have to check if it has been leaked. We do not want anyone with bad intentions to use them and take advantage of some of the services you have hired or, directly, steal your information. 

To guide you in this search what we will do is start by checking your emails. We will check whether they are included in some of these databases of leaked passwords. That way we will not only reveal if these have been filtered, but also the rest of the accounts in which you repeat the same username and password over and over again.

Is all this necessary?

Between you and me, it’s easier to memorize a password than to try it with hundreds. That’s why you repeat the same one since your teenage days! Damn it… maybe even since you met messenger and Terra chat. 

But this is a very dangerous thing! If someone has already obtained your old hotmail email and the password you used in it, and that you may continue to use, what they will do is, apart from appropriating your email, is to use that information to enter other platforms or services where you continue to use the same username and password as in that hotmail. 

Once you know whether any of the credentials that you usually repeat have been leaked, you will have in your hand the option to change them both on the site that has been violated and in the rest of the places where you use them. 

How do we do it?

To find out whether the passwords of any of the websites in which you have registered have been violated and filtered, you just have to go to:

haveibeenpwned.com

A portal that is responsible for collecting information from password databases filtered throughout the Internet.

*The page is quite intuitive. It works as a search engine. As the main Google page. So calm down.

Let’s go with a small list of steps to follow:

1. Enter haveibeenpwned.com.
2. Go to the main text box. In there type the email account you want to verify. You will be immediately shown the accounts or platforms, linked to it, that have been breached.
3. If after typing your email and pressing enter, the screen turns green, you are in luck, your email has not been involved in any massive leak.
4. However, if the screen turns to a maroon shade… Shit! The password linked to that email has been leaked! What’s more, the very attentive page will tell you where. Below you will see a list of websites where you used to enter with that email and where the passwords have been stolen.
5. Go change passwords! Both from your email and from all the pages that appeared to you. Well, and the rest where you may be using the same username and password that you used with the compromised accounts.

Conclusions

We know it’s a hassle to change passwords every once in a while, but so is it to have your account stolen and impersonate you by putting a horrible profile picture. This among many other unmentionable bad deeds that can be done. Now that you can check whether you’re in one of those leaked password databases, we leave it to you.

SNMP protocol, whose first version was officially released on 1990 and means Simple Network Management Protocol, is the easiest and simplest way a sysadmin has in order to manage and diagnose problems inside his network devices.

Let’s see what is, how snmp works and why this simple protocol is the essential key for a smooth network environment.

What is SNMP?

In the most general terms, network monitoring means the use of available communication protocols to collect information on the status of communication systems, whether they be routers, land line communications or cell phones. Among them, SNMP raises as the most used monitoring tool.

---

---

As we previously said, SNMP works as a mechanism of communication between network devices and a network administrator. Routers, switches, servers, printers…, most of every and each network device supports SNMP protocol. Not only with informative purposes, but also to perform different actions inside those devices (such as remote configuration).

How does SNMP work?

Belonging to the application layer (7th layer of the OSI model), allows communication between network devices. Those known as SNMP agents (request receivers) work in a set of predefined UDP ports, known as SNMP port or SNMP ports. Request receiving port (sent by any available port) is UDP 161 and UDP 162 is used to receive notifications (also known as SNMP trap port).

SNMP protocol works in two different ways: SNMP polls and traps. Polling consists of launching remote queries, either actively or on demand, carrying out operation queries synchronously. Traps, meanwhile, are messages sent by SNMP devices asynchronously, according to changes or events, to configured addresses.

To get the most out of SNMP monitoring, it’s best to use both modes when setting up a monitoring system.

SNMP versions

SNMP currently has three different protocol versions, gathered in different RFCs over time (since first ones on 1988, until today).

Those versions are:

1. SNMPv1 – defined in RFC 1155, 1156 and 1157, defines the way SNMP works.
2. SNMPv2 – communication and security improvements of first version. It has two subversions, one on which security is community based (version SNMP2c, RFCs 1901 and 1908), and one on which security is user based (version SNMPv2u, RFCs 1909 and 1910).
3. SNMPv3 – this third version, which includes and improves security and encryption, has struggled to find a market. The SNMP v3 is defined in RFC 3411 and 3418 and, since 2004, SNMPv3 is known as the actual standard protocol version.

SNMP alerts

Therefore, after knowing how SNMP protocol works, it is clear that one of its main uses are the alerts generated by all devices. Two types can be found in a SNMP monitoring network: synchronous alerts, those requested by an agent SNMP request (known as SNMP polling alerts), and asynchronous alerts, without agent request (known as SNMP traps or snmtraps).

This alert and notification system is the true key of SNMP protocol used in network monitoring tools base their operation of custom alerts. For example, in Pandora FMS we handle a wide range of custom alerts that can be triggered based on these SNMP alerts.

Now lets discuss in more detail what are and how monitoring works based on SNMP polling and SNMP traps.

SNMP trap monitoring

First configure your devices to send traps when specific circumstances are met, and secondly set up a tool that can collect the SNMP traps it receives, whether it be a machine with the necessary services, or a piece of monitoring software. How you configure the SNMP devices will depend on the manufacturer’s model and the device itself, and is carried out from a management interface accesible via a browser and its IP address.

Traps can be received in Linux by using the demon snmptrapd, installed as follows, e.g. on CentOS systems:

# yum install net-snmp-utils net-snmp-libs net-snmp

In our example we’re going to use Pandora FMS to receive and process the SNMP traps. If you already have a Pandora FMS server installed you won’t need any new dependencies, but you’ll have to enable it to receive the traps. Search for snmpconsole in the pandora_server.conf file and enable it as follows:

snmpconsole 1

Once the SNMP traps console is enabled Pandora FMS will be able to receive and process them and display them in the corresponding section:

To ensure the incoming traps are arriving correctly, you can consult the corresponding log file, usually at: /var/log/snmptrapd.log.

SNMP trap alerts

Alerts can also be configured via SNMP monitoring for the traps we prepared. In this case they won’t function in the same way as any other module, unlike with SNMP polling, but instead are based on filtering rules. Using these rules we can identify traps belonging to other devices, filter the contents of said trap, OID, etc..

In the next screenshot you can see various alerts created with different filtering options, and actions checking that everything is working fine:

SNMP polling monitoring

The protocol works by launching a query against an IP address and requires a specific parameter: the SNMP community string, an alphanumeric chain used to authorize the operation, and which adds an extra layer of security. When an SNMP check is launched against a compatible device, you get a list containing a lot of data that can be difficult to interpret at first:

# snmpwalk –v 1 –c public 192.168.50.14

monitorizacion snmp

Each line returned by snmpwalk has an OID (object identifier) and corresponds to a piece of data determined by the device. To better understand what the values returned by the SNMP check are, you can install the system manufacturer’s MIBs (management information base). MIBs are libraries that translate these numeric chains into a legible format allowing us to interpret the data.

Let’s look at some data we’ve got back after executing an SNMP check with the MIBs installed:

There are also web sites where you can consult any of these OIDs in case of doubt. If you know the OIDs you want to monitor, you can carry out the query like this by indicating the alphanumeric code that appears after the IP address in question:

monitorizacion snmp

# snmpwalk –v 1 –c public 192.168.1.50 IF-MIB::ifPhysAddress.2

Done like this, only the values of the SNMP object queried will be shown, so if you have a monitoring tool the data will be included in the different checks. In this case, we created a basic SNMP monitoring for a few devices using Pandora FMS, and the result is as follows:

SNMP polling alerts

Once data collection on modules via SNMP polling is being carried out, we can create alerts on Pandora FMS for those modules, executing actions proactively in function of the thresholds we’ve configured, and they work in the same way as any other alerts for any modules on Pandora FMS.

SNMP modules in Pandora FMS

We built Pandora FMS as a flexible monitoring software, capable of monitoring devices, infrastructures, applications, services and business processes. Among them, we have a complete SNMP module.