Introduction: The monitor-response model
In DomainScan, monitors and responses are fully separated from each other, as well as from devices. This means that monitors and responses can be deployed quickly.
The monitor
Monitors are the part of the monitor-response model that supervises the device or user.
A single monitor performs a single check, but can do so on any number of devices, which means that a separate monitor must be made for each situation one wants to supervise (or monitor).
The event
When a monitor detects that the situation is not as it is supposed to be, an event is created.
This event contains information about which monitor created the event, why it was created, and on what device or user the situation occurred.
The response
Responses are optional, but without a response DomainScan cannot do anything about a situation other than report that an event has occurred.
Responses are small units that can perform an action in case of events.
That action can be sending an email alert or executing a script, process or program. The response must be assigned to devices or users in the same way that monitors are assigned.
The response will only be executed if the event meets the trigger conditions for the response.
To summarize, a monitor-response is created by:
1: Create a monitor with the Monitor Wizard
2: Create a response with the Response Wizard
3: Assign both monitor and response to a device (or a number of devices)
DomainScan features a number of monitor types, which can be used to monitor almost anything.
If a monitor does not behave as intended (i.e. the monitor fails), then an event is created with information about what monitor, what device, and finally the actual event.
The monitor is not responsible for any further processing, since it is nothing more than a monitor.
DomainScan will show that the event occurred, but unless a Response is created (and triggered), nothing else happens to that event.
Important: If DomainScan is to act on an event, a Response must be created.
The following monitor types can be created:
| Disk and Memory monitor | Monitor that the available memory or disk space doesn’t go below a given threshold (absolute or relative). Individual partitions can be monitored. |
| IP range monitor | A monitor that can scan one or more ports on a range of devices. The devices do not need to be known devices by DomainScan. |
| SNMP monitor | A monitor that can query the SNMP interface for information. The returned value can be compared to a reference value. |
| WMI monitor | A monitor that can query the WMI interface for information. The returned value can be compared to a reference value. |
| User monitor | Monitor that users do not exceed the number of allowed simultaneous logins (which may indicate that the account is being abused), or monitor if unwanted users log in. |
All monitors can be assigned to either domains or devices/users.
In the first case, all devices/users will automatically include the monitor in the scan (unless domain-assigned monitors are turned off for that particular device/user).
There is also a special purpose monitor – the IP Range monitor. This monitor works in the same way that the Port monitor does, except that it can monitor a range of devices, which may not be included in DomainScan.
| Note | Each device in an IP Range monitor requires 1 license unit. |
1 - Monitor name and type
To create a monitor, 4 steps must be completed:
1 – Define monitor type and name.
2 – Define settings specific to the monitor type.
3 – Event setup.
4 – Select target devices (not for IP Ranges).
Name: The name of the monitor (max 32 characters).
Monitor type: The monitor type.
Depending on the type of the monitor, one can also specify 'Connect as'.
Pause: If set, then the monitor will not run. Any events that were created by this monitor, prior to the monitor being paused, will be treated as cleared events.
Template: If the monitor is to be a template monitor for other monitors, enable this option.
The template monitor does not use any license units, and can be used to create monitors faster.
2 - Disk and Memory monitor
Options
Monitor disk usage: If set, then the monitor will monitor the device and warn if free disk space falls below the warning and notification levels that are set in the Disk Usage panel.
Monitor memory usage: If set, then the monitor will monitor the device and warn if free memory drops below the warning and notification levels that are set in the Memory Usage panel.
Only monitor upon audit: Check this option if it’s not necessary to monitor the disk or memory usage constantly. This will lower the impact on monitored devices.
However, when a monitor has been triggered, the monitor runs continuously until the event has been cleared.
Only run on WMI capable devices: Select this option to force the monitor to execute only on devices that support WMI (i.e. devices with Windows).
By enabling this option, one may reduce the number of devices where the monitor tries to execute. On the other hand, one risks that the monitor misses a device which was otherwise capable of being monitored.
Disk usage
Monitor absolute values: Set the warning and notification level for the amount of free space, in gigabytes, that must be on the monitored device.
Monitor relative values: Set the warning and notification level for the amount of free space, relative to the size of the disk, that must be on the monitored device.
Monitor individual disk partitions: Enable this option to monitor each individual partition on the monitored device.
Example
If a warning is to be triggered if the free disk space drops below 5 GB on a partition, then the monitor will create an event if the free space on any of the partitions on the device drops below 5 GB.
Without this option, an event will only be triggered if the combined free disk space across all partitions drops below 5 GB.
Warning and notification
When the notification level has been reached, DomainScan will issue an event with a severity level that is half of what has been set for the monitor.
Furthermore, no responses will be triggered and the event will appear as a notification.
When the warning level has been reached, DomainScan will issue a normal event with the severity level that is set for the monitor, and responses can be triggered, if any are assigned to the device.
| Tip | Create a WMI monitor to monitor partitions individually. |
Memory usage
Monitor absolute values: Set the warning and critical level for the amount of available memory, in megabytes, that must be on the monitored device.
Monitor relative values: Set the warning and critical level for the amount of available memory, relative to the size of the memory, that must be on the monitored device.
Ports: Select the ports that this monitor must scan.
Options: Here, one can enter specific TCP ports that are not currently defined in the port list. Any port can be entered, and if one selects a port that is already defined, then this port will be selected.
| Note | If one doesn’t select any ports, then the monitor will simply test that the device is online. |
SNMP (Simple Network Management Protocol) is a management layer and a part of the TCP/IP protocol suite. SNMP can be used to manage and monitor network equipment through a standardized protocol.
SNMP is a standard protocol on virtually all managed switches, routers and firewalls, and the protocol is implemented in all major operating systems – including Windows, Linux and Mac OS.
DomainScan uses the SNMP interface that is supplied by Windows, which is SNMP v2 compliant.
To prompt the SNMP interface for data, an object identifier (OID) must be sent to the device. For more information about OIDs, see the SNMP browser.
Query: Enter the OID to send to the device.
DomainScan extracts the data part of the returned information, and the data will be compared to the value that is defined in the response section.
Response: Here, one must specify how the monitor must interpret the value that is returned from the SNMP query.
DomainScan can perform a set of comparisons against the value, which will then determine whether the monitor is OK or an event must be created.
| Note | DomainScan will always create an event if the query doesn’t return any data. |
Monitor mode: Set how the monitor works. There are 4 options:
| Use individual user settings | If selected, then the monitor will compare the current login count with the allowed number of logins that is defined for each user. An event will be created for each user that exceeds the number of allowed simultaneous logins. |
| Warn, if user is online | If selected, then the monitor will create an event if the monitored user is online. |
| Warn, if the user is a local user | If selected, then the monitor will create an event if the monitored local user is logged into a device. |
| Use defined maximum | If selected, then the monitor will compare the login count for users with the value that is defined by the monitor. |
User notification
Warn users, that the number of simultaneously logins is exceeded: If enabled, then the user will receive a notification that the login count has exceeded the allowed number of logins.
However, this option is not enabled if the monitor is set to Warn if user is online or Warn, if the user is a local user.
Notify by ‘Send message’: If enabled, then the notification text will be sent to all devices where the user is logged in. The notification is sent via the Messenger service (not the same as MSN/Windows Messenger).
Notify by mail: If enabled, then DomainScan will create an email and send it to the user (in case that emails are enabled for the user). The mail will be formatted as displayed below.
Subject
[DomainScan notification]: Too many logins detected for your account.
Body
[Username] is currently logged into 3 devices, which exceeds the number of 2 allowed simultaneously logins.
-> labpc13
-> ws_floor3
-> kiosk_pc44
--------------------------------
[Warning to send]
--------------------------------
This is an automated mail created by DomainScan. Please do not reply to this message, but contact your IT department for further information.
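The login-count check and the notification body described above can be sketched as follows. This is an added example, not DomainScan's own code: the session list, the per-user limits and the function names are constructed for illustration, and the 'Warn, if the user is a local user' mode is left out because it needs account-type data the page does not describe.

```python
from collections import defaultdict

# Constructed sample of current logins as (user, device) pairs; not real data.
SESSIONS = [("jdoe", "labpc13"), ("jdoe", "ws_floor3"), ("jdoe", "kiosk_pc44"),
            ("asmith", "ws_floor2"), ("guest", "kiosk_pc44")]
USER_LIMITS = {"jdoe": 2, "asmith": 1, "guest": 1}   # hypothetical per-user settings


def check_logins(sessions, mode, user_limits=None, defined_max=None, watched=()):
    """Return {user: (devices, limit)} for each user that should raise an event."""
    devices = defaultdict(set)
    for user, device in sessions:
        devices[user].add(device)
    events = {}
    for user, logged_in in devices.items():
        if mode == "individual":        # Use individual user settings
            limit = user_limits[user]
        elif mode == "defined_max":     # Use defined maximum
            limit = defined_max
        elif mode == "online":          # Warn, if user is online
            if user not in watched:
                continue
            limit = 0                   # any login at all is an event
        else:
            raise ValueError(f"unknown mode: {mode}")
        if len(logged_in) > limit:
            events[user] = (sorted(logged_in), limit)
    return events


def mail_body(user, devices, limit, warning):
    """Format the notification body the way the sample mail above lays it out."""
    rule = "-" * 32
    lines = [f"{user} is currently logged into {len(devices)} devices, which exceeds "
             f"the number of {limit} allowed simultaneously logins."]
    lines += [f"-> {device}" for device in devices]
    lines += [rule, warning, rule]
    return "\n".join(lines)


if __name__ == "__main__":
    for name, (devs, lim) in check_logins(SESSIONS, "individual", USER_LIMITS).items():
        print(mail_body(name, devs, lim, "[Warning to send]"))
```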
WMI (Windows Management Instrumentation) is a management interface that is used by Windows.
WMI is based on non-proprietary protocols (CIM / WBEM) that are also used by other operating systems, like Linux, which makes it possible to use the WMI interface to query non-Windows based computers (an open source WMI-WBEM gateway is available).
WMI is divided into several namespaces, where the namespace called cimv2 is the most used namespace, because it is the namespace where hardware and OS information can be extracted (processor, motherboard, user, memory, service information, etc).
Other namespaces are defined in order to provide other kinds of information (Microsoft uses separate namespaces for all recent bigger software releases – for instance, a namespace is defined for the purpose of managing Office 2003 via the WMI interface).
To query the WMI interface for data, a WQL string must be sent to the WMI manager on the monitored device. For more information about WQL, see the WMI browser.
Query
Namespace: Select the namespace from where you wish to fetch information.
Query: Enter the WQL to send to the device. See 'WMI query creation' below for details.
Only run on WMI capable devices: Select this option to force the monitor to execute only on devices that support WMI (i.e. devices with Windows).
By enabling this option, one may reduce the number of devices where the monitor tries to execute. On the other hand, one risks that the monitor misses a device which was otherwise capable of being monitored.
Response: Here, one must specify how the monitor must interpret the value that is returned from the WMI query.
DomainScan can perform a set of comparisons against the value, which will then determine whether the monitor is OK or an event must be created.
| Note | DomainScan will always create an event if the query doesn’t return any data. |
Login as: If an alternative login is needed in order to gain access to the monitored device, then it can be created in Security and selected here.
WMI query creation
A query must comply with the following syntax:
SELECT [description,] value FROM namespace [WHERE condition]
Description (optional): In case that the query returns a number of rows, one can select a column that can be used to identify the row.
Value: The name of the column that contains the value that is used for comparison with Compare to. If the query returns more than one row, then DomainScan will evaluate all rows against the Compare to value, and create an event upon a single failure.
Condition (optional): If one wishes to limit the number of rows that are returned from a WMI query, one can narrow down the search by supplying a WHERE statement.
Note: The allowed syntax of 'WHERE' differs slightly in different versions of Windows, so for details about supported queries, see the WQL page at the Microsoft website.
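The query shape and the row evaluation rules above, worked through for a per-partition free-space check. This is an added example and not DomainScan's own code: the comparison names, the function names and the sample rows are assumptions, while Win32_LogicalDisk (with DeviceID, FreeSpace in bytes, and DriveType = 3 for local disks) is a standard class in the cimv2 namespace.

```python
import operator
import re

# Syntax from the page: SELECT [description,] value FROM namespace [WHERE condition]
WQL_SHAPE = re.compile(
    r"^\s*SELECT\s+(?:(?P<description>\w+)\s*,\s*)?(?P<value>\w+)"
    r"\s+FROM\s+(?P<source>\w+)(?:\s+WHERE\s+(?P<condition>.+?))?\s*$",
    re.IGNORECASE,
)
# Assumed comparison set; the page only says "a set of comparisons".
FAILS_WHEN = {"below": operator.lt, "above": operator.gt,
              "equal": operator.eq, "not equal": operator.ne}


def parse_query(wql):
    """Split a monitor query into its description, value, source and condition parts."""
    match = WQL_SHAPE.match(wql)
    if match is None:
        raise ValueError("expected: SELECT [description,] value FROM ... [WHERE ...]")
    return match.groupdict()


def evaluate(wql, rows, fails_when, compare_to):
    """Return None if the monitor is OK, otherwise the text of the event to create."""
    query = parse_query(wql)
    if not rows:
        return "query returned no data"          # always an event, per the page
    failed = []
    for index, row in enumerate(rows):           # every row is evaluated
        if FAILS_WHEN[fails_when](row[query["value"]], compare_to):
            label = row[query["description"]] if query["description"] else f"row {index}"
            failed.append(f"{label}={row[query['value']]}")
    return "failed: " + ", ".join(failed) if failed else None


GB = 1024 ** 3
QUERY = "SELECT DeviceID, FreeSpace FROM Win32_LogicalDisk WHERE DriveType = 3"
# Constructed rows standing in for what the query would return from a device.
SAMPLE_ROWS = [{"DeviceID": "C:", "FreeSpace": 42 * GB},
               {"DeviceID": "D:", "FreeSpace": 3 * GB}]

if __name__ == "__main__":
    print(evaluate(QUERY, SAMPLE_ROWS, "below", 5 * GB))
```

Without the description column the failing row can only be reported by position, which is why selecting an identifying column such as DeviceID is worthwhile for multi-row queries.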
Ports: Select the ports that this monitor must scan.
Options: Here, one can enter specific TCP ports that are not currently defined in the port list. Any port can be entered, and if one selects a port that is already defined, then this port will be selected.
| Note | If one doesn’t select any ports, then the monitor will simply test that the device is online. |
IP range: Define the range of IP addresses that this monitor must scan.
An IP range monitor will scan up to 127 consecutive addresses. If the range is known to contain one or more “holes”, exceptions can be enabled. Simply check the exceptions box, and click on the IP addresses that are to be excluded from the scan.
Each IP device in an IP range will use one license unit. If the same IP address is a part of several IP monitors then the IP address will occupy license units. To avoid this, it is recommended to add the device to DomainScan as a user defined device.
Event details
Event severity: The severity of the monitor. The severity level can be set arbitrarily.
Increase the severity after each consecutive failure: Enable this option to increase the severity by one for each time that the monitor fails on a device.
Example
If a monitor is created with an initial severity value of 50, then the first event will have a severity value of 50. The next event will have a value of 51, then 52 and so on. This can be used to trigger 2 or more responses that trigger on different severity levels.
One scenario could be an initial warning at level 50 to the normal hardware support team, and if the event is not cleared after 5 scans (at level 55) another response could be triggered that notifies the executive manager.
Consecutive failures before a response can be triggered: Specify the number of times that the monitor can fail before a response can be triggered. The default is 0, which means that the response can be triggered immediately.
Create an event if target is offline: Instructs the monitor to issue an event if the target device is offline.
Notify when the event is cleared: An 'event is cleared' notification will be created once the event is cleared.
Write event information to the event log: If enabled, events will be written to the CSV formatted information log.
Response triggers
Allow this monitor to trigger process responses: If set, then the monitor can trigger process-responses.
Allow this monitor to trigger email responses: If set, then the monitor can trigger email-responses.
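The severity escalation and the consecutive-failure setting above, replayed scan by scan for the two-response scenario. This is an added example, not DomainScan's own code: it assumes a response triggers when the event severity is at or above a threshold, that a passing scan clears the event and resets the count, and the class and function names are made up for illustration.

```python
from dataclasses import dataclass


@dataclass
class Response:
    name: str
    min_severity: int   # assumed trigger condition: event severity >= this value


def run_scans(results, initial_severity, responses,
              escalate=True, failures_before_response=0):
    """Replay scan results (True = monitor failed) and return, for each failing
    scan, the event severity and the names of the responses allowed to trigger."""
    timeline = []
    streak = 0                       # consecutive failures seen before this scan
    for failed in results:
        if not failed:
            streak = 0               # assumed: a passing scan clears the event
            continue
        severity = initial_severity + (streak if escalate else 0)
        allowed = []
        if streak >= failures_before_response:
            allowed = [r.name for r in responses if severity >= r.min_severity]
        timeline.append((severity, allowed))
        streak += 1
    return timeline


# The scenario from the page: support team at 50, executive manager at 55.
RESPONSES = [Response("hardware support", 50), Response("executive manager", 55)]

if __name__ == "__main__":
    for severity, allowed in run_scans([True] * 6, 50, RESPONSES):
        print(severity, allowed)
```

With escalation switched off the severity stays at 50, so in this model the second response never becomes eligible however long the failure lasts.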
Monitor targets
(This window is not available for IP range monitors)
Select the devices where the monitor is to run.
To assign the monitor to an entire domain, click the domain, and the monitor will automatically be assigned to all devices in the domain (unless domain monitors are disabled on specific devices).
Once a monitor is defined, it is possible to test it from within DomainScan (unless it’s a user or a disk/memory monitor).
To do so, select a monitor on the overview page and click Test.
By default, DomainScan will test the monitor against the local computer, and the result will be shown in the Details panel.
However, one can test the monitor against any known device. To select a target device, click on the arrow to the right of Test and click on the device to test against.
| Note | Only online devices will be shown, unless Include offline devices in 'Test' list is selected. |
It is possible to import or export monitors.
Import
To import a monitor, select File -> Import. Then select the monitor file that you wish to import and select open.
DomainScan will then parse the file and insert it into the monitor list.
Note: If a monitor with the same name already exists, the name of the imported monitor will be appended with a (2).
Import as template
This option works just as 'Import', but the imported monitor will be injected as a template.
In order to use a template monitor, one must create a normal monitor based upon the monitor. This can be done via the Templates menu.
Export
To export a monitor, select a monitor on the overview page and select File -> Export. Then select a name for the monitor file, and select save.
Note: Usage information is not exported.