Techzone
© GHIT ApS
DomainScan - Server monitoring
 
   
Monitor/Response model
Tech doc #2

Revision v2.0

Last Update
Nov 7 2007

Published
April 11 2006

Affected versions
DomainScan Server Monitoring 7
DomainScan Pro 2.5





In DomainScan, monitors and responses are fully separated from each other, as well as from devices. This means that monitors and responses can be deployed quickly.


DomainScan monitor-response model


The monitor

Monitors are the part of the monitor-response model that supervises the device or user.

A single monitor performs a single check, but it can run on any number of devices. A separate monitor is therefore needed for each situation one wants to supervise (or monitor).

The event

When a monitor detects that the situation is not as it is supposed to be, an event is created.

This event contains information about which monitor created the event, why it was created, and on which device or user the situation occurred.

The response

Responses are optional, but without a response DomainScan cannot do anything about a situation other than report that an event has occurred.

Responses are small units that perform an action when an event occurs, such as sending an email alert or executing a script, process or program. A response must be assigned to devices or users in the same way that monitors are assigned.

The response will only be executed if the event meets the trigger conditions for the response.

To summarize, a monitor-response is created by:

1: Create a monitor with the Monitor Wizard
2: Create a response with the Response Wizard
3: Assign both monitor and response to a device (or a number of devices)



Monitors

DomainScan features a number of monitor types, which can be used to monitor almost anything.

If a monitor does not behave as intended (i.e. the monitor fails), then an event is created with information about which monitor failed, on which device, and what the actual event was.

The monitor is not responsible for any further processing, since it is nothing more than a monitor.
DomainScan will show that the event occurred, but unless a Response is created (and triggered), nothing else happens to that event.

Important: If DomainScan is to act on an event, then a Response must be created. For more information about creating and using Responses, see the Responses section below.


Monitor types
The following monitor types can be created:

Disk and Memory monitor: Monitors that the available memory or disk space does not go below a given threshold (absolute or relative). Individual partitions can be monitored.
IP range monitor: A monitor that can scan one or more ports on a range of devices. The devices do not need to be known to DomainScan.
SNMP monitor: A monitor that can query the SNMP interface for information. The returned value can be compared to a reference value.
WMI monitor: A monitor that can query the WMI interface for information. The returned value can be compared to a reference value.
User monitor: Monitors that users do not exceed the allowed number of simultaneous logins (which may indicate that the account is being abused), or monitors whether unwanted users log in.

All monitors can be assigned to either domains or devices/users.

In the first case, all devices/users will automatically include the monitor in the scan (unless domain assigned monitors are turned off for that particular device/user).

There is also a special purpose monitor – the IP Range monitor. This monitor works in the same way that the Port monitor does, except that it can monitor a range of devices, which may not be included in DomainScan.


Note
Each device in an IP Range monitor requires 1 license unit.

Setup

1 - Monitor name and type
To create a monitor, 4 steps must be completed:

1 – Define monitor type and name.

2 – Define settings specific to the monitor type.

3 – Event setup.

4 – Select target devices (not for IP Ranges).


Name
The name of the monitor (max 32 characters).

Monitor type
The monitor type.
Depending on the type of the monitor, one can also specify 'Connect as'.

Pause
If set, then the monitor will not run. Any events that were created by this monitor, prior to the monitor being paused, will be treated as cleared events.

Template
If the monitor is to be a template monitor for other monitors, enable this option.
The template monitor does not use any license units, and can be used to create monitors faster.

2 - Disk and Memory monitor

Options

Monitor disk usage
If set, then the monitor will monitor the device and warn if free disk space falls below the warning and notification levels that are set in the Disk Usage panel.

Monitor memory usage
If set, then the monitor will monitor the device and warn if free memory drops below the warning and notification levels that are set in the Memory Usage panel.

Only monitor upon audit
Check this option if it is not necessary to monitor the disk or memory usage constantly. This lowers the impact on monitored devices.
However, once a monitor has been triggered, it runs continuously until the event has been cleared.

Only run on WMI capable devices
Select this option to force the monitor to execute only on devices that support WMI (i.e. devices running Windows).
Enabling this option may reduce the number of devices on which the monitor tries to execute. On the other hand, the monitor may miss a device that was otherwise capable of being monitored.

Disk usage

Monitor absolute values
Set the warning and notification level for the amount of free space, in gigabytes, that must be on the monitored device.

Monitor relative values
Set the warning and notification level for the amount of free space, relative to the size of the disk, that must be on the monitored device.

Monitor individual disk partitions
Enable this option to monitor each individual partition on the monitored device.

Example
If a warning is to be triggered when the free disk space on a partition drops below 5 GB, then the monitor will create an event if the free space on any of the partitions on the device drops below 5 GB.
Without this option, an event will only be triggered if the combined free disk space across all partitions drops below 5 GB.

Warning and notification

When the notification level has been reached, then DomainScan will issue an event with a severity level that is half of what’s been set for the monitor.
Furthermore, no responses will be triggered and the event will appear as a notification.

When the warning level has been reached, then DomainScan will issue a normal event with the severity level that is set for the monitor, and responses can be triggered, if there’s any assigned to the device.
Tip
Create a WMI monitor to monitor partitions individually.

Memory usage

Monitor absolute values
Set the warning and critical level for the amount of available memory, in megabytes, that must be on the monitored device.

Monitor relative values
Set the warning and critical level for the amount of available memory, relative to the size of the memory, that must be on the monitored device.
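As an added example (not code from DomainScan or this document), the following Python models how the disk and memory thresholds above turn into events: absolute versus relative levels, per-partition versus combined evaluation, and the halved severity of a notification that cannot trigger a response. Class and attribute names are assumed; memory is handled like a single partition measured in MB.

```python
from dataclasses import dataclass
from typing import List, Optional

@dataclass
class Partition:
    name: str
    size_gb: float
    free_gb: float

@dataclass
class Thresholds:
    """Levels from the Disk Usage / Memory Usage panels (attribute names assumed).
    Absolute levels are in the panel's unit (GB or MB), relative levels in
    percent of total size; None means that level is not configured."""
    severity: int
    warn_abs: Optional[float] = None
    notify_abs: Optional[float] = None
    warn_rel: Optional[float] = None
    notify_rel: Optional[float] = None
    per_partition: bool = False

@dataclass
class Event:
    device: str
    target: str      # partition name, or "combined" when partitions are summed
    kind: str        # "warning" (can trigger responses) or "notification"
    severity: int
    free: float

def _below(free_abs: float, free_rel: float,
           abs_level: Optional[float], rel_level: Optional[float]) -> bool:
    """True when free space is under either of the configured levels."""
    return ((abs_level is not None and free_abs < abs_level) or
            (rel_level is not None and free_rel < rel_level))

def evaluate_free_space(device: str, parts: List[Partition], t: Thresholds) -> List[Event]:
    """Events one scan of the monitor raises for a device (memory: one 'partition')."""
    if t.per_partition:
        units = [(p.name, p.free_gb, p.size_gb) for p in parts]
    else:
        # Without the per-partition option only the combined free space counts.
        units = [("combined", sum(p.free_gb for p in parts), sum(p.size_gb for p in parts))]
    events: List[Event] = []
    for name, free, size in units:
        free_rel = 100.0 * free / size if size else 0.0
        # The warning level is the more serious one, so it is checked first.
        if _below(free, free_rel, t.warn_abs, t.warn_rel):
            events.append(Event(device, name, "warning", t.severity, free))
        elif _below(free, free_rel, t.notify_abs, t.notify_rel):
            # A notification carries half the monitor severity and triggers no response.
            events.append(Event(device, name, "notification", t.severity // 2, free))
    return events

def response_candidates(events: List[Event]) -> List[Event]:
    """Only warning events are offered to the Response triggers."""
    return [e for e in events if e.kind == "warning"]

# Constructed sample device: C: is nearly full, D: has plenty of space.
SAMPLE = [Partition("C:", 100.0, 3.0), Partition("D:", 200.0, 20.0)]

if __name__ == "__main__":
    for per_part in (False, True):
        t = Thresholds(severity=50, warn_abs=5.0, notify_abs=10.0, per_partition=per_part)
        print("per partition" if per_part else "combined",
              evaluate_free_space("fileserver01", SAMPLE, t))
```

With the sample device, the combined check raises nothing (23 GB free in total) while the per-partition check raises a warning for C:, which is exactly the difference the Example above describes.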

2 - Port monitor

Ports

Select the ports that this monitor must scan.

Options
Here, one can enter specific TCP ports that are not currently defined in the port list. Any port can be entered; if a port that is already defined is entered, then that port will be selected in the list.

Note
If one doesn’t select any ports, then the monitor will simply test that the device is online.

2 - SNMP Monitor
The SNMP (Simple Network Management Protocol) is a management layer and part of the TCP/IP protocol suite. SNMP can be used to manage and monitor network equipment through a standardized protocol.

SNMP is a standard protocol on virtually all managed switches, routers and firewalls, and it is implemented in all major operating systems, including Windows, Linux and Mac OS.

DomainScan uses the SNMP interface that is supplied by Windows, which is SNMP v2 compliant.

To query the SNMP interface for data, an object identifier (OID) must be sent to the device. For more information about OIDs, see the SNMP browser.


Query

Enter the OID to send to the device.
DomainScan extracts the data part of the returned information, and the data will be compared to the value that is defined in the response section.

Response

Here, one must specify how the monitor must interpret the value that is returned from the SNMP query.

DomainScan can perform a set of comparisons against the value, which then determines whether the monitor is OK or an event must be created.

Note
DomainScan will always create an event if the query doesn’t return any data.

2 - User monitor

Monitor mode
Set how the monitor works. There are 4 options:

Use individual user settings: If selected, the monitor compares the current login count with the allowed number of logins defined for each user. An event is created for each user that exceeds the allowed number of simultaneous logins.
Warn, if user is online: If selected, the monitor creates an event if the monitored user is online.
Warn, if the user is a local user: If selected, the monitor creates an event if the monitored local user is logged into a device.
Use defined maximum: If selected, the monitor compares the login count for users with the value defined by the monitor.

User notification

Warn users that the number of simultaneous logins is exceeded
If enabled, then the user will receive a notification that the login count has exceeded the allowed number of logins.
This option is not available if the monitor is set to Warn, if user is online or Warn, if the user is a local user.

Notify by ‘Send message’
If enabled, then the notification text will be sent to all devices where the user is logged in. The notification is sent via the Messenger service (Not the same as MSN/Windows Messenger).

Notify by mail
If enabled, then DomainScan will create an email and send it to the user (in case that emails are enabled for the user). The mail will be formatted as displayed below.

Subject
[DomainScan notification]: Too many logins detected for your account.
Body
[Username] is currently logged into 3 devices, which exceeds the number of 2 allowed simultaneously logins.

-> labpc13
-> ws_floor3
-> kiosk_pc44
--------------------------------
[Warning to send]
--------------------------------

This is an automated mail created by DomainScan. Please do not reply to this message, but contact your IT department for further information.

2 - WMI Monitor
The WMI (Windows Management Instrumentation) is a management interface that is used by Windows.

WMI is based on non-proprietary protocols (CIM / WBEM) that are also used by other operating systems, like Linux, which makes it possible to use the WMI interface to query non-Windows based computers (an open source WMI-WBEM gateway is available).

WMI is divided into several namespaces, where the namespace called cimv2 is the most used namespace, because it is the namespace where hardware and OS information can be extracted (processor, motherboard, user, memory, service information, etc).

Other namespaces are defined in order to provide other kinds of information (Microsoft uses separate namespaces for its recent major software releases; for instance, a namespace is defined for the purpose of managing Office 2003 via the WMI interface).

To query the WMI interface for data, a WQL string must be sent to the WMI manager on the monitored device. For more information about WQL, see the WMI browser.


Query

Namespace
Select the namespace from where you wish to fetch information.

Query
Enter the WQL to send to the device. See 'WMI query creation' below for details.

Only run on WMI capable devices
Select this option to force the monitor to execute only on devices that support WMI (i.e. devices running Windows).
Enabling this option may reduce the number of devices on which the monitor tries to execute. On the other hand, the monitor may miss a device that was otherwise capable of being monitored.

Response

Here, one must specify how the monitor must interpret the value that is returned from the WMI query.

DomainScan can perform a set of comparisons against the value, which then determines whether the monitor is OK or an event must be created.

Note
DomainScan will always create an event if the query doesn’t return any data.

Login as

If an alternative login is needed in order to gain access to the monitored device, then it can be created in Security and selected here.


WMI query creation

A query must comply with the following syntax:

SELECT [description,] value FROM namespace [WHERE condition]


Description (optional)
In case that the query returns a number of rows, then one can select a column that can be used to identify the row – see the picture below.

Value
The name of the column that contains the value that is used for comparison with Compare to. If the query returns more than one row, then DomainScan will evaluate all rows against the Compare to value, and create an event upon a single failure.


Condition (optional)
If one wishes to limit the number of rows that are returned from a WMI query, one can narrow down the search by supplying a WHERE clause.

Note: The allowed syntax of 'WHERE' differs slightly between versions of Windows, so for details about supported queries, see the WQL page at the Microsoft website.


2 - IP Range monitor

Ports

Select the ports that this monitor must scan.

Options
Here, one can enter specific TCP ports that are not currently defined in the port list. Any port can be entered, and if one selects a port that is already defined, then this port will be selected.

Note
If one doesn’t select any ports, then the monitor will simply test that the device is online.

IP range

Define the range of IP addresses that this monitor must scan.

An IP range monitor will scan up to 127 consecutive addresses. If the range is known to contain one or more “holes”, exceptions can be enabled. Simply check the exceptions box, and click on the IP addresses that are to be excluded from the scan.

Each IP device in an IP range will use one license unit. If the same IP address is part of several IP range monitors, then that IP address will occupy more than one license unit. To avoid this, it is recommended to add the device to DomainScan as a user defined device.

3 - Event setup

Event details

Event severity
The severity of the monitor. The severity level can be set arbitrarily.

Increase the severity after each consecutive failure
Enable this option to increase the severity by one for each time that the monitor fails on a device.

Example
If a monitor is created with an initial severity value of 50, then the first event will have a severity value of 50. The next event will have a value of 51, then 52 and so on. This can be used to trigger 2 or more responses that trigger on different severity levels.

One scenario could be an initial warning at level 50 to the normal hardware support team and, if the event is not cleared after 5 scans (at level 55), another response that notifies the executive manager.


Consecutive failures before a response can be triggered
Specify the number of times that the monitor must fail before a response can be triggered. The default is 0, which means that a response can be triggered immediately.

Create an event if target is offline
Instructs the monitor to issue an event if the target device is offline.

Notify when the event is cleared
An 'event cleared' notification will be created once the event is cleared.

Write event information to the event log
If enabled, events will be written to the CSV formatted information log.

Response triggers

Allow this monitor to trigger process responses
If set, then the monitor can trigger process-responses.

Allow this monitor to trigger email responses
If set, then the monitor can trigger email-responses.

4 - Targets

Monitor targets
(This window is not available for IP range monitors)

Select the devices on which the monitor is to run.

To assign the monitor to an entire domain, click the domain, and the monitor will automatically be assigned to all devices in the domain (unless domain monitors are disabled on specific devices).

Responses

Two types of responses can be created – email responses and responses that execute a process (any program, script or file can be selected to be executed).


Example scenario

If a monitor is created to check that the Active Directory service is running on all directory servers, then an event is created for each server where the monitor detects that the particular service isn’t running.

Because the Active Directory service is crucial to directory enabled domains, it must be running. DomainScan can therefore, with the aid of a Response, be set to restart the server automatically in case of events.

Furthermore, DomainScan can run several Responses with different threshold conditions, which can be used to alert backup personnel if the event persists (i.e. the restart does not succeed).


Example scenario 2. Multiple responses

Several responses can be triggered by a single event. And by adjusting the trigger conditions for each Response, one can achieve a cascade of actions for each event.

Take the example above, but with the scenario that the administrator crew must first be warned about the stopped Directory service, so that they can resolve the condition manually (1).
Then, if the condition lasts for more than 15 minutes, a restart must be issued (2).
Finally, if the issue isn't resolved within 30 minutes, a distress message must be sent to the entire IT department, and maybe even to an external support company (3).

This scenario can be solved easily by creating 3 responses with slightly different trigger conditions.

Each response must be set to react to the same severity level, and occurrence must also be equal. The only condition that is to be altered between responses in this scenario is the ‘Time’ condition, which must be set to:

(1)
0 minutes for the initial Mail Response.
This response, which is triggered immediately when the event has occurred, simply informs the administrator crew that the Directory service is not running.

(2)
15 minutes for the Process Response
This response will be triggered when the condition has lasted for 15 minutes, and the Response must be set to execute a statement that restarts the server (i.e. by executing the Shutdown command or a batch file).

(3)
30 minutes for the distress Mail Response
This response is similar to the first response, only with the exception that the list of mail recipients is larger.

Note: (1), (2) and (3) will all be triggered after each scan cycle once the event has lasted for at least 30 minutes, which means that all 3 responses will be executed by DomainScan until the issue has been resolved.
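The severity escalation described under Event setup and the three-response cascade above, as an added Python simulation (not DomainScan code; names and the 5-minute scan interval are assumed). It applies the Severity, Time and Occurrence trigger conditions scan by scan and shows why the cascade needs 'The event must meet: all' rather than the default 'any', since with 'any' a matching severity alone would fire every response at once.

```python
from dataclasses import dataclass
from typing import Dict, List

@dataclass
class EventState:
    severity: int      # current severity; may rise by one per consecutive failure
    active_min: int    # minutes the event has been active
    occurrence: int    # consecutive scans on which the monitor has failed

@dataclass
class Response:
    name: str
    severity: int           # trigger conditions from the Response Wizard
    time_min: int
    occurrence: int
    must_meet: str = "any"  # DomainScan default; "all" is needed for a time-gated cascade

def triggers(resp: Response, ev: EventState) -> bool:
    """Apply the response's Severity, Time and Occurrence conditions to the event."""
    checks = [ev.severity >= resp.severity,
              ev.active_min >= resp.time_min,
              ev.occurrence >= resp.occurrence]
    return all(checks) if resp.must_meet == "all" else any(checks)

def event_severity(initial: int, failure_no: int, increase: bool) -> int:
    """Severity of the n-th consecutive failure: 50, 51, 52, ... when increasing."""
    return initial + (failure_no - 1) if increase else initial

def simulate(initial_severity: int, responses: List[Response], interval_min: int,
             cycles: int, increase: bool = False,
             failures_before: int = 0) -> Dict[int, List[str]]:
    """Monitor fails on every scan; map elapsed minutes -> responses that fire."""
    fired: Dict[int, List[str]] = {}
    for n in range(1, cycles + 1):
        elapsed = (n - 1) * interval_min
        ev = EventState(event_severity(initial_severity, n, increase), elapsed, n)
        # 'Consecutive failures before a response can be triggered' (assumed to
        # mean: the first `failures_before` failures never trigger anything).
        if n - 1 < failures_before:
            fired[elapsed] = []
        else:
            fired[elapsed] = [r.name for r in responses if triggers(r, ev)]
    return fired

# Scenario 2 from the text: same severity and occurrence, only Time differs.
CASCADE = [
    Response("Mail admin crew", 50, 0, 1, "all"),
    Response("Restart server", 50, 15, 1, "all"),
    Response("Distress mail", 50, 30, 1, "all"),
]

if __name__ == "__main__":
    # Constructed 5-minute scan interval, 7 scans = 0..30 minutes elapsed.
    for minute, names in simulate(50, CASCADE, 5, 7).items():
        print(f"{minute:>2} min: {names}")
```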


Response types
The following response types can be created:

  • Email
    A response type that will send a message with an event description to one or more email-addresses.

  • Process
    Launch a file, a batch file, a command or any other process that can be executed, for instance a VBScript that starts an automated failover process.

To set up a response, 4 steps need to be completed:

1 – Define response name and type.

2 – Define trigger conditions.

3 – Define settings specific to the response type.

4 – Select target devices.

Setup

1 - Response name and type

Name
The name of the response.

Type
The response type.

Pause
If set, then the response will not be triggered.

Template
If the response is to be a template response for other responses, enable this option.


2 - Trigger conditions

Trigger conditions

Severity
The severity level that must be met by the event to trigger the execution of the response.

Time (min)
The time, in minutes, that the event must have been active before the response is executed.

Occurrence
The number of times that the same event must occur, before the response is triggered.

The event must meet
Set whether the event must meet all or just one of the parameters in the above conditions.
By default, 'any' is set.

Monitor filter
Respond to events from any monitor
This type of response can be triggered by any monitor, as long as the trigger conditions are met.
This is the default response behavior.

Only respond to events from approved monitors
('Paired response')

With this setting, one must specify which monitors can trigger this response.
This must be done on each device or user where the response is deployed.

Respond to

Respond to device events (enabled by default)
If unchecked, then this response will not be triggered by device events.

Respond to user events (enabled by default)
If unchecked, then this response will not be triggered by user events.

Note: It’s not possible to uncheck both options.

3 - Process
The process response can be used to execute a program, restart a server or a service, start a recovery process, or run any other process that is useful in case of a critical error.

Because the process is executed by Windows, there is no limit to the type of process that can be executed, as long as Windows can execute it.


Note
The process is executed with the same username/password as is defined for the DomainScan Service, so it is subject to the same security limitations as DomainScan (if any). Conversely, anything that service account may do, a triggered process may also do, so the account should be granted no more rights than the responses require.

The process is also executed by the DomainScan Service with no interaction with the user desktop.
It is therefore not recommended to start a program that expects user input or runs as a GUI program: it will not be visible, but it will still be launched and consume resources.

For instance, if a Response is created that starts Notepad upon events, then Notepad will be launched, but it will not be visible to the user.


Process to run
The program or file to execute.

Startup directory (optional)
The folder from where the process will be executed.

Parameters (optional)
If the process expects one or more parameters, then enter the parameter string here.

Max parameter length
If the parameter length is not to exceed a certain number of characters, then one can set the max here. A value between 0 and 65536 can be selected, where the value 0 means that the length of the string is not checked.

If the length value is set, then the string will be truncated if the parameter string is longer than the max value.

Parameters
If one needs to add custom parameters to the Parameters string, then one can use these inserts. DomainScan translates each insert into its value just before the response is executed.

The translation is as follows:

Incident device name: %name. Inserts the name of the device where the event occurred.
Incident device description: %des. Inserts the description of the device where the event occurred.
Monitor name: %name. Inserts the name of the monitor that created the event.
Event severity: %severity. Inserts the event severity.
Event date: %date. Inserts the current date as yyyy-mm-dd.
Event time: %time. Inserts the current time as hh:mm.


Example
For instance, if the Response is to restart the mail server in case of fatal events, then it can be done remotely (on systems where the Shutdown command is implemented) by executing the process 'shutdown -r -f -m \\mailserver -c "DomainScan Service restart process"'.

To create this process, enter shutdown in the Process to run line, and 'shutdown -r -f -m \\mailserver -c "DomainScan Service restart process"' in the Parameters line.

Optionally, enter the path to the shutdown program in the Startup directory line.
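The insert translation from the Parameters table and the Max parameter length truncation, as an added Python example that is not DomainScan code. It generalises the restart example above by inserting the incident device name instead of hard-coding it; the table lists %name for both the device name and the monitor name, so this example assumes %name resolves to the device name.

```python
import re
from datetime import datetime
from typing import Optional

# Insert tokens from the Parameters table above. The table lists %name for both
# the incident device name and the monitor name; this example resolves %name to
# the device name (an assumption about which one DomainScan uses).
TOKEN_RE = re.compile(r"%(name|des|severity|date|time)")

def expand_parameters(template: str, device: str, description: str, severity: int,
                      max_len: int = 0, now: Optional[datetime] = None) -> str:
    """Translate the insert tokens, then apply 'Max parameter length' (0 = unchecked)."""
    now = now or datetime.now()
    values = {
        "name": device,
        "des": description,
        "severity": str(severity),
        "date": now.strftime("%Y-%m-%d"),  # yyyy-mm-dd as in the table
        "time": now.strftime("%H:%M"),     # hh:mm as in the table
    }
    # Unknown %tokens are left untouched; only the documented ones are replaced.
    expanded = TOKEN_RE.sub(lambda m: values[m.group(1)], template)
    if max_len > 0 and len(expanded) > max_len:
        expanded = expanded[:max_len]      # truncated, as the Max parameter length text says
    return expanded

# The restart example above, generalised so the incident device name is inserted
# rather than hard-coded (constructed template; shutdown switches as on the page).
SHUTDOWN_TEMPLATE = r'shutdown -r -f -m \\%name -c "DomainScan restart, severity %severity at %date %time"'

FIXED_TIME = datetime(2007, 11, 7, 14, 30)   # constructed timestamp for repeatable output

if __name__ == "__main__":
    print(expand_parameters(SHUTDOWN_TEMPLATE, "mailserver", "Mail server", 50, now=FIXED_TIME))
```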

3 - Email

Addresses

Enter one or more email addresses that are to receive the event message if the Response is executed.

Server settings

By default the Response will use the SMTP server settings that are set in Preferences, but if a different SMTP server is to be used (for instance, if the response is to be executed when the primary mail server is not responding), then the alternate server can be assigned here.

Connect as
If an alternative login is needed in order to gain access to the mail server, then it can be created in Security and selected here.

4 - Targets


Response targets

Select the devices on which the Response is to run.

To apply the Response to an entire domain, simply click the domain, and the Response will automatically be assigned to all devices in the domain (unless domain monitors are disabled on specific devices).

2003 - 2010 GHIT ApS (Formerly GH Software).