Supported Monitors and Tests

A monitor is a process that runs one or more categories of tests with similar functions. Each type of test is identified by the name of the monitor that runs it and the Test Subtype, a unique identifier within the monitor.

For example, the Port Monitor can run tests of several subtypes: FTP, HTTP, HTTPS, IMAP, IMAPS, etc. When you create a new FTP test for a device, NetVigil uses the test's Test Type/Subtype combination (Port/FTP) to look up provisioning information for this category of tests.

NetVigil provides standard monitors for network, servers, applications and URL transactions. (You can easily add new monitors with the plugin framework described in Chapter 27, "Plugin Monitors". Efficient and multi-threaded, the standard monitors are designed to minimize the impact of traffic monitoring on your network. The use of NetVigil tests does not result in a significant increase in resource utilization for the devices being polled because default time intervals are set to provide an accurate picture of device functioning without burdening the system.

NetVigil is designed to work with SNMP agents such as Empire, UCD, or BMC Patrol, and recognizes MIBs from a variety of standard devices such as Compaq servers and Cisco routers. Note that while information can be gathered from a device's private MIB, some MIBs do not provide enough information to enable the same array of tests that a standard SNMP agent would allow.

NetVigil's SNMP monitor is an extremely fast, multi-threaded poller with support for 64bit counters where available and also account for the rollover of 32bit counters. Multiple SNMP queries to the same host are sent in the same SNMP packet for speed and optimization. An alternate SNMP port can be queried instead of the default if needed.

In addition to using NetVigil's standard monitors or creating new ones to poll for data, you can insert numeric data into the system is via the External Data Feed (EDF) described in Chapter 24, "External Data Feed (EDF) Reference". NetVigil can also accept SNMP traps and scan log files for specific patterns (regular expressions) via the Message Handler which is described in Chapter 7, "Message Handler for Traps & Logs"

D.2 Available Monitors

D.2.1 Network Monitors

Frame Relay & ATM

Measure parameters on frame relay and ATM circuits such as DLCI status, discards, traffic, FECN, BECN.

Firewalls

Monitor firewall parameters such as Packets accepted, rejected, drops, active connections for IP/FTP/HTTP etc.

Wireless Access Points

Monitor WLAN access point metrics such as wireless client count, neighbor count, SSID broadcasts, encapsulation errors, associations, duplicate sequence, WEP key mismatch, SSID mismatch.

BGP Route Monitor

RIP Routing Monitor

OSPF Routing Monitor

The OSPF neighbor states are listed below in order of progressing functionality:

Down: This is the initial state of a neighbor conversation. It indicates that there has been no recent information received from the neighbor. On non-broadcast networks, Hello packets may still be sent to "Down" neighbors, although at a reduced frequency.

Attempt: This state is only valid for neighbors attached to non- broadcast networks. It indicates that no recent information has been received from the neighbor, but that a more concerted effort should be made to contact the neighbor. This is done by sending the neighbor Hello packets at intervals of HelloInterval.

Init: In this state, an Hello packet has recently been seen from the neighbor. However, bidirectional communication has not yet been established with the neighbor (i.e., the router itself did not appear in the neighbor's Hello packet). All neighbors in this state (or higher) are listed in the Hello packets sent from the associated interface.

2-Way: In this state, communication between the two routers is bidirectional. This has been assured by the operation of the Hello Protocol. This is the most advanced state short of beginning adjacency establishment. The (Backup) Designated Router is selected from the set of neighbors in state 2-Way or greater.

ExStart: This is the first step in creating an adjacency between the two neighboring routers. The goal of this step is to decide which router is the master, and to decide upon the initial DD sequence number. Neighbor conversations in this state or greater are called adjacencies.

Exchange: In this state the router is describing its entire link state database by sending Database Description packets to the neighbor. Each Database Description Packet has a DD sequence number, and is explicitly acknowledged. Only one Database Description Packet is allowed outstanding at any one time. In this state, Link State Request Packets may also be sent asking for the neighbor's more recent advertisements. All adjacencies in Exchange state or greater are used by the flooding procedure. In fact, these adjacencies are fully capable of transmitting and receiving all types of OSPF routing protocol packets.

Loading: In this state, Link State Request packets are sent to the neighbor asking for the more recent advertisements that have been discovered (but not yet received) in the Exchange state.

Full: In this state, the neighboring routers are fully adjacent. These adjacencies will now appear in router links and network links advertisements.

RMON2 Protocol Metrics

Measure traffic statistics for TCP, UDP, ICMP, ssh, telnet, http, pop3, imap, dns and snmp using RMON2 MIB.

Voice over IP

Measure delay, packet loss and jitter metrics such as response time, packet loss, positive & negative, out of sequence and late arrivals.

ICMP Packet Loss

Verify that the network hosts are available and reachable via the network and also indicate if reachability is degraded. Five packets are sent, and the packet loss is reported as a percentage.

ICMP Round Trip Time

Measure the response time (in milliseconds) of ICMP ping packets to detect network latency. 5 packets are sent in each pass and the average of these five packets is calculated for each test.

Bandwidth Utilization

Measure the traffic (bytes) transmitted between each test interval, and calculate the percentage utilization based on the maximum bandwidth of the interface.

Throughput on Network Interface

Interface Errors

Calculate CRC error rate and discards (per minute) calculated by the delta between sample intervals.

Load Balancer

Monitor Virtual server and real server status, connections, traffic, failover cable status for load balancers such as the Cisco Local Director.

LAN Switches

Measure VLAN traffic, buffer allocation failures, traffic per port, CRC errors and environment parameters such as chassis temprature, fan status, power supply.

SNMP Traps

Customizable trap handler which assigns a severity to received traps based on a customizable configuration file and inserts into the system.

D.2.2 Server Monitors

CPU load

Report on the percentage of CPU in use (average over past minute) to detect overloaded servers. Note that occasional spikes in CPU load is normal.

Disk space

Physical Memory Usage

Measure percentage of physical memory used. Note that some operating systems use any `available' physical memory for I/O buffers and hence the percentage of physical memory used will always be high.

Virtual Memory

Paging/Memory Swapping

Report on the number of page swaps per unit time. Paging is a normal phenonmenon, but excessive swapping is bad and indicates that the system requires additional physical memory.

Process & Thread Count

RPC Portmapper

Check if the RPC portmapper is running (a better alternative to icmp ping for an availability test).

LAN Manager

Report metrics such as authentication failures, system errors, I/O performance, concurrent sessions.

Compaq Insight Manager

Report metrics such as RAID controller information, temperature, fan, power supply, CPU load and network interface utilization.

Printers

UPS

Monitor battery status, capacity, battery temperature, voltage and output status on UPSs.

D.2.3 Application Monitors

Oracle database

Monitor database status, transaction rate, disk reads & writes, page reads & writes, out of space errors, query rate, committed transactions, aborted transactions, table status, table utilization, datafile reads & writes, replication status, listener status, SID connections.

Apache Web Server

Report on web server traffic, utilization, requests per second, average data bytes per request

Object Oriented (OODB) OQL query

Measures query response time; Required input: legitimate username, password, database name, and proper OQL query syntax.

LDAP database query

Connects to any directory service supporting an LDAP interface and checks whether the directory service is available within response bounds and provides the correct lookup to a known entity. Required input: base, scope and filter.

Generic SQL query

Measures SQL query response time and returned data value for Oracle, Sybase, SQL Server, Postgres, MySQL using JDBC. Other database queries can be monitored by editing the netvigil.xml file, provided there is a JDBC driver (jar file) that can be monitored.

Microsoft SQL Server

Measure the status, page reads, TDS packets, threads, page faults, connected users, lock timeouts, deadlocks, cache hit ratio, disk space utilization, transaction rate, log space utilization, replication rate.

Microsoft Exchange Server

Measure traffic, ExDS statistics, Address book Connections, ExDS metrics, MTS, LDAP queries, queue, SMTP connections, failed connections, thread pool usage, failures, disk operations.

Microsoft Internet Information Server

Monitor the traffic, files transferred, active users, active connections, throttled requests, rejected requests, 404 errors, and breakdown on the request types (GET, POST, HEAD, PUT, CGI).

DHCP Monitor

Check if DHCP service on a host is available, whether it has IP addresses available for lease and how long it takes to answer a lease request. On Microsoft DHCP servers, additional metrics such as statistics on discover, release, ack, nak requests.

Citrix

Measures zone elections, application resolutions, datastore traffic, dynstore traffic, cache statistics.

Lotus Notes

Mail queue size, undeliverable mail count, avg mail delivery time, transaction rate, active & rejected user sessions, database pool, active web sessions, etc.

Sendmail

URL transaction monitor

Measures time to complete an entire multi-step URL transaction. Can fill forms, clicks on hyperlinks, etc. Works with proxy and also supports https.

HTTP

Monitors the availability and response time of HTTP Web servers. Checks for error responses, incomplete pages.

HTTPS

Secure HTTP- This monitor supports all of the features of the HTTP monitor, but also supports SSL encapsulation, in which case the communication is encrypted using SSLv2/SSLv3 protocols for increased security. The monitor will establish the SSL session and then perform HTTP tests to ensure service availability.

SMTP Server

Simple Mail Transport Protocol - Monitors the availability and response time of any mail transport application that supports the SMTP protocol (Microsoft Exchange, Sendmail, Netscape Mail.)

POP3 Server

Monitors the availability and response time of POP3 E-mail services. If legitimate username and password is supplied, will login and validate server response.

IMAP4 Server

Internet Message Access Protocol - Monitors the availability and response time of IMAP4 E-mail services. If legitimate username and password is supplied, will login and validate server response.

IMAPS

Secure IMAP- This monitor supports all of the features of the IMAP monitor, but also supports SSL encapsulation, in which case the communication is encrypted using SSLv2/SSLv3 protocols for increased security. The monitor will establish the SSL session and then perform IMAP tests to ensure service availability.

FTP Server

File Transport Protocol - Monitors the availability and response time of FTP port connection. Connection request sent, receives OK response and then disconnects. If legitimate username and password is supplied, will attempt to login and validate server response.

NNTP News Server

Connects to the NNTP service to check whether or not Internet newsgroups are available, receives OK response and then disconnects.

Generic Port

Monitor the response time for any TCP port, and report a failure if supplied response string is not matched in the server reply.

NTP

Monitors time synchronization service across the network by querying the NTP service on any server and returning the stratum value. If the stratum is below the configured thresholds, an error is reported.

RADIUS

Remote Authentication Dial-In User Service (RFC 2138 and 2139) - performs a complete authentication test against a RADIUS service, checking the response time for user logon authentication to the ISP platform. Required input: secret, port number, username and password.

DNS

Domain Name Service (RFC 1035) - uses the DNS service to look up the IP addresses of one or more hosts. It monitors the availability of the service by recording the response times and the results of each request.

D.2.4 Custom Monitors

External Data Feed (EDF) Monitors

Use the EDF Server to insert numeric values into NetVigil via a socket interface. The inserted data is treated as if it were collected using standard monitors. See Chapter 24, "External Data Feed (EDF) Reference"

Message Handler

Plugin Monitor Framework

You can write a custom monitor as a Java class, or as an external script/programming in any programming language. See Chapter 27, "Plugin Monitors"

D.3 WMI Variables Supported

NetVigil can collect monitoring data from Windows computers directly using the native WMI interface. The following is the partial list of WMI parameters collected by NetVigil. Please note that the WMI variables library is continously being updated, so please contact Fidelia for the latest list of WMI parameters supported by Fidelia NetVigil.

D.4 SNMP MIBs Supported

D.4.1 RFC/Standard MIBs

The table that follows lists the standard MIBs supported by NetVigil. Support for new MIBs is continuously being added into NetVigil, so please contact Fidelia if you do not see a vendor MIB listed in this table.

Table D.1 Windows WMI Variables
Application	Supported Tests
SQL Server	Active Transactions Transaction Rate Log Cache Hit Ratio Log Space Used Lock Average Wait Lock Requests Lock Deadlocks Batch Requests Compilations Users Connected Users Logging In/Out Auto Param total/failed/safe
IIS	Total traffic File transfers Active connections Anonymous users Authenticated Users HTTP Operations GET/POST/PUT/HEAD/ISAPI Not Found Errors
DHCP	Request Discover Release Offer Pack Nack
Host	Disk Space CPU Physical Memory Virtual Memory Number of users Number of Processes Thread count Context Switches File R/W operations
Network	Interface Utilization Interface Traffic Interface Discards Interface Errors

Table D.2 RFC/Standard MIBs
MIB	Supported Tests
RFC1514 - Host Resources MIB	Disk Space Utilization Physical Memory Utilization Swap/Virtual Memory Utilization CPU Load Running Application/Process Count Logged In User Count
RFC1253 - OSPF Version 2	OSPF {neighbor} Status OSPF {neighbor} Errors OSPF External LSA OSPF LSA Sent/Received
RFC1657 - Border Gateway Protocol (BGP-4)	BGP {neighbor} Status BGP {neighbor} Updates Sent/Received BGP {neighbor} FSM Transitions
RFC1724 - RIP Version 2	RIP Route Changes RIP {interface} Updates Sent RIP {neighbor} Bad Routes Received
RFC1697 - Relational Database Management	{rdbms} Status {rdbms} Disk Space Utilization {rdbms} Transaction Rate {rdbms} Disk Reads/Writes {rdbms} Page Reads/Writes {rdbms} Out Of Space Errors
RFC1759 - Printer MIB	Printer Status Printer Paper Capacity Printer Door Status
RFC2115 - Frame Relay DTE	Frame Relay {dlci} Status Frame Relay {dlci} FECN/BECN Frame Relay {dlci} Discards/DE Frame Relay {dlci} Traffic In/Out
RFC2021 - RMON2	ICMP traffic (byte rate) TCP traffic UDP traffic SSH Telnet HTTP SMTP POP3 IMAP DNS SNMP
RFC2863 - Interfaces Group MIB	{interface} Status {interface} Utilization In/Out {interface} Traffic In/Out {interface} Packets In/Out {interface} Discards In/Out {interface} Errors In/Out

D.4.2 Vendor-Specific MIBs

Table D.3 Vendor-Specific MIBs
MIB	Supported Tests
APC UPS	UPS Battery Status UPS Battery Capacity UPS Battery Temperature UPS Voltage UPS Output Status
Checkpoint FW-1	Packets Accepted Packets Rejected Packets Dropped Packets Logged CPU Utilization
Cisco Wireless Access Points	Wireless Client count Neighbor Access Point count SSID Broadcast count Wireless Nodes roamed Wireless Associations Wireless Disassociations Wireless Reassociations Encapsulation/Decapsulation Errors Duplicate Sequence WEP Key Mismatch SSID Mismatch
Cisco Local Director	Virtual {server}:{port} Status Virtual {server}:{port} Connections Virtual {server}:{port} Traffic In/Out Virtual {server}:{port} Packets In/Out Real {server}:{port} Status Real {server}:{port} Connections Real {server}:{port} Traffic In/Out Real {server}:{port} Packets In/Out Failover Cable Status
Cisco PIX Firewall	Firewall Status Active IP Connections Active FTP Connections Active HTTP Connections Active HTTPS Connections Active SMTP Connections Active H.323 Connections Active NetShow Connections Active NFS Connections
Cisco Router/Catalyst Switch	{interface} CRC Errors Backplane Utilization VLAN Traffic In/Out VLAN Error In/Out CPU Utilization Memory Utilization Buffer Allocation Failure Chassis Temperature Fan Status Power Supply Status Module Status
Cisco SAA agent	Icmp Echo Response Time Jitter Response time Jitter Positive/Negative Jitter Packet Loss Jitter Out of Sequence Jitter Late Arrival
Compaq Insight Manager	Network Interface Status Network Interface Utilization In/Out Network Interface Alignment Error In/Out Network Interface FCS Error In/Out CPU Utilization Disk Space Utilization RAID Controller Status RAID Array Chassis Temperature RAID Array Fan Status RAID Array Power Supply Status
Foundry Network Router/Switch	CPU Utilization Chassis Temperature Fan Status Power Supply Status
HP/UX	Disk Space Utilization Physical Memory Utilization Swap/Virtual Memory Utilization CPU Load Running Application/Process Count Logged In User Count
LAN Manager (Windows Only)	Windows Login Errors System Errors Workstation I/O Response Active Connections
Microsoft DHCP Server	Available Address In Scope DISCOVER Request Received REQUEST Request Received RELEASE Request Received OFFER Response Sent ACK Request Received NACK Request Received
Microsoft Exchange Server	Traffic In/Out ExDS Access Violations ExDS Reads ExDS Writes ExDS Connections Address Book Connections LDAP Queries MTS SMTP Connections Failed Connections Queue Delivered Mails Looped Mails Active Users Active Connections Xfer Via IMAP Xfer Via POP3 Thread Pool Usage Disk Operation (delete) Disk Operation (sync) Disk Operation (open) Disk Operation (read) Disk Operation (write)
Microsoft Internet Information Server (IIS)	Incoming/Outgoing Traffic Files Sent/Received Active Anonymous Users Active Authenticated Users Active Connections GET Requests POST Requests HEAD Requests PUT Requests CGI Requests Throttled Requests Rejected Requests Not Found (404) Errors
Microsoft SQL Server	{database} Status {database} Page Reads/Writes {database} TDS Packets {database} Network Errors {database} CPU Utilization {database} Threads {database} Page Faults {database} Users Connected {database} Lock Timeouts {database} Deadlocks {database} Cache Hit Ratio {database} Disk Space Utilization {database} Transaction Rate {database} Log Space Utilization {database} Replication Rate
Oracle 8/9i Database	DB {database} Status DB {database} Disk Utilization DB {database} Transaction Rate DB {database} Disk Reads/Writes DB {database} Page Reads/Writes DB {database} OutOfSpace Errors DB {database} Query Rate DB {database} Committed/Aborted Transactions Table {table} Space Utilization Table {table} Status Datafile {file} Reads Datafile {file} Writes Replication Status Listener Status SID Connections
Sun Solaris	System Interrupts Swap In/Out to Disk CPU Load
NET-SNMP (formerly UCD-SNMP)	Disk Space Utilization Physical Memory Utilization Swap/Virtual Memory Utilization CPU Load System Interrupts Swap In/Out to Disk Block I/O Sent/Received System Load Average