Network Behavior Analysis leads to a blocked RBN host

Posted in NetFlow on October 1st, 2009 by mike@plixer.com

In this post I will briefly outline how we added an entry to the ACL (access control list) on our router to block the RBN host 221.192.8.90 from sending anything onto our network. I discussed the attack in my last post, Russian Business Network – Detecting Cybercrime with NetFlow.

Michael Patterson
Scrutinizer Product Manager
Follow Me on Twitter

Too many syslogs? Log management software can help!

Posted in Log Management, Logalot, Network Problem Resolution on June 16th, 2009 by Jo-G

Are you getting a lot of syslogs and want to filter what you are being alerted on?

Logalot, a Centralized Log Management application, has policy management features that let you filter incoming logs and alert based on the type, number, or content of the logs.

For this blog post, I will be focusing on the triggers for sending alerts based on the number of incoming logs.



NetFlow Detective – A cold day in this dark city

Posted in Denika, General, Logalot, NetFlow, Netflow Detective, Network Traffic Analysis, Scrutinizer on March 30th, 2009 by jimmyd

It was a cold day in March, colder than usual for this time of year. The phone rang and it was Jon telling me that his router wasn’t performing well and was having issues. They all have an issue in this city. Some are big and some are small, but they all have issues. As for Jon, his issue was big and that’s why he called me… I’m Jimmy D, the Cisco NetFlow Detective.

His story was the same old song; every day around a specific time, his network would slow down and the CPU on his router would peg at 90%. He needed to know why, and fast. His company was getting ready to release a hot new piece of software and they needed the bandwidth to support it.

He had taken the first step; he was already monitoring his bandwidth with Scrutinizer. But Jon needed more. He needed to know what times his CPU utilization was high and what traffic patterns occurred during that time. If this was a perfect world, he would also be alerted when it happened.

“Let’s go get a cup of coffee,” I said.

“Jon, we can trend your CPU utilization via SNMP with Denika. We can also set up alarms and alerts in both Scrutinizer and Denika. We can also capture syslogs from the router with Logalot. All this information can be tied together to give us a better picture and possibly point out a pattern.”

“Awesome, that’s what I was looking for! Can you help me?” he replied.

“Sure Jon, I’m the NetFlow detective, that’s what I do.”

Later that day, we took some time to set up both products. I explained how the process worked and what we were looking for. I let him know that although we can store this data forever, we were specifically interested in the next 24 hours. I was positive that our culprit would strike again.

He let me know that he would call me the next day.

“Jimmy, I just got an alert!” said Jon.

“Let’s look at what it said,” I said.

It was 5:01 p.m. and I wasn’t surprised. Nasty things, like rats and bad packets, show up quickly. After a few minutes of searching, I could see a pattern and it wasn’t pretty.

“I believe I found your issue, Jon.”

I looked at the time of the CPU spikes in Denika’s SNMP reports. We then looked at the Layer 3 traffic reports within Scrutinizer. I compared the timeframes and quickly saw the traffic matched.

“We now know it is a user. So now let’s find out who it is. To do so, we can drill down through the IP addresses in Scrutinizer and find out what IP is causing the traffic. Here you go Jon, are you ready to see who is hogging your bandwidth and causing the high CPU utilization?”

In one click, I quickly resolved the top talkers and saw that it was jenny.abcorp.com.

“Oh no, that’s my girlfriend!” said Jon, “Can we tell who she was talking to?”

We quickly switched to the conversation’s destination view and could see that she was uploading 6 gigs of data to cbacorp.com at 5 p.m. every day. Jon knew the rest of the story because it was a common one. Geek programmer meets cute Russian model who thinks he is Superman, but soon finds out that he had been taken in by a pretty face. She was uploading the latest builds of their hot new software to the competitors. She was a spy.

“Thank you Jimmy, you saved our company,” said Jon.

“Don’t sweat it kid. My job is to shed some light in a dark world…”

Most of these names and happenings in this story are true. Some have been changed to protect the innocent.

____________________________________
Jim Dougherty aka "Jimmy D"
Lead PreSales Support Engineer and
Netflow Evangelist for Plixer International!

Follow me on Twitter
http://twitter.com/jimmydnet
____________________________________

Using Logalot to send customized e-mail to Scrutinizer devices by group

Posted in General, Logalot, Scrutinizer on February 28th, 2009 by Raul J Duran

One of our customers called wanting to know if he could send customized e-mail notifications to the network administrators in charge of different groups of devices within Scrutinizer.

Here’s the situation:

The customer has about five different groups broken down by region like North America, Asia Pac, Europe, and so forth. These regions are managed by different teams of administrators in those areas.

When a problem arises on a device in Scrutinizer, he wants e-mails sent to the response team in charge of that area and of that device. He doesn’t want the team to be bombarded with redundant e-mails about the same problem.

The solution is to install the Logalot add-on to the Scrutinizer server and configure its notification engine to intelligently route notifications any way you want.

Logalot is a policy-based log manager that can listen for syslogs coming from Scrutinizer when an alarm is triggered. We can create a Logalot policy for each device in a group that would send an e-mail to the person or group responsible for the device that has triggered the alarm. We can even color code each device policy the same way for each group for easy identification and management on the Logalot Bulletin Board and policy manager. Logalot is also flexible enough that you can configure it to send notifications every 5 minutes, or only once until the problem is resolved.


Logalot can do much more than just process Scrutinizer notifications. It can receive syslogs, SMTP, and SNMP Trap messages from any device as well as monitor Windows Event logs.

For more tips about setting up e-mail notifications see this post about sending alerts from alarms generated by Scrutinizer. And go here for more tips about Scrutinizer, including a sneak peek of Scrutinizer version 7, and Scrutinizer class map reporting.

Raul J Duran


How to change your root MySQL password

Posted in General on February 26th, 2009 by miltong

If you have forgotten your password, or just would like to change your MySQL password for Denika, Logalot or Scrutinizer, then here are some tips on how to reset your MySQL password.

1) Stop the MySQL service.

2) From a command prompt, navigate to the SOE\mysql\bin folder (or scrutinizer\mysql\bin).

3) Run the following command: "mysqld-nt.exe --skip-grant-tables". This starts the MySQL server with the grant tables (and therefore password checks) disabled; the command prompt will appear to hang, which is normal.

4) Open another command prompt and navigate to the same folder as step 2.

5) Run the following command: "mysql -u root mysql". This will bring up a command line MySQL session and the prompt will change to mysql>.

6) Copy and paste the following command, then press Enter: "UPDATE user SET Password=PASSWORD('mynewpassword') WHERE User='root';"

** where mynewpassword is your new password

7) You should see the following output:
Query OK, 2 rows affected (0.05 sec)

8) Type “quit”, and you will return to a command prompt.

9) Enter “mysqladmin shutdown”. You will see the other command session return to the prompt.

10) Start the MySQL service and dependent services.

11) Write down your new password so you don’t have to go through these steps again.  :)
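The same procedure as a script, added here as an example and not part of the original post or the Plixer products. It assumes the binaries are in C:\SOE\mysql\bin and the Windows service is named "MySQL" (both are parameters), and it binds the temporarily unauthenticated server to loopback so nothing else on the network can reach it while the grant tables are skipped.

```powershell
# Added example (not from the Plixer post): automates steps 1-10 above on Windows.
# Assumptions: binaries in C:\SOE\mysql\bin, Windows service named "MySQL",
# server binary mysqld-nt.exe. Adjust the two parameters for your install.
param(
    [string]$MysqlBin    = 'C:\SOE\mysql\bin',
    [string]$ServiceName = 'MySQL'
)

# Read the new password without echoing it, then escape \ and ' for the SQL literal.
$secure  = Read-Host -Prompt 'New MySQL root password' -AsSecureString
$bstr    = [Runtime.InteropServices.Marshal]::SecureStringToBSTR($secure)
$plain   = [Runtime.InteropServices.Marshal]::PtrToStringBSTR($bstr)
[Runtime.InteropServices.Marshal]::ZeroFreeBSTR($bstr)
$escaped = $plain.Replace('\', '\\').Replace("'", "''")

# Step 1: stop the service.
Stop-Service -Name $ServiceName -ErrorAction Stop

# Step 3: start the server with authentication disabled. While the grant tables are
# skipped anyone who can reach the port is root, so bind to 127.0.0.1 only.
$server = Start-Process -FilePath (Join-Path $MysqlBin 'mysqld-nt.exe') `
    -ArgumentList '--skip-grant-tables', '--bind-address=127.0.0.1' `
    -PassThru -NoNewWindow -ErrorAction Stop

# Wait until the server answers "mysqladmin ping" before sending any SQL.
$ready = $false
foreach ($i in 1..30) {
    & (Join-Path $MysqlBin 'mysqladmin.exe') -u root ping 2>$null | Out-Null
    if ($LASTEXITCODE -eq 0) { $ready = $true; break }
    Start-Sleep -Seconds 1
}
if (-not $ready) { throw 'mysqld-nt.exe did not start within 30 seconds' }

# Steps 5-7: update the root password. The SQL goes over stdin rather than -e
# so the password never shows up on the command line or in process listings.
$sql = "UPDATE user SET Password=PASSWORD('$escaped') WHERE User='root';"
$sql | & (Join-Path $MysqlBin 'mysql.exe') -u root mysql
if ($LASTEXITCODE -ne 0) { throw 'Password update failed' }

# Step 9: shut the temporary server down (no FLUSH PRIVILEGES is needed; the
# restart below reloads the grant tables) and wait for it to exit.
& (Join-Path $MysqlBin 'mysqladmin.exe') -u root shutdown
$server.WaitForExit()

# Step 10: start the normal service again.
Start-Service -Name $ServiceName -ErrorAction Stop
Write-Host "Root password updated; service '$ServiceName' restarted."
```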

Milton


Email alerts from Scrutinizer Alarms

Posted in General, Logalot, Scrutinizer on January 6th, 2009 by Jo-G

One question that has been asked repeatedly by customers is, “Can I send email notifications from alarms generated by Scrutinizer?”

And the answer is a resounding, “Yes, you can!”.

However, it does require another of our products, which can be installed right over Scrutinizer. This add-on product is Logalot, our Centralized Log Management application. A free version of Logalot is available, which may be sufficient for your immediate needs. Installation and configuration takes a mere matter of minutes and is further simplified with the assistance of one of our Presales Support Engineers.
