
How Orion NPM monitors your network

The Orion NPM system is a database-driven web application that operates on top of Microsoft .NET server technologies. Microsoft Internet Information Services (IIS) is the web service for the Orion Dashboard, and Microsoft SQL Server is the database backend for all information gathered from network devices and servers.

Devices are added to the Orion NPM database either manually by IP address or DNS name, or automatically by using the Network Sonar Wizard. Once a device has been added to Orion NPM, it is polled for data by Orion NPM on a predefined timer, or counter. An internal process runs continuously in the background on the Orion NPM server and checks when to "kick off" the polling engine, depending on the time set for a device in the counter. When that time has been reached, the device is polled.

Tip

SolarWinds Orion NPM does not poll all devices at the same fixed, predetermined time. Orion NPM only polls a device when that device's counter has been reached. This may be difficult to picture, so here is an example. Imagine that you have a very large network with 5,000 network devices. If SolarWinds Orion NPM were configured to poll all 5,000 devices at precisely the same time, this would act just like a denial-of-service attack and literally take your network down! The counter process is a fantastic feature since it guarantees that Orion NPM won't flood your network with polling traffic and won't cut off your users' network access.
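The effect of per-device counters can be seen in a small simulation. This is an added example, not SolarWinds code: the scheduler, the 120-second interval, and the way start offsets are assigned are all assumptions made for illustration; only the 5,000-device figure comes from the text.

```python
import heapq
from collections import Counter

DEVICES = 5000    # figure used in the text
INTERVAL = 120    # seconds between polls; assumed value, not an Orion default
HORIZON = 600     # simulated seconds

def peak_polls_per_second(first_due, interval, horizon):
    """Run a per-device countdown scheduler over simulated time.

    first_due holds each device's first poll time in seconds.
    Returns the largest number of polls fired within any single second.
    """
    heap = [(t, dev) for dev, t in enumerate(first_due)]
    heapq.heapify(heap)
    per_second = Counter()
    while heap and heap[0][0] < horizon:
        due, dev = heapq.heappop(heap)
        per_second[due] += 1                          # "kick off" the poll
        heapq.heappush(heap, (due + interval, dev))   # reset this device's counter
    return max(per_second.values(), default=0)

def synchronized_peak():
    # Every counter expires at the same instant: one burst per interval.
    return peak_polls_per_second([0] * DEVICES, INTERVAL, HORIZON)

def staggered_peak():
    # Each counter starts at a different offset inside the interval.
    offsets = [dev % INTERVAL for dev in range(DEVICES)]
    return peak_polls_per_second(offsets, INTERVAL, HORIZON)

if __name__ == "__main__":
    print("synchronized peak polls/second:", synchronized_peak())
    print("staggered peak polls/second:   ", staggered_peak())
```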

Orion NPM monitors a network using industry-standard protocols to poll data from network devices on a regular basis. The protocols used by Orion NPM to gather network information are Simple Network Management Protocol (SNMP), Windows Management Instrumentation (WMI), Internet Control Message Protocol (ICMP), and Syslog. Depending on the device, Orion NPM will use an appropriate protocol to gather information. For gathering data from a Cisco switch, Orion NPM would use SNMP or ICMP. To gather data from a Windows server, it may use WMI. The following diagram is a simple example of how Orion NPM monitors a network and how that information is presented:

[Diagram: How Orion NPM monitors your network]

It is important to understand not only how Orion NPM operates, but also the technologies, standards, and protocols that it uses. The next few sections describe several standard network monitoring protocols and how Orion NPM uses them.

Simple Network Management Protocol (SNMP)

SNMP is the most commonly used protocol for gathering monitoring data from computer systems and network devices. It consists of three components: managed devices, agents, and network management systems. A managed device could be a switch, router, server, or any other type of network device that has an SNMP agent. An SNMP agent is software on a device that translates data to SNMP-compatible language for transmission across a network to a network management system, such as SolarWinds Orion NPM. SNMP has been around almost since the beginning of the modern computer age and has gone through several revisions.

SNMP is an IETF-standardized protocol and operates in one of two ways: the manager/agent model, and traps. In the manager/agent model, an SNMP agent is configured on a device to allow SNMP communication between itself and an SNMP manager. The SNMP manager periodically grabs the device's information from the SNMP agent. SNMP can gather an endless list of information from a network device, such as memory usage, CPU utilization, power supply usage, syslog messages, humidity sensors, and so on.

Most SNMP traffic is initiated by the SNMP manager, but SNMP traps can be configured on an SNMP agent to directly alert the management system of some type of abnormality, such as high CPU usage in a server or maxed-out bandwidth usage from an interface in a router. The information an SNMP trap transmits to alert an SNMP manager of a problem depends on what is defined in its Management Information Base (MIB). Some vendors offer a utility to create custom MIBs for SNMP agents for a particular device.

Orion NPM can use all three iterations of the SNMP protocol: Version 1, Version 2c, and Version 3. Versions 1 and 2c are still considered the de facto standards of SNMP by many and follow a simple community-based way of authentication using a defined IP port, community string, and/or a read/write community string. SNMPv3 builds on SNMPv2 and offers more robust security options.
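Because the community string in Versions 1 and 2c travels unencrypted inside every message, it is useful to know which devices still speak those versions so they can be moved to SNMPv3. The following added example (not part of the original text and not Orion code) decodes just enough of an SNMP datagram to report its version and whether a cleartext community field is present; the sample datagrams and the community `example-ro` are constructed placeholders.

```python
VERSIONS = {0: "v1", 1: "v2c", 3: "v3"}   # value of the version INTEGER on the wire

def read_tlv(buf, pos):
    """Decode one BER tag-length-value at pos; return (tag, value, next_pos)."""
    if pos + 2 > len(buf):
        raise ValueError("truncated TLV header")
    tag, length = buf[pos], buf[pos + 1]
    pos += 2
    if length & 0x80:                     # long form: low 7 bits count the length octets
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    if pos + length > len(buf):
        raise ValueError("truncated TLV value")
    return tag, buf[pos:pos + length], pos + length

def classify_snmp(datagram):
    """Return (version_label, community_in_cleartext) for one SNMP datagram."""
    tag, body, _ = read_tlv(datagram, 0)
    if tag != 0x30:
        raise ValueError("not an SNMP message (expected SEQUENCE)")
    tag, version, pos = read_tlv(body, 0)
    if tag != 0x02:
        raise ValueError("missing version INTEGER")
    label = VERSIONS.get(int.from_bytes(version, "big"), "unknown")
    next_tag, _, _ = read_tlv(body, pos)
    # v1/v2c place the community as a plain OCTET STRING (0x04) right after the version;
    # v3 places a header SEQUENCE (0x30) there instead.
    return label, label in ("v1", "v2c") and next_tag == 0x04

def tlv(tag, payload):
    """Encode a short-form TLV (payload under 128 bytes) for the samples below."""
    return bytes([tag, len(payload)]) + payload

# Constructed samples, not captured traffic.
_INT = lambda value: tlv(0x02, value)
GET_PDU = tlv(0xA0, _INT(b"\x01") + _INT(b"\x00") + _INT(b"\x00") + tlv(0x30, b""))
V2C_SAMPLE = tlv(0x30, _INT(b"\x01") + tlv(0x04, b"example-ro") + GET_PDU)
V3_HEADER_ONLY = tlv(0x30, _INT(b"\x03") + tlv(
    0x30, _INT(b"\x01") + _INT(b"\x05\xdc") + tlv(0x04, b"\x03") + _INT(b"\x03")))

if __name__ == "__main__":
    for name, sample in (("v2c sample", V2C_SAMPLE), ("v3 sample", V3_HEADER_ONLY)):
        print(name, classify_snmp(sample))
```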

SNMP agents are typically disabled by default and must be configured manually by an administrator. The best thing about SNMP is that it is found in virtually every single manageable network device and operating system on the planet, so it makes sense that Orion NPM would utilize SNMP extensively.

Windows Management Instrumentation (WMI)

WMI is a management framework built into all modern Windows operating systems that grants administrative visibility into almost every aspect of the Windows OS. Management applications or administrative scripts can be created to view or manipulate components of Windows using WMI in a variety of programming languages. The most common administrative scripts that take advantage of WMI are written in VBScript and Windows PowerShell. Applications such as SolarWinds Orion NPM can make programmatic WMI calls to a Windows computer to access direct information about the operating system such as its IP address, MAC address, SNMP information, event logs, active and non-active services, and more. WMI can gather the same type of information from a computer that an SNMP agent can. Microsoft has a built-in security model for WMI, so before you go querying data from a Windows computer you need to make sure you have the proper access on that computer to do so.

Internet Control Message Protocol (ICMP)

Internet Control Message Protocol is more affectionately referred to as ICMP, and it is one of the core protocols of the TCP/IP suite. ICMP allows network devices to send errors, control information, and informational messages to and from other network devices. PING, found in most operating systems, may be the most commonly used command-line tool that showcases the ICMP protocol.

Syslog

Syslog is another IETF-standardized protocol for event notification messages. It allows a network device to send event logs and event notifications to an event collection system, usually called a Syslog server or Syslog collector. Almost every network device and network server has its own internal logging system. Using syslog, it is possible to have a device automatically forward its event logs across the network to a Syslog server. Orion NPM has its own built-in Syslog server and stores retrieved syslog messages in its SQL Server database.
