Do you know what's on your network?
Published: 10 December 2007 11:28 GMT
You can't expect to have efficient systems unless you monitor them. But the trick is knowing what to monitor and then how to monitor it, says Stewart Baines.
It's 8pm on a Sunday night and for some unknown reason traffic in your computing infrastructure is deviating from normal. If it carries on, it's going to bring down a critical component of your network and cause a business process to fail. The question is, are you on top of it?
Effective system monitoring is one of the most necessary functions for an IT department but also one of the most difficult. Many companies don't even know what's on the network, much less understand what it's doing.
Effective asset management, using a combination of automated discovery and manual cataloguing, is a useful foundation for any monitoring project, although some forms of monitoring can be done without it.
An infrastructure can be monitored at different points, using different techniques. Plug an SNMP (simple network management protocol) or RMON (remote monitoring) agent into a node on the network to get an idea of what it's doing, or use network flow analysis to pick up information about what's being sent over the wire.
A PC will give systems management tools a certain amount of information back through the Windows management instrumentation (WMI) built into Windows, says David Solin, R&D solutions architect within the CTO's office at software vendor BMC.
WMI is Microsoft's implementation of the common information model published by industry consortium Desktop Management Task Force, and is the gateway for management tools to find out about a PC's status and potentially change it. However, you may still need a software agent for more detailed information, Solin says.
"It depends on what you're doing with the information down the road," explains Solin. "If you're just monitoring what's going on in the network then you could just go ahead and get the flow data. If you need to be able to monitor what's happening on devices and deploy new configurations, then you might want an agent."
Deeper insight
A software agent might help IT departments monitor the capacity of a RAID array, for example, or assess how many empty CPU cycles an underused server was burning through.
On the other hand, Bruce Potter, security expert and founder of security consultancy Ponte Technologies, says network flow analysis can reveal interesting things about how people and applications are using the network.
"Network flow analysis can look deeper into your network than a typical firewall can, without the unwieldy audit trail. Management and control sessions can be easily analysed to look for after-hours access that doesn't match normal usage patterns," Potter says, adding that administrators might be surprised to find out how much peer-to-peer and instant messaging traffic there is on their networks.
Systems management tools will often include the necessary monitoring functions to let IT managers view many different facets of a computing infrastructure, from the lower levels of the computing stack, where IP traffic is routed around, all the way up to the application layer, where software inputs can have a significant effect on system performance.
"In Unicenter [CA's systems management service], there are technologies that measure in great detail database performance, down to the level of identifying poorly-written SQL statements that are slowing down performance," says Simon Perry, CA's vice president for EMEA technical sales in security management. "It goes all the way down to the bread and butter about how a CPU is running."
Setting a baseline
Once an organisation has worked out what to monitor - and how - it can begin collecting data and establish a baseline, which represents normal operations in the area being monitored.
That baseline could cover capacity, performance or behaviour, or could be a record of an initial system configuration over time. The baseline may change and, depending on the volatility of the metric being measured, may have to be reassessed on an ongoing basis.
The baseline is important so that IT staff can detect anomalies and take the necessary action. It can also be used in areas such as capacity planning, explains Bob Alcorn, chief operating officer at data centre hosting company NFrame.
"We have a healthcare provider growing its storage area network requirements by a bunch of gigabytes per month," he says. "The same thing is true for a particular application - as you watch it, you may find yourself running out of memory. We look for those kinds of anomalies and provide it in a report card for the customers."
Effective monitoring will help a company fight immediate fires by raising the alert when parameters deviate from the norm. But it's also a useful way to build up a longer-term picture of how an infrastructure's operational requirements are evolving - and what must be done to meet them.
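The baseline-and-deviation approach described above, applied to the after-hours management access Potter mentions, as an added example that is not from the article or any vendor named in it. The flow record format, addresses, the choice of management ports and the threshold (mean plus k times the spread, with the spread floored at 10% of the mean) are all assumptions made for illustration.

```python
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

MGMT_PORTS = {22, 23, 161, 3389}  # assumption: SSH, Telnet, SNMP, RDP count as management

def parse_flow(line):
    """Parse one constructed record: 'ISO-time src dst dport bytes'."""
    ts, src, dst, dport, nbytes = line.split()
    return datetime.fromisoformat(ts), src, dst, int(dport), int(nbytes)

def build_baseline(flows):
    """Learn each source's usual management hours and per-hour volume (mean, stddev)."""
    mgmt_hours = defaultdict(set)
    hourly = defaultdict(lambda: defaultdict(int))  # hour of day -> date -> bytes
    for ts, src, _dst, dport, nbytes in flows:
        if dport in MGMT_PORTS:
            mgmt_hours[src].add(ts.hour)
        hourly[ts.hour][ts.date()] += nbytes
    volume = {h: (mean(d.values()), pstdev(d.values())) for h, d in hourly.items()}
    return mgmt_hours, volume

def find_anomalies(flows, baseline, k=3.0):
    """Flag management sessions at unseen hours and hourly volume above mean + k * spread."""
    mgmt_hours, volume = baseline
    alerts, totals = [], defaultdict(int)
    for ts, src, dst, dport, nbytes in flows:
        totals[(ts.date(), ts.hour)] += nbytes
        if dport in MGMT_PORTS and ts.hour not in mgmt_hours.get(src, set()):
            alerts.append(("after-hours-mgmt", src, dst, dport, ts.hour))
    for (day, hour), total in sorted(totals.items()):
        mu, sigma = volume.get(hour, (0.0, 0.0))
        if total > mu + k * max(sigma, 0.1 * mu, 1.0):
            alerts.append(("volume", str(day), hour, total))
    return alerts

# Constructed sample data (not real traffic): a working week of history, then a Sunday.
HISTORY = [parse_flow(f"2007-12-0{d}T{h:02d}:15:00 10.0.0.5 10.0.1.10 22 40000")
           for d in range(3, 8) for h in (9, 14)]
HISTORY += [parse_flow(f"2007-12-0{d}T20:05:00 10.0.0.8 10.0.1.20 80 {100000 + d * 1000}")
            for d in range(3, 8)]
SUNDAY = [parse_flow(line) for line in (
    "2007-12-09T09:10:00 10.0.0.5 10.0.1.10 22 41000",   # usual hour, usual size
    "2007-12-09T20:01:00 10.0.0.5 10.0.1.10 22 52000",   # SSH at an hour never seen
    "2007-12-09T20:02:00 10.0.0.8 10.0.1.20 80 900000",  # well above the 20:00 norm
)]
if __name__ == "__main__":
    for alert in find_anomalies(SUNDAY, build_baseline(HISTORY)):
        print(alert)
```

Because the baseline can drift, as the article notes, `build_baseline` would be re-run over a rolling window of recent history rather than computed once.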