“Write an article called ‘Getting Started with Splunk.’”
I reply:
“What, you think I know all this stuff? This really would be a getting started article.”
But here it is and WOW is Splunk cool!
My only experience with Splunk up to a couple days ago was seeing a T-shirt with “Log is my copilot”. I knew it had something to do with gathering log files and making them easier to read and search. In about an hour I had gone to Splunk’s website to research the product, downloaded and installed it, and started viewing logs from my own system. The Splunk folks have made getting their product into their customer’s hands easy and getting started even easier.
What is Splunk?
Simply put, Splunk can gather just about any kind of data that goes into a log (system logs, website metrics, etc.) into one place and make viewing that data easy. It’s accessed via web browser so it’s accessible on any computer or mobile device such as an iPad.
What do I need to run Splunk?
Practically any common operating system today can run Splunk: Mac OS X, Linux, Windows, FreeBSD and more.
How much does Splunk cost?
Don’t worry about that right now. Download and install the free version. It takes minutes to install and is a no-brainer. Let’s get started.
Getting Splunk
IT managers and directors may be interested in watching the introductory and business case videos with the corporate speak (“operational intelligence” anyone?) and company endorsements. Techs will be interested in getting started. Right on their home page is a big green Free Download button. Go there, click it and locate the downloader for your OS of choice. I downloaded the Mac OS X 10.7 installer to test (and installed it on OS X 10.8 without any issues).
This does require a sign-up to create an account. It takes less than a minute to complete. After submitting the information the 100 MB download begins right away.
While waiting for the download…
When the download is on its way the Splunk folks kindly redirect to a page with some short videos to watch while waiting. Watch this first one called Getting data into Splunk. It’s only a few minutes and this is the first thing to do after getting into Splunk.
Installing and starting Splunk
The download arrives as a double-clickable Apple Installer package. Double-click and install it. Toward the end it opens a simple TextEdit window with instructions for how to start, stop and access the newly installed Splunk site.
Files are installed in /Applications/splunk and resemble a UNIX file system.
Open the Terminal application found in /Applications/Utilities and run the command /Applications/splunk/bin/splunk start. If this is the first time running Splunk it prompts to accept its license agreement. Tap the spacebar to scroll through and read the agreement or type “q” to quit and agree to the license.
Accepting the agreement continues to start Splunk where it displays some brief setup messages.
The setup then provides the local HTTP address for the newly installed Splunk site. Open this in a web browser to get to the login screen. The first login requires that the administrator account password be reset.
Following along with the Getting data into Splunk video, Splunk will need some information. Mac OS X stores its own log files. Let’s point to those.
Click the Add Data link to begin.
Since Mac OS X’s log files are local to the machine, click A file or directory of files.
Click Next to specify local files.
This opens a window that exposes not only Mac OS X’s visible folders but its invisible folders as well. Browse to /var/log/system.log and click the Select button.
For now, opt to skip previewing the log file and click Continue.
Now, let’s opt to monitor not only the system.log file but the entire /var/log folder containing dozens of other log files as well. Note that Splunk can watch rotated and zipped log files too. Click Save to finish adding logs.
Let’s start searching!
The Search window initially displays a list of all logs Splunk is monitoring. To narrow the search change the time filter drop down menu to Last 60 minutes. This will make the results a little easier to see on a system that’s only been running a short while.
Now, search for install*. Splunk will only search for the word “install” without providing the asterisk as a wildcard character. Splunk supports not only wildcard searches but booleans, parentheses, quotes, etc. It will return every instance recorded in the logs that matches the search criteria. It also creates an interactive bar chart along the top of the page to indicate the number of occurrences found for the search at particular times.
To further refine the search, Option+click most any word in the log entries below and Splunk will automatically add the necessary syntax to remove an item. In this case the install* search returned install, installer and installd. Option+clicking installd changed the search criteria to install* NOT installd.
Now what?
Continue exploring the videos to understand Splunk’s possibilities and take advantage of its Splunk Tutorial, which is available online as well as in PDF format for offline viewing. They do a great job leading users through setup and creating reports.
Still asking about price? Good.
The free version remains free but doesn’t include many features that really make it sing such as monitoring and alerts, multiple user accounts and support beyond the Splunk website. Cost depends primarily on the amount of data you want to suck into Splunk and have it watch. It’s not cheap but for an enterprise needing to meet certain service level requirements it beats browsing through multiple servers trying to find the right log with the right information.
FYI, putting together this 1,000-word article probably took me 10 times longer than performing the Splunk install itself and beginning to learn it. It’s really well-done and easy to use. Splunk makes getting started simple.
If you ever find yourself in the unfortunate situation of having to recover a corrupted SharePoint server fear not! What used to be a manual and very tedious process is now quite manageable with a little bit of code and basic knowledge of SharePoint server.
The reason that this process can be so tricky is because SharePoint stores all it’s files in a SQL database and while that provides much more functionality than a straight file server it also increases the complexity of backing up and recovering files located within it.
Luckily, there is a small script that can be run on the server that exports all data within a SharePoint database. The following are the steps you can use to recover your documents from a crashed SharePoint server.
Here are the basic steps to getting your docs.
Backup your database(s)
Create a temp database in your default SQL containter
The first thing you’ll need to do is open up your SQL Manager and create a backup of the DB you’re wanting to save. Normally you need to connect to \\.\pipe\MSSQL$Microsoft##ssee\sql\query and then you’ll see the correct SharePoint databases. In this example, the database is called STS_SERVER_1 but yours will likely be different. Right click this database and back it up to a single file. Telling it to go to 2 backup files can cause problems.
Step 2:
Close and reopen the SQL Manager but this time connect to the default server. In my case it is “Server\SQLEXPRESS” Once inside here navigate to databases, right click and then hit restore. I named my database “TEMP_DB” but feel free to name it whatever you like. Select the backup file you just created and start the restore.
Step 3:
Download this code to your desktop and save it as spdbex.cs. You’ll need to change 2 variables inside the code. Look for this part near the top of the code.
Assuming everything went ok you should be able to just type in the program name and then you’ll be good to go. This will put all files that were stored in your SharePoint database into the current folder and sub folder.
Note: Meta data and file versions are not preserved during this restore.
When approaching a task with an inkling to automate, sometimes you find an open source project that fits the bill. But the creator will work within constraints, and often express their opinion of what’s important to ‘solve’ as a problem and therefore prioritize on: a deployment tool is not necessarily a patch management tool is not necessarily a configuration management tool, and so on. One of the things I’ve dealt with is trying to gauge the intent of a developer and deciding if they are interested in further discussion/support/development of a given project. Knowing why one decision was made or another can be helpful in these situations. In that category of things I wish someone could have written so I could read it, here’s the design decisions behind the sonOfBackupRestoreScripts project I’ve been toying with as an add-on to DeployStudio(heretofore DS), which you can hopefully understand why I am not releasing as an official, supportable tool in it’s current bash form after reading the following.
I’ve adapted some of the things Google used in their outline for Simian as a model, to give this some structure.
Project Objective:
To move user home folders and local authentication/cached credentials between workstations in a customizable and optimized manner, preserving the integrity of the data/user records as much as possible
Overview:
For speed and data integrity, rsync is used to move selections of the users home folder(minus caches, trash, and common exclusions made by Time Machine). To increase portability and preserve mac-specific attributes, a disk image is generated to enclose the data. The user account information is copied separately and helpful information is displayed at the critical points as it moves from one stage to another and during the backup itself.
Requirements: DeployStudio Server / NetBoot
DS, as a service, enables an infrastructure to run the script in, and automounts a repository to interact with over the network. Meant to work optimally with or without a NetBoot environment, an architecture assumption being made during development/testing is wired ethernet, with the use of USB/Thunderbolt adapters if clients are MacBook Airs. Even old minis can function fine as the server, assuming the repo is located on a volume with enough space available to accept the uncompressed backups.
Implementation Details: Major Components / Underlying Programs
- source/destination variables
Parameters can be passed to the script to change the source/destination of backups/restores with the -s(for source) and -d(…) switches and then a path that is reachable by the NetBooted system.
- hdiutil
A simple sparsediskimage is created which can expand up to 100GBs with the built-in binary hdiutil. The file system format of that container is JHFS+, and a bunch of other best practices, cobbled together from Bombich’s Carbon Copy Cloner(heretofore CCC) and InstaDMG, are employed.
- cp
The cp binary is used to just copy the user records from the directory service the data resides on to the root of the sparseimage, and the admin group’s record is copied into a ‘group’ folder. If hashes exist in /var/db/shadow/hash, which is how passwords were stored previous to 10.7, those are moved to a ‘hashes’ folder.
- rsync
A custom, even more current build of rsync could be generated if the instructions listed here are followed. Ideally, a battle-tested version like the one bundled with CCC’s ccc_helper.app (/Applications/Carbon\ Copy\ Cloner.app/Contents/MacOS/ccc_helper.app/Contents/MacOS/rsync, which is actually a heavily customized rsync version 3.0.6) could be used, but it’s output isn’t easy to adapt and see an overview of the progress during a CLI transfer. Regardless, the recommended switches are employed in hopes to get a passing grade on the backupBouncer test. The 3.0.7 version bundled with DS itself (/Applications/Utilities/DeployStudio\ Admin.app/Contents/Frameworks/DSCore.framework/Versions/A/Resources/Tools/rsync, which for whatever reason is excluded when the assistant creates NetBoot sets) was used during development/testing.
-Exclusions
The Users folder on the workstation that’s being backed up is what’s targeted directly, so any users that have been deleted or subfolders can be removed with the exclusions file fed to the rsync command, and without catch-all, asterisk(*) ‘file globbing’, you’d need to be specific about certain types of files you want to exclude if they’re in certain directories. For example, to not backup any mp3 files, no matter where they are in the user folders being backed up, you’d add - *.mp3 Additional catch-all excludes could be used, as detailed in the script, which specifically excludes ipsw’s(iOS firmware/OS installers) like this: --exclude='*.ipsw'
-Restore
Pretty much everything done via both rsync and cp are done in reverse, utilizing the source/destination options, so a backup taken from one machine can easily be chosen to restore to another.
Security Considerations:
Very little security is applied during storage. Files are transferred over password-protected AFP, so a separate server and repo could be used to minimize potential access by whoever can access the main DS service. Nothing encrypts the files inside the sparseimages, and if present, the older password format is a hash that could potentially be cracked over a great length of time. The home folder ACL’s and ownership/perms are preserved, so in that respect it’s secure according to whoever has access to the local file systems on the server and client.
Excluded/Missing Features:
(Don’t You Wish Every Project Said That?)
Hopefully this won’t sound like a soul-bearing confession, but here goes:
No checks are in place if there isn’t enough space on destinations, nor if a folder to backup is larger than the currently hard-coded 100GB sparseimage cap (after exclusions.) Minimal redirection of logs is performed, so the main DS log can quickly hit a 2MB cap and stop updating the DS NetBoot log window/GUI if there’s a boatload of progress echo’d to stdout. The process to restore a users admin group membership(or any other group on the original source) is not performed, although the group’s admin.plist can be queried after the fact. Nor is there even reporting on Deleted Users orphaned home folders if they do actually need to be preserved, by default they’re just part of the things rsync excludes. All restrictions are performed in the Excludes.txt file fed to rsync, so it cannot be passed as a parameter to the script.
And the biggest possible unpleasantness is also the #1 reason I’m not considering continuing development in bash: UID collisions. If you restore a 501 user to an image with a pre-existing 501 user that was the only admin… bad things will happen. (We’ve changed our default admin user’s UID as a result.) If you get lucky, you can change one user’s UID or the other and chown to fix things as admin before all heck breaks lose… If this isn’t a clean image, there’s no checking for duplicate users with newer data, there’s no filevault1 or 2 handling, no prioritization so if it can only fit a few home folders it’ll do so and warn about the one(s) that wouldn’t fit, no version checking on the binaries in case different NetBoot sets are used, no fixing of ByHostPrefs(although DS’s finalize script should handle that), no checks with die function are performed if the restore destination doesn’t have enough space, since common case is restoring to same HD or a newer, presumably larger computer. Phew!
Wrapup:
The moral of the story is that the data structures available in most of the other scripting languages are more suited for these checks and to perform evasive action, as necessary. Bash does really ungainly approximations of tuples/dictionaries/hash tables, and forced the previous version of this project to perform all necessary checks and actions during a single loop per-user to keep things functional without growing exponentially longer and more complex.
Let’s look forward to the distant future when this makes it’s way into Python for the next installment in this project. Of course I’ve already got the name of the successor to SonOfBackupRestoreScripts: BrideOfBackupRestoreScripts!
318 Inc. CTO Charles Edge and Solutions Architect alumni Zack Smith were back at the MacSysAdmin Conference in Sweden again this year, and the slides and videos are now available! All the 2012 presentations can be found here, and past years are at the bottom of this page.
Avid Unity environments are still common these days because the price for Avid’s ISIS SAN is tremendously high. While a Unity typically started anywhere from $50,000 to $100,000, a typical ISIS starts around the same price even though the ISIS is based on more typical, less expensive commodity hardware. The ISIS is based on common gigabit networking, whereas the Unity is based on fibre channel SCSI.
Avid Unity systems come in two flavors. Both can be accessed by fibre channel or by gigabit ethernet. The first flavor is all fibre channel hardware. The second uses a hardware RAID card in a server enclosure with a sixteen drive array and shares that storage over fibre channel and/or gigabit ethernet.
Components in a fibre channel only Unity can be broken down so:
Avid Unity clients
Fibre channel switch
Fibre channel storage
Avid Unity head
Components in a chassis-based Unity are:
Avid Unity clients
Fibre channel switch
Avid Unity controller with SATA RAID
The fibre channel only setup can be more easily upgraded. Because such setups are generally older, they typically came with a 2U rackmount dual Pentium 3 (yes, Pentium 3!) server. They use a 2 gigabit ATTO fibre channel card and reliability can be questionable after a decade.
The Unity head can be swapped for a no-frills Intel machine (AMD doesn’t work, and there’s not enough time in the world to figure out why), but one must take care to be careful about video drivers. Several different integrated video chips and several video cards have drivers which somehow conflict with Unity software, so sometimes it’s easier to simply not install any drivers since nothing depends on them. The other requirements / recommendations are a working parallel port (for the Unity dongle), a PCIe slot (for a 4 gigabit ATTO fibre channel card) and 4 gigs of memory (so that Avid File Manager can use a full 3 gigabytes).
The fibre channel switch is typically either a 2 gigabit Vixel switch or a 4 gigabit Qlogic 5200 or 5600 switch. The older Vixel switches have a tendency to fail because there are little heat sinks attached to each port chip which face downward, and after a while sometimes a heat sink or two fall off and the chip dies. Since Vixel is not in business, the only replacement is a Qlogic.
The fibre channel storage can be swapped for a SATA-fibre RAID chassis so long as the chassis supports chopping up RAID sets into many smaller logical drives on separate LUNs. Drives which Avid sells can be as large as 1 TB if using the latest Unity software, so dividing up the storage into LUNs no larger than 1 TB is a good idea.
Changing storage configuration while the Unity has data is typically not done due to the complexity and lack of proper understanding of what it entails. If it’s to be done, it’s typically safer to use a client or multiple clients to back up all the Unity workspaces to normal storage, then reconfigure the Unity’s storage from scratch. If that is what is done, that’s the best opportunity to add storage, change from fibre channel drives to RAID, take advantage of RAID-6, et cetera.
Next up is how Avid uses storage. The Unity essentially thinks that it’s given a bunch of drives. Drives cannot easily be added, so the only time to change total storage is when the Unity will be reconfigured from scratch.
The group of all available drives is called the Data Drive Set. There is only one Data Drive Set and it has a certain number of drives. You can create a Data Drive Set with different sized drives, but there needs to be a minimum of four drives of the same size to make an Allocation Group. Spares can be added so that detected disk failures can trigger a copy of a failing drive to a spare.
Once a Data Drive Set is created, the File Manager can be started and Allocation Groups can be created. The reasoning behind Allocation Groups is so that groups of drives can be kept together and certain workspaces can be put on certain Allocation Groups to maximize throughput and/or I/O.
There are pretty much two different families of file access patterns. One is pure video streaming which is, as one might guess, just a continuous stream of data with very little other file I/O. Sometimes caching parameters on fibre-SATA RAID are configured to have large video-only or video-primary drive sets (sets of logical volumes cut up from a single RAID set) are set to optimize streams. The other file access pattern would be handling lots of little files such as audio, stills, render files and project files. Caching parameters set for optimizing lots of small random file I/O can show a noticeable improvement, particularly for the Allocation Group which has the workspace on which the projects are kept.
Workspaces are what they sound like. When creating a workspace, you decide which Allocation Group that workspace will exist. Workspaces can be expanded and contracted even while clients are actively working in that workspace. The one workspace which matters most when it comes to performance is the projects workspace. Because Avid projects tend to have hundreds or thousands of little files, an overloaded Unity can end up taking tens of seconds to simply open a bin in Media Composer which will certainly affect editors trying to work. The Attic is kept on the projects workspace, too, unless explicitly set to a different destination.
Although Unity systems can have ridiculously long uptimes, like any filesystem there can be problems. Sometimes lock files won’t go away when they’re supposed to, sometimes there can be namespace collisions, and sometimes a Unity workspace can simply become slow without explanation. The simplest way to handle filesystem problems, especially since there are no filesystem repair tools, is to create a new workspace, copy everything out of the old workspace, then delete the old workspace. Fragmentation is not checkable in any way, so this is a good way to make a heavily used projects workspace which has been around for ages a bit faster, too.
Avids have always had issues when there are too many files in a single directory. Since the media scheme on Avids involves Media Composer creating media files in workspaces on its own, one should take care to make sure that there aren’t any single directories in media workspaces (heck, any workspaces) which have more than 5,000 files. Media directories are created based on the client computer’s name in the context of the Unity, so if a particular media folder has too many items, that folder can be renamed to the same name with a “-1″ at the end (or “-(n+1)”).
Avid has said that the latest Media Composer (6.0.3 at the time of this writing) is not compatible with the latest Unity client (5.5.3). This is not true and while certain exotic actions might not work well (uncompressed HD, large number of simultaneous multicam, perhaps), all basic editing functions work just fine.
Finally, it should be pointed out that when planning ways to back up Unity workspaces, Windows clients are bad candidates. Because of the limitation on the number of simultaneously mounted workspaces being dependent on the number of drive letters available, Windows clients can only back up at most 25 workspaces at a time. Macs have no limitation on the number of workspaces they can mount simultaneously, plus Macs have rsync built in to the OS, so they’re a more natural candidate for performing backups.
A joint project of the International Association of Chiefs of Police
and
The United States Secret Service
Recognizing Potential Evidence:
Computers and digital media are increasingly involved in unlawful activities. The computer may be contraband, fruits of the crime, a tool of the offense, or a storage container holding evidence of the offense. Investigation of any criminal activity may produce electronic evidence. Computers and related evidence range from the mainframe computer to the pocket-sized peronal data assistant, to the smallest electronic chip storage device. Images, audio, text, and other data on these media can be easily altered or destroyed. It is imperative that investigators recognize, protect, seize and search such devices in accordance with applicable statutes, policies and best practices, and guidelines.
Answers to the following questions will better determine the role of the computer in the crime:
Is the computer contraband or fruits of a crime?
For example, was the computer software or hardware stolen?
Is the computer system a tool of the offense?
For example, was the system actively used by the defendant to commit the offense? Were fake IDs or other counterfeit documents prepared using the computer, scanner, or printer?
Is the computer system only incidental to the offense, i.e., being used to store evidence of the offense?
For example, is a drug dealer maintaining his trafficking records in his computer?
Is the computer system both instrumental to the offense and a storage device for the evidence?
For example, did the computer hacker use her computer to attack other systems and also use it to store stolen credit card information?
Once the computer’s role is known and understood, the following essential questions should be answered:
Is there probable cause to seize the hardware?
Is there probable cause to seize the software?
Is there probable cause to seize the data?
Where will this search be conducted?
For example, is it practical to search the computer system on site or must the examination be conducted at a field office or lab?
If Law Enforcement officers remove the computer system from the premises, to conduct the search, must they return the computer system, or copies of the seized data, to its owner/user before trial?
Considering the incredible storage capacities of computers, how will experts search this data in an efficient and timely manner?
Preparing For The Search and/or Seizure
Using evidence obtained from a computer in a legal proceeding requires:
Probable cause for issuance of a warrant or an exception to the warrant requirement.
CAUTION: If you encounter potential evidence that may be outside of the scope of your existing warrant or legal authority, contact your agency’s legal advisor or the prosecutor as an additional warrant may be necessary.
Use of appropriate collection techniques so as not to alter or destroy evidence.
Forensic examination of the system completed by trained personnel in a speedy fashion, with expert testimony available at trial.
Conducting The Search and/or Seizure
Once the computers role is understood and all legal requirements are fulfilled:
1. Secure The Scene
Officer Safety is Paramount.
Preserve Area for Potential Fingerprints.
Immediately Restrict Access to Computers/Systems; Isolate from Phone, Network, as well as Internet, because data can be accessed remotely on the system in question.
2. Secure The Computer As Evidence
If the computer is powered “OFF”, DO NOT TURN IT ON, under any circumstances!
If the computer is still powered “ON”…
Stand-alone computer (non-networked):
Photograph screen, then disconnect all power sources; Unplug from back of computer first, and then proceed to unplug from outlet. System may be connected to a UPS which would prevent it from shutting off.
Place evidence tape over each drive slot.
Photograph/Diagram and label back of computer components with existing connections.
Label all connectors/cable ends to allow for reassembly, as needed.
If transport is required, package components and transport/store components always as fragile cargo.
Keep away from magnets, radio transmitters, and otherwise hostile environments.
Networked or Business Computers: Consult a Computer Specialist for Further Assistance!
Pulling the plug on a networked computer could severely damage system.
Disrupt legitimate business.
Create liability for investigators or law enforcement personnel.
DISCLOSURE:
THIS TECH JOURNAL ENTRY BY 318, INC. IS FOR REFERENCE ONLY.
THIS DOCUMENT SHOULD NOT BE USED VERBATIM TO CONDUCT ACTIVE FORENSIC INVESTIGATIONS NOR BE USED AS A LEGAL PRECEDENT OR REPLACEMENT FOR ESTABLISHED FORENSIC PRACTICES ESTABLISHED IN YOUR JURISDICTION. PLEASE FOLLOW PROPER LEGAL AND FORENSIC INVESTIGATION PROCEDURES AS ESTABLISHED BY YOUR CITY, COUNTY, AND STATE!
318, INC. SHALL NOT BE HELD LIABLE. USE OF THIS DOCUMENT IS AT YOUR OWN RISK!
In our last episode spelunking a particularly shallow trough of bash goodness, we came across dollar sign substitution, which I said mimics some uses of regular expressions. Regex’s are often thought of as thick or dense with meaning. One of my more favorite descriptions goes something like, if you measured each character used in code for a regex in cups of coffee, you’d find the creators of this particular syntax the most primo, industrial-strength-caffeinated folks around. I’m paraphrasing, of course.
Now copy-pasta-happy, cargo-culting-coders like myself tend to find working code samples and reuse salvaged pieces almost without thinking, often recognizing the shape of the lines of code more than the underlying meaning. Looping back around to dollar sign substitution, we can actually interpret this commonly used value, assigned to a variable meaning the name of the script: ${0##*/}
Okay children, what does it all mean? Well, let’s start at the very beginning(a very good place to start): ${0}The dollar sign and curly braces force an evaluation of the symbols contained inside, often used for returning complex series of variables. As an aside, counting in programming languages starts with zero, and each space-separated part of the text is defined with a number per place in the order, also known as positional parameters. The entire path to our script is given the special ‘seat’ of zero, so this puts the focus on that zero position.
Regrouping quickly, our objective is to pull out the path leading up to the script’s name. So we’re essentially gathering up all the stuff up to and including the last forward slash before our scripts filename, and chuckin’ them in the lorry bin. ${0##*}To match all of the instances of a pattern, in our case the forward slashes in our path, we double up the number signs(or pound sign for telcom fans, or hash for our friends on the fairer side of the puddle.) This performs a “greedy” match, gobbling up all instances, with a star “globbing”, to indiscriminately mop up any matching characters encountered along the way. ${0##*/}Then we cap the whole mess off by telling it to stop when it hits the last occurrence of a character, in this case forward slash. And that’s that!
Pardon the tongue-in-cheek tone of this quick detour into a bash-style regex-analogue… but to reward the masochists, here’s another joke from Puppet-gif-contest-award-winner @pmbuko:
Email from a linux user: “Slash is full.” I wanted to respond: “Did he enjoy his meal?”
Previously in our series on commonly overlooked things in bash, we spoke about being specific with the binaries our script will call, and mentioned conventions to use after deciding what to variable-ize. The rigidity and lack of convenience afforded by bash starts to poke through when we’re trying to abstract re-usable inputs through making them into variables, and folks are commonly tripped up when trying to have everything come out as intended on the other side, when that line runs. You may already know to put quotes around just about every variable to catch the possibility of spaces messing things up, and we’re not even touching on complex ‘sanitization’ of things like non-roman alphabets and/or UTF-8 encoding. Knowing the ‘order of operation expansion’ that the interpreter will use when running our scripts is important. It’s not all drudgery, though, as we’ll uncover features available to bash that you may not have realized exist.
For instance, you may know curly braces can be used did you know there’s syntax to, for example, expand to multiple extensions for the same filenames by putting them in curly braces, comma-separated? An interactive example(with set -x) cp veryimportantconfigfile{,-backup} + cp veryimportantconfigfile veryimportantconfigfile-backup
That’s referred to as filename (or just) brace expansion, and is the first in order of the (roughly) six types of expansion the bash interpreter goes through when evaluating lines and ‘token-ized’ variables in a script.
Since you’re CLI-curious and go command line (trademark @thespider) all the time, you’re probably familiar with not only that you can use tilde(~) for a shortcut to the current logged-in users home directory, but also that just cd alone will assume you meant you wanted to go to that home directory? A users home gets a lot of traffic, and while the builtin $HOME variable is probably more reliable if you must include interaction with home directories in your script, tilde expansion (including any subdirectories tagged to the end) is the next in our expansion order.
Now things get (however underwhelmingly) more interesting. Third in the hit parade, each with semi-equal weighting, are
a. the standard “variable=foo, echo $variable” style ‘variable expressions’ we all know and love,
b. backtick-extracted results of commands, which can also be achieved with $(command) (and, worse came to worse, you could force another expansion of a variable with the eval command)
c. arithmetic expressions (like -gt for greater than, equal, less than, etc.) as we commonly use for comparison tests,
and an interesting set of features that are actually convenient (and mimic some uses of regular expressions), called (misleadingly)
$. dollar sign substitution. All of the different shorthand included under this category has been written about elsewhere in detail, but one in particular is an ad-hoc twist on a catchall that you could use via the ‘shell options’, or shopt command(originally created to expand on ‘set‘, which we mentioned in our earlier article when adding a debug option with ‘set -x‘). All of the options available with shopt are also a bit too numerous to cover now, but one that you’ll see particularly strict folks use is ‘nounset‘, to ensure that variables have always been defined if they’re going to be evaluated as the script runs. It’s only slightly confusing that a variable can have an empty string for a value, which would pass this check. Often, it’s the other way around, and we’ll have variables that are defined without being used; the thing we’d really like to look out for is when a variable is supposed to have a ‘real’ value, and the script could cause ill affects by running without one – so the question becomes how do we check for those important variables as they’re expanded?
A symbol used in bash that will come up later when we cover getopt is the colon, which refers to the existence of an argument, or the variables value (text or otherwise) that you’d be expecting to have set. Dollar sign substitution mimics this concept when allowing you to ad hoc check for empty (or ‘null’) variables by following a standard ‘$variable‘ with ‘:?’ (finished product: ${variable:?})- in other words, it’s a test if the $variable expanded into a ‘real’ value, and it will exit the script at that point with an error if unset, like an ejector seat.
Moving on to the less heavy expansions, the next is… command lookups in the run environments PATH, which are evaluated like regular(western) sentences, from left to right.
As it traipses along down a line running a command, it follows that commands rules regarding if it’s supposed to expect certain switches and arguments, and assumes those are split by some sort of separation (whitespace by default), referred to as the Internal Field Separator. The order of expansion continues with this ‘word splitting’.
And finally, there’s regular old pathname pattern matching – if you’re processing a file or folder in a directory, it find the first instance that matches to evaluate that – pretty straightforward. You may notice we’re often linking to the Bash Guide for Beginners site, as hosted by The Linux Documentation Project. Beyond that resource, there’s also videos from 2011(iTunesU link) and 2012(youtube) Penn State Mac Admins conference on this topic if you need a refresher before we forge ahead for a few more posts.
The default shell for Macs has been bash for as long as some of us can remember(as long as we forget it was tcsh through 10.2.8… and before that… there was no shell, it was OS 9!) Bash as a scripting language doesn’t get the best reputation as it is certainly suboptimal and generally unoptimized for modern workflows. To get common things done you need to care about procedural tasks and things can become very ‘heavy’ very quickly. With more modern programming languages that have niceties like API’s and libraries, the catchphrase you’ll hear is you get loads of functionality ‘for free,’ but it’s good to know how far we can get, and why those object-oriented folks keep telling us we’re missing out. And, although most of us are using bash every time we open a shell(zsh users probably know all this stuff anyway) there are things a lot of us aren’t doing in scripts that could be better. Bash is not going away, and is plenty serviceable for ‘lighter’, one-off tasks, so over the course of a few posts we’ll touch on bash-related topics.
Some things even a long-time scripter may easily overlook is how we might set variables more smartly and _often_, making good decisions and being specific about what we choose to variable-ize. If the purpose of a script is to customize things in a way that’s reusable, making a variable out of that customization (say, for example, a hostname or notification email address) allows us to easily re-set that variable in the future. And in our line of work, if you do something once, it is highly probable you’ll do it again.
Something else you may have seen in certain scripts is the PATH variable being explicitly set or overridden, under the assumption that may not be set in the environment the script runs in, or the droids binaries we’re looking for will definitely be found once we set the path directories specifically. This is well-intentioned, but imprecise to put it one way, clunky to put it another. Setting a custom path, or having binaries customized that could end up interacting with our script may cause unintended issues, so some paranoia should be exhibited. As scientists and troubleshooters, being as specific as possible always pays returns, so a guiding principle we should consider adopting is to, instead of setting the path and assuming, make a variable for each binary called as part of a script.
Now would probably be a good time to mention a few things that assist us when setting variables for binaries. Oh, and as conventions go, it helps to leave variable names that are set for binaries as lowercase, and all caps for the customizations we’re shoving in, which helps us visually see only our customized info in all caps as we debug/inspect the script and when we go in to update those variables for a new environment. /usr/bin/which tells us what is the path to the binary which is currently the first discovered in our path, for example ‘which which’ tells us we first found a version of ‘which’ in /usr/bin. Similarly, you may realize from its name what /usr/bin/whereis does. Man pages as a mini-topic is also discussed here. However, a more useful way to tell if you’re using the most efficient version of a binary is to check it with /usr/bin/type. If it’s a shell builtin, like echo, it may be faster than alternatives found at other paths, and you may not even find it necessary to make a variable for it, since there is little chance someone has decided to replace bash’s builtin ‘cd’…
The last practice we’ll try to spread the adoption of is using declare when setting variables. Again, while a lazy sysadmin is a good sysadmin, a precise one doesn’t have to worry about as many failures. A lack of portability across shells helped folks overlook it, but this is useful even if it is bash-specific. When you use declare and -r for read-only, you’re ensuring your variable doesn’t accidentally get overwritten later in the script. Just like the tool ‘set’ for shell settings, which is used to debug scripts when using the xtrace option for tracing how variables are expanded and executed, you can remove the type designation from variables with a +, e.g. set +x. Integers can be ensured by using -i (which frees us from using ‘let’ when we are just simply setting a number), arrays with -a, and when you need a variable to stick around for longer than the individual script it’s set in or the current environment, you can export the variable with -x. Alternately, if you must use the same exact variable name with a different value inside a nested script, you can set the variable as local so you don’t ‘cross the streams’. We hope this starts a conversation on proper bash-ing, look forward to more ‘back to basics’ posts like this one.
The Luggage is shaping up to be the go-to packaging software for Mac Admins. Getting started can be daunting for some, though, so I’ve narrated a video taking you through the steps required to set it up. Not included:
- Getting a Mac developer.apple.com account (while this process can mostly be done for free, it’s the best and easiest way if you do have access)
- Downloading the tools from the Mac Dev Center (Command Line Tools and Auxiliary Tools for Xcode)
- Choosing your favorite text editor (no emacs vs vi wars, thanks)
Did your Office 2010 DVD go missing? Let’s see, you open the drawer it’s supposed to be in and an evil Gremlin jumps out at you, using broken pieces of the DVD as shanks flying this way and that, trying to cut your eyes out! Well, we tried to tell you not to feed the cute little guys… Or maybe it got scratched while being prodded by aliens who abducted it to try and steal Microsoft’s source code. Maybe it’s just stuck inside that huge Lego castle that you just can’t bring yourself to tear down to get at it…
Whatever the problem, fret not (once you seek medical attention for the fireball that crashed to Earth, burning just your disk or escape from the black hole that sucked your DVD into a vortex, miraculously leaving that New Kids on the Block CD in the place of your disk)! Microsoft has a solution for you. To download a fresh, new file that you can burn to a DVD, just go to this site and enter your serial number:
It was the pleasure of two 318′ers to attend and present at PSU Mac Admins Conference last month, and lickety-split, the videos have been made available! (Slides should appear shortly.) Not only can you pass the time away with on-demand streaming from YouTube, you can also download them for offline access (like the plane) at the iTunesU channel. Enjoy the current most popular video!
As the bucket-loads of package providers in Puppet may lead you to believe, if we do not study history we are doomed to repeat it. Or more to the point, there is no shortage of projects focused on solving the same ‘how do I get the bits of code I want to execute on a machine installed’ issue. Mac Sysadmins have used Fink and (originally named DarwinPorts) MacPorts to acquire various open source software and unix tools not bundled with the operating system. A disadvantage many people found in those projects was the reliance on developer tools and compile time to actually go through the build-from-source process, which brings us to the news that was brought to our attention this weekend, via the Twitter: MacPorts now hosts pre-built archives for Lion, which are used automatically when available. There are a few caveats (e.g. it would only be available to the projects with compatible licensing), but this functionality was added for Snow Leopard mid-last year, along with another interesting development: you can host your own custom pre-built archives on a local network as described here.
All of this is to say that if you thought the game was over and competing projects like Homebrew had won… then you haven’t been paying attention to all those innovators, putting more tools in our belts.
Speaking of optimizations in package management, while MacPorts can generate packages once you’ve acquired the source or binary archive, another project called Rudix goes one step further and hosts packages of the software it offers on googlecode. It specifically won’t build from source, but its packages are meant to include all the necessary dependencies, and like other managers it can be driven from the command line, and uninstall as necessary. No more excuses not to have iperf or mtr when you need it, and if you’d rather have a little more control over the version of ssh-copy-id than what Homebrew provides, you can use a project like the Luggage.
One of the harder aspects of building systems consistently in a repeatable fashion is that you often need a checklist to follow in order to maintain that consistency. Therefore, we’ve started an Xsan Installation Checklist, which we hope will help keep all the i’s dotted and t’s crossed. Feel free to submit any items we should add to the checklist and also feel free to use it to verify the configuration of your own Xsans.
Preparation
[ ] Work out ahead of time how permissions will be dealt with:
Active Directory
Open Directory
Local Clients in same group with different UIDs.
[ ] If Active Directory is already in place, verify that system are bound properly.
[ ] If Open Directory is already in place, verify that system are bound properly.
[ ] If Open Directory is not already in place, configure Open Directory.
[ ] All client Public interfaces should have working forward and reverse DNS resolution.
Fibre Channel (Qlogic)
[ ] Update Qlogic firmware to latest on all switches.
[ ] Set nicknames for all devices in the fabric.
[ ] Export the nicknames.xml file and give to customer or import to workstation running Qlogic San Surfer.
[ ] Set the domain IDs on the Qlogic. Different Domain ID for each switch.
[ ] Set port speed manually on Qlogic and clients. Don’t use auto-negotiation.
[ ] Configure the appropriate Qlogic port properties for Targets (Storage) and Initiators (Clients).
Targets
Device Scan On
I/O Streamguard Off
Initiators
Device Scan Off
I/O Streamguard On
[ ] Avoid fully populating Qlogic 9200 blades, only use 8-12 ports of each blade to avoid flooding backplane.
[ ] If the switch has redundant power, plug each PS into different circuits.
[ ] Split HBA (client port) and storage ports across switches, i.e. port 0 on switch 1, port 1 on switch 2.
Storage (Promise)
[ ] Update Controller firmware to latest version
[ ] If client has a spare controller, update that as well. Also label box with updated firmware number
[ ] Work out LUNs for MetaData/Journal and Data (MD should be RAID 1, Data should be RAID 5 or 6)
FileMaker Pro 12, Go and Server were all released to the public in early April 2012. Each product brings its own set of new features. First and foremost is the new .fmp12 file format. It is the first file format update since version 7 of FileMaker which added multiple tables per file. This file format update feels more incremental but will introduce a number of changes for environments as they upgrade into the latest version. All the recently released products require this new file format.
Filemaker Pro 12 and Pro 12 Advanced
These are the workhorses of the Filemaker world. Much of the interface remains familiar to user of FileMaker 11 and earlier. Most of the updates in the FileMaker Pro client are related to layout and display. Version 12 provides new visual updates including gradients, alpha channel support, rounded ends on data fields and image slicing. Guides for common screen sizes for both Desktop and iOS devices will make layout designers much happier by reducing the number of times you’ll need to go back and forth between Layout and Browse while tweaking a layout to see if you’ve exceeded the display dimensions. Additional visual goodies in the new version include rounded buttons and hover states. All these visual goodies make Filemaker 12 appear much like CSS-3 webpages.
Containers are now treated a bit differently. You can specify default locations for files stored in containers. This option is selected in FILE:MANAGE:CONTAINERS. Container files also have additional options when defining them as fields in the database. In Field Options:Storage, there is a new section for Containers where you can specify the default location, and whether or not the file is encrypted (by choosing Secure Storage or Open Storage).
Real World Performance.
Working on a client file, conversion from .fp7 to .fmp12 took about 15 minutes for a 650MB file with around 700K records in it. Conversion was smooth and the resulting file opened and appeared and parsed ok, both in terms of schema, data, scripts and security. A script for parsing through some text fields for an automated data migration takes about 13 minutes to run in FileMaker Advanced 11 and FileMaker Advanced 12. Performance appears to be substantially similar among the clients without making further changes, although given some of the new features of 12, it is entirely possible to get far better performance, especially if you have a 64 bit system.
Filemaker Server and Server Advanced
FileMaker Server packs perhaps the biggest change in a 64 bit engine on the backend. This will make FileMaker Server Admins much happier. This means that FileMaker Server will be able to address much larger datasets natively in RAM, without paging them to disk. Also of interest to the FileMaker Database administrator is new progressive backups which should allow for a better balance between performance of the database and protection of the data. Backup and plugins have now been spun out to their own processes so a problem with either backup or a problematic plugin won’t take down your whole FileMaker Server.
Containers in databases hosted on the server will also now support progressive downloads so that you won’t need to wait for an entire video to download before you can start watching it. This will be a boon to iOS users. Which leads me to the final piece of the new FileMaker 12 triumvirate.
FileMaker Go
FileMaker Go also sports many of the new features of its siblings. Support for the .fmp12 is the biggest change, but not the only change. Also of interest is the ability to both print and export records. This will make FileMaker Go much more attractive as a client for users out in the field. No longer will you need to have FileMaker on a laptop or desktop to get outputs for clients or hard copies for signatures. The final coup de grace for Filemaker Go is its price, free from the App Store. FileMaker Go still requires a database created with Filemaker Pro or Advanced 12. FileMaker Go doesn’t provide the tools for developing a database as that’s not really what it’s meant to be. Once developed, the database can either be hosted on the iOS device itself or FileMaker Server for collaboration with other users (both iOS and FileMaker Client users). Databases hosted locally, as may be the case if you have users going offline, can then be synchronized to the server when the device comes back online (which may require some custom work to get just right).
FileMaker 12 Pro, Advanced, Server and Server Advanced are available as either a boxed product or a download from www.filemaker.com. FileMaker Go is available as a free download from the App Store. 318 is a FileMaker partner and our staff are enthusiasts of the product. If you need help or want to discuss a migration to the latest version FileMaker, please feel free to contact your Professional Services Manager, or sales@318.com if you do not yet have one.
A MIB is a Management Information Base. It is an index based upon a network standard that categorizes data for a specific device so that SNMP servers can read the data.
Where to Obtain VMware vSphere MIBs
VMware MIBs are specific to VMware Version, you can try to use the ESX MIBs for ESXi. They can be downloaded from http://downloads.vmware.com. Click on VMware vSphere > find the version of ESX that you are running under “Other versions of VMware vSphere” (the latest version will be the page that you’re on). Click on “Drivers & Tools”. Then click on “VMware vSphere x SNMP MIBs” where “x” is your version.
Use your favorite CLI text editor and edit /etc/snmp/snmpd.conf
Erase everything in it.
Add in the following and save it:
load 99 99 99 syslocation ServerRoom syscontact “ESX Administrator” rocommunity public view systemview included .1.3.6.1.4.1.6876 proxy -v 1 -c public 127.0.0.1:171 .1.3.6.1.4.1.6876
Change “syslocation” and “syscontact” to whatever you want
Save your work
Configure snmpd to autostart: chkconfig snmpd on
Allow SNMP through firewall: esxcfg-firewall –e snmpd
Start the SNMP daemon: service snmpd start
Restart the mgmt-vmware service: service mgmt-vmware restart
Determining OID
OID’s are MIB specific variables that you can instruct an SNMP server monitor to look for. These variables can be determined by reading the MIBs. One tool that assists with doing this is MIB Browser by iReasoning Networks http://tl1.ireasoning.com/mibbrowser.shtml. MIB Browser can run on Windows, Mac OS X, and Linux/UNIX. To obtain the appropriate OID’s:
Load the MIBs in MIB Browser by going to File > Load Mibs
Manually comb through to find the OID you want (it will be connected to a string that will be similar to wording used in VSphere).
Loaded MIB for VMWARE-RESOURCES-MIB into MIB Browser
Searched for “Mem” (Edit > Find in MIB Tree), found “vmwMemAvail”, the OID for this is .1.3.6.1.4.1.6876.3.2.3.0 (use the OID shown in the dropdown that is near the menu in the MIB Browser – it will show the full OID which will sometimes include a “0″ at the end that the OID listed towards the bottom of the window will not)
Add OID into remotehost.cfg (or linux config file) file in Nagios
define service{ use generic-service ; Inherit values from a template host_name ESX4_1 service_description Memory Available check_command check_snmp!-C public -o .1.3.6.1.4.1.6876.3.2.3.0 -m all }
host_name: the name of the device (whatever you want to call it) service_description: the name of the service you are monitoring (whatever you want to call it) check_command: -C is to define the community SNMP string, -o is to define the OID to read, -m is to define which MIB files to load – to be more specific, for this example you can narrow “-m all” to “-m VMWARE-RESOURCES-MIB.MIB”
Once you’ve done the above you should be able to monitor “Memory Available” for ESX through Nagios. Repeat the procedure, changing steps where applicable for the specific OID you want to monitor. If you have questions, or need assistance, please contact 318, Inc. at 1-877-318-1318.
When working with complex code, configuration files, or just plain text, using Version control (or VC for short) should be like brushing your teeth. You should do it regularly, and getting into a routine with it will protect you from yourself. Our internet age has dragged us into more modern ways of tracking changes to and collaborating on source code, and in this article we’ll discuss the web-friendly and social ways of hosting and discovering code.
One of the earliest sites to rise to prominence was Sourceforge, which is now owned by the company behind Slashdot and Thinkgeek. Focused around projects instead of individuals, and offering more basic VC systems, like… CVS, Sourceforge became a site many open source developers would host and/or distribute their software through. Lately, Sourceforge seems to be on the wane, as it is found to be redirect and advertising-heavy.
When Google wanted to attract more attention to its open source projects and give outsiders a way to contribute, it opened code.google.com in 2005. In addition to SVN, Mercurial (a.k.a. Hg) was available as an alternative VC option in 2009, as it was the system adopted by the Python language, whose creator is an employee at Google, Guido van Rossum. Hg was one of the original Distributed Version Control Systems, DVCS for short, and the complexity of such a system could feel ‘bolted-on’ when using Google for hosting (especially in the cloning interface), and its recent introduction of Git as an option mid last year brings this feeling out even more.
Bitbucket was another prominent early champion of Hg, and its focus, like those previously mentioned, is also on projects. Atlassian, the company behind it, are real titans in the industry, as the stewards of the Jira bug-tracking software, Confluence wiki, HipChat web-based IM/chatroom service, and have recently purchased the mac DVCS GUI client SourceTree. Even more indicative of the fast-paced and free-thinking approach of how Atlassian has done business is their adoption of Git late last year as an option for Bitbucket, going so far as to guide folks to move their Hg projects to it.
But the 900-pound gorilla in comparison to all of these is Github, with their motto, ‘Social Coding’. Collaboration can tightly couple developers and make open source dependent on the approval or contributions of others. In contrast, ‘Forking’ as a central concept to Git makes this interdependency less pronounced, and abstracts the project away to put more focus on the individual creators. Many words have already been spent on the phenomenon that is Git and Github by extension, just as its Rails engine enjoyed in years past, so we’ll just sign off here by recommending you sign up somewhere and join the social coding movement!
Microsoft has released the Beta 2 version of System Center Configuration Manager (SCCM) aka System Center 2012. SCCM is a powerful tool that Microsoft has been developing for over a decade. It started as an automation tool and has grown into a full-blown management tool that allows you to manage, update, and distribute software, license, policies and a plethora of other amazing features to users, workstation, servers, and devices including mobile devices and tablets. The new version has been simplified infrastructure-wise, without losing functionality compared to previous versions.
SCCM provides end-users with a easy to use web portal that will allow them to choose what software they want easily, providing an instant response to install the application in a timely manner. For Mobile devices the management console has an exchange connector and will support any device that can use Exchange Active Sync protocol. It will allow you to push policies and settings to your devices (i.e. encryption configurations, security settings, etc…). Windows phone 7 features are also manageable through SCCM.
The Exchange component sits natively with the configuration manager and does not have to interface with Exchange directly to be utilized. You can also define minimal rights for people to just install and/or configure what they need and nothing more. The bandwidth usage can be throttled to govern its impact on the local network.
SCCM will also interface with Unix and Linux devices, allowing multiple platform and device management. At this point, many 3rd party tools such as the Casper Suite and Absolute Manage also plug into SCCM nicely. Overall this is a robust tool for the multi platform networks that have so commonly developed in today’s business needs everywhere.
To understand incoming and outgoing rules there are a couple of things to know before you can define your rules. Let’s start with an understanding of traffic flow on an ASA. All incoming rules are meant to define traffic that come inbound to the ASA’s interface. Outgoing is for all traffic that is going outbound of an ASA’s interface. It does not matter which interface it is since this is a matter data flow and each active interface on an ASA will have it’s own unique address.
To try an explain this further let’s say we have and internal interface with an IP address of 10.0.0.1 that is for your local area network to connect to. You can add a permit or deny rule to this interface specifying whether incoming or outgoing traffic will be permitted or not. This allows you to control what computers can communicate past that interface or not. Essentially you would define most of your rules for the local area network on the internal interface, governing which systems/devices could access the internet, certain protocols, or not.
Now if you know about the basic configuration of an ASA you know that you have to set the security level of the Internal and External ports. So by default these devices allow traffic from a higher security interface to a lower security interface. NAT/PAT will need to be configured depending on if you want to define port traffic for specified protocols.
For this article I will just mention that their are several types of Access Control Lists (ACL) that you can create on an ASA. These types are Standard, Extended, Ethertype, webtype, and IPV6. For this example we will use Extended because most likely that is what most everyone will use the most. With extended ACL not only can you specify IP addresses in the access control list, but you can specify port traffic to match the protocol that might be required.
Lets look at the the examples below:
You will see we are in the configuration terminal mode
-So the first part “access-list acl” means the access list will be named “acl”.
-Next you have a choice between type of access list. We are using Extended for this example.
-The next portion is the permit or deny option and we have permit selected for this statement.
-On the next selection that say’s “any” this refers to inside traffic (simply meaning that any internal traffic is allowed). If you dont use any you can specify specific devices by using “host and the IP address like that last part of this ACL statement.
-The next part of this refers to specifying a specific host address of 192.0.43.10 equals port 80.
So this example tells us that our access control list named ACL will allow any inside traffic out the host address of 192.0.43.10 that is internet traffic.
Later you will notice that your statement will look like this on the ASA
ASA(config)access-list acl extended permit tcp any host 192.0.43.10 www
Notice how “eq 80″ default http traffic changed automatically to www) This is common on Cisco ASA devices).
Setting up the Windows Firewall to run on Windows client systems can be tedious when done en masse. But using a Group Policy (GPO) to centrally manage systems can be a fairly straight forward process. First, decide which firewall rules you want to implement. Then, manually configure them and test them out on a workstation to verify it works the way you want it to. This process has been documented at http://techjournal.318.com/?p=1092.
Once you know the exact settings you’d like to deploy, create an Organizational Unit and put computer accounts (or other OUs/security groups) to be governed by this policy in the new OU. Once you have all of your objects where you’d like them, it’s time to create a GPO of the settings (which should be applied to one machine and tested before going wide across a large contingent of systems). To do so, go to the policy server and Features from within Server Manager to expand Group Policy Management.
From Group Policy Management, expand the appropriate Forest and Domain and then right-click Group Policy Objects, clicking New at the contextual menu. Then provide a name for the new GPO (e.g. Windows Firewall Policy) and click on OK. In the Group Policy Management screen, click on Group Policy Objects and then right-click on Firewall Settings for Windows Clients. Click on Edit to bring up the Group Policy Management Editor.
At the Group Policy Management Editor, right-click Firewall Settings for Windows Clients policy, and select its Properties. Click on the Disable User Configuration settings check box and at the Confirm Disable dialog box, click on the Yes button and click OK when prompted.
In the Group Policy Management Editor open Policies from Computer Configuration. Then expand on Windows Settings and then on Security Settings and finally Windows Firewall with Advanced Security. Here, click on Windows Firewall with Advanced Security for the LDAP GUID for your domain. Then open Overview to verify that each network location profile lists the Windows Firewall state as not configured.
Click on Windows Firewall Properties and under the Domain Profile tab, use the drop-down list to set the Firewall state to On. Then, click on OK and verify the Windows Firewall is listed as On.
Once you’ve created the GPO, go to the OU and click on Link an Existing GPO. Here (the list of GPOs), select the new GPO and test it on a client by running gpupdate or rebooting the client. To verify that the GPO was applied, open the Windows Firewall with Advanced Security snap-in and right-click on Windows Firewall with Advanced Security on Local Computer, selecting Properties from the contextual menu. If the setting is listed as On then the policy was created properly!
It is important to remember that of the two aspects to the software, the CrashPlan client does all the heavy lifting. It scans the local file system, filters and applies other rules as set on the server, compresses and encrypts the data, and finally transfers it either to a destination across the network or to a local ‘folder’(attached drive, etc.) The second portion of the software is the server process that accepts data from each of the clients and tracks everything in a database.
Knowing Your Requirements
Scaling an environment that is backing up to near-unlimited, cloud-based storage is just a matter of having sufficient licenses and internet bandwidth to maintain uploads from multiple clients at once. CrashPlan Pro allows for businesses to store smaller sets of data with pricing per computer, as well. Organizationally, however, the Pro version is not meant for environments with over 200 users. It lacks other features, including integration with directory services and backup seeding/guest restoring/and reporting flexibility.
Embrace the Enterprise with PROe
In addition to getting those features which are missing from the ‘Pro’ level, CrashPlan PROe can work well in environments that are concerned about disaster recovery and would like to host secondary destinations. In these situations there are further considerations to take into account:
Data: Even with the compression applied to files, you’ll need to gauge a significantly larger amount of storage for data than will be backed up at the time of deployment, and have an understanding of how your retention policy will affect your storage needs as time goes on and/or clients are added. A great feature of the REST API available only to the PROe version is that usage can be dynamically gauged.
‘User’ Accounts: It is often the case that there is a subset of pre-approved users for inclusion, which can easily be imported into the CrashPlan PROe servers database, or linked from LDAP. For certain computers and situations, however, the software would more appropriately be allocated by the role the computer performs. Alerting and monitoring is one concern when changing how the account is tied to the computer, but more crucial to understand is when customers are allowed to restore their own files; backing up many computers under the same account can become a security liability (this can be administratively locked out.)
Master-Slave Configuration: For multiple locations, a slave server can be allocated within an organization to more flexibly allocate computers. Just like seeding a backup, an entire slave server can be seeded with the contents of any other server under a Master, and clients will pick up right where they left off.
These are just a few examples of the considerations to take into account when deciding if CrashPlan PROe is right for your environment. For more information, please contact your Professional Services Manager or sales@318.com if you do not yet have one.
A firewall is a barrier between you and the Internet at large that filters information that your computer can receive. Companies usually have firewalls in place to keep certain kinds of websites, people, and information from being accessed from outside their networks, keeping sensitive info safe, and you focused on the job. Your home computer and/or modem can have a firewall built-in as well, acting as the gateway to your home network and the Internet.
NOTE: you might not be able to use a third party application until you add the application to the list of allowed programs.
Here is an explanation of the different options you can modify and customize:
Add a program to the list of allowed programs:
Open Windows Firewall by clicking the Start button, and then clicking the Control Panel. In the search box, type firewall, and then click Windows Firewall.
In the left pane, click Turn Windows Firewall on or off. If you’re prompted for an administrator password or confirmation, type the password or provide confirmation.
Click Change settings. If you’re prompted for an administrator password or confirmation, type the password or provide confirmation.
Select the check box next to the program you want to allow, select the network locations you want to allow communication on, and then click OK.
If an application needs a specific port that this being blocked you can also allow port traffic by:
Open Windows Firewall by clicking the Start button, and then clicking Control Panel. In the search box, type firewall, and then click Windows Firewall.
In the left pane, click advanced settings. If you’re prompted for an administrator password or confirmation, type the password or provide confirmation.
In the Windows Firewall with Advanced Security dialog box, in the left pane, click Inbound Rules, and then, in the right pane, click New Rule.
Follow the instructions in the New Inbound Rule wizard.
Block all incoming connections, including those in the list of allowed programs: this setting blocks all unsolicited attempts to connect to your computer. Use this setting when you need maximum protection for your computer, such as when you connect to a public network in a hotel or airport, or when a computer virus is spreading over the network or Internet. Word of caution with this setting, you wont be notified when Windows Firewall blocks programs. When you block all incoming connections, you can still view most websites, send and receive e‑mail, and send and receive instant messages.
Open Windows Firewall by clicking the Start button, and then clicking Control Panel. In the search box, type firewall, and then click Windows Firewall.
Check the box that says to block all incoming connections.
Notify me when Windows Firewall blocks a new program
If you select this check box, Windows Firewall will inform you when it blocks a new program and give you the option of unblocking that program.
Open Windows Firewall by clicking the Start button, and then clicking Control Panel. In the search box, type firewall, and then click Windows Firewall.
Select the box that says “Notify me when Windows Firewall blocks a new program”
Turn off Windows Firewall (not recommended)
This step is not recommended unless your system administrator has implemented another application to provide protection for your network.
Open Windows Firewall by clicking the Start button, and then clicking the Control Panel. In the search box, type firewall, and then click Windows Firewall.
In the left pane, click Turn Windows Firewall on or off. If you’re prompted for an administrator password or confirmation, type the password or provide confirmation.
Note: If some firewall settings are unavailable and your computer is connected to a domain, your system administrator might be controlling these settings through Group Policy or third party application like Symantec Endpoint Protection.
If you have trouble allowing other computers to communicate with your computer through Windows Firewall, you can try using the Incoming Connections troubleshooter to automatically find and fix some common problems.
Open the Incoming Connections troubleshooter by clicking the Start button, and then clicking Control Panel.
In the search box, type troubleshooter, and then click Troubleshooting. Click View all, and then click Incoming Connections.
Note: Some material in this article was referenced from Microsoft directly from: http://windows.microsoft.com/en-US/windows7/Allow-a-program-to-communicate-through-Windows-Firewall
Note: Stay tuned for more information about setting up Windows Firewall Using a GPO!
Most of us know that Cisco can be a bit complicated and sometimes things happen that are not so forgiving. One of those is losing a password on a Cisco device. The downside to this is if you did not know that you could reset the password using a console cable you might be freaking out thinking you might have to reset to factory defaults. Well thank you Cisco for providing a backdoor to their devices. Now for each device the commands and procedures can be slightly different, so you will want to look up from Cisco the password recovery steps for you specific device. In the example I will show you the steps on how to reset the password on a Cisco ASA 5505 using Terminal from a Macbook.
First thing you will need to have on all the Cisco devices is Console port access. For this reason it is important to ensure there are strict physical security measures in place. Access to the device allows someone to have access to the procedures that I am about to list, which can give them unwanted entry to your device.
1.Connect to the device using the console port\cable. The cable is usually an RJ45 to Serial so on my Macbook I don’t have a serial port so I use a serial to USB adapter. All my configurations are than done in terminal. If you’re on a PC you can use your telnet application or the MS-DOS CMD window.
Using a Macbook with the serial to USB adapter requires I use the “Screen /dev/tty.KeySerial1 9600” command to be able to use terminal as my telnet window. This will allow you to view the bootup of the device as soon as it has power.
2. Now shutdown the ASA, and power it back up. During the startup messages, press and hold the “Escape” key when prompted to enter ROMMON.
3. To update the configuration register value, enter the following command:
rommon #1> confreg 0x41
4. To have the ASA ignore the startup configuration during its startup, enter the following command
rommon #1> confreg
The ASA will display the current configurations register value, and will prompt you to change the value:
Current Configuration Register: 0x00000011
Configuration Summary:
boot TFTP image, boot default image from Flash on netboot failure
Do you wish to change this configuration? y/n [n]:
5. Take note of the current configuration register value (it will be used to restore later). At the prompt enter “Y” for yes and hit enter.
The ASA will prompt you for new values.
6. Accept all the defaults, except for the “disable system configuration?” value; at that prompt, enter “Y” for yes and hit enter.
7. Reload the ASA by using entering:
rommon #2> boot
The ASA loads a default configuration instead of the startup configuration.
8. Enter privileged EXEC mode by entering:
hostname> en
9. When prompted for the password press “Enter” so the password will be blank.
10. Next Load the startup config by entering:
hostname# copy startup-config running-config
11. Enter global configuration mode by using this command:
hostname# config t
12. Change the passwords in the configuration by using these commands, as necessary:
What is Virtual Desktop Infrastructure (VDI)? VDI is technology that enables you to connect to a host’s shared repository of virtualized environments and then allows you to run them on your computer or device, but still utilizing the host’s resources. In other words, it allows you to connect to an OS dedicated to you using your local device as a remote (read: thin) client.
The difference between VDI and Terminal Services or a traditional Citrix setup is that in a Terminal Server or Cirix setup, many users are connecting to a server, sharing the resources of the server, and are all still under the same end-user OS layer and hardware ecosystem. Using VDI, each user has a dedicated virtual machine running a workstation OS, now only under the same hardware ecosystem. Some VDI tools can then be synchronized to the local workstation and run offline as well, leveraging the local systems resources.
Mac OS X was initially left out of the virtual desktop infrastructure space. But with the introduction of VMware View 4.5, users of the Apple-based platform get a chance to dabble in leveraging a virtualized desktop infrastructure in much the same way that users of other platforms can. With VMware View Client for Tech Preview, Mac users can leverage PCoIP (PC over IP) instead of only relying on Remote Desktop for connecting to their virtual desktops. The current offerings of the VMware View Client for OS X do not offer the same type of features as the Windows version, but VMware is working on matching those features across their clients.
Citrix has its own implementation of VDI called XenDesktop. XenDesktop is similar in its offerings to VMware View and is another enterprise class option in VDI implementation. OS X can connect to the virtual desktop through Citrix Receiver. A difference bewteen the two would be the protocol which is used to deliver the best virtualized desktop expeirence. While VMware View uses PCoIP (UDP Based), Citrix XenDeskop uses HDX (High Definition Experience) which is TCP based. Both do a good job at connecting to their respective virtual desktop using different protocols, and both also support using Remote Desktop to connect to the virtual desktop.
Mokafive is a newcomer into the VDI scene, geared specifically to the Mac OS X platform. Mokafive takes a different spin on VDI, and sets up the virtual desktop to utilize the resources of the local device instead of a centralized server (it should be noted though, that both XenDesktop and VMware View now offer that same capability, each with its own unique implementation). Mokafive does so from a Mokefive server using a desktop virtual machine called a LivePC that it uses as a “golden image” (a master virtual machine that’s used for deployment). One of its main strengths is it’s easy to understand and use.
With all of the VDI options that are out, there’s an acronym that’s being used called BYOC (Bring Your Own Computer). With this idea, companies may begin to allow more employees to bring their Macbooks to work and then run the corporate virtual desktop on their Macbooks without the IT staff having to be too concerned about line of business application compatibility on OS X since it will just run on the corporate virtual desktop. Choosing the VDI to do this for your company seems to be more of a question of which solution lines up best with your current infrastructure/familiarity vs. simplicity. If you would like to discuss VDI or other forms of virtualization with 318, please contact your Professional Services Manager or sales@318.com if you do not yet have one.
In the routing world, NAT stands Network Address Translation while PAT stands for Port Address Translation. To many they’re going to be pretty similar while to others they couldn’t be more different.
When you have an Internet connection for your business network you are usually given a range of public static IP addresses. With these addresses you can use your Cisco router to use NAT technology, which will allow you to map an external address to an internal address (NAT is One to One addressing). Your NAT router translates traffic coming into and leaving your private network so it works in both directions.
Let’s say your computer has an IP address of 192.168.1.1 and the Router has a public IP address of 76.80.219.86. If you go to the Internet from your 192.168.1.1 address, it will be translated to the 76.79.219.86 address using the NAT protocol, which will allow you to communicate external your network. It also allows for the return of that data and the opposite to happen when data returns to 76.80.219.86 it will translate back to your 192.168.1.1 address to receive the information to your system with the address of 192.168.1.1.
Port Address translation is almost the same thing but it allows you to specify the TCP or UDP protocol (port) to be used. Let’s pretend you need to access a mail server at your network from externally. Most likely your port will be the standard SMTP port 25. Assuming it is you would configure the router to allow traffic from port 25 external your network to come through to your mail server’s port 25, thus sending and receiving e-mail. You can also use PAT to define traffic from a specific port to translate to a different port. For example if you have to use port 25 for an external mail client but you have a custom port of 26 internally to the mail server. You can define a Static PAT rule that can define all outside port 25 traffic will route to port 26 internally allowing port 25 traffic to reach your mail server on port 26.
*Note: PAT works hand in hand with NAT and is linked to the public and internal IP addresses. With PAT You may route many to one addressing (i.e. all internal addresses go out a single Public IP address for internet using port 80).
Just a quick note, came across this tip today for another way to get to the (hidden in Lion) Library folder: from the Finder’s Go menu, hold down Option.
Most of the Mac Techies I know have a boot drive, or set of drives, capable of running a variety of tools. Many of those drives are geared towards repairing problems on file systems, fixing operating systems and installing software. But what many don’t have are boot volumes for Windows, or cross platform tools in a heterogenous environment.
I used to refer to these, in addition to my tools for the Mac to be my Bat-Belt. On the Mac platform, this usually included Disk Warriror, a clean operating system of each revision, a bootable DeployStudio imaging with installers for operating systems, Disk Rescue and a number of other tools. But what kind of other tools should we be looking at for other platforms? Let’s start with SpinRite.
SpinRite is a tool from Steve Gibson, that runs about $80. It’s probably the best disk repair tool I’ve used for the supported file systems and can go as low level as scanning disks at the platter. The sector tests and file system tests thought, are unparalleled for the platform. I’ve seen SpinRite take weeks to run but it always gets the job done (if it’s possible to do so)!
Next, I’d make sure to have a copy of the Ultimate Boot CD. This little bugger is easy to use, has a number of tools included that resolve issues with systems and allows techs to add, remove or alter files on supported file systems. You can resolve a number of malware problems that crop up, fix file systems (a little overlap with SpinRite is a good thing, here), diagnose operating system problems and it all runs from a self-contained optical disk.
Combatting Malware and Spyware is a big part of many of the jobs for a Windows tech. It often requires multiple tools in your Bat-Belt but the first tool in my arsenal is a program called Combofix. It’s in active development and goes through an exhaustive set of checks and tests to find any malicious files. Once started, it scans and auto deletes suspicious files and is usually able to fix all but most infected machines. You can run this tool in safe mode if a machine is too badly infected to boot into windows normally.
The 80′s are “in” again and this is true with malware too as there’s been a resurgence of MBR viruses in the wild. If you encounter a machine that combofix or other AV tools can’t repair then an MBR issue is a likely cause. The next tool in the list is called TDSSKiller. Made by Kapersky labs this free tool is a uni-task program that only repairs infected MBR’s. It’s quick and can usually repair a bad MBR without needing to boot off another medium.
In the case that a machine is FUBAR’d you may need to boot off another drive and scan for issues. The two tools I use are the Kaspersky Rescue Disk and the Microsoft Standalone System Sweeper. Both are free and scan the entire system for MBR issues and infected executables. These can take a long time to run so unless you’re doing something else it’s best to run these over night or start thinking about doing a system reinstall.
If we’re all doing our jobs and making recommendations we’re going to run into the situation where we need to clone systems from one drive to another. There are a number of tools to do this both paid for and free that get the job done nicely. In the paid for dept Acronis True Image Home is a great tool that does just what you’d expect, clone a drive from one to the other. It automagically resizes the drive to fit the newer larger one too so no need to worry about repartitioning. On the free side we have linux based Clonezilla. It does all the same things as Acronis but with a clunkier interface (yay ncurses!). The only caveat with clonezilla is that is sometimes doesn’t resize the drive to fit the new partition properly and that brings us to our next tool, GParted. This is another linux boot cd that can resize partitions non destructively. I use this in combination with clonezilla but it’s still definitely useful as a standalone tool.
It’s a rare day when I encounter a windows user who doesn’t want their machine to run faster. Thankfully there’s a scientific reason why windows boxes tend to run slower over time and it’s called OS rot. Unfortunately the best fix for this is also the one that takes the longest and that’s to reinstall windows & every program on the system. If a client doesn’t want to do this then we can use the following tools to alleviate some of the issues.
Pcdecrapifier is a tool used to automate the uninstallation of unwanted programs. It’s useful to run on brand new systems (full of preloaded garbage-ware) as well as older machines where you just want to easily get rid of some of the accumulated crapola.
Also in the cleanup category is CCleaner. This tool can tidy up the registry, remove many different sets of cache files as well as remove a lot of misc. unwanted items on the system. There are too many options to state so download it and check it out for yourself!
Finally we have our misc list of utilities that pretty much do one thing but do it very well. Best of all, they’re free. Most don’t need much of a discussion so I’ll rifle through them real quick in list form:
The Cisco ASA 5505 is great for small to medium businesses. Below are the steps you will have to complete to configure your ASA to communicate with the internet. There are many more steps, options, and features to these devices (which later there will be more articles in regards to some of these features).
Bring your device into configuration mode 318ASA>en
Brings the device into enable mode
318ASA#config t
Change to configuration terminal mode
318ASA(config)#
The ASA is now ready to be configured when you see (config)#
Configure the internal interface VLAN (ASA’s use VLAN’s for added security by default) 318ASA(config)# interface Vlan 1
Configure interface VLAN 1 318ASA(config-if)# nameif inside
Name the interface inside
318ASA(config-if)#security-level 100
Set’s the security level to 100
318ASA(config-if)#ip address 192.168.5.1 255.255.255.0
Assign your IP address
318ASA(config-if)#no shut
Make sure the interface is enabled and active
Configure the external interface VLAN (This is your WAN\internet connection) 318ASA(config)#interface Vlan 2
Creates the VLAN2 interface
318ASA(config-if)# nameif outside
Name’s the interface outside
318ASA(config-if)#security-level 0
Assigns the most strict security level to the outside interface (lower the number the higher the security).
318ASA(config-if)#ip address 76.79.219.82 255.255.255.0
Assign your Public Address to the outside interface
318ASA(config-if)#no shut
Enable the outside interface to be active.
Enable and assign the external WAN to Ethernet 0/0 using VLAN2 318ASA(config)#interface Ethernet0/0
Go to the Ethernet 0/0 interface settings
318ASA(config-if)#switchport access vlan 2
Assign the interface to use VLAN2
318ASA(config-if)#no shut
Enable the interface to be active.
Enable and assign the internal LAN interface Ethernet 0/1 (note ports 0/1-0/7 act as a switch but all interfaces are disabled by default). 318ASA(config)#interface Ethernet0/1
Go to the Ethernet 0/1 interface settings
318ASA(config-if)#no shut
Enable the interface to be active.
If you need multiple LAN ports you can do the same for Ethernet0/2 to 0/7.
To have traffic route from LAN to WAN you must configure Network Address Translation on the outside interface 318ASA(config)#global (outside) 1 interface
318ASA(config)#nat (inside) 1 0.0.0.0 0.0.0.0
***NOTE for ASA Version 8.3 and later*** Cisco announced the new Cisco ASA software version 8.3. This version introduces several important configuration changes, especially on the NAT/PAT mechanism. The “global” command is no longer supported. NAT (static and dynamic) and PAT are configured under network objects. The PAT configuration below is for ASA 8.3 and later:
318ASA(config)#nat (inside,outside) dynamic interface
Configure the default route (for this example default gateway is 76.79.219.81) 318ASA(config)#route outside 0.0.0.0 0.0.0.0 76.79.219.81 2 1
Last but not least verify and save your configurations. If you do not save your configurations you will have to.
Verify your settings are working. Once you have verified your configurations write to memory to save the configuration. If you do not write to memory your configurations will be lost upon the next reboot.
By default, users in Exchange 2010 appear in the Global Address List (aka GAL), or are available for lookup by users within the Exchange organization. You can suppress these so that you create a mailbox that is not seen by any old user. You might want to do this so that a sales, info or other generic externally facing mailboxes aren’t used by your internal users.
In order to hide a user from the Exchange Global Address List, open the Exchange Management Console and click on the Organization Configuration node. Click on Mailbox to bring up a list of mailboxes for the forest and then double-click on a mailbox you’d like to hide from the Global Address List. Next, click on the General tab and you will see a checkbox for Hide from Exchange address lists. Check that box and click on Apply to suppress the account from the Global Address List.
Qlogic switches can be configured via a built-in Web-based administration tool, or via their Command Line Interface over a serial connection. The Web-based tool is the fastest and easiest method of getting one up and running.
By default, Qlogic switches have an IP address of 10.0.0.1. The default username is “admin”, and the default password is “password”. Set your computer’s IP address to 10.0.0.2, with a Subnet Mask of 255.255.255.0 and no router/gateway. Open a web browser – Firefox is your best option – and go to 10.0.0.1. The Java applet will prompt a security warning – please confirm that the applet can control your computer. It won’t do anything bad.
On first logging in, you will be warned that the default password has not been changed. Please change the password. It’s very easy for somebody to make your fibre fabric not work right. Once you have done so, configure the IP address of the switch.
Please check and see if a firmware update is available for the switch before proceeding any further with setup. It’s definitely going to be easiesr to get a firmware update applied before you’ve got an Xsan using your fabric. Go to Qlogic’s Support Site and click on Switches, then Fibre Channel Switches, choose the correct model, and click “Go”.
Devices on a fibre network are identified by their World Wide Name, or WWN. WWNs are guaranteed to be universally unique, which is a good thing, but they’re not designed to be read by humans. That’s why Qlogic lets you assign Nicknames to your devices. You should assign meaningful and easily decipherable Nicknames to all of your devices. Go to Fabric, and then Nicknames. You’ll see a list of all the WWNs (including vendor information), and which port they’re connected to. Double-click in the “Nickname” box, enter what you like, and when you’re done, click “Apply”. Accurate and comprehensible Nicknames make everything else easier, particularly the next step, which is Zoning.
Communication on a Fibre Channel network is controlled by Zones. In order for Fibre Channel devices to see one another (e.g. for clients to see storage), they must be in a zone together. In a small environment, it’s feasible to create a single zone, and place all devices in that zone. However, it isn’t necessary for Xsan clients and controllers to be able to communicate via Fibre Channel – all of their communication happens across the Metadata Network. If you want the best performance, then, it’s best to separate the devices logically into multiple zones to avoid excessive traffic on the Fibre Channel network. Devices can be added directly to a zone, or they can be grouped into Aliases, which can then be added to a zone.
As an example, imagine an environment with 15 Xsan clients, 2 Metadata controllers, and 2 Promise E-Class arrays. The clients need to communicate with the Promise storage, and the controllers do as well, but the clients and controllers don’t need to communicate with one another. Three aliases should be created and two zones should be created: one alias for each class of device, and one zone for each necessary communications channel.
Aliases
clients: Contains all Xsan clients
controllers: Contains both Metadata controllers.
storage: Contains both Promises
Zones
XsanControllers: Contains the controllers and storage aliases
XsanClients: Contains the clients and storage aliases
Zones are contained in Zone Sets. Many Zone Sets can be configured, but only one Zone Set can be active at any time. Once you’ve created zones for your devices, put all those zones into a Zone Set, and make sure that you activate that Zone Set when you’re finished with your configuration changes.
Storage devices and clients on a Fibre Channel network present themselves to the switch differently, and require configuration specific to their role. There are port properties that need to be set to provide the best performance. Xsan controllers and clients are “Initiators”, and storage devices are “Targets”. Device Scan, when enabled, queries every newly connected device to determine whether or not it is a Target or an Initiator. I/O Streamguard attempts to prevent disruption by suppressing some types of communication between initiators. Since we know what every device will be, and what port they’re on, we can set Device Scan and I/O Streamguard appropriately and avoid the excess traffic.
Initiators:
Enable I/O Streamguard
Disable Device Scan
Targets:
Disable I/O Streamguard
Enable Device Scan
Once you have your Nicknames, Zones, and port settings configured, you switch should be ready for use, and you can move on to configuring your storage, clients, and controllers.
