CompTIA exam study guide presentations by instructor Brian Ferrill, PACE-IT (Progressive, Accelerated Certifications for Employment in Information Technology)
"Funded by the Department of Labor, Employment and Training Administration, Grant #TC-23745-12-60-A-53"
Learn more about the PACE-IT Online program: www.edcc.edu/pace-it
2. Page 2
Instructor, PACE-IT Program – Edmonds Community College
Areas of expertise Industry Certifications
PC Hardware
Network Administration
IT Project Management
Network Design
User Training
IT Troubleshooting
Qualifications Summary
Education
M.B.A., IT Management, Western Governors University
B.S., IT Security, Western Governors University
Entrepreneur, executive leader, and proven manager
with 10+ years of experience turning complex issues
into efficient and effective solutions.
Strengths include developing and mentoring diverse
workforces, improving processes, analyzing
business needs and creating the solutions
required— with a focus on technology.
5. Page 5
How do you know what is
going on in your network? Is
it healthy or is it about to
crash?
Network administrators hate to be surprised by
failures in their networks—especially ones that could
have been foreseen and, therefore, forestalled. How
do they keep from being surprised? They enact a
plethora of procedures and tools to monitor their
networks and keep track of how they are behaving.
Network monitoring I.
7. Page 7
Network monitoring I.
– Log files.
» All operating systems offer a means of viewing events that
occur on that specific machine.
• This includes networking equipment.
» Some applications have been developed to monitor systems
and networks that also generate log files (among other actions).
» Log files can be used to help pinpoint when a problem occurred
and help to narrow down the cause of an issue.
» Log files can also be used to help create a baseline of network
behavior.
» Log files can usually be classified as being: system logs,
general logs, or history logs.
• As a general rule, log files are an after-the-fact means of
monitoring the network and are not very good for real-time
analysis, partially due to the amount of information that they
generate.
8. Page 8
Network monitoring I.
– Event viewer.
» Windows Server and most other Windows operating systems
use this tool to keep track of and to log events. The most
important logs contained in the tool are the Application, Security,
and System logs.
– Application logs.
» Contain events triggered by the actions of applications.
• For example, LiveUpdate will create log entries based on
actions taken.
– Security logs.
» Contain security-related events.
• For example, logs are created for successful and
unsuccessful logon attempts.
– System logs.
» Contain events triggered by Windows system components.
• For example, when drivers start or fail to start, a log entry will
be created.
9. Page 9
Network monitoring I.
– Syslog.
» Developed in the 1980s, syslog provides devices that would not
normally be able to communicate with a means of delivering
performance and problem information to system administrators.
» Permits there to be separation between the software that
generates the message, the storage of the message, and the
software that analyzes the generated message.
• This allows syslog to be highly configurable and has allowed it
to continue to be a vital tool for monitoring networks.
» The Internet Engineering Task Force (IETF) standardized
syslog in 2009.
» Each log message is tagged with the type of service that
generated it (its facility) and a severity level from zero (most
severe) to seven (least severe).
» Because syslog can generate a lot of log messages, most network
administrators configure it so that they are only alerted when a
minimum severity level has been reached.
• Network administrators may receive alerts via SMS or email.
10. Page 10
Network monitoring I.
– SNMP (Simple Network Management
Protocol).
» An application layer (OSI model Layer 7) protocol used to
monitor and manage a network’s health.
» The network or systems administrator configures monitors—often
called traps—on devices that watch the operation of a specific
item (e.g., whether the interface is up or down).
• The monitors periodically communicate with a network
management station (NMS) through GET messages that the
NMS sends out.
• The response from the monitors is stored in a Management
Information Base (MIB), which is a type of log file.
• The administrator can configure the monitors with SET
messages sent from the NMS.
» When an event occurs (e.g., the interface goes down), the trap is
tripped and the event is logged.
• It can be configured to just log the event or it can be
configured to contact a network administrator (via email or
SMS).
» This ability provides a more real-time monitoring method.
11. Page 11
Network monitoring I.
– SIEM (Security information and event
management).
» A term for software products and services that combine
security information management (SIM) and security event
management (SEM).
• SIEM may be provided by a software package, a network
appliance, or as a third party service.
» It is used as a means of monitoring and providing real-time
analysis of security alerts.
• This is an example of the SEM functionality.
» It can be used as a tool to analyze long-term data and log
files.
• This is an example of the SIM functionality.
» Can be highly configured to the needs of the individual
network.
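As an added example that is not part of the PACE-IT slides, the following Python script parses the <PRI> header of constructed RFC 5424 syslog lines to recover the facility and severity, applies the minimum-severity alerting filter described under Syslog, and then performs the kind of SEM-style correlation a SIEM does: counting repeated failed logons per source even though no single message is severe on its own. The hostnames, addresses and message text are constructed sample data.

```python
import re
from collections import Counter

# Constructed sample messages in RFC 5424 layout: <PRI>VERSION TIMESTAMP HOST APP ... MSG
# PRI = facility * 8 + severity, so <85> is facility 10 (authpriv) at severity 5 (notice)
# and <26> is facility 3 (kern) at severity 2 (critical). Severity 0 is the most severe.
SAMPLE_LINES = [
    "<85>1 2024-01-01T10:00:01Z fw1 sshd - - - Failed password for root from 203.0.113.5",
    "<86>1 2024-01-01T10:00:02Z fw1 sshd - - - Accepted password for alice from 198.51.100.7",
    "<85>1 2024-01-01T10:00:03Z fw1 sshd - - - Failed password for admin from 203.0.113.5",
    "<85>1 2024-01-01T10:00:04Z fw1 sshd - - - Failed password for root from 203.0.113.5",
    "<190>1 2024-01-01T10:00:05Z sw1 lldpd - - - neighbor table refreshed",
    "<26>1 2024-01-01T10:00:06Z sw1 kernel - - - interface Gi0/1 link down",
]

PRI_RE = re.compile(r"^<(\d{1,3})>")
FAILED_LOGON_RE = re.compile(r"Failed password for \S+ from (\S+)")


def parse_pri(line):
    """Return (facility, severity) from the leading <PRI>, or None if it is malformed."""
    match = PRI_RE.match(line)
    if not match:
        return None
    pri = int(match.group(1))
    if pri > 191:  # highest legal value: facility 23 * 8 + severity 7
        return None
    return divmod(pri, 8)


def at_least_severity(lines, max_level):
    """Minimum-severity alert filter: keep messages whose severity number is <= max_level."""
    kept = []
    for line in lines:
        parsed = parse_pri(line)
        if parsed is not None and parsed[1] <= max_level:
            kept.append(line)
    return kept


def failed_logon_sources(lines, threshold):
    """SEM-style correlation: count failed logons per source address and report the
    sources that reach the threshold, even though each message alone is only a notice."""
    counts = Counter()
    for line in lines:
        match = FAILED_LOGON_RE.search(line)
        if match:
            counts[match.group(1)] += 1
    return {src: n for src, n in counts.items() if n >= threshold}
```

Calling `at_least_severity(SAMPLE_LINES, 4)` keeps only the critical link-down message, while `failed_logon_sources(SAMPLE_LINES, 3)` flags the one source with three failed logons that the severity filter alone would never surface.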
12. Page 12
Network monitoring I.
Topic: The why of network monitoring.
Summary: As network administrators are responsible for keeping the network up and
running, they hate to be surprised by network failures—especially ones they
could have foreseen and, therefore, have forestalled. To prevent this, they
will deploy a variety of tools to keep track of the network’s health and
behavior.
Topic: Tools for monitoring the network.
Summary: Log files are an important tool that network administrators can use to track
how their network and systems are running. Almost all operating systems
are capable of generating log files, which are usually a more passive and
after-the-fact type of monitoring. Event Viewer is a Microsoft tool used to
track and organize log files. Syslog was created in the 1980s to provide a
method of communication between devices that would not normally
communicate. Syslog events are rated on a scale of zero to seven, based
on the severity of the event (with zero being the most severe). SNMP is a
protocol that takes a more active approach in monitoring the network and
systems. With SNMP, a trap is set on a device. When the trap is tripped, a
message is sent to the NMS, which stores the event in the MIB. Depending
on the severity, a message may be sent to an administrator via SMS or
email.
14. This workforce solution was 100 percent funded by a $3 million grant awarded by the
U.S. Department of Labor's Employment and Training Administration. The solution was
created by the grantee and does not necessarily reflect the official position of the U.S.
Department of Labor. The Department of Labor makes no guarantees, warranties, or
assurances of any kind, express or implied, with respect to such information, including
any information on linked sites and including, but not limited to, accuracy of the
information or its completeness, timeliness, usefulness, adequacy, continued availability
or ownership. Funded by the Department of Labor, Employment and Training
Administration, Grant #TC-23745-12-60-A-53.
PACE-IT is an equal opportunity employer/program and auxiliary aids and services are
available upon request to individuals with disabilities. For those that are hearing
impaired, a video phone is available at the Services for Students with Disabilities (SSD)
office in Mountlake Terrace Hall 159. Check www.edcc.edu/ssd for office hours. Call
425.354.3113 on a video phone for more information about the PACE-IT program. For
any additional special accommodations needed, call the SSD office at 425.640.1814.
Edmonds Community College does not discriminate on the basis of race; color; religion;
national origin; sex; disability; sexual orientation; age; citizenship, marital, or veteran
status; or genetic information in its programs and activities.