Monitor user activity with SolarWinds User Device Tracker

Recently SolarWinds released version 2.5 of their User Device Tracker product and because I had started reviewing the previous version, I thought it might make sense to start over again with the newest release. 

A summary of information collected by UDT


What is User Device Tracker?

User Device Tracker is a server-based application that monitors network environments and returns information about connected user accounts and computers. It will quickly tell you where a computer is connected, how it attaches to the core switching infrastructure within your environment, and even the user ID of the account logged on.

The usefulness isn’t so much in tracking everyday employees, the people that come in every day from 8-5 and work at the same workstation.  This product is useful in helping track down rogue computers that may attach to the network and keeping track of where they are located.

For example, a vendor for another department comes into your organization to work on some new piece of equipment.  The new equipment requires a network connection which was barely mentioned when the discussions around purchasing the equipment came up.  On installation day, the vendor has hooked everything up and wants to test it.  To do so, a wireless router is attached to the network and the new equipment plugged in there to allow for a laptop to be used in testing.

The problem here is multifaceted. A single vendor connecting to test and configure purchased equipment is one thing, but connecting a wireless access point, potentially unsecured, to the network is entirely different. Doing that opens the network up to a host of potential issues, such as rogue users and viruses, and the list goes on…

User Device Tracker can locate these devices and their users on the network and tell you which port on which switch they are plugged into. This will help you track them down or, if nothing else, connect to the switch and disable the port to ensure that no rogue activity is allowed.
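The check described above, as an added example (not part of the original review and not SolarWinds code): given switch/port/MAC rows of the kind UDT reports, it flags access ports that carry unknown MACs or more than one MAC, which is the pattern the vendor's wireless router would produce. The row layout, switch names, MAC addresses, and inventory are constructed assumptions.

```python
from collections import defaultdict

# Constructed sample rows: one per MAC address learned on a switch port.
# Field layout is hypothetical, not UDT's schema.
SAMPLE_ENDPOINTS = [
    ("sw-floor1", "Gi1/0/3", "00:11:22:aa:bb:01"),
    ("sw-floor1", "Gi1/0/4", "00:11:22:aa:bb:02"),
    ("sw-floor2", "Gi1/0/7", "de:ad:be:ef:00:10"),  # vendor's wireless router
    ("sw-floor2", "Gi1/0/7", "de:ad:be:ef:00:11"),  # equipment behind it
    ("sw-floor2", "Gi1/0/7", "de:ad:be:ef:00:12"),  # vendor laptop
    ("sw-core", "Te1/1/1", "00:11:22:aa:bb:01"),    # uplink re-learns MACs
    ("sw-core", "Te1/1/1", "DE-AD-BE-EF-00-10"),
]
KNOWN_MACS = {"00:11:22:AA:BB:01", "0011.22aa.bb02"}  # constructed inventory
UPLINKS = {("sw-core", "Te1/1/1")}  # trunk ports: many MACs is normal here


def normalize_mac(mac):
    """Reduce colon, dash, or Cisco-dotted MAC notation to 12 lowercase hex digits."""
    digits = "".join(c for c in mac.lower() if c in "0123456789abcdef")
    if len(digits) != 12:
        raise ValueError(f"not a MAC address: {mac!r}")
    return digits


def find_suspect_ports(endpoints, known_macs, uplinks, max_macs=1):
    """Return {(switch, port): reasons} for access ports worth a visit."""
    known = {normalize_mac(m) for m in known_macs}
    per_port = defaultdict(set)
    for switch, port, mac in endpoints:
        if (switch, port) not in uplinks:
            per_port[(switch, port)].add(normalize_mac(mac))
    findings = {}
    for key, macs in sorted(per_port.items()):
        reasons = []
        unknown = sorted(macs - known)
        if unknown:
            reasons.append(f"unknown MACs: {', '.join(unknown)}")
        if len(macs) > max_macs:
            reasons.append(f"{len(macs)} MACs on one access port")
        if reasons:
            findings[key] = reasons
    return findings


if __name__ == "__main__":
    for (switch, port), reasons in find_suspect_ports(
            SAMPLE_ENDPOINTS, KNOWN_MACS, UPLINKS).items():
        print(f"{switch} {port}: {'; '.join(reasons)}")
```

Excluding uplink ports matters: a trunk toward the core legitimately learns every downstream MAC, so counting MACs there would bury the one access port that needs attention.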

How do I configure it?

Once the install completes, which I found to be a bit slow in the 2.5 release, the console will open and begin an initial configuration wizard.  The wizard, called the Network Sonar Wizard, is designed to provide the application with overview information about your network environment and credentials that may be needed to access certain things on the network.  The areas covered by the wizard include:

SNMP: Provide any SNMP community information that may be needed on your network; some general defaults are included.

Windows: Provide Windows credentials for your environment to allow information to be gathered from servers and other Windows-based PCs using WMI.

Network: At this point in the wizard you will need to define your network and enter any IP ranges that UDT should be monitoring.

Discovery Settings:  Here the timeout settings for discovering devices on the network are configured.  Adjust the sliders for each value, or enter the number of milliseconds or retries needed for each. Because detailed information is being requested, nodes that only respond to ping/ICMP will not be helpful. These nodes can be ignored.

Discovery Scheduling: Here you can specify how often you would like the discovery to run and whether it should run when the wizard completes. The default is to run once and run right away.

As the discovery gets underway, a list of discovery attempts will be displayed showing the last discoveries run, scheduled results, and a discovery ignore list which contains nodes that were specifically ignored.

Once the Sonar wizard has completed it may take some time to execute the discovery, depending on the size of your network and the types of devices detected.

How do I view UDT information?

Once some devices have been discovered and imported into your UDT environment you can view information by selecting the Device Tracker tab and then Device Tracker Summary.  Because UDT plugs into other SolarWinds products, like Orion NPM, it is visible from the NPM web portal if installed alongside NPM.  NPM is not required to use UDT.

The dashboard screen displayed under summary will show the discovered nodes as well as the total ports used on the network. When Windows servers are queried, Active Directory can return the user logon information found in your environment to show which user accounts are logging on at which computers.  Further information and drill down can be provided to display the path from the user account and workstation back to the core switch.

Configuring Alerts and Watches

UDT allows you to watch a device and be told where it has connected to the network. For example, I work in a Windows environment with a few laptops used primarily across the office for presenting and meetings. Even though the devices are available to be reserved and tracked in a groupware calendar, they frequently are off somewhere for days. Using UDT to track down the MAC addresses could tell me where the computer connects to the network and to which access point or switch, which would point me right to it. Gathering the user logon info would probably get me pretty close as well, but two methods are sometimes better than one.

Ad-Hoc Reporting

Details for the selected node

User Device Tracker supports ad-hoc reports created by searching gathered data. Selecting the Ad-hoc Reporting tab under Device Tracker will display the results of searches made by the application against its data. You can choose to include only active connections in the results or to include historical data as well.

What is the cost to license it?

The cost to license up to 2500 ports is $1795, which really doesn’t seem too bad. However, when you consider how fast switch ports and other devices add up, you need to be mindful of usage or be prepared to continually upgrade as the application becomes more ingrained. More information about the User Device Tracker application and its licensing can be found here.

Overall thoughts

Using these reports and information about devices connected to your network is a great way to keep track of just what items have connected. For me it was somewhat eye-opening the first time I went looking for other devices. There weren’t a lot of rogue things, but printers or other things that I forgot were deployed showed up right away. Depending on the size and complexity of your network, this tool will certainly be helpful in chasing down devices, but it may be cost prohibitive in some cases. I would recommend getting the 30 day trial of the application and giving it a run in your environment to see if it truly is the right application for your use.

Disclosure: SolarWinds provided User Device Tracker licensing for me to complete this review. SolarWinds has no access to the content of this review, nor did they commission it. They do however sponsor this blog. The review of User Device Tracker is something I chose to do because I had seen a demo of the product and was curious about how it worked. I also wanted to see if it was really as straightforward as the demo.