Intel,Altiris Group

Part 1 - Using Out-of-Band Events and Alerts with Intel vPro Technology 

Feb 10, 2011 08:47 PM

In the world of server management, IPMI within a baseboard management controller, along with the sending and receiving of SNMP alerts, may be a familiar reference point. A subset of this capability exists within the Intel vPro Technology platform, allowing out-of-band management alerts to occur based on a short list of hardware and software events. The Event Manager of the Notification Server used by Symantec Management Platform has built-in capabilities to receive and respond to these alerts. This article provides an introduction to the possibilities of using out-of-band alerts.

Out-of-Band Alerts Introduction

Knowing whether the host operating system has stopped responding or that the case has been opened on a remote system is difficult unless someone is present and able to interact with the system.   These types of events can be detected by a management controller within the physical hardware.   If an event occurs, an alert is sent to a defined IP address.   The defined location is based on subscriptions set within the management engine.   The alert includes specific codes including the alert type, unique system identifier (i.e. UUID), the IP address of the system, and so forth.   The receiving system interprets the alert based on rules, matching codes, and so forth.   If a response is defined, the receiving system acts accordingly.   This sequence is shown in the simplified diagram below.

A brief explanation of the above image:

  • Step 1 – A list of defined alerts with subscription data is applied to the target clients via TaskServer job (1:many) or Resource Manager (1:1)
  • Step 2 – When an event with an alert subscription occurs on the target Intel vPro Technology client, an SNMP trap or WS-Event message is sent to the Notification Server
  • Step 3 – The Event Manager within Notification Server receives and analyzes the alert message.
  • Step 4 – If an automated response is defined via filter rules, the Notification Server performs the indicated action.

A snapshot of the above sequence is shown via the Event Console image below.   The event console will automatically refresh and can be filtered to show specific types or timestamps of alerts.   In the example below, a number of alerts were generated to demonstrate the possibilities of out-of-band alerts.

Here is a brief explanation of the captured alerts shown:

  • Password Attack – More than 3 failed logon attempts to Intel AMT on the target device.   This may occur due to an incorrect configuration, mistyping of the password, or malicious intent.
  • Operating System Hung – Although the system is powered on, no activity between the host operating system and the hardware has occurred.   This may help to identify a problematic system.
  • Chassis Intrusion – The case has been opened on the system.  
  • AMT Notification – This is a custom alert signaling that the user is requesting assistance.   This alert can be generated via a pre-boot key sequence or via a utility in the host operating system.

Other alerts and events can occur from Intel vPro technology systems, such as a change to the network link state of the system. Some alerts may occur multiple times within a small interval of time. Some experimentation may be required to identify the desired alerts for the environment, how to appropriately filter (i.e. designate a true alert versus a false-positive), associated rules or response actions, and so forth. The remainder of this article will provide brief insights into each of these steps.
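The receiving-side filtering described above can be prototyped before any rule is built in the console. The following is an added example, not code from the original article or from Symantec Management Platform: it collapses bursts of the same alert from the same system and attaches a response. The field names, inventory, rule table and sample alerts are all constructed assumptions.

```python
from datetime import datetime, timedelta

# Constructed sample alerts (not captured from a real system). The tuple layout
# is hypothetical; the article only says an alert carries a type, UUID and IP.
SAMPLE_ALERTS = [
    ("2011-02-10 20:01:00", "uuid-a", "192.0.2.10", "Link Up"),
    ("2011-02-10 20:01:02", "uuid-a", "192.0.2.10", "Link Up"),
    ("2011-02-10 20:01:05", "uuid-a", "192.0.2.10", "Link Up"),
    ("2011-02-10 20:03:00", "uuid-a", "192.0.2.10", "Password Attack"),
    ("2011-02-10 20:04:00", "uuid-b", "192.0.2.11", "Chassis Intrusion"),
    ("2011-02-10 20:20:00", "uuid-a", "192.0.2.10", "Link Up"),
    ("2011-02-10 20:21:00", "uuid-z", "192.0.2.99", "Operating System Hung"),
]

# Hypothetical inventory (UUID -> expected IP) and response rules.
KNOWN_SYSTEMS = {"uuid-a": "192.0.2.10", "uuid-b": "192.0.2.11"}
RULES = {
    "Password Attack": "review AMT logon attempts",
    "Chassis Intrusion": "open a physical-security ticket",
    "Operating System Hung": "schedule remote diagnostics",
    "AMT Notification": "contact the user",
}

def triage(alerts, window=timedelta(seconds=60)):
    """Collapse repeats of one alert type from one system that arrive within
    `window` of the previous repeat, then attach a response to each burst."""
    open_burst = {}  # (uuid, alert type) -> index of the latest burst in `out`
    out = []
    for ts, uuid, ip, kind in sorted(alerts):
        when = datetime.strptime(ts, "%Y-%m-%d %H:%M:%S")
        idx = open_burst.get((uuid, kind))
        if idx is not None and when - out[idx]["last"] <= window:
            out[idx]["count"] += 1      # same burst: count it, do not re-alert
            out[idx]["last"] = when
            continue
        if KNOWN_SYSTEMS.get(uuid) != ip:
            action = "hold: UUID/IP not in inventory"
        else:
            action = RULES.get(kind, "log only")
        out.append({"uuid": uuid, "type": kind, "first": when,
                    "last": when, "count": 1, "action": action})
        open_burst[(uuid, kind)] = len(out) - 1
    return out

if __name__ == "__main__":
    for row in triage(SAMPLE_ALERTS):
        print(row["first"], row["uuid"], row["type"],
              f"x{row['count']}", "->", row["action"])
```

Widening or narrowing `window` is the experimentation step: too short and a reboot's Link Up series produces several rows, too long and distinct incidents merge into one.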

Alert Subscriptions

First – a subscription to the specific events must be made for an alert to be triggered.   Within the TaskServer is an existing task to Update Out-of-Band alert settings.   Use this job to define and apply alert subscriptions for several Intel AMT configured systems at one time.   The default task is located under the Real-Time Console Infrastructure as shown below.

If you compare the above screenshot with your own Altiris 7.x installation, you may observe a few additional event filters have been added.   By clicking the “Add” button a complete list of Intel® AMT and DASH alerts is shown. 

The next screenshot shows the “Update Out-of-Band Alert” task being assigned to target client systems.   Appropriate Connection Credential settings must be used for Intel AMT and WS-MAN authentication if both protocols are represented in the alert setting task.   The sample list of systems represents several generations of the Intel vPro Technology since the out-of-band events and alerts functionality has existed since 2006.

Once the task has completed successfully, the defined alert subscriptions have been applied to the target systems.

Validating the Out-of-Band Alerts

Approximately 17 alerts can be set and subscribed within the Intel vPro Technology platform.   To see exactly what alerts are in place or to make individual system modifications, open the Resource Manager for a target client.   Ensure that the Connection Profile includes the appropriate Intel AMT protocol credentials.

Once the Resource Manager opens, select View > Real-Time.   Expand the Real-Time Systems Manager tree on the left, followed by Management Operations.   Select Manage Alerts.    The resulting screen on the right is populated based on what is obtained in real-time from the target client system.

The screenshot below provides additional insights:

  • Total and available space for alerts within the target platform
  • Alerts that have been subscribed and to what address notification should be sent
  • Ability to directly add or remove specific alerts for the target platform

The above view can be helpful in troubleshooting or customizing an individual client.

With the desired event subscriptions in place to generate the associated alerts, a few simple tests can be done.

  • To force a system to hang or bluescreen, try the SysInternals utility NotMyFault
  • To generate a Password Attack alert, attempt to log in to the WebUI of a target client (http://ipaddress:16992) using the wrong UserID and password. Several failed attempts will be required.
  • Reboot the target client and a series of Link Up alerts will be generated.
  • On a desktop client, remove the cover to the case for a Cover Open alert.
  • Note: Some events like Cover Open are dependent on the OEM’s specific implementation.

As each test is completed, an entry will occur in the Event Log of the Intel vPro Technology system.   Using correct login credentials for the WebUI of the target client, the event log can be viewed similar to the example below.

If a particular event has an associated alert subscription, it will appear in the Event Console of the Notification Server. The main event console shown earlier in this article can be used and filtered to find all events for a target system. Alternatively, the Resource Manager Home page will show all alerts for the specific device, as shown in the screenshot below.

If the alerts are showing in the Event Console, then the subscription and associated event have worked correctly in the target environment.

In the next article, an alert rule will be defined to automate the response or action for a defined event.

The opinions expressed on this site are mine alone and do not necessarily reflect the opinions or strategies of Intel Corporation or its worldwide subsidiaries


Comments

Mar 04, 2011 02:00 PM

If you have a PDF printer in your client (i.e. CutePDF or similar), click on the print icon at the bottom and direct it to that device.

Attached PDF is an example for this article.

Note: the 3rd article in this series includes a video.   If you'd like to view via YouTube - the link is http://www.youtube.com/watch?v=5VD7wAky3aU

Mar 02, 2011 11:58 AM

Any chance of creating this in PDF, as I would very much like to read it when I have time and am not inundated with work-related demands?
