(19) United States
`(12) Patent Application Publication (10) Pub. No.: US 2013/0111018 A1
`(43) Pub. Date:
`May 2, 2013
`Ammons et al.
`
`US 2013 011 1 018A1
`
`(54)
`
`(75)
`
`(73)
`
`(21)
`(22)
`
`(60)
`
`PASSIVE MONITORING OF VIRTUAL
`SYSTEMS USINGAGENT-LESS, OFFLINE
`INDEXING
`
`Inventors: Glenn S. Ammons, West Chester, PA
`(US); Ahmed M. Azab, Raleigh, NC
`(US); Vasanth Bala, Rye, NY (US);
`Sastry S. Duri, Yorktown Heights, NY
`(US); Todd W. Mummert, Danbury, CT
`(US); Darrell C. Reimer, Tarrytown,
`NY (US); Lakshminarayanan
`Renganarayana, Elmsford, NY (US);
`Xiaolan Zhang, Chappaqua, NY (US)
`
`Assignee:
`
`INTERNATIONAL BUSINESS
`MACHINES COPORATION, Armonk,
`NY (US)
`Appl. No.: 13/527,948
`
`Filed:
`
`Jun. 20, 2012
`
`Related U.S. Application Data
`Provisional application No. 61/552.797, filed on Oct.
`28, 2011.
`
`Publication Classification
`
`(51) Int. Cl.
`G06F 5/73
`(52) U.S. Cl.
`USPC .......................................................... 709/224
`
`(2006.01)
`
`(57)
`ABSTRACT
`Aspects of the present invention provide a solution for pas
`sively monitoring a computer system. In an embodiment, a
`virtual server is accessed by an indexing agent that is con
`tained in an indexing appliance. The virtual server is located
`on a physical server and is one of a plurality of virtual system
`instances on a common physical server. The indexing appli
`ance is separate from the virtual server and, as Such, the
`indexing agent is not executed within the virtual server, itself.
`The indexing agent retrieves a virtual image of the virtual
`server and indexes the virtual image to extract features indica
`tive of changes in the virtual server. These features are ana
`lyzed to perform passive monitoring of the virtual server.
`Since the indexing appliance is separate from the virtual
`server for which passive monitoring is being performed, the
`indexing agent can perform the retrieving and the indexing
`without utilizing agents executing within the virtual server.
`
`
`
`212
`
`210
`
`
`
`214
`
`
`
`230
`
`X2
`
`&
`
`WIZ, Inc. EXHIBIT - 1040
`WIZ, Inc. v. Orca Security LTD.
`
`

`

`Patent Application Publication
`
`May 2, 2013
`
`Sheet 1 of 6
`
`US 2013/0111018 Al
`
`
`
`
`
`
`
`
`
`
`VIRTUAL IMAGE
`
`
`
`
`
`
`ACCESSOR MODULE 142
`
`VIRTUAL SERVER
`
`
`
`
`
`
`
`COMPONENT
`PROCESSING
`
`
`
`
`PROGRAM 140
`
`PASSIVE MONITORING
`
`
`
`
`MEMORY 110
`
`
`
`
`
`
`
`COMPUTING DEVICE 104
`
`COMPUTER SYSTEM 102
`
`Figure 1
`
`
`
`
`
`
`
`
`
`
`COMPONENT
`
`
`
`
`
`
`
`
`
`
`
`
`Vv
`
`
`
`
`
`
`
`120
`USER
`
`
`
`
`
`
`
`
`
`
`EXTRACTED FEATURES
`VIRTUAL IMAGE
`
`
`
`
`
`
`
`
`
`
`
`
`
`STORAGE SYSTEM 1
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`ANALYZER MODULE 148
`
`VIRTUAL IMAGE
`
`INDEXING MODULE 14
`
`VIRTUAL IMAGE
`
`RETRIEVER MODULE 144
`
`
`
`
`
`
`
`
`
`
`
`

`

`Patent Application Publication
`
`May 2, 2013
`
`Sheet 2 of 6
`
`US 2013/0111018 Al
`
`230
`
`
`
`
`
`
`
`
`
`
`2
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`210
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`216
`
`
`
`
`
`
`
`
`
`
`Figure 2
`
`

`

`Patent Application Publication
`Patent Application Publication
`
`May 2, 2013 Sheet 3 of 6
`May 2, 2013 Sheet 3 of 6
`
`US 2013/0111018 A1
`US 2013/0111018 Al
`
`
`
`
`
`
`
`F?Z (GIOVINI) XHOVLS GIRIVAALHOS
`
`
`
`ZETMOSIANAdAHNOLLVZITVO.LUIA
`
`
`
`Z?Ž HOSIAHGHdAH NOILVZITIVQ L'HIA
`
`
`
`
`
`£ 9.InáI
`
`0cz__7 €WNSLy
`'tre(LUVUOTad)AAISSVd|OFZSNOLLVOI'IddVINAVDNIMOLINOW
`
`
`
`
`
`
`
`
`
`
`PEC(ADVINDMOVLSAUNVMA.LAOS
`
`
`
`
`
`SE7CHAANAS-FAM/ASVAGAVMATAIGIA
`
`
`
`
`
`957 INGILSAS ONI LVRIGIJO
`
`
`
`9€7INA.LSASDNLLVYAdO
`
`

`

`Patent Application Publication
`
`May 2, 2013
`
`Sheet 4 of 6
`
`US 2013/0111018 Al
`
`342
`
`340
`
`CNCATAON CA Chet
`
`
`
`
`
`
`
`
`
`
`
`
`
`TAA
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
` 0
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
` Virtual Image
`
`
`
`
`
`
`
`332
`
`/
`
` 310
`
`
`
`Figure 4
`
`AN
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`N
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`_
`
`Features
`Extracted
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`Software Stack
`Pre-Configured
`
`
`
`
`
`
`
`
`System
`Storage
`
`318
`
`
`
`
`\
`
`352
`
`

`

`Patent Application Publication
`Patent Application Publication
`
`May 2, 2013 Sheet 5 of 6
`May 2, 2013 Sheet 5 of 6
`
`US 2013/0111018 A1
`US 2013/0111018 Al
`
`
`
`
`HONVHDINVITdANOOD
`
`WONVHDINVITANOOD
`
`“NONTVINAGIDOV
`00r__7”
`
`“NONSNODITTVIN
`— NON TWOLNOHOITOOV
`
`
`(H?NVHO JLNVITI,IIANOO — NON
`S[]OIOITVIAN
`ATAVIddOOV
`SCHONVHO
`SHDNVHO
`
`GHT|{{IVIL, IGIOOV
`
`
`(H?NVHO JLNVITI, IIANOO
`
`TySMOVLS
`
`[#7 SXIOWLS GIGIRI[15)I HINOO-CHRICH
`
`§ONS
`
`GWaNSOLNOD “Wad
`
`
`
`
`
`
`
`
`
`
`
`VZI?7 VIVOI XHOVILS
`
`VelVIVOMOVLS
`
`aclrVLVGMOVLS
`
`

`

`Patent Application Publication
`Patent Application Publication
`
`May 2, 2013 Sheet 6 of 6
`May 2, 2013 Sheet 6 of 6
`
`US 2013/0111018 A1
`US 2013/0111018 Al
`
`00s__7”
`
`
`TVALDUIAXUONI
`
`TVÍTALRILA XHOINI
`
`GIOVIAI
`HOVAI
`
`GIZATIVNV
`AZAXIVNV
`
`
`
`HOVALTVOLATA
`
`
`
`
`
`GIOVINI TVQ JLRHIA
`
`
`
`HOVALTVOLATA
`
`
`
`
`
`GIOVINI TVQ JLRHIA
`
`
`
`
`TVOLDYIASSHOOV
`
`TVÍTALRILA SSCHOOV
`
`RICHARIGIS
`UHANAS
`
`CHACHIRIJLGIRI
`WAATHLAY
`
`9WINS
`
`
`

`

`US 2013/011 1 0 18 A1
`US 2013/0111018 Al
`
`May 2, 2013
`May2, 2013
`
`PASSIVE MONITORING OF VIRTUAL
`PASSIVE MONITORING OF VIRTUAL
`SYSTEMS USINGAGENT-LESS, OFFLINE
`SYSTEMS USING AGENT-LESS, OFFLINE
`INDEXING
`INDEXING
`
`CROSS-REFERENCE TO RELATED
`CROSS-REFERENCE TO RELATED
`APPLICATIONS
`APPLICATIONS
`0001. This patent application claims the benefit of co
`[0001] This patent application claims the benefit of co-
`pending U.S. Provisional Application No. 61/552,797, filed
`pending U.S. Provisional Application No. 61/552,797,filed
`on Oct. 28, 2011, which is hereby incorporated herein by
`on Oct. 28, 2011, which is hereby incorporated herein by
`reference.
`reference.
`0002 This patent application is related to patent applica
`[0002] This patent applicationis related to patent applica-
`
`tion filed concurrently herewith, Ser. No.
`, Attorney
`tion filed concurrently herewith, Ser. No.
`, Attorney
`Docket Number YOR9201 10713US1, entitled PASSIVE
`Docket Number YOR920110713US1, entitled PASSIVE
`MONITORING OF VIRTUAL SYSTEMSUSING EXTEN-
`MONITORING OF VIRTUAL SYSTEMS USING EXTEN
`SIBLE INDEXING.
`SIBLE INDEXING.
`
`accompanying agent, increases, the impact of the agents on
`accompanying agent, increases, the impact of the agents on
`the capacity, function and/or communications of the com
`the capacity, function and/or communications of the com-
`puter system increases, and these agents use resources that
`puter system increases, and these agents use resources that
`could otherwise be devoted to the designed function of the
`could otherwise be devoted to the designed function of the
`computer system.
`computer system.
`
`TECHNICAL FIELD
`TECHNICAL FIELD
`0003. The subject matter of this invention relates generally
`[0003] The subject matterofthis inventionrelates generally
`to computer systems management. More specifically, aspects
`to computer systems management. Morespecifically, aspects
`of the present invention provide a solution for improved pas
`of the present invention provide a solution for improved pas-
`sive monitoring in a complex virtual environment.
`sive monitoring in a complex virtual environment.
`
`SUMMARY
`SUMMARY
`0008. In general, aspects of the present invention provide
`[0008]
`In general, aspects of the present invention provide
`a solution for passively monitoring a computer system. In an
`a solution for passively monitoring a computer system. In an
`embodiment, a virtual server is accessed by an indexing agent
`embodiment,a virtual server is accessed by an indexing agent
`that is contained in an indexing appliance. The virtual server
`that is contained in an indexing appliance. The virtual server
`is located on a physical server and is one of a plurality of
`is located on a physical server and is one of a plurality of
`virtual system instances on a common physical server. The
`virtual system instances on a commonphysical server. The
`indexing appliance is separate from the virtual server and, as
`indexing appliance is separate from the virtual server and, as
`Such, the indexing agent is not executed within the virtual
`such, the indexing agent is not executed within the virtual
`server, itself. The indexing agent retrieves a virtual image of
`server, itself. The indexing agentretrieves a virtual image of
`the virtual server and indexes the virtual image to extract a set
`the virtual server and indexesthe virtual image to extract a set
`of features indicative of changes in the virtual server. One or
`of features indicative of changesin thevirtual server. One or
`more of these extracted features are analyzed to perform
`more of, these extracted features are analyzed to perform
`passive monitoring of the virtual server. Since the indexing
`passive monitoring of the virtual server. Since the indexing
`appliance is separate from the virtual server for which passive
`applianceis separate from the virtual server for which passive
`monitoring is being performed, the indexing agent can per
`monitoring is being performed, the indexing agent can per-
`form the retrieving and the indexing without utilizing agents
`form theretrieving and the indexing withoututilizing agents
`BACKGROUND
`BACKGROUND
`executing within the virtual server.
`executing within the virtual server.
`0004. In the electronic environment of today, computer
`0009. A first aspect of the invention provides a method for
`[0004]
`In the electronic environment of today, computer
`[0009]Afirst aspect of the invention provides a method for
`passively monitoring a computer system, comprising: access
`systems undergo constant changes. In order to keep up with
`systems undergo constant changes. In order to keep up with
`passively monitoring a computer system, comprising: access-
`these changes, it is important that users of these systems be
`ing a virtual server by an indexing agent that is contained in an
`these changes, it is important that users of these systems be
`ing a virtual server by an indexing agent that is contained in an
`able to monitor the systems. Monitoring can be classified into
`indexing appliance separate from the virtual server, the Vir
`able to monitor the systems. Monitoring can be classified into
`indexing appliance separate from the virtual server, the vir-
`several different types, including active monitoring and pas
`tual server being one of a plurality of virtual system instances
`several different types, including active monitoring and pas-
`tual server being one ofa plurality of virtual system instances
`sive monitoring. Passive monitoring includes any observation
`ona common physical server, retrieving a virtual image of the
`sive monitoring. Passive monitoring includes any observation
`onacommonphysical server; retrieving a virtual image ofthe
`that does not modify a computer system. To this extent, pas
`virtual server by the indexing agent; indexing the virtual
`that does not modify a computer system. To this extent, pas-
`virtual server by the indexing agent; indexing the virtual
`sive monitoring can include Scanning a file system to perform
`image by the indexing appliance to extract a set of features
`sive monitoring can include scanning a file system to perform
`image by the indexing appliance to extract a set of features
`a compliance check, Scanning a registry to determine which
`indicative of changes in the virtual server; and analyzing at
`a compliance check, scanning a registry to determine which
`indicative of changes in the virtual server; and analyzing at
`applications are currently installed on the system, security
`least one of the set of features to perform passive monitoring
`applications are currently installed on the system, security
`least one oftheset of features to perform passive monitoring
`scanning, file system inspection, license usage monitoring,
`of the virtual server, wherein the retrieving and the indexing
`scanning, file system inspection, license usage monitoring,
`of the virtual server, wherein the retrieving and the indexing
`are performed without utilizing agents executing within the
`and the like. In contrast, activities, such as patching, applying
`and thelike. In contrast, activities, such as patching, applying
`are performed without utilizing agents executing within the
`a security update, etc., that involve modification of the com
`virtual server.
`virtual server.
`a security update, etc., that involve modification of the com-
`puter system are referred to as active monitoring.
`0010. A second aspect of the invention provides a system
`puter system are referred to as active monitoring.
`[0010] A secondaspectof the invention provides a system
`for passively monitoring a computer system, comprising: a
`0005 Standardization can be an asset in effective systems
`[0005]
`Standardization can be an asset in effective systems
`for passively monitoring a computer system, comprising: a
`management. Standardization of a data center helps custom
`physical server having a plurality of virtual system instances
`management. Standardization of a data center helps custom-
`physical server having a plurality of virtual system instances
`operating thereon; and an indexing appliance operating on the
`ers control maintenance costs by limiting the number of dif
`ers contro] maintenancecosts by limiting the numberofdif-
`operating thereon; and an indexing appliance operating on the
`physical server, which performs a method comprising: using
`ferent variations of systems running in the data center. This
`ferent variations of systems running in the data center. This
`physical server, which performs a method comprising: using
`an indexing agent that is contained in the indexing appliance
`allows costs to grow in proportion to the number of different
`allows costs to grow in proportion to the numberofdifferent
`an indexing agent that is contained in the indexing appliance
`Software configurations rather than in proportion to the num
`to access a virtual server from among the plurality of virtual
`software configurations rather than in proportion to the num-
`to access a virtual server from amongthe plurality of virtual
`ber of different instances of those configurations.
`systems instances, the virtual server being separate from the
`ber of different instances of those configurations.
`systemsinstances, the virtual server being separate from the
`indexing appliance; retrieving a virtual image of the virtual
`0006 To realize some of the benefits of standardization,
`[0006]
`To realize some of the benefits of standardization,
`indexing appliance; retrieving a virtual image ofthe virtual
`server by the indexing agent; indexing the virtual image by
`providers of a computer system can insure that all deployed
`providers of a computer system can insurethatall deployed
`server by the indexing agent; indexing the virtual image by
`the indexing appliance to extract a set of features indicative of
`instances begin their lifecycle from one or more standard
`instances begin their lifecycle from one or more standard
`the indexing appliance to extract a set of features indicative of
`“images' or pre-configured software stacks. However, once
`changes in the virtual server, and analyzing at least one of the
`“images” or pre-configured software stacks. However, once
`changes in thevirtual server; and analyzing at least one ofthe
`set of features to perform passive monitoring of the virtual
`an instance begins execution, it can deviate from this stan
`an instance begins execution, it can deviate from this stan-
`set of features to perform passive monitoring of the virtual
`server, wherein the retrieving and the indexing are performed
`dardized state due to changes within the instance. These
`dardized state due to changes within the instance. These
`server, wherein the retrieving and the indexing are performed
`without utilizing agents executing within the virtual server.
`changes can be accidental, intentional but without harmful
`changes can be accidental, intentional but without harmful
`withoututilizing agents executing within the virtual server.
`intent, or malicious in nature. In any case, these con-compli
`0011. A third aspect of the invention provides a computer
`intent, or malicious in nature. In any case, these con-compli-
`[0011] A third aspect of the invention provides a computer
`program product embodied in a computer readable medium
`ant deviations can cause the particular instance not to function
`ant deviations can cause theparticularinstance notto function
`program product embodied in a computer readable medium
`correctly and/or can affect the efficiency of the instance
`for implementing a method for passively monitoring a com
`correctly and/or can affect the efficiency of the instance
`for implementing a method for passively monitoring a com-
`within the overall computer system, possibly impacting other
`puter system, the method comprising: accessing a virtual
`within the overall computer system, possibly impacting other
`puter system, the method comprising: accessing a virtual
`instances and/or the overall efficiency of the computer sys
`server by an indexing agent that is contained in an indexing
`instances and/or the overall efficiency of the computer sys-
`server by an indexing agent that is contained in an indexing
`tem.
`appliance separate from the virtual server, the virtual server
`tem.
`appliance separate from the virtual server, the virtual server
`being one of a plurality of virtual system instances on a
`0007 Existing solutions for providing drift detection and
`[0007] Existing solutions for providing drift detection and
`being one of a plurality of virtual system instances on a
`other passive monitoring services use agents that must be
`common physical server; retrieving a virtual image of the
`other passive monitoring services use agents that must be
`common physical server; retrieving a virtual image of the
`virtual server by the indexing agent; indexing the virtual
`installed inside every system instance. These agents periodi
`installed inside every system instance. These agents periodi-
`virtual server by the indexing agent; indexing the virtual
`image by the indexing appliance to extract a set of features
`cally scan some or all portions of the file system of the
`cally scan some or all portions of the file system of the
`image by the indexing appliance to extract a set of features
`indicative of changes in the virtual server; and analyzing at
`instance and send the scanned informationto a centralserver.
`instance and send the Scanned information to a central server.
`indicative of changes in the virtual server; and analyzing at
`least one of the set of features to perform passive monitoring
`However, as the number of instances, and each instance's
`However, as the number of instances, and each instance’s
`least one oftheset of features to perform passive monitoring
`
`

`

`US 2013/011 1 0 18 A1
`US 2013/0111018 Al
`
`May 2, 2013
`May2, 2013
`
`of the virtual server, wherein the retrieving and the indexing
`of the virtual server, wherein the retrieving and the indexing
`are performed without utilizing agents executing within the
`are performed without utilizing agents executing within the
`virtual server.
`virtual server.
`0012. A fourth aspect of the present invention provides a
`[0012] A fourth aspect of the present invention provides a
`method for deploying an application for passively monitoring
`methodfor deploying an application for passively monitoring
`a computer system, comprising: providing a computer infra
`a computer system, comprising: providing a computerinfra-
`structure being operable to: access a virtual server by an
`structure being operable to: access a virtual server by an
`indexing agent that is contained in an indexing appliance
`indexing agent that is contained in an indexing appliance
`separate from the virtual server, the virtual server being one of
`separate from the virtualserver, the virtual server being one of
`a plurality of virtual system instances on a common physical
`a plurality of virtual system instances on a commonphysical
`server; retrieve a virtual image of the virtual server by the
`server; retrieve a virtual image of the virtual server by the
`indexing agent; index the virtual image by the indexing appli
`indexing agent; indexthe virtual image by the indexing appli-
`ance to extract a set of features indicative of changes in the
`ance to extract a set of features indicative of changes in the
`virtual server; and analyze at least one of the set of features to
`virtualserver; and analyze at least one oftheset of featuresto
`perform passive monitoring of the virtual server, wherein the
`perform passive monitoring of the virtual server, wherein the
`retrieving and the indexing are performed without utilizing
`retrieving and the indexing are performed without utilizing
`agents executing within the virtual server.
`agents executing within the virtual server.
`0013 Still yet, any of the components of the present inven
`[0013]
`Still yet, any ofthe componentsofthe present inven-
`tion could be deployed, managed, serviced, etc., by a service
`tion could be deployed, managed, serviced, etc., by a service
`provider who offers to implement passive monitoring in a
`provider who offers to implement passive monitoring in a
`computer system.
`computer system.
`0014 Embodiments of the present invention also provide
`[0014] Embodiments ofthe present invention also provide
`related systems, methods and/or program products.
`related systems, methods and/or program products.
`
`BRIEF DESCRIPTION OF THE DRAWINGS
`BRIEF DESCRIPTION OF THE DRAWINGS
`0015 These and other features of this invention will be
`[0015] These and other features of this invention will be
`more readily understood from the following detailed descrip
`morereadily understood from the following detailed descrip-
`tion of the various aspects of the invention taken in conjunc
`tion of the various aspects of the invention taken in conjunc-
`tion with the accompanying drawings in which:
`tion with the accompanying drawings in which:
`0016 FIG. 1 shows an illustrative computer system
`[0016]
`FIG. 1
`shows an illustrative computer system
`according to embodiments of the present invention.
`according to embodiments of the present invention.
`0017 FIG. 2 shows a virtualized datacenter environment
`[0017]
`FIG. 2 showsa virtualized datacenter environment
`according to embodiments of the invention.
`according to embodiments of the invention.
`0018 FIG.3 shows an example virtual server according to
`[0018]
`FIG. 3 shows an examplevirtual server according to
`embodiments of the invention.
`embodiments of the invention.
`0019 FIG. 4 shows an example server having an indexing
`[0019]
`FIG. 4 shows an example server having an indexing
`appliance according to embodiments of the invention.
`appliance according to embodiments of the invention.
`0020 FIG. 5 shows example comparison analyses accord
`[0020] FIG.5 shows example comparison analyses accord-
`ing to embodiments of the invention.
`ing to embodiments of the invention.
`0021
`FIG. 6 shows an example flow diagram according to
`[0021]
`FIG. 6 shows an example flow diagram according to
`embodiments of the invention.
`embodiments of the invention.
`0022. The drawings are not necessarily to scale. The draw
`[0022] The drawingsare not necessarily to scale. The draw-
`ings are merely schematic representations, not intended to
`ings are merely schematic representations, not intended to
`portray specific parameters of the invention. The drawings are
`portray specific parameters ofthe invention. The drawingsare
`intended to depict only typical embodiments of the invention,
`intendedto depict only typical embodimentsofthe invention,
`and therefore should not be considered as limiting the scope
`and therefore should not be considered as limiting the scope
`of the invention. In the drawings, like numbering represents
`of the invention. In the drawings, like numbering represents
`like elements.
`like elements.
`
`DETAILED DESCRIPTION
`DETAILED DESCRIPTION
`0023. As indicated above, aspects of the present invention
`[0023] As indicated above, aspects of the present invention
`provide a solution for passively monitoring a computer sys
`provide a solution for passively monitoring a computer sys-
`tem. In an embodiment, a virtual server is accessed by an
`tem. In an embodiment, a virtual server is accessed by an
`indexing agent that is contained in an indexing appliance. The
`indexing agent that is contained in an indexing appliance. The
`virtual server is located on a physical server and is one of a
`virtual server is located on a physical server and is one of a
`plurality of virtual system instances on a common physical
`plurality of virtual system instances on a commonphysical
`server. The indexing appliance is separate from the virtual
`server. The indexing appliance is separate from the virtual
`server and, as Such, the indexing agent is not executed within
`server and, as such, the indexing agentis not executed within
`the virtual server, itself. The indexing agent retrieves a virtual
`the virtual server, itself. The indexing agentretrieves a virtual
`image of the virtual server and indexes the virtual image to
`imageof the virtual server and indexes the virtual image to
`extract features indicative of changes in the virtual server.
`extract features indicative of changes in the virtual server.
`These features are analyzed to perform passive monitoring of
`These features are analyzed to perform passive monitoring of
`the virtual server. Since the indexing appliance is separate
`the virtual server. Since the indexing appliance is separate
`
`from the virtual server for which passive monitoring is being
`from the virtual server for which passive monitoring is being
`performed, the indexing agent can perform the retrieving and
`performed,the indexing agent can perform the retrieving and
`the indexing without utilizing agents executing within the
`the indexing without utilizing agents executing within the
`virtual server.
`virtual server.
`0024 Turning to the drawings, FIG. 1 shows an illustrative
`[0024] Turning to the drawings, FIG. 1 showsanillustrative
`environment 100 for passively monitoring a computer sys
`environment 100 for passively monitoring a computer sys-
`tem. To this extent, environment 100 includes a computer
`tem. To this extent, environment 100 includes a computer
`system 102 that can perform a process described herein in
`system 102 that can perform a process described herein in
`order to passively monitor a computer system. In particular,
`order to passively monitor a computer system.In particular,
`computer system 102 is shown including a computing device
`computer system 102 is shown including a computing device
`104 that includes a passive monitoring program 140, which
`104 that includes a passive monitoring program 140, which
`makes computing device 104 operable to passively monitor a
`makes computing device 104 operable to passively monitor a
`computer system by performing a process described herein.
`computer system by performing a process described herein.
`0025 Computing device 104 is shown including a pro
`[0025] Computing device 104 is shown including a pro-
`cessing component 106 (e.g., one or more processors), a
`cessing component 106 (e.g., one or more processors), a
`memory 110, a storage system 118 (e.g., a storage hierarchy),
`memory 110, a storage system 118 (e.g., a storage hierarchy),
`an input/output (I/O) interface component 114 (e.g., one or
`an input/output (I/O) interface component 114 (e.g., one or
`more I/O interfaces and/or devices), and a communications
`more I/O interfaces and/or devices), and a communications
`pathway 112. In general, processing component 106 executes
`pathway 112. In general, processing component 106 executes
`program code. Such as passive monitoring program 140,
`program code, such as passive monitoring program 140,
`which is at least partially fixed in memory 110. To this extent,
`whichis at least partially fixed in memory 110. To this extent,
`processing component 106 may comprise a single processing
`processing component 106 may comprise a single processing
`unit, or be distributed across one or more processing units in
`unit, or be distributed across one or more processing units in
`one or morelocations.
`one or more locations.
`0026 Memory 110 also can include local memory,
`[0026] Memory 110 also can include local memory,
`employed during actual execution of the program code, bulk
`employed during actual execution of the program code, bulk
`storage (storage 118), and/or cache memories (not shown)
`storage (storage 118), and/or cache memories (not shown)
`which provide temporary storage of at least some program
`which provide temporary storage of at least some program
`code in order to reduce the number of times code must be
`code in order to reduce the number of times code must be
`retrieved from bulk storage 118 during execution. As such,
`retrieved from bulk storage 118 during execution. As such,
`memory 110 may comprise any known type of temporary or
`memory 110 may comprise any knowntype of temporary or
`permanent data storage media, including magnetic media,
`permanent data storage media, including magnetic media,
`optical media, random access memory (RAM), read-only
`optical media, random access memory (RAM), read-only
`memory (ROM), a data cache, a data object, etc. Moreover,
`memory (ROM), a data cache, a data object, etc. Moreover,
`similar to processing unit 116, memory 110 may reside at a
`similar to processing unit 116, memory 110 mayreside at a
`single physical location, comprising one or more types of data
`single physical location, comprising one or more types ofdata
`storage, or be distributed across a plurality of physical sys
`storage, or be distributed across a plurality of physical sys-
`tems in various forms.
`tems in various forms.
`0027. While executing program code, processing compo
`[0027] While executing program code, processing compo-
`nent 106 can process data, which can result in reading and/or
`nent 106 can process data, which can result in reading and/or
`writing transformed data from/to memory 110 and/or I/O
`writing transformed data from/to memory 110 and/or I/O
`component 114 for further processing. Pathway 112 provides
`component114 for further processing. Pathway 112 provides
`a direct or indirect communications link between each of the
`a director indirect communications link between each of the
`components in computer system 102. I/O interface compo
`components in computer system 102. I/O interface compo-
`nent 114 can comprise one or more human I/O devices, which
`nent 114 can comprise one or more humanI/O devices, which
`enable a human user 120 to interact with computer system
`enable a humanuser 120 to interact with computer system
`102 and/or one or more communications devices to enable a
`102 and/or one or more communications devices to enable a
`system user 120 to communicate with computer system 102
`system user 120 to communicate with computer system 102
`using any type of communications link.
`using any type of communicationslink.
`0028. To this extent, passive monitoring program 140 can
`[0028]
`To this extent, passive monitoring program 140 can
`manage a set of interfaces (e.g., graphical user interface(s),
`managea set of interfaces (e.g., graphical user interface(s),
`application program interface, and/or the like) that enable
`application program interface, and/or the like) that enable
`human and/or system users 120 to interact with passive moni
`human and/or system users 120 to interact with passive moni-
`toring program 140. Users 120 could include system admin
`toring program 140. Users 120 could include system admin-
`istrators and/or clients utilizing resources in a virtual data
`istrators and/or clients utilizing resources in a virtual data
`center environment 200 (FIG. 2), among others. Further, pas
`center environment 200 (FIG. 2), amongothers. Further, pas-
`sive monitoring program 140 can manage (e.g., store,
`sive monitoring program 140 can manage (e.g.,
`store,
`retrieve, create, manipulate, organize, present, etc.) the data
`retrieve, create, manipulate, organize, present, etc.) the data
`in storage system 118, including, but not limited to a virtual
`in storage system 118, including, but not limited to a virtual
`image 152 and/or extracted features 154, using any solution.
`image 152 and/or extracted features 154, using any solution.
`0029. In any event, computer system 102 can comprise
`[0029]
`In any event, computer system 102 can comprise
`one or more computing devices 104 (e.g., general purpose
`one or more computing devices 104 (e.g., general purpose
`computing articles of manufacture) capable of executing pro
`computing articles of manufacture) capable of executing pro-
`gram code, Such as passive monitoring progr