addmi 16.5-discovery troubleshooting

© 2009 BMC Educational Services

Discovery Troubleshooting

Understanding the Discovery Access Page


Outline

Monitoring Discovery Current/Recent Runs Discovery Dashboard Credential/Slave usage feedback

Troubleshooting Discovery Metadata page Specific Reports

Additional Discovery Reference Material Appendix A Appendix B


Introduction

Keeping Foundations access to your environment in tip top shape is important for the best quality data

This module covers how tomonitor Foundation’s Accessand how to troubleshootproblems



Understanding the Discovery Access Page


Understanding the Discovery Access view

The Discovery Access view is the key page for troubleshooting discovery

It provides a summary view of the Directly Discovered Data for this access Device Type Session Results Methods and Scripts used Script Failure Feedback


Terminology – UNIX Scripts

Method / Script


Terminology – Windows Scripts

Method / Script


Discovery Access Page

Data is summarised into collapsible sections


Endpoint section

Shows data about when and why an endpoint was accessedLinks to related Host nodesDevice Summary field to improve contextNext and Previous Accesses


Device Summary Field - Examples

Example Device Summary fields from a range of device types


Status section

Shows data about the state of the Discovery Access Session Results only appear if there have been failures establishing a

session


Status section - Examples

Example Status sections from a variety of scenarios


Status section – Detail on UNIX

Click on the link to see the session results in sequence


Status section – Detail on Windows

Click on the link to see the session results in sequence


Discovery Details section

Shows the credential/slave used if for successful discovery Also shows if the data came from a scanning appliance or from scanner

files


Standard Discovery section

Shows the outcome of “Standard Discovery” That is the discovery we do automatically for a Host even without

patterns loaded


Standard Discovery – Details (1)

Click through to see discovery results



Status shows the overall status



Shows the script that succeeded



Summarises up any script failure reports



Shows successful access route



The increased detail is needed to reflect the complexity of Windows discovery More Scripts Multiple access routes during the same scan


Additional Discovery section

Records discovery done by patternsSlightly different as these methods can be called multiple times by

many different patterns


Integrations section

Integrations (SQL Discovery currently) has a dedicated section


Mapping to Platform Page

The information on the Discovery Access page has been arranged to allow you to find the commands on the Platform Pages.



First use the device summary to find the right platform



The use the Method



The use the Method, Access



The use the Method, Access, Script



For WMI there is an extra page showing the script



First use the device summary to find the right platform



For UNIX the scripts are common across ssh/telnet/rlogin


Understanding Script Failures

Any script that fails to return useful output will be logged as a Script Failure

Sometimes this is normal behaviour as in methods with more than one script scripts are tried in priority order


Script Failures – Details (1)

Script name



Access



Slave Used



Error Message



Specific Reports


Discovery Conditions

Look for specific conditions where action can be taken to improve data quality

Links to vendor patches and additional detail on the Tideway website


Discovery Conditions – Locations (1)

In the Discovery Tab



On the Discovery Dashboard



On impacted Hosts


Possible Process To Port Issues

A frequent area of discovery troubleshooting is gather Process to Port connections

This data assist in understanding network dependencies and improves the detail of the Automatic Grouping

There is a specific report available to assist We will also cover how to instrument UNIX scripts for further

troubleshooting


Port to Process – Locations (1)

In the Discovery Tab


Port to Process– Locations (2)

On the Discovery Dashboard


Port to Process– Locations (3)

Contextual reports on the Discovery Run


Instrumenting UNIX Script

Edit the script to add instrumentation Doesn’t happen out of the box

Precede the command with tw_capture tw_capture <name> <command> [<args>..] <name> needs to be a unique identifier within that script

tw_capture will record the exit code and stderr

This will result in a CommandFailure node being created and linked to the discovery result But ONLY if the command fails


CommandFailure Details

tw_capture can be used in a pipeline or subprocess (e.g. backticks)

The /tmp directory must be writeable for the feature to be enabled Otherwise you will get a CommandFailure with the message “Unable to

write to /tmp”

tw_capture can also be used in scripts run from TPL patterns


CommandFailure attributes

command_name The name given to tw_capture

status The exit code (integer)

error Any text written to stderr


CommandFailure: Enable

tw_capture <name> <command> [<args>..]<name> needs to be a unique identifier within that script

If used with PRIV_XXXX the tw_capture must go first tw_capture lsof_i PRIV_LSOF lsof -l -n -P -F ptPTn -i 2>/dev/null


CommandFailure – Results (1)


CommandFailure – Results (2)


Other useful discovery reports (1)

Which Host IPs didn’t update last access? “Host Endpoints Not Updating” report Filters just to Host devices

Which Host IPs had session establishment issues last access? “Host Endpoints With Session Issues” report Filters out first access to any IP to remove initial noise on deployment



What Hosts were scanned but not accessed at last access? “Possible Endpoint Host Devices (Detailed)” report Includes both the raw OS estimate list and the discovery refined

classification

What other devices have been scanned? “Possible Endpoint Non Host Devices” report Includes both the raw OS estimate list and the discovery refined

classification INCLUDES ‘Other’, ‘Embedded’ and ‘Unknown’ OS Classes Handy for displaying the non Host device discovery Also handy for checking for heavily firewalled Hosts!



What other IPs should be scanned? “Seen but unscanned IPs” report “Seen but unscanned IPs with Ports” report

More detail for investigation but start with summary Shows a count of the IPs that the system has seen connections to but

has not accessed


Further Resourses

Tideway’s Online Documentation: http://www.tideway.com/confluence/display/81/Discovery

Tideway Foundation

Version 7.2

Documentation

Title

addmi 16.5-discovery troubleshooting

Technology

discovery results

successful discovery

discovery tab

discovery access page

discovery details section

standard discovery details

discovery access view

standard discovery section