Addmi 16.5-discovery troubleshooting
Published in: Technology, Education

Speaker notes
  • A quick revision of the terminology: a Method is an overall logical method to achieve discovery of a related set of information. Within each Method there are one or more Scripts that contain the knowledge of how to recover this information. In the case of UNIX these are actual shell scripts; a shell script can recover a number of properties and adapt to the slight differences between platforms.
  • Windows discovery is slightly different. Rather than using the facilities of a scripting shell, the Methods contain several atomic scripts, each recovering one element of the information needed by the Method.
  • The Device Summary field behaves slightly differently depending on what was found, so that the best summary information is given for full discovery, probe discovery and across device types. All of the data is recovered from the DDD below.
  • It is normal behaviour on initial scans, while Foundation works out which credentials and slaves to use, for there to be Session Results. Session Results are logged sequentially; the hidden timeindex field can be used to reconstruct the sequence. Normally the successful session does not create a Session Result, to save storage, but if there have been failures it will.
  • Note that we always try UNIX login ahead of Windows if our cached results do not work: UNIX fails a lot quicker, so this is more efficient.
  • Notice that the credential from the scanner appliance is not a link: the credential is local to the scanning appliance, so it cannot be resolved on the consolidation appliance.
  • The status column is driven by the failure_reason attributes and is the legacy feedback technique, retained as a summary.
  • The script can be looked up on the Platforms page in Administration. If no script is recorded then none succeeded, the exception being geNames, as a DNS query is so simple it doesn't have a script.
  • There are considerably more scripts on Windows. This reflects the evolving proprietary methods across Windows versions, but also the difference from the UNIX scripts, which try several techniques internally. Neither is better or worse; they are just different. Note that even using the preferred WMI access we still have to use other techniques to gather network connection details, as these are not available via WMI.
  • Additional discovery is summarised by rolling up in the status column (driven by failure_reason). Script failure reports are reflected upwards and summarised.
  • On most platforms you need to add specific privilege elevation, and some platforms need additional software (lsof). UNIX scripts can be instrumented because they are all shell scripts and we have a function that can capture the exit code and stderr. Windows scripts cannot be instrumented, as there is no equivalent and they use a variety of techniques; this is partially mitigated by the Windows scripts being much more atomic than the UNIX ones.
  • UNIX scripts only. Use sparingly and in general do not leave it on in production: if large amounts of data are captured from standard error it can impact the system through increased load on storage.
  • After editing the discovery script and scanning the host we have now captured the command failure. Click on the link to view the result details.
  • lsof is not installed on this host in a place that the user we logged in as could find.
Slides

1. Discovery Troubleshooting – Understanding the Discovery Access Page
2. Outline
   - Monitoring Discovery
     - Current/Recent Runs
     - Discovery Dashboard
     - Credential/Slave usage feedback
   - Troubleshooting Discovery
     - Metadata page
     - Specific Reports
   - Additional Discovery Reference Material
     - Appendix A
     - Appendix B
3. Introduction
   - Keeping Foundation's access to your environment in good shape is important for the best quality data
   - This module covers how to monitor Foundation's access and how to troubleshoot problems
4. Discovery Troubleshooting – Understanding the Discovery Access Page (section divider)
5. Understanding the Discovery Access view
   - The Discovery Access view is the key page for troubleshooting discovery
   - It provides a summary view of the Directly Discovered Data (DDD) for this access:
     - Device Type
     - Session Results
     - Methods and Scripts used
     - Script Failure Feedback
6. Terminology – UNIX Scripts: Method / Script
7. Terminology – Windows Scripts: Method / Script
8. Discovery Access Page
   - Data is summarised into collapsible sections
9. Endpoint section
   - Shows when and why an endpoint was accessed
   - Links to related Host nodes
   - Device Summary field to improve context
   - Next and Previous Accesses
10. Device Summary Field – Examples
   - Example Device Summary fields from a range of device types
11. Status section
   - Shows the state of the Discovery Access
     - Session Results only appear if there have been failures establishing a session
12. Status section – Examples
   - Example Status sections from a variety of scenarios
13. Status section – Detail on UNIX
   - Click on the link to see the session results in sequence
14. Status section – Detail on Windows
   - Click on the link to see the session results in sequence
15. Discovery Details section
   - Shows the credential/slave used for successful discovery
     - Also shows whether the data came from a scanning appliance or from scanner files
16. Standard Discovery section
   - Shows the outcome of "Standard Discovery"
     - That is, the discovery done automatically for a Host even without patterns loaded
17. Standard Discovery – Details (1)
   - Click through to see discovery results
18. Standard Discovery – Details (2)
   - Status shows the overall status
19. Standard Discovery – Details (3)
   - Shows the script that succeeded
20. Standard Discovery – Details (4)
   - Summarises any script failure reports
21. Standard Discovery – Details (5)
   - Shows the successful access route
22. Standard Discovery – Details (6)
   - The increased detail is needed to reflect the complexity of Windows discovery
     - More scripts
     - Multiple access routes during the same scan
23. Additional Discovery section
   - Records discovery done by patterns
   - Slightly different, as these methods can be called multiple times by many different patterns
24. Integrations section
   - Integrations (currently SQL Discovery) have a dedicated section
25–34. Mapping to Platform Page (built up over slides 25–34)
   - The information on the Discovery Access page is arranged so that you can find the commands on the Platform pages
   - First use the Device Summary to find the right platform
   - Then use the Method
   - Then the Method and Access
   - Then the Method, Access and Script
   - For WMI there is an extra page showing the script
   - For UNIX the scripts are common across ssh/telnet/rlogin
35. Understanding Script Failures
   - Any script that fails to return useful output is logged as a Script Failure
   - Sometimes this is normal behaviour: in Methods with more than one Script, the Scripts are tried in priority order
36–39. Script Failures – Details
   - Script name
   - Access
   - Slave Used
   - Error Message
40. Discovery Troubleshooting – Specific Reports
41. Discovery Conditions
   - Look for specific conditions where action can be taken to improve data quality
   - Links to vendor patches and additional detail on the Tideway website
42–44. Discovery Conditions – Locations
   - In the Discovery tab
   - On the Discovery Dashboard
   - On impacted Hosts
45. Possible Process To Port Issues
   - A frequent area of discovery troubleshooting is gathering Process to Port connections
   - This data assists in understanding network dependencies and improves the detail of Automatic Grouping
   - There is a specific report available to assist
     - We will also cover how to instrument UNIX scripts for further troubleshooting
46–48. Port to Process – Locations
   - In the Discovery tab
   - On the Discovery Dashboard
   - Contextual reports on the Discovery Run
49. Instrumenting UNIX Scripts
   - Edit the script to add instrumentation
     - Doesn't happen out of the box
   - Precede the command with tw_capture
     - tw_capture <name> <command> [<args>..]
     - <name> needs to be a unique identifier within that script
   - tw_capture records the exit code and stderr
   - This results in a CommandFailure node being created and linked to the discovery result
     - But ONLY if the command fails
50. CommandFailure Details
   - tw_capture can be used in a pipeline or subprocess (e.g. backticks)
   - The /tmp directory must be writeable for the feature to be enabled
     - Otherwise you get a CommandFailure with the message "Unable to write to /tmp"
   - tw_capture can also be used in scripts run from TPL patterns
51. CommandFailure attributes
   command_name   The name given to tw_capture
   status         The exit code (integer)
   error          Any text written to stderr
52. CommandFailure: Enable
   - tw_capture <name> <command> [<args>..]
     - <name> needs to be a unique identifier within that script
   - If used with PRIV_XXXX, tw_capture must go first:
       tw_capture lsof_i PRIV_LSOF lsof -l -n -P -F ptPTn -i 2>/dev/null
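The tw_capture procedure on slides 49–52, together with the instrumentation notes above, as an added example rather than code from the deck or from Tideway: a POSIX sh stand-in that reproduces the behaviour the slides describe, so you can see what a CommandFailure record contains before editing a real discovery script. tw_capture_demo, tw_record_failure, PRIV_LSOF (a stand-in for the PRIV_XXXX elevation prefix), listening_ports, the LSOF override and the TW_CAPTURE_TMP, TW_FAILURE_LOG and TW_CAPTURE_MAX variables are all assumptions made here; the real tw_capture writes a CommandFailure node into the datastore rather than a log file, and its internals are not shown on the page.

```sh
#!/bin/sh
# Illustrative stand-in for Tideway's tw_capture, added for this page. It is
# not the product's implementation; it reproduces only the behaviour the slides
# describe: run the wrapped command unchanged (so it still works in a pipeline
# or backticks), keep its exit code, capture its stderr via a scratch file in
# /tmp, and emit a CommandFailure-style record (command_name / status / error)
# only when the command fails. Assumptions not in the deck: the record is
# appended to $TW_FAILURE_LOG instead of becoming a CommandFailure node, and
# captured stderr is capped at $TW_CAPTURE_MAX bytes (the notes warn that large
# stderr captures add load on the appliance's storage).

: "${TW_CAPTURE_TMP:=/tmp}"                                 # must be writeable
: "${TW_FAILURE_LOG:=$TW_CAPTURE_TMP/command_failures.log}" # assumed sink
: "${TW_CAPTURE_MAX:=512}"                                  # assumed cap (bytes)

# Append one record carrying the three CommandFailure attributes from slide 51.
tw_record_failure() {
    printf 'command_name=%s status=%s error=%s\n' "$1" "$2" "$3" >>"$TW_FAILURE_LOG"
}

# tw_capture_demo <name> <command> [<args>..]
# <name> must be unique within the script; it is what you search for later.
tw_capture_demo() {
    name=$1
    shift
    # If the scratch area is not writeable, record the same "Unable to write
    # to /tmp" failure the slides mention, but still run the command so the
    # discovery output itself is unaffected by the instrumentation.
    if ! errfile=$(mktemp "$TW_CAPTURE_TMP/tw_capture.$name.XXXXXX" 2>/dev/null); then
        tw_record_failure "$name" 1 "Unable to write to $TW_CAPTURE_TMP"
        "$@"
        return $?
    fi
    # stdout passes straight through to whatever follows in the pipeline;
    # only stderr is diverted. The shell's own "not found" message for a
    # missing binary (exit 127) lands in the scratch file as well.
    status=0
    "$@" 2>"$errfile" || status=$?
    if [ "$status" -ne 0 ]; then
        tw_record_failure "$name" "$status" \
            "$(head -c "$TW_CAPTURE_MAX" "$errfile" | tr '\n' ' ')"
    fi
    rm -f "$errfile"
    return "$status"
}

# Stand-in for a PRIV_XXXX elevation prefix (on a real host this would be a
# platform-specific wrapper such as a sudo prefix); here it just runs its
# arguments so the ordering rule from slide 52 can be shown.
PRIV_LSOF() {
    "$@"
}

# The instrumented line from slide 52. tw_capture goes first so the elevation
# prefix and lsof both run under capture; the trailing 2>/dev/null applies to
# tw_capture itself, after lsof's stderr has already been captured. The LSOF
# variable is an assumption that lets a test point at a missing binary.
listening_ports() {
    tw_capture_demo lsof_i PRIV_LSOF "${LSOF:-lsof}" -l -n -P -F ptPTn -i 2>/dev/null
}

# Run "sh thisfile.sh --demo" to try it on the local host.
if [ "${1:-}" = "--demo" ]; then
    listening_ports || echo "lsof failed with status $?; see $TW_FAILURE_LOG"
fi
```

Run it as the discovery user on a host where lsof is missing from that user's PATH and the record you get is the status=127 "not found" case the notes describe for the missing-lsof example. Two points from slide 50 are visible in the code: stdout is never touched, so the wrapper is safe inside a pipeline or backticks, and the 2>/dev/null on the lsof line belongs to tw_capture rather than to lsof, so the stderr text still reaches the record.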
53. CommandFailure – Results (1)
54. CommandFailure – Results (2)
55. Other useful discovery reports (1)
   - Which Host IPs didn't update at last access?
     - "Host Endpoints Not Updating" report
     - Filters to Host devices only
   - Which Host IPs had session establishment issues at last access?
     - "Host Endpoints With Session Issues" report
     - Filters out the first access to any IP, to remove initial noise on deployment
56. Other useful discovery reports (2)
   - What Hosts were scanned but not accessed at last access?
     - "Possible Endpoint Host Devices (Detailed)" report
     - Includes both the raw OS estimate list and the discovery-refined classification
   - What other devices have been scanned?
     - "Possible Endpoint Non Host Devices" report
     - Includes both the raw OS estimate list and the discovery-refined classification
     - INCLUDES the 'Other', 'Embedded' and 'Unknown' OS classes
     - Handy for displaying non-Host device discovery
     - Also handy for checking for heavily firewalled Hosts!
57. Other useful discovery reports (3)
   - What other IPs should be scanned?
     - "Seen but unscanned IPs" report
     - "Seen but unscanned IPs with Ports" report
       - More detail for investigation, but start with the summary
     - Shows a count of the IPs that the system has seen connections to but has not accessed
58. Further Resources
   - Tideway's Online Documentation: http://www.tideway.com/confluence/display/81/Discovery

Tideway Foundation Version 7.2 Documentation
