Opsview Knowledge Center

Auto Discovery

Overview of Auto Discovery in Opsview Monitor

This section will cover Auto Discovery, including an overview of what it is, how it works, how to configure scans and more.

You need to have CONFIGUREHOSTS permission to access the Auto-Discovery application, otherwise the standard error page will be displayed.

What is Auto Discovery and How Does it Work?

Auto Discovery is a section within the 'Settings' menu that provides you with the ability to automatically discover and profile Hosts detected on specified networks. These hosts can then be added into the Opsview Monitor configuration.

The initial 'Auto Discovery > Scan Management' window

The initial 'Auto Discovery > Scan Management' window

The initial window above is referred to as the 'Scan Management' window; this is where scans are configured, viewed and deleted. Users can also choose to configure the 'Settings' for Auto Discovery here.

Auto Discovery 'tool bar'

Auto Discovery 'tool bar'

There are six buttons on the tool bar for Auto Discovery. These are:

  • Network Scan: Uses ICMP and other methods to scan for Hosts within a specified IP address range.
  • VMware Scan: Looking for all running guests on a VMware Host using the VMware API.
  • Scheduled Scans: Network scans that have been configured to run at scheduled intervals, i.e. once a week.
  • Cancel All Scans: Cancels all scans that are currently running. This does not affect scans that have been created ('Configured') but not run, nor scans that have completed.
  • Help: Button that loads user documentation.
Scan Management showing a running Network Scan and a configured Network Scan

Scan Management showing a running Network Scan and a configured Network Scan

States

A Network/VMware Scan will transition between one of 4 'states' within Scan Management once configured. These states are:

  • Configured - The scan has been created and configured.
  • Pending - The scan is queued, ready to be run.
  • Running - The scan is running. Only one scan can be running at a time.
  • Completed - The scan has finished. You can now enter the sandbox view to analyze the results of the scan.

The states are displayed within the 'Status' column in Scan Management, as seen in the example image above.

Actions

Action buttons

Action buttons

You can take the following actions via the buttons on the right hand side of a Network Scan/VMware Scan, or via a right click on the contextual menu in the grid:

Icon Name Description
Start Start the scan
Stop Stop or cancel a scan if it is already running
Show Log Open a window with the log of the current scan with information about Hosts discovered
Open Results Shows the results of the scan in a new tab. Also known as the sandbox view
Edit Edit the configuration of an existing scan
Clone Clone a scan; it is not possible to rerun a scan, so you will need to clone an existing one if you want to perform the same task
Delete Deletes the scan and its results

Note: Only certain actions can be selected based on the scans current state (i.e. you cannot 'show log' when a scan is not 'running' or 'completed').

Configuring Auto Discovery

There is currently only one item that can be 'configured' globally for Auto Discovery; the 'Exclusion List'. This list is designed to provide you with the ability to specify IP's or IP ranges that are omitted when a Network or VMware Scan is running.Valid syntax examples include '10.10.10.10' (single IP), or '10.10.10.10/24' (IP range using CIDR notation).
To load the Exclusion List click on the 'Settings' button with the toolbar. This will load up the Settings window, as shown below:

Exclusion list within 'Auto Discovery > Settings' with one IP address added

Exclusion list within 'Auto Discovery > Settings' with one IP address added

In the above example, we have chosen to add the IP address 192.168.11.1 to the Exclusion List. This means that if you configured a scan in the future for a subnet containing 192.168.11.1, such as '192.168.11.0/24', then the Auto Discovery scan will 'skip' that IP address. This is a great piece of functionality for customers who have IDS (Intrusion Detection Systems) or IPS (Intrusion Prevention Systems) that have the ability to generate notifications or black-list IP's when auto-discovery is run against sensitive Hosts (as it is effectively a network and port scanner).

Configuring and Running a Network Scan

To run a network scan you must first configure a scan. To do this, click on the 'Network Scan' button which will load a modal window, as per the screen shown below:

The modal window is split into two sections or drawers; 'Basic' and 'Detection Mapping', with all mandatory fields denoted with a red star, such as the 'Job Title' and 'Run On' fields.

In the Basic drawer, the following fields are available:

  • Job Title: A name for the network scan. This is displayed within the Scan Management grid.
  • Run On: This is a drop-down of all available monitoring servers within the Opsview Monitor system. This allows you to run an auto-discovery scan from a slave server that may have access to different networks.
  • Network Addresses: Enter the network addresses that are to be scanned. Ranges can be added in either CIDR notation (i.e. /24), or via a range (192.168.2.0 ' 192.168.2.20).
  • Default Host Icon: The Host icon to apply to all discovered Hosts (can be amended later). By default, this is set to 'SYMBOL ' Server'.
  • Default Host Group: The initial Host Group used for all discovered Hosts (can be amended later).
  • Default Template: The Host template to apply to all discovered Hosts (can be amended later). By default, this is set to 'Network ' Base'.
  • Primary Address Based On (IP Address/DNS Name): Within the scan results, if the primary address is based on IP then the IP will be used as the 'Primary Hostname/IP'. Otherwise, the 'Primary Hostname/IP' will be the DNS name.
  • Strip Base Domains for Host Title: If 'DNS name' is used in 'Primary Address Based On', then the list of base domains entered will be removed from any DNS name found. This will convert 'cisco2611.opsview.com' to 'cisco2611' if we enter 'opsview.com' here.

In the Detection Mapping section, there are five options:

  • Detect network services: If this option is checked, then the following services will be automatically detected: FTP (TCP port 21), SSH (TCP port 22), SMTP (TCP port 25), DNS (TCP port 53), HTTP (TCP port 80), Kerberos (TCP port 88), POP3 (TCP port 110), NNTP (TCP port 119), NTP (TCP port 123), IMAP (TCP port 143), LDAP (TCP port 389), HTTPS (TCP port 443) and RDP (TCP port 3389). These ports are non-editable, and are used purely to provide an insight into the Hosts, so that you can choose to add the relevant Host templates to the Hosts once the scan has completed.
  • Detect SNMP agents: If this option is checked, then the Auto Discovery scanner will attempt to authenticate and communicate with each Host via SNMP, using the credentials specified. If the Auto Discovery scanner is successful in authenticating and communicating, it will apply the specified Host template, which is 'SNMP ' MIB-II' by default.
  • Detect Host agents: If this option is checked, then the Auto Discovery scanner will check each discovered Host to see if it is running either an Opsview Agent or a version of NRPE/NSClient. If the Auto Discovery scanner detects an Opsview Agent on Windows, for example, it will apply the 'OS ' Windows Base' template by default.
  • Detect WMI Hosts (Agentless Windows): If this option is checked the Auto Discovery scanner will check if the Host is running WMI and that it can authenticate using the credentials provided. If the Auto Discovery scanner is successful in authenticating against the detected Host it will apply the specified Host template; 'OS ' Windows Server 2008 WMI ' Base' by default.
  • Detect VMware Hosts: If this option is checked the Auto Discovery scanner will check if the Host discovered is a VMware Host. If it is, it will assign the specified Host template; 'OS ' VMware vSphere ' Host'. To run a 'VMware scan', a VMware Host must be added to Opsview Monitor first as this is the Host that will be scanned for VMware guests.

Once the options have been configured within the scan, click on 'Save' which will close the modal window and return you back to the Scan Management page. You will now be able to view your newly-created scan as below:

Note: The scan will attempt to contact each IP by using check_icmp. If a Host responds to ICMP, then detection of services and agents will be attempted. If no response by ICMP, the IP is considered to be not available.

Here the new 'Test Scan' can be viewed, in the status of 'CONFIGURED', which means it has been created but not yet executed (i.e. 'run'). At this stage, the following options are available at the far right of the scan's row:

Options available when scan is 'CONFIGURED': Start, Edit, Clone and Delete

Options available when scan is 'CONFIGURED': Start, Edit, Clone and Delete

To start the scan, click on the green 'Play' button. This will change the scan status from 'CONFIGURED' to 'PENDING', and then to 'RUNNING' as it progresses:

At this stage of the scan the only options available at the far right of the scans row are:

Options available when scan is 'CONFIGURED': Cancel, View Log and Clone

Options available when scan is 'CONFIGURED': Cancel, View Log and Clone

If the scan is running against a large number of Hosts or detecting agents/SNMP/etc for each Host, it is prudent to 'View Log' to see what is actually happening. To view the log, click on the 'View Log' icon in the scan's row or right click on the scan' and click 'View Log'. This will load a modal window, as below:

Here the output highlights what has been detected during the course of the scan.

Once the scan has finished the status will change to 'COMPLETED':

At this stage the following options are available at the far right of the scans row:

Options available when scan is 'COMPLETED': View Log, Open Results, Clone and Delete.

To view the Hosts detected via the Auto Discovery scan, click on 'Open Results' which will load the results of the scan into a new tab. These tabs are commonly referred to as a 'Sandbox':

Results window displaying the Hosts discovered during the 'Test Scan'

Results window displaying the Hosts discovered during the 'Test Scan'

As can be seen above, the Auto Discovery scan 'Test Scan' has detected and profiled 21 Hosts on the given network range. For eight of those Hosts, it was able to authenticate via SNMP and has applied the 'SNMP ' MIB-II' Host template. By default, the columns above are shown, however extra columns are available by clicking on the column headers contextual menu.

Toolbar within the Scan results

Toolbar within the Scan results

Within the sandbox / results window, there are three options available from the toolbar at the top of the screen:

  • Import into Opsview
  • Update / Bulk Update
  • Delete / Bulk Delete

Import into Opsview allows you to select one or more Hosts by checking the checkbox next to the Host and clicking the 'import into Opsview' button. This converts the discovered Hosts into 'real' Hosts that appear within 'Settings > Hosts Settings' in the main Opsview Monitor software.

Bulk update/Update window

Bulk update/Update window

Update / Bulk Update provides you with the ability to change one or more fields for a Host/group of Hosts before performing an Import into Opsview Monitor. The options available are:

  • Update Parents: Add a parent to the Hosts selected or replace the parents on the Hosts selected with a new option.
  • Update Host Group: Change the Host Group that the Host belongs to.
  • Update Host Icon: Change the icon that the Host will display.
  • Update Host Templates: Add a Host template to the selected Hosts, or choose to replace all Host templates currently on the selected Hosts with one or more new Host templates which are multi-selectable via the drop-down menu.

Delete / Bulk Delete will delete the Hosts that have had their checkboxes checked. On press of the 'Delete'/'Bulk Delete' button, a message box will appear asking for confirmation of the delete action:

Bulk delete / Delete message box

Bulk delete / Delete message box

Once a Host / series of Hosts have been imported into Opsview an icon will appear next to the them in the column next to the checkboxes. This column is sortable and contains a hyperlink through to the Host within the 'Settings > Host Settings' view:

2 imported Hosts, with hyperlink going to 'Settings > Host Settings > switch3.opsera.com'

2 imported Hosts, with hyperlink going to 'Settings > Host Settings > switch3.opsera.com'

Hyperlink clicked, the imported Host is now editable within the Settings section

Hyperlink clicked, the imported Host is now editable within the Settings section

Note: There is a maximum of 100,000 IP's that can be scanned in a single Auto Discovery scan.

Hosts within the scan result 'sandbox' can also be right-clicked, which loads a contextual menu as below:

Contextual menu of a discovered Host

Contextual menu of a discovered Host

From this contextual menu, you can choose to 'Import', 'Update' or 'Delete' on a Host by Host basis. You can also choose to add individual Hosts to the Exclusion List which was discussed earlier in Section Configuring Auto Discovery.

Configuring a Scheduled Scan

Scheduled Scans are normal Network/VMware scans that have an extra drawer entitled 'Scheduler'. To configure a scheduled scan, you should first click on the Scheduled Scans button from the Auto Discovery toolbar.

Once clicked, a modal window will appear displaying all configured and active Scheduled Scans (it will be blank by default, as we have not configured anything):

To configure a Scheduled Scan of the 'Network Scan' type, click on the button on the toolbar which will load up the familiar 'Network Scan' window that is covered in detail in Configuring and running a Network Scan. There is only one difference which is the addition of the 'Scheduler' drawer, as can be seen in the screen shown below:

Scheduled scan configuration window

Scheduled scan configuration window

Within the 'Scheduler' drawer, you have the option to tell Auto Discovery to run the configured Network Scan at a recurring interval ' e.g. every day at 23:00, or every Monday at 12:00.

In the example below we are going to configure a scan to run every Saturday evening at 19:00 and to save the past 10 historical scan results.

First, we need to configure our Network Scan fields as per the guide Configuring and running a Network Scan. Once configured, we can configure the 'Scheduler' section as below:

Schedule scan configured for 19:00 every Saturday

Schedule scan configured for 19:00 every Saturday

Once the scan is configured, clicking 'Save' will close the modal window and display the Scheduled Scans window ' this time with our newly created Scheduled Scan:

Scheduled Scans with one active Scheduled Scan

Scheduled Scans with one active Scheduled Scan

This window is the same as the 'Scan Management' tab but with one extra option, the 'checkbox' which is the 'Enabled' column. When checked, the Scheduled Scan will be considered active and will run whenever the criteria set in the 'Scheduler' tab is met. However, you may choose to 'disable' the Scheduled Scan to stop it running, as opposed to deleting it which will remove it permanently.

Configuring a VMware Scan

A VMware scan looks for all running guests on a VMware Host, and when it finds guests it can then attempt to profile them similar to a Network Scan covered in Configuring and running a Network Scan.

If the Opsview Monitor system does not have a Host that has the 'OS ' VMware vSphere ' Host' Host template applied, then the 'VMware Scan' button will give an error as below:

There are two ways to add a VMware Host: auto discover and profile a VMware Host using an Auto Discovery scan, or add the VMware Host manually and assign the 'OS ' VMware vSphere ' Host' template. Remember to 'Reload' after adding the VMware Host.

Once a VMware Host has been added to the system, the VMware Scan button will display the modal configuration window as shown below:

Populated VMware Scan

Populated VMware Scan

This VMware Scan is very similar to the Network Scan, with the main difference being the 'VMware Hosts' drop-down option within 'Basic', which allows users the ability to specify which VMware Hosts they would like to run the VMware Scan against. The 'Detection Mapping' drawer is exactly the same as that in 'Network Scan', aside from the omission of the 'VMware' section ' as we cannot detect for VMware Hosts running atop of a VMware Host.

VMware SDK

The monitoring and Auto Discovery of VMware Hosts/guests is performed via the VMware SDK. If you attempt to run a VMware Scan without first installing the VMware SDK, a warning message will appear:

To remedy this issue, please download and install the VMware SDK onto each Opsview Monitor monitoring server (Master and all Slaves). Currently, the SDK can be downloaded via this link: http://communities.vmware.com/community/vmtn/developer/forums/vsphere_sdk_perl

Once configured, the VMware Scan will run exactly the same as a Network Scan in terms of behavior and statuses/options. The main difference for VMware Scans vs Network Scans is that a VMware Scan detects guests via the API and not via ping, meaning that if a VMware guest has ping disabled but is 'online', the VMware scan will still detect and display it within the scan results.

Auto Discovery

Overview of Auto Discovery in Opsview Monitor