Best practices and FAQs

This page provides best practices and recommendations for using Discovery.

Can I use the Discovery/scans folder as the import folder?

If you are using the Discovery Tool on the same server that is running your Jira/Assets service (we do not recommend that), then do not use the scans folder of the Discovery Tool as the import folder.

The import function creates subfolders and manages the imported files inside the import folder, which conflicts with the Discovery Tool's own logic.

Simply create a separate import folder on the server and let Discovery copy the result files to that folder.

I get an error message when setting up Discovery or Collector

I get the “This implementation is not part of the Windows Platform FIPS validated cryptographic algorithms.” error message.

This problem occurs because the MD5 algorithm is not FIPS compliant. Windows Communication Foundation uses the MD5 algorithm to obtain a hash value, and that hash value is used to generate a unique name for a data contract.

To correct this behavior:

  1. Disable the "Local Security Setting System cryptography: Use FIPS compliant algorithms for encryption, hashing, and signing" policy in Windows.
  2. Go to Start > Control Panel > Administrative tools > Local Security Policy. The Group Policy dialog appears. Under the "Local Policies" heading, select "Security Options" and look for the entry, "System cryptography: Use FIPS compliant algorithms for encryption, hashing, and signing." If this entry is enabled, disable it. 
  3. Open the registry editor and browse to the following path. Make sure this registry subkey is set to 0: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\fipsalgorithmpolicy

I get the “The interface is unknown. (Exception from HRESULT: 0x800706B5)” error message

  • Run repairwmi.cmd on the client machine that's generating the WMI corruption errors. It recompiles all .mof WMI files found in the %windir%\System32\Wbem\Repository folder.

  • Execute the commands below on the client machine that's generating the WMI corruption errors.

    • Winmgmt.exe /standalonehost
      Winmgmt.exe /resetrepository

  • If the script shows that wmidiag is missing, refer to the Microsoft WMI troubleshooting documentation.

Will parallel threads improve the scan performance?

You will get the best scan performance by using two threads per CPU core.

For example, use 4 threads with 2 cores, 8 threads with 4 cores, and so on.

Using three or more threads per core will not improve scan performance.

Can I use multiple Discovery instances?

It is possible to use multiple instances of the Discovery Tool, but it is not recommended.

If the instances run scans at the same time, scan performance may be affected.

It can also cause memory leaks and affect system performance.

It is more effective to use one instance with multiple scan settings and parallel threads.

Can the scan settings overlap?

Scan settings cannot overlap.

If one setting is still running when the scheduled time of another setting arrives, the next setting starts after the running one has finished.

How do I scan a large number of destination systems?

If you reach the maximum number of scannable systems even after splitting the scan settings across the day and using 2 threads per CPU core, you need to create another Discovery server to spread the "load" across different scan systems.

(Do not create multiple Discovery instances on the same server.)

How many systems can I scan per day?

The time required for a scan depends on many factors in your environment (for example, WMI needs more execution time, how many applications are installed, custom patterns, available CPU cores), so we can only provide some example calculations. You need to work out the limits for your own environment.

The following calculations are based on the average time we have observed for each item.

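| System type | Average time |
|---|---|
| Windows client (20 applications) | 85 seconds |
| Windows Server | 45 seconds |
| Linux client/server | 20 seconds |
| macOS | 100 seconds |
| SNMP device | 2 seconds |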


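Estimates for example environments:

| Windows client | Windows Server | Linux client/server | macOS | SNMP device | Average time | Example Discovery setup |
|---|---|---|---|---|---|---|
| 50 | 20 | | | 5 | 5160 seconds | 1 scan server, 1 CPU core, 2 threads |
| 50 | 50 | 50 | | 20 | 7540 seconds | 1 scan server, 1 CPU core, 2 threads |
| 200 | 150 | 100 | 30 | 50 | 29950 seconds | 1 scan server, 2 CPU cores, 4 threads |
| 300 | 500 | 150 | 50 | 20 | 56040 seconds | 1 scan server, 2 CPU cores, 4 threads |
| 100 | 100 | 500 | | | 23000 seconds | 1 scan server, 2 CPU cores, 4 threads |
| 500 | 1500 | 1500 | | | 140000 seconds | 1 scan server, 4 CPU cores, 8 threads |
| 1000 | 2000 | 2500 | 300 | 100 | 255200 seconds | 2 scan servers, 2 CPU cores, 4 threads |
| 2000 | 2000 | 4000 | | | 340000 seconds | 2 scan servers, 4 CPU cores, 8 threads |
| 1000 | 3000 | 5000 | 1000 | 500 | 421000 seconds | 2 scan servers, 4 CPU cores, 8 threads |
| 4000 | 7000 | 4000 | | 2000 | 739000 seconds | 3 scan servers, 4 CPU cores, 8 threads |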
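The arithmetic behind these estimates, as an added Python example (not part of the original page or the product): it multiplies each system count by the page's average time and sums the results. Spreading that total evenly over servers, cores and two threads per core is an assumption made here, and the function names, the scan window and the sample environment are hypothetical.

```python
import math

# Average scan time per system in seconds, taken from the table on this page.
AVG_SECONDS = {
    "windows_client": 85,  # with 20 applications
    "windows_server": 45,
    "linux": 20,
    "macos": 100,
    "snmp": 2,
}
THREADS_PER_CORE = 2  # the page's recommendation

# One environment from the page's example table (300/500/150/50/20).
EXAMPLE_ENV = {"windows_client": 300, "windows_server": 500,
               "linux": 150, "macos": 50, "snmp": 20}


def total_scan_seconds(env):
    """Sum of count * average time for every system type in `env`."""
    unknown = set(env) - set(AVG_SECONDS)
    if unknown:
        raise ValueError(f"unknown system types: {sorted(unknown)}")
    return sum(AVG_SECONDS[kind] * count for kind, count in env.items())


def wall_clock_seconds(env, servers, cores_per_server):
    """ASSUMPTION: the work divides evenly over all threads."""
    if servers < 1 or cores_per_server < 1:
        raise ValueError("servers and cores_per_server must be >= 1")
    threads = servers * cores_per_server * THREADS_PER_CORE
    return total_scan_seconds(env) / threads


def servers_needed(env, cores_per_server, window_seconds):
    """Smallest number of scan servers that fits the window (same assumption)."""
    if cores_per_server < 1 or window_seconds <= 0:
        raise ValueError("cores_per_server and window_seconds must be positive")
    capacity = cores_per_server * THREADS_PER_CORE * window_seconds
    return max(1, math.ceil(total_scan_seconds(env) / capacity))


if __name__ == "__main__":
    print("total seconds:", total_scan_seconds(EXAMPLE_ENV))
    print("assumed wall clock:", wall_clock_seconds(EXAMPLE_ENV, 1, 2))
    # Constructed environment and a hypothetical 6-hour scan window.
    big = {"windows_client": 5000, "linux": 2000}
    print("servers needed:", servers_needed(big, 2, 6 * 3600))
```

Measure a few real scans in your own environment and replace the averages before relying on the result.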

How can we limit access to the discovered data imported into Assets in Jira Service Management?

Access to the object schema you’re importing the data to can be limited to a certain Jira group. However, members of the group jira-system-administrators can always modify the object schema settings. This schema can be restricted from members of the jira-administrators group.

Can we discover cell phones with your product?

No. By factory default, Apple iOS and Android do not support any kind of remote access such as SSH or SNMP. We cannot recommend jailbreaking or rooting your devices to gain remote access.

What kind of data can be collected from laptops (PCs & Macs)?

Discovery will find the laptops connected to your network at the time of scanning. It will collect IP and MAC addresses without using credentials to get into the machines. If you also provide credentials equivalent to a local admin, you can get much more information from the machines, such as hostname, user profiles, CPU, RAM and installed software. (See Data collected by Assets Discovery.)

We have already imported hundreds of servers and computers into [text]. What happens if we start using Assets Discovery and automatically import (mostly) the same hosts again? Will they be linked somehow?

As of the initial version of Assets Discovery, it will not consider any existing object types or objects in your Assets configuration. When you run the first import, you will need to select which object schema to import to and Assets Discovery will build up an object type structure there with all the discovered data. This topic is something we will look deeper into though.

What version of SNMP is supported by Assets Discovery?

Assets Discovery supports SNMP version 1, 2, and 3.

Is there a Linux Version of the Discovery-Tool?

Yes. Since Release 2.2.0 the Discovery Tool runs on a Linux desktop environment with Mono installed. See Using Discovery on Linux.

Why doesn't the import of the result work?

Make sure that the user running the Jira instance (Tomcat service) has read and write permissions on the configured import folder and its files.

Does a scan impact my network?

Generally, no. The average network load per scanned system is around 400kb.

Does a scan impact the remote system?

Generally, no. However, some combinations of operating systems and scanning patterns may have a measurable impact on the remote system.

Can I use the Discovery-Tool on an existing Server-System?

We do not recommend using the Discovery Tool on a system that provides any other services. The Discovery Tool needs to handle a lot of objects and will use a lot of the system memory.

After updating to 2.6.0 I get double ESXi Hosts, what can I do?

The change from collecting ESXi information via SSH or SNMP to the provided Web API can result in new object hashes for the ESXi host system.

This is related to the issue that the attribute "Serial Number" cannot be collected in some cases. We apologise for that and we hope that this issue will be fixed by VMware.

You have two options to handle that situation:

  1. If the "old" ESXi-Object(s) are not used for connected JIRA-Issues you can delete the "old" ESXi-Object(s)
  2. If you want to use the "old" ESXi-Object(s) copy the ObjectHash Value from the "new" ESXi-Object to the "old" ESXi-Object.

Now you can delete the "new" ESXi-Object and the "old" one will be updated in future.

Do I need the super administrator access credentials, such as root username and password, of each and every device that has to be scanned, which can be hundreds? Is there another way that our client's users don't have to provide us with all this compromised data?

Yes, we recommend creating a "Discovery" user that is used to connect to the systems.

Take a look at technical solutions such as LDAP or Active Directory to avoid adding hundreds of individual credentials to the Discovery Tool.

How can I create SNMP walk result data that can be used to build a custom pattern?

For an SNMP pattern you need to know which OID contains the data that you want to assign to the Assets object.

The OID values can be assigned to the "default" object properties of a Discovery Info Class or used for the Extended Information of a Discovery Info Class.

To include the numeric OIDs in the SNMP walk output, add the parameter "-O n" to the snmpwalk command.

snmpwalk -v1 -O n -c public 192.168.178.60 .iso > walk_out.txt
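One way to find the OID that holds a known value in walk_out.txt, as an added Python example (not Discovery's own code): it parses `snmpwalk -O n` output and searches the values, including values that wrap onto a second line. The sample walk is constructed, and `parse_walk`, `oid_key` and `find_oids` are hypothetical names.

```python
import re

# One "-O n" line: numeric OID, " = ", optional "TYPE:", then the value.
LINE_RE = re.compile(r"^(\.\d+(?:\.\d+)*) = (?:([A-Za-z][A-Za-z0-9-]*): ?)?(.*)$")

# Constructed sample of walk_out.txt content (not captured from a real device).
SAMPLE_WALK = '''\
.1.3.6.1.2.1.1.1.0 = STRING: "Constructed Switch OS 1.0
build 42"
.1.3.6.1.2.1.1.2.0 = OID: .1.3.6.1.4.1.99999.1
.1.3.6.1.2.1.1.3.0 = Timeticks: (123456) 0:20:34.56
.1.3.6.1.2.1.1.5.0 = STRING: "sw-lab-01"
.1.3.6.1.2.1.2.2.1.6.1 = Hex-STRING: 00 11 22 33 44 55
.1.3.6.1.2.1.47.1.1.1.1.11.1 = STRING: "SN-EXAMPLE-0001"
'''


def parse_walk(text):
    """Parse `snmpwalk -O n` output into {oid: (type, value)}."""
    walk, last = {}, None
    for line in text.splitlines():
        match = LINE_RE.match(line)
        if match:
            oid, typ, value = match.groups()
            walk[oid] = (typ or "", value.strip().strip('"'))
            last = oid
        elif last and line.strip():
            # No OID at line start: continuation of a multi-line value.
            typ, value = walk[last]
            walk[last] = (typ, value + " " + line.strip().strip('"'))
    return walk


def oid_key(oid):
    """Sort key that orders OIDs numerically rather than as strings."""
    return tuple(int(part) for part in oid.strip(".").split("."))


def find_oids(walk, needle):
    """Return the OIDs whose value contains `needle`, case-insensitively."""
    needle = needle.lower()
    hits = [oid for oid, (_, value) in walk.items() if needle in value.lower()]
    return sorted(hits, key=oid_key)


if __name__ == "__main__":
    walk = parse_walk(SAMPLE_WALK)
    for oid in find_oids(walk, "SN-EXAMPLE"):
        print(oid, walk[oid])
```

Search for a value you can read off the device itself, such as the serial number on its label, and use the OID that is returned in the pattern.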

My Discovery Service Name changed, how can I remove the "wrong" service manually?

First try to use the "Discovery.exe -u" command.

If the service is still in the List of Windows Services:

Open a Command Prompt and execute the following command with your exact Service Name.

sc delete [service name]

After restarting the system the service is uninstalled.



Last updated: October 25, 2024
