Windows Express Scan
Overview
AutoMonitor allows users to quickly and effortlessly discover and import hosts into their Opsview Monitor environment. The new wizard-based functionality simplifies and automates the scanning and configuration steps, providing a fast and reliable way of maintaining continuous monitoring of your changing Enterprise landscape.
Windows Express Scan provides a configuration wizard that guides you through quickly discovering Windows Active Directory computer objects (Hosts) within a given domain and automatically importing them into Opsview Monitor.
Windows Express Scan
Hosts discovered by the Windows Express Scan will be imported into the following Host Group structure:
Opsview > Automonitor > Windows Express Scan > {Domain} > {Hostname}
The scan will inspect discovered Hosts to allocate relevant Host Templates from the following list:
- Network - Base
- OS - Windows Base Agentless
- Application - Microsoft Hyper-V Server Agentless
- Application - Microsoft IIS Agentless
- Database - Microsoft SQL Database States Agentless
- Database - Microsoft SQL Performance Agentless
- Database - Microsoft SQL System Agentless
- Application - Microsoft DNS Agentless
- Application - Microsoft Exchange - Status
- Application - Microsoft Exchange - Mailflow
- Application - Microsoft Exchange - Database
- Application - Microsoft Exchange - Client Connectivity
Prerequisites
In order to access the AutoMonitor Application and run a Windows Express Scan, the following permissions are required:
Note
Depending on your organisation structure, you may prefer not to give users the CONFIGUREHOSTGROUPS permission and/or access to the Opsview Host Group. In this case, you need to create the Host Group Structure in advance (Opsview > Automonitor > Windows Express Scan > {Domain}) and give the user(s) running a Windows AutoMonitor Scan access only to the Domain Host Group.
Domain credentials:
- Directory-level permission to perform the PowerShell Get-ADComputer command on the Active Directory server.
- Access right to run the PowerShell Get-WindowsFeature command on the discovered servers/hosts.
- Access right to run the PowerShell Get-Service command on the discovered servers/hosts and permission to see the Microsoft Exchange Service in order to discover its presence on a server.
- Access right to run the PowerShell Get-ChildItem command and access to read the IIS path to find details of the Microsoft IIS Service.
- Permission to read Windows Registry (using the RegistryKey.OpenRemoteBaseKey method) to inspect Microsoft SQL properties.
Note
If the Domain Account does not have the right permissions, Windows Express Scan will be limited in its ability to determine what services can be monitored.
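To confirm the scan account's rights before running the wizard, the following pre-flight check exercises each of the five prerequisites above against one representative server. It is an added example, not Opsview code; the script parameters, the IIS path and the SQL registry key are assumptions, since the page does not name them.

```powershell
# Added example, not Opsview code. Run it in a PowerShell session started as the
# scan account, on a domain-joined machine with the ActiveDirectory (RSAT) module.
param(
    [Parameter(Mandatory)] [string] $AdServer,    # AD server you will give the wizard
    [Parameter(Mandatory)] [string] $TargetHost   # one representative member server
)

# Assumptions: the page does not name the IIS path or the SQL registry key it reads.
$IisPath = 'C:\inetpub'
$SqlKey  = 'SOFTWARE\Microsoft\Microsoft SQL Server'

function Test-Step {
    param([string] $Check, [string] $UsedFor, [scriptblock] $Probe)
    try {
        $null = & $Probe
        [pscustomobject]@{ Check = $Check; Result = 'OK'; UsedFor = $UsedFor; Detail = '' }
    } catch {
        [pscustomobject]@{ Check = $Check; Result = 'FAILED'; UsedFor = $UsedFor
                           Detail = $_.Exception.Message }
    }
}

$results = @(
    Test-Step 'Get-ADComputer' 'Discovering computer objects' {
        Import-Module ActiveDirectory -ErrorAction Stop
        Get-ADComputer -Filter * -Server $AdServer -ResultSetSize 1 -ErrorAction Stop
    }
    Test-Step 'Get-WindowsFeature' 'Listing installed roles and features' {
        Invoke-Command -ComputerName $TargetHost -ErrorAction Stop -ScriptBlock {
            Get-WindowsFeature -ErrorAction Stop }
    }
    Test-Step 'Get-Service' 'Seeing the Microsoft Exchange service' {
        Invoke-Command -ComputerName $TargetHost -ErrorAction Stop -ScriptBlock {
            Get-Service -ErrorAction Stop }
    }
    Test-Step 'Get-ChildItem' 'Reading the IIS path' {
        Invoke-Command -ComputerName $TargetHost -ErrorAction Stop -ArgumentList $IisPath `
            -ScriptBlock { param($Path) Get-ChildItem -Path $Path -ErrorAction Stop }
    }
    Test-Step 'OpenRemoteBaseKey' 'Inspecting Microsoft SQL properties' {
        $hive = [Microsoft.Win32.RegistryHive]::LocalMachine
        $base = [Microsoft.Win32.RegistryKey]::OpenRemoteBaseKey($hive, $TargetHost)
        # OpenSubKey returns $null when SQL is absent and throws when access is denied.
        try { $null = $base.OpenSubKey($SqlKey) } finally { $base.Close() }
    }
)

$results | Format-Table -AutoSize -Wrap
if ($results.Result -contains 'FAILED') { exit 1 }
```

Read the Detail column before changing any rights: a "Cannot find path" failure on the Get-ChildItem row means the assumed IIS path is absent on that server, not that access was denied.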
Running a Scan
The AutoMonitor Windows Express Scan feature is accessible from the Configuration > AutoMonitor menu. When selecting this option you will be presented with the following screen:
Select Windows to start with the AutoMonitor Windows Express configuration wizard.
- In the first step of the configuration wizard (Windows > Input your domain name), as per the screen shown below, you need to enter your Active Directory Domain name. Note that if you are using Kerberos authentication then this should be the same as the realm and is case sensitive.
- Then click on Next.
- In the second step of the configuration wizard (Windows > Choose Active Directory Server), as per the screen shown below, you need to enter the following information:
  - Windows Active Directory Server: Fully qualified domain name (FQDN) or IP address of one of your Windows Active Directory Servers.
  - Account Name and Password: Credentials for a Domain username with Active Directory access rights (just the username, neither Domain\Username nor username@domain, e.g. opsviewadmin). This username will be used to inspect Hosts and allocate relevant Host Templates.
Once you have entered the relevant information for the required fields, the “Start Scan” button will be enabled for you to proceed when you are ready to start the scan.
When you start the scan, it will first validate the information you have entered by attempting to connect to the Active Directory server using the following Authentication Methods (from the most secure to the least secure):
- Secure Kerberos (SSL)
- Secure Basic (SSL)
- Kerberos (non-SSL)
If the credentials are invalid/fail to be authorised, the following error message will be displayed:
If the "Connection timed out - service did not respond" message appears, this indicates that something in the back-end failed to respond in a timely fashion. This may indicate that the back-end is overloaded, that there is a network outage or there are no appropriate firewall rules in place. Alternatively, a “Connection has timed out” error indicates some other operational error has occurred during the authentication process.
Upon successful authorisation, the Scan starts by interrogating the Active Directory server for a list of hosts to scan. It then proceeds to scan those hosts to discover what services they are running, and therefore which host templates should be applied. Once the scan has started, a progress bar is displayed, indicating how many of the discovered hosts have been scanned:
As the scan is being carried out, it can be aborted by hovering over the Abort button, which displays a panel to confirm the aborting of the scan. Once the Yes button is clicked, the form from the previous page is displayed and the scan is aborted. Note that if the scan is close to finishing then it may be completed before it can be aborted.
If an unrecoverable error occurs during the scan, the following error page will be displayed:
An "A connection timed out" message indicates that something in the back-end failed to respond in a timely fashion. This may indicate that the back-end is overloaded or that there is a network outage. Alternatively, a “Sorry there was an error that we can’t identify” message indicates that some other error occurred during scanning. This may indicate a system outage or configuration problem. Scans will recover from short Datastore (i.e. CouchDB) outages. However, if an outage lasts longer than 1 hour, the scan will time out and show this error message.
If such errors occur, you can click Try again to restart the scan. You can also view the log to understand what the problem could be. For example, you might see access denied when creating a Host Group or importing a Host, in which case check that you have sufficient permissions to either create or write to the desired Host Group.
When the scan completes the following screen will be displayed:
At this point, you can click on Apply Changes to trigger a system reload and start monitoring the scanned hosts. Clicking on New will allow you to start another scan. Hosts that have already been imported will be disregarded and will NOT be re-imported by later scans:
Clicking View log will display a detailed list of the steps completed by the scan:
If the scan fails for some reason, View log is a good way to help diagnose the problem.
Once the scan has finished, you can see the pending hosts by clicking the Host Settings link. At this point, you may wish to check the host configurations to ensure the details are correct: although AutoMonitor tries its best to fill them in correctly, the credentials used for scanning may NOT be the same credentials that are required by the service check (e.g. Microsoft Exchange usernames and passwords).
Host Certificates
The AutoMonitor scan does not use certificates for host checking. However, several of the service checks do use certificates for host identification checks.
You should upload your certificates to the location below because, if the scan used SSL for authentication, the AutoMonitor Scan overrides the WINRM_TRANSPORT variable in the host configuration to use the following filename for the Certificate Authority PEM file:
/opt/opsview/monitoringscripts/etc/certs/<AD domain>
The Certificate Authority or host certificates for the imported hosts can be placed in this folder using the orchestratorimportscripts helper tool. This command line tool will place the certs in the correct directory and signal that you need to execute the Apply Changes action in the Opsview Monitor user interface. For example, after giving your certificate file a filename matching your AD domain:
sudo -u opsview /opt/opsview/orchestrator/bin/orchestratorimportscripts etc-certs /path/to/cert/source/<AD domain>
Note
In a clustered environment (multiple clusters and collectors) these certificates should be distributed to ALL collectors. To do this, after following the steps above, run the Apply Changes process to copy to the collectors.
If you want to manage certificates in a sub-folder of /opt/opsview/monitoringscripts/etc/certs, the orchestratorimportscripts tool can also be pointed at a directory structure to replicate that in the right location with the right permissions. Then update the WINRM_TRANSPORT host variable paths and run an Apply Changes.
Considerations
AutoMonitor Windows Express Scan now supports running on the Master Monitoring Server or one of the Clusters. The cluster on which the scan is run is selected by an algorithm that probes the connectivity to the AD server being scanned and selects the Cluster that has the best connection. Once selected, the imported hosts are then monitored by the cluster that discovered them.