mnagel

Members
  • Posts

    515
  • Joined

  • Last visited

  • Days Won

    99

Reputation

177 Excellent

About mnagel

  • Rank
    Myth
    Myth
  • Birthday July 17

Recent Profile Visitors

The recent visitors block is disabled and is not being shown to other users.

  1. It was published to the Exchange as H4T9GH, but it is basically what LM support provided with some tweaks. As an Event Source, it has the same poor behavior as all Event Sources, that is, you cannot practically ACK them, only add SDT. It also is not universal since there are different ways to get this info on different platforms. I like the idea of converting to a DS version with instances like the first post mentioned, and of course we are all still waiting for that promised core LM release real soon now :).
  2. Please! I created a facility for this years ago with Nagios via callbacks in our notification template processor (actual templates with conditionals, etc.), but that would be tricky here. You need basically a trigger to run callbacks or similar here when alerts fire with the results placed into a token. My guess is it won't happen unless it can be monetized somehow :(.
  3. https://lmgtfy.app/?q=sql+IndexSearches+metric
  4. I think I have just gotten used to full or partial table scans and then run all the complex bits on the client side. Wasteful of resources and more time-intensive, but ya gotta do what ya gotta do.
  5. Something that strikes me as I delve into this further is that filter syntax is largely undocumented. There are examples in the legacy docs, nothing really in Swagger. I have figured it out mostly via trial and error and the occasional support ticket. It is clear you can use AND logic with comma-separated components, but is is not clear if you can reference the same LHS multiple times. The is really no indication you can implement OR via filter short of glob expression matching. The only documentation I can find on filters specifically relate to limitations added for embedded special characters in the v2 API. Perhaps the API team could document the various common parameters in Swagger or elsewhere?
  6. I was thinking of was that the filter is not valid -- you cannot match only on values. Well you can, but it is then detached from the property name and could match many properties. You need to match on name and value together. filter=customProperties.name:PROPNAME,customProperties.value:PROPVALUE The /device/groups idea is a good one if you are not matching on wildcards, like in this case (though you could use two passes to get an ID list, then iterate). We have found the sometimes that is necessary due to lack of endpoints (e.g., there is no direct way to map a device datasource instance ID back to the datasource ID), but if you can use one query to do your work you should try to do so.
  7. The good news is it seems dev has finally released new modules that are more configurable, but I have not looked at how much complexity was shifted to propertysources and how maintainable that will end up being. They tied to ssh.user/ssh.pass still, though, so you will still run the risk of incurring costs unexpectedly if you use those for non-LMConfig reasons (like errdisabled port detection). I think it is possible to disable LMConfig modules in the subtree alert tuning, though, so that may mitigate the risk. OSS tools do a much better job than LM did previously, hoping this brings some parity (and fixes for non-change thrashing we see all the time). I would never dream of editing a 1200+ line module and then have to merge changes into updates later.
  8. Excellent point -- the other functions we need could likely be satisfied with an API user having manager and not admin role. I will see if we can leverage the library to avoid needing an admin API user -- thanks! That said, it should still be possible to bind an allowlist to any API user to limit the attack surface. I as well can dream...
  9. I have been aware of the debugger method for some time -- was not familiar with the secret debugger library, but you can access the debugger similarly via the API. So.... sleep well knowing that any set of leaked admin API keys could expose your entire network to remote attack via arbitrary PowerShell scripts executed via the debugger API. I was forced at the time to use that method to set the system.ips list to fix NetFlow ingestion for Palo Alto firewalls at the 5000 series or higher. No alternate method of binding device NetFlow export has yet been provided. Recognizing how dangerous this was, I asked about having certain API calls like this locked to an allow list, but that went nowhere. I have also tried changing Windows collector service accounts to use the Performance Monitoring group rather that Domain Admins (especially after the SolarWinds hack), but I found too many things broke so had to move back. Even today well after the damage done during the SolarWinds hack due to lateral movement from compromised servers, LM collector installation instructions still include "If this Collector is monitoring other Windows systems in the same domain, run the service as a domain account with local administrator permissions." Tick, tick tick...
  10. My recommendation? Stay away from any wizards LM provides. This stuff happens here and with the "simple" netscan setup, you end up with a bunch of nonsense top-level groups if you are not careful. I think there should be a knob in the portal settings to disable wizards...
  11. No, you are correct -- datasources store time series numerical data only. Various datasources tie themselves into knots trying to workaround this limitation via datapoint legends. I recommended a while back adding a per-datapoint enum facility so those could be properly displayed in charts as meaningful strings, especially since legends sometimes get so long and don't wrap that you literally have to open the DS source code to find out what a value means. I never saw even a peep from LM on that sensible fix, sadly.
  12. Typically this is done via autodiscovery, but if you add manual instances you can manually define properties for the instances. For the AD method, each instance is generated with the normal fields followed by an optional list of property/value strings. Assuming AD is run often enough, those strings should be current (more or less) for reference in custom alert messages via unconditional token substitution. You can also use PropertySources to add auto properties if you want to do that without editing an existing datasource. If you need examples, Arista_Sensor_Fans is one of many datasources that generates auto properties. Or, look at almost any PropertySource module. I would not add any manual properties to automatic instances as those would likely vanish at some point.
  13. There already is one, you don't need to add it. But, you do need to dig around to find where those are (grumble). Our rule:
  14. You cannot use a straight SNMP check for this, but you can use a SNMP via Groovy to enumerate the disks and generate the sum as a datapoint value. There are many datasources that access SNMP via Groovy you can use as examples -- a quick search of our backups shows HP_Chassis_MemoryModules among many others. You will want to focus on this OID - http://oidref.com/1.3.6.1.2.1.25.3 Mark
  15. Sure, you can use Service Insight for this, but it is a premium feature, which is using an expensive mallet to handle something that should be available without that extra cost. Or, there should be a Service Insight light for this stuff, leaving the costly part for the intended enhanced features of Service Insight (like Kubernetes). My recommendation on this was to extend cluster alerts so you could at least match up instances. My use case at the time was to detect an AP offline on a controller cluster. There is no way to do this without SI, which as you say is complex, and it is an extra cost. We need stuff like this in the base product.