1 2 Previous Next

Jack Coates' Blog

21 Posts tagged with the ldms_core tag

Thanks to some questions from Jim Hysell, I found a bug in ldms_core yesterday, which has been fixed in 3.6.4. The bug was in the listing of detected vulns and autofix vulns by severity, which are then added together to make the detected and autofix lines in the Vulnerabiltiy Statistics graph. Prior to 3.6.4, the number is only accurate if you haven't created overlapping scopes. Of course, since everything's covered by the default "All machines" scope, that effectively means that all scopes overlap at least little. This caused the vulns on the machines that are in overlap to be counted once per scope that the machine was in, which is probably not what anyone wants.

 

Net result: For some LDSS admins, upgrading to ldms_core 3.6.4 or greater will cause a precipitous drop in the number of detected and autofix vulnerabilities. The new number is more accurate than the older one.

ldssstats-daily.png
So, in figuring that out I also realized that I could delineate between vulns detected, and machines with vulns, which wasn't very clear in the text report. There's a big difference between "you've got six critical vulns in the environment" and "you've got six machines with critical vulns on them"... These values are now clarified:

 

Detected vulnerability counts by severity:
Critical - 68 vulnerabilities found on 8 machines.
High - 45 vulnerabilities found on 7 machines.
Low - 12 vulnerabilities found on 9 machines.
Medium - 48 vulnerabilities found on 10 machines.
N/A - 129 vulnerabilities found on 11 machines.
Service Pack - 10 vulnerabilities found on 3 machines.
Unknown - 11 vulnerabilities found on 9 machines.


Detected vulnerabilities set to autofix by severity:
Critical - 64 vulnerabilities found on 7 machines.
High - 40 vulnerabilities found on 5 machines.
Low - 4 vulnerabilities found on 4 machines.
Medium - 12 vulnerabilities found on 7 machines.
N/A - 47 vulnerabilities found on 7 machines.
Service Pack - 1 vulnerability found on 1 machine.
Unknown - 5 vulnerabilities found on 7 machines.

 

By the way, I've also posted ldms_core to google code, so anyone so inclined can use the source code more easily. I'll do the same for my other projects as time permits.

0 Comments Permalink Tags: ldms_core, statistics, droppedpackets, upgrades, report

I just posted ldms_core 3.4.7, which integrates some of the feedback and discoveries of the last few weeks... thanks for all the help, folks. Debugging help and feature suggestions from LANDesk admins around the world are making this utility into a very useful tool indeed.

tall-tree.jpg

Here's a few notes about where it might (or might not) go next:

  • Scheduled Tasks
  •   
       
    •  
      •  
    • Check scheduled tasks and policies for RRD stats -- jobs without start times, jobs in success-level buckets, duplicated jobs...   
          
      •  
    •  
      •  
    • Delete ghost devices from scheduled tasks (stuck in active because they reported status). If they were from a query they should be deleted from the list, but if they were from a static targeting they should be moved to pending. http://community.landesk.com/support/message/17222#17222   
          
      •  
    •  
  • Import   ldms_delete_users, auto-reassign to single user or delete objects, give the user an option to decide what should be done. Alternatively, rewrite ldms_delete_users as a standalone tool...
  • NMAP as an XDD client add-on instead of a core-side piece... this implies some command-channel use and data-passing which are non-trivial, but entirely possible. On the plus side, it will also produce a much higher level of accuracy in OS fingerprinting.
  • Email
  •   
       
    •  
      •  
    • Be smart about hysteresis... maybe it could not send another email within a day unless the new email it wants to send is more urgent than the last email that it had to send? Users going from daily runs to hourly runs are having challenges sorting the important emails from the repetitive info.
      •  
    •  
      •  
    • Maybe it's email worthy that unmanaged nodes isn't fresh...   
          
      •  
    •  
  • Web pages and reports
  •   
       
    •  
      •  
    • In RRD pages, give textual data supporting the graph. That'll probably push it over the edge to needing templated data instead of straight html.   
          
      •  
    •  
      •  
    • Support proxy servers (nice to have for update check, will need for geo-location)   
          
      •  
    •  
      •  
    • Give links to non-RFC1918 addresses on maps: GeoIP2Location   
          
      •  
    •  
      •  
    • Drill-down from topology map with per subnet listings of computers, including inventory and remote control links for them   
          
      •  
    •  
  • Auto-import email from domain controller into ConsoleUser table. If UserName is like Directory and Email is blank, then import from AD. Requires AD credential input in UI.
  • Count duplicate serial number records and show a count before the number... e.g. "34 machines with serial number SystemSerialNumb, 2 machines with LYAC12"
  • More options, more smarts, more feedback, more efficiency...
  • Find why McAfee silently stops it from working properly when it's run as a scheduled task (error 0x9 in Windows scheduled task, immediate "success" as a LANDesk scheduled task, works great when run interactively from the start menu).
2 Comments Permalink Tags: ldms_core, droppedpackets, health, monitoring, nmap, core

ldms_core 3.3.3

Posted by Jack Coates Jan 6, 2009

Finally got the network map looking like I wanted it. You'll want to delete \\CORE\ldreports\ldms_core\ldms_core.css and replace it with the one from ldms_core 3.3.3 to enjoy this mofessional lookin style. Or don't, if you like that really ugly green on black look. I'd really love to see how some bigger maps get laid out, if someone could post some screenshots that would be great.

Cropper-1-01-06-2009-01-41-43 PM.Png

2 Comments Permalink Tags: ldms_core, droppedpackets

Version 3.2.6 is now uploaded to http://www.droppedpackets.org/scripts/ldms_core.

 

As the next step in its ongoing quest to delete data that was automatically gathered and then left to rot, ldms_core will now delete automatically gathered SLM products that have no installations (note that this is not USAGE, but INSTALLS).

 

It is possible that this can produce churn in situations where products are being installed and uninstalled in rapid succession; this should be a minor problem compared to the database performance degradation that results from thousands of junk product definitions.

 

As is usual with new features, this needs testing; please give it a whirl on your test server before trying it on production. At the very least, have a database backup handy.

3 Comments Permalink Tags: ldms_core, droppedpackets, maintenanceance

ldms_core 3.2.0

Posted by Jack Coates Nov 12, 2008

service checking now looks at the Avocent Management Platform services, too. I've also added code to look for schema faults. Ever see messages in your event viewer that say "column whatever is too small, increase it by so much?"

 

0 Comments Permalink Tags: ldms_core, droppedpackets

ldms_core 3.1.5

Posted by Jack Coates Nov 3, 2008

I've posted a new ldms_core which has a lot of changes (good, bad, and otherwise).

 

  • added ability to report on stale vuln data (greater than 7 days will produce a warning)

  • installation directory changes -- NullSoft Installer System uninstallation routine actually assumes a separate directory per program, and was deleting things that shouldn't be deleted when users would remove a program. To correct this, uninstall all Monkeynoodle programs and delete Program Files\Monkeynoodle before installing ldms_core.

  • detect dual boot systems via serial number

  • fixed &CullIPs again -- I had a function which seemed to do the right thing, but was actually deleting the oldest IP -- the downfall of using a small test set is that the expected result might happen for the wrong reasons.

  • Always check that what's supposed to be an IP is one -- failure to do so was causing spurious calls to DoNMAP and CullIPs

  • LDMS statistics graphing and trending via RRD. This is pretty cool; I'm just generating the graphics and putting them into ldmain\reports\ldms_core for now, but I'll throw together a nice index.html for it in a bit. LDSS stats are not being gathered yet.

  • hourglass cursor when setup is doing things

  • Unmanaged nodes culling (&CullUDD) failed when the discovered node was a WAP; skipping the attempt for now.

 

I'm still trying to decide if I want to spend time on a more formalized test procedure and/or beta period... if anyone has thoughts or would like to volunteer as a tester, please let me know.

 

I'm also having some difficulty with the Right Way(TM) to schedule repeated runs... in the past, I've asked the user to create a Windows scheduled task, but those quit working when the service account password changes. Currently I'm creating a LANDesk scheduled task, but those are finicky and are least likely to work on the cores which most need an automatic maintenance program. I could go to a long-running service, but memory consumption is high and that introduces a whole new set of potential problems. Ideas are welcome.

9 Comments Permalink Tags: ldms_core, health, statistics

ldms_core ate ldms_status

Posted by Jack Coates Oct 17, 2008

LANDesk cores are getting more stable all the time, and I'm just not seeing the need to check that everything's working every 10 minutes any more. I've taken the service checking routines from ldms_status and put them into ldms_core 3.1.2 so that it can check and restart services once, when it runs, instead of all the time. I'll leave ldms_status online of course, but I don't see a lot of future for it at this time and will mark it obsolete real soon now.

Here's some roadmap for ldms_core, with discussion of the items:

  • It's been 7 days or more since you downloaded content -- I still need to find the best way to filter this. The publishdate column in vulnerabilities is one option, but could false positive. select count(*) from vulnerability where publishdate > getdate()-7; if that value is 0, complain.Maybe even run vaminer.exe instead of just complaining?
  • List uninstallable patches? This will probably not be possible, at least without introducing a lot of bugs. XML blobs need to be extracted from the database and parsed, which seems like a lot of work for a little gain.
  • More progress indications, for instance after clicking Authorization button in setup. Not exciting.
  • Group patches by vendor? Probably not something I can do in this context.
  • Topology map. Gateways become nodes, devices sharing gateways are grouped in clouds around them, subnet masks decide size of circle. Core's gateway is in the center and traceroute hops to the other gateways are used to define the map. Use Perl::Graph to generate HTML? This is the one I want to work on next. select defgtwyaddr,count(address) from tcp where nullif(address,'') is not null group by defgtwyaddr
  • Kick out a Google Earth file to plot non-RFC1918 addresses on a map. The topology map and this map would both be dumped into the LANDesk reports file share, I suppose.
  • Check scheduled tasks and policies for status, alert if lots of jobs have bad status
  • Switch to MIME email so I can send multipart messages with attachments, such as those maps. That would also allow reworking of some of the log messages into a table format, using HTML. I prefer the retro look of Text::Table, but it probably can't be displayed properly by the average LANDesk admin's email program.
  • The new alerting system might be a better way to look for sync scan issues than using event viewer. If it ain't broke, don't fix it, but it's possible that database lookup would be faster.
  • Keep old information and show trend lines on a purty chart, http://search.cpan.org/src/CHARTGRP/Chart-2.4.1/README. This is going to involve storing data and managing time and I'm just not in a big hurry to reinvent that wheel.
  • Find a way to detect stuck LPM Event Listeners. Not even sure if this is a database or filesystem issue, but it needs to be found and fixed.
  • Convert into a long-running service? Probably not going to happen, I just can't come up with enough justifications to explain why I'd want to go through the hassle.
  • Cull Automatically Gathered software definitions with no installations. This is going to be hard, and may not be compatible with the changes planned for LDMS 9.0, but it also would be a lot of bang for console performance. Tempting.
2 Comments Permalink Tags: ldms_core, ldms_status, maintenance, monitoring, health

ldms_core 3.0.5

Posted by Jack Coates Oct 3, 2008

ldms_core home page

 

The new alert system in version 8.8 can get stacked up on low-performance cores, and it doesn't purge records unless you tell it to. ldms_core will now check that queue and purge records older than X days. There's also an email test button in the setup window, so you can make sure you've got email right.

 

I've also updated the manual.

 

 

1 Comments Permalink Tags: ldms_core, statistics, health, maintenance

ldms_core 3.0.1

Posted by Jack Coates Sep 29, 2008

At something like 90 to 360 seconds per scan, it makes no sense to NMAP thousands of nodes in a single run; target lists are now capped at 100 nodes per run, 50 if debug is on. Fixed a couple of bugs, too.

 

The manual is getting pretty out of date, I need to do something about that.

 

download here.

4 Comments Permalink Tags: droppedpackets, ldms_core

Today I enhanced debug mode and provided for a debug logfile. I also did a bunch of refactoring and bug fixes... maybe half of what Perl Critic suggested. This isn't an urgent release unless you're having trouble, might as well wait for 3.0.

 

http://www.droppedpackets.org/scripts/ldms_core/ldms_core_2-0.zip/view

 

I've got some reports of problems with NMAP... it crashes and takes ldms_core.exe with it. That's not supposed to happen, so if it's happening to you, please let me know and send a debug file.

 

UPDATE: Talk about relentless... Arnold Garcia tested with the new debug stuff and helped me find a problem, along with some more debugging suggestions. I did some more refactoring as well, so I've posted again and let's call it 2.9.8. This is worth upgrading to if you've had trouble with NMAP.

 

The TODO list:

  1. TODO -- Test email button in the GUI

  2. TODO -- Setup should install a LANDesk LOCALEXEC script to run it

  3. TODO -- Provide visual feedback of activity stage, level

  4. TODO -- Check scheduled tasks and policies

  5. TODO -- plot non-RFC1918 addresses on a map

  6. TODO -- keep old information and show a trend.

  7. TODO -- purty Charts, http://search.cpan.org/src/CHARTGRP/Chart-2.4.1/README

  8. TODO -- when you find duplicate IP addresses, wipe out the one that has the

  9. older update date.

  10. TODO -- If the database isn't busy, reindex it? Detecting a need to reindex

  11. the database seems to be just as intrusive as actually reindexing the

  12. database. More research required before this can be done safely.

 

0 Comments Permalink Tags: ldms_core, nmap

Version 2.9.6 has been posted.

 

A customer request to maintain off-core patch repositories has been implemented, along with detection of duplicate IP addresses and a report of detected vulnerability counts by severity.

 

Trending over time remains on the drawing board, but may not happen until after 3.0... not many numbers left, and I really don't want to end up with 2.9.256 type versions. It's also occurred to me that I might be able to avoid wheel reimplementation by just formatting data outputs for MRTG to read and providing a nice installer package for it...

 

A higher priority (to me, anyway) change is to implement XDD-agent-side NMAP, and a web service to ingest the discovered OS Names. NMAP's accuracy is poor in large networks when it's run from a central core. Doing this project offers all sort of potentially fun challenges and is currently at least as shiny as more reporting.

2 Comments Permalink Tags: ldms_core, nmap, monitoring

no-longer beta ldms_core

Posted by Jack Coates Aug 11, 2008

I've posted a beta release of ldms_core at http://www.droppedpackets.org/scripts/ldms_core/ldms_core_2-9-5beta.zip which attempts to support email authentication. If you'd like to try it out, please let me know of any errors.

 

17 days without a complaint, it must be working. 2.9.5 is published.

6 Comments Permalink Tags: droppedpackets, ldms_core, beta, mail, authentication

I'm considering a re-write of ldms_status to get off of the ActiveState perltray framework and just use native Win32::GUI to display in the system tray instead. I'm having Timer problems (that's why Stop all services only works half the time), the tooltip function is buggy, and every now and then the fool thing will just stop with no error. That's tough to troubleshoot (though it's probably the tooltip function, since ActiveState recommends that you locally suppress errors in that function to make it work at all).

 

Doing this would have the benefit of abstracting the functions that check, stop, and start services into a module so that they'd be easier to use from other programs... someday, I hope to have ldms_core and ldms_status sharing more functions... status acting as a long-running service, core launching from time to time to do cleanup and stats gathering.

 

The first step in that direction is probably to put all of the status logic into a shared module, then to strip ldms_status down to a more open "Monkeynoodle services" tray icon that calls the ldms_status module to do things, but also displays balloon tips for ldms_status and ldms_core.

0 Comments Permalink Tags: ldms_status, ldms_core

ldms_core performance

Posted by Jack Coates Jul 15, 2008

I've done a few installs of ldms_core on servers where XDD or scheduled UDD has been running for a good long while in a 5,000 to 10,000 node environment, and I've found a bit of a performance issue. Eventually it all works itself out, but that first run takes a day or two to complete. Gradually it gets faster and faster, and within a week it works the way it does for a fresh LANDesk core. This post is not to announce a fix, just acknowledging that I see the problem and know what needs to be done.

 

This is what's happening: If NMAP's binary is found in the configured place, then ldms_core goes to the database and looks for targets with no OS Name, sorted by lastscantime desc for a LIFO scan order. So far so good, except a few months ago I realized that some NMAP scans finish in a few seconds, while others take several minutes. In order to get the most success up front, I first send a single ping packet to each target and see if it responds. If it answers ping, it goes to the front of the list, and if it doesn't, it goes to the back of the list.

 

That works really well when the list of targets is a few dozen machines, but when it's a few hundred machines the performance is terrible. As NMAP updates the OS Names, the target list becomes smaller, the pings go faster, and less time is taken. I'm not parallelizing any of this traffic, so a long time spent on step 1 means step 2 can cool its heels in the corner. This all fits with my design goal of "low and slow", under-the-radar information gathering, but no one can tell that it's doing anything -- there's an icon in the system tray and a couple of entries in event viewer, but no CPU, no network, no nothing.

 

I've considering batching targets into small groups, which I could then do in parallel, but decided it was too complex and wasteful of resources. So, the planned fix is a two parter:

  1. First, I'm going to log and balloon tip what's happening so that the end user knows that it's okay to leave it alone... killing the program and starting it over just makes it take longer, and all the statistics that they installed it for happen at the end.

  2. Second, I'm going to radically decrease the ping timeout -- if the node doesn't ICMP REPLY in a second or two, I know what I came for. Better still, if the machine responds to ping I'll do NMAP right away, but if it doesn't respond to ping I'll push it to the end of the line.

If you really care a lot, the source is installed with the binary, and this is the DoNMAP subroutine beginning at line 1119.

1 Comments Permalink Tags: ldms_core, nmap

minor ldms_core touchup

Posted by Jack Coates Jul 7, 2008

 

In calculating the amount of time that an eventually patched patch remains unpatched (say that three times fast), I was not CASTING to a BIGINT, but rather leaving it at the default SQL INT. Ergo, if you patch patches after 90 days or so, you'd get a non-fatal SQL error from ldms_core. You'll want to upgrade, from here: http://www.droppedpackets.org/scripts/ldms_core

 

 

For everyone else, nothing to see here, move along. I did some code clean up but haven't really started on the big stuff for the 3.0 release.

 

 

0 Comments Permalink Tags: droppedpackets, ldms_core, monitoring, maintenance
1 2 Previous Next

Popular Blog Posts

Incoming Links

LANDesk Community powered by Jive Software's Clearspace ® Subscribe| Legal Notices| Investor Relations| Avocent| Privacy Policy © 2009 LANDesk Software