Process Classifiers

Kenny Wimberly · ‎04-17-2009

Just wanted to throw this out there to see if anyone has any ideas....

I have two classifications I need to do for processes:
1. Domain Controller - I need to be able to classify this as a process and setup a relationship

2. FTP - This process is generally wrapped up in IIS. But the process classification does not appear to allow wmi classification for processes.

What I would like to do is utilize WMI to classify a process, create a relationship Runs On::Runs. Has anyone done anything like this?

I've completed a Microsoft Exchange process classifier that checks for the process mad.exe on the server and then creates a relationship in the Email Server table. I'm assuming this is the correct way to handle this. I could be wrong...but hey, that's why I'm asking 😄

Thanks for any ideas!

itscc1 · ‎01-11-2012

Hello computerdr74,

Did you ever get an answer to this? I am about to start creating classifications for domain/windows based services, so if I find anything different I will post here.

BTW, as a starter, what exactly did you have to do for the MS Exchange classifier?

Kind regards,
Chris

Kenny Wimberly · ‎01-11-2012

I never did, but I haven't worked on discovery, heavily, in a while. I'm about to ramp back up, though.

To answer your question, when you go to the Process classifier table (discovery_classy_proc) you will see several processes already defined. Use one of those as a guide. In the related list Classification Criteria, you will need to create a new record...here's how the values should read on that record:

Name: command
Operator: contains
value: mad.exe

I don't remember if you need a "parameters" record like you will see with IIS and SQL Express. But, it's possible.

As for the Process Classification record, make sure it looks similar to the Microsoft SQL Express record. The table would be Email Server and relationship type would be runs on::runs. The on classification script can contain anything you would like to set on the record when it is created.

I hope this helps!

itscc1 · ‎01-12-2012

Thanks for this, very helpful.
The parameters is used (i think) for what an argument to a command would be. e.g. svchost.exe is used by many different services. its picking the right one for the service you are looking to classify! This may help when it comes to classifying FTP or domain services - but maybe (for FTP anyway) the discovery would have see the command running at that point in time, else its not going to appear!

I think you are doing the right thing with the process classifying, it works anyway.

Now i have successfully mapped the Exchange 2007 roles to the servers, I want to have a relationship to the Business Service "Email". This is proving tricky!

Thanks again,
Chris

Kenny Wimberly · ‎01-12-2012

Should be as simple as creating a relationship definition (sys_relationship table) to make sure that all Email Servers get linked to the Email Business Service. Or in the On Classification Script, you could build the relationship there by checking the cmbd_rel_ci table to see if there is currently a relationship for the current record and associated business service. If not, create the record on the cmdb_rel_ci table to build that relationship. Just a thought.