SQL Probe and WID

DuaneNMore
Kilo Guru

When I run a discovery against a Windows 2012R2 server, the SQL Server probe finds the Windows Internal Database and thinks we have a sqlserver. This is because this thing runs as C:\Windows\WID\Binn\sqlserver.exe. I think I'd like to ignore this particular instance, but the way discovery is set up, if it sees sqlserver.exe it thinks you are running sqlserver. Being new to discovery (took the class last week) I know there is a way, but I am uncertain how.

I also have the additional problem of installing the SQL management library (SMO) for when I do discover real sql servers but that is well known.

1 ACCEPTED SOLUTION

Ryan Zulli
ServiceNow Employee

Hi Duane,



The process classification is where you'd want to look: Discovery --> Discovery Definition --> CI Classification --> Processes. Click on the Microsoft SQL Server record and you'll see that we look for a condition where Command contains sqlserver.exe. Here you can add another condition, AND where Command IS NOT C:\Windows\WID\Binn\sqlserver.exe.



Of course, the proper way would be to copy the OOB code and create a new record; that way, during the next update, you can compare changes (if any).



Let me know if this helps.



Thanks,


-Ryan


20 REPLIES

Check the logs on the MID server itself to see if any recorded processing is shedding light on what's causing the stall.



As a matter of interest: did your MID exhibit the same behaviour before you did this change, or has it always stalled like that?


It has always stalled. The only thing I have been discovering thus far is the Windows MID Server itself.


I did it as 127.0.0.1 before and after the SQL WID Change.


I restarted the MID Server. And then built a credential discovering the MID Server by its address. I have yet to see a discovery get to "Completed".


In the Discovery status there are always as many ECC Q outputs as inputs.


I reviewed the MID Server agent log and all the probes that start seem to end, and there are always the 12 eccsender.1 messages. The only 2 errors of note are:


PowershellProbe Slow execution (129ms) of script: probe:WMI: Installed Software


and


PostProbeProcessor: Unable to invoke fcinfo command on the target host


Okay... how many records are in the ECC queue?

I've got around 30 in mine, the first 6 being standard P->C->I stuff. All of my Exploration probes (and processing) only seem to take less than a minute, but I'm not running much on mine. It'd be interesting to sort those by "Created" and look for large gaps in the processing to try and ascertain what's causing the stall.



Also, checked the timeline view at all?


As a note, this is Helsinki.



None of the probes seems stuck. Everything that starts seems to complete. There are 24 records in the ECC Queue and everything that starts completes. PCI probes start and complete in 30 seconds. The Exploration probes and processing take less than a minute as well. None of the probes seems stuck, and the timeline doesn't indicate anything is stuck. It's almost like it is waiting for something else.



I am going to configure SNMP Credentials and Probe and see what happens.


I configured an SNMP credential, built a discovery schedule, and ran Discover now. It runs through its set of probes and also never gets out of the Active state. I misconfigured the credential once; it came back with host unreachable, but the scan still shows as Active.

On the Windows scans, another thing I checked is in the Discovery Status: it has "started 12 completed 12", and the ECC Queue has 24 entries, all 12 outputs and inputs finishing within a minute or so. When I go to the Devices tab and go over to the Scan Status, it is "Completed 11".