Schedule discovery A schedule determines what horizontal discovery searches for, when it runs, and which MID Servers are used. Before you beginRoles required: admin, discovery_admin About this taskYou can use a Discovery schedule to launch horizontal discovery, which uses probes, sensors, and pattern operations to scan your network for CIs. Use this procedure to create a schedule manually from the Discovery Schedule form. Service Mapping also provides a Discovery schedule for top-down discovery. See Create a discovery schedule for an application CI for more information.Use the Discovery Schedule module in the Discovery application to: Configure device identification by IP address or other identifiers. Determine if credentials will be used in device probes. Name the MID Server to use for a particular type of discovery. Create or disable a schedule that controls when the discovery runs in your network. Configure the use of multiple Shazzam probes for load balancing. Configure the use of multiple MID Servers for load balancing. Run a discovery manually. Procedure Navigate to Discovery > Discovery Schedules and create a new record. Complete the Discovery Schedule form, using the fields in the table. Right-click in the record's header and select Save from the context menu. To create a range of IP addresses to discover, click Quick Ranges under Related Links. Figure 1. A discovery schedule Table 1. Discovery Schedule Form Field Description Name Enter a unique, descriptive name for your schedule. Discover Select one of the following scan types: Configuration items: Configuration item scans use discovery identifiers to match devices with CIs in the CMDB and update the CMDB appropriately. You can perform a simple discovery by selecting a specific MID Server to scan for all protocols (SSH, WMI, and SNMP), or perform more advanced discoveries with discovery behaviors. When you select a behavior, the MID Server field is not available. IP addresses: IP addresses scans devices without the use of credentials. These scans discover all the active IP addresses in the specified range and create device history records, but do not update the CMDB. IP address scans also show multiple IP addresses that are running on a single device. Devices are identified by class and in some cases by type, such as Windows computers and Cisco network gear. The Max range size Shazzam probe property determines the maximum number of IP addresses Shazzam scans. See Configure Shazzam probe parameters for details. Networks: Network scans discover IP networks (routers and switches). Results from this search are used to populate the IP Network [cmdb_ci_ip_network] table in Discovery > IP Networks with a list of IP addresses and network masks. Network scans update routers and layer 3 switches in the CMDB. Web Service: This scan discovers resources on Amazon Web Services. Results from this search are used to populate the AWS Resource table [cmdb_ci_aws_resource]. For EC2 instances, the information may appear as reference in the AWS Resource table. Service: This scan discovers services for the Service Mapping application. See Create a discovery schedule for an application CI for instructions. MID Server selection method Select the method that Discovery uses to select a MID Server: Auto-Select MID Server: Allow Discovery to select the MID Server automatically based on the Discovery IP Ranges you configure. To find a matching MID Server, you must configure MID Servers to use: The Discovery application, or ALL applications. This makes the MID Server authorized to be accessed by Discovery. The IP Range that includes the ranges you configure on the Discovery Schedule. Specific MID Cluster: Use a preconfigured cluster of MID Servers. You must select the cluster. You no longer need to specify one member of the cluster. The MID Server cannot be part of multiple clusters, such as one that supports load balancing and one that supports failover. You can add any cluster regardless of the application that the MID Servers are assigned to assigned to. When you select the cluster, the Discovery application is automatically added if it does not already exist for the MID Servers in the cluster. Specific MID Server: Use only one MID Server. If that MID Server is part of a cluster, only that MID Server is used; the cluster is not used. You can add any MID Server regardless of the application it is assigned to. The Discovery application is automatically added if is not already assigned for the MID Server you select. You can assign a specific MID Server for all types of Discover scans except Service. Use Behavior: Use a behavior when a single schedule requires the use of multiple MID Servers to perform any of the following: Scans requiring multiple Windows credentials. A schedule that must execute two or more particular protocols (SNMP, SSH, or WMI) using more than one MID Server. Load balancing for large discoveries where a single MID Server would be inadequate. Scanning multiple domains. Note: The Discovery schedule enforces domain separation. The MID Servers that are available for selection are limited to the same domain of the user who is configuring the schedule. MID Server Select the MID Server to use for this schedule. This field is available if MID Server selection method is set to Specific MID Server, or if you discover IP addresses, networks, or web services. MID Server Cluster Select the MID Server cluster to use for this schedule. This field is available if MID Server selection method is set to Specific MID Cluster. Behavior Select a behavior configured for the MID Servers in your network. This field is available only if MID Server selection method is set to Use Behavior. Active Select the check box to enable this schedule. If you clear the check box, the schedule is disabled, but you can still run a discovery manually from this form, using the configured values. Location Choose a location to assign to the CIs that are discovered by this schedule. If this field is blank, then no location is assigned. Max run time Set a time limit for running this schedule. When the configured time elapses, the remaining tasks for the discovery are canceled, even if the scan is not complete. Use this field to limit system load to a desirable time window. If no value is entered in this field, this schedule runs until complete. Run and related fields Determines the run schedule of the discovery. Configure the frequency in the Run field and the other fields that appear to specify an exact time. Note: The run time always uses the system timezone. If you add the optional Run as timezone field, it has no effect on the actual runtime. Include alive Select this check box to include alive devices, which are devices that have at least one port that responds to the scan, but no open ports. Discovery knows that there is a device there, but has no information about it. If this check box is cleared, Discovery returns all active devices, which are devices that have at least one open port. Log state changes Select this check box to create a log entry every time the state changes during a discovery, such as a device going from Active to Classifying. View the discovery states from the Discovery Devices related list on the Discovery Status form. The Completed activity and Current activity fields display the states. Shazzam batch size Enter the number of IP addresses that each Shazzam probe can scan. Dividing the IP addresses into batches improves performance by allowing classification for each batch to begin after the batch completes, rather than after all IP addresses have been scanned. The probes run sequentially. For example, if this value is set to 1000 and a discovery must scan 10,000 IP addresses using a single MID Server, it creates 10 Shazzam probes with each probe scanning 1000 IP addresses. By default, the batch size is 5000. A UI policy enforces a minimum batch size of 256 because batch sizes below 256 IP addresses do not benefit from clustering. The policy converts any value below 256 to a value of zero.The value for this field cannot exceed the value defined in the maximum range size property for the Shazzam probe. Shazzam cluster support Select the check box to distribute Shazzam processing among multiple MID Servers in a cluster and improve performance. Works with the Shazzam batch size. For example, if the cluster contains 100,000 IP addresses and there are 10 MID Server Schedules, every MID Server will process 10,000 addresses (100,000 IP Addresses/10 MID Servers). If the Shazzam batch size contains the default 5,000 IP addresses per probe, a Schedule runs two Shazzam probes per MID Server (10,000 IP addresses/5,000 per batch). This field is available starting with the Eureka release. Use SNMP Version Use this field to designate the SNMP version to use for this discovery. Valid options are v1/v2c, v3, or All. Quick ranges Define IP addresses and address ranges to scan by entering IP addresses in multiple formats (network, range, or list) in a single, comma-delimited string. For more information, see Create a Quick IP range for a Discovery schedule. Discover now Use this link to immediately start this Discovery. Discovery IP Ranges This related list defines the ranges of IP addresses to scan with this schedule. If you are using a simple CI scan (no behaviors), use this related list to define the IP addresses to discover. Discovery Range Sets This related list defines each range set in a schedule to be scanned by one or more Shazzam probes. Discovery Status This related list displays the results of current and past Discovery schedule runs. Table 2. Discovery Schedule run options Run option Description Daily Runs every day. Use the Time field to select the time of day this discovery runs. Weekly Runs on one designated day of each week. Use the Time field to select the time of day this discovery runs. Monthly Runs on one designated day of each month. Use the Day field to select the day of the month. Use the Time field to select the time of day this discovery runs. If the designated day does not occur in the month, the schedule does not run that month. For example, if you designate day 30, the schedule does not run in February. Periodically Runs every designated period of time. Use the Repeat Interval field to define the period of time in days, hours, minutes and seconds. The first discovery runs at the point in time defined in the Starting field. The subsequent discoveries run after each Repeat Interval period passes. Once Run one time as designated by the date and time defined in the Starting field. On Demand Does not run on a schedule. Click the Discover now link to run this discovery. Weekdays Runs every Monday, Tuesday, Wednesday, Thursday, and Friday. Use the Time field to select the time of day. Weekends Runs every Saturday and Sunday. Use the Time field to select the time of day. Month Last Day Run the last day of every month. Use the Time field to select the time of day. Calendar Quarter End Runs on March 31, June 30, September 30, and December 31. Use the Time field to select the time of day. To change these dates, modify the script include DiscoveryScheduleRunType. After Discovery Allows you to sequentially stagger the schedule. Use this option to run this schedule after the Discovery designated in the Run after field finishes. Check the Even if canceled check box to designate that this discovery should run even if the Run after Discovery is canceled before it finishes. This option is not valid when the Discovery is started via DiscoverNow, or when using the Discover CI feature. You cannot designate an inactive Discovery schedule. You cannot create a loop by designating the run after Discovery to be the same Discovery. This Discovery does not run if the Run after discovery does not finish, with the exception that the Even if canceled box is checked and the Discovery is canceled. What to do nextIf you selected a specific MID Server, go to the MID Server dashboardMID Server dashboard to verify that the MID Server you select is up and validated. Run Quick Discovery Quick Discovery, or DiscoverNow, allows an administrator to run a CI Configuration discovery on a single IP address without requiring a schedule. About this task The platform automatically selects the correct MID Server to use for the discovery if one is associated with the IP address selected. If no MID Server is configured for the network in which that address appears, you can select a MID Server. Use this feature to discover new devices in the network as soon as they are connected to the network, rather than waiting for a regularly scheduled discovery. To configure the system to automatically determine which MID Server to use, set up the IP range capabilities for each MID Server in your system. You can run DiscoverNow from a Discovery schedule form or from a script. Procedure Navigate to Discovery > Discovery Schedules. Click Quick discovery in the header. A dialog box appears asking for an IP address and the name of the MID Server to use. Only Up and Validated MID Servers are available. Enter the target IP address for a discovery in the Target IP field. Note: DiscoverNow does not currently support IP network discovery. Make sure that you enter a single IP address only and not an entire network, such as 10.105.37.0/24. When a MID Server is assigned to the subnet containing the target IP address and currently in an operational status ofUp, the name appears automatically in the MID Server field. If multiple MID servers are found, the system selects one for you. The value in the MID Server field can be overwritten if you want to select a different MID Server.Attention: If the selected MID Server is part of a load balanced cluster and becomes unavailable for any reason, the instance does not assign another MID Server from that cluster to the quick Discovery. You must select another MID Server from the list of appropriate MID Servers. If no MID Server is defined for that network, select one from the list of available MID Servers. Figure 2. Quick Discovery Dialog Click OK to run discovery. The status record for that discovery appears. The Schedule column is empty because no schedule is associated with this discovery.Figure 3. Quick Discovery Status List Run DiscoverNow from a script You can run DiscoverNow from a script, such as a background job, a business rule, or web services. Use the following script: var d = new Discovery(); var statusID = d.discoveryFromIP(TARGET_IP, TARGET_MIDSERVER); The discoveryFromIP method takes two arguments, IP and MID Server. The IP argument is mandatory, but the MID Server argument is optional. To choose the MID Server, supply either the sys_id or name of the MID Server as the argument. If you do not name a MID Server, the system attempts to find a valid one automatically. A valid MID Server has a status of Up and is capable of discovering the given IP address. If the system finds a valid MID Server and runs a discovery, the discoveryFromIP method returns the sys_id of the discovery status record. If no MID Server is capable of discovering this IP address, the method returns the value undefined. If you manually specify the TARGET_MIDSERVER, the system validates the given value and ensures that the MID Server table contains the specified MID Server record. If the validation passes, the discoveryFromIP method returns the sys_id of the discovery status record. If the validation fails, the method return the value undefined. Validate discovery results Validate the results of your discovery by accessing the ECC queue, analyzing the XML payload, and checking the Discovery log. Before you beginRole required: discovery_admin About this taskInitial discoveries often reveal unexpected results, such as previously unknown devices and processes or failed authentication. Results should also accurately identify known devices and update the CMDB appropriately. Become familiar with the network that is being discovered and the types of data returned for the different types of discoveries. Use the Discovery Log and the ECC Queue to monitor the Discovery process as data is returned from probes or pattern operations. Procedure To view the actual payload of a probe, click the XML icon in a record in the ECC Queue. Figure 4. ECC Queue To view the actual payload of a probe, click the XML icon in a record in the ECC Queue. Use the Discovery Log form for a quick look at how the probes are doing. To display the Discovery Log, navigate to Discovery > Discovery Log. Figure 5. Discovery Log The Discovery Log provides the following information: Column Information Created Displays the timestamp for the probe launched. Click this link to view the record for the probe launched in this list. Level Displays the type of data returned by this probe. The possible levels are: Debug Error Information Warning Message Message describing the action taken on the information returned by the probe. ECC queue input Displays the ECC queue name associated with the log message. CI The CI discovered. Click this link to display the record from the CMDB for this CI. Source Displays the probe name that generated the log message. Device Displays the IP address explored by the probe. Click this link to examine all the log entries for the action taken on this IP address by this Discovery. Note: If you cancel an active discovery, note the following: Existing sensor jobs that have started processing are immediately terminated. The existing sensor jobs that are in a Ready state, but have not started processing, are deleted from the system. MID Server selection sequence for Discovery The Discovery application follows this sequence to find a MID Server. MID Server auto-selection These steps are followed when you select Auto-Select MID Server for the MID Server selection method on the Discovery form. Discovery looks for a MID Server with the Discovery application that also has an appropriate IP range configured. If no MID Servers meet these criteria, it looks for a MID Server that has the ALL application that also has an appropriate IP range configured. If more than one MID Servers meet the above criteria, Discovery chooses the first MID Server with the status of Up. If more than one MID Servers are Up, it randomly picks one. If none are Up, it uses the default MID Server specified for the Discovery application, assuming it is Up. If no default MID Server is specified for the Discovery application, it uses the default MID Server specified for the ALL application, assuming it is Up. If no default MID Server is specified for the Discovery application, Discovery cycles through the same steps above, but it looks for MID Servers with the status of Paused or Upgrading. Note: When a MID Server is paused or upgrading, it does not actually process commands until it returns to the status of Up. MID Server clusters These steps are followed when you select Specific MID Cluster for the MID Server selection method on the Discovery form, and the cluster is a load balancing cluster: Discovery uses the first MID Server in the cluster that Discovery finds with the status of Up. If more than one MID Servers are Up, Discovery randomly picks one. If it cannot find any MID Servers, Discovery looks for MID Servers in the cluster with the status of Paused or Upgrading. These steps are followed if the cluster is a failover cluster: Discovery uses the MID Server with the lowest Order value that also has the status of Up. If no MID Servers are found, Discovery looks for MID Servers in the cluster with the status of Paused or Upgrading, choosing the one with the lowest Order value. Note: Discovery ignores the default MID Server for the Discovery and ALL applications when selecting a MID Server from the cluster. Port scan (Shazzam) phase During the port scan phase, Discovery collects all of the target IP addresses and splits them equally between MID Servers matching the criteria mentioned above (meaning the MID Servers are qualified to do the port scan work). The Shazzam batch size, which you configured on the Discovery schedule, determines the number of IP addresses that each Shazzam probe can scan. This helps determine how much work each MID Server does during the port scan phase. For example, if there are 16,000 IP addresses to scan among three qualified MID Servers, and you use the default Shazzam batch size of 5000, two MID Servers each handle 5000 IP address scans (1 Shazzam probe each), and the other MID Server handles 6000 IP address scans by launching two Shazzam probes.