Discovery basics

Discovery finds computers, servers, printers, and a variety of IP-enabled devices, and the applications that run on them. It can then update the CIs in your CMDB with the data it collects.

Probes, sensors, and patterns

Discovery uses these components to explore computers and devices (which are also known as hosts):
Probes and sensors
Probes and sensors are scripts that collect data on the host, process it, and update the CMDB. Several probes and sensors are provided out of box, but you can also customize them and create new ones. You can also configure parameters to control the behavior of a particular probe every time it is triggered. A base set of probes and sensors is always used in the first two stages of Discovery. If you are not using patterns, additional probes and sensors are used to identify and explore hosts and the software that runs on them (see Discovery phases).
Patterns are a series of operations that also collect data on a host, process it, and update the CMDB, just as probes and sensors do. Patterns differ from probes and sensors in that they are written in Neebula Discovery Language (NDL) rather than JavaScript, and they are called into action during the last two phases of Discovery. An increasing number of patterns are provided out of box, but you can also customize them and create new ones using the Pattern Designer.

Discovery phases

The four phases of discovery are outlined below. For a more detailed, step-by-step breakdown of the steps for each phase, see Horizontal discovery process flow with probes and sensors and Horizontal discovery process flow with patterns.

Discovery follows these phases:
  • Scanning
    Discovery sends the Shazzam probe to the network to see if specified ports are open on the network and if they can respond to queries. For example, if Shazzam finds a device that responds on port 135, Discovery knows that it is a Windows server.
  • Classification
    If Discovery finds devices, it continues to send probes to find the type of device at each IP address. For example, Discovery would send the WMI probe, which is used for Windows devices, and find out that the Windows operating system on this server is running Windows 2012. Classifiers specify which trigger probes to run for identification and exploration.
  • Identification
    Discovery tries to gather more information about the device, looks at those attributes, determines if it has a CI in the CMDB, and reconciles that information by either updating the CI or creating a CI. Discovery uses additional probes, sensors, and identifiers to do this. Identifiers, also known as identification rules, specify the attributes that the probes look at when reconciling data with the CIs in the CMDB. If you are using patterns, Discovery uses the appropriate identification rule for the CI type specified in the pattern.
  • Exploration
    The identifier in the previous step (Identification) launches the exploration probes configured in the classification record to gather additional information about the device, like the applications running on the device, and attributes about the device, such as memory, network cards, drivers, etc. Discovery then maps applications to devices and to other applications. In this phase, Discovery also uses additional probes and sensors that are hard-coded to find this additional information. If you are using a pattern, the operations in the pattern perform the exploration of the CI.

Horizontal discovery and top-down discovery

There are actually two types of discovery:
Horizontal discovery

The Discovery application performs horizontal discovery, which means that it finds devices on your network and several attributes about those devices including the operating system, software, memory, and so on. It can also establish relationships between the applications and the device, and between applications. But it does not draw relationships between CIs that are part of specific business services.

Top-down discovery

Top-down discovery, which is a technique used by Service Mapping, finds and maps CIs that are part of business services in your organization, such as an email service. Service Mapping actually utilizes horizontal discovery to find devices in the scanning and classification phases, and top-down discovery to map business services.

Note: Both Discovery and Service Mapping can use the same pattern; however, you define steps in the pattern differently for the two applications.

Discovery and MID Servers

Discovery uses special server processes, called MID Servers. Each MID server is a lightweight Java process that can run on a Linux, Unix, or Windows server. The job of the MID server during Discovery is simply to execute probes, sensors, and patterns, and then return the results back to the instance for processing. It does not retain any information.

MID servers communicate with the instance they are associated with by a simple model: They query the instance for the initial probes to run, and they post the results back to the instance. There, the data collected by the probes is processed by sensors, which decide how to proceed. Optionally, if you use patterns, the operations in the patterns decide how to proceed. The MID server starts all communications, using SOAP on HTTPS, which means that all communications are secure, and all communications are initiated inside the enterprise's firewall. No special firewall rules or VPNs are required.

Discovery is agentless, meaning that it does not require any permanent software to be installed on any computer or device to be discovered. The MID server uses several techniques to probe devices without using agents. For example, the MID server uses SSH to connect to a Unix or Linux computer, and then run a standard command (such as uname or df) to gather information. Similarly, it uses the Simple Network Management Protocol (SNMP) to gather information from a network switch or a printer.

In addition to the MID Server, you need:
  • IP addresses
    The address or addresses to query on the network. You configure these on the Discovery schedule.
  • Credentials
    The access credentials for the devices that you intend Discovery to collect data on.

Discovery communications

Discovery communications cover how your instance talks to the MID Servers and how the MID Servers talk to your devices. The MID Server is installed on the local internal network. All communications between the MID Server and the instance are done via SOAP over HTTPS. Since we use the highly secure and common protocol HTTPS, the MID Server can connect to the instance directly without having to open any additional ports on the firewall. The MID Server can also be configured to communicate through a proxy server if certain restrictions apply.

The MID Server is deployed in the internal network, so it can, with proper login credentials, connect directly to discoverable devices.

Discovery communications