Discovery to Monitoring, Automatic & On Your Terms

Introduction

So you have this great discovery and auditing tool called Open-AudIT and you also have an amazing monitoring tool called NMIS. How can you automatically take your discovered devices and have NMIS monitor them…and why would you want to?

With version 4.2.0 of Open-AudIT, we have re-implemented Integrations in an extremely easy-to-use yet extremely configurable way.

Why?

Discovery provides network transparency. Monitoring provides network visibility. Both are essential to good network management and go hand-in-hand with diagnosing network performance issues and device management and lifecycle.

You cannot manage something if you don’t know it exists, and you cannot plan for the future if you don’t know the current performance of your devices – be they desktops, servers, switches, or routers.

Why wouldn’t you want the ability to automatically monitor select device types (for example) as they come online? You can set up a scheduled Integration and automatically include all discovered routers and switches.

 

Let that sink in for a moment.

Automatically monitor devices without having to set them up individually in your monitoring solution. From discovery to monitoring automatically, on your terms.

 

Less time spent entering details.

More accurate information, with zero possibility of spelling mistakes, mistyped credentials, etc.

No double handling of information between systems is required.

 

It just works.

Discover it in Open-AudIT, monitor it in NMIS – seamlessly.

 

How does it work?

Integrations take a list of devices from NMIS and a list of devices from Open-AudIT. They match the devices based on selected attributes, combine their attributes according to which system (NMIS or Open-AudIT) should be the point of truth, and update both systems based on any changes.

The list of devices may actually be empty on either side. We can restrict the device list on either side based on device attributes. We can select attributes to be stored – even if they don’t exist in Open-AudIT. NMIS and Open-AudIT don’t even need to be on the same server. There is so much flexibility!

But with great flexibility, comes (potentially) great complexity. This is an area we are particularly proud of. We’ve kept the creation of an Integration as easy as possible. At its most simple level, if NMIS and Open-AudIT are installed on the same server, you can click a ‘create’ button and everything is automatically done for you. You don’t need to supply any information. We’ve chosen sensible defaults and the Integration just works.

On the other end of the scale, you might have NMIS running on Debian and Open-AudIT running on Windows. You might wish to only integrate devices that are routers. You might even have some fields in NMIS that don’t exist in Open-AudIT, but you wish to track and be able to edit them in Open-AudIT, which then updates NMIS. It’s all completely achievable with just a few clicks.

More than the simple integration above, but still very easy to accomplish.

No code to write, just a simple-to-use web interface. Oh, and there is also the JSON-based RESTful Open-AudIT API.

Questions

Now let’s back up a little bit and set the scene. You’ve been using Open-AudIT for a while and have discovered some devices on your network. You have working credentials for these devices and can see their configuration. You may have computers, switches, printers, routers, firewalls, etc.

How can we easily send some of these devices to NMIS for monitoring?
When you create an Integration in Open-AudIT, by default we include all discovered devices that have working SNMP credentials. However, you might not want every device integrated with NMIS. Some of your servers, for example, may use SNMP – but you don’t need NMIS monitoring them. The Integration has a section to select which devices to include from Open-AudIT. Every device is defaulted to have its “manage_in_nmis” attribute set to “y”. There is also a rule in Open-AudIT that sets this attribute if we talk to the device using SNMP.

 

But in this example, we don’t want every SNMP talking device, we only want our routers in NMIS.

In this instance, we can simply change the used attribute to “type” (instead of “manage_in_nmis”) and the value of that attribute to “router” (instead of “y”) – then we’re done!

What if I want the SNMP Community string to be defined in NMIS, not Open-AudIT?
An Integration contains a list of the fields used by both systems (NMIS and Open-AudIT). Each field has a flag that defines its ‘priority’. This can be set to either NMIS or Open-AudIT (actually stored as external or internal). Just select NMIS as the priority for the NMIS → configuration.community field, and if this value is changed in NMIS, Open-AudIT will be updated the next time the Integration is run.
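A minimal model of the select, match and priority logic described above, as an added example rather than Open-AudIT's or NMIS's own code. The flat field names (`ip`, `community`), the `plan_integration` function and the sample devices are assumptions made for illustration.

```python
# Conceptual model of one Integration run; an illustration, not Open-AudIT code.

def match_key(device, match_on):
    """Tuple of the matching attributes, or None if any is missing or empty."""
    values = tuple(str(device.get(a, "")).strip().lower() for a in match_on)
    return values if all(values) else None

def plan_integration(internal, external, select, match_on, priority):
    """internal: Open-AudIT devices, external: NMIS devices (lists of dicts).
    select:   (attribute, value) an Open-AudIT device needs to be integrated.
    priority: field -> "internal" or "external", the point of truth per field.
    Returns the changes each side would receive; nothing is written."""
    plan = {"create_external": [], "create_internal": [],
            "update_external": [], "update_internal": []}
    attr, wanted = select
    ext_index = {}
    for dev in external:
        key = match_key(dev, match_on)
        if key is not None:
            ext_index[key] = dev
    matched = set()
    for dev in internal:
        if dev.get(attr) != wanted:
            continue                              # restricted out of the list
        key = match_key(dev, match_on)
        other = ext_index.get(key)
        if other is None:
            plan["create_external"].append(dev)   # new to NMIS
            continue
        matched.add(key)
        for field, truth in priority.items():
            if truth == "internal":
                src, dst, side = dev, other, "update_external"
            else:
                src, dst, side = other, dev, "update_internal"
            if field in src and src[field] != dst.get(field):
                plan[side].append((key, field, src[field]))
    for key, dev in ext_index.items():
        if key not in matched:
            plan["create_internal"].append(dev)   # new to Open-AudIT
    return plan

# Constructed sample data: documentation address range, made-up names and strings.
OPEN_AUDIT_DEVICES = [
    {"name": "core-rtr-1", "ip": "192.0.2.1", "type": "router", "community": "old-ro"},
    {"name": "edge-rtr-2", "ip": "192.0.2.2", "type": "router", "community": "ro-b"},
    {"name": "app-srv-1", "ip": "192.0.2.10", "type": "computer", "community": "ro-c"},
]
NMIS_DEVICES = [
    {"name": "core-rtr-1", "ip": "192.0.2.1", "community": "new-ro"},
    {"name": "dist-sw-9", "ip": "192.0.2.9", "community": "ro-d"},
]
PRIORITY = {"name": "internal", "community": "external"}  # NMIS owns community

if __name__ == "__main__":
    plan = plan_integration(OPEN_AUDIT_DEVICES, NMIS_DEVICES,
                            ("type", "router"), ("ip",), PRIORITY)
    for action, items in plan.items():
        print(action, len(items))   # counts only, so community strings are not echoed
```

Because the community string is a credential that this kind of sync copies between systems, the field's priority setting decides which system's access controls and change history govern it.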

How can I automatically run the Integration?
Integrations can be scheduled within Open-AudIT just like discoveries, queries, baselines, et al. You can choose to run an Integration on whatever time frame you choose.

What if I’m an NMIS user, have just installed Open-AudIT, and don’t have any devices in it?
Simply run the default Integration. Your NMIS devices will be sent to Open-AudIT and discovered automatically. Open-AudIT stores more information about the make-up of a device, as opposed to NMIS’s performance data. When you run an Integration, Open-AudIT has the device’s IP and the device’s credentials. You can then run a discovery and retrieve everything Open-AudIT can.

 

Again – this is configurable. You might not wish to run a discovery on the device – that’s up to you! To enable or disable a discovery is a single attribute. Click, done!

Making it Happen
As usual, the Open-AudIT wiki has all the technical details you should need. Check the Integrations page and if you still have questions, please do ask in the Community Forums.

Auditing your network, without credentials.

Now that I have your attention, how can we possibly audit a network and find all the juicy details about the devices upon it, without having high level credentials to talk to those devices?

Well, it’s a bit of a mistruth. Or a caveat. Or whatever you want to call it. We definitely can do this, but for devices such as routers, printers and switches you will need a minimal set (read only, minimum access level) of SNMP credentials. Computers can be audited without any credentials being stored in Open-AudIT.

“How can you do that?”, “It won’t work on my network, my network and devices are locked down”. Yes, yes, your network is perfectly secure, I understand. In that case you are the perfect candidate to implement network discovery and auditing in this fashion.

So how do we do this? Well, as mentioned, first source a set of SNMP credentials that allow the minimal level of access. Do not worry about credentials for Windows, Linux or any other computer OS.

Next configure Open-AudIT to match devices based on IP address. Note that if you have devices that frequently change IP, you may need to enable this on a per discovery basis to avoid too many false positive device matches. Note that even this can be negated by using a collector per subnet to run discoveries.

Once you have your minimal SNMP credentials and have created and configured a subnet discovery, run it. Naturally devices without credentials will probably be classed as unclassified or even unknown. That is expected – no credentials, remember.

Next use your management software to deploy the audit scripts to the appropriate operating system for each device. For Linux machines (for example), you can use Puppet, Chef or Ansible to push the audit_linux.sh script. Windows domain users also have the option to deploy and run the script at domain login. Then create a cron job (or scheduled task under Windows) to run the audit script on a schedule of your choosing and submit the results to your Open-AudIT server.

Then you should check for unclassified or unknown devices within Open-AudIT and work through them, determining what each one is and remediating as necessary.

As the audit script results are submitted, the unclassified or unknown devices should be matched and decrease in number.

Eventually you should have zero unclassified or unknown devices. You have just discovered and audited your network using only a minimal set of SNMP (read only) credentials. You still have all the data Open-AudIT usually collects, but no central store of credentials!

Obviously this will take a lot more effort than using Open-AudIT as designed, but in those cases where you just cannot store sensitive credentials in a central location, Open-AudIT still has you covered.

Open-AudIT 4.0.0

As at October 2020, we have released a new version of Open-AudIT using version 4.0.0.

Why the major version bump?

Well our underlying build infrastructure and libraries have changed in an incompatible way.

This new version is not able to be installed with older Opmantek applications that are designed to talk to NMIS8, hence the major version number increase to 4.0.0.

Wait – my applications won’t work, what?

Unfortunately this is a breaking change. If you are using other Opmantek applications on the same server, you will need to upgrade them all at the same time, including upgrading to NMIS9.

New License Required (perpetual license only)

A new license will be required if you have a perpetual license. Subscription licenses are unaffected. Contact Opmantek if you require a new license.

Application wise, what has changed for me?

Not much really. Most of the changes are behind the scenes. Having said that, there are a few minor front end changes, as detailed in the Release Notes for Open-AudIT v4.0.0.

We have disabled Open-AudIT – NMIS integration for the moment. This is one component that we have to rework in order to be compatible. This is coming ASAP. We have implemented the ability to import and export to and from NMIS as below (all available using the GUI, see Manage → Devices → Import from NMIS). What we don’t have is the ability to sync between NMIS and Open-AudIT.

Community

Auto Import from NMIS 8 using locally loaded and parsed Nodes.nmis (Linux only) and also uploading a Nodes.nmis file (Windows and Linux).
Auto Import from NMIS 9 on Linux using the local command line (Linux only).
Manual export to NMIS 8 – you select the devices and it’ll give you a CSV and instructions to import. (Windows and Linux).

Professional / Enterprise

Auto Import from NMIS 8 using locally loaded and parsed Nodes.nmis (Linux only).
Auto Import from NMIS 9 on Linux using the local command line (Linux only).

Should I upgrade?

No, but maybe you should migrate. That will depend on if you are using NMIS on the same machine (hence Windows users will be unaffected). If you’re not using NMIS (or any other Opmantek applications) on the same server, migrate away! If you are using NMIS on the same server as Open-AudIT, to get to version 4.0.0 you will need to be running NMIS9 and any associated and migrated Opmantek products (opCharts, opReports, et al). If you migrate any Opmantek applications for NMIS9, you will need to migrate them all. We do encourage users to migrate to version 4.x as soon as you can (bearing in mind the NMIS9 requirements).

How do I migrate (and why is this different to an upgrade)?

Our installer will not allow you to upgrade from 3.x to 4.x on Linux. This is in part because when you change to 4.x, you must uplift all other Opmantek applications and we want to make sure you knowingly choose to do so. So, how do you do this? It’s actually very easy. Stop the OMKD daemon, move the /usr/local/omk folder out of the way, and start the 4.x installer. NOTE – If you have NMIS 8 installed, but only Open-AudIT, DO NOT UPGRADE, it will break. Again – NMIS 9 only (at least for now).


# Stop the daemon
sudo systemctl stop omkd

# Move the old install out of the way (do *not* delete it)
sudo mv /usr/local/omk /usr/local/omk.old

# Run the installer
sudo ./tmp/OAE-Linux-x86_64-release_4.0.0.run

# Copy the original configuration files back
sudo cp -r /usr/local/omk.old/conf/* /usr/local/omk/conf/

# Convert those original files to JSON
sudo /usr/local/omk/bin/opcommon-cli.exe act=convert_json_dir dir="/usr/local/omk/conf/"

# Restart the OMKD daemon so it uses the newly converted files
sudo systemctl restart omkd

After doing the above, if Open-AudIT doesn’t acknowledge you have a license, copy the encrypted string from /usr/local/omk.old/conf/opLicense.nmis and paste into the text field at /omk/opLicense (use the Enter a License Key button).

On Windows, there is nothing to do, just run the installer.

What about Windows users?

Windows users are essentially unaffected. Opmantek does not release or support any other products for Windows. Our plan is to get a Windows release out ASAP. This will also be version 4.0.0.

What will happen to us version 3.x users?

We plan to focus development going forward on the 4.x series, so that’s where major new features will be introduced. We won’t completely forget version 3.x users though. Any important bug fixes, minor GUI improvements or security issues will be back-ported.

Is Open-AudIT Community affected?

Basically, no. Professional and Enterprise build their feature sets on top of Community. There have been a couple of very minor changes to Community that don’t affect users (ie, we check and parse an additional config file from Enterprise because that changed). Minor stuff like that. As a result, when you install Professional or Enterprise you will see version 4.0.0 in the title bar, however if you change to the Community GUI you’ll see version 3.5.1. Both the version 4.x and 3.x streams of Professional and Enterprise use the same version of Community (as said, currently 3.5.1). Eventually (when we discontinue support for the 3.x series of Professional / Enterprise) we will increase the Community version to match the 4.x series.

Open-AudIT V4.0.0 New Release

Open-AudIT 4.0.0 is here. For more information about why we have gone to 4.0.0, please see my blog post Open-AudIT 4.0.0.

WARNING – See blog post above about migrating as you cannot upgrade to Open-AudIT 4.0.0 (hint, it’s easy).

A new license will be required if you have a perpetual license. Subscription licenses are unaffected (but may need to be manually copied, see blog post). Contact Opmantek if you require a new license.

Please note (as detailed in the blog post):

  • NMIS9 Syncing has not been implemented for this release.
  • This release is not compatible with older versions of Opmantek products that were designed for NMIS8.

Open-AudIT Community will (for now) remain at version 3.5.1.

Open-AudIT Professional and Enterprise build on top of Community, so their major version has been increased, as explained in the blog post. So if you install version 4.0.0 and switch to the Community GUI you will see version 3.5.1 there. DON’T PANIC, this is intentional.

Linux SHA256: 7e035e6af2260d7fc6a93fdcd6d1ba1193ce09ae7f704031c552daa3c3ff194b

Linux md5sum: 7c5318948aa9c1733396d2f63e27f5ea

There are no major changes for 4.0.0 from a user’s perspective. The minor changes and fixes are detailed below.

| Version | Type | Collection | Description |
|---|---|---|---|
| Professional | Bug | Tasks | Menu link to scheduled reports needed reformatting (user now required to provide quotes when using the IN keyword). |
| Professional | Bug | Tasks | Add ‘required’ indicator to attributes on tasks_create form. |
| Professional | Bug | LDAP Servers | Add ‘required’ indicator to ldap_servers::create template for ‘secure’ attribute. |
| Professional | Improvement | Attributes | Add icons to attributes::read template for devices and locations. |
| Professional | Improvement | Users | Only show Cloud text to Cloud users on users_read template. |
| Professional | Task | Integrations | Remove ‘integrations’ from menu for initial ABI4 release. |
| Professional | Task | Configuration | Change nmis_url in database config to NMIS9 URL. |
| Professional | Improvement | Discoveries | Add links to individual discovery scan options in help text on discoveries::create template. |
| Professional | Improvement | Roles | Add roles.ad_group to roles::collection template. |
| Professional | Improvement | Users | Add error message to auth_log when user in htpasswd, but not OAC. |
| Professional | Improvement | Discoveries | Add hover text to discoveries_read left side menu. |
| Professional | Improvement | NMIS | Provide same functionality for OAP/E as per OAC – Import Devices from NMIS8 and NMIS9. |
| Professional | Bug | Baselines, Roles | Add baselines endpoint to roles::read and roles::create templates. |
| Community | Bug | Networks | Bad SQL (still worked on Ubuntu 18.04) in networks::collection. |
| Community | Improvement | All | Allow for URL Encoded HTML Entities in $id when searching to match name -> id. |
| Community | Improvement | Configuration | Allow for config.json UUID retrieval. |
| Community | Improvement | Users | Language selector added zh-tw. Merge pull request #6 from jasoncheng7115/patch-2 |
| Community | Task | NMIS | Ensure we can import nodes from NMIS 9 (as well as NMIS 8). |

Getting Started with the Opmantek VM

This page details the four simple steps you need to get started using the Opmantek Virtual Machine.

The virtual machine is a vendor neutral image (OVF) that can be converted and used with VMware (ESXi, Fusion, et al), Virtual Box, KVM and Hyper-V. It’s a quick and easy way to get up and running for Proof of Concepts, Trials and other scenarios where a full production install is not required. Download it, convert it and run it and you’re good to go.

Of course you may have requirements around configuring your Linux machines in a company standard way, and in that case our individual applications are also available to install on a machine built by you to your requirements. You can download individual applications here.

Step 1 – Download

Download the Opmantek Virtual Appliance from here.

Step 2 – Deploy

So you’ve downloaded the latest version of the Opmantek Virtual Appliance and now you want to set it up and take it for a test drive to see how NMIS and the Opmantek networking modules can help you administer your network. No problem. Easy. Simply:

  1. Import the OVA (Open Virtual Appliance Format) or OVF file into VMware, Virtualbox,…
  2. Start up the new VM, optionally set a static IP address.
  3. Access NMIS and the other Opmantek applications in your browser.

For more details on how to do this including specific hypervisor detail, follow the instructions for your hypervisor of choice below:

Step 3 – Configure

Out of the box there is nothing to do – just start the virtual machine and connect to the application URL, done!

If you would like to configure the virtual machine to use HTTPS, set the hostname or set the IP options to your liking, see here – Getting Started, Configuring the Appliance

Step 4 – Run

Start the virtual machine and configure the application settings, see here – Getting Started, Configuring the Applications

Our individual applications are covered in great detail in their own wiki spaces (see below).