Configuration Reference for Auto Setup
This page provides detailed reference material for Auto Setup files, their directives, and resource-discovery sensors.
We use the term "auto-discovery" in this page to emphasize the fact that the auto-setup resource-probing process is a distinct phase of operation.
Auto Discovery Instructions File Format
An auto-discovery instructions file contains three sections of declarations:
- global directives (of the form
option = value
) - host-sensor definitions (a set of
<host "name">
declarations) - service-sensor definitions (a set of
<service "name">
declarations)
Host-sensor definitions (<host "name">
objects) are intended to decide what single host profile should be applied to the machine's configuration. That host profile may itself reference an arbitrary number of ancillary service profiles, as it is set up within Monarch.
Service-sensor definitions (<service "name">
objects) are intended to decide which service profiles or individual services, if any, should be applied to the machine's configuration. There is no constraint on the number of such service profiles or services that may be applied to the host as a result of processing the auto-discovery results.
The tag names in <host "mytag">
and <service "mytag">
declarations must be unique across all <host>
and <service>
objects in the file, respectively. They are used to label the outcome of discovery on the respective sensors, but do not otherwise affect the matching of client resources.
Comments may be used anywhere within the auto-discovery instructions file to document the utility of specific pieces or to disable certain sections. Comments begin with an unescaped "#
" character and run to the end of the line. Unfortunately, that is true as well within an option value, even if that value is quoted. The option value will be truncated at that point, and a leading double-quote character that you thought would enclose the value but not be part of it will instead become the first character in the value. To work around this and get a "#
" character included in an option value, you must escape it with a preceding backslash character:
pattern = "this\#that"
Because backslashes are used when reading the config file for purposes like that, there is a level of interpreting backslashes throughout the instructions file, before the discovery code itself ever sees your option values. That means that if you truly want to get a single backslash character into an option value, you must double it in the instructions file to get it seen as a single backslash character in the option value seen by the discovery code. Furthermore, there is often an additional layer of interpreting backslashes as escape characters, within the discovery code. For instance, trying to match a literal backslash as part of a sensor pattern
requires that you follow the ordinary Perl rules for regular expressions, meaning that the regular expression compiler must see a doubled backslash to match a single literal backslash. In a similar manner, the file_name
, symlink_name
, directory_name
, and file_content
sensor types use backslashes as escapes for resource fileglob metacharacters. Again, you would need to double the backslashes to get a single backslash recognized as a literal backslash in a filepath. Combining those two levels of interpretation, you will end up with quadrupled backslashes in the instructions file:
resource = " "C:\\\\program files\\\\outlook*" "
This is insane, making the instructions file far less readable and maintainable than it should be. So we have provided a workaround; see the description of the file_name
sensor type for details.
With respect to individual sensor definitions, if a single sensor definition is matched by the resources on the GDMA client, that suffices to activate inclusion of the associated host profile or service in the generated configuration. In the current implementation, there is no support for logical combinations of matching or not matching multiple sensor definitions being used for the final activation decision.
The auto-discovery instructions file must be internally tagged with a version number in the format_version
directive. This declares the kinds of capabilities that may be present in the file, and provides a means to support backward compatibility as the software is extended.
Here is a sample auto-discovery instructions file, so you can see how one is constructed. We cover the individual directives below.
# The file-format version number is here to provide some clue to the software that # reads this file as to what capabilities to expect. format_version = "1.0" <host "Linux"> type = os_type pattern = "linux" host_profile = "gdma-linux-host" </host> <host "Windows"> type = os_type pattern = "windows" host_profile = "gdma-windows-host" </host> <host "Solaris"> type = os_type pattern = "solaris" host_profile = "gdma-solaris-host" </host> <host "AIX"> type = os_type pattern = "aix" host_profile = "gdma-aix-host" </host> # All of the above could have been collapsed into just one sensor: <host "GDMA host"> type = os_type pattern = "(.*)" host_profile = "gdma-$SANITIZED1$-host" # Don't actually have this sensor in play, inasmuch as it would # collide with the results from the preceding sensors. enabled = false </host> <service "Apache 2.2"> type = full_process_command # Match a filepath ending in a particular filename along with either # an extra space (preceding process arguments) or the end of the # entire command line. Capture the "httpd.bin" portion for logging # purposes, and the config file path (value of the "-f" option) to # perhaps distinguish what kind of web server is being run. pattern = "/(httpd\.bin)(?:\s+-f\s+(\S+)|$)" service = "apache-web-server" </service> <service "MySQL"> type = full_process_command pattern = "/(mysqld)" service_profile = "mysql-server" </service> <service "Cassandra"> type = file_name resource = "/path-to/cassandra.yaml" pattern = "/cassandra.yaml$" service_profile = "cassandra-server" </service> <service "DNS Client"> type = running_system_service pattern = "^DNS Client$" service_profile = "windows-dns-client" </service> <service "Search Indexer"> type = full_process_command pattern = "^searchindexer.exe$" service_profile = "windows-search-indexer" </service>
Catalog of Possible Auto Discovery Sensor Definition Directives
Inside the <host "mytag">...</host>
or <service "mytag">...</service>
wrapper for each sensor definition, you must include some number of sensor definition directives. The full set of available directives is listed in this section. See the Catalog of Supported Sensor Types section below for the available sensor types.
Directive | Definition |
---|---|
type | This directive specifies the kind of resource to be probed. It is mandatory for every sensor definition. |
resource | This directive is required for a few particular sensor types. For those, it specifies key details of how the resource is to be located, and provides some level of filtering before |
cardinality | This directive is only supported in a This directive is supported and generally recommended in a
|
pattern | This directive is mandatory for sensor definitions, and provides the details against which the resource probing will be matched to determine if the resource is present on the machine. The exact nature of the pattern depends on the sensor type, but generally a Perl regular expression is used for string matching and possible substring capture. This makes the pattern matching very flexible. If parts of the pattern are captured during pattern matching, they can be referenced in other directives as pattern = "(.+)_(.+)-(\d+)" when matched against a resource with value |
transliteration | This directive is optional. For convenience, it may be specified multiple times in a sensor definition to define a series of separate transforms, to implement some especially complex character substitutions or simply to make the intent clearer. It specifies how to substitute individual characters in pattern-match string results before applying # Turn all ASCII uppercase into lowercase characters; also turn backslashes # into underscores. transliteration = "{A-Z\\\\}{a-z_}" # Same thing, but performed as separate successive steps in the order given. transliteration = "{A-Z}{a-z}" transliteration = "{\\\\}{_}" # This transliteration and sanitization do exactly the same thing: delete all # characters which are not either alphanumeric or just a few allowed punctuation # characters: - . @ _ transliteration = "/-.@_a-zA-Z0-9//cd" sanitization = "-.@_a-zA-Z0-9" # Change all space characters to underscores. In the process of doing so, # squash each sequence of consecutive spaces down to a single underscrore. transliteration = "/ /_/s" # Change all non-alphanumeric characters to underscores. transliteration = "/a-zA-Z0-9/_/c" Transliteration can help in handling backslashes within Windows pathnames. While their use is conventional and widespread on this platform, the Windows kernel itself accepts forward slashes as directory separators in filepaths passed to system calls. It's the transliteration = "{\\\\}{/}" Our matched-value character-cleanup model is presently primitive; the same transliteration and sanitization options in a sensor definition will apply uniformly to all of the Implementation note: This option effectively specifies Perl code that will be taken directly from the user and executed. The execution part validates that it has a proper construction of the " |
sanitization | This directive is optional. It specifies which characters are to be preserved in pattern-match string results when they are referenced in The value of this option is the SEARCHLIST part of a Perl " Implementation note: The same code-crash and security issues arise as with |
host_profile | This directive is mandatory for a |
service_profile | This directive is optional for a Merging of match results from multiple sensor definitions that name the same In general, use of the |
service | This directive is optional for a Merging of match results from multiple sensor definitions that name the same |
check_command | This directive is optional, and probably rarely used. If supplied, it overrides the server-side "Check command" selected in every host service generated by this sensor definition. (Of course, that means that the sensor's profile should either only expand to one service, or all the services so generated must be checkable by exactly the same form of a check command.) We might only support this directive if we construct an actual useful use case for it, and show to what degree it can and must be macro-izable. |
command_arguments | This directive is optional. If supplied, it is combined with the value of the |
externals_arguments | This directive is optional, and is only allowed in a sensor definition with a If the final results of all sensor resource matching includes multiple matching sensors, whether or not they share the same The format of the externals_arguments value is a " There is no default value of externals_arguments = "$SANITIZED1$!$SANITIZED2$!$SANITIZED3$" for as many elements as are matched by the sensor pattern. For clarity, it helps to understand which macro references, if specified in the externals_arguments directive, get expanded during auto-setup. |
instance_suffix | This directive is supported in any sensor definition, be it As an example, for an instance_suffix = "_$SANITIZED2$" to append an underscore and the found open-port number to the name of the base service to create the full service-instance name. (As noted above, For any sensor definition that includes a This directive is mandatory if the sensor |
instance_cmd_args | This directive is optional. If present, it provides the per-service-instance command arguments for each generated service derived from this sensor definition. Its format is a " Normally, there shouldn't be any need for this option; it is supported more or less to cover the waterfront, in case we realize later on that there is some supporting use case. These command arguments would only come into play for a command run directly on the GroundWork server, such as a freshness check for the service instance. So perhaps that might be the important supporting use case. In contrast, most of the calculation done by GDMA Auto-Setup is targeted at configuring service externals that define what commands will be run on the GDMA client machine. For configuring those on a per-service-instance basis, see the |
instance_ext_args | This directive is optional. If present, it provides the per-service-instance externals arguments for each generated service derived from this sensor definition. Its format is a " If this directive is not supplied, service-instance-level externals arguments are set to be inherited from those for the base service. The usual caveats apply about correspondence and conflicts if multiple sensor definitions generate the same service instance suffix. Merging of identical setup for multiple copies of the same service instance is allowed, and conflicting setup causes the configuration phase to fail. |
enabled | This directive is optional, and defaults to a positive value (" |
Interactions Between Auto Discovery Sensor Definition Directives
Auto-discovery fails if sensor matching produces conflicting values of the host_profile
directive within the final overall discovery results. (Multiple <host>
sensors that all produce the same value of the host_profile
on a given machine are allowed; the duplicate values are reduced to a single copy when discovery results are submitted to the server.) In contrast, multiple service_profile
and service
values can be sent in as part of the discovery results. That said, if two <service>
sensors both match and have the same service_profile
or the same service
, the fully-evaluated externals_arguments
must match for every generated instance_suffix
that is shared between the matching <service>
sensors. If this condition is not met, auto-discovery fails because the downstream code is unable to resolve the evident conflict.
Catalog of Supported Sensor Types
In addition to the fixed sensor types already listed in this catalog, one might conceive of some sort of "always present" resource that could be used to force certain configuration to be present under conditions that do not match any of the existing sensor types. We don't provide such a type because it would be ripe for abuse, causing people to not write the proper resource pattern matching into sensor definitions and then later being surprised when those resources should no longer be monitored. If there are additional sensor types that make sense but are not being supported, talk to GroundWork and we'll see what can be done about extending the set.
Fixed Sensors
Sensor Type | Value | |
---|---|---|
type = os_type | This value is determined by internal logic within Perl code. Possible sensor values to be matched against using the aix linux solaris windows
| |
type = os_version | This value is determined by programmatically probing the operating system in an OS-specific manner. Note that this value reflects the kernel version more than anything else. It does not distinguish, for instance, between Linux distributions (Red Hat Enterprise Linux, Ubuntu, SLES, etc.). If it comes to pass that an additional | |
AIX | On AIX, we the equivalent of: `uname -v`.`uname -r` Typical sensor values on this platform are strings like: 5.3 | |
HP-UX | On HP-UX, the proper derivation on this platform is unknown at this time. For the moment, we use the equivalent of: `uname -r` | |
Linux | On Linux, we use: `lsb_release -r -s` Typical sensor values on this platform are strings like: 7.4.1708 (on CentOS 7.4) 11 (on SLES 11.1) 16.04 (on Ubuntu 16.04.3 LTS) We might have used the output from " | |
Solaris | On Solaris, we use the equivalent of: `uname -r` `uname -v` Typical sensor values on this platform are strings like: 5.10 Generic 5.11 11.3 | |
Windows | On Windows, programmatically obtaining the OS version on this platform is somewhat difficult. There is a standard Perl package for that purpose, but it is subject to confusion within Windows itself. Using that mechanism, we get a string typically beginning with "Win2003", "Win2008", or "Win2012", such as "Win2003 Enterprise Edition Service Pack 2". But note that the initial "Win2012" string is also generated for Windows 2016, so it is not completely definitive on this platform. See the article Finding your Operating System version programmatically for more information on the mess that is Windows versions in this regard. Microsoft Windows Server 2003, Enterprise Edition Service Pack 2 Version 5.2.3790 Microsoft Windows Server 2008 Standard Service Pack 2 Version 6.0.6002 Microsoft Windows Server 2012 R2 Standard Version 6.3.9600 Microsoft Windows Server 2016 Datacenter Version 10.0.14393 If you need to make distinctions based on the OS version for this platform, you should try a run of discovery on each of the OS versions that matter to you, and see what OS version string is determined during discovery. Then you can develop sensor patterns to match against whatever strings you obtained. | |
| This value will be either | |
| This value is determined by internal logic within Perl code. Possible sensor values to be matched against using the arm intel powerpc sparc |
Static Sensors
Sensor Type | Value |
---|---|
type = file_name type = symlink_name type = directory_name resource = "fileglobs" | For all of these sensor types, the value to match with the The sensor resource may be an ordinary Perl file glob, not just one path. It can even contain more than one glob pattern, with globs separated by spaces. To have the sensor match as a whole, the A fileglob is a means of specifying a potentially partially-wildcarded filepath, such as: resource = "/etc/*.conf" In brief, the conventions for metacharacter interpretation within a Perl glob are as follows:
With respect to backslashes in globs, to avoid confusion and confine the use of an initial backslash to only mean it is escaping the interpretation of the next character, we only allow a backslash to appear immediately before either a double-quote character or one of the glob metacharacters: " \ * ? ~ { } , [ ] - The sensor will claim you have a bad filepath glob if you use an unescaped backslash before any other character. See the description of the There are various complications with glob matching on Windows.
|
| For this sensor type, the specified pattern is matched against all the active filesystem mount points on the machine. The practical intent is generally to match physical or network filesystems, not virtual filesystems like the autofs ctfs ext4 jfs2 objfs swap binfmt_misc debugfs fd mntfs proc sysfs cachefs devfs fuse.gvfsd-fuse mqueue procfs tmpfs cdfs devpts fusectl nfs pstore udfs cdrfs devtmpfs hpfs nfs3 rpc_pipefs ufs cgroup ext2 hugetlbfs nfs4 securityfs usbfs cifs ext3 jfs ntfs sfs zfs resource directive is recommended where practical and sensible, but optional; if it is not provided, the mount points for all filesystems mounted on the system are matched against the sensorpattern .
Possibly in a future release, we might provide support for special values of the On UNIX-like systems, the implementation of this sensor type does identify On Windows, the initial implementation of this sensor type identifies a set of mount points, but some of them might not be currently active with a mounted filesystem behind them. This is typically the case, for instance, for a drive letter that represents a CD-ROM drive, where there may be no disc currently in the drive but the drive path will still be listed in the potential results for your sensor The value to match with the pattern = "//\\?/Volume{2bac18e8-2b26-11e8-81d8-806e6f6e6963}/" Unlike the sensor |
| For this sensor type, the pattern directive regular expression is applied against all lines of the file content. This regex is tested only once against each line of a file that matches the specified resource, so it cannot be used to match more than one copy of the pattern on a single line. (If there is a good use case, we could relax that constraint, and perform a global pattern match that recognizes multiple instances of the pattern in a single line of the file. Talk to GroundWork if you see such a need.) But the pattern can match multiple lines of the file and thereby generate multiple service instances.The sensor resource may be an ordinary Perl file glob, not just one path. It can even contain more than one glob pattern, with globs separated by spaces. Each component of the resource must be an absolute pathname, because there is no single fixed base directory against which a relative path could be rooted. To have the sensor match, the resource-filepath globs as a whole must match exactly one file in the filesystem. (Given that this sensor can have cardinality = "multiple", it probably makes sense to allow the resource to match multiple files, and to scan each of the matching files in the same way. We would like feedback on real-world cases where it might be useful.)The resource globs for this sensor type follow the same conventions for metcharacter interpretation and are subject to the same restrictions on the presence of backslash characters as is documented for the file_name sensor type. |
Dynamic Sensors
Sensor Type | Value | |
---|---|---|
type = running_system_service | System services are an OS-specific type of object. We only match against running services because apparently, most operating systems have many disabled services, and there is little point in matching those entries. | |
aix | "lssrc -a " is used to list the available services. (This only shows services that are registered with the system resource controller. There may be others, such as those run by inetd. And if a service is started manually by running the executable from the command line, it may not show up in the lssrc output.) Before pattern matching, the list is filtered to include only active services, not inoperatlve services. The pattern directive regular expression is matched against the service subsystem name, and not against any other part of the lssrc output. | |
linux | The command used to probe will probably need to vary depending on the OS distribution and version, to accommodate both chkconfig --list 2>/dev/null | fgrep :on | awk '{print $1}' systemctl list-unit-files --full --state static,enabled,indirect \ --no-pager --no-legend | awk '{{print $1}}' Also look at the | |
solaris | "svcs -H -o FMRI " will be used, which will list both legacy_run and online services, and ignore disabled services. The value to match with the pattern directive regular expression will be the FMRI (Fault management Resource Identifier), such as "svc:/network/nfs/server:default ". | |
windows | We use the equivalent of " wmic service get name,state | findstr Running | |
| This sensor type is not supported. That is to say, we considered and rejected providing a sensor type that would match just against the command name of the process. The reason we rejected this idea is that the command to fetch this data, " | |
type = full_process_command resource = "userlist" | This sensor matches the regular expression given as the On UNIX-like platforms, the command " On Solaris, the command string retrieved by " On Solaris, there is currently no support for limiting the processes under consideration to only those running in a particular zone. If such a capability is needed, talk to GroundWork. On Windows, a username may be specified as just the user account or prepended with a domain name in the form On Windows, it is possible for domain names and user account names to contain spaces. That conflicts with the possible use of spaces to separate consecutive user names within the resource = " "NT AUTHORITY\\LOCAL SERVICE" Administrator " On Windows, you may use " resource = " ".\\MyUser" " would match processes running under the " On Windows, the ability to access process command-line and user-account information for processes not owned by the currently running user may be limited by the set of privileges assigned to the account. This is commonly evident if you run the GDMA service as a non-admin user. Such restrictions severely limit the utility of this sensor type in such a context. The proper treatment of Windows privileges is beyond the scope of this document. On UNIX-like platforms, user name matching for this sensor is case-sensitive. On Windows, it is case-insensitive. On UNIX-like platforms, all the user names you specify must exist on the platform you are probing. Otherwise, the " There is an important consideration when writing the sensor type = file_name type = symlink_name type = directory_name type = mounted_filesystem type = full_process_command type = open_named_socket You may be tempted to backslash-escape the forward slashes in pathnames within your sensor patterns, because you are used to doing so in ordinary Perl regular expressions that are delimited by slashes. Thus for instance, for a full_process_command sensor, you may be tempted to write: pattern = "\/usr\/bin\/python -Es \/usr\/sbin\/firewalld" The backslashes there would be pretty much useless, because those backslashes would be swallowed by quote-escape interpretation as the instructions file is read, and never reach the regex processing. So you might try doubling them, so single backslashes become part of the regular expression used by the pattern matching: pattern = "\\/usr\\/bin\\/python -Es \\/usr\\/sbin\\/firewalld" While that would work, it is completely unnecessary. The manner in which the regular expression you provide is used does not treat slashes within the regex as delimiters. So it is simplest and most readable to just reference paths in sensor patterns in their usual unadorned form: pattern = "/usr/bin/python -Es /usr/sbin/firewalld" On Windows, for all of those listed sensor types except On Windows particularly, since the filesystem normally treats filepath components in a case-insensitive fashion, the issue of how to match command names is likely to come up when you construct your sensor # Match the command name case-insensitively, without capturing it. pattern = "\\\\(?i:searchindexer.exe)\\s" # Make the entire pattern case-insensitive, without capturing any of it. pattern = "(?i)\\\\searchindexer.exe\\s" | |
type = open_local_port resource = "IP address blocks" | This sensor looks to see whether a particular port or set of ports are open (generally in a LISTEN state, not just in general use on an ESTABLISHED connection) on the local machine. For this sensor type, the resource specifies a list of space-separated IP address blocks, in CIDR-block notation, used to qualify the port matching (e.g., to specify on what network interface the port is open). The pattern specifies one or more port numbers to probe. Broadly speaking, a matched port must be open on some network address within at least one address range which is positively specified by the resource, and within no address range which is negatively specified by the resource. In that regard, IPv4 and IPv6 addresses are handled separately, though their respective CIDR blocks can be mixed arbitrarily in the specified sensor resource. Each individual port which is found to be open will ultimately generate a separate service instance for each service in the sensor definition's There is no default value for the sensor resource. To match ports, you must supply a resource value. CIDR blocks are positively specified in the sensor resource by simply being present there. CIDR blocks are negatively specified in the sensor resource by being prefixed with a " A positive Wildcards as a general idea don't just apply with respect to the sensor resources. Ports can be opened by a program either using a specific IPv4 or IPv6 address, or by using an IPv4 or IPv6 wildcarded address (effectively, all zeroes). If a port is found to be open on a wildcarded IP address, it automatically matches every non-negated CIDR block of the same address type (IPv4 or IPv6). If you wish to exclude such wildcarded IP addresses from consideration, you must provide an explicit negated CIDR block of that address type that lists the wildcard address with a full-length netmask (i.e., either IPv4-in-IPv6 mapped addresses, namely those in the Each resource component can be one of several objects:
The address components of discovered listening ports may have any of the following forms:
The address matching across all those possibilities can seem a bit complicated. So to see how this plays out in practice, and to guide the construction of your own sensor resource values, consider the following situation. Assume the following IPv4 ports are seen to be open on the machine: 0.0.0.0:123 (a wildcarded IP address, visible in all domains) 127.0.0.1:123 (an address in the loopback domain) 172.28.113.60:123 (an address in a particular private domain) Then assume we have the following partial sensor definition (missing # Test a port number against a defined resource, for various definitions of the # resource. The important thing to notice here is that open ports with wildcard # IP addresses (0.0.0.0) will unconditionally match a resource CIDR block such as # "172.16.0.0/12" even though you didn't specify "0.0.0.0" as a valid part of the # CIDR block. That is the nature of a wildcarded IP address for the open port. <service "NTP"> type = open_local_port # See below for example resource values. resource = " ... CIDR block(s) ... " # The well-known port 123 is used by NTP. pattern = "123" service = "ntp" </service> Here is what address:port combinations would match under various values of the sensor resource, keeping in mind that every match will result in a separate discovered sensor instance: # Match all ports on all IPv4 network interfaces: # matches 0.0.0.0:123 # matches 127.0.0.1:123 # matches 172.28.113.60:123 resource = "0.0.0.0/0" # Match all IPv4 ports in the loopback domain, plus IP addresses seen as # wildcards since they will logically also be seen in the loopback domain: # matches 0.0.0.0:123 # matches 127.0.0.1:123 resource = "127.0.0.0/8" # Match all IPv4 ports in a particular private domain, plus IP addresses seen as # wildcards since they will logically also be seen in that same private domain: # matches 0.0.0.0:123 # matches 172.28.113.60:123 resource = "172.16.0.0/12" # Match all IPv4 ports on all IPv4 network interfaces, except for ignoring # IP addresses seen as wildcards by explicitly excluding them: # matches 127.0.0.1:123 # matches 172.28.113.60:123 resource = "0.0.0.0/0 !0.0.0.0/32" # Match all IPv4 ports on all IPv4 network interfaces, except for ignoring # IP addresses in the loopback domain by explicitly excluding them: # matches 0.0.0.0:123 # matches 172.28.113.60:123 resource = "0.0.0.0/0 !127.0.0.0/8" # Match all IPv4 ports on all IPv4 network interfaces, except for ignoring # IP addresses in the private address domain by explicitly excluding them: # matches 0.0.0.0:123 # matches 127.0.0.1:123 resource = "0.0.0.0/0 !172.16.0.0/12" # Match all IPv4 ports in the loopback domain, ignoring IP addresses seen as # wildcards by explicitly excluding them: # matches 127.0.0.1:123 resource = "127.0.0.0/8 !0.0.0.0/32" # Match all IPv4 ports in a particular private domain, ignoring IP addresses # seen as wildcards by explicitly excluding them: # matches 172.28.113.60:123 resource = "172.16.0.0/12 !0.0.0.0/32" # Match only IPv4 IP addresses seen as wildcards: # matches 0.0.0.0:123 resource = "0.0.0.0/32" # Match no IPv4 ports, because no positive (non-negated) CIDR block is given: # (no ports matched) resource = "!0.0.0.0/32" The Port ranges are included specifically because the user might want to specify a very large number of possible ports for a particular sensor. Port ranges can be specified using either the commonly understood single-dash notation or the standard Perl double-dot range operator as the punctuation between the first and last port numbers in the range. To simplify both parsing of the pattern and human understanding, no spaces are allowed around the range punctuation. Thus we have: pattern = "7000-7500" # Standard notation for a large set of consecutive numbers. pattern = "7000..7500" # Exact same thing, but expressed as a Perl range. pattern = "7000 - 7500" # Not allowed. pattern = "7000 .. 7500" # Not allowed. If we allowed spaces around the range punctuation, then a pattern like " We considered adding support for well-known port names in the pattern, such as the ports listed in tcp://127.0.0.1/32 udp://127.0.0.1/32 tcp:127.0.0.1/32 udp:127.0.0.1/32 tcp://[fe80::1]/128 udp://[fe80::1]/128 tcp:[fe80::1]/128 udp:[fe80::1]/128 tcp://www.example.com Using a prefix like that would allow us not to split the | |
type = open_named_socket | Some processes listen on a port not by opening an anonymous socket, but by opening a socket which is named by some path which is visible in the filesystem. For instance, The sensor As noted earlier, the list of candidate socket paths is drawn from /run/lvm/lvmpolld.socket /run/systemd/private /tmp/.esd-1059/socket @/tmp/.ICE-unix/1896 @/tmp/.X11-unix/X0 @ISCSID_UIP_ABSTRACT_NAMESPACE private/rewrite public/cleanup Not having a sensor resource to nail down particular filepaths also means that your Sockets named in the filesystem (that is, the When this sensor type becomes available on Windows, named socket paths will ordinarily include backslashes, making it complicated to construct corresponding sensor patterns. So to avoid the ugliness of needing to double each backslash in a pattern match and then double it again to escape backslash interpretation as the instructions file is read, we support using forward slashes in sensor patterns for such paths even on the Windows platform: pattern = "C:/foo/bar" As with path matching for patterns in similar sensors, on the Windows platform the forward slashes in your pattern will match backslashes in the actual filepath, and any matched backslashes will be returned as such in strings captured as part of your sensor |
Auto Discovery Trigger File Format
We want to make the content of the trigger file flexible to a degree, both to allow for a few possible commands that we have in mind for the first implementation, and to allow the same file format to continue to be used as the software evolves. The data should be very simple and self-describing. Since this is intended to be just a transient trigger file, we do not currently imagine passing complex instructions in this file (such as "hey, the discovery-instructions file has rules for matching almost anything in the world, but really, for you, just pay attention to these particular areas"). As such, we do not see the need to include a format-version number in this file. Any directives which are not understood by a reader of this file are flagged as such so the failure to process them is documented, and they are logged and otherwise ignored.
Catalog of Possible Auto Setup Trigger Directives
Currently, there are only a few directives supported in the trigger file. GroundWork will provide options to set these directives on the autosetup
command that creates trigger files.
Directive | Description | |
---|---|---|
if_duplicate | Specify how the discovery results are to be handled if they simply duplicate what happened in the last round of similar-type (dry-run or live-action) discovery. (Dry-run means any value of
The most common setting for if_duplicate = "optimize" | |
soft_error_reporting | Specify how errors will be handled if
The most common setting for soft_error_reporting = "ignore" | |
change_policy | Optionally, specify a change policy specific to just the pass of discovery run by this trigger, temporarily overriding the The most common setting for change_policy = "non_destructive" | |
last_step | Specify how far to proceed with processing the auto-discovery instructions. Possible values are:
The For As a practical matter, if you're going to do a dry run for most diagnostic purposes, you may as well set The most common settings for # Use this for a full dry run. last_step = "test_configuration" # Use this for a full production run. last_step = "do_configuration" |
Server-side Configuration Options
The config/register_agent_by_discovery.conf
file on the GroundWork server contains a number of directives that control the handling of auto-discovery results. We list them only briefly here. See the config file for more information.
enable_processing = yes debug_level = 1 max_logfile_size = 10000000 max_logfiles_to_retain = 5 instructions_directory = "/usr/local/groundwork/apache2/htdocs/gdma_instructions" trigger_directory = "/usr/local/groundwork/apache2/htdocs/gdma_trigger" results_directory = "/usr/local/groundwork/gdma/discovered" max_input_size = 1000000 default_change_policy = "non_destructive" hostname_qualification = "full" <hardcoded_hostnames> default_host_profile = "gdma-{HOST_OS}-host" default_hostgroup = "Auto-Registration" assign_hostgroups_to_existing_hostgroup_hosts = false default_monarch_group = "auto-registration" assign_monarch_groups_to_existing_group_hosts = false customer_network_package = "AutoRegistration" compare_to_foundation_hosts = false match_case_insensitive_foundation_hosts = false force_hostname_case = "lower" force_domainname_case = "lower" use_hostname_as_key = false use_mac_as_key = false host_address_selection = "0.0.0.0/0 ::/0" rest_api_requestor = "agent auto-setup" ws_client_config_file = "/usr/local/groundwork/config/ws_client.properties" GW_RAPID_log_level = "WARN" log4perl_config = ...
Related Resources
-
Page:
-
Page:
-
Page:
-
Page:
-
Page:
-
Page:
-
Page:
-
Page:
-
Page:
-
Page: