2 Replies Latest reply on Aug 26, 2016 10:06 AM by sparda963

    Scan for new node running for hours


      Hi there,


      Thanks for reading.  I'm seeing a node discovery is running for a few hours now.  It appears to be active but my network just isn't that big!  I'm checking the CLI to see if messages from node are coming in (over UDP 514) but I'm not seeing them there either.  Where'd I get out in the weeds?





        • Re: Scan for new node running for hours

          Fixing the immediate problem:  SSH into the LEM and issue a Reboot.


          Okay, I'm going to put this here for all time (or until we change this):


          Friends don't let friends "Scan for New Nodes"!


          I'm going to assume for a moment that we're friends for the sake of this discussion.


          LEM gets data one of two ways:

          • You send it syslog from your network stuff
          • You send it Agent data from the LEM Agents


          In both cases, LEM is a passive collector.  It sits there and waits for data to show up.  The "Scan for Nodes" button makes it seem like LEM is doing some sort of discovery, scanning your network for devices, and finding all the syslog sources.


          This is a load of hooey.


          Agents will, if they're configured right during install, phone home and show up in LEM automatically.


          Never use "Scan for New Nodes" to make Agents show up


          If an Agent isn't showing up, something is wrong with the Agent.  Maybe it's misconfigured, maybe there's something blocking the traffic, but no matter what the issue is, the "Scan for New Nodes" button will never, ever, ever fix the problem with Agents.


          So, what does "Scan For New Nodes" actually do?


          For it to do anything, you must have configured some device to send its syslog to LEM.  That data needs to be visible when you SSH in and run the CHECKLOGS command in the syslog local facilities.  If they're empty, "Scan for New Nodes" accomplishes nothing.  "Scan for New Nodes" will not go out to your firewalls and routers and set them up to send syslog to LEM, or discover those devices via SNMP or some other magic.  It just looks at what LEM already has in the syslog files.


          What if data is there?


          "Scan for New Nodes" looks at the data it has collected in those syslog facilities, and looks at our connector library.  It then tries to see which connectors (if any) seem to match the log data.  Then it turns all those connectors on.  What if multiple connectors might match the log data?  LEM turns all of them on.  Doesn't this mean the same log line might be getting read by 2 or more connectors, duplicated, and inserted in the database more than once?  You betcha!  Does this mean that you may see unmatched and bad data because (for example) the Cisco CatOS connector can read some of (but not all) of the Cisco IOS logs from your ASA, and it freaks out?  You betcha!


          There's just not that many ways to logically format 1024 bytes of text in a log line, and as the library has grown, the number of potential matches increases.  Running a scan will almost always require you to go back into LEM and remove connectors that aren't valid ("Wait, I don't own any FreeBSD, F5, Mikrotik or NX-OS devices!") or you can just manually set up the one connector that would have matched the firewall in the first place.  It's fewer clicks.


          So, as a friend, allow me to reiterate:


          Don't click "Scan for New Nodes"!

          2 of 2 people found this helpful
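The duplicate-ingestion and "partial match" behaviour the reply describes is easy to see in miniature. The following is an added illustration, not code from the thread or from SolarWinds LEM: it models a tiny connector library in which each connector has a loose header pattern (what an auto-scan uses to decide a connector "seems to match") and a stricter field pattern (what the connector needs to actually parse the event). The connector names, regexes and syslog lines are all constructed for the example; real LEM connector definitions are not on the page and are not reproduced here.

```python
import re
from dataclasses import dataclass

# Hypothetical connector definitions (constructed for this example; not LEM's real library).
# "header" is the loose check an auto-scan would use; "fields" is what the connector
# needs to turn a line into structured fields.
@dataclass(frozen=True)
class Connector:
    name: str
    header: re.Pattern
    fields: re.Pattern

LIBRARY = [
    Connector(
        "Cisco ASA",
        re.compile(r"%ASA-\d-\d{6}:"),
        re.compile(r"%ASA-(?P<sev>\d)-(?P<id>\d{6}): (?P<msg>.+)$"),
    ),
    # Overlapping connector: its header check accepts any "%FACILITY-n-MNEMONIC:" style tag,
    # so it also fires on ASA lines, but its field pattern expects an alphabetic mnemonic
    # and cannot parse the ASA numeric message ids. This is the "reads some but not all" case.
    Connector(
        "Cisco IOS",
        re.compile(r"%[A-Z]+-\d-[A-Z0-9_]+:"),
        re.compile(r"%(?P<fac>[A-Z]+)-(?P<sev>\d)-(?P<mnem>[A-Z_]+): (?P<msg>.+)$"),
    ),
    Connector(
        "Generic Linux",
        re.compile(r"\bsshd\["),
        re.compile(r"sshd\[(?P<pid>\d+)\]: (?P<msg>.+)$"),
    ),
]

# Constructed sample of what the local syslog facilities might hold (documentation IPs).
SYSLOG_LINES = [
    "<166>Aug 26 10:06:01 fw01 %ASA-6-302013: Built outbound TCP connection 12345 for outside:203.0.113.10/443",
    "<166>Aug 26 10:06:02 fw01 %ASA-6-302014: Teardown TCP connection 12345 for outside:203.0.113.10/443",
    "<38>Aug 26 10:06:03 host1 sshd[2211]: Accepted publickey for ops from 192.0.2.7 port 50212",
]


def scan_for_new_nodes(lines, library=LIBRARY):
    """Model of the button: enable every connector whose header matches any collected line."""
    return [c for c in library if any(c.header.search(line) for line in lines)]


def manual_setup(names, library=LIBRARY):
    """Model of configuring only the connectors you know you need."""
    return [c for c in library if c.name in names]


def ingest(lines, enabled):
    """Feed each line to every enabled connector; each header hit becomes one stored event.
    A hit whose field pattern fails is stored with fields=None (the 'unmatched/bad data' case)."""
    events = []
    for line in lines:
        for c in enabled:
            if c.header.search(line):
                m = c.fields.search(line)
                events.append((c.name, m.groupdict() if m else None))
    return events


def summarize(events):
    """Count stored events and how many of them the connector could not actually parse."""
    return {
        "stored": len(events),
        "unparsed": sum(1 for _, fields in events if fields is None),
    }


if __name__ == "__main__":
    auto = scan_for_new_nodes(SYSLOG_LINES)
    print("scan enabled:", [c.name for c in auto])
    print("after scan:  ", summarize(ingest(SYSLOG_LINES, auto)))
    manual = manual_setup(["Cisco ASA", "Generic Linux"])
    print("after manual:", summarize(ingest(SYSLOG_LINES, manual)))
```

With the three constructed lines, the scan enables all three connectors; the two ASA lines are then stored twice each (once parsed by the ASA connector, once as unparseable "IOS" events), giving five stored events of which two are junk. Enabling only the two connectors that actually belong to the sources yields three clean events, one per line, which is the point of the reply's advice to set up the one connector you need by hand.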