0 Replies Latest reply on Jul 24, 2018 9:53 AM by m00st

    Process not found on an application created via Real-Time Process Explorer

    m00st

      As a new user to Orion, I am slowly but surely trying to implement Orion in our (industrial control) environment. When I want to monitor a particular process, I can't seem to get it to work as I would expect it to. Maybe I am doing something wrong, but this is the process I've tried a few times now:

       

      We have a number of machines added and monitoring using WMI credentials. These credentials have been hardened (e.g. no remote desktop and/or write permissions). Using these credentials I can start the Real-Time Process Explorer and select the application/process I want to monitor:

      [Screenshot: Orion real time process monitor]

      Selecting the Start Monitoring option I create a component monitor:

      [Screenshot: Orion component monitor creation]

      and subsequently an application monitor:

      [Screenshot: Orion application monitor creation]

      The application monitor gets created successfully, but after its initial poll, the application monitor will go into a Down state. I've kept one of these monitors running for a week and the best I got is a warning going into Unknown state and then again a Down state. In the above setup, this is the result I get (stating the process was not found) with the Real-Time Process Explorer alongside showing the same process running multiple times, including the original PID (4620) I selected:

       

      [Screenshot: Orion process monitor process not found with process shown in process explorer]

      I've erased the hostname from the screenshots, but all actions were performed on the same hosts. What am I doing wrong here? I was looking into the direction of the credentials, but these point to the inherited credentials as per default:

      [Screenshot: Orion component monitor credentials]

       

      Some additional info:

      • When I switch to RPC polling, I get the following error: Network connection failed. HResult: The specified object is not found on the system. Error: Unable to connect to the specified computer, or the computer is offline.
      • We are not using DNS. For this particular host, the hostname was either resolved through WMI or I have changed it manually.
      • Hosts (including Orion) are in a restricted network environment with no access to Internet.

       

      Hopefully someone can point me in the right direction.

       

      Small update: when switching back to WMI, I get the following (more descriptive) error for the component monitor: Server unavailable using WMI. Unable to connect to "10.11.13.37" for WMI access. Unable to connect to server "10.11.13.37" as user "mon_admin". (I changed the IP address for anonymity)

       

      The real-time process explorer however still works fine with the same inherited credentials.