cancel
Showing results for 
Show  only  | Search instead for 
Did you mean: 

Colleting inventory information from vCenter

Hello everyone,

I am having a problem with setting up of a rule, that would collect information about VMs from a new vCenter (previous one was done by a consultant I believe).

I have a http address / ip address of vCenter and an account with access. I added the account to the beacon as well.

Next I setup targets. Included all above mentioned IP addresses and selected following options:

Connection options: Attempt connection only by IP address

Rest: Not specified.

For Actions I selected action type Discovery and Inventory and enabled VMware Infrastructure (both ticks) and enabled standard ports 80 and 443.

Yet, when I run this rule, job is finished in less than a minute without any results. No devices were discovered.

Am I missing something there?

 

Kind regards,

Jan

(1) Solution

Hi,

To find out if your subnet is assigned to a beacon, you need to know some subneting and how they are represented in FNMS.

You will see subnets like xxx.xxx.xxx.xxx/xx

Let say you have 192.168.0.1 this should be in the subnet 196.168.0.1/24 this will give you the following ip range 192.168.0.1-192.168.0.255

So if you see this in your assigned subnet to a beacon, and your ip is in this range then the vCenter is assigned to the right beacon.

You can use this http://www.subnet-calculator.com/ to help you out with the subneting

If you have question and it's to hard, you can take the shortcut and put your ip xxx.xxx.xxx.xxx/32, in this way you will assign only the ip for the vCennter on the beacon that is required.

At least I done this because of the sites that are so badly configured by the network team.

After you assigned the vCenter subnet to the correct beacon, the inventory should take place.

View solution in original post

(15) Replies
mfranz
By Level 17 Champion
Level 17 Champion

Hi Jan,

Can you please check the logs for the Inventory rule? By default they should be on the Beacon server runnning the task under

C:\ProgramData\Flexera Software\Compliance\Logging\InventoryRule\

You might have to sort the folder content by date to find the appropriate subfolder and logs. These logs usually contain useful indications of what actually happened.

Also, did you set up the Discovered Device with the "This device is a virtualization host or management server." option?

Best regards,

Markward

Hi Markward,
Actually no device was discovered with that IP address. Probably that's the cause of ny issue. But I am not sure why it's not being detected by the rule.

Hi Jan,

I do not rely on discovery results for such essential infrastructure. I create those entries from lists provided by customers.

Hi,

From the beacon server, try to access the vCenter with https://vCenter/mob

You should receive a screen with authentication, you can put there the user name and password that you have, this way you can check if the connection between beacon and vCenter and credential are working.

After that from beacon server try to ping the vCenter after ip/fqdn (in some network the ICMP protocol is closed, and ping is not possible, FNMS use ping to test the server, when you use discovery method)

You should also check if the password store from beacon is correctly configured.  

Type of the account configured in password store should be account on VmWare VirtualCenter

If this steps are ok, then is a problem of WebUI configuration and rule creation

And of course check the log files, they are in c:\programdata\Flexera Softare\Compliance\InventoryRule, order the folder after that, as there can be a lot of rules, every time you run a inventory, a new folder with log is created.

 

Can you confirm the subnet of the vCenter is assigned to a beacon?

In Discovery and Inventory =>Network=>Unassigned Subnets

Make sure the subnet the vCenter is on is not listed. If it is, you should be able to select it and assign it to a beacon.

Hi,

are you sure that there is no firewall?

Please check it with telnet or Test-NetConnection.

You can also use the Flexera tool: esxquery.exe to get the VM data and check the permission, e.g.

D:\tool>esxquery.exe -a

10.150.200.20: found VMware vCenter Server v6.5.0

10.150.200.20: inventory generated successfully

Then you should get a lot of files in the folder: D:\ProgramData\Flexera Software\Incoming\Inventories

The common causes of problems in this space have all been well covered by previous responses in this thread, but to summarize the 2 most common problems that I see leading to a failure to discover VMware vCenter or ESX on a target IP address are:

  1. Subnet of the target IP address has not been assigned to any beacon (this means FlexNet doesn't know which beacon should be used to probe the target IP address).
  2. A firewall is blocking the beacon connecting to port 443 on the vCenter (or ESX) server.

 

(Did my reply solve the question? Click "ACCEPT AS SOLUTION" to help others find answers faster. Liked something? Click "KUDO". Anything expressed here is my own view and not necessarily that of my employer, Flexera.)

Hello Everyone

Thank you all for the input, every advice was super helpful and I noticed few problems with the connection.
Here are some updates for those interested in development of this situation.

1) I was able to access to vCenter portal from beacon server.
2) Login to vCenter portal was also successful. I can see all the details of VMware
3) I pinged http address from the beacon, and this IP address I added to the rule.

(I suppose above points exclude an option that it is caused by Firewall?)

4) The account name was actually incorrect in the beacon application. I updated that.
5) Type of the account was correct - VMware VirtualCenter

6) As per your suggestions I checked subnets and we have a lot of unassigned subnets. About 10 times as many as assigned ones.
I will try to lookup subnet of this vCenter and see if it's there.

Thanks for all the support, I don't have technical background so it's much appreciated.

Kind regards,
Jan

Hi,

To find out if your subnet is assigned to a beacon, you need to know some subneting and how they are represented in FNMS.

You will see subnets like xxx.xxx.xxx.xxx/xx

Let say you have 192.168.0.1 this should be in the subnet 196.168.0.1/24 this will give you the following ip range 192.168.0.1-192.168.0.255

So if you see this in your assigned subnet to a beacon, and your ip is in this range then the vCenter is assigned to the right beacon.

You can use this http://www.subnet-calculator.com/ to help you out with the subneting

If you have question and it's to hard, you can take the shortcut and put your ip xxx.xxx.xxx.xxx/32, in this way you will assign only the ip for the vCennter on the beacon that is required.

At least I done this because of the sites that are so badly configured by the network team.

After you assigned the vCenter subnet to the correct beacon, the inventory should take place.

Hi everyone,

I think we did it. In system tasks I see following messages:

VMware virtual servers discovered: 1

Devices inventoried: 1

Which wasn't the case before, also I see some hosts from the vCenter portal in FNMSInventory.Computer table with inventory date of when I run the rule.

@adrian_ritz As you suggested I created subnet based on IP address. Later I might change it, but looks like it worked for now.

BTW one last question. I see some hosts in computer table as mentioned above, but not in webUI. Should they show up in all inventory?

Kind regards,

Jan

Hi,

I'm glad that it worked, you should see the data in the system I think after next reconcile with inventory import, I'm not sure.

A reason for a ComplianceComputer not showing up in the WebUI, can be that it has the ComplianceComputerStatus "Awaiting Inventory" (ID = 4).

It could be that the vCenter inventory returned VMs that are still missing a full inventory. Also a typical reason would be computer type assets without inventory. For these, FNMS creates ComplianceComputers with StatusID 4.

Hosts are not fully discovered by the vCenter inventory process. Information about which VM's and all the details of the VMware virtual environment are.

To get all the hardware data, you need to scan each host directly as a Linux device using ssh. Yes, all the information needed is available in vCenter but it is not pulled.

Yes, ssh is disabled if you are following either VMware best practices and Security best practices.  Be prepared to manually enter the missing details into the hosts.

Also note that if you are running the newer vCenter appliances, VMware has set end-of-life for the windows based vCenters, you will fail the device inventory but succeed on the VMware inventory.

Hope this helps

 

@JeffVoss Can you elaborate, how hosts are not fully discovered?

I can think of two ways to take your question,

It will create a host record missing a lot of the hardware information. Yes, I know it is all available in vCenter via PowerCLI, but Flexera support uses the API from the older versions. I do know I couldn't do the IBM compliance scan every 30 minutes with powershell, so they have a point in using the API the way they are. Since my company follows both VMware best practice and Security best practice of disabling of ssh on hosts so I am unable to scan the hosts for details. So I have to manually enter the data into the systems. I have to do it for sockets on a server anyway since that is not discoverable, so not a major issue and ESX hosts don't get added vary often.

Since newer vCenter is a hardened software appliance that you cannot set up for inventory, so the scan of the vCenter appliance will fail but the vCenter interrogation will work properly.