41 minutes ago, Caleb said:
Has anyone built a way to scan for duplicate IP's in your network through a datasource (or netscan if possible) to pull into LogicMonitor? Was looking at other tools online like nmap, angryip, and netscantools but would rather keep it all in one area if I can make it a datasource and more graphical for the operations team.
Scan tools like that are not the way to detect duplicate IPs since they tell you nothing about the MAC address bound to the IP. Generally duplicate IP detection requires monitoring ARP traffic on each LAN, which can sometimes be proxied by monitoring the ARP table on L3 gateway devices (if the device supports it and if doesn't cache ARP entries forever).
The tool we've typically used for this is arpwatch, where you will see duplicate IPs generate repeated flip-flops of MAC/IP bindings. Because arpwatch requires a distinct instance for each interface, we have found addrwatch to be more effective for environments with multiple VLANs to monitor as it supports 802.1q tags on a VLAN trunk interface (though addrwatch is not commonly found in Linux distros). Your addrwatch system would need to have a leg into each L2 island (or multiple addrwatch systems would need to be stood up).
The trick with either of these would be to get the results into LogicMonitor in a meaningful manner. I would probably lean toward addrwatch, which supports various output methods including MySQL. The results database could then be leveraged to build a datasource identifying duplicate addresses as instances. You could also go with an eventsource, but I try to avoid them since they are difficult to deal with and extremely confusing to end users.