Forum Discussion

Cole_McDonald
Professor
9 months ago

Finding the culprit for TCP_StatsCollector ConnectionsEstablished alert for Windows collectors

From the collector’s device page in the LM Portal or the collectors page, get to a debug console, then here’s your !POSH one-liner to get info about the destination device that is holding your ports captive.

netstat -an | sls establish | foreach { ($_ -split "\s+")[3] } | group | sort count | select count, name -last 10

In netstat, -a shows all connections, and -n shows IP addresses rather than resolving the DNS for them.

The Select-String (aliased as sls) passes only the “Established” connection entries from the netstat down the pipeline.

The foreach{} splits each line ($_ is the current object being iterated by the foreach loop) on contiguous whitespace (I use this a lot!) and takes the third element (remote address:port) to pass down the pipeline.

It then passes to Group-Object (aliased as group), which bundles identical strings, and Sort-Object (aliased as sort), which sorts by the count property of the group object.

The select grabs the calculated match count and the name properties to limit the display and just shows the -last 10 of them (which are the biggest number of matched lines due to the sort previously applied).

This should give you the target/s for troubleshooting further.
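As an added example (not part of the original post or of LogicMonitor’s own tooling), the same idea expanded into a reusable function: it parses `netstat -ano` output into objects, keeps only ESTABLISHED TCP rows, groups them by remote endpoint, and carries the owning PID along so the process holding the ports can be named. The function names, the sample netstat text, and the IP addresses are all constructed for the example.

```powershell
# Added example, not the original post's one-liner. Function names are hypothetical.

function ConvertFrom-NetstatLine {
    param([Parameter(ValueFromPipeline)][string]$Line)
    process {
        # Trim first so the whitespace split does not produce an empty leading element
        $fields = $Line.Trim() -split '\s+'
        # Keep only TCP rows that carry a state and a PID column (netstat -ano)
        if ($fields.Count -ge 5 -and $fields[0] -eq 'TCP') {
            [pscustomobject]@{
                Protocol = $fields[0]
                Local    = $fields[1]
                Remote   = $fields[2]
                State    = $fields[3]
                PID      = [int]$fields[4]
            }
        }
    }
}

function Get-TopRemoteEndpoint {
    param(
        # Defaults to live data when run on the collector itself
        [string[]]$NetstatOutput = (netstat -ano),
        [int]$Top = 10
    )
    $NetstatOutput |
        ConvertFrom-NetstatLine |
        Where-Object State -eq 'ESTABLISHED' |
        Group-Object Remote |
        Sort-Object Count -Descending |
        Select-Object -First $Top |
        ForEach-Object {
            # Resolve the distinct PIDs behind each remote endpoint to process names
            $pids  = $_.Group.PID | Sort-Object -Unique
            $names = foreach ($p in $pids) {
                $proc = Get-Process -Id $p -ErrorAction SilentlyContinue
                if ($proc) { "$($proc.ProcessName)($p)" } else { "pid $p" }
            }
            [pscustomobject]@{
                Count  = $_.Count
                Remote = $_.Name
                Owners = $names -join ', '
            }
        }
}

# Constructed sample netstat -ano output so the function can be exercised offline
$sample = @'
  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       904
  TCP    10.0.0.5:49701         203.0.113.10:443       ESTABLISHED     4120
  TCP    10.0.0.5:49702         203.0.113.10:443       ESTABLISHED     4120
  TCP    10.0.0.5:49703         203.0.113.10:443       ESTABLISHED     4120
  TCP    10.0.0.5:49710         192.0.2.25:445         ESTABLISHED     4
  TCP    10.0.0.5:49711         192.0.2.25:445         TIME_WAIT       0
'@ -split "`r?`n"

# On the sample this lists 203.0.113.10:443 (3 connections) ahead of 192.0.2.25:445 (1)
Get-TopRemoteEndpoint -NetstatOutput $sample | Format-Table -AutoSize
```

Run it without -NetstatOutput on the collector to use live data. Like the one-liner’s `sls establish`, the State filter assumes English netstat output; a localized Windows build prints translated state names, so adjust the string there if the result is empty.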

  • Good stuff here @Cole McDonald, I’m sure many in the community will find this useful.

  •
    Anonymous

    Freaking awesome. Now if there were a way for LM to action this script when this particular alert happens and put a note on the alert.  hm….

  • … or, if we could pass a text block back through the DS, we could use that output to create ad hoc reports when data is collected that could be included in the alerts.

  • Freaking awesome. Now if there were a way for LM to action this script when this particular alert happens and put a note on the alert.  hm….

    escalation step <execute script> would take care of this :)

    It would allow so much extra power! Initial remediation automation. More complex integrations. API injection (which would fulfill your ask).

  •
    Anonymous

    Yep. Wonder why LM hasn’t done it. Oh, right, APM, Dexda, and UIv4 keeping them under water.