Cylance Offline Mode

We are looking to try to utilize LM and monitor whether Cylance is running in offline mode on a Windows server. Our SOC was able to determine that if it switches to offline mode (which can happen without the NIC going down), it adds a registry entry:

Computer\HKEY_LOCAL_MACHINE\SOFTWARE\Cylance\Desktop\VenueStatus

Ideally we’d like to monitor for IF that registry item exists and when it does see it, it would send us an alert. I’m assuming this could be done through some PS scripting. But I’m not sure how to have that data interpreted into a usable data or event source in LM. Would appreciate any help you guys can offer here!

Re: Cylance Offline Mode Monitoring

I’m now realizing this is probably the wrong topic section for this question. Sorry! I’ll re-post in Product Discussion.

Cylance Offline Mode Monitoring

We are looking to try to utilize LM and monitor whether Cylance is running in offline mode on a Windows server. Our SOC was able to determine that if it switches to offline mode (which can happen without the NIC going down), it adds a registry entry:

Computer\HKEY_LOCAL_MACHINE\SOFTWARE\Cylance\Desktop\VenueStatus

Ideally we’d like to monitor for IF that registry item exists and when it does see it, it would send us an alert. I’m assuming this could be done through some PS scripting. But I’m not sure how to have that data interpreted into a usable data or event source in LM. Would appreciate any help you guys can offer here.

Re: Checkpoint IPsec Tunnel Monitoring.

Just wanted to toss a note in here saying I stumbled upon this by accident but was actually something we were actively looking into how to monitor this on CheckPoints. So, thanks for opening the original thread, @Nishil Vachhani. Secondly, I was able to build a datasource to monitor a specific tunnel. It’s a bit tedious if you have to repeat that for multiple tunnels at a site. But for anyone looking to just monitor a few, it’s definitely doable using the OID info in the CheckPoint article linked in the comments above. It’s not the cleanest thing ever and it’s definitely something I hope LM builds into their standard CheckPoint datasources and tidies up a bit. But for now, this seems to get the job done.

Re: Monitor version of Java

I tried posting yesterday and it’s apparently still being reviewed by the moderators or something. I think the issue was I tried to post the PS script I was using. But long story short, I still can’t get it to output any data of use. It’s not giving me an error anymore so I THINK it’s running on the remote host now instead of the local but I also don’t know how to know that for sure. Without posting the script, do you know what command I should be using to essentially output the data and then have it add it to the property source?

PS I should have mentioned I’m not a PS guru by any means so I really appreciate any and all help here!

Re: Monitor version of Java

So, spent most of the day on this and am admittedly not a PowerShell guru by any means. Unfortunately, I just cannot figure out how to get it to translate the output into anything meaningful. I don’t get the failure notices that I was getting before which makes me think it’s actually using remote PS but I also don’t know how to actually check that. I just want some verification that it’s actually seeing the response to (Get-Command java | Select-Object -ExpandProperty Version).toString(). Because the servers that I have Java installed on, I can run that command and get a response of what version number it is. But I can’t get LM to interpret that data. I’m guessing I’m missing some type of “write/output” command but I find a lot of documentation about that online and am not sure how to use that again, in a way that LM knows how to use it.
Script “borrowed” and modified from @Stuart Weenig:

```powershell
# Clears the CLI of any text
Clear-Host
# Clears memory of all previous variables
Remove-Variable * -ErrorAction SilentlyContinue
#------------------------------------------------------------------------------------------------------------
# Initialize Variables
$wmi_pass = '##WMI.PASS##'
$wmi_user = '##WMI.USER##'
$hostname = '##SYSTEM.SYSNAME##'
$collectorName = hostname
# Insert additional variables here

# If the hostname is an IP address query DNS for the FQDN
if ($hostname -match "\b\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}\b") {
    $hostname = [System.Net.Dns]::GetHostbyAddress($hostname).HostName
}

## This script block should contain all code that you want to execute remotely on the target host.
$scriptBlock = {
    (Get-Command java | Select-Object -ExpandProperty Version).toString()
}
#------------------------------------------------------------------------------------------------------------
try {
    #-----Determine the type of query to make-----
    # check to see if this is monitoring the localhost collector, as we will not need to authenticate.
    if ($hostname -like $collectorName) {
        $response = Invoke-Command -ScriptBlock $scriptBlock
    }
    # are wmi user/pass set -- e.g. are these device props either not substituted or blank
    elseif (([string]::IsNullOrWhiteSpace($wmi_user) -and [string]::IsNullOrWhiteSpace($wmi_pass)) -or (($wmi_user -like '*WMI.USER*') -and ($wmi_pass -like '*WMI.PASS*'))) {
        # no
        $response = Invoke-Command -ComputerName $hostname -ScriptBlock $scriptBlock
    }
    else {
        # yes. convert user/password into a credential string
        $remote_pass = ConvertTo-SecureString -String $wmi_pass -AsPlainText -Force;
        $remote_credential = New-Object -typename System.Management.Automation.PSCredential -argumentlist $wmi_user, $remote_pass;
        $response = Invoke-Command -ComputerName $hostname -Credential $remote_credential -ScriptBlock $scriptBlock
    }
    exit 0
}
catch {
    # exit code of non 0 will mean the script failed and not overwrite the instances that have already been found
    throw $Error[0].Exception
    exit 1
}
```

Re: Monitor version of Java

Thanks for the replies, @mnagel and @Michael Raymond. Fwiw, the support tech did spend awhile with me on this despite me essentially trying to spin up a new property/data source, which I know they like to remind us is always best help and out of scope. But by the end of it, the suggestion was to come back to this post and the community to try to troubleshoot more. That being said, I will have to try some of your guys’ suggestions today and see if I can tweak this. Hoping it ends up working and will be helpful for others so I can post it to the community exchange. Again, thanks for your help and I’ll probably be back with more questions later. :)

Re: Monitor version of Java

I’m trying to use this in a slightly different way, though I think it will still work if I can make it work. Essentially just looking to find out which servers actually have Java installed if they return with a version response from the cmdlet.

If you set that up in a PropertySource, then you could write a datasource against that property with a datapoint that checks the version string against your required value.

@mnagel When you mention setting that up in a PropertySource, do you input some other commands to get the right hostname of the remote device?
I worked extensively with LM support on this earlier today and they confirmed with me that running the command and using AppliesTo doesn’t suffice because it just runs the Java cmdlet on the host the collector is running on instead of the remote device. So how do you suggest getting it to run on the actual remote devices instead? I’d appreciate any help you can offer on this.

Re: Auto Restart Windows Service and alert if it fails

So the instructions on the GitHub link and blog are a little unclear. I was able to test it with a few different services and it worked for me. However, the instructions make it sound like you should use the shortened “Service name” for the wildcard value. Instead, when I used the “Display name” as the wildcard value, it worked as expected. It takes a few polls but you can also do a manual poll anytime and it should reset it that way too which is kind of nice because it’s like a button you can press without having to login to the actual server. Not saying it will work for everything but it did work for the few I tried after I made those adjustments.

Re: Auto Restart Windows Service and alert if it fails

For those struggling to find it like me, I was able to locate it by just filtering Datasources and using the word “restart.” Its locator is also MK7HKE.
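
An added example for the Cylance offline-mode question earlier on this page (not code from any of the posts or from LogicMonitor): a PowerShell check that runs on the monitored server and reports whether the VenueStatus registry entry exists. The datapoint names and the key=value output format are assumptions, as is remoting under the collector's own account.

```powershell
# Added example (not the poster's script). Datapoint names are assumptions.
$hostname = '##SYSTEM.SYSNAME##'   # LogicMonitor token, as used in the Java script on this page

# Runs on the monitored server and reports the state of the Cylance registry entry.
$scriptBlock = {
    $parent   = 'HKLM:\SOFTWARE\Cylance\Desktop'
    $name     = 'VenueStatus'
    $agentKey = Test-Path -Path $parent
    # The post does not say whether VenueStatus is a subkey or a value, so test both.
    $asKey   = Test-Path -Path (Join-Path $parent $name)
    $asValue = $false
    if ($agentKey) {
        $asValue = (Get-Item -Path $parent).GetValueNames() -contains $name
    }
    [pscustomobject]@{
        AgentKeyPresent = $agentKey
        Offline         = ($asKey -or $asValue)
    }
}

try {
    if ($hostname -like (hostname)) {
        # Collector monitoring itself: no remoting needed.
        $result = & $scriptBlock
    }
    else {
        # Runs as the collector service account (assumption). -ErrorAction Stop makes
        # an unreachable host fail the poll instead of silently reporting "online".
        $result = Invoke-Command -ComputerName $hostname -ScriptBlock $scriptBlock -ErrorAction Stop
    }

    # Assumed output format: one key=value pair per line on standard output.
    Write-Host "CylanceAgentKeyPresent=$([int]$result.AgentKeyPresent)"
    Write-Host "CylanceOffline=$([int]$result.Offline)"
    exit 0
}
catch {
    # No datapoints are written on failure, so a failed poll cannot be
    # mistaken for a healthy agent.
    Write-Host "check failed: $($_.Exception.Message)"
    exit 1
}
```

An alert on CylanceOffline equal to 1 gives the notification the post asks for, and CylanceAgentKeyPresent equal to 0 separates "agent not installed" from "agent online". The Java version script on this page stores its result in $response and never writes it, so the same Write-Host step is the missing piece there.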