10 Replies Latest reply on Apr 11, 2019 11:54 AM by Andrew Waters

    Discovery results monitoring

    Alvaro Paronuzzi
      Hi everyone,

      I have a requirement of monitoring the result of the discovery runs from an external source.

       

      Example:

      Option 1) Rest/API call to BMC Discovery in order to get all the NoAccess results of the discovery runs (at least returning the ip address and the host name)

      Option 2) Splunk accessing a BMC Discovery log file (if any) containing the NoAccess results of the discovery runs (at least returning the ip address and the host name)

       

      How would you suggest approaching this request? Does Discovery allow these results to be "queried" from an external source/tool?

       

      Thank you in advance for any help you can provide.

       

      Kind Regards,

      Alvaro Paronuzzi

        • 1. Re: Discovery results monitoring
          Andrew Waters

          Isn't using the REST API querying the results from an external source?

          • 2. Re: Discovery results monitoring
            Alvaro Paronuzzi

            Hi Andrew,

            thank you for your response.

            Could you please point me to some useful documentation?

            I think I should provide a query/call that the customer can execute from the external tool to get those details from Discovery.

             

            Thank you in advance for your help.

            Alvaro

            • 3. Re: Discovery results monitoring
              Andrew Waters

              How about intro, endpoints, examples.

              2 of 2 people found this helpful
              • 4. Re: Discovery results monitoring
                Alvaro Paronuzzi

                Hi Andrew,

                Thank you. This one seems to contain what I'm looking for:

                 

                My question here is: how do I restrict the query in order to get only the hosts for which the discovery run ended with NoAccess?

                 

                It may be something related to this one:

                 

                results: string*

                     URI to the summarized information of the discovery run

                 

                but I don't have an example of how to do it.

                 

                Thank you in advance for your help.

                Al

                • 5. Re: Discovery results monitoring
                  Danny Fleer

                  You could use a search query to get DiscoveryAccess which have the end state "NoAccess":

                   

                  • search DiscoveryAccess where _last_marker and end_state = 'NoAccess'

                   

                  Maybe you need to add some more conditions to get only DiscoveryAccess of the last day/week or if you want to order the result.

                  In this case the REST API endpoint would be /data/search.

                  2 of 2 people found this helpful
                  • 6. Re: Discovery results monitoring
                    Alvaro Paronuzzi

                    Hi Danny,

                    Thank you for your help!

                     

                    What does "_last_marker" represent?

                    How can I add that time restriction?

                    In the documentation I could find the endpoint you mentioned:

                     

                    but I don't know how to use it so a little more help is needed here...

                    Would it be possible for you to share an example of how to use this REST API endpoint please?

                     

                    Thanks!

                    Al

                    • 7. Re: Discovery results monitoring
                      Alvaro Paronuzzi

                      It seems an example of the use of this REST API endpoint can be found here:

                       

                      REST API example code - BMC Discovery 11.2 - BMC Documentation

                       

                      I will try to merge the information collected so far and see if I am missing something.

                       

                      Thanks,

                      Al

                      • 8. Re: Discovery results monitoring
                        Alvaro Paronuzzi

                        Starting from the example, I would write something like this.

                        Any feedback is highly appreciated!

                         

                         

                        const BASE_PATH = 'https://discovery.zzz/api/v1.1';  // UPDATED aparonuzzi
                        const TOKEN = 'your_token';  // UPDATE ME (?)

                        const QUERY = `SEARCH DiscoveryAccess where end_state has subword 'NoAccess'
                                       SHOW name, join(#InferredElement:Inference:Associate:DiscoveryAccess.endpoint, ',') as "IP Address"`;

                        // Set up some defaults for every call to the API
                        var request = require('request').defaults({auth: {'bearer': TOKEN},
                                                                   json: true,
                                                                   agentOptions: {
                                                                       // Verify the appliance's TLS certificate: every call carries
                                                                       // the bearer token. For a privately signed certificate, pass
                                                                       // its CA in agentOptions.ca instead of turning this off.
                                                                       rejectUnauthorized: true
                                                                   }});

                        // Helper functions
                        function fail(message) {
                            console.error(`ERROR: ${message}`);
                            process.exit(1);
                        }

                        // GET a URI and hand the parsed JSON body to the callback on HTTP 200;
                        // any transport error or other status ends the script.
                        function get(options, callback) {
                            request.get(options, function (error, response, body) {
                                if (error) {
                                    fail(error);
                                }

                                if (response.statusCode === 200) {
                                    callback(body);
                                }
                                else {
                                    let msg = `Request to ${options.uri} failed with status ${response.statusCode}`;
                                    if (body && body.message) {
                                        msg = `${body.message} (${msg})`;
                                    }
                                    else if (response.statusMessage) {
                                        msg = `${response.statusMessage} (${msg})`;
                                    }
                                    fail(msg);
                                }
                            });
                        }

                        // Print one page of rows, one line per row, with the JSON array brackets stripped
                        function print_csv(results_page) {
                            // https://stackoverflow.com/a/29976603
                            let csv_lines = results_page.map(function(results_row) {
                               return JSON.stringify(results_row);
                            })
                            .join('\n')
                            .replace(/(^\[)|(\]$)/mg, '');

                            console.log(csv_lines);
                        }

                        // Application code

                        function success_callback(write_headings, body) {
                            // We searched for one node kind so expecting one result set back
                            const results_page = body[0];

                            // Output headings just once
                            if (results_page.headings.length && write_headings) {
                                console.log('"' + results_page.headings.join('","') + '"');
                            }

                            // Write out this page
                            print_csv(results_page.results);

                            // Are there more pages?
                            if (results_page.next) {
                                get({uri: results_page.next}, success_callback.bind(this, false));
                            }
                        }

                        // Run the query, getting back first page of results.
                        // Our callback will keep asking for the next page.
                        get( {uri: `${BASE_PATH}/data/search`,
                              qs: {query: QUERY}}, success_callback.bind(this, true));

                         

                         

                         

                        Thanks,

                        Al
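
An added example, not part of the thread or of BMC's sample code: three helpers that could slot into the script in reply 8, giving real CSV quoting, rows keyed by heading for an external tool, and a check that the `next` link stays on the API origin before the bearer token is sent to it. The response shape (`headings`, `results`, `next`) is assumed from what that script reads; the sample body, the `page` query parameter and the helper names are constructed.

```javascript
// Constructed sample of one /data/search response body, in the shape the
// script above reads (an array of result sets with headings, results, next).
const SAMPLE_BODY = [{
    headings: ['name', 'IP Address'],
    results: [
        ['host-a.example.test', '192.0.2.10'],
        ['lab "old" box, rack 3', '192.0.2.11,192.0.2.12'],
    ],
    next: 'https://discovery.zzz/api/v1.1/data/search?page=CONSTRUCTED',
}];

// Quote one field the CSV way: wrap in quotes and double any embedded quote.
// JSON.stringify would emit \" instead, which CSV readers do not understand.
function csvField(value) {
    const text = value === null || value === undefined ? '' : String(value);
    return '"' + text.replace(/"/g, '""') + '"';
}

function csvLine(values) {
    return values.map(csvField).join(',');
}

// Turn a result set into one object per row, keyed by heading, so an external
// tool receives named fields instead of positional arrays.
function pageToRecords(page) {
    return page.results.map(function (row, i) {
        if (row.length !== page.headings.length) {
            throw new Error(`row ${i} has ${row.length} fields, expected ${page.headings.length}`);
        }
        const record = {};
        page.headings.forEach(function (heading, col) { record[heading] = row[col]; });
        return record;
    });
}

// Return the next-page URI only if it stays on the API origin. The request
// defaults attach the bearer token to every call, so a "next" value naming
// another host would send the token there.
function safeNext(page, basePath) {
    if (!page.next) { return null; }
    const next = new URL(page.next);
    if (next.origin !== new URL(basePath).origin) {
        throw new Error(`refusing to follow next link to ${next.origin}`);
    }
    return next.href;
}

// Print the constructed rows as CSV.
SAMPLE_BODY[0].results.forEach(function (row) { console.log(csvLine(row)); });
```

In `success_callback`, `safeNext(results_page, BASE_PATH)` would replace the bare `results_page.next` test, and `csvLine` would replace the `JSON.stringify` step in `print_csv`.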

                        • 9. Re: Discovery results monitoring
                          Danny Fleer

                          You will find interactive documentation of the REST API by browsing to <discovery_fqdn>/swagger-ui

                          Swagger allows you to create and test the request body of the POST request.

                           

                          2 of 2 people found this helpful
                          • 10. Re: Discovery results monitoring
                            Andrew Waters

                            _last_marker is the latest DiscoveryAccess for a particular endpoint.

                             

                            It really comes down to what you want to see. For example if you search for a particular scan, you can base the query on just finding the appropriate DiscoveryRun.

                             

                            If you want recent DiscoveryAccess you can look at starttime which is when the scan of the endpoint started.

                            2 of 2 people found this helpful