krimi03

UIM Device correlation (with docker monitor and NAT in place)

Discussion created by krimi03 Employee on Mar 15, 2018
Latest reply on Apr 12, 2018 by krimi03

Dear community,

 

I'm experiencing the following challenge with one of our customers:

 

1) devices monitored with docker_monitor probe are setup with non-unique IP addresses (INSIDE), which are later NATted (Network Address Translation) to a unique IP address (OUTSIDE). The robot is configured with the robotip_alias attribute to state the unique OUTSIDE IP address (this wokrs correctly). The problem is the IP address reported by the docker_monitor probe is the INSIDE one and it results in multiple devices being over-correlated into one master device

 

2) additional problem caused by the above - from time to time the device (server) is reinstalled and gets setup with a different MAC and IP address (INSIDE), while the OUTSIDE IP address stays the same. The correlation is confused again and does not correlate the old and new device, because of a mismatch in MAC and IP (OUTSIDE).

 

i've done some extensive troubleshooting and research and I have the following idea how this could be resolved:

 

1) include either docker.HostName or label device attributes coming from the docker_probe into correlation names

2) exclude docker.PrimaryIPV4Address from source IPAddresses property

3) achieve a correlation using either the name_origin or origin_IP correlation rule

 

Somehow I'm struggling to set this up correctly (I'm testing this using the dry_run_... probe command with a test cfg file as recommended in the device discovery troubleshooting guide), thus I'm on the search for an UIM device correlation expert, who would be willing to help me. CA Support case associated with this issue: 00985900

 

There is an ongoing project to onboard 4000 servers and 2000+ databases in UIM monitoring by the end of March, where this issue causes a huge blocker.

 

Kindly requesting help with this situation.

 

Kind regards

 

Michael

Outcomes