Azure Express Scan

Overview of AutoMonitor Azure Express Scan

Overview

AutoMonitor allows users to quickly and effortlessly discover and import hosts into their Opsview Cloud environment. The new wizard-based functionality simplifies and automates the scanning and configuration steps providing a fast and reliable way of maintaining continuous monitoring of your changing Enterprise landscape.

Azure Express Scan provides a configuration wizard to guide you through and quickly discover Microsoft Azure objects (Hosts) within a given Azure Subscription and automatically import them into Opsview Cloud.

Azure Express Scan


Virtual Machines discovered by the Azure Scan will be imported into the following Host Group structure:

  • Opsview > Automonitor > Azure Express Scan > {Subscription Name} > {Resource Group Name} > {Resource Name / HostName}

Health Availability Status for Azure Resource Groups will be imported into the following Host group Structure:

  • Opsview > Automonitor > Azure Express Scan > {Subscription Name} > Azure_RGs_Health_{Subscription Name} > Azure_RGs_Health_{Subscription Name}

The Scan will inspect discovered Hosts to allocate relevant Host Templates from the following list:

  • Cloud - Azure - Virtual Machines
  • Cloud - Azure - Linux VMs
  • Cloud - Azure - Windows VMs
  • Cloud - Azure - VM Backups
  • Cloud - Azure - Storage Accounts
  • Cloud - Azure - Health Availability Status
  • Cloud - Azure - Virtual Machines Scale Sets
  • Cloud - Azure - Virtual Machines Scale Sets VM

See more information about Host Templates within the Cloud - Azure Opspack

Pre-Requisites

In order to access the AutoMonitor Application and run an Azure Express Scan, the following permissions are required:

📘

Depending on your organisation structure, you may prefer to NOT give user permissions to CONFIGUREHOSTGROUPS and/or have access to the Opsview Host Group. In this case, you need to create the Host Group Structure in advance (Opsview > Automonitor > Azure Express Scan > {Subscription Name} ) and provide access only to the Subscription Name Host Group to the user(s) running an Azure AutoMonitor Scan.

Azure Credentials required:

  • Tenant ID / Directory ID
  • Subscription ID
  • App ID / Client ID
  • Secret Key

Information about Where to Find Azure Credentials can be found at the bottom of this page

Your Microsoft Azure App/Client needs to have the following Roles assigned:

  • Monitoring Contributor
  • Network Contributor
  • Storage Contributor
  • Backup Contributor

🚧

If your Microsoft Azure App DOES NOT have the right permissions, Azure Express Scan will fail

Running a Scan

The AutoMonitor Azure Express Scan feature is accessible from the Configuration > AutoMonitor menu. When you select this option, you will be presented with the following screen:


Select Azure to start with the AutoMonitor Azure Express configuration wizard

In the configuration wizard (Azure | Input your Azure Credentials), as per the screen shown below, you need to enter Tenant ID, Subscription ID, App ID and Secret Key to be able to discover Microsoft Azure Resources. (Information about Where to Find Azure Credentials can be found at the bottom of this page).


Once you have entered the relevant information for the required fields, the Start Scan button will be enabled for you to proceed when you are ready to start the scan.


If the credentials are invalid or fail to be authorised, the following error message will be displayed:


Upon successful authorisation, the Scan starts by interrogating Microsoft Azure for a list of Resource Groups, Virtual Machines, Scale Sets and Storage Accounts to scan. Once the scan has started the progress bar will be displayed which indicates how many of the discovered resources have been scanned:


As the scan is being carried out, it can be aborted by hovering over the Abort button which displays a panel to confirm the aborting of the scan. Once the Yes button is clicked, the form from the previous page is displayed and the scan is aborted. Note that if the scan is close to finishing then it may be completed before it can be aborted.


If an unrecoverable error occurs during the scan, the following error page will be displayed:


A "Sorry there was an error that we can't identify" message indicates that some other error occurred during scanning. This may indicate a system outage or configuration problem. Scans will recover from short Datastore (i.e. CouchDB) outages. However, if an outage lasts longer than one hour the scan will time out and show this error message.

If such errors occur, you can click Try again to restart the scan. You can also view the log to understand what the problem could be. For example, you might see "access denied" when creating a Host Group or importing a Host, in which case check that you have sufficient permissions to either create or write to the desired Host Group.

When the scan completes the following screen will be displayed:


At this point, you can click on Apply changes to trigger a system reload and start monitoring the scanned hosts. Clicking on New will allow you to start another scan. Hosts that have already been imported will be disregarded and will NOT be re-imported by later scans.

Clicking View log will display a detailed list of the steps completed by the scan:


If the scan fails for some reason, View log is a good way to help diagnose the problem.

Once the scan has finished, you can see the pending hosts by clicking the Host Settings link. At this point, you may wish to check the host configurations to ensure the details are correct. Although AutoMonitor tries its best to fill them in correctly, the credentials used for scanning may NOT be the same credentials that are required by the service check.

Host Check Command associated to Virtual Machines

To make the scan results more useful, the scan tries to associate the appropriate host check command with each host. To do this, it retrieves the Network Security Group (NSG) rules associated with that Virtual Machine and assigns the more secure one (TCP port 443 (HTTP/SSL), TCP port 22 (SSH), TCP port 80 (HTTP), TCP port 25 (SMTP), TCP port 21 (FTP), TCP port 161 (SNMP), TCP port 135 (MS RPC), TCP port 5900 (VNC)).
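
The port selection described above, sketched as an added example (not Opsview's code). It assumes the order of the page's port list is the order of preference and that rules are evaluated as Azure evaluates them, lowest priority number first; the function names and sample rules are constructed for illustration.

```python
# Added illustration; not AutoMonitor's code. Assumptions are marked below.

# Ports in the order the page lists them; treating that order as the
# preference order is an assumption.
PREFERRED_PORTS = [443, 22, 80, 25, 21, 161, 135, 5900]


def _port_matches(spec: str, port: int) -> bool:
    """Match one NSG port spec: '*', a single port, or a 'low-high' range."""
    if spec == "*":
        return True
    low, _, high = spec.partition("-")
    return int(low) <= port <= int(high or low)


def _rule_covers(rule: dict, port: int) -> bool:
    """True if an inbound rule applies to TCP traffic on the given port."""
    if rule["direction"] != "Inbound" or rule["protocol"] not in ("Tcp", "*"):
        return False
    specs = rule.get("destinationPortRanges") or [rule["destinationPortRange"]]
    return any(_port_matches(s, port) for s in specs)


def port_allowed(rules: list, port: int) -> bool:
    """Walk rules by ascending priority number; the first match decides."""
    for rule in sorted(rules, key=lambda r: r["priority"]):
        if _rule_covers(rule, port):
            return rule["access"] == "Allow"
    # No custom rule matched: treated as closed here (Azure's built-in
    # default rules are not modelled in this sketch).
    return False


def pick_host_check_port(rules: list):
    """Return the first preferred port the NSG allows inbound, or None."""
    return next((p for p in PREFERRED_PORTS if port_allowed(rules, p)), None)


# Constructed sample rules using Azure's NSG security-rule property names.
SAMPLE_RULES = [
    {"priority": 100, "direction": "Inbound", "access": "Deny",
     "protocol": "Tcp", "destinationPortRange": "443"},
    {"priority": 200, "direction": "Inbound", "access": "Allow",
     "protocol": "*", "destinationPortRange": "0-1023"},
    {"priority": 300, "direction": "Inbound", "access": "Allow",
     "protocol": "Tcp", "destinationPortRanges": ["5900", "8080-8090"]},
]

if __name__ == "__main__":
    print(pick_host_check_port(SAMPLE_RULES))
```

On the sample rules the result is port 22: the priority-100 Deny rule closes 443 before the broader Allow rule is reached, which is why a host may end up with a different check command than its open-port list alone suggests.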

Choosing a collector to monitor Azure Resources

AutoMonitor will automatically determine which collector cluster has the best connection to Microsoft Azure (using the URL https://login.microsoftonline.com) and will set the imported hosts to be monitored by that collector. If no collector can connect to Microsoft Azure, then the scan will fail.

Variables

Automonitor will attempt to populate the variables as appropriate for the host checks added by the scan. To ensure that all service checks can run correctly, populate the AZURE_CREDENTIALS global variable manually (in Configuration > Variables), as described below, before or after running the scan. If a subset of hosts require a different set of credentials, the AZURE_CREDENTIALS variable can be applied at the host level where needed to override the global variable.

Where to Find Azure Credentials

Follow the steps below to retrieve this information.

Step 1: Find the Subscription ID

The Subscription ID can be found in the Subscriptions section under the All services section in the Azure dashboard.


Step 2: Find the Tenant/Directory ID

The Tenant/Directory ID can be found in the Azure Active Directory section under the Properties section in the Azure dashboard.


Step 3: Find the Client/Application ID for your application

You need to create and register your application if you haven't already. For more information, refer to: Create an Azure Active Directory application

The Client/Application ID can be found in the Azure Active Directory section under the App registrations section in the Azure dashboard.


Step 4: Generate the Secret Key for your application

You will need to create a Secret Key for your application. Once this has been created its value will be hidden, so save the value during creation.

To create the Secret Key, select your application from the list, select the Certificates and secrets section and then click on New client secret.

Specify a description and expiration date for your key and then click Add.


Troubleshooting

  • After importing Hosts from an Azure Express Scan, some service checks may report UNKNOWN state with an unknown error message. This issue can be due to a missing credentials variable - ensure the AZURE_CREDENTIALS variable is populated correctly at either the global variable level (in Configuration > Variables), or on the specific host with the UNKNOWN check. These failing checks may take 15 minutes or more to resolve after applying this fix due to caching - to speed this process up you can restart the opsview-cachemanager component (see Cache Manager Configuration).