DarrenWhite99

Internal Monitors for Duplicate Agents Using the Same ID, Or Single Agents with Multiple IDs

I saw another post that reported that cloned systems with LT installed before imaging could continue to check in separately under the same ID. They implemented a solution using a script that would identify suspicious activity as any agent that had reported more than 2 different names within the past 7 days. I recognized a simple way that this could be detected in an "Agent ID Sharing" monitor, by testing the agent history for a name change, where the newly changed name was changed to the same name more than 2 times. Only a machine with more than 2 name changes to the same name would meet that criterion. For a false positive, this would require an agent "X" to be changed like: X->A->X->A->X->A (changed to "A" 3 times). The monitor is only looking over the span of 1 day; it is extremely unlikely that someone would generate that many name changes in such a short period. When 2 or more agents are checking in to the same ID, the name can be changed dozens of times every day.

I also created a "Duplicate Agent Detection" monitor that uses weighted criteria to identify when a machine has now begun reporting in under a new ID. This is common when a machine has had the OS reinstalled, upgraded or had the LabTech agent reinstalled (or otherwise had a malfunction) causing it to get a new ID. The monitor looks for any 2 agents that have the same machine manufacturer, model, and serial number, and any 4 or more matches for the agent's OS, OSVersion, BiosVersion, Domain, or TotalMemory.

I have attached SQL files you can use to import these monitors. 

To monitor for "Agent ID Sharing", create an internal monitor with these settings:

Updated 2017-08-29 - Improved to eliminate false positives from multiple computer renames, and resolves a compatibility issue with MariaDB

Interval: Daily
Monitor Mode: Send Fail after Success
Table To Check: computers
Field To Check: ComputerID
Check Condition: Anything
Result: 
Identity Field: (SELECT GROUP_CONCAT(DISTINCT UPPER(hc2.NewData) ORDER BY hc2.NewData SEPARATOR ',') FROM h_computers AS hc2 WHERE hc2.computerid=computers.computerid AND hc2.What='Name'  AND hc2.When>DATE_ADD(NOW(),INTERVAL -1 DAY) GROUP BY hc2.computerid)
Additional Condition: computers.computerid IN (SELECT DISTINCT hc.computerid FROM (SELECT hc1.computerid, COUNT(hc1.hisid) AS ChangedCount FROM h_computers AS hc1 WHERE hc1.what='Name' AND hc1.When>DATE_ADD(NOW(),INTERVAL -1 DAY) GROUP BY hc1.computerid,hc1.NewData) AS hc WHERE hc.ChangedCount>2)

To monitor for "Duplicate Agent Detection", create an internal monitor with these settings:

Interval: Daily
Monitor Mode: Send Fail after Success
Table To Check: computers
Field To Check: ComputerID
Check Condition: InSet
Result: (SELECT DISTINCT c2.computerid FROM (`computers` AS c1 LEFT JOIN `computers` AS c2 USING (`ClientID`,`LocationID`,`Name`)) WHERE NOT ( c2.`ComputerID` IS NULL OR c1.`ComputerID`=c2.`ComputerID` OR c1.DateAdded>c2.LastContact OR c1.LastContact>c2.LastContact ) AND ((c1.`OS`=c2.`OS`)+(c1.`Version`=c2.`Version`)+(c1.`BiosFlash`=c2.`BiosFlash`)+(c1.`Domain`=c2.`Domain`)+(c1.`TotalMemory`=c2.`TotalMemory`)+10*((c1.`BiosName`=c2.`BiosName`)+(c1.`BiosVer`=c2.`BiosVer`)+(c1.`BiosMFG`=c2.`BiosMFG`)))>33)
Identity Field: (SELECT GROUP_CONCAT(c2.computerid SEPARATOR ',') FROM computers AS c2 WHERE c2.computerid<>computers.computerid AND c2.clientid=computers.clientid AND c2.locationid=computers.locationid AND c2.Name=computers.Name AND (((c2.BiosName=computers.BiosName)+(c2.BiosVer=computers.BiosVer)+(c2.BiosMFG=computers.BiosMFG))*10+(c2.OS=computers.OS)+(c2.`Version`=computers.`Version`)+(c2.BiosFlash=computers.BiosFlash)+(c2.Domain=computers.Domain)+(c2.TotalMemory=computers.TotalMemory))>33)
Internal Monitors - Duplicate or Shared Agent Detection.zip

  • Like 2
  • Thanks 6
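
The scoring and rename-count logic of the two monitors above, run over constructed rows, as an added example that is not part of the original post or its attached .sql files. It uses SQLite in place of the LabTech MySQL database, so the date arithmetic is written differently; the sample values and the placement of model, serial and manufacturer in BiosName, BiosVer and BiosMFG are assumptions.

```python
import sqlite3

SOFT = ("OS", "Version", "BiosFlash", "Domain", "TotalMemory")  # weight 1 each
HARD = ("BiosName", "BiosVer", "BiosMFG")                       # weight 10 each
COLS = ("ComputerID", "ClientID", "LocationID", "Name") + SOFT + HARD

# Constructed sample rows (assumed values, not from a real LabTech database).
AGENTS = [
    (101, 1, 1, "FRONTDESK", "Win10", "1607", "A05", "CORP", 8192, "OptiPlex", "SN123", "Dell"),
    (245, 1, 1, "FRONTDESK", "Win10", "1703", "A05", "CORP", 8192, "OptiPlex", "SN123", "Dell"),
    (300, 1, 1, "KIOSK", "Win10", "1703", "A05", "CORP", 8192, "OptiPlex", "SN777", "Dell"),
    (301, 1, 1, "KIOSK", "Win10", "1703", "A05", "CORP", 8192, "OptiPlex", "SN888", "Dell"),
    (400, 1, 2, "LAB1", "Win7", "6.1", "A05", "CORP", 8192, "OptiPlex", "SN555", "Dell"),
    (401, 1, 2, "LAB1", "Win10", "1703", "A05", "CORP", 8192, "OptiPlex", "SN555", "Dell"),
]
RENAMES = [  # constructed name-change history: (computerid, NewData, hours ago)
    (7, "PC-A", 20), (7, "PC-B", 18), (7, "PC-A", 12), (7, "PC-B", 9),
    (7, "PC-A", 5), (7, "PC-B", 2),                  # two clones overwriting each other
    (8, "LAPTOP-NEW", 6),                            # one ordinary rename
    (9, "OLD", 90), (9, "OLD", 80), (9, "OLD", 70),  # outside the 1-day window
]

def build_db():
    """In-memory tables shaped like the columns the monitors read."""
    db = sqlite3.connect(":memory:")
    db.execute(f"CREATE TABLE computers ({', '.join(COLS)})")
    db.executemany(f"INSERT INTO computers VALUES ({', '.join('?' * len(COLS))})", AGENTS)
    db.execute("CREATE TABLE h_computers (computerid, What, NewData, `When`)")
    db.executemany("INSERT INTO h_computers VALUES (?, 'Name', ?, datetime('now', ?))",
                   [(cid, name, f"-{hours} hours") for cid, name, hours in RENAMES])
    return db

def pair_scores(db):
    """Weighted score for every pair of agents sharing client, location and name."""
    score = "{} + 10 * ({})".format(
        " + ".join(f"(c1.{c} = c2.{c})" for c in SOFT),
        " + ".join(f"(c1.{c} = c2.{c})" for c in HARD))
    return db.execute(f"""SELECT c1.ComputerID, c2.ComputerID, {score}
        FROM computers c1 JOIN computers c2 USING (ClientID, LocationID, Name)
        WHERE c1.ComputerID < c2.ComputerID ORDER BY 1""").fetchall()

def duplicate_pairs(db):
    """Pairs over the post's threshold: all 3 hardware fields plus 4 of the other 5."""
    return [p for p in pair_scores(db) if p[2] > 33]

def shared_ids(db):
    """Agent IDs renamed to the same name more than 2 times in the last day."""
    return [r[0] for r in db.execute("""SELECT DISTINCT computerid FROM h_computers
        WHERE What = 'Name' AND `When` > datetime('now', '-1 day')
        GROUP BY computerid, NewData HAVING COUNT(*) > 2""")]
```

With these rows, pair 101/245 scores 34 and is flagged, while 300/301 (25, different BiosVer) and 400/401 (33, OS and Version both changed) stay at or below the threshold.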


I adjusted the Duplicate Agent ID's query, as I received feedback that some people with more broken agents than me were getting a query failure. The Identity field is the only change.

The attached file has been updated, the .sql file for the "Duplicate Agent ID" monitor is safe to import over your existing monitor. It will automatically refresh the monitor, but will leave customizations to the alert message, alert template, interval, and a few other fields alone.

The Agent ID Sharing monitor is unchanged.

  • Thanks 1


Is there a script that can be run by the monitor when it finds the duplicate to delete the duplicate agent that is found?


Hello Darren. Can your script or monitor be modified to identify duplicate agents? I need to recover some licenses. 

On 11/19/2018 at 11:46 AM, PaulH said:

Hello Darren. Can your script or monitor be modified to identify duplicate agents? I need to recover some licenses. 

There are two monitors. One identifies duplicate agents.


Hi, in the original post the text for "Agent ID Sharing" monitor doesn't match the .zip file.  I tried to create the monitors manually and just got the "circle of hope" on the Query Results tab until I closed the window a few minutes later.

After importing "Agent ID Sharing*" I see:

table to check: h_computers
field: NewData
check condition: NotEquals
result: computers.`Name`
identity: (SELECT GROUP_CONCAT(DISTINCT UPPER(hc.NewData) ORDER BY hc.When SEPARATOR ',') FROM h_computers AS HC WHERE hc.What LIKE 'Name' and hc.When>DATE_ADD(NOW(),INTERVAL -7 DAY) AND hc.computerid = computers.computerid GROUP BY hc.computerid)
additional cond: h_computers.What LIKE 'Name' AND h_computers.When>DATE_ADD(NOW(),INTERVAL -2 DAY)

...also on the Alerting tab the "message on failure" has what I assume is an extra "v" at the end: This agent ID might be shared by the following computers: %FIELDNAME%v

 

The "Duplicate Agent Detection*" monitor looks the same as the original post to me.  I've seen CWA get hung up if a query is hung so possibly my difficulty with it was due to the first monitor query still running, not sure there.

 

We do have the MAC address detection enabled which usually rejoins reinstalled agents back "into" (as?) the same ID number as before uninstallation.  (the exception being if the PC switches from wired to wireless and thus changes MACs).

We did have one client's remote site manage to clone a laptop and did get the back-and-forth behavior which was unexpected!


Curious to know if anyone has been able to create a script that would use these monitors to delete the duplicate agents, and if so would they be willing to share?


I suspect many people have but don't want to provide their solution in case the worst happens, something goes wrong, and it ends up deleting loads of computers in your estate.


Hi,

Can you also give me the sql query to check for only duplicate Computer Names? Nothing more like bios etc... 

Bios is fine for computers that have been reinstalled but often we have customers with internal IT and they give the same name to a new device for a user when the old one doesn't get removed. 

So basically it should be an easy query but can't get it to work...

