fatih
Enthusiast

vShield Manager Querying vCenter a lot (spamming?)

Hi,

I/We have installed vShield Manager 4.1 U1 (for endpoint and Deep Security purposes) in an environment with 31 ESX 4.1 U2.

So far we have installed the endpoint driver in only 1 cluster (development) with 9 hosts, and everything about the endpoint driver and Deep Security is working fine.

The only issue we have is that vShield Manager constantly does a lot of queries and it never stops. It runs a Query on all 31 hosts, and when it is finished it starts over again, really spamming the vCenter "Recent Tasks" window with the queries.

Has anyone seen this and know of a way to have vShield Manager stop querying, or do the queries much less frequently?

/Fatih

0 Kudos
6 Replies
sorabhk5
VMware Employee

Can you share which tasks/task names?

If the tasks are like scan, query, open ports etc, these are standard tasks and will get executed only when any ESX host is selected in the vCenter.

All opinions expressed here are my personal opinions and not of my employer. Thanks #Sorabh [[ http://sorabhk5.in or @sorabhk5 ]]
fatih
Enthusiast

Exactly, the same repeating task is "Query" all the time. There is one Query task for one of the 31 ESX hosts all the time. It keeps querying a new ESX host every 1-15 seconds, constantly, without anyone selecting any ESX host or even being in the vShield Manager interface.

My experience from earlier vShield Manager installations is also that it queries only when you select one ESX in the vShield Manager interface. But those installations were pre 4.1 U2 (4.1 / 4.1 U1); this is the first I have done with 4.1 U2. But then again, it is vShield Manager which is querying, so it should not make any difference if ESX is 4.1 U1 or U2.

It is really annoying and fills up the task/event windows everywhere.

One other thing I noticed now: I searched through the logs (vmkernel/vmkwarning/messages etc.) to see if I could find any evidence of the Query task, and the only thing I think is related is /var/log/vmware/esxupdate.log, which logs this every 15 min (since we installed vShield Manager):

[2012-01-02 12:36:14]   DEBUG:       lock: Lock file /var/run/esxupdate.pid created with PID 771
[2012-01-02 12:36:15]    INFO:        cos: vsish command /usr/sbin/vsish cannot be found
[2012-01-02 12:36:15]    INFO:        cos: No hardware vendor/model information obtained
[2012-01-02 12:36:15]    INFO: vmware.esx: BIOS reports Vendor , Model
[2012-01-02 12:36:15]    INFO:  esxupdate: --
Command: query
Args: ['query']
Options: {'nodeps': None, 'all': None, 'retry': 5, 'force': None, 'vibview': None, 'nocache': None, 'compliant': None, 'loglevel': 'DEBUG', 'cleancache': None, 'bundles': None, 'nosigcheck': None, 'bundlezips': None, 'olderversion': None, 'proxyurl': None, 'meta': None, 'timeout': 30.0, 'cachesize': None, 'HA': True, 'maintenancemode': None}
[2012-01-02 12:36:15]   DEBUG: vmware.esx: VIBs loaded: database 881  metadata 0  pkgdb 0
[2012-01-02 12:36:15]   DEBUG: vmware.esx: Final VIB counts: metadata 0  pkgdb 0
[2012-01-02 12:36:15]    INFO:  esxupdate: All done!
[2012-01-02 12:36:16]   DEBUG:       lock: Lock file /var/run/esxupdate.pid created with PID 782
[2012-01-02 12:36:16]    INFO:        cos: vsish command /usr/sbin/vsish cannot be found
[2012-01-02 12:36:16]    INFO:        cos: No hardware vendor/model information obtained
[2012-01-02 12:36:16]    INFO: vmware.esx: BIOS reports Vendor , Model
[2012-01-02 12:36:16]    INFO:  esxupdate: --
Command: query
Args: ['query']
Options: {'nodeps': None, 'all': None, 'retry': 5, 'force': None, 'vibview': None, 'nocache': None, 'compliant': None, 'loglevel': 'DEBUG', 'cleancache': None, 'bundles': None, 'nosigcheck': None, 'bundlezips': None, 'olderversion': None, 'proxyurl': None, 'meta': None, 'timeout': 30.0, 'cachesize': None, 'HA': True, 'maintenancemode': None}
[2012-01-02 12:36:17]   DEBUG: vmware.esx: VIBs loaded: database 881  metadata 0  pkgdb 0
[2012-01-02 12:36:17]   DEBUG: vmware.esx: Final VIB counts: metadata 0  pkgdb 0
[2012-01-02 12:36:17]    INFO:  esxupdate: All done!

/Fatih

0 Kudos
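As an added example (not part of the original post), this Python script measures how often esxupdate is invoked with the `query` command in a log shaped like the excerpt above. The sample lines, the function names and the 60-second burst gap are assumptions constructed for illustration.

```python
import re
from datetime import datetime

# Constructed sample in the format of the esxupdate.log excerpt above.
SAMPLE_LOG = """\
[2012-01-02 12:21:14]    INFO:  esxupdate: --
Command: query
[2012-01-02 12:21:15]    INFO:  esxupdate: All done!
[2012-01-02 12:36:15]    INFO:  esxupdate: --
Command: query
[2012-01-02 12:36:15]    INFO:  esxupdate: All done!
[2012-01-02 12:36:17]    INFO:  esxupdate: --
Command: query
[2012-01-02 12:36:17]    INFO:  esxupdate: All done!
"""

TS_RE = re.compile(r"^\[(\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2})\]")
CMD_RE = re.compile(r"^Command:\s*(\S+)")

def command_times(log_text, command="query"):
    # "Command:" lines carry no timestamp of their own, so each one is
    # attributed to the most recent timestamped line before it.
    last_ts, times = None, []
    for line in log_text.splitlines():
        m = TS_RE.match(line)
        if m:
            last_ts = datetime.strptime(m.group(1), "%Y-%m-%d %H:%M:%S")
            continue
        c = CMD_RE.match(line)
        if c and c.group(1) == command and last_ts is not None:
            times.append(last_ts)
    return times

def group_bursts(times, gap_seconds=60):
    # Invocations no more than gap_seconds apart belong to one burst.
    bursts = []
    for t in times:
        if bursts and (t - bursts[-1][-1]).total_seconds() <= gap_seconds:
            bursts[-1].append(t)
        else:
            bursts.append([t])
    return bursts

def burst_intervals(bursts):
    # Seconds between the first invocation of consecutive bursts.
    starts = [b[0] for b in bursts]
    return [int((b - a).total_seconds()) for a, b in zip(starts, starts[1:])]

if __name__ == "__main__":
    print(burst_intervals(group_bursts(command_times(SAMPLE_LOG))))
```

Run against the real log of each host, the burst intervals can be lined up with the timestamps of the Query tasks shown in vCenter to check whether the two are related.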
xRemcox
Contributor

We have the same problem in our environment. We saw that the user for DSM and the user for vShield query a lot. I managed to stop the DSM queries, but the vShield queries are still running and ruining our logging...

Did you already fix this problem?

0 Kudos
sorabhk5
VMware Employee

Sorry about the late response. I suggest logging a ticket with support for this.

All opinions expressed here are my personal opinions and not of my employer. Thanks #Sorabh [[ http://sorabhk5.in or @sorabhk5 ]]
0 Kudos
fatih
Enthusiast

@xremcox,

How did you stop the queries from DSM?

0 Kudos
xRemcox
Contributor

I did the following:

DSM performs an extra query on ESX servers that reportedly do not have a fast path driver installed. DSM does this to distinguish an ESX that legitimately does not have the driver installed from an ESX that cannot load the driver due to an error.

You can perform the steps below to create a hidden system setting that can turn off this extra query.

The caveat is that an ESX with a fast path driver in an error state will appear as "unprepared" in DSM, instead of having an active host error assigned to it.

1. Query the SQL database to find out the Host ID(s) for the ESX servers that you want to stop from being queried.
  
  Basically, you need to use this SQL query:
  
    select HostID from hosts where Hostname = '<esx hostname as in DSM>'
  
2. Modify the attached script and change the integer array on the first line to be the list of ESX servers from Step 1.
  
  For example: If the Host IDs for the servers that you want to stop querying are 15 and 102, then change the line to "Integer[] hostIds = new Integer[]{15, 102}".
  
3. Save this script in the DSM server machine.
  
  In a multi-node environment, this can be done on any node in the directory <installation dir>\Scripts (e.g. c:\Program Files\Trend Micro\Deep Security Manager\Scripts).
  
4. Under scheduled tasks, create a new task as type "Run Script" and "Once Only" to execute the script.

It is a bit dirty, but it works for DSM; unfortunately it does not work for the vShield spamming. I attached the script.

0 Kudos