BFI, Remote Shared Disks and client mount overlap

I’m setting up BFI and have a situation with a complex set of remote shared disks (NFS). I’m confused by what look like conflicting statements in the documentation on this at IBM Documentation.

“Scenario 2” describes a situation with two shared disks.

There are two shared disks. Shared Disk 1 is mounted on nine computers. Shared Disk 2 is mounted on six computers. To properly report the discovered software, create two computer groups in BigFix Inventory:
Computer Group 1 that contains computers on which Shared Disk 1 is mounted
Computer Group 2 that contains computers on which Shared Disk 2 is mounted
Three of the computers belong to both computer groups because they have both disks mounted. Select one of these computers to be scanned. This way, only one computer is scanned to discover software that is installed on both shared disks. Scan results from the designated computer are propagated to the rest of computers in both groups. Computers on which only one disk is mounted show software from that disk only. Computers on which both disks are mounted show software from both disks.

From the sound of this, I would try to locate a computer that mounts both shared disks, have that one computer run the shared disk scan, and apply the results as a template to computers from both groups. It sounds here like BFI automagically figures out which computers mount which disk. But, at the very end of the article there is this “Important” note -

Ensure that you assign a software template to a group in which all computers have the shared disk mounted. Otherwise, software discovered on the shared disk is reported on computers that do not in fact have access to that software.

That looks like a contradiction to me, and I’m not sure how I should schedule the scans for my shared disks. If my scanning computer has both nfs:mount1 and nfs:mount2 scanned, how would I apply its results separately to the two groups of computers that only mount one or the other?

In Scenario 2, there are 12 computers.

  • Computers 1-9 have Shared Disk 1 mounted (Computer Group 1).
  • Computers 7-12 have Shared Disk 2 mounted (Computer Group 2).

You scan only Computer 7 to discover the software on both Shared Disks. After the results of the software scan are uploaded to BigFix and imported into BFI, you will have two Software Templates (there is a 1:1 relationship between a Shared Disk mount point and a Software Template).

In BFI, create Computer Group 1 based on BigFix data (to keep the group membership in sync), and associate it with Software Template 1 only (which points to Shared Disk 1).

Same for Computer Group 2 and Software Template 2 only (which points to Shared Disk 2).

Computers 7, 8, and 9 belong to both groups, so the software found in both the templates will show up on these three computers, since they will have two Software Templates attached.

[Shared Disk 1] <—> [Computer Group 1 (computers 01-09)] <—> [Software Template 1]
[Shared Disk 2] <—> [Computer Group 2 (computers 07-12)] <—> [Software Template 2]

What the note is saying, to me, is that you must not assign Software Template 2 to Computer Group 1 (or any other group which contains any computers where Shared Disk 2 is not mounted).

I hope this makes sense when you read it.

It does indeed, thanks very much!

So…a template applies to a mount point, not to the computer group mounting it?

If that’s the case, I may have my work cut out for me. At least three hundred mount points involved.

Would the automatic scanning mentioned as a 9.2.12 feature help in that case?

I would put it this way: a Software Template is a logical representation of all the software discovered on a mount point (or Shared Disk, as it is referred to in the documentation), and the BFI Computer Group is used to associate the discovered software to the set of computers that have that mount point.

With the manual approach, you have control over which computers are scanned for software on any given mount point.

With the automated approach, BFI will choose the computers to be scanned. It is not apparent what logic is employed by BFI in this decision. However, given the quantity of mount points in your environment, it seems like the right approach.

I’m afraid I can’t get to 9.2.12 as I’m using a SQL 2016 back-end. I may have to wait for 9.2.13, set up the shared disks manually, or defer scanning them entirely.

Can a Template cover more than one shared disk? I have some 300 total but they could be divided into 8 “groupings” of mounts. Any given client would match one of those eight mount table configurations. If I could define a Template to consist of about 50 mount points / shared disks, I’d only need eight templates.

I think I won’t like the answer to that though…

I think the key is being able to define Computer Groups in BigFix where all members of each group have the same mount table configuration. Then, they can be used as the basis for the BigFix Inventory Computer Group definitions.

In BFI, it appears that a Computer Group of type “Software Template” can be mapped to multiple Software Templates. Each Software Template still represents one mount point, but, theoretically, all the mount points in the mount table configuration could be connected to a Computer Group.

The initial challenge will be finding the minimum number of computers to scan to hit all 300 mount points. The ongoing challenge will be keeping up with changes to the mount table configurations and the computer group definitions, which I imagine is not trivial.
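As an added illustration of the planning problem described in the post above (not part of the original posts and not BFI functionality): a Python sketch that groups computers by identical mount table, picks a small scan set with a greedy set-cover heuristic (small, but not guaranteed to be the minimum), and checks the "Important" note's condition before a template is attached to a group. The mount data is constructed from Scenario 2, and all function names are hypothetical.

```python
from collections import defaultdict

# Constructed sample data modelled on Scenario 2: computer -> mounted shared disks.
MOUNTS = {f"computer{i:02d}": set() for i in range(1, 13)}
for i in range(1, 10):
    MOUNTS[f"computer{i:02d}"].add("nfs:mount1")   # Shared Disk 1 on computers 01-09
for i in range(7, 13):
    MOUNTS[f"computer{i:02d}"].add("nfs:mount2")   # Shared Disk 2 on computers 07-12


def group_by_mount_table(mounts):
    """Group computers whose mount tables are identical (candidate computer groups)."""
    groups = defaultdict(list)
    for computer in sorted(mounts):
        groups[frozenset(mounts[computer])].append(computer)
    return dict(groups)


def greedy_scan_set(mounts):
    """Greedy set cover: repeatedly pick the computer that sees the most
    still-unscanned mount points. Ties go to the lowest computer name."""
    uncovered = set().union(*mounts.values())
    chosen = []
    while uncovered:
        best = max(sorted(mounts), key=lambda c: len(mounts[c] & uncovered))
        chosen.append(best)
        uncovered -= mounts[best]
    return chosen


def misassigned(mounts, group, template_mount):
    """Members of a group that do NOT mount the disk behind a template.
    Any result means the template would report software on computers
    that cannot actually reach it."""
    return sorted(c for c in group if template_mount not in mounts.get(c, set()))


GROUP1 = [c for c in sorted(MOUNTS) if "nfs:mount1" in MOUNTS[c]]  # computers 01-09

if __name__ == "__main__":
    print("scan set:", greedy_scan_set(MOUNTS))
    for table, members in group_by_mount_table(MOUNTS).items():
        print(sorted(table), "->", members)
    print("Template 2 on Group 1 would be wrong for:",
          misassigned(MOUNTS, GROUP1, "nfs:mount2"))
```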

Thanks very much. That sounds doable. When I talk about eight groupings of mount points, every computer within a group should share the same mount point list.

Good luck. Let me know if I can help.

Hi Jason,

I don’t like to be the one to bring bad news, but the SQL 2016 backend is not supported and the data in your DB may not be correct.
Here is a technote about that: http://www-01.ibm.com/support/docview.wss?uid=swg22016328

The meaning is as follows. SQL 2016 changed the way the date is treated, and the first import is corrupting historical endpoint data.

The solution is to back up the SQL 2016 DB and start a new installation of BFI.

We are actively working on bundling an export/import tool to help in that situation.


I’m afraid my solution is to hold BFI deployment until a fix is available. I had hoped to make some progress with at least my test systems over the next couple of months, even if the data is incomplete.

I will not be installing a downlevel copy of SQL server just to run BFI. I have a shared SQL infrastructure and just don’t have that flexibility.

Can we not just change database compatibility level, which can be modified per-database?

Per https://support.microsoft.com/en-us/help/4010261/sql-server-and-azure-sql-database-improvements-in-handling-some-data-t , it appears the new datediff functionality is only in effect if compatibility.level is set to 130 or higher…

https://docs.microsoft.com/en-us/sql/t-sql/statements/alter-database-transact-sql-compatibility-level?view=sql-server-2017

Changing the database compatibility level would be a fine option for me.

Things are getting trickier than that.

At the moment you are using a database that is not supported, which makes your BFI server not compliant. Contact your IBM account representative or the IBM Compliance team directly to discuss the compliance conditions of your environment.

You may wait until the 9.2.13 release, in which MS SQL 2016 shall be supported (this functionality is not committed to be delivered), but until that time you will not be compliant and will have to start a new installation of BFI anyway, as the data in your current DB is corrupted.

Changing compatibility level is not supported.

You may create audit snapshots from the current BFI, but they may not be accurate.

I don’t have a compliance issue. I’m trying to get this to work in order to head off an effort in my company to deploy another overlapping, competing product.

I will not install and license another downlevel version of SQL server to support BFI. I’ll wait for a BFI that works with current database releases. Looking forward to 9.2.13.

Sorry if this comes across harshly, that’s really not my intent and I definitely appreciate your help and insight. Just making it clear that BFI needs to work in my environment, I’m not going to build an environment around BFI.

The crucial part of the technote above is “Utilizing this database engine may cause serious data loss in BFI/ILMT which can significantly impact its licensing audit capabilities.”

You may want to contact your IBM account representative and check your audit capabilities.

FYI: IBM has released a Support document providing additional details around this issue.

Troubleshooting: Breaking Changes introduced in MS SQL 2016, makes this database incompatible with the current version of LMT/BFI

Several additional non-IBM links are included:
