What is the TDX Asset Discovery Windows Agent?
The TeamDynamix Asset Discovery Windows Agent (aka the Discovery Agent) is a software program that you install on a computer that uses Microsoft Windows. During installation, you connect it to a TeamDynamix Asset Discovery Scanner. Once it's set up, the Discovery Agent periodically scans the computer using WinRM and sends the gathered information back to the Discovery Scanner.
How the Agent Works
- The agent connects to TDAdmin to figure out how often it should run.
- The schedule for how often it should run is set on the Asset Discovery job in TDAdmin.
- The default value is once a week, but can be changed.
- On the interval specified in the Asset Discovery job, the agent uses WinRM to scan the machine it's installed on.
- Because the agent uses WinRM to collect data, the data it returns will be exactly the same as the data returned by a job using the "WMI" data provider.
- The agent then sends the information it collected back to TDAdmin.
The agent communicates with the scanner over an SSL/TLS secure channel. The exact CipherSuite used to secure the channel is determined in the same way that it is determined when browsing to an HTTPS website using a web browser and involves a negotiation between the agent and scanner machines to select the most secure CipherSuite supported by both machines. A CipherSuite is a combination of a key exchange and authentication algorithm, encryption algorithm, and message authentication code algorithm.
In order to support SSL/TLS communications, the asset scanner must be configured with an SSL Certificate. An external certificate can be provided, or the scanner can automatically generate a self-signed certificate. Each agent can also be configured with a client certificate to validate the identity of each agent machine to the scanner machine.
By default, the scanner and agent are configured to use an auto-generated, self-signed server certificate and no client certificate. Additionally, the agents are configured to validate the name of the server certificate presented to them but ignore certificate chain validation issues (since, by default, the server will be presenting a self-signed certificate).
Agent Configuration Files
When the TeamDynamix Asset Discovery Scanner service is installed on the scanner machine, it creates a directory of files. The default directory is C:\Program Files(x86)\TeamDynamix\Asset Discovery Scanner. Inside that directory is a folder called "config". This folder contains multiple .json files which control the configuration of the different data providers, including the agent.
Four configuration files that control how the agent service works are:
- applocal.json - this provides service-level settings, like which TeamDynamix environment and scanner the agent should communicate with. You should never need to modify this file.
- appsettings.json - settings related to the scanner service, like how often it checks for configuration updates
- agentappsettings.json - settings related to the agent service, like how often to check for configuration updates and how often to send data to TDAdmin
- wmisettings.json - this controls exactly how WinRM discovery is conducted, including which credentials to use and which port to use
When the agent is installed on a target machine, it copies these files and installs them on the machine running the agent. The default directory is C:\Program Files(x86)\TeamDynamix\Asset Discovery Agent. The config files on the agent machine are identical copies of the ones on the Asset Discovery Scanner machine.
Configuration File Updates
The scanner's configuration updates in two ways:
- After using Sync Config
- You can make changes to the configuration of the scanner or any data provider in TDAdmin.
- Then, click Sync Config in the Discovery Manager application on the scanner service to update the relevant configuration files on the scanner machine.
- The files in the /config folder will be replaced with the updated settings from TDAdmin
- If you have modified any config files in the /config/custom folder, they will be unchanged
- Automatically:
- The scanner will also check TDAdmin for configuration changes periodically, even if Sync Config isn't clicked.
- The default schedule for checking for configuration changes is every 30 minutes.
- The schedule can be updated by modifiying the "Server.ConfigPollingMinutes" attribute in the appsettings.json file (see below).
The agent's configuration updates in two ways:
- After every scan:
- Each time the agent sends discovery results back to the scanner, it checks the timestamps of each file in the /config folder on the scanner machine, and compares those timestamps to the matching files in the /config folder on the agent machine.
- If any of the files on the scanner machine is newer than the one on the agent machine, the agent will update its own copy with the newer version.
- If changes have been made, the agent will immediately re-run the discovery process using the updated settings.
- Automatically:
- The agent will also check for new configuration files periodically, even if a discovery job is not configured.
- The default schedule for checking for configuration changes is once a day.
- The schedule can be updated by modifiying the "ConfigPollingMinutes" attribute in the appsettings.json file (see below).
Modifying Agent Configuration
Warning: Most settings should be modified using TDAdmin, rather than by manually modifying the files. If you choose to modify the files, you accept the risk that you may break your discovery settings.
If you decide to change the configuration files manually, make sure to edit the versions on the scanner. This is important because the agent updates its own files by pulling from the scanner regularly. By changing the scanner's files, you'll ensure that your adjustments aren't erased. Plus, this way, you won't need to update each agent computer separately.
To modify a configuration file for the the agent:
- Access the machine running the Asset Discovery Scanner
- Navigate to the installation directory for the Asset Discovery Scanner.
- The default is C:\Program Files (x86)\TeamDynamix\TeamDynamix Asset Discovery Scanner
- Open the /config folder
- Using a text editor (e.g., Notepad, Notepad++, or Wordpad), open the relevant file you want to update
- Make changes to the file
- Click Save
- Restart the service:
- Click Windows Key + R to open the Run interface
- Type services.msc, then click Enter
- From the list of services, find the TeamDynamix Asset Discovery Scanner service
- Right-click the service, then click Restart
The next time the agent checks in, it will get the updated version of the configuration file and replace its own copy with the one you modified on the scanner machine.
This file is generated at time of install and does not change unless manually edited. You shouldn't ever need to modify this manually, but we include its information here for context.
|
Property
|
Type
|
Description
|
|
APIUrl
|
string
|
The API URL of the TeamDynamix environment where the discovered assets will be created/modified. This value is set when you install the asset discovery scanner service.
|
|
BEID
|
guid
|
The BEID of the TeamDynamix environment where the discovered assets will be created/modified. This value is set when you install the asset discovery scanner service.
|
|
DisplayName
|
string
|
The long/display name of the Windows service. Shown in the list of services in the Services control panel app.
|
|
Id
|
guid
|
A unique id that identifies this instance of the discovery agent. Do not modify this value.
|
|
LocalName
|
string
|
The short name of the Windows service installed on the local machine.
|
|
LogFileDir
|
string
|
The file path to log files created by the discovery process. The agent only keeps the log from the last discovery with the name [LogFilePath]\[AgentName]-disc-log.json.
|
|
Name
|
string
|
n/a
|
|
ResultsDir
|
string
|
The file path to which discovery results will be written. The agent only keeps the result file from the last discovery with the names [ResultsPath]\[AgentName]-sum.json and [ResultsPath]\[AgentName]-assets.json.
|
|
WSKey
|
guid
|
The Web Services Key of the TeamDynamix environment where the discovered assets will be created/modified. This value is set when you install the asset discovery scanner service.
|
|
Property
|
Type
|
Description
|
|
Debug
|
boolean
|
True to include debug (stack) information in error messages.
|
|
LogLevel
|
loglevel
|
The level of detail that should be logged. This can be overridden on a provider-by-provider basis. Possible values are:
- None: Do not log any information
- CriticalError: Log only critical errors (errors that stop the discovery process completely)
- Error: Log all errors including those errors that may only prevent specific actions but let the discovery process continue
- Warning2: Log all errors and serious warnings
- Warning1: Log all errors and warnings
- Results: Log individual results (device found, for example) as well as all errors and warnings
- Info: Log high-level information as well as all errors and warnings
- DetailedInfo: Log detailed information (all process/protocol information plus summary property-level information) as well as all errors and warnings
- Verbose: Log very detailed information about all aspects of the discovery process along with all errors and warnings
We do not encourage modifying this setting in the file. Instead, modify the setting in TDAdmin > Applications > [assets/CIs application] > Asset Discovery > Asset Discovery Scanners > [specific scanner] > Edit, then change the Log Level dropdown.
After modifying this setting in TDAdmin, pull the most recent changes by clicking "Sync Config" in the Discovery Manager application on the asset scanner machine.
|
|
PeacefullShutdownWait
|
int
|
The number of milliseconds to wait for discovery to shutdown after a shutdown (cancellation, service stop, etc.) request. After this time, discovery will be forcibly stopped.
|
|
VerboseServiceLogging
|
boolean
|
True to log additional detail into the log file for the service itself (different from LogLevel which controls the level of logging for individual discovery jobs)
|
|
Server.ConfigPollingMinutes
|
int |
The frequency, in minutes, at which the discovery scanner should check with TDAdmin for updated configuration information. Defaults to 1440 (once/day). Note that a discovery will be run and configuration files updated at startup, so a reboot or service restart can be used to force updates at any time.
|
|
Server.DisableDiscoverySchedule
|
boolean |
True to disable the discovery schedule causing scheduled discovery jobs not to run.
|
|
Server.DisableUploadQueueing
|
boolean
|
True to stop results and log files from being queued for upload to TDX.
|
|
Server.ScheduleMissedAllowance
|
int
|
Number of minutes late the scheduler can be when running a scheduled job. For example, if a job is scheduled for run at 1pm but the scheduler does not notice this (perhaps it was stopped) until 1:45pm, the scheduler would run the job as long as the allowance was more than 45 minutes. If not, it would skip that occurrence of the job. |
|
Server.SchedulePollingSeconds
|
int
|
Frequency, in seconds, at which the scheduler should check for jobs that need to run. |
|
Server.SendLogsToTDX
|
boolean |
True to send discovery process log files to TDX for possible analysis
|
|
Server.AgentListener.Enabled
|
boolean
|
True to enable the listener that listens for messages from discovery agents.
|
|
Server.AgentListener.CertPath
|
string
|
Path to a certificate to use for protecting the communications channel between agents and the server (using SSL). Set to “[auto]” to have system autogenerate a self-signed certificate.
|
|
Server.AgentListener.CertPassword
|
string
|
Password for certificate private key.
|
|
Server.AgentListener.ClientCertCACheck
|
boolean
|
True to perform a certificate authority validation on agent client certificates (if client certs are required)
|
|
Server.AgentListener.ClientCertCNCheck
|
boolean
|
True to perform a common name validation on agent client certificates (if client certs are required)
|
|
Server.AgentListener.ClientCertRevokeCheck
|
boolean
|
True to perform a revocation validation on agent client certificates (if client certs are required)
|
|
Server.AgentListener.Port
|
int
|
TCP/IP port on which to listen for agents. Defaults to 1443.
|
|
Server.AgentListener.Protocols
|
enum
|
Which SSL protocols to allow. Set to None to allow the OS to choose the best protocol. Otherwise, one or more of the following: Ssl2, Ssl3, Tls, Tls11, Tls12.
|
|
Server.UploadQueue.AbandonMinutes
|
int
|
Minutes after which an item that was queued for upload but not marked complete is considered abandoned. When an item is abandoned, the scanner sends a run-end to TDX with a result of “Abandoned”.
|
|
Server.UploadQueue.Enabled
|
boolean
|
False to disable uploading of discovery results and logs. Depending on the setting of DisableUploadQueueing, results and logs may still be queued for upload once uploading is re-enabled.
|
|
Server.UploadQueue.ResultsBatchSize
|
int
|
The maximum number of assets to send to TDX in a single batch.
|
|
Server.UploadQueue.UploadPollingSeconds
|
int
|
The number of seconds between checks to see if items are wait for upload. Note that uploads can also be immediately triggered such as at the end of a discovery run.
|
|
Server.UploadQueue.UploadRetries
|
int
|
Number of times the scanner should attempt to upload results to TDX before considering the upload attempt to have failed.
|
|
Property
|
Type
|
Description
|
|
Debug
|
boolean
|
True to include debug (stack) information in error messages.
|
|
LogLevel
|
loglevel
|
The level of detail that should be logged. This can be overridden on a provider-by-provider basis. Possible values are:
- None: Do not log any information
- CriticalError: Log only critical errors (errors that stop the discovery process completely)
- Error: Log all errors including those errors that may only prevent specific actions but let the discovery process continue
- Warning2: Log all errors and serious warnings
- Warning1: Log all errors and warnings
- Results: Log individual results (device found, for example) as well as all errors and warnings
- Info: Log high-level information as well as all errors and warnings
- DetailedInfo: Log detailed information (all process/protocol information plus summary property-level information) as well as all errors and warnings
- Verbose: Log very detailed information about all aspects of the discovery process along with all errors and warnings
We do not encourage modifying this setting in the file. Instead, modify the setting in TDAdmin > Applications > [assets/CIs application] > Asset Discovery > Asset Discovery Scanners > [specific scanner] > Edit, then change the Log Level dropdown.
After modifying this setting in TDAdmin, pull the most recent changes by clicking "Sync Config" in the Discovery Manager application on the asset scanner machine.
|
|
PeacefullShutdownWait
|
int
|
The number of milliseconds to wait for discovery to shutdown after a shutdown (cancellation, service stop, etc.) request. After this time, discovery will be forcibly stopped.
|
|
VerboseServiceLogging
|
boolean
|
True to log additional detail into the log file for the service itself (different from LogLevel which controls the level of logging for individual discovery jobs)
|
|
Agent.CertName
|
string
|
The expected name of the server certificate that will be presented by the scanner.
|
|
Agent.ClientCertPassword
|
string
|
If a client certificate is in used, the password that protects the private key.
|
|
Agent.CertSkipCACheck
|
boolean
|
True to skip the certificate authority check of the scanner’s server certificate.
|
|
Agent.CertSkipCNCheck
|
boolean
|
True to skip the certificate name check of the scanner’s server certificate.
|
|
Agent.CertSkipRevokeCheck
|
boolean
|
True to skip the certificate revocation check of the scanner’s server certificate.
|
|
Agent.ClientCertPath
|
string
|
Path to the client certificate the agent should use or null/empty to not use a client certificate.
|
|
Agent.ConfigUpdateInterval
|
int
|
The frequency, in minutes, at which the discovery agent checks with the discovery scanner for updated configuration files. Defaults to 1440 (once/day). Note that a discovery will be run and configuration files updated at startup, so a reboot or service restart can be used to force updates at any time.
|
|
Agent.MaxLogFileSize
|
boolean
|
The maximum size of the server log file (not the discovery log files) in KB. The agent will keep up to 50 log files and will then automatically purge the oldest files to make room for newer ones. Defaults to 2048.
|
|
Agent.Port
|
int
|
The destination port to use for communications with the scanner. Defaults to 1443.
|
|
Agent.Protocols
|
boolean
|
Limits the protocols the agent will use to communicate with the scanner. The default value of “None” allows the OS to choose the most appropriate protocols.
|
|
Agent.ServerId
|
guid
|
Id of the scanner this agent should connect to.
|
|
Agent.ServerResponseTimeout
|
int
|
Length of time, in milliseconds, the agent should wait for a response from the scanner after communicating with it. Defaults to 8000.
|
|
Agent.ServerUrl
|
string
|
IP address or network name of the scanner this agent should connect to.
|
|
Agent.UploadInterval
|
int
|
The frequency, in minutes, that the agent will send discovery data to the scanner. Defaults to 10080 (once/week). Note that the agent always sends discovery results to the scanner at startup so a reboot or service restart can be used to force updates at any time.
|
|
Property
|
Type
|
Description
|
|
Credentials
|
credential[]
|
A single set of credentials (an object with Username and Password properties) as a single-member array. Only necessary if the identity the service is running as does not have access to WMI.
|
|
Debug
|
boolean
|
True to log extra debug-only information in log files. Defaults to False.
|
|
InitialTargetDiscoveryRetries
|
int (1-100)
|
Number of times to try to connect to WMI.
|
|
InitialTargetDiscoveryTimeout
|
int (10-30,000)
|
Maximum number of milliseconds to wait for a connection attempt to WMI.
|
|
MaxRecursion
|
int (1-200)
|
Property value resolution maximum level of recursion (nested references to other property values within a property value expression).
|
|
Namespace
|
string
|
WMI namespace all property queries should use. Defaults to “root\cimv2”.
|
|
Port
|
int (1-65,535)
|
Port to use for WMI communications. Defaults to 5985.
|
|
Properties
|
property[]
|
List of properties to attempt to collect.
|
|
RequestRetries
|
int (1-100)
|
Number of times to try WMI requests.
|
|
RequestTimeout
|
int (10-30,000)
|
Maximum number of milliseconds to wait for WMI requests to respond.
|