Question & Answer
Question
Answer
- Provide a count from your CMDB or internal asset tools.
- Use the original Python MVS script to count MVS: https://github.com/IBM/count-mvs.
- Use the MVS 2.0 utility and create asset identity exclusions.
- Scan report from a VA scanner. Several vendors provide credentialed scans that can report the OS version or application information. These details can be used to count servers or provide an OS overview through default report types.
About the MVS 2.0 utility
Types of data the MVS tool reviews:
- Log source types associated with server operating systems (Windows servers, Linux, AIX, z/OS, Kubernetes nodes, Cloud Hosts (IaaS servers)).
- Ports commonly used by servers (22, 53, 80, 137, 443, 8080)
- Assets populated into the QRadar asset database by vulnerability scans or passive flow scanning that are identified as servers or unknown assets.
Before you begin
- Administrators must confirm that the DSM-IBMManageVirtualServer DSM is installed on their QRadar Console. To confirm the file is installed, check the Admin tab for the DSM-IBMManageVirtualServer DSM. Optionally, from the command line, type yum info DSM-IBMManage* and confirm the DSM is installed.
# yum info DSM-IBMManage*
Loaded plugins: product-id, search-disabled-repos
Installed Packages
Name        : DSM-IBMManageVirtualServer
Arch        : noarch
Version     : 7.5
Release     : 20240314102425
Size        : 3.7 M
Repo        : installed
From repo   : /DSM-IBMManageVirtualServer-7.5-20240314102425.noarch
Summary     : DSM IBM Manage Virtual Server Install
URL         : www.ibm.com
License     : IBM Corp.
Description : IBM Manage Virtual Server
- The mvs.sh tool requires users to provide admin credentials or create an authorized service token to run the utility. The recommended user role permission for the MVS tool is admin to ensure queries for the count can be run. The minimum user role permission level is Log Activity.
- Optional. If the MVS tool is not installed on your Console, download the DSM from IBM Fix Central and install the DSM:
yum install -y DSM-IBMManageVirtualServer*
- Log in to the QRadar Console as an administrator.
- Click the Admin tab.
- Click the Log Sources icon.
- Click Manage log sources, then select +New Log Source > Single Log Source.
- In the Select a Log Source Type field, type MVSCount.
Note: If this option does not display for you, confirm the IBM Manage Virtual Server DSM is installed.
- In the Select a Protocol Type field, select Syslog.
- Configure the log source parameters:
- Name: Type a name for the log source. This value can be any name, such as MVS Count.
- Description: Optional. Type a description of the log source.
- Enabled: Ensure this check box is On.
- Log Source Group: Optional. Add the log source to a log source group.
- In the Configure protocol parameters field, configure the following parameters:
- In the Log Source Identifier field, type ibm.managevirtualserver.
- For Incoming Payload Encoding, select UTF-8.
- Click Finish to save the log source configuration.
The administrator must download the MVS 2.0 script from IBM Fix Central, extract the files, then run the script. The script searches the last 7 days to create an initial MVS count and evaluates new data collected to update the MVS output.
Procedure
- Download the MVS Version 2.0 script from IBM Fix Central.
- Copy MVS2.0.zip to the QRadar Console.
- Use SSH to log in to the QRadar Console as the root user.
- To create a directory for the tool, type:
mkdir /store/mvs
- Extract MVS2.0.zip to the directory:
unzip MVS2.0.zip
- To run the utility, type:
sh mvs.sh -s -v
Note: The verbose option is recommended the first time administrators run the MVS count utility, because it creates the mvs_details.csv file that shows which servers are included in the initial count.
- Select a permission for the mvs utility.
Note: The user or authorized service token user role can be an admin user role for the permission. Users who want to run with reduced permissions can use the Log Activity user role as a minimum permission level.
# sh mvs.sh -s -v
Which authentication would you like to use:
1: Admin user
2: Authorized service
(q to quit)
Please enter your choice:
- Wait for the MVS utility to run:
Username: admin
Password:
starting MVS counter...
validating MVS running...
..........
MVS Counter process started successfully.
- Wait for the CSV files to be created in the /store/mvs directory.
Results
The MVS 2.0 utility creates two files for users:
- count_mvs.csv - This file has a summary of the overall count that administrators can use to declare MVS licenses to IBM.
- mvs_details.csv - If the verbose option is enabled, a details file is created. The details file allows administrators to review the results of the MVS utility to understand the overall count. As the details file has asset information, users are not required to submit this file to IBM.
What types of servers need to be reported for enterprise licenses?
What's counted as MVS:
- All servers (physical and virtual)
- Servers are counted regardless of infrastructure: Amazon AWS, Microsoft Azure, Google Cloud, IBM Cloud, Oracle Cloud.
- Operating systems: Windows, Linux, Unix,
- Kubernetes Nodes
- Satellite ground stations
- Network infrastructure
- Routers and switches
- Firewalls and VPNs
- Load balancers
- Proxies
- Intrusion Prevention Systems (IPS)
- File Integrity Monitoring (FIM) or File Activity Monitoring (FAM)
- Data Loss Prevention (DLP)
- Audio-visual (AV) equipment
- Client endpoints
- Workstations
- Point of Sale devices
- Meters
- Network storage and disk drives
- IoT infrastructure
- SaaS solutions
Troubleshooting
Users who experience issues with the MVS tool can review the logs in /var/log/mvs/mvs.log.
Incorrect permissions
If your user permission is not correct, the following error message is displayed in the log:
[QRADAR] [main] com.mvs.counter.MvsManager: [INFO] [NOT:0000006000][-/- -] [-/- -]Authenticate user request status: 401
[QRADAR] [main] com.mvs.counter.MvsManager: [ERROR] [NOT:0000003000][-/- -] [-/- -]Credentials are not valid, killing process - 3539
[QRADAR] [main] com.mvs.counter.MvsManager: [INFO] [NOT:0000006000][-/- -] [-/- -]Authentication has been completed successfully false
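To check for this condition without reading the whole log, the following added example (not part of the MVS utility or of IBM's documentation) summarizes the authentication messages in an MVS log. It assumes the message formats shown above; the function names and the sample log are constructed for illustration.

```shell
#!/bin/sh
# Added example, not part of the MVS utility. Message formats are the ones
# quoted in this article; the sample log below is constructed from them.

# mvs_auth_summary FILE
# One pass over an MVS log: last HTTP status of the authentication request,
# count of rejected-credential errors, and PID of the last killed process.
mvs_auth_summary() {
    awk '
        /Authenticate user request status:/ { status = $NF }
        /Credentials are not valid, killing process/ { bad++; pid = $NF }
        END {
            printf "last_status=%s invalid_credentials=%d killed_pid=%s\n",
                (status == "" ? "none" : status), bad, (pid == "" ? "none" : pid)
        }
    ' "$1"
}

# mvs_auth_failed FILE
# Succeeds (exit 0) when the most recent authentication status is 401.
mvs_auth_failed() {
    case "$(mvs_auth_summary "$1")" in
        "last_status=401 "*) return 0 ;;
        *) return 1 ;;
    esac
}

# write_sample_log FILE: constructed sample using the lines quoted above.
write_sample_log() {
    cat > "$1" <<'EOF'
[QRADAR] [main] com.mvs.counter.MvsManager: [INFO] [NOT:0000006000][-/- -] [-/- -]Authenticate user request status: 401
[QRADAR] [main] com.mvs.counter.MvsManager: [ERROR] [NOT:0000003000][-/- -] [-/- -]Credentials are not valid, killing process - 3539
[QRADAR] [main] com.mvs.counter.MvsManager: [INFO] [NOT:0000006000][-/- -] [-/- -]Authentication has been completed successfully false
EOF
}

# Demo on the constructed sample.
# On a Console, run: mvs_auth_summary /var/log/mvs/mvs.log
sample=$(mktemp)
write_sample_log "$sample"
mvs_auth_summary "$sample"
if mvs_auth_failed "$sample"; then
    echo "Authentication rejected: check the user role or authorized service token."
fi
rm -f "$sample"
```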
The MVS script fails to start
- Use SSH to log in to the QRadar Console as the root user.
- Navigate to the /opt/qradar/jars directory.
- To remove the jar file, type:
rm mvs-1.0.jar
- Navigate to the MVS directory, such as /store/mvs.
- To replace the removed jar file, type:
sh mvs.sh -s -v
- Provide permissions for the script to start.
Results
If the script continues to fail, you can contact QRadar Support for assistance.
How often does the MVS script run?
The MVS tool runs daily at midnight hardware time on the Console to create a new MVS output file.
Why do I see unknown assets in the MVS tool?
The MVS tool outputs a detailed list of IP addresses and hostnames that contributed to the MVS score. Depending on the tuning applied to your asset database, unknown assets might be counted. Administrators need to review the output to confirm the number of IT servers in use, to ensure that the best possible number can be declared for licensing.
The numeric score output by the MVS tool is dependent on the data within QRadar. If you want to improve the MVS count accuracy, you can:
- Run a vulnerability assessment import on QRadar to collect the operating system information for assets in your network. QRadar supports Qualys, Beyond Security, Rapid7, Outpost24, Tripwire, Saint, and more. To configure a vulnerability import to update assets, see our Supported vulnerability scanners list.
- Create asset identity exclusions from real-time searches to exclude assets you do not want counted by MVS.
- Ensure network hierarchy is updated so you are not collecting assets outside of your network, such as remote to remote.
How can I tune my asset database to report better results?
The MVS script uses the asset database to generate the MVS count, so administrators can experience issues where unknowns, such as mobile phones on the network or other unknown assets, are added to the count, as shown in the mvs_details.csv file. Administrators who need to tune their assets to prevent hosts from being counted as MVS should create real-time searches for asset types they want to exclude, such as VPNs, load balancers, or other asset types.
Why are open ports counted?
Open ports are counted because servers commonly exchange data with other computers on specific, well-known ports. Because QRadar detects this common port traffic in flow data, it can be used to help identify servers where no operating system information is available.
Ports that contribute to MVS:
- TCP/443 (HTTPS and APIs)
- TCP/80 (web server default port)
- TCP/8080 (web server alternate port)
- TCP/137 (NetBIOS name services)
- TCP/53 (DNS server port)
What are my reporting options?
The MVS tool is used to generate an MVS count based on data evaluated in QRadar. Administrators who experience problems with the MVS tool can contact their sales representative or customer success lead for assistance. As tuning of the assets might be required, administrators have the option to use another tool to declare their MVS count for licensing purposes. Administrators who experience issues with the MVS script can discuss using a scan report, such as a Tenable Nessus credentialed scan, to assist with the MVS process.
Acceptable methods to report your MVS count can include any of the following:
- Provide a count from your CMDB or internal asset tools.
- Use the original Python MVS script to count MVS: https://github.com/IBM/count-mvs.
- Use the MVS 2.0 utility and create asset identity exclusions.
- Scan report from a VA scanner. Several vendors provide credentialed scans that can report the OS version or application information. These details can be used to count servers or provide an OS overview through default report types.
What about temporary servers?
When MVS is reported, users are expected to report the assets protected by QRadar directly or indirectly. Administrators who use the MVS 2.0 utility are provided a nightly MVS count and a greatest count, which define the current count of MVS and the highest value recorded. Administrators are required to report the greatest MVS number seen by the tool.
Document Information
Modified date:
09 July 2024
UID
ibm17159084