MVS tool 2.1 includes several new features and updates:
- Added domain separation counts for MVS estimates. The report now breaks out the MVS count by domain and includes an individual CSV file for each domain configured in QRadar. For example, an MVS output can contain three domains: 0 (Default), Domain1, and Domain2.
- Allow users to exclude Kubernetes or VPN IP addresses by CIDR or IP address ranges.
- Improved the MVS counting:
  - Mobile devices are excluded based on their hostnames.
  - Updated the Log Source Device Types to expand the list of server types for improved detection.
  - Updated the source port list so that servers can be identified from server ports seen in events.
  - Added support to count HTTP response code (200) events.
- Hardened security by allowing only admins to run the MVS tool.
Methods to declare MVS for enterprise licenses
- Provide a count from your CMDB or internal asset tools.
- Use the MVS 2.1 utility and create asset identity exclusions.
- Scan report from a VA scanner. Several vendors provide credentialed scans that can report the OS version or application information. These details can be used to count servers or provide an OS overview through default report types.
Configuring the MVS 2.1 utility
Types of data the MVS tool reviews:
- Log source types associated with server operating systems (Windows servers, Linux, AIX, z/OS, Kubernetes nodes, and Cloud Hosts (IaaS servers)).
- Ports commonly used by servers (22, 53, 80, 137, 443, 8080)
- Assets populated into the QRadar asset database with known server operating systems by vulnerability scanners (Windows servers, Linux hosts, Unix, or AIX)
Before you begin
- Administrators must confirm that the DSM-IBMManageVirtualServer DSM is installed on their QRadar Console. To confirm, check on the Admin tab that the DSM-IBMManageVirtualServer DSM is listed as installed. Optionally, from the command line, type yum info DSM-IBMManage* and confirm that the DSM is installed:
# yum info DSM-IBMManage*
Loaded plugins: product-id, search-disabled-repos
Installed Packages
Name        : DSM-IBMManageVirtualServer
Arch        : noarch
Version     : 7.5
Release     : 20240314102425
Size        : 3.7 M
Repo        : installed
From repo   : /DSM-IBMManageVirtualServer-7.5-20240314102425.noarch
Summary     : DSM IBM Manage Virtual Server Install
URL         : www.ibm.com
License     : IBM Corp.
Description : IBM Manage Virtual Server
- The mvs.sh tool requires users to provide admin credentials or to create an authorized service token to run the utility. The recommended user role for the MVS tool is Admin, to ensure that the queries for the count can run. The minimum user role permission is Log Activity.
The steps for configuring the log source are only required during the initial setup of MVS. If you are upgrading from MVS 2.0 to MVS 2.1, you must download the updated MVS2.1.zip file. For more information, see Running the MVS utility.
- Optional. If the DSM is not installed on your Console, download the DSM from IBM Fix Central and install it:
yum install -y DSM-IBMManageVirtualServer*
- Log in to the QRadar Console as an administrator.
- Click the Admin tab.
- Click the Log Sources icon.
- Click Manage log sources, then select +New Log Source > Single Log Source.
- In the Select a Log Source Type field, type MVSCount.
Note: If this option does not display for you, confirm that the IBM Manage Virtual Server DSM is installed.
- In the Select a Protocol Type field, select Syslog.
- Configure the log source parameters:
- Name: Type a name for the log source. This value can be any name, such as MVS Count.
- Description: Optional. Type a description of the log source.
- Enabled: Ensure this check box is On.
- Log Source Group: Optional. Add the log source to a log source group.
- In the Configure protocol parameters field, configure the following parameters:
- In the Log Source Identifier field, type ibm.managevirtualserver.
- In the Incoming Payload Encoding field, select UTF-8.
- Click Finish to save the log source configuration.
- From the Admin tab, click the Custom Event Property icon.
- Select Extraction Based.
- Configure the following values:
- In the Tenant field, select N/A as the property should apply to all domains.
- Select New Property and type Response Code as the name of the property.
- In the Field Type, select numeric.
- Ensure the Enabled check box is selected.
- From the Log Source Type drop-down list, select Apache HTTP Server.
- From the Log Source drop-down list, select All.
- From the High Level Category drop-down list, select Any.
- From the Low Level Category drop-down list, select Any.
- In the Regex field, type:
" (\d{3}) (\d+|-) (\d+|-|")
Results
The custom property is created to allow the MVS tool to count 200 response codes.
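As an added example (not IBM's code and not part of the MVS tool), the following Python script applies the regex from the custom event property above to constructed Apache combined-format access log lines and counts events by status code, which is the figure the MVS tool derives from the Response Code property for Apache HTTP Server sources. The sample lines are made up; two of them are included to show when the regex does not match.

```python
import re
from collections import Counter

# The regex from the custom event property above: the closing quote of the
# request field, a space, the 3-digit status, the response size (or "-"),
# then the start of the next field (the referrer's opening quote, or "-").
RESPONSE_CODE_RE = re.compile(r'" (\d{3}) (\d+|-) (\d+|-|")')

# Constructed sample lines in Apache "combined" log format (not real traffic).
# The last two lines are deliberate edge cases: a "common" format line with
# no referrer/user-agent fields, and a line that does not parse at all.
SAMPLE_LOG = """\
10.0.0.5 - - [10/Oct/2024:13:55:36 +0000] "GET /index.html HTTP/1.1" 200 2326 "-" "Mozilla/5.0"
10.0.0.5 - - [10/Oct/2024:13:55:37 +0000] "GET /missing HTTP/1.1" 404 209 "-" "Mozilla/5.0"
10.0.0.9 - - [10/Oct/2024:13:55:40 +0000] "POST /login HTTP/1.1" 302 - "http://example.test/" "curl/8.0"
10.0.0.9 - - [10/Oct/2024:13:56:01 +0000] "GET /api/health HTTP/1.1" 200 15 "-" "kube-probe/1.29"
10.0.0.7 - - [10/Oct/2024:13:56:02 +0000] "GET /200-trap HTTP/1.1" 500 120 "-" "Mozilla/5.0"
10.0.0.3 - - [10/Oct/2024:13:57:00 +0000] "GET / HTTP/1.0" 200 2326
not an access log line
"""


def extract_response_code(line):
    """Return the HTTP status code from one access log line, or None if the
    property regex does not match (for example a common-format line)."""
    match = RESPONSE_CODE_RE.search(line)
    return int(match.group(1)) if match else None


def count_by_status(log_text):
    """Count events per status code. Returns (Counter, number_of_unparsed_lines)."""
    counts = Counter()
    unparsed = 0
    for line in log_text.splitlines():
        if not line.strip():
            continue
        code = extract_response_code(line)
        if code is None:
            unparsed += 1
        else:
            counts[code] += 1
    return counts, unparsed


def count_http_200(log_text):
    """The figure the MVS tool uses for Apache sources: events with status 200."""
    counts, _ = count_by_status(log_text)
    return counts[200]


if __name__ == "__main__":
    counts, unparsed = count_by_status(SAMPLE_LOG)
    print("status counts:", dict(counts))
    print("HTTP 200 events:", count_http_200(SAMPLE_LOG))
    print("lines not matched by the property regex:", unparsed)
```

Two points the sample shows: the regex anchors on the closing quote of the request field, so a URL such as /200-trap is not mistaken for a status code, and a line in the shorter common log format (no referrer and user-agent fields) does not match, because the third group requires a following field. The property is therefore only populated for Apache sources that log the combined format.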
The administrator must download the MVS 2.1 script from IBM Fix Central, extract the files, then run the script. The script searches the last 7 days to create an initial MVS count and evaluates new data collected to update the MVS output.
Procedure
- Download the MVS Version 2.1 script from IBM Fix Central.
- Copy MVS2.1.zip to the QRadar Console.
- Use SSH to log in to the QRadar Console as the root user.
- If you are upgrading from an earlier version of the MVS tool:
  - Type the following command to stop the tool:
  sh mvs.sh -k
  - To remove the prior version of the MVS jar, type:
  rm /opt/qradar/jars/mvs-1.0.jar
- To create a directory for the tool, type:
mkdir /store/mvs
- Extract MVS2.1.zip into the directory:
unzip MVS2.1.zip -d /store/mvs
- From the directory that contains mvs.sh (for example /store/mvs), run the utility:
sh mvs.sh -s -v
Note: The verbose option is recommended the first time administrators run the MVS count utility, because it creates the mvs_details.csv file, which shows the servers included in the initial count.
The tool provides a summary of the types of data that is counted.
# sh mvs.sh -s -v
The MVS utility counts assets using Operating System information, Log Source Types, and Ports commonly used by servers.
To receive an estimated MVS report, it is advised that tune assets on your Console.
For configuration and tuning information, see: https://ibm.biz/qradarmvs.
Do you want to run the MVS tool now (Y/N)?
- Tune any IP addresses or CIDR ranges that the MVS tool should exclude for Kubernetes:
Would you want to exclude the IP ranges of Kubernetes (Y/N)? Y
Please provide Kubernetes IP ranges to would like to exclude:
1: CIDR Ranges
2: IP Ranges (q to quit)
Please enter your choice: 1
Enter CIDR Range: 10.0.0.0/24, 10.0.0.0/16
- To exclude any assets that are not servers, such as VPN address pools, provide the addresses either as CIDR ranges (option 1) or as IP address ranges (option 2):
Would you want to exclude the IP ranges of VPN(Y/N)? Y
Please provide VPN IP ranges to would like to exclude:
1: CIDR Ranges
2: IP Ranges (q to quit)
Please enter your choice: 1
Enter CIDR Range: 192.168.1.100-192.168.1.255,10.1.1.10-10.1.1.255
- Select an authentication method for the mvs utility.
Note: The user or authorized service token can have the Admin user role. Users who want to run with reduced permissions can use the Log Activity user role as the minimum permission level.
Which authentication would you like to use:
1: Admin user
2: Authorized service (q to quit)
Please enter your choice:
- Wait for the MVS utility to run:
Username: admin
Password:
starting MVS counter...
validating MVS running...
..........
MVS Counter process started successfully.
- Wait for the CSV files to be created in the /store/mvs directory.
Results
The tool runs nightly at midnight to generate new MVS reports. The MVS 2.1 utility creates multiple files for administrators if domains are configured in QRadar:
- count_mvs.csv - This file has a summary of the overall count that administrators can use to declare MVS licenses to IBM. If you have domains configured, a summary is also provided for each domain.
- mvs_details.csv - If the verbose option is enabled, a details file is created. The details file allows administrators to review the results of the MVS utility and understand the overall count. Because the details file contains asset information, users are not required to submit this file to IBM.
- {domainname}_mvs_count.csv - A file is created for each domain, which is then summarized in the count_mvs.csv file.
Requesting support assistance
Required log files
To understand how the MVS tool counted the servers in your network, several files are required. To best assist you and understand your issue, attach the following files to your support case:
- /var/log/mvs.log
- /store/mvs/count_mvs.csv
- /store/mvs/mvs_details.csv
- /store/mvs/{domainname}_mvs_count.csv
- Open a case with QRadar Support: https://www.ibm.com/mysupport/s/createrecord/NewCase
- Log in with your IBM ID.
- In the Type of support field, select Product support.
- In the Case title field, type MVS tool help.
Note: The keyword MVS is important in the case title because it helps the support system route your case to the proper support team.
- Complete the product information fields and select your QRadar software version.
- In the Severity and account information section, select a Severity and include your business impact. The impact might be counting issues or errors you experience with the MVS tool.
- Fill out the Case Description field and ensure you attach your logs and verify your contact number. If you plan to be out of the office, you can add a team member from your organization to your case.
Results
A QRadar Support representative will review the case and contact you using your preferred method of communication.
What types of servers need to be reported for enterprise licenses?
What's counted as MVS:
- All servers (physical and virtual)
- Servers are counted regardless of infrastructure: Amazon AWS, Microsoft Azure, Google Cloud, IBM Cloud, Oracle Cloud.
- Operating systems: Windows, Linux (Ubuntu, Red Hat, Kali, and other distributions), Unix, HP-UX, and AIX.
- Kubernetes nodes
- Satellite ground stations
What's not counted as MVS:
- Network infrastructure
  - Routers and switches
  - Firewalls and VPNs
  - Load balancers
  - Proxies
  - Intrusion Prevention Systems (IPS)
  - File Integrity Monitoring (FIM) or File Activity Monitoring (FAM)
  - Data Loss Prevention (DLP)
  - Audio-visual (AV) equipment
- Client endpoints
  - Workstations
  - Point of Sale devices
  - Meters
- Network storage and disk drives
- IoT infrastructure
- SaaS solutions
Troubleshooting
Users who experience issues with the MVS tool can review the logs in /var/log/mvs/mvs.log.
Incorrect permissions
If your credentials or user permissions are not correct, the following messages are displayed in the log:
[QRADAR] [main] com.mvs.counter.MvsManager: [INFO] [NOT:0000006000][-/- -] [-/- -]Authenticate user request status: 401
[QRADAR] [main] com.mvs.counter.MvsManager: [ERROR] [NOT:0000003000][-/- -] [-/- -]Credentials are not valid, killing process - 3539
[QRADAR] [main] com.mvs.counter.MvsManager: [INFO] [NOT:0000006000][-/- -] [-/- -]Authentication has been completed successfully false
If you need to stop the script for any reason, you can use the -k option to kill the utility.
- Use SSH to log in to the QRadar Console as the root user.
- Navigate to the MVS directory, such as /store/mvs.
- To stop the utility, type:
sh mvs.sh -k
The utility is halted.
The MVS script fails to start
- Use SSH to log in to the QRadar Console as the root user.
- Navigate to the /opt/qradar/jars directory.
- To remove the jar file, type:
rm mvs-1.0.jar
- Navigate to the MVS directory, such as /store/mvs.
- To redeploy the jar file and start the utility, type:
sh mvs.sh -s -v
- When prompted, select the authentication method (Admin user or Authorized service) so that the script can start.
Results
If the script continues to fail, you can contact QRadar Support for assistance.
How often does the MVS script run?
The MVS tool runs daily at midnight (Console hardware clock time) to create a new MVS output file.
Why do I see unknown assets in the MVS tool
The MVS tool outputs a detailed list of the IP addresses and hostnames that contributed to the MVS count. Depending on the tuning applied to your asset database, unknown assets might be counted. Administrators need to review the output and confirm the number of servers in use, so that the best possible number can be declared for licensing.
The count output by the MVS tool depends on the data within QRadar. If you want to improve the MVS count accuracy, you can:
- Run a vulnerability assessment import on QRadar to collect the operating system information for assets in your network. QRadar supports Qualys, Beyond Security, Rapid7, Outpost24, Tripwire, Saint, and more. To configure a vulnerability import to update assets, see our Supported vulnerability scanners list.
- Create asset identity exclusions from real-time searches to exclude assets you do not want counted by MVS.
- Ensure network hierarchy is updated so you are not collecting assets outside of your network, such as remote to remote.
How can I tune my asset database to report better results?
Because the MVS script uses the asset database to generate the MVS count, administrators can find unknowns, such as mobile phones on the network or unidentified assets, added to the count when they review the mvs_details.csv file. Administrators who need to tune their assets to prevent such hosts from being counted as MVS should create real-time searches for the asset types they want to exclude, such as VPNs, load balancers, or other non-server asset types.
What types of data should I tune with identity exclusions?
- VPN users with changing DHCP addresses. For example, 10.3.18.19, 10.3.18.22, 10.3.20.21, 10.3.20.25
- Workstation IP addresses or hostnames, for example "JOHN" or "DESKTOP-XXX"
- Mobile phone IP addresses or hostnames, for example "galaxy-xx" or "iphone-xx"
- MAC addresses that report as ::1
References
What data does the MVS tool use in QRadar to create an MVS count report?
Operating systems that contribute to MVS
Asset data with operating system information, added by VA scanner imports, is used to distinguish servers from endpoints and to create a list of hostnames and IP addresses for MVS counting reports. The following operating systems are used to generate MVS counts from data within QRadar:
- Windows Servers
- Linux Servers
- AIX Servers
- AS/400
- zOS
- Other server operating systems
- Kubernetes Nodes
- Satellite ground stations
- Apache HTTP servers with HTTP code 200
Log Source Types that contribute to MVS
Log source types that are configured in QRadar that are common to servers are evaluated to estimate the number of servers in QRadar. Each Log Source enabled for the following Log Source Types counts as 1 MVS:
Log Source Type Names:
- Ambiron TrustWave ipAngel Intrusion Prevention System
- Apache HTTP Server
- EMC VMware
- EMC VMware vCenter
- EMC VMware vCloud
- FreeRADIUS
- GenericAuthServer/Configurable Authentication message filter
- Hewlett Packard UniX (HP-UX)
- HP Tandem
- IBM AIX Server
- IBM DB2
- IBM i
- IBM Informix
- IBM RACF
- IBM Security Access Manager for Mobile
- IBM Security Directory Server
- IBM Security Trusteer
- IBM WebSphere Application Server
- IBM AIX Audit
- IBM zSecure Alert
- Linux DHCP
- Linux IPtables
- Linux login messages
- Microsoft DHCP Server
- Microsoft DNS Debug
- Microsoft Exchange Server
- Microsoft IAS Server
- Microsoft IIS Webserver Logs (IIS)
- Microsoft ISA
- Microsoft SQL Server
- Microsoft Hyper-V
- Microsoft SharePoint
- OpenBSD OS
- OpenLDAP
- Oracle Database Listener
- Oracle RDBMS OS Audit Record
- Oracle Alert Logs
- Oracle BEA WebLogic
- Oracle FGA
- PostFix Mail Transfer Agent
- SecureAuth IdP
- SecWorld XGF Series
- Solaris Operating System Authentication Messages
- Solaris Operating System DHCP Logs
- Solaris Operating System Sendmail Logs
- Solaris BSM
- SQL Server Trace
- Squid Web Proxy
- Sun ONE LDAP
- Sybase ASE
- WinCollect
- WindowsAuthServer
Ports that contribute to MVS
Open ports are counted for common server communications, where data is exchanged between computers on ports that are typical of servers. Because QRadar detects common port traffic from flow data, this traffic can be used to help identify servers alongside any operating system information that is available. The following ports are counted as server communication, and each asset that communicates on one of them counts as 1 MVS.
Port number | Server port association |
---|---|
25, 465, 587, 110, 143, 993, 995, 563, 1352 | Mail server |
3128, 1080, 3127 | Proxy server |
111, 369, 530 | RPC server |
161, 162 | SNMP server |
22 | SSH server |
514, 1514 | Syslog server |
80, 8080, 443, 8000, 8001 | Web server |
135, 137, 138, 139, 445, 593 | Windows server |
In earlier versions of the MVS tool, assets whose hostnames identified them as mobile devices could be incorrectly counted. For this reason, the MVS tool 2.1 has an exclusion list for common mobile devices. Assets with the following strings in their hostnames are expected not to be counted as MVS, as they are likely mobile phones:
- android
- asus
- blackberry
- galaxy
- honor
- huawei
- ipad
- iphone
- ipod
- mate
- moto
- motorola
- oneplus
- oppo
- pixel
- redmi
- reno
- samsung
- sony
- vivo
- xiaomi
- xperia
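The following Python example is added here and is not part of the MVS tool or any IBM code. It models, on constructed flow records and asset hostnames, the three tuning rules this page describes: the server port table above (each asset seen on a server port counts once), the Kubernetes and VPN exclusions entered at the mvs.sh prompts in the Running the MVS utility procedure (both CIDR ranges and IP address ranges), and the mobile device hostname exclusion list. The page does not state the tool's exact hostname matching rule, so the token-prefix match in is_mobile_hostname is an assumption, chosen so that a hostname such as climate-db01 is not dropped by the "mate" keyword. The sample flows, assets, domains and exclusion entries are constructed; log source type and VA scanner OS signals are not modeled.

```python
import ipaddress
import re
from collections import Counter

# Server port table from the page: an asset seen answering on one of these
# ports is treated as a server of that role.
SERVER_PORTS = {}
for _ports, _role in [
    ([25, 465, 587, 110, 143, 993, 995, 563, 1352], "Mail server"),
    ([3128, 1080, 3127], "Proxy server"),
    ([111, 369, 530], "RPC server"),
    ([161, 162], "SNMP server"),
    ([22], "SSH server"),
    ([514, 1514], "Syslog server"),
    ([80, 8080, 443, 8000, 8001], "Web server"),
    ([135, 137, 138, 139, 445, 593], "Windows server"),
]:
    for _p in _ports:
        SERVER_PORTS[_p] = _role

# Mobile device hostname list from the page.
MOBILE_HOSTNAME_KEYWORDS = (
    "android", "asus", "blackberry", "galaxy", "honor", "huawei", "ipad",
    "iphone", "ipod", "mate", "moto", "motorola", "oneplus", "oppo", "pixel",
    "redmi", "reno", "samsung", "sony", "vivo", "xiaomi", "xperia",
)


def parse_exclusions(text):
    """Parse comma-separated entries in either form the mvs.sh prompts accept:
    CIDR ranges (10.0.0.0/24) or IP ranges (192.168.1.100-192.168.1.255).
    Returns a list of (first_address, last_address) pairs."""
    ranges = []
    for item in text.split(","):
        item = item.strip()
        if not item:
            continue
        if "-" in item:
            lo, hi = (ipaddress.ip_address(p.strip()) for p in item.split("-", 1))
            if lo.version != hi.version or lo > hi:
                raise ValueError(f"invalid IP range: {item}")
        else:
            net = ipaddress.ip_network(item, strict=False)
            lo, hi = net[0], net[-1]
        ranges.append((lo, hi))
    return ranges


def is_excluded(ip, exclusions):
    """True when ip falls inside any excluded CIDR or IP range."""
    addr = ipaddress.ip_address(ip)
    return any(addr.version == lo.version and lo <= addr <= hi for lo, hi in exclusions)


def is_mobile_hostname(hostname):
    """Assumed matching rule (the page does not document the tool's rule):
    split the hostname into tokens and flag it when a token starts with a
    keyword, so 'galaxy-s23' is mobile but 'climate-db01' is not."""
    tokens = [t for t in re.split(r"[^a-z0-9]+", (hostname or "").lower()) if t]
    return any(t.startswith(k) for t in tokens for k in MOBILE_HOSTNAME_KEYWORDS)


def estimate_mvs(flows, assets, exclusions):
    """flows: (src_ip, dst_ip, dst_port, domain) tuples; assets: {ip: hostname}.
    Returns (Counter of MVS per domain, {ip: (domain, reason)} details)."""
    details = {}
    for _src, dst, dport, domain in flows:
        role = SERVER_PORTS.get(dport)
        if role is None or is_excluded(dst, exclusions):
            continue
        if is_mobile_hostname(assets.get(dst)):
            continue
        # One MVS per asset, however many server ports it is seen on.
        details.setdefault(dst, (domain, f"port {dport} ({role})"))
    return Counter(domain for domain, _ in details.values()), details


# Constructed sample data (not real flow records, assets or domains).
SAMPLE_FLOWS = [
    ("10.3.18.19", "10.1.5.10", 443, "Default"),     # web server -> counted once
    ("10.3.18.22", "10.1.5.10", 22, "Default"),      # same asset, second port
    ("10.1.5.10", "10.0.0.15", 8080, "Default"),     # Kubernetes CIDR -> excluded
    ("10.1.5.11", "192.168.1.120", 445, "Domain1"),  # VPN IP range -> excluded
    ("10.1.5.10", "10.2.0.7", 445, "Domain1"),       # hostname galaxy-s23 -> excluded
    ("10.1.5.10", "10.2.0.8", 25, "Domain1"),        # mail server -> counted
    ("10.1.5.10", "10.2.0.9", 3389, "Domain1"),      # port not in table -> ignored
    ("10.1.5.10", "10.2.0.20", 514, "Domain2"),      # syslog server -> counted
]
SAMPLE_ASSETS = {"10.2.0.7": "galaxy-s23", "10.2.0.8": "climate-db01"}
SAMPLE_EXCLUSIONS = parse_exclusions("10.0.0.0/24, 192.168.1.100-192.168.1.255")

if __name__ == "__main__":
    per_domain, details = estimate_mvs(SAMPLE_FLOWS, SAMPLE_ASSETS, SAMPLE_EXCLUSIONS)
    for ip, (domain, reason) in sorted(details.items()):
        print(f"{domain:8} {ip:15} {reason}")
    print("MVS per domain:", dict(per_domain), "total:", sum(per_domain.values()))
```

The details dictionary plays the role of mvs_details.csv (which asset was counted and why), and the per-domain Counter plays the role of the per-domain summaries in count_mvs.csv. Reviewing the reasons is how you spot assets that should be tuned out with an identity exclusion rather than reported.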
What are my reporting options?
The MVS tool generates an MVS count based on the data in QRadar. Administrators who experience problems with the MVS tool can contact their sales representative or customer success lead for assistance. Because tuning of the assets might be required, administrators have the option to use another tool to declare their MVS count for licensing purposes. If you experience issues with the MVS script, you can discuss using a scan report, such as a Tenable Nessus credentialed scan, to assist with the MVS process.
Acceptable methods to report your MVS count can include any of the following:
- Provide a count from your CMDB or internal asset tools.
- Use the MVS 2.1 utility and create asset identity exclusions.
- Scan report from a VA scanner. Several vendors provide credentialed scans that can report the OS version or application information. These details can be used to count servers or provide an OS overview through default report types.
- Use the original Python MVS script to count MVS: https://github.com/IBM/count-mvs.
What about temporary servers?
When MVS is reported, users are expected to report the assets protected by QRadar, directly or indirectly. Administrators who use the MVS 2.1 utility are provided with a nightly MVS count and a greatest count: the current number of MVS and the highest value recorded. Administrators are required to report the greatest MVS number seen by the tool. Servers identified by the MVS tool can drop off the count after the asset expires, based on the Asset Profiler Configuration set by the administrator. By default, automatically discovered assets are retained for 120 days, but this time frame can be configured by administrators.
Document Information
Modified date:
15 October 2024
UID
ibm17159084