Unknown agent ID and IP address
We're using HPOMW 9 to monitor many Windows, Unix, and Linux servers.
The policy “VP_SM-Server_EventLogEntries(11.0) (forwards all entries with source HPOV-MS)” recently started generating the following odd event on a daily basis.
EventID: 0x00000400 (1024) - (MS526) Incoming address change information was not processed on server.
No managed node having an AgentId '87ce81e2-6502-7569-18ed-f37967b1c7e4' was found.
The change information contains the following IP address(es): 22.214.171.124
Below is the name associated with the IP address listed in the event.
# nslookup 126.96.36.199
We do not recognize that FQDN.
Our DNS server forwards that out to the Internet for a response but we have no idea how that IP address got tied to an OMW agent ID.
Did a quick google search on that domain name and found “nagoya1.commufa.jp is an IP address owned by Commufa and located in Nagoya, Japan”.
Our organization has nothing to do with that company or domain.
We used wbemtest and connected to root\hewlettpackard\openview\data namespace and executed the following query:
select * from ov_managednode where agentid = '87ce81e2-6502-7569-18ed-f37967b1c7e4'
Unfortunately, nothing was found.
Does anyone know how we could go about stopping this event?
How could we find what node used the agent ID referenced in the event?
Any help from the experts out there would really be appreciated.
Thanks in advance.
I hope you’re having a great day,
Could you please check if the fqdn and the coreID are the same in the ovconfget of the node with the issue? Also please check in the proprieties of the node have the same coreID and FQDN in the advanced settings in the tree node on the OMW console.
Any questions or doubts please let me know.
As mentioned in my original post, we don't know which node that agent ID (and IP address) is associated with so we can't run ovconfget or check its properties.
That event is being generated by the “VP_SM-Server_EventLogEntries(11.0) (forwards all entries with source HPOV-MS)” policy running on the HPOMW 9 management server.
We're guessing the agent was removed from a node but not cleanly removed from the management server or vice versa.
We need a way to determine what node used the agent ID referenced in that event.
As noted in the original post, we could not find it by executing wbemtest and checking the root\hewlettpackard\openview\data namespace.