Asset Group for Tagging or Direct Asset Tagging

I want to Tag my Assets with what VLAN they are on.
There are two ways that I can think of doing this:

  1. Use a Dynamic Asset Group to apply the Tag by filter
  2. Directly Tag the Assets using the API and a script

I have around 230 different VLANs to Tag with and originally had them as Dynamic Asset Groups, but I was told that was hurting the performance on my box, so I switched to Directly Tagging Assets via a script, but I do not see any improvement. I know Sites should be kept to a minimum, but what about Asset Groups or Tags, do they also hurt performance?

Good question, I’d like to know that too. I’ve also been using Dynamic Asset Groups to tag VLANs, in addition to tagging new devices with their OUs using the AD webhook. We’ve got about as many VLANs and 30k devices, so if it’s creating a significant performance problem, I’d switch to using PowerShell to automatically tag things using the API.

The only thing that bothers me is that my memory didn’t increase after removing all the Asset Groups and even running a maintenance cycle. It seems that everything I do to free up memory just uses more. And it makes me wonder if it was worth it because the Asset Group way of Tagging is so much more elegant and easier to maintain.

Agreed. I’ve run into memory problems before and ended up having to rate-limit specific scans (log4j) to prevent the scanner from getting backlogged forever.

So just to verify, are you actually creating an asset group with a tag or are you just referring to using the filtered asset search to dynamically create a tag?

The first would essentially be an Asset Group and Tag and the latter would only have a Tag.

Personally I would just use the Dynamic Tags for all of the VLANs. Ideally, there should really be no difference in the overhead between a tag and an asset group. However, if your tag is being applied because of the association of an asset group then you would be doubling the resources used if your only goal was to tag.

I think that is why I was told I have too many. I was using an Asset Group only to Tag Assets, and like you said, I doubled the resources.
So for Tags that I just want to use as informational (or membership in an Asset Group) I should probably just Tag them using the API.
For Tags that I want to reference somewhere else, let the Asset Group do the Tagging.

You don’t even need to use the API is what I’m saying. You can create tags with dynamic criteria without having to also specify an asset group. So instead of the Asset Group being defined on the VLAN and the tag just being defined as the association on the asset group, you just tell the tag to be defined on the criteria of the VLAN.

Once you put in the criteria to the filtered asset search and click search, just hit add tags. Don’t tell it to create asset group.

For anyone following this who has over 100 Tags that they want to convert to this (in my example, all my existing VLANs, because each VLAN also included Tags for What Firewall that network was behind, the datacenter it is in, and any other Networking specifics like DMZ or PCI): instead of going to each Tag and manually adding the Search Criteria, there is an API endpoint you can use to bulk update these: https://rapid7con10app1.gianteagle.com:3780/api/3/html#operation/updateTagSearchCriteria

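An added example, not part of the thread: a dry-run planner for the bulk update mentioned in the last post, which builds one tag search-criteria update per VLAN so the whole batch can be reviewed before anything is sent. It assumes each VLAN maps to one IPv4 subnet, that the operation is `PUT /api/3/tags/{id}/search_criteria`, and that the `ip-address` filter accepts `in-range` with `lower`/`upper`; check these against the API documentation on your own console. The console URL, tag names, tag IDs and subnets are constructed placeholders.

```python
import ipaddress
import json

# Constructed sample data: tag names, tag IDs and subnets are placeholders.
VLAN_SUBNETS = {"VLAN-110": "10.20.110.0/24", "VLAN-120": "10.20.120.0/23"}
TAG_IDS = {"VLAN-110": 41, "VLAN-120": 42}
CONSOLE = "https://console.example.internal:3780"  # placeholder console URL


def criteria_for_subnet(cidr):
    """Build a search-criteria body matching every address in the subnet."""
    # strict=True rejects entries with host bits set (e.g. 10.0.0.5/24),
    # which usually indicates a typo in the VLAN inventory.
    net = ipaddress.ip_network(cidr, strict=True)
    return {
        "match": "all",
        "filters": [{
            "field": "ip-address",       # assumed filter field name
            "operator": "in-range",      # assumed operator name
            "lower": str(net.network_address),
            "upper": str(net.broadcast_address),
        }],
    }


def plan_updates(vlan_subnets, tag_ids, console=CONSOLE):
    """Return (requests, skipped): one PUT per VLAN that has a known tag ID."""
    requests, skipped = [], []
    for vlan, cidr in sorted(vlan_subnets.items()):
        if vlan not in tag_ids:
            skipped.append(vlan)  # never guess an ID; report it instead
            continue
        requests.append({
            "method": "PUT",
            "url": f"{console}/api/3/tags/{tag_ids[vlan]}/search_criteria",
            "body": criteria_for_subnet(cidr),
        })
    return requests, skipped


if __name__ == "__main__":
    planned, missing = plan_updates(VLAN_SUBNETS, TAG_IDS)
    for req in planned:
        print(req["method"], req["url"], json.dumps(req["body"]))
    print("no tag ID for:", missing)
```

Each planned request can then be sent with any HTTP client, using an account limited to tag management and with TLS certificate verification left on.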