InsightIDR agent on VMware non-persistent clones

Greetings everyone,

We are trying to deploy the Rapid7 Insight Agent on our VMware VDI machines. They are non-persistent, instant clones. We are running into an issue where every time a clone comes online, it’s creating a duplicate instance of the machine in the InsightIDR console.

We’ve followed the instructions here https://docs.rapid7.com/insight-agent/virtualization/, i.e. stopped the service, removed the bootstrap.cfg, and captured the image; however, the clones still create duplicate entries.

Any input would be appreciated. Thank you


Hi,

When you say the IDR console, do you mean the agent management page? If so, this is expected behavior currently. We are working towards solving this issue by correlating VDI assets by some value other than the agentid, but right now the agent management page relies solely on the unique agentid for each agent shown, and each VDI will have its own unique agent id.

One thing to note, if these VDIs spin up and down and maintain the same hostname (as opposed to some random name) then IDR itself will correlate the newly provisioned agent to the same hostname in IDR.

David

The VDIs’ host names are predetermined by the provisioning settings using a naming pattern within VMware Horizon, i.e. VDI-X, where X could be any number from 1 to the max number of provisioned VDIs in the pool.

And would this hostname iterate/change every single time it’s spun down and up?

David

No, it would remain the same unless the pool was recomposed, which it hasn’t been.

Understood, so then with IDR itself the assets would only have 1 record for each FQDN, whereas in Agent Management there is going to be 1 record for each uuid. One way to get a better sense of the overall counts of agents would be to apply filters based on their status, such as Online or Offline with a timestamp within the last 24 hours. For example:

[Screenshot: Screen Shot 2022-08-04 at 3.54.51 PM]

Understanding this is an older post.
We have the same problem, and have been working with Rapid7 Engineering since at least January of 2022. It is a known problem that as of 12/7/2022 has not been corrected. VMware has not been responsive to Rapid7 with respect to assistance. If you are continuing to have a problem, reach out to your VMware team and encourage them to work with Rapid7 on a resolution.

This is still an issue in 2023, also in non-persistent Citrix environments. This issue really shows when the billing model is per device, and this trickles down to what you bill customers if you are an MSSP 🙂 There are currently no ways to control this besides having a script that saves the bootstrap.cfg right before reboot and reinserts it before startup. Please just support some kind of user-controlled env vars to correlate besides uuid, or having “reserved host names” that can be set in the Rapid7 platform tenant and correlate/merge those hostnames regardless of its uuid.
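
Added example, not part of the thread and not Rapid7 code: one way to reconcile the per-uuid records discussed above into one record per hostname and to count hosts seen in the last 24 hours. The CSV export and its column names (`agent_id`, `hostname`, `status`, `last_seen`) are assumptions, and the rows are constructed sample data.

```python
import csv
import io
from datetime import datetime, timedelta, timezone

# Constructed sample export; the column names (agent_id, hostname, status,
# last_seen) are assumptions, not a documented Rapid7 export format.
SAMPLE_EXPORT = """agent_id,hostname,status,last_seen
a1f0,VDI-1,Offline,2022-08-01T09:00:00+00:00
b2e1,VDI-1,Offline,2022-08-03T09:00:00+00:00
c3d2,VDI-1,Online,2022-08-04T14:30:00+00:00
d4c3,VDI-2,Online,2022-08-04T15:10:00+00:00
e5b4,vdi-2,Offline,2022-08-02T11:00:00+00:00
f6a5,VDI-3,Offline,2022-07-20T08:00:00+00:00
"""

def load_agents(text):
    """Parse the export; hostnames are lower-cased because Windows names are case-insensitive."""
    rows = []
    for row in csv.DictReader(io.StringIO(text)):
        row["hostname"] = row["hostname"].strip().lower()
        row["last_seen"] = datetime.fromisoformat(row["last_seen"])
        rows.append(row)
    return rows

def reconcile(rows, now, window=timedelta(hours=24)):
    """Group per-uuid records by hostname; return (current, stale_ids, active_hosts)."""
    by_host = {}
    for row in rows:
        by_host.setdefault(row["hostname"], []).append(row)
    current, stale_ids = {}, []
    for host, records in by_host.items():
        records.sort(key=lambda r: r["last_seen"], reverse=True)  # newest first
        current[host] = records[0]["agent_id"]  # agent id of the live clone
        stale_ids += [r["agent_id"] for r in records[1:]]  # left by earlier clones
    active_hosts = sorted(
        h for h, recs in by_host.items() if now - recs[0]["last_seen"] <= window
    )
    return current, sorted(stale_ids), active_hosts

if __name__ == "__main__":
    now = datetime(2022, 8, 4, 16, 0, tzinfo=timezone.utc)  # fixed "now" for the sample
    current, stale_ids, active_hosts = reconcile(load_agents(SAMPLE_EXPORT), now)
    print(len(current), "hosts,", len(stale_ids), "stale ids,", len(active_hosts), "active")
```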