After I posted my previous blog entry [1] I went on to implement a solution (for which the documentation is done and awaiting moderation to be released here on Connect).
It worked pretty well, but we still have far too many basic inventories coming in. A look at captured NSEs indicated that there is another problem, with other inventories hijacking the Basic Inventory Capture Item:
Sample 1:
```xml
<?xml version='1.0' ?>
<message>
  <from><resource guid='{ffffff-ffff-ffff-ffff-ffffffffffff}' typeGuid='{493435F7-3B17-4C4C-B07F-C23E7AB7781F}'/></from>
  <to>1592B913-72F3-4c36-91D2-D4EDA21D2F96</to>
  <time>20130905211027.187000-120</time>
  <body>
    <inventory>
      <dataClass guid="ca029e6b-f124-4399-9b91-10c41b73165b">
        <data>
          <resource partialUpdate="true">
            <row PolicyGuid="ffffff-ffff-ffff-ffff-ffffffffffff" TaskInstanceGuid="ffffff-ffff-ffff-ffff-ffffffffffff"/>
          </resource>
        </data>
      </dataClass>
    </inventory>
  </body>
</message>
```

```xml
<?xml version='1.0' ?>
<message>
  <from><resource guid='{ffffff-ffff-ffff-ffff-ffffffffffff}' typeGuid='{493435F7-3B17-4C4C-B07F-C23E7AB7781F}'/></from>
  <to>1592B913-72F3-4c36-91D2-D4EDA21D2F96</to>
  <time>20130905203801.546000-120</time>
  <body>
    <inventory>
      <dataClass guid="246cd556-2330-465c-8dc3-5914d10f7d76">
        <data>
          <resource partialUpdate="true">
            <row Compliance="1" PolicyGuid="ffffff-ffff-ffff-ffff-ffffffffffff" StringGuid="00000000-0000-0000-0000-000000000000"/>
          </resource>
        </data>
      </dataClass>
    </inventory>
  </body>
</message>
```
A quick query on the database showed the following information for the offending dataclasses:
Name | Description |
---|---|
Policy Compliance Remediation | Stores a record each time a task is launched in an attempt to remediate a non-compliant computer |
Policy Compliance Status | Records status of compliance against a given computer and assigned policy |
Conclusion: the Policy Compliance Remediation and Status data is sent with the Basic Inventory Capture Item, which is misleading. Given that the data is gathered and sent by the agent (Software Management?), we cannot fix it ourselves and will have to report the issue as a defect to the Software Management team.
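To repeat this check over a larger set of captured NSEs, the following added example (not part of the original solution) tallies which dataclass GUIDs arrive addressed to the capture item, so the offenders can then be looked up in the database. It assumes the `<to>` value in the samples is the Basic Inventory Capture Item; the function names and the trimmed sample strings are constructed for illustration.

```python
import xml.etree.ElementTree as ET
from collections import Counter

# <to> value from the captured samples; assumed to be the Basic Inventory Capture Item.
BASIC_INVENTORY_ITEM = "1592b913-72f3-4c36-91d2-d4eda21d2f96"

def norm_guid(value):
    """Lower-case a GUID and drop braces so differently written forms compare equal."""
    return (value or "").strip().strip("{}").lower()

def summarize_nse(xml_text):
    """Return (destination item, [(dataclass guid, row count, row attribute names)])."""
    root = ET.fromstring(xml_text.strip())
    dest = norm_guid(root.findtext("to"))
    classes = []
    for dc in root.iterfind("./body/inventory/dataClass"):
        rows = dc.findall("./data/resource/row")
        columns = sorted({name for row in rows for name in row.attrib})
        classes.append((norm_guid(dc.get("guid")), len(rows), columns))
    return dest, classes

def tally_dataclasses(messages, item=BASIC_INVENTORY_ITEM):
    """Count dataClass blocks per GUID across the NSEs addressed to `item`."""
    counts = Counter()
    for text in messages:
        try:
            dest, classes = summarize_nse(text)
        except ET.ParseError:
            counts["<unparseable>"] += 1  # truncated or partially written capture
            continue
        if dest == item:
            counts.update(guid for guid, _rows, _cols in classes)
    return counts

# Constructed input: the two captures above, trimmed, plus one truncated file.
_HEAD = "<?xml version='1.0' ?> <message> <to>1592B913-72F3-4c36-91D2-D4EDA21D2F96</to> <body><inventory>"
_TAIL = "</resource></data></dataClass></inventory></body></message>"
SAMPLES = [
    _HEAD + '<dataClass guid="ca029e6b-f124-4399-9b91-10c41b73165b"><data><resource partialUpdate="true">'
    '<row PolicyGuid="ffffff-ffff-ffff-ffff-ffffffffffff" TaskInstanceGuid="ffffff-ffff-ffff-ffff-ffffffffffff"/>' + _TAIL,
    _HEAD + '<dataClass guid="246cd556-2330-465c-8dc3-5914d10f7d76"><data><resource partialUpdate="true">'
    '<row Compliance="1" PolicyGuid="ffffff-ffff-ffff-ffff-ffffffffffff"/>' + _TAIL,
    _HEAD + '<dataClass guid="246cd556-2330-465c-8dc3-5914d10f7d76"><data>',
]

if __name__ == "__main__":
    for guid, n in tally_dataclasses(SAMPLES).most_common():
        print(f"{n:5d}  {guid}")
```

The row attribute names returned by `summarize_nse` help confirm which dataclass a GUID belongs to before querying the database.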
Oh, and here's riddle (2) then: