

AWS Application Discovery Service is no longer open to new customers. Alternatively, use AWS Transform which provides similar capabilities. For more information, see [AWS Application Discovery Service availability change](https://docs.aws.amazon.com/application-discovery/latest/userguide/application-discovery-service-availability-change.html).

# Application Discovery Service Agentless Collector

Application Discovery Service Agentless Collector (Agentless Collector) is an on-premises application that collects information through agentless methods about your on-premises environment, including server profile information (for example, OS, number of CPUs, amount of RAM), database metadata, utilization metrics, and data about network traffic among on-premises servers. You install the Agentless Collector as a virtual machine (VM) in your VMware vCenter Server environment using an Open Virtualization Archive (OVA) file. 

Agentless Collector has a modular architecture, which allows for the use of multiple agentless collection methods. Agentless Collector provides modules for data collection from VMware VMs and from database and analytics servers. It also provides a module for collecting data about network traffic among your on-premises servers.

Agentless Collector supports data collection for AWS Application Discovery Service (Application Discovery Service) by collecting usage and configuration data about your on-premises servers and databases, as well as data about network traffic among your on-premises servers.

Application Discovery Service is integrated with AWS Migration Hub, a service that simplifies your migration tracking as it aggregates your migration status information into a single console. You can view the discovered servers, obtain Amazon EC2 recommendations, visualize network connections, group servers into applications, and then track the migration status of each application from the Migration Hub console in your home Region.

The Agentless Collector database and analytics data collection module is integrated with AWS Database Migration Service (AWS DMS). This integration helps plan your migration to the AWS Cloud. You can use the database and analytics data collection module to discover database and analytics servers in your environment and build an inventory of servers that you want to migrate to the AWS Cloud. This data collection module collects database metadata and actual utilization metrics of CPU, memory, and disk capacity. After you collect these metrics, you can use the AWS DMS console to generate target recommendations for your source databases.

# Prerequisites for Agentless Collector

The following are the prerequisites for using Application Discovery Service Agentless Collector (Agentless Collector):
+ One or more AWS accounts.
+ An AWS account with the AWS Migration Hub home Region set. See [Sign in to the Migration Hub console and choose a home Region](setting-up.md#setting-up-choose-home-region). Your Migration Hub data is stored in your home Region for purposes of discovery, planning, and migration tracking.
+ An AWS account IAM user that is set up to use the AWS managed policy `AWSApplicationDiscoveryAgentlessCollectorAccess`. To use the database and analytics data collection module, this IAM user must also use two customer managed IAM policies, `DMSCollectorPolicy` and `FleetAdvisorS3Policy`. For more information, see [Create an IAM user for Agentless Collector](agentless-collector-deploying.md#agentless-collector-gs-iam-user). The IAM user must be created in an AWS account with the Migration Hub home Region set.
+ VMware vCenter Server V5.5, V6, V6.5, 6.7 or 7.0.
**Note**  
The Agentless Collector supports all of these versions of VMware, but we currently test against versions 6.7 and 7.0.
+ For VMware vCenter Server setup, make sure that you can provide vCenter credentials with Read and View permissions set for the System group.
+ Agentless Collector requires outbound access over TCP port 443 to several AWS domains. For a list of these domains, see [Configure firewall for outbound access to AWS domains](#agentless-collector-gs-prerequisites-firewall).
+ To use the database and analytics data collection module, create an Amazon S3 bucket in the AWS Region that you set as your Migration Hub home Region. The database and analytics data collection module stores inventory metadata in this Amazon S3 bucket. For more information, see [Creating a bucket](https://docs.aws.amazon.com/AmazonS3/latest/userguide/create-bucket-overview.html) in the *Amazon S3 User Guide*.
+ Agentless Collector version 2 requires ESXi 6.5 or a later version.

## Configure data perimeter for access to AWS service-owned resources

The Agentless Collector automatic update feature retrieves updates in the form of Docker images from an AWS service-owned Public ECR Repository. If you are using data perimeters to control access to Amazon ECR in your environment, you might need to explicitly allow access to the following to use the automatic update feature:
+ Resource ARNs that require access: `arn:aws:ecr-public::446372222237:repository/6e5498e4-8c31-4f57-9991-13b4b992ff7b`
+ Required permissions: `ecr-public:DescribeImages`

## Configure firewall for outbound access to AWS domains

If outbound connections from your network are restricted, you must update your firewall settings to allow outbound access to the AWS domains that Agentless Collector requires. The AWS domains that require outbound access depend on whether your Migration Hub home Region is the US West (Oregon) Region, us-west-2, or some other Region.

**The following domains require outbound access if your AWS account home Region is us-west-2:**
+ `arsenal-discovery.us-west-2.amazonaws.com` – The collector uses this domain to validate that it is configured with the required IAM user credentials. The collector also uses it for sending and storing collected data since the home Region is us-west-2.
+ `migrationhub-config.us-west-2.amazonaws.com` – The collector uses this domain to determine which home Region the collector sends data to based on the provided IAM user credentials.
+ `api.ecr-public.us-east-1.amazonaws.com` – The collector uses this domain to discover available updates.
+ `public.ecr.aws` – The collector uses this domain for downloading the updates.
+ `dms.your-migrationhub-home-region.amazonaws.com` – The collector uses this domain to connect to the AWS DMS data collector.
+ `s3.amazonaws.com` – The collector uses this domain to upload data that is collected by the database and analytics data collection module to your Amazon S3 bucket.
+ `sts.amazonaws.com` – The collector uses this domain to understand what account the collector has been configured with.

**The following domains require outbound access if your AWS account home Region is not `us-west-2`:**
+ `arsenal-discovery.us-west-2.amazonaws.com` – The collector uses this domain to validate that it is configured with the required IAM user credentials.
+ `arsenal-discovery.your-migrationhub-home-region.amazonaws.com` – The collector uses this domain for sending and storing collected data.
+ `migrationhub-config.us-west-2.amazonaws.com` – The collector uses this domain to determine which home Region the collector should send data to based on the provided IAM user credentials.
+ `api.ecr-public.us-east-1.amazonaws.com` – The collector uses this domain to discover available updates.
+ `public.ecr.aws` – The collector uses this domain for downloading the updates.
+ `dms.your-migrationhub-home-region.amazonaws.com` – The collector uses this domain to connect to the AWS DMS data collector.
+ `s3.amazonaws.com` – The collector uses this domain to upload data that is collected by the database and analytics data collection module to your Amazon S3 bucket.
+ `sts.amazonaws.com` – The collector uses this domain to understand what account the collector has been configured with.

When setting up Agentless Collector, you might receive errors such as **Setup failed – Check your credentials and try again** or **AWS cannot be reached. Please verify network settings**. These errors can be caused by a failed attempt by the Agentless Collector to establish an HTTPS connection to one of the AWS domains that it needs outbound access to.



If a connection to AWS cannot be established, Agentless Collector cannot collect data from your on-premises environment. For information about how to fix the connection to AWS, see [Fixing Agentless Collector cannot reach AWS during setup](agentless-collector-troubleshooting.md#agentless-collector-fix-connector-cannot-reach-aws).
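
The following pre-flight check is an added example, not part of the AWS tooling. It builds the domain list above for a given home Region and probes each domain over HTTPS from a host on the same network path as the collector. The function names are hypothetical, and it assumes `curl` is installed.

```sh
#!/bin/sh
# Added example: pre-flight check for the outbound domains listed on this page.
# Function names are hypothetical; curl is assumed to be installed.

# Print the required domains for a Migration Hub home Region, one per line.
# Returns 2 if the Region string contains anything other than a-z, 0-9 and "-".
required_domains() {
    region=$1
    case "$region" in
        ''|*[!a-z0-9-]*) echo "invalid Region: $region" >&2; return 2 ;;
    esac
    # Credential validation always goes to us-west-2.
    echo "arsenal-discovery.us-west-2.amazonaws.com"
    # Collected data goes to the home Region endpoint when it differs.
    if [ "$region" != "us-west-2" ]; then
        echo "arsenal-discovery.${region}.amazonaws.com"
    fi
    echo "migrationhub-config.us-west-2.amazonaws.com"
    echo "api.ecr-public.us-east-1.amazonaws.com"
    echo "public.ecr.aws"
    echo "dms.${region}.amazonaws.com"
    echo "s3.amazonaws.com"
    echo "sts.amazonaws.com"
}

# Map a curl exit code to the most likely network cause.
classify_curl_exit() {
    case "$1" in
        0)  echo "reachable" ;;
        5)  echo "proxy name did not resolve" ;;
        6)  echo "DNS resolution failed" ;;
        7)  echo "TCP connection refused or blocked" ;;
        28) echo "timed out (traffic likely dropped)" ;;
        35) echo "TLS handshake failed" ;;
        60) echo "certificate not trusted (possible TLS inspection)" ;;
        *)  echo "curl exit code $1" ;;
    esac
}

# Probe every required domain on TCP 443 and print one result line per domain.
# Any HTTP response counts as reachable; only connection-level failures count.
# curl honours the https_proxy environment variable, so set it to match the
# proxy settings you plan to give the collector.
preflight() {
    failures=0
    domains=$(required_domains "$1") || return 2
    for host in $domains; do
        rc=0
        curl --silent --output /dev/null --connect-timeout 10 --max-time 20 \
            "https://${host}/" || rc=$?
        printf '%-55s %s\n' "$host" "$(classify_curl_exit "$rc")"
        [ "$rc" -eq 0 ] || failures=$((failures + 1))
    done
    [ "$failures" -eq 0 ]
}

# Usage (requires network access):
#   preflight eu-central-1
```
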

# Deploying Application Discovery Service Agentless Collector

To deploy Application Discovery Service Agentless Collector, you must first create an IAM user and download the collector. This page walks you through the steps to take to deploy a collector.

## Create an IAM user for Agentless Collector

To use Agentless Collector, in the AWS account that you used in [Sign in to the Migration Hub console and choose a home Region](setting-up.md#setting-up-choose-home-region), you must create an AWS Identity and Access Management (IAM) user. Then, set up this IAM user to use the following AWS managed policy [AWSApplicationDiscoveryAgentlessCollectorAccess](security-iam-awsmanpol.md#security-iam-awsmanpol-AWSApplicationDiscoveryAgentlessCollectorAccess). You attach this IAM policy when you create the IAM user.

To use the database and analytics data collection module, create two customer managed IAM policies. These policies provide access to your Amazon S3 bucket and the AWS DMS API. For more information, see [Create a customer managed policy](https://docs.aws.amazon.com/IAM/latest/UserGuide/tutorial_managed-policies.html) in the *IAM User Guide*.
+ Use the following JSON code to create the **DMSCollectorPolicy** policy.

  ```
  {
      "Version": "2012-10-17",
      "Statement": [{
          "Effect": "Allow",
          "Action": [
              "dms:DescribeFleetAdvisorCollectors",
              "dms:ModifyFleetAdvisorCollectorStatuses",
              "dms:UploadFileMetadataList"
          ],
          "Resource": "*"
      }]
  }
  ```

+ Use the following JSON code to create the **FleetAdvisorS3Policy** policy.

  ```
  {
      "Version": "2012-10-17",
      "Statement": [
          {
              "Effect": "Allow",
              "Action": [
                  "s3:GetObject*",
                  "s3:GetBucket*",
                  "s3:List*",
                  "s3:DeleteObject*",
                  "s3:PutObject*"
              ],
              "Resource": [
                  "arn:aws:s3:::bucket_name",
                  "arn:aws:s3:::bucket_name/*"
              ]
          }
      ]
  }
  ```


  In the preceding example, replace `bucket_name` with the name of the Amazon S3 bucket that you created in the prerequisites step.

We recommend that you create a non-administrative IAM user to use with Agentless Collector. When creating non-administrative IAM users, follow the security best practice [Grant Least Privilege](https://docs.aws.amazon.com/IAM/latest/UserGuide/best-practices.html#grant-least-privilege), granting users minimum permissions.

**To create a non-administrator IAM user to use with Agentless Collector**

1. In AWS Management Console, navigate to the IAM console, using the AWS account that you used to set the home Region in [Sign in to the Migration Hub console and choose a home Region](setting-up.md#setting-up-choose-home-region).

1. Create a non-administrator IAM user by following the instructions for creating a user with the console as described in [Creating an IAM user in your AWS account](https://docs.aws.amazon.com/IAM/latest/UserGuide/id_users_create.html) in the *IAM User Guide*. 

   While following the instructions in the *IAM User Guide*:
   + When on the step about selecting the type of access, select **Programmatic access**. Although it is not recommended, you can also select **AWS Management Console access**, but only if you plan to use the same IAM user credentials for accessing the AWS console.
   + When on the step about the **Set permission** page, choose the option to **Attach existing policies to user directly**. Then select the `AWSApplicationDiscoveryAgentlessCollectorAccess` AWS managed policy from the list of policies.

     Next, select the `DMSCollectorPolicy` and `FleetAdvisorS3Policy` customer managed IAM policies.
   + When on the step about viewing the user's access keys (access key IDs and secret access keys), follow the guidance in the **Important** note about saving the user's new access key ID and secret access key in a safe and secure place. You'll need these access keys in [Configuring Agentless Collector](agentless-collector-gs-configure.md). 

     It's an AWS security best practice to rotate access keys. For information about rotating keys, see [Rotate access keys regularly for use cases that require long-term credentials](https://docs.aws.amazon.com//IAM/latest/UserGuide/best-practices.html#rotate-credentials) in the *IAM User Guide*.

## Download the Agentless Collector

To set up the Application Discovery Service Agentless Collector (Agentless Collector), you must download and deploy the Agentless Collector Open Virtualization Archive (OVA) file. The Agentless Collector is a virtual appliance that you install in your on-premises VMware environment. This step describes how to download the collector OVA file and the next step describes how to deploy it.

**To download the collector OVA file and verify its checksum**

1. Sign in to vCenter as a VMware administrator and switch to the directory where you want to download the Agentless Collector OVA file.

1. Download the OVA file from the following URL:

   [Agentless Collector OVA](https://s3.us-west-2.amazonaws.com/aws.agentless.discovery.collector.bundle/releases/latest/ApplicationDiscoveryServiceAgentlessCollector.ova) 

1. Depending on which hashing algorithm you use in your system environment, download either the [MD5](https://s3.us-west-2.amazonaws.com/aws.agentless.discovery.collector.bundle/releases/latest/ApplicationDiscoveryServiceAgentlessCollector.ova.md5) or [SHA256](https://s3.us-west-2.amazonaws.com/aws.agentless.discovery.collector.bundle/releases/latest/ApplicationDiscoveryServiceAgentlessCollector.ova.sha256) to get the file containing the checksum value. Use the downloaded value to verify the `ApplicationDiscoveryServiceAgentlessCollector` file downloaded in the preceding step.

1. Depending on your variation of Linux, run the version-appropriate MD5 command or SHA256 command to verify that the checksum of the `ApplicationDiscoveryServiceAgentlessCollector.ova` file matches the value in the respective MD5/SHA256 file that you downloaded.

   ```
   $ md5sum ApplicationDiscoveryServiceAgentlessCollector.ova
   ```

   ```
   $ sha256sum ApplicationDiscoveryServiceAgentlessCollector.ova
   ```
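
The comparison in the last step can be scripted so that a mismatch fails closed instead of relying on reading two hex strings by eye. This is an added example, not AWS-provided code. The function names are hypothetical, and because the page does not show the layout of the `.sha256` file, the script accepts either a bare digest or the `digest  filename` layout. It uses SHA-256 because MD5 is not collision resistant.

```sh
#!/bin/sh
# Added example: compare a downloaded file against its published SHA-256 value.
# Function names are hypothetical; the checksum file layout is an assumption.

# Print the first 64-character hex token found in a checksum file, lowercased.
# Carriage returns are stripped so a file saved with CRLF endings still parses.
read_expected_sha256() {
    tr -d '\r' < "$1" | awk '{
        for (i = 1; i <= NF; i++) {
            t = tolower($i)
            if (length(t) == 64 && t !~ /[^0-9a-f]/) { print t; exit }
        }
    }'
}

# Return 0 on match, 1 on mismatch, 2 if an input is missing or unparsable.
verify_ova_sha256() {
    ova=$1
    checksum_file=$2
    [ -r "$ova" ] && [ -r "$checksum_file" ] || {
        echo "missing input file" >&2
        return 2
    }
    expected=$(read_expected_sha256 "$checksum_file")
    [ -n "$expected" ] || {
        echo "no SHA-256 value found in $checksum_file" >&2
        return 2
    }
    actual=$(sha256sum "$ova" | awk '{ print tolower($1) }')
    if [ "$actual" = "$expected" ]; then
        echo "OK: $ova matches the published SHA-256"
        return 0
    fi
    echo "MISMATCH: expected $expected, got $actual; do not deploy this file" >&2
    return 1
}

# Usage:
#   verify_ova_sha256 ApplicationDiscoveryServiceAgentlessCollector.ova \
#       ApplicationDiscoveryServiceAgentlessCollector.ova.sha256
```

Because the checksum file comes from the same location as the OVA, a match confirms that the download is complete and uncorrupted; it does not independently authenticate the publisher.
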

## Deploy Agentless Collector

Application Discovery Service Agentless Collector (Agentless Collector) is a virtual appliance that you install in your on-premises VMware environment. This section describes how to deploy the Open Virtualization Archive (OVA) file that you downloaded in your VMware environment.

**Agentless Collector virtual machine specifications**

------
#### [ Agentless Collector version 2 ]
+ **Operating System** – Amazon Linux 2023
+ **RAM** – 16 GB
+ **CPU** – 4 cores
+ **VMware requirements** – See [VMware host requirements for running AL2023 on VMware](https://docs.aws.amazon.com/linux/al2023/ug/vmware-supported-configurations.html#vmware-host-requirements)

------
#### [ Agentless Collector version 1 ]
+ **Operating System** – Amazon Linux 2
+ **RAM** – 16 GB
+ **CPU** – 4 cores

------

The following procedure steps you through deploying the Agentless Collector OVA file in your VMware environment.

**To deploy Agentless Collector**

1. Sign in to vCenter as a VMware administrator.

1. Use one of the following ways to install the OVA file:
   + Use the UI: Choose **File**, choose **Deploy OVF Template**, select the collector OVA file you downloaded in the previous section, and then complete the wizard. Ensure the proxy settings in the server management dashboard are configured correctly.
   + Use the command line: To install the collector OVA file from the command line, download and use the VMware Open Virtualization Format Tool (ovftool). To download ovftool, select a release from the [OVF Tool Documentation](https://www.vmware.com/support/developer/ovf/) page.

     The following is an example of using the ovftool command line tool to install the collector OVA file.

     ```
     ovftool --acceptAllEulas --name=AgentlessCollector --datastore=datastore1 -dm=thin ApplicationDiscoveryServiceAgentlessCollector.ova 'vi://username:password@vcenterurl/Datacenter/host/esxi/'
     ```

     **The following describes the replaceable values in the example:**
     + The name is the name that you want to use for your Agentless Collector VM.
     + The datastore is the name of the datastore in your vCenter.
     + The OVA file name is the name of the downloaded collector OVA file.
     + The username/password are your vCenter credentials.
     + The vcenterurl is the URL of your vCenter.
     + The vi path is the path to your VMware ESXi host.

1. Locate the deployed Agentless Collector in your vCenter. Right-click the VM, and then choose **Power**, **Power On**.

1. After a few minutes, the IP address of the collector displays in vCenter. You use this IP address to connect to the collector. 

# Accessing the Agentless Collector console

The following procedure describes how to access the Application Discovery Service Agentless Collector (Agentless Collector) console. 

**To access the Agentless Collector console**

1. Open a web browser, and then type the following URL in the address bar: **https://***<ip_address>***/**, where *<ip_address>* is the IP address of the collector from [Deploy Agentless Collector](agentless-collector-deploying.md#agentless-collector-gs-deploy).

1. Choose **Get Started** the first time you access Agentless Collector. Thereafter, you'll be asked to **Log in**.

If you're accessing the Agentless Collector console for the first time, next you'll configure the collector as described in [Configuring Agentless Collector](agentless-collector-gs-configure.md). Otherwise, next you'll see [The Agentless Collector dashboard](agentless-collector-dashboard.md).

# Configuring Agentless Collector

Application Discovery Service Agentless Collector (Agentless Collector) is an Amazon Linux 2 based virtual machine (VM). The following section describes how to configure a collector VM on the Agentless Collector console's **Configure Agentless Collector** page.

**To configure a collector VM on the **Configure Agentless Collector** page**

1. For **Collector name**, enter a name for the collector to identify it. The name can contain spaces but it cannot contain special characters.

1. Under **Data synchronization**, enter the AWS access key and secret key for the AWS account IAM user to specify as the destination account to receive the data discovered by the collector. For information about the requirements for the IAM user, see [Create an IAM user for Agentless Collector](agentless-collector-deploying.md#agentless-collector-gs-iam-user).

   1. For **AWS access-key**, enter the access key of the AWS account IAM user that you're specifying as the destination account.

   1. For **AWS secret-key**, enter the secret key of the AWS account IAM user that you're specifying as the destination account.

   1. (Optional) If your network requires the use of a proxy to access AWS, enter the proxy host, proxy port, and, optionally, the credentials needed to authenticate with your existing proxy server.

1. Under **Agentless Collector password**, set up a password to use to authenticate access to Agentless Collector.
   + Passwords are case-sensitive
   + Passwords must be between 8 and 64 characters in length
   + Passwords must contain at least one character from each of the following four categories:
     + Lowercase letters (a-z)
     + Uppercase letters (A-Z)
     + Numbers (0-9)
     + Non-alphanumeric characters (@\$1\$1\$1%\$1?&)
   + Passwords cannot contain special characters other than the following ones: @\$1\$1\$1%\$1?&

   1. For **Agentless Collector password**, enter a password to use to authenticate access to the collector.

   1. For **Re-enter Agentless Collector password**, for verification, enter the password again.

1. Under **Other settings**, read the **License Agreement**. If you agree to accept it, select the check box.

1. To enable automatic updates for Agentless Collector, under **Other settings**, select **Automatically update Agentless Collector**. If you do not select this checkbox, you'll need to manually update Agentless Collector as described in [Manually updating Application Discovery Service Agentless Collector](agentless-collector-update.md). 

1. Choose **Save configurations**.

The following topics describe optional collector configuration tasks.

**Topics**
+ [(Optional) Configure a static IP address for the Agentless Collector VM](#agentless-collector-gs-configure-ip)
+ [(Optional) Reset the Agentless Collector VM back to using DHCP](#agentless-collector-gs-configure-dhcp)
+ [(Optional) Configure the Kerberos authentication protocol](#agentless-collector-gs-configure-kerberos)

## (Optional) Configure a static IP address for the Agentless Collector VM

The following steps describe how to configure a static IP address for the Application Discovery Service Agentless Collector (Agentless Collector) VM. When first installed, the collector VM is configured to use the Dynamic Host Configuration Protocol (DHCP).

**Note**  
The Agentless Collector supports IPv4. It does not support IPv6.

------
#### [ Agentless Collector version 2 ]

**To configure a static IP address for the collector VM**

1. Collect the following network information from VMware vCenter:
   + **Static IP address** – An unassigned IP address in the subnet. For example, 192.168.1.138.
   + **CIDR netmask** – To get the CIDR netmask, check the IP address setting of the VMware vCenter host that hosts the collector VM. For example, /24.
   + **Default Gateway** – To get the default gateway, check the IP address setting of the VMware vCenter host that hosts the collector VM. For example, 192.168.1.1.
   + **Primary DNS** – To get the primary DNS, check the IP address setting of the VMware vCenter host that hosts the collector VM. For example, 192.168.1.1.
   + (Optional) **Secondary DNS**
   + (Optional) **Local domain name** – This allows the collector to reach the vCenter host URL without the domain name.

1. Open the collector’s VM console and sign in as **ec2-user** using the password **collector** as shown in the following example.

   ```
   username: ec2-user
   password: collector
   ```

1. Disable the network interface, by entering the following command in the remote terminal.

   ```
   sudo ip link set ens192 down
   ```

1. Update the interface configuration by using the following steps.

   1. Open 10-cloud-init-ens192.network in the vi editor by using the following command.

      ```
      sudo vi /etc/systemd/network/10-cloud-init-ens192.network
      ```

   1. Update the values, as shown in the following example, with the information that you collected in the **Collect network information** step.

      ```
      [Match]
      Name=ens192
       
      [Network]
      DHCP=no
      Address=static-ip-value/CIDR-netmask
      Gateway=gateway-value
      DNS=dnsserver-value
      ```

1. Update the Domain Name System (DNS) using the following steps.

   1. Open the `resolv.conf` file in vi using the following command. 

      ```
      sudo vi /etc/resolv.conf
      ```

   1. Update the `resolv.conf` file in vi with the following values.

      ```
      search localdomain-name
      options timeout:2 attempts:5
      nameserver dnsserver-value
      ```

      The following example shows an edited `resolv.conf` file. 

      ```
      search vsphere.local
      options timeout:2 attempts:5
      nameserver 192.168.1.1
      ```

1. Enable the network interface, by entering the following command.

   ```
   sudo ip link set ens192 up
   ```

1. Reboot the VM as shown in the following example.

   ```
   sudo reboot
   ```

1. Verify your network settings using the following steps.

   1. Check if the IP address is configured correctly, by entering the following commands. 

      ```
      ifconfig 
      ip addr show
      ```

   1. Check that the gateway was added correctly, by entering the following command.

      ```
      route -n
      ```

      The output should be similar to the following example.

      ```
      Kernel IP routing table
      Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
      0.0.0.0         192.168.1.1     0.0.0.0         UG    0      0        0 eth0
      172.17.0.0      0.0.0.0         255.255.0.0     U     0      0        0 docker0
      192.168.1.0     0.0.0.0         255.255.255.0   U     0      0
      ```

   1. Verify that you can ping a public URL, by entering the following command.

      ```
      ping www.google.com
      ```

   1. Verify that you can ping the vCenter IP address or host name as shown in the following example.

      ```
      ping vcenter-host-url
      ```

------
#### [ Agentless Collector version 1 ]

**To configure a static IP address for the collector VM**

1. Collect the following network information from VMware vCenter:
   + **Static IP address** – An unassigned IP address in the subnet. For example, 192.168.1.138.
   + **Network mask** – To get the network mask, check the IP address setting of the VMware vCenter host that hosts the collector VM. For example, 255.255.255.0.
   + **Default Gateway** – To get the default gateway, check the IP address setting of the VMware vCenter host that hosts the collector VM. For example, 192.168.1.1.
   + **Primary DNS** – To get the primary DNS, check the IP address setting of the VMware vCenter host that hosts the collector VM. For example, 192.168.1.1.
   + (Optional) **Secondary DNS**
   + (Optional) **Local domain name** – This allows the collector to reach the vCenter host URL without the domain name.

1. Open the collector’s VM console and sign in as **ec2-user** using the password **collector** as shown in the following example.

   ```
   username: ec2-user
   password: collector
   ```

1. Disable the network interface, by entering the following command in the remote terminal.

   ```
   sudo /sbin/ifdown eth0
   ```

1. Update the interface eth0 configuration using the following steps.

   1. Open ifcfg-eth0 in the vi editor using the following command.

      ```
      sudo vi /etc/sysconfig/network-scripts/ifcfg-eth0
      ```

   1. Update the interface values, as shown in the following example, with the information that you collect in the **Collect network information** step.

      ```
      DEVICE=eth0
      BOOTPROTO=static
      ONBOOT=yes
      IPADDR=static-ip-value
      NETMASK=netmask-value
      GATEWAY=gateway-value
      TYPE=Ethernet
      USERCTL=yes
      PEERDNS=no
      RES_OPTIONS="timeout:2 attempts:5"
      ```

1. Update the Domain Name System (DNS) using the following steps.

   1. Open the `resolv.conf` file in vi using the following command. 

      ```
      sudo vi /etc/resolv.conf
      ```

   1. Update the `resolv.conf` file in vi with the following values.

      ```
      search localdomain-name
      options timeout:2 attempts:5
      nameserver dnsserver-value
      ```

      The following example shows an edited `resolv.conf` file. 

      ```
      search vsphere.local
      options timeout:2 attempts:5
      nameserver 192.168.1.1
      ```

1. Enable the network interface, by entering the following command.

   ```
   sudo /sbin/ifup eth0
   ```

1. Reboot the VM as shown in the following example.

   ```
   sudo reboot
   ```

1. Verify your network settings using the following steps.

   1. Check if the IP address is configured correctly, by entering the following commands. 

      ```
      ifconfig 
      ip addr show
      ```

   1. Check that the gateway was added correctly, by entering the following command.

      ```
      route -n
      ```

      The output should be similar to the following example.

      ```
      Kernel IP routing table
      Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
      0.0.0.0         192.168.1.1     0.0.0.0         UG    0      0        0 eth0
      172.17.0.0      0.0.0.0         255.255.0.0     U     0      0        0 docker0
      192.168.1.0     0.0.0.0         255.255.255.0   U     0      0
      ```

   1. Verify that you can ping a public URL, by entering the following command.

      ```
      ping www.google.com
      ```

   1. Verify that you can ping the vCenter IP address or host name as shown in the following example.

      ```
      ping vcenter-host-url
      ```

------

## (Optional) Reset the Agentless Collector VM back to using DHCP

The following steps describe how to reconfigure the Agentless Collector VM to use DHCP.

------
#### [ Agentless Collector version 2 ]

**To configure the collector VM to use DHCP**

1. Disable the network interface by running the following command in the remote terminal.

   ```
   sudo ip link set ens192 down
   ```

1. Update the interface configuration by using the following steps.

   1. Open the `10-cloud-init-ens192.network` file in the vi editor by using the following command.

      ```
      sudo vi /etc/systemd/network/10-cloud-init-ens192.network
      ```

   1. Update the values as shown in the following example.

      ```
      [Match]
      Name=ens192
       
      [Network]
      DHCP=yes
       
      [DHCP]
      ClientIdentifier=mac
      ```

1. Reset the DNS setting, by entering the following command.

   ```
   echo "" | sudo tee /etc/resolv.conf
   ```

1. Enable the network interface, by entering the following command.

   ```
   sudo ip link set ens192 up
   ```

1. Reboot the collector VM as shown in the following example.

   ```
   sudo reboot
   ```

------
#### [ Agentless Collector version 1 ]

**To configure the collector VM to use DHCP**

1. Disable the network interface by running the following command in the remote terminal.

   ```
   sudo /sbin/ifdown eth0
   ```

1. Update the network configuration by using the following steps.

   1. Open the `ifcfg-eth0` file in the vi editor using the following command.

      ```
      sudo vi /etc/sysconfig/network-scripts/ifcfg-eth0
      ```

   1. Update the values in the `ifcfg-eth0` file as shown in the following example.

      ```
      DEVICE=eth0
      BOOTPROTO=dhcp
      ONBOOT=yes
      TYPE=Ethernet
      USERCTL=yes
      PEERDNS=yes
      DHCPV6C=yes
      DHCPV6C_OPTIONS=-nw
      PERSISTENT_DHCLIENT=yes
      RES_OPTIONS="timeout:2 attempts:5"
      ```

1. Reset the DNS setting by entering the following command.

   ```
   echo "" | sudo tee /etc/resolv.conf
   ```

1. Enable the network interface by entering the following command.

   ```
   sudo /sbin/ifup eth0
   ```

1. Reboot the collector VM as shown in the following example.

   ```
   sudo reboot
   ```

------

## (Optional) Configure the Kerberos authentication protocol

If your OS server supports the Kerberos authentication protocol, then you can use this protocol to connect to your server. To do so, you must configure the Application Discovery Service Agentless Collector VM.

The following steps describe how to configure the Kerberos authentication protocol on your Application Discovery Service Agentless Collector VM.

**To configure the Kerberos authentication protocol on your collector VM**

1. Open the collector’s VM console and sign in as **ec2-user** using the password **collector** as shown in the following example.

   ```
   username: ec2-user
   password: collector
   ```

1. Open the `krb5.conf` configuration file in the `/etc` folder. To do so, you can use the following code example.

   ```
   cd /etc
   sudo nano krb5.conf
   ```

1. Update the `krb5.conf` configuration file with the following information.

   ```
   [libdefaults]
       forwardable = true
       dns_lookup_realm = true
       dns_lookup_kdc = true
       ticket_lifetime = 24h
       renew_lifetime = 7d
       default_realm = default_Kerberos_realm
   
   [realms]
    default_Kerberos_realm = {
        kdc = KDC_hostname
        server_name = server_hostname
        default_domain = domain_to_expand_hostnames
    }
   
   [domain_realm]
    .domain_name = default_Kerberos_realm
    domain_name = default_Kerberos_realm
   ```

   Save the file and exit the text editor.

1. Reboot the collector VM as shown in the following example.

   ```
   sudo reboot
   ```

# Using the Agentless Collector Network Data Collection module

The Network Data Collection module makes it possible for you to discover dependencies among servers in your on-premises data center. This network data accelerates your migration planning by providing visibility into how applications communicate across servers.

The Network Data Collection module connects to the servers that the VMware vCenter module identifies, and analyzes source IP to destination IP/port traffic for those servers.

**Topics**
+ [Setting up the Network Data Collection module](network-data-module-setup.md)
+ [Network data collection attempts](collection-attempts.md)
+ [Server status in the Network Data Collection module](network-data-collection-status.md)

# Setting up the Network Data Collection module


The Network Data Collection module collects network data for the server inventory that comes from the VMware vCenter module. Therefore, to use the Network Data Collection module, first set up the VMware vCenter module. For instructions, follow the guidance in the following topics: 

1. [Deploying Application Discovery Service Agentless Collector](agentless-collector-deploying.md)

1. [Accessing the Agentless Collector console](agentless-collector-gs-access-console.md)

1. [Configuring Agentless Collector](agentless-collector-gs-configure.md)

1. [Using the VMware vCenter Agentless Collector data collection module](agentless-collector-gs-data-collection-vcenter.md)

**To set up the Network Data Collection module**

1. On the Agentless Collector dashboard, in the **Network Data Collection** section, choose **View network connections**.

1. On the **Network connections** page, choose **Edit collector**.

1. In the credentials section, enter at least one set of credentials. You can enter up to 10 sets of credentials. The first time the module attempts to collect data for a server, it tries all of the credentials until it finds a set of credentials that works; it then saves that set and uses it again in subsequent attempts. For information about setting up credentials, see [Setting up credentials](#network-data-module-credentials-setup).

1. In the **Data collection preferences** section, to automatically start collecting data when a server reboots, select **Start data collection automatically**.

1. If you haven't set up WinRM certificates, select **Disable WinRM certificate checks**.

1. Choose **Save**.

1. Collection happens on the servers every 15 seconds. To see the details of the collection attempts for a given server, select the checkbox to the left of the server in the **Servers** table.



## Setting up credentials


The Network Data Collection module uses WinRM to collect data from Windows servers. It uses SNMPv2 and SNMPv3 to collect data from Linux servers.

**WinRM credentials:**
+ Specify the username and password of a Windows account that has the following:
  + Read access to the `\root\standardcimv2` namespace
  + Read permissions for `MSFT_NetTCPConnection` class
  + Remote WMI access
+ We recommend that you create a dedicated service account with minimal required permissions.
+ Avoid using domain administrator or local administrator accounts.
+ Port 5986 (HTTPS) must be open between collector and target servers.
+ Avoid disabling WinRM certificate check. For information about setting up WinRM certificates, see [Addressing self-signed certification problems when configuring WinRM certificates](agentless-collector-troubleshooting.md#agentless-collector-address-self-signed-certification-problems).

**SNMPv2 credentials:**
+ Provide a read-only community string that can access the 1.3.6.1.2.1.6.13.\* OID
+ SNMPv3 is preferable to SNMPv2 because of the improved security in SNMPv3
+ Port 161/UDP must be open between collector and target servers
+ Use complex, non-default community strings
+ Avoid common strings like "public" or "private"
+ Treat community strings like passwords

**SNMPv3 credentials:**
+ Provide a username/password and auth/privacy details with read-only permission that can access the 1.3.6.1.2.1.6.13.\* OID.
+ Port 161/UDP must be open between collector and target servers
+ Enable both authentication and privacy
+ Use strong authentication protocols (SHA preferred over MD5)
+ Use strong encryption protocols (AES preferred over DES)
+ Use complex passwords for both auth and privacy
+ Use unique usernames (avoid common names)
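
To see what the read-only SNMP credential exposes, and to confirm that its view stops at the required subtree, the following added Python example (not AWS or collector code) decodes a numeric walk of 1.3.6.1.2.1.6.13 into connection records and source-to-destination pairs. The walk text is a constructed sample in the style of `snmpwalk -On` output, the index layout is that of the standard TCP-MIB `tcpConnTable`, and the direction heuristic is an assumption; this page does not document how the collector itself processes the table.

```python
import ipaddress
import re

# Subtree the page says the read-only credential must reach: 1.3.6.1.2.1.6.13,
# which is tcpConnTable in the standard TCP-MIB.
TCP_CONN_TABLE = (1, 3, 6, 1, 2, 1, 6, 13)
# tcpConnEntry is .1 under the table; column 1 of the entry is tcpConnState.
STATE_COLUMN = TCP_CONN_TABLE + (1, 1)

# tcpConnState values as defined by the TCP-MIB.
TCP_STATES = {
    1: "closed", 2: "listen", 3: "synSent", 4: "synReceived",
    5: "established", 6: "finWait1", 7: "finWait2", 8: "closeWait",
    9: "lastAck", 10: "closing", 11: "timeWait", 12: "deleteTCB",
}

# Constructed sample (not captured from a real host): numeric-OID walk output.
SAMPLE_WALK = """\
.1.3.6.1.2.1.6.13.1.1.0.0.0.0.22.0.0.0.0.0 = INTEGER: 2
.1.3.6.1.2.1.6.13.1.1.10.0.0.5.22.10.0.0.9.51234 = INTEGER: 5
.1.3.6.1.2.1.6.13.1.1.10.0.0.5.48122.10.0.1.20.5432 = INTEGER: 5
.1.3.6.1.2.1.6.13.1.1.10.0.0.5.48130.10.0.1.20.5432 = INTEGER: 11
.1.3.6.1.2.1.6.13.1.3.10.0.0.5.22.10.0.0.9.51234 = INTEGER: 22
.1.3.6.1.2.1.1.1.0 = STRING: "Linux app01 5.10.0"
this line is not walk output
"""

_LINE = re.compile(r"^\.?(\d+(?:\.\d+)+)\s*=\s*(?:([\w-]+):\s*)?(.*)$")
_STATE = re.compile(r"^(?:[A-Za-z0-9]+\()?(\d+)\)?$")  # "5" or "established(5)"


def parse_walk(text):
    """Return (oid_tuple, value_type, value) for every well-formed walk line."""
    rows = []
    for line in text.splitlines():
        match = _LINE.match(line.strip())
        if match:
            oid = tuple(int(part) for part in match.group(1).split("."))
            rows.append((oid, match.group(2), match.group(3).strip()))
    return rows


def decode_connections(text):
    """Decode tcpConnState rows into connection records.

    The row index is localAddr(4 octets).localPort.remAddr(4 octets).remPort,
    so each valid row carries exactly 10 sub-identifiers after the column OID.
    """
    conns = []
    for oid, value_type, value in parse_walk(text):
        index = oid[len(STATE_COLUMN):]
        state = _STATE.match(value)
        if oid[:len(STATE_COLUMN)] != STATE_COLUMN or len(index) != 10:
            continue  # other column, other subtree, or truncated index
        if value_type != "INTEGER" or state is None:
            continue
        addr_octets = index[0:4] + index[5:9]
        if max(addr_octets) > 255 or index[4] > 65535 or index[9] > 65535:
            continue  # not a valid IPv4 address / port encoding
        conns.append({
            "local": str(ipaddress.IPv4Address(bytes(index[0:4]))),
            "local_port": index[4],
            "remote": str(ipaddress.IPv4Address(bytes(index[5:9]))),
            "remote_port": index[9],
            "state": TCP_STATES.get(int(state.group(1)), "unknown"),
        })
    return conns


def dependencies(conns):
    """Reduce established connections to (source IP, destination IP, port).

    Assumption: a connection whose local port is also in the listen state is
    inbound (the remote side is the source); anything else is outbound.
    """
    listening = {c["local_port"] for c in conns if c["state"] == "listen"}
    edges = set()
    for c in conns:
        if c["state"] != "established":
            continue
        if c["local_port"] in listening:
            edges.add((c["remote"], c["local"], c["local_port"]))
        else:
            edges.add((c["local"], c["remote"], c["remote_port"]))
    return sorted(edges)


def outside_required_subtree(text):
    """List OIDs the credential returned outside 1.3.6.1.2.1.6.13.

    A non-empty result means the SNMP view is wider than this module needs.
    """
    prefix_len = len(TCP_CONN_TABLE)
    return sorted({".".join(map(str, oid)) for oid, _, _ in parse_walk(text)
                   if oid[:prefix_len] != TCP_CONN_TABLE})


if __name__ == "__main__":
    for source, dest, port in dependencies(decode_connections(SAMPLE_WALK)):
        print(f"{source} -> {dest}:{port}")
    print("outside required subtree:", outside_required_subtree(SAMPLE_WALK))
```

Running `outside_required_subtree` on a walk taken with the collector's own community string or SNMPv3 user is a quick least-privilege check: an empty list means the view is limited to the table the module needs.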

**General best practices for Credential Management**
+ Store credentials securely
+ Regularly rotate all credentials
+ Use password managers or secure vaults
+ Monitor credential usage
+ Follow the principle of least privilege and only grant the minimum necessary permissions needed

# Network data collection attempts


When a new server is discovered, the collector attempts each configured credential for each IP address. After the collector finds a valid credential, it only uses that credential. After two consecutive failures, the collector attempts to collect networking data for a server after 30 minutes, 2 hours, 8 hours, and then 24 hours. After 6 failed attempts, the collector continues to try all configured credentials once every day. To resolve the issue, either edit the current credentials or add additional ones by choosing **Edit collector**, or make changes to the target server being monitored.

# Server status in the Network Data Collection module


The following table explains the collection status values.


| Status | Meaning | 
| --- | --- | 
| Collecting or Collected | The last collection attempt for network connections was successful. | 
| Erroring or Errored | The last collection attempt for network connections failed due to either a networking or permissions problem. For additional information, select the checkbox to the left of the server that has the error. | 
| Skipped | Servers for which no valid credentials were provided. Update or configure additional server credentials. | 
| No data | Data collection for the server has not started. To start collecting data, choose Start collector. | 
| Pending | Collection has been started but no collection attempts have been made. Wait a few minutes, and then refresh the list. | 

# Using the VMware vCenter Agentless Collector data collection module

This section describes the Application Discovery Service Agentless Collector (Agentless Collector) VMware vCenter data collection module, which is used to collect server inventory, profile, and utilization data from your VMware VMs.

**Topics**
+ [Setting up the Agentless Collector data collection module for VMware vCenter](agentless-collector-gs-vcenter.md)
+ [Viewing VMware data collection details](agentless-collector-gs-vcenter-details.md)
+ [Controlling the scope of vCenter data collection](control-data-collection-scope.md)
+ [Data collected by the Agentless Collector VMware vCenter data collection module](agentless-collector-data-collected-vmware.md)

# Setting up the Agentless Collector data collection module for VMware vCenter

This section describes how to set up the Agentless Collector VMware vCenter data collection module to collect server inventory, profile, and utilization data from your VMware VMs.

**Note**  
Before starting vCenter setup, make sure you can provide vCenter credentials with Read and View permissions set for the System group.

**To set up the VMware vCenter data collection module**

1. On the **Agentless Collector** dashboard page, under **Data collection**, choose **Set up** in the **VMware vCenter** section.

1. On the **Set up VMware vCenter data collection** page, perform the following:

   1. Under **vCenter credentials**:

      1. For **vCenter URL/IP**, enter the IP address of your VMware vCenter Server host.

      1. For **vCenter Username**, enter the name of a local or domain user that the collector uses to communicate with vCenter. For domain users, use the form *domain*\\*username* or *username*@*domain*.

      1. For **vCenter Password**, enter the local or domain user password.

   1. Under **Data collection preferences**:

      1. To automatically start collecting data immediately following a successful setup, select **Start data collection automatically**.

   1. Choose **Set up**.

Next, you'll see the **VMware data collection details** page, which is described in the next topic.

# Viewing VMware data collection details

The **VMware data collection details** page shows details about the vCenter you set up in [Setting up the Agentless Collector data collection module for VMware vCenter](agentless-collector-gs-vcenter.md).

Under **Discovered vCenter servers**, the vCenter you set up is listed with the following information about the vCenter:
+ The IP address of the vCenter server.
+ The number of servers in the vCenter.
+ The status of the data collection.
+ How long since the last update.

Choose **Remove vCenter server** to remove the displayed vCenter server and return you to the **Set up VMware vCenter data collection** page.

If you did not choose to start data collection automatically, you can start data collection by using the **Start data collection** button on this page. After data collection starts, the start button changes to **Stop data collection**.

If the **Collection status** column shows **Collecting**, data collection has started.

You can view the collected data in the AWS Migration Hub console. If you’re collecting data for a VMware vCenter server inventory, the data appears in the console approximately 15 minutes after you turn on data collection.

You can choose **View servers in Migration Hub** on this page to open the Migration Hub console, if your access to the internet is not blocked. Whether you choose this button or not, for information about how to access the Migration Hub console, see [Viewing your collected data](agentless-collector-gs-view-collected-data.md).

The following are the guidelines for recommended length of data collection according to migration planning activities: 
+ TCO (total cost of ownership) - 2 to 4 weeks
+ Migration planning - 2 to 6 weeks

# Controlling the scope of vCenter data collection

The vCenter user requires read-only permissions on each ESX host or VM that you want to inventory using Application Discovery Service. Using the permission settings, you can control which hosts and VMs are included in the data collection. You can either allow all hosts and VMs under the current vCenter to be inventoried, or grant permissions on a case-by-case basis.

**Note**  
As a security best practice, we recommend against granting additional, unneeded permissions to the vCenter user of the Application Discovery Service.

The following procedures describe configuration scenarios ordered from least granular to most granular. These procedures are for vSphere Client v6.7.0.2. The procedures might be different for other versions of the vSphere client.

**To discover data about *all* ESX hosts and VMs under the current vCenter**

1. In your VMware vSphere client, choose **vCenter** and then choose either **Hosts and Clusters** or **VMs and Templates**. 

1. Choose a datacenter resource and then choose **Permissions**.

1. Choose the vCenter user and then choose the symbol to add, edit, or remove a user role.

1. Choose **Read-only** from the **Role** menu.

1. Choose **Propagate to children** and then choose **OK**.

**To discover data about a *specific* ESX host and *all* of its child objects**

1. In your VMware vSphere client, choose **vCenter** and then choose either **Hosts and Clusters** or **VMs and Templates**. 

1. Choose **Related Objects**, **Hosts**. 

1. Open the context (right-click) menu for the host name and choose **All vCenter Actions**, **Add Permission**.

1. Under **Add Permission**, add the vCenter user to the host. For **Assigned Role**, choose **Read-only**. 

1. Choose **Propagate to children**, **OK**.

**To discover data about a *specific* ESX host or child VM**

1. In your VMware vSphere client, choose **vCenter** and then choose either **Hosts and Clusters** or **VMs and Templates**. 

1. Choose **Related Objects**.

1. Choose **Hosts** (showing a list of ESX hosts known to vCenter) or **Virtual Machines** (showing a list of VMs across all ESX hosts). 

1. Open the context (right-click) menu for the host or VM name and choose **All vCenter Actions**, **Add Permission**.

1. Under **Add Permission**, add the vCenter user to the host or VM. For **Assigned Role**, choose **Read-only**.

1. Choose **OK**. 

**Note**  
If you chose **Propagate to children**, you can still remove the read-only permission from ESX hosts and VMs on a case-by-case basis. This option has no effect on inherited permissions applying to other ESX hosts and VMs. 

# Data collected by the Agentless Collector VMware vCenter data collection module

The following information describes the data that's collected by the Application Discovery Service Agentless Collector (Agentless Collector) VMware vCenter data collection module. For information about setting up data collection, see [Setting up the Agentless Collector data collection module for VMware vCenter](agentless-collector-gs-vcenter.md).

**Table legend for Agentless Collector VMware vCenter collected data:**
+ Collected data is in measurements of kilobytes (KB) unless stated otherwise.
+ Equivalent data in the Migration Hub console is reported in megabytes (MB).
+ Data fields denoted with an asterisk (\*) are available only in the .csv files that are produced from the Application Discovery Service API export function. 

  The Agentless Collector supports data export using the AWS CLI. To export collected data using the AWS CLI, follow the instructions described under **Export System Performance Data for All Servers** on the page [Export Collected Data](https://docs.aws.amazon.com/application-discovery/latest/userguide/export-data.html) in the *Application Discovery Service User Guide*. 
+ The polling period is in intervals of approximately 60 minutes.
+ Data fields denoted with a double asterisk (\*\*) currently return a *null* value.


| Data field | Description | 
| --- | --- | 
| applicationConfigurationId\* | ID of the migration application the VM is grouped under. | 
| avgCpuUsagePct | Average percentage of CPU usage over polling period. | 
| avgDiskBytesReadPerSecond | Average number of bytes read from disk over polling period. | 
| avgDiskBytesWrittenPerSecond | Average number of bytes written to disk over polling period. | 
| avgDiskReadOpsPerSecond\*\* | Average number of read I/O operations per second. | 
| avgDiskWriteOpsPerSecond\*\* | Average number of write I/O operations per second. | 
| avgFreeRAM | Average free RAM expressed in MB. | 
| avgNetworkBytesReadPerSecond | Average amount of throughput of bytes read per second. | 
| avgNetworkBytesWrittenPerSecond | Average amount of throughput of bytes written per second. | 
| computerManufacturer | Vendor reported by the ESXi host. | 
| computerModel | Computer model reported by the ESXi host. | 
| configId | ID assigned by Application Discovery Service to the discovered VM. | 
| configType | Type of resource discovered. | 
| connectorId | ID of the virtual appliance. | 
| cpuType | vCPU for a VM, actual model for a host. | 
| datacenterId | ID of the vCenter. | 
| hostId\* | ID of the VM host. | 
| hostName | Name of host running the virtualization software. | 
| hypervisor | Type of hypervisor. | 
| id | ID of server. | 
| lastModifiedTimeStamp\* | Latest date and time of data collection before data export. | 
| macAddress | MAC address of the VM. | 
| manufacturer | Maker of the virtualization software. | 
| maxCpuUsagePct | Max. percentage of CPU usage during polling period. | 
| maxDiskBytesReadPerSecond | Max. number of bytes read from disk over polling period. | 
| maxDiskBytesWrittenPerSecond | Max. number of bytes written to disk over polling period. | 
| maxDiskReadOpsPerSecond\*\* | Max. number of read I/O operations per second. | 
| maxDiskWriteOpsPerSecond\*\* | Max. number of write I/O operations per second. | 
| maxNetworkBytesReadPerSecond | Max. amount of throughput of bytes read per second. | 
| maxNetworkBytesWrittenPerSecond | Max. amount of throughput of bytes written per second. | 
| memoryReservation\* | Limit to avoid overcommitment of memory on VM. | 
| moRefId | Unique vCenter Managed Object Reference ID. | 
| name\* | Name of VM or network (user specified). | 
| numCores | Number of CPU cores assigned to VM. | 
| numCpus | Number of CPU sockets on the ESXi host. | 
| numDisks\*\* | Number of disks on VM. | 
| numNetworkCards\*\* | Number of network cards on VM. | 
| osName | Operating system name on VM. | 
| osVersion | Operating system version on VM. | 
| portGroupId\* | ID of group of member ports of VLAN. | 
| portGroupName\* | Name of group of member ports of VLAN. | 
| powerState\* | Status of power. | 
| serverId | ID assigned by Application Discovery Service to the discovered VM. | 
| smBiosId\* | ID/version of the system management BIOS. | 
| state\* | Status of the virtual appliance. | 
| toolsStatus | Operational state of VMware tools. | 
| totalDiskFreeSize | Free disk space expressed in MB. Available for vCenter Server 7.0 and later versions. | 
| totalDiskSize | Total capacity of disk expressed in MB. | 
| totalRAM | Total amount of RAM available on VM in MB. | 
| type | Type of host. | 
| vCenterId | Unique ID number of a VM. | 
| vCenterName\* | Name of the vCenter host. | 
| virtualSwitchName\* | Name of the virtual switch. | 
| vmFolderPath | Directory path of VM files. | 
| vmName | Name of the virtual machine. | 

# Using the database and analytics data collection module

This section describes how to set up, configure, and use a database and analytics data collection module. You can use this data collection module to connect to your data environment and collect metadata and performance metrics from your on-premises databases and analytics servers. For information about the metrics that you can collect with this module, see [Data collected by the Agentless Collector database and analytics data collection module](agentless-collector-data-collected-database-analytics.md). 

**Important**  
End of support notice: On May 20, 2026, AWS will end support for AWS Database Migration Service Fleet Advisor. After May 20, 2026, you will no longer be able to access the AWS DMS Fleet Advisor console or AWS DMS Fleet Advisor resources. For more information, see [AWS DMS Fleet Advisor end of support](https://docs.aws.amazon.com/dms/latest/userguide/dms_fleet.advisor-end-of-support.html).

At a high level, when using the database and analytics data collection module, you take the following steps.

1. Complete the prerequisite steps, configure your IAM user, and create the AWS DMS data collector.

1. Configure data forwarding to make sure that your data collection module can send the collected metadata and performance metrics to AWS.

1. Add your LDAP servers and use them to discover OS servers in your data environment. Alternatively, add your OS servers manually or discover them with the VMware data collection module, as described in [Using the VMware data collection module](agentless-collector-gs-data-collection-vcenter.md).

1. Configure connection credentials to your OS servers and then use them to discover database servers.

1. Configure connection credentials to your database and analytics servers and then run the data collection. For more information, see [Database and analytics data collection](agentless-collector-dashboard.md#using-collector-data-collect-database-analytics).

1. View collected data in the AWS DMS console and use it to generate target recommendations for a migration to the AWS Cloud. For more information, see [Database and analytics data collection](agentless-collector-dashboard.md#using-collector-data-collect-database-analytics).

**Topics**
+ [Supported OS, database, and analytics servers](#agentless-collector-gs-database-analytics-collection-supported-servers)
+ [Creating the AWS DMS data collector](agentless-collector-gs-database-analytics-collection-resources.md)
+ [Configuring data forwarding](agentless-collector-gs-database-analytics-collection-prerequisites.md)
+ [Adding your LDAP and OS servers](agentless-collector-gs-database-analytics-collection-add-servers.md)
+ [Discovering your database servers](agentless-collector-gs-database-analytics-collection-discovery.md)
+ [Data collected by the Agentless Collector database and analytics data collection module](agentless-collector-data-collected-database-analytics.md)

## Supported OS, database, and analytics servers

The database and analytics data collection module in the Agentless Collector supports Microsoft Active Directory LDAP servers.

This data collection module supports the following OS servers.
+ Amazon Linux 2
+ CentOS Linux version 6 and higher
+ Debian version 10 and higher
+ Red Hat Enterprise Linux version 7 and higher
+ SUSE Linux Enterprise Server version 12 and higher
+ Ubuntu version 16.01 and higher
+ Windows Server 2012 and higher
+ Windows XP and higher

Also, the database and analytics data collection module supports the following database servers.
+ Microsoft SQL Server version 2012 and up to 2019
+ MySQL version 5.6 and up to 8
+ Oracle version 11g Release 2 and up to 12c, 19c, and 21c
+ PostgreSQL version 9.6 and up to 13

# Creating the AWS DMS data collector

Your database and analytics data collection module uses an AWS DMS data collector to interact with the AWS DMS console. You can view the collected data in the AWS DMS console, or use it to determine the right-sized AWS target engine. For more information, see [Using the AWS DMS Fleet Advisor Target Recommendations feature](https://docs.aws.amazon.com/dms/latest/userguide/fa-recommendations.html).

Before you create an AWS DMS data collector, create an IAM role that your AWS DMS data collector uses to access your Amazon S3 bucket. You created this Amazon S3 bucket when you completed the prerequisites in [Prerequisites for Agentless Collector](agentless-collector-gs-prerequisites.md).

**To create an IAM role for your AWS DMS data collector to access Amazon S3**

1. Sign in to the AWS Management Console and open the IAM console at [https://console.aws.amazon.com/iam/](https://console.aws.amazon.com/iam/).

1. In the navigation pane, choose **Roles**, then choose **Create role**.

1. On the **Select trusted entity** page, for **Trusted entity type**, choose **AWS Service**. For **Use cases for other AWS services**, choose **DMS**.

1. Select the **DMS** check box and choose **Next**.

1. On the **Add permissions** page, choose the **FleetAdvisorS3Policy** policy that you created before. Choose **Next**.

1. On the **Name, review, and create** page, enter **FleetAdvisorS3Role** for **Role name**, then choose **Create role**.

1. Open the role that you created, and choose the **Trust relationships** tab. Choose **Edit trust policy**.

1. On the **Edit trust policy** page, paste the following JSON into the editor, replacing the existing code.

   ```
   {
       "Version": "2012-10-17",
       "Statement": [{
           "Sid": "",
           "Effect": "Allow",
           "Principal": {
               "Service": [
                   "dms.amazonaws.com",
                   "dms-fleet-advisor.amazonaws.com"
               ]
           },
           "Action": "sts:AssumeRole"
       }]
   }
   ```

1. Choose **Update policy**.

Now, create a data collector in the AWS DMS console.

**To create an AWS DMS data collector**

1. Sign in to the AWS Management Console and open the AWS DMS console at [https://console.aws.amazon.com/dms/v2/](https://console.aws.amazon.com/dms/v2/).

1. Choose the AWS Region that you set as your Migration Hub home Region. For more information, see [Sign in to Migration Hub and choose a home Region](setting-up.md#setting-up-choose-home-region). 

1. In the navigation pane, choose **Data collectors** under **Discover**. The **Data collectors** page opens.

1. Choose **Create data collector**. The **Create data collector** page opens.

1. For **Name** in the **General configuration** section, enter a name for your data collector.

1. In the **Connectivity** section, choose **Browse S3**. Choose the Amazon S3 bucket that you created before from the list.

1. For **IAM role**, choose the `FleetAdvisorS3Role` role that you created before.

1. Choose **Create data collector**.

# Configuring data forwarding

After you create the required AWS resources, configure data forwarding from the database and analytics data collection module to your AWS DMS collector.

**To configure data forwarding**

1. Open the Agentless Collector console. For more information, see [Accessing the collector console](agentless-collector-gs-access-console.md). 

1. Choose **View Database and analytics collector**.

1. On the **Dashboard** page, choose **Configure data forwarding** in the **Data forwarding** section.

1. For **AWS Region**, **IAM access key ID**, and **IAM secret access key**, your Agentless Collector uses the values that you configured before. For more information, see [Sign in to Migration Hub and choose a home Region](setting-up.md#setting-up-choose-home-region) and [Create an IAM user](agentless-collector-deploying.md#agentless-collector-gs-iam-user).

1. For **Connected DMS data collector**, choose your data collector that you created in the AWS DMS console.

1. Choose **Save**.

After you configure data forwarding, check the **Data forwarding** section on the **Dashboard** page. Make sure that your database and analytics data collection module displays **Connected** for **Access to DMS** and **Access to S3**.

# Adding your LDAP and OS servers

The database and analytics data collection module uses LDAP in Microsoft Active Directory to gather information about the OS, database, and analytics servers in your network. *Lightweight Directory Access Protocol (LDAP)* is an open standard application protocol. You can use this protocol to access and maintain distributed directory information services over your IP network.

You can add an existing LDAP server into your database and analytics data collection module to automatically discover OS servers in your network. If you don't use LDAP, you can add OS servers manually.

**To add an LDAP server to your database and analytics data collection module**

1. Open the Agentless Collector console. For more information, see [Accessing the collector console](agentless-collector-gs-access-console.md).

1. Choose **View Database and analytics collector**, then choose **LDAP servers** under **Discovery** in the navigation pane.

1. Choose **Add LDAP server**. The **Add LDAP server** page opens.

1. For **Hostname**, enter the hostname of your LDAP server.

1. For **Port**, enter the port number that is used for LDAP requests.

1. For **User name**, enter the user name that you use to connect to your LDAP server.

1. For **Password**, enter the password that you use to connect to your LDAP server.

1. (Optional) Choose **Verify connection** to make sure that you added your LDAP server credentials correctly. Alternatively, you can verify your LDAP server connection credentials later, from the list on the **LDAP servers** page.

1. Choose **Add LDAP server**.

1. On the **LDAP servers** page, select your LDAP server from the list and choose **Discover OS servers**.

**Important**  
For OS discovery, the data collection module needs credentials for the domain server to run requests using the LDAP protocol.

The database and analytics data collection module connects to your LDAP server and discovers your OS servers. After the data collection module completes the OS servers discovery, you can see the list of discovered OS servers by choosing **View OS servers**.

Alternatively, you can add your OS servers manually or import the list of servers from a comma-separated values (CSV) file. Also, you can use the VMware vCenter Agentless Collector data collection module to discover your OS servers. For more information, see [Using the VMware data collection module](agentless-collector-gs-data-collection-vcenter.md).

**To add an OS server to your database and analytics data collection module**

1. On the **Database and analytics collector** page, choose **OS servers** under **Discovery** in the navigation pane.

1. Choose **Add OS server**. The **Add OS server** page opens.

1. Provide your OS server credentials.

   1. For **OS type**, choose the operating system of your server.

   1. For **Hostname / IP**, enter the hostname or IP address of your OS server.

   1. For **Port**, enter the port number that is used for remote queries.

   1. For **Authentication type**, choose the authentication type that your OS server uses.

   1. For **User name**, enter the user name that you use to connect to your OS server.

   1. For **Password**, enter the password that you use to connect to your OS server.

   1. Choose **Verify** to make sure that you added your OS server credentials correctly.

1. (Optional) Add multiple OS servers from a CSV file.

   1. Choose **Bulk import OS servers from CSV**.

   1. Choose **Download template** to save a CSV file that includes a template that you can customize.

   1. Enter the connection credentials for your OS servers into the file according to the template. The following example shows how you can provide OS server connection credentials in a CSV file.

      ```
      OS type,Hostname/IP,Port,Authentication type,Username,Password
      Linux,192.0.2.0,22,Key-based authentication,USER-EXAMPLE,ANPAJ2UCCR6DPCEXAMPLE
      Windows,203.0.113.0,,NTLM,USER2-EXAMPLE,AKIAIOSFODNN7EXAMPLE
      ```

      Save your CSV file after you add credentials for all your OS servers.

   1. Choose **Browse**, then choose your CSV file.

1. Choose **Add OS server**.

1. After you add credentials for all OS servers, select your OS servers and choose **Discover database servers**.

# Discovering your database servers

This section guides you through the steps you must take to configure your operating system and database servers. Then, you'll discover your servers and have the option to add a database or analytics server manually. 

For database discovery, you must create users for your source databases with the minimum permissions required for the data collection module. For more information, see [Creating database users for AWS DMS Fleet Advisor](https://docs.aws.amazon.com/dms/latest/userguide/fa-database-users.html) in the *AWS DMS User Guide*.

# Configuring set up


To discover the databases running on the previously added OS Servers, the data collection module requires access to the operating system and database servers. This page outlines the steps you need to take to make sure that your database is accessible at the port that you specified in connection settings. You'll also turn on the remote authentication on your database server and provide your data collection module with permissions.

## Configure set up on Linux


Complete the following procedure to configure set up to discover database servers on Linux.

**To configure Linux to discover database servers**

1. Provide sudo access to the `ss` and `netstat` commands.

   The following code example grants sudo access to the `ss` and `netstat` commands.

   ```
   sudo bash -c "cat << EOF >> /etc/sudoers.d/username
   username ALL=(ALL) NOPASSWD: /usr/bin/ss
   username ALL=(ALL) NOPASSWD: /usr/bin/netstat 
   EOF"
   ```

   In the preceding example, replace `username` with the name of the Linux user that you specified in OS server connection credentials.

   The preceding example uses the `/usr/bin/` path to the `ss` and `netstat` commands. This path might be different in your environment. To determine the path to the `ss` and `netstat` commands, run the `which ss` and `which netstat` commands.

1. Configure your Linux servers to allow running remote SSH scripts and to allow Internet Control Message Protocol (ICMP) traffic.
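Step 1 above as one script, added here as an example and not AWS-provided code: it resolves the command paths, checks the rules with `visudo -cf` before anything reaches `/etc/sudoers.d`, and installs the drop-in root-owned with mode 0440. The function names are illustrative; because sudo skips files in `/etc/sudoers.d` whose names contain a `.`, dots in the user name are replaced with `_` in the file name.

```shell
#!/bin/sh
# Added example (not AWS tooling): build, syntax-check and install the sudoers
# drop-in for the Linux user named in the OS server connection credentials.

# Print the two sudoers rules for USER, given absolute paths to ss and netstat.
# Rejects user names or paths that could change the meaning of a sudoers line.
render_sudoers_dropin() {
    user=$1 ss_path=$2 netstat_path=$3
    case $user in
        ''|*[!A-Za-z0-9_.-]*|-*) echo "invalid user name: $user" >&2; return 1 ;;
    esac
    for p in "$ss_path" "$netstat_path"; do
        case $p in
            /*) ;;
            *) echo "not an absolute path: $p" >&2; return 1 ;;
        esac
        case $p in
            *[!A-Za-z0-9_./-]*) echo "unexpected character in path: $p" >&2; return 1 ;;
        esac
    done
    printf '%s ALL=(ALL) NOPASSWD: %s\n' "$user" "$ss_path"
    printf '%s ALL=(ALL) NOPASSWD: %s\n' "$user" "$netstat_path"
}

# File name for the drop-in: sudo ignores names containing '.', so map '.' to '_'.
dropin_name() {
    printf '%s\n' "$1" | tr '.' '_'
}

# Validate the rendered rules with visudo, then install them. Must run as root.
install_sudoers_dropin() {
    user=$1
    ss_path=$(command -v ss) || { echo "ss not found" >&2; return 1; }
    netstat_path=$(command -v netstat) || { echo "netstat not found" >&2; return 1; }
    tmp=$(mktemp) || return 1
    if render_sudoers_dropin "$user" "$ss_path" "$netstat_path" > "$tmp" &&
       visudo -cf "$tmp" >/dev/null; then
        install -o root -g root -m 0440 "$tmp" "/etc/sudoers.d/$(dropin_name "$user")"
        rc=$?
    else
        echo "sudoers rules failed validation; nothing installed" >&2
        rc=1
    fi
    rm -f "$tmp"
    return "$rc"
}

# Runs only when a user name is passed, for example: sudo sh setup-sudoers.sh <linux-user>
if [ "$#" -eq 1 ]; then
    install_sudoers_dropin "$1"
fi
```
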

## Configure set up on Microsoft Windows


Complete the following procedure to configure set up to discover database servers on Microsoft Windows.

**To configure Microsoft Windows to discover database servers**

1. Provide credentials with grants to run Windows Management Instrumentation (WMI) and WMI Query Language (WQL) queries and read the registry.

1. Add the Windows user that you specified in OS server connection credentials to the following groups: Distributed COM Users, Performance Log Users, Performance Monitor Users, and Event Log Readers. To do so, use the following code example.

   ```
   net localgroup "Distributed COM Users" username /ADD
   net localgroup "Performance Log Users" username /ADD
   net localgroup "Performance Monitor Users" username /ADD
   net localgroup "Event Log Readers" username /ADD
   ```

   In the preceding example, replace `username` with the name of the Windows user that you specified in OS server connection credentials.

1. Grant the required permissions for the Windows user that you specified in OS server connection credentials.
   + For **Windows Management and Instrumentation Properties**, choose **Local Launch** and **Remote Activation**.
   + For **WMI Control**, choose the **Execute Methods**, **Enable Account**, **Remote Enable**, and **Read Security** permissions for the `CIMV2`, `DEFAULT`, `StandardCimv2`, and `WMI` namespaces.
   + For **WMI plug-in**, run `winrm configsddl default` and then choose **Read** and **Execute**.

1. Configure your Windows host by using the following code example.

   ```
   netsh advfirewall firewall add rule name="Open Ports for WinRM incoming traffic" dir=in action=allow protocol=TCP localport=5985,5986 # Opens ports for WinRM
   netsh advfirewall firewall add rule name="All ICMP V4" protocol=icmpv4:any,any dir=in action=allow # Allows ICMP traffic
   
   Enable-PSRemoting -Force # Enables WinRM
   Set-Service WinRM -StartMode Automatic # Allows WinRM service to run on host startup
   Set-Item WSMan:\localhost\Client\TrustedHosts -Value {IP} -Force # Sets the WinRM client TrustedHosts list to the specified IP address
   
   winrm set winrm/config/service/auth '@{Negotiate="true"}' # Allows Negotiate authentication
   winrm set winrm/config/service '@{AllowUnencrypted="true"}' # Allows unencrypted connections
   ```

# Discovering a database server


Complete the following set of tasks to discover and add database servers on the console.

**To start the discovery of your database servers**

1. On the **Database and analytics collector** page, choose **OS servers** under **Discovery** in the navigation pane.

1. Select the OS servers that include your database and analytics servers, then choose **Verify connection** on the **Actions** menu.

1. For servers that have the **Connectivity** status of **Failed**, edit the connection credentials.

   1. Select a single server or multiple servers when they have identical credentials, then choose **Edit** on the **Actions** menu. The **Edit OS server** page opens.

   1. For **Port**, enter the port number that is used for remote queries.

   1. For **Authentication type**, choose the authentication type that your OS server uses.

   1. For **User name**, enter the user name that you use to connect to your OS server.

   1. For **Password**, enter the password that you use to connect to your OS server.

   1. Choose **Verify connection** to make sure that you updated your OS server credentials correctly. Next, choose **Save**.

1. After you update credentials for all OS servers, select your OS servers and choose **Discover database servers**.

The database and analytics data collection module connects to your OS servers and discovers the supported database and analytics servers. After the data collection module completes the discovery, you can see the list of discovered database and analytics servers by choosing **View database servers**.

Alternatively, you can add your database and analytics servers to inventory manually. Also, you can import the list of servers from a CSV file. You can skip this step if you already added all your database and analytics servers to the inventory.

**To add a database or analytics server manually**

1. On the **Database and analytics collector** page, choose **Data collection** in the navigation pane.

1. Choose **Add database server**. The **Add database server** page opens.

1. Provide your database server credentials.

   1. For **Database engine**, choose the database engine of your server. For more information, see [Supported OS, database, and analytics servers](agentless-collector-gs-database-analytics-collection.md#agentless-collector-gs-database-analytics-collection-supported-servers). 

   1. For **Hostname / IP**, enter the hostname or IP address of your database or analytics server.

   1. For **Port**, enter the port where your server runs.

   1. For **Authentication type**, choose the authentication type that your database or analytics server uses.

   1. For **User name**, enter the user name that you use to connect to your server.

   1. For **Password**, enter the password that you use to connect to your server.

   1. Choose **Verify** to make sure that you added your database or analytics server credentials correctly.

1. (Optional) Add multiple servers from a CSV file.

   1. Choose **Bulk import database servers from CSV**.

   1. Choose **Download template** to save a CSV file that includes a template that you can customize.

   1. Enter the connection credentials for your database and analytics servers into the file according to the template. The following example shows how you can provide database or analytics server connection credentials in a CSV file.

      ```
      Database engine,Hostname/IP,Port,Authentication type,Username,Password,Oracle service name,Database,Allow public key retrieval,Use SSL,Trust server certificate
      Oracle,192.0.2.1,1521,Login/Password authentication,USER-EXAMPLE,AKIAI44QH8DHBEXAMPLE,orcl,,,,
      PostgreSQL,198.51.100.1,1533,Login/Password authentication,USER2-EXAMPLE,bPxRfiCYEXAMPLE,,postgre,,TRUE,
      MSSQL,203.0.113.1,1433,Login/Password authentication,USER3-EXAMPLE,h3yCo8nvbEXAMPLE,,,,,TRUE
      MySQL,2001:db8:4006:812:ffff:200e,8080,Login/Password authentication,USER4-EXAMPLE,APKAEIVFHP46CEXAMPLE,,mysql,TRUE,TRUE,
      ```

      Save your CSV file after you add credentials for all your database and analytics servers.

   1. Choose **Browse**, then choose your CSV file.

1. Choose **Add database server**.

1. After you add credentials for all OS servers, select your OS servers and choose **Discover database servers**.
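Both bulk-import procedures (OS servers and database servers) put plaintext passwords into a CSV file, so a pre-upload check is useful. The following is an added example, not AWS tooling: it confirms the file is readable only by its owner and that every row fits one of the two templates shown in this guide. It assumes unquoted fields and that columns 1, 2, 4, and 5 are always filled in, as they are in the template examples.

```shell
#!/bin/sh
# Added example (not AWS tooling): lint a bulk-import CSV before uploading it.
# Header strings are copied from the two templates shown in this guide.
OS_HEADER='OS type,Hostname/IP,Port,Authentication type,Username,Password'
DB_HEADER='Database engine,Hostname/IP,Port,Authentication type,Username,Password,Oracle service name,Database,Allow public key retrieval,Use SSL,Trust server certificate'

# Return 0 if FILE passes every check, 1 if any check fails, 2 if unreadable.
# Findings name the line and column only, so passwords never reach the output.
lint_import_csv() {
    file=$1
    [ -r "$file" ] || { echo "cannot read: $file" >&2; return 2; }
    mode=$(stat -c %a "$file") || return 2
    errors=0
    # The file holds plaintext passwords: group and other need no access.
    case $mode in
        *00) ;;
        *) echo "ERROR: mode $mode lets group or other users access the file; use chmod 600"
           errors=1 ;;
    esac
    awk -F',' -v os_hdr="$OS_HEADER" -v db_hdr="$DB_HEADER" '
        { sub(/\r$/, "") }                      # tolerate CRLF line endings
        NR == 1 {
            if ($0 != os_hdr && $0 != db_hdr) {
                print "ERROR: line 1: header matches neither template"
                bad = 1; exit
            }
            want = NF; next
        }
        $0 == "" { next }
        NF != want {
            # Also catches an unquoted comma inside a password or user name.
            printf "ERROR: line %d: %d fields, expected %d\n", NR, NF, want
            bad = 1; next
        }
        $1 == "" || $2 == "" || $4 == "" || $5 == "" {
            printf "ERROR: line %d: one of columns 1, 2, 4 or 5 is empty\n", NR
            bad = 1
        }
        $3 != "" && ($3 !~ /^[0-9]+$/ || $3 + 0 < 1 || $3 + 0 > 65535) {
            printf "ERROR: line %d: port is not a number from 1 to 65535\n", NR
            bad = 1
        }
        END { exit bad + 0 }
    ' "$file" || errors=1
    return "$errors"
}

# Runs only when a file is passed, for example: sh lint-import.sh servers.csv
if [ "$#" -eq 1 ]; then
    lint_import_csv "$1"
fi
```

Delete the CSV file, or move it to a secrets store, once the import has succeeded.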

After you add all your database and analytics servers into the data collection module, add them to the inventory. The database and analytics data collection module can connect to the servers from the inventory and collect metadata and performance metrics.

**To add your database and analytics servers to the inventory**

1. On the **Database and analytics collector** page, choose **Database servers** under **Discovery** in the navigation pane.

1. Select the database and analytics servers for which you want to collect metadata and performance metrics.

1. Choose **Add to inventory**.

After you add all database and analytics servers to your inventory, you can start collecting metadata and performance metrics. For more information, see [Database and analytics data collection](agentless-collector-dashboard.md#using-collector-data-collect-database-analytics).

# Data collected by the Agentless Collector database and analytics data collection module

The Application Discovery Service Agentless Collector (Agentless Collector) database and analytics data collection module collects the following metrics from your data environment. For information about setting up data collection, see [Using the database and analytics data collection module](agentless-collector-gs-database-analytics-collection.md).

When you use the database and analytics data collection module to collect **Metadata and database capacity**, it captures the following metrics.
+ Available memory on your OS servers
+ Available storage on your OS servers
+ Database version and edition
+ Number of CPUs on your OS servers
+ Number of schemas
+ Number of stored procedures
+ Number of tables
+ Number of triggers
+ Number of views
+ Schema structure

After you launch the schema analysis in the AWS DMS console, your data collection module analyzes and displays the following metrics.
+ Database support dates
+ Number of lines of code
+ Schema complexity
+ Similarity of schemas

When you use the database and analytics data collection module to collect **Metadata, database capacity, and resource utilization**, it captures the following metrics.
+ I/O throughput on your database servers
+ Input/output operations per second (IOPS) on your database servers
+ Number of CPUs that your OS servers use
+ Memory usage on your OS servers
+ Storage usage on your OS servers

You can use the database and analytics data collection module to collect metadata, capacity, and utilization metrics from your Oracle and SQL Server databases. At the same time, for PostgreSQL and MySQL databases, the data collection module can collect only metadata.

# Viewing your collected data

**Important**  
End of support notice: On May 20, 2026, AWS will end support for AWS Database Migration Service Fleet Advisor. After May 20, 2026, you will no longer be able to access the AWS DMS Fleet Advisor console or AWS DMS Fleet Advisor resources. For more information, see [AWS DMS Fleet Advisor end of support](https://docs.aws.amazon.com/dms/latest/userguide/dms_fleet.advisor-end-of-support.html).

You can view the data that your Application Discovery Service Agentless Collector (Agentless Collector) collected in the Migration Hub console by following the steps in [Viewing servers in the AWS Migration Hub console](view-servers.md).

You can also view the collected metrics for database and analytics servers in the AWS DMS console by taking the following steps.

**To view the data discovered by the database and analytics data collection module in the AWS DMS console**

1. Sign in to the AWS Management Console and open the AWS DMS console at [https://console.aws.amazon.com/dms/v2/](https://console.aws.amazon.com/dms/v2/).

1. Choose **Inventory** under **Discover**. The **Inventory** page opens.

1. Choose **Analyze inventories** to determine database schema properties, such as similarity and complexity.

1. Choose the **Schemas** tab to see the results of analysis.

You can use the AWS DMS console to identify duplicate schemas, determine the migration complexity, and export the inventory information for future analysis. For more information, see [Using inventories for analysis in AWS DMS Fleet Advisor](https://docs.aws.amazon.com/dms/latest/userguide/fa-inventory.html).

# Accessing the Agentless Collector

This section describes how to use the Application Discovery Service Agentless Collector (Agentless Collector).

**Topics**
+ [The Agentless Collector dashboard](agentless-collector-dashboard.md)
+ [Editing Agentless Collector settings](agentless-collector-edit-configure.md)
+ [Editing VMware vCenter credentials](agentless-collector-vcenter-edit.md)

# The Agentless Collector dashboard

On the Application Discovery Service Agentless Collector (Agentless Collector) dashboard page you can see the status of the collector and choose a method of data collection as described in the following topics.

**Topics**
+ [Collector status](#using-collector-status)
+ [Data collection](#using-collector-data-collect)

## Collector status

**Collector status** gives you status information about the collector: the collector name, the status of the collector's connection to AWS, the Migration Hub home Region, and the version.

If you have AWS connection issues, you might need to edit Agentless Collector configuration settings.

To edit the collector configuration settings, choose **Edit collector settings** and follow the instructions described in [Editing Agentless Collector settings](agentless-collector-edit-configure.md).

## Data collection

Under **Data collection** you can choose a data collection method. Application Discovery Service Agentless Collector (Agentless Collector) currently supports data collection from VMware VMs and from database and analytics servers. Future modules will support collection from additional virtualization platforms, and operating system level collection.

**Topics**
+ [VMware vCenter data collection](#using-collector-data-collect-vcenter)
+ [Database and analytics data collection](#using-collector-data-collect-database-analytics)

### VMware vCenter data collection

To collect server inventory, profile, and utilization data from your VMware VMs, set up connections to your vCenter servers. To set up the connections, choose **Set up** in the **VMware vCenter** section and follow the instructions described in [Using the VMware vCenter Agentless Collector data collection module](agentless-collector-gs-data-collection-vcenter.md).

After you set up vCenter data collection, from the dashboard you can perform the following:
+ View data collection status
+ Start data collection
+ Stop data collection

**Note**  
On the dashboard page, after you set up vCenter data collection, the **Set up** button in the **VMware vCenter** section is replaced with data collection status information, a **Stop data collection** button, and a **View and edit** button.

### Database and analytics data collection

You can run your database and analytics data collection module in the following two modes.

**Metadata and database capacity**  
The data collection module collects such information as schemas, versions, editions, CPU, memory, and disk capacity from your database and analytics servers. You can use this collected information to compute target recommendations in the AWS DMS console. If your source database is overprovisioned or underprovisioned, then the target recommendations also will be overprovisioned or underprovisioned.  
This is the default mode.

**Metadata, database capacity, and resource utilization**  
In addition to metadata and database capacity information, the data collection module collects actual utilization metrics of CPU, memory, and disk capacity for the databases and analytics servers. This mode provides more accurate target recommendations than the default mode because the recommendations are based on the actual database workloads. In this mode, the data collection module collects performance metrics every minute.

**To start collecting metadata and performance metrics from your database and analytics servers**

1. On the **Database and analytics collector** page, choose **Data collection** in the navigation pane.

1. From the **Database inventory** list, select the database and analytics servers for which you want to collect metadata and performance metrics.

1. Choose **Run data collection**. The **Data collection type** dialog box opens.

1. Choose how to collect data for analysis.

   If you choose the **Metadata, database capacity, and resource utilization** option, then set the period of data collection. You can collect data during the **Next 7 days** or set the **Custom range** of 1–60 days.

1. Choose **Run data collection**. The **Data collection** page opens.

1. Choose the **Collection health** tab to see the status of data collection.

After completing the data collection, your data collection module uploads collected data to your Amazon S3 bucket. Then, you can view this collected data as described in [Viewing your collected data](agentless-collector-gs-view-collected-data.md).

# Editing Agentless Collector settings

You configured the collector when you first set up Application Discovery Service Agentless Collector (Agentless Collector) as described in [Configuring Agentless Collector](agentless-collector-gs-configure.md). The following procedure describes how to edit Agentless Collector configuration settings.

**To edit the collector configuration settings**
+ Choose the **Edit collector settings** button on the Agentless Collector dashboard.

  On the **Edit collector settings** page, perform the following:

  1. For **Collector name**, enter a name to identify the collector. The name can contain spaces but it cannot contain special characters.

  1. Under **Destination AWS account for discovery data**, enter the AWS access key and secret key for the AWS account to specify as the destination account to receive the data discovered by the collector. For information about the requirements for the IAM user, see [Create an IAM user for Agentless Collector](agentless-collector-deploying.md#agentless-collector-gs-iam-user).

     1. For **AWS access-key**, enter the access key of the AWS account IAM user that you're specifying as the destination account.

     1. For **AWS secret-key**, enter the secret key of the AWS account IAM user that you're specifying as the destination account.

  1. Under **Agentless Collector password**, change the password to use to authenticate access to the Agentless Collector.

     1. For **Agentless Collector password**, enter a password to use to authenticate access to the Agentless Collector.

     1. For **Re-enter Agentless Collector password**, enter the password again for verification.

  1. Choose **Save configurations**.

Next, you'll see [The Agentless Collector dashboard](agentless-collector-dashboard.md).

# Editing VMware vCenter credentials

To collect server inventory, profile, and utilization data from your VMware VMs, set up connections to your vCenter servers. For information about setting up VMware vCenter connections, see [Using the VMware vCenter Agentless Collector data collection module](agentless-collector-gs-data-collection-vcenter.md).

This section describes how to edit the vCenter credentials.

**Note**  
Before editing vCenter credentials, make sure you can provide vCenter credentials with Read and View permissions set for the System group.

**To edit the VMware vCenter credentials**

On the [Viewing VMware data collection details](agentless-collector-gs-vcenter-details.md) page, choose **Edit vCenter servers**.
+ On the **Edit vCenter** page, perform the following:

  1. Under **vCenter credentials**:

     1. For **vCenter URL/IP**, enter the IP address of your VMware vCenter Server host.

     1. For **vCenter Username**, enter the name of a local or domain user that the connector uses to communicate with vCenter. For domain users, use the form *domain*\\*username* or *username*@*domain*.

     1. For **vCenter Password**, enter the local or domain user password.

  1. Choose **Save**.

# Manually updating Application Discovery Service Agentless Collector

When you configure Application Discovery Service Agentless Collector (Agentless Collector), you can choose to enable automatic updates as described in [Configuring Agentless Collector](agentless-collector-gs-configure.md). If you do not enable automatic updates, you'll need to manually update Agentless Collector.

The following procedure describes how to manually update Agentless Collector.

**To manually update Agentless Collector**

1. Obtain the latest Agentless Collector Open Virtualization Archive (OVA) file.

1. (Optional) We recommend that you delete the previous Agentless Collector OVA file before you deploy the latest one.

1. Follow steps in [Deploy Agentless Collector](agentless-collector-deploying.md#agentless-collector-gs-deploy).

**The previous procedure only updates the Agentless Collector. It is your responsibility to keep the OS up to date.**

**To update your Amazon EC2 instance**

1. Get the IP address of the Agentless Collector from VMware vCenter.

1. Open the collector’s VM console and sign in as **ec2-user** using the password **collector** as shown in the following example.

   ```
   username: ec2-user
   password: collector
   ```

1. Follow the instructions in [Update instance software on your AL2 instance](https://docs.aws.amazon.com/linux/al2/ug/install-updates.html) in the Amazon Linux 2 User Guide.

**Kernel Live Patching**

------
#### [ Agentless Collector version 2 ]

The Agentless Collector version 2 virtual machine uses Amazon Linux 2023 as described in [Deploy Agentless Collector](agentless-collector-deploying.md#agentless-collector-gs-deploy). 

To enable and use Live Patching for Amazon Linux 2023, see [Kernel Live Patching on AL2023](https://docs.aws.amazon.com/linux/al2023/ug/live-patching.html) in the *Amazon EC2 User Guide*.

------
#### [ Agentless Collector version 1 ]

The Agentless Collector version 1 virtual machine uses Amazon Linux 2 as described in [Deploy Agentless Collector](agentless-collector-deploying.md#agentless-collector-gs-deploy). 

To enable and use Live Patching for Amazon Linux 2, see [Kernel Live Patching on AL2](https://docs.aws.amazon.com/linux/al2/ug/al2-live-patching.html) in the *Amazon EC2 User Guide*.

------

**To upgrade from Agentless Collector version 1 to version 2**

1. Install a new Agentless Collector OVA by using the latest image.

1. Set up credentials.

1. Delete the old virtual appliance.

# Troubleshooting Agentless Collector

This section contains topics that can help you troubleshoot known issues with Application Discovery Service Agentless Collector (Agentless Collector).

**Topics**
+ [Fixing `Unable to retrieve manifest or certificate file error`](#unable-to-retrieve-manifest-or-certificate-file)
+ [Addressing self-signed certification problems when configuring WinRM certificates](#agentless-collector-address-self-signed-certification-problems)
+ [Fixing Agentless Collector cannot reach AWS during setup](#agentless-collector-fix-connector-cannot-reach-aws)
+ [Fixing self-signed certification problems when connecting to the proxy host](#agentless-collector-fix-self-signed-certification-problems)
+ [Finding unhealthy collectors](#agentless-collector-fixing-unhealthy-connectors)
+ [Fixing IP address issues](#agentless-collector-vcenter-ip-issues)
+ [Fixing vCenter credentials issues](#agentless-collector-vcenter-credentials-issues)
+ [Fixing data forwarding issues in the database and analytics data collection module](#agentless-collector-database-analytics-forwarding-issues)
+ [Fixing connection issues in the database and analytics data collection module](#agentless-collector-database-analytics-connection-issues)
+ [Standalone ESX host support](#agentless-collector-standalone-esx-host)
+ [Contacting AWS Support for Agentless Collector issues](#agentless-collector-support)

## Fixing `Unable to retrieve manifest or certificate file error`


If you receive this error when you try to deploy the OVA from the Amazon S3 URL in the VMware vCenter UI, ensure that your vCenter server meets the following requirements:
+ VMware vCenter Server version 8.0 update 1 or later
+ VMware vCenter Server 7.0 Update 3q (ISO Build 23788036) or later

## Addressing self-signed certification problems when configuring WinRM certificates


If you enable WinRM certificate checks, you might need to import a self-signed certificate authority into the Agentless Collector.

**To import a self-signed certificate authority**

1. Open the collector’s VM web console in VMware vCenter and sign in as `ec2-user` with the password `collector` as shown in the following example.

   ```
   username: ec2-user
   password: collector
   ```

1. Make sure that every self-signed CA certificate that is used to sign WinRM certificates is under the directory `/etc/pki/ca-trust/source/anchors`. For example:

   ```
   /etc/pki/ca-trust/source/anchors/https-winrm-ca-1.pem
   ```

1. To install the new certificates, run the following command.

   ```
   sudo update-ca-trust
   ```

1. Restart the Agentless Collector by running the following command.

   ```
   sudo shutdown -r now
   ```

1. (Optional) To verify that certificates have been successfully imported, you can run the following command.

   ```
   sudo trust list --filter=ca-anchors | less
   ```

## Fixing Agentless Collector cannot reach AWS during setup


Agentless Collector requires outbound access over TCP port 443 to several AWS domains. When configuring Agentless Collector in the console you can get the following error message.

**Could Not Reach AWS**  
AWS cannot be reached. Please verify network settings.

This error occurs because of a failed attempt by Agentless Collector to establish an HTTPS connection to an AWS domain that the collector needs to communicate with during the setup process. The Agentless Collector configuration fails if a connection can't be established. 

**To fix the connection to AWS**

1. Check with your IT admin to see if your company firewall is blocking outbound traffic on port 443 to any of the AWS domains that require outbound access. Which AWS domains require outbound access depends on whether your home Region is the US West (Oregon) Region, us-west-2, or another Region.

   **The following domains require outbound access if your AWS account home Region is `us-west-2`:**
   + `arsenal-discovery.us-west-2.amazonaws.com`
   + `migrationhub-config.us-west-2.amazonaws.com`
   + `api.ecr-public.us-east-1.amazonaws.com`
   + `public.ecr.aws`

   **The following domains require outbound access if your AWS account home Region is not `us-west-2`:**
   + `arsenal-discovery.us-west-2.amazonaws.com`
   + `arsenal-discovery.your-home-region.amazonaws.com`
   + `migrationhub-config.us-west-2.amazonaws.com`
   + `api.ecr-public.us-east-1.amazonaws.com`
   + `public.ecr.aws`

   If your firewall is blocking outbound access to the AWS domains that Agentless Collector needs to communicate with, configure a proxy host in the **Data synchronization** section under **Collector configuration**.

1. If updating the firewall does not resolve the connection issue, use the following steps to ensure that the collector virtual machine has outbound network connectivity to the domains listed in the previous step. 

   1. Get the IP address of the Agentless Collector from VMware vCenter.

   1. Open the collector’s VM web console and sign in as **ec2-user** using the password **collector** as shown in the following example.

      ```
      username: ec2-user
      password: collector
      ```

   1. Test the connection to the listed domains by running telnet on port 443 as shown in the following example.

      ```
      telnet migrationhub-config.us-west-2.amazonaws.com 443
      ```

1. If telnet cannot resolve the domain, try configuring a static DNS server using the [instructions for Amazon Linux 2](https://aws.amazon.com/premiumsupport/knowledge-center/ec2-static-dns-ubuntu-debian/).

1. If the error continues, for further support, see [Contacting AWS Support for Agentless Collector issues](#agentless-collector-support).
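The per-domain telnet test above can be run across the whole domain list for your home Region in one pass. The following script is an added example, not AWS tooling, and its function names are illustrative. It reports DNS failures separately from blocked TCP connections so that you know which of the steps above applies, and it probes direct connections only, so it does not exercise a configured proxy host.

```shell
#!/bin/sh
# Added example (not AWS tooling): check outbound TCP 443 from the collector VM
# to every AWS domain listed in the procedure above.

# Print the required domains, one per line, for a Migration Hub home Region.
required_domains() {
    home_region=$1
    case $home_region in
        ''|*[!a-z0-9-]*) echo "invalid Region: $home_region" >&2; return 1 ;;
    esac
    echo "arsenal-discovery.us-west-2.amazonaws.com"
    if [ "$home_region" != "us-west-2" ]; then
        echo "arsenal-discovery.${home_region}.amazonaws.com"
    fi
    echo "migrationhub-config.us-west-2.amazonaws.com"
    echo "api.ecr-public.us-east-1.amazonaws.com"
    echo "public.ecr.aws"
}

# Classify one domain as ok, dns-failure or tcp-blocked.
# dns-failure points at the static DNS step; tcp-blocked at the firewall or proxy.
probe_domain() {
    host=$1 port=${2:-443}
    if ! getent hosts "$host" >/dev/null 2>&1; then
        echo "dns-failure"
        return 0
    fi
    # bash opens a TCP connection through /dev/tcp; timeout bounds the wait.
    if timeout 5 bash -c 'exec 3<>"/dev/tcp/$0/$1"' "$host" "$port" 2>/dev/null; then
        echo "ok"
    else
        echo "tcp-blocked"
    fi
}

# Probe every required domain; return non-zero if any is unreachable.
check_aws_reachability() {
    domains=$(required_domains "$1") || return 2
    failures=0
    for d in $domains; do
        result=$(probe_domain "$d")
        printf '%-50s %s\n' "$d" "$result"
        [ "$result" = "ok" ] || failures=$((failures + 1))
    done
    [ "$failures" -eq 0 ]
}

# Runs only when a Region is passed, for example: sh check-aws.sh us-west-2
if [ "$#" -eq 1 ]; then
    check_aws_reachability "$1"
fi
```
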

## Fixing self-signed certification problems when connecting to the proxy host


If communication with the optionally provided proxy is via HTTPS and the proxy has a self-signed certificate, you might need to provide a certificate.

1. Get the IP address of the Agentless Collector from VMware vCenter.

1. Open the collector’s VM web console and sign in as `ec2-user` with the password `collector` as shown in the following example.

   ```
   username: ec2-user
   password: collector
   ```

1. Paste the body of the certificate that is associated with the secure proxy, including both `-----BEGIN CERTIFICATE-----` and `-----END CERTIFICATE-----`, into the following file:

   ```
   /etc/pki/ca-trust/source/anchors/https-proxy-ca.pem
   ```

1. To install the new certificate, run the following command:

   ```
   sudo update-ca-trust
   ```

1. Restart the Agentless Collector by running the following command:

   ```
   sudo shutdown -r now
   ```

## Finding unhealthy collectors


Status information for every collector is found on the [Data collectors](https://console.aws.amazon.com/migrationhub/discover/datacollectors?type=connector) page of the AWS Migration Hub (Migration Hub) console. You can identify collectors with problems by finding any collectors with a **Status** of **Requires attention**. 

The following procedure describes how to access the Agentless Collector console to identify health issues.

**To access the Agentless Collector console**

1. Using your AWS account, sign in to the AWS Management Console and open the Migration Hub console at [https://console.aws.amazon.com/migrationhub/](https://console.aws.amazon.com/migrationhub/).

1. In the Migration Hub console navigation pane under **Discover**, choose **Data collectors**.

1. From the **Agentless collectors** tab, make a note of the **IP address** for each connector that has a status of **Requires attention**.

1. To open the Agentless Collector console, open a web browser. Then type the following URL in the address bar: **https://***<ip\_address>***/**, where *ip\_address* is the IP address of an unhealthy collector.

1. Choose **Log in**, and then enter the Agentless Collector password, which was set up when the collector was configured in [Configuring Agentless Collector](agentless-collector-gs-configure.md).

1. On the **Agentless Collector** dashboard page, under **Data collection**, choose **View and edit** in the **VMware vCenter** section.

1. Follow the instructions in [Editing VMware vCenter credentials](agentless-collector-vcenter-edit.md) to correct the URL and credentials.

After correcting the health issues, the collector will re-establish connectivity with vCenter server, and the collector's status will change to the **Collecting** state. If the issues persist, see [Contacting AWS Support for Agentless Collector issues](#agentless-collector-support).

The most common causes for unhealthy collectors are IP address and credentials issues. [Fixing IP address issues](#agentless-collector-vcenter-ip-issues) and [Fixing vCenter credentials issues](#agentless-collector-vcenter-credentials-issues) can help you resolve these issues and return a collector to a healthy state.

## Fixing IP address issues


A collector can go into an unhealthy state if the vCenter endpoint provided during collector setup is malformed or invalid, or if the vCenter server is currently down and not reachable. In this case, you'll receive a **Connection error** message.

The following procedure can help you resolve IP address issues.

**To fix collector IP address issues**

1. Get the IP address of the Agentless Collector from VMware vCenter.

1. Open the Agentless Collector console by opening a web browser, and then type the following URL in the address bar: **https://***<ip_address>***/**, where *ip_address* is the IP address of the collector from [Deploy Agentless Collector](agentless-collector-deploying.md#agentless-collector-gs-deploy).

1. Choose **Log in**, and then enter the Agentless Collector password, which was set up when the collector was configured in [Configuring Agentless Collector](agentless-collector-gs-configure.md).

1. On the **Agentless Collector** dashboard page, under **Data collection**, choose **View and edit** in the **VMware vCenter** section.

1. On the **VMware data collection details** page, under **Discovered vCenter servers**, make a note of the IP address in the **vCenter** column.

1. Using a separate command line tool like `ping` or `traceroute`, validate that the associated vCenter server is active and the IP is reachable from the collector VM.
   + If the IP address is incorrect and the vCenter service is active, then update the IP address in the collector console, and choose **Next**.
   + If the IP address is correct but the vCenter server is inactive, activate it.
   + If the IP address is correct and the vCenter server is active, check if it is blocking ingress network connections due to firewall issues. If yes, update your firewall settings to allow incoming connections from the collector VM.

## Fixing vCenter credentials issues


Collectors can go into an unhealthy state if the vCenter user credentials provided when configuring a collector are invalid, or do not have vCenter Read and View account privileges.

If you experience issues related to vCenter credentials, check to make sure that you have vCenter Read and View permissions set for the System group. 

For information about editing vCenter credentials, see [Editing VMware vCenter credentials](agentless-collector-vcenter-edit.md). 

## Fixing data forwarding issues in the database and analytics data collection module

The home page of the database and analytics data collection module in Agentless Collector displays the connection status for **Access to DMS** and **Access to S3**. If you see **No access** for **Access to DMS** and **Access to S3**, then configure data forwarding. For more information, see [Configuring data forwarding](agentless-collector-gs-database-analytics-collection-prerequisites.md).

If you experience this issue after you configure data forwarding, then check to make sure that your data collection module can access the internet. Then, make sure that you added the **DMSCollectorPolicy** and **FleetAdvisorS3Policy** policies to your IAM user. For more information, see [Create an IAM user for Agentless Collector](agentless-collector-deploying.md#agentless-collector-gs-iam-user).

If your data collection module can't connect to AWS, then provide outbound access to the following domains.
+ `dms.your-home-region.amazonaws.com`
+ `s3.amazonaws.com`
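
The `ping` and `traceroute` check in Fixing IP address issues and the outbound-domain list above can also be tested at the TCP layer, because ICMP can succeed while the service port is still blocked. The following is an added example, not AWS code: port 443, the function names, and the command-line arguments are assumptions, and it needs Python 3 on a host in the same network segment as the collector.

```python
"""Classify TCP reachability to vCenter and to the AWS endpoints named in this guide."""
import socket
import sys

HTTPS_PORT = 443  # assumption: the page names hosts only; 443 is the HTTPS default

# What each result suggests, phrased after the troubleshooting bullets above.
ADVICE = {
    "open": "service is listening; the address is right and nothing blocks the path",
    "refused": "host answered but nothing listens on the port; service inactive or wrong port",
    "timeout": "no answer; wrong IP address, host down, or a firewall dropping the traffic",
    "dns": "name did not resolve; endpoint is malformed or DNS is unavailable",
    "error": "other network error, for example no route to the host",
}


def classify(exc):
    """Map the exception from a connect attempt (None on success) to an ADVICE key."""
    if exc is None:
        return "open"
    if isinstance(exc, socket.gaierror):
        return "dns"
    if isinstance(exc, (socket.timeout, TimeoutError)):
        return "timeout"
    if isinstance(exc, ConnectionRefusedError):
        return "refused"
    return "error"


def probe(host, port=HTTPS_PORT, timeout=3.0):
    """Try one TCP connection and return (ADVICE key, OS error text)."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return "open", ""
    except OSError as exc:
        return classify(exc), str(exc)


def aws_endpoints(home_region):
    """Outbound domains the data collection module needs, as listed in this guide."""
    return [f"dms.{home_region}.amazonaws.com", "s3.amazonaws.com"]


if __name__ == "__main__":
    # Usage: python3 probe.py <vcenter-host-or-ip> <home-region>
    vcenter, region = sys.argv[1], sys.argv[2]
    for host in [vcenter] + aws_endpoints(region):
        key, detail = probe(host)
        print(f"{host}:{HTTPS_PORT} -> {key}: {ADVICE[key]} {detail}".rstrip())
```

A firewall that rejects connections instead of dropping them shows up as `refused` rather than `timeout`, so read `refused` as "the host or a device in the path answered".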

## Fixing connection issues in the database and analytics data collection module

The database and analytics data collection module in Agentless Collector connects to your LDAP servers to discover OS servers in your data environment. Then, the data collection module connects to your OS servers to discover database and analytics servers. From these database servers, the data collection module gathers capacity and performance metrics. If your data collection module can't connect to these servers, then verify that you can connect to your servers.

In the following examples, replace *replaceable* values with your values.
+ To verify that you can connect to your LDAP server, install the `ldap-utils` package. To do so, run the following command.

  ```
  sudo apt-get install ldap-utils
  ```

  Then, run the following command.

  ```
  ldapsearch -x -D "CN=user,CN=Users,DC=example,DC=com" -w "password" -b "dc=example,dc=com" -h [hostname or IP]
  ```
+ To verify that you can connect to a Linux OS server, use the following commands.

  ```
  ssh -i C:\Users\user\private_key.pem -p 22 username@my-linux-host.domain.com
  ```

  Run the previous example as an administrator in Windows.

  ```
  ssh username@my-linux-host.domain.com
  ```

  Run the previous example in Linux.
+ To verify that you can connect to a Windows OS server, use the following commands.

  ```
  winrs -r:[hostname or ip] -u:username -p:password cmd
  ```

  Run the previous example as an administrator in Windows.

  ```
  sudo apt install -y winrm
  winrm --user=username --password=password [http or https]://[hostname or ip]:[port] "[cmd.exe or any other CLI command]"
  ```

  Run the previous example in Linux.
+ To verify that you can connect to a SQL Server database, use the following commands.

  ```
  sqlcmd -S [hostname or IP] -U username -P 'password'
  SELECT GETDATE() AS sysdate
  GO
  ```
+ To verify that you can connect to a MySQL database, use the following commands.

  ```
  mysql -u username -p'password' -h [hostname or IP] -P [port]
  SELECT NOW() FROM DUAL;
  ```
+ To verify that you can connect to an Oracle database, use the following commands.

  ```
  sqlplus username/password@[hostname or IP]:port/servicename
  SELECT SYSDATE FROM DUAL;
  ```
+ To verify that you can connect to a PostgreSQL database, use the following commands.

  ```
  psql -U username -h [hostname or IP] -p port -d database
  SELECT CURRENT_TIMESTAMP AS sysdate;
  ```

If you can't connect to your database and analytics servers, then make sure that you provide the required permissions. For more information, see [Discovering your database servers](agentless-collector-gs-database-analytics-collection-discovery.md).

## Standalone ESX host support


The Agentless Collector does not support a standalone ESX host. The ESX host must be part of the vCenter Server instance.

## Contacting AWS Support for Agentless Collector issues

If you encounter issues with Application Discovery Service Agentless Collector (Agentless Collector) and need help, contact [AWS Support](https://aws.amazon.com/contact-us/). You'll be contacted and might be asked to send the collector logs.

**To obtain Agentless Collector logs**

1. Get the IP address of the Agentless Collector from VMware vCenter.

1. Open the collector’s VM web console and sign in as **ec2-user** using the password **collector** as shown in the following example.

   ```
   username: ec2-user
   password: collector
   ```

1. Use the following command to navigate to the log folder. 

   ```
   cd /var/log/aws/collector
   ```

1. Zip the log files by using the following commands.

   ```
   sudo cp /local/agentless_collector/compose.log .
   docker inspect $(docker ps --format {{.Names}}) | sudo tee docker_inspect.log >/dev/null
   sudo tar czf logs_$(date '+%d-%m-%Y_%H.%M.%S').tar.gz --exclude='db.mv*' *
   ```

1. Copy the log file from the Agentless Collector VM.

   ```
   scp logs*.tar.gz targetuser@targetaddress:
   ```

1. Give the `tar.gz` file to AWS Enterprise Support.