Open-AudIT

What's on your network?
It is currently Sat Jan 20, 2018 7:03 pm

All times are UTC + 10 hours




Forum locked This topic is locked, you cannot edit posts or make further replies.  [ 6 posts ] 
Author Message
PostPosted: Sat Jul 02, 2011 3:33 am 
Offline
Newbie

Joined: Wed Jun 29, 2011 4:56 am
Posts: 4
For a while now software has been showing up as detected as new, even after it has been detected before. It creates a large number of "Software Detected in the last 1 days" on the home page. Any ideas why this could happen? I ran table check in MySQL and everything came back OK.


Top
 Profile  
Reply with quote  
PostPosted: Sat Jul 02, 2011 1:44 pm 
Offline
Moderator

Joined: Fri Jul 20, 2007 8:27 am
Posts: 1226
Total guess but are you running more than one audit process at a time? Not multiple audits of different machines but multiple simultaneous audits of a single machine.


Top
 Profile  
Reply with quote  
PostPosted: Wed Jul 06, 2011 2:03 am 
Offline
Newbie

Joined: Wed Jun 29, 2011 4:56 am
Posts: 4
No, I have multiple locations auditing different domains at the same time but no machine is audited more than once by the process.


Top
 Profile  
Reply with quote  
PostPosted: Sat Jul 09, 2011 2:41 am 
Offline
Moderator

Joined: Fri Jul 20, 2007 8:27 am
Posts: 1226
What value are you using for uuid_type in the audit.config? Is it possible that you have multiple machines with the same UUID?

When OpenAudit adds new software it grabs the latest audit timestamp for a machine specified by its UUID.
Code:
"SELECT MAX(system_audits_timestamp) AS timestamp FROM system_audits WHERE system_audits_uuid = '$uuid'"


Then it tires to update any existing software given the machines uuid, the software name and the timestamp.
Code:
"UPDATE software SET software_timestamp = '$timestamp', software_count = '$count', software_version = '$software_version',
software_location = '$software_location', software_uninstall = '$software_uninstall', software_install_date = '$software_install_date',
software_publisher = '$software_publisher', software_install_source = '$software_install_source', software_system_component = '$software_system_component',
software_url = '$software_url', software_comment = '$software_comments'
WHERE software_uuid = '$uuid' AND
software_name = '$software_name' AND
(software_timestamp = '$software_timestamp' OR software_timestamp = '$timestamp')"

If the update doesn't work because no existing software with the same uuid, name and timestamp is found then the software is added as new.

To troubleshoot you'd need to take an example software audit line and trace it through the OpenAudit add process to see why it's not doing what you'd expect.


Top
 Profile  
Reply with quote  
PostPosted: Tue Jul 12, 2011 4:18 am 
Offline
Newbie

Joined: Wed Jun 29, 2011 4:56 am
Posts: 4
Thanks for the tip. I'm going to run an export of uuid and system names a few times a day then diff them to see if I'm getting systems with the same uuid.

While looking at the uuid filed on the system table I see 1 with a blank uuid so maybe this creates an issue with some of the joins. Also some of them have the FQDN as the uuid so not sure how that happened. I'll delete those systems and see if that cleans anything up.

I'll post my results. Thanks again.


Top
 Profile  
Reply with quote  
PostPosted: Tue Jul 12, 2011 4:21 am 
Offline
Newbie

Joined: Wed Jun 29, 2011 4:56 am
Posts: 4
Also, I'm using uuid type "uuid" in audit.conig


Top
 Profile  
Reply with quote  
Display posts from previous:  Sort by  
Forum locked This topic is locked, you cannot edit posts or make further replies.  [ 6 posts ] 

All times are UTC + 10 hours


Who is online

Users browsing this forum: No registered users and 4 guests


You cannot post new topics in this forum
You cannot reply to topics in this forum
You cannot edit your posts in this forum
You cannot delete your posts in this forum
You cannot post attachments in this forum

Search for:
Jump to:  
cron
Powered by phpBB® Forum Software © phpBB Group