Open-AudIT
https://www.open-audit.org/phpBB3/

[help] [solved] Failed Audits
https://www.open-audit.org/phpBB3/viewtopic.php?f=20&t=6024
Page 1 of 1

Author:  spichelman [ Fri Feb 15, 2013 8:35 am ]
Post subject:  [help] [solved] Failed Audits

Hi-

I've installed the latest 9.2 Beta and when I choose Failed Audits from the Reports menu - no results are returned.
I am looking at the sys_man_audits table in the OAv2 DB to see why there is "mostly" no data in the "audit_wmi_fails" column/field?

Here is the SQL select from the XML file for Failed Audits that comes with OA:

SELECT system.system_id, system.hostname, system.man_ip_address,
       sys_man_audits.system_audits_time, sys_man_audits.audit_debug
FROM system
LEFT JOIN sys_man_audits
       ON (system.system_id = sys_man_audits.system_id
           AND system.timestamp = sys_man_audits.system_audits_time)
LEFT JOIN oa_group_sys ON (system.system_id = oa_group_sys.system_id)
WHERE oa_group_sys.group_id = 3
  AND sys_man_audits.audit_debug > ''

I am trying to figure out what to look for in this table to determine a failed/missing audit of a machine?
select audit_wmi_fails from sys_man_audits;

--> Examples of values in fields below...

'Win32_USBDevice '
'W3SVC '

I see the "systems_audits_id" and "system_audits_time" are listed/audited in the table by the "audit_domain_windows.vbs" script.
However, audit_debug has all empty/null values?

Any clues are appreciated.
Thx.

-SP

Author:  jpa [ Fri Feb 15, 2013 9:35 am ]
Post subject:  Re: Failed Audits

The current OA architecture makes failed/missing audits hard to log. The server does not know when an audit has been attempted so if there is a problem that causes the audit to fail to send data to the server there is no log of that failure.

Basically the Failed Audit report shows audits where the data reached the server but there was a problem processing the data part way through.

Some failures to audit can be detected because data is sent to the server by the audit process. OA processes and writes the XML upload data to the database one section at a time. Before OA processes a section of XML it writes that section name to the audit_debug column of sys_man_audits for the audit causing the problem. So if OA processes the sys, windows and bios data and then dies on the processor section the audit_debug field should have processor in it. A successful audit clears this field at the end of processing the data.

The audit process itself can have trouble with some WMI calls which it includes in the audit data sent to the server. If the data actually gets to the server then audit_wmi_fails column should have these listed. You can look through the audit_windows.vbs source for the data in audit_wmi_fails to see the code that is failing (e.g. grep for Win32_USBDevice). There's not enough detail in this error message to determine the exact problem in all cases but it's a start.

Author:  Mark [ Fri Feb 15, 2013 10:36 am ]
Post subject:  Re: Failed Audits

Everything JPA said is 100% correct.
[quote="spichelman"]when I choose Failed Audits from the Reports menu - no results are returned.[/quote]
This is a good thing. It means audits are processing correctly.

[quote="spichelman"]I am looking at the sys_man_audits table in the OAv2 DB to see why there "mostly" not any data in the "audit_wmi_fails" column/field?[/quote]
Any data here is sent by the audit_windows script. It simply means the audit_windows script did not get any info for those WMI calls. In the case of Win32_USBDevice, this is a WMI component that is only installed if you have the Microsoft SMS/System Center client installed. In the case of W3SVC, either IIS is not installed on the machine in question, or it failed querying IIS for some reason. You would need to dump some variables from the audit_script to chase that down. I'll have to leave that as an exercise for someone else though.

[quote="spichelman"]I am trying to figure out what to look for in this table to determine a failed/missing audit of a machine?[/quote]
This table will not provide that data. JPA's post details where to look for a submitted, but failed audit. As for finding a failed audit_windows script - not much hope there. The machine will obviously NOT be in the Open-AudIT database. Personally, I would export the "All Windows" group to an Excel file, then query Active Directory (assuming you are running AD), for a list of machine names. Put that list into Excel and compare the two lists to determine which PCs are missing. I may code something for Open-AudIT to query Active Directory directly, but I'm swamped at the moment with other features. Consider that feature "on the list"...
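As an added example (not part of the thread and not Open-AudIT's own code), the script below puts JPA's and Mark's answers into working form: it mocks the three tables the shipped report query touches in an in-memory SQLite database, runs that query unchanged to find audits that died part way through (the section name left in audit_debug), lists the WMI classes each host's audit_wmi_fails column reports, and then diffs the OA hostnames against a constructed Active Directory computer list to find machines whose audit never reached the server. Table and column names are those quoted in the thread; the rows, the AD list, and the assumption that audit_wmi_fails is a whitespace-separated list are constructed for illustration, and group_id 3 is simply the value hard-coded in the shipped query.

```python
import sqlite3

# Constructed sample rows standing in for a slice of the OAv2 schema.
# Column names follow the thread; the hosts and values are invented.
SYSTEMS = [
    # system_id, hostname, man_ip_address, timestamp (time of the latest audit)
    (1, "pc-alpha", "10.0.0.11", "2013-02-15 08:00:00"),
    (2, "pc-bravo", "10.0.0.12", "2013-02-15 08:05:00"),
    (3, "pc-charlie", "10.0.0.13", "2013-02-15 08:10:00"),
]
AUDITS = [
    # system_audits_id, system_id, system_audits_time, audit_debug, audit_wmi_fails
    (10, 1, "2013-02-15 08:00:00", "", "Win32_USBDevice "),  # clean audit, one WMI class unreadable
    (11, 2, "2013-02-15 08:05:00", "processor", ""),         # server died while processing 'processor'
    (12, 3, "2013-02-15 08:10:00", None, "W3SVC "),          # clean audit, IIS query failed
    (9, 2, "2013-02-14 08:05:00", "", ""),                   # older audit of pc-bravo, ignored by the join
]
GROUP_SYS = [(1, 3), (2, 3), (3, 3)]  # group_id 3, as hard-coded in the shipped report

# Constructed list of computer accounts, as you would export from AD.
AD_COMPUTERS = ["PC-ALPHA", "PC-BRAVO", "PC-CHARLIE", "PC-DELTA"]

# The Failed Audits query from the report XML, unchanged apart from layout.
FAILED_AUDITS_SQL = """
SELECT system.system_id, system.hostname, system.man_ip_address,
       sys_man_audits.system_audits_time, sys_man_audits.audit_debug
FROM system
LEFT JOIN sys_man_audits
       ON (system.system_id = sys_man_audits.system_id
           AND system.timestamp = sys_man_audits.system_audits_time)
LEFT JOIN oa_group_sys ON (system.system_id = oa_group_sys.system_id)
WHERE oa_group_sys.group_id = 3
  AND sys_man_audits.audit_debug > ''
"""

# Same join, but pulling the WMI calls the audit script could not satisfy.
WMI_FAILS_SQL = """
SELECT system.hostname, sys_man_audits.audit_wmi_fails
FROM system
JOIN sys_man_audits
  ON system.system_id = sys_man_audits.system_id
 AND system.timestamp = sys_man_audits.system_audits_time
WHERE sys_man_audits.audit_wmi_fails > ''
"""


def build_db():
    """Create the three tables in memory and load the constructed rows."""
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE system (system_id INTEGER, hostname TEXT,
                             man_ip_address TEXT, timestamp TEXT);
        CREATE TABLE sys_man_audits (system_audits_id INTEGER, system_id INTEGER,
                                     system_audits_time TEXT, audit_debug TEXT,
                                     audit_wmi_fails TEXT);
        CREATE TABLE oa_group_sys (system_id INTEGER, group_id INTEGER);
    """)
    conn.executemany("INSERT INTO system VALUES (?,?,?,?)", SYSTEMS)
    conn.executemany("INSERT INTO sys_man_audits VALUES (?,?,?,?,?)", AUDITS)
    conn.executemany("INSERT INTO oa_group_sys VALUES (?,?)", GROUP_SYS)
    return conn


def partial_audits(conn):
    """hostname -> XML section left in audit_debug (processing died there).
    Empty and NULL audit_debug both fail the '> ''' test, so clean audits drop out."""
    return {row[1]: row[4] for row in conn.execute(FAILED_AUDITS_SQL)}


def wmi_fails(conn):
    """hostname -> WMI classes/queries the audit script could not read.
    Assumes audit_wmi_fails is a whitespace-separated list (the thread shows trailing spaces)."""
    return {host: fails.split() for host, fails in conn.execute(WMI_FAILS_SQL)}


def missing_from_oa(conn, ad_computers):
    """AD computer accounts with no row in system at all: the audit never reached the server.
    Hostnames are compared case-insensitively because AD exports are usually upper-case."""
    audited = {h.lower() for (h,) in conn.execute("SELECT hostname FROM system")}
    return sorted(c for c in ad_computers if c.lower() not in audited)


if __name__ == "__main__":
    db = build_db()
    print("partial audits:", partial_audits(db))
    print("WMI fails:", wmi_fails(db))
    print("never audited:", missing_from_oa(db, AD_COMPUTERS))
```

Against real data, point the connection at the OAv2 MySQL database instead of the in-memory mock and feed missing_from_oa() the computer names exported from AD; the two queries run unchanged.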

Author:  spichelman [ Sat Feb 16, 2013 7:07 am ]
Post subject:  Re: Failed Audits

Thanks guys (Mark/JPA) for the detailed answers.

JPA - will look into the audit_windows source if a problem arises with a "partial" audit.

Mark - Yes, running an SQL query on the "All Windows group" is a good idea.
We write some of our own PHP scripts for custom queries - maybe we could query AD and compare (check for unique) results within the same script?
I've tried the same logic in a VB script but have not got it working yet.

I thought OpenAudit v1 had a failed_audit.log file in the scripts dir, or had the option in the audit.sh script to see missed computers?
Maybe I misunderstood...
<smile>

Thanks again for your continued support and hard work with OAv2.

-SP

All times are UTC + 10 hours