Open-AudIT

What's on your network?
All times are UTC + 10 hours

PostPosted: Fri Mar 06, 2015 1:32 am 
Offline
Newbie

Joined: Thu Apr 26, 2012 9:26 am
Posts: 37
Location: USA - Madison, Wi.
Hi-

Having an issue updating some systems - will not update DB entries for new software that has been added or upgraded?

When running "audit_windows" script manually works.
--> cscript audit_windows.vbs Stacie-xxxxxx.xxxxxx.local

vs.

Batch script using "Domain" script - does "not" work?

@echo on
cscript C:\xampplite\open-audit\other\audit_domain.vbs
exit

Under Software - until we manually updated - the entry showed this version of Firefox:

Mozilla Firefox 24.3.0 ESR (x86 en-US)
24.3.0
Mozilla
2015-03-05 08:44:00

After manual run of "audit_windows" script - it updated and worked...

Mozilla Firefox 31.3.0 ESR (x86 en-US)
31.3.0
Mozilla
2015-03-05 08:44:00


Here is the Open Audit log of the "Domain" script running in batch:

Mar 05 07:13:27 MDNAM 1644 C:system F:add_system Processing audit result for stacie-xxxxxx.
Mar 05 07:13:27 MDNAM 1644 M:system F:create_system_key System Key being generated for stacie-xxxxx.
Mar 05 07:13:27 MDNAM 1644 M:system F:create_system_key System Key is stacie-xxxxxx.xxxxxx.local for stacie-xxxxx type fqdn.
Mar 05 07:13:27 MDNAM 1644 M:system F:find_system HIT on man_ip_address for 192.168.10.119.
Mar 05 07:13:27 MDNAM 1644 M:system F:find_system Returning System ID 214.
Mar 05 07:13:27 MDNAM 1644 C:system F:add_system Updating result for stacie-xxxxxx (System ID 214).
Mar 05 07:13:28 MDNAM 1644 M:system F:update_system System update start for 192.168.10.119 (stacie-xxxxxxx) (System ID 214)
Mar 05 07:13:32 MDNAM 1644 M:system F:update_system System update end for 192.168.010.119 (stacie-xxxxx) (System ID 214).
Mar 05 07:13:34 MDNAM 1644 C:system F:add_system C:system F:add_system Processing completed for stacie-xxxxxxx (System ID 214), took 6.2473 seconds.


Here is the Manual run of the "audit_windows" script...


C:\xampplite\open-audit\other>cscript audit_windows.vbs Stacie-xxxxxx.xxxxxx.local
Microsoft (R) Windows Script Host Version 5.8
Copyright (C) Microsoft Corporation. All rights reserved.

starting audit - Stacie-xxxxxx.xxxxxx.local
Not pinging target (override with ping_target=y).
My PID is : 3820
Audit Start Time : 2015-03-05 08:44:00
Audit Location: remote
-------------------
system info
windows info
bios info
scsi info
processor info
memory info
motherboard info
optical info
modem info
video info
monitor info
sound info
disk info
partition info
mount point info
shares info
network card info
network address info
DNS info
printer info
scheduled tasks
environment variables
logs
pagefile
local users info
local groups info
Codec info
ODBC Driver info
ODBC Driver info 64bit
MDAC info
DirectX info
Windows Media Player info
Internet Explorer info
Outlook Express info
Software info
Software for 64bit
Software for 64bit (registry)
Software for 64bit (registry) #3
Hotfix info
Services info
CD Keys
network routing info
Audit Generated in 164 seconds.
Submitting audit online
Audit Submitted
Total Execution Time: 183 seconds.

C:\xampplite\open-audit\other>


Mar 05 08:46:48 MDNAM 1644 C:system F:add_system Processing audit result for stacie-xxxxxxx.
Mar 05 08:46:48 MDNAM 1644 M:system F:create_system_key System Key being generated for stacie-xxxxxxx.
Mar 05 08:46:48 MDNAM 1644 M:system F:create_system_key System Key is 4C4C4544-0058-4210-8048-B5C04F465A31-stacie-xxxxxxx for stacie-xxxxxxx type uuho.
Mar 05 08:46:48 MDNAM 1644 M:system F:find_system HIT on system_key for Not-Networked.
Mar 05 08:46:48 MDNAM 1644 M:system F:find_system Returning System ID 214.
Mar 05 08:46:48 MDNAM 1644 C:system F:add_system Updating result for stacie-xxxxxxx (System ID 214).
Mar 05 08:46:48 MDNAM 1644 M:system F:update_system System update start for Not-Networked (stacie-xxxxxxx) (System ID 214).
Mar 05 08:46:48 MDNAM 1644 M:system F:update_system System update end for (stacie-xxxxxxx) (System ID 214).
Mar 05 08:47:04 MDNAM 1644 C:system F:add_system C:system F:add_system Processing completed for stacie-xxxxxxx (System ID 214), took 16.3408 seconds.


Why does the "audit_windows" script generate/create a possibly new "System Key" and not the Domain script - hence updating the machine with latest info?

Any help is appreciated - thx.

-SP


Last edited by spichelman on Fri Mar 06, 2015 11:09 am, edited 1 time in total.

PostPosted: Fri Mar 06, 2015 1:37 am
Newbie
Hi Again-

Should we update to 1.5.3 or is there a later version?
And is there an updated version of the Domain script?
Thx.

-SP


PostPosted: Fri Mar 06, 2015 4:11 am 
Offline
Moderator

Joined: Fri Jul 20, 2007 8:27 am
Posts: 1229
Some sort of name lookup trouble? Technically the audit_domain is running
Code:
cscript audit_windows.vbs Stacie-Chmelicek

and your manual test is running
Code:
cscript audit_windows.vbs Stacie-Chmelicek.xxxxxx.local


What do you get with your manual test if you run
Code:
cscript audit_windows.vbs Stacie-Chmelicek submit_online=n create_file=y

Review the computername.txt file that gets created with the above command. Network info look good? Other data look good?


PostPosted: Fri Mar 06, 2015 4:57 am
Newbie
Hi Jpa-

1.
DNS seems to be correct Forward and reverse:

C:\>nslookup stacie-xxxxxxxk.xxxxxxx.local
Server: mdndc2.xxxxxxx.local
Address: 192.168.1.39

Name: stacie-xxxxxxxk.xxxxxxx.local
Address: 192.168.10.119


C:\>nslookup 192.168.10.119
Server: mdndc2.xxxxxxx.local
Address: 192.168.1.39

Name: stacie-xxxxxxxk.xxxxxxx.local
Address: 192.168.10.119

2.
Reviewed <Computer>.txt (xml) and found hostname is wrong - relevant?

<hostname>stacie-xxxxxxx</hostname>

Is this because of NETBIOS - 15-char limit?
Our DNS entries often do "not" match...

Though - NET DNS shows correctly here:
<net_dns_host_name>stacie-xxxxxxxk</net_dns_host_name>

Also - can I ask why this shows up as User domain - instead of xxxxxxx.local?
<user_domain>stacie-xxxxxxx</user_domain>

We are not running WINS anymore to my knowledge - other ideas?
Or is there another issue?
Thx.

-SP


Last edited by spichelman on Fri Mar 06, 2015 11:11 am, edited 2 times in total.

PostPosted: Fri Mar 06, 2015 5:05 am
Moderator
What do you get from the following?
Code:
nslookup stacie-chmelicek


PostPosted: Fri Mar 06, 2015 5:11 am
Newbie
C:\xampplite\open-audit\other>nslookup stacie-chmelicek
Server: mdndc2.xxxxxxx.local
Address: 192.168.1.39

Name: stacie-chmelicek.xxxxxxx.local
Address: 192.168.10.119


PostPosted: Fri Mar 06, 2015 5:15 am
Newbie
C:\PsTools>psexec \\Stacie-Chmelicek -u XXXXXXX\Administrator -p "" cmd /C hostname

Stacie-Chmelicek
cmd exited on Stacie-Chmelicek with error code 0.


PostPosted: Fri Mar 06, 2015 5:24 am
Newbie
In our TCP/IP properties - IPv4 - for many machines in our environment - have this setting checked...

Default:
Use NETBIOS from DHCP server (Linux server in our case)

And on our servers:
Enable NETBIOS over TCP/IP.

We use Samba as well - mix of BSD & Linux servers.

Relevant?
Thx.

-SP


PostPosted: Fri Mar 06, 2015 5:34 am
Moderator
With the info given from the logs you can see that something is different. The manual audits have
Code:
Mar 05 08:46:48 MDNAM 1644 M:system F:create_system_key System Key is 4C4C4544-0058-4210-8048-B5C04F465A31-stacie-chmelice for stacie-chmelice type uuho.
and the domain audits have
Code:
Mar 05 07:13:27 MDNAM 1644 M:system F:create_system_key System Key is stacie-chmelice.xxxxxx.local for stacie-chmelice type fqdn.
This would indicate that the Domain audits don't have a <uuid> value in the audit data.

Are you running the Domain audit script and the manual windows audit as the same user? Different users with the same or different privileges?

I didn't write any of this so I'm really just tracing the code and guessing what's going on. If you could get audit files from the domain and manual audits to compare the differences you might find the problem. Maybe the software isn't even getting audited when run from the Domain script? Again, I'm just guessing.


PostPosted: Fri Mar 06, 2015 6:09 am
Newbie
Thanks for your help - I know this is a bit of a challenge.
Same user/priv - domain admin - and other machine scans appear to be fine.
Thinking may be more of an issue with his particular machine - since we don't encounter these problems too often.

Could WMI diag show us more detail?
Else, first - we'll remove system from OA and then re-run a domain scan.
Not sure you recall working with me and changing the audit_windows script?

Perhaps we should move to v1.5.4-1 for Windows?
Unless you have any further ideas - we'll try the options above.

-SP


PostPosted: Fri Mar 06, 2015 7:44 am
Moderator
Maybe the audit_windows is performing an Active Directory audit because it thinks the computer is down. This would fit with what you're seeing. No UUID in the audit data; no software info either.


PostPosted: Fri Mar 06, 2015 11:06 am
Newbie
Jpa-

Removed PC from DB - ran audit_windows - same results.
Ran audit_windows.vbs <hostname> w/o domain-name

Changed Fields in DB: hostname & fqdn.
Added letter at end - was missing one letter from the entire FQDN entry or hostname.

Later - we'll see if Audit_Domain updates machine....?

-SP


PostPosted: Fri Mar 06, 2015 1:43 pm
Moderator
Sorry, I didn't get that. You removed the computer from OpenAudit, ran a manual audit and it didn't do anything but update the hostname and fqdn? No software, no hardware, no other info?


PostPosted: Sat Mar 07, 2015 7:01 am
Newbie
The hostname of the machine was missing a letter the entire time.
Meaning, it was using the NETBIOS - 15 char limit or Active Directory name.

The Open audit domain script has been using the AD/NETBIOS name for the FQDN and hostname when auditing.
So - we just changed these fields to reflect the real DNS - FQDN in the Open Audit MySQL DB.


PostPosted: Sat Mar 07, 2015 1:40 pm
Moderator
Well, I suppose the system should handle this either way. I'll need to create a test machine with a 15+ character name to see where it falls over.
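
Added example, not part of the thread and not Open-AudIT code: a small log check for the two symptoms discussed above, a System ID whose system key type changes between audits (fqdn vs. uuho) and a hostname that is exactly 15 characters long, the NetBIOS limit. The sample lines are constructed in the log format quoted in the thread; the host names, server name and UUIDs are made up, and the script assumes each "System Key is" line is followed by the "Returning System ID" line of the same audit.

```python
import re
from collections import defaultdict

# Constructed sample lines, modelled on the log format quoted in the thread.
SAMPLE_LOG = """\
Mar 05 07:13:27 SRV 1644 M:system F:create_system_key System Key is finance-laptop-.corp.example for finance-laptop- type fqdn.
Mar 05 07:13:27 SRV 1644 M:system F:find_system Returning System ID 214.
Mar 05 08:46:48 SRV 1644 M:system F:create_system_key System Key is 00000000-0000-0000-0000-000000000001-finance-laptop- for finance-laptop- type uuho.
Mar 05 08:46:48 SRV 1644 M:system F:find_system Returning System ID 214.
Mar 05 09:00:01 SRV 1644 M:system F:create_system_key System Key is 00000000-0000-0000-0000-000000000002-web01 for web01 type uuho.
Mar 05 09:00:01 SRV 1644 M:system F:find_system Returning System ID 7.
"""

KEY_RE = re.compile(r"F:create_system_key System Key is (\S+) for (\S+) type (\w+)\.")
ID_RE = re.compile(r"F:find_system Returning System ID (\d+)\.")
NETBIOS_MAX = 15  # NetBIOS computer names are cut off at 15 characters


def parse_audits(log_text):
    """Pair each generated system key with the System ID returned after it."""
    audits, pending = [], None
    for line in log_text.splitlines():
        if m := KEY_RE.search(line):
            pending = {"key": m.group(1), "host": m.group(2), "type": m.group(3)}
        elif (m := ID_RE.search(line)) and pending:
            audits.append({**pending, "system_id": int(m.group(1))})
            pending = None
    return audits


def find_anomalies(audits):
    """Return {system_id: [notes]} for systems worth a manual look."""
    by_id = defaultdict(list)
    for audit in audits:
        by_id[audit["system_id"]].append(audit)
    findings = {}
    for sid, runs in by_id.items():
        notes = []
        types = sorted({r["type"] for r in runs})
        if len(types) > 1:  # e.g. one audit carried a UUID, another did not
            notes.append("key type varies: " + ",".join(types))
        if any(len(r["host"]) == NETBIOS_MAX for r in runs):
            notes.append("hostname is 15 chars, possible NetBIOS truncation")
        if notes:
            findings[sid] = notes
    return findings


if __name__ == "__main__":
    for sid, notes in find_anomalies(parse_audits(SAMPLE_LOG)).items():
        print(f"System ID {sid}: " + "; ".join(notes))
```

A 15-character hostname is only a hint, since a name can legitimately be that long; compare it against the DNS name (nslookup) before changing anything in the database.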