Open-AudIT https://www.open-audit.org/phpBB3/ |
|
[help] every morning phantom computers https://www.open-audit.org/phpBB3/viewtopic.php?f=20&t=6631 |
Author: | shanimal [ Thu Oct 19, 2017 10:58 pm ] | ||
Post subject: | [help] every morning phantom computers | ||
Every morning I seem to have a couple of new phantom "computers" in OA2 (ver 2.0.8) with bare minimum info, all useless. Any idea what's going on? Overnight I have @ 400 systems being audited, hundreds of Windows systems audited from my workstation using batch files, and hundreds of Linux running the script locally from /etc/cron.daily/
|
Author: | jpa [ Fri Oct 20, 2017 12:50 am ] |
Post subject: | Re: [help] every morning phantom computers |
You might be able to review the various logs for errors. I would cheat and change my audit script batch to add the last_seen_by parameter and pass in something like "audit-computername" where computername is the name or ip of the specific device being audited. |
Author: | shanimal [ Sat Oct 21, 2017 1:29 am ] |
Post subject: | Re: [help] every morning phantom computers |
From the GUI, the system logs don't have any details on the scans, and the access log doesn't have anything. Are there some other logs that I can check? Not sure how to do that batch thing, will keep digging for more info. The batch file I use for Windows just has line after line with
cscript audit_windows.vbs 10.60.62.138 >>I:\temp\vlan62a%date:~12,2%%date:~4,2%%date:~7,2%.txt
so it uses the same .vbs, but I will look in the output files and try to match the time on these phantom computers to see if it's some of the Windows IPs causing this. Thanks |
Author: | Mark [ Mon Oct 23, 2017 10:00 am ] |
Post subject: | Re: [help] every morning phantom computers |
Can you take the device ID (from the URL, i.e. /devices/123) and run the below.
Windows
[code]c:\xampplite\mysql\bin\mysql.exe -u openaudit -popenauditpassword openaudit -e "SELECT * FROM system WHERE `id` = INSERT_ID_HERE;"[/code]
Linux
[code]mysql -u openaudit -popenauditpassword openaudit -e "SELECT * FROM system WHERE `id` = INSERT_ID_HERE;"[/code]
And post the output here. |
Author: | jpa [ Mon Oct 23, 2017 1:02 pm ] |
Post subject: | Re: [help] every morning phantom computers |
What Mark wrote and... my stab at it. Mark's stuff gives you everything OpenAudit has in the system table for a given device. I'm hoping that last_seen_by is coming from the script input and we can modify that to find problem devices. Something like:
[code]cscript audit_windows.vbs 10.60.62.138 last_seen_by=audit_10.60.62.138 >>I:\temp\vlan62a%date:~12,2%%date:~4,2%%date:~7,2%.txt[/code]
This will pollute your last_seen_by field so don't do this if you don't want that to happen. |
Author: | shanimal [ Tue Oct 24, 2017 1:55 am ] |
Post subject: | Re: [help] every morning phantom computers |
When I try this command:
mysql -u openaudit -popenauditpassword openaudit -e "SELECT * FROM system WHERE `id` = 557;"
I get this error:
ERROR 1064 (42000) at line 1: You have an error in your SQL syntax; check the manual that corresponds to your MariaDB server version for the right syntax to use near '(root) gid=0(root) groups=0(root) context=unconfined_u:unconfined_r:unconfined_t' at line 1 |
Author: | shanimal [ Tue Oct 24, 2017 2:10 am ] | ||
Post subject: | Re: [help] every morning phantom computers | ||
Update: I got it to run by just running the first part to get into MariaDB, then ran the command. Here is a screenshot of the results.
|
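Why the one-line Linux command failed while the same query worked at the MariaDB prompt, shown as an added example that is not part of the original thread: inside double quotes a POSIX shell treats `id` as command substitution and runs the id utility, so its output (uid=0(root) gid=0(root) ...) replaces the column name before mysql ever sees the query. The function names are hypothetical, the device id 557 is the one from the post, and nothing here connects to a database.

```shell
#!/bin/sh
# Added illustration: builds the query text only, never calls mysql.

# Double quotes: the shell performs command substitution on `id`,
# so the query contains the output of the id utility, not a column name.
query_double_quoted() {
    printf '%s\n' "SELECT * FROM system WHERE `id` = $1;"
}

# Single quotes keep the backticks literal. The device id is appended
# from a variable that is first checked to be purely numeric, so a
# value copied from a URL cannot smuggle extra SQL or shell syntax.
query_single_quoted() {
    case "$1" in
        ''|*[!0-9]*) echo "device id must be numeric" >&2; return 1 ;;
    esac
    printf '%s\n' 'SELECT * FROM system WHERE `id` = '"$1"';'
}

# Escaping each backtick inside double quotes is the other option.
query_escaped() {
    printf '%s\n' "SELECT * FROM system WHERE \`id\` = $1;"
}

# Show what would be handed to `mysql -e` in each case.
echo "double quotes: $(query_double_quoted 557)"
echo "single quotes: $(query_single_quoted 557)"
echo "escaped      : $(query_escaped 557)"
```

The same applies to any audit or cron script that passes SQL to `mysql -e`: quote the statement with single quotes, or escape the backticks. The Windows command is not affected in the same way because cmd.exe does not treat backticks as command substitution.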
Author: | shanimal [ Wed Oct 25, 2017 11:51 pm ] |
Post subject: | Re: [help] every morning phantom computers |
I upgraded to version 2.0.10 yesterday, and this morning didn't find any new phantom computers. Thank you for that fix! |
Page 1 of 1 | All times are UTC + 10 hours |