Open-AudIT

What's on your network?
It is currently Tue Jan 23, 2018 2:16 pm

All times are UTC + 10 hours




Forum locked This topic is locked, you cannot edit posts or make further replies.  [ 15 posts ] 
Author Message
 Post subject: audit missing machines
PostPosted: Wed Aug 02, 2006 3:53 am 
Offline
Newbie

Joined: Sat Nov 12, 2005 4:56 am
Posts: 10
Fresh install of Open-Audit, setup to audit my domain.

Main audit window finds all 95 machines and spawns 95 seperate audits (20 at once)

Only 69 show up in DB, and 6 are listed in the failed_audit file.. what happened to the other 21?

Run audit again, without changing anything, and the total jumps to 88 (still 6 in failed)

Of the two still missing I find there is a WMI problem with one, the other is fine... so I manually run audit *computername* and it works great.

None of the machines that were missed the first (or second) time were off, or otherwise unreachable.

Any ideas what happened?


Top
 Profile  
Reply with quote  
 Post subject:
PostPosted: Wed Aug 02, 2006 3:57 am 
Offline
Contributor

Joined: Thu Jul 13, 2006 7:54 am
Posts: 156
are they windows?

OA doesn't audit anything other then windows at the moment


Top
 Profile  
Reply with quote  
 Post subject:
PostPosted: Wed Aug 02, 2006 4:09 am 
Offline
Newbie

Joined: Sat Nov 12, 2005 4:56 am
Posts: 10
Yes, they are all Windows XP SP2 (firewall disabled)


Top
 Profile  
Reply with quote  
 Post subject:
PostPosted: Wed Aug 02, 2006 5:11 am 
Offline
Moderator

Joined: Sat Mar 04, 2006 2:44 am
Posts: 193
Please could you post your audit.config file


Top
 Profile  
Reply with quote  
 Post subject: audit.config
PostPosted: Wed Aug 02, 2006 5:13 am 
Offline
Newbie

Joined: Sat Nov 12, 2005 4:56 am
Posts: 10
audit_location = "l"
verbose = "y"
online = "ie"
strComputer = ""
ie_visible = "n"
ie_auto_submit = "y"
ie_submit_verbose = "y"
ie_form_page = "http://intranet.wlne.local/openaudit/admin_pc_add_1.php"
input_file = "other.txt"
email_to = "it@abc6.com"
email_from = "openaudit@abc6.com"
email_server = "mail.wlne.local"
audit_local_domain = "y"
local_domain = "LDAP://wlne-s-dc1.wlne.local/dc=wlne,dc=local"
hfnet = "n"
Count = 0
number_of_audits = 20
script_name = "audit.vbs"
monitor_detect = "y"
printer_detect = "y"
software_audit = "y"
uuid_type = "uuid"


Top
 Profile  
Reply with quote  
 Post subject:
PostPosted: Wed Aug 02, 2006 5:26 am 
Offline
Moderator

Joined: Sat Mar 04, 2006 2:44 am
Posts: 193
I would first of all recomend downloading the latest version of Open Audit from the trunk in subversion. Details here:
http://sourceforge.net/svn/?group_id=160594

Then set

online = "yesxml"

and

non_ie_form_page = http://intranet.wlne.local/openaudit/admin_pc_add_2.php

In the audit.config file and try auditing the domain.

There currently seems to be some kind of timing issue with the online = "ie" method that quite a few people are experiencing.

Let me know if all the machines are audited properly using this method (apart from the ones with WMI problems which I'm guessing is a problem on your side). The failed_audit file may still give the wrong number.


Top
 Profile  
Reply with quote  
 Post subject:
PostPosted: Wed Aug 02, 2006 5:39 am 
Offline
Newbie

Joined: Sat Nov 12, 2005 4:56 am
Posts: 10
I'll give that a try - thanks.

Side note - I've tried a similar logging method (failed_audit) in my own software, but when I have multiple 'threads' (like 20 audit windows) possibly appending at the same time I've lost data. You're probably already aware of this, just wanted to point it out.


Top
 Profile  
Reply with quote  
 Post subject:
PostPosted: Wed Aug 02, 2006 5:43 am 
Offline
Contributor

Joined: Thu Jul 13, 2006 7:54 am
Posts: 156
I would suggest doing 5 at a time....i audit over 350 computers and it's done within 45mins or so.


Top
 Profile  
Reply with quote  
 Post subject:
PostPosted: Wed Aug 02, 2006 6:11 am 
Offline
Newbie

Joined: Sat Nov 12, 2005 4:56 am
Posts: 10
Tried subversion... much better, all the machines show up on the first run. There's at least some missing info though, one of the first machines I clicked on has no installed software (most of them do though). Is this a known issue?


Top
 Profile  
Reply with quote  
 Post subject:
PostPosted: Wed Aug 02, 2006 6:43 am 
Offline
Moderator

Joined: Sat Mar 04, 2006 2:44 am
Posts: 193
I don't think it is a known issue with with the

online = "yesxml"

method but it is with the ie method.

Please could you try doing a single audit of one of the machines that the software didn't appear for and let me know if it appears on this audit. Thanks.


Top
 Profile  
Reply with quote  
 Post subject:
PostPosted: Wed Aug 02, 2006 6:54 am 
Offline
Newbie

Joined: Sat Nov 12, 2005 4:56 am
Posts: 10
No, I don't get any installed software if I audit one individually. I can't think of anything different about that machine. In fact, there's an identical machine (same model, software load, etc) that does have software listed from the audit. It is happening to more than one machine, both domain and non-domain, some win2k some winxp.


Top
 Profile  
Reply with quote  
 Post subject:
PostPosted: Wed Aug 02, 2006 7:42 am 
Offline
Newbie

Joined: Sat Nov 12, 2005 4:56 am
Posts: 10
After further investigation... it's not just software that's missing... it's anything in the software category (services,startup,bho...). I confirmed that the audit script is getting the service info from the machine, and passing it correctly to the entry sub... but I don't have time to trace it further right now.


Top
 Profile  
Reply with quote  
 Post subject:
PostPosted: Wed Aug 02, 2006 8:27 am 
Offline
Contributor

Joined: Thu Jul 13, 2006 7:54 am
Posts: 156
Manually remove those systems from the DB and do a single audit on them again see what happens


Top
 Profile  
Reply with quote  
 Post subject:
PostPosted: Wed Aug 02, 2006 8:56 pm 
Offline
Contributor

Joined: Fri Jul 28, 2006 6:30 am
Posts: 157
Location: London
I'm having the same problem with the latest SVN version. Running an audit against the single workstation gives the same result.

I think I've spotted a pattern: Systems with a generated UUID aren't inserted, but systems with a UUID retrieved from WMI are.

Cheers, Nick.


Top
 Profile  
Reply with quote  
 Post subject:
PostPosted: Wed Aug 02, 2006 9:14 pm 
Offline
Contributor

Joined: Fri Jul 28, 2006 6:30 am
Posts: 157
Location: London
Just remembered, I've mentioned this bug to Mark via email prior to joining this forum:

In admin_pc_add_2.php, insert_processor() is dying prematurely because some older systems don't return WMI valus for $processor_current_voltage, $processor_ext_clock and $processor_max_clock_speed and SQL query fails.

My short-term cludge is to insert:
if ($processor_current_voltage=='') $processor_current_voltage='0';
if ($processor_ext_clock=='') $processor_ext_clock='0';
if ($processor_max_clock_speed=='') $processor_max_clock_speed='0';
at line 398.

Longer term I recommend:
- Better handling of errors in functions - either returning from the function so that further processing can continue or, abort processing if the error is considered critical enough.
- Using a better SQL INSERT query that only attempts to insert valid data in the first place. I use the function below to construct such queries.

Cheers, Nick.

// ******* Construct SQL query ******************************
function ConstructSQLInsert($SQLData, $Table) {
$keys=array_keys($SQLData);

foreach($keys as $key)
{
if(!empty($SQLData["$key"]))
{
$fields.="$key,";
$values.="'$SQLData[$key]',";
}
}

$fields=rtrim($fields,",");
$values=rtrim($values,",");

$query="INSERT INTO $Table ($fields) VALUES ($values)";

return $query;
}


Top
 Profile  
Reply with quote  
Display posts from previous:  Sort by  
Forum locked This topic is locked, you cannot edit posts or make further replies.  [ 15 posts ] 

All times are UTC + 10 hours


Who is online

Users browsing this forum: No registered users and 1 guest


You cannot post new topics in this forum
You cannot reply to topics in this forum
You cannot edit your posts in this forum
You cannot delete your posts in this forum
You cannot post attachments in this forum

Search for:
Jump to:  
cron
Powered by phpBB® Forum Software © phpBB Group