Registrations to Open-AudIT forums are now closed. To ask any new questions please visit Opmantek Community Questions.

Open-AudIT

What's on your network?
It is currently Fri Mar 29, 2024 10:02 pm

All times are UTC + 10 hours




Forum locked This topic is locked, you cannot edit posts or make further replies.  [ 10 posts ] 
Author Message
PostPosted: Wed Aug 09, 2006 7:30 pm 
Offline
Newbie

Joined: Tue Jul 11, 2006 6:24 pm
Posts: 16
I noticed some computers missing from my audits, but they are not in the failed audits email.

after some checking, I noticed that the domain admin was removed from those computers.

It would be nice if those computers showed up in the failed audits, since audit did fail on them.


Top
 Profile  
Reply with quote  
 Post subject:
PostPosted: Wed Aug 09, 2006 11:22 pm 
Yep, there are some errors where the audit will connect to them, but then fail, and so they don't end up in the failed for some reason. Haven't had the time to check it out!


Top
  
Reply with quote  
 Post subject:
PostPosted: Wed Aug 09, 2006 11:43 pm 
Offline
Moderator
User avatar

Joined: Tue Jan 25, 2005 3:09 am
Posts: 2140
Location: Scotland
Some times I have audits fail, leaving the audit process running, but I haven't found the cause yet.

Watch this space.


Top
 Profile  
Reply with quote  
 Post subject:
PostPosted: Tue Aug 15, 2006 1:37 am 
Offline
Moderator
User avatar

Joined: Tue Jan 25, 2005 3:09 am
Posts: 2140
Location: Scotland
On this subject... I have two terminal servers, one will not appear at all in the audit, the other hangs the audit script at this point....

[code]
Microsoft (R) Windows Script Host Version 5.6
Copyright (C) Microsoft Corporation 1996-2001. All rights reserved.

No username and password provided - therefore assuming local domain PC.
PC name supplied: PEGASUS
PC name from WMI:
User executing this script: andrew
System UUID:
[/code]

It does this whether or not I do it as part of the domain or as an individual PC (W2003 Terminal Services)

I can't manage WMI on the box from the auditing machine. I have full rights to the WMI however.


Top
 Profile  
Reply with quote  
 Post subject:
PostPosted: Thu Aug 24, 2006 10:48 pm 
Offline
Moderator
User avatar

Joined: Tue Jan 25, 2005 3:09 am
Posts: 2140
Location: Scotland
I looked into this further. Actually in my case, the audit fails on connect to WMI, and because it never times out, I never knew which machines were causing the issue.

I couldn't find any VBS timeout value to tweak, so I gave up in disgust.

I figured it was easier to fix the problem with WMI on the box rather than fix the script.

However to find the failing box, if you set verbose = "y" in audit.config you will see the failed audit on the screen, which hangs at setting UUID and at least you know which machine(s) failed, even though nothing is posted to the database or elsewhere.

verbose = "y" gives quite a lot of info, but use cscript audit.vbs rather than wscript audit.vbs so you dont have to close lots (and I mean LOTS) of pop up dialog boxes. (cscript uses text output, wscript uses GUI output.)


Top
 Profile  
Reply with quote  
 Post subject:
PostPosted: Tue Sep 12, 2006 5:04 am 
Offline
Newbie

Joined: Tue Aug 01, 2006 11:11 pm
Posts: 16
Did you ever figure out why the WMI Section was failing? I have 2 PC's that are doing the same thing, and have yet to figure out what the problem is.

Here's the link to my question: [url]http ://www.open-audit.org/phpbb2/viewtopic.php?t=1212[/url]

I have WMI Enabled via a Domain Global Policy Object. If WMI is not installed, and enabled, than the GPO installs and enables it.

Any clues on this?

-Frank


Top
 Profile  
Reply with quote  
 Post subject:
PostPosted: Tue Sep 19, 2006 2:10 am 
Offline
Moderator
User avatar

Joined: Tue Jan 25, 2005 3:09 am
Posts: 2140
Location: Scotland
I haven't fixed this, but if you comment out the line in audit.vbs shown, and let me know if the computer now shows up with a blank IP address, or some other issue.

[code]
''''''''''''''''''''''''''''''''
' Double check WMI is working '
''''''''''''''''''''''''''''''''
if ((UCase(strComputer) <> system_name) AND (strComputer <> ".") AND (strComputer <> full_system_name) AND (strComputer <> ns_ip) AND (strComputer <> system_ip)) then
email_failed = email_failed & strComputer & ", " & VBcrlf
ie = nothing
' exit function <===== This line!
end if
[/code]

This fixes an issue I have with several remote machines, but still doesn't give me any result for the box that I know WMI is screwed up on. This however is not an issue with Open Audit. WMI is not working, and therefore OA cannot connect to the machine. I will need to fix WMI (obviously!) :roll: Look in your event logs on the failing boxes for events related to WMI and try to remotely manage WMI from your own machine.


Last edited by A_Hull on Tue Sep 19, 2006 2:15 am, edited 1 time in total.

Top
 Profile  
Reply with quote  
 Post subject:
PostPosted: Tue Sep 19, 2006 2:14 am 
Offline
Newbie

Joined: Tue Aug 01, 2006 11:11 pm
Posts: 16
I have had this problem where if you comment out the WMI Doulbe Check section, it gives you an error, and then makes a blank entry missing the IP Address, and holds no other information.

Im not sure why this is occuring on my 2 PC's. The rest of them work fine. Its just one or two that has the problem.

Any help is appreciated.


Top
 Profile  
Reply with quote  
 Post subject:
PostPosted: Tue Sep 19, 2006 2:20 am 
Offline
Moderator
User avatar

Joined: Tue Jan 25, 2005 3:09 am
Posts: 2140
Location: Scotland
[quote="flackaff"]I have had this problem where if you comment out the WMI Doulbe Check section, it gives you an error, and then makes a blank entry missing the IP Address, and holds no other information.

Im not sure why this is occuring on my 2 PC's. The rest of them work fine. Its just one or two that has the problem.

Any help is appreciated.


Just comment out the line indicated, otherwise you wont get the "failed" email message.

Do you see any other errors, in the event logs of these machines, can you manage their WMI from your own machine?

See also
[url]http://www.microsoft.com/downloads/details.aspx?familyid=d7ba3cd6-18d1-4d05-b11e-4c64192ae97d&displaylang=en[/url]

Top
 Profile  
Reply with quote  
 Post subject:
PostPosted: Tue Sep 19, 2006 2:45 am 
Offline
Newbie

Joined: Tue Aug 01, 2006 11:11 pm
Posts: 16
If I comment out the line then the script puts in a bad entry into the SYSTEMS.

I have WMI Settings enabled via the GPO, and when I double check the ADD/REMOVE Software listing, it is listed there. However, the script still fails.

It all seems to hinge around not being able to find the Machine name via WMI.

Ill recheck to see if WMI can access the machine, and let you know.

Thanks for all the help on this, it has me stumped.


Top
 Profile  
Reply with quote  
Display posts from previous:  Sort by  
Forum locked This topic is locked, you cannot edit posts or make further replies.  [ 10 posts ] 

All times are UTC + 10 hours


Who is online

Users browsing this forum: No registered users and 2 guests


You cannot post new topics in this forum
You cannot reply to topics in this forum
You cannot edit your posts in this forum
You cannot delete your posts in this forum
You cannot post attachments in this forum

Search for:
Jump to:  
cron
Powered by phpBB® Forum Software © phpBB Group