Open-AudIT forum thread [ 8 posts ]
All times are UTC + 10 hours

PostPosted: Thu Oct 19, 2017 10:58 pm 
Contributor

Joined: Thu Mar 02, 2006 4:41 am
Posts: 184
Location: Massachusetts
Every morning I seem to have a couple of new phantom "computers" in OA2 (ver 2.0.8) with bare minimum info, all useless. Any idea what's going on? Overnight I have about 400 systems being audited: hundreds of Windows systems audited from my workstation using batch files, and hundreds of Linux systems running the script locally from /etc/cron.daily/.


Attachment: OA2error.JPG (72.63 KiB)

_________________
Server Info: running on a CentOS 7 vm
OA Version: 2.0.6 @ 500 devices
PostPosted: Fri Oct 20, 2017 12:50 am 
Moderator

Joined: Fri Jul 20, 2007 8:27 am
Posts: 1228
You might be able to review the various logs for errors. I would cheat and change my audit script batch to add the last_seen_by parameter and pass in something like "audit-computername" where computername is the name or ip of the specific device being audited.


PostPosted: Sat Oct 21, 2017 1:29 am 
Contributor

Joined: Thu Mar 02, 2006 4:41 am
Posts: 184
Location: Massachusetts
From the GUI, the system logs don't have any details on the scans, and the access log doesn't have anything. Are there some other logs that I can check? Not sure how to do that batch thing, will keep digging for more info. The batch file I use for Windows just has line after line with

Code:
cscript audit_windows.vbs 10.60.62.138 >>I:\temp\vlan62a%date:~12,2%%date:~4,2%%date:~7,2%.txt

so it uses the same .vbs, but I will look in the output files and try to match the time on these phantom computers to see if it's some of the Windows IPs causing this.

thanks



PostPosted: Mon Oct 23, 2017 10:00 am 
Site Admin

Joined: Mon Jun 07, 2004 11:48 am
Posts: 1935
Location: Brisbane, Australia
Can you take the device ID (from the URL, i.e. /devices/123) and run the below?
Windows
Code:
c:\xampplite\mysql\bin\mysql.exe -u openaudit -popenauditpassword openaudit -e "SELECT * FROM system WHERE `id` = INSERT_ID_HERE;"

Linux
Code:
mysql -u openaudit -popenauditpassword openaudit -e "SELECT * FROM system WHERE \`id\` = INSERT_ID_HERE;"

And post the output here.

_________________
Support and Development hours available from Opmantek.
Please consider a purchase to help make Open-AudIT better for everyone.


PostPosted: Mon Oct 23, 2017 1:02 pm 
Moderator

Joined: Fri Jul 20, 2007 8:27 am
Posts: 1228
What Mark wrote and... my stab at it. Mark's stuff gives you everything OpenAudit has in the system table for a given device. I'm hoping that last_seen_by is coming from the script input and we can modify that to find problem devices.

Something like:
Code:
cscript audit_windows.vbs 10.60.62.138 last_seen_by=audit_10.60.62.138 >>I:\temp\vlan62a%date:~12,2%%date:~4,2%%date:~7,2%.txt

This will pollute your last_seen_by field so don't do this if you don't want that to happen.


PostPosted: Tue Oct 24, 2017 1:55 am 
Contributor

Joined: Thu Mar 02, 2006 4:41 am
Posts: 184
Location: Massachusetts
When I try this command:

Code:
mysql -u openaudit -popenauditpassword openaudit -e "SELECT * FROM system WHERE `id` = 557;"

I get this error:

Code:
ERROR 1064 (42000) at line 1: You have an error in your SQL syntax; check the manual that corresponds to your MariaDB server version for the right syntax to use near '(root) gid=0(root) groups=0(root) context=unconfined_u:unconfined_r:unconfined_t' at line 1

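The ERROR 1064 above comes from the shell, not from MariaDB: under sh/bash the backticks around `id` inside the double-quoted -e argument are command substitution, so the output of id(1) is spliced into the query text before mysql ever sees it. The script below is an added example, not part of the thread or of Open-AudIT; it reproduces that failure and wraps the lookup from the admin's post in a safely quoted form, taking the openaudit account, password and database names from the thread.

```shell
#!/bin/sh
# Added example (not from the thread or the Open-AudIT project).

# The failing form: inside double quotes, sh/bash evaluates `id` as a
# command substitution, so the output of id(1) ("uid=0(root) gid=0(root) ...")
# replaces the column name and MariaDB reports a syntax error near it.
broken_query() {
    echo "SELECT * FROM system WHERE `id` = $1;"
}

# The safe form: single quotes keep the backticks literal, and the device id
# is checked to be digits only before it is spliced in, so a stray or
# malformed argument cannot change the statement that reaches the server.
build_query() {
    case "$1" in
        ''|*[!0-9]*)
            echo "build_query: device id must be numeric, got '$1'" >&2
            return 1 ;;
    esac
    printf 'SELECT * FROM system WHERE `id` = %s;' "$1"
}

# Run the lookup the way the thread does. Assumes the openaudit MariaDB
# account and database named in the thread exist on this host.
lookup_device() {
    q=$(build_query "$1") || return 1
    mysql -u openaudit -popenauditpassword openaudit -e "$q"
}

# When run directly: ./lookup.sh 557
if [ -n "$1" ]; then
    lookup_device "$1"
fi
```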


PostPosted: Tue Oct 24, 2017 2:10 am 
Contributor

Joined: Thu Mar 02, 2006 4:41 am
Posts: 184
Location: Massachusetts
Update: I got it to run by just running the first part to get into MariaDB, then running the command. Here is a screenshot of the results.

Attachment: OA-557 (Small).JPG (118.64 KiB)

PostPosted: Wed Oct 25, 2017 11:51 pm 
Contributor

Joined: Thu Mar 02, 2006 4:41 am
Posts: 184
Location: Massachusetts
I upgraded to version 2.0.10 yesterday, and this morning didn't find any new phantom computers. Thank you for that fix!
