
Open-AudIT


All times are UTC + 10 hours




PostPosted: Fri Sep 01, 2006 12:00 am
Newbie

Joined: Thu Aug 31, 2006 9:27 pm
Posts: 23
Location: Mainz, Germany
Hi all,

first of all I have to admit that the information gathered by Open-Audit is really helpful and I'd like to use the software in our company (approx. 40 clients and 30 servers).

Unfortunately the script (latest svn checkout) takes about 1 and a half hours to scan my workstation (Windows XP SP2 with firewall and PAX enabled).

I shortly debugged the script and found out that e.g. the network device scanning takes about 40 minutes to complete on my PC. What could be the reason and why is this taking so long?

Thanks for your help in advance,
Oliver Neumann


PostPosted: Fri Sep 01, 2006 12:51 am
Moderator

Joined: Tue Jan 25, 2005 3:09 am
Posts: 2140
Location: Scotland
oliver.neumann wrote:
Hi all,

first of all I have to admit that the information gathered by Open-Audit is really helpful and I'd like to use the software in our company (approx. 40 clients and 30 servers).

Unfortunately the script (latest svn checkout) takes about 1 and a half hours to scan my workstation (Windows XP SP2 with firewall and PAX enabled).

I shortly debugged the script and found out that e.g. the network device scanning takes about 40 minutes to complete on my PC. What could be the reason and why is this taking so long?

Thanks for your help in advance,
Oliver Neumann


Can you manage the WMI from the machine doing the audit?

In other words, go to My Computer, right click, select Manage.
Then from there, select Action > Connect to another computer, select the machine causing the bother.

Now go to Services and Applications > WMI Control.
Right click and select Properties.
Do you see the Successfully Connected to {Machine Name} dialog straight away, or do you have time for a cup of coffee before it appears?

Let us know the results. Sounds like WMI Firewall or DNS is causing the bother. How is the network performance otherwise?


PostPosted: Fri Sep 01, 2006 12:54 am
Newbie

Joined: Wed Aug 16, 2006 9:06 am
Posts: 45
Location: Rome - Italy - Europe (GMT +2)
Where does it stop? On a specific audit, or are all of them very slow?
Do you audit your computer locally or from the network?

L.

_________________
Lorenz


PostPosted: Fri Sep 01, 2006 1:19 am
Newbie

Joined: Thu Aug 31, 2006 9:27 pm
Posts: 23
Location: Mainz, Germany
Thanks for the quick answer, you both.

You got me wrong - it does not matter if I call the script from a remote machine via a UNC path (\\servername\share\audit.vbs) or from my local machine () - the time the script takes is the same (as said approx. 1.5 hours).

The strange thing indeed is, that the script formerly (2 days ago) worked much faster on the same machine without any change (it then took approx. 4-5min to scan 1 PC).

The first time the script really acts slow is when recognizing the network interfaces and there doing this query:

Code:
Set colItems2 = objWMIService.ExecQuery("Select * from Win32_NetworkAdapter WHERE MACAddress='" & objItem.MACAddress & "'",,48)
   For Each objItem2 in colItems2
   '   net_adapter_type = objItem2.AdapterType
   '   net_manufacturer = objItem2.Manufacturer
   Next


I have 4 network cards, 3 of them being virtual (2 virtual VMWARE cards and 1 virtual VPN Sonic Wall card).

*EDIT*: I just found out that the following statement takes very very long on my PC when trying to query for my *real* network card:

Code:
Set colItems2 = objWMIService.ExecQuery("Select * from Win32_NetworkAdapter WHERE MACAddress='" & objItem.MACAddress & "'",,48)


PostPosted: Fri Sep 01, 2006 1:53 am
Moderator

Joined: Tue Jan 25, 2005 3:09 am
Posts: 2140
Location: Scotland
oliver.neumann wrote:
Thanks for the quick answer, you both.

You got me wrong - it does not matter if I call the script from a remote machine via a UNC path (\\servername\share\audit.vbs) or from my local machine () - the time the script takes is the same (as said approx. 1.5 hours).

The strange thing indeed is, that the script formerly (2 days ago) worked much faster on the same machine without any change (it then took approx. 4-5min to scan 1 PC).

The first time the script really acts slow is when recognizing the network interfaces and there doing this query:

Code:
Set colItems2 = objWMIService.ExecQuery("Select * from Win32_NetworkAdapter WHERE MACAddress='" & objItem.MACAddress & "'",,48)
   For Each objItem2 in colItems2
   '   net_adapter_type = objItem2.AdapterType
   '   net_manufacturer = objItem2.Manufacturer
   Next


I have 4 network cards, 3 of them being virtual (2 virtual VMWARE cards and 1 virtual VPN Sonic Wall card).

*EDIT*: I just found out that the following statement takes very very long on my PC when trying to query for my *real* network card:

Code:
Set colItems2 = objWMIService.ExecQuery("Select * from Win32_NetworkAdapter WHERE MACAddress='" & objItem.MACAddress & "'",,48)


Two possibilities: either duplicate MAC addresses are throwing the script. If the VMWARE version lets you set the MAC address, make sure the two virtual MACs are not the same.

OR

Try updating the network card drivers for the "Real" NIC, I have seen problems with some NICs and WMI.

Basically the NIC drivers confused WMI and either hung it, slowed it down or blue screened the PC. Updating the drivers fixed the issue.

If that doesn't fix it, what kind of virtual network cards are they: VMware what version, SonicWall what version, or are they generic tun/tap or what? Again, try updating the software concerned.

Finally make sure you have everything up to date (actually try this FIRST then the rest). Run Microsoft Update (Not just Windows Update, upgrade to Microsoft Update using Windows Update if appropriate). Update EVERYTHING and start again.

If you find the solution, post it here, and everybody gets the benefit in future.
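
The per-adapter lookup from the posts above, as an added diagnostic example (not part of the thread and not Open-AudIT's own code): it times each Win32_NetworkAdapter query and reports duplicate MAC addresses. It assumes the outer loop in audit.vbs walks Win32_NetworkAdapterConfiguration and that it is run locally with cscript.

```vbscript
' Added diagnostic example, not Open-AudIT's own code.
' Assumption: audit.vbs takes objItem from Win32_NetworkAdapterConfiguration.
Dim objWMIService, colItems, objItem, colItems2, objItem2
Dim seen, started, elapsed, matches

Set objWMIService = GetObject("winmgmts:\\.\root\cimv2")
Set seen = CreateObject("Scripting.Dictionary")

Set colItems = objWMIService.ExecQuery( _
    "Select * from Win32_NetworkAdapterConfiguration WHERE IPEnabled = True")

For Each objItem In colItems
    If Not IsNull(objItem.MACAddress) Then
        ' Duplicate MACs make the per-MAC lookup return several adapters.
        If seen.Exists(objItem.MACAddress) Then
            WScript.Echo "DUPLICATE MAC " & objItem.MACAddress & ": " & _
                seen(objItem.MACAddress) & " / " & objItem.Description
        Else
            seen.Add objItem.MACAddress, objItem.Description
        End If

        ' With flag 48 (return immediately + forward only) ExecQuery comes
        ' back at once; the provider does its work while For Each
        ' enumerates, so the loop has to be inside the timed region.
        started = Timer
        Set colItems2 = objWMIService.ExecQuery( _
            "Select * from Win32_NetworkAdapter WHERE MACAddress='" & _
            objItem.MACAddress & "'", , 48)
        matches = 0
        For Each objItem2 In colItems2
            matches = matches + 1
        Next
        elapsed = Timer - started
        If elapsed < 0 Then elapsed = elapsed + 86400   ' Timer wraps at midnight

        WScript.Echo objItem.Description & " (" & objItem.MACAddress & "): " & _
            matches & " adapter(s), " & FormatNumber(elapsed, 1) & " s"
    End If
Next
```

An adapter whose line shows minutes rather than fractions of a second is the one whose driver or provider is stalling WMI.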


PostPosted: Fri Sep 01, 2006 5:32 pm
Newbie

Joined: Thu Aug 31, 2006 9:27 pm
Posts: 23
Location: Mainz, Germany
Hi,

thanks for the reply and the good advice to update the NIC's driver. Now Open-Audit works just fine (even when called from a remote share)! It took approx. 60sec to scan my PC (with HfNetChk enabled), I think this is fast enough for my needs.

Maybe you could include a patch into your audit.vbs script to make this script work when called within startup from a remote share on a server. I made the following changes:

-x-x- line 26 -x-x-
> ExecuteGlobal CreateObject("Scripting.FileSystemObject").OpenTextFile("audit.config").ReadAll
--
< ExecuteGlobal
CreateObject("Scripting.FileSystemObject").OpenTextFile("\\servername\sharename\audit.config").ReadAll
-x-x- line 26 -x-x-
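
Review bot: the new (`<`) line 26 hard-codes \\servername\sharename\audit.config into the ExecuteGlobal call, so the script works against that one share only and every site has to edit the source. Because ExecuteGlobal runs whatever the file contains, the location matters: build the path from the folder the script was started from (WScript.ScriptFullName) instead of a literal, and keep that share read-only for the accounts that run the audit.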

-x-x- lines 1552-1556 -x-x-
>if (strUser <> "" AND strPass <>"") then
> hfnetchk = "hfnetchk.exe -h " & system_name & " -u " & strUser & " -p " & strPass & " -nosum -vv -x mssecure.xml -o tab -f " & sTempFile
> else
> hfnetchk = "hfnetchk.exe -h " & system_name & " -vv -x mssecure.xml -nosum -o tab -f " & sTempFile
> end if
--
<if (strUser <> "" AND strPass <>"") then
< hfnetchk = "\\servername\sharename\hfnetchk.exe -h " & system_name & " -u " & strUser & " -p " & strPass & " -nosum -vv -x \\servername\sharename\mssecure.xml -o tab -f " & sTempFile
< else
< hfnetchk = "\\servername\sharename\hfnetchk.exe -h " & system_name & " -vv -x \\servername\sharename\mssecure.xml -nosum -o tab -f " & sTempFile
< end if
-x-x- lines 1552-1556 -x-x-
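
Review bot: in both new (`<`) branches the UNC paths to hfnetchk.exe and mssecure.xml are hard-coded and concatenated into the command string without quotes, so a server, share or folder name containing a space splits the command, and the location cannot be changed without editing audit.vbs. Read the two locations from audit.config and wrap them in double quotes. The first branch also still passes strUser and strPass as plain -u and -p arguments, which puts the password on the hfnetchk command line; that deserves at least a comment.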

So it would be nice if you could integrate 2 parameters in audit.config to define where the hfnetchk binary is stored and where to find the mssecure.xml file. In audit.vbs you could read the full command line of the script (how it was exactly called) and then extract the path and add audit.config.
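
One way to do what the post above asks for, as an added example that is not part of the thread and not Open-AudIT's own code: the config file is located from the script's own path, and the hfnetchk command is built from two settings. `hfnetchk_path` and `mssecure_path` are hypothetical setting names; `PC01` and the temp file path are constructed sample values.

```vbscript
' Added example, not Open-AudIT's own code.
' hfnetchk_path and mssecure_path are hypothetical audit.config settings.
Dim fso, script_dir, config_file
Set fso = CreateObject("Scripting.FileSystemObject")

' Folder the script was started from; works for local and UNC paths.
script_dir = fso.GetParentFolderName(WScript.ScriptFullName)
config_file = fso.BuildPath(script_dir, "audit.config")

If Not fso.FileExists(config_file) Then
    WScript.Echo "audit.config not found in " & script_dir
    WScript.Quit 1
End If

' audit.config is executed as VBScript, so whoever can write to this
' folder controls what runs on every audited client.
ExecuteGlobal fso.OpenTextFile(config_file).ReadAll

' Fall back to the script's own folder when the settings are absent.
If hfnetchk_path = "" Then hfnetchk_path = fso.BuildPath(script_dir, "hfnetchk.exe")
If mssecure_path = "" Then mssecure_path = fso.BuildPath(script_dir, "mssecure.xml")

Function Quote(s)
    ' Double quotes keep paths with spaces in one argument.
    Quote = Chr(34) & s & Chr(34)
End Function

Function HfnetchkCommand(system_name, temp_file)
    Dim cmd
    cmd = Quote(hfnetchk_path) & " -h " & system_name
    ' strUser and strPass come from audit.config, as in the original script.
    If strUser <> "" And strPass <> "" Then
        cmd = cmd & " -u " & Quote(strUser) & " -p " & Quote(strPass)
    End If
    HfnetchkCommand = cmd & " -nosum -vv -x " & Quote(mssecure_path) & _
                      " -o tab -f " & Quote(temp_file)
End Function

' Constructed sample values, printed instead of executed.
WScript.Echo HfnetchkCommand("PC01", "C:\Temp\hfnetchk.tab")
```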


PostPosted: Fri Sep 01, 2006 6:16 pm
Moderator

Joined: Tue Jan 25, 2005 3:09 am
Posts: 2140
Location: Scotland
Glad the advice worked, I like the changes you suggest. I will add them to the feature request list.


PostPosted: Fri Sep 01, 2006 6:23 pm
Newbie

Joined: Thu Aug 31, 2006 9:27 pm
Posts: 23
Location: Mainz, Germany
;) Cool.

Within the next 4 weeks I will roll out the audit.vbs script in my company to approx. 40 clients via domain group policy. I'm looking forward to reviewing the results of this great tool and as I am a programmer (mainly PHP, C and C++) as well perhaps I can contribute some patches/extensions for your scripts if that is wanted by you. Our complete hardware is DELL, so perhaps I can contribute some extensions acquiring some vendor/hardware specific WMI settings.


PostPosted: Fri Sep 01, 2006 6:39 pm
Moderator

Joined: Tue Jan 25, 2005 3:09 am
Posts: 2140
Location: Scotland
oliver.neumann wrote:
;) Cool.

Within the next 4 weeks I will roll out the audit.vbs script in my company to approx. 40 clients via domain group policy. I'm looking forward to reviewing the results of this great tool and as I am a programmer (mainly PHP, C and C++) as well perhaps I can contribute some patches/extensions for your scripts if that is wanted by you. Our complete hardware is DELL, so perhaps I can contribute some extensions acquiring some vendor/hardware specific WMI settings.


:idea:
Did you know that you can audit the entire domain from your workstation using the domain audit option? This eliminates the need to do anything with domain policy or even to run the audit script from the workstations. The script will connect to every computer account found in your AD via remote WMI (or every computer in a list in a text file if you don't use AD).

The advantages of this method include the ability to schedule audits at regular intervals, even on machines which are rarely logged in, or which do not for whatever reason run a login script or adhere to domain policy (Servers for example, which may have separate policies applied, and rarely be logged in).
:idea:


PostPosted: Fri Sep 01, 2006 6:55 pm
Newbie

Joined: Thu Aug 31, 2006 9:27 pm
Posts: 23
Location: Mainz, Germany
Hi,

thanks for the advice - I already knew that Open-Audit is capable of doing so. The reason why I came across the idea of doing the audits via group policy based startup scripts (for the clients!) is that we have many clients (notebooks) being "on the run" and so a regularly based centralized check would only get (let's say) 60% of all notebooks.

If I use domain logon as criteria, all notebooks being returned to the company get automatically monitored when the user logs on to the domain.

In my opinion this is the best process to get the most systems in my company monitored with the most accurate and up-to-date data.


PostPosted: Fri Sep 01, 2006 7:00 pm
Newbie

Joined: Wed Aug 16, 2006 9:06 am
Posts: 45
Location: Rome - Italy - Europe (GMT +2)
What kind of domain script will you use?
User logonscript or Machine logonscript?
Let me know, because I have the same problem.
I solved it by scheduling an audit every 2 hours. It is reasonable that within a week I'll have the audit of all machines in the domain.
Yesterday I obtained the audit of 4 notebooks also via VPN.

_________________
Lorenz


PostPosted: Fri Sep 01, 2006 7:08 pm
Newbie

Joined: Thu Aug 31, 2006 9:27 pm
Posts: 23
Location: Mainz, Germany
lorenz wrote:
What kind of domain script will you use?
User logonscript or Machine logonscript?
Let me know, because I have the same problem.
I solved it by scheduling an audit every 2 hours. It is reasonable that within a week I'll have the audit of all machines in the domain.
Yesterday I obtained the audit of 4 notebooks also via VPN.


I use User logon script in order to get the information, which user was logged in when the audit ran (otherwise I would always get SYSTEM as user-information on "Audit-Trail"). This is the best way to identify, who on the machine installed the new software that is forbidden in my company ;)


PostPosted: Fri Sep 01, 2006 7:12 pm
Newbie

Joined: Wed Aug 16, 2006 9:06 am
Posts: 45
Location: Rome - Italy - Europe (GMT +2)
Ok!
But can a "domain user" interrogate WMI?

_________________
Lorenz


PostPosted: Fri Sep 01, 2006 7:42 pm
Newbie

Joined: Thu Aug 31, 2006 9:27 pm
Posts: 23
Location: Mainz, Germany
Nearly all of our domain users have administrative local rights on their PCs (otherwise they could not work on their PCs without the need to contact us admins every 10 minutes ;)).

But we have some "underprivileged" users only having "mainuser-rights" on their PCs ... I will report if that is a problem.


PostPosted: Fri Sep 01, 2006 8:16 pm
Newbie

Joined: Wed Aug 16, 2006 9:06 am
Posts: 45
Location: Rome - Italy - Europe (GMT +2)
Thanks!
... because I'm not sure the users with non elevated/administrative rights can interrogate WMI.

_________________
Lorenz

