Open-AudIT
https://www.open-audit.org/phpBB3/

Software Always Detected as New
https://www.open-audit.org/phpBB3/viewtopic.php?f=10&t=5740

Author:  bent_screwdriver [ Sat Jul 02, 2011 3:33 am ]
Post subject:  Software Always Detected as New

For a while now software has been showing up as detected as new, even after it has been detected before. It creates a large number of "Software Detected in the last 1 days" on the home page. Any ideas why this could happen? I ran table check in MySQL and everything came back OK.

Author:  jpa [ Sat Jul 02, 2011 1:44 pm ]
Post subject:  Re: Software Always Detected as New

Total guess but are you running more than one audit process at a time? Not multiple audits of different machines but multiple simultaneous audits of a single machine.

Author:  bent_screwdriver [ Wed Jul 06, 2011 2:03 am ]
Post subject:  Re: Software Always Detected as New

No, I have multiple locations auditing different domains at the same time but no machine is audited more than once by the process.

Author:  jpa [ Sat Jul 09, 2011 2:41 am ]
Post subject:  Re: Software Always Detected as New

What value are you using for uuid_type in the audit.config? Is it possible that you have multiple machines with the same UUID?

When OpenAudit adds new software it grabs the latest audit timestamp for a machine specified by its UUID.
[code]"SELECT MAX(system_audits_timestamp) AS timestamp FROM system_audits WHERE system_audits_uuid = '$uuid'"[/code]

Then it tries to update any existing software given the machine's uuid, the software name and the timestamp.
[code]"UPDATE software SET software_timestamp = '$timestamp', software_count = '$count', software_version = '$software_version',
software_location = '$software_location', software_uninstall = '$software_uninstall', software_install_date = '$software_install_date',
software_publisher = '$software_publisher', software_install_source = '$software_install_source', software_system_component = '$software_system_component',
software_url = '$software_url', software_comment = '$software_comments'
WHERE software_uuid = '$uuid' AND
software_name = '$software_name' AND
(software_timestamp = '$software_timestamp' OR software_timestamp = '$timestamp')"[/code]
If the update doesn't work because no existing software with the same uuid, name and timestamp is found, then the software is added as new.

To troubleshoot you'd need to take an example software audit line and trace it through the OpenAudit add process to see why it's not doing what you'd expect.

Author:  bent_screwdriver [ Tue Jul 12, 2011 4:18 am ]
Post subject:  Re: Software Always Detected as New

Thanks for the tip. I'm going to run an export of uuid and system names a few times a day then diff them to see if I'm getting systems with the same uuid.

While looking at the uuid field on the system table I see 1 with a blank uuid so maybe this creates an issue with some of the joins. Also some of them have the FQDN as the uuid so not sure how that happened. I'll delete those systems and see if that cleans anything up.

I'll post my results. Thanks again.

Author:  bent_screwdriver [ Tue Jul 12, 2011 4:21 am ]
Post subject:  Re: Software Always Detected as New

Also, I'm using uuid type "uuid" in audit.config.
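The export-and-diff check proposed in the thread (several exports of uuid and system name per day, looking for blank uuids, FQDNs stored as uuids, and one uuid used by more than one system) can be scripted as below. This is an added example, not code from the thread or from Open-AudIT; the CSV header `uuid,system_name`, the function names and the sample rows are assumptions constructed for illustration.

```python
import csv
import io
import re
from collections import defaultdict

# Canonical 8-4-4-4-12 hex form that a hardware UUID normally takes.
UUID_RE = re.compile(r"^[0-9a-f]{8}(-[0-9a-f]{4}){3}-[0-9a-f]{12}$", re.I)
# All-zero / all-F values: placeholders some firmware reports instead of a unique UUID.
PLACEHOLDERS = {"0" * 32, "f" * 32}

# Constructed sample exports: two snapshots of (uuid, system name) taken at different times.
MORNING = """uuid,system_name
4C4C4544-0042-3510-8051-B4C04F4E3153,ws-101
,kiosk-7
ws-200.example.local,ws-200
"""
EVENING = """uuid,system_name
4C4C4544-0042-3510-8051-B4C04F4E3153,ws-102
9A1B2C3D-0000-4E5F-8A7B-0123456789AB,ws-300
"""

def load_export(text):
    """Parse one export (CSV with header uuid,system_name) into (uuid, name) pairs."""
    return [(r["uuid"].strip(), r["system_name"].strip().lower())
            for r in csv.DictReader(io.StringIO(text))]

def check_exports(snapshots):
    """Report blank, malformed and shared uuids seen across all snapshots."""
    names_by_uuid = defaultdict(set)
    blank, malformed = set(), set()
    for rows in snapshots:
        for uuid, name in rows:
            if not uuid:
                blank.add(name)          # nothing to key software rows on
                continue
            key = uuid.lower()
            if not UUID_RE.match(key) or key.replace("-", "") in PLACEHOLDERS:
                malformed.add((uuid, name))   # e.g. an FQDN stored as the uuid
            names_by_uuid[key].add(name)
    shared = {u: sorted(n) for u, n in names_by_uuid.items() if len(n) > 1}
    return {"blank": sorted(blank), "malformed": sorted(malformed), "shared": shared}

if __name__ == "__main__":
    report = check_exports([load_export(MORNING), load_export(EVENING)])
    for kind, found in report.items():
        print(kind, found)
```

A uuid listed under `shared` is one whose system name changed between exports, which is the case where two machines would be writing software rows under the same `software_uuid`.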

All times are UTC + 10 hours