Open-AudIT
https://www.open-audit.org/phpBB3/

System Audit info
https://www.open-audit.org/phpBB3/viewtopic.php?f=20&t=6459
Page 1 of 1

Author:  omega4471 [ Wed Sep 09, 2015 12:39 am ]
Post subject:  System Audit info

Is it possible to insert the last logged-on user in the "by" field?
Thanks :D
[Attachment: Cattura.JPG]

Author:  el_geto [ Wed Sep 09, 2015 2:36 am ]
Post subject:  Re: System Audit info

I believe this only shows a user when the audit script is manually run by a user, as opposed to by System or NMAP. I don't think the database has a historical record of last users, so what you are asking for will require changing the whole OA product.

One alternative could be to run the audit as a login script. This won't show the last user, but every user that has logged on to the computer. Caveats: some tables will grow exponentially if you have many computers and many users logging in throughout the day.

Author:  omega4471 [ Wed Sep 09, 2015 4:22 am ]
Post subject:  Re: System Audit info

The audit runs as a login script and shows the PC IP in the field "submitted from".
It would be enough to enter the logged-in user in "by"
...

Any suggestions?

Author:  jpa [ Thu Sep 10, 2015 1:50 pm ]
Post subject:  Re: System Audit info

It looks like this is a ToDo item that is mostly done on the back end but needs the audit portion. So in the audit_windows.vbs audit script you need to get <last_seen_user> into the <sys> section of the XML. Details left as an exercise for the reader.

In my testing, adding this causes the upload to fail. Comment out lines 73 and 74 in "code_igniter\application\models\m_sys_man_audits.php" by putting "//" at the beginning of the line. You can see the TODO note on line 64. From the error message, $this->user is not set and causes an error when called by line 73.

Author:  Mark [ Thu Sep 17, 2015 9:27 am ]
Post subject:  Re: System Audit info

This field is supposed to be the user that (on the Open-AudIT Server side) submitted the result using Discovery.
You should be able to populate it by following JPA's suggestion.
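
An added example, not part of the thread and not Open-AudIT's own code: one way to build the <last_seen_user> element that jpa's post describes. The function names are hypothetical, and because the page does not show how audit_windows.vbs writes its <sys> section, the sketch only returns the XML line to be emitted there.

```vbscript
Option Explicit

' Escape XML special characters so an account name cannot break the audit XML.
Function EscapeXml(ByVal s)
    s = Replace(s, "&", "&amp;")
    s = Replace(s, "<", "&lt;")
    s = Replace(s, ">", "&gt;")
    s = Replace(s, """", "&quot;")
    EscapeXml = Replace(s, "'", "&apos;")
End Function

' Return the interactive user as DOMAIN\user, or "" when none can be determined.
Function GetLastSeenUser()
    Dim wmi, cs, net, user
    user = ""
    On Error Resume Next
    Set wmi = GetObject("winmgmts:{impersonationLevel=impersonate}!\\.\root\cimv2")
    For Each cs In wmi.ExecQuery("SELECT UserName FROM Win32_ComputerSystem")
        ' UserName is Null when there is no console session (RDP-only, or run by SYSTEM).
        If Not IsNull(cs.UserName) Then user = cs.UserName
    Next
    Err.Clear
    ' Fallback for a login-script run: the account executing this script.
    If user = "" Then
        Set net = CreateObject("WScript.Network")
        If Err.Number = 0 Then
            ' Skip service and machine accounts so SYSTEM is not reported as a user.
            If UCase(net.UserName) <> "SYSTEM" And Right(net.UserName, 1) <> "$" Then
                user = net.UserDomain & "\" & net.UserName
            End If
        End If
    End If
    On Error GoTo 0
    GetLastSeenUser = user
End Function

' Build the element for the <sys> section; emit nothing when no user was found.
Function LastSeenUserXml()
    Dim user
    user = GetLastSeenUser()
    LastSeenUserXml = ""
    If user <> "" Then
        LastSeenUserXml = vbTab & vbTab & "<last_seen_user>" & EscapeXml(user) & "</last_seen_user>" & vbCrLf
    End If
End Function

WScript.Echo LastSeenUserXml()
```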

All times are UTC + 10 hours