Open-AudIT
https://www.open-audit.org/phpBB3/

[help] every morning phantom computers
https://www.open-audit.org/phpBB3/viewtopic.php?f=20&t=6631
Page 1 of 1

Author:  shanimal [ Thu Oct 19, 2017 10:58 pm ]
Post subject:  [help] every morning phantom computers

Every morning I seem to have a couple of new phantom "computers" in OA2 (ver 2.0.8) with bare minimum info, all useless. Any idea what's going on? Overnight I have @ 400 systems being audited, hundreds of Windows systems audited from my workstation using batch files, and hundreds of Linux systems running the script locally from /etc/cron.daily/

Attachments:
OA2error.JPG [ 72.63 KiB | Viewed 10681 times ]

Author:  jpa [ Fri Oct 20, 2017 12:50 am ]
Post subject:  Re: [help] every morning phantom computers

You might be able to review the various logs for errors. I would cheat and change my audit script batch to add the last_seen_by parameter and pass in something like "audit-computername" where computername is the name or ip of the specific device being audited.

Author:  shanimal [ Sat Oct 21, 2017 1:29 am ]
Post subject:  Re: [help] every morning phantom computers

From the GUI, the system logs don't have any details on the scans, and the access log doesn't have anything. Are there some other logs that I can check? Not sure how to do that batch thing, will keep digging for more info. The batch file I use for Windows just has line after line with

cscript audit_windows.vbs 10.60.62.138 >>I:\temp\vlan62a%date:~12,2%%date:~4,2%%date:~7,2%.txt

so it uses the same .vbs, but I will look in the output files and try to match the time on these phantom computers to see if it's some of the Windows IPs causing this.

thanks

Author:  Mark [ Mon Oct 23, 2017 10:00 am ]
Post subject:  Re: [help] every morning phantom computers

Can you take the device ID (from the URL, i.e. /devices/123) and run the below.
Windows:
[code]c:\xampplite\mysql\bin\mysql.exe -u openaudit -popenauditpassword openaudit -e "SELECT * FROM system WHERE `id` = INSERT_ID_HERE;"[/code]
Linux:
[code]mysql -u openaudit -popenauditpassword openaudit -e 'SELECT * FROM system WHERE `id` = INSERT_ID_HERE;'  # single quotes keep the backticks literal; in double quotes the shell would run `id` as a command[/code]
And post the output here.

Author:  jpa [ Mon Oct 23, 2017 1:02 pm ]
Post subject:  Re: [help] every morning phantom computers

What Mark wrote and... my stab at it. Mark's stuff gives you everything OpenAudit has in the system table for a given device. I'm hoping that last_seen_by is coming from the script input and we can modify that to find problem devices.

Something like:
[code]cscript audit_windows.vbs 10.60.62.138 last_seen_by=audit_10.60.62.138 >>I:\temp\vlan62a%date:~12,2%%date:~4,2%%date:~7,2%.txt[/code]
This will pollute your last_seen_by field so don't do this if you don't want that to happen.

Author:  shanimal [ Tue Oct 24, 2017 1:55 am ]
Post subject:  Re: [help] every morning phantom computers

When I try this command:

mysql -u openaudit -popenauditpassword openaudit -e "SELECT * FROM system WHERE `id` = 557;"

I get this error:

ERROR 1064 (42000) at line 1: You have an error in your SQL syntax; check the manual that corresponds to your MariaDB server version for the right syntax to use near '(root) gid=0(root) groups=0(root) context=unconfined_u:unconfined_r:unconfined_t' at line 1
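
Why the command as run above produces that 1064 error, as an added shell example that is not from the thread: inside double quotes the shell performs command substitution on the backticks around id, runs the id(1) command, and splices its output (uid=0(root) gid=0(root) ...) into the SQL text before mysql ever sees it. Single quotes keep the backticks literal; the mysql invocation at the end assumes the same client and user as in the thread.

```shell
#!/bin/sh
# Added example (not from the thread): the double-quoted form versus the
# single-quoted form of the mysql -e query, plus an input check.

# Accept only a plain numeric device id before it is placed into SQL.
is_device_id() {
  case "$1" in
    ''|*[!0-9]*) return 1 ;;
    *) return 0 ;;
  esac
}

# Broken form, mirroring the double-quoted command from the thread: the
# shell substitutes the output of the id(1) command for `id`, so the
# returned string contains "uid=..." instead of the column name.
query_double_quoted() {
  printf '%s' "SELECT * FROM system WHERE `id` = $1;"
}

# Working form: single quotes stop the shell from touching the backticks;
# the (validated) device id is concatenated outside the single quotes.
query_single_quoted() {
  is_device_id "$1" || return 1
  printf '%s' 'SELECT * FROM system WHERE `id` = '"$1"';'
}

# Run the query for one device. Expanding "$q" does not re-parse the
# backticks, so the SQL reaches the client unchanged. -p with no value
# prompts for the password instead of exposing it on the command line.
run_device_query() {
  q="$(query_single_quoted "$1")" || { echo "bad device id: $1" >&2; return 1; }
  mysql -u openaudit -p openaudit -e "$q"
}
```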

Author:  shanimal [ Tue Oct 24, 2017 2:10 am ]
Post subject:  Re: [help] every morning phantom computers

Update: I got it to run by just running the first part to get into MariaDB, then ran the command. Here is a screenshot of the results.

Attachments:
OA-557 (Small).JPG [ 118.64 KiB | Viewed 10652 times ]

Author:  shanimal [ Wed Oct 25, 2017 11:51 pm ]
Post subject:  Re: [help] every morning phantom computers

I upgraded to version 2.0.10 yesterday, and this morning didn't find any new phantom computers. Thank you for that fix!

All times are UTC + 10 hours