Open-AudIT
https://www.open-audit.org/phpBB3/

[help] multi systems audit to same system in OA
https://www.open-audit.org/phpBB3/viewtopic.php?f=20&t=6638
Page 1 of 2

Author:  shanimal [ Thu Jan 25, 2018 10:40 pm ]
Post subject:  [help] multi systems audit to same system in OA

Yesterday I noticed that 1 vm was getting scanned in by numerous IP's so I deleted that system. This AM I saw a new system, checked it out. But it's really 9 different vm's most on different esxi hosts, spread out over multiple vcenters. No idea how/why this happens. Today I deleted the system, then audited two of the systems. It creates 1 new system in OA2, then when I scan the 2nd one, it just goes to that same system. What is it about these 9 vm's that OA2 thinks they are the same system? How they are scanned: I copy the OA 2.0.11 script to /etc/cron.daily/ these are all CentOS 7 vm's

thanks

Attachments:
OA2dups.JPG
OA2dups.JPG [ 72.51 KiB | Viewed 39148 times ]

Author:  jpa [ Sat Jan 27, 2018 8:44 am ]
Post subject:  Re: [help] multi systems audit to same system in OA

All the system match criteria are now available in Admin->Configuration->List Configuration. Check your match_* options. Maybe take a couple audit txt files and with your match_* config try to see why they're getting combined.

Author:  shanimal [ Tue Jan 30, 2018 2:26 am ]
Post subject:  Re: [help] multi systems audit to same system in OA

thanks, I just dialed a bunch of those Y's back to N's and deleted the one system. Will see how that works overnight, hopefully I have 8 or 9 new systems in the am.

Author:  shanimal [ Thu Feb 08, 2018 3:11 am ]
Post subject:  Re: [help] multi systems audit to same system in OA

couldn't get that to stop happening until the only match I have is fqdn. Finally the same systems stopped auditing into 1, but now each system in OA has 3,4, 5 or more duplicates :?: :?: :?:

Author:  shanimal [ Thu Feb 08, 2018 4:35 am ]
Post subject:  Re: [help] multi systems audit to same system in OA

update: after setting the only match to fqdn it looks like a new system was added each time a system was audited. There has to be a better way to fix this, starting to lose faith in this project after 12+ years going back to winventory

Author:  jpa [ Thu Feb 08, 2018 4:54 am ]
Post subject:  Re: [help] multi systems audit to same system in OA

Yeah, that's doesn't sound good. But without a couple example audit files it's a bit too much work to step through the code to see what's happening. It is way more complicated and flexible than it was back in the Winventory era.

Author:  shanimal [ Thu Feb 08, 2018 5:45 am ]
Post subject:  Re: [help] multi systems audit to same system in OA

I would hope to never have to edit any of those match* settings, the problem started with default settings and got worse when I changed the match settings... What audit files do you want to see? I run the audit_windows.vbs script from my workstation via batch files, audit files aren't created everything is uploaded directly to the OA2 server

Author:  jpa [ Thu Feb 08, 2018 6:01 am ]
Post subject:  Re: [help] multi systems audit to same system in OA

The whole system match stuff is a bit complicated. So it would help stepping through the complication with real audit data that is causing the problem. So a couple audits with -create_file=y would give an XML audit result that could be used to debug. Confidential stuff in the XML audits so you'd need to decide if that's something you're willing to give out to random guy JPA. This is all assuming you don't already have a support contract with Opmantek.

Author:  shanimal [ Thu Feb 08, 2018 6:15 am ]
Post subject:  Re: [help] multi systems audit to same system in OA

we have a support contract but only for NMIS, I don't mind sending xml files because I doubt there is anything valuable in there to any bad guys on the internets.

If I set create file = y it will create the audit files on my workstation? Or will it create files on the remote windows system being audited?

Author:  jpa [ Thu Feb 08, 2018 7:04 am ]
Post subject:  Re: [help] multi systems audit to same system in OA

There are potentially software keys in the audit. Just an FYI.

For Windows use "cscript audit_windows.vbs -create_file=y -submit_online=n <computername>" and it will create the file where the script is run and not upload the data. We already know that causes problems. Don't need to make more while testing stuff.

Author:  shanimal [ Thu Feb 08, 2018 11:34 pm ]
Post subject:  Re: [help] multi systems audit to same system in OA

perfect, I saved a screenshot of the 9 systems that kept auditing into the same OA2 record so I'll enable audit file creation for those 9. I also have a nightmare mess on my hands with 3+ copies of every server in OA2 are you aware of any easy way to fix that, while trying to avoid taking the nightmare mess to the next level? thanks

Author:  shanimal [ Fri Feb 09, 2018 1:31 am ]
Post subject:  Re: [help] multi systems audit to same system in OA

starting to think the system isn't usable anymore as is (with so many duplicate systems), and I may have to blow it away and get a fresh start.

Author:  jpa [ Fri Feb 09, 2018 1:42 am ]
Post subject:  Re: [help] multi systems audit to same system in OA

Starting over is probably easiest but you'll lose the audit history so only do that if you don't care.

Otherwise, a query to identify the duplicates and then set everything but the oldest one to System.Status=Deleted. The duplicate systems all have the same Name, Hostname or DNS Hostname?

Author:  shanimal [ Fri Feb 09, 2018 3:34 am ]
Post subject:  Re: [help] multi systems audit to same system in OA

as far as I know, every system should have a unique hostname, DNS name, and netbios name whatever you want to call them. Still can't figure out how/why I ended up with this mess. How would anybody in a corporate network survive if you really had multiple different systems sharing the same hostnames and/or FQDN's? I don't think you'd last 15 minutes in this industry if you tried to work with duplicate names on any level.

Author:  jpa [ Fri Feb 09, 2018 3:36 am ]
Post subject:  Re: [help] multi systems audit to same system in OA

Sorry, my poor communications skills strike again. I mean to say that if you have a bunch of duplicate systems in your OpenAudit hopefully they have something in common that we can use to select them and then mark the extraneous ones as Deleted.

Page 1 of 2 All times are UTC + 10 hours
Powered by phpBB® Forum Software © phpBB Group
https://www.phpbb.com/