Open-AudIT
https://www.open-audit.org/phpBB3/

[help] multi systems audit to same system in OA
https://www.open-audit.org/phpBB3/viewtopic.php?f=20&t=6638
Page 2 of 2

Author:  shanimal [ Fri Feb 09, 2018 6:02 am ]
Post subject:  Re: [help] multi systems audit to same system in OA

I'm basically paralyzed at this point as to what to do next. I'm thinking blow away the DB? If anybody has any tips on how to fix this please let me know...

.... stay tuned.

Author:  jpa [ Fri Feb 09, 2018 8:02 am ]
Post subject:  Re: [help] multi systems audit to same system in OA

Do you have your OpenAudit set up so you can run queries against the database (PHPMyAdmin, Adminer or some other tool)? It should be the case that your duplicate systems have a recent value for First Seen. So you could filter for recently added systems and set them to deleted.

Review duplicates:
[code]
SELECT
    system.name,
    system.id,
    system.status,
    system.first_seen,
    system.hostname
FROM
    system
WHERE
    system.name IN (
        SELECT Tmp.name
        FROM system AS Tmp
        GROUP BY Tmp.name
        HAVING COUNT(*) > 1
    )
ORDER BY
    system.id,
    system.name
[/code]

Filter for recently added systems. Adjust date as necessary to filter duplicates.
[code]
SELECT
    system.id,
    system.name,
    system.hostname,
    system.first_seen
FROM
    system
WHERE
    DATE(system.first_seen) > '2018-02-10'
[/code]

Set the recently added (duplicates) to deleted:
[code]
-- Use the same cutoff date as in the SELECT above
UPDATE system
SET system.status = 'deleted'
WHERE DATE(system.first_seen) > '2018-02-10'
[/code]

It would probably be a good idea to take a backup before, after and frequently while doing this.

Author:  shanimal [ Fri Feb 09, 2018 9:56 pm ]
Post subject:  Re: [help] multi systems audit to same system in OA

Update: I found a quick way out of this issue: I had a snapshot from before I upgraded to OA 2.0.12. Now I'm going to upgrade to 2.0.12 and add the @ 70 ESXi hosts that I had added since that snapshot was taken. Then I'll circle back around and enable audit file creation for the systems that all scan into 1. Thank you for the assistance, jpa!

Author:  jpa [ Sat Feb 10, 2018 1:28 am ]
Post subject:  Re: [help] multi systems audit to same system in OA

Great. I thought suggesting going to your backups was a little harsh. It's great that you had something. I have to admit that I've blown away my OpenAudit many times over the years.

Author:  shanimal [ Tue Feb 13, 2018 1:01 am ]
Post subject:  Re: [help] multi systems audit to same system in OA

Took a quick look this AM; turns out the system that is getting a bunch of other systems' scan results is the OS 2.2 server itself... This is running CentOS 7 and it looks like all of the other systems are also running CentOS 7...

Author:  shanimal [ Tue Feb 13, 2018 1:19 am ]
Post subject:  Re: [help] multi systems audit to same system in OA

Update: all share the FQDN of hostname; noticed this when I created some result files, then ran "hostname -f" on each of them. Will try to fix by setting match on fqdn to N.

Author:  shanimal [ Tue Feb 13, 2018 9:53 pm ]
Post subject:  Re: [help] multi systems audit to same system in OA

That did the trick! My plan was to switch to N all match* except for fqdn. This was the exact wrong approach. I was thinking that fqdn came from corporate DNS servers, which I knew wouldn't allow duplicates. But in the end it seems that the fqdn comes from the OS, in this case "hostname -f", as these were CentOS 7 systems.
The fix was turning match on fqdn to no; now all of these systems created a new record when they audited overnight. Faith restored, it all makes sense now. Thanks again, jpa.
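
The failure described in this thread, as an added example that is not part of any post and is not Open-AudIT's own code: a simplified model of matching incoming audits to existing devices on any enabled attribute, plus a check for attribute values reported by more than one distinct machine. The field names, the match-key lists and the audit records are constructed assumptions for illustration.

```python
from collections import defaultdict

# Constructed audit results: three distinct hosts whose OS reports the same
# FQDN (what `hostname -f` returned on each), plus one with a unique FQDN.
AUDITS = [
    {"uuid": "uuid-a", "hostname": "oa-server", "fqdn": "centos7.example.test"},
    {"uuid": "uuid-b", "hostname": "web01", "fqdn": "centos7.example.test"},
    {"uuid": "uuid-c", "hostname": "db01", "fqdn": "centos7.example.test"},
    {"uuid": "uuid-d", "hostname": "build01", "fqdn": "build01.example.test"},
]


def merge_audits(audits, match_keys):
    """Simplified matcher (assumption, not Open-AudIT's algorithm): an audit
    joins the first existing device that agrees with it on ANY enabled key,
    otherwise it creates a new device record."""
    devices = []  # each device is the list of audits merged into it
    for audit in audits:
        for device in devices:
            if any(audit[k] and audit[k] == prior[k]
                   for k in match_keys for prior in device):
                device.append(audit)
                break
        else:
            devices.append([audit])
    return devices


def shared_values(audits, key, identity="uuid"):
    """Values of `key` reported by more than one distinct machine. Any hit
    means `key` is unsafe to use as a match attribute in this estate."""
    seen = defaultdict(set)
    for audit in audits:
        if audit[key]:
            seen[audit[key]].add(audit[identity])
    return {v: sorted(ids) for v, ids in seen.items() if len(ids) > 1}


if __name__ == "__main__":
    for keys in (["uuid", "fqdn"], ["uuid"]):
        merged = merge_audits(AUDITS, keys)
        print(keys, "->", [[a["hostname"] for a in d] for d in merged])
    print("shared fqdn:", shared_values(AUDITS, "fqdn"))
```
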

All times are UTC + 10 hours