Open-AudIT https://www.open-audit.org/phpBB3/ |
[help] multi systems audit to same system in OA https://www.open-audit.org/phpBB3/viewtopic.php?f=20&t=6638 |
Page 2 of 2 |
Author: | shanimal [ Fri Feb 09, 2018 6:02 am ] |
Post subject: | Re: [help] multi systems audit to same system in OA |
I'm basically paralyzed at this point as to what to do next. I'm thinking blow away the DB? If anybody has any tips on how to fix this, please let me know... stay tuned. |
Author: | jpa [ Fri Feb 09, 2018 8:02 am ] |
Post subject: | Re: [help] multi systems audit to same system in OA |
Do you have your OpenAudit set up so you can run queries against the database (phpMyAdmin, Adminer or some other tool)? It should be the case that your duplicate systems have a recent value for First Seen. So you could filter for recently added systems and set them to deleted.

Review duplicates:
[code]
-- List every row whose name occurs more than once
SELECT system.name, system.id, system.status, system.first_seen, system.hostname
FROM system
WHERE system.name IN (
    SELECT Tmp.name FROM system AS Tmp GROUP BY Tmp.name HAVING COUNT(*) > 1
)
ORDER BY system.id, system.name;
[/code]

Filter for recently added systems. Adjust date as necessary to filter duplicates.
[code]
SELECT system.id, system.name, system.hostname, system.first_seen
FROM system
WHERE DATE(system.first_seen) > '2018-02-10';
[/code]

Set the recently added (duplicates) to deleted:
[code]
-- Marks every system first seen after the date as deleted;
-- use the same date as in the SELECT above
UPDATE system
SET system.status = 'deleted'
WHERE DATE(system.first_seen) > '2018-02-10';
[/code]

It would probably be a good idea to take a backup before, after and frequently while doing this. |
Author: | shanimal [ Fri Feb 09, 2018 9:56 pm ] |
Post subject: | Re: [help] multi systems audit to same system in OA |
Update: I found a quick way out of this issue: I had a snapshot from before I upgraded to OA 2.0.12. Now I'm going to upgrade to 2.0.12 and add the @ 70 ESXi hosts that I had added since that snapshot was taken. Then I'll circle back around and enable audit file creation for the systems that all scan into 1. Thank you for the assistance, jpa! |
Author: | jpa [ Sat Feb 10, 2018 1:28 am ] |
Post subject: | Re: [help] multi systems audit to same system in OA |
Great. I thought suggesting going to your backups was a little harsh. It's great that you had something. I have to admit that I've blown away my OpenAudit many times over the years. |
Author: | shanimal [ Tue Feb 13, 2018 1:01 am ] |
Post subject: | Re: [help] multi systems audit to same system in OA |
Took a quick look this a.m.; turns out the system that is getting a bunch of other systems' scan results is the OS 2.2 server itself... This is running CentOS 7 and it looks like all of the other systems are also running CentOS 7... |
Author: | shanimal [ Tue Feb 13, 2018 1:19 am ] |
Post subject: | Re: [help] multi systems audit to same system in OA |
Update: all share the FQDN of hostname; noticed this when I created some result files, then ran "hostname -f" on each of them. Will try to fix by setting match on fqdn to N. |
Author: | shanimal [ Tue Feb 13, 2018 9:53 pm ] |
Post subject: | Re: [help] multi systems audit to same system in OA |
That did the trick! My plan was to switch to N all match* except for fqdn. This was the exact wrong approach. I was thinking that fqdn came from corporate DNS servers, which I knew wouldn't allow duplicates. But in the end it seems that the fqdn comes from the OS, in this case "hostname -f", as these were CentOS 7 systems. The fix was turning match on fqdn to no; now all of these systems created a new record when they audited overnight. Faith restored, it all makes sense now. Thanks again, jpa. |
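
A pre-check for the situation resolved above, as an added example that is not part of the thread or of Open-AudIT: given `hostname -f` output collected from each system, it lists every FQDN reported by more than one address, which is the condition under which matching on FQDN folds separate machines into one record. The "address fqdn" input format, the function names and the sample addresses are assumptions constructed for illustration.

```shell
#!/bin/sh
# Added example: flag FQDNs that more than one host reports for itself.
# Input (stdin): one "address fqdn" pair per line, e.g. the output of
# `hostname -f` gathered from each system (assumed format).
# Names are compared case-insensitively and a trailing dot is ignored,
# because both spellings denote the same DNS name.
dup_fqdns() {
    awk '
        $1 ~ /^#/ { next }                 # skip comment lines
        NF < 2    { next }                 # blank line, or host gave no FQDN
        {
            name = tolower($2)
            sub(/\.$/, "", name)
            if (!((name, $1) in seen)) {   # count each address only once
                seen[name, $1] = 1
                count[name]++
                hosts[name] = hosts[name] (hosts[name] ? "," : "") $1
            }
        }
        END {
            # Output: fqdn, number of hosts sharing it, their addresses
            for (n in count)
                if (count[n] > 1)
                    printf "%s %d %s\n", n, count[n], hosts[n]
        }
    ' | sort
}

# Constructed sample data (not taken from the thread).
sample_pairs() {
    cat <<'EOF'
# address    hostname -f output
192.0.2.10   oa-server.example.internal
192.0.2.11   web01.example.internal
192.0.2.12   OA-Server.example.internal.
192.0.2.13   oa-server.example.internal
192.0.2.14
EOF
}

sample_pairs | dup_fqdns
```

Any line this prints names an FQDN that cannot serve as a unique match key for the listed addresses; no output means every collected FQDN is unique.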
All times are UTC + 10 hours |