Registrations to Open-AudIT forums are now closed. To ask any new questions please visit Opmantek Community Questions.

Open-AudIT

What's on your network?
It is currently Fri Mar 29, 2024 9:35 am

All times are UTC + 10 hours




Forum locked This topic is locked, you cannot edit posts or make further replies.  [ 22 posts ]  Go to page 1, 2  Next
Author Message
PostPosted: Wed Dec 07, 2011 7:58 pm 
Offline
Newbie

Joined: Mon Nov 21, 2011 9:46 am
Posts: 13
Hello, I have a problem on some of my windows 7 clients in Open-audit detection. Okay here's my problem..

I have 10 windows 7 pro desktops that currently running, when I do the auditing on one of it, let say (Desktop A), I can just see the result after wards at the querie page of my Open-Audit. But when I do the next auditing on my other windows 7 client let say the (Desktop B), the result was. it will just something like overwriting the first windows 7 record (Desktop A) and turn the record to Desktop B alone.. same thing happens when I proceed to the other Windows 7 client.. let say Desktop C.. the result is the same.. Desktop C will the only one who appears on the Open-audit record alone..

Did someone already encountered on this kind of problem?

Thank you so much in advanced for your inputs..

Ed..


Top
 Profile  
Reply with quote  
PostPosted: Fri Dec 09, 2011 7:18 am 
Offline
Moderator

Joined: Fri Jul 20, 2007 8:27 am
Posts: 1259
What value do you have for uuid_type in your audit.config file? If you have uuid_type = "uuid" and your systems don't report a unique value for the UUID then you'll get the behavior you're describing. Change the uuid_type to "mac" and see if that helps.

Obviously something else if that's not it.


Top
 Profile  
Reply with quote  
PostPosted: Fri Dec 09, 2011 4:27 pm 
Offline
Newbie

Joined: Mon Nov 21, 2011 9:46 am
Posts: 13
Hi Jpa,

I tried to change the uuid_type = "mac" but then its still the same..

Below is my audit.config.. maybe I made some misconfiguration on it..

audit_location = "r"
verbose = "y"
audit_host="http://serverhost"
online = "yesxml"
strComputer = ""
ie_visible = "n"
ie_auto_submit = "y"
ie_submit_verbose = "n"
ie_form_page = audit_host + "/openaudit/admin_pc_add_1.php"
non_ie_page = audit_host + "/openaudit/admin_pc_add_2.php"
input_file = ""

audit_local_domain = "y"

local_domain = "LDAP://domain.com"

hfnet = "n"
Count = 0
number_of_audits = 10
script_name = "audit.vbs"
monitor_detect = "y"
printer_detect = "y"
software_audit = "y"
uuid_type = "mac"

Another reference info also, my 10 windows 7 desktops are all cloned with same specs from Hardware to Software.

Thank you so much in advance.
Ed


Top
 Profile  
Reply with quote  
PostPosted: Tue Dec 13, 2011 10:11 am 
Offline
Moderator

Joined: Fri Jul 20, 2007 8:27 am
Posts: 1259
I'm not sure what your problem is so you'll need to troubleshoot a bit.

Change the following lines in your audit.config so you can see what is getting submitted by the audit script:
[code]
online = "ie"
ie_visible = "y"
ie_auto_submit = "n"
[/code]

Run an audit and review what the audit script is sending to the server. Near the top should be a line that starts with "audit^^^". This line has data like this "audit^^^the_system_name^^^timestamp^^^the_system_uuid" which you can review between the various audits to see what they're returning for the system_uuid. If it looks like a MAC address make sure they're not all the same (shouldn't happen.) If it looks like a UUID then maybe you've got something overriding the audit.config setting in your audit.script file or something.


Top
 Profile  
Reply with quote  
PostPosted: Tue Dec 13, 2011 6:29 pm 
Offline
Newbie

Joined: Mon Nov 21, 2011 9:46 am
Posts: 13
Okay, I'll try it later.. I'll post once i have the result..

Hmm.. I have question, does Open-audit has a log file which we view some error alarm from it?


Thank you so much again.. I really appreciate your help JPA.
Ed..


Top
 Profile  
Reply with quote  
PostPosted: Wed Dec 14, 2011 3:28 am 
Offline
Moderator

Joined: Fri Jul 20, 2007 8:27 am
Posts: 1259
[code]
use_audit_log = "y"
keep_audit_log = "y"
[/code]
Gives you a log with some info but it's not extensive.

If you're set on using version 1 of OpenAudit make sure to get [url=http://open-audit.svn.sourceforge.net/viewvc/open-audit/trunk/?view=tar]the latest from SVN[/url].

If you want a more modern approach that is under active development you should switch to [url=http://www.open-audit.org/phpBB3/viewforum.php?f=20]version 2[/url].


Top
 Profile  
Reply with quote  
PostPosted: Thu Dec 15, 2011 10:52 am 
Offline
Newbie

Joined: Mon Nov 21, 2011 9:46 am
Posts: 13
Yes JPA your right.. i'm still using the version 1, I think i'll have to switch it to the latest one.. do we have steps on how can we migrate from old to new version? hehe I hope there is..

I already used the Open-audit for almost 2 years.. and it has been really great working it for me in all of my windows XP, windows servers & linux based... its just so happened that some of my clients now are having now with this windows 7 environment..

Did the version 2 just really works for Windows 7 environment?

Thank you JPA for keeping in touch on my concerns.
Ed.


Top
 Profile  
Reply with quote  
PostPosted: Thu Dec 15, 2011 12:46 pm 
Offline
Moderator

Joined: Fri Jul 20, 2007 8:27 am
Posts: 1259
To be honest I haven't switched to version 2 yet as it's missing some things I use i version 1 and has some problems that are being worked on since it's only beta stage.

There is no upgrade from version 1 to 2.


Top
 Profile  
Reply with quote  
PostPosted: Thu Jan 05, 2012 4:54 pm 
Offline
Newbie

Joined: Mon Nov 21, 2011 9:46 am
Posts: 13
I still encountered the problem.. :-( Happy new year everyone!


Top
 Profile  
Reply with quote  
PostPosted: Fri Jan 06, 2012 4:04 am 
Offline
Moderator

Joined: Fri Jul 20, 2007 8:27 am
Posts: 1259
You need to figure out just what the OpenAudit script is trying to send to the server to see if you've got duplicates. Follow my earlier post to see what the script is sending.


Top
 Profile  
Reply with quote  
PostPosted: Thu Feb 02, 2012 1:18 pm 
Offline
Newbie

Joined: Mon Nov 21, 2011 9:46 am
Posts: 13
Okay.. Sorry for my late responce, I see.. can you please show me how to determine if my scripts are duplicating to the open host server?

I already tried to change this settings below

online = "ie"
ie_visible = "y"
ie_auto_submit = "n"

But I still can't figure out why this problem is happening.. thank you JPA for your help..

Ed.


Top
 Profile  
Reply with quote  
PostPosted: Fri Feb 03, 2012 2:47 am 
Offline
Moderator

Joined: Fri Jul 20, 2007 8:27 am
Posts: 1259
You need to actually do what I suggested [url=http://www.open-audit.org/phpBB3/posting.php?mode=reply&f=5&t=5807#pr19982]earlier[/url].

If you make the changes to your audit.config as suggested then when you run "cscript audit.vbs <computername>" the <computername> computer is audited and an Internet Explorer window opens up with the audit data. Do this for two separate computers and then check the "audit^^^" line in the post data and compare what each has for the system_uuid. Post here what you find.


Top
 Profile  
Reply with quote  
PostPosted: Sat Feb 11, 2012 5:50 am 
Offline
Newbie

Joined: Mon Nov 21, 2011 9:46 am
Posts: 13
Here's what I got.. see below..

I have listed 3 computers below which has the same UUID result. I noticed that every time a computer overwrites a existing record in the Open audit list, it use's only this kind of UUID # = 3000200-0400-0500-0006-000700080009 and i don't know why..
03000200-0400-0500-0006-000700080009 - Hostname = P172Computer1 (Windows 7 PRO 64)
03000200-0400-0500-0006-000700080009 - P172Computer2 (Windows 7 PRO 64)
03000200-0400-0500-0006-000700080009 - T130Computer1 (Windows 7 PRO 64)

The computers below are just running fine on Open Audit list.
4C4C4544-0057-3910-8047-C3C04F383153 - Hostname = 100Computer1 (Windows 7 PRO 64) - Good
4C4C4544-0046-3410-8033-B2C04F393153 - 100Computer2 (Windows 7 PRO 64) - Good
4C4C4544-0039-3810-8039-C3C04F433153 - 100Computer3 (Windows 7 PRO 64) - Good

Thank you so much guys for helping me.
Ed


Top
 Profile  
Reply with quote  
PostPosted: Sat Feb 11, 2012 7:58 am 
Offline
Moderator

Joined: Fri Jul 20, 2007 8:27 am
Posts: 1259
You need to change the uuid_type in your audit.config file.

[code]
From:
uuid_type = "uuid"
To:
uuid_type = "mac"
[/code]

Then run the test again and instead of the "03000200-0400-0500-0006-000700080009" type UUIDs you'll have UUIDs that are network card MAC addresses. These should be unique in your environment. If you don't get different looking UUIDs then you're not changing the uuid_type correctly.


Top
 Profile  
Reply with quote  
PostPosted: Wed Feb 15, 2012 7:16 am 
Offline
Newbie

Joined: Mon Nov 21, 2011 9:46 am
Posts: 13
Jpa, I already tried on what you have replied to me, but I didn't see any changes to the UUID output or even similar mac address to the test computer I run.. Below is my audit.config settings, I can't tell which part of the code is not properly configure... Please let me know, if there something wrong in my audit.config...

' Standard audit section
'
audit_location = "r"
verbose = "y"
audit_host="http://serverhost"
online = "ie"
strComputer = ""
ie_visible = "y"
ie_auto_submit = "n"
ie_submit_verbose = "n"
ie_form_page = audit_host + "/openaudit/admin_pc_add_1.php"
non_ie_page = audit_host + "/openaudit/admin_pc_add_2.php"
input_file = ""

hfnet = "n"
Count = 0
number_of_audits = 10
script_name = "audit.vbs"
monitor_detect = "y"
printer_detect = "y"
software_audit = "y"
uuid_type = "MAC" or "mac"

Thank you so much in advance JPA!
Ed


Top
 Profile  
Reply with quote  
Display posts from previous:  Sort by  
Forum locked This topic is locked, you cannot edit posts or make further replies.  [ 22 posts ]  Go to page 1, 2  Next

All times are UTC + 10 hours


Who is online

Users browsing this forum: No registered users and 2 guests


You cannot post new topics in this forum
You cannot reply to topics in this forum
You cannot edit your posts in this forum
You cannot delete your posts in this forum
You cannot post attachments in this forum

Search for:
Jump to:  
Powered by phpBB® Forum Software © phpBB Group