PostPosted: Fri Feb 15, 2013 8:35 am 
Newbie

Joined: Thu Apr 26, 2012 9:26 am
Posts: 37
Location: USA - Madison, Wi.
Hi-

I've installed the latest 9.2 Beta and when I choose Failed Audits from the Reports menu - no results are returned.
I am looking at the sys_man_audits table in the OAv2 DB to see why there is "mostly" not any data in the "audit_wmi_fails" column/field?

Here is the SQL select from the XML file for Failed Audits that comes with OA:

SELECT system.system_id, system.hostname, system.man_ip_address,
       sys_man_audits.system_audits_time, sys_man_audits.audit_debug
FROM system
LEFT JOIN sys_man_audits ON (system.system_id = sys_man_audits.system_id
                             AND system.timestamp = sys_man_audits.system_audits_time)
LEFT JOIN oa_group_sys ON (system.system_id = oa_group_sys.system_id)
WHERE oa_group_sys.group_id = 3 AND sys_man_audits.audit_debug > ''

I am trying to figure out what to look for in this table to determine a failed/missing audit of a machine?
select audit_wmi_fails from sys_man_audits;

--> Examples of values in fields below...

'Win32_USBDevice '
'W3SVC '

I see the "systems_audits_id" and "system_audits_time" are listed/audited in the table by the "audit_domain_windows.vbs" script.
However, audit_debug has all empty/null values?

Any clues are appreciated.
Thx.

-SP


 Post subject: Re: Failed Audits
PostPosted: Fri Feb 15, 2013 9:35 am 
Moderator

Joined: Fri Jul 20, 2007 8:27 am
Posts: 1259
The current OA architecture makes failed/missing audits hard to log. The server does not know when an audit has been attempted so if there is a problem that causes the audit to fail to send data to the server there is no log of that failure.

Basically the Failed Audit report shows audits where the data reached the server but there was a problem processing the data part way through.

Some failures to audit can be detected because data is sent to the server by the audit process. OA processes and writes the XML upload data to the database one section at a time. Before OA processes a section of XML it writes that section name to the audit_debug column of sys_man_audits for the audit causing the problem. So if OA processes the sys, windows and bios data and then dies on the processor section the audit_debug field should have processor in it. A successful audit clears this field at the end of processing the data.

The audit process itself can have trouble with some WMI calls which it includes in the audit data sent to the server. If the data actually gets to the server then audit_wmi_fails column should have these listed. You can look through the audit_windows.vbs source for the data in audit_wmi_fails to see the code that is failing (e.g. grep for Win32_USBDevice). There's not enough detail in this error message to determine the exact problem in all cases but it's a start.
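
The triage described in this reply, as an added example that is not part of the original post or of Open-AudIT's code. It uses only the column names quoted in this thread; the SQLite tables, the sample rows and the assumption that audit_wmi_fails holds space-separated names are constructed for illustration.

```python
import sqlite3
from collections import Counter

# Constructed schema: only the columns named in the thread are modelled.
SCHEMA = """
CREATE TABLE system (system_id INTEGER, hostname TEXT, timestamp TEXT);
CREATE TABLE sys_man_audits (system_id INTEGER, system_audits_time TEXT,
                             audit_debug TEXT, audit_wmi_fails TEXT);
"""
# Constructed rows: (system_id, hostname, audit time, audit_debug, audit_wmi_fails)
SAMPLE = [
    (1, "pc-001", "2013-02-14 09:00:00", "", "Win32_USBDevice "),
    (2, "pc-002", "2013-02-14 09:05:00", "processor", ""),
    (3, "web-01", "2013-02-14 09:10:00", None, "Win32_USBDevice W3SVC "),
    (4, "pc-004", "2013-02-14 09:15:00", "", ""),
]
# Same join as the Failed Audits report (latest audit only), without the group filter.
LATEST = """
FROM system
JOIN sys_man_audits ON system.system_id = sys_man_audits.system_id
                   AND system.timestamp = sys_man_audits.system_audits_time
"""

def build_db(rows=SAMPLE):
    db = sqlite3.connect(":memory:")
    db.executescript(SCHEMA)
    for sid, host, when, debug, fails in rows:
        db.execute("INSERT INTO system VALUES (?, ?, ?)", (sid, host, when))
        db.execute("INSERT INTO sys_man_audits VALUES (?, ?, ?, ?)",
                   (sid, when, debug, fails))
    return db

def stalled_audits(db):
    """Audits whose data arrived but stopped in a section (audit_debug not cleared).
    NULL and '' both fail the > '' test, so cleanly processed audits drop out."""
    sql = ("SELECT system.hostname, sys_man_audits.audit_debug" + LATEST +
           "WHERE sys_man_audits.audit_debug > '' ORDER BY system.hostname")
    return db.execute(sql).fetchall()

def wmi_fail_counts(db):
    """Number of machines reporting each failed WMI call (assumed space-separated)."""
    counts = Counter()
    for (fails,) in db.execute("SELECT sys_man_audits.audit_wmi_fails" + LATEST):
        counts.update(set((fails or "").split()))
    return counts

if __name__ == "__main__":
    db = build_db()
    print("stalled:", stalled_audits(db))
    print("wmi fails:", wmi_fail_counts(db).most_common())
```

A name that shows up on most machines in the second result points at a fleet-wide cause, while a one-off is worth chasing on the individual host.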


 Post subject: Re: Failed Audits
PostPosted: Fri Feb 15, 2013 10:36 am 
Site Admin

Joined: Mon Jun 07, 2004 11:48 am
Posts: 1964
Location: Brisbane, Australia
Everything JPA said is 100% correct.
[quote="spichelman"]when I choose Failed Audits from the Reports menu - no results are returned.[/quote]
This is a good thing. It means audits are processing correctly.

[quote="spichelman"]I am looking at the sys_man_audits table in the OAv2 DB to see why there is "mostly" not any data in the "audit_wmi_fails" column/field?[/quote]
Any data here is sent by the audit_windows script. It simply means the audit_windows script did not get any info for those WMI calls. In the case of Win32_USBDevice, this is a WMI component that is only installed if you have the Microsoft SMS/System Center client installed. In the case of W3SVC, either IIS is not installed on the machine in question, or it failed querying IIS for some reason. You would need to dump some variables from the audit_script to chase that down. I'll have to leave that as an exercise for someone else though.

[quote="spichelman"]I am trying to figure out what to look for in this table to determine a failed/missing audit of a machine?[/quote]
This table will not provide that data. JPA's post details where to look for a submitted, but failed audit. As for finding a failed audit_windows script - not much hope there. The machine will obviously NOT be in the Open-AudIT database. Personally, I would export the "All Windows" group to an Excel file, then query Active Directory (assuming you are running AD), for a list of machine names. Put that list into Excel and compare the two lists to determine which PCs are missing. I may code something for Open-AudIT to query Active Directory directly, but I'm swamped at the moment with other features. Consider that feature "on the list"...

_________________
Support and Development hours available from [url=https://opmantek.com]Opmantek[/url].
Please consider a purchase to help make Open-AudIT better for everyone.
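
The list comparison suggested in this reply, as an added example that is not part of the original post or of Open-AudIT. The CSV column names and sample rows are constructed; it assumes names match once lower-cased and stripped of a DNS suffix and of the trailing `$` of an AD computer account name.

```python
import csv
import io

# Constructed sample exports; real column names depend on how each list is exported.
OPEN_AUDIT_CSV = """hostname,man_ip_address
PC-001,10.0.0.11
pc-002.corp.example.com,10.0.0.12
web-01,10.0.0.20
old-pc,10.0.0.99
"""
AD_CSV = """name
PC-001$
PC-002
PC-003
WEB-01.corp.example.com
"""

def normalise(name):
    """Reduce a hostname, FQDN or AD account name (PC-001$) to a short lower-case name."""
    name = name.strip().lower().rstrip("$")
    return name.split(".", 1)[0]

def load_names(text, column):
    """Return the set of normalised names from one CSV column, skipping blank cells."""
    reader = csv.DictReader(io.StringIO(text))
    return {normalise(row[column]) for row in reader
            if (row.get(column) or "").strip()}

def coverage_gap(ad_names, audited_names):
    """Machines AD knows about that never reported an audit, and the reverse."""
    return {
        "in_ad_not_audited": sorted(ad_names - audited_names),
        "audited_not_in_ad": sorted(audited_names - ad_names),
    }

if __name__ == "__main__":
    gap = coverage_gap(load_names(AD_CSV, "name"),
                       load_names(OPEN_AUDIT_CSV, "hostname"))
    for label, hosts in gap.items():
        print(label, hosts)
```

The first list is the set of machines where the audit script never delivered data; the second usually means stale records or hosts outside the domain.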


 Post subject: Re: Failed Audits
PostPosted: Sat Feb 16, 2013 7:07 am 
Newbie

Joined: Thu Apr 26, 2012 9:26 am
Posts: 37
Location: USA - Madison, Wi.
Thanks guys (Mark/JPA) for the detailed answers.

JPA - will look into the audit_windows source if a problem arises with a "partial" audit.

Mark - Yes, running an SQL query on the "All Windows group" is a good idea.
We write some of our own PHP scripts for custom queries - maybe we could query AD and compare (check for unique) results within the same script?
I've tried the same logic in a VB script but have not got it working yet.

Thought OpenAudit v1 had a failed_audit.log file in the scripts dir or had the option in the audit.sh script to see missed computers?
Maybe I misunderstood...
<smile>

Thanks again for your continued support and hard work with OAv2.

-SP

