
Open-AudIT


All times are UTC + 10 hours




Posted: Thu Jan 25, 2018 10:40 pm
Contributor

Joined: Thu Mar 02, 2006 4:41 am
Posts: 205
Location: Massachusetts
Yesterday I noticed that 1 VM was getting scanned in by numerous IPs, so I deleted that system. This AM I saw a new system and checked it out, but it's really 9 different VMs, most on different ESXi hosts, spread out over multiple vCenters. No idea how/why this happens. Today I deleted the system, then audited two of the systems. It creates 1 new system in OA2, then when I scan the 2nd one, it just goes to that same system. What is it about these 9 VMs that OA2 thinks they are the same system? How they are scanned: I copy the OA 2.0.11 script to /etc/cron.daily/. These are all CentOS 7 VMs.

thanks


Attachments:
OA2dups.JPG

_________________
Server Info: running on a CentOS 7 vm
OA Version: 2.0.6 @ 500 devices
Posted: Sat Jan 27, 2018 8:44 am
Moderator

Joined: Fri Jul 20, 2007 8:27 am
Posts: 1259
All the system match criteria are now available in Admin->Configuration->List Configuration. Check your match_* options. Maybe take a couple audit txt files and with your match_* config try to see why they're getting combined.


Posted: Tue Jan 30, 2018 2:26 am
Contributor

Joined: Thu Mar 02, 2006 4:41 am
Posts: 205
Location: Massachusetts
Thanks, I just dialed a bunch of those Y's back to N's and deleted the one system. Will see how that works overnight, hopefully I have 8 or 9 new systems in the AM.

Posted: Thu Feb 08, 2018 3:11 am
Contributor

Joined: Thu Mar 02, 2006 4:41 am
Posts: 205
Location: Massachusetts
Couldn't get that to stop happening until the only match I have is FQDN. Finally the same systems stopped auditing into 1, but now each system in OA has 3, 4, 5 or more duplicates???

Posted: Thu Feb 08, 2018 4:35 am
Contributor

Joined: Thu Mar 02, 2006 4:41 am
Posts: 205
Location: Massachusetts
Update: after setting the only match to FQDN it looks like a new system was added each time a system was audited. There has to be a better way to fix this; starting to lose faith in this project after 12+ years going back to Winventory.

Posted: Thu Feb 08, 2018 4:54 am
Moderator

Joined: Fri Jul 20, 2007 8:27 am
Posts: 1259
Yeah, that doesn't sound good. But without a couple example audit files it's a bit too much work to step through the code to see what's happening. It is way more complicated and flexible than it was back in the Winventory era.


Posted: Thu Feb 08, 2018 5:45 am
Contributor

Joined: Thu Mar 02, 2006 4:41 am
Posts: 205
Location: Massachusetts
I would hope to never have to edit any of those match* settings; the problem started with default settings and got worse when I changed the match settings... What audit files do you want to see? I run the audit_windows.vbs script from my workstation via batch files; audit files aren't created, everything is uploaded directly to the OA2 server.

Posted: Thu Feb 08, 2018 6:01 am
Moderator

Joined: Fri Jul 20, 2007 8:27 am
Posts: 1259
The whole system match stuff is a bit complicated. So it would help stepping through the complication with real audit data that is causing the problem. So a couple audits with -create_file=y would give an XML audit result that could be used to debug. Confidential stuff in the XML audits so you'd need to decide if that's something you're willing to give out to random guy JPA. This is all assuming you don't already have a support contract with Opmantek.


Posted: Thu Feb 08, 2018 6:15 am
Contributor

Joined: Thu Mar 02, 2006 4:41 am
Posts: 205
Location: Massachusetts
We have a support contract but only for NMIS. I don't mind sending XML files because I doubt there is anything valuable in there to any bad guys on the internets.

If I set create file = y it will create the audit files on my workstation? Or will it create files on the remote windows system being audited?

Posted: Thu Feb 08, 2018 7:04 am
Moderator

Joined: Fri Jul 20, 2007 8:27 am
Posts: 1259
There are potentially software keys in the audit. Just an FYI.

For Windows use "cscript audit_windows.vbs -create_file=y -submit_online=n <computername>" and it will create the file where the script is run and not upload the data. We already know that causes problems. Don't need to make more while testing stuff.
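
Because the audit XML can carry software keys, it is worth scrubbing a copy before handing it to anyone outside your organisation. The following is an added example, not part of the original post and not Open-AudIT code; the element names in SENSITIVE_TAGS and the sample XML are constructed assumptions, so check them against the tags in your own audit files.

```python
import re
import xml.etree.ElementTree as ET

# Element names treated as secret-bearing. Assumed names for this example,
# not a documented list from the audit format.
SENSITIVE_TAGS = {"key_text", "password", "community"}
# Product-key shape: five groups of five upper-case alphanumerics.
KEY_PATTERN = re.compile(r"\b(?:[A-Z0-9]{5}-){4}[A-Z0-9]{5}\b")
PLACEHOLDER = "REDACTED"

# Constructed sample, not real audit output.
SAMPLE_AUDIT = """<system>
  <sys><hostname>web01</hostname></sys>
  <software_key>
    <item><name>Office</name><key_text>AAAAA-BBBBB-CCCCC-DDDDD-EEEEE</key_text></item>
  </software_key>
  <software>
    <item><name>Tool</name><comment>lic 11111-22222-33333-44444-55555 ok</comment></item>
  </software>
</system>"""


def redact_audit(xml_text):
    """Return (redacted_xml, count) with secret values replaced by PLACEHOLDER."""
    root = ET.fromstring(xml_text)
    count = 0
    for elem in root.iter():
        # 1. Blank the whole value of any element known to hold a secret.
        if elem.tag in SENSITIVE_TAGS and (elem.text or "").strip():
            elem.text = PLACEHOLDER
            count += 1
            continue
        # 2. Elsewhere, replace only key-shaped substrings so that the
        #    data needed for debugging (hostnames, names) survives.
        if elem.text:
            elem.text, n = KEY_PATTERN.subn(PLACEHOLDER, elem.text)
            count += n
        for name, value in list(elem.attrib.items()):
            elem.attrib[name], n = KEY_PATTERN.subn(PLACEHOLDER, value)
            count += n
    return ET.tostring(root, encoding="unicode"), count


if __name__ == "__main__":
    redacted, hits = redact_audit(SAMPLE_AUDIT)
    print(f"{hits} value(s) redacted")
    print(redacted)
```

Review the redacted file by eye before sending it; a pattern match only catches keys in the shape it was written for.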


Posted: Thu Feb 08, 2018 11:34 pm
Contributor

Joined: Thu Mar 02, 2006 4:41 am
Posts: 205
Location: Massachusetts
Perfect, I saved a screenshot of the 9 systems that kept auditing into the same OA2 record so I'll enable audit file creation for those 9. I also have a nightmare mess on my hands with 3+ copies of every server in OA2. Are you aware of any easy way to fix that, while trying to avoid taking the nightmare mess to the next level? Thanks.

Posted: Fri Feb 09, 2018 1:31 am
Contributor

Joined: Thu Mar 02, 2006 4:41 am
Posts: 205
Location: Massachusetts
Starting to think the system isn't usable anymore as is (with so many duplicate systems), and I may have to blow it away and get a fresh start.

Posted: Fri Feb 09, 2018 1:42 am
Moderator

Joined: Fri Jul 20, 2007 8:27 am
Posts: 1259
Starting over is probably easiest but you'll lose the audit history so only do that if you don't care.

Otherwise, a query to identify the duplicates and then set everything but the oldest one to System.Status=Deleted. The duplicate systems all have the same Name, Hostname or DNS Hostname?
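
The clean-up described in the post above (find the duplicates, keep the oldest record, mark the rest deleted) can be rehearsed on a copy first. This is an added example, not part of the original post and not Open-AudIT code; the table and column names (system, id, hostname, first_seen, status) and the rows are constructed assumptions, run here against an in-memory SQLite database.

```python
import sqlite3

# Constructed stand-in for the inventory table; every name is an assumption.
SCHEMA = """CREATE TABLE system (
    id INTEGER PRIMARY KEY, hostname TEXT NOT NULL,
    first_seen TEXT NOT NULL, status TEXT NOT NULL DEFAULT 'production')"""

SAMPLE_ROWS = [  # constructed sample data
    (1, "web01", "2017-03-01 02:00:00", "production"),
    (2, "web01", "2018-02-07 02:00:00", "production"),
    (3, "WEB01", "2018-02-08 02:00:00", "production"),
    (4, "db01", "2016-11-12 02:00:00", "production"),
    (5, "db01", "2018-02-08 02:00:00", "production"),
    (6, "mail01", "2018-01-15 02:00:00", "production"),
    (7, "web01", "2015-01-01 02:00:00", "deleted"),
]

# A live row is a duplicate when an older live row has the same hostname
# (case-insensitive); ties on first_seen are broken by the lower id.
FIND_DUPLICATES = """
SELECT s.id FROM system s
WHERE s.status <> 'deleted'
  AND EXISTS (
      SELECT 1 FROM system o
      WHERE o.status <> 'deleted'
        AND LOWER(o.hostname) = LOWER(s.hostname)
        AND (o.first_seen < s.first_seen
             OR (o.first_seen = s.first_seen AND o.id < s.id)))
ORDER BY s.id"""


def build_sample_db():
    con = sqlite3.connect(":memory:")
    con.execute(SCHEMA)
    con.executemany("INSERT INTO system VALUES (?, ?, ?, ?)", SAMPLE_ROWS)
    return con


def find_duplicates(con):
    """Ids of every live record except the oldest one per hostname."""
    return [row[0] for row in con.execute(FIND_DUPLICATES)]


def mark_duplicates_deleted(con, dry_run=True):
    """Return the duplicate ids; only change rows when dry_run is False."""
    ids = find_duplicates(con)
    if not dry_run and ids:
        with con:  # one transaction: every duplicate is marked, or none is
            con.executemany("UPDATE system SET status = 'deleted' WHERE id = ?",
                            [(i,) for i in ids])
    return ids
```

The dry run returns the ids that would change, so the list can be checked against the web interface before anything is modified.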


Posted: Fri Feb 09, 2018 3:34 am
Contributor

Joined: Thu Mar 02, 2006 4:41 am
Posts: 205
Location: Massachusetts
As far as I know, every system should have a unique hostname, DNS name, and NetBIOS name, whatever you want to call them. Still can't figure out how/why I ended up with this mess. How would anybody in a corporate network survive if you really had multiple different systems sharing the same hostnames and/or FQDNs? I don't think you'd last 15 minutes in this industry if you tried to work with duplicate names on any level.

Posted: Fri Feb 09, 2018 3:36 am
Moderator

Joined: Fri Jul 20, 2007 8:27 am
Posts: 1259
Sorry, my poor communications skills strike again. I mean to say that if you have a bunch of duplicate systems in your OpenAudit hopefully they have something in common that we can use to select them and then mark the extraneous ones as Deleted.

