How to audit a single Windows computer

Cannot Audit

If you are having issues auditing a Windows PC, see the Target Client Configuration page, which specifies the required client configuration and gives some configuration hints.

Auditing using a GUI

To do this, go to the Open-AudIT logon page at http://YOUR-SERVER/omk/oae (but do not log in) using Internet Explorer on a Windows PC. You should see a page as below. Click the "Audit My PC" button and run the script. You should see your computer being audited and the data should be posted to the Open-AudIT server.

You should now be able to log in and see the details from your Windows PC.

Auditing using a GUI #2

In Open-AudIT, go to Menu -> Admin -> Discovery -> Discover a Device. You will see the below form.

If you have set the "Local Network Address" in the config (Menu -> Admin -> Config), it will be pre-populated. This should be the IP address of your Open-AudIT server.

Add the IP address of the target computer, along with credentials (again, if you have set these in the config, they will be pre-populated).

In general you should NOT use the "Debug" option. This is for troubleshooting.

Click the "Submit" button and you will be directed to the Log page. You can refresh this page to see the status of the audit being performed.

Auditing using a script

These steps assume you have an XAMPPLite install of Open-AudIT on a Microsoft Windows machine.

Copy the file c:\xampplite\open-audit\other\audit_windows.vbs to a suitable location. Do not remove this file from its original location, as it is needed by the web interface.

Open your copy of audit_windows.vbs in a text editor. Check the following variables are set as below:

Open a command prompt and run the script with cscript audit_windows.vbs. Do not double click the script to run it as this will use wscript instead of cscript and spawn many popup windows.

It should run and post the result to the database. Go back to your web browser and load Open-AudIT. You should have a group or two created. Go into one of them and click the machine name. You should see the machine details.

 

NOTE - To prevent any output to the command window you can set debugging = "0" and run the script with cscript //nologo audit_windows.vbs.


Options


All variables can be passed via the command line at run time. You don't need to create one audit script for each different (say) set of remote user credentials. A couple of examples -

  • cscript audit_windows.vbs REMOTE_PC strUser=REMOTE_USER strPass=PASSWORD - will audit a remote machine with credentials other than those of the local user running the script.
  • cscript audit_windows.vbs . submit_online=n create_file=y - will run the audit on the local PC and output to a file (in the current directory). The "." can be used in place of the local machine name.

The command line arguments are as follows, variable [default] (valid options):

create_file [n] (y|n) - Create a text file named COMPUTERNAME_YYYYMMDDHHMMSS.xml in the directory from which the audit script is run.

debugging [1] (0-3) - Verbosity of the output to the command line. Set to "0" for no output.

ldap [] (string) - This value is passed in when running the audit_domain script. Only set this value if your audit host is on a different domain than the audit targets and you are not using audit_domain.vbs, i.e. you are running "cscript audit_windows.vbs COMPUTER" where COMPUTER is on a separate domain from the PC you are running the command on. This would then apply to ALL systems audited like this. This would be the exception rather than the rule.

org_id [] (org_id) - If set the PC will be automatically assigned to the organisation. Get the organisation id by using the web interface.

ping_target [n] (y|n) - Attempt to ping the target PC before attempting to audit it.

self_delete [n] (y|n) - Delete the audit script itself upon completion.

skip_printer [n] (y|n) - Do not attempt to retrieve any printer details.

skip_software [n] (y|n) - Do not attempt to retrieve any installed software details.

skip_dns [n] (y|n) - Do not attempt to retrieve any DNS details.

skip_mount_point [n] (y|n) - Do not attempt to retrieve mount point details.

strcomputer [.] (string) - The name of the target PC. "." means the local PC on which the script is running.

struser [] (string) - Should be of the format DOMAIN/USERNAME. Runs the script against the target PC using these credentials.

strpass [] (string) - Runs the script against the target PC using these credentials.

submit_online [y] (y|n) - Submit the audit result to the webserver upon completion.

url [http://localhost/index.php/system] (string) - The URL of the Open-AudIT server to submit the audit to. The variable submit_online must be set to "y".

use_proxy [n] (y|n) - Unused at present.

windows_user_work_1 [physicalDeliveryOfficeName] (string) - The Active Directory attribute to use as a first preference for determining the target PC's user work unit.

windows_user_work_2 [company] (string) - The Active Directory attribute to use as a second preference for determining the target PC's user work unit.

details_to_lower [y] (y|n) - Details like domain, hostname, username, etc. are usually set to lower case for consistency. If you would like these kept as retrieved, set to "n".

 

Unusual Auditing


Not every Windows computer will be a simple domain connected machine. Sometimes you may have a server in a DMZ with no network connectivity to the internal network, a machine not on a domain, a standalone machine not networked at all, etc. There are various options to overcome these. 

Computer with no network connectivity to the Open-AudIT server.

Copy the audit script to a USB drive, go to the remote computer and insert the USB drive. Open a command prompt and navigate to where you copied the script. Run the script and output to an XML file using the command

cscript audit_windows.vbs strcomputer=. submit_online=n create_file=y

An XML file named COMPUTERNAME_DATE.xml should be created. Close the terminal window, remove the USB drive and go to a computer with Open-AudIT connectivity. Open the XML file, copy its contents and paste them into http://YOUR_SERVER/index.php/system, or log in to the Open-AudIT web application and go to menu -> Admin -> Devices -> Add a Computer (using an audit result).
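When results from several offline machines arrive on removable media, it helps to triage them before pasting anything into the server. The PowerShell below is an added example, not part of Open-AudIT; the function name, the E:\audits folder, the 30-day threshold and the assumption that audit results contain no DOCTYPE are all illustrative.

```powershell
# Added example, not Open-AudIT code. Triage offline audit results before upload.
function Get-AuditFileStatus {
    param(
        [Parameter(Mandatory)] [string] $InboxDir,   # assumed folder holding the copied XML files
        [int] $MaxAgeDays = 30,                      # assumed staleness threshold
        [datetime] $Now = (Get-Date)
    )
    # COMPUTERNAME_YYYYMMDDHHMMSS.xml as documented; "-" is also accepted as the separator
    $pattern = '^(?<name>.+)[_-](?<stamp>\d{14})\.xml$'
    $inv     = [cultureinfo]::InvariantCulture
    $styles  = [System.Globalization.DateTimeStyles]::None
    $settings = New-Object System.Xml.XmlReaderSettings
    $settings.DtdProcessing = [System.Xml.DtdProcessing]::Prohibit  # assumes results carry no DOCTYPE
    $settings.XmlResolver   = $null                                 # never fetch external resources

    $rows = @(foreach ($file in Get-ChildItem -LiteralPath $InboxDir -Filter '*.xml' -File) {
        $row = [pscustomobject]@{ Computer = $null; Taken = $null; Status = 'ok'; File = $file.Name }
        $taken = [datetime]::MinValue
        if ($file.Name -match $pattern) {
            $row.Computer = $Matches['name'].ToLowerInvariant()
            if ([datetime]::TryParseExact($Matches['stamp'], 'yyyyMMddHHmmss', $inv, $styles, [ref] $taken)) {
                $row.Taken = $taken
                if (($Now - $taken).TotalDays -gt $MaxAgeDays) { $row.Status = 'stale' }
            } else {
                $row.Status = 'bad-timestamp'
            }
        } else {
            $row.Status = 'bad-name'
        }
        if ($row.Status -in 'ok', 'stale') {
            $reader = $null
            try {   # read the whole file: a DTD or malformed markup throws
                $reader = [System.Xml.XmlReader]::Create($file.FullName, $settings)
                while ($reader.Read()) { }
            } catch {
                $row.Status = 'xml-rejected'
            } finally {
                if ($reader) { $reader.Dispose() }
            }
        }
        $row
    })
    # Keep only the newest usable result per computer
    foreach ($group in ($rows | Where-Object { $_.Status -eq 'ok' } | Group-Object Computer)) {
        $group.Group | Sort-Object Taken -Descending | Select-Object -Skip 1 |
            ForEach-Object { $_.Status = 'superseded' }
    }
    $rows
}

Get-AuditFileStatus -InboxDir 'E:\audits' | Sort-Object Status, Computer | Format-Table -AutoSize
```

Only rows with Status "ok" are worth submitting; anything else should be re-collected from the source machine.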

Computer not on the domain.

If you can see the computer on the network and it has its firewall opened to allow remote WMI/VBScript, you can run the audit script using the remote credentials.

cscript audit_windows.vbs strcomputer=REMOTE_COMPUTER_NAME struser=REMOTE_DOMAIN/REMOTE_USERNAME strpass=REMOTE_PASSWORD

You may need to substitute the string "workgroup" or the remote computer name for REMOTE_DOMAIN above.

 

Computer that can see the Open-AudIT server, but the audit host cannot see the computer (unusual).

You can copy the audit script to the target computer and set it to run on a scheduled task and submit the result to the Open-AudIT server.
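One way to set up that scheduled task, as an added example that is not part of Open-AudIT: the folder, task name and 02:00 daily schedule are assumptions, as is running the audit under the SYSTEM account. Because the audit is local (strcomputer=.), no strUser/strPass values appear in the task's command line.

```powershell
# Added example, not Open-AudIT code. Run from an elevated PowerShell prompt on the target.
$ScriptDir  = 'C:\ProgramData\OpenAudIT'              # assumed location of the copied script
$ScriptPath = Join-Path $ScriptDir 'audit_windows.vbs'
$ServerUrl  = 'http://YOUR_SERVER/index.php/system'   # replace YOUR_SERVER with your server
$TaskName   = 'Open-AudIT local audit'                # assumed task name

if (-not (Test-Path -LiteralPath $ScriptPath)) {
    throw "Copy audit_windows.vbs to $ScriptPath before registering the task."
}

# The task runs as SYSTEM, so only SYSTEM (S-1-5-18) and Administrators (S-1-5-32-544)
# may write to the script folder; anyone else able to edit the script would run code as SYSTEM.
& icacls.exe $ScriptDir /inheritance:r /grant:r '*S-1-5-18:(OI)(CI)F' '*S-1-5-32-544:(OI)(CI)F' | Out-Null
if ($LASTEXITCODE -ne 0) { throw "icacls failed with exit code $LASTEXITCODE" }

# cscript (not wscript) with //nologo and debugging=0 keeps the run silent.
$cscript   = Join-Path $env:SystemRoot 'System32\cscript.exe'
$arguments = '//nologo "{0}" strcomputer=. submit_online=y url={1} debugging=0' -f $ScriptPath, $ServerUrl

$action    = New-ScheduledTaskAction -Execute $cscript -Argument $arguments -WorkingDirectory $ScriptDir
$trigger   = New-ScheduledTaskTrigger -Daily -At '02:00'
$principal = New-ScheduledTaskPrincipal -UserId 'SYSTEM' -LogonType ServiceAccount -RunLevel Highest
$settings  = New-ScheduledTaskSettingsSet -StartWhenAvailable -ExecutionTimeLimit (New-TimeSpan -Hours 1)

Register-ScheduledTask -TaskName $TaskName -Action $action -Trigger $trigger `
    -Principal $principal -Settings $settings -Force | Out-Null

# Confirm the registration
Get-ScheduledTask -TaskName $TaskName | Select-Object TaskName, State
```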


5 Comments

  1. Windows Core Servers do not correctly report within Open-AudIT. I have two domain controllers and a SQL server running Windows Core 2008 R2 and they don't show up on the list.

  2. Anyone have a clean way to upload the XML files into open-audit from script? I have many many servers in DMZs that do not have access to my audit server. So far I've tried multiple curl options without luck. If I get it working I'll report back. Thanks all.

    Attempts:
    curl -X PUT http://openauditserver/open-audit/index.php/system -F upload_file=dmzserver06-20160607135741.xml
    curl -X PUT http://openauditserver/open-audit/index.php/system -F "upload_file=dmzserver06-20160607135741.xml"
    curl http://openauditserver/open-audit/index.php/system --form upload_file=dmzserver06-20160607135741.xml
    curl http://openauditserver/open-audit/index.php/system --form upload_file=dmzserver06-20160607135741.xml --form submit=submit
    curl http://openauditserver/open-audit/index.php/system --form upload_file=audits/dmzserver06-20160607135741.xml --form submit=submit
    curl http://openauditserver/open-audit/index.php/system --form upload_file=@audits/dmzserver06-20160607135741.xml --form submit=submit
    curl -F "upload_file=@audits/dmzserver06-20160607135741.xml" http://openauditserver/open-audit/index.php/system
    curl -F "upload_file=@audits/dmzserver06-20160607135741.xml" -F "submit=submit" http://openauditserver/open-audit/index.php/system
    curl http://openauditserver/open-audit/index.php/system --upload-file upload_file=audits/dmzserver06-20160607135741.xml
    curl --upload-file audits/dmzserver06-20160607135741.xml http://openauditserver/open-audit/index.php/system


    1. Try the below where result.xml is your offline audit result.