
When doing a discovery on a different subnet, I am having an issue where each IP address is showing up in the "All devices" list. The system is running on Ubuntu with Open-Audit 1.12. I am new to Open-AudIT, but this is a second install of it after testing. Ubuntu is running on XenServer. Any ideas as to why each IP address is being shown in the devices list even though there is nothing associated with that address?


    3 answers

    1.

      I upgraded to the latest version today, deleted the devices, and re-ran the discovery with the same results. When the addresses are pinged they come back with nothing, but they are still showing up in the device list. Any other ideas? In the testing phase this was being used on a Windows box with no issues; now on an Ubuntu install it seems to be acting up.

      1. Mark Unwin

        Can you run a discovery on a single IP that is in this list and use the Debug option. Wait for the output to complete and post it here.

      2. sllcbhs

        Below is the output of the debug. I verified 192.168.6.7 did not return a ping request prior to running; it did show up in the list again after the discovery.

        - 192.168.6.7 unknown
        BENCHMARKS
        Loading Time: Base Classes 0.0007
        Controller Execution Time ( Main / List Devices ) 0.0363
        Total Execution Time 0.0371
        GET DATA
        No GET data exists
        MEMORY USAGE
        2,042,120 bytes
        POST DATA
        No POST data exists
        URI STRING
        main/list_devices/20
        CLASS/METHOD
        main/list_devices
        DATABASE: openaudit QUERIES: 15 (Hide)
        0.0001 SET SESSION sql_mode=""
        0.0001 SELECT * FROM (`oa_user_sessions`) WHERE `session_id` = '365f2700fa5132f2b65f22b9c5100607' AND `user_agent` = 'Mozilla/5.0 (Windows NT 6.3) AppleWebKit/537.36 (K'
        0.0150 UPDATE `oa_user_sessions` SET `last_activity` = 1459431164, `session_id` = '1e9a125ce9a1638673d53bc3f923a59b' WHERE session_id = '365f2700fa5132f2b65f22b9c5100607'
        0.0001 /* M_oa_config::load_config */ SELECT config_value FROM oa_config WHERE config_name = 'internal_version'
        0.0001 /* M_oa_config::load_config */ SELECT oa_config.*, oa_user.user_full_name FROM oa_config LEFT JOIN oa_user ON oa_config.config_edited_by = oa_user.user_id
        0.0001 /* M_oa_config::load_config */ SELECT count(system_id) as device_count FROM system WHERE man_status = 'production'
        0.0001 /* M_oa_user::validate_user */ SELECT * FROM oa_user WHERE oa_user.user_id = '1' LIMIT 1
        0.0001 UPDATE `oa_user_sessions` SET `last_activity` = 1459431164, `user_data` = 'a:3:{s:3:\"url\";s:0:\"\";s:7:\"user_id\";s:1:\"1\";s:10:\"user_debug\";s:1:\"y\";}' WHERE `session_id` = '1e9a125ce9a1638673d53bc3f923a59b'
        0.0001 /* M_oa_report::list_reports_in_menu */ SELECT report_id, report_name, '' as report_url, report_description FROM oa_report WHERE report_display_in_menu = 'y' and report_view_file != 'v_help_oae' ORDER BY report_name
        0.0001 /* M_oa_group::get_group_access */ SELECT group_user_access_level FROM oa_group_user WHERE user_id = '1' AND group_id = '20' LIMIT 1
        0.0001 /* M_oa_group::get_group_name */ SELECT group_name from oa_group WHERE group_id = '20' LIMIT 1
        0.0001 /* M_oa_group_column::get_group_column */ SELECT * FROM oa_group_column WHERE group_id = '20' ORDER BY column_order
        0.0001 /* M_oa_group_column::get_group_column */ SELECT * FROM oa_group_column WHERE group_id = '1' ORDER BY column_order
        0.0001 /* M_systems::get_group_systems */ SELECT group_display_sql FROM oa_group WHERE group_id = '20'
        0.0002 /* M_systems::get_group_systems */ SELECT system.system_id, system.hostname, system.domain, system.man_description, system.man_ip_address, system.man_type, system.man_os_family, system.man_os_name, system.man_icon, system.man_manufacturer, system.man_model, system.man_serial, system.man_icon, system.type FROM system, oa_group_sys WHERE system.system_id = oa_group_sys.system_id AND oa_group_sys.group_id = '20' AND system.man_status = 'production' GROUP BY system.system_id
        HTTP HEADERS (Show)
        SESSION DATA (Show)
        CONFIG VARIABLES (Show)

      3. sllcbhs

        EDIT: That layout of the basic text may be difficult to read. If you want it in a txt or a screenshot I can do that later; I have to run to a meeting right now.

      4. Mark Unwin

        My apologies for not being clearer. Go to menu -> Admin -> Discovery -> Discover a Device using SNMP. Put in the IP of 192.168.6.7 and check the Debug checkbox. Submit the form and wait for the next page to completely finish rendering. It does output to the page as it goes, so wait for the indicator on your browser to stop spinning. Post this (text) output. Devices do not need to respond to a ping anymore. If they have an open port on any of Nmap's "top 1000" ports (or port 161 on UDP) they do exist and will therefore be inserted into Open-AudIT. You could even run the below on the command line of the Open-AudIT server and post that result - it's basically the same as above.

        nmap -vv -n -Pn --host-timeout 90 -T4 192.168.6.7 2>&1

      5. sllcbhs

        I apologize, below is the output of doing it that way:

        LOG - Discovery submitted for 192.168.6.7
        DEBUG - Command Executed: /usr/local/open-audit/other/discover_subnet.sh subnet_range=192.168.6.7 url=http://192.168.1.101/open-audit/index.php/discovery/process_subnet submit_online=n echo_output=y create_file=n debugging=0 subnet_timestamp="2016-03-31 16:29:23" os_scan=n 2>&1
        DEBUG - Return Value: 0
        DEBUG - Command Output: Array (
        [0] => <devices>
        [1] => <device>
        [2] => <subnet_range>192.168.6.7</subnet_range>
        [3] => <man_ip_address>192.168.6.7</man_ip_address>
        [4] => <mac_address></mac_address>
        [5] => <manufacturer><![CDATA[]]></manufacturer>
        [6] => <description><![CDATA[]]></description>
        [7] => <org_id></org_id>
        [8] => <snmp_status>true</snmp_status>
        [9] => <ssh_status>false</ssh_status>
        [10] => <wmi_status>false</wmi_status>
        [11] => <subnet_timestamp>2016-03-31 16:29:23</subnet_timestamp>
        [12] => <nmap_result><![CDATA[
        [13] => Starting Nmap 6.40 ( http://nmap.org ) at 2016-03-31 16:29 CDT
        [14] => WARNING: Running Nmap setuid, as you are doing, is a major security risk.
        [15] =>
        [16] => Initiating SYN Stealth Scan at 16:29
        [17] => Scanning 192.168.6.7 [1000 ports]
        [18] => SYN Stealth Scan Timing: About 30.50% done; ETC: 16:31 (0:01:11 remaining)
        [19] => SYN Stealth Scan Timing: About 60.50% done; ETC: 16:31 (0:00:40 remaining)
        [20] => 192.168.6.7 timed out during SYN Stealth Scan (0 hosts left)
        [21] => Completed SYN Stealth Scan at 16:30, 90.10s elapsed (1 host timed out)
        [22] => Nmap scan report for 192.168.6.7
        [23] => Host is up.
        [24] => Skipping host 192.168.6.7 due to host timeout
        [25] => Read data files from: /usr/bin/../share/nmap
        [26] => Nmap done: 1 IP address (1 host up) scanned in 90.14 seconds
        [27] => Raw packets sent: 1780 (78.320KB) | Rcvd: 1170 (46.800KB)]]></nmap_result>
        [28] => </device><device><subnet_range>192.168.6.7</subnet_range><subnet_timestamp>2016-03-31 16:29:23</subnet_timestamp><complete>y</complete></device></devices>
        )
        DEBUG - Starting process_subnet.
        ***********************************************************************************
        * NOTE - THIS PAGE WILL CONTINUOUSLY RENDER UNTIL THE DISCOVERY HAS FINISHED *
        * WATCH YOUR BROSWER TO SEE WHEN THE PAGE FINISHES RENDERING *
        * DO NOT REFRESH THIS PAGE OR ATTEMPT TO GO 'back' UNTIL THE PAGE HAS COMPLETED *
        ***********************************************************************************
        DEBUG - Back to input page
        DEBUG - Front Page
        LOG - Start processing 192.168.6.7
        LOG - Start DNS checking for 192.168.6.7
        LOG - No FQDN set for 192.168.6.7
        LOG - Using gethostbyaddr because no hostname set but IP is set for 192.168.6.7
        LOG - Finish DNS checking for 192.168.6.7
        LOG - System Key being generated for at 192.168.6.7
        LOG - System Key is 192.168.6.7 for type ipad at 192.168.6.7
        LOG - WMI Status is false on 192.168.6.7
        LOG - SNMP Status is true on 192.168.6.7
        LOG - SSH Status is false on 192.168.6.7
        LOG - Attempting SNMP discovery on 192.168.6.7
        DEBUG - Command Executed: which ipmitool 2>&1
        DEBUG - Return Value: 0
        DEBUG - Command Output: Array ( [0] => /usr/bin/ipmitool )
        LOG - Ipmitools detected and used (as per config) when discovering 192.168.6.7
        DEBUG - Command Executed: ipmitool -H 192.168.6.7 -U -P ****** lan print 2>/dev/null | grep "^MAC Address" | cut -d":" -f2- | cut -d" " -f2
        DEBUG - Return Value: 0
        DEBUG - Command Output: Array ( )
        LOG - System Key being generated for 192.168.6.7 at 192.168.6.7
        LOG - System Key is 192.168.6.7 for 192.168.6.7 type ipad at 192.168.6.7
        LOG - Start DNS checking for 192.168.6.7
        LOG - Hostname contains an ip 192.168.6.7
        LOG - FQDN does not contain a . so removing
        LOG - Using gethostbyaddr because no hostname set but IP is set for 192.168.6.7
        LOG - Finish DNS checking for 192.168.6.7
        LOG - System ID not found.
        DEBUG ---------------
        stdClass Object (
        [subnet_range] => 192.168.6.7
        [man_ip_address] => 192.168.6.7
        [snmp_status] => true
        [ssh_status] => false
        [wmi_status] => false
        [subnet_timestamp] => 2016-03-31 16:29:23
        [nmap_result] => SimpleXMLElement Object ( )
        [timestamp] => 2016-03-31 16:30:53
        [last_seen] => 2016-03-31 16:30:53
        [last_seen_by] => nmap
        [audits_ip] => 192.168.001.110
        [system_key] => 192.168.6.7
        [system_key_type] => ipad
        [limit] => 1000000
        [count] => 0
        [snmp_community] => ******
        [snmp_version] => 2c
        [snmp_port] => 161
        [show_output] => 1
        )
        DEBUG ---------------
        LOG - NMAP insert for 192.168.6.7
        LOG - System insert start for 192.168.6.7 ()

      6. Mark Unwin

        Nmap has detected SNMP is responding from that device. That is why it is being inserted into Open-AudIT. From there, Open-AudIT does not have the correct credentials to query the device, so it is inserted with very little information. But _something_ is responding to an SNMP probe on that IP address.

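      Added example, not from this thread and not Open-AudIT's own code: a small POSIX shell helper that reads the text output of the nmap command suggested above and separates "Nmap reached --host-timeout and printed Host is up anyway" from "at least one port actually answered". The first sample is the Nmap 6.40 output quoted in the debug above; the 192.168.6.8 and 192.168.6.9 samples, and the verdict names, are constructed for the example. When Nmap is run with -Pn it skips host discovery and reports every target as up, so "Host is up" on its own is not evidence of a device; an inventory pipeline can use a check like this to flag such entries for review instead of trusting that line.

```shell
#!/bin/sh
# Constructed sample 1: the Nmap lines from the debug output in this thread
# (a -Pn scan that hit --host-timeout 90 before any port answered).
SAMPLE_TIMEOUT='Starting Nmap 6.40 ( http://nmap.org ) at 2016-03-31 16:29 CDT
Initiating SYN Stealth Scan at 16:29
Scanning 192.168.6.7 [1000 ports]
192.168.6.7 timed out during SYN Stealth Scan (0 hosts left)
Completed SYN Stealth Scan at 16:30, 90.10s elapsed (1 host timed out)
Nmap scan report for 192.168.6.7
Host is up.
Skipping host 192.168.6.7 due to host timeout
Nmap done: 1 IP address (1 host up) scanned in 90.14 seconds'

# Constructed sample 2 (assumed host 192.168.6.8): one port really answered.
SAMPLE_OPEN='Nmap scan report for 192.168.6.8
Host is up (0.0010s latency).
Not shown: 999 closed ports
PORT    STATE SERVICE
22/tcp  open  ssh
Nmap done: 1 IP address (1 host up) scanned in 1.20 seconds'

# Constructed sample 3 (assumed host 192.168.6.9): -Pn says "up" but every
# port is filtered, i.e. nothing on that address ever replied.
SAMPLE_FILTERED='Nmap scan report for 192.168.6.9
Host is up.
All 1000 scanned ports on 192.168.6.9 are filtered
Nmap done: 1 IP address (1 host up) scanned in 60.00 seconds'

# classify_nmap_output: read Nmap text on stdin, print exactly one verdict word.
#   timeout    - scan hit --host-timeout; "Host is up" is Nmap's -Pn assumption, not evidence
#   confirmed  - at least one port reported "open", so something really answered
#   down       - Nmap itself reported the host as down
#   unverified - Nmap says up but no port answered (all closed/filtered);
#                treat as not a device until some other probe (e.g. SNMP) succeeds
classify_nmap_output() {
  out=$(cat)
  if printf '%s\n' "$out" | grep -q 'due to host timeout'; then
    echo timeout
  elif printf '%s\n' "$out" | grep -Eq '^[0-9]+/(tcp|udp) +open +'; then
    # "open|filtered" deliberately does not match: it is not a confirmed answer
    echo confirmed
  elif printf '%s\n' "$out" | grep -q 'Host seems down'; then
    echo down
  else
    echo unverified
  fi
}

# Stand-alone run over the three constructed samples.
# Against a live host you would pipe the real scan in instead, e.g.
#   nmap -vv -n -Pn --host-timeout 90 -T4 192.168.6.7 2>&1 | classify_nmap_output
for s in "$SAMPLE_TIMEOUT" "$SAMPLE_OPEN" "$SAMPLE_FILTERED"; do
  host=$(printf '%s\n' "$s" | sed -n 's/^Nmap scan report for //p')
  printf '%s: %s\n' "$host" "$(printf '%s\n' "$s" | classify_nmap_output)"
done
```

      Only the "confirmed" verdict means Nmap saw a real reply; "timeout" and "unverified" are the two cases in which a -Pn scan still prints "Host is up", which is exactly what the quoted debug output shows for 192.168.6.7.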
    2.

      Thanks for the response, I will upgrade to the newer version and check back with results.

      1.

        A device should only appear in Open-AudIT if it responds to a ping. If every IP is appearing, then for some reason Nmap on the Open-AudIT server is receiving a ping response from every IP address.

        We are releasing Open-AudIT 1.12.4 immediately which does change the way we use Nmap. Would suggest you upgrade ASAP and see if the issue still occurs.

        FYI - You can easily remove many devices at once by utilising the Bulk Edit functionality. I would enable the group for Unknown Devices (menu -> Admin -> Groups -> Activate Group), then select all devices (checkbox in top right of table header), then bulk edit the devices' status to deleted.

        How to Bulk Edit device attributes (link)
