6 answers
- 10-1
Hi Mark,
I have run discovery after having updated the two files, now I have only two devices that duplicates on every run:
- the Open Audit server on his own "default_network_address", it doesn't store the mac address of this interface. This is not a big problem, I can exclude this ip from discovery
- an access point Apple Airport Extreme which seems to have multiple network interfaces.
Here you can see the exported csv from the duplicated Airport Extreme device:
"id","system_id","username","type","ip","debug","wmi_fails","timestamp","version" "50674","1034","","snmp","127.0.0.1","","","2018-02-06 10:40:29","2.2" "id","system_id","db_table","db_row","db_action","details","user_id","ack_time","external_link","external_ident","note","change_id","change_type","timestamp" "61110","1034","system","1034","create","Item added to system","","2000-01-01 00:00:00","","","","","","2018-02-06 10:40:29" "61111","1034","ip","2600","create","Item added to ip - ip is 169.254.191.065, netmask is 255.255.0.0","","2000-01-01 00:00:00","","","","","","2018-02-06 10:40:29" "61112","1034","ip","2601","create","Item added to ip - ip is 192.168.003.242, netmask is 255.255.255.0","","2000-01-01 00:00:00","","","","","","2018-02-06 10:40:29" "61113","1034","ip","2599","delete","Item removed from ip - ip is 192.168.003.242, mac is 00:1f:f3:40:9e:fe, netmask is 255.255.255.0","","2000-01-01 00:00:00","","","","","","2018-02-06 10:40:29" "id","user_id","system_id","details","source","weight","db_table","db_column","timestamp","value","previous_value" "21166","0","1034","Data was changed","snmp","3000","system","name","2018-02-06 10:40:29","airport-extreme-edisu","" "21167","0","1034","Data was changed","snmp","3000","system","type","2018-02-06 10:40:29","computer","" "21168","0","1034","Data was changed","snmp","3000","system","sysDescr","2018-02-06 10:40:29","Apple AirPort - Apple Inc., 2006-2012. All rights Reserved.","" "21169","0","1034","Data was changed","snmp","3000","system","ip","2018-02-06 10:40:29","192.168.003.242","" "21170","0","1034","Data was changed","snmp","3000","system","hostname","2018-02-06 10:40:29","airport-extreme-edisu","" "21171","0","1034","Data was changed","snmp","3000","system","description","2018-02-06 10:40:29","Apple AirPort - Apple Inc., 2006-2012. All rights Reserved.","" "21172","0","1034","Data was changed","snmp","3000","system","sysContact","2018-02-06 10:40:29","default_user@contact.domain","" "21173","0","1034","Data was changed","snmp","3000","system","sysName","2018-02-06 10:40:29","airport-extreme-edisu","" "21174","0","1034","Data was changed","snmp","3000","system","sysLocation","2018-02-06 10:40:29","defaultlocation","" "21175","0","1034","Data was changed","snmp","3000","system","sysUpTime","2018-02-06 10:40:29","53043608","" "21176","0","1034","Data was changed","snmp","3000","system","uptime","2018-02-06 10:40:29","530436","" "21177","0","1034","Data was changed","snmp","3000","system","sysObjectID","2018-02-06 10:40:29","1.3.6.1.4.1.8072.3.2.255","" "21178","0","1034","Data was changed","snmp","3000","system","snmp_oid","2018-02-06 10:40:29","1.3.6.1.4.1.8072.3.2.255","" "21179","0","1034","Data was changed","snmp","3000","system","manufacturer","2018-02-06 10:40:29","Apple, Inc.","" "21180","0","1034","Data was changed","snmp","3000","system","org_id","2018-02-06 10:40:29","1","" "21181","0","1034","Data was changed","snmp","3000","system","location_id","2018-02-06 10:40:29","1","" "21182","0","1034","Data was changed","snmp","3000","system","status","2018-02-06 10:40:29","production","" "id","system_id","current","first_seen","last_seen","mac","net_index","ip","netmask","cidr","version","network","set_by" "2600","1034","y","2018-02-06 10:40:29","2018-02-06 10:40:29","","6","169.254.191.065","255.255.0.0","16","4","169.254.0.0/16","" "2601","1034","y","2018-02-06 10:40:29","2018-02-06 10:40:29","","6","192.168.003.242","255.255.255.0","24","4","192.168.3.0/24","" "id","system_id","current","first_seen","last_seen","mac","manufacturer","model","description","alias","ip_enabled","net_index","dhcp_enabled","dhcp_server","dhcp_lease_obtained","dhcp_lease_expires","dns_host_name","dns_server","dns_domain","dns_domain_reg_enabled","type","connection","connection_status","speed","slaves","ifadminstatus","iflastchange" "431","1034","y","2018-02-06 10:40:29","2018-02-06 10:40:29","00:1f:f3:40:9e:fe","","gec0","gec0","","up","1","","","","","","","","","ethernet","","","1000000000","","up","0" "432","1034","y","2018-02-06 10:40:29","2018-02-06 10:40:29","","","ath0","ath0","","up","2","","","","","","","","","ieee 80211","","","300000000","","up","0" "433","1034","y","2018-02-06 10:40:29","2018-02-06 10:40:29","00:1e:52:7c:18:93","","wlan0","wlan0","","up","4","","","","","","","","","ethernet","","","300000000","","up","3620"
"id","system_id","username","type","ip","debug","wmi_fails","timestamp","version" "50825","1051","","snmp","127.0.0.1","","","2018-02-06 11:55:03","2.2" "id","system_id","db_table","db_row","db_action","details","user_id","ack_time","external_link","external_ident","note","change_id","change_type","timestamp" "61453","1051","system","1051","create","Item added to system","","2000-01-01 00:00:00","","","","","","2018-02-06 11:55:03" "61454","1051","ip","2621","create","Item added to ip - ip is 169.254.191.065, netmask is 255.255.0.0","","2000-01-01 00:00:00","","","","","","2018-02-06 11:55:03" "61455","1051","ip","2622","create","Item added to ip - ip is 192.168.003.242, netmask is 255.255.255.0","","2000-01-01 00:00:00","","","","","","2018-02-06 11:55:03" "61456","1051","ip","2620","delete","Item removed from ip - ip is 192.168.003.242, mac is 00:1f:f3:40:9e:fe, netmask is 255.255.255.0","","2000-01-01 00:00:00","","","","","","2018-02-06 11:55:03" "id","discovery_id","system_id","timestamp","severity","severity_text","pid","ip","file","function","message","command","command_status","command_time_to_execute","command_output" "id","user_id","system_id","details","source","weight","db_table","db_column","timestamp","value","previous_value" "21355","0","1051","Data was changed","snmp","3000","system","name","2018-02-06 11:55:03","airport-extreme-edisu","" "21356","0","1051","Data was changed","snmp","3000","system","type","2018-02-06 11:55:03","computer","" "21357","0","1051","Data was changed","snmp","3000","system","sysDescr","2018-02-06 11:55:03","Apple AirPort - Apple Inc., 2006-2012. All rights Reserved.","" "21358","0","1051","Data was changed","snmp","3000","system","ip","2018-02-06 11:55:03","192.168.003.242","" "21359","0","1051","Data was changed","snmp","3000","system","hostname","2018-02-06 11:55:03","airport-extreme-edisu","" "21360","0","1051","Data was changed","snmp","3000","system","description","2018-02-06 11:55:03","Apple AirPort - Apple Inc., 2006-2012. All rights Reserved.","" "21361","0","1051","Data was changed","snmp","3000","system","sysContact","2018-02-06 11:55:03","default_user@contact.domain","" "21362","0","1051","Data was changed","snmp","3000","system","sysName","2018-02-06 11:55:03","airport-extreme-edisu","" "21363","0","1051","Data was changed","snmp","3000","system","sysLocation","2018-02-06 11:55:03","defaultlocation","" "21364","0","1051","Data was changed","snmp","3000","system","sysUpTime","2018-02-06 11:55:03","53490953","" "21365","0","1051","Data was changed","snmp","3000","system","uptime","2018-02-06 11:55:03","534909","" "21366","0","1051","Data was changed","snmp","3000","system","sysObjectID","2018-02-06 11:55:03","1.3.6.1.4.1.8072.3.2.255","" "21367","0","1051","Data was changed","snmp","3000","system","snmp_oid","2018-02-06 11:55:03","1.3.6.1.4.1.8072.3.2.255","" "21368","0","1051","Data was changed","snmp","3000","system","manufacturer","2018-02-06 11:55:03","Apple, Inc.","" "21369","0","1051","Data was changed","snmp","3000","system","org_id","2018-02-06 11:55:03","1","" "21370","0","1051","Data was changed","snmp","3000","system","location_id","2018-02-06 11:55:03","1","" "21371","0","1051","Data was changed","snmp","3000","system","status","2018-02-06 11:55:03","production","" "id","system_id","current","first_seen","last_seen","mac","net_index","ip","netmask","cidr","version","network","set_by" "2621","1051","y","2018-02-06 11:55:03","2018-02-06 11:55:03","","6","169.254.191.065","255.255.0.0","16","4","169.254.0.0/16","" "2622","1051","y","2018-02-06 11:55:03","2018-02-06 11:55:03","","6","192.168.003.242","255.255.255.0","24","4","192.168.3.0/24","" "id","system_id","current","first_seen","last_seen","mac","manufacturer","model","description","alias","ip_enabled","net_index","dhcp_enabled","dhcp_server","dhcp_lease_obtained","dhcp_lease_expires","dns_host_name","dns_server","dns_domain","dns_domain_reg_enabled","type","connection","connection_status","speed","slaves","ifadminstatus","iflastchange" "437","1051","y","2018-02-06 11:55:03","2018-02-06 11:55:03","00:1f:f3:40:9e:fe","","gec0","gec0","","up","1","","","","","","","","","ethernet","","","1000000000","","up","0" "438","1051","y","2018-02-06 11:55:03","2018-02-06 11:55:03","","","ath0","ath0","","up","2","","","","","","","","","ieee 80211","","","300000000","","up","0" "439","1051","y","2018-02-06 11:55:03","2018-02-06 11:55:03","00:1e:52:7c:18:93","","wlan0","wlan0","","up","4","","","","","","","","","ethernet","","","300000000","","up","3620"
- Mark Unwin
Hi Davide, The issue with the AirPort is that Open-AudIT is receiving two different IPs, each with its own MAC and has no way to associated that the two are from the same device. Are there ANY ports open on the device we can use to query it (I'm guessing not). If not, then I think you're stuck with "two" devices. You could extract the relevant rows from the IP table, massage them, delete the second AirPort device and insert new IP rows. The next time a discovery runs it would see the MAC and associate it with the first device. But we're getting beyond community forum support here and into paid support territory. I'm happy to make an internal ticket to (try to, unsure) facilitate this in the GUI, but I cannot allocate any time to it unless asked for by a customer. Sorry I'm not of more use, but you can see the issue - two different IPs with different MAC and no way to associate them to a single device...
- Mark Unwin
Davide, I just reread the discovery log and see that SNMP is working. In that case if we are able to retrieve a serial, that would be enough and should cause the match and hence only a single device. I'll see if I can find the correct SNMP OID to query for this. Stay tuned and apologies for the bum steer above.
- Mark Unwin
I have found the issue. SNMP on an AirPort doesn't provide a serial number. It's likely your IPs are attached to the "bridge" (a virtual) adapter. Those adapter in SNMP (for an AirPort) don't have a MAC address. If Nmap doesn't retrieve the MAC, we have noting to match the device to. I have made modifications to the code (which you already have) so that if Nmap does retrieve the MAC, it should be stored. It should not remove the MAC if it's stored. I'm guessing at least one of the AirPorts IPs is on a different subnet? This would explain no MAC and hence no match :-( See my answer above about being able to "combine" devices (see, I wasn't far off after all!).
- Mark Unwin
I'll see if I can have the code ALSO check the network card table (as well as the IP table) for matching mac addresses. I "think" in this particular case it might resolve the issue.
Add your comment... - 10-1
I've upgraded to Open-Audit Enterprise 2.1 and the new IP Addresses section has appeared but MAC address on existing hosts was not populated despite the discovery job had run several time since upgrade.
I need that mac address of existing devices will be stored in Open-Audit.
- Mark Unwin
If the device is on a remote subnet and you have no credentials (as indicated by "nmap" scans, you cannot retrieve the MAC address. That is a fundamental networking issue and nothing to do with Open-AudIT. You could put a Collector on the remote subnet and (because it's on the same subnet as the devices) it would be able to retrieve the MAC address. Or you could use appropriate credentials. https://community.opmantek.com/pages/viewpage.action?pageId=24676399
- Davide Yachaya
Devices are all on the same subnet and in the same LAN. Open Audit has stored the device manufacturer correctly in the device data, so the mac address is known. The problem is that Open Audit 2.1 doesn't add mac address to device already discovered before the upgrade. To solve this I have deleted all devices and run discovery task again, now mac address are stored correctly.
- Mark Unwin
Hi Davide, I have (finally) found this bug. There are actually 2x bugs here. First, we were not using the MAC address as reported by the discover_subnet script. Second, we were only populating the IP table on a NEW device. If a device was subsequently discovered in a following run (this time with a MAC), it was not updated. There are valud reasons for this - but I know that doesn't help you. I have rewritten the code to now allow for this scenario. I shall post the updated files ASAP. These are obviously included for our next release. Stay tight - a fix is on its way. Apologies for the inconvenience cause, and thanks for persisting. Mark.
- Mark Unwin
Davide, I have created a wiki page for this with a detailed explanation and the required files for the fix. You can find it below. Once you have updated with the fix and rerun a discovery on an affected IP, please advise if this is then working as intended. https://community.opmantek.com/display/OA/Errata+-+2.1+Updating+MAC+Addresses+from+Nmap
Add your comment... - 10-1
Thanks for persisting. I have found and fixed a bug in the discovery processing routine. FYI, we were using $device->mac instead of $device->mac_address. Silly mistake on my part. My apologies.
This is now working and I have also added display code so when a device doesn't have network card records but does have IP records, we display a new section called IP Addresses.
This code will be available in the next release of Open-AudIT (2.1).
Click the image below to enlarge.
Add your comment... - 10-1
So the answer is - it depends...
If you don't have the Hardware menu item, this indicates that only Nmap was used in Discovery and that you do not have valid credentials for these devices (SSH, SNMP, WMI, etc).
In this case, there may or may not be an entry in the network cards table.
The best option is to work through these devices and get working credentials for them. That way you will not only get the MAC Addresses but a whole lot more information as well.
- Davide Yachaya
Many of those devices are smartphones connected over wifi and they don't have credentials to use. Why OpenAudit doesn't store mac addresses obtained from nmap scan in any table?
Add your comment... - 10-1
I don't have "Hardware" voice in the left menu on those devices but I can see the manufacturer so mac addresses were discovered when devices were seen the first time. OpenAudit server is on the same network.
I can't see those devices in "network" table.
It seems that when a device goes offline network table and discovery log are cleaned by the next discovery task.
This is an example:
Add your comment... - 10-1
Any found MAC addresses are stored in the "network" table and associated to the device.
On the device details page, in the left side menu, click Hardware -> Network.
- Davide Yachaya
I don't have "Hardware" voice in the left menu on those devices but I can see the manufacturer so mac addresses were discovered when devices were seen the first time. OpenAudit server is on the same network. I can't see those devices in "network" table. It seems that when a device goes offline network table and discovery log are cleaned by the next discovery task.
Add your comment...
Hi all,
I have a discovery that runs every hour and I don't know how to retreive mac address of offline devices in my DB. With some devices I can look in the discovery log where I can find a line like "MAC XX:XX:XX:XX:XX:XX matched to manufacturer XXXXXX", but with other devices that were offline when the last discovery runs I don't have the discovery log. I can see the manufacturer, so the mac address was known but I can't retreive it.
How to find the mac address of those devices?