
Getting "Could not convert audit result from XML."  for a bunch of systems. Some are working just fine.  


    4 answers

    1.  

      Posting a follow-up.

      Jonathon and I corresponded via email and determined the Linux audits were timing out. Using the "root" user imposes a timeout on the SSH session in Open-AudIT and it was set to 20 seconds. Jonathon had the option of using a user with sudo, or changing the configuration item for discovery_ssh_timeout. This was then resolved.

      FYI - The code takes a different path when using the actual root user, versus a user with sudo access. Root user uses the timeout, sudo access tests for a response and doesn't need to use the timeout.

      The default value for discovery_ssh_timeout is 300 seconds (5 minutes).

      1.  

        Here is what the validation tool produced 

        An error has been found!

        Click on  to jump to the error. In the document, you can point at  with your mouse to see the error message.
        Errors in the XML document:

        1:1 Content is not allowed in prolog.


        XML document:

        1

        data=<?xml version="1.0" encoding="UTF-8"?>


        Only some systems are getting this, and all of them are either RHEL 6 or 7.

        1. Mark Unwin

          In the audit script, the "data=" section should have been removed. I'll take a look as we have RHEL 7 machines here.

      2.  

        Unknown User (mark.unwin@gmail.com) Thanks for the response. These are all Linux systems, and I see the XML files are produced, and on the OpenAudit server it is storing a copy of the XML file:

        0-07-16 02:03:58  9476  192.148.93.202  fail  Could not convert audit result from XML.
        2020-07-16 02:03:58  9477  192.148.93.202  fail  Audit result left on filesystem at /usr/local/open-audit/other/scripts/Blah-20200716055839.xml, please check.

        So I am assuming that you're thinking that the server being audited is producing garbage XML, hmm, interesting. I will investigate that more.

        Thanks again 

        1. Mark Unwin

          I have just tested on CentOS 6 and Red Hat 7, both via discoveries and manually running it on the target machines. Both work as intended. I'm unsure why the data= would still be in the XML. Are your script options using submit_online=y, by chance?

        2. ADCADMIN adcadmin

          Sorry for the delay, the option is set to y. I will change it to n and remove the agent on a system having the issue and run it on just the one to see what happens.

        3. ADCADMIN adcadmin

          Unknown User (mark.unwin@gmail.com) Nope, the same issue. Any other suggestions?

        4. Mark Unwin

          Can you send a copy of the XML file as left on the Open-AudIT server to marku@opmantek.com please.

      3.  

        Then the most likely issue is that the XML is invalid.

        Have you tried an online XML Validator to make sure it's OK?

        To get the file, on a device having this issue copy open-audit\other\audit_windows.vbs (assuming it's a Windows machine) to the device and run:

        cscript audit_windows.vbs submit_online=n create_file=y

        And it will produce an XML file.

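As an added example (not part of the thread and not Open-AudIT's own code), a local Python check for an audit result left on the server: it separates bytes ahead of the XML declaration, such as the `data=` prefix the validator flagged, from a document that ends early. It assumes a timed-out audit leaves an incomplete file; the function name and sample documents are constructed for illustration.

```python
import xml.etree.ElementTree as ET
from xml.parsers.expat import errors

# expat error codes meaning "input ended before the document did"
_TRUNCATED = {errors.codes[errors.XML_ERROR_NO_ELEMENTS],
              errors.codes[errors.XML_ERROR_UNCLOSED_TOKEN]}

# Constructed sample, not a real Open-AudIT audit result.
GOOD = (b'<?xml version="1.0" encoding="UTF-8"?>\n'
        b'<system><sys><hostname>host1</hostname></sys></system>')

def _parse_error(raw):
    """Return None if raw is well-formed XML, else the ParseError raised."""
    try:
        ET.fromstring(raw)
        return None
    except ET.ParseError as exc:
        return exc

def diagnose_audit_xml(raw):
    """Classify raw bytes; returns (verdict, prefix_bytes, parser_message)."""
    prefix = b""
    err = _parse_error(raw)
    start = raw.find(b"<?xml")
    if err is not None and start > 0:
        # Something precedes the declaration: re-test the document without it,
        # so a stray prefix is not confused with a broken body.
        prefix, err = raw[:start], _parse_error(raw[start:])
    if err is None:
        verdict = "leading-junk" if prefix else "ok"
    elif err.code in _TRUNCATED:
        verdict = "truncated"      # e.g. the session ended mid-audit
    else:
        verdict = "malformed"
    return verdict, prefix, "" if err is None else str(err)

if __name__ == "__main__":
    samples = {"clean": GOOD,
               "data= prefix": b"data=" + GOOD,
               "cut short": GOOD[:-20],
               "prefix and cut short": b"data=" + GOOD[:-20]}
    for name, raw in samples.items():
        print(name, "->", diagnose_audit_xml(raw))
```

To check a real file, pass the bytes read from the path named in the "Audit result left on filesystem" log entry.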