How do we process and store data?

NOTE - Updated for 1.12.8 with new fields and logic.

Each system (computer, network device, printer, etc.) has an entry in the "system" table.
 Each system (from the "system" table) has a "system_id" column.
 This value is unique - it's an auto-incrementing id.
 A system is determined to be unique as described under "How do we determine device uniqueness?" below.

A system is audited and the result submitted to the server.
 The first table processed is the "system" table.
 The "system_id" is determined and passed (along with the other details) to each other section (table).
 Every table has two timestamp columns, "first_seen" and "last_seen".
 The "first_seen" value is populated whenever an insert occurs - hence this value reflects the first time an item was reported in the audit script.
 The "last_seen" value is inserted when an item is first seen, or updated when an item is seen in subsequent audit script(s).
 There is an "oa_audit_log" table that contains details of each time an audit is submitted (including timestamp). Each sub-table also contains a 'current' column which is an enum with possible values of 'y' and 'n'.

So, for an example - "hard_drive".

  • The system.id is retrieved, along with the timestamp of the previous audit submission and the "status" column.
  • For each entry in the hard_drive audit result, the database is queried.
  • It checks for hard drive model, serial, index and size.
  • These values vary according to the item being processed - see the PHP page at /code_igniter/application/models/m_devices_components.php
  • If it gets a match on the above values, combined with component.status = 'y' and the system.id and a system.status of "production", then an existing entry exists for this piece of equipment.
  • In the case of hard drives, it simply updates the current flag to 'y' to reflect the component is still current.
  • If it does not get a match, it does an insert of the relevant details.

So, we can determine if something is currently installed - the current column is 'y'.

We can determine when something was detected - the "first_seen".

We can determine if something was installed after the initial audit - first_seen will be different.

We can determine if something is not currently installed, but previously was - current = 'n'.

We can determine the last time we detected an item - the timestamp on the item, when the timestamp is less than the current system last_seen.

At any given point, we can determine what was on a system - by using the oa_audit_log table and selecting the relevant components based on first_seen and last_seen.

So, that's how we determine what's on or has been on a system.
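The matching and timestamp logic above, as an added example (not Open-AudIT's own code). It assumes a simplified SQLite schema with only the columns discussed here, names the drive index column "idx", and assumes that rows not refreshed by an audit are flagged current = 'n'; the drives and timestamps are constructed.

```python
import sqlite3

def open_db():
    db = sqlite3.connect(":memory:")
    db.executescript("""
        CREATE TABLE system (id INTEGER PRIMARY KEY, status TEXT);
        CREATE TABLE hard_drive (system_id INTEGER, model TEXT, serial TEXT,
            idx INTEGER, size INTEGER, first_seen TEXT, last_seen TEXT, current TEXT);
        INSERT INTO system VALUES (1, 'production');
    """)
    return db

def submit_audit(db, system_id, ts, drives):
    """Apply one audit result; drives is a list of (model, serial, idx, size)."""
    for d in drives:
        # Match on model, serial, index and size for a current row of a production system.
        hit = db.execute(
            "UPDATE hard_drive SET last_seen = ?, current = 'y' WHERE system_id = ? "
            "AND model = ? AND serial = ? AND idx = ? AND size = ? AND current = 'y' "
            "AND (SELECT status FROM system WHERE id = ?) = 'production'",
            (ts, system_id, *d, system_id)).rowcount
        if hit == 0:  # no match: insert, so first_seen records the first report
            db.execute("INSERT INTO hard_drive VALUES (?, ?, ?, ?, ?, ?, ?, 'y')",
                       (system_id, *d, ts, ts))
    # Assumption: rows this audit did not refresh are flagged as not current.
    db.execute("UPDATE hard_drive SET current = 'n' WHERE system_id = ? "
               "AND current = 'y' AND last_seen < ?", (system_id, ts))

def serials(db, where, args):
    sql = "SELECT serial FROM hard_drive WHERE system_id = ? AND " + where
    return [r[0] for r in db.execute(sql + " ORDER BY serial", args)]

def current(db, sid):
    return serials(db, "current = 'y'", (sid,))

def removed(db, sid):
    return serials(db, "current = 'n'", (sid,))

def added_after_first_audit(db, sid):
    return serials(db, "first_seen > (SELECT MIN(first_seen) FROM hard_drive "
                       "WHERE system_id = ?)", (sid, sid))

def installed_at(db, sid, audit_ts):  # audit_ts: a submission time, as in the audit log
    return serials(db, "first_seen <= ? AND last_seen >= ?", (sid, audit_ts, audit_ts))

def demo():  # constructed data: drive B disappears and drive C appears in audit 2
    db = open_db()
    a, b, c = ("ModelX", "SER-A", 0, 500), ("ModelX", "SER-B", 1, 500), ("ModelY", "SER-C", 1, 1000)
    submit_audit(db, 1, "2014-01-01 00:00:00", [a, b])
    submit_audit(db, 1, "2014-02-01 00:00:00", [a, c])
    return db
```

A drive that appears in added_after_first_audit or removed without a matching change record is the kind of hardware change this data model lets you spot from the inventory alone.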

How do we determine device uniqueness?

When we receive data about a device we check the following columns for matches. If we get a match and the existing entry has a status of 'production', we update this device.

The code for this currently resides in code_igniter/application/models/m_system.php.

Devices are considered the same if they have the following attributes in common: UUID & hostname, dbus_identifier*, FQDN, serial & device type, MAC address and config item**, IP address and config item**, hostname and config item**.

* In 1.12.8 we use the dbus_uuid in Linux to determine uniqueness. This is being reverted in 1.12.8.1 because ESX does not recreate this identifier upon cloning a machine, hence possibly causing false positive matching.

** In the configuration of Open-AudIT you can select discovery_hostname_match (and mac, ip) to enable this matching.

What do we use for a name?

The first available option from the following list is chosen; on subsequent audits the name is changed to the first option where possible: hostname, dns_hostname, sysName.