"..Invalid XML audit result"

 
1
0
-1

Hi all 

After upgrading to the latest version we receive the following error on some (few) systems "Apr 04 15:22:15 opmantek 44212 5 U:- C:system F:add_system I:xxx.xxx.xxx.xxx M:Invalid XML audit result for user".

Looks like the known bug (invalid XML error in open audit version 1.10 of Open-AudIT..) but this should have  been fixed since version 1.10_2.

Many thanks! 

    CommentAdd your comment...

    2 answers

    1.  
      1
      0
      -1

      Have found and fixed this for our next release - 1.12.6.

      In audit_windows.vbs
      find

      item = item & " <value><![CDATA[" & escape_xml(objItem.VariableValue) & "]]></value>" & vbcrlf

      replace

      item = item & " <value>" & escape_xml(objItem.VariableValue) & "</value>" & vbcrlf



        CommentAdd your comment...
      1.  
        1
        0
        -1

        On the console (dos prompt or bash shell) of an affected machine, can you run the below and post the XML from the "user" section. There should be a file generated called TARGET-YYMMDDHHMMSS.xml.

        Windows

        cscript c:\windows\audit_windows.vbs submit_online=n create_file=y

        Linux

        /tmp/audit_linux.sh submit_online=n create_file=y
        1. Drossery Michopoulou

          Hi Mark 

          Thanks for taking the time to look into this.

          Please find here the created file : 

          user-section-20160406083835.txt

        2. Mark Unwin

          Hi, I cannot reproduce the error with the data supplied. I'm just guessing here... 1 - What OS is Open-AudIT running on? 2 - If it's linux, do you have the PHP extension phpmb installed? 3 - When you inspect the XML, do you see anyt " or other unusual characters? 4 - You could try using an XML validator to point you to the exact issue.

        3. Drossery Michopoulou

          Hi Mark Thanks again for your suggestions. Indeed there was an error while validating the xml (I was able to upload the report after removing the specific line) Question is how to bypass this error without manual intervension (via normal scheduled job like the rest of the workstations) PS : The line with the error follows if it helps: "<value><![CDATA[<![CDATA[C:\ProgramData\Oracle\Java\javapath;%SYSTEMROOT%\SYSTEM32;%SYSTEMROOT%;%SYSTEMROOT%\SYSTEM32\WBEM;%SYSTEMROOT%\SYSTEM32\WINDOWSPOWERSHELL\V1.0\;C:\Program Files\TortoiseSVN\bin;C:\Program Files (x86)\Bitvise SSH Client;C:\Program Files\TortoiseGit\bin;C:\Users\xxxxxxxxxxxx\AppData\Local\Apps\cURL\bin;C:\Program Files (x86)\Skype\Phone\;C:\Program Files\nodejs\;C:\Program Files (x86)\MySQL\MySQL Fabric 1.5 & MySQL Utilities 1.5\;C:\Program Files (x86)\MySQL\MySQL Fabric 1.5 & MySQL Utilities 1.5\Doctrine extensions for PHP\]]>]]></value>

        CommentAdd your comment...