Whenever i try to discover i always get the last row like this :
timeout 5m /usr/local/open-audit/other/winexe-static-2 -U "domain/user%pass" --uninstall //192.168.1.138 "cscript C:\WINDOWS\audit_windows.vbs submit_online=n create_file=w debugging=0 self_delete=y last_seen_by=audit_wmi system_id=1 discovery_id=2"
My question is:
Why i get submit online no every time? If i run the VBS manually it posts the hardware and software info.
If i rewrite the discover file it still gets N and i dont know where.
There is recent functionality in OpenAudit where it copies the audit script to a remote machine, performs the audit on the remote machine, waits for the audit to create an XML file and then retrieves the data from the audit file. When performing an audit this way it uses submit_online=n and create_file=w options.
If the audits are not getting data then there could be a problem. But the audit options are valid.
I understand that theres a function wich does that. My problem still exsist wich is , it does not post the software and hardware info on my audit server. Where should i start searching to change the above mentioned submit_online into Y ? I reinstalled everything so i can start over.
My thinking is that maybe i can do it the other way.
I don't use Linux for OpenAudit so it's hard for me to troubleshoot. What output do you get if you run the command above without changing any options?
My problem is that i see a command wich says submit online =y also its the default audit_windows.vbs
It wants to run this command:
nohup /usr/local/open-audit/other/discover_subnet.sh subnet_range=192.168.1.138 url=openauditIP/open-audit/index.php/input/discoveries submit_online=y echo_output=n create_file=n debugging=0 discovery_id=2 > /dev/null 2>&1 &
and the end result says submit online=n
it gets it from somewhere , but theres is no sign from where. So basically it detects that theres a device, but no hardware and software info wich i need. If i Run the copied vbs manually it does everything as it should and gets the hard/software info aswell. If i need to do that on every computer it would take hours...
I don't know how can i make it more clrear , so please if you need any info feel free to.
I spun up an Ubuntu 18.10 vm. Installed OpenAudit 2.3.1. Added a domain account in OpenAudit credentials. Then created a discovery that audited one machine by IP. I executed the discovery and waited a few minutes then hit Refresh. It all looks good for me. In the logs I can see the audit file is copied to the machine by smbclient. Then winexe-static-w executes the auidt with submit_online=n and create_file=x. This is successfull so the XML file with the audit data is retrieved with smbclient. Then the logs show OpenAudit processing the XML. After the discovery I have one machine in OpenAudit with all the info including hardware and software.
To be honest, i am using the default settings. I added a user with admin rights as windows user to the credentials. (user@domain) Where can i change the winexe-statics command line? Mine says create-file=W(!!) I am confused how it is even possible. It creates the vbs on the target pc, and does absolutly nothing after. I can run the vbs manually and it finishes what OpenAudit cannot start or read. :(
Wow, I had a lot of typos in my previous post. Sorry. Mine does work with submit_online=n and create_file=w. You don't want to change the command line because you'd then have to maintain that going forward.
You should review the discovery log for your machine in detail to see what is failing. It sounds like the script is successfully copied to the target and the audit initiated which creates the audit xml file. There must be a failure in retrieving the file or inserting that data into OpenAudit. Does the log give any hints?
It looks like a future version will have better logging to help with this. OpenAudit is probably failing silently right now.
Looks like it has a problem with the AD. It can log in with the ADuser put the vbs file, but fails to read something from the AD and says the the AD Directory Service is not working. I guess it tries to get where the user is in the AD and fails that.
The Settings you were talkin about is submitonline= Y and the create file is N in my default audit scripts. The command line at the top looks like that:
nohup /usr/local/open-audit/other/discover_subnet.sh subnet_range=192.168.1.138 url=0.0.0.0/open-audit/index.php/input/discoveries submit_online=y echo_output=n create_file=n debugging=0 discovery_id=2 > /dev/null 2>&1 &
Still the command looks like that at the end :
Looks like someone has adjusted your default settings. Select Discover->Audit Scripts->List Audit Scripts from the Open-AudIT Menu, then select Display for the audit Windows Script. Your default settings are set on that page.
Please note, you also need to adjust create_file to either y or n, it is w in your code.
Powered by a free Atlassian Confluence Open Source Project License granted to Opmantek. Evaluate Confluence today.