1
0
-1

Hello,


Is re-running a subnet discovery supposed to update the details for devices found in that subnet?  For example software, uptime, OS version, last seen on attribute, etc?  I'm not seeing these update on subsequent runs of the discovery.


Thank you




    CommentAdd your comment...

    1 answer

    1.  
      1
      0
      -1

      Yes, it most definitely should. What are you not seeing that you're expecting to see? Have you checked the discovery log to make sure you're getting a full audit (credentials are working, the audit script is working)?

      1. Jason

        Yes, for an example system (IP 10.85.8.32 ), I see it was scanned again, however not clear that it ran a new audit against it.  Below is the log.  I've hidden sensitive items with "HIDDEN"

        For the system itself, the "Last seen on" date is 2020-07-03 17:42:31 and the software inventory is not up to date.


        Would one of these configuration options prevent re-inventorying a system? Some other configuration setting?

        match_dbus n system 2000-01-01 00:00:00 Should we match a device based on its dbus id.
        match_fqdn y system 2000-01-01 00:00:00 Should we match a device based on its fqdn.
        match_dns_fqdn n system 2000-01-01 00:00:00 Should we match a device based on its DNS fqdn.
        match_dns_hostname n system 2000-01-01 00:00:00 Should we match a device based on its DNS hostname.
        match_hostname y system 2000-01-01 00:00:00 Should we match a device based only on its hostname.
        match_hostname_dbus y system 2000-01-01 00:00:00 Should we match a device based on its hostname and dbus id.
        match_hostname_serial y system 2000-01-01 00:00:00 Should we match a device based on its hostname and serial.
        match_hostname_uuid y system 2000-01-01 00:00:00 Should we match a device based on its hostname and UUID.
        match_ip y Administrator 2020-09-17 12:47:10 Should we match a device based on its ip.
        match_mac y Administrator 2020-01-11 21:39:55 Should we match a device based on its mac address.
        match_mac_vmware n system 2000-01-01 00:00:00 Should we match a device based mac address even if its a
        known likely duplicate from VMware.
        match_serial y system 2000-01-01 00:00:00 Should we match a device based on its serial number.
        match_serial_type y system 2000-01-01 00:00:00 Should we match a device based on its serial and type.
        match_sysname y system 2000-01-01 00:00:00 Should we match a device based only on its SNMP sysName.
        match_sysname_serial y system 2000-01-01 00:00:00 Should we match a device based only on its SNMP sysName and serial.
        match_uuid y system 2000-01-01 00:00:00 Should we match a device based on its UUID.
        match_dbus n system 2000-01-01 00:00:00 Should we match a device based on its dbus id.
        match_fqdn y system 2000-01-01 00:00:00 Should we match a device based on its fqdn.
        match_dns_fqdn n system 2000-01-01 00:00:00 Should we match a device based on its DNS fqdn.
        match_dns_hostname n system 2000-01-01 00:00:00 Should we match a device based on its DNS hostname.
        match_hostname y system 2000-01-01 00:00:00 Should we match a device based only on its hostname.
        match_hostname_dbus y system 2000-01-01 00:00:00 Should we match a device based on its hostname and dbus id.
        match_hostname_serial y system 2000-01-01 00:00:00 Should we match a device based on its hostname and serial.
        match_hostname_uuid y system 2000-01-01 00:00:00 Should we match a device based on its hostname and UUID.
        match_ip y Administrator 2020-09-17 12:47:10 Should we match a device based on its ip.
        match_mac y Administrator 2020-01-11 21:39:55 Should we match a device based on its mac address.
        match_mac_vmware n system 2000-01-01 00:00:00 Should we match a device based mac address even if its a
        known likely duplicate from VMware.
        match_serial y system 2000-01-01 00:00:00 Should we match a device based on its serial number.
        match_serial_type y system 2000-01-01 00:00:00 Should we match a device based on its serial and type.
        match_sysname y system 2000-01-01 00:00:00 Should we match a device based only on its SNMP sysName.
        match_sysname_serial y system 2000-01-01 00:00:00 Should we match a device based only on its SNMP sysName and serial.
        match_uuid y system 2000-01-01 00:00:00 Should we match a device based on its UUID.
        53650145 2020-09-17 16:53:28 discover_subnet.sh logs Scanning Host: 10.85.8.32 notice
        53650146 2020-09-17 16:53:29 discover_subnet.sh logs Nmap Command (Custom TCP Ports) 1.000000 notice
        
        /usr/bin/nmap -n -T4 -sS -p 22,135,62078 10.85.8.32 # Custom TCP Ports
        
        53650147 2020-09-17 16:53:30 discover_subnet.sh logs Host 10.85.8.32 is up, received wmi (TCP port 135 open) response notice
        
        135/tcp open msrpc
        
        
        /usr/bin/nmap -n -T4 -sS -p 22,135,62078 10.85.8.32 # Custom TCP Ports
        
        53650148 2020-09-17 16:53:30 discover_subnet.sh logs Host 10.85.8.32 is up, received Nmap ping response notice
        
        Nmap done: 1 IP address (1 host up) scanned in 0.50 seconds
        
        
        /usr/bin/nmap -n -T4 -sS -p 22,135,62078 10.85.8.32 # Custom TCP Ports
        
        53650149 2020-09-17 16:53:31 discover_subnet.sh logs Nmap Command (Custom UDP Ports) 1.000000 notice
        
        /usr/bin/nmap -n -T4 -sU -p 161 10.85.8.32 # Custom UDP Ports
        
        53650150 2020-09-17 16:53:32 discover_subnet.sh logs Host 10.85.8.32 is up, received Nmap ping response notice
        
        Nmap done: 1 IP address (1 host up) scanned in 0.52 seconds
        
        
        /usr/bin/nmap -n -T4 -sU -p 161 10.85.8.32 # Custom UDP Ports
        
        53650151 2020-09-17 16:53:33 discover_subnet.sh logs IP 10.85.8.32 responding, received open TCP port (135/tcp, msrpc), adding to device list. SSH Status: false, WMI Status: true, SNMP Status: false. 4.000000 (23 of 33)
        
        https://127.0.0.1/open-audit/index.php/input/discoveries
        
        53650152 2020-09-17 16:53:33 m_device match WMI Status is true on 10.85.8.6 notice
        53650153 2020-09-17 16:53:33 m_device match SSH Status is false on 10.85.8.6 notice
        53650154 2020-09-17 16:53:33 m_device match SNMP Status is false on 10.85.8.6 notice
        53650155 2020-09-17 16:53:33 discovery_helper discoveries Testing Windows credentials for 10.85.8.6 notice
        53650156 2020-09-17 16:53:33 wmi_helper windows_credentials Windows credentials starting notice
        53650157 2020-09-17 16:53:33 wmi_helper wmi_command Attempting to execute command using winexe-static-2 0.899158 success
        
        ["UUID","22903842-8194-DFE4-B389-AC959CDF0A57",""]
        
        
        timeout 1m /usr/local/open-audit/other/winexe-static-2 -U 'HIDDEN****** --uninstall //10.85.8.6 "wmic csproduct get uuid" 2>&1
        
        53650158 2020-09-17 16:53:34 input discoveries The discovery_id was used to successfully retrieve information for the discovery entry named VLAN 38 success
        53650159 2020-09-17 16:53:34 input discoveries Received data for 10.85.8.32, now starting to process success
        53650160 2020-09-17 16:53:34 input discoveries Set DNS FQDN for 10.85.8.32 in network_helper::dns_validate notice
        
        HIDDEN
        
        
        53650161 2020-09-17 16:53:34 input discoveries Set DNS hostname for 10.85.8.32 in network_helper::dns_validate notice
        
        HIDDEN
        
        
        53650162 2020-09-17 16:53:34 input discoveries Set DNS domain for 10.85.8.32 in network_helper::dns_validate notice
        
        HIDDEN
        
        
        53650163 2020-09-17 16:53:34 m_device match Running devices::match function. notice
        53650164 2020-09-17 16:53:34 m_device match Not running match_hostname_uuid, uuid not set. notice
        53650165 2020-09-17 16:53:34 m_device match Not running match_hostname_dbus, dbus_identifier not set. notice
        53650166 2020-09-17 16:53:34 m_device match Not running match_hostname_serial, serial not set. notice
        53650167 2020-09-17 16:53:34 m_device match Not running match_dbus, matching rule set to: n. notice
        53650168 2020-09-17 16:53:34 m_device match Not running match_dns_fqdn, matching rule set to: n. notice
        53650169 2020-09-17 16:53:34 m_device match Not running match_dns_hostname, matching rule set to: n. notice
        53650170 2020-09-17 16:53:34 m_device match Not running match_fqdn, fqdn not set. notice
        53650171 2020-09-17 16:53:34 m_device match Not running match_serial_type, serial not set. notice
        53650172 2020-09-17 16:53:34 m_device match Not running match_serial, serial not set. notice
        53650173 2020-09-17 16:53:34 m_device match Not running match_sysname_serial, sysname not set. notice
        53650174 2020-09-17 16:53:34 m_device match Not running match_sysname, sysname not set. notice
        53650175 2020-09-17 16:53:34 m_device match Not running match_mac (ip table), mac_address not set. notice
        53650176 2020-09-17 16:53:34 m_device match Not running match_mac (network table), mac_address not set. notice
        53650177 2020-09-17 16:53:34 m_device match Not running match_mac (addresses), mac_addresses not set. notice
        53650178 2020-09-17 16:53:34 m_device match HIT on IP Address (network table). success
        
        IP: 10.85.8.32, SystemID : 1259
        
        
        53650179 2020-09-17 16:53:34 m_device match Device named HIDDEN found on initial Nmap result. success
        53650180 2020-09-17 16:53:34 m_device match Delete the previous log entries for this device 0.002614 success
        
        /* input::discoveries */ DELETE FROM discovery_log WHERE system_id = 1259 and discovery_id != 9847
        
        53650181 2020-09-17 16:53:34 m_device match Update the current log entries with our new device success
        
        /* input::discoveries */ UPDATE discovery_log SET system_id = 1259 WHERE discovery_id = 9847 and ip = '10.85.8.32'



      2. Jason

        If I run a discovery of system directly (rather than through the subnet discovery), I get this:

        53650640 2020-09-18 10:33:39 discover_subnet.sh logs Starting discovery for 10.85.8.32 start
        53650641 2020-09-18 10:33:39 discover_subnet.sh logs Discovery for 10.85.8.32 using Nmap version 6.40 at /usr/bin/nmap notice
        53650642 2020-09-18 10:33:40 discover_subnet.sh logs IPs in subnet: 1 notice
        
        nmap -n -sL 10.85.8.32 2>/dev/null | grep "Nmap done" | cut -d" " -f3
        
        53650643 2020-09-18 10:33:40 discover_subnet.sh logs IPs after exclusions in subnet: 1 notice
        
        nmap -n -sL 10.85.8.32 2>/dev/null | grep "Nmap done" | cut -d" " -f3
        
        53650644 2020-09-18 10:33:41 discover_subnet.sh logs IPs responding to Nmap ping in subnet (to be scanned): 1 notice
        
        nmap -n -oG - -sP 10.85.8.32 2>/dev/null | grep "Host:" | cut -d" " -f2
        
        53650645 2020-09-18 10:33:42 discover_subnet.sh logs Updating discovery log with non-responding IPs notice
        53650646 2020-09-18 10:33:42 discover_subnet.sh logs Scanning Host: 10.85.8.32 notice
        53650647 2020-09-18 10:33:43 discover_subnet.sh logs Nmap Command (Custom TCP Ports) 1.000000 notice
        
        /usr/bin/nmap -n -T4 -sS -p 22,135,62078 10.85.8.32 # Custom TCP Ports
        
        53650648 2020-09-18 10:33:44 discover_subnet.sh logs Host 10.85.8.32 is up, received wmi (TCP port 135 open) response notice
        
        135/tcp open msrpc
        
        
        /usr/bin/nmap -n -T4 -sS -p 22,135,62078 10.85.8.32 # Custom TCP Ports
        
        53650649 2020-09-18 10:33:45 discover_subnet.sh logs Host 10.85.8.32 is up, received Nmap ping response notice
        
        Nmap done: 1 IP address (1 host up) scanned in 0.55 seconds
        
        
        /usr/bin/nmap -n -T4 -sS -p 22,135,62078 10.85.8.32 # Custom TCP Ports
        
        53650650 2020-09-18 10:33:46 discover_subnet.sh logs Nmap Command (Custom UDP Ports) notice
        
        /usr/bin/nmap -n -T4 -sU -p 161 10.85.8.32 # Custom UDP Ports
        
        53650651 2020-09-18 10:33:46 discover_subnet.sh logs Host 10.85.8.32 is up, received Nmap ping response notice
        
        Nmap done: 1 IP address (1 host up) scanned in 0.52 seconds
        
        
        /usr/bin/nmap -n -T4 -sU -p 161 10.85.8.32 # Custom UDP Ports
        
        53650652 2020-09-18 10:33:47 discover_subnet.sh logs IP 10.85.8.32 responding, received open TCP port (135/tcp, msrpc), adding to device list. SSH Status: false, WMI Status: true, SNMP Status: false. 4.000000 (1 of 1)
        
        https://127.0.0.1/open-audit/index.php/input/discoveries
        
        53650653 2020-09-18 10:33:48 input discoveries The discovery_id was used to successfully retrieve information for the discovery entry named Device Discovery - HIDDEN success
        53650654 2020-09-18 10:33:48 input discoveries Received data for 10.85.8.32, now starting to process success
        53650655 2020-09-18 10:33:48 input discoveries Set DNS FQDN for 10.85.8.32 in network_helper::dns_validate notice
        
        HIDDEN.HIDDEN
        
        
        53650656 2020-09-18 10:33:48 input discoveries Set DNS hostname for 10.85.8.32 in network_helper::dns_validate notice
        
        HIDDEN
        
        
        53650657 2020-09-18 10:33:48 input discoveries Set DNS domain for 10.85.8.32 in network_helper::dns_validate notice
        
        HIDDEN
        
        
        53650658 2020-09-18 10:33:48 m_device match Running devices::match function. notice
        53650659 2020-09-18 10:33:48 m_device match Not running match_hostname_uuid, uuid not set. notice
        53650660 2020-09-18 10:33:48 m_device match Not running match_hostname_dbus, dbus_identifier not set. notice
        53650661 2020-09-18 10:33:48 m_device match Not running match_hostname_serial, serial not set. notice
        53650662 2020-09-18 10:33:48 m_device match Not running match_dbus, matching rule set to: n. notice
        53650663 2020-09-18 10:33:48 m_device match Not running match_dns_fqdn, matching rule set to: n. notice
        53650664 2020-09-18 10:33:48 m_device match Not running match_dns_hostname, matching rule set to: n. notice
        53650665 2020-09-18 10:33:48 m_device match Not running match_fqdn, fqdn not set. notice
        53650666 2020-09-18 10:33:48 m_device match Not running match_serial_type, serial not set. notice
        53650667 2020-09-18 10:33:48 m_device match Not running match_serial, serial not set. notice
        53650668 2020-09-18 10:33:48 m_device match Not running match_sysname_serial, sysname not set. notice
        53650669 2020-09-18 10:33:48 m_device match Not running match_sysname, sysname not set. notice
        53650670 2020-09-18 10:33:48 m_device match Not running match_mac (ip table), mac_address not set. notice
        53650671 2020-09-18 10:33:48 m_device match Not running match_mac (network table), mac_address not set. notice
        53650672 2020-09-18 10:33:48 m_device match Not running match_mac (addresses), mac_addresses not set. notice
        53650673 2020-09-18 10:33:48 m_device match HIT on IP Address (network table). success
        
        IP: 10.85.8.32, SystemID : 1259
        
        
        53650674 2020-09-18 10:33:48 m_device match Device named HIDDEN found on initial Nmap result. success
        53650675 2020-09-18 10:33:48 m_device match Delete the previous log entries for this device 0.010361 success
        
        /* input::discoveries */ DELETE FROM discovery_log WHERE system_id = 1259 and discovery_id != 9943
        
        53650676 2020-09-18 10:33:48 m_device match Update the current log entries with our new device 50.006006 success
        
        /* input::discoveries */ UPDATE discovery_log SET system_id = 1259 WHERE discovery_id = 9943 and ip = '10.85.8.32'
        
        53650677 2020-09-18 10:33:49 input discoveries Set discovery entry status to complete
        53650678 2020-09-18 10:33:49 discover_subnet.sh logs Completed discovery, scanned 1 IP addresses 11.000000 finish
        53650679 2020-09-18 10:34:38 m_device match WMI Status is true on 10.85.8.32 notice
        53650680 2020-09-18 10:34:38 m_device match SSH Status is false on 10.85.8.32 notice
        53650681 2020-09-18 10:34:38 m_device match SNMP Status is false on 10.85.8.32 notice
        53650682 2020-09-18 10:34:38 discovery_helper discoveries Testing Windows credentials for 10.85.8.32 notice
        53650683 2020-09-18 10:34:38 wmi_helper windows_credentials Windows credentials starting notice
        53650684 2020-09-18 10:34:38 wmi_helper wmi_command Attempting to execute command using winexe-static-2 0.450474 success
        
        ["UUID","24BF3842-D0E4-6401-A3EB-17E68DAE3411",""]
        
        
        timeout 1m /usr/local/open-audit/other/winexe-static-2 -U 'HIDDEN'%****** --uninstall //10.85.8.32 "wmic csproduct get uuid" 2>&1
        
        53650685 2020-09-18 10:34:38 wmi_helper wmi_command Windows credentials complete. Credential set windows administrator working on 10.85.8.32 success
        53650686 2020-09-18 10:34:38 wmi_helper wmi_audit WMI audit starting notice
        53650687 2020-09-18 10:34:38 wmi_helper wmi_command Attempting to execute command using winexe-static-2 0.476761 success
        
        ["UUID","24BF3842-D0E4-6401-A3EB-17E68DAE3411",""]
        
        
        timeout 1m /usr/local/open-audit/other/winexe-static-2 -U 'HIDDEN'%****** --uninstall //10.85.8.32 "wmic csproduct get uuid" 2>&1
        
        53650688 2020-09-18 10:34:39 wmi_helper wmi_command Attempting to execute command using winexe-static-2 0.461463 success
        
        ["IdentifyingNumber","VMware-42 38 bf 24 e4 d0 01 64-a3 eb 17 e6 8d ae 34 11",""]
        
        
        timeout 1m /usr/local/open-audit/other/winexe-static-2 -U 'HIDDEN'%****** --uninstall //10.85.8.32 "wmic csproduct get IdentifyingNumber" 2>&1
        
        53650689 2020-09-18 10:34:39 wmi_helper wmi_command Attempting to execute command using winexe-static-2 0.467804 success
        
        ["Vendor","VMware, Inc.",""]
        
        
        timeout 1m /usr/local/open-audit/other/winexe-static-2 -U 'HIDDEN'%****** --uninstall //10.85.8.32 "wmic csproduct get vendor" 2>&1
        
        53650690 2020-09-18 10:34:40 wmi_helper wmi_command Attempting to execute command using winexe-static-2 0.477938 success
        
        ["Description","HIDDEN",""]
        
        
        timeout 1m /usr/local/open-audit/other/winexe-static-2 -U 'HIDDEN'%****** --uninstall //10.85.8.32 "wmic os get description" 2>&1
        
        53650691 2020-09-18 10:34:40 wmi_helper wmi_command Attempting to execute command using winexe-static-2 0.474132 success
        
        ["Name","HIDDEN",""]
        
        
        timeout 1m /usr/local/open-audit/other/winexe-static-2 -U 'HIDDEN'%****** --uninstall //10.85.8.32 "wmic computersystem get name" 2>&1
        
        53650692 2020-09-18 10:34:41 wmi_helper wmi_command Attempting to execute command using winexe-static-2 0.493441 success
        
        ["Domain","HIDDEN",""]
        
        
        timeout 1m /usr/local/open-audit/other/winexe-static-2 -U 'HIDDEN'%****** --uninstall //10.85.8.32 "wmic computersystem get domain" 2>&1
        
        53650693 2020-09-18 10:34:41 wmi_helper wmi_command Attempting to execute command using winexe-static-2 0.490732 success
        
        ["Name","Microsoft Windows Server 2012 R2 Datacenter|C:\\Windows|\\Device\\Harddisk0\\Partition2",""]
        
        
        timeout 1m /usr/local/open-audit/other/winexe-static-2 -U 'HIDDEN'%****** --uninstall //10.85.8.32 "wmic os get name" 2>&1
        
        53650694 2020-09-18 10:34:42 wmi_helper wmi_audit WMI audit complete notice
        53650695 2020-09-18 10:34:42 m_rules execute Running rules::match function. notice
        
        {"id":"1259","name":"HIDDEN","type":"computer","os_family":"","os_group":"Windows","sysDescr":"","last_seen":"2020-09-18 10:33:47","timestamp":"2020-09-18 10:33:47","ip":"10.85.8.32","audits_ip":"127.0.0.1","last_seen_by":"windows","discovery_id":"9943","credentials":"[3]","dns_hostname":"HIDDEN","dns_fqdn":"HIDDEN.HIDDEN","dns_domain":"HIDDEN","fqdn":"HIDDEN.HIDDEN","uuid":"24BF3842-D0E4-6401-A3EB-17E68DAE3411","serial":"VMware-42 38 bf 24 e4 d0 01 64-a3 eb 17 e6 8d ae 34 11","manufacturer":"VMware, Inc.","description":"HIDDEN","hostname":"HIDDEN","domain":"HIDDEN","os_name":"Microsoft Windows Server 2012 R2 Datacenter","install_dir":"C:\\Windows","where":"supplied"}
        
        
        Device Input (return).
        
        53650696 2020-09-18 10:34:42 m_rules execute Hit on manufacturer VMware, Inc. li vmware 0.014236 notice
        
        {"form_factor":"Virtual"}
        
        
        Rules Match - Form Factor based on Manufacturer (like VMware), ID: 43
        
        53650697 2020-09-18 10:34:42 m_rules execute Hit on form_factor Virtual eq Virtual Hit on os_group Windows eq Windows Hit on os_name Microsoft Windows Server 2012 R2 Datacenter li Server Hit on os_group is not empty Hit on class is empty 0.016354 notice
        
        {"class":"virtual server"}
        
        
        Rules Match - Class based on Form Factor and OS (Virtual Windows Server), ID: 49
        
        53650698 2020-09-18 10:34:42 m_rules execute Completed rules::match function. 0.016354 notice
        53650699 2020-09-18 10:34:42 include_input_discoveries discoveries Start of WINDOWS update for 10.85.8.32 notice
        53650700 2020-09-18 10:34:42 audit_helper audit_convert Formatting system details notice
        53650701 2020-09-18 10:34:42 audit_helper audit_convert Windows VMware style serial detected, creating vm_uuid. notice
        
        VMware-42 38 bf 24 e4 d0 01 64-a3 eb 17 e6 8d ae 34 11 -> 4238bf24-e4d0-0164-a3eb-17e68dae3411
        
        
        53650702 2020-09-18 10:34:42 discovery_helper discoveries End of WINDOWS update for 10.85.8.32 notice
        53650703 2020-09-18 10:34:42 include_input_discoveries discoveries Processing found ip addresses (non-snmp) for 10.85.8.32 notice
        53650704 2020-09-18 10:34:42 include_input_discoveries discoveries Updating ip with ID 4192 notice
        53650705 2020-09-18 10:34:42 include_input_discoveries discoveries Processing Nmap ports for 10.85.8.32 notice
        53650706 2020-09-18 10:34:42 m_rules execute Running rules::match function. notice
        
        Device ID supplied: 1259
        
        
        Device ID Input (update).
        
        53650707 2020-09-18 10:34:42 m_rules execute Hit on manufacturer VMware, Inc. li vmware 0.010172 notice
        
        {"form_factor":"Virtual"}
        
        
        Rules Match - Form Factor based on Manufacturer (like VMware), ID: 43
        
        53650708 2020-09-18 10:34:42 m_rules execute Completed rules::match function. 0.010172 notice
        53650709 2020-09-18 10:34:42 include_input_discoveries discoveries At IP 10.85.8.32, discovery found a device of type 'computer'. 54.292378 notice
        53650710 2020-09-18 10:34:42 include_input_discoveries discoveries Script details retrieved 54.292378 success
        
        /* discovery::process_subnet */ SELECT * FROM `scripts` WHERE `name` = 'audit_windows.vbs' AND `based_on` = 'audit_windows.vbs' ORDER BY `id` LIMIT 1
        
        53650711 2020-09-18 10:34:42 include_input_discoveries discoveries Starting windows script audit for 10.85.8.32 notice
        53650712 2020-09-18 10:34:43 wmi_helper copy_to_windows Linux attempt (SMB2 user@domain) to copy file to 10.85.8.32 succeeded in wmi_helper::copy_to_windows success
        
        smbclient -m SMB2 \\\\10.85.8.32\\\admin$ -U "HIDDEN*******" -c "put /usr/local/open-audit/other/scripts/audit_windows_20_09_18_10_34_42_52328300.vbs audit_windows.vbs 2>&1"
        
        53650713 2020-09-18 10:34:43 wmi_helper execute_windows Using winexe-static-2 to run audit. success
        
        timeout 5m /usr/local/open-audit/other/winexe-static-2 -U "HIDDEN%******" --uninstall //10.85.8.32 "cscript C:\Windows\audit_windows.vbs submit_online=n create_file=w debugging=0 self_delete=y last_seen_by=audit_wmi system_id=1259 discov
      3. Mark Unwin
        Would one of these configuration options prevent re-inventorying a system? Some other configuration setting?

        In short, no.

      4. Mark Unwin

        What version of Open-AudIT are you using?

        Are you using the GUI to run the discovery, or using the script discover_subnet.sh ?

        You should only use the GUI. The script has been deprecated.

      5. Jason

        I'm using 3.2.2


        I tried the newer version of the newer discovery process again recently, however it hangs on discoveries sometimes and they end up in failed status or just run forever.


        Yes, running it through the GUI only results in the above. 

      6. Mark Unwin

        I'd suggest using 3.4.0 as there have been multiple fixes since 3.2.2 and discover_subnet is no longer used. See:

        Release Notes for Open-AudIT v3.3.0

        Release Notes for Open-AudIT v3.3.1

        Release Notes for Open-AudIT v3.3.2

        Release Notes for Open-AudIT v3.4.0

      7. Jason

        I upgraded to the latest version 3.4.  Discovery mostly works on smaller subnets, but occasionally hangs (no updates in the discovery log for several hours) so I have to execute it again to get it to run.  But at least existing systems are getting their details updated.

        However now, on a larger subnet (a /19) it has hung and no discoveries will do anything now.  cpu use is totally flat.   I have 6,331 items in the queue table in my database.  Seems I am back at the last place I was last time I tried this newer version (3.3) where discoveries just stop working.  Here is my older question:


        New discovery process in 3.3 does not work after upgrade from 3.2.2



      8. Mark Unwin

        Jason,

        If you call the below URL from the server, it should start the queue.

        curl http://localhost/open-audit/index.php/util/queue

        Once done, does the queue appear to be processing?


      9. Jason

        So, eventually after ~24 hours, it finally marked the discovery as "failed" so then some other discoveries started actually trying to run, however now they all appear stuck again, no cpu, nothing.

        I've tried curling that link, but no change in behavior. 

        Is there any way to see what is going on?  This new discovery process seems odd in that it is idle quite often...

      10. Mark Unwin

        In Enterprise (or Professional) on the discoveries list page, at the top right you'll see a drop down arrow. Click it and a panel should expand to show you the number of items in the queue, etc. There are some options to delete queue items, etc.

      11. Jason

        Anything I can look at in community edition?  The system appears totally idle and there is not much for logs.


        Thanks


      12. Mark Unwin

        You can try this on the command line.

        mysql -u openaudit -popenauditpassword openaudit -e "SELECT * FROM queue;" > queue_output.txt

        That will dump the contents of the queue database table.

        Now select a discovery that is not completing. Get its ID and run the below (substitue the actual ID for $id).

        mysql -u openaudit -popenauditpassword openaudit -e "SELECT * FROM discoveries WHERE id = $id;" > discovery_output.txt

        And it's logs.

        mysql -u openaudit -popenauditpassword openaudit -e "SELECT * FROM discovery_log WHERE discovery_id = $id;" > discovery_log_output.txt

        Parse the discovery log and see if there are any IP addresses that haven't been scanned that are in the queue_output.

        Go to the end of the discovery_log and see if there is something amiss.

        The last entry should  resemble below (note, the output format will differ, but the contents should be the same). Note the message  column and the command_status.

                             id: 10914
                   discovery_id: 7
                      system_id: NULL
                      timestamp: 2020-09-24 15:37:04
                       severity: 7
                  severity_text: debug
                            pid: 13952
                             ip: 127.0.0.1
                           file: wmi_helper
                       function: copy_from_windows
                        message: Discovery has finished.
                        command: 
                 command_status: finished
        command_time_to_execute: 41.165920
                 command_output: 

        If all else fails, email me those files at marku@opmantek.com and I can take a quick look to see if anything obvious stands out.

        Mark.

      13. Jason

        Thanks.

        Below is info for one that is hung.

        nothing is in the queue.

        here is the discovery info:


        id name org_id description type devices_assigned_to_org devices_assigned_to_location network_address system_id other options discard last_run last_finished duration status ip_all_count ip_responding_count ip_scanned_count ip_discovered_count ip_audited_count edited_by edited_date
        9863 VLAN 96 1 Subnet - 10.84.96.0/19 subnet 1 1 http://127.0.0.1/open-audit/ 0 {"nmap":{},"match":{},"subnet":"10.84.96.0\\/19"} n 2020-09-28 20:15:12 2020-09-28 20:15:12 11:26:00 running 8192 6591 6591 3921 127 Administrator 2020-03-10 13:20:45


        Here are the last few log lines.  Note the current time is 14:44



        60536344 9863 128756 2020-09-29 06:22:22 7 debug 24911 10.84.127.254 wmi_helper windows_credentials Processing found ip addresses (non-snmp) for 10.84.127.254 notice 0.000000
        
        60536345 9863 128756 2020-09-29 06:22:22 6 info 24911 10.84.127.254 m_devices_components nmap_ip Inserting ip 10.84.127.254 notice 0.000000
        
        60536346 9863 128756 2020-09-29 06:22:22 7 debug 24911 10.84.127.254 wmi_helper windows_credentials Processing Nmap ports for 10.84.127.254 notice 0.000000
        
        60536347 9863 128756 2020-09-29 06:22:22 7 debug 24911 10.84.127.254 m_rules execute Running rules::execute function. Device ID Input (update). notice 0.000000 Device ID supplied: 128756
        
        60536348 9863 128756 2020-09-29 06:22:22 7 debug 24911 10.84.127.254 m_rules execute Completed rules::execute function. notice 0.000000
        
        60536349 9863 128756 2020-09-29 06:22:22 5 debug 24911 10.84.127.254 wmi_helper windows_credentials No valid credentials for 10.84.127.254 fail 0.000000
        
        60536350 9863 128756 2020-09-29 06:22:22 7 debug 24911 10.84.127.254 wmi_helper windows_credentials At IP 10.84.127.254, discovery found a device of type 'unknown'. notice 0.000000
        
        60536351 9863 128756 2020-09-29 06:22:22 7 debug 24911 10.84.127.254 m_rules execute Running rules::execute function. Device ID Input (update). notice 0.000000 Device ID supplied: 128756
        
        60536352 9863 128756 2020-09-29 06:22:22 7 debug 24911 10.84.127.254 m_rules execute Completed rules::execute function. notice 0.000000
        
        60536353 9863 128756 2020-09-29 06:22:31 7 debug 24911 10.84.127.254 wmi_helper windows_credentials IP Audit finish on device 10.84.127.254 Peak Memory device complete 202.496848 118.941 MiB







      14. Mark Unwin

        So it looks like the discovery is running and completing, but not updating that fact.

        What's the time difference between discovery start and the last discovery log?

        What happens on a /24 discovery?

        Can you confirm the version of Open-AudIT you're running?

        I upgraded to the latest version 3.4.

        and

        this newer version (3.3)

        Mark.

      15. Jason

        If it was completing, would it not show this as the last line, like a successfully finished discovery?

        55037557 9848 NULL 2020-09-23 11:21:23 7 debug 23885 127.0.0.1 discoveries_helper ip_audit Discovery has finished. finished 1382.215097


        Time from start to last entry in the discovery log is ~10 hours 7 minutes

        59104748 9863 NULL 2020-09-28 20:15:12 6 info 19298 127.0.0.1 discoveries_helper discover_subnet Starting discovery for VLAN 96 start 0.000000
        
        .
        .
        .
        
        60536353 9863 128756 2020-09-29 06:22:31 7 debug 24911 10.84.127.254 wmi_helper windows_credentials IP Audit finish on device 10.84.127.254 Peak Memory device complete 202.496848 118.941 MiB



        It also still shows as running.

        Here is the same detail from a successful /24

        Discovery detail

        id name org_id description type devices_assigned_to_org devices_assigned_to_location network_address system_id other options discard last_run last_finished duration status ip_all_count ip_responding_count ip_scanned_count ip_discovered_count ip_audited_count edited_by edited_date
        9848 VLAN 39 1 Subnet - 10.85.9.0/24 subnet 1 1 https://127.0.0.1/open-audit/ 0 {"nmap":{},"match":{},"subnet":"10.85.9.0\\/24"} n2020-09-23 10:40:01 2020-09-23 11:21:23 00:41:22 complete 256 201 201 172 41 Administrator 2020-03-10 13:20:45

        Last few log lines


        55037464 9848 36952 2020-09-23 11:16:07 7 debug 13398 10.85.9.76 m_rules execute Hit on $device->snmp_oid 1.3.6.1.4.1.11.2.3.2.6 eq 1.3.6.1.4.1.11.2.3.2.6 Rules Match - SNMP OID for Itanium notice 0.000470 {"model":"Itanium","type":"switch"}
        
        55037465 9848 36952 2020-09-23 11:16:07 7 debug 13398 10.85.9.76 m_rules execute Hit on $device->mac_address 00:18:fe:28:e0:6e st 00:18:fe Rules Match - Mac Address for Hewlett Packard notice 0.002763 {"model":"Itanium","type":"switch","manufacturer":"Hewlett Packard"}
        
        55037466 9848 36952 2020-09-23 11:16:07 7 debug 13398 10.85.9.76 m_rules execute Completed rules::execute function. notice 0.002763
        
        55037467 9848 36952 2020-09-23 11:16:07 5 debug 13398 10.85.9.76 wmi_helper windows_credentials No valid credentials for 10.85.9.76 fail 0.000000
        
        55037468 9848 36952 2020-09-23 11:16:07 7 debug 13398 10.85.9.76 wmi_helper windows_credentials At IP 10.85.9.76, discovery found an unknown device. notice 0.000000
        
        55037469 9848 36952 2020-09-23 11:16:07 7 debug 13398 10.85.9.76 m_rules execute Running rules::execute function. Device ID Input (update). notice 0.000000 Device ID supplied: 36952
        
        55037470 9848 36952 2020-09-23 11:16:07 7 debug 13398 10.85.9.76 m_rules execute Hit on $device->snmp_oid 1.3.6.1.4.1.11.2.3.2.6 eq 1.3.6.1.4.1.11.2.3.2.6 Rules Match - SNMP OID for Itanium notice 0.000030 {"model":"Itanium","type":"switch"}
        
        55037471 9848 36952 2020-09-23 11:16:07 7 debug 13398 10.85.9.76 m_rules execute Completed rules::execute function. notice 0.000030
        
        55037472 9848 36952 2020-09-23 11:16:07 7 debug 13398 10.85.9.76 wmi_helper windows_credentials IP Audit finish on device 10.85.9.76 Peak Memory device complete 1367.767546 82.993 MiB
        
        55037557 9848 NULL 2020-09-23 11:21:23 7 debug 23885 127.0.0.1 discoveries_helper ip_audit Discovery has finished. finished 1382.215097
        
        


        I'm running the latest version, 3.4.0

        Thank you for looking



      16. Mark Unwin

        I'd suggest splitting the discovery into smaller chunks. As small as realistic. Personally I try to use a single /24 per discovery.

        You can also try (depending on server specification, network performance, et al) increasing the queue limit. Default is 20. That means 20 IPs (after an initial 'ping') will be discovered at once. If you have the resources, try increasing it. All things being equal, it should process the IPs faster and may help.

        Ideally your discoveries should complete within an hour.

        Items affecting Discovery times

      CommentAdd your comment...