
Hello,


Is re-running a subnet discovery supposed to update the details for devices found in that subnet?  For example software, uptime, OS version, last seen on attribute, etc?  I'm not seeing these update on subsequent runs of the discovery.


Thank you





    1 answer

    1.  

      Yes, it most definitely should. What are you not seeing that you're expecting to see? Have you checked the discovery log to make sure you're getting a full audit (credentials are working, the audit script is working)?

      1. Jason

        Yes, for an example system (IP 10.85.8.32 ), I see it was scanned again, however not clear that it ran a new audit against it.  Below is the log.  I've hidden sensitive items with "HIDDEN"

        For the system itself, the "Last seen on" date is 2020-07-03 17:42:31 and the software inventory is not up to date.


        Would one of these configuration options prevent re-inventorying a system? Some other configuration setting?

        name                   value  edited_by      edited_date          description
        match_dbus             n      system         2000-01-01 00:00:00  Should we match a device based on its dbus id.
        match_fqdn             y      system         2000-01-01 00:00:00  Should we match a device based on its fqdn.
        match_dns_fqdn         n      system         2000-01-01 00:00:00  Should we match a device based on its DNS fqdn.
        match_dns_hostname     n      system         2000-01-01 00:00:00  Should we match a device based on its DNS hostname.
        match_hostname         y      system         2000-01-01 00:00:00  Should we match a device based only on its hostname.
        match_hostname_dbus    y      system         2000-01-01 00:00:00  Should we match a device based on its hostname and dbus id.
        match_hostname_serial  y      system         2000-01-01 00:00:00  Should we match a device based on its hostname and serial.
        match_hostname_uuid    y      system         2000-01-01 00:00:00  Should we match a device based on its hostname and UUID.
        match_ip               y      Administrator  2020-09-17 12:47:10  Should we match a device based on its ip.
        match_mac              y      Administrator  2020-01-11 21:39:55  Should we match a device based on its mac address.
        match_mac_vmware       n      system         2000-01-01 00:00:00  Should we match a device based mac address even if its a known likely duplicate from VMware.
        match_serial           y      system         2000-01-01 00:00:00  Should we match a device based on its serial number.
        match_serial_type      y      system         2000-01-01 00:00:00  Should we match a device based on its serial and type.
        match_sysname          y      system         2000-01-01 00:00:00  Should we match a device based only on its SNMP sysName.
        match_sysname_serial   y      system         2000-01-01 00:00:00  Should we match a device based only on its SNMP sysName and serial.
        match_uuid             y      system         2000-01-01 00:00:00  Should we match a device based on its UUID.

        53650145 2020-09-17 16:53:28 discover_subnet.sh logs Scanning Host: 10.85.8.32 notice
        53650146 2020-09-17 16:53:29 discover_subnet.sh logs Nmap Command (Custom TCP Ports) 1.000000 notice
        
        /usr/bin/nmap -n -T4 -sS -p 22,135,62078 10.85.8.32 # Custom TCP Ports
        
        53650147 2020-09-17 16:53:30 discover_subnet.sh logs Host 10.85.8.32 is up, received wmi (TCP port 135 open) response notice
        
        135/tcp open msrpc
        
        
        /usr/bin/nmap -n -T4 -sS -p 22,135,62078 10.85.8.32 # Custom TCP Ports
        
        53650148 2020-09-17 16:53:30 discover_subnet.sh logs Host 10.85.8.32 is up, received Nmap ping response notice
        
        Nmap done: 1 IP address (1 host up) scanned in 0.50 seconds
        
        
        /usr/bin/nmap -n -T4 -sS -p 22,135,62078 10.85.8.32 # Custom TCP Ports
        
        53650149 2020-09-17 16:53:31 discover_subnet.sh logs Nmap Command (Custom UDP Ports) 1.000000 notice
        
        /usr/bin/nmap -n -T4 -sU -p 161 10.85.8.32 # Custom UDP Ports
        
        53650150 2020-09-17 16:53:32 discover_subnet.sh logs Host 10.85.8.32 is up, received Nmap ping response notice
        
        Nmap done: 1 IP address (1 host up) scanned in 0.52 seconds
        
        
        /usr/bin/nmap -n -T4 -sU -p 161 10.85.8.32 # Custom UDP Ports
        
        53650151 2020-09-17 16:53:33 discover_subnet.sh logs IP 10.85.8.32 responding, received open TCP port (135/tcp, msrpc), adding to device list. SSH Status: false, WMI Status: true, SNMP Status: false. 4.000000 (23 of 33)
        
        https://127.0.0.1/open-audit/index.php/input/discoveries
        
        53650152 2020-09-17 16:53:33 m_device match WMI Status is true on 10.85.8.6 notice
        53650153 2020-09-17 16:53:33 m_device match SSH Status is false on 10.85.8.6 notice
        53650154 2020-09-17 16:53:33 m_device match SNMP Status is false on 10.85.8.6 notice
        53650155 2020-09-17 16:53:33 discovery_helper discoveries Testing Windows credentials for 10.85.8.6 notice
        53650156 2020-09-17 16:53:33 wmi_helper windows_credentials Windows credentials starting notice
        53650157 2020-09-17 16:53:33 wmi_helper wmi_command Attempting to execute command using winexe-static-2 0.899158 success
        
        ["UUID","22903842-8194-DFE4-B389-AC959CDF0A57",""]
        
        
        timeout 1m /usr/local/open-audit/other/winexe-static-2 -U 'HIDDEN****** --uninstall //10.85.8.6 "wmic csproduct get uuid" 2>&1
        
        53650158 2020-09-17 16:53:34 input discoveries The discovery_id was used to successfully retrieve information for the discovery entry named VLAN 38 success
        53650159 2020-09-17 16:53:34 input discoveries Received data for 10.85.8.32, now starting to process success
        53650160 2020-09-17 16:53:34 input discoveries Set DNS FQDN for 10.85.8.32 in network_helper::dns_validate notice
        
        HIDDEN
        
        
        53650161 2020-09-17 16:53:34 input discoveries Set DNS hostname for 10.85.8.32 in network_helper::dns_validate notice
        
        HIDDEN
        
        
        53650162 2020-09-17 16:53:34 input discoveries Set DNS domain for 10.85.8.32 in network_helper::dns_validate notice
        
        HIDDEN
        
        
        53650163 2020-09-17 16:53:34 m_device match Running devices::match function. notice
        53650164 2020-09-17 16:53:34 m_device match Not running match_hostname_uuid, uuid not set. notice
        53650165 2020-09-17 16:53:34 m_device match Not running match_hostname_dbus, dbus_identifier not set. notice
        53650166 2020-09-17 16:53:34 m_device match Not running match_hostname_serial, serial not set. notice
        53650167 2020-09-17 16:53:34 m_device match Not running match_dbus, matching rule set to: n. notice
        53650168 2020-09-17 16:53:34 m_device match Not running match_dns_fqdn, matching rule set to: n. notice
        53650169 2020-09-17 16:53:34 m_device match Not running match_dns_hostname, matching rule set to: n. notice
        53650170 2020-09-17 16:53:34 m_device match Not running match_fqdn, fqdn not set. notice
        53650171 2020-09-17 16:53:34 m_device match Not running match_serial_type, serial not set. notice
        53650172 2020-09-17 16:53:34 m_device match Not running match_serial, serial not set. notice
        53650173 2020-09-17 16:53:34 m_device match Not running match_sysname_serial, sysname not set. notice
        53650174 2020-09-17 16:53:34 m_device match Not running match_sysname, sysname not set. notice
        53650175 2020-09-17 16:53:34 m_device match Not running match_mac (ip table), mac_address not set. notice
        53650176 2020-09-17 16:53:34 m_device match Not running match_mac (network table), mac_address not set. notice
        53650177 2020-09-17 16:53:34 m_device match Not running match_mac (addresses), mac_addresses not set. notice
        53650178 2020-09-17 16:53:34 m_device match HIT on IP Address (network table). success
        
        IP: 10.85.8.32, SystemID : 1259
        
        
        53650179 2020-09-17 16:53:34 m_device match Device named HIDDEN found on initial Nmap result. success
        53650180 2020-09-17 16:53:34 m_device match Delete the previous log entries for this device 0.002614 success
        
        /* input::discoveries */ DELETE FROM discovery_log WHERE system_id = 1259 and discovery_id != 9847
        
        53650181 2020-09-17 16:53:34 m_device match Update the current log entries with our new device success
        
        /* input::discoveries */ UPDATE discovery_log SET system_id = 1259 WHERE discovery_id = 9847 and ip = '10.85.8.32'
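
The matching cascade in the log above, evaluated rule by rule against the settings Jason posted, modelled as an added Python example. This is not Open-AudIT's own code: the rule order is taken from the "Not running ..." lines in the log, the attributes each rule needs are inferred from the rule names and log messages, match_hostname and match_mac_vmware are left out because the logged cascade never mentions them, and the inventory, hostnames and candidate records are constructed.

```python
# Ordered matching cascade, in the order the discovery log above evaluates it.
# Each entry: (setting name, attributes the candidate must carry for the rule to run).
# ASSUMPTION: required attributes are inferred from the rule names; this is a model,
# not Open-AudIT's implementation.
CASCADE = [
    ("match_hostname_uuid", ("hostname", "uuid")),
    ("match_hostname_dbus", ("hostname", "dbus_identifier")),
    ("match_hostname_serial", ("hostname", "serial")),
    ("match_dbus", ("dbus_identifier",)),
    ("match_dns_fqdn", ("dns_fqdn",)),
    ("match_dns_hostname", ("dns_hostname",)),
    ("match_fqdn", ("fqdn",)),
    ("match_serial_type", ("serial", "type")),
    ("match_serial", ("serial",)),
    ("match_sysname_serial", ("sysname", "serial")),
    ("match_sysname", ("sysname",)),
    ("match_mac", ("mac_address",)),
    ("match_ip", ("ip",)),
]

# The y/n flags from the configuration listing above.
SETTINGS = {name: "y" for name, _ in CASCADE}
SETTINGS.update(match_dbus="n", match_dns_fqdn="n", match_dns_hostname="n")


def match_device(candidate, inventory, settings=SETTINGS):
    """Walk the cascade; return (system_id or None, rule that hit or None, log lines).

    A rule is skipped when its flag is not 'y' or when the candidate lacks one of the
    attributes it needs; the first rule whose attributes all equal those of an
    inventory record wins.  Comparison is case-insensitive on the string form.
    """
    log = []
    for rule, attrs in CASCADE:
        flag = settings.get(rule, "n")
        if flag != "y":
            log.append(f"Not running {rule}, matching rule set to: {flag}.")
            continue
        missing = [a for a in attrs if not candidate.get(a)]
        if missing:
            log.append(f"Not running {rule}, {missing[0]} not set.")
            continue
        for device in inventory:
            if all(str(device.get(a, "")).lower() == str(candidate[a]).lower() for a in attrs):
                log.append(f"HIT on {rule}. SystemID : {device['id']}")
                return device["id"], rule, log
        log.append(f"Ran {rule}, no match.")
    return None, None, log


# Constructed inventory: hostnames are invented; the UUID is the one the WMI audit
# above returned for 10.85.8.32.
INVENTORY = [
    {"id": 1259, "hostname": "srv-a", "ip": "10.85.8.32",
     "uuid": "24BF3842-D0E4-6401-A3EB-17E68DAE3411", "type": "computer"},
    {"id": 1300, "hostname": "srv-b", "ip": "10.85.8.40", "type": "computer"},
]

# What the subnet pass hands to the matcher before any credentials have worked:
# Nmap result plus DNS lookups, nothing that identifies the box itself.
NMAP_ONLY_CANDIDATE = {"ip": "10.85.8.32", "dns_hostname": "srv-a",
                       "dns_fqdn": "srv-a.example.test", "type": "computer"}

# The same box after a WMI audit, now seen at a different IP.
AUDITED_CANDIDATE = {"ip": "10.85.8.99", "hostname": "srv-a",
                     "uuid": "24BF3842-D0E4-6401-A3EB-17E68DAE3411", "type": "computer"}

if __name__ == "__main__":
    for candidate in (NMAP_ONLY_CANDIDATE, AUDITED_CANDIDATE):
        system_id, rule, log = match_device(candidate, INVENTORY)
        print("\n".join(log), "\n-> system_id", system_id, "via", rule, "\n")
```

With only an Nmap result every identifying attribute is absent, so the cascade falls through to match_ip and the record is attached to whichever existing device currently holds that IP, which is exactly the "HIT on IP Address" line in the log. After the WMI audit the hostname+UUID rule fires first and the device is found even at a new address. In this model a fresh scan of a recycled IP would merge into the device that last held it, so the skipped-rule lines are worth reading when an inventory looks wrong.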



      2. Jason

        If I run a discovery of system directly (rather than through the subnet discovery), I get this:

        53650640 2020-09-18 10:33:39 discover_subnet.sh logs Starting discovery for 10.85.8.32 start
        53650641 2020-09-18 10:33:39 discover_subnet.sh logs Discovery for 10.85.8.32 using Nmap version 6.40 at /usr/bin/nmap notice
        53650642 2020-09-18 10:33:40 discover_subnet.sh logs IPs in subnet: 1 notice
        
        nmap -n -sL 10.85.8.32 2>/dev/null | grep "Nmap done" | cut -d" " -f3
        
        53650643 2020-09-18 10:33:40 discover_subnet.sh logs IPs after exclusions in subnet: 1 notice
        
        nmap -n -sL 10.85.8.32 2>/dev/null | grep "Nmap done" | cut -d" " -f3
        
        53650644 2020-09-18 10:33:41 discover_subnet.sh logs IPs responding to Nmap ping in subnet (to be scanned): 1 notice
        
        nmap -n -oG - -sP 10.85.8.32 2>/dev/null | grep "Host:" | cut -d" " -f2
        
        53650645 2020-09-18 10:33:42 discover_subnet.sh logs Updating discovery log with non-responding IPs notice
        53650646 2020-09-18 10:33:42 discover_subnet.sh logs Scanning Host: 10.85.8.32 notice
        53650647 2020-09-18 10:33:43 discover_subnet.sh logs Nmap Command (Custom TCP Ports) 1.000000 notice
        
        /usr/bin/nmap -n -T4 -sS -p 22,135,62078 10.85.8.32 # Custom TCP Ports
        
        53650648 2020-09-18 10:33:44 discover_subnet.sh logs Host 10.85.8.32 is up, received wmi (TCP port 135 open) response notice
        
        135/tcp open msrpc
        
        
        /usr/bin/nmap -n -T4 -sS -p 22,135,62078 10.85.8.32 # Custom TCP Ports
        
        53650649 2020-09-18 10:33:45 discover_subnet.sh logs Host 10.85.8.32 is up, received Nmap ping response notice
        
        Nmap done: 1 IP address (1 host up) scanned in 0.55 seconds
        
        
        /usr/bin/nmap -n -T4 -sS -p 22,135,62078 10.85.8.32 # Custom TCP Ports
        
        53650650 2020-09-18 10:33:46 discover_subnet.sh logs Nmap Command (Custom UDP Ports) notice
        
        /usr/bin/nmap -n -T4 -sU -p 161 10.85.8.32 # Custom UDP Ports
        
        53650651 2020-09-18 10:33:46 discover_subnet.sh logs Host 10.85.8.32 is up, received Nmap ping response notice
        
        Nmap done: 1 IP address (1 host up) scanned in 0.52 seconds
        
        
        /usr/bin/nmap -n -T4 -sU -p 161 10.85.8.32 # Custom UDP Ports
        
        53650652 2020-09-18 10:33:47 discover_subnet.sh logs IP 10.85.8.32 responding, received open TCP port (135/tcp, msrpc), adding to device list. SSH Status: false, WMI Status: true, SNMP Status: false. 4.000000 (1 of 1)
        
        https://127.0.0.1/open-audit/index.php/input/discoveries
        
        53650653 2020-09-18 10:33:48 input discoveries The discovery_id was used to successfully retrieve information for the discovery entry named Device Discovery - HIDDEN success
        53650654 2020-09-18 10:33:48 input discoveries Received data for 10.85.8.32, now starting to process success
        53650655 2020-09-18 10:33:48 input discoveries Set DNS FQDN for 10.85.8.32 in network_helper::dns_validate notice
        
        HIDDEN.HIDDEN
        
        
        53650656 2020-09-18 10:33:48 input discoveries Set DNS hostname for 10.85.8.32 in network_helper::dns_validate notice
        
        HIDDEN
        
        
        53650657 2020-09-18 10:33:48 input discoveries Set DNS domain for 10.85.8.32 in network_helper::dns_validate notice
        
        HIDDEN
        
        
        53650658 2020-09-18 10:33:48 m_device match Running devices::match function. notice
        53650659 2020-09-18 10:33:48 m_device match Not running match_hostname_uuid, uuid not set. notice
        53650660 2020-09-18 10:33:48 m_device match Not running match_hostname_dbus, dbus_identifier not set. notice
        53650661 2020-09-18 10:33:48 m_device match Not running match_hostname_serial, serial not set. notice
        53650662 2020-09-18 10:33:48 m_device match Not running match_dbus, matching rule set to: n. notice
        53650663 2020-09-18 10:33:48 m_device match Not running match_dns_fqdn, matching rule set to: n. notice
        53650664 2020-09-18 10:33:48 m_device match Not running match_dns_hostname, matching rule set to: n. notice
        53650665 2020-09-18 10:33:48 m_device match Not running match_fqdn, fqdn not set. notice
        53650666 2020-09-18 10:33:48 m_device match Not running match_serial_type, serial not set. notice
        53650667 2020-09-18 10:33:48 m_device match Not running match_serial, serial not set. notice
        53650668 2020-09-18 10:33:48 m_device match Not running match_sysname_serial, sysname not set. notice
        53650669 2020-09-18 10:33:48 m_device match Not running match_sysname, sysname not set. notice
        53650670 2020-09-18 10:33:48 m_device match Not running match_mac (ip table), mac_address not set. notice
        53650671 2020-09-18 10:33:48 m_device match Not running match_mac (network table), mac_address not set. notice
        53650672 2020-09-18 10:33:48 m_device match Not running match_mac (addresses), mac_addresses not set. notice
        53650673 2020-09-18 10:33:48 m_device match HIT on IP Address (network table). success
        
        IP: 10.85.8.32, SystemID : 1259
        
        
        53650674 2020-09-18 10:33:48 m_device match Device named HIDDEN found on initial Nmap result. success
        53650675 2020-09-18 10:33:48 m_device match Delete the previous log entries for this device 0.010361 success
        
        /* input::discoveries */ DELETE FROM discovery_log WHERE system_id = 1259 and discovery_id != 9943
        
        53650676 2020-09-18 10:33:48 m_device match Update the current log entries with our new device 50.006006 success
        
        /* input::discoveries */ UPDATE discovery_log SET system_id = 1259 WHERE discovery_id = 9943 and ip = '10.85.8.32'
        
        53650677 2020-09-18 10:33:49 input discoveries Set discovery entry status to complete
        53650678 2020-09-18 10:33:49 discover_subnet.sh logs Completed discovery, scanned 1 IP addresses 11.000000 finish
        53650679 2020-09-18 10:34:38 m_device match WMI Status is true on 10.85.8.32 notice
        53650680 2020-09-18 10:34:38 m_device match SSH Status is false on 10.85.8.32 notice
        53650681 2020-09-18 10:34:38 m_device match SNMP Status is false on 10.85.8.32 notice
        53650682 2020-09-18 10:34:38 discovery_helper discoveries Testing Windows credentials for 10.85.8.32 notice
        53650683 2020-09-18 10:34:38 wmi_helper windows_credentials Windows credentials starting notice
        53650684 2020-09-18 10:34:38 wmi_helper wmi_command Attempting to execute command using winexe-static-2 0.450474 success
        
        ["UUID","24BF3842-D0E4-6401-A3EB-17E68DAE3411",""]
        
        
        timeout 1m /usr/local/open-audit/other/winexe-static-2 -U 'HIDDEN'%****** --uninstall //10.85.8.32 "wmic csproduct get uuid" 2>&1
        
        53650685 2020-09-18 10:34:38 wmi_helper wmi_command Windows credentials complete. Credential set windows administrator working on 10.85.8.32 success
        53650686 2020-09-18 10:34:38 wmi_helper wmi_audit WMI audit starting notice
        53650687 2020-09-18 10:34:38 wmi_helper wmi_command Attempting to execute command using winexe-static-2 0.476761 success
        
        ["UUID","24BF3842-D0E4-6401-A3EB-17E68DAE3411",""]
        
        
        timeout 1m /usr/local/open-audit/other/winexe-static-2 -U 'HIDDEN'%****** --uninstall //10.85.8.32 "wmic csproduct get uuid" 2>&1
        
        53650688 2020-09-18 10:34:39 wmi_helper wmi_command Attempting to execute command using winexe-static-2 0.461463 success
        
        ["IdentifyingNumber","VMware-42 38 bf 24 e4 d0 01 64-a3 eb 17 e6 8d ae 34 11",""]
        
        
        timeout 1m /usr/local/open-audit/other/winexe-static-2 -U 'HIDDEN'%****** --uninstall //10.85.8.32 "wmic csproduct get IdentifyingNumber" 2>&1
        
        53650689 2020-09-18 10:34:39 wmi_helper wmi_command Attempting to execute command using winexe-static-2 0.467804 success
        
        ["Vendor","VMware, Inc.",""]
        
        
        timeout 1m /usr/local/open-audit/other/winexe-static-2 -U 'HIDDEN'%****** --uninstall //10.85.8.32 "wmic csproduct get vendor" 2>&1
        
        53650690 2020-09-18 10:34:40 wmi_helper wmi_command Attempting to execute command using winexe-static-2 0.477938 success
        
        ["Description","HIDDEN",""]
        
        
        timeout 1m /usr/local/open-audit/other/winexe-static-2 -U 'HIDDEN'%****** --uninstall //10.85.8.32 "wmic os get description" 2>&1
        
        53650691 2020-09-18 10:34:40 wmi_helper wmi_command Attempting to execute command using winexe-static-2 0.474132 success
        
        ["Name","HIDDEN",""]
        
        
        timeout 1m /usr/local/open-audit/other/winexe-static-2 -U 'HIDDEN'%****** --uninstall //10.85.8.32 "wmic computersystem get name" 2>&1
        
        53650692 2020-09-18 10:34:41 wmi_helper wmi_command Attempting to execute command using winexe-static-2 0.493441 success
        
        ["Domain","HIDDEN",""]
        
        
        timeout 1m /usr/local/open-audit/other/winexe-static-2 -U 'HIDDEN'%****** --uninstall //10.85.8.32 "wmic computersystem get domain" 2>&1
        
        53650693 2020-09-18 10:34:41 wmi_helper wmi_command Attempting to execute command using winexe-static-2 0.490732 success
        
        ["Name","Microsoft Windows Server 2012 R2 Datacenter|C:\\Windows|\\Device\\Harddisk0\\Partition2",""]
        
        
        timeout 1m /usr/local/open-audit/other/winexe-static-2 -U 'HIDDEN'%****** --uninstall //10.85.8.32 "wmic os get name" 2>&1
        
        53650694 2020-09-18 10:34:42 wmi_helper wmi_audit WMI audit complete notice
        53650695 2020-09-18 10:34:42 m_rules execute Running rules::match function. notice
        
        {"id":"1259","name":"HIDDEN","type":"computer","os_family":"","os_group":"Windows","sysDescr":"","last_seen":"2020-09-18 10:33:47","timestamp":"2020-09-18 10:33:47","ip":"10.85.8.32","audits_ip":"127.0.0.1","last_seen_by":"windows","discovery_id":"9943","credentials":"[3]","dns_hostname":"HIDDEN","dns_fqdn":"HIDDEN.HIDDEN","dns_domain":"HIDDEN","fqdn":"HIDDEN.HIDDEN","uuid":"24BF3842-D0E4-6401-A3EB-17E68DAE3411","serial":"VMware-42 38 bf 24 e4 d0 01 64-a3 eb 17 e6 8d ae 34 11","manufacturer":"VMware, Inc.","description":"HIDDEN","hostname":"HIDDEN","domain":"HIDDEN","os_name":"Microsoft Windows Server 2012 R2 Datacenter","install_dir":"C:\\Windows","where":"supplied"}
        
        
        Device Input (return).
        
        53650696 2020-09-18 10:34:42 m_rules execute Hit on manufacturer VMware, Inc. li vmware 0.014236 notice
        
        {"form_factor":"Virtual"}
        
        
        Rules Match - Form Factor based on Manufacturer (like VMware), ID: 43
        
        53650697 2020-09-18 10:34:42 m_rules execute Hit on form_factor Virtual eq Virtual Hit on os_group Windows eq Windows Hit on os_name Microsoft Windows Server 2012 R2 Datacenter li Server Hit on os_group is not empty Hit on class is empty 0.016354 notice
        
        {"class":"virtual server"}
        
        
        Rules Match - Class based on Form Factor and OS (Virtual Windows Server), ID: 49
        
        53650698 2020-09-18 10:34:42 m_rules execute Completed rules::match function. 0.016354 notice
        53650699 2020-09-18 10:34:42 include_input_discoveries discoveries Start of WINDOWS update for 10.85.8.32 notice
        53650700 2020-09-18 10:34:42 audit_helper audit_convert Formatting system details notice
        53650701 2020-09-18 10:34:42 audit_helper audit_convert Windows VMware style serial detected, creating vm_uuid. notice
        
        VMware-42 38 bf 24 e4 d0 01 64-a3 eb 17 e6 8d ae 34 11 -> 4238bf24-e4d0-0164-a3eb-17e68dae3411
        
        
        53650702 2020-09-18 10:34:42 discovery_helper discoveries End of WINDOWS update for 10.85.8.32 notice
        53650703 2020-09-18 10:34:42 include_input_discoveries discoveries Processing found ip addresses (non-snmp) for 10.85.8.32 notice
        53650704 2020-09-18 10:34:42 include_input_discoveries discoveries Updating ip with ID 4192 notice
        53650705 2020-09-18 10:34:42 include_input_discoveries discoveries Processing Nmap ports for 10.85.8.32 notice
        53650706 2020-09-18 10:34:42 m_rules execute Running rules::match function. notice
        
        Device ID supplied: 1259
        
        
        Device ID Input (update).
        
        53650707 2020-09-18 10:34:42 m_rules execute Hit on manufacturer VMware, Inc. li vmware 0.010172 notice
        
        {"form_factor":"Virtual"}
        
        
        Rules Match - Form Factor based on Manufacturer (like VMware), ID: 43
        
        53650708 2020-09-18 10:34:42 m_rules execute Completed rules::match function. 0.010172 notice
        53650709 2020-09-18 10:34:42 include_input_discoveries discoveries At IP 10.85.8.32, discovery found a device of type 'computer'. 54.292378 notice
        53650710 2020-09-18 10:34:42 include_input_discoveries discoveries Script details retrieved 54.292378 success
        
        /* discovery::process_subnet */ SELECT * FROM `scripts` WHERE `name` = 'audit_windows.vbs' AND `based_on` = 'audit_windows.vbs' ORDER BY `id` LIMIT 1
        
        53650711 2020-09-18 10:34:42 include_input_discoveries discoveries Starting windows script audit for 10.85.8.32 notice
        53650712 2020-09-18 10:34:43 wmi_helper copy_to_windows Linux attempt (SMB2 user@domain) to copy file to 10.85.8.32 succeeded in wmi_helper::copy_to_windows success
        
        smbclient -m SMB2 \\\\10.85.8.32\\\admin$ -U "HIDDEN*******" -c "put /usr/local/open-audit/other/scripts/audit_windows_20_09_18_10_34_42_52328300.vbs audit_windows.vbs 2>&1"
        
        53650713 2020-09-18 10:34:43 wmi_helper execute_windows Using winexe-static-2 to run audit. success
        
        timeout 5m /usr/local/open-audit/other/winexe-static-2 -U "HIDDEN%******" --uninstall //10.85.8.32 "cscript C:\Windows\audit_windows.vbs submit_online=n create_file=w debugging=0 self_delete=y last_seen_by=audit_wmi system_id=1259 discov
      3. Mark Unwin
        "Would one of these configuration options prevent re-inventorying a system? Some other configuration setting?"

        In short, no.

      4. Mark Unwin

        What version of Open-AudIT are you using?

        Are you using the GUI to run the discovery, or using the script discover_subnet.sh ?

        You should only use the GUI. The script has been deprecated.

      5. Jason

        I'm using 3.2.2


        I tried the newer version of the newer discovery process again recently, however it hangs on discoveries sometimes and they end up in failed status or just run forever.


        Yes, running it through the GUI only results in the above. 

      6. Mark Unwin

        I'd suggest using 3.4.0 as there have been multiple fixes since 3.2.2 and discover_subnet is no longer used. See:

        Release Notes for Open-AudIT v3.3.0

        Release Notes for Open-AudIT v3.3.1

        Release Notes for Open-AudIT v3.3.2

        Release Notes for Open-AudIT v3.4.0

      7. Jason

        I upgraded to the latest version 3.4.  Discovery mostly works on smaller subnets, but occasionally hangs (no updates in the discovery log for several hours) so I have to execute it again to get it to run.  But at least existing systems are getting their details updated.

        However now, on a larger subnet (a /19) it has hung and no discoveries will do anything now.  CPU use is totally flat.   I have 6,331 items in the queue table in my database.  Seems I am back at the last place I was last time I tried this newer version (3.3) where discoveries just stop working.  Here is my older question:


        New discovery process in 3.3 does not work after upgrade from 3.2.2



      8. Mark Unwin

        Jason,

        If you call the below URL from the server, it should start the queue.

        curl http://localhost/open-audit/index.php/util/queue

        Once done, does the queue appear to be processing?


      9. Jason

        So, eventually after ~24 hours, it finally marked the discovery as "failed" so then some other discoveries started actually trying to run, however now they all appear stuck again, no cpu, nothing.

        I've tried curling that link, but no change in behavior. 

        Is there any way to see what is going on?  This new discovery process seems odd in that it is idle quite often...

      10. Mark Unwin

        In Enterprise (or Professional) on the discoveries list page, at the top right you'll see a drop down arrow. Click it and a panel should expand to show you the number of items in the queue, etc. There are some options to delete queue items, etc.

      11. Jason

        Anything I can look at in community edition?  The system appears totally idle and there is not much for logs.


        Thanks


      12. Mark Unwin

        You can try this on the command line.

        mysql -u openaudit -popenauditpassword openaudit -e "SELECT * FROM queue;" > queue_output.txt

        That will dump the contents of the queue database table.

        Now select a discovery that is not completing. Get its ID and run the below (substitute the actual ID for $id).

        mysql -u openaudit -popenauditpassword openaudit -e "SELECT * FROM discoveries WHERE id = $id;" > discovery_output.txt

        And its logs.

        mysql -u openaudit -popenauditpassword openaudit -e "SELECT * FROM discovery_log WHERE discovery_id = $id;" > discovery_log_output.txt

        Parse the discovery log and see if there are any IP addresses that haven't been scanned that are in the queue_output.

        Go to the end of the discovery_log and see if there is something amiss.

        The last entry should resemble below (note, the output format will differ, but the contents should be the same). Note the message column and the command_status.

                             id: 10914
                   discovery_id: 7
                      system_id: NULL
                      timestamp: 2020-09-24 15:37:04
                       severity: 7
                  severity_text: debug
                            pid: 13952
                             ip: 127.0.0.1
                           file: wmi_helper
                       function: copy_from_windows
                        message: Discovery has finished.
                        command: 
                 command_status: finished
        command_time_to_execute: 41.165920
                 command_output: 

        If all else fails, email me those files at marku@opmantek.com and I can take a quick look to see if anything obvious stands out.

        Mark.
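
A small script that applies the checks Mark describes to the dumps (queue_output.txt and discovery_log_output.txt), as an added example rather than anything shipped with Open-AudIT. It assumes the files are the tab-separated output of mysql -e with a header row, uses the discovery_log column names from the entry above, and assumes the queue table has a details column holding JSON with "ip" and "discovery_id" keys (that layout is a guess for the example; adjust it to what your queue_output.txt actually contains). The sample dumps embedded in it are constructed.

```python
import csv
import io
import json
from datetime import datetime

# discovery_log columns as they appear in the \G output above.
LOG_COLUMNS = (
    "id", "discovery_id", "system_id", "timestamp", "severity", "severity_text",
    "pid", "ip", "file", "function", "message", "command", "command_status",
    "command_time_to_execute", "command_output",
)


def parse_dump(text):
    """Parse `mysql -e "SELECT ..." > file` output: header row, then tab-separated rows.
    mysql writes embedded tabs/newlines as \\t and \\n, so splitting on real tabs is
    safe; QUOTE_NONE stops a stray double quote in command_output from swallowing fields.
    """
    reader = csv.DictReader(io.StringIO(text), delimiter="\t", quoting=csv.QUOTE_NONE)
    return [dict(row) for row in reader]


def queue_items_for(queue_rows, discovery_id):
    """(queue id, ip) for queue rows whose `details` JSON belongs to this discovery.
    ASSUMPTION: details is JSON with "ip" and "discovery_id" keys."""
    items = []
    for row in queue_rows:
        try:
            details = json.loads(row.get("details") or "{}")
        except json.JSONDecodeError:
            continue
        if str(details.get("discovery_id")) == str(discovery_id) and details.get("ip"):
            items.append((row["id"], details["ip"]))
    return items


def unscanned_queue_ips(queue_rows, log_rows, discovery_id):
    """Queued IPs for this discovery that never produced a discovery_log row."""
    seen = {r["ip"] for r in log_rows if r.get("ip")}
    return sorted({ip for _, ip in queue_items_for(queue_rows, discovery_id) if ip not in seen})


def last_entry(log_rows):
    return max(log_rows, key=lambda r: int(r["id"])) if log_rows else None


def finished(log_rows):
    """True when the log ends the way a completed discovery does."""
    last = last_entry(log_rows)
    if last is None:
        return False
    return last["command_status"] == "finished" and last["message"].startswith("Discovery has finished")


def log_span_seconds(log_rows):
    """Seconds between the first and last log timestamps (start to last entry)."""
    stamps = [datetime.strptime(r["timestamp"], "%Y-%m-%d %H:%M:%S") for r in log_rows]
    return (max(stamps) - min(stamps)).total_seconds() if stamps else 0.0


def triage(queue_text, log_text, discovery_id):
    queue_rows, log_rows = parse_dump(queue_text), parse_dump(log_text)
    return {
        "finished": finished(log_rows),
        "last_entry": last_entry(log_rows),
        "log_span_seconds": log_span_seconds(log_rows),
        "unscanned_queue_ips": unscanned_queue_ips(queue_rows, log_rows, discovery_id),
    }


def sample_log_row(id_, ip, timestamp, file_, function, message, status):
    """Build one constructed discovery_log row in the dump format."""
    fields = dict.fromkeys(LOG_COLUMNS, "")
    fields.update(id=str(id_), discovery_id="9863", system_id="NULL", timestamp=timestamp,
                  severity="7", severity_text="debug", pid="24911", ip=ip, file=file_,
                  function=function, message=message, command_status=status,
                  command_time_to_execute="0.000000")
    return "\t".join(fields[c] for c in LOG_COLUMNS)


# Constructed sample dumps: discovery 9863 started, audited one IP and then went
# quiet, with a second queued IP that never got scanned.
QUEUE_DUMP = "\n".join([
    "id\ttype\tdetails\ttimestamp",
    '1\tip_scan\t{"ip":"10.84.96.10","discovery_id":9863}\t2020-09-28 20:15:20',
    '2\tip_scan\t{"ip":"10.84.96.11","discovery_id":9863}\t2020-09-28 20:15:21',
    '3\tip_scan\t{"ip":"10.85.9.5","discovery_id":9848}\t2020-09-28 20:15:22',
])
LOG_DUMP = "\n".join([
    "\t".join(LOG_COLUMNS),
    sample_log_row(1, "127.0.0.1", "2020-09-28 20:15:12", "discoveries_helper",
                   "discover_subnet", "Starting discovery for VLAN 96", "start"),
    sample_log_row(2, "10.84.96.10", "2020-09-28 20:20:00", "wmi_helper",
                   "windows_credentials", "IP Audit finish on device 10.84.96.10", "device complete"),
])

if __name__ == "__main__":
    report = triage(QUEUE_DUMP, LOG_DUMP, 9863)
    for key in ("finished", "log_span_seconds", "unscanned_queue_ips"):
        print(f"{key}: {report[key]}")
```

Run it against the real files by replacing the two constants with the contents of queue_output.txt and discovery_log_output.txt. A discovery whose log has no "Discovery has finished." row but whose queue holds no unscanned IPs for it matches the symptom in this thread: nothing left to do, yet the status never flips.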

      13. Jason

        Thanks.

        Below is info for one that is hung.

        nothing is in the queue.

        here is the discovery info:


                             id: 9863
                           name: VLAN 96
                         org_id: 1
                    description: Subnet - 10.84.96.0/19
                           type: subnet
        devices_assigned_to_org: 1
   devices_assigned_to_location: 1
                network_address: http://127.0.0.1/open-audit/
                      system_id: 0
                          other: 
                        options: {"nmap":{},"match":{},"subnet":"10.84.96.0\\/19"}
                        discard: n
                       last_run: 2020-09-28 20:15:12
                  last_finished: 2020-09-28 20:15:12
                       duration: 11:26:00
                         status: running
                   ip_all_count: 8192
            ip_responding_count: 6591
               ip_scanned_count: 6591
            ip_discovered_count: 3921
               ip_audited_count: 127
                      edited_by: Administrator
                    edited_date: 2020-03-10 13:20:45


        Here are the last few log lines.  Note the current time is 14:44



        60536344 9863 128756 2020-09-29 06:22:22 7 debug 24911 10.84.127.254 wmi_helper windows_credentials Processing found ip addresses (non-snmp) for 10.84.127.254 notice 0.000000
        
        60536345 9863 128756 2020-09-29 06:22:22 6 info 24911 10.84.127.254 m_devices_components nmap_ip Inserting ip 10.84.127.254 notice 0.000000
        
        60536346 9863 128756 2020-09-29 06:22:22 7 debug 24911 10.84.127.254 wmi_helper windows_credentials Processing Nmap ports for 10.84.127.254 notice 0.000000
        
        60536347 9863 128756 2020-09-29 06:22:22 7 debug 24911 10.84.127.254 m_rules execute Running rules::execute function. Device ID Input (update). notice 0.000000 Device ID supplied: 128756
        
        60536348 9863 128756 2020-09-29 06:22:22 7 debug 24911 10.84.127.254 m_rules execute Completed rules::execute function. notice 0.000000
        
        60536349 9863 128756 2020-09-29 06:22:22 5 debug 24911 10.84.127.254 wmi_helper windows_credentials No valid credentials for 10.84.127.254 fail 0.000000
        
        60536350 9863 128756 2020-09-29 06:22:22 7 debug 24911 10.84.127.254 wmi_helper windows_credentials At IP 10.84.127.254, discovery found a device of type 'unknown'. notice 0.000000
        
        60536351 9863 128756 2020-09-29 06:22:22 7 debug 24911 10.84.127.254 m_rules execute Running rules::execute function. Device ID Input (update). notice 0.000000 Device ID supplied: 128756
        
        60536352 9863 128756 2020-09-29 06:22:22 7 debug 24911 10.84.127.254 m_rules execute Completed rules::execute function. notice 0.000000
        
        60536353 9863 128756 2020-09-29 06:22:31 7 debug 24911 10.84.127.254 wmi_helper windows_credentials IP Audit finish on device 10.84.127.254 Peak Memory device complete 202.496848 118.941 MiB

      14. Mark Unwin

        So it looks like the discovery is running and completing, but not updating that fact.

        What's the time difference between discovery start and the last discovery log?

        What happens on a /24 discovery?

        Can you confirm the version of Open-AudIT you're running?

        I upgraded to the latest version 3.4.

        and

        this newer version (3.3)

        Mark.

      15. Jason

        If it was completing, would it not show this as the last line, like a successfully finished discovery?

        55037557 9848 NULL 2020-09-23 11:21:23 7 debug 23885 127.0.0.1 discoveries_helper ip_audit Discovery has finished. finished 1382.215097


        Time from start to last entry in the discovery log is ~10 hours 7 minutes

        59104748 9863 NULL 2020-09-28 20:15:12 6 info 19298 127.0.0.1 discoveries_helper discover_subnet Starting discovery for VLAN 96 start 0.000000
        
        .
        .
        .
        
        60536353 9863 128756 2020-09-29 06:22:31 7 debug 24911 10.84.127.254 wmi_helper windows_credentials IP Audit finish on device 10.84.127.254 Peak Memory device complete 202.496848 118.941 MiB



        It also still shows as running.

        Here is the same detail from a successful /24

        Discovery detail

        +------+---------+--------+-----------------------+--------+-------------------------+------------------------------+-------------------------------+-----------+--------------------------------------------------+---------+---------+---------------------+---------------------+----------+----------+--------------+---------------------+------------------+---------------------+------------------+---------------+---------------------+
        | id   | name    | org_id | description           | type   | devices_assigned_to_org | devices_assigned_to_location | network_address               | system_id | other                                            | options | discard | last_run            | last_finished       | duration | status   | ip_all_count | ip_responding_count | ip_scanned_count | ip_discovered_count | ip_audited_count | edited_by     | edited_date         |
        +------+---------+--------+-----------------------+--------+-------------------------+------------------------------+-------------------------------+-----------+--------------------------------------------------+---------+---------+---------------------+---------------------+----------+----------+--------------+---------------------+------------------+---------------------+------------------+---------------+---------------------+
        | 9848 | VLAN 39 |      1 | Subnet - 10.85.9.0/24 | subnet |                       1 |                            1 | https://127.0.0.1/open-audit/ |         0 | {"nmap":{},"match":{},"subnet":"10.85.9.0\\/24"} |         | n       | 2020-09-23 10:40:01 | 2020-09-23 11:21:23 | 00:41:22 | complete |          256 |                 201 |              201 |                 172 |               41 | Administrator | 2020-03-10 13:20:45 |
        +------+---------+--------+-----------------------+--------+-------------------------+------------------------------+-------------------------------+-----------+--------------------------------------------------+---------+---------+---------------------+---------------------+----------+----------+--------------+---------------------+------------------+---------------------+------------------+---------------+---------------------+

        Last few log lines


        55037464 9848 36952 2020-09-23 11:16:07 7 debug 13398 10.85.9.76 m_rules execute Hit on $device->snmp_oid 1.3.6.1.4.1.11.2.3.2.6 eq 1.3.6.1.4.1.11.2.3.2.6 Rules Match - SNMP OID for Itanium notice 0.000470 {"model":"Itanium","type":"switch"}
        
        55037465 9848 36952 2020-09-23 11:16:07 7 debug 13398 10.85.9.76 m_rules execute Hit on $device->mac_address 00:18:fe:28:e0:6e st 00:18:fe Rules Match - Mac Address for Hewlett Packard notice 0.002763 {"model":"Itanium","type":"switch","manufacturer":"Hewlett Packard"}
        
        55037466 9848 36952 2020-09-23 11:16:07 7 debug 13398 10.85.9.76 m_rules execute Completed rules::execute function. notice 0.002763
        
        55037467 9848 36952 2020-09-23 11:16:07 5 debug 13398 10.85.9.76 wmi_helper windows_credentials No valid credentials for 10.85.9.76 fail 0.000000
        
        55037468 9848 36952 2020-09-23 11:16:07 7 debug 13398 10.85.9.76 wmi_helper windows_credentials At IP 10.85.9.76, discovery found an unknown device. notice 0.000000
        
        55037469 9848 36952 2020-09-23 11:16:07 7 debug 13398 10.85.9.76 m_rules execute Running rules::execute function. Device ID Input (update). notice 0.000000 Device ID supplied: 36952
        
        55037470 9848 36952 2020-09-23 11:16:07 7 debug 13398 10.85.9.76 m_rules execute Hit on $device->snmp_oid 1.3.6.1.4.1.11.2.3.2.6 eq 1.3.6.1.4.1.11.2.3.2.6 Rules Match - SNMP OID for Itanium notice 0.000030 {"model":"Itanium","type":"switch"}
        
        55037471 9848 36952 2020-09-23 11:16:07 7 debug 13398 10.85.9.76 m_rules execute Completed rules::execute function. notice 0.000030
        
        55037472 9848 36952 2020-09-23 11:16:07 7 debug 13398 10.85.9.76 wmi_helper windows_credentials IP Audit finish on device 10.85.9.76 Peak Memory device complete 1367.767546 82.993 MiB
        
        55037557 9848 NULL 2020-09-23 11:21:23 7 debug 23885 127.0.0.1 discoveries_helper ip_audit Discovery has finished. finished 1382.215097
        
        I'm running the latest version, 3.4.0

        Thank you for looking

      16. Mark Unwin

        I'd suggest splitting the discovery into smaller chunks. As small as realistic. Personally I try to use a single /24 per discovery.

        You can also try (depending on server specification, network performance, et al) increasing the queue limit. Default is 20. That means 20 IPs (after an initial 'ping') will be discovered at once. If you have the resources, try increasing it. All things being equal, it should process the IPs faster and may help.

        Ideally your discoveries should complete within an hour.

        Items affecting Discovery times

      17. Jason

        Hello,


        I finally got around to working on this again. I deleted all my discoveries in preparation for importing a CSV of them all, broken down into /24 networks.

        However, now I'm finding import does not work on this version (3.5.0). No matter what I try, I get this error message:

        Permission denied for OrgID.


        I am logged in as admin. 

        I've even tried a simple CSV formatted as such, but it fails.


        name,org_id,type,network_address,other.subnet
        192.168.1.0/24,1,subnet,http://127.0.0.1/open-audit/,192.168.1.0/24


        Looking in the system log, I see this error:

        User not authorised to use Org (discoveries:sub_resource_create).

        Followed by this error

        User not permittied to perform sub_resource_create on discoveries ID discoveries

      18. Mark Unwin

        I'm /afk for Christmas. Will check when I return.

      19. Mark Unwin

        This looks to be a bug. But it hasn't been triggered until now.

        The POST URL is to /discoveries/discoveries/import. It should be to discoveries/import. Because of that, the new response helper is assuming you have posted an ID (of "discoveries"), and the incorrect action is being chosen.

        Fortunately it's an easy fix.

        Edit the file open-audit/code_igniter/application/views/theme-bootstrap/v_collection_import. Replace the line

        <form action="<?php echo $this->response->meta->collection; ?>/import" method="post" enctype="multipart/form-data">

        with

        <form action="import" method="post" enctype="multipart/form-data">

        And it should work.

        Also, make sure you enclose your CSV fields in double quotes, as per the import HTML page.

        Mark.

      20. Jason

        Thanks, I'll try it out this week.

      21. Jason

        That worked for import. Thanks!

      22. Jason

        I'm back to the problem where a discovery doesn't appear to do anything.

        Any advice on what to look at?

        [root@openaudit ~]# mysql -u openaudit -popenauditpassword openaudit -e "SELECT * FROM queue;"
        +------+----------+--------+--------+-----+--------+------------------------------------------------------+---------------------+---------------------+
        | id   | name     | type   | org_id | pid | status | details                                              | edited_date         | started_date        |
        +------+----------+--------+--------+-----+--------+------------------------------------------------------+---------------------+---------------------+
        | 1524 | VLAN 348 | subnet |      1 |   0 | queued | {"name":"VLAN 348","org_id":"1","discovery_id":9921} | 2021-01-06 09:50:00 | 2000-01-01 00:00:00 |
        +------+----------+--------+--------+-----+--------+------------------------------------------------------+---------------------+---------------------+
        
        
        [root@openaudit ~]# mysql -u openaudit -popenauditpassword openaudit -e "SELECT * FROM discoveries WHERE id = 9921;"
        +------+----------+--------+------------------------+--------+-------------------------+------------------------------+-----------------+-----------+--------------------------------------------------+---------+---------+---------------------+---------------------+----------+---------+--------------+---------------------+------------------+---------------------+------------------+---------------+---------------------+
        | id   | name     | org_id | description            | type   | devices_assigned_to_org | devices_assigned_to_location | network_address | system_id | other                                            | options | discard | last_run            | last_finished       | duration | status  | ip_all_count | ip_responding_count | ip_scanned_count | ip_discovered_count | ip_audited_count | edited_by     | edited_date         |
        +------+----------+--------+------------------------+--------+-------------------------+------------------------------+-----------------+-----------+--------------------------------------------------+---------+---------+---------------------+---------------------+----------+---------+--------------+---------------------+------------------+---------------------+------------------+---------------+---------------------+
        | 9921 | VLAN 348 |      1 | Subnet - 10.84.48.0/21 | subnet |                       1 |                            1 |                 |         0 | {"nmap":{},"match":{},"subnet":"10.84.48.0\/21"} |         | n       | 2021-01-06 09:50:00 | 2021-01-06 09:50:01 | 00:22:09 | running |            0 |                   0 |                0 |                   0 |                0 | Administrator | 2021-01-06 09:48:21 |
        +------+----------+--------+------------------------+--------+-------------------------+------------------------------+-----------------+-----------+--------------------------------------------------+---------+---------+---------------------+---------------------+----------+---------+--------------+---------------------+------------------+---------------------+------------------+---------------+---------------------+
        
        
        [root@openaudit ~]# mysql -u openaudit -popenauditpassword openaudit -e "SELECT * FROM discovery_log WHERE discovery_id = 9921;"
        
        
      23. Mark Unwin

        The queue can take a minute to start - it's not necessarily instant. It should start though.

        Maybe check cron and apache (access and error) logs?

        What happens if you curl http://localhost/open-audit/index.php/util/queue ?

      24. Jason

        It failed after 22 minutes.


        [root@openaudit ~]# mysql -u openaudit -popenauditpassword openaudit -e "SELECT * FROM discoveries WHERE id = 9921;"
        +------+----------+--------+------------------------+--------+-------------------------+------------------------------+-----------------+-----------+--------------------------------------------------+---------+---------+---------------------+---------------------+----------+--------+--------------+---------------------+------------------+---------------------+------------------+---------------+---------------------+
        | id   | name     | org_id | description            | type   | devices_assigned_to_org | devices_assigned_to_location | network_address | system_id | other                                            | options | discard | last_run            | last_finished       | duration | status | ip_all_count | ip_responding_count | ip_scanned_count | ip_discovered_count | ip_audited_count | edited_by     | edited_date         |
        +------+----------+--------+------------------------+--------+-------------------------+------------------------------+-----------------+-----------+--------------------------------------------------+---------+---------+---------------------+---------------------+----------+--------+--------------+---------------------+------------------+---------------------+------------------+---------------+---------------------+
        | 9921 | VLAN 348 |      1 | Subnet - 10.84.48.0/21 | subnet |                       1 |                            1 |                 |         0 | {"nmap":{},"match":{},"subnet":"10.84.48.0\/21"} |         | n       | 2021-01-06 09:50:00 | 2021-01-06 09:50:01 | 00:22:09 | failed |            0 |                   0 |                0 |                   0 |                0 | Administrator | 2021-01-06 09:48:21 |
        +------+----------+--------+------------------------+--------+-------------------------+------------------------------+-----------------+-----------+--------------------------------------------------+---------+---------+---------------------+---------------------+----------+--------+--------------+---------------------+------------------+---------------------+------------------+---------------+---------------------+


        apache log is full of items like this:

        127.0.0.1 - - [06/Jan/2021:17:37:01 -0600] "POST /omk/open-audit/tasks/execute HTTP/1.1" 200 2 "-" "curl/7.72.0"
        127.0.0.1 - - [06/Jan/2021:17:37:29 -0600] "GET /open-audit/index.php/widgets HTTP/1.1" 200 41512 "-" "Mojolicious (Perl)"
        127.0.0.1 - - [06/Jan/2021:17:38:01 -0600] "POST /omk/open-audit/tasks/execute HTTP/1.1" 200 2 "-" "curl/7.72.0"
        127.0.0.1 - - [06/Jan/2021:17:39:01 -0600] "POST /omk/open-audit/tasks/execute HTTP/1.1" 200 2 "-" "curl/7.72.0"
        127.0.0.1 - - [06/Jan/2021:17:40:03 -0600] "POST /omk/open-audit/tasks/execute HTTP/1.1" 200 2 "-" "curl/7.72.0"
        127.0.0.1 - - [06/Jan/2021:17:41:01 -0600] "POST /omk/open-audit/tasks/execute HTTP/1.1" 200 2 "-" "curl/7.72.0"
        127.0.0.1 - - [06/Jan/2021:17:41:33 -0600] "GET /open-audit/index.php/widgets HTTP/1.1" 200 41512 "-" "Mojolicious (Perl)"
        127.0.0.1 - - [06/Jan/2021:17:42:01 -0600] "POST /omk/open-audit/tasks/execute HTTP/1.1" 200 2 "-" "curl/7.72.0"
        127.0.0.1 - - [06/Jan/2021:17:43:01 -0600] "POST /omk/open-audit/tasks/execute HTTP/1.1" 200 2 "-" "curl/7.72.0"
        127.0.0.1 - - [06/Jan/2021:17:44:01 -0600] "POST /omk/open-audit/tasks/execute HTTP/1.1" 200 2 "-" "curl/7.72.0"
        127.0.0.1 - - [06/Jan/2021:17:45:04 -0600] "POST /omk/open-audit/tasks/execute HTTP/1.1" 200 2 "-" "curl/7.72.0"
        127.0.0.1 - - [06/Jan/2021:17:46:02 -0600] "POST /omk/open-audit/tasks/execute HTTP/1.1" 200 2 "-" "curl/7.72.0"
        127.0.0.1 - - [06/Jan/2021:17:47:01 -0600] "POST /omk/open-audit/tasks/execute HTTP/1.1" 200 2 "-" "curl/7.72.0"
        127.0.0.1 - - [06/Jan/2021:17:47:39 -0600] "GET /open-audit/index.php/widgets HTTP/1.1" 200 41512 "-" "Mojolicious (Perl)"
        127.0.0.1 - - [06/Jan/2021:17:48:01 -0600] "POST /omk/open-audit/tasks/execute HTTP/1.1" 200 2 "-" "curl/7.72.0"
        127.0.0.1 - - [06/Jan/2021:17:49:01 -0600] "POST /omk/open-audit/tasks/execute HTTP/1.1" 200 2 "-" "curl/7.72.0"
        127.0.0.1 - - [06/Jan/2021:17:50:02 -0600] "POST /omk/open-audit/tasks/execute HTTP/1.1" 200 2 "-" "curl/7.72.0"
        127.0.0.1 - - [06/Jan/2021:17:51:01 -0600] "POST /omk/open-audit/tasks/execute HTTP/1.1" 200 2 "-" "curl/7.72.0"
        127.0.0.1 - - [06/Jan/2021:17:52:01 -0600] "POST /omk/open-audit/tasks/execute HTTP/1.1" 200 2 "-" "curl/7.72.0"
        127.0.0.1 - - [06/Jan/2021:17:53:02 -0600] "POST /omk/open-audit/tasks/execute HTTP/1.1" 200 2 "-" "curl/7.72.0"
        127.0.0.1 - - [06/Jan/2021:17:54:01 -0600] "POST /omk/open-audit/tasks/execute HTTP/1.1" 200 2 "-" "curl/7.72.0"
        127.0.0.1 - - [06/Jan/2021:17:55:08 -0600] "POST /omk/open-audit/tasks/execute HTTP/1.1" 200 2 "-" "curl/7.72.0"
        127.0.0.1 - - [06/Jan/2021:17:55:14 -0600] "GET /open-audit/index.php/util/queue HTTP/1.1" 200 - "-" "curl/7.72.0"
        127.0.0.1 - - [06/Jan/2021:17:56:01 -0600] "POST /omk/open-audit/tasks/execute HTTP/1.1" 200 2 "-" "curl/7.72.0"
        127.0.0.1 - - [06/Jan/2021:17:57:01 -0600] "POST /omk/open-audit/tasks/execute HTTP/1.1" 200 2 "-" "curl/7.72.0"
        
        cron log full of this

        Jan  6 17:55:08 openaudit CROND[22651]: (root) CMD (   /usr/local/omk/bin/open-audit_tasks.sh >/dev/null 2>&1)
        Jan  6 17:56:01 openaudit CROND[22888]: (root) CMD (   /usr/local/omk/bin/open-audit_tasks.sh >/dev/null 2>&1)
        Jan  6 17:57:01 openaudit CROND[22981]: (root) CMD (   /usr/local/omk/bin/open-audit_tasks.sh >/dev/null 2>&1)
        Jan  6 17:58:01 openaudit CROND[23066]: (root) CMD (   /usr/local/omk/bin/open-audit_tasks.sh >/dev/null 2>&1)
        Jan  6 17:59:01 openaudit CROND[23183]: (root) CMD (   /usr/local/omk/bin/open-audit_tasks.sh >/dev/null 2>&1)
        
        I started the discovery again and waited a while but nothing happened.

        Running curl http://localhost/open-audit/index.php/util/queue does not result in anything happening.

      25. Mark Unwin

        It failed after 22 minutes.

        Sounds right; if no logs are received for 20 minutes AND the last log is not "Discovery has finished", then it's classed as failed.

        Have you allowed http from localhost? This is a requirement, see - Configuring Open-Audit with HTTPS/SSL

        Is there anything in the apache error_log?

        What do you get if you query as below?

        mysql -u openaudit -popenauditpassword openaudit -e "SELECT * FROM discovery_log WHERE discovery_id = 9921;"

        Mark.
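Added example (not Open-AudIT's own code): a small Python check that applies the rule Mark states above to an exported discovery_log, classifying a discovery as complete, failed (no new log line for 20 minutes and no finish line) or running, and listing the IPs that were scanned but never audited for lack of credentials, which is why their details do not refresh. It assumes the field order seen in the pasted log lines; the sample lines are copied from this thread.

```python
import re
from datetime import datetime, timedelta

TS_FMT = "%Y-%m-%d %H:%M:%S"
# Field order inferred from the pasted log lines (assumption):
# id discovery_id system_id date time severity level pid ip file function <message ...>
LINE_RE = re.compile(
    r"^(?P<id>\d+) (?P<discovery_id>\d+) (?P<system_id>\d+|NULL) "
    r"(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) (?P<severity>\d) (?P<level>\w+) "
    r"(?P<pid>\d+) (?P<ip>[\d.]+) (?P<file>\S+) (?P<function>\S+) (?P<rest>.*)$"
)
STALL = timedelta(minutes=20)          # no new log line for this long => failed
FINISHED = "Discovery has finished."   # message that marks a clean completion


def parse_line(line):
    """Split one discovery_log line into its fields, or None if it does not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    entry = m.groupdict()
    entry["ts"] = datetime.strptime(entry["ts"], TS_FMT)
    return entry


def classify(lines, now):
    """Return (status, elapsed, ips_without_credentials); `now` is 'YYYY-MM-DD HH:MM:SS'."""
    now = datetime.strptime(now, TS_FMT)
    entries = sorted((e for e in map(parse_line, lines) if e), key=lambda e: e["ts"])
    if not entries:
        # An empty discovery_log means the queue never started the job at all.
        return "no log", timedelta(0), set()
    elapsed = entries[-1]["ts"] - entries[0]["ts"]
    # IPs that were scanned but never audited: their details will not refresh.
    no_creds = {e["ip"] for e in entries if "No valid credentials for" in e["rest"]}
    if entries[-1]["rest"].startswith(FINISHED):
        return "complete", elapsed, no_creds
    if now - entries[-1]["ts"] >= STALL:
        return "failed", elapsed, no_creds
    return "running", elapsed, no_creds


# Lines taken from the thread above: a stalled /21 run and a completed /24 run.
STALLED_LOG = [
    "59104748 9863 NULL 2020-09-28 20:15:12 6 info 19298 127.0.0.1 discoveries_helper discover_subnet Starting discovery for VLAN 96 start 0.000000",
    "60536349 9863 128756 2020-09-29 06:22:22 5 debug 24911 10.84.127.254 wmi_helper windows_credentials No valid credentials for 10.84.127.254 fail 0.000000",
    "60536353 9863 128756 2020-09-29 06:22:31 7 debug 24911 10.84.127.254 wmi_helper windows_credentials IP Audit finish on device 10.84.127.254 Peak Memory device complete 202.496848 118.941 MiB",
]
COMPLETE_LOG = [
    "55037472 9848 36952 2020-09-23 11:16:07 7 debug 13398 10.85.9.76 wmi_helper windows_credentials IP Audit finish on device 10.85.9.76 Peak Memory device complete 1367.767546 82.993 MiB",
    "55037557 9848 NULL 2020-09-23 11:21:23 7 debug 23885 127.0.0.1 discoveries_helper ip_audit Discovery has finished. finished 1382.215097",
]

if __name__ == "__main__":
    for name, log in (("VLAN 96", STALLED_LOG), ("VLAN 39", COMPLETE_LOG)):
        status, elapsed, no_creds = classify(log, "2020-09-29 07:00:00")
        print(f"{name}: {status}, ran {elapsed}, no credentials for {sorted(no_creds)}")
```

Feed it the output of `SELECT ... FROM discovery_log WHERE discovery_id = N` one line per row; the stalled run above reports ~10 hours 7 minutes elapsed and "failed", matching the 22-minute timeout behaviour described.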


      26. Jason

        Yes, HTTP is enabled and validated; it works via curl.


        The discovery_log is empty.

      27. Mark Unwin

        Is there anything in the apache error_log?

      28. Jason

        Hello, 

        No, there was nothing in the error log.

        I've found that once Open-AudIT hangs on a few discoveries, and if it has enough of these in a failed/forever-running state, nothing will discover any more when you start it. And even though it shows several discoveries "running", the queue is empty.


        If I delete ALL discoveries, then re-import them from CSV as new ones, discoveries will start up again; however, eventually one or more of them fail/run forever.

      29. Mark Unwin

        If you're using the Pro/Ent GUI, there is an Advanced section where you can delete existing queue items.

        Also make sure you're running the latest release. There have been some discovery bugs addressed.

      CommentAdd your comment...