Much of our workforce works remotely, and most of those employees (700+) have Windows 10 tablets. When our tablets connect to the Internet, SALT communicates back to our datacenter. One of the things it does is update a custom field in Open-Audit with a last seen date/time. This happens every 10 minutes. As a result, the Edit logs for our end-user devices are filled with SALT last seen entries.
Is there a way to stop the custom field from generating an entry in the Edit log when it changes?
Is it an option to have SALT update the Last Seen and Last Seen by fields found on the Summary>Details section?
SALT works over the internet (devices can be connected to WiFi or cellular) and we can still manage them. Our devices are glorified thin clients used to connect to Citrix (we don't use VPNs). Whereas Open-Audit is for our domain attached devices. We have over 700 cell-enabled tablets deployed to our staff, and in the current Covid environment, they rarely come to the office to connect to our network.
SALT polls the connected devices every hour, and when a device responds, the custom field SALT Last Seen is updated. So if our staff are on their device for 60 minutes we are guaranteed to have that entry updated. We tried changing the process to update the Last_Seen and Last_Seen_By fields, but rather than having one entry in the Edit Log, we now have 2 entries.
It would appear that using the API results in the Edit log having an entry added.
Going in a completely different direction, would there be a way to run a query against Edit_Log database and remove all entries containing SALT Last Seen? Our Edit DB has 7.2 million records.
I was able to run from the MariaDB prompt
DELETE QUICK FROM openaudit.edit_log WHERE db_column = "SALT Last Seen";
which deleted 7,060,000 entries.
How would I run this on a single line?
c:\xampp\mysql\bin\mysql.exe -u root -popenauditrootuserpassword -e "DELETE QUICK FROM openaudit.edit_log WHERE db_column = "SALT Last Seen";"
did not work.
You didn't specify the database and you cannot use double quotes inside double quotes... Try the below command.
c:\xampp\mysql\bin\mysql.exe -u root -popenauditrootuserpassword openaudit -e "DELETE QUICK FROM openaudit.edit_log WHERE db_column = 'SALT Last Seen';"
That was the change I needed. Now we can continue to use the API to update information without being concerned about flooding the Edit log with additional entries. The flood will occur, but now it can be managed.
The short answer is no - changes are kept for audit purposes. I would definitely look at updating the last_seen attribute instead. That's what it is for. I'd leave your custom field for last seen by, though. This is deliberately set to one of a list of options (nmap, snmp, ssh, ssh_audit, wmi, wmi_audit, audit).
What is Salt sending back to the server - an audit result? If so, just remove the custom field from the audit and it should "just work" for last_seen. What is Salt using for Last Seen By?
Information received from SALT is added to Open-Audit using the API, it is not an audit result, simply a date/timestamp of the device being present on our network. SALT checks every hour.
We do hope to explore having SALT load the windows.vbs script on our end-user Windows devices and have it generate an audit file locally so SALT can then copy the audit file over the internet to our SALT server and from there eventually to our Open-Audit server.