Auditor Help: Auditor Troubleshooting

Architecture Overview

Diagram of Auditor Architecture

Ecora Auditor Professional software collects configuration settings from remote machines, using remote API calls to the target machines, into data sets (repo.dat.bz2). The data sets are used when generating Full-Documentation, Change, and Baseline reports. If the database option is turned on, the data sets are also stored in a database (MSDE or MS-SQL). FFR and CCL reports are generated from the information stored in the database.
Note: If the database option is not selected, FFR and CCL reports cannot be generated.

The flow of information consists of the following steps:

Discovery → Collection → Database Import → Report Generation

  1. Discovery: finding the target systems in the environment. There are a variety of methods that can be used to specify and select the systems of interest. Some modules support auto-discovery using Active Directory, NetBIOS, or by specifying IP ranges. Most modules support manual entry by IP address, FQDN, domain/computer name, or via a file containing system specification.
  2. Collection: remote querying of target machines to gather configuration data via a variety of APIs: remote registry API, NET (NETBIOS) API, LDAP API, WMI API. The data gathered is stored in a repo.dat.bz2 file.
     Note: In debugging mode, a set of intermediate files is generated (domainX.data, serverX.data). These intermediate files are used to build the repo.dat file, which is compressed using bzip into a repo.dat.bz2 file.
  3. Database import: The data in the repo.dat.bz2 file is imported into the database.
  4. Report generation: Fact-Finding Reports and Consolidated Change Log reports can be generated from information in the database. Full-Documentation, Change, and Baseline reports are generated from a specific repo.dat.bz2 file.

Other features of the software include:

  • Scheduling: scheduling data collection, report generation, archiving, etc.
  • Alerting: SMTP and SNMP alerts may be configured.
  • Archiving: file archiving can be used to copy or move files from one location to another. File archiving can also be used to keep directories free of old information. For example, Ecora.log files can be scheduled for deletion regularly. This is especially important if running with the log level set to debugging as the log files can grow very large (GB).
  • Database Archiving: database archiving creates an offline compressed version of the database for use at a later time. The database archiving feature also allows the user the ability to delete information for a specified time period.

General: Installation, Database, Credentials

Common Issues When System Requirements Are Not Met

Note: The System Requirements on the website are actively maintained and are authoritative. The following lists which requirements may be at issue, based on the symptoms seen during troubleshooting.

Slow performance:
  • Pentium IV processor or higher
  • 700 MHz CPU or higher
  • 512 MB RAM or greater
  • Swap file of 1 GB or more (or twice the RAM, whichever is higher).
Unable to view HTML reports:
  • Microsoft Internet Explorer 5.0 SP1 or higher
  • To view the .DOC reports, MS Word or StarOffice must be installed
  • To view the Visio diagrams, Visio 5.0c, Visio 2000, or Visio 2003 (English version) must be installed on both the installation system and the viewing system.
Unable to view tree-control in HTML reports - verify the following requirements are met:
  • Java Virtual Machine;
  • Note: Manual installation may be necessary if running Windows 2003 or Windows XP. In the final release of Windows 2003 Server (all versions) and Windows XP (since SP1a), there is NO integrated Microsoft Java Virtual Machine.
If the database is not functioning as expected or fails completely:
  • Check to ensure MDAC 2.6 or higher.
Alerts problems:
  • To use alerts and triggers, a SNMP manager (v2c traps) or a mail server must be available on the network;
  • To use NetSend alerts, Windows Messenger Service must be running.
NetBIOS discovery doesn't work or unable to browse systems in Network Neighborhood:
  • NetBIOS (over TCP/IP) protocol support;
  • To collect and report Domain AND System level information completely in one report;
  • Client for Microsoft Networks;
  • RPC Service;
  • Note: To report Active Directory, the AD/DS Client is also required.
Systems do not show in Network Neighborhood:
  • Systems not showing in Network Neighborhood can be caused by target systems being marked as hidden, or by the Master Browser not being updated with the system name. In either case, the workaround is to enter the target machine name in the selection set manually and set the hidden flag in the selection set to true for both the machine and the domain.

Databases

MSDE

This database is restricted to 2 GB of data; with MSDE, data must be deleted from the database frequently and the number of collection options limited to avoid hitting the size limit.

Resources: The following link describes the various MSDE and MS-SQL editions, scalability, and system requirements: http://www.databasejournal.com/features/mssql/article.php/1432091.

MS-SQL

Database and Database Log Files - Automatic Growth rate

Ecora software is installed using the default MS-SQL 10% growth rate set for both the database and the database log file.

According to Microsoft: "This growth rate may or may not be ideal for all situations. The growth rate may be adjusted by the database administrator. If you find that your database is growing automatically often (such as daily or several times a week), change the growth percentage to a larger number, such as 20% or 30%. Each time the database has to be increased, SQL Server suffers a small performance hit. By increasing the amount the database grows each time, the less often it will have to grow. If your database is very large, 10GB or larger, you may want to use a fixed growth amount instead of a percentage growth amount. This is because a percentage growth amount can be large on a large database. For example, a 10% growth rate on a 10GB database means that when the database grows, it will increase by 1GB. This may or may not be what you want. For example, a fixed growth rate, such as 100MB at a time, might be more appropriate. [7.0, 2000]"

Resources: http://www.sql-server-performance.com/database_settings.asp

Import the repo.dat.bz2 files into the database via command line

In Auditor 3.5 or later, repos can be imported via the command line.
A sample command line to import a repo:
"C:\Program Files\Ecora\Auditor35\bin\auditor.exe" -i "C:\Outer Data" -m windows -k delete
where the options are:
-i = path of the directory containing the repo.dat file to be imported (here "C:\Outer Data")
-m = module name (windows, ad, exchange, etc.)
-k = {keep | delete} = what to do with the repo file after it has been imported
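The following PowerShell script is an added example, not Ecora's own code: it runs the import described above once per module directory, checking that a repo file is present before calling auditor.exe. The install path, module-to-directory mapping and the assumption that a non-zero exit code means failure are all assumptions for illustration.

```powershell
# Added example (not Ecora's code): import one repo.dat.bz2 per module via the command line.
# Assumptions: Auditor 3.5 install path below; each directory holds one repo file;
# a non-zero exit code from auditor.exe indicates a failed import.
$auditor = 'C:\Program Files\Ecora\Auditor35\bin\auditor.exe'

# Module name -> directory holding that module's repo (constructed sample layout)
$repos = @{
    windows  = 'D:\Collections\windows'
    ad       = 'D:\Collections\ad'
    exchange = 'D:\Collections\exchange'
}

foreach ($module in $repos.Keys) {
    $dir = $repos[$module]
    $repoFile = @('repo.dat.bz2', 'repo.dat') |
        ForEach-Object { Join-Path $dir $_ } |
        Where-Object { Test-Path $_ } |
        Select-Object -First 1
    if (-not $repoFile) {
        Write-Warning "${module}: no repo.dat(.bz2) found in $dir, skipping"
        continue
    }

    # -k keep leaves the repo in place: Full-Documentation, Change and Baseline
    # reports are generated from the repo.dat.bz2 file, not from the database.
    & $auditor -i $dir -m $module -k keep
    if ($LASTEXITCODE -ne 0) {
        Write-Warning "${module}: auditor.exe exited with code $LASTEXITCODE"
    }
}
```

The page's sample uses -k delete; keep is used here so the repo file remains available for report generation after the database import.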

Performance Problems

NTFS Permissions

Consider limiting depth to no more than 4.

Nested shares

Same NTFS performance concern as above: consider limiting depth to no more than 4.

Custom Files and Custom Registry Collection

These are strategic tools to be used judiciously to meet specific needs. Creating a custom file configuration to gather all files on the C drive and then applying it to 100 computers would be overkill and problematic. Select HKLM on specific machines rather than globally.

Users and Groups

Enabling this option increases collection time significantly in large environments. All user information is in the database; only a subset of the information shows up in the full-documentation report.

Reports

For very large collections, consider running data collection only, and target the number and type of reports as a separate job after data collection finishes. If you plan to do collection and reporting in the same job, enabling only the desired output types can improve performance.

WMI Browser

Event logs can be very large, and the entire file is saved with each collection. If this feature is used, the database archiving feature should be used to reduce the size of the database regularly. Set up a scheduled deletion at the same time as the initial WMI event log collection.

Restricting Remote Registry Access

Auditor Professional requires registry connect and registry read privileges on the target computer.

Resources: The following Microsoft KB article discusses restricting remote registry access: http://support.microsoft.com/default.aspx?scid=kb;en-us;153183.

Create and Delete Hidden or Administrative Shares

Resources: http://support.microsoft.com/default.aspx?scid=kb;en-us;314984

Access Denied / Problems with Credentials

Auditor requires domain administrator rights for domains of interest. Credentials can be entered separately for each target system using the Properties... button in System Management.

Runas

The runas command can be used to run Auditor with the domain administrator credentials.

At the command prompt, type:
runas /netonly /user:domain\username "C:\Program Files\Ecora\Auditor36\bin\auditor.exe"
This prompts for the password, then loads the application.

Note: The command needs the full (quoted) path to auditor.exe, or must be run from the auditor\bin directory.

Workgroups

To function properly in a Workgroup, the target must have a matching administrator account (same domain/account/password as the console where Auditor is installed).

Discovery and Data Collection

Test Systems Prior to Collection

The first line of defense against collection problems is to ensure that all devices meet the system requirements prior to attempting collection. Testing systems (in selection sets) prior to collection can help ensure successful data collection. Connections to Unix systems can be verified using telnet. Connections to Windows systems can be tested within the Ecora software using system discovery and the test methods provided in Systems Management.

Unix Systems

Use telnet to verify credentials associated with each machine.

Windows Systems

The Auditor Systems Management feature is helpful in identifying systems that do not meet system requirements prior to data collection.

  1. Click on the Systems button in the toolbar.
  2. Select systems for testing from the systems management screen.
     Tip: If testing systems scheduled for collection, click on the column heading to sort by selection set and select all systems within that selection set.
  3. Click Test... The test feature checks: ping, connecting via the admin$ share, registry connect, registry read, WMI connect, WMI read, and share disconnect. A system failing WMI read can be collected, but WMI-based information is not gathered.
  4. Click Start to run the test of connections.
  5. Report systems that fail to the appropriate owner/administrator of the system for corrections.
  6. Proceed with reporting or schedule the selection set for collection.
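The PowerShell script below is an added example, not part of the Ecora software: it reproduces the checks the Test feature runs (ping, admin$ share, registry connect and read, WMI connect and read) for a list of targets, so that failing systems can be reported to their owners before collection. The target names are constructed, and the registry key read is an assumed choice; it assumes the session runs with the domain administrator credentials Auditor requires.

```powershell
# Added example (not Ecora's code): pre-flight the Systems Management test sequence.
# Assumes the current session holds the admin credentials used for collection.
param(
    [string[]]$Targets = @('server01', 'server02')   # constructed sample names
)

function Test-AuditorTarget {
    param([string]$Computer)
    $r = [ordered]@{ Computer = $Computer; Ping = $false; AdminShare = $false
                     RegConnect = $false; RegRead = $false; WmiConnect = $false; WmiRead = $false }

    # 1. ping
    $r.Ping = Test-Connection -ComputerName $Computer -Count 1 -Quiet

    # 2. admin$ share (needs administrator rights on the target)
    $r.AdminShare = Test-Path "\\$Computer\admin`$"

    # 3/4. remote registry connect, then read (Remote Registry service must be running)
    try {
        $hklm = [Microsoft.Win32.RegistryKey]::OpenRemoteBaseKey('LocalMachine', $Computer)
        $r.RegConnect = $true
        $key = $hklm.OpenSubKey('SOFTWARE\Microsoft\Windows NT\CurrentVersion')  # assumed probe key
        if ($key -and $key.GetValue('ProductName')) { $r.RegRead = $true }
        $hklm.Close()
    } catch { }

    # 5/6. WMI connect, then read
    try {
        $os = Get-WmiObject -Class Win32_OperatingSystem -ComputerName $Computer -ErrorAction Stop
        $r.WmiConnect = $true
        if ($os.Caption) { $r.WmiRead = $true }
    } catch { }

    [pscustomobject]$r
}

$results = $Targets | ForEach-Object { Test-AuditorTarget $_ }
$results | Format-Table -AutoSize

# Ping, admin$, registry connect and registry read are required; a WMI read failure
# still allows collection, but without WMI-based information.
$results | Where-Object { -not ($_.Ping -and $_.AdminShare -and $_.RegConnect -and $_.RegRead) } |
    ForEach-Object { Write-Warning "$($_.Computer): fails a required check, report to system owner" }
```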

Troubleshooting Collection Failures

Missing information in the collections

  • Determine if specific data is being collected or if it can be acquired.
  • Check data collection parameters in the associated selection set.
  • Check custom WMI collection parameters.
  • Check custom registry file parameters.
  • For Unix - check appendix and custom methods.

Machine not collected

  • Verify the machine in a selection set.
  • Verify the selection set is part of a scheduled task.
  • Verify the scheduled task ran successfully.
  • Check the selection set for correct domain (DNS look up to ensure this is accurate).
  • Check selection set for IP address accuracy if discovery method is IP. (If IP is NOT the discovery method, remove IP addresses.)
  • A system can hang during collection: a folder is created, but no repo.dat.bz2 file is written. Check for an orphaned process.