cancel
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Highlighted
Level 7
Report Inappropriate Content
Message 1 of 20

Audit results unknown in Policy Auditor

I'm not receiving any results when I schedule and run audits using ePO 4.0 and PA 5.2.0.152.  The audit status shows unknown for every audit/benchmark I attempt.  Any sugestions?  How can I tell if the audit is even running on the client?

Thanks,

Lost in policy...  🙂

19 Replies
Highlighted

Re: Audit results unknown in Policy Auditor

Check and make sure your McAfee Audit Management service is running on your target machine.

Highlighted
Level 7
Report Inappropriate Content
Message 3 of 20

Re: Audit results unknown in Policy Auditor

Checked - The McAfee Audit Management service was already running on the target systems.  Any other thoughts?

Highlighted

Re: Audit results unknown in Policy Auditor

Do you see the audit launch in the paagent.log on the target machine?  Do you have the process audit results server task running?  Would you be willing to provide the afore mentioned paagent log?

Highlighted
Level 7
Report Inappropriate Content
Message 5 of 20

Re: Audit results unknown in Policy Auditor

Process audit results runs daily on the server.  The audit appears to run, although I'm not sure what to check!

here are the log snippets:

AUDIT MANAGER:


(initial install of agent)

2010-Aug-21 11:42:39 INFO AuditManager : ======================================================
2010-Aug-21 11:42:39 INFO AuditManager : Startup Date/Time: 2010-Aug-21 11:42:39
2010-Aug-21 11:42:39 INFO AuditManager : Version 5.2.0, built on Aug 27 2009 at 15:47:30
2010-Aug-21 11:42:39 INFO AuditManager : ======================================================
2010-Aug-21 11:42:40 INFO AuditManager : ======================================================
2010-Aug-21 11:42:40 INFO AuditManager : End TIme:  2010-Aug-21 11:42:40
2010-Aug-21 11:42:40 INFO AuditManager : ======================================================
2010-Aug-21 11:42:40 INFO AuditManager : ======================================================
2010-Aug-21 11:42:40 INFO AuditManager : Startup Date/Time: 2010-Aug-21 11:42:40
2010-Aug-21 11:42:40 INFO AuditManager : Version 5.2.0, built on Aug 27 2009 at 15:47:30
2010-Aug-21 11:42:40 INFO AuditManager : ======================================================
2010-Aug-21 11:42:40 INFO AuditManager : Service Name: McAfeeAuditManager
2010-Aug-21 11:42:40 INFO AuditManager : Report - Start Service Pending
2010-Aug-21 11:42:40 INFO AuditManager : Initialize Service
2010-Aug-21 11:42:40 INFO AuditManager : Report - Service Running
2010-Aug-21 11:42:40 INFO AuditManager : EventLog - Service Started Successfully
2010-Aug-21 11:42:40 INFO AuditManager : Waiting for next event...
2010-Aug-21 11:42:47 INFO AuditManager : Event signaled: Processing event...
2010-Aug-21 11:42:47 INFO AuditManager : Enforcing content policy
2010-Aug-21 11:42:47 INFO AuditEngine : ContentDatabase::open()
2010-Aug-21 11:42:47 INFO AuditEngine : Content has never been updated
2010-Aug-21 11:42:47 INFO AuditEngine : Content has never been updated
2010-Aug-21 11:42:47 INFO AuditManager : XCCDF content is out of date
2010-Aug-21 11:42:47 INFO AuditManager : OVAL content is out of date
2010-Aug-21 11:42:47 ERROR AuditEngine : 3 error preparing create statement: no such table: benchmark
2010-Aug-21 11:42:47 ERROR AuditManager : A fatal error occurred importing custom oval content: 3 error preparing create statement: no such table: benchmark
2010-Aug-21 11:42:47 INFO AuditManager : Enforced content policy
2010-Aug-21 11:42:47 INFO AuditManager : Completed processing event...
2010-Aug-21 11:42:47 INFO AuditManager : Waiting for next event...
2010-Aug-21 11:47:49 INFO AuditManager : Event signaled: Processing event...
2010-Aug-21 11:47:49 INFO AuditManager : Enforcing content policy
2010-Aug-21 11:47:49 INFO AuditEngine : ContentDatabase::open()
2010-Aug-21 11:47:49 INFO AuditEngine : Content has never been updated
2010-Aug-21 11:47:49 INFO AuditEngine : Content has never been updated
2010-Aug-21 11:47:49 INFO AuditManager : XCCDF content is out of date
2010-Aug-21 11:47:49 INFO AuditManager : OVAL content is out of date
2010-Aug-21 11:47:56 INFO AuditEngine : ContentDatabase::setLastUpdate(56520a0f-e117-4c95-a450-ba50a9bd583c, BENCHMARK)
2010-Aug-21 11:47:57 INFO AuditEngine : ContentDatabase::setLastUpdate(2, OVAL)
2010-Aug-21 11:47:58 INFO AuditManager : Enforced content policy
2010-Aug-21 11:47:58 INFO AuditManager : Completed processing event...
2010-Aug-21 11:47:58 INFO AuditManager : Waiting for next event...
2010-Aug-21 11:52:51 INFO AuditManager : Event signaled: Processing event...
2010-Aug-21 11:52:51 INFO AuditManager : Enforcing content policy
2010-Aug-21 11:52:51 INFO AuditEngine : ContentDatabase::open()
2010-Aug-21 11:52:51 INFO AuditManager : XCCDF content is current
2010-Aug-21 11:52:51 INFO AuditManager : OVAL content is current
2010-Aug-21 11:52:51 INFO AuditManager : Enforced content policy
2010-Aug-21 11:52:51 INFO AuditManager : Completed processing event...
2010-Aug-21 11:52:51 INFO AuditManager : Waiting for next event...

... (following reboot?)

2010-Aug-24 14:05:58 INFO AuditManager : ======================================================
2010-Aug-24 14:05:58 INFO AuditManager : End TIme:  2010-Aug-24 14:05:58
2010-Aug-24 14:05:58 INFO AuditManager : ======================================================
2010-Aug-24 14:08:58 INFO AuditManager : ======================================================
2010-Aug-24 14:08:58 INFO AuditManager : Startup Date/Time: 2010-Aug-24 14:08:58
2010-Aug-24 14:08:58 INFO AuditManager : Version 5.2.0, built on Aug 27 2009 at 15:47:30
2010-Aug-24 14:08:58 INFO AuditManager : ======================================================
2010-Aug-24 14:08:59 INFO AuditManager : Service Name: McAfeeAuditManager
2010-Aug-24 14:08:59 INFO AuditManager : Report - Start Service Pending
2010-Aug-24 14:08:59 INFO AuditManager : Initialize Service
2010-Aug-24 14:08:59 INFO AuditManager : Report - Service Running
2010-Aug-24 14:08:59 INFO AuditManager : EventLog - Service Started Successfully
2010-Aug-24 14:08:59 INFO AuditManager : Waiting for next event...
2010-Aug-24 14:09:29 INFO AuditManager : Event signaled: Processing event...
2010-Aug-24 14:09:29 INFO AuditManager : Enforcing content policy
2010-Aug-24 14:09:29 INFO AuditEngine : ContentDatabase::open()
2010-Aug-24 14:09:29 INFO AuditManager : XCCDF content is current
2010-Aug-24 14:09:29 INFO AuditManager : OVAL content is current
2010-Aug-24 14:09:29 INFO AuditManager : Enforced content policy
2010-Aug-24 14:09:29 INFO AuditManager : Completed processing event...
2010-Aug-24 14:09:29 INFO AuditManager : Waiting for next event...
2010-Aug-24 14:13:13 INFO AuditManager : Event signaled: Processing event...
2010-Aug-24 14:13:13 INFO AuditManager : Enforcing content policy
2010-Aug-24 14:13:13 INFO AuditEngine : ContentDatabase::open()
2010-Aug-24 14:13:13 INFO AuditManager : XCCDF content is current
2010-Aug-24 14:13:13 INFO AuditManager : OVAL content is current
2010-Aug-24 14:13:13 INFO AuditManager : Enforced content policy
2010-Aug-24 14:13:13 INFO AuditManager : Completed processing event...
2010-Aug-24 14:13:13 INFO AuditManager : Waiting for next event...
2010-Aug-24 14:17:48 INFO AuditManager : Event signaled: Processing event...
2010-Aug-24 14:17:48 INFO AuditManager : Enforcing content policy
2010-Aug-24 14:17:48 INFO AuditEngine : ContentDatabase::open()
2010-Aug-24 14:17:48 INFO AuditManager : XCCDF content is current
2010-Aug-24 14:17:48 INFO AuditManager : OVAL content is current
2010-Aug-24 14:17:48 INFO AuditManager : Enforced content policy
2010-Aug-24 14:17:48 INFO AuditManager : Completed processing event...
2010-Aug-24 14:17:48 INFO AuditManager : Waiting for next event...
2010-Aug-24 14:22:40 INFO AuditManager : Event signaled: Processing event...
2010-Aug-24 14:22:40 INFO AuditManager : Enforcing content policy
2010-Aug-24 14:22:40 INFO AuditEngine : ContentDatabase::open()
2010-Aug-24 14:22:40 INFO AuditManager : XCCDF content is current
2010-Aug-24 14:22:40 INFO AuditManager : OVAL content is current
2010-Aug-24 14:22:40 INFO AuditManager : Enforced content policy
2010-Aug-24 14:22:40 INFO AuditManager : Completed processing event...
2010-Aug-24 14:22:40 INFO AuditManager : Waiting for next event...


AUDIT CONTENT UPDATE (tail)

2010-Aug-21 11:44:15 INFO AuditEngine : inserting oval:com.mcafee.oval:def:94551
2010-Aug-21 11:44:15 INFO AuditEngine : inserting oval:com.ae:def:712201001
2010-Aug-21 11:44:15 INFO AuditEngine : inserting mfe-filerights-nootheraccess.xsl
2010-Aug-21 11:44:15 INFO AuditEngine : inserting oval:com.ae:def:712201010
2010-Aug-21 11:44:15 INFO AuditEngine : inserting oval:com.ae:def:712201115
2010-Aug-21 11:44:15 INFO AuditEngine : inserting oval:com.ae:def:712201019
2010-Aug-21 11:44:15 INFO AuditEngine : inserting oval:com.ae:def:712201123
2010-Aug-21 11:44:15 INFO AuditEngine : inserting oval:com.ae:def:712201027
2010-Aug-21 11:44:15 INFO AuditEngine : inserting oval:com.ae:def:712201035
2010-Aug-21 11:44:15 INFO AuditEngine : inserting oval:com.ae:def:712201043
2010-Aug-21 11:44:15 INFO AuditEngine : inserting oval:com.ae:def:712201051
2010-Aug-21 11:44:15 INFO AuditEngine : inserting oval:com.ae:def:712201059
2010-Aug-21 11:44:15 INFO AuditEngine : inserting oval:com.ae:def:712201067
2010-Aug-21 11:44:15 INFO AuditEngine : inserting oval:com.ae:def:712201075
2010-Aug-21 11:44:15 INFO AuditEngine : inserting oval:com.ae:def:712201083
2010-Aug-21 11:44:15 INFO AuditEngine : inserting oval:com.ae:def:712201091
2010-Aug-21 11:44:15 INFO AuditEngine : inserting oval:com.ae:def:712201099
2010-Aug-21 11:44:15 INFO AuditEngine : inserting oval:com.ae:def:712201107
2010-Aug-21 11:44:15 INFO AuditEngine : inserting oval:com.ae:def:712201131
2010-Aug-21 11:44:15 INFO AuditEngine : inserting oval:com.mcafee.oval:def:65839.xsl
2010-Aug-21 11:44:15 INFO AuditEngine : inserting oval:com.mcafee.oval.def:65841.xsl
2010-Aug-21 11:44:15 INFO AuditEngine : inserting oval:com.mcafee.oval.def:65842.xsl
2010-Aug-21 11:44:15 INFO AuditEngine : inserting oval:com.mcafee.oval.def:65850.xsl
2010-Aug-21 11:44:15 INFO AuditEngine : inserting oval:com.mcafee.oval.def:81180.xsl
2010-Aug-21 11:44:15 INFO AuditEngine : inserting oval:com.mcafee.oval.def:81295.xsl
2010-Aug-21 11:44:15 INFO AuditEngine : inserting oval:com.mcafee.oval.def:83310.xsl
2010-Aug-21 11:44:15 INFO AuditEngine : inserting mfe-filerights-common.xsl
2010-Aug-21 11:44:15 INFO AuditEngine : Content Update succeeded.
2010-Aug-21 11:44:15 INFO AuditEngine : update succeeded

Highlighted
Level 9
Report Inappropriate Content
Message 6 of 20

Re: Audit results unknown in Policy Auditor

The reason your audits were not running originally is the following error you posted:

2010-Aug-21 11:42:47 ERROR AuditEngine : 3 error preparing create statement: no such table: benchmark
2010-Aug-21 11:42:47 ERROR AuditManager : A fatal error occurred importing custom oval content: 3 error preparing create statement: no such table: benchmark

This indicates a version mismatch of Audit Engine Content between the PA Server and Agents. Now that the content has been updated (Audit Content Update log shows this) the audits should be running and returning results to the server.

If this is not the case, what indication exists that this only affects PA audit results? Keep in mind that audits may run without error, but until they are sent back to the ePO/PA server along with all of the other event types (VSE events, anything also managed by the Mcafee Agent), the results will continue to show an 'unknown' result.

Any entries in the paagent.log in the ..\Policy Auditor Agent\engine directory? This is the log which records any activity by the auditing engine (enginemain.exe). The most interesting parts of the log will begin right after the engine starts up, so if you start from the bottom of the log, search 'up' from there for "Version 5.2.".

Highlighted
Level 7
Report Inappropriate Content
Message 7 of 20

Re: Audit results unknown in Policy Auditor

>Any entries in the paagent.log in the ..\Policy Auditor Agent\engine directory?

No.  That file doesn't exist in that directory.

FWIW - tried running a manual check using a checks.xml I created, but couldn't get the syntax correct.  After attempting the check, the log file is there.

Message was edited by: jonemy on 8/26/10 11:13:01 PM CDT
Highlighted
Level 9
Report Inappropriate Content
Message 8 of 20

Re: Audit results unknown in Policy Auditor

How often are your audits configured to run? Anything recent in the paagent.log in the Audit Manager directory?

Highlighted
Level 7
Report Inappropriate Content
Message 9 of 20

Re: Audit results unknown in Policy Auditor

>> How often are your audits configured to run?

Daily?  When the audit was created, I said results no older than 1 day and clicked next.

>> Anything recent in the paagent.log in the Audit Manager directory?

Same as above - cycling with:

2010-Aug-24 14:22:40 INFO AuditManager : Event signaled: Processing event...
2010-Aug-24 14:22:40 INFO AuditManager : Enforcing content policy
2010-Aug-24 14:22:40 INFO AuditEngine : ContentDatabase::open()
2010-Aug-24 14:22:40 INFO AuditManager : XCCDF content is current
2010-Aug-24 14:22:40 INFO AuditManager : OVAL content is current
2010-Aug-24 14:22:40 INFO AuditManager : Enforced content policy
2010-Aug-24 14:22:40 INFO AuditManager : Completed processing event...
2010-Aug-24 14:22:40 INFO AuditManager : Waiting for next event...

Highlighted

Re: Audit results unknown in Policy Auditor

Have you tried deleting the Audit you currently have configured, letting the Agent complete a couple check-in cycles, then recreating the audit? You may need to contact Support for further analysis.

You Deserve an Award
Don't forget, when your helpful posts earn a kudos or get accepted as a solution you can unlock perks and badges. Those aren't the only badges, either. How many can you collect? Click here to learn more.

Community Help Hub

    New to the forums or need help finding your way around the forums? There's a whole hub of community resources to help you.

  • Find Forum FAQs
  • Learn How to Earn Badges
  • Ask for Help
Go to Community Help

Join the Community

    Thousands of customers use the McAfee Community for peer-to-peer and expert product support. Enjoy these benefits with a free membership:

  • Get helpful solutions from McAfee experts.
  • Stay connected to product conversations that matter to you.
  • Participate in product groups led by McAfee employees.
Join the Community
Join the Community