Discovery Problems

Troubleshoot Open-AudIT discovery issues including devices not found, duplicate records, Nmap problems, stuck queues, and cross-platform auditing.

ExpertUpdated Apr 10, 2026
On this page

Discovery Problems

Problem: Discovery Finds Nothing (or Very Little)

If a discovery runs but doesn't return the data you expect, work through these steps.

Step 1: Check That the Device Is Reachable

Open a terminal on the Open-AudIT server and run:

nmap -F <ip_of_device>

If this returns no open ports, the problem is on the target device side — firewall rules, the device being powered off, or a routing issue. Open-AudIT cannot discover a device that Nmap can't reach.

Step 2: Check for SNMP Only

Run this to test SNMP specifically:

nmap -sU -p 161 <ip_of_device>

If the only open port is UDP/161 (SNMP), Open-AudIT won't consider it a valid device by default, because many firewalls respond to SNMP regardless of whether a real device is there. This is a false-positive prevention measure.

Workaround: If you're sure the device is real, edit /usr/local/open-audit/other/discover_subnet.sh and set consider_161_enough to "y".

Step 3: Check Whether a Full Audit Ran

Log in to Open-AudIT and view the device details. Under Summary → Details, look at the Last Seen By field:

  • If it says NMAP — a full audit has not completed. Open-AudIT found the device but couldn't authenticate.
  • If it says SNMP, SSH, or Audit — authentication worked but something else may be incomplete.

Step 4: Increase Log Level and Re-run

Set log_level to 7 (under Menu → Admin → Configuration), then re-run the discovery for that device. Check the Discovery Log (on the device details page, under Discovery Log in the left sidebar).

Look for:

  • Which ports are showing as open (SSH Status, WMI Status, SNMP — should be true for the protocol you're using)
  • Whether credential testing is succeeding
  • Any error messages during the audit script execution

Step 5: Verify Credential Configuration

Check that you have valid credentials of the right type:

  • Windows devices need WMI credentials (Administrator account preferred)
  • Linux/Mac/Unix devices need SSH credentials (root or sudo-enabled user)
  • Network devices need SNMP community strings

See Setting Up Credentials for details.

Step 6: Check Firewall and Port Requirements

ProtocolRequired Ports
WMI (Windows)TCP 135 + dynamic ports (see Microsoft documentation)
SSH (Linux/Mac)TCP 22
SNMPUDP 161

For Windows Core servers, you may need to explicitly allow WMI through the firewall remotely.


Problem: Duplicate Devices or Missing Devices

If the same physical device keeps getting created as a new record, or an existing record gets unexpectedly overwritten, this is a matching problem.

See Matching Devices for a full explanation. The short version:

  • Duplicate devices — None of the match rules fired. Usually caused by VM cloning, DHCP address changes, or devices that have very little identifying information.
  • Overwritten devices — A match rule fired incorrectly. Common with cloned VMs where identifiers like D-Bus ID or MAC addresses are shared.

To diagnose, check the Discovery Log for the device and look at which field triggered (or failed to trigger) a match. Then review your match rule configuration under Menu → Admin → Configuration (search for match_).


Problem: Discovery Stopped Working After an Nmap Upgrade

On Red Hat / CentOS systems, upgrading or downgrading Nmap can sometimes remove the SUID bit. Fix it with:

chmod u+s /usr/bin/nmap

Problem: Discovery Queue Is Stuck

If you suspect the discovery queue has hung (jobs in the queue but no progress for an hour or more):

Check queue depth:

mysql -u openaudit -popenauditpassword openaudit -e "SELECT COUNT(id) FROM queue;"

Clear the queue:

mysql -u openaudit -popenauditpassword openaudit -e "DELETE FROM queue;"
mysql -u openaudit -popenauditpassword openaudit -e "UPDATE configuration SET value = 0 WHERE name = 'queue_count';"

Restart Apache to kill any stuck processes:

sudo service httpd restart      # RHEL/CentOS
sudo service apache2 restart    # Debian/Ubuntu

Restart queue processing by visiting this URL in a browser (after Apache is back up):

http://YOUR_SERVER/open-audit/index.php/util/queue

Problem: Windows Device Not Being Audited From Linux Open-AudIT Server

When Open-AudIT runs on Linux and audits Windows machines, it copies the audit script to the Windows target via SMB and runs it remotely. This requires:

  • SMB (port 445) open from the Open-AudIT server to the Windows target
  • A valid Windows Administrator account in your credentials
  • The Windows target configured to allow remote script execution

See Auditing Windows from Linux on the wiki for more detail.

Was this page helpful?