DirectAudit FindSessions Utility on Version 3.2.x and below
FindSessions query returns no sessions and ends with “Illegal characters in path”.
In older versions of the DirectAudit FindSessions utility, exporting a session to a file fails if the session user’s name contains one or more special characters, such as <unknown>. If the agent sends the username as "<unknown>@domain.com", it contains two characters (< and >) that are invalid in a file name.
Because the code combines the username and machine name to build the exported file's name, the result is an invalid file name.
c:\Program Files\Centrify\DirectManage Audit\AuditAnalyzer>FindSessions.exe /i=nikki1114 /a="1 time is in today" /export=UnixInputOutput /format=csv /path=c:\session
c:\Program Files\Centrify\DirectManage Audit\AuditAnalyzer>Illegal characters in
Example record from database:
10299739,49D3B177-994C-BD42-B9EF-8ACDA933640B,0,2015-10-19 15:38:01.767,635808658817674640,0,NULL,NULL,NULL,NULL,NULL,ups3yj6xk76q1.domain.com dalapg0g.domain.com /dev/pts/0 <unknown>@dalapg0g.domain.com <unknown> <unknown> dzdo su - webmaint,NULL,0
Cause:
The username is usually reported as <unknown> when the agent does not send the "StartTerminalSession" packet type. One way this can happen is if the local spool file that contains this packet has been deleted.
Workaround:
Apply the following SQL command to clear these special characters from the username column of all session records. Run it against the Audit Store database to fix the issue.
Note: It is safe to run against all attached Audit Store databases.
UPDATE dbo.Session SET UserName = 'unknown@' + MachineName WHERE UserName LIKE '<unknown>@%'
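The workaround above with a preview and a verified transaction around it, as an added example that is not Centrify's own script. It assumes SQL Server (T-SQL) and takes only dbo.Session, UserName and MachineName from the article; the wider character check and the NULL MachineName check go beyond what the article covers.

```sql
-- Added example, not Centrify's script. T-SQL; run in the Audit Store database.
-- Only dbo.Session, UserName and MachineName are taken from the article.
SET XACT_ABORT ON;  -- a runtime error rolls the whole transaction back

-- 1. Preview the rows the workaround will rewrite, per machine.
SELECT MachineName, COUNT(*) AS AffectedSessions
FROM dbo.Session
WHERE UserName LIKE '<unknown>@%'
GROUP BY MachineName
ORDER BY AffectedSessions DESC;

-- 2. Beyond the article: user names holding any other character that
--    Windows rejects in a file name (< > : " / \ | ? *).
SELECT UserName, MachineName, COUNT(*) AS Sessions
FROM dbo.Session
WHERE UserName LIKE '%[<>:"/\|?*]%'
  AND UserName NOT LIKE '<unknown>@%'
GROUP BY UserName, MachineName;

-- 3. Apply the article's UPDATE inside a transaction and verify the result.
DECLARE @expected INT, @nullMachine INT, @updated INT;

BEGIN TRANSACTION;

SELECT @expected    = COUNT(*),
       @nullMachine = SUM(CASE WHEN MachineName IS NULL THEN 1 ELSE 0 END)
FROM dbo.Session WITH (UPDLOCK, HOLDLOCK)   -- hold the rows until commit
WHERE UserName LIKE '<unknown>@%';

UPDATE dbo.Session
SET UserName = 'unknown@' + MachineName
WHERE UserName LIKE '<unknown>@%';
SET @updated = @@ROWCOUNT;

-- 'unknown@' + NULL yields NULL, so refuse to commit if any MachineName was NULL.
IF @updated = @expected
   AND ISNULL(@nullMachine, 0) = 0
   AND NOT EXISTS (SELECT 1 FROM dbo.Session WHERE UserName LIKE '<unknown>@%')
BEGIN
    COMMIT TRANSACTION;
    PRINT 'Committed. Rows updated: ' + CAST(@updated AS VARCHAR(12));
END
ELSE
BEGIN
    ROLLBACK TRANSACTION;
    PRINT 'Rolled back. Check the row counts and NULL MachineName values.';
END
```

Keep the output of step 1 with the change record, since the update rewrites audit data in place.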
This is fixed in Enterprise Suite 2016 (Centrify DirectAudit 3.3.0).