Tips for finding Knowledge Articles

  • - Enter just a few key words related to your question or problem
  • - Add Key words to refine your search as necessary
  • - Do not use punctuation
  • - Search is not case sensitive
  • - Avoid non-descriptive filler words like "how", "the", "what", etc.
  • - If you do not find what you are looking for the first time,reduce the number of key words you enter and try searching again.
  • - Minimum supported Internet Explorer version is IE9
Home  >
article

KB-6309: Findsessions query returns no session and ends with 'Illegal characters in path'

Centrify DirectAudit ,  

2 March,16 at 06:55 PM

Applies to:

DirectAudit FindSessions Utility on Version 3.2.x and below
 
Problem:

Findsessions query returns no session and ends with “Illegal characters in path”.  
 
Reason:

In older version of DirectAudit FindSession utility, exporting session to a file would fail if session user’s name contained one or more special characters such as <unknown>.  If the username that is coming from the agent is being sent as "<unknown>@doman.com", note that it has two characters (< and >) that are invalid for a file name.

Since the code is combining the username and machinename to come up with exported files' name, it results into an invalid file name.   


c:\ProgramFiles\Centrify\DirectManageAudit\AuditAnalyzer>FindSessions.exe /i=nikki1114 /a="1 time is in today" /export=UnixInputOutput /format=csv /path=c:\session

c:\Program Files\Centrify\DirectManage Audit\AuditAnalyzer>Illegal characters in
path.

 

Example record from database:

10299739,49D3B177-994C-BD42-B9EF-8ACDA933640B,0,2015-10-19 15:38:01.767,635808658817674640,0,NULL,NULL,NULL,NULL,NULL,ups3yj6xk76q1.domain.com dalapg0g.domain.com /dev/pts/0 <unknown>@dalapg0g.domain.com <unknown> <unknown> dzdo su - webmaint,NULL,0


Cause:

The issue where the username is reported as <unknown> usually results when the agent does not send the "StartTerminalSession" packet type.  One possibility this may happen is if the local spool file that contains this packet has been deleted.

Workaround:

Apply the following SQL command to clear these special characters from username column of all session records.  This should be run against the Audit Store database to fix the issue. 


Note:  It is safe to run against all attached Audit Store databases


UPDATE dbo.Session SET UserName = 'unknown@' + MachineName WHERE UserName LIKE '<unknown>@%'


Resolution:

This is fixed in Enterprise Suite 2016 (Centrify DirectAudit 3.3.0). 

 

Still have questions? Click here to log a technical support case, or collaborate with your peers in Centrify's Online Community.

Related Articles

No related Articles