HP-UX Host Intrusion Detection System Version 4.1 Administrator's Guide

/var/opt/ids/gui/logs/Trace.log
/var/opt/ids/gui/guiError.log

Agent needs further troubleshooting
Create a directory for the logging information (for example, /var/log).
Restart the idsagent process with debugging enabled:
/sbin/init.d/idsagent stop
/opt/ids/bin/idsagent -d -e -l /var/log/idslog
The debug information can be found in the following files:
/var/log/idslog
/var/log/idslog_idskerndsp
/var/log/idslog_idssysdsp
/var/log/idslog_idscor

Agent does not start after installation
Verify that there are no errors from the install: /var/adm/sw/swagent.log
Be sure the product has been run as user ids. (No other user will work.)
Verify that all keys have been generated as described in “Setting Up HP-UX HIDS Secure Communications” (page 34).
Run /opt/ids/bin/IDS_checkInstall to verify that all required patches have been installed properly prior to installing IDS. IDS_checkInstall should be run on an OS where IDS is installed. If patches are missing, uninstall IDS (swremove), install the patches (see the HP-UX HIDS Release 4.1 Release Notes), and reinstall IDS (swinstall).

Agents appear to be stuck in polling status
In some instances, the combination of the autostatus and autosync processes leaves some agents in “polling” status. The workaround is to use autostatus only, or to perform a manual status to get the agent display into a known state.

Aggregated alert targets or details field is truncated, and the same aggregated alert has several entries logged in the IDS_ALERTFILE
Problem: You may notice that the targets field or the details field of an aggregated alert is truncated. You may also notice that the aggregated alert has several entries in the IDS_ALERTFILE.
Cause: The maximum size of a message on an IPC message queue is smaller than the size of the aggregated alert. The idscor process, which generates the alerts and sends them to the idsagent process over an IPC message queue, must therefore send the aggregated alert in chunks. The idsagent process logs each alert chunk to IDS_ALERTFILE and then sends only the first chunk to the System Manager.
Action: Increase the value of the msgmax and msgmnb kernel tunables, preferably to a value greater than or equal to the size of the aggregated alert.
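The chunking and truncation described in the cause above, shown as an added example rather than code from the HP-UX HIDS guide or the product itself. It splits an alert into fixed-size pieces the way a sender must when a message exceeds the queue limit, reassembles them on the receiving side, and shows how many bytes survive when only the first chunk is forwarded. The type and function names (alert_chunk, chunk_alert, reassemble_alert, roundtrip_chunks, first_chunk_len, queue_msg_qbytes), the 64-byte payload limit and the alert text are this example's own assumptions; the real msgmax is far larger.

```c
/* Added example (not from the HP-UX HIDS guide): alert chunking over a
 * System V message queue and its reassembly. Names and sizes are
 * assumptions made for this example. */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/ipc.h>
#include <sys/msg.h>

#define CHUNK_PAYLOAD 64   /* constructed limit so the demo chunks visibly */

struct alert_chunk {
    long mtype;                 /* message type, required first field for msgsnd */
    unsigned seq;               /* index of this chunk, 0-based */
    unsigned total;             /* number of chunks the alert was split into */
    unsigned len;               /* payload bytes in use */
    char payload[CHUNK_PAYLOAD];
};

/* Split alert into chunks of at most max_payload bytes (capped at CHUNK_PAYLOAD).
 * Stores the array in *out (caller frees) and returns the chunk count, 0 on
 * allocation failure. An empty alert still yields one empty chunk. */
size_t chunk_alert(const char *alert, size_t max_payload, struct alert_chunk **out)
{
    size_t n = strlen(alert);
    if (max_payload == 0 || max_payload > CHUNK_PAYLOAD)
        max_payload = CHUNK_PAYLOAD;
    size_t count = (n == 0) ? 1 : (n + max_payload - 1) / max_payload;
    struct alert_chunk *chunks = calloc(count, sizeof *chunks);
    if (chunks == NULL)
        return 0;
    for (size_t i = 0; i < count; i++) {
        size_t off = i * max_payload;
        size_t len = (n - off < max_payload) ? n - off : max_payload;
        chunks[i].mtype = 1;
        chunks[i].seq = (unsigned)i;
        chunks[i].total = (unsigned)count;
        chunks[i].len = (unsigned)len;
        memcpy(chunks[i].payload, alert + off, len);
    }
    *out = chunks;
    return count;
}

/* Concatenate chunks (in sequence order, which one queue preserves) back into
 * a NUL-terminated alert; caller frees the result. */
char *reassemble_alert(const struct alert_chunk *chunks, size_t count)
{
    size_t total = 0, off = 0;
    for (size_t i = 0; i < count; i++)
        total += chunks[i].len;
    char *buf = malloc(total + 1);
    if (buf == NULL)
        return NULL;
    for (size_t i = 0; i < count; i++) {
        memcpy(buf + off, chunks[i].payload, chunks[i].len);
        off += chunks[i].len;
    }
    buf[total] = '\0';
    return buf;
}

/* Chunk, reassemble and compare: returns the chunk count if lossless, else -1. */
int roundtrip_chunks(const char *alert, size_t max_payload)
{
    struct alert_chunk *chunks = NULL;
    size_t count = chunk_alert(alert, max_payload, &chunks);
    if (count == 0)
        return -1;
    char *back = reassemble_alert(chunks, count);
    int ok = (back != NULL && strcmp(back, alert) == 0);
    free(back);
    free(chunks);
    return ok ? (int)count : -1;
}

/* Bytes delivered by a consumer that forwards only chunk 0 (the truncation
 * symptom the guide describes for the System Manager). */
size_t first_chunk_len(const char *alert, size_t max_payload)
{
    struct alert_chunk *chunks = NULL;
    size_t count = chunk_alert(alert, max_payload, &chunks);
    size_t len = (count > 0) ? chunks[0].len : 0;
    free(chunks);
    return len;
}

/* Per-queue byte limit (msg_qbytes, initialised from msgmnb) read from a
 * throw-away private queue; -1 if message queues are unavailable here. */
long queue_msg_qbytes(void)
{
    int qid = msgget(IPC_PRIVATE, IPC_CREAT | 0600);
    if (qid < 0)
        return -1;
    struct msqid_ds ds;
    long bytes = (msgctl(qid, IPC_STAT, &ds) == 0) ? (long)ds.msg_qbytes : -1;
    msgctl(qid, IPC_RMID, NULL);
    return bytes;
}

int main(void)
{
    /* Constructed alert text, long enough to need several 64-byte chunks. */
    const char *alert = "AGGREGATED ALERT: 5 events | targets=/etc/passwd,/etc/shadow,"
                        "/etc/group,/etc/hosts | details=repeated modification attempts";
    int chunks = roundtrip_chunks(alert, CHUNK_PAYLOAD);
    printf("alert of %zu bytes -> %d chunks, lossless reassembly: %s\n",
           strlen(alert), chunks, chunks > 0 ? "yes" : "no");
    printf("forwarding only chunk 0 delivers %zu bytes (truncated)\n",
           first_chunk_len(alert, CHUNK_PAYLOAD));
    long qbytes = queue_msg_qbytes();
    if (qbytes >= 0)
        printf("msg_qbytes on a new queue (from msgmnb): %ld\n", qbytes);
    else
        printf("System V message queues not available in this environment\n");
    return 0;
}
```

The point of the model is the gap between roundtrip_chunks and first_chunk_len: the log file, which receives every chunk, holds the whole alert spread over several entries, while a consumer that takes only the first message sees a prefix. Raising msgmax and msgmnb so that one message can carry the whole aggregated alert removes the need to chunk at all, which is the action the guide prescribes.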
Troubleshooting 271