[ossec-list] Re: HP-UX process lock / Incorrectly formated message question

["Daniel Cid" <daniel.cid@xxxxxxxxx>]

Hi Nick,

Can you try the following? Go to src/Makeall and on line 67, (inside
the if HP-UX),
change from:

echo "EEXTRA=-DHPUX -D_XOPEN_SOURCE_EXTENDED" >> Config.OS

to:

echo "EEXTRA=-DHPUX -D_XOPEN_SOURCE_EXTENDED -DHIGHFIRST" >> Config.OS

And run "make clean; make all;make build". After that, copy the new
binaries from
../bin to /var/ossec/bin and start the agent (this on the HP-UX
system). I am thinking
it can be a byte ordering issue (hp-ux is big endian). I have it fixed
for solaris and AIX,
but not for HP-UX.. Let us know if it fixes the problem or not (so it
can be included in the
next version).

Thanks,

--
Daniel B. Cid
dcid ( at ) ossec.net




On 4/3/07, Nick Baronian <kvetch@xxxxxxxxx> wrote:
> Hello, I have an agent on a HP-UX 11i box that is generating some odd
> things in the logs and I was hoping someone might be able to help me
> figure out what might be wrong.
>
> After install I first added the agent to the ossec server (linux) and saw
> 2007/04/03 10:18:38 ossec-logcollector: Started (pid: 29826).
> 2007/04/03 10:19:11 ossec-remoted(1403): Incorrectly formated message
> from '192.168.1.2'.
> I assumed this was because the agent hadn't been started.
>
> The agent was started and below is the output of the HP-UX agent's log.
> 2007/04/03 10:21:57 ossec-execd(1350): Active response disabled. Exiting.
> 2007/04/03 10:21:57 ossec-agentd: Started (pid: 25721).
> 2007/04/03 10:21:57 ossec-agentd: Connecting to server (192.168.1.1:1514).
> 2007/04/03 10:21:59 ossec-syscheckd: Started (pid: 25729).
> 2007/04/03 10:22:03 ossec-agentd(1210): Queue '/queue/alerts/execq'
> not accessible.
> 2007/04/03 10:22:03 ossec-logcollector(1950): Analyzing file: '/var/adm/syslog'.
> 2007/04/03 10:22:03 ossec-logcollector: Started (pid: 25725).
> 2007/04/03 10:22:18 ossec-agentd(1301): Unable to connect to active
> response queue.
> 2007/04/03 10:24:13 ossec-logcollector: Process locked. Waiting for
> permission...
> 2007/04/03 10:26:55 ossec-syscheckd: Process locked. Waiting for permission...
>
> I didn't know what the process locked messages were all about so I had
> the agent restarted (thinking that if the admin had not properly
> started or restart the agent earlier and a process was still out
> there)
> 2007/04/03 13:55:20 ossec-logcollector(1225): SIGNAL Received. Exit Cleaning...
> 2007/04/03 13:55:20 ossec-syscheckd(1225): SIGNAL Received. Exit Cleaning...
> 2007/04/03 13:55:20 ossec-agentd(1225): SIGNAL Received. Exit Cleaning...
> 2007/04/03 13:55:55 ossec-execd(1350): Active response disabled. Exiting.
> 2007/04/03 13:55:55 ossec-agentd: No previous counter available for 'sysX'.
> 2007/04/03 13:55:55 ossec-agentd: Assigning counter for agent sysX: '0:0'.
> 2007/04/03 13:55:55 ossec-agentd: Assigning sender counter: 0:1
> 2007/04/03 13:55:55 ossec-agentd: Started (pid: 27630).
> 2007/04/03 13:55:55 ossec-agentd: Connecting to server (192.168.1.1:1514).
> 2007/04/03 13:55:57 ossec-syscheckd: Started (pid: 27638).
> 2007/04/03 13:56:01 ossec-agentd(1210): Queue '/queue/alerts/execq'
> not accessible.
> 2007/04/03 13:56:01 ossec-logcollector(1950): Analyzing file: '/var/adm/syslog'.
> 2007/04/03 13:56:01 ossec-logcollector: Started (pid: 27634).
> 2007/04/03 13:56:16 ossec-agentd(1301): Unable to connect to active
> response queue
>
> Now we still see the following on the ossec linux server and so far we
> haven't seen any alerts from the HP-UX agent.
> 2007/04/03 13:56:16 ossec-remoted(1403): Incorrectly formated message
> from '192.168.1.2'
>
> Anyone have any clues to what might be up with our configuration?
> Thanks,
> Nick Baronian