Hi Nick,
Can you try the following? Go to src/Makeall and on line 67 (inside the
if HP-UX), change from:
echo "EEXTRA=-DHPUX -D_XOPEN_SOURCE_EXTENDED" >> Config.OS
to:
echo "EEXTRA=-DHPUX -D_XOPEN_SOURCE_EXTENDED -DHIGHFIRST" >> Config.OS
And run "make clean; make all; make build". After that, copy the new
binaries from ../bin to /var/ossec/bin and start the agent (this on the
HP-UX system). I am thinking it can be a byte ordering issue (HP-UX is
big endian). I have it fixed for Solaris and AIX, but not for HP-UX.
Let us know if it fixes the problem or not (so it can be included in the
next version).
Thanks,
--
Daniel B. Cid
dcid ( at ) ossec.net
On 4/3/07, Nick Baronian <kvetch@xxxxxxxxx> wrote:
>
> Hello, I have an agent on a HP-UX 11i box that is generating some odd
> things in the logs and I was hoping someone might be able to help me
> figure out what might be wrong.
>
> After install I first added the agent to the ossec server (linux) and saw
> 2007/04/03 10:18:38 ossec-logcollector: Started (pid: 29826).
> 2007/04/03 10:19:11 ossec-remoted(1403): Incorrectly formated message from '192.168.1.2'.
> I assumed this was because the agent hadn't been started.
>
> The agent was started and below is the output of the HP-UX agent's log.
> 2007/04/03 10:21:57 ossec-execd(1350): Active response disabled. Exiting.
> 2007/04/03 10:21:57 ossec-agentd: Started (pid: 25721).
> 2007/04/03 10:21:57 ossec-agentd: Connecting to server (192.168.1.1:1514).
> 2007/04/03 10:21:59 ossec-syscheckd: Started (pid: 25729).
> 2007/04/03 10:22:03 ossec-agentd(1210): Queue '/queue/alerts/execq' not accessible.
> 2007/04/03 10:22:03 ossec-logcollector(1950): Analyzing file: '/var/adm/syslog'.
> 2007/04/03 10:22:03 ossec-logcollector: Started (pid: 25725).
> 2007/04/03 10:22:18 ossec-agentd(1301): Unable to connect to active response queue.
> 2007/04/03 10:24:13 ossec-logcollector: Process locked. Waiting for permission...
> 2007/04/03 10:26:55 ossec-syscheckd: Process locked. Waiting for permission...
>
> I didn't know what the process locked messages were all about so I had
> the agent restarted (thinking that if the admin had not properly
> started or restarted the agent earlier and a process was still out
> there).
> 2007/04/03 13:55:20 ossec-logcollector(1225): SIGNAL Received. Exit Cleaning...
> 2007/04/03 13:55:20 ossec-syscheckd(1225): SIGNAL Received. Exit Cleaning...
> 2007/04/03 13:55:20 ossec-agentd(1225): SIGNAL Received. Exit Cleaning...
> 2007/04/03 13:55:55 ossec-execd(1350): Active response disabled. Exiting.
> 2007/04/03 13:55:55 ossec-agentd: No previous counter available for 'sysX'.
> 2007/04/03 13:55:55 ossec-agentd: Assigning counter for agent sysX: '0:0'.
> 2007/04/03 13:55:55 ossec-agentd: Assigning sender counter: 0:1
> 2007/04/03 13:55:55 ossec-agentd: Started (pid: 27630).
> 2007/04/03 13:55:55 ossec-agentd: Connecting to server (192.168.1.1:1514).
> 2007/04/03 13:55:57 ossec-syscheckd: Started (pid: 27638).
> 2007/04/03 13:56:01 ossec-agentd(1210): Queue '/queue/alerts/execq' not accessible.
> 2007/04/03 13:56:01 ossec-logcollector(1950): Analyzing file: '/var/adm/syslog'.
> 2007/04/03 13:56:01 ossec-logcollector: Started (pid: 27634).
> 2007/04/03 13:56:16 ossec-agentd(1301): Unable to connect to active response queue
>
> Now we still see the following on the ossec linux server and so far we
> haven't seen any alerts from the HP-UX agent.
> 2007/04/03 13:56:16 ossec-remoted(1403): Incorrectly formated message from '192.168.1.2'
>
> Anyone have any clues to what might be up with our configuration?
> Thanks,
> Nick Baronian
>
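
The byte-order hypothesis from the reply above, as an added example that is not OSSEC code and not written by either poster: a word-oriented checksum only agrees across hosts when the build's HIGHFIRST setting matches the host's byte order. Only the macro name HIGHFIRST comes from the thread; its meaning here (host is big endian), the checksum, the sample bytes and every function name are assumptions made for illustration.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

static const unsigned char SAMPLE[] = "constructed msg!"; /* constructed input */

/* 1 if this host stores the most significant byte first (big endian). */
int host_is_big_endian(void) {
    const uint32_t probe = 1;
    return *(const unsigned char *)&probe == 0;
}

/* Reference decoding: least significant byte first, on any host. */
uint32_t load_le(const unsigned char *p) {
    return p[0] | p[1] << 8 | p[2] << 16 | (uint32_t)p[3] << 24;
}

/* Native load, byte-reversed only when the build passed -DHIGHFIRST. */
uint32_t load_word(const unsigned char *p) {
    uint32_t w;
    memcpy(&w, p, 4);
#ifdef HIGHFIRST
    w = (w >> 24) | ((w >> 8) & 0xff00u) | ((w << 8) & 0xff0000u) | (w << 24);
#endif
    return w;
}

/* 1 if the HIGHFIRST setting of this build agrees with the host. */
int flag_matches_host(void) {
#ifdef HIGHFIRST
    return host_is_big_endian();
#else
    return !host_is_big_endian();
#endif
}

/* Toy word-oriented checksum (hypothetical, not OSSEC's algorithm). */
uint32_t checksum(const unsigned char *msg, size_t nwords,
                  uint32_t (*load)(const unsigned char *)) {
    uint32_t h = 0x811c9dc5u;
    for (size_t i = 0; i < nwords; i++)
        h = (h ^ load(msg + 4 * i)) * 16777619u;
    return h;
}

int main(void) {
    printf("flag matches host: %d, digests agree: %d\n", flag_matches_host(),
           checksum(SAMPLE, 4, load_word) == checksum(SAMPLE, 4, load_le));
    return 0;
}
```

Compiled without -DHIGHFIRST on a big-endian host, or with it on a little-endian one, the two digests differ, so a peer checking the value would reject an otherwise valid message.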