HPE Community
Operating System - HP-UX
1834137 Members
2388 Online
110064 Solutions
New Discussion

audisp failed to display, error code

 
Leahi
Frequent Advisor

‎06-12-2006 07:35 AM

‎06-12-2006 07:35 AM

audisp failed to display, error code

Getting error code when audisp is executed on CLI and via SAM:

The attempt to retrieve the audit log output using audisp(1M) failed. The command return was "-1" and the standard error output was: audisp: cannot back-reference pid indent. information.

Any help is appreciated. Thank you.
0 Kudos
Reply
11 REPLIES 11
ratan nalumasu
Occasional Advisor

‎06-14-2006 07:19 AM

‎06-14-2006 07:19 AM

Re: audisp failed to display, error code

Sounds like there was a problem parsing the data or the data was corrupted at the collection time. What was the OS on which the data was collected, and how many processors did it have, and if it is 11.23: was the machine in trusted mode or not (check for the /tcb directory) and was the machine an IA64 box?

Thanks
Ratan
0 Kudos
Reply
Leahi
Frequent Advisor

‎06-14-2006 12:09 PM

‎06-14-2006 12:09 PM

Re: audisp failed to display, error code

Running b.11.11
on b2600 box
on trusted mode

What's IA64? How can I check if this is so (syntax on CLI)? Thanks.
0 Kudos
Reply
ratan nalumasu
Occasional Advisor

‎06-14-2006 01:44 PM

‎06-14-2006 01:44 PM

Re: audisp failed to display, error code

IA64 is the architecture--you can find this by running "model" or "uname -m". 11.11 runs only on PA architecture. So, that is not a problem. How many processors does the machine have? Though the symptoms differe, it occurs to me that this was fixed in PHKL_28446 (but if the machine has multiple processors, that theory won't hold). Does the output of "what /usr/conf/lib/libaudit.a" show either PHKL_28446 or PHKL_32126 (which superceds the PHKL_28446)?

When does the audisp print the above error message? As soon as it starts up or after printing a few records? Also, as a diagnostic to see if only a couple of audit records got corrupted, could you run a command, say "audisp -e admin " so that it tries to skip over all audit records other than admin related events? If that works, we can conclude that the so called identification record got written to a different trail and figure out how to get it back.
0 Kudos
Reply
ratan nalumasu
Occasional Advisor

‎06-14-2006 01:45 PM

‎06-14-2006 01:45 PM

Re: audisp failed to display, error code

IA64 is the architecture--you can find this by running "model" or "uname -m". 11.11 runs only on PA architecture. So, that is not a problem. How many processors does the machine have? Though the symptoms differ, it occurs to me that this was fixed in PHKL_28446 (but if the machine has multiple processors, that theory won't hold). Does the output of "what /usr/conf/lib/libaudit.a" show either PHKL_28446 or PHKL_32126 (which supersedes the PHKL_28446)?

When does the audisp print the above error message? As soon as it starts up or after printing a few records? Also, as a diagnostic to see if only a couple of audit records got corrupted, could you run a command, say "audisp -e admin " so that it tries to skip over all audit records other than admin related events? If that works, we can conclude that the so called identification record got written to a different trail and figure out how to get it back.
0 Kudos
Reply
Michael Steele_2
Honored Contributor

‎06-14-2006 02:43 PM

‎06-14-2006 02:43 PM

Re: audisp failed to display, error code

Think you ought to patch up beginning with SAM and audisp:

s700_800 11.11 audisp(1M) cumulative patch PHCO_27704
posted: 2002/10/03
notes: PHCO_27704
posted: 2002/10/03
notes:
s700_800 11.11 audit subsystem cumulative patch PHKL_32126
posted: 2005/03/24
notes: PHKL_32126
posted: 2005/03/24
notes:
s700_800 11.11 CDE Applications Patch PHSS_33326
posted: 2005/07/20
notes: PHSS_34101
posted: 2006/01/25
notes:


Support Fatherhood - Stop Family Law
0 Kudos
Reply
Darren Prior
Honored Contributor

‎06-14-2006 08:18 PM

‎06-14-2006 08:18 PM

Re: audisp failed to display, error code

Hi Leahi,

I've seen something similar to this before:

How frequently do you change audit log files?
What server model are you using?
How accurate is the server clock - if you're using NTP does it need to update the clock frequently?

best regards,

Darren.
Calm down. It's only ones and zeros...
0 Kudos
Reply
Leahi
Frequent Advisor

‎06-15-2006 06:39 AM

‎06-15-2006 06:39 AM

Re: audisp failed to display, error code

Thanks, all.

I'll research all your questions and get back with you ASAP.

I need this fix before our security inspection.
0 Kudos
Reply
Leahi
Frequent Advisor

‎06-15-2006 06:43 AM

‎06-15-2006 06:43 AM

Re: audisp failed to display, error code

Thanks, all.

I'll research all your questions and get back with you ASAP.

I need this fix before our security inspection.

also, it happened on our HP9000 rp4410 servers running on 11.11i, dual processor, trusted mode.
0 Kudos
Reply
Leahi
Frequent Advisor

‎06-15-2006 07:39 AM

‎06-15-2006 07:39 AM

Re: audisp failed to display, error code

all machines have identical patches.
Model: 9000/785/b2600, single processor

Output /usr/conf/lib/libaudit.a: missing PHKL_32126 patch.

Error prints as soon as it starts up; no records shown.

audisp -e admin : "can't open filename"

I'm missing patches: PHKL_32126/PHSS_3326.

Also, we haven't worked out how we would backup audfile2, so we've just been clearing it when it fills-up with "cp /dev/null audfile2".

How do I check if NTP server is in sync with clients or how to config?

Thank you.
0 Kudos
Reply
Darren Prior
Honored Contributor

‎06-15-2006 09:41 PM

‎06-15-2006 09:41 PM

Re: audisp failed to display, error code

Hi Leahi,

The fact that the message appears immediately suggests to me that the error is at the start of the file. It is important to note that you should be using audomon and audsys to monitor and switch audit files otherwise there's a possibility of corruption.

I would also suggest that you ensure that the patches you mentioned are installed correctly.

Regarding NTP, I believe it logs information into syslog showing how much it has had to adjust the clock by.

best regards,

Darren.
Calm down. It's only ones and zeros...
0 Kudos
Reply
LyleC
New Member

‎07-05-2006 07:27 AM

‎07-05-2006 07:27 AM

Re: audisp failed to display, error code

We've also seen this message and believe its due to modifying (mv, cp) the audit log file while the system is auditing. Try changing the file the system uses for audit logs via SAM first and then mv or cp the original log. Example, if you have audfile1 as primary and audfile2 as secondary, move audfile2 to primary, audfile3 as secondary, then do what you want with audfile1.
0 Kudos
Reply
The opinions expressed above are the personal opinions of the authors, not of Hewlett Packard Enterprise. By using this site, you accept the Terms of Use and Rules of Participation.