HIDS/9000 A.02.02 /var almost full


My /var directory is almost full.

In the HIDS Admin Guide 02.02 on page 191, "log file rotation" mentions that we may rotate the alert.log and the error.log file without any problems.

However, I see a list of the following files (10 MB each):
10240000 Oct 25 12:38 ids_1000
10240000 Dec 1 2003 ids_1001
10240000 Dec 19 2003 ids_1002
10240000 Apr 2 2004 ids_1003
10240000 Apr 6 2004 ids_1004
10240000 May 14 16:51 ids_1005
10240000 Sep 2 08:26 ids_1006

I found on pg. 204 that these are memory-mapped files and that we may remove any lingering files in the form of ids_10*? Sorry, that is not clear to me.

However, on page 219 the purpose of these memory-mapped files is explained a little, and it says that we may not normally delete these files.
When I stopped the idsagent I noticed that the following processes were still running:

$ ps -ef|grep ids
idssysdsp -c 407 -o /var/opt/ids//ids_1000 -s 408 -q 65535 -
idskerndsp -c 409 -o /var/opt/ids//ids_1000 -s 410 -q 65535
idscor -i /var/opt/ids//ids_1000 -o 404 -c 405 -s 406 -q 655

Finally, my questions are:
1/ is it safe to delete all ids_10* files (except ids_1000 as still in use)
2/ do I still need these files for something (audit back in time?)
3/ why is this not better explained in the admin guide? The explanations on pg. 204 and 219 are confusing.
4/ does the content of these files overlap with alert/error.log files?

best regards,
Gratien
Scott Palmer_1
Trusted Contributor

Re: HIDS/9000 A.02.02 /var almost full

I am not 100% sure, but I think you will see the next time you push a new template to the node, a new file ids_1007 will show up. I think you can delete the older ones.

Regards

Scott Palmer
Pierre Pasturel
Respected Contributor
Solution

Re: HIDS/9000 A.02.02 /var almost full

Gratien -

idssysdsp, idskerndsp, and idscor should not be running without idsagent (their parent process). This can happen if you kill -9 idsagent or idsagent dies abnormally. Did you terminate idsagent as documented in the manual (i.e., /sbin/init.d/idsagent stop)?

First, clean up those three processes (hard kill -9). Then delete all /var/opt/ids/ids_* files. Then, following p. 217 under "Agent halts abnormally, leaving message queue entries," remove any ids-owned message queues.

To answer your questions:
1. It is safe to delete these when the ids processes are no longer running, as described on p. 219. They are normally deleted automatically when a schedule stops running.

2. These files are used internally by ids.

3. Please elaborate on how we can make this clearer. Would mentioning that these memory mapped files are used internally help? What other details would you like to know?

4. No, they do not overlap at all.

BTW, rotation of alert.log is supported but there is an open defect for the rotation of error.log. Basically, error.log is successfully rotated and idsagent will write subsequent error messages to the new error.log but some messages from other IDS components will continue to write to the rotated error.log. This will not be addressed in V3.0 but in a later release. Ordinarily, error.log should not grow large.

Pierre
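As an added illustration of the triage Pierre describes (not code from the thread or from HP): a small POSIX sh helper that, given `ps -ef` output and a listing of /var/opt/ids/ids_*, reports which dispatcher/correlator processes are running without idsagent and which memory-mapped files no ids process still references. It only reports; the kill and delete steps stay manual. The ps and file listings below are constructed from the post, not captured output.

```shell
#!/bin/sh
# Constructed sample of `ps -ef` (HP-UX columns: UID PID PPID C STIME TTY TIME COMMAND),
# modelled on the orphaned processes shown in the question.
SAMPLE_PS='UID PID PPID C STIME TTY TIME COMMAND
ids 407 1 0 12:38 ? 0:00 idssysdsp -c 407 -o /var/opt/ids//ids_1000 -s 408 -q 65535
ids 409 1 0 12:38 ? 0:00 idskerndsp -c 409 -o /var/opt/ids//ids_1000 -s 410 -q 65535
ids 411 1 0 12:38 ? 0:00 idscor -i /var/opt/ids//ids_1000 -o 404 -c 405 -s 406 -q 65535
root 520 1 0 Oct 25 ? 0:01 /usr/sbin/syslogd -D'

# Constructed listing of the memory-mapped files from the question.
SAMPLE_FILES='/var/opt/ids/ids_1000
/var/opt/ids/ids_1001
/var/opt/ids/ids_1002
/var/opt/ids/ids_1003
/var/opt/ids/ids_1004
/var/opt/ids/ids_1005
/var/opt/ids/ids_1006'

# Dispatcher/correlator processes re-parented to init (PPID 1), i.e. running
# without idsagent. The command name is searched from column 4 onwards so a
# two-token STIME such as "Oct 25" does not shift the match.
orphaned_ids_processes() {
  printf '%s\n' "$1" | awk '$3 == 1 {
    for (i = 4; i <= NF; i++)
      if ($i ~ /^ids(sysdsp|kerndsp|cor)$/) { print $2; break } }'
}

# ids_* paths still referenced by an ids process (the double slash is normalised).
referenced_ids_files() {
  printf '%s\n' "$1" | grep -E ' ids(agent|sysdsp|kerndsp|cor) ' \
    | tr ' ' '\n' | grep '/ids_[0-9]' | sed 's#//*#/#g' | sort -u
}

# Files no ids process references: deletion candidates once the orphans are
# gone. Exact line match, so ids_100 is not confused with ids_1000.
stale_ids_files() {
  refs=$(referenced_ids_files "$1")
  printf '%s\n' "$2" | while read -r f; do
    printf '%s\n' "$refs" | grep -Fxq "$f" || printf '%s\n' "$f"
  done
}

echo "orphaned ids processes (PIDs):"; orphaned_ids_processes "$SAMPLE_PS"
echo "stale ids_* files:";            stale_ids_files "$SAMPLE_PS" "$SAMPLE_FILES"
```

On a real host, replace the samples with `ps -ef` and `ls /var/opt/ids/ids_*` output; ids_1000 stays listed as referenced until the three orphans are gone, which is why Pierre's order (processes first, then files, then message queues) matters.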


Re: HIDS/9000 A.02.02 /var almost full

Hi,

Thanks for the replies!
To answer on your questions:

- yes, I did a kill -9 on idsagent which caused this situation (had another posting yesterday which explained this).

- and yes, it would improve the documentation if HP would describe (briefly) the use of memory-mapped files in Chapter 1. Mention memory-mapped files in the glossary and maybe add another picture which explains the piping a bit - enough so that we understand the big picture.
It was surprising to me that I suddenly saw plenty of these containers popping up (I did not know where they came from).
As a side note, in the installation guide HP mentions that 10 MB must be foreseen for /var - that is clearly not enough - please increase this to min. 50 MB, which is closer to reality.

- thanks for the warning about trimming the error.log file (I found this in the forum once, but thought it was fixed in the meantime).

- Concerning HIDS A.03.00: is there any chance we can see the release notes before the official release date?

Thanks for a great product!
Gratien
MarkSyder
Honored Contributor

Re: HIDS/9000 A.02.02 /var almost full

Hi Gratien.

If these files are going to grow large again, you might like to give them their own logical volume with a mountpoint of /var/opt/ids so they won't affect /var.

Mark Syder (like the drink but spelt different)
The triumph of evil requires only that good men do nothing
Pierre Pasturel
Respected Contributor

Re: HIDS/9000 A.02.02 /var almost full

Gratien -

Always shut down the idsagent using the documented method. Otherwise, the message queues will not be released and memory mapped files will accumulate and eventually fill up your /var. Kill -9 should only be done if for some reason the idsagent is not responding to the TERM signal.

I will see what we can do to make the admin guide clearer about the memory mapped file.

BTW, the size of the memory mapped file for V3.0 is now 20Meg so that we can buffer more system call audit events during peak loads to reduce the chances of having to drop them.

The RN will not be available until the depots are posted. What kind of information were you looking for?

Pierre

Re: HIDS/9000 A.02.02 /var almost full

Pierre,

Concerning the Release Notes: I would like the bits around the upgrade from A.02.02 towards A.03 for HP-UX 11.x.
But if it is too much work I can wait till the release date.

Thx,
Gratien
Pierre Pasturel
Respected Contributor

Re: HIDS/9000 A.02.02 /var almost full

Gratien -

V3.0 will come with a migration tool to upgrade your V2.2 schedules to V3.0 schedules. If your V2.2 schedules contain template properties which are specified using the ECS regular expression syntax, these properties will need to be manually modified by you to convert them to use Unix regular expressions. We have also consolidated the "login/logout" template and the "start of interactive sessions" template into one "login/logout" template. The conversion tool will also handle this.

Details will be in the RN.

Pierre

Re: HIDS/9000 A.02.02 /var almost full

Thanks to all for the replies.
Gratien