Re: HIDS agent error.

Hi,

I just installed an HP instrusion detection on my system running 11.00 64bit. but when i tried to bring up the idsagent im getting this error.

libcomm: thread_id=1: comm_init: gethostbyname failed for connect_host idsadmin
ids/9000: idsagent initialization failed. See /var/opt/ids/error.log for details. Exiting
libcomm: thread_id=1: queue_get (Read Queue): comm layer not initialized
libcomm: thread_id=1: queue_get (Write Queue): comm layer not initialized.

thanks,
den

11 REPLIES 11

typo error on the subject. it's HP IDS/9000

HI Den,

Sounds to me like the IDS Agent system cannot resolve the name or IP of the IDS Server or Adminstration system.
Check your setup & manually try to resolve what you've defined as the IDS server or admin system.

Rgds,
Jeff

PERSEVERANCE -- Remember, whatever does not kill you only makes you stronger!

Hi Den,

Did you generate the certificate for the client from the server and installed it on the client? I believe even if your server and client is the same node, you need to do that.

I will be interested to know that as I am in the process of defining my schedules/groups/templates.

HTH
...Manjeet

work is fun ! (my manager is standing behind me!!)

And if you generated the certificate and installed it on the client, did you change the IP address of the server/client?

Does /var/opt/ids/error.log give you any relevant information? Is client/server able to resolve each other?

...Manjeet

work is fun ! (my manager is standing behind me!!)

Hi,

Jeff: I check my entry on my host file and on the dns all of them are defined the same as my IDS server.

Manjeet: The certificate a created successfully. The output of my error.log are libcomm: thread_id=1.

thanks,
Den

Hi Den,

Not very sure but from above error msg (first posting), it looks as if your client is trying to connect to IDS server name - idsadmin. Is this your IDS server name?

Also, did you run "IDS_genAdminKeys install" on the server 'after' distributing the certificate to the client? That step will invalidate the agent certificate. If you are just setting this up, I would suggest to redo the following as user "ids" -

1. run 'IDS_genAdminKeys install' on the server
2. run IDS_genAgentCerts for the client
3. move the certificate (client.tar.Z) from server to client's /var/opt/ids/tmp/ directory.
4. run IDS_importAgentKeys from the client -
IDS_importAgentKeys /var/opt/ids/tmp/client.tar.Z
5. run /sbin/init.d/idsagent start (as root)

Also, the document talks about some more steps for multihomed agent system. But lets see if the above solution works for you.

HTH
...Manjeet

work is fun ! (my manager is standing behind me!!)

hi manjeet,

I have done with those step and it goes successfull. to make it short i decided to remove the IDS/9000 from the client and the server. What i'm doing now is working on one server as IDS server and client. when i bring up the agent the error that i'm getting is :

idsagent: failed to open schedule path file /var/opt/ids/schedule for reading and writing

Also on the idsgui it says that there is no available agent. but when i run

ps -ef | grep idsagent

it's running.

thanks,
den

Hello again,

>idsagent: failed to open schedule path file /var/opt/ids/schedule for reading and writing

This is a first time message and is expected because till now, this client hasn't been given any schedule.

>Also on the idsgui it says that there is no available agent

This one had stumped me as well. But the solution was simple - bring up idsgui and add the client (as user ids and setting DISPLAY variable). Now highlight the client and click on 'Status' button on the far left. The client status will change to 'available'. Now its just a matter of selecting one of the pre-defined schedules (for testing) and clicking on 'Activate' button.

Let me know if it helps.
...Manjeet

work is fun ! (my manager is standing behind me!!)

manjeet,

it didn't work. any more idea.

thanks,
den

Hi Den,

At this point, I will check if something is different on your server because the problem changed when you installed server and client on the same box. It may be patch issue. The server needs Java RTE 1.3.x but I am assuming that those prereqs are completed.

If you have a spare box, you may load it with hpux-11.11 and retry. Involving HP Support is another option.

Thanks
...Manjeet

work is fun ! (my manager is standing behind me!!)

Den -

Let me know if you are still having problems with IDS/9000.

The "can't open schedule file" error is expected if no schedule has yet been downloaded by the admin to the agent and you are starting the agent using the /sbin/init.d/idsagent startup script or if you are running /opt/ids/bin/idsagent with the -a option.

Assuming that you attempted to get the status of the agent using the admin GUI and it returns "Not available" even though an agent is running, there is a defect that has been fixed for this type of failure. The fix will be in the next minor release of HP-UX Host IDS (new name for IDS/9000) which is currently scheduled to be available sometime around late Spring.

Pierre