HPE Community
Operating System - HP-UX
1849236 Members
2802 Online
104042 Solutions
New Discussion

HIDS == "Please Shoot Me"

 
Court Campbell
Honored Contributor

‎06-12-2007 07:34 AM

‎06-12-2007 07:34 AM

HIDS == "Please Shoot Me"

OS 11.11
Java 1.5
HIDS 4.1 <-- Latest piece

All was working well up until a few days ago. I have no idea what started the issue. Basically the schedules and surveillance groups i created got hosed. Even if I recreate them or create new ones I get the following sorts of error:

Skipping schedule /etc/opt/ids/schedules/.txt due to parse error. See logs for details.

Found duplicate group /etc/opt/ids/schedules/groups/.txt in the groupList. See logs for details.

I have looked at the Trace.log file and don;t see anything providing verbose output. I just see this:

************************************************************
HP-UX Host IDS 4.1
Trace Started: 06/12/2007 08:05:11 Level: 3
JavaVM: 1.5.0.05, Vendor: Hewlett-Packard Co., Home: /opt/java1.5/jre
Os: HP-UX B.11.11 PA_RISC2.0

06/12/2007 08:05:11: ScheduleParser::parseGroup: Thread Name: main
MAJOR: ERROR PARSING GROUP
06/12/2007 08:06:05: ScheduleParser::parseGroup: Thread Name: main
MAJOR: ERROR PARSING GROUP
06/12/2007 08:06:24: ScheduleParser: Thread Name: main
FATAL: ERROR PARSING SCHEDULE
06/12/2007 08:06:31: ScheduleParser: Thread Name: main
FATAL: ERROR PARSING SCHEDULE
06/12/2007 08:06:35: ScheduleParser: Thread Name: main
FATAL: ERROR PARSING SCHEDULE

WOW, this file is informative. Anyway, I have a call open with HP. No answers yet. Not sure if anyone else has ran into this issue. I searched the forums and I seem to be the first (OH JOY!). NOTE: the placement of files is not the same as 4.0. Please do not give me answers related to 4.0. I am hoping Pierre Pasturel has an answer.
"The difference between me and you? I will read the man page." and "Respect the hat." and "You could just do a search on ITRC, you don't need to start a thread on a topic that's been answered 100 times already." Oh, and "What. no points???"
0 Kudos
10 REPLIES 10
Steven E. Protter
Exalted Contributor

‎06-12-2007 09:14 AM

‎06-12-2007 09:14 AM

Re: HIDS == "Please Shoot Me"

Shalom,

Is there a newer JAVA?

Do you have the suggested JAVA patches. They aren't suggestions, they should be mandatory. http://www.hp.com/go/java

SEP
Steven E Protter
Owner of ISN Corporation
http://isnamerica.com
http://hpuxconsulting.com
Sponsor: http://hpux.ws
Twitter: http://twitter.com/hpuxlinux
Founder http://newdatacloud.com
0 Kudos
Court Campbell
Honored Contributor

‎06-13-2007 07:21 AM

‎06-13-2007 07:21 AM

Re: HIDS == "Please Shoot Me"

Installed latest Java for giggles but no go. I did notice that if i use the gui to create new schedules and groups I get the error. If I cp the templates to a new file and use those everything works well.
"The difference between me and you? I will read the man page." and "Respect the hat." and "You could just do a search on ITRC, you don't need to start a thread on a topic that's been answered 100 times already." Oh, and "What. no points???"
0 Kudos
Pierre Pasturel
Respected Contributor

‎06-13-2007 09:24 AM

‎06-13-2007 09:24 AM

Re: HIDS == "Please Shoot Me"

Hi Court -

Please run the following commands:

% cd /etc/opt/ids/schedules
% grep TEMPLATE *.txt

If there are any .txt files that have lines with the keywords TEMPLATE or ENDTEMPLATE, then I know the problem. The fix is to run the migrator tool as follows (as user ids):

% /opt/ids/bin/migrator -i .txt

The issue is that when a schedule is activated using the GUI, some legacy code saves the schedule in the old format that is no longer valid for V4.1. When the GUI exits properly it re-saves all the schedules in correct format. However, if the idsgui crashes or does not exit properly, it will leave any schedule that was activated during that session in the pre-V4.1 format. A subsequent attempt to parse the schedule will fail.

Sorry for this inconvenience. I'll do what I can to restore your confidence in the product. Until we post a fix, please consider using the idsadmin command (CLUI) to activate your schedules.

Pierre
0 Kudos
Court Campbell
Honored Contributor

‎06-14-2007 12:42 AM

‎06-14-2007 12:42 AM

Re: HIDS == "Please Shoot Me"

Pierre,

I did not find the words TEMPLATE in any of the schedules. But I did find those words in the group files. Once again I am starting to get these errors:

Found duplicate group /etc/opt/ids/schedules/groups/.txt in the groupList. See logs for details.

Skipping schedule /etc/opt/ids/schedules/.txt due to parse error. See logs for details.

This is just weird.
"The difference between me and you? I will read the man page." and "Respect the hat." and "You could just do a search on ITRC, you don't need to start a thread on a topic that's been answered 100 times already." Oh, and "What. no points???"
0 Kudos
Pierre Pasturel
Respected Contributor

‎06-14-2007 06:26 AM

‎06-14-2007 06:26 AM

Re: HIDS == "Please Shoot Me"

Hi Court -

I am having our GUI engineer take a look at this. It would be helpful if you could describe the steps to reproduce this problem, preferably starting with a fresh installaton of the IDS-Admin subproduct.

Pierre

0 Kudos
Court Campbell
Honored Contributor

‎06-14-2007 06:47 AM

‎06-14-2007 06:47 AM

Re: HIDS == "Please Shoot Me"

Well I did remove and re-install the hids admin product this past monday. I recreated the secure connecitons and added the hosts back to the admin to be montiored.

Here is basically what I did:

1. After I got the errors I removed my schedules and group files that I created under /etc/opt/ids/schedules and /etc/opt/ids/schedules/groups.

2. I then started idsgui. No complaints.

3. I opened the schedule mamanger.

4. I clicked on new to create a new schedule. I call it say "XYZ_schedule".

5. I then go to the groups under that schedule and copy FileModificationGroup. I name it "XYZ_Filemod". I then make a few changes to the templates under that group and save.

6. I then apply the schedule to a host. All is good.

7. I close the system manager.

8. I then open idsgui later and see the wonderful aforementioned errors when the manager starts. It might mention FileModificationGroup in this error:

Found duplicate group /etc/opt/ids/schedules/groups/FileModificationGroup.txt in the groupList. See logs for details.

I then do a cksum on that file and the one in the newconfig directory and notice that they are different. I then copy the newconfig file and restart idsgui and no errors.

It's off and on. Maybe it's me. I just know that I have been using this since around May and only started having this issue recently. The only recent change was installing the December 2006 patches.

For know I have been tar'ing the schedules directory after each successful change to the schedules, etc. When the error occurs I just replace the affected files. The thing I would like to know most is what

Found duplicate group /etc/opt/ids/schedules/groups/.txt in the groupList.

means. Does it mean it sees a duplicate template in that file?

Sorry, I wish I had better info to give you. I just can't figure out if this is a pebkac or if the app is creating the issue.
"The difference between me and you? I will read the man page." and "Respect the hat." and "You could just do a search on ITRC, you don't need to start a thread on a topic that's been answered 100 times already." Oh, and "What. no points???"
0 Kudos
Pierre Pasturel
Respected Contributor

‎06-14-2007 10:24 AM

‎06-14-2007 10:24 AM

Re: HIDS == "Please Shoot Me"

Thanks. I will try to reproduce with the steps you describe. Stay tuned....
0 Kudos
Pierre Pasturel
Respected Contributor

‎06-14-2007 11:31 AM

‎06-14-2007 11:31 AM

Re: HIDS == "Please Shoot Me"

Can't reproduce.

> The thing I would like to know most is what
> Found duplicate group /etc/opt/ids/schedules/groups/.txt in the groupList.
> means. Does it mean it sees a duplicate template in that file?

No.

It appears to think that it has already parsed a group with the same name, but this doesn't make sense since it gets the group name from the filename .txt.

I'd rather triage this with you off-line. Please contact me using the standard FirstName.LastName@hp.com convention... Once we root cause this, we can post the problem and solution/workaround for the benefit of others.

Pierre
0 Kudos
Court Campbell
Honored Contributor

‎06-19-2007 06:02 AM

‎06-19-2007 06:02 AM

Re: HIDS == "Please Shoot Me"

I worked with Pierre and we could not recreate the problem. The error was resolved by starting from scratch. I was able to provide Pierre with some feedback about the product. I am looking forward to future enhancements.
"The difference between me and you? I will read the man page." and "Respect the hat." and "You could just do a search on ITRC, you don't need to start a thread on a topic that's been answered 100 times already." Oh, and "What. no points???"
0 Kudos
Court Campbell
Honored Contributor

‎06-22-2007 07:47 AM

‎06-22-2007 07:47 AM

Re: HIDS == "Please Shoot Me"

I learned to tar my files after editing them. I would have thought I should know that by now.
"The difference between me and you? I will read the man page." and "Respect the hat." and "You could just do a search on ITRC, you don't need to start a thread on a topic that's been answered 100 times already." Oh, and "What. no points???"
0 Kudos
The opinions expressed above are the personal opinions of the authors, not of Hewlett Packard Enterprise. By using this site, you accept the Terms of Use and Rules of Participation.