HPE Community
Operating System - HP-UX
1833846 Members
1999 Online
110063 Solutions
New Discussion

Re: idsagent problem

 
David_711
Frequent Advisor

‎10-07-2004 05:47 AM

‎10-07-2004 05:47 AM

idsagent problem

Hi,
I had a problem with the idsagent on my hpux 11.11, the idsagent process used 98% of the cpu and i can´t stopped it.
In the /var/opt/ids/error.log file, i found this message:

rcm_init: Could not initialize communication library: errno=226:Address already in use.

Please somebody can tellme what happend?
Thanks
Davi
0 Kudos
Reply
6 REPLIES 6
Steffi Jones_2
New Member

‎10-07-2004 07:14 AM

‎10-07-2004 07:14 AM

Re: idsagent problem

Hi David,

check with swlist -l fileset -a state if the IDS software is installed properly.
It should show 'configured'.

If it shows 'installed' run swconfig against the fileset and see if that helps.

Steffi
0 Kudos
Reply
Olivier Decorse
Respected Contributor

‎10-07-2004 07:39 AM

‎10-07-2004 07:39 AM

Re: idsagent problem

Does idsagent shutdown before ? It seems that it was running and has not correctly stopped. So now, some ports/address are always in use.
Try to kill any ids process still in memory, from a previous run and let us know.

Olivier.
They say "install windows 2k, xp or better", so i install unix !
0 Kudos
Reply
David_711
Frequent Advisor

‎10-07-2004 08:59 AM

‎10-07-2004 08:59 AM

Re: idsagent problem

Ok,thanks.
I stopped the idsagent with kill command, but why the idsagent used 98% of my processor and why i can not stopped it with /sbin/init.d/idsagent stop??

Thanks

David
0 Kudos
Reply
Olivier Decorse
Respected Contributor

‎10-07-2004 07:31 PM

‎10-07-2004 07:31 PM

Re: idsagent problem

High cpu idsagent usage can be explained with a bad ids configuration.
For example, monitoring "buffer overflow" and "race condition" produce high load.

Also, having scripts in /opt/ids/response make the system running this scripts on every ids event !!! If you don't use (mail or vpo) alerts, move any program in an other directory.

And for stopping ids with "/etc/init.d/idsagent stop", what are the error message displayed ? you have to be root to run this script, etc.

Olivier.

PS : please don't forget to assign points : it is important for other peer to see if you receive the solution, and you will have more chance to receive responses for any other question !
They say "install windows 2k, xp or better", so i install unix !
0 Kudos
Reply
Pierre Pasturel
Respected Contributor

‎10-11-2004 04:54 AM

‎10-11-2004 04:54 AM

Re: idsagent problem

David -

The "Address already in use" error most likely means that the port used by the idsagent to communicate with the admin GUI is in use. You can run "netstat -na |grep 2985" to see if the default port used by the agent is in use (run this when idsagent is not running).

The templates you are running has nothing to do with the CPU usage of idsagent. idscor is the process that runs the templates and can show high CPU. I don't know why idsagent used up so much CPU.

IDS v3.0 is due out soon and addresses performance and CPU utilization issues, as well as providing more powerful filtering of unwanted alerts. I am very excited about this release.

Pierre
0 Kudos
Reply
Petr Simik_1
Valued Contributor

‎10-13-2004 03:01 AM

‎10-13-2004 03:01 AM

Re: idsagent problem

did you performed correctly Authkeys?

I get this err when I did bad import of Client keys.
Try to repeat conf steps.

su - ids
/opt/ids/bin/IDS_genAdminKeys
/opt/ids/bin/IDS_genAgentCerts
/opt/ids/bin/IDS_importAgentKeys /var/opt/ids/tmp/hostname.tar.Z manager-hostname
/sbin/init.d/idsagent start
0 Kudos
Reply
The opinions expressed above are the personal opinions of the authors, not of Hewlett Packard Enterprise. By using this site, you accept the Terms of Use and Rules of Participation.