HPE Community
Operating System - HP-UX
1826004 Members
3387 Online
109690 Solutions
New Discussion

questions on using IDS

 
Greta Blamire
Frequent Advisor

‎03-14-2002 01:50 PM

‎03-14-2002 01:50 PM

questions on using IDS

I've installed the IDS agent and server on a test system. I read the IDS admin guide which answered most of my questions, but I'm still having some problems. I wanted to start out simple so I just have the login monitoring scheduled for 24x7. However, it doesn't send an alert when I log off and on the system. Also, everytime I bring up the system manager the agent isn't in "running" status even though it was in running status the last time I wan in sytem manager. Shouldn't it be running whether I have the system manager up or not
If you can't face the facts, change them!
0 Kudos
Reply
6 REPLIES 6
Krishnan Viswanathan
Frequent Advisor

‎03-14-2002 08:18 PM

‎03-14-2002 08:18 PM

Re: questions on using IDS

Couple of things:

a) Is your "schedule" on the agents supposed to be running all the time ? If so, to verify, pl log into your agent boxes and check this :
ps -ef |grep ids . If you see processes such as idskerndsp, idscor, idssysdsp etc.. then it means that the scheduler is active.

b) When you start up the idsgui, typically the admin console first "polls" for agents, if they are there, then they are synchronised and the status is shown as "available". If there is schedule running then the status is shown as "running". However, if you had disabled the automatic polling/synchronisation option at startup then (via the "preferences" menu) then you would have do a manual polling to make the status "available" or "running" as the case maybe

Hope this helps
Krishnan
0 Kudos
Reply
Greta Blamire
Frequent Advisor

‎03-26-2002 02:24 PM

‎03-26-2002 02:24 PM

Re: questions on using IDS

Thanks for the reply, when I check for the agent, I do see idskern and idsagent in the processes. And it does the polling automatically when I bring up the ids system manager. But, even with those processes showing up, whenever I bring up the IDS system manager the status is "no agent available" after the polling is complete. So then I resync it, which takes about 10 minutes to complete, but still it comes up with no agent. But in the processes there is idskerndsp and idscor. How can I get my agent to run all the time
If you can't face the facts, change them!
0 Kudos
Reply
Pierre Pasturel
Respected Contributor

‎04-22-2002 04:49 PM

‎04-22-2002 04:49 PM

Re: questions on using IDS

Which version of IDS are you running?

Which templates are running in your schedule? If you are running the preconfigured LoginMonitoringAlwaysOn, you should only see the processes idsagent, idssysdsp, and idscor. If you see idskerneldsp, then you must also be running a template which requires audit data.

Run "top" and let me the CPU usage of idscor.

Pierre



0 Kudos
Reply
Joanne Keegan
Regular Advisor

‎04-22-2002 06:42 PM

‎04-22-2002 06:42 PM

Re: questions on using IDS

Hi Greta,

I have been working with IDS on my site, and find that once I start the IDS gui, if I check its status once the polling has completed, it ususally comes back saying that the agent is available, etc.

Good luck,

Jo
0 Kudos
Reply
Rainer von Bongartz
Honored Contributor

‎04-22-2002 11:05 PM

‎04-22-2002 11:05 PM

Re: questions on using IDS

Greta,


two things to check

1) are you running 1.0 or 2.0
running on 1.0 will always produce this problems

2)
running on 2.0 (which is a must!!) check the timeout values using your gui. Getting messages 'no agent running' usually means you'll have to double this time out values.

There will be a patched version of IDS out soon I guess. I did some beta testing on this and most of this problems will be gone with 2.x.


Regards
Rainer


He's a real UNIX Man, sitting in his UNIX LAN making all his UNIX plans for nobody ...
0 Kudos
Reply
Greta Blamire
Frequent Advisor

‎04-23-2002 05:42 AM

‎04-23-2002 05:42 AM

Re: questions on using IDS

Thanks everyone,
I ended up opening a log on this and we came up with the following solutions:
1. Fully patch IDS - I was missing PHCO_16127, PHKL_24266, KL-24502 & KL_25210.
This made a huge difference in the cpu usage of IDS. After I patched then the problem with "no agent available" status was resolved. I found that when my CPU was pegged at 100% IDS often reported no agent, even though the agent was running.
2. Copying the template and running that as a schedule, not running the template. The templates are in a read only sector and so when you run a template it can't write alert log entries.
So it's working for me now, it's great product once you figure out how to use it!
If you can't face the facts, change them!
0 Kudos
Reply
The opinions expressed above are the personal opinions of the authors, not of Hewlett Packard Enterprise. By using this site, you accept the Terms of Use and Rules of Participation.