HP Host Intrusion Detection System (HIDS) manual Agent needs further troubleshooting, 242

Troubleshooting

Troubleshooting

Agent halts abnormally, leaving ids_* files and message queues

❏If a running agent was not halted as described in “Halting HP-UX HIDS Agents” on page 53 (for example, the agent was stopped with kill -9), then you need to clean up the message queues, which the agent uses for interprocess communication (IPC). This is important because the kernel has a limited number of message queues that IDS and other applications need in order to run.

You should also remove any file in /var/opt/ids/ whose name starts with the string “ids_” and ends with a number (e.g., ids_1001). These are memory mapped files that are used by HIDS processes for interprocess communication. If they are not cleaned up, the corresponding partition might become full. A new memory mapped file will be automatically created the next time the agent starts a schedule. You should *not* remove any memory mapped files when a schedule is running.

Here’s an example of a hard kill followed by a message queue cleanup.

#kill -9 16546 # hard kill of idsagent

#ipcs -q grep ids # display the message queue

#ipcrm -q 602 # delete the message queue

Agent host appears to hang and/or you see message “disk full”

❏Check the local disk for available capacity. The following files have a tendency to become large and may need to be archived and truncated, or moved to a different disk partition with more space:

•/var/opt/ids/alert.log

•/var/opt/ids/gui/logs/hostname_alert.log

•/var/opt/ids/error.log

•/var/opt/ids/gui/logs/Trace.log

•/var/opt/ids/gui/guiError.log

Agent needs further troubleshooting

❏Create a directory for the logging information (for example, /var/log)

❏Restart the idsagent process with debugging enabled:

• /sbin/init.d/idsagent stop