Troubleshooting
❏Determine whether any changes have been made to the detection templates, which may filter out the alerts (such as ignoring whole directories or users).
❏If no login/logout alerts are seen, /var/adm/wtmp might be corrupted. To check, run the last command and see whether it prints an error or dumps core (segmentation fault). If it does, recreate the file as root with the following commands. Note that this discards the existing login history on the host; if you want to keep it for later examination, copy /var/adm/wtmp aside before removing it:
#rm /var/adm/wtmp
#touch /var/adm/wtmp
#chown adm:adm /var/adm/wtmp
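The same procedure as a script, added here as an example and not taken from the HP-UX HIDS manual. It differs from the three commands above in one respect: the damaged file is moved aside with a timestamp instead of being deleted, so the old login records remain available for examination. The file path and owner are parameters only so the function can be exercised against a scratch file; on an agent host it is run as root against /var/adm/wtmp with owner adm:adm. A command that dies of a segmentation fault leaves a shell exit status of 128 plus the signal number (139 for SIGSEGV), which is what check_wtmp looks for.

```shell
#!/bin/sh
# Added example; not code from the HP-UX HIDS manual.

# check_wtmp: run `last` and report whether it could read wtmp cleanly.
# A crash shows up as an exit status above 128 (128 + signal number).
check_wtmp() {
    last >/dev/null 2>&1
    st=$?
    if [ "$st" -eq 0 ]; then
        echo "wtmp OK"
    elif [ "$st" -gt 128 ]; then
        echo "last died with signal $((st - 128)); wtmp is probably corrupt"
    else
        echo "last exited with status $st; wtmp may be corrupt"
    fi
    return "$st"
}

# reset_wtmp FILE [OWNER:GROUP]
# Moves a damaged wtmp aside (keeping it as evidence), creates an empty
# replacement, and sets the ownership and mode login accounting expects.
# OWNER:GROUP defaults to adm:adm as in the manual's chown step.
reset_wtmp() {
    f=$1
    owner=${2:-adm:adm}
    if [ -e "$f" ]; then
        mv "$f" "$f.corrupt.$(date +%Y%m%d%H%M%S)" || return 1
    fi
    : > "$f" || return 1
    chown "$owner" "$f" || return 1
    chmod 644 "$f" || return 1
}

# Usage, as root on the agent host:
#   check_wtmp || reset_wtmp /var/adm/wtmp adm:adm
```

After the reset, new logins are recorded in the fresh file and the login/logout template should begin alerting again; the saved copy (wtmp.corrupt.TIMESTAMP) can be examined or removed once it is no longer needed.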
❏Is the communication to the agent timing out? Check the agent’s /var/opt/ids/error.log for timeout messages. If timeout messages appear, try increasing the timeout values in the agent’s /etc/opt/ids/ids.cf configuration file; see “Remote Communication Configuration” on page 209.
❏If /var/opt/ids/error.log contains "out of memory" errors, the maximum data segment size may need to be increased or more swap space might need to be added. Run kmtune
Buffer overflow triggers false positives
❏Because Buffer Overflow uses a heuristic, it may trigger false positives. If it does, please document what actions were performed that generated the alert, and contact HP support so we can improve the heuristic.
For more information on buffer overflow, see “Some Template Configuration Guidelines” on page 74.
Duplicate alerts appear in System Manager
If you see duplicate alerts, you might have multiple instances of the same template configured in your schedule within different surveillance groups with overlapping time tables.
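One way to find such overlaps before they produce duplicate alerts, added here as an example (not code from the HP-UX HIDS product): list each scheduled template instance as "surveillance-group template start end" and look for the same template in two different groups whose hours overlap. The flat schedule format below is constructed for the example; the product's own schedule format is not shown on this page. Two intervals [a1,a2) and [b1,b2) overlap when a1 < b2 and b1 < a2, so a template whose windows merely touch (18:00 to 18:00) is not reported.

```shell
#!/bin/sh
# Added example; not code from the HP-UX HIDS product.
# Constructed schedule: surveillance-group template start end (24-hour clock).
SCHEDULE='
webservers   login_logout   00:00 23:59
webservers   file_modify    08:00 18:00
dbservers    login_logout   06:00 12:00
dbservers    file_modify    18:00 22:00
batch        file_modify    17:30 19:00
'

# find_overlaps: print each pair of surveillance groups that run the same
# template during overlapping hours. Times are converted to minutes since
# midnight; intervals are treated as half-open so touching windows do not match.
find_overlaps() {
    printf '%s\n' "$SCHEDULE" | awk '
    NF == 4 {
        n++; grp[n] = $1; tpl[n] = $2
        split($3, s, ":"); split($4, e, ":")
        st[n] = s[1] * 60 + s[2]; en[n] = e[1] * 60 + e[2]
    }
    END {
        for (i = 1; i <= n; i++)
            for (j = i + 1; j <= n; j++)
                if (tpl[i] == tpl[j] && grp[i] != grp[j] &&
                    st[i] < en[j] && st[j] < en[i])
                    printf "%s: %s and %s overlap\n", tpl[i], grp[i], grp[j]
    }'
}

find_overlaps
```

For the constructed schedule this reports login_logout (webservers and dbservers) and file_modify (batch against both webservers and dbservers), while the webservers and dbservers file_modify windows, which only touch at 18:00, are not reported. Either remove the duplicate template instance from one group or adjust the time tables so they no longer overlap.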
Idsadmin needs installed agent certificates
You must run the idsadmin program on an administration host where agent certificates are installed. You can use IDS_genAgentCerts to generate a local agent certificate on the administration host. If the agent filesets, which include IDS_genAgentCerts, are not installed, you can copy the directory /etc/opt/ids/ids/certs/agent (and its contents) from a remote agent host to the administration host.
Idsadmin notifies of bad certificate when pinging a remote agent
Idsadmin may report a bad certificate if the certificate created on the administration host for the agent is not yet valid on the agent host, because the system time on the remote agent host lags behind the administration host's clock. Compare the output of date on both hosts; if the agent's clock is behind, the certificate becomes valid once the agent host's time passes the certificate's start time, or sooner if the clocks are synchronized. For example:
./idsadmin
244 | Appendix G |