Hi Nick,
Can you try the following? Go to src/Makeall and on line 67, (inside the if HP-UX), change from: echo "EEXTRA=-DHPUX -D_XOPEN_SOURCE_EXTENDED" >> Config.OS to: echo "EEXTRA=-DHPUX -D_XOPEN_SOURCE_EXTENDED -DHIGHFIRST" >> Config.OS And run "make clean; make all;make build". After that, copy the new binaries from ../bin to /var/ossec/bin and start the agent (this on the HP-UX system). I am thinking it can be a byte ordering issue (hp-ux is big endian). I have it fixed for solaris and AIX, but not for HP-UX.. Let us know if it fixes the problem or not (so it can be included in the next version). Thanks, -- Daniel B. Cid dcid ( at ) ossec.net On 4/3/07, Nick Baronian <[EMAIL PROTECTED]> wrote:
Hello, I have an agent on a HP-UX 11i box that is generating some odd things in the logs and I was hoping someone might be able to help me figure out what might be wrong. After install I first added the agent to the ossec server (linux) and saw 2007/04/03 10:18:38 ossec-logcollector: Started (pid: 29826). 2007/04/03 10:19:11 ossec-remoted(1403): Incorrectly formated message from '192.168.1.2'. I assumed this was because the agent hadn't been started. The agent was started and below is the output of the HP-UX agent's log. 2007/04/03 10:21:57 ossec-execd(1350): Active response disabled. Exiting. 2007/04/03 10:21:57 ossec-agentd: Started (pid: 25721). 2007/04/03 10:21:57 ossec-agentd: Connecting to server (192.168.1.1:1514). 2007/04/03 10:21:59 ossec-syscheckd: Started (pid: 25729). 2007/04/03 10:22:03 ossec-agentd(1210): Queue '/queue/alerts/execq' not accessible. 2007/04/03 10:22:03 ossec-logcollector(1950): Analyzing file: '/var/adm/syslog'. 2007/04/03 10:22:03 ossec-logcollector: Started (pid: 25725). 2007/04/03 10:22:18 ossec-agentd(1301): Unable to connect to active response queue. 2007/04/03 10:24:13 ossec-logcollector: Process locked. Waiting for permission... 2007/04/03 10:26:55 ossec-syscheckd: Process locked. Waiting for permission... I didn't know what the process locked messages were all about so I had the agent restarted (thinking that if the admin had not properly started or restart the agent earlier and a process was still out there) 2007/04/03 13:55:20 ossec-logcollector(1225): SIGNAL Received. Exit Cleaning... 2007/04/03 13:55:20 ossec-syscheckd(1225): SIGNAL Received. Exit Cleaning... 2007/04/03 13:55:20 ossec-agentd(1225): SIGNAL Received. Exit Cleaning... 2007/04/03 13:55:55 ossec-execd(1350): Active response disabled. Exiting. 2007/04/03 13:55:55 ossec-agentd: No previous counter available for 'sysX'. 2007/04/03 13:55:55 ossec-agentd: Assigning counter for agent sysX: '0:0'. 2007/04/03 13:55:55 ossec-agentd: Assigning sender counter: 0:1 2007/04/03 13:55:55 ossec-agentd: Started (pid: 27630). 2007/04/03 13:55:55 ossec-agentd: Connecting to server (192.168.1.1:1514). 2007/04/03 13:55:57 ossec-syscheckd: Started (pid: 27638). 2007/04/03 13:56:01 ossec-agentd(1210): Queue '/queue/alerts/execq' not accessible. 2007/04/03 13:56:01 ossec-logcollector(1950): Analyzing file: '/var/adm/syslog'. 2007/04/03 13:56:01 ossec-logcollector: Started (pid: 27634). 2007/04/03 13:56:16 ossec-agentd(1301): Unable to connect to active response queue Now we still see the following on the ossec linux server and so far we haven't seen any alerts from the HP-UX agent. 2007/04/03 13:56:16 ossec-remoted(1403): Incorrectly formated message from '192.168.1.2' Anyone have any clues to what might be up with our configuration? Thanks, Nick Baronian
