Hey Daniel, that seemed to correct the issue. The admin of these boxes recompiled it on a development box and moved it over to the two systems that were displaying the incorrectly formatted issues. It corrected the issue on one box and alerts are coming through fine. It corrected the issue on the other system also, but this system isn't alerting us for some reason. I don't have access to these systems, but my guess is something isn't configured properly on this box, and I will have to wait till the admin gets a chance to look at them, but my guess is yes, it is corrected with the endian order change.

Once again thanks for the help and an awesome application.

-Nick Baronian

On 4/3/07, Daniel Cid <[EMAIL PROTECTED]> wrote:
Hi Nick,

Can you try the following? Go to src/Makeall and on line 67 (inside the if HP-UX), change from:

    echo "EEXTRA=-DHPUX -D_XOPEN_SOURCE_EXTENDED" >> Config.OS

to:

    echo "EEXTRA=-DHPUX -D_XOPEN_SOURCE_EXTENDED -DHIGHFIRST" >> Config.OS

And run "make clean; make all;make build". After that, copy the new binaries from ../bin to /var/ossec/bin and start the agent (this on the HP-UX system).

I am thinking it can be a byte ordering issue (HP-UX is big endian). I have it fixed for Solaris and AIX, but not for HP-UX.

Let us know if it fixes the problem or not (so it can be included in the next version).

Thanks,

--
Daniel B. Cid
dcid ( at ) ossec.net

On 4/3/07, Nick Baronian <[EMAIL PROTECTED]> wrote:
>
> Hello, I have an agent on a HP-UX 11i box that is generating some odd
> things in the logs and I was hoping someone might be able to help me
> figure out what might be wrong.
>
> After install I first added the agent to the ossec server (linux) and saw
> 2007/04/03 10:18:38 ossec-logcollector: Started (pid: 29826).
> 2007/04/03 10:19:11 ossec-remoted(1403): Incorrectly formated message from '192.168.1.2'.
> I assumed this was because the agent hadn't been started.
>
> The agent was started and below is the output of the HP-UX agent's log.
> 2007/04/03 10:21:57 ossec-execd(1350): Active response disabled. Exiting.
> 2007/04/03 10:21:57 ossec-agentd: Started (pid: 25721).
> 2007/04/03 10:21:57 ossec-agentd: Connecting to server (192.168.1.1:1514).
> 2007/04/03 10:21:59 ossec-syscheckd: Started (pid: 25729).
> 2007/04/03 10:22:03 ossec-agentd(1210): Queue '/queue/alerts/execq' not accessible.
> 2007/04/03 10:22:03 ossec-logcollector(1950): Analyzing file: '/var/adm/syslog'.
> 2007/04/03 10:22:03 ossec-logcollector: Started (pid: 25725).
> 2007/04/03 10:22:18 ossec-agentd(1301): Unable to connect to active response queue.
> 2007/04/03 10:24:13 ossec-logcollector: Process locked. Waiting for permission...
> 2007/04/03 10:26:55 ossec-syscheckd: Process locked. Waiting for permission...
>
> I didn't know what the process locked messages were all about so I had
> the agent restarted (thinking that if the admin had not properly
> started or restarted the agent earlier and a process was still out
> there)
> 2007/04/03 13:55:20 ossec-logcollector(1225): SIGNAL Received. Exit Cleaning...
> 2007/04/03 13:55:20 ossec-syscheckd(1225): SIGNAL Received. Exit Cleaning...
> 2007/04/03 13:55:20 ossec-agentd(1225): SIGNAL Received. Exit Cleaning...
> 2007/04/03 13:55:55 ossec-execd(1350): Active response disabled. Exiting.
> 2007/04/03 13:55:55 ossec-agentd: No previous counter available for 'sysX'.
> 2007/04/03 13:55:55 ossec-agentd: Assigning counter for agent sysX: '0:0'.
> 2007/04/03 13:55:55 ossec-agentd: Assigning sender counter: 0:1
> 2007/04/03 13:55:55 ossec-agentd: Started (pid: 27630).
> 2007/04/03 13:55:55 ossec-agentd: Connecting to server (192.168.1.1:1514).
> 2007/04/03 13:55:57 ossec-syscheckd: Started (pid: 27638).
> 2007/04/03 13:56:01 ossec-agentd(1210): Queue '/queue/alerts/execq' not accessible.
> 2007/04/03 13:56:01 ossec-logcollector(1950): Analyzing file: '/var/adm/syslog'.
> 2007/04/03 13:56:01 ossec-logcollector: Started (pid: 27634).
> 2007/04/03 13:56:16 ossec-agentd(1301): Unable to connect to active response queue
>
> Now we still see the following on the ossec linux server and so far we
> haven't seen any alerts from the HP-UX agent.
> 2007/04/03 13:56:16 ossec-remoted(1403): Incorrectly formated message from '192.168.1.2'
>
> Anyone have any clues to what might be up with our configuration?
> Thanks,
> Nick Baronian
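
Added illustration, not part of the thread and not OSSEC source: the thread does not show what HIGHFIRST guards in the code, so this sketch only demonstrates the general failure class Daniel suspects, where a word-wise routine loads bytes in host order and a big-endian agent then computes a different value than its little-endian server unless a build-time swap is enabled. All function names and the `swap_fix` parameter are hypothetical.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Returns 1 on big-endian hosts, 0 on little-endian ones. */
static int host_is_big_endian(void) {
    const uint16_t probe = 0x0102;
    unsigned char first;
    memcpy(&first, &probe, 1);
    return first == 0x01;
}

/* Portable decode: always reads the buffer as little-endian words. */
static uint32_t load_le32(const unsigned char *b) {
    return (uint32_t)b[0] | ((uint32_t)b[1] << 8) |
           ((uint32_t)b[2] << 16) | ((uint32_t)b[3] << 24);
}

static uint32_t byte_reverse32(uint32_t w) {
    return (w >> 24) | ((w >> 8) & 0xff00u) | ((w << 8) & 0xff0000u) | (w << 24);
}

/* Order-sensitive word checksum using host-order loads. swap_fix stands in
 * for a build flag (assumption: the kind of switch -DHIGHFIRST provides). */
static uint32_t word_sum(const unsigned char *buf, size_t len, int swap_fix) {
    uint32_t sum = 0, w;
    for (size_t i = 0; i + 4 <= len; i += 4) {
        memcpy(&w, buf + i, 4);                 /* host-order load */
        if (swap_fix && host_is_big_endian())
            w = byte_reverse32(w);              /* normalize on big-endian */
        sum = ((sum << 5) | (sum >> 27)) ^ w;
    }
    return sum;
}

/* Reference value that every host must agree on. */
static uint32_t word_sum_portable(const unsigned char *buf, size_t len) {
    uint32_t sum = 0;
    for (size_t i = 0; i + 4 <= len; i += 4)
        sum = ((sum << 5) | (sum >> 27)) ^ load_le32(buf + i);
    return sum;
}

int main(void) {
    const unsigned char msg[8] = {1, 2, 3, 4, 5, 6, 7, 8}; /* constructed sample */
    printf("big-endian host: %d\n", host_is_big_endian());
    printf("no fix:   %08x\n", (unsigned)word_sum(msg, sizeof msg, 0));
    printf("with fix: %08x (reference %08x)\n", (unsigned)word_sum(msg, sizeof msg, 1),
           (unsigned)word_sum_portable(msg, sizeof msg));
    return 0;
}
```

On a little-endian host both lines print the reference value; on a big-endian host only the "with fix" line does, which is the kind of mismatch a receiver would reject as a malformed message.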
