Data are not sent from OES 2 to the OES collector in Sentinel

  • 7003012
  • 14-Apr-2009
  • 26-Apr-2012

Environment

Novell Sentinel 6.1
Novell Open Enterprise Server 2 (OES 2) SP1
Sentinel Open Enterprise Server 2 (OES 2) Collector

Situation

When setting up the Novell Open Enterprise Server (OES) 2 collector scripts are used to send data to Sentinel over a TCP connection.  Despite an established connection data are never successfully received by the Sentinel server.

Connections are building up between the OES 2 servers and Sentinel servers, all with a status of ESTABLISHED and all between 'socat' on the OES 2 server and 'java' on the Sentinel server.  These connections use the TCP port configured for use by the syslog connector.

Resolution

The scripts used to pass audit data between OES 2 and Sentinel use a utility named 'socat'.  This utility's use can be seen in the /usr/sbin/novl-aud2sent script, currently on line 51 in the following form:

/usr/bin/tail -F /var/log/audit/audit.log | /sbin/ausearch -i -l -if /dev/stdin | /usr/local/bin/socat -d -u - TCP:$1:$2,interval=30,forever,keepalive,linger=5,connect-timeout=10

The last parameter used by 'socat' is to set a connection timeout to ten seconds.  The version of socat currently in use in OES 2 is 1.7.0.0 which has a bug with this connection parameter causing the problems seen during the use of this script.

Workarounds for this include either removing the connect-timeout parameter from the line in the novl-aud2sent script or upgrading to socat 1.7.0.1 or later.  The resulting script line with the fix should look like the following:

/usr/bin/tail -F /var/log/audit/audit.log | /sbin/ausearch -i -l -if /dev/stdin | /usr/local/bin/socat -d -u - TCP:$1:$2,interval=30,forever,keepalive,linger=5


Status

Reported to Engineering

Additional Information

A patched version of socat 1.7.0.1 can be downloaded from its homepage at the following location:
http://www.dest-unreach.org/socat/download/socat-1.7.0.1.tar.bz2

Compiling from source can be done with the following commands, on a system with the same architecture as the destination system, once the archive is extracted and the user is in the socat source directory:

#As a regular user
cd /path/to/socat-1.7.0.1
./configure && make

#As root
cd /path/to/socat-1.7.0.1
cp ./socat /usr/bin/socat-1.7.0.1

Overwriting the existing socat binary located at /usr/bin/socat is also an option to immediately implement the fixed file system wide.  After creating the new executable file be sure to modify any scripts using the file to point to the new path and filename if applicable.  Creating a backup of old files is recommended before overwriting them with new versions.

Feedback service temporarily unavailable. For content questions or problems, please contact Support.