Data are not sent from OES 2 to the OES collector in Sentinel

  • 7003012
  • 14-Apr-2009
  • 26-Apr-2012

Environment

Novell Sentinel 6.1
Novell Open Enterprise Server 2 (OES 2) SP1
Sentinel Open Enterprise Server 2 (OES 2) Collector

Situation

When setting up the Novell Open Enterprise Server (OES) 2 collector, scripts are used to send data to Sentinel over a TCP connection. Despite an established connection, data are never successfully received by the Sentinel server.

Connections build up between the OES 2 servers and the Sentinel servers, all with a status of ESTABLISHED and all between 'socat' on the OES 2 server and 'java' on the Sentinel server. These connections use the TCP port configured for the syslog connector.

Resolution

The scripts that pass audit data from OES 2 to Sentinel use a utility named 'socat'. Its invocation can be seen in the /usr/sbin/novl-aud2sent script, currently on line 51, in the following form:

/usr/bin/tail -F /var/log/audit/audit.log | /sbin/ausearch -i -l -if /dev/stdin | /usr/local/bin/socat -d -u - TCP:$1:$2,interval=30,forever,keepalive,linger=5,connect-timeout=10

The last parameter passed to 'socat' sets the connection timeout to ten seconds. The version of socat currently shipped with OES 2 is 1.7.0.0, which has a bug in the handling of this connection parameter that causes the problems seen when this script runs.

Workarounds for this include either removing the connect-timeout parameter from the socat line in the novl-aud2sent script or upgrading to socat 1.7.0.1 or later. With the parameter removed, the script line should look like the following:

/usr/bin/tail -F /var/log/audit/audit.log | /sbin/ausearch -i -l -if /dev/stdin | /usr/local/bin/socat -d -u - TCP:$1:$2,interval=30,forever,keepalive,linger=5
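As an added example (not part of this TID or of the OES scripts), the following POSIX shell functions check a socat version against 1.7.0.1 and apply the first workaround by stripping the connect-timeout option from the script line, so that a fixed socat is left untouched and a buggy one gets the corrected line. It assumes that the second line of 'socat -V' output reads 'socat version X.Y.Z.W on <date>'; the sample script line and the sample -V output at the bottom are constructed for the demonstration.

```shell
#!/bin/sh
# Added example, not part of the TID or of the OES scripts: decide whether the
# socat line in /usr/sbin/novl-aud2sent needs the connect-timeout workaround
# and produce the corrected line. The "socat -V" output format is an assumption.

# Return 0 (true) when the dotted version in $1 is older than 1.7.0.1, the
# first release the TID names as fixing the connect-timeout bug.
socat_needs_workaround() {
    fixed="1.7.0.1"
    i=1
    while [ "$i" -le 4 ]; do
        a=$(printf '%s' "$1" | cut -d. -f"$i")
        b=$(printf '%s' "$fixed" | cut -d. -f"$i")
        a=${a:-0}; b=${b:-0}            # missing fields compare as 0
        if [ "$a" -lt "$b" ]; then return 0; fi
        if [ "$a" -gt "$b" ]; then return 1; fi
        i=$((i + 1))
    done
    return 1                            # equal to 1.7.0.1: fixed
}

# Parse the version number out of "socat -V" output read on stdin; the
# second line is assumed to look like "socat version 1.7.0.0 on <date>".
socat_version_from_V() {
    sed -n 's/^socat version \([0-9][0-9.]*\) .*/\1/p' | head -n 1
}

# Remove every ",connect-timeout=<seconds>" option from the socat address
# on stdin; this is the first workaround the TID describes.
strip_connect_timeout() {
    sed 's/,connect-timeout=[0-9][0-9]*//g'
}

# Given a socat version ($1) and one script line ($2), print the line that
# should be in novl-aud2sent: unchanged on a fixed socat, stripped on a buggy one.
fixed_script_line() {
    if socat_needs_workaround "$1"; then
        printf '%s\n' "$2" | strip_connect_timeout
    else
        printf '%s\n' "$2"
    fi
}

# Constructed sample input: the line 51 quoted in the TID and a fake "socat -V".
SAMPLE_LINE='/usr/bin/tail -F /var/log/audit/audit.log | /sbin/ausearch -i -l -if /dev/stdin | /usr/local/bin/socat -d -u - TCP:$1:$2,interval=30,forever,keepalive,linger=5,connect-timeout=10'
SAMPLE_V='socat by Gerhard Rieger - see www.dest-unreach.org
socat version 1.7.0.0 on Apr 14 2009 10:00:00'

ver=$(printf '%s\n' "$SAMPLE_V" | socat_version_from_V)
echo "detected socat $ver"
fixed_script_line "$ver" "$SAMPLE_LINE"
```

On a real OES 2 server the version would come from the binary the script actually calls, for example ver=$(/usr/local/bin/socat -V | socat_version_from_V), and the stripped line would be compared against the script before editing it; the functions only print, they never modify novl-aud2sent.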


Status

Reported to Engineering

Additional Information

A patched version of socat 1.7.0.1 can be downloaded from its homepage at the following location:
http://www.dest-unreach.org/socat/download/socat-1.7.0.1.tar.bz2

Compiling from source can be done with the following commands on a system with the same architecture as the destination system, once the archive has been extracted:

# As a regular user: configure and build in the extracted source directory
cd /path/to/socat-1.7.0.1
./configure && make

# As root: install the freshly built binary under a version-specific name
cd /path/to/socat-1.7.0.1
cp ./socat /usr/bin/socat-1.7.0.1

Overwriting the existing socat binary located at /usr/bin/socat is also an option, and it deploys the fixed binary system-wide immediately. After creating the new executable file, be sure to modify any scripts that use it to point to the new path and filename where applicable. Creating a backup of the old files is recommended before overwriting them with new versions.