To resolve this issue do the following:
A. Edit the initialization code of the bsm source in UAM and apply to the agents.
1. Go to UAM.
2. Edit the initialization code of the bsm source:
- Select File->Rules Manager->Manage Rule Sets.
- Select the Rule Set to modify and click Edit Rule Set.
- In the Edit Rules, dialog box right-click on Source:bsm and click Edit.
- Select Initialization tab and do the following changes:
a. Go to line 41 and add a comma ',' at the end of the line as follows:
["Effective user from Subject token", \$effective_user],
b. Go to line 132 and replace if(defined(@$val)) with if(@$val)
3. Save the changes.
4. Apply the modified rule set to the agents.
B. UNIX Agent hotfix p762p100 has to be applied.
Installing This Hotfix:
Complete the following steps to install this hotfix.
Note: UA Hotfix to be applied only for 7.6.2 and the UAM workaround remains the same.
1. Click Patch > Patch Manager.
2. Click Load Patch to add the p762p100.zip patch to the list of available patches.
3. Select the computers on which you want to apply the patch.
4. Select the patch.
5. Click Start Install.
6. Click Back to close the Patch Manager.
The bsm source in the rule set has a compilation error, hence the group using the bsm source is causing the error in the deployed agents. The installed agents are missing few CPAN modules of perl in the bundle, hence causing the error and the events are not sent to Sentinel.
Errors associated with the problem rule set:
network.err
-----------------------
Fri Dec 27 07:59:26 2019 7791 DBG grp 0: at main line 98: Terminating - received TERMINATE command from detectd
pid: 8159
Fri Dec 27 08:04:04 2019 8159 DBG grp 0: at main line 98: Terminating - received TERMINATE command from detectd
-----------------------
sulog.err shows me:
-----------------------
pid: 7832
Fri Dec 27 07:59:16 2019 7832 DBG grp 0: at event source initialization line 10: terminating - host is not running an applicable OS.
pid: 8095
Fri Dec 27 08:00:42 2019 8095 DBG grp 0: at event source initialization line 10: terminating - host is not running an applicable OS.
-----------------------
SolarisAuditObject__singleton.err:
-----------------
pid: 28546
syntax error at event source initialization line 41, near "["
Can't use 'defined(@array)' (Maybe you should just omit the defined()?) at event source initialization line 131.
pid: 28790
syntax error at event source initialization line 41, near "["
Can't use 'defined(@array)' (Maybe you should just omit the defined()?) at event source initialization line 131.
-----------------
oracle_audit.err:
-----------------
pid: 28865
Smartmatch is experimental at PS_OracleAudit::list_audit_file_dests() line 3.
Fri Dec 27 08:50:02 2019 28865 DBG grp 0: at main line 98: Terminating - received TERMINATE command from detectd
-----------------
And errors in Open_Enterprise_Server.err:
-----------------
pid: 28733
Can't locate XML/Simple.pm in @INC (you may need to install the XML::Simple module) (@INC contains: /usr/netiq/AM/lib /usr/netiq/AM/lib/site_perl /usr/netiq/vsau/lib/5.26.3/x86_64-linux-thread-multi /usr/netiq/vsau/lib/5.26.3 /usr/netiq/vsau/lib /usr/netiq/vsau/lib/site_perl/5.26.3/x86_64-linux-thread-multi /usr/netiq/vsau/lib/site_perl/5.26.3 /usr/netiq/vsau/lib/site_perl /usr/netiq/common/lib /usr/netiq/common/lib/site_perl /usr/netiq/vsau/lib/site_perl/5.26.3/x86_64-linux-thread-multi /usr/netiq/vsau/lib/site_perl/5.26.3 /usr/netiq/vsau/lib/5.26.3/x86_64-linux-thread-multi /usr/netiq/vsau/lib/5.26.3) at PS_OESAgent::BEGIN line 1.
BEGIN failed--compilation aborted at PS_OESAgent::BEGIN line 1.
-----------------