How do I troubleshoot issues with the VigilEnt Security Agent for UNIX sending alerts to the Securit (NETIQKB46530)

  • 7746530
  • 02-Feb-2007
  • 10-Oct-2007

Resolution

goal
How do I troubleshoot issues with the VigilEnt Security Agent for UNIX sending alerts to the Security Manager central computer?

goal
Does NetIQ Technical Support provide any root cause analysis procedures to find problems with how VSAU sends information to the central computer?

fact
Vigilent Security Agent for Unix 5.0

fact
VigilEnt Security Agent for Unix 4.0

fix

To troubleshoot issues with the VigilEnt Security Agent for UNIX sending alerts to the Security Manager central computer:

  1. Verify that the agent configuration file /etc/vsaunix.cfg contains the correct IP address and port number for the Security Manager Consolidator. The following line should appear in the file: IDMEF_DESTINATIONS={IP_address}:{port}
  2. If this line does not exist, enter it manually or by using the Unix Manager console.
  3. Replace the IP address and port with the correct information for the Security Manager console computer:

    • If you have VigilEnt Security Agent for Unix 4.0: In Unix Manager, click Rules Manager > File > Configure Hosts, click your host name, then enter the IP address and port for IDMEF_DESTINATIONS, and click Select. The default value for the port is 1723.
    • If you have VigilEnt Security Agent for Unix 5.0: In Unix Manager, click Manage Agents > Hosts > Configure Agent, click your agent, click Parameters, then enter the IP address and port for the central computer, and click OK. The default value for the port is 1636.

  4. Restart the detectd process on the UNIX agent computer after the initial setup and after making any configuration changes.
  5. From a command prompt on the Microsoft Windows computer, enter netstat -anp TCP
  6. The results could have many entries, but one should correspond to the specific port the Security Manager console is using.
  7. On the Unix computer, verify that a rule set has been pushed down to the Unix agent and that the alerts generated by the rule set are then delivered to the agent's spool directory. The rule set is pushed down via Unix Manager > Rules Manager > File > To Host. The spool files containing the IDMEF alerts are in the /{vsaunix install directory}/vsaunix/{platform}/vsau/local/spool directory. The file name should look similar to wtmp.1070478098.idmef_alerts and have permissions of -rw------- with root ownership. Only the root user can read the file.
  8. Verify that alerts are delivered to Security Manager:
  9. If the event delivery failed, an IP address will appear in the entry in the spool file. The IP address should match the Security Manager console computer IP address. For example: 1070475876 2100 IDMEF 10.50.65.100
  10. If the event delivery succeeded, the IP address will not be included. For example: 1070475876 2100 IDMEF
  11. The event files in the c:\Program Files\MCSOnePoint\OnePoint\VigilEnt\Event.nn directory (for Security Manager 5.1 and 5.5: C:\Program Files\NetIQ Security Manager\Vigilent\event.nn) on the Security Manager console computer should look similar to the following example, which shows that an event was received from host hpuxsys02 and the wtmp rule was executed:

    2003-12-3T18:52:49 GMT|303010008|hpuxsys02.unknown.domain|101.50.65.100|
    HP-UX|B.11.00|root logout from host :
    n/a|hpuxsys02.unknown.domain|101.50.65.100|LOGIN|n/a|console|14964|n/a|n/a|n/a|n/a|
    n/a|n/a|n/a|username=LOGIN|wtmp_id=dt|wtmp_type=8|wtmp|type|name=DEAD_PROCESS|
    wtmp_e_termination=0|wtmp_e_exit=1|wtmp_session=n/a


  12. Verify that the consolidator computer is part of the HID - Unix Consolidators computer group.
  13. Verify that the provider has been pushed out to the consolidator's agent.
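The following helper script is an added example and is not part of this article or of the NetIQ product. It automates the UNIX-side checks from steps 1, 7, 9 and 10 above: it reads IDMEF_DESTINATIONS from a vsaunix.cfg-style file, counts spool entries that still carry a destination IP (failed delivery) versus entries without one (delivered), flags failed entries addressed to an IP other than the configured consolidator, and reports the spool file's permission string. The spool entry layout (timestamp, id, IDMEF, optional IP) is assumed from the examples in steps 9 and 10, and the configuration and spool contents the script writes are constructed samples; point cfg and spool at the real files to use it on an agent.

```shell
#!/bin/sh
# Added example, not NetIQ's code: checks for steps 1, 7, 9 and 10 of the procedure.
# Assumed spool entry layout: "<timestamp> <id> IDMEF [<destination IP>]".
# The config and spool contents written below are constructed samples.

# Step 1: print the IDMEF_DESTINATIONS value ("IP:port"); prints nothing if absent.
vsau_destination() {
    sed -n 's/^IDMEF_DESTINATIONS=//p' "$1" | head -n 1
}

# Steps 9/10: entries that still carry a destination IP were not delivered.
# Prints "<failed> <delivered>".
vsau_spool_status() {
    awk '$3 == "IDMEF" { if (NF >= 4) failed++; else ok++ }
         END { printf "%d %d\n", failed + 0, ok + 0 }' "$1"
}

# Failed entries whose recorded IP is not the configured consolidator address;
# these point at a stale IDMEF_DESTINATIONS value rather than a network problem.
vsau_mismatched() {
    spool=$1
    expected_ip=${2%%:*}
    awk -v ip="$expected_ip" '$3 == "IDMEF" && NF >= 4 && $4 != ip' "$spool"
}

# Step 7: the spool file should be -rw------- (root ownership is checked separately).
vsau_spool_mode() {
    ls -l "$1" | cut -c1-10
}

# --- constructed sample data standing in for /etc/vsaunix.cfg and the spool dir ---
tmp=$(mktemp -d)
trap 'rm -rf "$tmp"' EXIT
cfg="$tmp/vsaunix.cfg"
spool="$tmp/wtmp.1070478098.idmef_alerts"
printf 'IDMEF_DESTINATIONS=10.50.65.100:1636\n' > "$cfg"
printf '%s\n' '1070475876 2100 IDMEF 10.50.65.100' \
              '1070475900 2100 IDMEF' \
              '1070475950 2100 IDMEF 10.50.65.101' > "$spool"
chmod 600 "$spool"

echo "destination:        $(vsau_destination "$cfg")"
echo "failed/delivered:   $(vsau_spool_status "$spool")"
echo "spool file mode:    $(vsau_spool_mode "$spool")"
echo "wrong destination:"
vsau_mismatched "$spool" "$(vsau_destination "$cfg")"
```

On the sample data this reports two failed and one delivered entry, and lists the entry addressed to 10.50.65.101 as a destination mismatch.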

Contact NetIQ Security Manager support if you need further assistance.



Additional Information

Formerly known as NETIQKB46530