Re: IDS sig Updates (IDS-K9-sp-4.1-5-s189.rpm.pkg) Problem

emad.mohamed · ‎09-07-2005

I am trying to upgrade some IDS sensors from S188 to the new service pack which is S189. The IDS device show this message (The System will rebooted upon completion of the update)

After I rebooted the IDS, it still running the old version S188. ANY IDEA why????

Thank you

wrh123456789 · ‎09-08-2005

I experience the same issue. My 2 IDSes did not take the service pack. They both complained about a lack of space:

Shutting down all CIDS processes. All connections will be terminated.

The system will be rebooted upon completion of the update.

Error: The update requires 115000 KB in /usr/cids/idsRoot/var, there are only 113708 KB available.

I'm not sure what I can delete from / to free up 2MB of space to accomodate this update. Any information is welcome.

emad.mohamed · ‎09-08-2005

is there is any one from CISCO that can help us on this issue.

thank you

jamesand · ‎09-08-2005

We are looking at the storage space error that can occur when installing the 4.1(5) pkg. Here is a workaround for freeing up space:

- log into service account and become root (use the su command with the same svc acct PW)

- remove the following directories:

# rm -rf /usr/cids/idsRoot/var/updates/files/S69

# rm -rf /usr/cids/idsRoot/var/updates/files/common

- retry the 4.1(5) upgrade

wrh123456789 · ‎09-08-2005

several other things that I removed and seems to still funciton okay:

after you clear all events, then rm -rf /usr/cids/idsRoot/var/events.tar.gz

This did it for one sensor, but the second sensor still doesn't have enough room for the update.

wrh123456789 · ‎09-08-2005

After performing the 2 deletions you mentioned, below is my space available:

Filesystem 1k-blocks Used Available Use% Mounted on

/dev/hda4 362625 246733 97169 72% /

/dev/hda1 115149 57087 52117 53% /bootmnt

/dev/hda2 2475 14 2436 1% /usr/cids/idsRoot/shared

/dev/hda3 4389 23 4321 1% /core

none 525312 500500 24812 96% /usr/cids/idsRoot/var/eventStore

none 525312 40 525272 1% /usr/cids/idsRoot/var/iplogs

none 533504 0 533504 0% /usr/cids/idsRoot/tmp

none 5120 0 5120 0% /tmp

none 8192 200 7992 3% /varmnt

none 1940776 0 1940776 0% /dev/shm

Clearly / still is not coming even close to havin enough space as required by this update.

emad.mohamed · ‎09-08-2005

The Sig updates S189 file size is 21.6M, there is enough space on the IDS sensore (17G avaliable). is there is some mantainance that we sould run on the IDS before insalling the new SP?

jamesand · ‎09-08-2005

You may not be facing the same issue. Did you get any error message duirng your upgrade to 4.1(5)?

wrh123456789 · ‎09-08-2005

Other than the lack of space, no. And as for the sensor that worked later after the removal of some files, the installation completed without errors.

jamesand · ‎09-08-2005

I just re-read your original problem description. You do not need to reboot the sensor during the upgrade. You should wait for it to reboot itself (thie may take several minutes).

jamesand · ‎09-08-2005

Look for any large old .pkg files in the /usr/cids/idsRoot/var/updates directory. If this does not do it then reboot the sensor and please email me the following output (jamesand@cisco.com):

df -k

du -hs /*

du -hs /usr/cids/idsRoot/*

marcabal · ‎09-08-2005

Some additional things to try:

1) Execute "show version" to determine you current Signature level.

2) Now login as user service and switch to user root.

3) cd /usr/cids/idsRoot/var/updates

4) ls

5) Remove the IDS-sig-4.1-4-SXXX.rpm.pkg files for any signature level that is less than the current sig level installed on your sensor. (Only the latest needs to be in this directory, and be sure not to remove any of the other directories/files)

6) Remove the IDS-K9-sp-4.1-5-S189.rpm.pkg that may be there from the previous installation attempt.

7) cd /usr/cids/idsRoot/var/updates/scripts

8) Again remove any IDS-sig-4.1-4-SXXX.rpm.pkg files older than the current signature level.

9) Reboot the sensor (This will help clear out temporary files on sensors that have been running for a long time)

Now check the disk space, and if there is enough then go ahead and try the install again.

If more room is still needed then you can try the following:

Try to find abnormally large files:

As user root go to the / directory and execute "du -sk *". It will calculate disk usage per directory.

You can then cd into a directory that looks too high. Use "ls -l" to look for large files that don't need to be there. Also you can execute "du -sk *" within the directory to get disk usage on it's subdirectories. Repeat the process as needed in each of the subdirectories until you find the problem files.

I have heard that /var/log has had some large files in the past, so you may want to start there.

If you are worried about deleting any of the files, then send me the output of your findings with "du -sk" and "ls -l" and I can let you know if they are OK to delete.

Marco

rsmith · ‎09-08-2005

I have the same issue, and somewhat of a newbie on the IPS sensor (4250). I noted that the IdsEventStore file is 256Mb. (usr/cids/idsRoot/var/eventStore).

Can this file be safely deleted? (New sensor, we are not archiving events yet, just logging and trying to tune).

jamesand · ‎09-08-2005

No, this is where all events (alarms, errors, status) get logged on the sensor to be pulled off by your monitoring applications (very key file).

Please send me the following info in email (jamesand@cisco.com). You can open a Cisco TAC case if you feel more comfortable doing that.

- 4.1(5) upgrade err msg

- from service account, su to root (same PW as svc acct PW)

# df -k

# du -hs /*

# du -hs /usr/cids/idsRoot/*

emad.mohamed · ‎09-20-2005

I expanded the FTPTIME-OUT on the IDS devices from the default 300sc to 1000sc. Then I reboot the IDS sensor, after that I was able to update it from S188 to the new SP S189.

Please let me know if you have nay questions.

Thank you,