03-13-2002 09:19 AM - edited 03-08-2019 10:03 PM
It appears that the IDS services on my CSPM 2.3.3i (Windows NT) machine are no longer running. I have not been able to discover why these services won't start. I was wondering if anyone has experienced this type of problem before and could offer any suggestions?
Thanks
03-13-2002 10:36 AM
This happens to me all the time. I start the service every four hours with AT:
C:\>at
Status ID Day Time Command Line
-------------------------------------------------------------------------------
19 Each M T W Th F S Su 12:00 AM d:\cspm\start_cspm.bat
20 Each M T W Th F S Su 8:00 AM d:\cspm\start_cspm.bat
21 Each M T W Th F S Su 4:00 AM d:\cspm\start_cspm.bat
22 Each M T W Th F S Su 12:00 PM d:\cspm\start_cspm.bat
23 Each M T W Th F S Su 4:00 PM d:\cspm\start_cspm.bat
24 Each M T W Th F S Su 8:00 PM d:\cspm\start_cspm.bat
start_cspm.bat:
net start "Cisco Controlled Host Component"
03-13-2002 11:01 AM
Thanks for this information, which I will use. However, when I check the service to see if it is running, it shows that it is running. In this case using the "net start" to start the service didn't seem to make a difference. Perhaps I'm not understanding the error that I'm getting correctly. When I go to open the database by going to "Tools" then "View Sensor Events" then "Database" I receive the following error:
Services Not Running!
03-13-2002 11:28 AM
Let me try providing a little more information. When I checked the service Cisco Controlled Host Component to see if it is running, it shows that it is running. I also used the "net start" command to start this service just to make sure, which didn't seem to make any difference. Perhaps I do not understand the error that I'm getting. When I go to open the Event Browser by going to "Tools" then "View Sensor Events" then "Database" I receive the following error:
*****
Services Not Running!
Your local machines IDS services do not appear to be running.
Your Connection Status Panel will not be operational and you will not be able to view Live Event Feeds.
If you want to use the Connection Status Panel or Live Event Feeds, then it is recommended that you shut down the Event Browser, start the services, then restart the Event Browser.
*****
I am also receiving this Warning.
*****
Warning!
The Window Event Viewer Database Events CSIDS Alarms reached the Maximum number of events as specified in the Preferences Panel.
Consider increasing the appropriate value in the Preferences Panel.
*****
I have rebooted the NT machine, stopped and started the Cisco Controlled Host Component, but nothing I do seems to change or correct this problem.
Also, I have not been able to find the Preferences Panel that is referred to in the warning message.
Any and all suggestions are welcome.
03-13-2002 01:20 PM
Sounds like you turned logging on for your IDS but are not archiving the files off to an FTP server. The IDS has about a 9GB drive and the IDS logs will fill it up real fast.
You will have to delete the files and then reboot the IDS to have the IDS start & then turn logging off or have the log files sent to an FTP server.
03-13-2002 02:26 PM
Thank you for your response. I have CSPM installed in a RAID environment with 45 GBs available and I've only used 1 GB so far. However, there may be some thresholds set somewhere that I'm not aware of. I did a shutdown of the database services and tried to run fmcompact.exe. This ran for a minute or so until it reached "Create frames for type EventStreams"; it then stops and I get a message stating that an application error has occurred.
fmcompact.exe
Exception: access violation (0xc0000005), Address: 0x102636ea.
I tried rebooting the system and ran fmcompact.exe again receiving the same error. Also, there is nothing in my log folder.
Do you think I have a corrupted database?
Do you have any other suggestions?
03-14-2002 06:14 AM
I was directing the disk space answer (9GBs) towards the IDS itself - not the CSPM NT server. If you telnet or ssh to the IDS as netrangr - cd bin - run nrstatus - does it show your services are running there? If not, cd to the /usr/nr/var directory & look at the directories under there and see if you have a lot of log files. If you do - delete some or all - do a su to switch to being the root id - issue a reboot & see after the IDS reboots if you can talk to it from your CSPM NT server.
If not - then I would back my CSPM database and profiles up - reinstall CSPM ...
That's all I know and that is what I would do.
03-14-2002 10:38 AM
Thanks for your advice. I have 5 services running on each of my netrangers; they are nr.configd, nr.packetd, nr.postofficed, nr.fileXferd, and nr.sapd.
I trimmed the logfiles as you suggested, which were getting too big.
However, I'm still getting the same message about services on my local machine not running. Go figure. Anyway, your suggestion was helpful, even if it didn't solve the issue.
03-15-2002 04:38 AM
I have the same problem. On the IDS there is enough disk space, and also on the NT server. The Cisco Controlled Host Component seems to be running, but I get the same messages that the IDS SERVICE is not running.