Management Center for IDS Sensors fails to query sensor

d.rehfeldt
Level 1

The sensor is an IDSM-2 in a 6509. My other IDSM-2 module does not give me this problem.

I receive an error message when attempting to query the sensor after a signature upgrade to check on the signature version on the sensor: "Query Sensor version failed. Please check the Audit Log for details"

I notice entries in the audit log when this problem occurs: "RDEP Collector (sensor_name_here) parsed an evError: errSyslog lastlog_perform_login: Couldn't stat /var/log/lastlog: No such file or directory"

A restart of the sensor corrects the problem for a short time. Has anyone else experienced this problem?

4 Replies

piseli
Level 1

Have you upgraded your IDS MC to the latest IDS version? Otherwise the IDS MC will not be able to communicate with it!

IDS MC SIGNATURE UPDATE INSTRUCTIONS

The IDS-sig-4.1-4-S106.zip signature update can only be applied to IDS MC version 1.2 or later.

INSTALLATION

To install the version S10x signature update on an IDS MC, follow these steps:

1. Download the S10x MC signature update ZIP file, IDS-sig-4.1-4-S10x.zip, to the /MDC/etc/ids/updates directory on the server where you have installed IDS MC, from the following website: http://www.cisco.com/cgi-bin/tablebuild.pl/mgmt-ctr-ids
2. Start IDS MC from the CiscoWorks2000 Server desktop.
3. Select Configuration > Updates.
4. In the TOC, select Update Network IDS Signatures.
5. Select a file from the Update File list box and click Next.
6. Select the sensor(s) you want to update and click Next.
7. Click Finish.

Sincerely,

Patrick

Thank you for the reply. Yes, I have upgraded the MC. I am able to communicate with, and update, the other sensors, including another IDSM-2, without any problems.

flyingmunk
Level 1

I think the 'evError' is probably a benign error, and not related to, or causing, the issue with the sensor query.

Try logging in to the sensor as the 'service' account, and go to the var log directory. Just for giggles, do a 'touch lastlog'. See if this resolves that problem.

I don't have a 'lastlog' on any of my sensors, but I do know that if I run '/usr/bin/lastlog', I receive the message you are getting. Anyway, I don't think this is a big issue.

What version is currently on the blade? Not what you have listed in the 'MC', but what you get when you run a 'show ver' on the sensor.

My guess is that when you are querying the sensor, either the update is not finished, or some of the services are not back up, or busy. After you get the 'query error', if you SSH to the sensor and run 'show ver', has it done the update?

Next time you get this error, SSH to the sensor and run the 'sho ver' command. See if all of the services are running, and note if the update was successful.

With older versions of 4.x updates (S53 down, I think) there were some issues with updates failing with the above message.

Since this is an IDSM-2, give it 10 or 15 minutes after you update the sigs to run the query. If you are running the update and then query immediately, you can almost be sure you'll get an error.

Hope this helps.

Chris
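The reply above boils down to two checks a practitioner can script: triage the MC audit log so the lastlog noise is not mistaken for a real RDEP query failure, and confirm on the sensor itself (via 'show version') that the expected signature level is installed and every service is back to Running before asking the MC to query it. The following is an added example written for this page; it is not code from the thread, from Cisco, or from IDS MC. The audit log lines and 'show version' transcripts embedded in it are constructed: the lastlog line is modelled on the one quoted in the original post, and the 'show version' layout only approximates IDS 4.x output, so the regular expressions are assumptions to adapt to a real sensor. The fetch() callable passed to wait_for_update() is a stand-in for whatever runs 'show version' over SSH in your environment.

```python
"""Post-update sanity check for an IDS 4.x sensor (added example, not from the thread)."""
import re
import time
from typing import Callable, Dict, List, Tuple

# Constructed IDS MC audit log lines. The first is modelled on the message quoted
# in the original post; the other two are made up for the demo.
SAMPLE_AUDIT = [
    "RDEP Collector (sensor-a) parsed an evError: errSyslog lastlog_perform_login: "
    "Couldn't stat /var/log/lastlog: No such file or directory",
    "Query Sensor version failed. Please check the Audit Log for details",
    "Signature update S106 pushed to sensor-a",
]


def classify_audit_line(line: str) -> str:
    """Heuristic triage of one audit log line.

    'benign'        -> the lastlog noise: the sensor's login code stat()s a file
                       that simply does not exist on the IDSM-2.
    'query-failure' -> the MC could not complete an RDEP version query.
    'other'         -> anything else.
    The lastlog check runs first because that line also contains 'parsed an evError'.
    """
    if "Couldn't stat /var/log/lastlog" in line:
        return "benign"
    if "Query Sensor version failed" in line or "parsed an evError" in line:
        return "query-failure"
    return "other"


# Constructed 'show version' transcripts. The layout approximates IDS 4.x output
# but was NOT captured from a real sensor; adjust the regexes to your platform.
SHOW_VER_BUSY = """\
Cisco Systems Intrusion Detection Sensor, Version 4.1(4)S106
Platform: WS-SVC-IDSM2
MainApp            2004_Apr_15_15.00   (Release)   Running
AnalysisEngine     2004_Apr_15_15.00   (Release)   Not Running
WebServer          2004_Apr_15_15.00   (Release)   Running
"""
SHOW_VER_DONE = SHOW_VER_BUSY.replace("Not Running", "Running")   # update finished
SHOW_VER_OLD = SHOW_VER_DONE.replace("S106", "S91")               # update never applied

# Assumed formats: 'Version 4.1(4)S106' and one '<service> <build> (Release) <state>' line per service.
VERSION_RE = re.compile(r"Version\s+\d+\.\d+\(\d+\)(S\d+)")
SERVICE_RE = re.compile(r"^(\w+)\s+\S+\s+\(Release\)\s+(Running|Not Running)\s*$", re.M)


def parse_show_version(text: str) -> Tuple[str, Dict[str, str]]:
    """Return (signature_level, {service: state}) parsed from 'show version' text."""
    m = VERSION_RE.search(text)
    sig = m.group(1) if m else ""
    services = {name: state for name, state in SERVICE_RE.findall(text)}
    return sig, services


def update_complete(text: str, expected_sig: str) -> Tuple[bool, List[str]]:
    """True only when the expected signature level is installed and every listed
    service reports Running; otherwise False plus human-readable reasons."""
    sig, services = parse_show_version(text)
    reasons: List[str] = []
    if sig != expected_sig:
        reasons.append(f"signature level is {sig or 'unknown'}, expected {expected_sig}")
    if not services:
        reasons.append("no service lines found")
    for name, state in services.items():
        if state != "Running":
            reasons.append(f"{name} is {state}")
    return not reasons, reasons


def wait_for_update(fetch: Callable[[], str], expected_sig: str,
                    timeout_s: float = 900, interval_s: float = 60,
                    sleep: Callable[[float], None] = time.sleep) -> Tuple[bool, int]:
    """Poll fetch() (a wrapper that runs 'show version', e.g. over SSH) until the
    update is complete or timeout_s elapses. Defaults implement the 15-minute
    wait suggested in the thread. Returns (ok, number_of_polls). Elapsed time is
    counted from the sleeps performed, so a no-op sleep makes this testable."""
    elapsed = 0.0
    polls = 0
    while True:
        polls += 1
        ok, _ = update_complete(fetch(), expected_sig)
        if ok or elapsed >= timeout_s:
            return ok, polls
        sleep(interval_s)
        elapsed += interval_s


if __name__ == "__main__":
    for line in SAMPLE_AUDIT:
        print(f"{classify_audit_line(line):14} {line[:70]}")
    # Simulate a sensor whose AnalysisEngine comes back on the third poll.
    responses = iter([SHOW_VER_BUSY, SHOW_VER_BUSY, SHOW_VER_DONE])
    ok, polls = wait_for_update(lambda: next(responses), "S106", sleep=lambda s: None)
    print(f"update complete after {polls} polls: {ok}")
```

In practice you would replace the lambda with a function that opens an SSH session to the sensor, runs 'show version' and returns the text, then run the MC version query only after wait_for_update() reports success; a timeout is the cue to look at the sensor directly rather than at the MC audit log.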

Thank you for the reply. You are correct that /var/log/lastlog does not exist on either of my IDSM-2 modules. I usually check the signature version update after a couple of hours, and the other sensors all show that they have been updated. A workaround for me has been to reset the IDSM-2 module that is experiencing this problem just before the signature upgrade, and the upgrade process is always successful. I will continue to troubleshoot this issue some more before opening a support ticket.