cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
827
Views
0
Helpful
8
Replies

IDS CSPM Services stopped running on NT

vpoole
Level 1
Level 1

It appears that the IDS services on my CSPM 2.3.3i(Windows NT) machine is no longer running. I have not been able to discover why these services won't start. I was wondering if anyone has experienced this type of problem before and could offer any suggestions?

Thanks

8 Replies 8

dmorone
Level 1
Level 1

This happens to me all the time. I start the service every four hours with AT:

C:\>at

Status ID Day Time Command Line

-------------------------------------------------------------------------------

19 Each M T W Th F S Su 12:00 AM d:\cspm\start_cspm.bat

20 Each M T W Th F S Su 8:00 AM d:\cspm\start_cspm.bat

21 Each M T W Th F S Su 4:00 AM d:\cspm\start_cspm.bat

22 Each M T W Th F S Su 12:00 PM d:\cspm\start_cspm.bat

23 Each M T W Th F S Su 4:00 PM d:\cspm\start_cspm.bat

24 Each M T W Th F S Su 8:00 PM d:\cspm\start_cspm.bat

start_cspm.bat:

net start "Cisco Controlled Host Component"

Thanks for this information, which I will used. However, when I check the service to see if it is running, it shows that it is running. In this case using the "net start" to start the service didn't seem to make a difference. Perhaps I'm not understanding the error that I'm getting correctly. When I to open the database by going to "Tools" then "View Sensor Events" then "Database" I receive the following error:

Services Not Running!

vpoole
Level 1
Level 1

Let me try proving a little more information. When I checked the service “Cisco Controlled Host Component” to see if it is running, it shows that it is running. I also used the "net start" command to start this service just to make sure, which didn't seem to make any difference. Perhaps I do not understand the error that I'm getting. When I go to open the Event Browser by going to "Tools" then "View Sensor Events" then "Database" I receive the following error:

*****

Services Not Running!

Your local machine’s IDS services do not appear to be running.

Your Connection Status Panel will not be operational and you will not be able to view Live Event Feeds.

If you want to use the Connection Status Panel or Live Event Feeds, then it is recommended that you shut down the Event Browser, start the services, then restart the Event Browser.

*****

I am also receiving this Warning.

*****

Warning!

The Window “Event Viewer – Database Events – CSIDS Alarms” reached the Maximum number of events as specified in the Preferences Panel.

Consider increasing the appropriate value in the Preferences Panel.

*****

I have rebooted the NT machine, stopped and started the “Cisco Controlled Host Component”, but nothing I do seems to change or correct this problem.

Also, I have not been able to find the “Preferences Panel” that is referred to in the warning message.

Any and all suggestions are welcome.

Sounds like you turned logging on for your ids but are not archiving the files off to a ftp server. The ids has about a 9GB drive and the ids logs will fill it up real fast.

You will have to delete the files and then reboot the ids to have the ids start & then turn logging off or have the log files sent to a ftp server.

Thank you for your response, I have CSPM installed in a raid environment with 45 GB’s available and I’ve only used 1 GB so far. However, there maybe some thresholds set somewhere that I’m not aware of. I did a shutdown of the database services and tried to run fmcompact.exe. This ran for a minute or so until it reached “Create frames for type EventStreams” it then stops and I get message stating that an application error has occurred.

fmcompact.exe

Exception: access violation (0xc0000005), Address: 0x102636ea.

I tried rebooting the system and ran fmcompact.exe again receiving the same error. Also, there is nothing in my log folder.

Do you think I have a corrupted database?

Do you have any other suggestions?

I was directing the disk space answer (9GBs) towards the IDS itself - not the CSPM NT server. If you telnet or ssh to the IDS as netrangr - cd bin - run nrstatus - does it show your services are running there? If not, cd to the /usr/nr/var directory & look at the directories under there and see if you have alot of log files. If you do - delete some or all - do a su to switch to being the root id - issue a reboot & see after the ids reboots if you can talk to it from your CSPM NT server.

If not - then I would back my CSPM database and profiles up - reinstall CSPM ...

That's all I know and that is what I would do.

Thanks for your advice. I have 5 services running on each of my netrangers, they are nr.configd, nr.packetd, nr.postofficed, nr.fileXferd, and nr.sapd

I trimed the logfiles as you suggested, which were getting to big.

However, I'm still getting the same message about services on my local machine not running. Go figure. Anyway, your suggestion was helpful, even if it didn't solve the issue.

I have the same problem, on the ids there is enought disc space and also on the nt server. the Cisco Controlled Host Component seems to be running but i get the same messages that the IDS SERVICE is not running.

Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community: