The actuator process cannot be started on a TSIEM Windows Agent machine, audit controller reports the collects as in-progress


The scheduled collects on a TSIEM Windows agent do not complete, and the audit controller reports the following error in auditctl.log:

<20121210 14:30:12 utc> P259M902V0.0.1L2855A4S4E255:AudCont: Collect for AUDITHOST Microsoft Windows (18.1.267) on AUDITHOST(12.1.100) still in progress.

Diagnosing the problem

Enable dynamical tracing for the agent component on the TSIEM Windows Agent (see the Related Information section).

The CeSystemLog shows that the actuator process is being started repeatedly; each time, however, the actuator process exits immediately with error code 128.

Below is an excerpt of CeSystemLog:

    <20121210 16:18:04 utc> P261M902V0.0.1L1739A4S0E30:IPCSer: Starting '..\bin\actuator A:localhost:49152:15.1.267 ..\log\actuator267.log 12.1.100 28.1.162'
    <20121210 16:18:04 utc> P261M902V0.0.1L599A2S0E0:IpcKillProgram(ObjVal *povAdapt)
    <20121210 16:18:04 utc> P261M902V0.0.1L599A2S0E0:IpcSer (15.1.267) ::IpcKillProgram(). No job to kill
    <20121210 16:18:04 utc> P261M902V0.0.1L599A2S0E0:Crypt: Key_index used for crypting outgoing message: 1
    <20121210 16:18:04 utc> P261M902V0.0.1L599A2S0E0:CrmTimer: TimerRemove(): Deleting a timer with address 004C9F80
    <20121210 16:18:04 utc> P261M902V0.0.1L599A2S0E0:Route: RouteConnectionSetTimeOut(): TIMER : 12.1.1 in 3600000 msecs
    <20121210 16:18:07 utc> P261M902V0.0.1L599A2S0E0:IpcJobCallBack(CRM_JOB_DESCR *pJob,ObjVal *povAdapt,int iStatus)
    <20121210 16:18:07 utc> P261M902V0.0.1L599A2S0E0:IPCSER:jobcallback->kill con ( status = 128)
    <20121210 16:18:07 utc> P261M902V0.0.1L599A2S0E0:IpcKillConnection(ObjVal *povAdapt)
    <20121210 16:18:07 utc> P261M902V0.0.1L599A2S0E0:IpcKillConnection: removing Connection handle: 00922C50
    <20121210 16:18:07 utc> P261M902V0.0.1L599A2S0E0:IPCSER:killcon:S:Connecting
    <20121210 16:18:07 utc> P261M902V0.0.1L599A2S0E0:TCPIP Conn: Cancel connect localhost:49152
    <20121210 16:18:07 utc> P261M902V0.0.1L599A2S0E0:IpcSetState: 15.1.267 setting state ( S:Connecting -> S:No Connection )
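The following PowerShell script is an added example and not part of the technote or of the TSIEM product. It reads a CeSystemLog (or, when no path is given, a constructed sample built from the excerpt above) and counts actuator start attempts against status-128 exits, so the restart loop described above can be confirmed from the log alone. It assumes the line format shown in the excerpt, "<yyyymmdd hh:mm:ss utc> <prefix>:<message>", and the two message texts 'IPCSer: Starting ...\actuator ...' and 'jobcallback->kill con ( status = N)'.

```powershell
# Added example, not IBM's code: triage a CeSystemLog for the actuator
# restart loop. Assumes the line format and message texts shown in the
# excerpt in this technote.
param(
    [string]$LogPath = ''   # path to CeSystemLog; empty = use the embedded sample
)

# Constructed sample built from the excerpt above (two start/exit cycles),
# so the script runs without access to an agent machine.
$sample = @'
<20121210 16:18:04 utc> P261M902V0.0.1L1739A4S0E30:IPCSer: Starting '..\bin\actuator A:localhost:49152:15.1.267 ..\log\actuator267.log 12.1.100 28.1.162'
<20121210 16:18:07 utc> P261M902V0.0.1L599A2S0E0:IPCSER:jobcallback->kill con ( status = 128)
<20121210 16:18:07 utc> P261M902V0.0.1L599A2S0E0:IpcSetState: 15.1.267 setting state ( S:Connecting -> S:No Connection )
<20121210 16:19:04 utc> P261M902V0.0.1L1739A4S0E30:IPCSer: Starting '..\bin\actuator A:localhost:49152:15.1.267 ..\log\actuator267.log 12.1.100 28.1.162'
<20121210 16:19:07 utc> P261M902V0.0.1L599A2S0E0:IPCSER:jobcallback->kill con ( status = 128)
'@

$lines = if ($LogPath) { Get-Content -Path $LogPath } else { $sample -split "`r?`n" }

$starts = @()   # timestamps of actuator start attempts
$exits  = @()   # timestamp and exit status of each actuator exit

foreach ($line in $lines) {
    # Every log line starts with a timestamp such as <20121210 16:18:04 utc>
    if ($line -match '^<(\d{8} \d{2}:\d{2}:\d{2}) utc>') {
        $ts = [datetime]::ParseExact($Matches[1], 'yyyyMMdd HH:mm:ss',
                                     [cultureinfo]::InvariantCulture)
    } else {
        continue   # malformed or continuation line without a timestamp
    }
    if ($line -match 'IPCSer: Starting .*\\actuator ') {
        $starts += $ts
    } elseif ($line -match 'jobcallback->kill con \( status = (\d+)\)') {
        $exits += [pscustomobject]@{ Time = $ts; Status = [int]$Matches[1] }
    }
}

$status128 = @($exits | Where-Object { $_.Status -eq 128 }).Count
$first = if ($starts.Count -gt 0) { $starts[0] }  else { $null }
$last  = if ($starts.Count -gt 0) { $starts[-1] } else { $null }

[pscustomobject]@{
    StartAttempts  = $starts.Count
    Status128Exits = $status128
    OtherExits     = $exits.Count - $status128
    FirstAttempt   = $first
    LastAttempt    = $last
} | Format-List

# Every start answered by an immediate status-128 exit is the pattern this
# technote traces to desktop heap exhaustion (KB Q184802).
if ($starts.Count -ge 2 -and $status128 -eq $starts.Count) {
    $msg = 'actuator started {0} times and exited with status 128 each time; check desktop heap (SharedSection, KB Q184802).' -f $starts.Count
    Write-Warning $msg
}
```

Run it as `.\Check-ActuatorLoop.ps1 -LogPath 'D:\IBM\TSIEM\actuator\log\CeSystemLog'` (path assumed) on the agent, or without arguments to see it work on the embedded sample. A mix of status-128 and other exit codes, or a single failure, does not match the pattern and the warning is not raised.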

With the help of Microsoft's Process Monitor (formerly part of the Sysinternals toolset), it was found that the actuator.exe process aborts while trying to load kernel32.dll and ntdll.dll:

    Name: actuator.exe
    Path: D:\IBM\TSIEM\actuator\bin\actuator.exe
    Command Line: ..\bin\actuator A:localhost:49152:15.1.267 ..\log\actuator267.log 12.1.100 28.1.162
    PID: 2372
    Parent PID: 4736
    Session ID: 0
    User: TSIEM
    Auth ID: 00000000:3e567b49
    Architecture: 32-bit
    Virtualized: n/a
    Integrity: n/a
    Started: 10.12.2012 17:18:07
    Ended: 10.12.2012 17:18:07
    actuator.exe 0x400000 0x3a000 D:\IBM\TSIEM\actuator\bin\actuator.exe
    kernel32.dll 0x7c800000 0x115000 C:\WINDOWS\system32\kernel32.dll Microsoft Corporation 5.2.3790.4480 (srv03_sp2_gdr.090321-1244)
    ntdll.dll 0x7c920000 0xc9000 C:\WINDOWS\system32\ntdll.dll Microsoft Corporation 5.2.3790.4937 (srv03_sp2_qfe.111121-0236)

Resolving the problem

Investigation with Microsoft Support indicated that the problem was due to the operating system running out of desktop heap memory. See the Microsoft Knowledge Base article:

Article ID Q184802: User32.dll or Kernel32.dll fails to initialize

(See Related Information section for the URL link)

Use the procedure in the above Knowledge Base article, together with your system administrator, to configure and tune the SharedSection parameter in the following Windows Registry path on the TSIEM Windows agent:

HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Session Manager\SubSystems\Windows

A reboot is required for the changes to the registry to take effect.
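The following PowerShell script is an added example and not part of the technote or of the TSIEM product. It reads the SharedSection parameter from the registry path above and reports its three numbers, so the current desktop heap sizes are recorded before they are tuned. It changes nothing: which value to raise and by how much comes from KB Q184802 and your system administrator, not from this script. The meaning given to each number follows KB Q184802; the statement that the third number is the one that applies to the actuator assumes the actuator is launched by the agent service on a non-interactive window station (the Session ID of 0 in the Process Monitor output above is consistent with that, but does not prove it).

```powershell
# Added example, not IBM's code: read-only report of the SharedSection
# setting on a TSIEM Windows agent. Changes nothing; the value to set comes
# from KB Q184802 and your system administrator.
$keyPath = 'HKLM:\System\CurrentControlSet\Control\Session Manager\SubSystems'

# The "Windows" value is one long string; the part of interest looks like
#   SharedSection=<system-wide KB>,<interactive desktop KB>,<non-interactive desktop KB>
$windowsValue = (Get-ItemProperty -Path $keyPath -Name Windows).Windows

$m = [regex]::Match($windowsValue, 'SharedSection=(\d+),(\d+)(?:,(\d+))?')
if (-not $m.Success) {
    throw "SharedSection not found in $keyPath\Windows"
}

# Meaning of the three numbers as described in KB Q184802. Assumption: the
# actuator is started by the agent service on a non-interactive window
# station, so the third value (non-interactive desktop heap) is the one
# that applies to it.
$nonInteractive = if ($m.Groups[3].Success) { [int]$m.Groups[3].Value } else { $null }

[pscustomobject]@{
    SystemWideHeapKB            = [int]$m.Groups[1].Value
    InteractiveDesktopHeapKB    = [int]$m.Groups[2].Value
    NonInteractiveDesktopHeapKB = $nonInteractive   # $null when the third value is absent
    RawWindowsValue             = $windowsValue
} | Format-List
```

Run it from an elevated PowerShell prompt on the agent before and after the change, and keep both outputs with the change record; the RawWindowsValue field preserves the rest of the string so the edit can be checked for accidental damage to the other parameters in the same value.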

Related information

Enabling Dynamical Tracing
User32.dll or Kernel32.dll fails to initialize

