Tips for finding Knowledge Articles

  • - Enter just a few key words related to your question or problem
  • - Add Key words to refine your search as necessary
  • - Do not use punctuation
  • - Search is not case sensitive
  • - Avoid non-descriptive filler words like "how", "the", "what", etc.
  • - If you do not find what you are looking for the first time,reduce the number of key words you enter and try searching again.
  • - Minimum supported Internet Explorer version is IE9
Home  >

KB-3047: DA agent in offline mode and collector returned "Offset and length were out of bounds" error

Auditing and Monitoring Service ,  

2 March,17 at 05:39 PM

Applies to: Centrify DirectAudit 3.0.x only on all platforms
1. The DA agent is in offline mode as seen in dainfo --diag. Telnet on port 5063 works fine.
dainfo --diag
Establishing connection with dad: Success
Dad's current state: The agent is not connected to a Collector
Attempting to connect to collectors:
Host: - Error: Timed out connecting to server (AIX handler)
a. The database is up and running and the collectors are online as well. This was verified from the Collector control panel and the DirectAudit Console. 
b. An attempt was made to restart dad (DA daemon) on the Linux/Unix machine and the collector service on the Windows machine, but it did not resolve the issue.
Collector logs show the following messages:
[2013-04-18 14:06:23.151 -0400] collector.exe[15380,7] Warning: DadSession.ProcessStdinData: Stdin buffer not big enough. Need 260 bytes. Assume not a command line.
[2013-04-18 14:06:23.154 -0400] collector.exe[15380,7] Error: DadConnection.Process: Centrify DirectAudit internal error: System.ArgumentException: Offset and length were out of bounds for the array or count is greater than the number of elements from index to the end of the source collection.
[2013-04-18 14:06:23.154 -0400] collector.exe[15380,7] Error: DadConnection.Process: at System.Buffer.BlockCopy(Array src, Int32 srcOffset, Array dst, Int32 dstOffset, Int32 count)
The collector throws an exception when multiple lines of stdin data comes in one packet. The assumption in stdin processing code is that there is only one stdin line in a packet, in the case of a 300+ by multi-line stdin data, the data buffer copying code hits an exception.
On the audited machine(s), perform the following as root:
1. Open the centrifyda.conf file (located in /etc/centrifyda)
2. Search and change the value of dash.auditstdin from true to false by uncommenting it.
3. If the audited data is NOT needed, issue a /usr/sbin/dastop command to stop the audit daemon. 
4.  Under /var/centrifyda/spool-dbqc, the offline spool file should be renamed to say (or anything else). This is a critical step that needs to be followed for auditing to resume in future.
4. Restart DirectAudit daemon by running /usr/sbin/dad restart(for example: Linux).
Note: Standard input won't be audited by setting dash.auditstdin to false
Additional info about the parameter:
dash.auditstdin (true) Specifies whether the agent captures STDIN data, for example, to capture input when the user runs echo off.
true:  Records all session activity, including STDIN, STDOUT, and STDERR.
false: Records session activity, but does not capture STDIN data
The above steps is a workaround. Centrify fixed this issue in Suite 2013.2 (specifically the Collector component needs to be upgraded).  Those running into this issue can send the corrupted spool file located in /var/centrifyda/spool-dbqc to Support for troubleshooting/recovery  purposes.
Examples of Standard input:
Input to Unix commands is normally given from the keyboard. For example you can use the cat command interactively:
%  cat
Hello Centrify
Note that input from the keyboard is terminated with the end-of-file character, usually ^D. 
For another example consider the spell command, which is the unix spelling checker:
% spell       
The spell command outputs words that are incorrectly spelled in the input.
% vi /tmp/test
Copy and paste text from another file.
The above commands will not be audited if  dash.auditstdin is set to false


This issue has been fixed in DirectAudit version 3.1.0 a.k.a Centrify Suite 2013.2.