1. The DA agent is in offline mode, as seen in the output of dainfo --diag. Telnet on port 5063 works fine.
Establishing connection with dad: Success
Dad's current state: The agent is not connected to a Collector
Attempting to connect to collectors:
Host: CENTRIFYTEST.yourdomain.com - Error: Timed out connecting to server (AIX handler)
a. The database is up and running and the collectors are online as well. This was verified from the Collector control panel and the DirectAudit Console.
b. An attempt was made to restart dad (DA daemon) on the Linux/Unix machine and the collector service on the Windows machine, but it did not resolve the issue.
Collector logs show the following messages:
[2013-04-18 14:06:23.151 -0400] collector.exe[15380,7] Warning: DadSession.ProcessStdinData: Stdin buffer not big enough. Need 260 bytes. Assume not a command line.
[2013-04-18 14:06:23.154 -0400] collector.exe[15380,7] Error: DadConnection.Process: Centrify DirectAudit internal error: System.ArgumentException: Offset and length were out of bounds for the array or count is greater than the number of elements from index to the end of the source collection.
[2013-04-18 14:06:23.154 -0400] collector.exe[15380,7] Error: DadConnection.Process: at System.Buffer.BlockCopy(Array src, Int32 srcOffset, Array dst, Int32 dstOffset, Int32 count)
The collector throws an exception when multiple lines of stdin data arrive in one packet. The stdin processing code assumes that there is only one stdin line in a packet; in the case of 300+ bytes of multi-line stdin data, the data buffer copying code hits an exception.
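To confirm that a collector log shows this failure rather than an unrelated connection problem, the check below pairs each "Stdin buffer not big enough" warning with the System.ArgumentException error that follows it on the same process and thread. It is an added example, not Centrify code; the function name, the one-second correlation window and the sample log (built from the lines above, with one constructed extra warning) are assumptions.

```python
import re
from datetime import datetime, timedelta

# Constructed sample in the collector log format shown above (second message shortened).
SAMPLE_LOG = """\
[2013-04-18 14:06:23.151 -0400] collector.exe[15380,7] Warning: DadSession.ProcessStdinData: Stdin buffer not big enough. Need 260 bytes. Assume not a command line.
[2013-04-18 14:06:23.154 -0400] collector.exe[15380,7] Error: DadConnection.Process: Centrify DirectAudit internal error: System.ArgumentException: Offset and length were out of bounds for the array
[2013-04-18 14:06:23.154 -0400] collector.exe[15380,7] Error: DadConnection.Process: at System.Buffer.BlockCopy(Array src, Int32 srcOffset, Array dst, Int32 dstOffset, Int32 count)
[2013-04-18 14:09:10.000 -0400] collector.exe[15380,9] Warning: DadSession.ProcessStdinData: Stdin buffer not big enough. Need 300 bytes. Assume not a command line.
"""

LINE_RE = re.compile(
    r"^\[(?P<ts>\d{4}-\d\d-\d\d \d\d:\d\d:\d\d\.\d{3}) (?P<tz>[+-]\d{4})\] "
    r"(?P<proc>\S+)\[(?P<pid>\d+),(?P<tid>\d+)\] (?P<level>\w+): (?P<msg>.*)$"
)
NEED_RE = re.compile(r"Stdin buffer not big enough\. Need (\d+) bytes")

def find_stdin_overflow(log_text, window=timedelta(seconds=1)):
    """Return one hit per stdin-buffer warning that is followed, on the same
    pid/thread and within `window`, by the ArgumentException error."""
    pending = {}  # (pid, tid) -> (warning time, bytes needed)
    hits = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # skip lines that are not in the collector log format
        ts = datetime.strptime(m["ts"] + " " + m["tz"], "%Y-%m-%d %H:%M:%S.%f %z")
        key = (int(m["pid"]), int(m["tid"]))
        need = NEED_RE.search(m["msg"])
        if m["level"] == "Warning" and need:
            pending[key] = (ts, int(need.group(1)))
        elif (m["level"] == "Error" and "System.ArgumentException" in m["msg"]
              and key in pending):
            warned_at, size = pending.pop(key)
            if ts - warned_at <= window:
                hits.append({"time": warned_at, "pid": key[0], "tid": key[1], "need_bytes": size})
    return hits

if __name__ == "__main__":
    for hit in find_stdin_overflow(SAMPLE_LOG):
        print(hit)
```

A warning with no matching error, such as the last sample line, is not reported, so only sessions that actually hit the exception are counted.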
On the audited machine(s), perform the following as root:
1. Open the centrifyda.conf file (located in /etc/centrifyda)
2. Search for dash.auditstdin, uncomment it, and change its value from true to false.
3. If the audited data is NOT needed, issue a /usr/sbin/dastop command to stop the audit daemon.
4. Under /var/centrifyda/spool-dbqc, rename the offline spool file to, for example, spool-dbqc.date (or anything else). This is a critical step that must be followed for auditing to resume in the future.
dash.auditstdin (true) Specifies whether the agent captures STDIN data, for example, to capture input when the user runs echo off.
true: Records all session activity, including STDIN, STDOUT, and STDERR.
false: Records session activity, but does not capture STDIN data.
Examples of Standard input:
Input to Unix commands is normally given from the keyboard. For example you can use the cat command interactively:
Note that input from the keyboard is terminated with the end-of-file character, usually ^D.
For another example consider the spell command, which is the unix spelling checker:
The spell command outputs words that are incorrectly spelled in the input.
Copy and paste text from another file.