This section examines some problems that often occur and how to resolve them.
Why can't I download the CSA Agent kit from CSA MC on Windows 2003?
You may have problems with downloading the CSA Agent kit on Windows 2003 directly from CSA MC due to the extra Internet Explorer (IE) security settings in Windows 2003. To take off the extra security go to:
Add/Remove Programs > Windows Components > Internet Explorer Enhanced Security Configuration
Removing this Windows component should remove some of the security on IE that could be blocking the download of the agent kit installer.
Where can I find CSA MC and Security Agent documentation?
For CSA MC and CSAgent documentation refer to the following:
Where can I download the latest versions and patches for CSA MC?
Go to the following location to get the latest version and patches of CSA (you must be a registered user):
Where can I find information on existing bugs for CSA MC?
You can go to the following link to find the details on existing bugs:
CSA MC keeps saying I need to generate rules, even after I generate them. What should I do now?
This is a time issue. Set the clock to the correct time.
What ports do I need to open in my firewall to allow agents to communicate with CSA MC?
These agent components and relevant ports are needed for communication to the CSA MC:
- - Registration By default, the CSAgents communicate to the CSA MC on TCP port 5401. If that port is not available, the agents try TCP port 443 instead.
- - Browsing If you use a Web browser to communicate to the CSA MC, open TCP ports 1741, 1742, and 443.
- - Profiler The Profiler communicates with CSA MC on TCP port 5402.
I have disabled logging for a particular rule. However, I am still receiving logs for this rule. Is this normal?
In CSA MC Version 4.0.2 when the group is in test mode, these rule types are logged regardless of the configuration:
- Application control
- COM component access control
- File access control
- File version control
- Registry access control
For all other rule types, logging will be enabled or disabled as configured. In CSA MC Version 4.5 and later, the logging configuration is utilized for all rules types regardless of whether the group is in test or production mode.
How do I switch an agent from test mode to production?
To place a CSAgent in production mode, use the CSA MC to place the CSAgent's group into production mode:
From CSA MC, go to Systems > Groups.
Select the group that the agent is in.
In the group properties, uncheck the Test mode check box.
Click on Generate rules. The next time the agent polls the CSA MC and downloads the new setup, it is placed in production mode.
Where can I get information about each policy and a description for the rules?
In CSA MC, go to Configuration > Policies and select the policy you want to view. Then click the Explain rules link for a detailed description of each rule in the policy. This link is also available for a group in which multiple policies are applied, and for an individual host that may belong to multiple groups.
What are the run levels for the CSA Agent on UNIX?
These are the run levels for the CSA Agent on UNIX:
For information about run levels, type the main init command to refer to the manual for init on UNIX.
Can I generate Reports Using Crystal Reports from CSA MC Database?
You can get events directly from the CSA MC DB if you choose, but Cisco changes the database schema often enough that any application written for a specific version of the CSA MC product will most likely not work when the next version comes out. It should not be a surprise that CSA MC DB will be modified whenever necessary to make the product better. However, there is a view in the product that you may use (or use a FULL version of SQL Server and look at CSA MC Schema). Refer to the following link for additional details: http://www.cisco.com/en/US/products/sw/secursw/ps5057/products_configuration_guide_chapter09186a0080424781.html#wp953202
How can I change the Profiler port from default?
If you have a firewall blocking the default port between the profiler and the CSAgent, use the following procedure to change the port from default:
Open a DOS window and change the directory to program files\Cisco\CSAgent\bin.
Type report_install u to uninstall the existing port number, which is 5402 by default.
Type report_install -p 8000 i to install the new port number. In this example, 8000 is the new port number that you want Profiler to use.
To see which port is used by Profiler, look at sfront.cf in the program files\Cisco\CSAgent\cfg directory.
Is it possible to attach a saved database instead of export and import?
Yes, it is possible. Actually, if for some reason you forget to export the database and then uninstall the CSA MC, and during uninstall you save the database, you can attach the saved database files with the following procedure:
Reinstall CiscoWorks VMS, and then reinstall CSA MC. This will install a generic database. You must first detach this generic database so you can use the saved database files.
To detach the database, at the CMD prompt type the command on DOS prompt (osql -E is case sensitive) as shown in Example 21-14.
Example 21-14. Detaching the Database Using SQL
osql -E osql>sp_detach_db csamc45 <enter> osql>go <enter> osql>exit <enter>
Delete or rename the generic database files found in Program Files\CSCOpx\CSAMC45\db\(csamc45.mdf and csamc45_log.ldf)
Copy or move the saved database files (csamc45.mdf and csamc45_log.ldf) into the Program Files\CSCOpx\CSAMC45\db\ directory.
Open a CMD prompt and type the commands shown in Example 21-15 (anything after the at sign ( @ ) is the exact path to your CSA MC system. This example uses the e:\drive).
Example 21-15. Attaching the Database
osql -E <enter> osql>sp_attach_db @dbname='csamc45' , @filename1='e:\program files\CSCOpx\csamc\db\csamc45.mdf `, @filename2='e:\program files\CSOpx\csamc\db\csamc45_log.ldf ` <enter> osql>go <enter> osql>exit <enter> net start csamc.
Restore the certificates used by this database.