This is the standard procedure to follow if you are running the IBM_AIX Event collector for AIX event collection, which is a log-file-based event collector.
You can upgrade it to the UNIX OS Event collector, which uses syslog-based event collection.
1) Uninstalling SSIM Agent & Collector:
Uninstalling the collector component
When you uninstall the collector component, only the collector component is
removed. The collector component includes the part of the collector that collects
events from the third-party security products, processes them, and passes them
to the Symantec Event Agent.
To uninstall the collector component
- Navigate to the collector installation directory. On UNIX, the default directory is /opt/Symantec/sesa/Agent/collectors/ibm_aix.
- At the command prompt, type the following command:
./uninstall.sh
- You can now proceed with uninstalling the SSIM Event Agent.
Uninstalling the Symantec Event Agent
Uninstalling the Symantec Event Agent removes the Java application that performs
communication functions between Information Manager and the collector.
To uninstall the Symantec Event Agent
1. Navigate to the Agent installation directory, /opt/Symantec/sesa/Agent.
2. To uninstall the Symantec Event Agent, type the following command at the command prompt:
sh install.sh -u
3. Manually delete any remaining Symantec Event Agent files in the following directory:
/opt/Symantec/sesa/Agent
2) Installing SSIM Agent & Collector:
Updating the hosts file
To update the hosts file
1. Navigate to the /etc directory.
2. Use a text editor such as vi to open the hosts file.
3. Add the IP address and host name entries for the Information Manager
appliance.
4. After you have added the IP address and host name, save and close the file.
Ensure that the text editor you used did not add a file extension; the file must still be named hosts.
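The same hosts-file step, scripted so it can be repeated on every collector host without leaving stale or duplicate entries for the appliance. This is an added example, not part of the original SSIM procedure; the address 192.0.2.10 and the name ssim.example.com are placeholders for your Information Manager appliance, and the demo at the bottom works on a temporary copy so it never modifies /etc/hosts.

```shell
#!/bin/sh
# Added example: scripted, repeatable version of the "Updating the hosts file"
# step. Not part of the original SSIM procedure. The appliance IP and name used
# in the demo at the bottom are placeholders.

# ssim_add_host_entry FILE IP HOSTNAME
# Removes any existing line in FILE that maps HOSTNAME (a stale appliance IP is
# a common cause of agent connection failures), then appends "IP<TAB>HOSTNAME".
# A backup copy is written first. The result is written back into the original
# file rather than renamed over it, so ownership and mode are preserved and the
# "editor added a file extension" problem from the manual step cannot occur.
ssim_add_host_entry() {
    file=$1
    ip=$2
    name=$3
    cp -p "$file" "$file.bak.$(date +%Y%m%d%H%M%S)" || return 1
    awk -v n="$name" '{
        line = $0; sub(/#.*/, "", line)      # ignore comments when matching
        nf = split(line, f)
        keep = 1
        for (i = 2; i <= nf; i++) if (f[i] == n) keep = 0
        if (keep) print                       # pass every other line through
    }' "$file" > "$file.tmp" || { rm -f "$file.tmp"; return 1; }
    printf '%s\t%s\n' "$ip" "$name" >> "$file.tmp"
    cat "$file.tmp" > "$file" && rm -f "$file.tmp"
}

# ssim_lookup_host FILE HOSTNAME
# Prints the IP that FILE maps HOSTNAME to (first match wins, as the resolver does).
ssim_lookup_host() {
    awk -v n="$2" '{
        line = $0; sub(/#.*/, "", line)
        nf = split(line, f)
        for (i = 2; i <= nf; i++) if (f[i] == n) { print f[1]; exit }
    }' "$1"
}

# Demo against a temporary copy so running the example never touches /etc/hosts.
# Use /etc/hosts as FILE (as root) to perform the real step.
demo=$(mktemp)
printf '127.0.0.1\tlocalhost\n192.0.2.9\tssim.example.com\t# old appliance\n' > "$demo"
ssim_add_host_entry "$demo" 192.0.2.10 ssim.example.com
echo "ssim.example.com -> $(ssim_lookup_host "$demo" ssim.example.com)"
rm -f "$demo" "$demo".bak.*
```

Run it as root with /etc/hosts as FILE. Afterwards, getent hosts followed by the appliance name should return the IP you added; if it does not, check /etc/nsswitch.conf, because the hosts file is only consulted if files is listed before dns on the hosts line.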
Installing Symantec Event Agents
The Symantec Event Agent sends the data that is collected by the collector to the
Information Manager appliance.
Before you install the Symantec Event Agent, complete the following
steps in the order presented:
- Uninstall any previous version of the agent
- Ensure that there is network connectivity between the system where the agent
will be installed and the Information Manager appliance
- If there is a firewall between the agent computer and the Information Manager
appliance, ensure that the following ports are open:
TCP 5998
TCP 8086
TCP 443
TCP 80
To install the Symantec Event Agent:
- Copy the SSIM Agent file named symevtagent_4.5.0.12.tar to the Linux server.
- Navigate to the directory where you copied the .tar file.
- At the command prompt, type the following command:
tar -xvf symevtagent_4.5.0.12.tar
This command creates a subdirectory that is named Agent, and then unpacks the Event Agent installation files into that directory.
- At the command prompt, to run the install script, type the following commands:
cd Agent
sh ./install.sh
- At the prompts, enter the appropriate information.
To verify Symantec Event Agent connectivity from Information Manager:
- From a Windows computer that has the SSIM Client installed, log on with an Information Manager user account with sufficient rights to view events.
- In the Information Manager console, in the left pane, click System.
- On the Administration tab, expand the tree until you see Organizational Units.
- Expand Organizational Units > Default.
- Verify that the name of the collector computer is listed.
- Right-click the computer name, and then click Properties.
- In the Computer Properties dialog box, on the Services tab, verify that the Agent Service displays Yes in the Started column.
Installing the collector on a remote computer:
The collector component reads the data from the security product, formats the
data, and forwards it to the Symantec Event Agent.
To install the collector on a remote computer
- On the Linux machine, navigate to the install subdirectory of the collector installation files. The installation files are located in a temporary directory.
- At a command prompt, enter the following command:
sh ./install.sh
- Follow the installation wizard prompts.
- Run LiveUpdate on the installed collector component.
After the installation is complete, if logs do not resume through the new collector, follow the standard troubleshooting steps listed below:
1. Try disabling FIPS mode for the Agent installed on the Linux box.
2. Check the iptables rules on the Linux box; if possible, disable iptables temporarily to rule it out, and re-enable it once the cause is found.
3. Check whether your Linux box is actually receiving syslog messages from the AIX servers.
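A check for troubleshooting step 3, added here as an example and not part of the original procedure: it summarises which hosts have written to the local syslog file and reports which expected AIX servers are missing, so an AIX-side forwarding problem can be separated from a collector problem. The hostnames (aix01, aix02, aix03, linuxcol) and log lines are constructed; point LOGFILE at the file your syslog daemon writes remote messages to (commonly /var/log/messages).

```shell
#!/bin/sh
# Added example for troubleshooting step 3: confirm that syslog messages from the
# AIX servers are actually arriving in the collector host's syslog file before
# blaming the collector. Not part of the original procedure; the hostnames and
# log lines used in the demo are constructed.

# ssim_syslog_senders LOGFILE
# Summarises a BSD-style syslog file ("Mon DD HH:MM:SS host tag: msg", host is
# field 4) as "host count last-timestamp", one line per sending host.
ssim_syslog_senders() {
    awk 'NF >= 4 { c[$4]++; last[$4] = $1 " " $2 " " $3 }
         END { for (h in c) print h, c[h], last[h] }' "$1" | LC_ALL=C sort
}

# ssim_missing_senders LOGFILE HOST...
# Prints each expected HOST that has no messages in LOGFILE; returns 1 if any.
ssim_missing_senders() {
    logfile=$1; shift
    rc=0
    for h in "$@"; do
        n=$(awk -v h="$h" 'NF >= 4 && $4 == h { n++ } END { print n + 0 }' "$logfile")
        if [ "$n" -eq 0 ]; then
            echo "$h"
            rc=1
        fi
    done
    return $rc
}

# Demo with a constructed log: aix01 and aix02 forward, aix03 is silent.
demo=$(mktemp)
cat > "$demo" <<'EOF'
Mar  3 10:15:01 aix01 syslogd: restart
Mar  3 10:15:02 aix02 sshd[1234]: Accepted publickey for root from 198.51.100.7
Mar  3 10:15:03 aix01 su: root to oracle on /dev/pts/1
Mar  3 10:15:04 linuxcol rsyslogd: [origin software="rsyslogd"] start
EOF
ssim_syslog_senders "$demo"
ssim_missing_senders "$demo" aix01 aix02 aix03 || echo "some AIX hosts are not forwarding"
rm -f "$demo"
```

If an AIX host is reported missing, confirm on the wire before touching the collector: tcpdump -ni any udp port 514 shows whether its packets reach the Linux box at all (514/udp is the default syslog port; the page does not state which port the collector listens on, so adjust if yours differs). Packets arriving but nothing in the file points at iptables or the syslog daemon configuration from step 2; no packets at all points at the forwarding configuration on the AIX side.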