rolling argus logs...

Carter Bullard carter at qosient.com
Sun Aug 6 22:18:47 EDT 2000 

Hey Russell,
   Argus doesn't close the file between writes, it
does an fstat() on the pathname to see if its still
there.  When it sees that the filename is gone,
it closes its open file descriptor and then creates
the original filename, writing out an appropriate
initial management record.  This is faster than,
closing and opening on each record.

   If we want some process control, what can we
do to support it in Argus-2.0?

Carter

-----Original Message-----
From: owner-argus at lists.andrew.cmu.edu
[mailto:owner-argus at lists.andrew.cmu.edu]On Behalf Of Russell Fulton
Sent: Sunday, August 06, 2000 8:31 PM
To: argus
Subject: Re: rolling argus logs...



On Fri, 4 Aug 2000 16:03:41 -0700 (PDT) Peter Van Epp <vanepp at sfu.ca>
wrote:

> >
> > Wow, a lot of work today ;o)
> > I will look into all of this over the weekend and see what
> > the best approach will be.
> >
> > One thing, David.  You don't have to kill argus to get the
> > output file.  All you have to do is rename the file and
> > argus recreates the original file and keeps going.
> >
>
> 	I didn't know that! All this time I've been killing argus and and
> restarting it. Isn't the file busy (and thus argus keeps writing to the
> now nameless inode)? I'll have to try it out on a test copy and see what
> happens because that would simplify life (to say nothing of stopping
losing
> packets while switching log files)!

Argus closes and reopens the file between writes, as does ra and
friends (I think?  confirmation Carter?).

My hourly script simply mv's the file and runs
raconnections -w - | gzip -9.

Hmmm.... I tell a lie ;-) I nolonger run raconnections -- the
performance of our Internet feed jumped by about 25% a month back and
raconnections started running out of memory :-(

Currently I am not 'centrally' managing my argus servers but that is
about to change.  I am considering using scp (with RSA authentication)
to move the files from the monitor up to central control as part of
the hourly job.  It gets a bit messy because I don't want the monitors
to 'trust' the central box.

Like David if other have good ways to manage this then I would be
interested in hearing about it.

Cheers, Russell.

More information about the argus mailing list