Stats from argus logs

Carter Bullard carter at qosient.com
Sat Nov 4 09:21:35 EST 2000


Hey John,
   Yes, I can reproduce your problem here.  It must
be one of the undocumented new features of the "u" code.
It is fixed in the "v" release which I'll be putting out
on Sunday.

   Argus-2.0 does store more information than Argus-1.x
records, and so converted files will be bigger.
This happens because we've introduced a Type, Length,
Value (TLV) style record format, and the added overhead
adds bytes.  But we get a huge amount of flexibility
with it so it's worth the extra space.

   It seems that you have bumped into a functional bug
in the argus clients that most on the list don't run
into.   When you run argus (and this also applies to
some of the clients), and write the output to a file,
when you terminate, the program will write an explicit
STOP record as the last record, indicating that the
stream was terminated because of an administrative
STOP condition (i.e. it was killed).  If you
run argus (or some ra* clients) again, writing into the
same file, it just appends, and so you get a file that
looks something like this:

   START record
      ..... (data records)
   STOP record
   START record
      ..... (data records)
   STOP record

ra* style clients, right now, stop when they see a STOP
record.  This is so they can handshake with socket based
remote argus data sources before closing the socket and
going away.  Right now, we don't test if we're reading
from the socket or a file when we get these records, so
there is a chance that we will terminate too early.

I'll fix that this weekend.


Carter

-----Original Message-----
From: owner-argus at lists.andrew.cmu.edu
[mailto:owner-argus at lists.andrew.cmu.edu]On Behalf Of John A. Lauro
Sent: Friday, November 03, 2000 4:31 PM
To: argus at lists.andrew.cmu.edu
Subject: RE: Stats from argus logs


>    Well, welcome to the group!!!  So how did you call it?
> There are some small changes in the way that things are
> called in Argus-2.0, so exact command line would be helpful.
> Were you reading 2.0 data or 1.8 data?  What system?

Asking for the memory fault I assume?
The system is running Linux 2.2.16.

Same memory fault error with a 1.8.1 log file or 2.0 log file.

However...  I just noticed that it only gives the error if the output
file does not already exist.

Exact command
./ra -r arglog1 -w xxx

>    There is a sample config file in
> ./examples/fmodel.conf.

Thanks.  I'll try to figure it out this weekend.

Also, reading in argus 1.8.1 file with
   ra -r arglog1
produces lots of output

A little more testing...  ra with a 1.8.1 log file....
ra -r arglog1   (produces lots of detail records)
ra -r arglog1 -w xxx   (first fails and creates a 0 byte file)
ra -r arglog1 -w xxx   (xxx is about double the size of arglog1)
ra -r xxx      (produces only a couple of lines, and the file is
bigger!)

Same procedure as above with a 2.0 log file works as expected (except
of course the memory fault if xxx doesn't exist).

> Carter
>
> -----Original Message-----
> From: owner-argus at lists.andrew.cmu.edu
> [mailto:owner-argus at lists.andrew.cmu.edu]On Behalf Of John A. Lauro
> Sent: Friday, November 03, 2000 3:39 PM
> To: Russell Fulton; argus at lists.andrew.cmu.edu
> Subject: Re: Stats from argus logs
>
> Bug report:
> Running ra on version 2.0u with -r and -w produces a memory fault.
> It might not sound very useful, but...  it works with 1.8.1...

---------------------------------------------------------------------------
John Lauro                          email: jlauro at flint.umich.edu
University of Michigan - Flint             jlauro at umich.edu
Information Technology Services
303 E. Kearsley St.                 phone: (810) 762-3123
Flint, MI  48502                      fax: (810) 766-6805
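
The early-termination behaviour Carter describes, as an added example that is not part of the original thread and is not Argus code: a reader that treats STOP as end-of-stream only for a socket source and keeps reading appended sessions from a file. The record layout (1-byte type, 1-byte value length, value), the type codes and all names are assumptions made for illustration, not the Argus-2.0 format.

```c
#include <stddef.h>
#include <stdio.h>

/* Hypothetical record types and layout: 1-byte type, 1-byte value length,
 * then the value. This is NOT the real Argus-2.0 wire format. */
enum { REC_START = 1, REC_DATA = 2, REC_STOP = 3 };
enum source { SRC_SOCKET, SRC_FILE };

/* Count DATA records in buf. Returns -1 if a record is truncated.
 * A STOP record ends the stream only for a socket source; in a file it
 * just closes one appended session and reading continues. */
int count_data(const unsigned char *buf, size_t len, enum source src)
{
    size_t off = 0;
    int n = 0;

    while (off < len) {
        if (len - off < 2)
            return -1;                 /* header cut short */
        unsigned char type = buf[off];
        size_t vlen = buf[off + 1];
        if (vlen > len - off - 2)
            return -1;                 /* value runs past end of input */
        off += 2 + vlen;

        if (type == REC_DATA)
            n++;
        else if (type == REC_STOP && src == SRC_SOCKET)
            break;                     /* remote source is done: close up */
    }
    return n;
}

/* Constructed sample: two sessions appended into one file. */
static const unsigned char sample[] = {
    REC_START, 0,
    REC_DATA, 2, 0xAA, 0xBB,
    REC_STOP, 0,
    REC_START, 0,
    REC_DATA, 1, 0xCC,
    REC_DATA, 3, 0x01, 0x02, 0x03,
    REC_STOP, 0,
};

int main(void)
{
    printf("stop at first STOP: %d\n", count_data(sample, sizeof sample, SRC_SOCKET));
    printf("read whole file:    %d\n", count_data(sample, sizeof sample, SRC_FILE));
    return 0;
}
```

Reading the sample as a socket stream reproduces the symptom from the thread: only the first session's records are seen even though the file holds more.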