Fixed one bug, got some more for ya though :)

Carter Bullard carter at qosient.com
Thu Jun 14 11:15:32 EDT 2001 

Hey Chris,
One value for you to play with is ARGUS_MAXWRITENUM in
ArgusUtil.c.  This is the maximum number of records
that we will write out to the socket on each pass.  For
some situations we only process 10 passes a second, and
so increasing this number to say 1024, or 2048 may be
more than appropriate.  Now, large numbers here will
get in the way of argus getting back to process packets,
so you don't want to go toooo high here.

ARGUS_LISTREPORTLEN is just the number in the queue
that will trigger syslog events saying that you're queues
are getting a bit full.  The ARGUS_LISTREPORTTIME is just
how frequently are you going to get messages once the
queue has gotten over the limit.  Current we send out
syslog messages every 30 seconds.

So when these messages are being printed, there are
currently 10,000 argus records queue'd to be written
out to, say the file, or the remote socket.  That's not
a huge number, as in some situations, argus can generate
10,000 records a second.  We don't give up on the
queue until about 200,000 records, so 10K is a bit low
for a warning condition.

Carter

-----Original Message-----
From: Chris Newton [mailto:newton at unb.ca] 
Sent: Thursday, June 14, 2001 11:08 AM
To: Carter Bullard
Cc: Argus (argus-info)
Subject: RE: Fixed one bug, got some more for ya though :)


>One thing you can do is to increase the values of the thresholds. If 
>you double the value for ARGUS_MAXERROR in ArgusUtil.c, that will help 
>a bit.  Also raising the watermark for printing out when queues are 
>getting big will help, so increase the value of ARGUS_LISTREPORTLEN to 
>something like 50,000. This is also in ArgusUtil.c.

  So, what does ARGUS_LISTREPORTLEN actually control?  The number of
flows to 
burst out at a time?

  I also notice a ARGUS_LISTREPORTTIME set to 30, is this a delay
setting?  
Reason I'm asking is it _seems_ to me, that during these times of issue
on our 
net, argus gets bunged up a bit because it isn't dumping records out as
fast 
as it could be.

  What values control this?  I'd be willing to try various values
here... so 
that I can find some 'best middle ground', between letting the collector
and 
stats parts of argus do it's job, and the 'dumper' push records out as
fast as 
possible.

Thanks

Chris

_/_/_/_/_/_/_/_/_/_/_/_/_/_/_/_/_/_/_/_/_/_/_/_/_/_/

Chris Newton, Systems Analyst
Computing Services, University of New Brunswick
newton at unb.ca 506-447-3212(voice) 506-453-3590(fax)

"The best way to have a good idea is to have a lot of ideas." Linus
Pauling (1901 - 1994) US chemist

More information about the argus mailing list