FWD: RE: Argus, and moving 'live files'
Chris Newton
newton at unb.ca
Sat Mar 10 18:21:53 EST 2001
Ok, happened again, tonight at 8:12pm.

Here is the lsof output, below.... which is interesting, because it shows Argus having open the file /usr/local/nva/flowlogs/argus-2001-03-10-18:14:50. What is odd about that is that argus was started with this command line:

/usr/local/nva/bin/argus -d -F /usr/local/nva/conf/argus.conf -w /usr/local/nva/flowlogs/argus.out

And, I have a program called argproc that runs continually. What it does is moves the argus.out file to argus-{data/timestamp}, waits for 1 minute (minus the amount of time it took to move that file), and does it again. Right now it is complaining that the argus.out file doesn't exist when it tries to do the move.

And, yup, all three argii are running:

[root at epic conf]# ps axfw |grep argus
519 ? R 83:22 /usr/local/nva/bin/argus -d -F /usr/local/nva/conf/argus.conf -w /usr/local/nva/flowlogs/argus.out
522 ? S 1:59 \_ /usr/local/nva/bin/argus -d -F /usr/local/nva/conf/argus.conf -w /usr/local/nva/flowlogs/argus.out
523 ? S 3:16 \_ /usr/local/nva/bin/argus -d -F /usr/local/nva/conf/argus.conf -w /usr/local/nva/flowlogs/argus.ou

Some output from top, showing at least one of the argii consuming CPU, in this case, about 4.1% CPU.

519 root 14 0 12808 12M 628 S 0 4.0 10.1 83:29 /usr/local/nva/bin/argus -d -F /usr/local/nva/conf/argus.conf -w

Operating system is redhat 6.2, upgraded to 2.4 kernel:

[root at epic conf]# uname -a
Linux epic.csd.unb.ca 2.4.0-test12 #1 Sat Dec 16 23:51:30 AST 2000 i686 unknown

[root at epic conf]# /usr/sbin/lsof |grep argus
argus 519 root cwd DIR 3,1 4096 2 /
argus 519 root rtd DIR 3,1 4096 2 /
argus 519 root txt REG 3,1 551451 754834 /usr/local/nva/bin/argus
argus 519 root mem REG 3,1 340663 311343 /lib/ld-2.1.3.so
argus 519 root mem REG 3,1 527442 311361 /lib/libm-2.1.3.so
argus 519 root mem REG 3,1 4101324 311350 /lib/libc-2.1.3.so
argus 519 root mem REG 3,1 246652 311381 /lib/libnss_files-2.1.3.so
argus 519 root 0r REG 3,1 8105 754878 /usr/local/nva/conf/argus.conf
argus 519 root 3u sock 0,0 1331 can't identify protocol
argus 519 root 4r FIFO 0,0 1337 pipe
argus 519 root 5w FIFO 0,0 1337 pipe
argus 519 root 6w CHR 1,3 180352 /dev/null
argus 522 root cwd DIR 3,1 4096 2 /
argus 522 root rtd DIR 3,1 4096 2 /
argus 522 root txt REG 3,1 551451 754834 /usr/local/nva/bin/argus
argus 522 root mem REG 3,1 340663 311343 /lib/ld-2.1.3.so
argus 522 root mem REG 3,1 527442 311361 /lib/libm-2.1.3.so
argus 522 root mem REG 3,1 4101324 311350 /lib/libc-2.1.3.so
argus 522 root mem REG 3,1 246652 311381 /lib/libnss_files-2.1.3.so
argus 522 root 0r REG 3,1 8105 754878 /usr/local/nva/conf/argus.conf
argus 522 root 1u CHR 5,1 180385 /dev/console
argus 522 root 2u CHR 5,1 180385 /dev/console
argus 522 root 3u sock 0,0 1331 can't identify protocol
argus 522 root 4r FIFO 0,0 1337 pipe
argus 522 root 5w FIFO 0,0 1337 pipe
argus 523 root cwd DIR 3,1 4096 2 /
argus 523 root rtd DIR 3,1 4096 2 /
argus 523 root txt REG 3,1 551451 754834 /usr/local/nva/bin/argus
argus 523 root mem REG 3,1 340663 311343 /lib/ld-2.1.3.so
argus 523 root mem REG 3,1 527442 311361 /lib/libm-2.1.3.so
argus 523 root mem REG 3,1 4101324 311350 /lib/libc-2.1.3.so
argus 523 root mem REG 3,1 246652 311381 /lib/libnss_files-2.1.3.so
argus 523 root 0r REG 3,1 8105 754878 /usr/local/nva/conf/argus.conf
argus 523 root 1u CHR 5,1 180385 /dev/console
argus 523 root 2u CHR 5,1 180385 /dev/console
argus 523 root 3u sock 0,0 1331 can't identify protocol
argus 523 root 4r FIFO 0,0 1337 pipe
argus 523 root 5w FIFO 0,0 1337 pipe
argus 523 root 6r FIFO 0,0 1338 pipe
argus 523 root 7w FIFO 0,0 1338 pipe
argus 523 root 8u REG 3,1 323624 821089 /usr/local/nva/flowlogs/argus-2001-03-10-18:14:50
>===== Original Message From <carter at qosient.com> =====
>Hey Chris,
>What others have seen, is that the second process that argus
>spawns, is either eating up a lot of CPU or none at all.
>This is the flow record multiplexor, and so if it's not doing
>what it's supposed to do, then nothing is going to come out of
>the argus.
>
>There are several debugging strategies to find out what is
>going on. The first is to do a simple ps() to make sure that all
>the processes are there. In the case of writing out to a file,
>you should have at least 3 argus processes running all the time.
>If you do have 3 processes, you can use gdb to attach to each
>running process, and then step through them for a few
>instructions to see what they are doing.
>
>Another strategy is to turn debug support on for each process.
>If you've compiled in debug support, then you can send SIGUSR1
>signals to any argus process to turn on its debug reporting.
>So as an example, assuming that the 3 processes are 200, 201
>and 202:
>
> # kill -USR1 202
>
>will turn on debug reporting and set the debug level to one.
>Sending another SIGUSR1 will increment the debug level. To
>turn it off, send a SIGUSR2 to the process.
>
> # kill -USR2 202
>
>So you can test them all, by getting their debug level to 3 or
>4 and see what they think is going on.
>
>Carter
>
>Carter Bullard
>QoSient, LLC
>300 E. 56th Street, Suite 18K
>New York, New York 10022
>
>carter at qosient.com
>Phone +1 212 588-9133
>Fax +1 212 588-9134
>http://qosient.com
>
>> -----Original Message-----
>> From: Chris Newton [mailto:newton at unb.ca]
>> Sent: Thursday, March 08, 2001 1:33 PM
>> To: Carter Bullard; argus; Peter Van Epp
>> Subject: RE: FWD: RE: Argus, and moving 'live files'
>>
>>
>> >===== Original Message From <carter at qosient.com> =====
>> >Hey Guys,
>> > Chris, more than likely your problem doesn't have anything
>> >to do with the file moving itself. If Argus breaks, you will
>> >see that your file moving strategy will suddenly stop, as
>> >there won't be a file to move any more. So the file moving
>> >makes the problem much more apparent.
>>
>> That's what's happening. I get errors from my script that the
>> 'argus-output' file does not exist, and therefore, can't be moved.
>> Argus is still running happily though.
>>
>> It happens out of the blue (the couple of times it has happened).
>> The moving script runs happily along.. then, boom... errors, 'no such
>> file'. I check, sure enough, Argus isn't recreating the new
>> 'argus-output' file anymore. Kill restart argus, everything returns
>> to normal.
>>
>> Chris
>>
_/_/_/_/_/_/_/_/_/_/_/_/_/_/_/_/_/_/_/_/_/_/_/_/_/_/
Chris Newton, Systems Analyst
Computing Services, University of New Brunswick
newton at unb.ca 506-447-3212(voice) 506-453-3590(fax)
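
Added example, not part of the messages above and not Argus or argproc code: a shell check that reads lsof output and reports any process holding a regular file open for writing in the flow-log directory under a name other than the configured -w path, which is the condition the lsof listing in this message shows for PID 523. The function name stale_writers and the sample input (constructed from lines in the listing, rejoined one record per line) are assumptions of the example.

```shell
#!/bin/sh
# Added example. Reads lsof text on stdin, one record per line.
# $1 = the path the collector was started with (-w argument).
# Prints "PID FD NAME" for each regular file that is open for
# writing in the same directory but under a different name,
# e.g. a file that was renamed out from under the writer.
stale_writers() {
    expected=$1
    dir=${expected%/*}
    awk -v expected="$expected" -v dir="$dir/" '
        # lsof columns: COMMAND PID USER FD TYPE DEVICE SIZE NODE NAME
        # FD is a number followed by r, w or u (read/write/both).
        $5 == "REG" && $4 ~ /^[0-9]+[wu]/ {
            name = $9   # assumes paths without spaces
            if (index(name, dir) == 1 && name != expected)
                printf "%s %s %s\n", $2, $4, name
        }'
}

# Constructed sample: three records taken from the listing above.
sample_lsof() {
    cat <<'EOF'
argus 519 root 0r REG 3,1 8105 754878 /usr/local/nva/conf/argus.conf
argus 523 root 7w FIFO 0,0 1338 pipe
argus 523 root 8u REG 3,1 323624 821089 /usr/local/nva/flowlogs/argus-2001-03-10-18:14:50
EOF
}

# Live use would be: lsof -c argus | stale_writers <path given to -w>
sample_lsof | stale_writers /usr/local/nva/flowlogs/argus.out
```

A hit that names the same file across several rotation intervals, while the -w path itself does not exist, matches the state captured in the listing above.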