FWD: RE: Argus, and moving 'live files'
Carter Bullard
carter at qosient.com
Sat Mar 10 18:20:34 EST 2001
Is the file /usr/local/nva/flowlogs/argus-2001-03-10-18:14:50 getting bigger?
Carter
Carter Bullard
QoSient, LLC
300 E. 56th Street, Suite 18K
New York, New York 10022
carter at qosient.com
Phone +1 212 588-9133
Fax +1 212 588-9134
http://qosient.com
> -----Original Message-----
> From: Chris Newton [mailto:newton at unb.ca]
> Sent: Saturday, March 10, 2001 6:22 PM
> To: Carter Bullard; argus; Peter Van Epp
> Subject: RE: FWD: RE: Argus, and moving 'live files'
>
>
> Ok, happened again, tonight at 8:12pm.
>
> Here is the lsof output, below.... which is interesting, because it
> shows Argus having open the file
> /usr/local/nva/flowlogs/argus-2001-03-10-18:14:50.
> What is odd about that is that argus was started with this command line:
>
> /usr/local/nva/bin/argus -d -F /usr/local/nva/conf/argus.conf -w /usr/local/nva/flowlogs/argus.out
>
> And, I have a program called argproc that runs continually. What it
> does is moves the argus.out file to argus-{data/timestamp}, waits for
> 1 minute (minus the amount of time it took to move that file), and
> does it again. Right now it is complaining that the argus.out file
> doesn't exist when it tries to do the move.
>
> And, yup, all three argii are running:
> [root at epic conf]# ps axfw |grep argus
> 519 ? R 83:22 /usr/local/nva/bin/argus -d -F /usr/local/nva/conf/argus.conf -w /usr/local/nva/flowlogs/argus.out
> 522 ? S 1:59 \_ /usr/local/nva/bin/argus -d -F /usr/local/nva/conf/argus.conf -w /usr/local/nva/flowlogs/argus.out
> 523 ? S 3:16 \_ /usr/local/nva/bin/argus -d -F /usr/local/nva/conf/argus.conf -w /usr/local/nva/flowlogs/argus.ou
>
>
> Some output from top, showing at least one of the argii consuming
> CPU, in this case, about 4.1% CPU.
>
> 519 root 14 0 12808 12M 628 S 0 4.0 10.1 83:29 /usr/local/nva/bin/argus -d -F /usr/local/nva/conf/argus.conf -w
>
> Operating system is redhat 6.2, upgraded to 2.4 kernel:
>
> [root at epic conf]# uname -a
> Linux epic.csd.unb.ca 2.4.0-test12 #1 Sat Dec 16 23:51:30 AST 2000 i686 unknown
>
> [root at epic conf]# /usr/sbin/lsof |grep argus
> argus 519 root cwd DIR 3,1 4096 2 /
> argus 519 root rtd DIR 3,1 4096 2 /
> argus 519 root txt REG 3,1 551451 754834 /usr/local/nva/bin/argus
> argus 519 root mem REG 3,1 340663 311343 /lib/ld-2.1.3.so
> argus 519 root mem REG 3,1 527442 311361 /lib/libm-2.1.3.so
> argus 519 root mem REG 3,1 4101324 311350 /lib/libc-2.1.3.so
> argus 519 root mem REG 3,1 246652 311381 /lib/libnss_files-2.1.3.so
> argus 519 root 0r REG 3,1 8105 754878 /usr/local/nva/conf/argus.conf
> argus 519 root 3u sock 0,0 1331 can't identify protocol
> argus 519 root 4r FIFO 0,0 1337 pipe
> argus 519 root 5w FIFO 0,0 1337 pipe
> argus 519 root 6w CHR 1,3 180352 /dev/null
> argus 522 root cwd DIR 3,1 4096 2 /
> argus 522 root rtd DIR 3,1 4096 2 /
> argus 522 root txt REG 3,1 551451 754834 /usr/local/nva/bin/argus
> argus 522 root mem REG 3,1 340663 311343 /lib/ld-2.1.3.so
> argus 522 root mem REG 3,1 527442 311361 /lib/libm-2.1.3.so
> argus 522 root mem REG 3,1 4101324 311350 /lib/libc-2.1.3.so
> argus 522 root mem REG 3,1 246652 311381 /lib/libnss_files-2.1.3.so
> argus 522 root 0r REG 3,1 8105 754878 /usr/local/nva/conf/argus.conf
> argus 522 root 1u CHR 5,1 180385 /dev/console
> argus 522 root 2u CHR 5,1 180385 /dev/console
> argus 522 root 3u sock 0,0 1331 can't identify protocol
> argus 522 root 4r FIFO 0,0 1337 pipe
> argus 522 root 5w FIFO 0,0 1337 pipe
> argus 523 root cwd DIR 3,1 4096 2 /
> argus 523 root rtd DIR 3,1 4096 2 /
> argus 523 root txt REG 3,1 551451 754834 /usr/local/nva/bin/argus
> argus 523 root mem REG 3,1 340663 311343 /lib/ld-2.1.3.so
> argus 523 root mem REG 3,1 527442 311361 /lib/libm-2.1.3.so
> argus 523 root mem REG 3,1 4101324 311350 /lib/libc-2.1.3.so
> argus 523 root mem REG 3,1 246652 311381 /lib/libnss_files-2.1.3.so
> argus 523 root 0r REG 3,1 8105 754878 /usr/local/nva/conf/argus.conf
> argus 523 root 1u CHR 5,1 180385 /dev/console
> argus 523 root 2u CHR 5,1 180385 /dev/console
> argus 523 root 3u sock 0,0 1331 can't identify protocol
> argus 523 root 4r FIFO 0,0 1337 pipe
> argus 523 root 5w FIFO 0,0 1337 pipe
> argus 523 root 6r FIFO 0,0 1338 pipe
> argus 523 root 7w FIFO 0,0 1338 pipe
> argus 523 root 8u REG 3,1 323624 821089 /usr/local/nva/flowlogs/argus-2001-03-10-18:14:50
>
> >===== Original Message From <carter at qosient.com> =====
> >Hey Chris,
> >What others have seen, is that the second process that argus
> >spawns, is either eating up a lot of CPU or none at all.
> >This is the flow record multiplexor, and so if it's not doing
> >what it's supposed to do, then nothing is going to come out of
> >the argus.
> >
> >There are several debugging strategies to find out what is
> >going on. The first is to do a simple ps() to make sure that all
> >the processes are there. In the case of writing out to a file,
> >you should have at least 3 argus processes running all the time.
> >If you do have 3 processes, you can use gdb to attach to each
> >running process, and then step through them for a few
> >instructions to see what they are doing.
> >
> >Another strategy is to turn debug support on for each process.
> >If you've compiled in debug support, then you can send SIGUSR1
> >signals to any argus process to turn on its debug reporting.
> >So as an example, assuming that the 3 processes are 200, 201
> >and 202:
> >
> > # kill -USR1 202
> >
> >will turn on debug reporting and set the debug level to one.
> >Sending another SIGUSR1 will increment the debug level. To
> >turn it off, send a SIGUSR2 to the process.
> >
> > # kill -USR2 202
> >
> >So you can test them all, by getting their debug level to 3 or
> >4 and see what they think is going on.
> >
> >Carter
> >
> >> -----Original Message-----
> >> From: Chris Newton [mailto:newton at unb.ca]
> >> Sent: Thursday, March 08, 2001 1:33 PM
> >> To: Carter Bullard; argus; Peter Van Epp
> >> Subject: RE: FWD: RE: Argus, and moving 'live files'
> >>
> >>
> >> >===== Original Message From <carter at qosient.com> =====
> >> >Hey Guys,
> >> > Chris, more than likely your problem doesn't have anything
> >> >to do with the file moving itself. If Argus breaks, you will
> >> >see that your file moving strategy will suddenly stop, as
> >> >there won't be a file to move any more. So the file moving
> >> >makes the problem much more apparent.
> >>
> >> That's what's happening. I get errors from my script that the
> >> 'argus-output' file does not exist, and therefore, can't be moved.
> >> Argus is still running happily though.
> >>
> >> It happens out of the blue (the couple of times it has happened).
> >> The moving script runs happily along.. then, boom... errors, 'no
> >> such file'. I check, sure enough, Argus isn't recreating the new
> >> 'argus-output' file anymore. Kill restart argus, everything returns
> >> to normal.
> >>
> >> Chris
> >>
>
> _/_/_/_/_/_/_/_/_/_/_/_/_/_/_/_/_/_/_/_/_/_/_/_/_/_/
>
> Chris Newton, Systems Analyst
> Computing Services, University of New Brunswick
> newton at unb.ca 506-447-3212(voice) 506-453-3590(fax)
>
>
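
Added example, not part of the original thread and not Argus project code: a shell check for the two symptoms discussed above, a writer that still holds a write handle on an already-moved flow log (the `8u` line in the lsof listing) and whether that file is still getting bigger. The function names `stale_write_handles`, `is_growing` and `sample_lsof` are hypothetical, and the sample input is constructed from three entries of the listing in the message.

```shell
#!/bin/sh
# Added illustration; function names are hypothetical, not part of Argus.

# Read lsof text on stdin (COMMAND PID USER FD TYPE DEVICE SIZE NODE NAME)
# and print "pid fd size path" for every regular file that command $1 holds
# open for writing (w) or read/write (u) under a name other than $2, the
# path passed to -w. A hit means the writer still has the rotated file open.
# Assumes paths without whitespace.
stale_write_handles() {
    awk -v cmd="$1" -v live="$2" '
        $1 == cmd && $5 == "REG" && $4 ~ /^[0-9]+[uw]$/ && $9 != live {
            print $2, $4, $7, $9
        }'
}

# Succeed (exit 0) if file $1 gained bytes over an interval of $2 seconds.
is_growing() {
    before=$(($(wc -c < "$1")))
    sleep "$2"
    after=$(($(wc -c < "$1")))
    [ "$after" -gt "$before" ]
}

# Constructed sample: three entries from the lsof listing, one per line.
sample_lsof() {
    cat <<'EOF'
argus 519 root 0r REG 3,1 8105 754878 /usr/local/nva/conf/argus.conf
argus 523 root 7w FIFO 0,0 1338 pipe
argus 523 root 8u REG 3,1 323624 821089 /usr/local/nva/flowlogs/argus-2001-03-10-18:14:50
EOF
}

# Demo on the sample; on a live host pipe in the output of lsof instead.
sample_lsof | stale_write_handles argus /usr/local/nva/flowlogs/argus.out
```

Running `is_growing` on each path the first function reports separates a writer that is still appending to the moved file from one whose output has stopped.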