FWD: RE: Argus, and moving 'live files'

Chris Newton newton at unb.ca
Sat Mar 10 18:39:03 EST 2001


Nope:

[newton at epic flowlogs]$ ls -l argus-2001-03-10-18:14:50 
-rw-r--r--    1 root     root       323624 Mar 10 18:14 
argus-2001-03-10-18:14:50

  And, in fact, it seems a little small, compared to the others from the same 
time.  So, maybe it isn't the moving of the files thats causing the problem...
 Here is an ls of the other files from that hour... right up to when it 
stopped outputing.  So, either that was a slow minute.. or, argus stopped 
writing to that file part way through the minute.


[newton at epic flowlogs]$ ls -l argus-2001-03-10-18:*
-rw-r--r--    1 root     root       569956 Mar 10 18:00 
argus-2001-03-10-18:00:49
-rw-r--r--    1 root     root       580148 Mar 10 18:01 
argus-2001-03-10-18:01:49
-rw-r--r--    1 root     root       593456 Mar 10 18:02 
argus-2001-03-10-18:02:49
-rw-r--r--    1 root     root       584564 Mar 10 18:03 
argus-2001-03-10-18:03:49
-rw-r--r--    1 root     root       507604 Mar 10 18:04 
argus-2001-03-10-18:04:49
-rw-r--r--    1 root     root       451776 Mar 10 18:05 
argus-2001-03-10-18:05:49
-rw-r--r--    1 root     root       500492 Mar 10 18:06 
argus-2001-03-10-18:06:49
-rw-r--r--    1 root     root       499104 Mar 10 18:07 
argus-2001-03-10-18:07:50
-rw-r--r--    1 root     root       467036 Mar 10 18:08 
argus-2001-03-10-18:08:50
-rw-r--r--    1 root     root       431164 Mar 10 18:09 
argus-2001-03-10-18:09:50
-rw-r--r--    1 root     root       465376 Mar 10 18:10 
argus-2001-03-10-18:10:50
-rw-r--r--    1 root     root       415984 Mar 10 18:11 
argus-2001-03-10-18:11:50
-rw-r--r--    1 root     root       500576 Mar 10 18:12 
argus-2001-03-10-18:12:50
-rw-r--r--    1 root     root       521964 Mar 10 18:13 
argus-2001-03-10-18:13:50
-rw-r--r--    1 root     root       323624 Mar 10 18:14 
argus-2001-03-10-18:14:50
[newton at epic flowlogs]$



>===== Original Message From <carter at qosient.com> =====
>Is the file /usr/local/nva/flowlogs/argus-2001-03-10-18:14:50
>getting bigger?
>
>Carter
>
>Carter Bullard
>QoSient, LLC
>300 E. 56th Street, Suite 18K
>New York, New York  10022
>
>carter at qosient.com
>Phone +1 212 588-9133
>Fax   +1 212 588-9134
>http://qosient.com
>
>> -----Original Message-----
>> From: Chris Newton [mailto:newton at unb.ca]
>> Sent: Saturday, March 10, 2001 6:22 PM
>> To: Carter Bullard; argus; Peter Van Epp
>> Subject: RE: FWD: RE: Argus, and moving 'live files'
>>
>>
>> Ok, happened again, tonight at 8:12pm.
>>
>>   Here is the lsof output, below.... which is interesting,
>> because it shows
>> Argus having open the file
>> /usr/local/nva/flowlogs/argus-2001-03-10-18:14:50,
>> What is odd about that is that argus was started with this
>> command line:
>>
>> /usr/local/nva/bin/argus -d -F /usr/local/nva/conf/argus.conf -w
>> /usr/local/nva/flowlogs/argus.out
>>
>>   And, I have a program called argproc that runs continually.
>>  What it does is
>> moves the argus.out file to argus-{data/timestamp}, waits for
>> 1 minute (minus
>> the amount of time it took to move that file), and does it
>> again.  Right now
>> it is complaining that the argus.out file doesnt exist when
>> it tries to do the
>> move.
>>
>>   And, yup, all three argii are running:
>> [root at epic conf]# ps axfw |grep argus
>>   519 ?        R     83:22 /usr/local/nva/bin/argus -d -F
>> /usr/local/nva/conf/argus.conf -w /usr/local/nva/flowlogs/argus.out
>>   522 ?        S      1:59  \_ /usr/local/nva/bin/argus -d -F
>> /usr/local/nva/conf/argus.conf -w /usr/local/nva/flowlogs/argus.out
>>   523 ?        S      3:16      \_ /usr/local/nva/bin/argus -d -F
>> /usr/local/nva/conf/argus.conf -w /usr/local/nva/flowlogs/argus.ou
>>
>>
>>   Some output from top, showing at least one of the argii
>> consuming CPU, in
>> this case, about 4.1% CPU.
>>
>>
>> 519 root      14   0 12808  12M   628 S       0  4.0 10.1  83:29
>> /usr/local/nva/bin/argus -d -F /usr/local/nva/conf/argus.conf -w
>>
>> Operating system is redhat 6.2, upgraded to 2.4 kernel:
>>
>> [root at epic conf]# uname -a
>> Linux epic.csd.unb.ca 2.4.0-test12 #1 Sat Dec 16 23:51:30 AST
>> 2000 i686
>> unknown
>>
>> [root at epic conf]# /usr/sbin/lsof |grep argus
>> argus       519   root  cwd    DIR        3,1     4096          2 /
>> argus       519   root  rtd    DIR        3,1     4096          2 /
>> argus       519   root  txt    REG        3,1   551451     754834
>> /usr/local/nva/bin/argus
>> argus       519   root  mem    REG        3,1   340663     311343
>> /lib/ld-2.1.3.so
>> argus       519   root  mem    REG        3,1   527442     311361
>> /lib/libm-2.1.3.so
>> argus       519   root  mem    REG        3,1  4101324     311350
>> /lib/libc-2.1.3.so
>> argus       519   root  mem    REG        3,1   246652     311381
>> /lib/libnss_files-2.1.3.so
>> argus       519   root    0r   REG        3,1     8105     754878
>> /usr/local/nva/conf/argus.conf
>> argus       519   root    3u  sock        0,0
>> 1331 can't
>> identify protocol
>> argus       519   root    4r  FIFO        0,0                1337 pipe
>> argus       519   root    5w  FIFO        0,0                1337 pipe
>> argus       519   root    6w   CHR        1,3
>> 180352 /dev/null
>> argus       522   root  cwd    DIR        3,1     4096          2 /
>> argus       522   root  rtd    DIR        3,1     4096          2 /
>> argus       522   root  txt    REG        3,1   551451     754834
>> /usr/local/nva/bin/argus
>> argus       522   root  mem    REG        3,1   340663     311343
>> /lib/ld-2.1.3.so
>> argus       522   root  mem    REG        3,1   527442     311361
>> /lib/libm-2.1.3.so
>> argus       522   root  mem    REG        3,1  4101324     311350
>> /lib/libc-2.1.3.so
>> argus       522   root  mem    REG        3,1   246652     311381
>> /lib/libnss_files-2.1.3.so
>> argus       522   root    0r   REG        3,1     8105     754878
>> /usr/local/nva/conf/argus.conf
>> argus       522   root    1u   CHR        5,1
>> 180385 /dev/console
>> argus       522   root    2u   CHR        5,1
>> 180385 /dev/console
>> argus       522   root    3u  sock        0,0
>> 1331 can't
>> identify protocol
>> argus       522   root    4r  FIFO        0,0                1337 pipe
>> argus       522   root    5w  FIFO        0,0                1337 pipe
>> argus       523   root  cwd    DIR        3,1     4096          2 /
>> argus       523   root  rtd    DIR        3,1     4096          2 /
>> argus       523   root  txt    REG        3,1   551451     754834
>> /usr/local/nva/bin/argus
>> argus       523   root  mem    REG        3,1   340663     311343
>> /lib/ld-2.1.3.so
>> argus       523   root  mem    REG        3,1   527442     311361
>> /lib/libm-2.1.3.so
>> argus       523   root  mem    REG        3,1  4101324     311350
>> /lib/libc-2.1.3.so
>> argus       523   root  mem    REG        3,1   246652     311381
>> /lib/libnss_files-2.1.3.so
>> argus       523   root    0r   REG        3,1     8105     754878
>> /usr/local/nva/conf/argus.conf
>> argus       523   root    1u   CHR        5,1
>> 180385 /dev/console
>> argus       523   root    2u   CHR        5,1
>> 180385 /dev/console
>> argus       523   root    3u  sock        0,0
>> 1331 can't
>> identify protocol
>> argus       523   root    4r  FIFO        0,0                1337 pipe
>> argus       523   root    5w  FIFO        0,0                1337 pipe
>> argus       523   root    6r  FIFO        0,0                1338 pipe
>> argus       523   root    7w  FIFO        0,0                1338 pipe
>> argus       523   root    8u   REG        3,1   323624     821089
>> /usr/local/nva/flowlogs/argus-2001-03-10-18:14:50
>>
>>
>>
>>
>>
>>
>>
>>
>>
>> >===== Original Message From <carter at qosient.com> =====
>> >Hey Chris,
>> >What others have seen, is that the second process that argus
>> >spawns, is either eating up a lot of CPU or none at all.
>> >This is the flow record multiplexor, and so if its not doing
>> >what its suppose to do, then nothing is going to come out of
>> >the argus.
>> >
>> >There are several debugging strategies to find out what is
>> >going on.  The first is to do a simple ps() to make sure that all
>> >the processes are there.  In the case of writing out to a file,
>> >you should have at least 3 argus processes running all the time.
>> >If you do have 3 processes, you can use gdb to attach to each
>> >running process, and then step through them for a few
>> >instructions to see what they are doing.
>> >
>> >Another strategy is to turn debug support on for each process.
>> >If you've compiled in debug support, then you can send SIGUSR1
>> >signals to any argus process to turn on its debug reporting.
>> >So as an example, assuming that the 3 processes are 200, 201
>> >and 202:
>> >
>> >   # kill -USR1 202
>> >
>> >will turn on debug reporting and set the debug level to one.
>> >Sending another SIGUSR1 will increment the debug level.  To
>> >turn it off, send a SIGUSR2 to the process.
>> >
>> >   # kill -USR2 202
>> >
>> >So you can test them all, by getting their debug level to 3 or
>> >4 and see what they think is going on.
>> >
>> >Carter
>> >
>> >Carter Bullard
>> >QoSient, LLC
>> >300 E. 56th Street, Suite 18K
>> >New York, New York  10022
>> >
>> >carter at qosient.com
>> >Phone +1 212 588-9133
>> >Fax   +1 212 588-9134
>> >http://qosient.com
>> >
>> >> -----Original Message-----
>> >> From: Chris Newton [mailto:newton at unb.ca]
>> >> Sent: Thursday, March 08, 2001 1:33 PM
>> >> To: Carter Bullard; argus; Peter Van Epp
>> >> Subject: RE: FWD: RE: Argus, and moving 'live files'
>> >>
>> >>
>> >> >===== Original Message From <carter at qosient.com> =====
>> >> >Hey Guys,
>> >> >   Chris, more than likely your problem doesn't have anything
>> >> >to do with the file moving itself.  If Argus breaks, you will
>> >> >see that your file moving strategy will suddenly stop, as
>> >> >there won't be a file to move any more.  So the file moving
>> >> >makes the problem much more apparent.
>> >>
>> >>   Thats whats happening.  I get errors from my script that
>> >> the 'argus-output'
>> >> file does not exist, and therefore, can't be moved.  Argus is
>> >> still running
>> >> happily though.
>> >>
>> >>   It happens out of the blue (the couple of times it has
>> >> happened).  The
>> >> moving script runs happily along.. then, boom... errors, 'no
>> >> such file'.  I
>> >> check, sure enough, Argus isn't recreating the new
>> >> 'argus-output' file
>> >> anymore.  Kill restart argus, everything returns to normal.
>> >>
>> >> Chris
>> >>
>>
>> _/_/_/_/_/_/_/_/_/_/_/_/_/_/_/_/_/_/_/_/_/_/_/_/_/_/
>>
>> Chris Newton, Systems Analyst
>> Computing Services, University of New Brunswick
>> newton at unb.ca 506-447-3212(voice) 506-453-3590(fax)
>>
>>

_/_/_/_/_/_/_/_/_/_/_/_/_/_/_/_/_/_/_/_/_/_/_/_/_/_/

Chris Newton, Systems Analyst
Computing Services, University of New Brunswick
newton at unb.ca 506-447-3212(voice) 506-453-3590(fax)



More information about the argus mailing list