ra crashes on output file rotate

David Ressman davidr+argus at portnoy.uchicago.edu
Mon Feb 25 14:58:08 EST 2002


Hi all,

We've recently set up argus at our site and everything seems to be
running well with one exception.  Here's a little background info:

We're running the argus daemon (2.0.5b1) on an 866mhz PIII running
OpenBSD 3.0.  It's listening on a gigabit ethernet interface that
averages about 80mbps combined traffic.  It will occasionally peak at
200mbps or more.  (Of course, those are the times when the argus data
will come in the most handy.)

We collect data from the server using ra -S (2.0.4 through 2.0.5b3) on
our data analysis machine, an ultrasparc running sunos 5.8.  We're not
using SASL or doing anything fancy.

ra collects and writes the data to disk just fine, but when traffic is
heavy, ra will crash (exit code 255) when we rotate the log files
(which we do hourly), and I can't figure out what's wrong.  An average
hour's uncompressed argus flow file will be about 250-300MB.  In the
middle of the night, when they're 1/4 to 1/10th the size, we don't
usually see this problem.

The script we use to rotate is very simple, and doesn't do anything
fancy:


  #!/bin/ksh

  date=`date`  # we use some extra formatting, but that's not important

  flowdir="/path/to/flowfile"
  flowfile="argusflowfile"

  if [ -r "${flowdir}/${flowfile}" ]; then
      cd "${flowdir}" || exit 1
      mv "${flowfile}" "${flowfile}.temporary" && \
      gzip -1 "${flowfile}.temporary" && \
      mv "${flowfile}.temporary.gz" "ArgusFlow.${date}"
  fi


ra will crash as soon as the file that ra is writing to is moved out
of the way.  If it did this every time, I might know where to start
looking, but as it is, I'm just confused.

The analysis machine has gigs and gigs of ram, plenty of disk, and lots
of other processes that open and close much larger files, so I don't
think that it has anything to do with the machine proper.

We could just wrap ra in a respawning program, but that seems kind of
hackish to me.

Any help would be greatly appreciated.  If anyone needs additional
information, please don't hesitate to ask.

Thanks,

David

-- 
David Ressman                                        davidr at uchicago.edu
Network Security Officer                            Phone: (773)702-6236   
Network Security Center, The University of Chicago
PGP: http://security.uchicago.edu/centerinfo/pgpkeys.shtml
