[ARGUS] Peculiar cross platform argus/ra non-interoperability
Peter Van Epp
vanepp at sfu.ca
Sun Aug 8 15:23:30 EDT 2004
Nothing springs to mind as likely wrong. I'd guess the best bet is to
touch .devel and .debug in the linux argus source directory, re run configure
and make clean; make to get a debug copy of ra. Then start the ra with a -D8
or so (which dumps debug messages to the console) to see where it dies which
should give a clue as to why.
Peter Van Epp / Operations and Technical Support
Simon Fraser University, Burnaby, B.C. Canada
On Sun, Aug 08, 2004 at 10:37:21AM -0700, Joe Christy wrote:
> After an upgrade to a FreeBSD gateway, I've started seeing the following
> weird problem.
>
> Gateway: FreeBSD-4-STABLE (4.10 w/ rolling updates as of 2004-08-04),
> argus{,-clients}-2.0.6.fixes.1, runs argus w/ ARGUS_ACCESS_PORT=561 &
> ARGUS_BIND_IP=172.24.4.1
>
> Monitoring Station: Fedora Core 2 Linux, argus{,-clients}-2.0.6.fixes.1,
> built from source.
>
> On the Gateway, argus is happily writing to /var/log/argus/argus.out,
> and ra -a -S 172.24.4.1:561 tracks traffic in real time, as it should.
> So, it looks like the argus server is OK
>
> For the past two years, through earlier versions of FreeBSD, Linux, and
> argus{,-clients}, I've successfully been running ra -S 172.24.4.1:561
> -w/var/log/argus/gateway-argus.out to capture the argus data securely on
> an Internet-inaccessable Monitoring Station. Since upgrading FreeBSD
> last week, this always returns immediately:
> moby(joe) ra -a -S 172.24.4.1
>
> No data seen.
>
> Now, I can run argus on the Monitoring Station and use ra there to
> connect to its own bound IP and track traffic successfully, and I can
> read a copy of the Gateway's locally written /var/log/argus/argus.out,
> so it looks like the ra client is OK. I can even connect to the
> Gateway's port 561 from the monitoring station with nc, and receive a
> stream of unintelligble (to me at least) binary data, so the network
> connection between the Monitoring Station and the Gateway's port 561 is
> passing data. Nonetheless, the ra client on the Monitoring Station
> steadfastly refuses to admit that it is seeing any data from argus on
> the Gateway. Sigh.
>
> Has anyone else seen this sort of behavior? Any ideas on a fix?
>
> Joe
More information about the argus
mailing list