argusarchive (rasort) segfaulting
Richard Johnson
rdump at river.com
Wed Aug 10 20:45:29 EDT 2005
At 12:05 -0700 on 2005-08-10, Peter Van Epp wrote:
> Check for a per task memory rlimit. On FreeBSD you need to reconfig the
> kernel to allow a process to use more than (I think) 512K of memory which is
> usually what bites rasort. Of course you can also usefully fix this problem
> (and save some time) by commenting out rasort in argusarchive and only sort
> if you really need to. I know we had to boost a kernel memory limit to give
> the ring buffer code a couple hundred meg buffer on Linux, but my post
> processing is still on FreeBSD (where the limit above has bitten me before).
Same on OpenBSD. Adding the following types of commands to argusarchive
might help (modulo the size of your RAM, of course):
ulimit -d 1048576
ulimit -m 3316384
Of course, 4GB total on the machine isn't enough for us when we're trying
to sort a 30 minute slot in which we've been hit by a serious port scan.
(Traffic levels are peak 350Mbps and about 90kpps without the scans.) Thus
I now muck about with building amd64 RAID kernels for OpenBSD 3.8-current,
which will run on a box with more than 4GB of RAM.
Richard
More information about the argus
mailing list