racluster crash

Carter Bullard carter at qosient.com
Thu Aug 10 09:58:40 EDT 2006


Hey Dietmar,
    A few things that might help to get you past the problem until
I can figure it out.   Your status time value really should be larger
than the idle timeout value.    (I'm sure that we're going to time out
your record before we print it out, and that is probably where we
get into trouble with the record not being in the queue).
Try making the 2 timeouts equal on line 2 (at least) and see if
that doesn't clear it up.   I would suggest making the idle timeouts
longer than the status interval, (I know, I know, logically they should
be independent) in all your entries, if that doesn't help.

    The only way to debug this type of problem is to have a file
that contains the set of records that generates the error.  If you
can just capture a bunch of records and run racluster against
that file, you should get the same behavior?

Carter



On Aug 10, 2006, at 12:51 AM, Dietmar Goldbeck wrote:

>
>   Hello,
>
> If I run racluster with -S 127.0.0.1 it crashes after a few minutes.
>
> racluster[12903]: 08-09-06 21:13:38.830670 ArgusRemoveFromQueue (0x81a80a0, 0x81cca20) obj not in queue
>
> This is Racluster Version 3.0.0.rc.15 on Debian.
> Commandline is
>
> /usr/local/argus-3.0.0.rc.14/bin/racluster -nz -f /etc/tux-misst/ 
> racluster.conf -s stime ltime proto saddr sport daddr dport spkts  
> dpkts -S 127.0.0.1
>
> and racluster.conf has only 3 lines:
>
> filter="icmp" status=60 idle=60
> filter="tcp or udp" model="saddr sport daddr proto dport" status=60 idle=30
> filter="" model="saddr daddr proto" status=60 idle=60
>
> I will compile a newer snapshot soon.
>
>   regards
>         Dietmar
>
> -- 
>  Alles Gute / best wishes
>      Dietmar Goldbeck         E-Mail: dietmar.goldbeck at schotterweg.de
> Reporter (to Mahatma Gandhi): Mr Gandhi, what do you think of Western
> Civilization?  Gandhi: I think it would be a good idea.
>

Carter Bullard
CEO/President
QoSient, LLC
150 E. 57th Street Suite 12D
New York, New York 10022

+1 212 588-9133 Phone
+1 212 588-9134 Fax
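
Added example (not part of the original thread and not code from the argus project): a small Python check for the workaround suggested in the reply, flagging racluster.conf entries whose idle timeout is shorter than the status interval and raising idle to match. The function names and the handling of '#' comment lines are assumptions; the sample entries are the three quoted in the post.

```python
import re

# key="quoted value" or key=bare_value, the form used by the entries in the post
_PAIR = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')

# The three racluster.conf entries quoted in the post (wrapped line rejoined)
SAMPLE = '''filter="icmp" status=60 idle=60
filter="tcp or udp" model="saddr sport daddr proto dport" status=60 idle=30
filter="" model="saddr daddr proto" status=60 idle=60
'''

def check_timeouts(text):
    """Return [(line_no, status, idle)] for entries with idle < status."""
    findings = []
    for line_no, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):   # assumption: '#' starts a comment
            continue
        entry = {key: quoted or bare for key, quoted, bare in _PAIR.findall(line)}
        status, idle = entry.get("status", ""), entry.get("idle", "")
        if not (status.isdigit() and idle.isdigit()):
            continue                           # entry does not set both timers
        if int(idle) < int(status):
            findings.append((line_no, int(status), int(idle)))
    return findings

def raise_idle(text):
    """Return the config with idle raised to status on every flagged entry."""
    lines = text.splitlines()
    for line_no, status, _idle in check_timeouts(text):
        lines[line_no - 1] = re.sub(r'\bidle=\d+', f'idle={status}',
                                    lines[line_no - 1])
    return "\n".join(lines) + "\n"

if __name__ == "__main__":
    for line_no, status, idle in check_timeouts(SAMPLE):
        print(f"line {line_no}: idle={idle} is shorter than status={status}")
    print(raise_idle(SAMPLE), end="")
```
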

