Argus stops writing to file!

Karl Tatgenhorst karlt at uchicago.edu
Fri Nov 3 11:11:06 EST 2006


   A more simple answer may be to check and see if your argus process is
running as a daemon. If it is running as a daemon and you remove the
file, yes it generates a new file as anticipated... however, if the
daemon halts and starts back up the file is already there so it can't
create a new one and it is not set up (as I understand it) to open the
file in 'append' mode. In this scenario it would sit there until your
argus rotate script moves the file again.

Karl

On Fri, 2006-11-03 at 10:40 -0500, Carter Bullard wrote:
> Hey Kjell,
> Sorry for the delayed response.  Argus should do a stat() on the filename
> to see if the name is still there, and if not it should recreate the file
> and start writing into the new file.
> 
> Are there any system messages in your system error log (/var/log/messages ?).
> If you ran ./configure with a '.devel' file present, then you should be able
> to attach to it using gdb() and trace to see what it thinks it's doing.
> Look in the routine ArgusWriteSocket(), (you can set a break in this routine
> after you attach to it), to see what filename it thinks it's using.
> 
> You can also use lsof(), to see what file descriptors argus() is currently
> using. It may be that argus chroot'd() somewhere and it changed your path?
> 
> Carter
> 
> 
> On Oct 30, 2006, at 8:16 AM, Kjell Tore Fossbakk wrote:
> 
> > Hello!
> >
> > I have some difficulties understanding why my Argus (v.2.0.5), running
> > on a Gentoo 64bit system, stops writing flows to its output file.
> >
> > I got a system which moves away the output file on a regular basis, and
> > then puts the flows into a database. For the past year Argus has never
> > failed to create a new file, as the old file is moved away, and continue
> > writing flows.
> >
> > Is there any debugging feature I could enable?
> >
> > Please advise!
> >
> > -- 
> >
> > Social Engineering Specialist
> > - Because there's no patch for Human Stupidity
> 
> 
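
The stat()-and-recreate check Carter describes, combined with the append-mode open that Karl's restart scenario calls for, as an added C example. This is not Argus source code; the function names are hypothetical and the comparison of device and inode numbers is an assumption about how "is the name still there" can be tested robustly.

```c
/* Added illustration, not Argus code. All function names are hypothetical. */
#include <fcntl.h>
#include <stdio.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

/* Open (or create) the output file in append mode, so a file left over
 * from a previous run is extended instead of blocking the writer. */
int open_output(const char *path)
{
    return open(path, O_WRONLY | O_CREAT | O_APPEND, 0640);
}

/* Return a descriptor that really refers to `path`. If the name is gone,
 * or now belongs to a different inode (rotated away), reopen it. */
int check_output(const char *path, int fd)
{
    struct stat on_disk, in_use;

    if (fd >= 0 && fstat(fd, &in_use) == 0 &&
        stat(path, &on_disk) == 0 &&
        on_disk.st_dev == in_use.st_dev &&
        on_disk.st_ino == in_use.st_ino)
        return fd;                  /* still writing to the named file */

    if (fd >= 0)
        close(fd);                  /* release the moved or unlinked file */
    fd = open_output(path);
    if (fd < 0)
        perror(path);               /* e.g. path changed by a chroot */
    return fd;
}

/* Write one record after checking the name; returns the live fd or -1. */
int write_record(const char *path, int fd, const char *rec)
{
    fd = check_output(path, fd);
    if (fd >= 0 && write(fd, rec, strlen(rec)) < 0) {
        close(fd);
        return -1;
    }
    return fd;
}

/* Size of the file currently at `path`, or -1 if the name does not exist. */
long size_of(const char *path)
{
    struct stat st;
    return stat(path, &st) == 0 ? (long)st.st_size : -1L;
}
```

Without the inode comparison, a writer whose file was moved keeps appending to the old inode under its new name, which is the state lsof shows as a descriptor whose path no longer matches the configured output file.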



