Argus stops writing to file!

Carter Bullard carter at qosient.com
Fri Nov 3 11:53:10 EST 2006


Hey Karl,
I'm not aware of this possibility.  Have you seen this behavior or
have you looked at the code to verify that this is the case?
Can you point me at where you think the problem may be?
I was just now looking at 2.0.6 and couldn't see where this might
happen.

Carter


On Nov 3, 2006, at 11:11 AM, Karl Tatgenhorst wrote:

>
>    A simpler answer may be to check and see if your argus process is
> running as a daemon. If it is running as a daemon and you remove the
> file, yes it generates a new file as anticipated... however, if the
> daemon halts and starts back up the file is already there so it can't
> create a new one and it is not set up (as I understand it) to open the
> file in 'append' mode. In this scenario it would sit there until your
> argus rotate script moves the file again.
>
> Karl
>
> On Fri, 2006-11-03 at 10:40 -0500, Carter Bullard wrote:
>> Hey Kjell,
>> Sorry for the delayed response.  Argus should do a stat() on the
>> filename to see if the name is still there, and if not it should
>> recreate the file and start writing into the new file.
>>
>> Are there any system messages in your system error log
>> (/var/log/messages?).
>> If you ran ./configure with a '.devel' file present, then you should
>> be able to attach to it using gdb() and trace to see what it thinks
>> it's doing. Look in the routine ArgusWriteSocket(), (you can set a
>> break in this routine after you attach to it), to see what filename
>> it thinks it's using.
>>
>> You can also use lsof(), to see what file descriptors argus() is
>> currently using.
>> It may be that argus chroot'd() somewhere and it changed your path?
>>
>> Carter
>>
>>
>> On Oct 30, 2006, at 8:16 AM, Kjell Tore Fossbakk wrote:
>>
>>> Hello!
>>>
>>> I have some difficulties understanding why my Argus (v.2.0.5),
>>> running on a Gentoo 64bit system, stops writing flows to its
>>> output file.
>>>
>>> I have a system which moves away the output file on a regular basis,
>>> and then puts the flows into a database. For the past year Argus
>>> has never failed to create a new file as the old file is moved
>>> away, and to continue writing flows.
>>>
>>> Is there any debugging feature I could enable?
>>>
>>> Please advise!
>>>
>>> -- 
>>>
>>> Social Engineering Specialist
>>> - Because there's no patch for Human Stupidity
>>
>>
>
>
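The stat()-and-recreate behaviour Carter describes, together with the restart case Karl raises (output file already present when the daemon comes back), as an added C illustration. This is not Argus source; ensure_output_open, file_size and demo_rotation are hypothetical names, and unlink() stands in for the rotate script moving the file away.

```c
#include <errno.h>
#include <fcntl.h>
#include <sys/stat.h>
#include <unistd.h>

/* Illustration only (not Argus code): before a write, stat() the output
 * path; if the rotate script moved the file away, reopen it. O_APPEND
 * covers the restart case, where the file already exists and must be
 * appended to rather than truncated or refused. Returns 1 if the file
 * was (re)opened, 0 if the current fd was kept, -1 on error. */
int ensure_output_open(const char *path, int *fd)
{
    struct stat sb;
    if (*fd >= 0) {
        if (stat(path, &sb) == 0)
            return 0;            /* name still there: keep the current fd */
        if (errno != ENOENT)
            return -1;           /* other failure: report it, never drop flows silently */
        close(*fd);              /* file was moved away: fall through and recreate it */
    }
    *fd = open(path, O_WRONLY | O_CREAT | O_APPEND, 0640);
    return *fd < 0 ? -1 : 1;
}

/* Size of the file at path, or -1 if it does not exist. */
static long file_size(const char *path)
{
    struct stat sb;
    return stat(path, &sb) == 0 ? (long)sb.st_size : -1;
}

/* Scenario: create and write, simulate a daemon restart (file still present,
 * must append), then simulate the rotate script moving the file (unlink),
 * which must trigger a recreate. Returns the final file's size, or -1. */
long demo_rotation(const char *path)
{
    int fd = -1;
    unlink(path);                                /* start from a clean state */
    if (ensure_output_open(path, &fd) != 1 || write(fd, "flow-1\n", 7) != 7) return -1;
    close(fd); fd = -1;                          /* daemon halts and starts back up */
    if (ensure_output_open(path, &fd) != 1 || write(fd, "flow-2\n", 7) != 7) return -1;
    if (file_size(path) != 14) return -1;        /* appended to the existing file, not truncated */
    unlink(path);                                /* rotate script moved the file away */
    if (ensure_output_open(path, &fd) != 1 || write(fd, "flow-3\n", 7) != 7) return -1;
    long size = file_size(path);                 /* fresh file holds only flow-3 */
    close(fd);
    unlink(path);
    return size;
}
```

Note that the stat() check leaves a window between the check and the write; a daemon that cares can also compare fstat() on the open fd with stat() on the path (inode and device) to catch a rename followed by a quick recreate.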