Argus stops writing to file!
Karl Tatgenhorst
karlt at uchicago.edu
Fri Nov 3 12:02:45 EST 2006
I have not looked at the code to verify this is the case; I am
reporting on behavior. Here is why I notice this (it also occurs in version
3.0 as late as rc 32):
We rotate the files every hour.
When we rotate the files we leave no file in place, as argus creates it.
Originally we had tried creating the file; if we do this, argus cannot
use it (no perms or ownership problems).
Also, if I stop and start argus without removing the file, that file will
not be written to again, and once rotate occurs all is normal.
Karl
I think I will actually look at the ra code today to see if I can
pinpoint the problem. I am guessing that you check to see if the file
exists and if not you create it... you should also have the result that
if it exists, open it in append mode (I think that might be missing).
Karl
On Fri, 2006-11-03 at 11:53 -0500, Carter Bullard wrote:
> Hey Karl,
> I'm not aware of this possibility. Have you seen this behavior or
> have you looked at the code to verify that this is the case?
> Can you point me at where you think the problem may be?
> I was just now looking at 2.0.6 and couldn't see where this might
> happen.
>
> Carter
>
> On Nov 3, 2006, at 11:11 AM, Karl Tatgenhorst wrote:
>
> > A simpler answer may be to check and see if your argus process is
> > running as a daemon. If it is running as a daemon and you remove the
> > file, yes it generates a new file as anticipated... however, if the
> > daemon halts and starts back up the file is already there, so it
> > can't create a new one, and it is not set up (as I understand it) to
> > open the file in 'append' mode. In this scenario it would sit there
> > until your argus rotate script moves the file again.
> >
> > Karl
> >
> > On Fri, 2006-11-03 at 10:40 -0500, Carter Bullard wrote:
> > > Hey Kjell,
> > > Sorry for the delayed response. Argus should do a stat() on the
> > > filename to see if the name is still there, and if not it should
> > > recreate the file and start writing into the new file.
> > >
> > > Are there any system messages in your system error log
> > > (/var/log/messages ?).
> > > If you ran ./configure with a '.devel' file present, then you should
> > > be able to attach to it using gdb() and trace to see what it thinks
> > > it's doing. Look in the routine ArgusWriteSocket() (you can set a
> > > break in this routine after you attach to it), to see what filename
> > > it thinks it's using.
> > >
> > > You can also use lsof(), to see what file descriptors argus() is
> > > currently using.
> > > It may be that argus chroot'd() somewhere and it changed your path?
> > >
> > > Carter
> > >
> > > On Oct 30, 2006, at 8:16 AM, Kjell Tore Fossbakk wrote:
> > >
> > > > Hello!
> > > >
> > > > I have some difficulties understanding why my Argus (v.2.0.5),
> > > > running on a Gentoo 64bit system, stops writing flows to its
> > > > output file.
> > > >
> > > > I got a system which moves away the output file on a regular
> > > > basis, and then puts the flows into a database. For the past year
> > > > Argus has never failed to create a new file, as the old file is
> > > > moved away, and continuing to write flows.
> > > >
> > > > Is there any debugging feature I could enable?
> > > >
> > > > Please advise!
> > > >
> > > > --
> > > >
> > > > Social Engineering Specialist
> > > > - Because there's no patch for Human Stupidity
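As an added illustration (not Argus's own code, which this thread does not show), here is the rotation-safe writer the thread is circling around: stat() the name before each write, and reopen with O_CREAT|O_APPEND whenever the name no longer matches the open descriptor, so both the hourly move-away and a restart with the file already in place are handled. The scratch path handed to rot_demo() is an assumption, not anything from the thread.

```c
/* Added illustration, not Argus code: an output writer that survives the hourly
 * "move the file away" rotation and a daemon restart with the file still present.
 * Before each write it compares the inode behind the open descriptor with the
 * inode the path currently names; on any mismatch it reopens with O_CREAT|O_APPEND. */
#define _POSIX_C_SOURCE 200809L
#include <fcntl.h>
#include <stdio.h>
#include <sys/stat.h>
#include <unistd.h>
struct rot_writer { char path[256]; int fd; };
/* Open or create path in append mode; 0 on success, -1 on error. */
int rot_open(struct rot_writer *w, const char *path) {
    if (snprintf(w->path, sizeof w->path, "%s", path) >= (int)sizeof w->path) return -1;
    w->fd = open(w->path, O_WRONLY | O_CREAT | O_APPEND, 0644);
    return w->fd < 0 ? -1 : 0;
}
/* 1 if the name no longer refers to the open file (moved, deleted or replaced). */
int rot_needs_reopen(const struct rot_writer *w) {
    struct stat by_fd, by_name;
    if (fstat(w->fd, &by_fd) < 0 || stat(w->path, &by_name) < 0) return 1;
    return by_fd.st_dev != by_name.st_dev || by_fd.st_ino != by_name.st_ino;
}
/* Write one record, reopening first if rotation happened; bytes written or -1. */
ssize_t rot_write(struct rot_writer *w, const void *buf, size_t len) {
    if (rot_needs_reopen(w)) {
        int nfd = open(w->path, O_WRONLY | O_CREAT | O_APPEND, 0644);
        if (nfd < 0) return -1;
        close(w->fd);
        w->fd = nfd;
    }
    return write(w->fd, buf, len);
}
void rot_close(struct rot_writer *w) { if (w->fd >= 0) close(w->fd); w->fd = -1; }
/* Constructed scenario on a caller-chosen scratch path: write, rotate by rename,
 * write again (must land in a fresh file), stop, restart with that file present
 * (must append, not stall). Returns the live file's size, expected 4, or -1. */
long rot_demo(const char *path) {
    char rotated[300];
    struct rot_writer w;
    struct stat st;
    snprintf(rotated, sizeof rotated, "%s.old", path);
    unlink(path); unlink(rotated);
    if (rot_open(&w, path) < 0 || rot_write(&w, "1\n", 2) != 2) return -1;
    if (rename(path, rotated) < 0) return -1;               /* the hourly rotate script */
    if (rot_write(&w, "2\n", 2) != 2) return -1;            /* recreated, record not lost */
    rot_close(&w);                                          /* daemon stops */
    if (rot_open(&w, path) < 0 || rot_write(&w, "3\n", 2) != 2) return -1; /* restart */
    rot_close(&w);
    return stat(path, &st) < 0 ? -1 : (long)st.st_size;
}
```

After rot_demo() runs, the rotated ".old" file holds the first record and the live file holds records 2 and 3, which is exactly the behaviour Karl reports as missing when the file is left in place across a restart.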