Argus stops writing to file!

Carter Bullard carter at qosient.com
Fri Nov 3 12:22:14 EST 2006


Hey Karl,
I'll look in the argus-3.0 code.  Thanks!!!!!
Carter


On Nov 3, 2006, at 12:02 PM, Karl Tatgenhorst wrote:

>
>    I have not looked at the code to verify this is the case I am
> reporting on behavior. Here is why I notice this (it also occurs in  
> vers
> 3.0 as late as rc 32):
>
> We rotate the files every hour
>
> when we rotate the files we leave no file in place as argus creates it
>
> originally we had tried creating the file, if we do this argus can not
> use it (no perms or ownership problems)
>
> also if I stop and start argus without removing the file that file  
> will
> not be written to again and once rotate occurs all is normal.
>
> Karl
>
>
>
>    I think I will actually look at the ra code today to see if I can
> pinpoint the problem. I am guessing that you check to see if the file
> exists and if not you create it... you should also have the result  
> that
> if it exists open in append mode (I think that might be missing)
>
> Karl
>
> On Fri, 2006-11-03 at 11:53 -0500, Carter Bullard wrote:
>> Hey Karl,
>> I'm not aware of this possibility.  Have you seen this behavior or
>> have you looked at the code to verify that this is the case?
>> Can you point me at where you think the problem may be?
>> I was just now looking at 2.0.6 and couldn't see where this might
>> happen.
>>
>>
>> Carter
>>
>>
>>
>> On Nov 3, 2006, at 11:11 AM, Karl Tatgenhorst wrote:
>>
>>>
>>>
>>>    A more simple answer maybe to check and see if your argus process
>>> is
>>> running as a daemon. If it is running as a daemon and you remove the
>>> file, yes it generates a new file as anticipated... however, if the
>>> daemon halts and starts back up the file is already there so it
>>> can't
>>> create a new one and it is not set up (as I understand it) to open
>>> the
>>> file in 'append' mode. In this scenario it would sit there until
>>> your
>>> argus rotate script moves the file again.
>>>
>>>
>>> Karl
>>>
>>>
>>> On Fri, 2006-11-03 at 10:40 -0500, Carter Bullard wrote:
>>>> Hey Kjell,
>>>> Sorry for the delayed response.  Argus should to a stat() on the
>>>> filename to see if
>>>> the name is still there, and if not it should recreate the file
>>>> and
>>>> start writing into the
>>>> new file.
>>>>
>>>>
>>>> Are there any system messages in your system error log (/var/log/
>>>> messages ?).
>>>> If you ran ./configure with a '.devel' file present, then you
>>>> should
>>>> be able to
>>>> attach to it using gdb() and trace to see what it thinks its
>>>> doing.
>>>> Look in the
>>>> routine ArgusWriteSocket(), (you can set a break in this routine
>>>> after you
>>>> attach to it), to see what filename it thinks its using.
>>>>
>>>>
>>>> You can also use lsof(), to see what file descriptors argus() is
>>>> currently using.
>>>> It maybe that argus chroot'd() somewhere and it changed your path?
>>>>
>>>>
>>>> Carter
>>>>
>>>>
>>>>
>>>>
>>>> On Oct 30, 2006, at 8:16 AM, Kjell Tore Fossbakk wrote:
>>>>
>>>>
>>>>> Hello!
>>>>>
>>>>>
>>>>> I have some difficulties understanding why my Argus (v.2.0.5),
>>>>> running on a Gentoo 64bit system, stops writing flows to it's
>>>>> output file.
>>>>>
>>>>>
>>>>> I got a system which moves away the output file on a regular
>>>>> basis,
>>>>> and then puts the flows into a database. For the past year
>>>>> Argus
>>>>> has never failed to create a new file, as the old file is
>>>>> movied
>>>>> away, and continuing writing flows.
>>>>>
>>>>>
>>>>> Is there any debugging feature I could enable?
>>>>>
>>>>>
>>>>> Please advice!
>>>>>
>>>>>
>>>>> -- 
>>>>>
>>>>>
>>>>> Social Engineering Specialist
>>>>> - Because there's no patch for Human Stupidity
>>>>
>>>>
>>>>
>>>>
>>>
>>>
>>>
>>>
>>
>>
>>
>>
>>
>>
>>
>


-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://pairlist1.pair.net/pipermail/argus/attachments/20061103/d8d469bf/attachment.html>


More information about the argus mailing list