racluster exits

Carter Bullard carter at qosient.com
Fri Dec 28 12:15:38 EST 2007


Hey Torbjörn,
You have an error with the "-T yes" option, it should be something
like "-T 20s".  And you need to have the "-f racluster.conf"  option
or racluster() won't find its configuration.  That could cause all
your problems as the default behavior is to hold all the data
until EOF.

While what you are doing should generate output (and I'll look into
what the problem may be), I believe that you will be happier with
running radium() with the "-d -P <port>" options, and having racluster()
attach to the radium().  This will provide much more fault tolerance
and flexibility.  That way if racluster() dies or is killed for whatever
reason, the radium still runs, collecting data from the remote sources.

For others on the list, your experiment will report only those flows that
are idle for 900 seconds.  While that will eventually report all
the flows (theoretically), some lasting flows, such as beacons (persistent
pings, SNMP polling etc...) and a large class of operating system flows,
such as arps, time maintenance, etc.....  will only be reported when
one of the hosts reboots, or dies.  May not be ideal.

radium -d -S 127.0.0.1 -P 12345 -T 60s ......
racluster -f racluster.conf -S localhost:12345 -w argus.log

Carter



On Dec 28, 2007, at 8:36 AM, Torbjorn.Wictorin at its.uu.se wrote:

> Hi Carter et al,
>
> I have a configuration with a number of argus:es (half-duplex sensors,
> multiple paths) connected together via radium.
> Output from radium is piped(|) to racluster:
>
> radium -w - -S 127.0.0.1:561 ... -e 1000 -T yes | racluster -w argus.log
>
> racluster.conf:
> RACLUSTER_AUTO_CORRECTION=yes
> filter="" model="saddr sport daddr dport proto" status=0 idle=900
>
> The problem is that racluster exits after some time, after eating up
> memory, not writing anything to argus.log before it decides to exit.
>
> Looks like racluster needs some flush-trigger. Have I misunderstood
> something?
>
> latest clients: 3.0.0.rc.66
>
> Torbjörn Wictorin,
> Uppsala Univ
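
The idle-only reporting described in the reply above, as a simplified model of a flow cache (an added example, not racluster's code and not part of the original thread). The flow keys, the traffic, and the way a non-zero status timer is modelled are assumptions made for illustration.

```python
# Simplified model of an idle-timer flow cache; not racluster's implementation.
BEACON = ("10.0.0.5", "10.0.0.1", "udp/161")   # constructed: SNMP poll every 60 s
WEB = ("10.0.0.7", "192.0.2.10", "tcp/80")     # constructed: short-lived flow

def sample_events():
    """Constructed two-hour feed of (time_s, flow_key), sorted by time."""
    beacon = [(t, BEACON) for t in range(0, 7201, 60)]
    web = [(t, WEB) for t in (100, 110, 120, 130)]
    return sorted(beacon + web)

def aggregate(events, idle, status=0):
    """Return (records, keys_still_cached) for a live feed that never hits EOF.

    A flow is written when it has been silent for `idle` seconds. If `status`
    is non-zero (assumed semantics), an active flow is also written every
    `status` seconds and its counters restart.
    """
    cache, records = {}, []
    for now, key in events:
        # Timers are only evaluated when a new record arrives on the feed.
        for k in list(cache):
            f = cache[k]
            if now - f["last"] >= idle:
                if f["pkts"]:
                    records.append((now, k, "idle", f["pkts"]))
                del cache[k]
            elif status and f["pkts"] and now - f["start"] >= status:
                records.append((now, k, "status", f["pkts"]))
                f["start"], f["pkts"] = now, 0
        f = cache.setdefault(key, {"start": now, "last": now, "pkts": 0})
        f["last"] = now
        f["pkts"] += 1
    return records, sorted(cache)

if __name__ == "__main__":
    for status in (0, 300):
        records, cached = aggregate(sample_events(), idle=900, status=status)
        print(f"idle=900 status={status}: {len(records)} records, cached={cached}")
```

With `idle=900` and `status=0`, the 60-second beacon never goes idle, so it stays in the cache for the whole feed and is never written; only the short flow is reported, 950 seconds after its last packet.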


