argus-3.0.0 ArgusWriteOutSocket
Michael Hornung
hornung at cac.washington.edu
Tue Jun 19 19:46:06 EDT 2007
Ok, I'll work on that angle. Thanks for the help, Carter.
-Mike
On Tue, 19 Jun 2007 at 19:42, Carter Bullard wrote:
|Hey Michael,
|Your argus is generating more records than your radium
|is reading (your argus output queue is getting too long).
|This is an indication that the remote client is either too
|slow, has gone away, or your argus is overloaded and
|can't write records out fast enough. argus closes the
|connection and throws the records away.
|
|You reported that this probe is running above 90%, so I
|suspect you need a faster machine for the link you are
|monitoring.
|
|Carter
|
|
|
|Michael Hornung wrote:
|
|> I'm running the most recent argus code on x86 Linux (Fedora Core 6). I have
|> debug logging set to level 1 and saw this:
|>
|> argus[17957]: 19 Jun 07 10:01:57.110399 ArgusWriteOutSocket(0x8fbd8bc) max queue exceeded 100001
|> argus[17957]: 19 Jun 07 10:01:57.111840 ArgusWriteOutSocket(0x8fbd8bc) max queue exceeded 100001
|> argus[17957]: 19 Jun 07 10:04:01.513001 connect from XX.XX.XX.XX
|>
|> It looks like something happened and the remote radium listener got
|> disconnected and then re-connected a few minutes later. Is this something to
|> be concerned about? Can it be fixed by system tuning? I have never seen
|> this message before. I would say any loss of captured data is worth concern.
|> I don't have a pcap from when this occurred.
|>
|> -Mike
|>
|
|
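
The condition discussed in this thread can be watched for in the argus debug log. The following is an added example, not part of the original messages and not argus project code: it groups "max queue exceeded" lines into bursts and pairs each burst with the next "connect from" line to measure the interval between the first overflow and the client's reconnect. The log lines are the ones quoted above; the function name and the assumption that the line layout is stable are illustrative.

```python
import re
from datetime import datetime

# Log lines quoted in the thread above (client address redacted there).
SAMPLE_LOG = """\
argus[17957]: 19 Jun 07 10:01:57.110399 ArgusWriteOutSocket(0x8fbd8bc) max queue exceeded 100001
argus[17957]: 19 Jun 07 10:01:57.111840 ArgusWriteOutSocket(0x8fbd8bc) max queue exceeded 100001
argus[17957]: 19 Jun 07 10:04:01.513001 connect from XX.XX.XX.XX
"""

# Assumed layout: "argus[PID]: DD Mon YY HH:MM:SS.ffffff message"
LINE = re.compile(r"argus\[\d+\]: (?P<ts>\d{1,2} \w{3} \d{2} [\d:.]+) (?P<msg>.*)")
OVERFLOW = re.compile(
    r"ArgusWriteOutSocket\((?P<sock>0x[0-9a-fA-F]+)\) max queue exceeded (?P<depth>\d+)")
CONNECT = re.compile(r"connect from (?P<peer>\S+)")


def find_output_gaps(text):
    """Return one dict per overflow burst, closed by the next reconnect if any."""
    gaps, burst = [], None
    for raw in text.splitlines():
        m = LINE.search(raw)
        if not m:
            continue  # not an argus debug line
        ts = datetime.strptime(m["ts"], "%d %b %y %H:%M:%S.%f")
        over = OVERFLOW.search(m["msg"])
        conn = CONNECT.search(m["msg"])
        if over:
            if burst is None:  # first overflow line opens a new burst
                burst = {"start": ts, "socket": over["sock"],
                         "depth": int(over["depth"]), "overflows": 0,
                         "reconnect": None, "peer": None, "gap_seconds": None}
                gaps.append(burst)
            burst["overflows"] += 1
        elif conn and burst is not None:  # client came back: close the burst
            burst.update(reconnect=ts, peer=conn["peer"],
                         gap_seconds=(ts - burst["start"]).total_seconds())
            burst = None
    return gaps  # a burst with gap_seconds None never saw a reconnect


if __name__ == "__main__":
    for g in find_output_gaps(SAMPLE_LOG):
        print(g["socket"], g["overflows"], "overflow lines, gap", g["gap_seconds"], "s")
```

A burst that is still open at the end of the log (gap_seconds is None) means no client reconnected after the overflow, which is the case to alert on first.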