argus-3.0.0 ArgusWriteOutSocket

Michael Hornung hornung at cac.washington.edu
Tue Jun 19 19:46:06 EDT 2007


Ok, I'll work on that angle.  Thanks for the help Carter.

-Mike

On Tue, 19 Jun 2007 at 19:42, Carter Bullard wrote:

|Hey Michael,
|Your argus is generating more records than your radium
|is reading, (your argus output queue is getting too long)
|This is an indication that the remote client is either too
|slow, has gone away, or your argus is overloaded and
|can't write records out fast enough.  argus  closes the
|connection and throws the records away.
|
|You reported that this probe is running above 90%, so I
|suspect you need a faster machine for the link you are
|monitoring.
|
|Carter
|
|
|
|Michael Hornung wrote:
|
|> I'm running the most recent argus code on x86 Linux (Fedora Core 6).  I have
|> debug logging set to level 1 and saw this:
|> 
|> argus[17957]: 19 Jun 07 10:01:57.110399 ArgusWriteOutSocket(0x8fbd8bc) max
|> queue exceeded 100001
|> argus[17957]: 19 Jun 07 10:01:57.111840 ArgusWriteOutSocket(0x8fbd8bc) max
|> queue exceeded 100001
|> argus[17957]: 19 Jun 07 10:04:01.513001 connect from XX.XX.XX.XX
|> 
|> It looks like something happened and the remote radium listener got
|> disconnected and then re-connected a few minutes later.  Is this something to
|> be concerned about?  Can it be fixed by system tuning?  I have never seen
|> this message before.  I would say any loss of captured data is worth concern.
|> I don't have a pcap from when this occurred.
|> 
|> -Mike
|> 
|
|



More information about the argus mailing list