argus-3.0.0 ArgusWriteOutSocket

VIEAU Cédric 172196 cedric.vieau at cea.fr
Wed Jun 20 11:04:16 EDT 2007 

Hey Michael,

you can also try to lower your ARGUS_FLOW_STATUS_INTERVAL in argus.conf
I had the same problem, and I changed it from 120 to 10.
Now my argus server is generating more records, but its queue is stable.

Cedric

> -----Message d'origine-----
> De : argus-info-bounces at lists.andrew.cmu.edu 
> [mailto:argus-info-bounces at lists.andrew.cmu.edu] De la part 
> de Michael Hornung
> Envoyé : mercredi 20 juin 2007 01:46
> À : Carter Bullard
> Cc : argus-info at lists.andrew.cmu.edu
> Objet : Re: [ARGUS] argus-3.0.0 ArgusWriteOutSocket
> 
> Ok, I'll work on that angle.  Thanks for the help Carter.
> 
> -Mike
> 
> On Tue, 19 Jun 2007 at 19:42, Carter Bullard wrote:
> 
> |Hey Michael,
> |Your argus is generating more records than your radium
> |is reading, (your argus output queue is getting too long)
> |This is an indication that the remote client is either too
> |slow, has gone away, or your argus is overloaded and
> |can't write records out fast enough.  argus  closes the
> |connection and throws the records away.
> |
> |You reported that this probe is running above 90%, so I
> |suspect you need a faster machine for the link you are
> |monitoring.
> |
> |Carter
> |
> |
> |
> |Michael Hornung wrote:
> |
> |> I'm running the most recent argus code on x86 Linux 
> (Fedora Core 6).  I have
> |> debug logging set to level 1 and saw this:
> |> 
> |> argus[17957]: 19 Jun 07 10:01:57.110399 
> ArgusWriteOutSocket(0x8fbd8bc) max
> |> queue exceeded 100001
> |> argus[17957]: 19 Jun 07 10:01:57.111840 
> ArgusWriteOutSocket(0x8fbd8bc) max
> |> queue exceeded 100001
> |> argus[17957]: 19 Jun 07 10:04:01.513001 connect from XX.XX.XX.XX
> |> 
> |> It looks like something happened and the remote radium listener got
> |> disconnected and then re-connected a few minutes later.  
> Is this something to
> |> be concerned about?  Can it be fixed by system tuning?  I 
> have never seen
> |> this message before.  I would say any loss of captured 
> data is worth concern.
> |> I don't have a pcap from when this occurred.
> |> 
> |> -Mike
> |> 
> |
> |
>

More information about the argus mailing list