Argus daemon (3.0.0, 3.0.1b2) dies after time on OpenBSD 4.x

Peter Van Epp vanepp at sfu.ca
Mon Dec 8 21:22:50 EST 2008


	How much memory is there on the sensor and how fast is the network it
is connected to? I have some recollection that when it runs out of memory 
the daemon dies silently (but memory problems have been thought to be fixed
for a long time too :-)). Doing your ps and watching memory usage over time 
is probably a good bet. If it grows towards the amount of memory available
in the days before a crash that would be one indication. 
	Otherwise you probably need to touch .devel and ./debug in the root
of the argus directory, then run ./configure and recompile with debugging 
support enabled. At that point changing 

ARGUS_DAEMON=yes
  to no (debug won't work in daemon mode I don't believe)
and

ARGUS_DEBUG_LEVEL=0

to 1 or 2 would likely be a good start although you can't run in daemon mode
anymore and need to redirect standard out to a file (which can grow very 
large on a busy link).

Peter Van Epp / Operations and Technical Support 
Simon Fraser University, Burnaby, B.C. Canada

On Mon, Dec 08, 2008 at 06:07:59PM -0700, Darren Spruell wrote:
> Hi,
> 
> I have an Argus installation on an OpenBSD 4.4 sensor for which I've
> noted the daemon running for a while (several days at a time) and then
> dying. Typical uptimes seem to vary between 6 and 10 days. No core
> files are found, and I don't seem to have anything in syslog
> indicating an error.
> 
> I've had the same experience on both argus-3.0.0 and
> argus-3.0.1.beta.2. Started as:
> 
> /usr/local/sbin/argus -F /etc/argus/argus.conf
> 
> Config file:
> 
> ARGUS_FLOW_TYPE="Bidirectional"
> ARGUS_FLOW_KEY="CLASSIC_5_TUPLE"
> ARGUS_DAEMON=yes
> ARGUS_MONITOR_ID=quagmire
> ARGUS_ACCESS_PORT=561
> ARGUS_BIND_IP="x.y.241.103"
> ARGUS_INTERFACE=em1
> ARGUS_SETUSER_ID=argus
> ARGUS_SETGROUP_ID=argus
> ARGUS_OUTPUT_FILE=/var/log/argus/argus-quagmire.out
> ARGUS_SET_PID=yes
> ARGUS_PID_PATH="/var/run/argus"
> ARGUS_FLOW_STATUS_INTERVAL=5
> ARGUS_MAR_STATUS_INTERVAL=60
> ARGUS_DEBUG_LEVEL=0
> ARGUS_GENERATE_RESPONSE_TIME_DATA=no
> ARGUS_GENERATE_PACKET_SIZE=no
> ARGUS_GENERATE_JITTER_DATA=no
> ARGUS_GENERATE_MAC_DATA=no
> ARGUS_GENERATE_APPBYTE_METRIC=no
> ARGUS_FILTER="ip and not dst host 224.0.0.2"
> 
> Running daemon:
> 
> argus    28139  0.0  0.1  1636  2208 ??  Ss    Sun12AM    0:56.27 argus -F /etc/argus/argus.conf
> 
> Output files:
> 
> -rw-r--r--  1 argus  argus  62199296 Dec  8 17:29 /var/log/argus/argus-quagmire.out
> -rw-r--r--  1 argus  argus  6 Dec  7 00:36 /var/run/argus/argus.em1.0.pid
> 
> OS: OpenBSD 4.4-stable (GENERIC) i386
> em1: Intel PRO/1000MT (82546EB)
> 
> Anything apparent going on? If not, how should I run the daemon to
> output useful debugging data?
> 
> -- 
> Darren Spruell
> phatbuckett at gmail.com
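
One way to do the memory watch suggested in the reply, as an added example (not part of either post and not Argus code): it samples the daemon's RSS and VSZ until the process disappears, records when that happened, and summarizes the growth. The pid file path is the one shown in the quoted listing; the log path and the 300-second interval are assumptions.

```shell
#!/bin/sh
# Added example: sample the argus process's memory until it exits, then summarize.
# PIDFILE is the pid file shown in the post; LOG and the 300 s interval are assumptions.
PIDFILE=/var/run/argus/argus.em1.0.pid
LOG=/var/tmp/argus-mem.log

# Append "epoch rss_kb vsz_kb" for PID $1 to LOG; return non-zero once the process is gone.
sample_mem() {
    set -- "$1" $(ps -o rss= -o vsz= -p "$1" 2>/dev/null)
    [ $# -eq 3 ] || return 1
    echo "$(date +%s) $2 $3" >> "$LOG"
}

# Summarize a log: first/last RSS, growth, and whether RSS ever shrank between samples.
# A line of the form "epoch DIED" marks the time the process disappeared.
mem_trend() {
    awk '
        $2 == "DIED" { died = $1; next }
        NF == 3 { if (n && $2 < last) shrank = 1
                  if (!n) { first = $2; t0 = $1 }
                  n++; last = $2; t1 = $1 }
        END {
            if (!n) { print "no samples"; exit 1 }
            printf "samples=%d hours=%.1f rss_first=%d rss_last=%d growth_kb=%d monotonic=%s died=%s\n",
                n, (t1 - t0) / 3600, first, last, last - first,
                (shrank ? "no" : "yes"), (died ? died : "no")
        }' "$1"
}

# Run as: sh argus-mem.sh watch   (samples every 300 s until argus exits)
if [ "${1:-}" = "watch" ]; then
    pid=$(cat "$PIDFILE") || exit 1
    while sample_mem "$pid"; do sleep 300; done
    echo "$(date +%s) DIED" >> "$LOG"
    mem_trend "$LOG"
fi
```

RSS that climbs without shrinking up to the DIED timestamp points at memory exhaustion; a flat RSS at the time of death points elsewhere, and the debug build described above is the next step.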


