Argus daemon (3.0.0, 3.0.1b2) dies after time on OpenBSD 4.x

Darren Spruell phatbuckett at gmail.com
Tue Dec 9 02:09:53 EST 2008


On Mon, Dec 8, 2008 at 7:22 PM, Peter Van Epp <vanepp at sfu.ca> wrote:
>        How much memory is there on the sensor and how fast is the network it
> is connected to? I have some recollection that when it runs out of memory
> the daemon dies silently (but memory problems have been thought to be fixed
> for a long time too :-)). Doing your ps and watching memory usage over time
> is probably a good bet. If it grows towards the amount of memory available
> in the days before a crash that would be one indication.

2 GB memory:

cpu0: Intel(R) Pentium(R) 4 CPU 3.06GHz ("GenuineIntel" 686-class) 3.07 GHz
real mem  = 2146992128 (2047MB)
avail mem = 2067632128 (1971MB)

There's a few apps running on the host but I have over 1 GB free
whenever I check, like this:

Memory: Real: 279M/530M act/tot  Free: 1479M  Swap: 0K/1028M used/tot

The link speed is 1000Mbps, but the traffic it is monitoring is a
pathetic trickle of < 15Kbps and < 10Kpps. It's only monitoring
traffic that has been sinkholed via DNS redirection.

>        Otherwise you probably need to touch .devel and ./debug in the root
> of the argus directory, then run ./configure and recompile with debugging
> support enabled. At that point changing
[...]

I'll give this a go.

DS

> On Mon, Dec 08, 2008 at 06:07:59PM -0700, Darren Spruell wrote:
>> Hi,
>>
>> I have an Argus installation on an OpenBSD 4.4 sensor for which I've
>> noted the daemon running for a while (several days at a time) and then
>> dying. Typical uptimes seem to vary between 6 and 10 days. No core
>> files are found, and I don't seem to have anything in syslog
>> indicating an error.
>>
>> I've had the same experience on both argus-3.0.0 and
>> argus-3.0.1.beta.2. Started as:
>>
>> /usr/local/sbin/argus -F /etc/argus/argus.conf
>>
>> Config file:
>>
>> ARGUS_FLOW_TYPE="Bidirectional"
>> ARGUS_FLOW_KEY="CLASSIC_5_TUPLE"
>> ARGUS_DAEMON=yes
>> ARGUS_MONITOR_ID=quagmire
>> ARGUS_ACCESS_PORT=561
>> ARGUS_BIND_IP="x.y.241.103"
>> ARGUS_INTERFACE=em1
>> ARGUS_SETUSER_ID=argus
>> ARGUS_SETGROUP_ID=argus
>> ARGUS_OUTPUT_FILE=/var/log/argus/argus-quagmire.out
>> ARGUS_SET_PID=yes
>> ARGUS_PID_PATH="/var/run/argus"
>> ARGUS_FLOW_STATUS_INTERVAL=5
>> ARGUS_MAR_STATUS_INTERVAL=60
>> ARGUS_DEBUG_LEVEL=0
>> ARGUS_GENERATE_RESPONSE_TIME_DATA=no
>> ARGUS_GENERATE_PACKET_SIZE=no
>> ARGUS_GENERATE_JITTER_DATA=no
>> ARGUS_GENERATE_MAC_DATA=no
>> ARGUS_GENERATE_APPBYTE_METRIC=no
>> ARGUS_FILTER="ip and not dst host 224.0.0.2"
>>
>> Running daemon:
>>
>> argus    28139  0.0  0.1  1636  2208 ??  Ss    Sun12AM    0:56.27 argus -F /etc/argus/argus.conf
>>
>> Output files:
>>
>> -rw-r--r--  1 argus  argus  62199296 Dec  8 17:29 /var/log/argus/argus-quagmire.out
>> -rw-r--r--  1 argus  argus  6 Dec  7 00:36 /var/run/argus/argus.em1.0.pid
>>
>> OS: OpenBSD 4.4-stable (GENERIC) i386
>> em1: Intel PRO/1000MT (82546EB)
>>
>> Anything apparent going on? If not, how should I run the daemon to
>> output useful debugging data?
>>
>> --
>> Darren Spruell
>> phatbuckett at gmail.com
>



-- 
Darren Spruell
phatbuckett at gmail.com
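
Added example (not part of the original message or of the Argus distribution): one way to do the "ps and watch memory usage over time" check suggested above, recording when the daemon disappears, since it leaves no core file or syslog entry. The log path, sample interval and function names are assumptions; the pid file path is the one shown in the post.

```sh
#!/bin/sh
# Added example: sample a daemon's memory use from ps and note when it exits.
PIDFILE=${PIDFILE:-/var/run/argus/argus.em1.0.pid}  # pid file named in the post
LOG=${LOG:-/var/tmp/argus-mem.log}                  # assumed log location
INTERVAL=${INTERVAL:-300}                           # assumed sample period (s)

# Print "epoch pid vsz_kb rss_kb" for pid $1; return 1 if it is not running.
sample_pid() {
    out=$(ps -o vsz= -o rss= -p "$1" 2>/dev/null) || return 1
    set -- "$1" $out
    [ $# -eq 3 ] || return 1
    echo "$(date +%s) $1 $2 $3"
}

# Read sample lines on stdin; print RSS growth in KB/hour from first to last.
# Lines that are not 4-field samples (the GONE marker) are ignored.
growth_kb_per_hour() {
    awk 'NF == 4 { if (!n++) { t0 = $1; r0 = $4 } t1 = $1; r1 = $4 }
         END { if (n < 2 || t1 == t0) { print 0; exit }
               printf "%d\n", (r1 - r0) * 3600 / (t1 - t0) }'
}

# Append a sample every INTERVAL seconds; log a GONE marker and stop when the
# pid file is missing or the process has exited.
watch_daemon() {
    while :; do
        pid=$(cat "$PIDFILE" 2>/dev/null) || pid=
        if [ -n "$pid" ] && line=$(sample_pid "$pid"); then
            echo "$line" >> "$LOG"
        else
            echo "$(date +%s) ${pid:-nopid} GONE" >> "$LOG"
            return 1
        fi
        sleep "$INTERVAL"
    done
}

# Usage: sh argus-memwatch.sh run &
# Later, source this file and run: growth_kb_per_hour < "$LOG"
if [ "${1:-}" = "run" ]; then
    watch_daemon
fi
```

The timestamp on the GONE line narrows down when the daemon died, and a steadily positive growth figure in the days before it would support the out-of-memory theory.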