Killing daemoized rasplit breaks output file

Kevin & Leah Branch klkbranch at hotmail.com
Wed Feb 25 23:42:52 EST 2009 

Hi Carter,

I'm just getting into using argus paired with rasplit to create hourly flow files, and I really like it.  I'm using version 3.0.0 of argus and argus-clients on a 32bit CentOS 5 platform.

After starting an argus daemon like this
   /usr/local/sbin/argus -i eth4 -P 561
I invoke rasplit like this
   /usr/local/bin/rasplit -X -S 127.0.0.1:561 -M time 1h -w /argus/%m/%d/tru-%H.arg -d
and it works beautifully.

The only problem happens when I need to shut down argus and rasplit.  Argus goes down nicely with a simple kill, but I have to do a kill -9 before rasplit will shut down.  However, this appears to corrupt the data file it was writing to.  "racluster" segfaults when trying to read the file.  "ra" returns an error like this
   ra[12831]: 22:28:59.388690 ArgusReadStreamSocket (0xb7e2517c) record length is zero
along with reporting a wierd record like this
      18:00:05.135086                                                                                 0          0   UNK

It seems I can repair the damaged file by doing an 
   ra -r DAMAGED_FILE -w FIXED_FILE
but I thought I'd inquire if there is a cleaner way to stop rasplit.

I actually have a number of argus sniff points, each with their own argus and rasplit daemon.  Since they are all on the same host, I thought running rasplit directly against argus was better than using radium.  Please correct me if I am mistaken.  

It looks like Ken Anderson mentioned this same issue on 12/08
fwiw, I was experimenting with using "rasplit -d -S $source" to connect 
directly to the source (without radium). I encountered a problem where 
rasplit doesn't die without 'kill -9'. After a 'kill -9', ragraph can no 
longer read the rasplit generated log file beyond the time when rasplit 
was killed. It looks like a partial 'UNK' record corrupts the file.
Thanks!
Kevin

_________________________________________________________________
Windows Live™: Discover 10 secrets about the new Windows Live.  
http://windowslive.com/connect/post/jamiethomson.spaces.live.com-Blog-cns!550F681DAD532637!7540.entry?ocid=TXT_TAGLM_WL_t2_ugc_post_022009
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://pairlist1.pair.net/pipermail/argus/attachments/20090226/584f56e9/attachment.html>

More information about the argus mailing list