Killing daemonized rasplit breaks output file

Carter Bullard carter at qosient.com
Thu Feb 26 00:10:46 EST 2009


Hey Kevin,
Hmmm, so this should be easy to fix.

Just a few questions.   Is rasplit() running in RELIABLE mode,
where it reconnects to its source automatically?
Are there any log messages when it gets the SIGHUP or whatever
signal you're sending it, and lastly does it still work after sending
it SIG whatever, or is it dead but not gone?

I think radium is the way to go and so we should do whatever we need
to get it so that that is the preferred way of doing it.

I'll try to fix this tomorrow before I release the new clients.

Carter

On Feb 25, 2009, at 11:42 PM, Kevin & Leah Branch wrote:

> Hi Carter,
>
> I'm just getting into using argus paired with rasplit to create  
> hourly flow files, and I really like it.  I'm using version 3.0.0 of  
> argus and argus-clients on a 32bit CentOS 5 platform.
>
> After starting an argus daemon like this
>    /usr/local/sbin/argus -i eth4 -P 561
> I invoke rasplit like this
>    /usr/local/bin/rasplit -X -S 127.0.0.1:561 -M time 1h -w /argus/%m/%d/tru-%H.arg -d
> and it works beautifully.
>
> The only problem happens when I need to shut down argus and  
> rasplit.  Argus goes down nicely with a simple kill, but I have to  
> do a kill -9 before rasplit will shut down.  However, this appears  
> to corrupt the data file it was writing to.  "racluster" segfaults  
> when trying to read the file.  "ra" returns an error like this
>    ra[12831]: 22:28:59.388690 ArgusReadStreamSocket (0xb7e2517c) record length is zero
> along with reporting a weird record like this
>    18:00:05.135086          0          0   UNK
>
> It seems I can repair the damaged file by doing an
>    ra -r DAMAGED_FILE -w FIXED_FILE
> but I thought I'd inquire if there is a cleaner way to stop rasplit.
>
> I actually have a number of argus sniff points, each with their own  
> argus and rasplit daemon.  Since they are all on the same host, I  
> thought running rasplit directly against argus was better than using  
> radium.  Please correct me if I am mistaken.
>
> It looks like Ken Anderson mentioned this same issue on 12/08
> fwiw, I was experimenting with using "rasplit -d -S $source" to connect
> directly to the source (without radium). I encountered a problem where
> rasplit doesn't die without 'kill -9'. After a 'kill -9', ragraph can no
> longer read the rasplit generated log file beyond the time when rasplit
> was killed. It looks like a partial 'UNK' record corrupts the file.
> Thanks!
> Kevin

Carter Bullard
CEO/President
QoSient, LLC
150 E 57th Street Suite 12D
New York, New York  10022

+1 212 588-9133 Phone
+1 212 588-9134 Fax


