Problem with argus under load not reopening output file.
Carter Bullard
carter at qosient.com
Tue Jan 6 14:23:43 EST 2009
Hey Martijn,
Well that's not right at all. There is a timestamp that argus uses to
realize
when it should perform the fstat(), and I suspect that either that
timestamp
is getting corrupted, or argus's concept of current time is not right.
I'll take a look at this tonight, so that I can type more
intelligently about
the possible causes, and we can try to figure out a plan.
Sorry for the inconvenience!!
Carter
On Jan 6, 2009, at 10:09 AM, Martijn van Oosterhout wrote:
> Hoi,
>
> I'm having difficulty with argus on a high-load machine. The symptom
> is that argus archiving stops working. Specifically, normally argus
> reopens its output file argus.out once a second. However, in my case
> it's stops doing that for some reason. So when the archiving script
> moves the file away, a new file is not created again, although argus
> keep writing to the file-to-be-archived.
>
> At the same time, argus starts to consume more memory, until at some
> time it runs out of memory to allocate and crashes. A watchdog
> restarts argus again and everything works again.
>
> I've confirmed with strace that argus normally reopens the file and
> after a while stops. After it stops reopening the file, everything
> else seems normal, the data being written is correct. To me it feels
> like something causes a flag to be set within argus causing it to stop
> reopening the output file, though I can't quite see in the source why.
>
> This is argus 3.0.0, though the same behaviour was seen with
> 3.0.0.rc.36.
>
> Has anyone seen this behavior before?
>
> Thanks in advance,
> --
> Martijn van Oosterhout <kleptog at gmail.com> http://svana.org/kleptog/
>
More information about the argus
mailing list