Problem with argus under load not reopening output file.
Martijn van Oosterhout
kleptog at gmail.com
Tue Jan 6 16:58:01 EST 2009
Thanks. The symptom I see is that "strace -e file" on the process
stops showing anything. It's still write()ing but nothing else.
I was looking at the debug levels but it seems that any useful debug
level is going to produce far too much output. However, I note you can
increase the debug level on the fly with SIGUSR1. I'll try that next
time I see it's gotten into that state...
Any tips as to what to look for would be helpful.
Have a nice day,
On Tue, Jan 6, 2009 at 8:23 PM, Carter Bullard <carter at qosient.com> wrote:
> Hey Martijn,
> Well that's not right at all. There is a timestamp that argus uses to
> realize
> when it should perform the fstat(), and I suspect that either that timestamp
> is getting corrupted, or argus's concept of current time is not right.
>
> I'll take a look at this tonight, so that I can type more intelligently
> about
> the possible causes, and we can try to figure out a plan.
>
> Sorry for the inconvenience!!
>
> Carter
>
> On Jan 6, 2009, at 10:09 AM, Martijn van Oosterhout wrote:
>
>> Hoi,
>>
>> I'm having difficulty with argus on a high-load machine. The symptom
>> is that argus archiving stops working. Specifically, normally argus
>> reopens its output file argus.out once a second. However, in my case
>> it's stops doing that for some reason. So when the archiving script
>> moves the file away, a new file is not created again, although argus
>> keep writing to the file-to-be-archived.
>>
>> At the same time, argus starts to consume more memory, until at some
>> time it runs out of memory to allocate and crashes. A watchdog
>> restarts argus again and everything works again.
>>
>> I've confirmed with strace that argus normally reopens the file and
>> after a while stops. After it stops reopening the file, everything
>> else seems normal, the data being written is correct. To me it feels
>> like something causes a flag to be set within argus causing it to stop
>> reopening the output file, though I can't quite see in the source why.
>>
>> This is argus 3.0.0, though the same behaviour was seen with 3.0.0.rc.36.
>>
>> Has anyone seen this behavior before?
>>
>> Thanks in advance,
>> --
>> Martijn van Oosterhout <kleptog at gmail.com> http://svana.org/kleptog/
>>
>
>
--
Martijn van Oosterhout <kleptog at gmail.com> http://svana.org/kleptog/
More information about the argus
mailing list