Rasplit compression support

Matt Sheridan mattmail5050 at gmail.com
Mon Nov 16 16:38:38 EST 2009


I was able to get it figured out. I admit not being fully versed in my
compile skills :). Adding the .debug to the compile directory was the
clarification that I missed.

Here are the results from stdout. Zombie processes were created when looking
at ps:

rastream -S localhost:561 -M time 10m -B 10s -f
/opt/IDS/argus/etc/rastream.sh -w
/opt/IDS/argus/log/\$srcid/argus.%Y_%m_%d_%H%M.out -D1
rastream[14067.a08e7288f12a0000]: 16:03:10.090959 main: reading files
completed
rastream[14067.4019a54100000000]: 16:03:10.091388 Trying 127.0.0.1 port 561
Expecting Argus records
rastream[14067.4019a54100000000]: 16:03:10.091652 connected
rastream[14067.4019a54100000000]: 16:03:10.091768 ArgusGetServerSocket
(0x87df0010) returning 3
rastream[14067.a08e7288f12a0000]: 16:10:15.474102 ArgusRunScript(0x87d41010,
21198c10) filename /opt/IDS/argus/log/127.0.0.1/argus.2009_11_16_1600.out
rastream[14067.a08e7288f12a0000]: 16:10:15.474201 ArgusRunScript(0x87d41010,
0x21198c10) scheduling  /opt/IDS/argus/etc/rastream.sh -r
/opt/IDS/argus/log/127.0.0.1/argus.2009_11_16_1600.out
rastream[14067.a08e7288f12a0000]: 16:10:15.474240 ArgusRunScript(0x87d41010,
21198c10) returning  /opt/IDS/argus/etc/rastream.sh -r /opt/IDS/argus/log/
127.0.0.1/argus.2009_11_16_1600.out
rastream[16367.a08e7288f12a0000]: 16:10:16.074641 ArgusRunScript calling
/opt/IDS/argus/etc/rastream.sh -r /opt/IDS/argus/log/
127.0.0.1/argus.2009_11_16_1600.out
deleting
rastream[14067.a08e7288f12a0000]: 16:10:16.468756 ArgusClientTimeout():
waitpid(16367) returned 0
rastream[14067.a08e7288f12a0000]: 16:10:16.468920 ArgusTask(16367): task
/opt/IDS/argus/etc/rastream.sh -r /opt/IDS/argus/log/
127.0.0.1/argus.2009_11_16_1600.out completed
rastream[14067.a08e7288f12a0000]: 16:20:15.478998 ArgusRunScript(0x87d41010,
21198c10) filename /opt/IDS/argus/log/127.0.0.1/argus.2009_11_16_1610.out
rastream[14067.a08e7288f12a0000]: 16:20:15.479067 ArgusRunScript(0x87d41010,
0x21198c10) scheduling  /opt/IDS/argus/etc/rastream.sh -r
/opt/IDS/argus/log/127.0.0.1/argus.2009_11_16_1610.out
rastream[14067.a08e7288f12a0000]: 16:20:15.479106 ArgusRunScript(0x87d41010,
21198c10) returning  /opt/IDS/argus/etc/rastream.sh -r /opt/IDS/argus/log/
127.0.0.1/argus.2009_11_16_1610.out
rastream[18988.a08e7288f12a0000]: 16:20:16.067329 ArgusRunScript calling
/opt/IDS/argus/etc/rastream.sh -r /opt/IDS/argus/log/
127.0.0.1/argus.2009_11_16_1610.out
deleting
rastream[14067.a08e7288f12a0000]: 16:20:16.466221 ArgusClientTimeout():
waitpid(18988) returned 0
rastream[14067.a08e7288f12a0000]: 16:20:16.466318 ArgusTask(18988): task
/opt/IDS/argus/etc/rastream.sh -r /opt/IDS/argus/log/
127.0.0.1/argus.2009_11_16_1610.out completed
rastream[14067.a08e7288f12a0000]: 16:30:15.677941 ArgusRunScript(0x87d41010,
21198c10) filename /opt/IDS/argus/log/127.0.0.1/argus.2009_11_16_1620.out
rastream[14067.a08e7288f12a0000]: 16:30:15.678010 ArgusRunScript(0x87d41010,
0x21198c10) scheduling  /opt/IDS/argus/etc/rastream.sh -r
/opt/IDS/argus/log/127.0.0.1/argus.2009_11_16_1620.out
rastream[14067.a08e7288f12a0000]: 16:30:15.678049 ArgusRunScript(0x87d41010,
21198c10) returning  /opt/IDS/argus/etc/rastream.sh -r /opt/IDS/argus/log/
127.0.0.1/argus.2009_11_16_1620.out
rastream[21520.a08e7288f12a0000]: 16:30:16.268747 ArgusRunScript calling
/opt/IDS/argus/etc/rastream.sh -r /opt/IDS/argus/log/
127.0.0.1/argus.2009_11_16_1620.out
deleting
rastream[14067.a08e7288f12a0000]: 16:30:16.665196 ArgusClientTimeout():
waitpid(21520) returned 0
rastream[14067.a08e7288f12a0000]: 16:30:16.665323 ArgusTask(21520): task
/opt/IDS/argus/etc/rastream.sh -r /opt/IDS/argus/log/
127.0.0.1/argus.2009_11_16_1620.out completed

As to the issue of command line ra and ratop with strange results, I will
open that in a separate thread to avoid overlap.

Matt

On Mon, Nov 16, 2009 at 4:16 PM, Peter Van Epp <vanepp at sfu.ca> wrote:

> On Mon, Nov 16, 2009 at 02:48:34PM -0500, Matt Sheridan wrote:
> > Hi Carter -
> >
> >
> >
> > Running with -D1 ran without error, however nothing was written to
> .debug. I
> > created .debug in /usr/local/bin (as root) where rastream is located.
> >
> <snip>
>
>        I expect Carter was a little too terse :-). You need to touch .debug
> (and probably .devel to get symbols as well) in the top of the argus clients
> source directory and then do
>
> make clobber
> ./configure
> make
> make install
>
> to remake the clients with the debug code (and gdb symbols if .devel is
> added). Then when you run rastream without -d the debug messages will come
> to the console.
>
> Peter Van Epp
>
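The `waitpid(16367) returned 0` lines in the output above are the one poll rastream makes after scheduling the script; a 0 from a non-blocking waitpid means "child still running", and a child that is never polled again is exactly what shows up as a zombie in ps. The following C sketch is an added illustration, not rastream's or the argus clients' code, and the names spawn_task, poll_task and reap_task are hypothetical: it spawns a post-processing command the same way (fork + exec of a shell), polls it with WNOHANG, and keeps polling until the child is actually reaped.

```c
#define _POSIX_C_SOURCE 200809L
#include <errno.h>
#include <stdio.h>
#include <sys/wait.h>
#include <time.h>
#include <unistd.h>

/* Result of one poll of a child task. */
typedef enum { TASK_RUNNING, TASK_DONE, TASK_ERROR } task_state;

/* Spawn a post-processing command via /bin/sh (hypothetical helper, not
 * rastream's ArgusRunScript). Returns the child pid, or -1 on fork failure. */
pid_t spawn_task(const char *cmd) {
    pid_t pid = fork();
    if (pid == 0) {
        execl("/bin/sh", "sh", "-c", cmd, (char *)NULL);
        _exit(127);                   /* exec failed */
    }
    return pid;
}

/* Non-blocking poll. waitpid(..., WNOHANG) == 0 means the child is still
 * running, not finished; it must be polled again or it stays a zombie. */
task_state poll_task(pid_t pid, int *status) {
    if (pid <= 0) return TASK_ERROR;  /* never pass -1: that waits for ANY child */
    pid_t r = waitpid(pid, status, WNOHANG);
    if (r == 0) return TASK_RUNNING;
    if (r == pid) return TASK_DONE;
    return TASK_ERROR;                /* -1: ECHILD (already reaped) or EINTR */
}

/* Poll every 10 ms until the child is reaped or timeout_ms elapses. On
 * TASK_DONE, *exit_code holds the script's exit status (-1 if signalled). */
task_state reap_task(pid_t pid, int timeout_ms, int *exit_code) {
    int status = 0;
    struct timespec tick = { 0, 10 * 1000 * 1000 };
    for (int waited = 0; waited <= timeout_ms; waited += 10) {
        task_state s = poll_task(pid, &status);
        if (s == TASK_DONE) {
            *exit_code = WIFEXITED(status) ? WEXITSTATUS(status) : -1;
            return TASK_DONE;
        }
        if (s == TASK_ERROR && errno != EINTR) return TASK_ERROR;
        nanosleep(&tick, NULL);
    }
    return TASK_RUNNING;              /* still alive: caller decides to kill/keep polling */
}

int main(void) {
    int code = -1, status = 0;
    pid_t pid = spawn_task("sleep 1; exit 3");
    printf("first poll: %s\n", poll_task(pid, &status) == TASK_RUNNING ? "still running" : "done");
    printf("reap: state=%d exit=%d\n", reap_task(pid, 5000, &code), code);
    return 0;
}
```

A second poll after TASK_DONE returns TASK_ERROR with errno ECHILD, which is the expected sign that the child was already reaped rather than a failure.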