Rasplit compression support

Peter Van Epp vanepp at sfu.ca
Mon Nov 16 21:32:48 EST 2009


On Mon, Nov 16, 2009 at 04:38:38PM -0500, Matt Sheridan wrote:
> I was able to get it figured out. I admit not being fully versed in my
> compile skills :). Adding the .debug to the compile directory was the
> clarification that I missed.
> 
> Here are the results from stdout. Zombie processes were created when looking
> at ps:
> 
> rastream -S localhost:561 -M time 10m -B 10s -f
> /opt/IDS/argus/etc/rastream.sh -w
> /opt/IDS/argus/log/\$srcid/argus.%Y_%m_%d_%H%M.out -D1
> rastream[14067.a08e7288f12a0000]: 16:03:10.090959 main: reading files
> completed
> rastream[14067.4019a54100000000]: 16:03:10.091388 Trying 127.0.0.1 port 561
> Expecting Argus records
> rastream[14067.4019a54100000000]: 16:03:10.091652 connected
> rastream[14067.4019a54100000000]: 16:03:10.091768 ArgusGetServerSocket
> (0x87df0010) returning 3
> rastream[14067.a08e7288f12a0000]: 16:10:15.474102 ArgusRunScript(0x87d41010,
> 21198c10) filename /opt/IDS/argus/log/127.0.0.1/argus.2009_11_16_1600.out
> rastream[14067.a08e7288f12a0000]: 16:10:15.474201 ArgusRunScript(0x87d41010,
> 0x21198c10) scheduling  /opt/IDS/argus/etc/rastream.sh -r
> /opt/IDS/argus/log/127.0.0.1/argus.2009_11_16_1600.out
> rastream[14067.a08e7288f12a0000]: 16:10:15.474240 ArgusRunScript(0x87d41010,
> 21198c10) returning  /opt/IDS/argus/etc/rastream.sh -r /opt/IDS/argus/log/
> 127.0.0.1/argus.2009_11_16_1600.out
> rastream[16367.a08e7288f12a0000]: 16:10:16.074641 ArgusRunScript calling
> /opt/IDS/argus/etc/rastream.sh -r /opt/IDS/argus/log/
> 127.0.0.1/argus.2009_11_16_1600.out
> deleting
<snip>

	While I haven't used rastream (let alone run scripts from it :-)), can 
you tell what is zombieing? My first guess (although I'm not an expert on 
zombies either :-)) would be that your script isn't returning a result to 
rastream which is I think what causes a zombie. It would be instructive to 
know what the original pid of one of the zombies is (as the pids are showing
in the argus debug output, although I don't seem to have left one :-)). That
should point to what task is causing the zombie.

Peter Van Epp



More information about the argus mailing list