Radium and output files

Carter Bullard carter at qosient.com
Tue Apr 12 17:07:55 EDT 2011 

Well that is interesting.  I can't see how we could write to two file descriptors
for the same file entry, so this is a head scratcher.  I've tested this on several
architectures today, and can't get it to do anything extra ordinary, so must be
a good bug.  You aren't using the 'e' option by any chance, to write exception
records (records that failed the filter) into a separate file?

I would suggest a few things.  One is to "mv" the argus.out file, and not delete it.
To see if that creates 3 files open by this radium, or if this closes all the other files.
The other would be to attach to the running radium, with gdb, and break in
ArgusOutputProcess to see what it thinks is in the output->ArgusOutputList.

One of the unique things about netflow records, is that the timestamps can
be waaaaay in the past.  We use the timestamps to set some internal clocks,
and that may be screwing up our decision to close.  I'll have to think about that.

Carter

On Apr 12, 2011, at 4:23 PM, Mike Iglesias wrote:

> On 04/12/2011 11:13 AM, Carter Bullard wrote:
>> Hey Mike,
>> No, its suppose to do something that is useful.  The detection that the file
>> has been removed is on a timer, and it should be checked every second.
>> When it realizes the file doesn't exist, it flushes and closes the file.
>> Then it creates a new file and starts writing.
>> 
>> Is the new file growing in size?  is the old one growing?
> 
> Yes to both:
> 
> what I sent you before (taken about 9 hours after the file rename):
> radium  12671 root    3w   REG    9,0  2010741524 3932172 /log/argus/argus.out
> radium  12671 root    4w   REG    9,0 13282553300 3932171
> /log/argus/argus.out.20110411 (deleted)
> 
> 
> Now:
> radium  12671 root    3w   REG    9,0  3601908724 3932172 /log/argus/argus.out
> radium  12671 root    4w   REG    9,0 14873720500 3932171
> /log/argus/argus.out.20110411 (deleted)
> 
> The 7th column is the file size.
> 
> 
> -- 
> Mike Iglesias                          Email:       iglesias at uci.edu
> University of California, Irvine       phone:       949-824-6926
> Office of Information Technology       FAX:         949-824-2270
> 

-------------- next part --------------
A non-text attachment was scrubbed...
Name: smime.p7s
Type: application/pkcs7-signature
Size: 3815 bytes
Desc: not available
URL: <https://pairlist1.pair.net/pipermail/argus/attachments/20110412/310bfb26/attachment.bin>

More information about the argus mailing list