Radium and output files

Carter Bullard carter at qosient.com
Tue Apr 12 17:48:40 EDT 2011


Hey Mike,
Oh no problem.  Understanding the behavior helps to know what to do when
it crops up again.   

So, what seems to have happened, is you had the same file opened as two
separate outputs.  Argus sees these as distinct and separate output objects.

Then, after some period of time, you renamed the file.  When the next flow record
arrives to be written, the first object sees that the file is gone, closes its file descriptor,
recreates the file, and then writes the flow record into the file.  radium() then
writes to the other output object, tests the existence of the file, sees that it's
still there, and just keeps writing away, but in this case, it's into the older file.

I can do two things.  First, test to see if we are opening the same file twice.  Avoiding
this would be a good thing.  The second thing I can do is test the creation time, to
make sure the file isn't new, even though it's there, but with the same name.

These seem to be important things to do, so all is good.
Sorry for the inconvenience !!!!

Carter

On Apr 12, 2011, at 5:37 PM, Mike Iglesias wrote:

> On 04/12/2011 02:07 PM, Carter Bullard wrote:
>> Well that is interesting.  I can't see how we could write to two file descriptors
>> for the same file entry, so this is a head scratcher.  I've tested this on several
>> architectures today, and can't get it to do anything extraordinary, so must be
>> a good bug.  You aren't using the 'e' option by any chance, to write exception
>> records (records that failed the filter) into a separate file?
> 
> Nope.  I started radium like this:  radium -C 9996 -w argus.out
> 
>> 
>> I would suggest a few things.  One is to "mv" the argus.out file, and not delete it.
>> To see if that creates 3 files open by this radium, or if this closes all the other files.
>> The other would be to attach to the running radium, with gdb, and break in
>> ArgusOutputProcess to see what it thinks is in the output->ArgusOutputList.
> 
> I mv'd the argus.out file, and it closed it and opened a new one.  The deleted
> file from early this morning is still open and being written to.
> 
> I think I figured out what I had done wrong - the radium.conf file had this in it:
> 
> RADIUM_OUTPUT_FILE=/log/argus/argus.out
> 
> and I had "-w argus.out" on the command line, so it had the argus.out file
> open twice.  I've restarted radium without the -w option, so it has the output
> file open once now.  mv'ing the argus.out file now works properly.
> 
> Sorry about that...
> 
> 
> -- 
> Mike Iglesias                          Email:       iglesias at uci.edu
> University of California, Irvine       phone:       949-824-6926
> Office of Information Technology       FAX:         949-824-2270
> 
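
The two checks discussed in this thread, as an added example (not Argus code and not written by either poster). It compares device and inode numbers instead of the creation time Carter mentions; `struct out_obj`, the function names and the scratch path are hypothetical.

```c
#include <fcntl.h>
#include <stdio.h>
#include <sys/stat.h>
#include <unistd.h>

/* Hypothetical output object: the path it was opened by plus its descriptor. */
struct out_obj { const char *path; int fd; };

/* 1 if both descriptors refer to the same file (same device and inode). */
int same_file(int fd_a, int fd_b) {
    struct stat a, b;
    if (fstat(fd_a, &a) != 0 || fstat(fd_b, &b) != 0) return -1;
    return a.st_dev == b.st_dev && a.st_ino == b.st_ino;
}

/* 1 if the path is gone OR now names a different file than the one held open.
   A bare existence test misses the second case. */
int needs_reopen(const struct out_obj *o) {
    struct stat held, on_disk;
    if (fstat(o->fd, &held) != 0 || stat(o->path, &on_disk) != 0) return 1;
    return held.st_dev != on_disk.st_dev || held.st_ino != on_disk.st_ino;
}

/* Open (or recreate) the path and swap it in for the stale descriptor. */
int reopen_output(struct out_obj *o) {
    int fd = open(o->path, O_WRONLY | O_CREAT | O_APPEND, 0600);
    if (fd < 0) return -1;
    close(o->fd);
    o->fd = fd;
    return 0;
}

/* Replays the scenario on a constructed scratch file; returns 1 when every
   step behaves as described. */
int replay_rename_scenario(void) {
    char path[64], moved[80];
    snprintf(path, sizeof path, "/tmp/outdemo.%ld.out", (long)getpid());
    snprintf(moved, sizeof moved, "%s.1", path);
    struct out_obj a = { path, open(path, O_WRONLY | O_CREAT | O_APPEND, 0600) };
    struct out_obj b = { path, open(path, O_WRONLY | O_APPEND) };
    if (a.fd < 0 || b.fd < 0) return -1;
    int dup = same_file(a.fd, b.fd);          /* same file opened twice */
    rename(path, moved);
    int a_stale = needs_reopen(&a);           /* path missing */
    reopen_output(&a);                        /* first object recreates it */
    int b_stale = needs_reopen(&b);           /* path exists, but new inode */
    reopen_output(&b);
    int converged = same_file(a.fd, b.fd);
    close(a.fd); close(b.fd); unlink(path); unlink(moved);
    return dup == 1 && a_stale == 1 && b_stale == 1 && converged == 1;
}
```

Running `same_file` over all configured outputs at startup catches the double-open case, and calling `needs_reopen` before each write keeps records from going to a renamed or deleted file.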
