Rasplit issue

Vincent Stoffer vince at reed.edu
Wed Apr 13 11:49:18 EDT 2011


Hello,

I've recently upgraded to version 3.0.4.1 and I'm seeing an
interesting issue that appears to be with rasplit.  I'm running the
following command to split my Argus data into hourly files within daily
directories:

rasplit -d -M time 1h -S localhost -w /log/argus-acad/%Y/%m/%d/argus.%H.log

Most all of the records show up in the right place, however, I'm now seeing some records show up in the file system at:

/log/argus-acad/1969/12/31/argus.16.log

Within that file are just a set of records that are right around the
change of the hour...for example:

4/13/11  05:59:59  e         tcp     xxx.xxx.xxx.xxx.57034     -> xxx.xxx.xxx.xxx.18123         1         78   RST
04/13/11 06:00:00  e         tcp     xxx.xxx.xxx.xxx.57034     -> xxx.xxx.xxx.xxx.18123         1         77   RST
04/13/11 06:59:55  e         udp     xxx.xxx.xxx.xxx.46442     -> xxx.xxx.xxx.xxx.13759         1         62   INT
04/13/11 07:00:00  e         udp     xxx.xxx.xxx.xxx.46442    <- xxx.xxx.xxx.xxx.13759         1         62   RSP

There are some records for every hour change, sometimes more and
sometimes less...both TCP and UDP.  You can see that although the
records are dropped into the 1969 year directory, the actual timestamps
on the records appear to be correct.  I've been running this same
configuration for a while without this error, the only thing that changed was the
argus-server and argus-clients versions on the two respective servers
and I also recently began running with the -d option instead of
backgrounding the rasplit process.  Any idea what could be happening
here to cause the writing of this pre-epoch directory?

Thank you,

Vince

-- 
__   ___ _ __   ___ ___ 
\ \ / / | '_ \ / __/ _ \   Vincent Stoffer   Network Security Administrator
 \ V /| | | | | (_|  __/   Reed College      Portland, Oregon
  \_/ |_|_| |_|\___\___|   vince at reed.edu    503-788-6695
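Added example, not part of the post or of the Argus project: a small Python check for the symptom described above. It expands the same strftime-style pattern given to `rasplit -w` for a Unix timestamp of 0 in local time (assumed here to be PST, UTC-8, since the poster is in Portland) and compares the result against the odd directory; it also re-derives, from each record's own printed timestamp, the file the record should have landed in. The sample records are the four lines quoted in the post, reconstructed as constants. That the misfiled records were bucketed with a zero start time is an assumption this example tests for, not something the post establishes.

```python
import re
from datetime import datetime, timedelta, timezone

# Assumption: the poster is in Portland, Oregon, so local time in late December is
# PST (UTC-8); a fixed offset avoids depending on the system's tz database.
LOCAL_TZ = timezone(timedelta(hours=-8), name="PST")

# The strftime-style pattern from the rasplit -w argument in the post.
PATTERN = "/log/argus-acad/%Y/%m/%d/argus.%H.log"

# Matches the start of a record line as printed in the post: M/DD/YY HH:MM:SS
_REC_RE = re.compile(r"^\s*(\d{1,2})/(\d{2})/(\d{2})\s+(\d{2}):(\d{2}):(\d{2})")


def path_for_time(epoch_seconds, pattern=PATTERN, tz=LOCAL_TZ):
    """Expand the -w pattern for a Unix timestamp in local time, the way the file would be named."""
    return datetime.fromtimestamp(epoch_seconds, tz=tz).strftime(pattern)


def expected_path(record_line, pattern=PATTERN):
    """Where a record belongs according to its own printed timestamp (None if unparsable)."""
    m = _REC_RE.match(record_line)
    if not m:
        return None
    mon, day, yy, hh, mm, ss = (int(g) for g in m.groups())
    # Two-digit year as printed by ra; the post's data is from 2011.
    return datetime(2000 + yy, mon, day, hh, mm, ss).strftime(pattern)


def misfiled_records(path, lines, pattern=PATTERN):
    """Return (line, expected_path) for every record whose stamp disagrees with the file it sits in."""
    return [(ln, exp) for ln in lines
            if (exp := expected_path(ln, pattern)) is not None and exp != path]


def is_zero_time_bucket(path, pattern=PATTERN, tz=LOCAL_TZ):
    """True when the path is exactly what the pattern yields for time_t 0 in local time."""
    return path == path_for_time(0, pattern, tz)


# Constructed sample: the four records the post shows inside the 1969 file.
SAMPLE_FILE = "/log/argus-acad/1969/12/31/argus.16.log"
SAMPLE_RECORDS = [
    "4/13/11  05:59:59  e  tcp  xxx.xxx.xxx.xxx.57034  ->  xxx.xxx.xxx.xxx.18123  1  78  RST",
    "04/13/11 06:00:00  e  tcp  xxx.xxx.xxx.xxx.57034  ->  xxx.xxx.xxx.xxx.18123  1  77  RST",
    "04/13/11 06:59:55  e  udp  xxx.xxx.xxx.xxx.46442  ->  xxx.xxx.xxx.xxx.13759  1  62  INT",
    "04/13/11 07:00:00  e  udp  xxx.xxx.xxx.xxx.46442  <-  xxx.xxx.xxx.xxx.13759  1  62  RSP",
]

if __name__ == "__main__":
    print("time_t 0 in local time files to:", path_for_time(0))
    print("1969 file is the zero-time bucket:", is_zero_time_bucket(SAMPLE_FILE))
    for line, exp in misfiled_records(SAMPLE_FILE, SAMPLE_RECORDS):
        print(f"{line[:17]!r} belongs in {exp}")
```

Run against the real file, `misfiled_records` lists each record together with the hourly file its own timestamp maps to, so the stray records can be re-filed or re-split from the source archive; `is_zero_time_bucket` returning True for the 1969 path is what one would expect if the split time for those boundary records was unset rather than merely shifted.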


