Rasplit issue
Vincent Stoffer
vince at reed.edu
Wed Apr 13 11:49:18 EDT 2011
Hello,
I've recently upgraded to version 3.0.4.1 and I'm seeing an
interesting issue that appears to be with rasplit. I'm running the
following command to split my Argus data into hourly files within daily
directories:
rasplit -d -M time 1h -S localhost -w /log/argus-acad/%Y/%m/%d/argus.%H.log
Almost all of the records show up in the right place; however, I'm now seeing some records show up in the file system at:
/log/argus-acad/1969/12/31/argus.16.log
Within that file are just a set of records that are right around the
change of the hour...for example:
4/13/11 05:59:59 e tcp xxx.xxx.xxx.xxx.57034 -> xxx.xxx.xxx.xxx.18123 1 78 RST
04/13/11 06:00:00 e tcp xxx.xxx.xxx.xxx.57034 -> xxx.xxx.xxx.xxx.18123 1 77 RST
04/13/11 06:59:55 e udp xxx.xxx.xxx.xxx.46442 -> xxx.xxx.xxx.xxx.13759 1 62 INT
04/13/11 07:00:00 e udp xxx.xxx.xxx.xxx.46442 <- xxx.xxx.xxx.xxx.13759 1 62 RSP
There are some records for every hour change, sometimes more and
sometimes less...both TCP and UDP. You can see that although the
records are dropped into the 1969 year directory, the actual timestamps
on the records appear to be correct. I've been running this same
configuration for a while without this error; the only things that changed were the
argus-server and argus-clients versions on the two respective servers,
and I also recently began running with the -d option instead of
backgrounding the rasplit process. Any idea what could be happening
here to cause the writing of this pre-epoch directory?
Thank you,
Vince
--
__ ___ _ __ ___ ___
\ \ / / | '_ \ / __/ _ \ Vincent Stoffer Network Security Administrator
\ V /| | | | | (_| __/ Reed College Portland, Oregon
\_/ |_|_| |_|\___\___| vince at reed.edu 503-788-6695
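The directory in the report, 1969/12/31 with an hour of 16, is exactly what Unix time 0 looks like when rendered in US Pacific standard time (UTC-8), so the boundary records seem to reach the path formatter with a split time of zero while the record's own timestamp stays intact. The post does not confirm that cause; the script below, added here and not part of the original message or of the Argus project, demonstrates the mapping and gives an integrity check a log-pipeline operator can run over a split tree. It assumes the rasplit pattern from the post and a record print format matching the quoted lines; the sample tree and the fixed -8 hour offset are constructed for the example.

```python
"""Check a time-split Argus log tree for records filed under the wrong path.

Added example; assumes the rasplit output pattern from the post and records
printed as "MM/DD/YY HH:MM:SS ..." like the quoted lines.
"""
import re
from datetime import datetime, timedelta, timezone

# Output pattern from the post's rasplit command.
PATTERN = "/log/argus-acad/%Y/%m/%d/argus.%H.log"

# Assumption: the host prints times in US Pacific standard time (UTC-8).
# A fixed offset is used so the example runs without tzdata installed.
PST = timezone(timedelta(hours=-8), "PST")

# Leading "MM/DD/YY HH:MM:SS" of a record (the month may lack its zero, e.g. "4/13/11").
_STAMP = re.compile(r"^\s*(\d{1,2}/\d{1,2}/\d{2} \d{2}:\d{2}:\d{2})\b")


def expected_path(stamp: datetime, pattern: str = PATTERN) -> str:
    """Path the pattern yields for a record carrying this (local) timestamp."""
    return stamp.strftime(pattern)


def epoch_zero_path(tz: timezone = PST, pattern: str = PATTERN) -> str:
    """Where a record whose split time is 0 (the Unix epoch) would be written."""
    return expected_path(datetime.fromtimestamp(0, tz), pattern)


def parse_stamp(line: str):
    """Return the record's printed timestamp as a naive local datetime, or None."""
    m = _STAMP.match(line)
    if not m:
        return None
    return datetime.strptime(m.group(1), "%m/%d/%y %H:%M:%S")


def find_misfiled(tree: dict, pattern: str = PATTERN) -> list:
    """Walk a {path: [record lines]} mapping and return (path, expected, line)
    for every record whose printed timestamp disagrees with the file it sits in."""
    bad = []
    for path, lines in tree.items():
        for line in lines:
            stamp = parse_stamp(line)
            if stamp is None:
                continue  # not a flow record (header, blank line, ...)
            want = expected_path(stamp, pattern)
            if want != path:
                bad.append((path, want, line))
    return bad


# Constructed sample tree: the four records quoted in the post, in the
# pre-epoch file they were found in, plus one correctly filed record.
SAMPLE_TREE = {
    "/log/argus-acad/1969/12/31/argus.16.log": [
        "4/13/11 05:59:59 e tcp xxx.xxx.xxx.xxx.57034 -> xxx.xxx.xxx.xxx.18123 1 78 RST",
        "04/13/11 06:00:00 e tcp xxx.xxx.xxx.xxx.57034 -> xxx.xxx.xxx.xxx.18123 1 77 RST",
        "04/13/11 06:59:55 e udp xxx.xxx.xxx.xxx.46442 -> xxx.xxx.xxx.xxx.13759 1 62 INT",
        "04/13/11 07:00:00 e udp xxx.xxx.xxx.xxx.46442 <- xxx.xxx.xxx.xxx.13759 1 62 RSP",
    ],
    "/log/argus-acad/2011/04/13/argus.05.log": [
        "04/13/11 05:30:00 e tcp xxx.xxx.xxx.xxx.40000 -> xxx.xxx.xxx.xxx.443 10 1200 FIN",
    ],
}

if __name__ == "__main__":
    print("Unix time 0 in PST is filed under:", epoch_zero_path())
    for path, want, line in find_misfiled(SAMPLE_TREE):
        print(f"misfiled in {path} (expected {want}): {line}")
```

On a live tree the same check can be fed by reading each file's `ra`-printed output into the mapping; any record whose printed time and directory disagree points at a split-time problem, and a directory dated before 1970 is the loudest symptom of a zero time reaching the formatter.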