Label issues with last week's release

Craig Merchant cmerchant at responsys.com
Tue Aug 27 15:16:32 EDT 2013 

Ah…  No sweat…  The apparent resolution of our radium stability issues is a major victory!

I hope you enjoy your much deserved vacation…  Let me know if you need anything else from me to help troubleshoot the issue.

Craig

From: Carter Bullard [mailto:carter at qosient.com]
Sent: Tuesday, August 27, 2013 2:15 AM
To: Craig Merchant
Cc: Argus (argus-info at lists.andrew.cmu.edu)
Subject: Re: [ARGUS] Label issues with last week's release

Hey Craig,
Haven't fixed the label issue yet, and I'm on vacation, so it wil have to wait until next week.   I had hoped that some of the changes that were made to fix other problems were going to fix yours.

The problem, I believe, is that we are overwriting the NULL in the label processing buffer and picking up some of the label from a previous record.  But not sure where yet !!!  Could be fixed by zeroing out the label buffer on every record, but that would be very expensive.

Hope you can hold out until I get back.  Sorry for the inconvenience !!!!!

Carter

On Aug 27, 2013, at 3:52 AM, Craig Merchant <cmerchant at responsys.com<mailto:cmerchant at responsys.com>> wrote:
Carter,

From previous emails sent to the list I was under the impression that you had discovered some differences between how ralabel handles labels vs how radium does.  Did those differences get resolved in the latest release?  I’m still seeing some issues with duplicate labels…

For example…  For IP 10.10.10.10, my label file (in order) looks like:

10.10.10.0/24 internal,DC2,I5-Apache-UI
10.10.10.10  apacheui,ri5

Yet my Argus events look like:

"1377565200.000,e *,tcp,63.166.75.3,0,->,10.10.10.10,9051,1599,685729,SRPA_SPA,56,300.000,478334,207395,2.857,2.467,0.443,US,ZZ,daddr=internal#DC2#I5-Apache-UI#apacheui#ri5#apacheui#ri5#apacheui#ri5#apacheui#ri5"

Not sure why the host-specific label is repeated 4 times, but that’s consistent with other events I’m seeing.

In other (good) news, it would seem like the radium crashing issue has been fixed in the latest release.  I know we are a corner case as far as radium stability goes, but it’s been running for four days without stopping and that’s a positive change.

We may be experiencing some issues with rastream though…  I sent you our rastream search and the shell scripts it calls at the end of each time interval.  It’s been working fine for a few days, but it seems to have lost track of the files it’s processing, so no new events are coming in and old files aren’t being deleted.  I’ll dive deeper into that that this week and see if I can narrow down the problem.

Thanksa again for all the fixes!

C
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://pairlist1.pair.net/pipermail/argus/attachments/20130827/5554ffff/attachment.html>

More information about the argus mailing list