Unusual label behavior

Craig Merchant cmerchant at responsys.com
Tue Jul 23 20:24:24 EDT 2013


Hey, Carter...

Since we upgraded to the latest version, I'm getting some really strange behavior with labels.  Some events have massive incorrect labels.  Other events that should have labels don't.

For example, one event had the following in the label field:

saddr=internal,DC2,I5-PSO,app,dev-tserv2,app,dev-tserv2,app,qa-tserv2,app,qa-tserv2,app,ri5-tserv2,app,ri5-tserv2,app,ri5-tserv2,app,ri5-tserv2,app,ri5-tserv2,app,ri5-tserv2,app,sp1-tserv2,app,stage3-tserv2,app,stage3-tserv2,etldev,tserv2,Cpn01:tserv2=etlserv,tserv2,etlserv,tserv2,sa,tserv2,sa,tserv2,sa,tserv2,sa,tserv2,sa,tserv2,database,database,database,database,database,database,database,database,DME,DC2,ETL,Dev,DME,DC2,ETL,Dev,DME,DB:daddr=internal,DC2,SysOps-Admin,bi-etl,dc2,dbadmin,dc2,dbmonitor,dc2,dns-master,dc2,etltest,dc2,fly,uber,fly,uber,ldap-master,dc2,ldap-master,dc2,mailscan,uber,mon,dc2,mondb,dc2,mta,uber,mta,uber,prodops:dc2=prodopsdb,dc2,rac,01n01-dc2,rac,01n02-dc2,rac,02n01-dc2,rac,02n02-dc2,sa,dc2,sa,dc2,sa,dc2,zabbix,uber,zabbixdb,uber,database,database,database,database,database,database"

The correct label should have been:

saddr=internal,DC2,I5-PSO,app,ri5-tserv2:daddr=internal,DC2,SysOps-Admin,fly,uber

I checked through the label file for some of the hosts that were missing labels and there were definitely records that should have had labels that didn't.

If you still have that tcpdump I sent you, I can forward you the latest version of the label file and see if you can replicate the results.

Thanks.

Craig