Rewrite of rastream
Carter Bullard
carter at qosient.com
Fri May 31 11:22:31 EDT 2013
Hey Terry,
Thanks for the suggestion, it fits in great with what we were trying
to do in the color version of ratop(), which was how to identify large
numbers of different things, for coloring and ordering of objects on the
display. If we can color something, surely we can figure out a way to
filter, formulate, analyate (is that a word?), etc …. with large configuration
data.
In 3.0.7.x we have the rarc variable RA_LOCAL, which is the basic technology
of rafilteraddr() and ralabel(), that allows all clients to ingest at least
one big list of addresses, and assign them to a variable. Right now, that
is LOCAL. Only the new ratop() uses this variable right now, so my
thought is that your suggestion would extend this feature to all clients ?
Cool, just need to understand how to configure it, and how to specify
what to do with the data….. In ratop(), you can use the LOCAL addresses
to pick colors, and you can use the local designation as a hint for
flow direction, when you don't know, see RA_LOCAL_DIRECTION in the
new sample rarc file, ./support/Config/rarc.
So you are thinking of giving all ra* clients a large address filtering capability?
How do we turn that on, in a general way? Do you want to do something
like…..
ra - src $LOCAL and dst not $LOCAL
as a filter? I'm in favor of improving the filters in any way, so that's
a fair request, although a little difficult to do with our current compiler
strategy, but not impossible….
If you can figure out a way to assign a fixed variable, and provide fixed
configuration in the rarc file, (like the direction support) we can do something
really quickly.
The other way to think about this problem of general identification, is to
use ralabel() to label the flows with the state you are looking for, and
then use standard label greping filters to do the actions your interested
in, in a pipeline. Radium is a labeler, so it can mark your flows so your
clients can figure it out later with regular expressions.
Lots of options, so if you can help to define this I'll put it in….
Thanks !!!!
Carter
On May 31, 2013, at 7:41 AM, Terry Burton <tez at terryburton.co.uk> wrote:
> On 30 May 2013 16:33, Carter Bullard <carter at qosient.com> wrote:
>> OK, so I've found a pretty bad bug in rastream() and rasqlinsert(), based on
>> your descriptions, but I'm sorry that what I've found is not supportive of
>> your thesis. This problem needs to be fixed, but existing implementations
>> can continue if you are not experiencing problems.
> <...snip...>
>> Since I'm rewriting it based on rasplit(), now would be the time to put
>> some new feature requests if there are any, and any discussions as
>> to what sucks and what works in rastream() would be great !!!!!
>
> Hi Carter,
>
> Since rasplit/rastream is fresh in your mind and you're soliciting
> feature requests...
>
> We monitor a sparsely populated /16 in which all authorised devices
> are pre-registered in a database. We perform near real-time analysis
> of the data using rafilteraddr to detect both when unregistered
> devices are connected to the network and when external hosts contact
> dark addresses during scanning/fingerprinting. We can then deploy
> appropriate responses (firewalling, shutting the switch port, ...)
>
> I would find it very helpful if the functionality of rafilteraddr were
> rolled into these clients (and perhaps the raclients in general) in
> such a way that when the address specification file is modified and
> indicated by the user (e.g. using SIGHUP, SIGUSR1, etc) the client can
> continue to process the data uninterrupted without having to restart
> some element of the real-time data processing chain.
>
>
> All the best,
>
> Terry
>
>
>> On May 29, 2013, at 3:23 PM, Carter Bullard <carter at qosient.com> wrote:
>> Hey Matt,
>> Hmmmmmmmm, well, we need to get on the same page. Based on the last
>> set of information, I don't think that you are running the correct code, as
>> you
>> are reporting segfault information without symbols, which means you're
>> running
>> the wrong set of software. If you are running the wrong software there, not
>> sure that you are running the right software anywhere. I can give
>> racluster()
>> bad filenames, files without permissions, etc…. and it doesn't segfault…..
>>
>> So we have to clean things up, then we can hypothesis what the real problem
>> is.
>>
>> Now, I have been digging into rastream() and rasqlinsert() code and I've
>> found
>> an issue that may be related, but I need to have some certainty with regard
>> to
>> your setup, before I take the leap to say that I have a strategy…...
>>
>> So, we need to understand what is going on with your rastream() script.
>> One thing to do is to simplify the script, have it do some extensive logging
>> to a file in /tmp, or /var/tmp or somewhere you like, so we can see what its
>> doing…… Like printing out its environment, what it thinks is its root
>> directory,
>> its path, etc…...
>>
>> Carter
>>
>>
>> On May 29, 2013, at 1:43 PM, Matt Brown <matthewbrown at gmail.com> wrote:
>>
>> Hello carter,
>>
>> Thanks for replying.
>>
>> Rastream and racluster are 3.0.7.10.
>>
>>
>> Are you able to reproduce the issue when using the -d switch with rastream?
>> I can reproduce it on other systems.
>>
>> What do you think of my theory?
>>
>>
>> Hope this helps,
>>
>> Matt
>>
>>
>> On May 29, 2013, at 1:34 PM, Carter Bullard <carter at qosient.com> wrote:
>>
>> Hey Matt,
>> So where are we on this? Its clear that you are not running the version of
>> code
>> that you think you are running, so we need to clear that up before
>> proceeding
>> any further ?
>>
>> Carter
>>
>>
>> On May 22, 2013, at 4:07 PM, Matt Brown <matthewbrown at gmail.com> wrote:
>>
>> Sorry about that, I was trying to be verbose in case you spotted something
>> interesting that indicated a clear problem.
>>
>> Thanks for getting back to me.
>>
>>
>> 1) racluster segfaulting:
>>
>> racluster is executed via the script assigned by the -f parameter of the
>> rastream instance (/usr/local/bin/rastream.sh).
>>
>> When racluster segfaults, its reporting the following to syslog:
>> May 22 01:00:18 ny-sentinel kernel: racluster[5558]: segfault at 46 ip
>> 002e1877 sp bfb54e10 error 4 in libc-2.12.so[281000+190000]
>> May 22 02:00:18 ny-sentinel racluster[6044]: 02:00:18.586910 open
>> '/var/opt/argus/2013-05-22/argus_01:00:00': No such file or directory
>> May 22 02:00:18 ny-sentinel kernel: racluster[6044]: segfault at 46 ip
>> 0020d877 sp bf854d50 error 4 in libc-2.12.so[1ad000+190000]
>> May 22 03:00:18 ny-sentinel racluster[6520]: 03:00:18.534326 open
>> '/var/opt/argus/2013-05-22/argus_02:00:00': No such file or directory
>> May 22 03:00:18 ny-sentinel kernel: racluster[6520]: segfault at 46 ip
>> 0019c877 sp bfaf2b30 error 4 in libc-2.12.so[13c000+190000]
>> May 22 06:00:18 ny-sentinel racluster[8015]: 06:00:18.786627 open
>> '/var/opt/argus/2013-05-22/argus_05:00:00': No such file or directory
>> May 22 06:00:18 ny-sentinel kernel: racluster[8015]: segfault at 46 ip
>> 002a2877 sp bfa74270 error 4 in libc-2.12.so[242000+190000]
>> May 22 07:00:18 ny-sentinel racluster[8517]: 07:00:18.386497 open
>> '/var/opt/argus/2013-05-22/argus_06:00:00': No such file or directory
>> May 22 07:00:18 ny-sentinel kernel: racluster[8517]: segfault at 46 ip
>> 0073c877 sp bfaeee10 error 4 in libc-2.12.so[6dc000+190000]
>> May 22 08:00:18 ny-sentinel racluster[9006]: 08:00:18.591348 open
>> '/var/opt/argus/2013-05-22/argus_07:00:00': No such file or directory
>> May 22 08:00:18 ny-sentinel kernel: racluster[9006]: segfault at 46 ip
>> 0023e877 sp bfe6f110 error 4 in libc-2.12.so[1de000+190000]
>> May 22 10:00:19 ny-sentinel racluster[10009]: 10:00:19.991831 open
>> '/var/opt/argus/2013-05-22/argus_09:00:00': No such file or directory
>> May 22 10:00:19 ny-sentinel kernel: racluster[10009]: segfault at 46 ip
>> 00627877sp bfd4cf50 error 4 in libc-2.12.so[5c7000+190000]
>> May 22 13:00:20 ny-sentinel racluster[11556]: 13:00:20.585851 open
>> '/var/opt/argus/2013-05-22/argus_12:00:00': No such file or directory
>> May 22 13:00:20 ny-sentinel kernel: racluster[11556]: segfault at 46 ip
>> 002bb877 sp bfda4480 error 4 in libc-2.12.so[25b000+190000]
>> May 22 14:00:20 ny-sentinel racluster[12106]: 14:00:20.585760 open
>> '/var/opt/argus/2013-05-22/argus_13:00:00': No such file or directory
>> May 22 14:00:20 ny-sentinel kernel: racluster[12106]: segfault at 46 ip
>> 00c3b877 sp bfbebb40 error 4 in libc-2.12.so[bdb000+190000]
>> May 22 14:00:20 ny-sentinel racluster[12109]: 14:00:20.997232 open
>> '/var/opt/argus/2013-05-22/argus_13:00:00': No such file or directory
>> May 22 14:00:20 ny-sentinel kernel: racluster[12109]: segfault at 46 ip
>> 001ba877 sp bf838800 error 4 in libc-2.12.so[15a000+190000]
>> May 22 15:00:19 ny-sentinel racluster[12619]: 15:00:19.898971 open
>> '/var/opt/argus/2013-05-22/argus_14:00:00': No such file or directory
>> May 22 15:00:19 ny-sentinel kernel: racluster[12619]: segfault at 46 ip
>> 001d4877 sp bf865ab0 error 4 in libc-2.12.so[174000+190000]
>>
>> Note that there is no easily identifiable pattern in which files cause the
>> segfault and which do not, but the problem occurs with every file.
>>
>> I can only guess that it is segfaulting because it can't open
>> '/var/opt/argus/N/argus_N' (No such file or directory).
>> It's worth noting that in the instance mentioned in the previous email,
>> '/var/opt/argus/2013-05-21/argus_10:00:00' did exist at the time racluster
>> is executed. I am concluding this because after racluster is executed, gzip
>> compresses '/var/opt/argus/2013-05-21/argus_10:00:00' successfully.
>>
>> I don't believe the segfault is the problem.
>>
>>
>> 2) Can I run racluster against the file and get good results?
>>
>> Yes, I can run racluster against both the gzipped resultant file, and the
>> file that is generated by rastream that wasn't gzipped.
>>
>>
>> 3) Multiple client versions:
>>
>> When I mention modifying which racluster is executed by the shell script
>> (executed by rastream's -f argument), I simply was attempting to have it use
>> the racluster binary that I had compiled with support for debugging and
>> symbols. My reasoning was so that it would produce more verbose output to
>> syslog, which it didn't.
>>
>> There are only two sets of binaries located on the system. One that has
>> been compiled with debugging support and one that hasn't:
>> # find / -iname racluster
>> /root/argus-clients-3.0.7.10/bin/racluster #debugging support
>> /usr/local/bin/racluster #no debugging support
>>
>> /usr/local/bin/rastream is executed and is writing the files I am concerned
>> with (and is causing the problem).
>> /usr/local/bin/racluster is currently executed by /usr/local/bin/rastream.sh
>> due to its location in the $PATH (and is the one that is segfaulting
>> occasionally).
>>
>>
>> 4) How I see the problem:
>>
>> I don't want to make any assumptions, or create a red herring, since I am
>> not familiar with the code of rastream, but I believe that the following is
>> happening:
>>
>> 1) `/usr/local/bin/rastream -d -S 127.0.0.1:561 -B 15s -M time 1h -w
>> /var/opt/argus/%Y-%m-%d/argus_%T -f /usr/local/bin/rastream.sh` is executed,
>> and then (due to -d) the daemonizing method is called and forks another
>> rastream process and starts writing to /var/opt/argus/Y-m-d/argus_T1. (which
>> is good)
>> 2) At `time 1h`, `/usr/local/bin/rastream.sh` is forked, without blocking
>> `rastream` from writing. (good)
>> 3) While #2 occurs, rastream is _still_ writing to
>> /var/opt/argus/Y-m-d/argus_T1 (the file from the previous `time 1h` time
>> span, not the new `time 1h` time span). (which is bad)
>> 4) `/usr/local/bin/rastream.sh` executes `racluster -M replace -r $FILES`
>> against the file /var/opt/argus/Y-m-d/argus_T1. (bad)
>> 5) `/usr/local/bin/rastream.sh` executes `gzip $FILES` and is able to add
>> /var/opt/argus/Y-m-d/argus_T1 (bad)
>> 6) `rastream` begins writing /var/opt/argus/Y-m-d/argus_T2 (the new `time
>> 1h` file) (bad)
>>
>> So, the daemonized fork of rastream doesn't start writing to the new file
>> (/var/opt/argus/Y-m-d/argus_T2) until _after_ it executes the -f designated
>> script `/usr/local/bin/rastream.sh`.
>> Instead, what should be happening is: the daemonized fork of rastream should
>> start writing to the new file, and _then_ execute the -f designated script
>> `/usr/local/bin/rastream.sh`.
>>
>> It would seem that the way that rastream is daemonized affects the later -f
>> logic.
>>
>>
>> Hope this helps.
>>
>>
>> Thanks for your time,
>>
>> Matt
>>
>>
>>
>> On May 22, 2013, at 10:45 AM, Carter Bullard <carter at qosient.com> wrote:
>>
>> Hey Matt,
>> Hmmm, so your emails are waaayyyyy too dense for dealing with bugs /
>> problems.
>> Lets focus on one thing at a time.
>>
>> Your racluster() is segfaulting. Why is it doing that? Can you run
>> racluster()
>> against the file and get good results ? Do you have multiple versions of
>> the
>> clients installed on your machine, so that there is ambiguity in which
>> racluster()
>> or rastream() is actually running? We should clear that up before
>> proceeding
>> any further.
>>
>> Carter
>>
>>
>> On May 21, 2013, at 1:31 PM, Matt Brown <matthewbrown at gmail.com> wrote:
>>
>> Hello Carter,
>>
>>
>>
>> Thanks for getting back to me quickly.
>>
>>
>>
>> I've tried the following to attempt to troubleshoot the problem, but it
>> doesn't appear that anything's outstanding.
>>
>>
>>
>> Apologies for the verbosity…
>>
>>
>>
>>
>>
>> # cd ./argus-clients-3.0.7.10
>> # touch .devel .debug
>> # ./configure
>> # make clean && make
>> # kill -2 $(pgrep rastream)
>> # ./bin/rastream -d -F /etc/rastream.conf -S 127.0.0.1:561 -B 15s -M time 1h
>> -w /var/opt/argus/%Y-%m-%d/argus_%T -f /usr/local/bin/rastream.sh -D4
>> rastream[29500.c0567db7]: 2013-05-21 10:54:31.455541 ArgusNewQueue ()
>> returning 0x8609548
>> rastream[29500.c0567db7]: 2013-05-21 10:54:31.455612 ArgusNewHashTable
>> (65536) returning 0x8609bc0
>> rastream[29500.c0567db7]: 2013-05-21 10:54:31.455632 ArgusNewList ()
>> returning 0x860a010
>> rastream[29500.c0567db7]: 2013-05-21 10:54:31.455695 ArgusNewQueue ()
>> returning 0x8611878
>> rastream[29500]: 2013-05-21 10:54:31.455729 started
>>
>>
>>
>> syslog reports:
>> May 21 10:54:31 ny-sentinel rastream[29500]: 2013-05-21 10:54:31.455729
>> started
>> May 21 11:00:18 ny-sentinel racluster[29544]: 2013-05-21 11:00:18.635754
>> open '/var/opt/argus/2013-05-21/argus_10:00:00': No such file or directory
>> May 21 11:00:18 ny-sentinel kernel: racluster[29544]: segfault at 46 ip
>> 001d9877 sp bfb9f200 error 4 in libc-2.12.so[179000+190000]
>>
>>
>>
>> With /usr/local/bin/rastream.sh executing `racluster -M replace -r $FILES`,
>> using the racluster in $PATH (as it is originally).
>>
>>
>>
>> Note that '/var/opt/argus/2013-05-21/argus_10:00:00' did exist at the time
>> [but that doesn't mean that racluster can read it ?].
>>
>>
>>
>>
>>
>>
>>
>> This is interesting:
>> I modifed /usr/local/bin/rastream.sh to execute
>> `[path]/argus-clients-3.0.7.10/bin/racluster -D4 -M replace -r $FILES`
>> instead of just using the $PATHed racluster…
>>
>>
>>
>> # kill -2 $(pgrep rastream)
>> # ./argus-clients-3.0.7.10/bin/rastream -d -F /etc/rastream.conf -S
>> 127.0.0.1:561 -B 15s -M time 10m -w /var/opt/argus/%Y-%m-%d/argus_%T -f
>> /usr/local/bin/rastream.sh -D4
>> rastream[30131.c0f67cb7]: 2013-05-21 11:26:53.528909 ArgusNewQueue ()
>> returning 0x9e77550
>> rastream[30131.c0f67cb7]: 2013-05-21 11:26:53.528982 ArgusNewHashTable
>> (65536) returning 0x9e77bc8
>> rastream[30131.c0f67cb7]: 2013-05-21 11:26:53.529008 ArgusNewList ()
>> returning 0x9e78018
>> rastream[30131.c0f67cb7]: 2013-05-21 11:26:53.529072 ArgusNewQueue ()
>> returning 0x9e7f880
>> rastream[30131]: 2013-05-21 11:26:53.529102 started
>>
>>
>>
>> syslog reports:
>> May 21 11:26:53 ny-sentinel rastream[30131]: 2013-05-21 11:26:53.529102
>> started
>>
>>
>>
>> …and nothing from racluster or anything else at the 10 minute mark, even
>> though the rotation (and problem) still occur:
>>
>>
>>
>> # ll --full-time /var/opt/argus/2013-05-21/ | tail -n 5
>> -rw-r--r--. 1 root 159764 2013-05-21 11:30:59.466174549 -0400
>> argus_11:20:00
>> -rw-r--r--. 1 root 384117 2013-05-21 11:30:17.619561000 -0400
>> argus_11:20:00.gz
>> -rw-r--r--. 1 root 181472 2013-05-21 11:41:00.721865476 -0400
>> argus_11:30:00
>> -rw-r--r--. 1 root 394783 2013-05-21 11:40:17.511247000 -0400
>> argus_11:30:00.gz
>> -rw-r--r--. 1 root 1421440 2013-05-21 11:48:55.328587722 -0400
>> argus_11:40:00
>>
>>
>>
>>
>>
>>
>>
>> Reverting rastream.sh to execute racluster in the $PATH (as original) and
>> changing back to 'time 1h' as:
>> # kill -2 $(pgrep rastream)
>> # ./argus-clients-3.0.7.10/bin/rastream -d -F /etc/rastream.conf -S
>> 127.0.0.1:561 -B 15s -M time 1h -w /var/opt/argus/%Y-%m-%d/argus_%T -f
>> /usr/local/bin/rastream.sh -D4
>>
>>
>>
>> results in syslog:
>> May 21 12:05:37 ny-sentinel rastream[30905]: 2013-05-21 12:05:37.950988
>> started
>>
>>
>>
>> …and nothing from racluster (why and how?)), but the problem still exists:
>>
>>
>>
>> # ll --full-time /var/opt/argus/2013-05-21/ | tail -n 3
>> -rw-r--r--. 1 root 145612 2013-05-21 13:01:00.562634873 -0400
>> argus_12:00:00
>> -rw-r--r--. 1 root 2303564 2013-05-21 13:00:18.216161000 -0400
>> argus_12:00:00.gz
>> -rw-r--r--. 1 root 315520 2013-05-21 13:02:35.126692699 -0400
>> argus_13:00:00
>>
>>
>>
>> It's quite obvious that the size of the argus data has increased a very
>> large amount (due to the debugging).
>>
>>
>>
>>
>>
>> Does anything here indicate the problem?
>>
>>
>>
>> Is there anything else that I can do to further troubleshoot the issue?
>>
>>
>>
>>
>>
>>
>>
>>
>>
>> Here's some freaky stuff:
>>
>>
>>
>> querying the file argus_12:00:00 for ltime doesn't correlate with the last
>> modified time of the file:
>>
>>
>>
>> # ra -nr argus_12\:00\:00 -s stime ltime -w - | rasort -m stime -s stime
>> ltime | head -n 3
>> StartTime LastTime
>> 2013-05-21 12:59:03.164195 2013-05-21 12:59:06.417385
>> 2013-05-21 12:59:03.369926 2013-05-21 12:59:03.501171
>>
>>
>>
>> # ra -nr argus_12\:00\:00 -s stime ltime -w - | rasort -m ltime -s stime
>> ltime | tail -n 2
>> 2013-05-21 12:59:17.117235 2013-05-21 13:00:00.000000
>> 2013-05-21 12:59:28.896645 2013-05-21 13:00:00.000000
>>
>>
>>
>> # ra -nr argus_12\:00\:00 -s stime ltime | head -n 3
>> StartTime LastTime
>> 2013-05-21 12:05:38.036319 2013-05-21 09:52:57.532792 # this is weird.
>> 2013-05-21 12:59:27.970584 2013-05-21 12:59:36.325653
>>
>>
>>
>>
>>
>>
>>
>> querying the file argus_12:00:00.gz:
>>
>>
>>
>> sort by stime:
>> # ra -nr argus_12\:00\:00.gz -s stime ltime -w - | rasort -m stime -s stime
>> ltime | head -n 3
>> StartTime LastTime
>> 2013-05-21 11:59:44.064216 2013-05-21 12:34:17.996512
>> 2013-05-21 11:59:44.509320 2013-05-21 11:59:59.639822
>>
>>
>>
>> # ra -nr argus_12\:00\:00.gz -s stime ltime -w - | rasort -m stime -s stime
>> ltime | tail -n 2
>> 2013-05-21 12:59:02.980166 2013-05-21 12:59:02.981078
>> 2013-05-21 12:59:02.980171 2013-05-21 12:59:02.981120
>>
>>
>>
>>
>>
>> sort by ltime:
>> # ra -nr argus_12\:00\:00.gz -s ltime -w - | rasort -m ltime -s stime ltime
>> | head -n 3
>> StartTime LastTime
>> 2013-05-21 11:59:46.214566 2013-05-21 11:59:46.314022
>> 2013-05-21 11:59:51.860594 2013-05-21 11:59:51.887852
>>
>>
>>
>> # ra -nr argus_12\:00\:00.gz -s ltime -w - | rasort -m stime ltime -s stime
>> ltime | tail -n 2
>> 2013-05-21 12:00:00.000000 2013-05-21 13:00:00.000000
>> 2013-05-21 12:38:12.914597 2013-05-21 13:00:00.000000
>>
>>
>>
>>
>>
>>
>>
>>
>>
>> Thanks again,
>>
>>
>>
>> Matt
>>
>> On May 21, 2013, at 10:49 AM, Carter Bullard <carter at qosient.com> wrote:
>>
>> Yes you have to compile in debug support. We should turn on symbols, etc...
>> as well. In the clients root directory, try this:
>>
>> % touch .devel .debug
>> % ./configure
>> % make clean; make
>>
>> And use the resulting binaries for the testing.
>> Carter
>>
>> On May 21, 2013, at 10:08 AM, Matt Brown <matthewbrown at gmail.com> wrote:
>>
>> Carter,
>>
>> Do settings need to be changed at compile time in order to get debugging
>> features? I have started with -D4 and only the start time and forked time
>> are logged. I have confirmed that rastream is appending to the proper file.
>>
>>
>> Just to let you know *latest* is still 3.0.7.9, not 3.0.7.10.
>>
>>
>> Thanks very much!
>>
>> Matt
>>
>> On May 21, 2013, at 9:55 AM, Carter Bullard <carter at qosient.com> wrote:
>>
>> Try the newest client distribution, just to see if any of the changes we
>> made to date affect the problem. This may be a tough one to debug,
>> but if I can recreate the issue, then we're on our way to happiness.
>>
>> We'll need you to turn on debug on your daemon, the output should
>> go to the syslog, so testing that briefly may help a bit. Run your rastream
>> with the "-d -D4" options, and see if you get any debug info in your syslog.
>>
>> Carter
>>
>> On May 21, 2013, at 9:48 AM, Matt Brown <matthewbrown at gmail.com> wrote:
>>
>> Good morning Carter!
>>
>>
>>
>> I wrote an init script and had some issues when starting rastream with the
>> script targetting ~/.rarc even if I set $ARGUSHOME or $HOME within the
>> script (on CentOS) (due to service's use of /bin/env).
>>
>>
>>
>>
>>
>> So, the line I use within the init script is:
>>
>>
>>
>> /usr/local/bin/rastream -d -F /etc/rastream.conf -S 127.0.0.1:561 -B 15s -M
>> time 1h -w /var/opt/argus/%Y-%m-%d/argus_%T -f /usr/local/bin/rastream.sh
>>
>>
>>
>> The same problem with timing occurs as had previously occur when relying on
>> the full ~/.rarc.
>>
>>
>>
>>
>>
>> Here is an etherpad with relevant
>> information:https://etherpad.mozilla.org/dmoSdfQ9H4
>>
>>
>>
>> # rastream --version
>> Rastream Version 3.0.7.9
>>
>>
>>
>>
>>
>> Thanks very much Carter!
>>
>>
>>
>> Matt
>>
>> On May 21, 2013, at 6:44 AM, Carter Bullard <carter at qosient.com> wrote:
>>
>>
>> Hey Matt,
>> So.......any chance you are setting the timezine in a rarc file somewhere,
>> like /etc/rarc or in your yme directory ?
>> What version are you running ?
>>
>> Carter
>>
>> On May 20, 2013, at 2:42 PM, Matt Brown <matthewbrown at gmail.com> wrote:
>>
>> Hello All:
>>
>>
>>
>>
>>
>> I am having a problem with rastream that's manifested itself when using the
>> -f "shell script executor" argument to rotate files at 'time 1h'.
>>
>>
>>
>>
>>
>> If I run rastream as a daemon, then the script seems to run before the
>> "hour" is over (and the "hour" is over at the incorrect time):
>> # rastream -d -S 127.0.0.1:561 -B 15s -M time 1h -w
>> /var/opt/argus/%Y-%m-%d/argus_%T -f /usr/local/bin/rastream.sh
>>
>>
>>
>> A few hours' files look like:
>>
>>
>>
>> # ls --full-time /var/opt/argus/2013-05-18
>> total 3728
>> -rw-r--r--. 1 root 18752 2013-05-18 01:00:59.556839459 -0400 argus_00:00:00
>> -rw-r--r--. 1 root 160607 2013-05-18 01:00:17.793286000 -0400
>> argus_00:00:00.gz
>> -rw-r--r--. 1 root 12068 2013-05-18 02:00:59.619364943 -0400 argus_01:00:00
>> -rw-r--r--. 1 root 163409 2013-05-18 02:00:17.943700000 -0400
>> argus_01:00:00.gz
>> -rw-r--r--. 1 root 9032 2013-05-1803:01:00.579907536 -0400 argus_02:00:00
>> -rw-r--r--. 1 root 122920 2013-05-18 03:00:17.834317000 -0400
>> argus_02:00:00.gz
>> -rw-r--r--. 1 root 22092 2013-05-18 04:01:00.698357771 -0400 argus_03:00:00
>> -rw-r--r--. 1 root 122002 2013-05-18 04:00:17.835675000 -0400
>> argus_03:00:00.gz
>> -rw-r--r--. 1 root 17704 2013-05-18 05:01:00.450618851 -0400 argus_04:00:00
>> -rw-r--r--. 1 root 133212 2013-05-18 05:00:17.742040000 -0400
>> argus_04:00:00.gz
>> -rw-r--r--. 1 root 14592 2013-05-18 06:00:54.886285774 -0400 argus_05:00:00
>> -rw-r--r--. 1 root 160523 2013-05-18 06:00:17.562776000 -0400
>> argus_05:00:00.gz
>>
>>
>>
>> It looks like the gzipped file is last modified before the hour file, which
>> leads me to believe that rastream isn't finished writing to the argus file
>> before -f[] is executed.
>>
>>
>>
>>
>>
>> If I run rastream as follows, I have no problem:
>> # nohup rastream -S 127.0.0.1:561 -B 15s -M time 1h -w
>> /var/opt/argus/%Y-%m-%d/argus_%T -f /usr/local/bin/rastream.sh &
>>
>>
>>
>> A few hours' files look like:
>>
>>
>>
>> # ls --full-time /var/opt/argus/2013-05-20
>> total 5372
>> -rw-r--r--. 1 root 217245 2013-05-20 10:00:17.573908000 -0400
>> argus_09:00:00.gz
>> -rw-r--r--. 1 root 6377 2013-05-2011:00:17.762140000 -0400
>> argus_10:00:00.gz
>> -rw-r--r--. 1 root 9269 2013-05-2011:38:08.879810000 -0400
>> argus_11:00:00.gz
>> -rw-r--r--. 1 root 313 2013-05-2013:00:17.170958000 -0400
>> argus_12:00:00.gz
>> -rw-r--r--. 1 root 8965 2013-05-2014:00:17.540889000 -0400
>> argus_13:00:00.gz
>>
>>
>>
>> (early day over there)
>>
>>
>>
>>
>>
>>
>>
>> I have verified that the system time is correct and ntpd is running
>> properly.
>>
>>
>>
>> Clients are 3.0.7.9.
>>
>>
>>
>>
>>
>> Carter, do you have any ideas?
>>
>>
>>
>>
>>
>> Thanks,
>>
>>
>>
>> Matt
>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: smime.p7s
Type: application/pkcs7-signature
Size: 6837 bytes
Desc: not available
URL: <https://pairlist1.pair.net/pipermail/argus/attachments/20130531/918992b4/attachment.bin>
More information about the argus
mailing list