Argus seems to stop writing data that ra can read.

Carter Bullard carter at qosient.com
Thu Mar 27 07:47:11 EDT 2014


Hey Scott,
This reads like a corrupt output file. Any chance you could be running 2 argi, or the same argus writing to the same output file twice???

Can you share one of the files that exhibits the problem?? Does the client just spin or does it eventually terminate / die???

Sorry for the inconvenience !!!
Carter

> On Mar 26, 2014, at 7:28 PM, "Scott A. McIntyre" <s.a.mcintyre at gmail.com> wrote:
> 
> Hi,
> 
> I upgraded an Argus box of mine yesterday and am now running argus version 3.0.7.5 - I'm using the same configuration file that I was using from a slightly earlier version, but, I don't think that my issue is related to the configuration file.
> 
> Symptom:  After X amount of minutes (lowest 1, highest 20ish) argus clients are unable to read new data that is in argus.out.
> 
> Example:
> 
> -rw-r--r--  1 root root 5149276 Mar 27 10:23 argus.out
> 
> A few moments later:
> 
> -rw-r--r--  1 root root 5969972 Mar 27 10:27 argus.out
> 
> 
> So, the output is increasing, but, ra (Ra Version 3.0.7.23) shows the following with a simple ra -n -r argus.out
> 
>   10:01:16.972396  e           tcp       1.2.3.4.6714      ->     5.6.7.8.22            3        294   CON
>   10:01:17.065805  e           tcp       1.2.3.4.8167      ->     5.6.7.8.22            3        294   CON
> 
> And that's it - nothing more.
> 
> tcpdump and tshark continue to report new data arriving.
> 
> I must be missing something "obvious" here - but would appreciate someone pointing out what that obvious thing is.
> 
> Regards,
> Scott
> 


