Question on Argus log file

Raj Srinivasan via Argus-info argus-info at lists.andrew.cmu.edu
Thu Jun 23 16:50:42 EDT 2016


Hello,

We are observing a situation which we don't understand. First, the details...

We run Argus on two different platforms, each with multiple instances of Argus. Incoming network traffic into the box is load-shared so that each instance receives a portion of the incoming traffic. The way the traffic is load-shared ensures that for a given flow (tcp or udp), both directions of the flow will be sent to the same argus instance.

Now, the two platforms use slightly different methods of load-sharing (IP/tcp/udp headers are hashed differently). In the low-end platform, traffic is load-shared to 12 argii with each running on its own CPU, and in the high-end platform, traffic is load-shared to 4 argii (with each instance bound to a specific core). In both cases, we use radium (running on the system) to collect data (over tcp) from the different argii and create logs. In both cases, the log files are rotated every 5 minutes.

The log files we see in the high-end platform (with 4 argii) are consistently smaller. We have checked out the platform, and are of the belief that no packets or flows are being dropped.

Is it possible that because of the way flows are distributed, the platform with fewer argii is creating smaller log files? The discrepancy varies from around 10% to as much as 30% or higher, and seems to be independent of the volume of incoming traffic (peak and low traffic times both show this difference in log file sizes). We are using the same configuration for Argus and Radium in both systems.

Is this reasonable/expected? Would very much appreciate a response!

Thanks,
Raj
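
Added example, not part of the original message and not Argus code: a check of the property the message relies on, that both directions of a flow reach the same instance, run for 12 and for 4 instances. The two hash functions, the packet tuples and all function names are assumptions; the message does not say how either platform hashes the headers.

```python
import hashlib
from collections import defaultdict

def _bucket(key: bytes, n: int) -> int:
    # Stable hash -> instance index in [0, n)
    return int.from_bytes(hashlib.sha256(key).digest()[:8], "big") % n

def directional_hash(pkt, n):
    """Hypothetical: hashes the 5-tuple as seen on the wire (A->B != B->A)."""
    return _bucket(repr(pkt).encode(), n)

def symmetric_hash(pkt, n):
    """Hypothetical: orders the endpoints first, so both directions agree."""
    proto, src, sport, dst, dport = pkt
    a, b = sorted([(src, sport), (dst, dport)])
    return _bucket(repr((proto, a, b)).encode(), n)

def flow_key(pkt):
    # Direction-independent identity of the flow a packet belongs to
    proto, src, sport, dst, dport = pkt
    return (proto,) + tuple(sorted([(src, sport), (dst, dport)]))

def split_flows(packets, hash_fn, n):
    """Return flows whose packets were assigned to more than one instance."""
    seen = defaultdict(set)
    for pkt in packets:
        seen[flow_key(pkt)].add(hash_fn(pkt, n))
    return {k: v for k, v in seen.items() if len(v) > 1}

def sample_packets(flows=200):
    """Constructed sample: one packet in each direction for every flow."""
    pkts = []
    for i in range(flows):
        proto = "tcp" if i % 2 == 0 else "udp"
        client = ("10.0.%d.%d" % (i // 250, i % 250 + 1), 40000 + i)
        server = ("192.0.2.%d" % (i % 20 + 1), 443 if proto == "tcp" else 53)
        pkts.append((proto, client[0], client[1], server[0], server[1]))
        pkts.append((proto, server[0], server[1], client[0], client[1]))
    return pkts

if __name__ == "__main__":
    pkts = sample_packets()
    for n in (12, 4):  # instance counts of the two platforms in the message
        for fn in (symmetric_hash, directional_hash):
            # A split flow is seen by two instances, one direction each
            print(n, fn.__name__, "split flows:", len(split_flows(pkts, fn, n)))
```
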
