Learn how easy it is to sync an existing GitHub or Google Code repo to a SourceForge project! See Demo
I came in the morning and I found that data/ stop data collection at a certain time (yesterday) and ipaudit processes aren't active anymore. When I try to force_run ./cron30min I get all kind of error messages such:
/local/ipaudit/ipaudit died prematurely
ipaudit: Trouble opening <bond0>, \
msg="socket: Operation not permitted" (Do you need root?)
It was perfectly runnig until then !!! do u see anything ?
This sounds like a problem with your interface <bond0>.
When this happens see if you can sniff the interface using another program like tcpdump or ethereal. My guess is that they will also fail. If not, then the fault is likely with ipaudit, so please let me know.
I've seen similar behaviour a couple of years ago when we used a particular brand of gig ethernet card. Either when traffic was too fast or too much traffic was read (I forget which) the card would look up - a problem I attribute to the driver actually, not the card. But whatever the root cause, changing to an Intel brand gig ethernet card fixed our problem.
I just have now the same problem. I have an Broadcom gig ethernet card. IPAudit was listen on it and when I hade much traffic IPAudit colapse and don't work anymore. After that IPAudit don't restart. Now I'm reinstall Debian and IPAudit.
I've changed to an Intel 100Mb ethernet card and I hope I don't have the problem anymore.
Next time ipaudit has this problem, it would be useful to see if tcpdump or wireshark share it, as all three programs use the libpcap library to read the network card. If this is a driver issue, all three programs will hang. Conversely, if only ipaudit crashes, it needs some debugging.
Sorry for the previous message. I did refresh and I post an identical message. ;-)
I did the first installation and I put my IPAudit server in my net. Next day IPAudit colapse and no traffic monitorized for several hours. I restart the pc and I try to analized the situation but is not possible for me to bring up IPAudit auto. Only manually.
I choose to reinstall all from the scratch.
I try now to explain my situation.
- I have a pc with 3 ethernet cards: one gig Broadcom and two Intel 100Mb.
- I install Debian 5.0.2: base pc, web server + desktop enviroment.
- After this, I install: php5, gcc, ntp, openssh-server (to access the server), gnuplot, libtime-modules-perl, auroconf, make, libcap0.8, libcap0.8-dev, libcap0.8-dbg, bison, flex.
- I install ipaudit-web 1.0BETA9
- I install for Apache2 UserDir module
- I change LOCALRANGE after my needs
- I change INTERFACE=eth1:eth2 (eth0 is the Broadcom gig ethernet card, and eth1 and eth2 are Intel 100Mb ethernet cards). I use eth0 for ssh only and this card have IPaddress.
- I change in /etc/network/interfaces: eth0 static with address, eth1 and eth2 manual without address (in promiscuous mode for safety resons). I'm not sure why I have two 100Mb ethernet cards but the person who work in my place previously have in this way. Maybe I need only one 100Mb ethernet card.
- I configure Apache2 server to use cgi-scripts (like in install file). I did that only in /etc/apache2/apache2.conf. Do I need to make the same change in the other file, like httpd.conf?
- I change in /etc/hosts.allow and /etc/hosts.deny after my needs.
- I've change in /home/ipaudit/public_html/index.html name on my IPAudit server and I add some links to other IPAudit servers.
All seams to works well for now. Tomorow I should take my server in drift.
Do I need to make something else? Something more?
Should to be possible to install an Intel gig ethernet card instead for my Broadcom ethernet card? Sometimes I have much traffic in my net and a 100Mb ethernet card is not enough.