Re: [Sguil-users] squil 0.8, ERROR: unable to set certificate file file /etc/nsm/server1/certs/sgu
From: Stefan S. <Ste...@fe...> - 2011-03-23 12:34:34
Bamm,
24h passed now. I think it works.

Stefan

On 16.03.11 at 23:11, "Bamm Visscher" <bam...@gm...> wrote:

>Sorry it took so long this time. Try the latest update.
>
>Bamm
>
>On Fri, Mar 11, 2011 at 9:03 AM, Stefan Sabolowitsch
><Ste...@fe...> wrote:
>> Hi Bamm,
>> Thank you for your time and fast bugfixing :)
>> What I can say is that you are on the correct way. The problem of
>> "too many open files" is now gone -> hooray!
>> Also the client seems to have no more problem with the "transcript"
>> (second click problem).
>>
>> BUT the "too many open files" problem has now become an "open network
>> connection" problem.
>> With this bugfix there are many "open network connections" (94) with
>> status (CLOSE_WAIT), and this is rising.
>> I am sure that sguild will die from this.
>>
>> Stefan
>>
>> tclsh 17845 root 11u IPv4 223043 TCP *:7734 (LISTEN)
>> tclsh 17845 root 12u IPv4 223044 TCP *:7736 (LISTEN)
>> tclsh 17845 root 13u IPv4 223441 TCP 192.168.1.78:7736->192.168.1.97:36678 (ESTABLISHED)
>> tclsh 17845 root 14u IPv4 223442 TCP 192.168.1.78:7736->192.168.1.97:36679 (ESTABLISHED)
>> tclsh 17845 root 15u IPv4 223443 TCP 192.168.1.78:7736->192.168.1.97:36680 (ESTABLISHED)
>> tclsh 17845 root 16u IPv4 223444 TCP 192.168.1.78:7736->192.168.1.97:36681 (ESTABLISHED)
>> tclsh 17845 root 17u IPv4 223445 TCP 192.168.1.78:7736->192.168.1.97:36682 (ESTABLISHED)
>> tclsh 17845 root 18u IPv4 223446 TCP 192.168.1.78:7736->192.168.1.97:36683 (ESTABLISHED)
>> tclsh 17845 root 19u IPv4 223447 TCP 192.168.1.78:7736->192.168.1.97:36684 (CLOSE_WAIT)
>> tclsh 17845 root 20u IPv4 223449 TCP 192.168.1.78:7736->192.168.1.97:36685 (CLOSE_WAIT)
>> tclsh 17845 root 21u IPv4 223452 TCP 192.168.1.78:7736->192.168.1.97:36686 (CLOSE_WAIT)
>> tclsh 17845 root 22u IPv4 223454 TCP 192.168.1.78:7736->192.168.1.97:36687 (CLOSE_WAIT)
>> .
>> .
>> .
>> .
>> .
>> tclsh 17845 root 93u IPv4 225633 TCP 192.168.1.78:7736->192.168.1.97:46699 (CLOSE_WAIT)
>> tclsh 17845 root 94u IPv4 225686 TCP 192.168.1.78:7736->192.168.1.97:46700 (CLOSE_WAIT)
>> tclsh 17845 root 95u IPv4 225688 TCP 192.168.1.78:7736->192.168.1.97:59591 (CLOSE_WAIT)
>> tclsh 17845 root 96u IPv4 225724 TCP 192.168.1.78:7736->192.168.1.97:59592 (CLOSE_WAIT)
>> tclsh 17845 root 97u IPv4 225726 TCP 192.168.1.78:7736->192.168.1.97:59593 (CLOSE_WAIT)
>>
>> On 10.03.11 at 23:04, "Bamm Visscher" <bam...@gm...> wrote:
>>
>>>Potential fix in cvs for this.
>>>
>>>On Thu, Mar 10, 2011 at 12:44 PM, Bamm Visscher <bam...@gm...> wrote:
>>>> I think I found the problem. I'll issue a fix tonight.
>>>>
>>>> Bamm
>>>>
>>>> PS
>>>>
>>>> Miss you in #snort-gui John ;)
>>>>
>>>> On Thu, Mar 10, 2011 at 11:15 AM, Stefan Sabolowitsch
>>>> <Ste...@fe...> wrote:
>>>>> OK,
>>>>> I make a hard cut.
>>>>> Complete new V0.8 Server, V0.8 Sensor and a clean sguil Server DB and
>>>>> clean Data Folders (Sensor, Server).
>>>>> But what I see, however, does not make me hopeful.
>>>>>
>>>>> Within 10 min there are already 84 open files, and rising.
>>>>>
>>>>> #-snip-#
>>>>> tclsh 11367 root 85w REG 253,0 8192 9502981 /nsm/server_data/server1/load/parsed.Serrig-DMZ.stats.br1.1299772903.20110310 (deleted)
>>>>> tclsh 11367 root 86w REG 253,0 8192 9502982 /nsm/server_data/server1/load/parsed.Serrig-intern.stats.br0.1299772923.20110310 (deleted)
>>>>> tclsh 11367 root 87w REG 253,0 8192 9502983 /nsm/server_data/server1/load/parsed.Serrig-DMZ.stats.br1.1299772933.20110310 (deleted)
>>>>> tclsh 11367 root 88w REG 253,0 8192 9502984 /nsm/server_data/server1/load/parsed.Serrig-intern.stats.br0.1299772953.20110310 (deleted)
>>>>> #-snap-#
>>>>>
>>>>> Why doesn't V0.8 close these files? Why does V0.8 behave completely
>>>>> differently than V0.7?
>>>>>
>>>>> Stefan
>>>>>
>>>>> PS: I am switching back to V 0.7
>>>>>
>>>>> On 10.03.11 at 10:43, "John Curry" <joh...@me...> wrote:
>>>>>
>>>>>>Stefan,
>>>>>>
>>>>>>Files may have queued on the sensor to the point that the agent cannot
>>>>>>connect to the server. If this is the case, you can try moving the
>>>>>>queued files to another directory to get the agent connected again.
>>>>>>
>>>>>>> >> >> pid(31597) Sensor agent connect from 192.168.1.97:34756 sock681
>>>>>>> >> >> pid(31597) Validating sensor access: 192.168.1.97 :
>>>>>>> >> >> pid(31597) Valid sensor agent: 192.168.1.97
>>>>>>> >> >> pid(31597) ERROR: unable to set certificate file
>>>>>>> >> >> /etc/nsm/server1/certs/sguild.pem: Too many open files
>>>>>>> >> >> pid(31597) Sensor agent connect from 192.168.1.97:34757 sock17
>>>>>>> >> >> pid(31597) Validating sensor access: 192.168.1.97 :
>>>>>>> >> >> pid(31597) Valid sensor agent: 192.168.1.97
>>>>>>> >> >> pid(31597) Sensor agent connect from 192.168.1.97:34758 sock17
>>>>>>> >> >> pid(31597) Validating sensor access: 192.168.1.97 :
>>>>>>> >> >> pid(31597) Valid sensor agent: 192.168.1.97
>>>>>>> >> >> pid(31597) ERROR: unable to set certificate file
>>>>>>> >> >> /etc/nsm/server1/certs/sguild.pem: Too many open files
>>>>>>> >> >> pid(31597) Sensor agent connect from 192.168.1.97:42284 sock14
>>>>>>> >> >> pid(31597) Validating sensor access: 192.168.1.97 :
>>>>>>
>>>>>>Once you've confirmed the agent is connected and files are now
>>>>>>moving from cache directory to the server, you can try moving the older
>>>>>>files back to the queue directory a few at a time.
>>>>>>
>>>>>>-John
>>>>>>
>>>>>>On Thu, 10 Mar 2011 08:39:44 +0000
>>>>>>Stefan Sabolowitsch <Ste...@fe...> wrote:
>>>>>>
>>>>>>> Hi Bamm, John
>>>>>>>
>>>>>>> I accomplished the following test (Centos5.5 Server and Sensor):
>>>>>>>
>>>>>>> Because of the "Too many open files" problem I changed these values.
>>>>>>>
>>>>>>> /etc/sysctl.conf
>>>>>>> fs.file-max = 65536
>>>>>>>
>>>>>>> /etc/security
>>>>>>> * hard nofile 65536
>>>>>>> * soft nofile 5120
>>>>>>>
>>>>>>> sancp_agent.conf
>>>>>>> set MAX_COPY 2
>>>>>>>
>>>>>>> Unfortunately these values (fs.file-max,nofile) for "Too many open
>>>>>>> files" do not work.
>>>>>>> It looks like the value (fs.file-max,nofile) is hardcoded to
>>>>>>> 1024 in the kernel.
>>>>>>>
>>>>>>> But one can see that the sguil version V0.8 breaks off after
>>>>>>> approximately 9h because max open file = 1024 was reached.
>>>>>>> With "set MAX_COPY 10" this is already reached in ca. 5h (max open
>>>>>>> file 1024).
>>>>>>>
>>>>>>> lsof -c tclsh
>>>>>>> ##snip#
>>>>>>> tclsh 3645 root 1021w REG 253,0 8192 9503972 /nsm/server_data/server1/load/parsed.Serrig-DMZ.stats.br1.1299708064.20110309 (deleted)
>>>>>>> tclsh 3645 root 1022w REG 253,0 8192 9503973 /nsm/server_data/server1/load/parsed.Serrig-intern.stats.br0.1299708083.20110309 (deleted)
>>>>>>> tclsh 3645 root 1023w REG 253,0 8192 9503974 /nsm/server_data/server1/load/parsed.Serrig-DMZ.stats.br1.1299708094.20110309 (deleted)
>>>>>>> tclsh 3694 root cwd DIR 253,0 4096 2 /
>>>>>>> tclsh 3694 root rtd DIR 253,0 4096 2 /
>>>>>>> #snap#
>>>>>>>
>>>>>>> @Bamm
>>>>>>> >>How many sensors do you have?
>>>>>>> one host with two sensors
>>>>>>>
>>>>>>> Best regards
>>>>>>>
>>>>>>> Stefan
>>>>>>>
>>>>>>> On 09.03.11 at 04:40, "John Curry" <joh...@me...> wrote:
>>>>>>>
>>>>>>> >Hello Stefan,
>>>>>>> >
>>>>>>> >Keying in on the error "Too many open files", what does the command
>>>>>>> >'ulimit -a' show for 'open files' on your system?
>>>>>>> >
>>>>>>> >You can try increasing this number with the command 'ulimit -n <n>',
>>>>>>> >where <n> is the maximum number of open files
>>>>>>> >
>>>>>>> >-John
>>>>>>> >
>>>>>>> >On Tue, 8 Mar 2011 22:17:44 -0500
>>>>>>> >Bamm Visscher <bam...@gm...> wrote:
>>>>>>> >
>>>>>>> >> Stefan,
>>>>>>> >>
>>>>>>> >> How many sensors do you have? What happens if you set the
>>>>>>> >> MAX_COPY to 1 in your sancp_agent.conf?
>>>>>>> >>
>>>>>>> >> Bamm
>>>>>>> >>
>>>>>>> >> On Fri, Mar 4, 2011 at 11:48 AM, Stefan Sabolowitsch
>>>>>>> >> <Ste...@fe...> wrote:
>>>>>>> >> > OK, and I see this on the sensor side.
>>>>>>> >> >
>>>>>>> >> > Error registering data agent: error writing "sock6": connection
>>>>>>> >> > reset by peer
>>>>>>> >> >
>>>>>>> >> > This was 5 hours ago after which sguild died.
>>>>>>> >> > The bad part is that sancp_agent did not try to reconnect here.
>>>>>>> >> > All the other "agents" are OK; only sancp_agent makes no new
>>>>>>> >> > connection.
>>>>>>> >> >
>>>>>>> >> > Stefan
>>>>>>> >> >
>>>>>>> >> > -----Original Message-----
>>>>>>> >> > From: Bamm Visscher [mailto:bam...@gm...]
>>>>>>> >> > Sent: Friday, 4 March 2011 14:25
>>>>>>> >> > To: Stefan Sabolowitsch
>>>>>>> >> > Cc: sgu...@li...
>>>>>>> >> > Subject: Re: [Sguil-users] squil 0.8, ERROR: unable to set
>>>>>>> >> > certificate file file /etc/nsm/server1/certs/sguild.pem: Too many
>>>>>>> >> > open files
>>>>>>> >> >
>>>>>>> >> > Durn it. This is on the server side. Thanks for the bug reports.
>>>>>>> >> >
>>>>>>> >> > Bamm
>>>>>>> >> >
>>>>>>> >> > On Fri, Mar 4, 2011 at 8:21 AM, Stefan Sabolowitsch
>>>>>>> >> > <Ste...@fe...> wrote:
>>>>>>> >> >> Someone cheered too soon. :(
>>>>>>> >> >> The "Too many open files" problem came back.
>>>>>>> >> >>
>>>>>>> >> >> pid(31597) Sensor agent connect from 192.168.1.97:34756 sock681
>>>>>>> >> >> pid(31597) Validating sensor access: 192.168.1.97 :
>>>>>>> >> >> pid(31597) Valid sensor agent: 192.168.1.97
>>>>>>> >> >> pid(31597) ERROR: unable to set certificate file
>>>>>>> >> >> /etc/nsm/server1/certs/sguild.pem: Too many open files
>>>>>>> >> >> pid(31597) Sensor agent connect from 192.168.1.97:34757 sock17
>>>>>>> >> >> pid(31597) Validating sensor access: 192.168.1.97 :
>>>>>>> >> >> pid(31597) Valid sensor agent: 192.168.1.97
>>>>>>> >> >> pid(31597) Sensor agent connect from 192.168.1.97:34758 sock17
>>>>>>> >> >> pid(31597) Validating sensor access: 192.168.1.97 :
>>>>>>> >> >> pid(31597) Valid sensor agent: 192.168.1.97
>>>>>>> >> >> pid(31597) ERROR: unable to set certificate file
>>>>>>> >> >> /etc/nsm/server1/certs/sguild.pem: Too many open files
>>>>>>> >> >> pid(31597) Sensor agent connect from 192.168.1.97:42284 sock14
>>>>>>> >> >> pid(31597) Validating sensor access: 192.168.1.97 :
>>>>>>> >> >> pid(31597) Valid sensor agent: 192.168.1.97
>>>>>>> >> >> Error: couldn't create output pipe for command: too many open files
>>>>>>> >> >> couldn't create output pipe for command: too many open files
>>>>>>> >> >> while executing
>>>>>>> >> >> "open "| $P0F_PATH -q -s $fileName""
>>>>>>> >> >> (procedure "GenerateXscript" line 25)
>>>>>>> >> >> invoked from within
>>>>>>> >> >> "GenerateXscript /nsm/server_data/server1/archive/2011-03-04/Serrig-intern/192.168.1.115:602 00_194.117.224.81:80-6.raw sock514 .serrig-intern_52317"
>>>>>>> >> >> ("eval" body line 1)
>>>>>>> >> >> invoked from within
>>>>>>> >> >> "eval $callback "
>>>>>>> >> >> (procedure "BinCopyFinished" line 5)
>>>>>>> >> >> invoked from within
>>>>>>> >> >> "BinCopyFinished sock14 file17 /nsm/server_data/server1/archive/2011-03-04/Serrig-intern/192.168.1.115:602 00_194.117.224.81:80-6.raw {GenerateXscript /..."
>>>>>>> >> >> SGUILD: killing child procs...
>>>>>>> >> >> SGUILD: Exiting...
>>>>>>> >> >>
>>>>>>> >> >> Stefan
>>>>>>> >> >>
>>>>>>> >> >> On 04.03.11 at 03:18, "Bamm Visscher" <bam...@gm...> wrote:
>>>>>>> >> >>
>>>>>>> >> >>>I just committed a fix. It appears you had a large number of
>>>>>>> >> >>>sancp files queued on the disk and sancp_agent tried to upload
>>>>>>> >> >>>them all at once. The sancp_agent.conf file now has an option
>>>>>>> >> >>>for setting the max number of concurrent connections. Please
>>>>>>> >> >>>test again if you can.
>>>>>>> >> >>>
>>>>>>> >> >>>Bamm
>>>>>>> >> >>>
>>>>>>> >> >>>On Sun, Feb 27, 2011 at 6:15 AM, Stefan Sabolowitsch
>>>>>>> >> >>><Ste...@fe...> wrote:
>>>>>>> >> >>>> Bamm,
>>>>>>> >> >>>> thanks for your fast answer, I am switching back to V0.7 (V0.8 is
>>>>>>> >> >>>> not stable). If you need help, let me know.
>>>>>>> >> >>>>
>>>>>>> >> >>>> Stefan
>>>>>>> >> >>>>
>>>>>>> >> >>>> -----Original Message-----
>>>>>>> >> >>>> From: Bamm Visscher [mailto:bam...@gm...]
>>>>>>> >> >>>> Sent: Sunday, 27 February 2011 12:06
>>>>>>> >> >>>> To: Stefan Sabolowitsch; sgu...@li...
>>>>>>> >> >>>> Subject: Re: [Sguil-users] squil 0.8, ERROR: unable to set
>>>>>>> >> >>>> certificate file file /etc/nsm/server1/certs/sguild.pem: Too
>>>>>>> >> >>>> many open files
>>>>>>> >> >>>>
>>>>>>> >> >>>> Stefan,
>>>>>>> >> >>>>
>>>>>>> >> >>>> Tks for testing CVS and the bug report. Those appear to be
>>>>>>> >> >>>> directly related to the new code for uploading sancp and pcap
>>>>>>> >> >>>> files to sguild and I will try to get a bug fix in soon.
>>>>>>> >> >>>>
>>>>>>> >> >>>> Bamm
>>>>>>> >> >>>>
>>>>>>> >> >>>> 2011/2/27 Stefan Sabolowitsch <Ste...@fe...>:
>>>>>>> >> >>>>> Bamm, and I get this on the sensor side
>>>>>>> >> >>>>>
>>>>>>> >> >>>>> Sensor Data Rcvd:
>>>>>>> >> >>>>> Sending sguild (sock5) PING
>>>>>>> >> >>>>> Socket sock5 closed
>>>>>>> >> >>>>> Attempting to reconnect.
>>>>>>> >> >>>>> Connected to 192.168.1.78
>>>>>>> >> >>>>> Sending sguild (sock5) RegisterAgent sancp Serrig-DMZ DMZ_Net_Serrig
>>>>>>> >> >>>>> Sensor Data Rcvd: AgentInfo Serrig-DMZ sancp DMZ_Net_Serrig 5 0
>>>>>>> >> >>>>> Error: error renaming "couldn't open "/nsm/sensor_data/Serrig-DMZ/sancp/stats.br1.1298776057": too many open files": no such file or directory
>>>>>>> >> >>>>> error renaming "couldn't open "/nsm/sensor_data/Serrig-DMZ/sancp/stats.br1.1298776057": too many open files": no such file or directory
>>>>>>> >> >>>>> while executing
>>>>>>> >> >>>>> "file rename $newFiles FAILED-$newFiles "
>>>>>>> >> >>>>> (procedure "CheckForSancpFiles" line 24)
>>>>>>> >> >>>>> invoked from within
>>>>>>> >> >>>>> "CheckForSancpFiles"
>>>>>>> >> >>>>> ("after" script)
>>>>>>> >> >>>>>
>>>>>>> >> >>>>> I think I will switch back to V 0.7
>>>>>>> >> >>>>>
>>>>>>> >> >>>>> Stefan
>>>>>>> >> >>>>>
>>>>>>> >> >>>>> From: Stefan Sabolowitsch [mailto:Ste...@fe...]
>>>>>>> >> >>>>> Sent: Sunday, 27 February 2011 09:15
>>>>>>> >> >>>>> To: sgu...@li...
>>>>>>> >> >>>>> Subject: [Sguil-users] squil 0.8, ERROR: unable to set
>>>>>>> >> >>>>> certificate file file
>>>>>>> >> >>>>> /etc/nsm/server1/certs/sguild.pem: Too many open files
>>>>>>> >> >>>>>
>>>>>>> >> >>>>> Hi Bamm,
>>>>>>> >> >>>>>
>>>>>>> >> >>>>> thank you for sguil 0.8
>>>>>>> >> >>>>>
>>>>>>> >> >>>>> I get this error message after some time.
>>>>>>> >> >>>>>
>>>>>>> >> >>>>> #-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-
>>>>>>> >> >>>>> pid(2332) ERROR: unable to set certificate file
>>>>>>> >> >>>>> /etc/nsm/server1/certs/sguild.pem: Too many open files
>>>>>>> >> >>>>> Error: can not find channel named "sock13"
>>>>>>> >> >>>>> can not find channel named "sock13"
>>>>>>> >> >>>>> while executing
>>>>>>> >> >>>>> "flush $pcapSocketID"
>>>>>>> >> >>>>> (procedure "GetRawDataFromSensor" line 18)
>>>>>>> >> >>>>> invoked from within
>>>>>>> >> >>>>> "GetRawDataFromSensor $TRANS_ID $sensor $sensorID $timestamp $srcIP $srcPort $dstIP $dstPort 6 $rawDataFileName xscript"
>>>>>>> >> >>>>> (procedure "XscriptRequest" line 26)
>>>>>>> >> >>>>> invoked from within
>>>>>>> >> >>>>> "XscriptRequest sock14 Serrig-intern 3 .serrig-intern_1477 {2011-02-26 21:58:42} 192.168.1.48 3389 192.168.50.15 49929 0"
>>>>>>> >> >>>>> ("eval" body line 1)
>>>>>>> >> >>>>> invoked from within
>>>>>>> >> >>>>> "eval $clientCmd $socketID [lrange $data 1 end] "
>>>>>>> >> >>>>> ("XscriptRequest" arm line 1)
>>>>>>> >> >>>>> invoked from within
>>>>>>> >> >>>>> "switch -exact $clientCmd {
>>>>>>> >> >>>>> DeleteEventIDList { $clientCmd $socketID [lindex $data 1] [lindex $data 2] [lindex $data 3] }
>>>>>>> >> >>>>> EventHistoryR..."
>>>>>>> >> >>>>> (procedure "ClientCmdRcvd" line 46)
>>>>>>> >> >>>>> invoked from within
>>>>>>> >> >>>>> "ClientCmdRcvd sock14"
>>>>>>> >> >>>>> SGUILD: killing child procs...
>>>>>>> >> >>>>> SGUILD: Exiting...
>>>>>>> >> >>>>> #-#-#-#-#-#-#-#-#-#-#-#-#-##-#-#-#-#-#
>>>>>>> >> >>>>>
>>>>>>> >> >>>>> Possibly an idea?
>>>>>>> >> >>>>>
>>>>>>> >> >>>>> PS: I noticed that the option switch "-u" no longer exists
>>>>>>> >> >>>>> (sguil start with nsmnow).
>>>>>>> >> >>>>>
>>>>>>> >> >>>>> _______________________________________________
>>>>>>> >> >>>>> Sguil-users mailing list
>>>>>>> >> >>>>> Sgu...@li...
>>>>>>> >> >>>>> https://lists.sourceforge.net/lists/listinfo/sguil-users
>>>>>>> >> >>>>
>>>>>>> >> >>>> --
>>>>>>> >> >>>> sguil - The Analyst Console for NSM
>>>>>>> >> >>>> http://sguil.sf.net
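
The two leak signatures reported in this thread from `lsof -c tclsh` (regular files held open after deletion, and sockets left in CLOSE_WAIT because the peer closed and the server never did) can be tallied per process and compared with the 1024 descriptor limit mentioned above. This is an added example, not part of the original thread and not sguil code; the sample lines are constructed in the shape of the quoted output, and the function names and the 80% warning threshold are assumptions.

```python
import re
from collections import defaultdict

# Constructed sample in the shape of the `lsof -c tclsh` lines quoted in the thread.
SAMPLE = """\
tclsh 17845 root 11u IPv4 223043 TCP *:7734 (LISTEN)
tclsh 17845 root 13u IPv4 223441 TCP 192.168.1.78:7736->192.168.1.97:36678 (ESTABLISHED)
tclsh 17845 root 19u IPv4 223447 TCP 192.168.1.78:7736->192.168.1.97:36684 (CLOSE_WAIT)
tclsh 17845 root 20u IPv4 223449 TCP 192.168.1.78:7736->192.168.1.97:36685 (CLOSE_WAIT)
tclsh 17845 root 85w REG 253,0 8192 9502981 /nsm/server_data/server1/load/parsed.example.1 (deleted)
tclsh 17845 root 86w REG 253,0 8192 9502982 /nsm/server_data/server1/load/parsed.example.2 (deleted)
tclsh 17845 root 87w REG 253,0 8192 9502983 /nsm/server_data/server1/load/parsed.example.3 (deleted)
tclsh 3694 root cwd DIR 253,0 4096 2 /
"""

NUMERIC_FD = re.compile(r"^\d+")
TCP_STATE = re.compile(r"\((LISTEN|ESTABLISHED|CLOSE_WAIT)\)\s*$")


def summarize(lsof_text):
    """Return {pid: counts}; only numeric FDs count against the nofile limit."""
    procs = defaultdict(lambda: {"fds": 0, "deleted": 0, "close_wait": 0,
                                 "established": 0, "listen": 0})
    for line in lsof_text.splitlines():
        fields = line.split()
        if len(fields) < 5 or not fields[1].isdigit():
            continue  # header line or wrapped fragment
        if not NUMERIC_FD.match(fields[3]):
            continue  # cwd, rtd, txt, mem are not descriptors
        counts = procs[int(fields[1])]
        counts["fds"] += 1
        if fields[4] == "REG" and line.rstrip().endswith("(deleted)"):
            counts["deleted"] += 1  # file unlinked but never closed
        state = TCP_STATE.search(line)
        if state:
            counts[state.group(1).lower()] += 1
    return dict(procs)


def leak_findings(lsof_text, soft_limit=1024, warn_ratio=0.8):
    """Return (pid, reason, count) tuples for each leak indicator seen."""
    findings = []
    for pid, c in sorted(summarize(lsof_text).items()):
        if c["deleted"]:
            findings.append((pid, "deleted-but-open", c["deleted"]))
        if c["close_wait"] > c["established"]:
            findings.append((pid, "close-wait-backlog", c["close_wait"]))
        if c["fds"] >= soft_limit * warn_ratio:
            findings.append((pid, "near-nofile-limit", c["fds"]))
    return findings


if __name__ == "__main__":
    for finding in leak_findings(SAMPLE):
        print(finding)
```

Run periodically against live `lsof -c tclsh` output, a steadily growing count under either reason shows the leak well before the process reaches its limit.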