Re: [Sguil-users] Problems with sancp
From: David J. B. <bi...@jl...> - 2005-03-23 13:00:25
It's the job of the sensor agent to take the files in the sancp directory and import them into the database. If they're piling up, it means sancp is still properly collecting them. This probably means that the sensor agent is probably not doing the right thing. If a simple restart of that process doesn't clear things up, you might need to run it with debugging output to see the problem.

BTW, if you have a lot of sancp files, be patient after you restart sensor agent. It can easily take an hour or two to load a lot of files. The good news is that it loads and deletes one file at a time, so if the oldest files keep disappearing, you know it's working.

David

Paul Schmehl wrote:
> From time to time sancp events seem to stop getting entered into the db.
>
> If I check the directory on the sensor, the events are "piling up" there, whereas they would normally not appear there.
>
> When I check max(start_time) of sancp, it corresponds with a time prior to the first filetime in the sancp dir on the sensor.
>
> Has anyone seen this behavior? Have any idea what might cause it? And finally, how do you "restart" the process? Sancp is running and writing events to the logdir. Sguild is running, so is the db, and events are still being written to the db. (max(timestamp) of event is current time.)
>
> Paul Schmehl (pa...@ut...)
> Adjunct Information Security Officer
> The University of Texas at Dallas
> AVIEN Founding Member
> http://www.utdallas.edu
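The check described in the reply above (while the sensor agent is loading, the oldest file in the sancp directory keeps disappearing), written out as an added shell example that is not part of the original thread or of Sguil. The function names, the default five-minute interval and the directory argument are assumptions; pass the sancp output directory of your own sensor.

```shell
#!/bin/sh
# Added example: tell a draining sancp backlog from a stalled one.
# Not Sguil code; function names and the default interval are assumptions.

# Print "<count> <oldest-file-name>" for the regular files in directory $1.
# Oldest means earliest modification time. Prints "0 -" for an empty directory.
sancp_snapshot() {
    local dir="$1" f oldest="" count=0
    for f in "$dir"/*; do
        [ -f "$f" ] || continue
        count=$((count + 1))
        if [ -z "$oldest" ] || [ "$f" -ot "$oldest" ]; then
            oldest="$f"
        fi
    done
    if [ "$count" -eq 0 ]; then
        echo "0 -"
    else
        echo "$count ${oldest##*/}"
    fi
}

# Compare two snapshots: <count1> <oldest1> <count2> <oldest2>.
#   empty        nothing is waiting to be loaded
#   draining     the oldest file changed, so files are being loaded and deleted
#   stalled      same oldest file and more files than before
#   inconclusive no backlog at the first sample, or nothing changed yet
sancp_verdict() {
    local c1="$1" o1="$2" c2="$3" o2="$4"
    if [ "$c2" -eq 0 ]; then echo "empty"
    elif [ "$c1" -eq 0 ]; then echo "inconclusive"
    elif [ "$o1" != "$o2" ]; then echo "draining"
    elif [ "$c2" -gt "$c1" ]; then echo "stalled"
    else echo "inconclusive"
    fi
}

# Sample directory $1 twice, $2 seconds apart (default 300), and print the verdict.
sancp_check() {
    local dir="$1" interval="${2:-300}" s1 s2
    s1=$(sancp_snapshot "$dir")
    sleep "$interval"
    s2=$(sancp_snapshot "$dir")
    # Word-split on purpose: each snapshot is "<count> <name>" with no whitespace in names.
    sancp_verdict $s1 $s2
}

# Run only when a directory is given on the command line.
if [ $# -ge 1 ]; then sancp_check "$@"; fi
```

A "stalled" verdict matches the symptom in the quoted question: sancp keeps writing files while none are loaded. An "inconclusive" verdict on a large backlog may just mean one file is still being loaded, so sample again later.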