Hi Adrian,
I'm sorry for the delay. But I'm out of the office and I can only seldom
read my mail.
Looking into the code, there is a bug in the Plugin Loader, as it did not
take the profile group into account. Please apply the patch appended to
Nfcomm.pl and reload nfsen. You can check the loaded modules by searching
for the ModList entry in the log output, which lists all plugins
registered for a profile. The bug resulted in only one plugin being loaded.
Sorry for this.
As for the multiple calls of the END function: this is still unclear to me
and cannot be reproduced. I'm also a bit confused, as I have no
influence over when this END function is called, as it is Perl's internal
trigger to run BEGIN and END when a module is loaded or unloaded.
Furthermore, once a Perl module is loaded, it cannot be unloaded unless the
Perl process ends. Therefore, you should see these log entries only when
terminating NfSen.
Could you please apply the patch and report back to me if you still see
these strange calls?
- Peter
> Hello,
>
> I've just installed nfsen-snapshot-20070110 on a new server (I want to
> migrate the old collector box, because it couldn't handle the size of
> the netflow exports anymore), and I have to say: good job. The web
> interface is much easier to use and has some new nice features (like
> saving custom output formats and filters).
>
> I've installed the new nfsen on a new server, and I'm trying to get my
> backend plugins to work.
>
> I've modified the way the plugins take in parameters to be compliant
> with the new nfsen and they run.... sort of.
>
> I have 2 custom built plugins, one called 'floodsearch' and the second
> 'prefixStats'. prefixStats was derived from floodsearch at some point in
> their construction.
> I use custom logging for both of them, and both of them run beautifully
> with the previous version of nfsen.
>
> When I start nfsen with both plugins listed in etc/nfsen.conf, this is
> what I get in /var/log/messages:
>
> Jan 23 16:02:54 hail nfsen[6518]: Startup. Version: snapshot-20070110
> $Id: nfsend 60 2007-01-09 12:26:47Z peter $
> Jan 23 16:02:54 hail nfsen[6520]: Comm server started: [6520]
> Jan 23 16:02:54 hail nfsen[6519]: nfsend: [6519]
> Jan 23 16:02:54 hail nfsen[6519]: Update profile live in group .
> Jan 23 16:02:54 hail nfsen[6520]: floodsearch BEGIN
> Jan 23 16:02:54 hail floodsearch: Loading plugin 'floodsearch': Success
> Jan 23 16:02:54 hail floodsearch: floodsearch: Init
> Jan 23 16:02:54 hail floodsearch: Initializing plugin 'floodsearch':
> Success
> Jan 23 16:02:54 hail floodsearch: prefixStats BEGIN
> Jan 23 16:02:54 hail floodsearch: Loading plugin 'prefixStats': Success
> Jan 23 16:02:54 hail floodsearch: prefixStats: Init
> Jan 23 16:02:54 hail floodsearch: Initializing plugin 'prefixStats':
> Success
> Jan 23 16:02:54 hail floodsearch: ModList: ./live - prefixStats
>
>
> Incidentally, this is almost the same thing I get with the old version,
> too:
>
> Jan 21 04:02:42 hail nfsen[11597]: Startup. Version: snapshot-20060810
> $Id: nfsend 59 2006-08-10 17:47:53Z peter $
> Jan 21 04:02:42 hail nfsen[18406]: Comm server started: [18406]
> Jan 21 04:02:42 hail nfsen[18404]: nfsend: [18404]
> Jan 21 04:02:42 hail nfsen[18405]: floodsearch BEGIN
> Jan 21 04:02:42 hail floodsearch: Loading plugin 'floodsearch': Success
> Jan 21 04:02:42 hail floodsearch: floodsearch: Init
> Jan 21 04:02:42 hail floodsearch: Initializing plugin 'floodsearch':
> Success
> Jan 21 04:02:42 hail floodsearch: prefixStats BEGIN
> Jan 21 04:02:42 hail floodsearch: Loading plugin 'prefixStats': Success
> Jan 21 04:02:42 hail floodsearch: prefixStats: Init
> Jan 21 04:02:42 hail floodsearch: Initializing plugin 'prefixStats':
> Success
> Jan 21 04:02:42 hail floodsearch: ModList: live - floodsearch,prefixStats
>
>
> With this scenario, prefixStats works as expected (the logging proves
> this), but floodsearch acts very strange - the run subroutine is never
> reached, and after 5 minutes, the END subroutine is executed 20+ times.
> Here's its log output:
>
> 2007/01/23 15:41:16 INFO> floodsearch.pm:1116 floodsearch::BEGIN -
> starting floodsearch (version 2.0.2)
> 2007/01/23 15:48:24 INFO> floodsearch.pm:1124 floodsearch::END -
> stopping floodsearch
> 2007/01/23 15:48:25 INFO> floodsearch.pm:1124 floodsearch::END -
> stopping floodsearch
> 2007/01/23 15:48:25 INFO> floodsearch.pm:1124 floodsearch::END -
> stopping floodsearch
> 2007/01/23 15:48:25 INFO> floodsearch.pm:1124 floodsearch::END -
> stopping floodsearch
> 2007/01/23 15:48:25 INFO> floodsearch.pm:1124 floodsearch::END -
> stopping floodsearch
> 2007/01/23 15:48:25 INFO> floodsearch.pm:1124 floodsearch::END -
> stopping floodsearch
> 2007/01/23 15:48:25 INFO> floodsearch.pm:1124 floodsearch::END -
> stopping floodsearch
> 2007/01/23 15:48:25 INFO> floodsearch.pm:1124 floodsearch::END -
> stopping floodsearch
> 2007/01/23 15:49:40 INFO> floodsearch.pm:1124 floodsearch::END -
> stopping floodsearch
> 2007/01/23 15:49:41 INFO> floodsearch.pm:1124 floodsearch::END -
> stopping floodsearch
> 2007/01/23 15:49:41 INFO> floodsearch.pm:1124 floodsearch::END -
> stopping floodsearch
> 2007/01/23 15:49:41 INFO> floodsearch.pm:1124 floodsearch::END -
> stopping floodsearch
> 2007/01/23 15:49:41 INFO> floodsearch.pm:1124 floodsearch::END -
> stopping floodsearch
> 2007/01/23 15:49:41 INFO> floodsearch.pm:1124 floodsearch::END -
> stopping floodsearch
> 2007/01/23 15:49:41 INFO> floodsearch.pm:1124 floodsearch::END -
> stopping floodsearch
> 2007/01/23 15:49:41 INFO> floodsearch.pm:1124 floodsearch::END -
> stopping floodsearch
> 2007/01/23 15:50:18 INFO> floodsearch.pm:1124 floodsearch::END -
> stopping floodsearch
> 2007/01/23 15:50:18 INFO> floodsearch.pm:1124 floodsearch::END -
> stopping floodsearch
> 2007/01/23 15:50:18 INFO> floodsearch.pm:1124 floodsearch::END -
> stopping floodsearch
> 2007/01/23 15:50:18 INFO> floodsearch.pm:1124 floodsearch::END -
> stopping floodsearch
> 2007/01/23 15:50:18 INFO> floodsearch.pm:1124 floodsearch::END -
> stopping floodsearch
> 2007/01/23 15:50:18 INFO> floodsearch.pm:1124 floodsearch::END -
> stopping floodsearch
> 2007/01/23 15:50:18 INFO> floodsearch.pm:1124 floodsearch::END -
> stopping floodsearch
> 2007/01/23 15:50:19 INFO> floodsearch.pm:1124 floodsearch::END -
> stopping floodsearch
>
> I've noticed that in /var/log/messages, I see a message coming from
> floodsearch saying that prefixStats is ok, and apparently 'ModList:
> ./live - prefixStats' says only prefixStats is running correctly....
>
> I guess I made some mistakes when writing the backend scripts, but they
> ran fine on the older nfsen...
>
> However, starting nfsen with only floodsearch loaded, I can get
> floodsearch to run:
>
> 2007/01/23 16:09:31 INFO> floodsearch.pm:1134 floodsearch::BEGIN -
> starting floodsearch (version 2.0.2)
> 2007/01/23 16:09:31 DEBUG> floodsearch.pm:1115 floodsearch::Init -
> Running Init
> 2007/01/23 16:10:31 DEBUG> floodsearch.pm:199 floodsearch::run -
> Profile: live, Time: 200701231605
> 2007/01/23 16:10:31 DEBUG> floodsearch.pm:609 floodsearch::run - Nothing
> interesting left to do.
> 2007/01/23 16:10:31 INFO> floodsearch.pm:1142 floodsearch::END -
> stopping floodsearch
> 2007/01/23 16:15:31 DEBUG> floodsearch.pm:199 floodsearch::run -
> Profile: live, Time: 200701231610
> 2007/01/23 16:15:31 DEBUG> floodsearch.pm:609 floodsearch::run - Nothing
> interesting left to do.
> 2007/01/23 16:15:31 INFO> floodsearch.pm:1142 floodsearch::END -
> stopping floodsearch
>
>
> (however, the END function wasn't called in the older nfsen version
> every 5 minutes...)
>
> Do you have any idea why this is happening? Any tips on how I could fix
> it?
>
> Thank you a lot!
>
> Adrian Popa
>
>
> -------------------------------------------------------------------------
> Take Surveys. Earn Cash. Influence the Future of IT
> Join SourceForge.net's Techsay panel and you'll get the chance to share
> your
> opinions on IT & business topics through brief surveys - and earn cash
> http://www.techsay.com/default.php?page=join.php&p=sourceforge&CID=DEVDEV
> _______________________________________________
> Nfsen-discuss mailing list
> [email protected]
> https://lists.sourceforge.net/lists/listinfo/nfsen-discuss
>
--
_______ SWITCH - The Swiss Education and Research Network ______
Peter Haag, Security Engineer, Member of SWITCH CERT
PGP fingerprint: D9 31 D5 83 03 95 68 BA FB 84 CA 94 AB FC 5D D7
SWITCH, Limmatquai 138, CH-8001 Zurich, Switzerland
E-mail: [EMAIL PROTECTED] Web: http://www.switch.ch/
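
The loader bug described in the reply above, reduced to a stand-alone Perl sketch (an added example, not NfSen code: the `register` helper and the plugin list are hypothetical, and only the hash-key logic follows the lines visible in the patch). It shows why the quoted syslog output ends with `ModList: ./live - prefixStats` when two plugins are configured for the same profile.

```perl
#!/usr/bin/perl
# Added illustration, not NfSen source. register() and @plugins are
# hypothetical; only the hash-key logic mirrors the lines in the patch.
use strict;
use warnings;

# Constructed input: both plugins registered for profile 'live' in group '.',
# matching the "ModList: ./live - ..." line in the quoted syslog output.
my @plugins = (
    { group => '.', profile => 'live', module => 'floodsearch' },
    { group => '.', profile => 'live', module => 'prefixStats' },
);

# Build the profile -> module-list table. $fixed selects which key the
# 'exists' test looks at: the bare profile name (before the patch) or the
# same "group/profile" key that the assignments write to (after the patch).
sub register {
    my ($fixed, @entries) = @_;
    my %plugin_table;
    for my $e (@entries) {
        my ($profilegroup, $profile, $module) = @{$e}{qw(group profile module)};
        my $lookup = $fixed ? "$profilegroup/$profile" : $profile;
        if ( exists $plugin_table{$lookup} ) {
            # Append to the list already stored for this profile.
            $plugin_table{"$profilegroup/$profile"} .= ",$module";
        } else {
            # Taken when the test finds no entry. Before the patch the bare
            # key is never written, so this branch runs every time and
            # overwrites the module stored by the previous iteration.
            $plugin_table{"$profilegroup/$profile"} = $module;
        }
    }
    return %plugin_table;
}

# Print the resulting table for both variants in ModList-like form.
for my $case ( [ 0, 'before patch' ], [ 1, 'after patch' ] ) {
    my ($fixed, $label) = @$case;
    my %table = register($fixed, @plugins);
    print "${label}: ModList: $_ - $table{$_}\n" for sort keys %table;
}
```
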
--- Nfcomm.pm.orig 2007-01-24 13:56:48.000000000 +0100
+++ Nfcomm.pm 2007-01-25 07:46:50.000000000 +0100
@@ -307,7 +307,7 @@
syslog('err', "Register plugin '$module' for
profile '$profile' in profile group '$profilegroup' does not exists!");
next;
}
- if ( exists $plugin_table{$profile} ) {
+ if ( exists $plugin_table{"$profilegroup/$profile"} ) {
$plugin_table{"$profilegroup/$profile"} .=
",$module";
} else {
$plugin_table{"$profilegroup/$profile"} =
"$module";-------------------------------------------------------------------------
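
Review bot: After this change the key "$profilegroup/$profile" is spelled out three times in the hunk (the exists test and both assignments), and the defect being fixed was one of those spellings differing from the other two. Build the key once before the test, for example my $key = "$profilegroup/$profile"; and use $plugin_table{$key} in all three places, so the lookup and the writes cannot drift apart again. Two smaller points from the visible lines: the quotes around "$module" in the else branch are unnecessary, and the syslog text in the context line reads "does not exists". The diff header names Nfcomm.pm as the file to patch.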