Dear Eric,
As soon as you set some expire values ( time or size wise ) this file gets
created. You can also create/maintain this
file with nfexpire. The file is updated by nfcapd for the live feeds as well as
nfprofile for the profiles, which are
updated every 5 min. There are no processes other than these 3, which have
their finger on that file.
If you mention NFS, that rings a bell for locking. Concurrent access is
arbitrated with file locking using ioctl:
fcntl(fd, F_SETLKW, &fl);
Regards
- Peter
On 9/8/11 15:44, Eric Jacobsen wrote:
> This problem seems to come up now and again in the list and I'm trying to
> figure out why it's not working for me. I've set up a test box with
> nfsen-1.3.5 and nfdump-1.6.4 on RHEL5 with everything freshly compiled and
> on local disk (eliminating possible NFS problems). What I observe is that
> the size in the .nfstat file is never updated and therefore nfexpire never
> updates the size in profile.dat with the current size and never expires
> anything. This results in the disk filling up.
>
> I would be happy to debug my own problem but I'm stymied about what process
> is supposed to keep the .nfstat file current. nfexpire is capable of doing
> it, but the man page suggests that the -r flag is not meant for normal use,
> and indeed, it's expensive to recalculate every five minutes from scratch.
> As a workaround, I set up a cron job to do this hourly. One thread I found
> in this group from 2008 suggested that nfcapd is responsible for updating
> this file when it rotates the log file, but in my inspection of the source
> code the WriteStatInfo() function is only invoked when the parent nfcapd
> exits (at which point it does in fact write the statfile properly). The man
> page for nfcapd makes no mention of maintaining the nfstat file, and only
> references it for purposes of expiration. Should I be having nfcapd do the
> expiration instead of relying on nfexpire? [Note that this might fix my disk
> problem but wouldn't address the nfsen reporting the wrong information via
> the UI] Where nfsen and nfdump are maintained separately, is this just a
> divergence in the responsibility for this file between the projects? Is
> there a requirement to run a specific version of each together for proper
> functioning?
>
> If I knew how this file was supposed to be maintained it would make it
> easier to figure out what my problem is.
>
> Thanks!
>
> Eric
>
>
>
> This body part will be downloaded on demand.
>
>
>
> This body part will be downloaded on demand.
--
--
Be nice to your netflow data
------------------------------------------------------------------------------
All the data continuously generated in your IT infrastructure contains a
definitive record of customers, application performance, security
threats, fraudulent activity and more. Splunk takes this data and makes
sense of it. Business sense. IT sense. Common sense.
http://p.sf.net/sfu/splunk-d2dcopy1
_______________________________________________
Nfsen-discuss mailing list
Nfsen-discuss@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/nfsen-discuss
