We have the Trisul Running:
ii trisul 3.6.1610 Real time monitoring and forensics engine
ii trisul-badfellas 3.6.570 URL / Domain / IP blacklisting plugin
ii trisul-geo 3.6.566 GeoIP plugin for Trisul Network Metering and Forensics
ii webtrisul 3.6.1137 Web Interface for Trisul Network Analytics

Recently our main "listening" interface changed from eth1 to eth2.
In the default DashBoards->Overview page there is a module called "Trisul Server Health" which has great information like total bandwidth number, CPU usage, Total Bytes passed by.

This was working great until the interface change (it is actually an addition both eth1 and eth2 are our HA line for fail over, so one or the other will have traffic) it now only shows the "dead" interface traffic amount. All the other modules show correct amount. I have attached screenshot explaining which number I am talking about.

Well it looks like the forums won't let me add a png file :-/ so no screenshot

Hi,


Sounds like a bug in the module.

Are you listening on both eth1 and eth2 ? I mean are both adapters enabled in Customize -> Adapters.

Can you post the output of the following command :

Will get back to you in a bit on this.

Thanks

Yes I am listening to both interfaces: eth1 and eth2 (eth0 console/management interface, is enabled but not "listened" too), so Customize -> Adapters only eth1 and eth2 are "enabled".

Also as I mentioned before most (I haven't checked all of them) other dashboards are showing the correct information and byte count.

ls /usr/local/var/lib/trisul/CONTEXT0/run
frplaypipe_00 merged.log.1381436479 merged.log.1381938483 merged.log.1383684441 merged.log.1385558046 merged.log.1389624772 meterpipe_00
frplaypipe_01 merged.log.1381506518 merged.log.1382106712 merged.log.1383747369 merged.log.1385560715 merged.log.1389813545 redis.pid
ifilter.stats merged.log.1381507096 merged.log.1382359961 merged.log.1384193420 merged.log.1385996565 merged.log.1390410133 redis.socket
lpcappipe_00 merged.log.1381771388 merged.log.1382360270 merged.log.1384348322 merged.log.1386267554 merged.log.1390491259 rxringpipe_00
lpcappipe_01 merged.log.1381859032 merged.log.1382365758 merged.log.1384442945 merged.log.1386706361 merged.log.1390491561 rxringpipe_01
merged.log.1381427615 merged.log.1381859192 merged.log.1382617016 merged.log.1384541674 merged.log.1386708135 merged.log.1390491842 snort_alert
merged.log.1381427897 merged.log.1381866891 merged.log.1383073645 merged.log.1384789324 merged.log.1387217174 merged.log.1390492334 snort.log.1381427428
merged.log.1381428141 merged.log.1381927644 merged.log.1383236180 merged.log.1385049416 merged.log.1388422220 merged.log.1390493603 system.stats
merged.log.1381436311 merged.log.1381935016 merged.log.1383252410 merged.log.1385557714 merged.log.1389117308 merged.log.1390493630


UPDATE: While I was wrtiing this the trisul service died, I restarted it in the web-gui and now it is showing total!!! I will keep my eye on it and see if it does again. Is there a log you would like me to post as well?

Hello,

Trisul should never halt like that. Do you see that often?

Can you post the output of the following ? So we can see why it stopped.

and next

(if this is too voluminous, kindly send as email to info at unleashnetworks dot com).

Well it died over the weekend, and it is back to only showing traffic stats (as mentioned previously) on only one interfaces traffic.
here is the output of commands requested:

root@ism-tris-snrt:~# dmesg | grep trisul
root@ism-tris-snrt:~# grep ERROR /usr/local/var/log/trisul/ns*.log
/usr/local/var/log/trisul/ns-001.log:Fri Jan 24 13:25:06 2014.011455 ERROR DB Error flushing Resource Group : database is locked
/usr/local/var/log/trisul/ns-001.log:Fri Jan 24 13:26:06 2014.070544 ERROR DB Error flushing Resource Group : database is locked
/usr/local/var/log/trisul/ns-001.log:Fri Jan 24 13:27:05 2014.900159 ERROR DB Error flushing Resource Group : database is locked
/usr/local/var/log/trisul/ns-004.log:Thu Jan 23 11:06:02 2014.501954 ERROR Unable to open the adapter. eth2 : Err = eth2: That device is not up
/usr/local/var/log/trisul/ns-004.log:Thu Jan 23 11:06:18 2014.126391 ERROR Unable to open the adapter. eth2 : Err = eth2: That device is not up
/usr/local/var/log/trisul/ns-004.log:Thu Jan 23 11:06:45 2014.717918 ERROR Unable to open the adapter. eth2 : Err = eth2: That device is not up
/usr/local/var/log/trisul/ns-005.log:Thu Jan 23 11:26:06 2014.034602 ERROR DB Error flushing Resource Group : database is locked
root@ism-tris-snrt:~#


FYI the adapter is up now those adapter errors were older messages because I forgot to add them to network-scripts in unbutu (which I have since added and they are both up, so u can ignore the 23th because I successfully started and it kept running until 24th)

BTW we also have snort integrated/reporting to the trisul, and I dont have any problems re-installing/deleting trisul

Hi,

1. Could you zip and send me the ns-00*.log files that are located in /usr/local/var/log/trisul to info at unleashnetworks dot com ? It really should not halt like that!

2. I will check up on the adapter issue and get back to you shortly.


Thanks,