Location of "current" vs historical flow files

[gl89-at-cornell]

[Side note: I sent this to the address for the nfdump-discuss mailing list a week ago; I received no bounce message, but no response either, so I'm assuming the list is defunct or at least not the place for such a query anymore.]

Background: our server management folks are changing up the SAN available to us, such that there's more space
available, but the speed will be less than it's been before, and not comparable to the speed of a local disk.

That being the case, we're considering a model in which the "nfcapd.current.{####}" file is written to local
disk, but the rotation-interval roll - which currently includes "-S 7", i.e. moving the file into a "%Y-%m-%d"
subdirectory - would in the new model move it to a directory on the SAN.

I could do some magic with soft links and the scripting being invoked with "-x". If possible, though, I'd like
to be able to do this with nfcapd command line arguments or other config, rather than an integration wrapped
around the package.

Thoughts?

Thanks in advance for any insights and assistance.

Glenn Forbes Fleming Larratt
Cornell IT Security Office

[phaag]

The point is, that nfcapd uses rename() for the file. On the same file system for the temporary file as for the final file, (which is assumed) this results in a move and therefore is very fast (inode-change only). If you cross file systems from the temporary file to the final file, you need to copy/delete as move only works on the same file system. Copy files is slower than moves and therefore the tmp file needs to be on the same file system.
So if you would start nfcapd withe the path of the final flow storage on your SAN it should work again, but may need some tweaking of the layout perhaps.

[Yes - the mailing list is almost dead - I need to check, if it could get set to read only]

[gl89-at-cornell]

OK, I can work with that. Thank You!