argus monitoring scripts

David Brumley dbrumley at rtfm.stanford.edu
Fri Aug 4 16:02:24 EDT 2000


Sorry for not being specific.  I'm running argus on several DMZs.  Every
night I rotate the argus file.  Then, the file from each DMZ is brought
over to a central machine.  There have been several times when disk space
problems, race conditions, etc. have caused problems.

Basically, I was looking to see if anyone had a similar setup, and how
they were handling it.  It seems that there are several steps:
host 1:
1. Kill argus
2. restart with new logfile name
3. notify other host that yesterday's argus file is ready for xfer

host 2:
4. wait for notification
5. when received, pull over argus file
6. run various extracts

It's nothing difficult, but I hate reinventing the wheel.

-djb

On Fri, 4 Aug 2000, Peter Van Epp wrote:

> > 
> > Hey David,
> >    What kind of process monitoring are you looking for?
> > Is Argus still running? That kind of thing?
> > 
> > Carter
> 
> 	If so I have some partly done perl scripts (ripped off from shadow) 
> that will eventually monitor the argus and gzip tasks from cron
> and restart them if they look to be dead, cycle log files from cron and
> at reboot time (into the current logfile if one is already going). An
> early version is running on my systems now (simple log rolling and restart
> in a new log file) and there are partly finished versions with more checking
> around which I'm willing to part with if you have time to work on them. 
> 
> Peter Van Epp / Operations and Technical Support 
> Simon Fraser University, Burnaby, B.C. Canada
> 

#+--+#+--+#+--+#+--+#+--+#+--+#+--+#+--+#+--+#+--+#+--+#+--+#+--+#+--+#
David Brumley - Stanford Computer Security -      dbrumley at Stanford.EDU
Phone: +1-650-723-2445           WWW: http://www.stanford.edu/~dbrumley
Fax:   +1-650-725-9121     PGP: finger dbrumley-pgp at sunset.Stanford.EDU
#+--+#+--+#+--+#+--+#+--+#+--+#+--+#+--+#+--+#+--+#+--+#+--+#+--+#+--+#
c:\winnt> secure_nt.exe
  Securing NT.  Insert Linux boot disk to continue......
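Added example, not from this thread or from the argus project: the six steps in David's list written as cron-driven sh functions, with the hand-off between the two hosts made atomic so the collector never pulls a half-written file and nothing is renamed into place before the copy is verified. Everything below is assumed rather than taken from the page: that argus accepts `-w <file>` and `-d`, that its pid is in /var/run/argus.pid, that ra(1) reads with `-r`, and the argus.YYYYMMDD / argus.YYYYMMDD.ready file names.

```shell
#!/bin/sh
# Added example (not from this thread or the argus project): the six steps as
# cron-driven sh functions.  Assumed layout: argus writes $dir/argus.out; a
# rotated file is $dir/argus.YYYYMMDD with a sidecar argus.YYYYMMDD.ready that
# holds the POSIX cksum and size of the closed file.  All argus/ra flags are
# assumptions, not taken from the page.

ARGUS_BIN=${ARGUS_BIN:-argus}           # assumed: argus in PATH, -w <file>, -d daemon
PIDFILE=${PIDFILE:-/var/run/argus.pid}  # assumed: where argus records its pid
MIN_FREE_KB=${MIN_FREE_KB:-102400}      # refuse to rotate with under 100 MB free
XFER=${XFER:-scp -q}                    # collector copy command; "cp" for a local test

# Kilobytes free on the filesystem holding $1; empty if df cannot answer.
free_kb() {
    df -kP "$1" 2>/dev/null | awk 'NR == 2 { print $4 }'
}

# Host 1, step 1: stop argus so argus.out is closed.  Renaming the file while
# argus still has it open is the race to avoid: argus keeps writing to the
# renamed inode and the "new" file never gets any data.
stop_argus() {
    [ -r "$PIDFILE" ] && kill "$(cat "$PIDFILE")" 2>/dev/null
    sleep 1
}

# Host 1, step 2: restart on a fresh, empty output file.
start_argus() {
    "$ARGUS_BIN" -w "$1/argus.out" -d
}

# Host 1, steps 2-3: move the closed file to its dated name, then publish the
# ready marker.  The marker is written under a temp name and mv'd into place,
# so the collector never reads a partial marker, and it is created only after
# the data file has its final name, so "marker exists" means "file complete".
rotate_argus_file() {
    dir=$1; stamp=$2
    avail=$(free_kb "$dir")
    if [ -n "$avail" ] && [ "$avail" -lt "$MIN_FREE_KB" ]; then
        echo "rotate: only ${avail}KB free on $dir, not rotating" >&2; return 2
    fi
    [ -f "$dir/argus.out" ] || { echo "rotate: no argus.out in $dir" >&2; return 1; }
    mv "$dir/argus.out" "$dir/argus.$stamp" || return 1
    cksum "$dir/argus.$stamp" | awk '{ print $1, $2 }' > "$dir/.argus.$stamp.ready.tmp" || return 1
    mv "$dir/.argus.$stamp.ready.tmp" "$dir/argus.$stamp.ready"
}

# Host 1 nightly cron job: stop, rotate, restart.  Always restart so capture
# continues; a failed rotation is reported through the exit status (cron mails it).
sensor_nightly() {
    dir=$1; stamp=${2:-$(date +%Y%m%d)}
    stop_argus
    rotate_argus_file "$dir" "$stamp"; rc=$?
    start_argus "$dir"
    return $rc
}

# Host 2, step 4: the "notification" is the marker becoming fetchable.  Polling
# for it instead of starting at a fixed time removes the race with the sensor's
# rotation.  $XFER is deliberately unquoted so "scp -q" splits into words.
wait_for_ready() {
    src=$1; dst=$2; stamp=$3; tries=${4:-60}; interval=${5:-60}
    while [ "$tries" -gt 0 ]; do
        $XFER "$src/argus.$stamp.ready" "$dst/argus.$stamp.ready" 2>/dev/null && return 0
        tries=$((tries - 1)); sleep "$interval"
    done
    return 1
}

# Host 2, step 5: copy under a temp name, check cksum and size against the
# marker, and only then rename into place.  A truncated or corrupt copy never
# gets the final name, so an extract never runs on bad data and the sensor's
# copy is never deleted on the strength of an unverified transfer.
pull_argus_file() {
    src=$1; dst=$2; stamp=$3
    part="$dst/.argus.$stamp.part"
    $XFER "$src/argus.$stamp" "$part" || return 1
    want=$(cat "$dst/argus.$stamp.ready") || return 1
    got=$(cksum "$part" | awk '{ print $1, $2 }')
    if [ "$got" != "$want" ]; then
        echo "pull: cksum mismatch on argus.$stamp (want $want, got $got)" >&2
        rm -f "$part"; return 1
    fi
    mv "$part" "$dst/argus.$stamp"
}

# Host 2, step 6: run the extracts with ra(1), argus's reader (flags assumed).
run_extracts() {
    dst=$1; stamp=$2
    ra -r "$dst/argus.$stamp" - tcp and port 23 > "$dst/telnet.$stamp.txt"
}

# Host 2 nightly cron job, started a few minutes after the sensor's.
collector_nightly() {
    src=$1; dst=$2; stamp=${3:-$(date +%Y%m%d)}
    wait_for_ready "$src" "$dst" "$stamp" || { echo "pull: no marker for $stamp" >&2; return 1; }
    pull_argus_file "$src" "$dst" "$stamp" && run_extracts "$dst" "$stamp"
}
```

On the sensor the cron line is just `sensor_nightly /var/log/argus`; on the collector it is `collector_nightly dmzhost:/var/log/argus /data/argus`, with the marker doubling as the notification so no separate signalling channel is needed. The sensor keeps its rotated files until a separate prune step removes ones older than the retention window, so a failed or partial pull can always be retried from the source.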