argus monitoring scripts

Peter Van Epp vanepp at sfu.ca
Fri Aug 4 16:43:54 EDT 2000


	While I have dual DMZs (downtown campus) I haven't gotten organized 
enough yet to automate the pull back from downtown; it's currently manual.
This too is one of the things on my todo list (but not the top yet :-) ):
install RSA keys in SSH so that cron can trip scp to copy the files and then
a monitor script to compare MD5 checksums before issuing the remote delete.
	If you are interested in looking at the current simple perl scripts
for log rotation I ripped off from shadow, they are in the localbin.tar file in
/pub/argus/argus.config.tar.gz from ftp.sfu.ca. The root.crontab file installs
a crontab to run them at midnight and 6:30 AM. The rest of the stuff is a 
copy of argus and config files for building one on FreeBSD. I'm still working
on the files for a presentation next Wednesday but I don't expect the perl
stuff to change (although other things might).

Peter Van Epp / Operations and Technical Support 
Simon Fraser University, Burnaby, B.C. Canada

> 
> 
> Sorry for not being specific.  I'm running argus on several DMZs.  Every
> night I rotate the argus file.  Then, the file from each DMZ is brought
> over to a central machine.  There have been several times when disk space
> problems, race conditions, etc. have caused problems.
> 
> Basically, I was looking to see if anyone had a similar setup, and how
> they were handling it.  It seems that there are several steps:
> host 1:
> 1. Kill argus
> 2. restart with new logfile name
> 3. notify other host that yesterday's argus file is ready for xfer
> 
> host 2:
> 4. wait for notification
> 5. when received, pull over argus file
> 6. run various extracts
> 
> It's nothing difficult, but I hate reinventing the wheel.
> 
> -djb
> 
> On Fri, 4 Aug 2000, Peter Van Epp wrote:
> 
> > > 
> > > Hey David,
> > >    What kind of process monitoring are you looking for?
> > > Is Argus still running? That kind of thing?
> > > 
> > > Carter
> > 
> > 	If so I have some partly done perl scripts (ripped off from shadow) 
> > that will eventually monitor the argus and gzip tasks from cron
> > and restart them if they look to be dead, cycle log files from cron and
> > at reboot time (into the current logfile if one is already going). An
> > early version is running on my systems now (simple log rolling and restart
> > in a new log file) and there are partly finished versions with more checking
> > around which I'm willing to part with if you have time to work on them. 
> > 
> > Peter Van Epp / Operations and Technical Support 
> > Simon Fraser University, Burnaby, B.C. Canada
> > 
> 
> #+--+#+--+#+--+#+--+#+--+#+--+#+--+#+--+#+--+#+--+#+--+#+--+#+--+#+--+#
> David Brumley - Stanford Computer Security -      dbrumley at Stanford.EDU
> Phone: +1-650-723-2445           WWW: http://www.stanford.edu/~dbrumley
> Fax:   +1-650-725-9121     PGP: finger dbrumley-pgp at sunset.Stanford.EDU
> #+--+#+--+#+--+#+--+#+--+#+--+#+--+#+--+#+--+#+--+#+--+#+--+#+--+#+--+#
> c:\winnt> secure_nt.exe
>   Securing NT.  Insert Linux boot disk to continue......
> 
> 
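The hand-off sketched in the six steps above (host 1 signals that the rotated file is ready; host 2 pulls it, verifies it, then runs extracts) combined with the MD5-before-remote-delete check from the reply, as an added shell example. This is not code from the thread or from the argus or shadow scripts it mentions. It assumes a checksum sidecar file (`FILE.md5`, a name chosen here) as the "ready" notification, and simulates the remote host as a local directory so it runs offline; the `cp`/`rm` calls stand in for `scp`/`ssh host rm` with the RSA key mentioned in the reply.

```shell
#!/bin/sh
# Added example, not from the original post. Host 1 runs publish_log after
# restarting argus into a new log file; host 2 runs pull_log from cron.
# The "remote" spool is a local directory here so the script runs offline.

# Portable MD5 between GNU coreutils md5sum and BSD md5.
md5_of() {
    if command -v md5sum >/dev/null 2>&1; then
        md5sum "$1" | awk '{print $1}'
    else
        md5 -q "$1"
    fi
}

# publish_log FILE : host 1, step 3 (the "ready" notification).
# The sidecar is written to a temp name and renamed, so a puller never sees a
# sidecar whose checksum was computed over a half-written file.
publish_log() {
    sum=$(md5_of "$1") || return 1
    printf '%s\n' "$sum" > "$1.md5.tmp" && mv "$1.md5.tmp" "$1.md5"
}

# pull_log REMOTE_FILE LOCAL_DIR : host 2, steps 4 and 5.
# Exit status: 0 verified and remote copy removed, 3 not ready yet,
# 2 copy failed, 1 checksum mismatch (remote copy is left for a retry).
pull_log() {
    remote_file=$1
    local_dir=$2
    local_file="$local_dir/$(basename "$remote_file")"

    # Step 4: nothing to do until host 1 has published the sidecar.
    [ -f "$remote_file.md5" ] || return 3
    expected=$(cat "$remote_file.md5")

    # Step 5: copy to a temporary name and rename, so the extract jobs of
    # step 6 never pick up a partial transfer as a complete file.
    # Production: scp "host:$remote_file" "$local_file.partial"
    cp "$remote_file" "$local_file.partial" || return 2
    mv "$local_file.partial" "$local_file" || return 2

    actual=$(md5_of "$local_file")
    if [ "$actual" != "$expected" ]; then
        # Keep the bad copy for inspection, but never delete the remote file.
        mv "$local_file" "$local_file.bad"
        return 1
    fi

    # Checksum matched: only now is the remote delete safe.
    # Production: ssh host rm -f "$remote_file" "$remote_file.md5"
    rm -f "$remote_file" "$remote_file.md5"
    return 0
}
```

Run `publish_log /var/log/argus/argus.2000.08.03` from host 1's rotation cron job after the new argus instance is up, and `pull_log /remote/spool/argus.2000.08.03 /local/spool` from host 2's cron; a status of 3 just means "try again next run", which is what turns the race condition into a harmless retry.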