Argus-2.0 Update and ragator()

Carter Bullard carter at qosient.com
Wed Aug 30 09:29:37 EDT 2000


Gentle People,
   Argus-2.0 is behaving rather well, and I have working
ports of ra(), racount(), and rasort().  I will make
an initial test version available tomorrow.  It's not
perfect, but it's a good time to test things like signal
handling, file management and basic record accuracy.

One thing that I haven't mentioned, I've removed the
copyright restrictions on Argus-2.0, so the whole thing
will be open source.  Just seems like the right thing
to do ;o)

One problem that I won't have solved is legacy Argus
compatibility for ra(), racount(), and rasort().
This will come after the holiday, so if you want to
wait, I can hold off until next Friday.

I'm working on a new function ragator() (Ra aggregator)
which will replace raconnections().  Ragator() is
the most interesting new thing to come up so far,
and I'd like to get your opinions on this new
client and its functions.

The basic idea is that Argus generates micro-flow
audit data, or per transaction audit data.  Most
applications will not need this much information,
and so to start addressing Argus data management
I've jumped into the 'data aggregation' fire.

Throwing away records is not a good solution, at
least for me, so the idea is to merge or aggregate
records together for those flows that you just
don't need per transaction information for.

As an example.  Pinging can generate a lot of
Argus data.  Why not compress all the ping data
together, into one record that also contains the statistics
you wanted in the first place, like mean transaction
duration, with standard deviation, along with a min
and max, still keeping the packet and byte counts.

So in an attempt to solve this problem, ragator().
Ragator() aggregates like Argus Records together.
Through a configuration file, you specify which Argus
Records will be aggregated together, how they will
be aggregated and for how long a period they will be
aggregated before being reported.  This is going to be
very cool.

I've included the configuration file format that I'm
currently testing with.

Please take a look at it and if you see a better way,
please don't hesitate to send suggestions, comments,
opinions, reactions, flames.



Carter



Carter Bullard
QoSient, LLC
300 E. 56th Street, Suite 17A
New York, New York  10022

carter at qosient.com
Phone +1 212 813-9426
Fax   +1 212 813-9426
-------------- next part --------------
An embedded and charset-unspecified text was scrubbed...
Name: ragator.conf.txt
URL: <https://pairlist1.pair.net/pipermail/argus/attachments/20000830/bed19db7/attachment.txt>
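The aggregation the message above describes (merge like records, keep duration statistics along with packet and byte counts, report after a hold period), as an added example; it is not Argus or ragator() code and does not use the attached configuration format. The record tuple layout, the `aggregate` function and its `match_proto` and `hold` parameters are assumptions made for illustration.

```python
import math

# Constructed sample records, time-ordered: (start, proto, src, dst, duration_s, pkts, bytes).
# This layout is an assumption for illustration, not the Argus record format.
SAMPLE = [
    (0.0, "icmp", "10.0.0.1", "10.0.0.9", 0.010, 2, 196),
    (1.0, "icmp", "10.0.0.1", "10.0.0.9", 0.014, 2, 196),
    (2.0, "icmp", "10.0.0.1", "10.0.0.9", 0.012, 2, 196),
    (2.5, "tcp", "10.0.0.1", "10.0.0.9", 0.300, 12, 4200),
    (61.0, "icmp", "10.0.0.1", "10.0.0.9", 0.020, 2, 196),
]

class Agg:
    # Running statistics for one aggregated flow key.
    def __init__(self, first):
        self.first, self.n, self.mean, self.m2 = first, 0, 0.0, 0.0
        self.dmin, self.dmax, self.pkts, self.nbytes = math.inf, 0.0, 0, 0

    def add(self, dur, pkts, nbytes):
        self.n += 1                      # Welford's online mean/variance update
        delta = dur - self.mean
        self.mean += delta / self.n
        self.m2 += delta * (dur - self.mean)
        self.dmin, self.dmax = min(self.dmin, dur), max(self.dmax, dur)
        self.pkts, self.nbytes = self.pkts + pkts, self.nbytes + nbytes

    def stddev(self):                    # population standard deviation
        return math.sqrt(self.m2 / self.n) if self.n else 0.0

def aggregate(records, match_proto="icmp", hold=60.0):
    """Merge match_proto records per (proto, src, dst); pass other records through.
    An aggregate is reported once a record arrives `hold` seconds after its first."""
    out, active = [], {}
    for start, proto, src, dst, dur, pkts, nbytes in records:
        key = (proto, src, dst)
        if proto != match_proto:         # not selected: keep per-transaction detail
            out.append(("flow", key, dur, pkts, nbytes))
            continue
        agg = active.get(key)
        if agg and start - agg.first >= hold:   # hold period over: report it
            out.append(("agg", key, active.pop(key)))
        active.setdefault(key, Agg(start)).add(dur, pkts, nbytes)
    out.extend(("agg", k, a) for k, a in active.items())  # flush at end of input
    return out
```

With the constructed sample, the three pings in the first minute collapse into one record, the TCP flow passes through unchanged, and the ping at t=61 starts a new aggregate.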

