Multi file processing by clients

Carter Bullard carter at qosient.com
Fri Sep 8 11:54:13 EDT 2000


Hey Peter,
   I'd like to get rid of special case files, so
here is my defense to your specific examples.

   Shell expansion is pretty powerful stuff as
I'm sure you know.  Your list is easily created
using regular expressions, ( *06_30* ), so maybe
it's just a bad example.  Also, using our -t option,
you should be able to pick out the 6-12pm transactions
in multifile reads with the day wild carded.

   Does that handle your example?

   If we have file based configuration, I'd like the
file to contain the entire configuration, so that we
don't have to deal with precedence issues, like the
same option on the command line and in the file.
Who wins?


Carter


-----Original Message-----
From: owner-argus at lists.andrew.cmu.edu
[mailto:owner-argus at lists.andrew.cmu.edu]On Behalf Of Peter Van Epp
Sent: Friday, September 08, 2000 10:33 AM
To: argus
Subject: Re: Multi file processing by clients


>
> Gentle people,
>    So I'd like to get an opinion about how to support
> multifile reads for argus clients.  This problem arises
> because of our switch strategy, part of which we borrowed
> from tcpdump(),  -r for file, -S for socket and if neither,
> read from stdin.
>
> An ideal way of dealing with multiple input files would
> be to use the shell expansion. An example would be:
>
>    ra -ncr *.gz

	For maximum flexibility I'd rather see the capability to read the
argus files from a file. That way I can tailor (not that I necessarily know
why I might want to :-)) the exact set of files that are being read. For
example in this one that processes the entire month's worth of log files:

dmz.argus.2000_08_01_00_00.gz
dmz.argus.2000_08_01_06_30.gz
dmz.argus.2000_08_02_00_00.gz
dmz.argus.2000_08_02_06_30.gz
dmz.argus.2000_08_03_00_00.gz
dmz.argus.2000_08_03_06_30.gz
dmz.argus.2000_08_04_00_00.gz
dmz.argus.2000_08_04_06_30.gz
...

Could be replaced by this one which only does the segments between 6:30 and
midnight if there was a reason I wanted to. Shell expansion would get the
list above (an ls is how I created the file in the first place) but couldn't
generate the one below unless I moved files around. The down side is
(although I think it's a minor one) unless we also allow command line
expansion as we do now with multiple -r commands you need to create a file
of files to do more than one. I'd suggest the current multiple -r syntax
with a command line switch (is -f used? probably ...) that will switch the
current internal -r loop from reading argv to reading from a file which
would give us the best of both worlds at relatively little work. What do
other folks think?

dmz.argus.2000_08_01_06_30.gz
dmz.argus.2000_08_02_06_30.gz
dmz.argus.2000_08_03_06_30.gz
dmz.argus.2000_08_04_06_30.gz
...

	As to the quietness of the list, start of semester has hit here and
I've been swamped. I haven't managed to load the latest tar file yet,
hopefully this weekend (I'm typing this while I'm first in before the
crises have found me yet :-) ).

Peter Van Epp / Operations and Technical Support
Simon Fraser University, Burnaby, B.C. Canada


