Argus 2 question
Carter Bullard
carter at qosient.com
Fri Jan 4 11:37:25 EST 2002
Hey Jerry,
Thanks for the kind words. Hope you don't mind that I cc'd
your mail to the mailing list. Hmmm, I think you're trying something
that isn't there, but you're the second person in a week or two
that has asked for this, so .... Right now, we don't parse a filter
for the output file(s) from the argus.conf file. Pretty dumb not
doing it, so I'll add it in, but it won't be in 2.0.4 which is
"official" today.
The work around is to use '-w file "filter"' on the command line.
I should have a fix for this one in next week or so.
What is ARGUSHOME set to? Well, you have to set this in your
environment, but we go looking for ra.conf files in a number of
places, and .rarc's in other places, so here's the strategy.
Any comments are of course welcome.
The concept is that there may be a hierarchy of ra* configs.
So, read in the hierarchy, using all of them to modify or
supplement the other configs. It will seem confusing, but
it's there as a result of a lot of discussion about a year
ago.
The ra* programs all check to see if there is a system-wide
/etc/ra.conf file. If so it loads it in.
Next, if $ARGUSHOME is set, we'll load in any ra.conf file
that may be found in this directory. The idea is that one
of these will be available, but probably not both.
That would handle the system-wide configuration.
Now, to modify the system config, all the ra* programs search
$ARGUSPATH looking for a .rarc. If there is no $ARGUSPATH
or no configs in the path, we'll look for $HOME/.rarc and
if there is nothing there, we'll finally look for a .rarc in
$ARGUSHOME. We'll only load one .rarc file.
This is done on initialization. The configuration you pass
using the '-F file.conf' option is used to modify any of these
system configurations.
Hope this helps. I know it seems confusing. I put my .rarc
in my home directory. That works pretty well.
Carter
Carter Bullard
QoSient, LLC
300 E. 56th Street, Suite 18K
New York, New York 10022
carter at qosient.com
Phone +1 212 588-9133
Fax +1 212 588-9134
http://qosient.com
> -----Original Message-----
> From: Jerry.Terminiello at Sun.COM [mailto:Jerry.Terminiello at Sun.COM]
> Sent: Friday, January 04, 2002 10:44 AM
> To: carter at qosient.com
> Subject: Argus 2 question
>
>
> Hi Carter,
> I would first like to say that I love argus, and ra. I think
> it is a fantastic product that makes archiving and managing
> network data a very do-able task.
>
> If you have a moment I have two questions for you,
> (I do read documentation, and have been to the FAQ :) )
>
> 1. I set /etc/argus.conf to the max 5 files, with expressions
> on each, have tried what I think is every method, and all I
> get is parse errors in /var/adm/messages.
> Example:
> ARGUS_OUTPUT_FILE=/var/log/argus/argus.icmp "icmp"
> Dec 31 09:26:33 solaris-20 argus[17669]: [ID 352038
> daemon.error] ArgusInitClientProcess: client expression -
> icmp: parse error I can't seem to find any documentation
> except for "filter" I use solaris 8, and compiled it with gcc
> and GNU make.
>
> 2. This is the dumb question, where is $ARGUSHOME set to ?
> I want to use a rarc conf file but am not sure where it
> should go ? Is this determined when you compile it ?
>
> Thank you for your time,
>
> Jerry Terminiello
> Sun Microsystems
> jerry.terminiello at sun.com
>
>
>
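The ra* configuration lookup order Carter describes above (system-wide ra.conf files, then exactly one .rarc chosen from $ARGUSPATH, $HOME or $ARGUSHOME, then the '-F file.conf' given on the command line), written out as an added example. This is illustrative shell, not code from the argus project or from the mail; the function name ra_config_chain, its optional "-F file" argument, and the RA_SYSCONF override (defaulting to /etc/ra.conf so the lookup can be exercised against a scratch directory) are assumptions.

```shell
#!/bin/sh
# Added example (not argus code): walk the ra* config lookup order from the
# mail and print, in load order, each file that would be read. Assumed names:
# ra_config_chain, the "-F file" argument, and RA_SYSCONF (default /etc/ra.conf).

ra_config_chain() {
    ffile=""
    if [ "$1" = "-F" ] && [ -n "$2" ]; then
        ffile=$2
    fi

    # Step 1: system-wide config. Both ra.conf files are loaded if both exist.
    sysconf=${RA_SYSCONF:-/etc/ra.conf}
    if [ -f "$sysconf" ]; then
        echo "$sysconf"
    fi
    if [ -n "$ARGUSHOME" ] && [ -f "$ARGUSHOME/ra.conf" ]; then
        echo "$ARGUSHOME/ra.conf"
    fi

    # Step 2: exactly one .rarc. Search $ARGUSPATH (colon-separated) first,
    # then $HOME/.rarc, then $ARGUSHOME/.rarc; the first match wins.
    rarc=""
    if [ -n "$ARGUSPATH" ]; then
        oldifs=$IFS
        IFS=:
        for d in $ARGUSPATH; do
            if [ -z "$rarc" ] && [ -f "$d/.rarc" ]; then
                rarc="$d/.rarc"
            fi
        done
        IFS=$oldifs
    fi
    if [ -z "$rarc" ] && [ -f "$HOME/.rarc" ]; then
        rarc="$HOME/.rarc"
    fi
    if [ -z "$rarc" ] && [ -n "$ARGUSHOME" ] && [ -f "$ARGUSHOME/.rarc" ]; then
        rarc="$ARGUSHOME/.rarc"
    fi
    if [ -n "$rarc" ]; then
        echo "$rarc"
    fi

    # Step 3: a '-F file.conf' from the command line is applied last and
    # modifies whatever the files above set.
    if [ -n "$ffile" ]; then
        echo "$ffile"
    fi
    return 0
}

# When run directly, show the chain for the current environment.
ra_config_chain "$@"
```

Run it with the same ARGUSHOME and ARGUSPATH your ra* tools see (for example `ARGUSPATH=/etc/argus:$HOME sh ra_chain.sh -F my.conf`); for any setting that appears in several files, the last file printed is the one whose value survives. Since a .rarc found in any $ARGUSPATH directory is taken before the one in $HOME, only directories that are writable by trusted users belong in that path.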