Argus 2 question

Carter Bullard carter at qosient.com
Fri Jan 4 11:50:01 EST 2002


Hey Jerry,
   Hmmm, I misspoke on the filter.  I double-checked the
code, and we are parsing the filter from the conf file.
Boy is my mind going!!

Try this:
ARGUS_OUTPUT_FILE=/var/log/argus/argus.icmp icmp

it should work, if not send mail, and include the list!!!!

Carter

Carter Bullard
QoSient, LLC
300 E. 56th Street, Suite 18K
New York, New York  10022

carter at qosient.com
Phone +1 212 588-9133
Fax   +1 212 588-9134
http://qosient.com
   

> -----Original Message-----
> From: owner-argus-info at lists.andrew.cmu.edu 
> [mailto:owner-argus-info at lists.andrew.cmu.edu] On Behalf Of 
> Carter Bullard
> Sent: Friday, January 04, 2002 11:37 AM
> To: Jerry.Terminiello at Sun.COM
> Cc: Argus
> Subject: RE: Argus 2 question
> 
> 
> Hey Jerry,
>   Thanks for the kind words.  Hope you don't mind that I cc'd 
> your mail to the mailing list.  Hmmm, I think you're trying 
> something that isn't there, but you're the second person in a 
> week or two that has asked for this, so ....  Right now, we 
> don't parse a filter for the output file(s) from the 
> argus.conf file.  Pretty dumb not doing it, so I'll add it 
> in, but it won't be in 2.0.4 which is "official" today.
> 
> The work around is to use '-w file "filter"' on the command 
> line. I should have a fix for this one in next week or so.
> 
> What is ARGUSHOME set to?  Well, you have to set this in your 
> environment, but we go looking for ra.conf files in a number 
> of places, and .rarc's in other places, so here's the 
> strategy. Any comments are of course welcome.
> 
> The concept is that there may be a hierarchy of ra* configs. 
> So, read in the hierarchy, using all of them to modify or 
> supplement the other configs.  It will seem confusing, but 
> it's there as a result of a lot of discussion about a year ago.
> 
> The ra* programs all check to see if there is a system-wide 
> /etc/ra.conf file.  If so it loads it in.
> 
> Next, if $ARGUSHOME is set, we'll load in any ra.conf file
> that may be found in this directory.  The idea is that one
> of these will be available, but probably not both.
> 
> That would handle the system-wide configuration.
> 
> Now, to modify the system config, all the ra* programs search 
> $ARGUSPATH looking for a .rarc.  If there is no $ARGUSPATH or 
> no configs in the path, we'll look for $HOME/.rarc and if 
> there is nothing there, we'll finally look for a .rarc in 
> $ARGUSHOME.  We'll only load one .rarc file.
> 
> This is done on initialization.  The configuration you pass 
> using the '-F file.conf' option is used to modify any of 
> these system configurations.
> 
> Hope this helps.  I know it seems confusing.  I put my .rarc
> in my home directory.  That works pretty well.
> 
> Carter
> 
> Carter Bullard
> QoSient, LLC
> 300 E. 56th Street, Suite 18K
> New York, New York  10022
> 
> carter at qosient.com
> Phone +1 212 588-9133
> Fax   +1 212 588-9134
> http://qosient.com
> 
> 
> 
> 
> > -----Original Message-----
> > From: Jerry.Terminiello at Sun.COM [mailto:Jerry.Terminiello at Sun.COM]
> > Sent: Friday, January 04, 2002 10:44 AM
> > To: carter at qosient.com
> > Subject: Argus 2 question
> > 
> > 
> > Hi Carter,
> > I would first like to say that I love argus, and ra. I think
> > it is a fantastic product that makes archiving and managing 
> > network data a very do-able task.
> > 
> > If you have a moment I have two questions for you,
> > (I do read documentation, and have been to the FAQ :) )
> > 
> > 1. I set /etc/argus.conf to the max 5 files, with expressions
> > on each, have tried what I think is every method, and all I 
> > get is parse errors in /var/adm/messages.
> > Example:
> > ARGUS_OUTPUT_FILE=/var/log/argus/argus.icmp "icmp"
> > Dec 31 09:26:33 solaris-20 argus[17669]: [ID 352038 
> > daemon.error] ArgusInitClientProcess: client expression - 
> > icmp: parse error
> > I can't seem to find any documentation except for "filter".
> > I use Solaris 8, and compiled it with gcc and GNU make.
> > 
> > 2. This is the dumb question, where is $ARGUSHOME set to ?
> > I want to use a rarc conf file but am not sure where it 
> > should go ? Is this determined when you compile it ?
> > 
> > Thank you for your time,
> > 
> > Jerry Terminiello
> > Sun Microsystems
> > jerry.terminiello at sun.com
> > 
> > 
> > 
> 
> 
> 
> 
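
The ra* configuration search order Carter describes in the quoted message, as an added example in POSIX shell (not part of the thread or of the argus code): the function prints, in load order, the files the ra* programs would read for a given environment. The system-wide ra.conf path and an optional -F file are taken as parameters so the logic can be exercised against a scratch directory; treating the -F file as the last one loaded is an assumption drawn from the text.

```shell
#!/bin/sh
# ra_config_chain SYSCONF [FCONF]
#   SYSCONF: system-wide ra.conf (normally /etc/ra.conf; parameterised here)
#   FCONF:   file given with -F, applied after everything else (assumption)
# Reads $ARGUSHOME, $ARGUSPATH and $HOME from the environment and prints
# one path per line in the order they would be loaded.
ra_config_chain() {
    sys_conf=${1:-/etc/ra.conf}
    f_conf=$2

    # 1. system-wide ra.conf, if present
    [ -f "$sys_conf" ] && echo "$sys_conf"

    # 2. $ARGUSHOME/ra.conf, if $ARGUSHOME is set and the file exists
    [ -n "$ARGUSHOME" ] && [ -f "$ARGUSHOME/ra.conf" ] && echo "$ARGUSHOME/ra.conf"

    # 3. exactly one .rarc: first hit along $ARGUSPATH (colon-separated),
    #    else $HOME/.rarc, else $ARGUSHOME/.rarc
    rarc=""
    if [ -n "$ARGUSPATH" ]; then
        old_ifs=$IFS
        IFS=:
        for d in $ARGUSPATH; do
            if [ -z "$rarc" ] && [ -f "$d/.rarc" ]; then
                rarc="$d/.rarc"
            fi
        done
        IFS=$old_ifs
    fi
    [ -z "$rarc" ] && [ -f "$HOME/.rarc" ] && rarc="$HOME/.rarc"
    [ -z "$rarc" ] && [ -n "$ARGUSHOME" ] && [ -f "$ARGUSHOME/.rarc" ] && rarc="$ARGUSHOME/.rarc"
    [ -n "$rarc" ] && echo "$rarc"

    # 4. the -F file modifies whatever was loaded above
    [ -n "$f_conf" ] && echo "$f_conf"
    return 0
}
```

Because only one .rarc is ever loaded, a .rarc early in $ARGUSPATH silently shadows the one in $HOME; running the function with the daemon's real environment shows which copy actually wins.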
