Reducing argus-2.x log files for archiving
Russell Fulton
R.FULTON at auckland.ac.nz
Tue Jan 29 21:39:19 EST 2002
On Wed, 2002-01-30 at 14:57, Carter Bullard wrote:
> Hey Russell,
> The question is what do you want to preserve.
i'm well aware of that ;-)
> Simple 1.8 info is pretty dense, and we can do a
> bit better if we've already gone through aggregation.
>
> The easiest way to do this is to create a tool that
> controls what TLV's to keep in a record. That will get
> you closer to 1.8, and then if needed we could create
> some new ones that are still more dense.
>
> Is this reasonable?
Very!
I had two thoughts on this, one was to simply have a tool that converted
log files to 1.8 format and threw away all the new attributes that 2.0
collects. Second was a full blown tool that allows you to specify which
TVLs to keep. This is certainly the more useful option even if the
resulting log files are not quite as dense.
Hmmmm... could this be implemented as an output option to ra*?
inconguction with -w <file> -x(?) <output-config-file> or, perhaps
better, an option in the config file. -w <file> -f <archive.conf>
It isn't very often I want to go further back than the month or so that
I can keep on disk but every now and then it is really useful.
--
Russell Fulton, Computer and Network Security Officer
The University of Auckland, New Zealand
More information about the argus
mailing list