[ARGUS] Question about ragraph
eric
eric at catastrophe.net
Thu Jul 1 13:34:09 EDT 2004
On Thu, 2004-07-01 at 11:24:32 -0400, John Nagro proclaimed...
> I'd love some advice. Currently i run argus on a snort sensor of mine.
> It works pretty well, but i want to change it so it sends the data off
> to another machine that actually does the logging, processing, etc.
> How stable is this feature? have you used it yourself?
The general concensus is that you shouldn't write to disk on the
capture host; write out to a socket, then connect to it. So on a
seperate host, we do `ra -nnw outfile` -- just nohup this.
The problem is when you get around 300Mbps or so, argus might kindly
decide it doesn't want to work and will either give you write errors
(search the archives for this) or just die off completely. These
times are very evident when you're on a busy network and along comes
a W32.Slammer host; this *will* cause problems.
Make sure you have enough memory allocated to both the listener and
the process on the archive host. Take special care in knowing that
you might need twice the amount of memory as there is data for any
given time (doing an rasort requires this, etc).
Lots of good things have been mentioned in the mailing list in the
past few months; search those archives. Also, I'm putting together a
draft document on how to build a high-performance collector and
archive host on FreeBSD and will share it when it's legible :)
- Eric
More information about the argus
mailing list