[ARGUS] log file roll-over

Peter Van Epp vanepp at sfu.ca
Wed Jun 23 16:06:31 EDT 2004 

	Ah, now it begins to make sense. We are talking two different things
here. I'm (because my volume is low enough) running argus and archiving on 
the same box, and not doing it in real time. So in my case 

argus_bpf -w argus.out

is running in the background and every hour argusachive swipes and archives
the data file. Then I run ra (or any of the other tools) against the saved
file as in  "ra -r argus.out -c -nn". It sounds like you are running argus
on a sensor machine (the best thing to do at high volumes for performance 
reasons) and writing the output data to a socket. On another machine you 
have ra (or the other tools) listening to that socket and processing the data 
in real time. In this instance you will get the current data that is coming
from the argus sensor in real time. It won't be archived anywhere. The usual
answer here is to run ra writing to a file and use argus archive to save the
data (you can also have another copy of ra reading the data from the socket
and processing it in real time if you have the horsepower and the need). It 
looks like this:

Machine 1 Sensor			Machine 2 

argus_bpf -P 950 (etc)		ra -S address_machine_1 -P950 -w argus.out 

which writes the argus		This machine accepts the data from the sensor
data to socket 950		machine and writes it to file argus.out. Here
				argusarchive is run out of cron to archive the
				argus data to disk without impacting the 
				sensor machine (the disk writes appear to cause
				packet loss on the sensor machine at high 
				speeds).

				ra -S address -P950 -c -nn 

				would process the data stream in real time 
				independent of the archive stream, and this 
				sounds like what you are doing now. This one
				is optional, you can chose to run 
				ra -r argus.out (or an archive file) -c -nn
				as long as you have the top ra reading the 
				data stream and storing it to disk.

Is this more on the lines of what you wanted to know?

Peter Van Epp / Operations and Technical Support 
Simon Fraser University, Burnaby, B.C. Canada


On Wed, Jun 23, 2004 at 03:42:36PM -0400, John Nagro wrote:
> Ah yes, thank you, for some reason the debian package you get from apt
> doesnt install that part. But this still isnt roll-over, this simple
> swaps out the file once its reached a certain size. How does this
> effect my ability to analyze data? for example i run the server
> software on a system, and i intend on connecting to it using the
> client software (-S <computer> option in most tools). If cron has
> *just* swapped out the file, what sort of data will i get? none?
> 
> -John
>

More information about the argus mailing list