[ARGUS] log file roll-over

John Nagro john.nagro at gmail.com
Wed Jun 23 16:14:58 EDT 2004 

This information is very helpfull, thank you. Once i archive the data
using this script, can thinsg like ragraph still use the archived
data? as well as the current argus.out?

-John

On Wed, 23 Jun 2004 13:06:31 -0700, Peter Van Epp <vanepp at sfu.ca> wrote:
> 
>         Ah, now it begins to make sense. We are talking two different things
> here. I'm (because my volume is low enough) running argus and archiving on
> the same box, and not doing it in real time. So in my case
> 
> argus_bpf -w argus.out
> 
> is running in the background and every hour argusachive swipes and archives
> the data file. Then I run ra (or any of the other tools) against the saved
> file as in  "ra -r argus.out -c -nn". It sounds like you are running argus
> on a sensor machine (the best thing to do at high volumes for performance
> reasons) and writing the output data to a socket. On another machine you
> have ra (or the other tools) listening to that socket and processing the data
> in real time. In this instance you will get the current data that is coming
> from the argus sensor in real time. It won't be archived anywhere. The usual
> answer here is to run ra writing to a file and use argus archive to save the
> data (you can also have another copy of ra reading the data from the socket
> and processing it in real time if you have the horsepower and the need). It
> looks like this:
> 
> Machine 1 Sensor                        Machine 2
> 
> argus_bpf -P 950 (etc)          ra -S address_machine_1 -P950 -w argus.out
> 
> which writes the argus          This machine accepts the data from the sensor
> data to socket 950              machine and writes it to file argus.out. Here
>                                 argusarchive is run out of cron to archive the
>                                 argus data to disk without impacting the
>                                 sensor machine (the disk writes appear to cause
>                                 packet loss on the sensor machine at high
>                                 speeds).
> 
>                                 ra -S address -P950 -c -nn
> 
>                                 would process the data stream in real time
>                                 independent of the archive stream, and this
>                                 sounds like what you are doing now. This one
>                                 is optional, you can chose to run
>                                 ra -r argus.out (or an archive file) -c -nn
>                                 as long as you have the top ra reading the
>                                 data stream and storing it to disk.
> 
> Is this more on the lines of what you wanted to know?
> 
> 
> Peter Van Epp / Operations and Technical Support
> Simon Fraser University, Burnaby, B.C. Canada
> 
> On Wed, Jun 23, 2004 at 03:42:36PM -0400, John Nagro wrote:
> > Ah yes, thank you, for some reason the debian package you get from apt
> > doesnt install that part. But this still isnt roll-over, this simple
> > swaps out the file once its reached a certain size. How does this
> > effect my ability to analyze data? for example i run the server
> > software on a system, and i intend on connecting to it using the
> > client software (-S <computer> option in most tools). If cron has
> > *just* swapped out the file, what sort of data will i get? none?
> >
> > -John
> >
>

More information about the argus mailing list