Multiple argus sensors
Peter Van Epp
vanepp at sfu.ca
Fri Jan 21 12:30:11 EST 2005
I'm running multiple sensors but they are on disjoint networks. For a
while (but not right now) I had a sensor on our backbone link (seeing some
of the same traffic as our off campus link modulo switching) but used separate
ra / archives for each sensor. That is also what happens on the disjoint
sensors. Two of my sensors / archivers share the same machines (sensors writing
to ports 560 and 561 on the sensor, 2 copies of ra archiving via my modified
argusarchive script to two different archive directories and transferring via
scp to a third backup box for redundancy in the face of a disk failure).
I suspect this is a better plan than mixing more than one connection in a single
archive, since you have the option as traffic grows to move to expand the number
of boxes the traffic is spread across just by moving the archive files and ra
instance to a new box. Disk space should be about the same I expect.
Peter Van Epp / Operations and Technical Support
Simon Fraser University, Burnaby, B.C. Canada
On Thu, Jan 20, 2005 at 12:47:24PM -0500, John Nagro wrote:
> Howdy Folks,
> A couple questions concerning the use of multiple argus sensors. I
> want to monitor more of my network now, not just inbound/outbound to
> the world, but a lot of internal traffic too. Can one instance of ra
> listen to multiple sensors? Do the tools understand data-overlap? How
> will this affect the way I have to manage data to get useful
> information from it?
> Has anyone on the list deployed multiple sensors that work together?
> What troubles did they run into?
> (this thread will probably make it into the docs I am working on for
> the project so the more info the better)
> John Nagro
> john.nagro at gmail.com