Multiple argus sensors
Carter Bullard
carter at qosient.com
Mon Jan 24 12:10:13 EST 2005
Hey John,
you can have up to 5 remote connections for any ra* program, just
specify multiple -S options or put multiple servers in the
.rarc file that you use for your client startup.
There are 2 fundamental problems. Keeping the sources straight,
so having good source id's for your probes is important, and time
synchronization, so that the probes are in the same ball park in
time.
All the ra* programs can filter based on srcid, so as long as
you have good probe id's (different/consistent/same type), then
you can separate the data as it comes in by probe.
The time thing is important to finding records to compare, and
programs like rasort() can be used to open files from
different probes and interleave the records so you
can make comparisons.
Keep the list up on anything that you run into, if you could
please!!!!!
Carter
> From: John Nagro <john.nagro at gmail.com>
> Reply-To: John Nagro <john.nagro at gmail.com>
> Date: Thu, 20 Jan 2005 12:47:24 -0500
> To: <argus-info at lists.andrew.cmu.edu>
> Subject: [ARGUS] Multiple argus sensors
>
> Howdy Folks,
>
> A couple questions concerning the use of multiple argus sensors. I
> want to monitor more of my network now, not just inbound/outbound to
> the world, but a lot of internal traffic too. Can one instance of ra
> listen to multiple sensors? Do the tools understand data-overlap? How
> will this affect the way I have to manage data to get useful
> information from it?
>
> Has anyone on the list deployed multiple sensors that work together?
> What troubles did they run into?
>
> (this thread will probably make it into the docs I am working on for
> the project so the more info the better)
>
> -John
>
> --
> John Nagro
> john.nagro at gmail.com
>
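
The two problems raised in the reply above (keeping sources straight by srcid, and probe clocks being close enough to compare records) can be shown in a short Python sketch. It is an added example, not part of the original thread and not Argus code; the record layout, probe ids, addresses and the 1-second tolerance are constructed assumptions, not the ra* record format.

```python
import heapq
from collections import defaultdict
from typing import NamedTuple

class Rec(NamedTuple):
    srcid: str    # probe identifier (constructed values)
    stime: float  # flow start time in seconds, by that probe's own clock
    flow: tuple   # (proto, saddr, sport, daddr, dport)

# Constructed sample data: both probes see the same TCP flow, and the
# "core" probe's clock runs about 0.4 s ahead of "border".
BORDER = [
    Rec("border", 1000.00, ("tcp", "10.0.0.5", 40000, "192.0.2.10", 80)),
    Rec("border", 1003.20, ("udp", "10.0.0.7", 5353, "192.0.2.53", 53)),
]
CORE = [
    Rec("core", 1000.40, ("tcp", "10.0.0.5", 40000, "192.0.2.10", 80)),
    Rec("core", 1010.00, ("tcp", "10.0.0.9", 40001, "10.0.1.2", 22)),
]

def interleave(*streams):
    """Merge per-probe streams (each sorted by stime) into one timeline."""
    return list(heapq.merge(*streams, key=lambda r: r.stime))

def by_probe(records):
    """Separate a merged stream back out by srcid."""
    out = defaultdict(list)
    for r in records:
        out[r.srcid].append(r)
    return dict(out)

def overlaps(records, tolerance=1.0):
    """Pair records of one flow seen by different probes within `tolerance`
    seconds. Input must be time ordered. Returns (flow, a, b, offset)."""
    last_seen = {}  # flow -> most recent record for that flow
    pairs = []
    for r in records:
        prev = last_seen.get(r.flow)
        if prev and prev.srcid != r.srcid and r.stime - prev.stime <= tolerance:
            pairs.append((r.flow, prev.srcid, r.srcid, round(r.stime - prev.stime, 3)))
        last_seen[r.flow] = r
    return pairs

if __name__ == "__main__":
    merged = interleave(BORDER, CORE)
    print([r.srcid for r in merged])
    print(overlaps(merged))
```

If the probes' clocks drift further apart than the tolerance, the overlapping flow is no longer paired and would be counted twice, which is why the time synchronization matters.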