Multiple argus sensors

Carter Bullard carter at qosient.com
Mon Jan 31 12:45:32 EST 2005 

Hey John,
   In the argus.conf file its the ARGUS_MONITOR_ID= field, or you can
use the '-e value'  option.  Sometimes its more useful, if your using
an IP address as the ID, to put the actual address rather than the name.

Carter



> From: John Nagro <john.nagro at gmail.com>
> Reply-To: John Nagro <john.nagro at gmail.com>
> Date: Mon, 31 Jan 2005 12:31:05 -0500
> To: Carter Bullard <carter at qosient.com>
> Cc: Argus <argus-info at lists.andrew.cmu.edu>
> Subject: Re: [ARGUS] Multiple argus sensors
> 
> Carter,
> 
> How does one go about properly setting a source ID for each sensor? i
> looked in the config file and couldnt find it.
> 
> -John
> 
> 
> On Mon, 24 Jan 2005 12:10:13 -0500, Carter Bullard <carter at qosient.com> wrote:
>> Hey John,
>>    you can have up to 5 remote connections for any ra* program, just
>> specify multiple -S options or put multiple servers in the
>> .rarc file that you use for your client startup.
>> 
>>    There are 2 fundamental problems.  Keeping the sources straight,
>> so having good source id's for your probes is important, and time
>> synchronization, so that the probes are in the same ball park in
>> time.
>> 
>>    All the ra* programs can filter based on srcid, so as long as
>> you have good probe id's (different/consistent/same type), then
>> you can separate the data as it comes in by probe.
>> 
>>    The time thing is important to finding records to compare and
>> using programs like rasort() can be used to open files from
>> different probes and interleaving the records so you
>> can make comparisons.
>> 
>>    Keep the list up on anything that you run into, if you could
>> please!!!!!
>> 
>> Carter
>> 
>>> From: John Nagro <john.nagro at gmail.com>
>>> Reply-To: John Nagro <john.nagro at gmail.com>
>>> Date: Thu, 20 Jan 2005 12:47:24 -0500
>>> To: <argus-info at lists.andrew.cmu.edu>
>>> Subject: [ARGUS] Multiple argus sensors
>>> 
>>> Howdy Folks,
>>> 
>>> A couple questrions concerning the use of multiple argus sensors. I
>>> want to monitor more of my network now, not just inbound/outbound to
>>> the world, but a lot of internal traffic too. Can one instance of ra
>>> listen to multiple sensors? Do the tools understand data-overlap? How
>>> will this effect the way i have to manage data to get usefull
>>> information from it?
>>> 
>>> Has anyone on the list deployed multiple sensors that work together?
>>> What troubles did they run into?
>>> 
>>> (this thread will probably make it into the docs i am working on for
>>> the project so the more info the better)
>>> 
>>> -John
>>> 
>>> --
>>> John Nagro
>>> john.nagro at gmail.com
>>> 
>> 
>> 
> 
> 
> -- 
> John Nagro
> john.nagro at gmail.com
>

More information about the argus mailing list