ratail

Karl Tatgenhorst karlt at uchicago.edu
Thu Oct 12 11:12:43 EDT 2006


Hi,

    My subject is not rat tail :-) One of my coworkers built a process
that monitors data from the argus stream and alerts on it for us (IDS
style), however we bumped into a problem. We run this process on the
same server that we collect data from our Argus sensors on. When we
start the process with the -S <server> switch the existing processes
using -S die. It seems as though each sensor can only have one ra -S
process on this box. The box is enormously scaled for this and is not
being overloaded. The code I am using is rc.30

here are the commands I keep running for storage:

ra -S argus-south.uchicago.edu:561 -s +suser +duser -w /var/log/argus/unprocessed/tmp.argus_south

ra -S argus-north.uchicago.edu:561 -s +suser +duser -w /var/log/argus/unprocessed/tmp.argus_north


This is the command that my coworker starts. When he does this for
whichever server, the other monitor for that server dies.

ra -S argus-north.uchicago.edu:561 -s saddr sport daddr dport suser:128 duser:128


I seem to remember a thread about this before, so I suggested running ra
against my tmp files. These files are on a ram-san so IO wait is not an
issue. The problem then comes in that he uses ra and tail -f then tail
craps out because the last bit of the file is strange. Without tail the
file gets to the end and finishes instead of watching for growth. So I
was wondering if anyone out there was up to building an ra that would
open the file again every few seconds or so at the last known offset
much like tail -f or if someone knows another solution to our problem.


Thanks,

Karl
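The tail -f style reader the post asks for, as an added example that is not part of the original message or of the argus tools: it reopens the file every few seconds at the last known offset and holds back the incomplete trailing record instead of handing it on, which is the "strange last bit" that breaks a plain tail -f. The 4-byte length-prefix framing in `split_records` is a constructed stand-in, not the argus record format; real argus framing would have to replace it before records were fed to ra.

```python
import os
import struct
import time

HEADER_LEN = 4  # constructed stand-in framing: 4-byte big-endian payload length, then payload

def frame(payload: bytes) -> bytes:
    """Build one record in the stand-in framing (used to construct sample input)."""
    return struct.pack(">I", len(payload)) + payload

def split_records(buf: bytes):
    """Return (complete_records, leftover). Leftover is a partial trailing record, if any."""
    records, pos = [], 0
    while len(buf) - pos >= HEADER_LEN:
        (length,) = struct.unpack(">I", buf[pos:pos + HEADER_LEN])
        end = pos + HEADER_LEN + length
        if end > len(buf):          # record not fully written yet: keep it for the next poll
            break
        records.append(buf[pos + HEADER_LEN:end])
        pos = end
    return records, buf[pos:]

class Follower:
    """Follow a growing file by offset, reopening it on every poll (no persistent handle)."""
    def __init__(self, path: str, offset: int = 0):
        self.path = path
        self.offset = offset        # first byte not yet read from the file
        self.pending = b""          # bytes already read that do not yet form a whole record

    def poll(self):
        """Reopen the file, read what was appended since the last offset, return whole records."""
        size = os.path.getsize(self.path)
        if size < self.offset:      # file was truncated or rotated: start from the beginning
            self.offset, self.pending = 0, b""
        with open(self.path, "rb") as fh:
            fh.seek(self.offset)
            chunk = fh.read()
        self.offset += len(chunk)
        records, self.pending = split_records(self.pending + chunk)
        return records

def follow(path: str, interval: float = 2.0, offset: int = 0):
    """Generator: yield complete records as they appear, sleeping between polls like tail -f."""
    fol = Follower(path, offset)
    while True:
        for rec in fol.poll():
            yield rec
        time.sleep(interval)
```

Each record yielded by `follow` is a complete unit, so a consumer that writes them to a pipe for ra never sees a half-written tail.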

