racluster request

Denton, Rick rick.denton at cybertrust.com
Thu Oct 26 18:17:38 EDT 2006


> 
> How about multiple sections in the racluster.conf file, with 
> separate rules and outputs? Each record is processed against 
> all the sections?

separate outputs sounds interesting but not necessarily what one
wants.. you may want the separate aggregates in the same output for any
further processing.. but an option on the rule to specify an output
could be a good thing..

> I also see how a simple fall through logic can be too simple, 
> but to do any other approach really begs for a programmatic 
> like strategy, with "if then" like statements.  If you're 
> interested in scoping this type of approach, we can do a 
> compiler for it!!!

possibly yes.. this is now becoming reminiscent of NeTraMet's err..
interesting.. language.. let's not use its ;)

racount is now just a special case of racluster (as i presume ramon is
also) but to racount and aggregate on separate things currently involves
multiple passes. Despite this i have never been able to figure out how
ramon 'folds' things together and have never managed to reproduce the
figures it produces by slicing and dicing anything else :\

a fall through with limiter and sensible arrangement of rules would
help a lot.. but defining a language / grammar for it would be more
entertaining (to my warped mind at least) :)

i'll have a think about a potential language and/or any other useful
approaches that may work.

... and it would be good if its name was say.. 'ragator', the friendly
dragon ;) since it is still an aggregator .. 'racluster' sounds like it
is going to do something funky with multiple argii probes.. sort of like
radium i guess.. rather than 'cluster' flows..


