No user data field in rc 29

Carter Bullard carter at qosient.com
Fri Sep 22 13:19:08 EDT 2006


Gentle people,
The reason we are removing "compound" keywords (keywords that
refer to more than one column/object/metric) is mainly for consistency
in printing, filtering, stripping, graphing, where you need to work with
only one value at a time. As a result, keywords only correspond to one
object now.

Some keywords like 'pkts', 'bytes', 'rate', or 'loss' refer to combined
values, for both src and dst. For 'pkts', it's the sum of the src and
dst pkt counts. For 'rate', it's the sum of the src and dst byte
values divided by the duration.

The ra.1 man page is up to date on this.

Carter


On Sep 22, 2006, at 11:29 AM, Peter Van Epp wrote:

> On Fri, Sep 22, 2006 at 10:08:47AM -0500, Karl Tatgenhorst wrote:
>> Hi,
>>
>>     I am using argus rc 29 now on our network and having a strange
>> issue. I first got everything working with no special options, that went
>> well. Then I added to the argus server "-U 128" to preserve 128 bytes of
>> user space in the record. That ran without a hitch. Then I set the
>> clients to "ra -S argus-north:561 -s +user:128 -w /var/log/argus/processed/north/tmp.argus_north"
>>
>> There is no difference in the output. I am not catching any user data.
>>
>>
>> Any thoughts? Feel free to ask for any more info that you need.
>>
>> Thank you,
>>
>> Karl Tatgenhorst
>> Network Security Officer
>> University of Chicago
>> 773-702-3956
>>
>
> 	For sorting reasons most of the combined print fields are gone (it
> breaks sorting or probably makes sorting too complex).
> Try -s +suser +duser I know that works and indeed some recent ra man page
> (probably not as late as rc.29 though) indicates suser and duser are the only
> two left :-).
>
> Peter Van Epp / Operations and Technical Support
> Simon Fraser University, Burnaby, B.C. Canada
>




