Taking Argus Source from Files Doesn't Ignore ~/.rarc options
Eric Pancer
epancer at pobox.com
Thu Apr 10 20:16:53 EDT 2008
On Thu, Apr 10, 2008 at 9:01 AM, Carter Bullard <carter at qosient.com> wrote:
> Yes I'm afraid that your ra* programs are doing the correct thing.
> You have this line in your .rarc:
>
> > RA_ARGUS_SERVER=radium:562
> OK, so why is this behavior in there to begin with? The idea of
> reading a file, before you start reading data from a real-time remote
> server, is to provide a "priming" of the pump, if you will. I have
> many clients that do this, where they read a file of 'expected' flows
> which are matched against the flows coming in from the real-time
> source. In the client source code, these records are the "STICKY"
> records, they are cached, but never timed out, so we have a set of
> flows as reference.
>
> OK, that is the rationale. I don't think having a "-r file" option should
> clear out the "-S host" option learned from a resource file.
> I usually have many ra.conf files around for my specific needs, and
> have the ~/.rarc for formating.
>
> Could you consider removing the entry?
Yes, I have; I guess I slightly understand the rationale, but I think
this should definitely be documented in each instance of "-r" in man
pages. Personally, I'd like an option to only read local data, but
.... I also would like world peace too!
- Eric
More information about the argus
mailing list