Argus 3.0 Client .rarc problems... Ra Version 3.0.0.rc.69

Mon Feb 18 10:56:53 EST 2008

Hey Bartola,
Maybe just a bit of confusion.

Getting the time format right for insertion into a DB is done through
defining a RA_TIME_FORMAT in your .rarc.  If you look in the
./support/Config/excel.rc, you'll see how we define the variables to
get the time setup for excel.   For you, it should be as straight- 
forward.

The RA_OUTPUT_FILE is there specifically to generate binary argus
record output and write it out to a file.  If you want ascii output,
just ">" the output into a file.
    ra -r file > outfile.txt

In your 3rd problem, you're telling ra() to generate a binary
argus record stream as output, and put the output in /tmp/argus2,
not what you're wanting, and your missing the command line delimiter
that indicates the start of the filter.

> ra -r argus.out -w /tmp/argus2 tcp or udp or icmp

should be:
    ra - argus.out  - tcp or udp or icmp > /tmp/argus2

Setting the RA_USEC_PRECISION, doesn't change the format of
the RA_TIME_FORMAT string, which is probably set to "%T.%f".
Change that value to "%T", to get rid of printing the fractional part
of time and leave the precision variable around 3-6.

The srcid right now is assumed to be an IP address, but it is only
the client programs that think that.  I'll fix that this week  
(hopefully tonight).

Carter

>
>
> I am having a few problems using the .rarc file on the Argus-Client  
> (3.0, Ra Version 3.0.0.rc.69 ).  (RUNNING ON CENTOS-4_6)
>
> Below are my settings from the .rarc file. (it's also attached),  
> everything else is still set to the default. And here is the command  
> line I am running:  ra -r argus.out - tcp or udp or icmp > /tmp/ 
> argus (I'll explain why I use this later)...
>
> Printing Labels....
> RA_PRINT_LABELS=0
>
>
> Using the Field Specifier Var...
> RA_FIELD_SPECIFIER="srcid stime ltime dur saddr daddr proto sport  
> dport bytes sbytes dbytes pkts spkts dpkts dir"
>
>
> Using the Delimiter Var...
> RA_FIELD_DELIMITER=','
>
> Not printing Names...
> RA_PRINT_NAMES=none
>
> Turning off fractional Time values (decimals)..
> RA_USEC_PRECISION=0
>
>
>
> Ok.. So I basically just want a flat file that I can import into a  
> DB that has the 'above' fields (delimited)..
>
> 1st Problem:
>
> stime, ltime do NOT contain the DATE just the TIME.. In the previous  
> release it looks like the date was 'part' of this field.  i don't  
> see it now, Is there another field for date?  can someone verify?
>
> 2nd Problem:
> If I use the RA_OUTPUT_FILE var. in the .rarc file like below, it  
> creates an 'encoded' output file..
>
> RA_OUTPUT_FILE="/tmp/test.out tcp or udp"
>
> Is there a problem with my syntax???
>
> 3rd Problem:
>
> If I run the following from the command line (with RA_OUTPUT_FILE  
> commented OUT in the .rarc file):
>
> ra -r argus.out -w /tmp/argus2 tcp or udp or icmp
>
> I get a syntax error:
> ra[3458]: 20:46:39. or udp or icmp filter syntax error
>
> But if I run this:
>
> ra -r argus.out - tcp or udp or icmp > /tmp/argus
>
> And send the data to a file.. It works...  ??
>
> 4th problem:
>
> When turning off the fractional time values in the .rarc file
> RA_USEC_PRECISION=0
>
> It produces a time but the . (decimal) is still on the end...
>
>
> 5th problem ARGUS SERVER PROBLEM:
>
> Just like Mr. Pancer posted about the srcid, I'm have the same issue  
> when setting a value in the ARGUS_MONITOR_ID= var...
>
> It prints an IP..
>
> Any help would be appreciated... Thanks...
>
> Cheers.
>
> Bartola

-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://pairlist1.pair.net/pipermail/argus/attachments/20080218/d9b350e5/attachment.html>