-S option

Carter Bullard carter at qosient.com
Sat Jul 5 11:32:42 EDT 2008


Hey Barry,
Let's keep these exchanges on the list, as it can help many and gets into the archive.
OK, the "-S argusSource" option assumes that there is an argus or radium running on the designated machine, and because there is no port specified, it will use port 561, the default "experimental monitor" port.

So make sure there is an argus running on the machines you're interested in, and make sure that they are using the default port number.  If they are not configured to use the default port, then you will need to specify their port.

    ra -S host:port

Usually this means that you are interested in real-time flow data, and connecting to either argus or radium will give you constant data, as it is being generated. When argus and radium are used to play back historical data in a simulation style of playback (using the "-M realtime" option, and given a data source from a file or set of files), you can still attach to either of them using this method.

If you want to read argus data from files using ra(), you can only read them from your local filesystem.  Of course, the files can be local or remote, depending on how your host filesystem is configured, but the filesystem is providing the remote access.

If you have an argus archive, radium() provides a method for you to access the data.  If radium() is running on the archive machine you can simply provide the pathname to the -S option, and get radium() to fetch the file for you.

Let's assume that radium() is running on host "host", using port 12345 (so you don't have to be root to provide this port access), and the archive is at /path/to/the/argus/data

    host%  radium -XP 12345 -d

Then on another host, you can read argus data files this way:

    host2%  ra -S host:12345/path/to/the/argus/data/file

The difference between this and say scp() or ftp() or some other file transfer method, is that radium() guarantees that the only data that it will transfer is argus data. (it parses the file as argus data, and resends it only as argus data). Because radium() can be chroot'd and it can also provide strong authentication and encryption for transport of data on the wire, you can build a secure archive that no-one can get to except through the radium() interface, so you can audit who gets what argus data.

I know this is more than you were expecting, but it's always nice to get this stuff into the mail archive.

If I missed something, please send more mail.

Carter



On Jul 5, 2008, at 10:47 AM, Barry Kolts wrote:

> Hi Carter,
>
> Thanks for your response, rasplit() is just what I need for several things on the to-do list. I do have one question though. I understand I should be able to use rasplit() as the data comes in and that the "-S" will allow me to get data from a remote machine. I also gather I can use "-S" to get data from the local machine from some of the posts I see on the mailing list, wikis, other posts and blogs. However I don't seem to be doing it right. If I use "-S localhost" I get "connection refused" and if I use "-S <local machine IP>" I get "connection failed". What am I doing wrong or what other information do you need to help me.
>
> Thanks for your time,
> Barry
> ----- Original Message -----
> From: Carter Bullard
> To: Barry Kolts
> Cc: Argus Mailing List
> Sent: Monday, June 30, 2008 9:17 AM
> Subject: Re: [ARGUS] -t Option in Racluster
>
> Hey Barry,
> The way that I do this is to use rasplit() to put data as it comes in, into a data archive that is based on year/month/day, and then use cron to fire up a report generator on the first day of the month.
>
>    rasplit -S argusSource -M time 5m -w /archivePath/%Y/%m/%d/argus.%Y.%m.%d.%H.%M.%S
>
> The data from my argus source would be written into this file, right now, as /path/2008/06/30/argus.2008.06.30.09.55.00 and starting at 10am it would start writing data into /path/2008/06/30/argus.2008.06.30.10.00.00.
>
> When it's time to generate a report, you can just run a program like ra() to feed data into your report generator (assuming it likes ascii input):
>
>    ra -R /path/2008/06 | reportScript
>
> This is not the most efficient way, but it highlights how you can build a repository that fits your reporting strategy and how ra* programs can work off of whole repositories at a time.
>
> Racluster will have some problems processing a whole month's worth of data at a time if you are a university, but for a small workgroup, a month is usually no problem. However, you can usually generate daily intermediate reports, and if you do it right, racluster only needs to process the daily intermediates to generate weekly and monthly report data.
>
> But to get to your specific question, the time filter can be specific, wildcarded etc..... in a lot of ways.
>
> If you want to go back to the beginning of the previous month (because -1M goes to the beginning of the current month):
>    racluster -t -2M+1M
>
> It's the same algorithm as
>    racluster -t -2d+1d
>
> Wildcards like this may be more useful:
>    racluster -t 2008/06
>
> which should match any records that fall into June, of 2008.
>
> I didn't put in 'w'eeks, as that seems confusing for some people (which week?), but filters like "-21w+10s" are useful in that they give you the first 10 seconds of some week (hard to know which one).  But it's easy to put it in.
>
> Carter
>
> On Jun 27, 2008, at 11:36 PM, Barry Kolts wrote:
>
>> Hi,
>>
>> Using Racluster I would like to specify last month for the -t option. I have tried -t -1M but that gives me the current month. Since my data is less than a month old it is difficult for me to play around with -t. I wouldn't know if I got it right because I don't have data that old. My goal is to produce reports on the first of the month for the previous month automatically. Something like -t -1M would make life simple but if it isn't possible I can build the command from a script.
>>
>> Thanks in advance for any help,
>> Barry
>
>

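The quoted exchange above covers two pieces of date arithmetic that a cron-driven monthly report has to get right: which 5-minute rasplit file a record lands in under the "-M time 5m -w .../%Y/%m/%d/argus.%Y.%m.%d.%H.%M.%S" naming scheme, and which archive directory "ra -R" should be pointed at on the first of the month for the previous month (including the January case, where the previous month belongs to the previous year). The following is an added example, not code from the argus project or from either poster; the archive root "/archivePath" and the function names are assumptions, and it only builds the paths and command lines, it does not run ra or racluster.

```python
"""Date helpers for a rasplit-based argus archive (added example, not argus code)."""
from datetime import date, datetime, timedelta

# Assumed archive root; matches the -w prefix used in the quoted rasplit example.
ARCHIVE_ROOT = "/archivePath"


def rasplit_filename(ts, root=ARCHIVE_ROOT, period_minutes=5):
    """Return the file rasplit -M time <period>m -w <root>/%Y/%m/%d/argus.%Y.%m.%d.%H.%M.%S
    would be writing at timestamp ts: the timestamp is floored to the period boundary,
    so 09:57:13 lands in the 09:55:00 file and 10:00:00 starts a new file."""
    floored_minute = ts.minute - ts.minute % period_minutes
    boundary = ts.replace(minute=floored_minute, second=0, microsecond=0)
    return boundary.strftime(f"{root}/%Y/%m/%d/argus.%Y.%m.%d.%H.%M.%S")


def previous_month(today):
    """(year, month) of the month before today's month, rolling the year back in January."""
    first_of_this_month = today.replace(day=1)
    last_day_of_previous = first_of_this_month - timedelta(days=1)
    return last_day_of_previous.year, last_day_of_previous.month


def archive_dir(root, year, month):
    """Directory holding one month of the %Y/%m/%d archive layout."""
    return f"{root}/{year:04d}/{month:02d}"


def month_time_filter(year, month):
    """Wildcard form of the racluster -t filter for one month, e.g. 2008/06."""
    return f"{year:04d}/{month:02d}"


def monthly_report_command(today, root=ARCHIVE_ROOT):
    """Argument vector for the 'ra -R <month dir>' step run on the first of the month.
    Feeding the previous month's directory selects exactly last month's files."""
    year, month = previous_month(today)
    return ["ra", "-R", archive_dir(root, year, month)]


if __name__ == "__main__":
    # Constructed sample timestamps, not real archive data.
    print(rasplit_filename(datetime(2008, 6, 30, 9, 57, 13)))
    print(" ".join(monthly_report_command(date(2008, 7, 1))))
    print("racluster -t", month_time_filter(*previous_month(date(2009, 1, 1))))
```

The floor in rasplit_filename is what makes the 09:55:00 / 10:00:00 pair in the quoted message come out right, and previous_month is the part the original poster needed to script: date(2009, 1, 1) maps to 2008/12, which "-1M" does not give you.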

