rasort -m loss won't work
Barry Kolts
bhkolts at gotrain.org
Sun Jul 20 00:46:18 EDT 2008
Carter Bullard <carter <at> qosient.com> writes:
>
> Hey Barry,
> Sorry for the delayed response. We do have sorting on the "loss" field.
> Use the "-h" option on any ra* command, and you'll get the version
> number, if you think that you're using older code.
>
> If you have a file that doesn't sort using the argus-3.0.x
> distributions, send it and I'll take a look.
>
> Carter
>
> On Jul 17, 2008, at 4:01 PM, Barry Kolts wrote:
>
> > Peter Van Epp <vanepp <at> sfu.ca> writes:
> >
> >>
> >> On Wed, Jul 16, 2008 at 08:27:46PM -0500, Barry Kolts wrote:
> >>> Hi all,
> >>>
> >>> Rasort doesn't seem to sort on loss. It works on sloss and dloss.
> >>> I have all the same symptoms mentioned in post
> >>> http://thread.gmane.org/gmane.network.argus/4810 . Carter fixed
> >>> this in post http://thread.gmane.org/gmane.network.argus/4824 .
> >>> So I'm assuming my copy of rasort is old. I'm using
> >>> argus-client_3.0.0.rc.34-1_i386.deb pointed to by the download
> >>> page of the Argus website. Where can I find the latest version?
> >>> Do I need to contact Andrew Pollock? I would like to upgrade with
> >>> apt-get if possible, but if necessary I can teach myself how to
> >>> compile the source, I think. Any help and guidance will be
> >>> appreciated.
> >>>
> >>> Barry
> >>
> >> 3.0 has now been released (and I think from discussion on the list
> >> there are rpms but apparently not in /pub/argus which appear to be
> >> 2.0.5!) available somewhere (I build from the tar ball rather than
> >> rpms). Upgrading to the release version would probably be a good
> >> bet. For argus you probably want the bug fix beta in
> >> /dev/argus-3.0/argus-3.0.1.beta.1.tar.gz which corrects a couple of
> >> problems in argus (clients I think are the same as release).
> >>
> >> Peter Van Epp / Operations and Technical Support
> >> Simon Fraser University, Burnaby, B.C. Canada
> >>
> >>
> >
> > Peter,
> >
> > Thanks for your response. This will probably fix some other things
> > that didn't seem to work right, but because of my 'new to Argus, new
> > to Linux' status I was reluctant to point my finger at Argus, thinking
> > it was something I was doing wrong. I will download a C compiler and
> > learn how to use it...time to quit testing the waters with my big toe
> > and dive right in. ;)
> >
> > Thanks again,
> > Barry
> >
> >
>
>
Hi Carter,
Thanks for your response. As suspected, I was using 3.0.0.rc34. I now have the
3.0.1.beta.2 server and 3.0.0 clients. Peter Van Epp has been a great help in
getting me over the learning curve of compiling the source. Thanks Peter!! I
have one issue right now that might not be important. When I start the daemon
I get the following:
> cd /etc/init.d
> ./argus start
[: 49: no: unexpected operator
Starting argus: ./argus: 122: success: not found
./argus: 122: failure: not found
I am using the argus.conf file that came with the source:
#!/bin/sh
#
# Copyright (c) 2000-2008 QoSient, LLC
# All rights reserved.
#
# Permission to use, copy, modify, and distribute this software and
# its documentation for any purpose and without fee is hereby granted,
# provided that the above copyright notice appear in all copies and
# that both that copyright notice and this permission notice appear
# in supporting documentation, and that the name of QoSient not be
# used in advertising or publicity pertaining to distribution of the
# software without specific, written prior permission.
#
# QOSIENT, LLC DISCLAIMS ALL WARRANTIES WITH REGARD TO THIS
# SOFTWARE, INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY AND
# FITNESS, IN NO EVENT SHALL QOSIENT, LLC BE LIABLE FOR ANY
# SPECIAL, INDIRECT OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER
# RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF
# CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN
# CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
#
# argus This shell script takes care of starting and stopping
# argus, on RH Linux. Should be useful for other versions.
#
# chkconfig: 2345 55 45
# description: argus-2.0 generates network transaction audit records.
# processname: argus
# config: /etc/argus.conf
#
# The assumption here is that /etc/argus.conf specifies ARGUS_DAEMON=yes.
# If not the system will hang running argus. If this is not set, change
# "daemon argus" below to "daemon argus -d"
#
# Source function library. Red Hat ships it as /etc/init.d/functions
# (older releases: /etc/rc.d/init.d/functions). Ubuntu ships neither, so
# fall back to minimal definitions of the helpers used below; without
# them the script fails with "success: not found" / "failure: not found".
if [ -f /etc/init.d/functions ]; then
    . /etc/init.d/functions
elif [ -f /etc/rc.d/init.d/functions ]; then
    . /etc/rc.d/init.d/functions
else
    success()  { echo -n " [ OK ]"; return 0; }
    failure()  { echo -n " [FAILED]"; return 1; }
    killproc() { pkill -x "$1" > /dev/null 2>&1; }
    status() {
        if pgrep -x "$1" > /dev/null 2>&1; then
            echo "$1 is running"
        else
            echo "$1 is stopped"
            return 3
        fi
    }
fi
# Source networking configuration, if the distribution has one. Ubuntu
# has no /etc/sysconfig/network, and sourcing a missing file aborts.
[ -f /etc/sysconfig/network ] && . /etc/sysconfig/network
# Check that networking is up. Quote the expansion: with NETWORKING
# unset, the unquoted test collapses to "[ = no ]", which produces the
# "no: unexpected operator" error. Default to "yes" so an empty file
# does not stop the daemon.
[ "${NETWORKING:-yes}" = "no" ] && exit 1
# Set argus path by defining $ARGUSHOME for this script.
# If argus was installed in another way, modify PATH to
# include the directory where the argus binary was installed.
ARGUSDIR=/usr/local/sbin
ARGUSHOME=$ARGUSDIR
export PATH=$ARGUSHOME:$PATH
[ -f $ARGUSHOME/argus ] || exit 1
RETVAL=0
start() {
    # Start daemons.
    echo -n "Starting argus: "
    if [ ! -e /etc/argus.conf ]
    then
        # No config file: run as a daemon (-d), use the hostname as the
        # record source id (-e) and write records to a local log file.
        [ -d /var/log/argus ] || mkdir -p /var/log/argus
        argus -de `hostname` -w /var/log/argus/argus.log \
            > /dev/null 2>&1
        RETVAL=$?
    else
        # /etc/argus.conf is expected to set ARGUS_DAEMON=yes (see header).
        argus > /dev/null 2>&1 && success || failure
        RETVAL=$?
    fi
    # /var/lock/subsys exists on Red Hat but not necessarily elsewhere.
    [ -d /var/lock/subsys ] || mkdir -p /var/lock/subsys
    [ $RETVAL -eq 0 ] && touch /var/lock/subsys/argus
    echo
}
stop() {
    # Stop daemons.
    echo -n "Shutting down argus: "
    killproc argus
    RETVAL=$?
    [ $RETVAL -eq 0 ] && rm -f /var/lock/subsys/argus
    echo
}
# See how we were called.
case "$1" in
    start)
        start
        ;;
    stop)
        stop
        ;;
    restart|reload)
        stop
        start
        RETVAL=$?
        ;;
    condrestart)
        if [ -f /var/lock/subsys/argus ]; then
            stop
            start
            RETVAL=$?
        fi
        ;;
    status)
        status argus
        RETVAL=$?
        ;;
    *)
        echo "Usage: argus {start|stop|restart|condrestart|status}"
        exit 1
        ;;
esac
exit $RETVAL
I think I understand it is looking for the variables success, failure and
networking but can't find them. Also, "/etc/sysconfig/network" doesn't exist; I
had to create it to get things going, but what I created was just an empty file.
I'm sure this has something to do with Ubuntu. I have learned that the
different distros do things slightly differently, but I don't know how to fix it.
Argus seems to be running OK, but I would like to tie this loose end up to
be on the safe side.
Carter, I noticed some new clients; I'm looking forward to playing with them to
see what I can do with them. I have been impressed with Argus, but more
importantly our technician is impressed. Every time I show him something new he
says "awesome, and can you do this and this, wow this is great". So we both
appreciate all the time and effort that has been put into Argus, and I
appreciate all the help from everyone.
To Ubuntu users, I have noticed on the Ubuntu forum that a few have had trouble
with the Argus package in Ubuntu's repositories. I did too. It is an old
version, 2.x. There is no deb package of the latest version that I know of, so
here is what I did to install a compiler and Argus.
sudo apt-get install build-essential # This gets the GNU gcc compiler and a few
other necessary things.
sudo apt-get install libpcap-dev # Some of the Argus dependencies.
sudo apt-get install flex # Argus dependencies.
sudo apt-get install bison # Argus dependencies.
Now these packages are not the latest versions. But because I am a beginner at
this I prefer to use packages when I can. More experienced users can compile
the source. The INSTALL file in the root directory of the source files
explains where to get them. All that is left is to get the source tarballs and
follow the instructions in the INSTALL file. I did not get tcp_wrappers
linked to Argus; it is on my system but in a form ./configure couldn't find.
I don't think I need it right now, because we're not doing any remote clients; if I
do in the future I will compile it. Hope this is helpful to someone
new to this.
Cheers,
Barry
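Added example, not part of Barry's post or of the Argus sources: the two shell
errors reported above ("no: unexpected operator" from the unquoted NETWORKING
test, and the abort when /etc/sysconfig/network is absent) reproduced and fixed
in POSIX sh, so the result holds under dash, Ubuntu's /bin/sh, as well as bash.
File paths are parameters here, and the sysconfig-style sample files are
constructed by the demo, not the real /etc/sysconfig/network.

```sh
#!/bin/sh
# Added example (not Argus code). The sysconfig path is a parameter so the
# logic can be exercised against constructed files.

# Source a sysconfig-style file only if it exists. Returns 0 if it was
# sourced, 1 if not. A bare ". /etc/sysconfig/network" on a system
# without that file kills the whole init script.
source_if_present() {
    [ -f "$1" ] || return 1
    . "$1"
}

# The init script's check was:   [ ${NETWORKING} = "no" ] && exit 1
# With NETWORKING unset (the empty file the poster created) that expands
# to "[ = no ]", which dash reports as "no: unexpected operator". Quoting
# keeps the test well-formed, and defaulting to "yes" means a missing
# setting does not stop the daemon from starting.
networking_disabled() {
    [ "${NETWORKING:-yes}" = "no" ]
}

# Evaluate the check against a given sysconfig file. Returns 0 if the
# daemon should be started, 1 if networking is explicitly switched off.
should_start_argus() {
    NETWORKING=""                       # start from a clean value
    source_if_present "$1" || true      # a missing file is not an error
    if networking_disabled; then
        return 1
    fi
    return 0
}

# Self-check with constructed files: an empty file (what the poster made),
# a Red Hat style file with networking off, and a file that does not exist.
demo() {
    tmp=$(mktemp -d)
    : > "$tmp/empty"
    echo 'NETWORKING=no' > "$tmp/off"
    for f in "$tmp/empty" "$tmp/off" "$tmp/absent"; do
        if should_start_argus "$f"; then
            echo "$f: would start argus"
        else
            echo "$f: networking off, would exit 1"
        fi
    done
    rm -rf "$tmp"
}

# Run the demo only when invoked as "sh thisfile.sh demo".
if [ "${1:-}" = "demo" ]; then
    demo
fi
```

Only the "off" file should stop the daemon; the empty and absent files both
let it start, which is the behaviour the original Red Hat script intended.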