Cheat sheet premiere
Stewart Gray
Stewart.Gray at safecom.co.nz
Tue Mar 11 16:42:01 EDT 2008
Awesome, that's a really good start. I've already been playing with a few of the options I hadn't toyed with before :)
Is there an easy way to generate a raw count of packets lost/retransmitted rather than having it graphed?
I figure we start with:
racluster -s loss -r argus.arg -w -
How are the figures totaled? Do we pipe it to rasort or ra?
Thanks,
Stewart
________________________________
From: Stéphane Peters [mailto:stephane.peters at forem.be]
Sent: Saturday, 8 March 2008 11:06 a.m.
To: Carter Bullard
Cc: Stewart Gray; Argus
Subject: Re: Re: [ARGUS] Cheat sheet premiere
Hi Carter,
I would love to see such a sheet in the distribution,
and I also was hoping that you could check
if those examples made sense or were appropriate.
So please go on!
Some cosmetic work could be done too;
for example, to use everywhere some "standard" parameters like this one:
file=argus-eth1.out
ra -r $file
so it is easy to paste the line "as is",
without forgetting the shell escapes (\$srcid) like in:
rasplit -S $argushost -M 1d -w /path/argus-\$srcid.%Y.%m.%d.log
By the way, as another example given to the list, here are 3 scripts I use.
The PATH vars give a nicer ps(1) output.
start-argus:
#!/bin/sh
interf=eth1
# Bring the capture interface up if it is not already
PATH=/sbin ifconfig $interf | grep UP || PATH=/sbin ifconfig $interf up
# Run argus detached, writing flow records to argus-eth1.out
PATH=/usr/local/sbin argus -d -i $interf -e `hostname` -P 561 -U128 -mRS 30 -w argus-eth1.out

rotate:
#!/bin/sh
# Rotates server log files, without affecting users who may be
# connected to the server.
# This can be run as a cron script
DATE=`date +%Y-%m%d-%H%M`
LOGS='argus-eth1.out'
for i in $LOGS; do
  if [ -f "$i" ]; then
    mv "$i" "$i.$DATE"
    gzip -9 "$i.$DATE"
  fi
done

rotate-daily:
#!/bin/sh
./rotate
sleep 60 # sometimes the preceding command finishes too early
# Re-queue this script for the next midnight with at(1)
echo ./rotate-daily | at 0000 > /tmp/rotate-daily.log
I use at(1) instead of cron(8) to cut the files closer to midnight,
but rastream(1)'s extended "-w" option seems promising.
A better solution could be to use argus(8) to preprocess the flows,
and rastream(1) to write, "rotate" and compress the files.
Another thread, perhaps.
Carter Bullard wrote :
Hey Stephane,
This is great!!!! I'll put this in the distribution, if you don't mind!!!!
And I'll also go through it to make sure that any changes in the
code actually don't break this, and I can add some of the ones
that I do.
So Russell is asking for a wiki, and we already have one at:
http://www.vorant.com/nsmwiki/index.php?title=Argus
Carter
On Mar 7, 2008, at 2:24 PM, Stéphane Peters wrote:
Hi Stewart,
I also think that a cheat sheet would be nice!
Here is a good occasion to show mine...
Please note, most of the stuff has been collected right from this argus list,
so hopefully, you shouldn't browse all the (numerous) past messages.
Any suggestions?
________________________________
flow filtering on certain port range:
ra -r file - dst port \( gt 1024 and lt 2048 \)
(...)
________________________________
Stewart Gray wrote:
Awesome, that's more like what I was after :) Thanks for your help
again.
As I mentioned earlier, I reckon it'd be neat to have some sort of cheat
sheet for doing common tasks. I bet there's lots of stuff you know that
others don't, having written the application yourself. I don't know what
I don't know!
Regards,
--
Stephane.Peters at forem.be, Postmaster at forem.be
Regards,
--
Stephane.Peters at forem.be
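As an added example (not part of the thread or the argus distribution), here is a generalized form of the rotate script posted above: a POSIX sh function that timestamps and compresses each argus output file, skips missing or empty files, and a second function that prunes compressed archives older than a retention period. The names rotate_argus_logs, prune_old_archives and KEEP_DAYS are assumptions; the timestamp layout is the one used in the thread.

```shell
#!/bin/sh
# Added example: generalized rotation for argus output files.
# Assumed names: rotate_argus_logs, prune_old_archives, KEEP_DAYS.

KEEP_DAYS=${KEEP_DAYS:-30}   # how long compressed archives are kept

# rotate_argus_logs FILE...
# Renames each existing, non-empty FILE to FILE.<stamp>, compresses it,
# and prints the path of the resulting .gz archive.
rotate_argus_logs() {
    stamp=$(date +%Y-%m%d-%H%M)   # same layout as the thread's rotate script
    for f in "$@"; do
        # Nothing to archive if the file is missing or empty
        [ -s "$f" ] || continue
        mv "$f" "$f.$stamp" || return 1
        gzip -9 "$f.$stamp" || return 1
        echo "$f.$stamp.gz"
    done
    return 0
}

# prune_old_archives DIR
# Deletes DIR/*.gz files whose modification time is older than KEEP_DAYS days.
prune_old_archives() {
    find "$1" -maxdepth 1 -type f -name '*.gz' -mtime +"$KEEP_DAYS" -exec rm -f {} +
}
```

Run it from cron or at(1) as the thread's rotate-daily does; argus itself keeps writing to whatever file it has open, so check how your argus version reacts to the rename before relying on this in production.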