Formatting Change with RA Output in Beta 5???
Daniel V. Klein
dvk at lonewolf.com
Mon Apr 13 12:16:36 EDT 2009
If you add
RA_FIELD_WIDTH=variable
to your .rarc, it'll work largely as before...
-Dan
On Apr 13, 2009, at 11:40 AM, Carter Bullard wrote:
> Hmmmm,
> It's not supposed to do that, so I'll take a look and try to have a
> response by tonight.
>
> Everything else working out ok?
>
> Carter
>
> On Apr 13, 2009, at 11:32 AM, Mark Bartlett wrote:
>
>> Hey Carter,
>>
>> Was there any format change in the 'new' Beta Release?? (Release
>> argus-clients-3.0.2.beta.5)
>>
>> when I run this command using the 3.0.0 release I get the following:
>>
>> /opt/ARGUS/SCRIPTS/TOOLS/ra -F /opt/ARGUS/CONF/excel.rarc -r
>> /tmp/argus_04-13-2009_1438_argus_server.out.gz - tcp or udp or icmp
>>
>> 8881,2009-04-13,14:10:13,2009-04-13,14:10:13,0.047441,172.31.100.100,10.10.50.22,6,36106,5666,3857,1951,1906,16,9,7,->,1,33431450,e s
>>
>> If I run the 'same' command with 3.0.2 BETA 5 I get the following:
>>
>> 10544,2009-04-13,15:00:01,2009-04-13,15:00:02, 0.357279,
>> 192.168.50.139, 192.168.50.138, 6,32823,3366, 7851,
>> 3494, 4357, 47, 24, 23, ->, 1,
>> 135, e
>>
>> As you can see, there are more 'spaces' in the fields....
>>
>> here is my excel.rarc stuff:
>>
>> RA_FIELD_DELIMITER=','
>> RA_PRINT_NAMES=none
>> RA_FIELD_SPECIFIER="srcid stime ltime dur saddr daddr proto sport dport bytes sbytes dbytes pkts spkts dpkts dir trans seq flgs"
>> RA_TIME_FORMAT="%Y-%m-%d,%H:%M:%S"
>> RA_USEC_PRECISION=6
>> RA_FILTER="not man"
>>
>> Just wondering because with the 'extra' spaces it is now throwing off
>> some of the data in my DB, the saddr field is now missing the last
>> octet of the IP addy... I am using CHAR(15) for my saddr and daddr
>> fields...
>>
>> `saddr` char(15) NOT NULL DEFAULT '',
>> `daddr` char(15) NOT NULL DEFAULT '',
>>
>> Thanks... Great STUFF!!!!
>>
>> mab
>>
>
>
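Added example, not part of the original thread or of the argus code: a loader-side check that strips field padding and validates addresses before a record reaches a CHAR(15) column, so a formatting change in ra output fails loudly instead of silently dropping an octet. The column names follow the RA_FIELD_SPECIFIER quoted above; the padding widths in the sample record, the `char15` helper and the assumption that every flow carries IP addresses are illustrative.

```python
import ipaddress

# Column names follow the RA_FIELD_SPECIFIER quoted in the thread. stime and
# ltime each occupy two CSV columns because RA_TIME_FORMAT contains a comma.
COLUMNS = ["srcid", "sdate", "stime", "ldate", "ltime", "dur", "saddr", "daddr",
           "proto", "sport", "dport", "bytes", "sbytes", "dbytes", "pkts",
           "spkts", "dpkts", "dir", "trans", "seq", "flgs"]

# Constructed sample record: values taken from the beta 5 output in the thread,
# padding widths chosen for illustration (the real widths are not on the page).
SAMPLE = ("10544,2009-04-13,15:00:01,2009-04-13,15:00:02,  0.357279,"
          "    192.168.50.139,    192.168.50.138,    6,32823,3366,    7851,"
          "    3494,    4357,    47,    24,    23,  ->,    1,    135, e")


def char15(value):
    """Mimic a CHAR(15) column that truncates over-long input (hypothetical helper)."""
    return value[:15]


def parse_record(line):
    """Split one comma-delimited ra record, strip padding, validate addresses."""
    raw = line.rstrip("\n").split(",")
    if len(raw) != len(COLUMNS):
        raise ValueError(f"expected {len(COLUMNS)} columns, got {len(raw)}")
    rec = {name: value.strip() for name, value in zip(COLUMNS, raw)}
    for key in ("saddr", "daddr"):
        # Assumes IP flows only; raises ValueError on a mangled address.
        ipaddress.ip_address(rec[key])
    return rec


if __name__ == "__main__":
    raw_saddr = SAMPLE.split(",")[6]
    print("unstripped into CHAR(15):", repr(char15(raw_saddr)))
    print("stripped into CHAR(15):  ", repr(char15(parse_record(SAMPLE)["saddr"])))
```
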