Formatting Change with RA Output in Beta 5???

Mark Bartlett mabartle at gmail.com
Mon Apr 13 13:40:57 EDT 2009


The RA_FIELD_WIDTH=variable does fix the issue. Thanks.

On Mon, Apr 13, 2009 at 12:16 PM, Daniel V. Klein <dvk at lonewolf.com> wrote:
> If you add
>        RA_FIELD_WIDTH=variable
> to your .rarc, it'll work largely as before...
>
> -Dan
>
> On Apr 13, 2009, at 11:40 AM, Carter Bullard wrote:
>
>> Hmmmm,
>> It's not supposed to do that, so I'll take a look and try to have a
>> response by tonight.
>>
>> Everything else working out ok?
>>
>> Carter
>>
>> On Apr 13, 2009, at 11:32 AM, Mark Bartlett wrote:
>>
>>> Hey Carter,
>>>
>>> Was there any format change in the 'new' Beta Release??  (Release
>>> argus-clients-3.0.2.beta.5)
>>>
>>> When I run this command using the 3.0.0 release I get the following:
>>>
>>> /opt/ARGUS/SCRIPTS/TOOLS/ra -F /opt/ARGUS/CONF/excel.rarc -r
>>> /tmp/argus_04-13-2009_1438_argus_server.out.gz - tcp or udp or icmp
>>>
>>> 8881,2009-04-13,14:10:13,2009-04-13,14:10:13,0.047441,172.31.100.100,10.10.50.22,6,36106,5666,3857,1951,1906,16,9,7,->,1,33431450,
>>> e s
>>>
>>> If I run the 'same' command with 3.0.2 BETA 5 I get the following:
>>>
>>>           10544,2009-04-13,15:00:01,2009-04-13,15:00:02,  0.357279,
>>>  192.168.50.139,    192.168.50.138,     6,32823,3366,      7851,
>>>  3494,        4357,      47,      24,      23,   ->,     1,
>>> 135, e
>>>
>>> As you can see, there are more 'spaces' in the fields....
>>>
>>> here is my excel.rarc stuff:
>>>
>>> RA_FIELD_DELIMITER=','
>>> RA_PRINT_NAMES=none
>>> RA_FIELD_SPECIFIER="srcid stime ltime dur saddr daddr proto sport dport bytes sbytes dbytes pkts spkts dpkts dir trans seq flgs"
>>> RA_TIME_FORMAT="%Y-%m-%d,%H:%M:%S"
>>> RA_USEC_PRECISION=6
>>> RA_FILTER="not man"
>>>
>>> Just wondering because with the 'extra' spaces it is now throwing off
>>> some of the data in my DB, the saddr field is now missing the last
>>> octet of the IP addy...  I am using CHAR(15) for my saddr and daddr
>>> fields...
>>>
>>> `saddr` char(15) NOT NULL DEFAULT '',
>>> `daddr` char(15) NOT NULL DEFAULT '',
>>>
>>> Thanks... Great STUFF!!!!
>>>
>>> mab
>>>
>>
>>
>
>
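
As an added example (not from the thread or the Argus project), a loader-side check in Python that strips field padding and validates the address columns before insert, so a formatting change like the one above fails loudly instead of truncating saddr. The column names follow the RA_FIELD_SPECIFIER quoted in the thread; the function names and the exact pad widths in the sample record are assumptions.

```python
import ipaddress

# Column order follows the RA_FIELD_SPECIFIER quoted in the thread. The
# RA_TIME_FORMAT there contains a comma, so stime and ltime each occupy two
# CSV columns (date, time): 19 fields become 21 columns.
COLUMNS = ["srcid", "sdate", "stime", "ldate", "ltime", "dur", "saddr",
           "daddr", "proto", "sport", "dport", "bytes", "sbytes", "dbytes",
           "pkts", "spkts", "dpkts", "dir", "trans", "seq", "flgs"]
ADDR_WIDTH = 15  # CHAR(15) columns from the thread


def parse_ra_line(line, delimiter=","):
    """Return a dict of stripped fields, or raise ValueError on a bad record."""
    fields = [f.strip() for f in line.rstrip("\n").split(delimiter)]
    if len(fields) != len(COLUMNS):
        raise ValueError(f"expected {len(COLUMNS)} columns, got {len(fields)}")
    row = dict(zip(COLUMNS, fields))
    for key in ("saddr", "daddr"):
        # Reject the record rather than let the database truncate silently.
        if len(row[key]) > ADDR_WIDTH:
            raise ValueError(f"{key} {row[key]!r} exceeds CHAR({ADDR_WIDTH})")
        ipaddress.IPv4Address(row[key])  # raises ValueError if malformed
    return row


def naive_char15(line, delimiter=","):
    """What lands in CHAR(15) when the padded saddr field is stored as-is."""
    return line.split(delimiter)[COLUMNS.index("saddr")][:ADDR_WIDTH]


# Constructed sample: the beta 5 record from the thread re-joined onto one
# line; pad widths lost to mail wrapping are approximated.
PADDED = ("          10544,2009-04-13,15:00:01,2009-04-13,15:00:02,  0.357279,"
          "    192.168.50.139,    192.168.50.138,     6,32823,3366,      7851,"
          "      3494,        4357,      47,      24,      23,   ->,     1,"
          "       135, e")

if __name__ == "__main__":
    print(repr(naive_char15(PADDED)))        # padded field cut at 15 chars
    print(parse_ra_line(PADDED)["saddr"])    # stripped and validated address
```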


