how to use rastream properly
Jason Carr
jcarr at andrew.cmu.edu
Mon Aug 10 13:59:14 EDT 2009
Hello,
I'm using Rasplit Version 3.0.2.beta.11 on an amd64 architecture.
I'm trying to use rastream to capture all packets from an argus stream
into 5 minute files. This is my current command line:
rastream -S probe-01:561 -M time 5m -w "/data/argus/\$srcid/%Y/%m/%d/%H/%Y.%m.%d.%H.%M.%S.argus" -f /scripts/compress.sh
Right now, very very small files are being produced, approximately
around 20k or so. Each only has a few packets listed; most of the
packets are exactly at the 5 minute mark. If I try with rasplit:
rasplit -S probe-01:561 -M time 5m -w /data/argus/core/%Y/%m/%d/%H/%Y.%m.%d.%H.%M.%S.argus
This works fine and produces 300MB files for each 5 minutes like it
should. I would prefer to use rastream because I want the ability to
split the stream out by source ID and the ability to run a script to
parse the file and compress it.
What am I doing wrong?
- Jason
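As an added illustration of the -f hook in the command above (example code, not from the poster or the Argus project), a hypothetical compress.sh that rastream is assumed to invoke with the path of each closed 5-minute file as its only argument. It records the file size before compressing, which makes the undersized-file symptom described above visible in the log, refuses paths outside the expected output tree, and verifies the archive before returning.

```shell
#!/bin/sh
# Hypothetical post-rotation hook for "rastream ... -f /scripts/compress.sh"
# (added example, not part of the original post or of Argus).
# Assumption: rastream runs it as   compress.sh <path-of-closed-file>
set -u

ARGUS_ROOT="${ARGUS_ROOT:-/data/argus}"   # only files under this tree are touched

# compress_argus_file PATH: gzip the file in place.
# Returns 0 on success, 1 on a bad/empty file or gzip failure, 2 on a refused path.
compress_argus_file() {
    f=$1
    case "$f" in
        "$ARGUS_ROOT"/*) ;;                      # inside the expected output tree
        *) echo "refusing path outside $ARGUS_ROOT: $f" >&2; return 2 ;;
    esac
    case "$f" in
        *..*) echo "refusing path containing '..': $f" >&2; return 2 ;;
    esac
    [ -f "$f" ] || { echo "not a regular file: $f" >&2; return 1; }
    [ -s "$f" ] || { echo "empty file, left as-is: $f" >&2; return 1; }
    # Log the size before compressing: a file of tens of KB where hundreds of MB
    # per 5 minutes are expected is the condition worth alarming on.
    size=$(wc -c < "$f")
    echo "closing $f ($size bytes)" >&2
    gzip -9 "$f" || return 1
    gzip -t "$f.gz" || return 1          # verify the archive before trusting it
    return 0
}

# Only act when invoked with a filename, so the file can also be sourced.
if [ "$#" -ge 1 ]; then
    compress_argus_file "$1"
fi
```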