n00b Questions

John Kennedy wilson.amajohn at gmail.com
Fri Aug 28 02:53:14 EDT 2009 

While reading the argus website for System Auditing, it got me thinking;
With multiple ways to collect analyze and store Argus data, I am curious how
some have tackled the collection, processing, management and storage of it?
I am always curious when it comes to how others do it because like
programming there is almost always more than one way to do it.  I would also
like to find out if there are ways in which I could be more efficient.

I use argus strictly for Network Security Monitoring.  In an ArcSight
webinar I attended the other day the presenter said "Your business paints a
picture everyday... is anyone watching" For me, argus helps connect the dots
in order to see the picture(s).  I could throw many more analogies here, but
I think you get the point.

It has come time for me to refresh some of the hardware that argus is
running on.  In order to effectively put together a proposal that will meet
the needs of my monitoring efforts for the enterprise, I would like to
understand a little about how those on this list are deploying argus.

For me processing the data is the hardest hurdle i have to overcome each
day.  The server in which I run the reporting from is on a dual core
processor with 2 gigs of ram and 500 Gigs of storage.  Is this typical?
Retention is also an issue.  On my sensors I run argus and write the data to
a file. Every hour I have a script that takes the file compresses it and
copies it to an archive. Every 4 hours I rsync it to the server.  On the
server I have some scripts that process the last four hours of files that
were just Rsynced.  I realize that I could use radium() to save files to my
server; however with only a 500 gig RAID it gets a little tight with 5
sensors. I keep archives on the sensors themselves to aid in some retention.
The sensors by-the-way have a 200 Gig RAID.  When I first was working with
argus and finding equipment to use. I was sure that 500 gig would be
plenty... It's 500 gig, for crying out loud.

So, give a n00b some feedback.

Thanks

John
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://pairlist1.pair.net/pipermail/argus/attachments/20090828/0a06b399/attachment.html>

More information about the argus mailing list