updates for argus-2.x compatibility and database support
Carter Bullard
carter at qosient.com
Fri Feb 27 10:51:57 EST 2009
Hey Ken,
I've included the output of a simple run of what will be available when
we turn this on in argus next month. This is a program, raevent(), that
just prints the contents of any ARGUS_EVENT record in the stream,
connecting directly to one of my Mac's argi. I let it run for a minute
and got these outputs.
The lsof() output on the mac has a flow description which can easily be
mapped to the flows generated by argus. From these two data elements,
it is trivial to tag the network flow traffic with the application
name, pid, and owner account name. I just need to figure out how to get
lsof() to not truncate the names of programs.
Carter
thoth:ramysql carter$ raevent -S localhost
event[764]=
2009/02/27 10:44:28.456722:srcid=192.168.0.68:
<ArgusEventData>
<ArgusEvent Type = "Mach Virtual Memory Statistics" Comment = "(page size of 4096 bytes)" >
< Label = "Pages free" Value = "2733035" />
< Label = "Pages active" Value = "476401" />
< Label = "Pages inactive" Value = "219094" />
< Label = "Pages wired down" Value = "237826" />
< Label = "Translation faults" Value = "188644272" />
< Label = "Pages copy-on-write" Value = "16831044" />
< Label = "Pages zero filled" Value = "89955906" />
< Label = "Pages reactivated" Value = "6" />
< Label = "Pageins" Value = "165467" />
< Label = "Pageouts" Value = "0" />
< Label = "Object cache" Value = "1181359 hits of 2704542 lookups (43% hit rate)" />
</ArgusEvent>
</ArgusEventData>
event[9979]=
2009/02/27 10:44:34.687421:srcid=192.168.0.68:
<ArgusEventData>
COMMAND PID USER FD TYPE DEVICE SIZE/OFF NODE NAME
launchd 1 root 13u IPv6 0x140f0be8 0t0 TCP *:515 (LISTEN)
launchd 1 root 14u IPv4 0x144e0e64 0t0 TCP *:515 (LISTEN)
launchd 1 root 15u IPv6 0x140f0984 0t0 TCP [::1]:631 (LISTEN)
launchd 1 root 16u IPv4 0x144e0a68 0t0 TCP 127.0.0.1:631 (LISTEN)
launchd 1 root 56u IPv6 0x140f0720 0t0 TCP *:548 (LISTEN)
launchd 1 root 58u IPv4 0x144e066c 0t0 TCP *:548 (LISTEN)
launchd 1 root 63u IPv4 0x144e0270 0t0 TCP *:139 (LISTEN)
launchd 1 root 64u IPv4 0x14991e64 0t0 TCP *:445 (LISTEN)
launchd 1 root 66u IPv6 0x140f04bc 0t0 TCP *:22 (LISTEN)
launchd 1 root 67u IPv4 0x14991a68 0t0 TCP *:22 (LISTEN)
Directory 11 root 19u IPv4 0x286fca68 0t0 TCP 192.168.0.68:57524->192.168.0.66:106 (CLOSE_WAIT)
Directory 11 root 20u IPv4 0x286fde64 0t0 TCP 192.168.0.68:57525->192.168.0.66:106 (CLOSE_WAIT)
configd 14 root 8u IPv4 0x140edda0 0t0 UDP *:*
configd 14 root 11u IPv6 0x1499de78 0t0 ICMPV6 *:*
configd 14 root 13u IPv6 0x1499dcc8 0t0 ICMPV6 *:*
mDNSRespo 16 _mdnsresponder 7u IPv4 0x140edbf0 0t0 UDP *:5353
mDNSRespo 16 _mdnsresponder 8u IPv6 0x140edb18 0t0 UDP *:5353
mDNSRespo 16 _mdnsresponder 15u IPv4 0x140eca38 0t0 UDP *:59715
mDNSRespo 16 _mdnsresponder 16u IPv4 0x140ec7b0 0t0 UDP *:5350
mDNSRespo 16 _mdnsresponder 17u IPv4 0x140ec6d8 0t0 UDP *:5351
mDNSRespo 16 _mdnsresponder 18u IPv4 0x140ec450 0t0 UDP *:54926
mDNSRespo 16 _mdnsresponder 25u IPv4 0x140ece70 0t0 UDP *:54762
mDNSRespo 16 _mdnsresponder 26u IPv4 0x140ecd98 0t0 UDP *:51507
mDNSRespo 16 _mdnsresponder 27u IPv4 0x140ed890 0t0 UDP *:50142
mDNSRespo 16 _mdnsresponder 28u IPv4 0x140ed380 0t0 UDP *:64697
mDNSRespo 16 _mdnsresponder 29u IPv4 0x140ed020 0t0 UDP *:52935
mDNSRespo 16 _mdnsresponder 30u IPv4 0x140ed1d0 0t0 UDP *:55516
mDNSRespo 16 _mdnsresponder 31u IPv4 0x140ec2a0 0t0 UDP *:53829
mDNSRespo 16 _mdnsresponder 32u IPv4 0x140ec1c8 0t0 UDP *:63682
mDNSRespo 16 _mdnsresponder 33u IPv4 0x140ec0f0 0t0 UDP *:64863
mDNSRespo 16 _mdnsresponder 34u IPv4 0x140ec018 0t0 UDP *:57731
mDNSRespo 16 _mdnsresponder 35u IPv4 0x140ebf40 0t0 UDP *:53149
mDNSRespo 16 _mdnsresponder 36u IPv4 0x140ebe68 0t0 UDP *:63672
mDNSRespo 16 _mdnsresponder 37u IPv4 0x140ebd90 0t0 UDP *:49353
mDNSRespo 16 _mdnsresponder 38u IPv4 0x140ebcb8 0t0 UDP *:55325
mDNSRespo 16 _mdnsresponder 39u IPv4 0x140ebbe0 0t0 UDP *:65202
mDNSRespo 16 _mdnsresponder 40u IPv4 0x140ebb08 0t0 UDP *:53037
mDNSRespo 16 _mdnsresponder 41u IPv4 0x140eba30 0t0 UDP *:62970
mDNSRespo 16 _mdnsresponder 42u IPv4 0x140eb958 0t0 UDP *:56631
mDNSRespo 16 _mdnsresponder 43u IPv4 0x140eb880 0t0 UDP *:57052
mDNSRespo 16 _mdnsresponder 44u IPv4 0x140eb7a8 0t0 UDP *:60965
mDNSRespo 16 _mdnsresponder 57u IPv4 0x140ea290 0t0 UDP *:60529
mDNSRespo 16 _mdnsresponder 58u IPv4 0x140e9bd0 0t0 UDP *:60237
mDNSRespo 16 _mdnsresponder 59u IPv4 0x140e9ca8 0t0 UDP *:58041
mDNSRespo 16 _mdnsresponder 60u IPv4 0x140eaf38 0t0 UDP *:60517
mDNSRespo 16 _mdnsresponder 61u IPv4 0x140ea878 0t0 UDP *:54259
ntpd 25 root 20u IPv4 0x140edcc8 0t0 UDP *:123
ntpd 25 root 21u IPv6 0x140eda40 0t0 UDP *:123
ntpd 25 root 22u IPv6 0x140ed968 0t0 UDP [fe80:1::1]:123
ntpd 25 root 23u IPv4 0x140eccc0 0t0 UDP 127.0.0.1:123
ntpd 25 root 24u IPv6 0x140ecbe8 0t0 UDP [::1]:123
ntpd 25 root 25u IPv6 0x140ecb10 0t0 UDP [fd48:f5c5:4551:bf46:223:32ff:fe2f:ac9c]:123
ntpd 25 root 26u IPv6 0x140ec960 0t0 UDP [fe80:4::223:32ff:fe2f:ac9c]:123
ntpd 25 root 27u IPv4 0x140ec888 0t0 UDP 192.168.0.68:123
ntpd 25 root 28u IPv4 0x140ec528 0t0 UDP 172.16.235.1:123
ntpd 25 root 29u IPv4 0x140ec378 0t0 UDP 172.16.86.1:123
ntpd 25 root 30u IPv6 0x140ea6c8 0t0 UDP [fe80:7::21d:4fff:feff:a6ad]:123
ntpd 25 root 31u IPv4 0x140ea1b8 0t0 UDP 192.168.2.65:123
cupsd 26 root 4u IPv6 0x140f0984 0t0 TCP [::1]:631 (LISTEN)
cupsd 26 root 7u IPv4 0x144e0a68 0t0 TCP 127.0.0.1:631 (LISTEN)
cupsd 26 root 9u IPv6 0x140efff4 0t0 TCP *:631 (LISTEN)
cupsd 26 root 10u IPv4 0x1499166c 0t0 TCP *:631 (LISTEN)
cupsd 26 root 11u IPv4 0x140ec600 0t0 UDP *:631
httpd 27 root 3u IPv6 0x140efb2c 0t0 TCP *:80 (LISTEN)
httpd 27 root 4u IPv4 0x150c6e64 0t0 TCP *:* (CLOSED)
ODSAgent 35 root 3u IPv6 0x140f0258 0t0 TCP *:49152 (LISTEN)
krb5kdc 64 root 10u IPv6 0x140ed7b8 0t0 UDP [fe80:1::1]:88
krb5kdc 64 root 11u IPv6 0x140ed2a8 0t0 UDP [fd48:f5c5:4551:bf46:223:32ff:fe2f:ac9c]:88
krb5kdc 64 root 12u IPv6 0x140ed0f8 0t0 UDP [fe80:4::223:32ff:fe2f:ac9c]:88
krb5kdc 64 root 13u IPv4 0x140ecf48 0t0 UDP 192.168.0.68:88
krb5kdc 64 root 14u IPv6 0x140efd90 0t0 TCP *:88 (LISTEN)
krb5kdc 64 root 15u IPv4 0x14ec6a68 0t0 TCP *:88 (LISTEN)
nmbd 68 root 6u IPv4 0x140ed6e0 0t0 UDP *:137
nmbd 68 root 7u IPv4 0x140ed608 0t0 UDP *:138
nmbd 68 root 8u IPv4 0x140ed530 0t0 UDP 192.168.0.68:137
nmbd 68 root 9u IPv4 0x140ed458 0t0 UDP 192.168.0.68:138
nmbd 68 root 13u IPv4 0x140eb448 0t0 UDP 172.16.86.1:137
nmbd 68 root 14u IPv4 0x140e9948 0t0 UDP 172.16.86.1:138
nmbd 68 root 15u IPv4 0x140eb370 0t0 UDP 172.16.235.1:137
nmbd 68 root 16u IPv4 0x140eb5f8 0t0 UDP 172.16.235.1:138
nmbd 68 root 17u IPv4 0x164eb0f0 0t0 UDP 192.168.2.65:137
nmbd 68 root 18u IPv4 0x164ecbf0 0t0 UDP 192.168.2.65:138
vmnet-nat 93 root 4u IPv4 0x1499dda0 0t0 ICMP *:*
httpd 110 _www 3u IPv6 0x140efb2c 0t0 TCP *:80 (LISTEN)
httpd 110 _www 4u IPv4 0x150c6e64 0t0 TCP *:* (CLOSED)
p4d 114 root 3u IPv4 0x1515ce64 0t0 TCP *:1666 (LISTEN)
mysqld 197 _mysql 10u IPv4 0x1515ca68 0t0 TCP *:3306 (LISTEN)
AppleVNCS 243 carter 4u IPv6 0x140ef8c8 0t0 TCP *:5900 (LISTEN)
Finder 255 carter 7u IPv4 0x28704270 0t0 TCP 192.168.0.68:56416->216.92.197.167:21 (ESTABLISHED)
Finder 255 carter 9u IPv4 0x28703a68 0t0 TCP 192.168.0.68:56436->168.100.185.123:21 (CLOSE_WAIT)
iChatAgen 270 carter 4u IPv4 0x164ebb10 0t0 UDP 127.0.0.1:49354->127.0.0.1:49354
iChatAgen 270 carter 5u IPv4 0x1515c66c 0t0 TCP 192.168.0.68:50663->64.12.24.238:5190 (ESTABLISHED)
SystemUIS 288 carter 9u IPv4 0x140eb298 0t0 UDP *:*
Mail 311 carter 7u IPv4 0x1670166c 0t0 TCP 192.168.0.68:49219->17.148.16.39:993 (ESTABLISHED)
Mail 311 carter 9u IPv4 0x16701a68 0t0 TCP 192.168.0.68:49217->17.148.16.39:993 (ESTABLISHED)
Mail 311 carter 15u IPv4 0x27232e64 0t0 TCP 192.168.0.68:49216->17.148.16.39:993 (ESTABLISHED)
Mail 311 carter 20u IPv4 0x286ac270 0t0 TCP 192.168.0.68:56918->17.148.16.40:993 (ESTABLISHED)
Mail 311 carter 23u IPv4 0x14ec6e64 0t0 TCP 192.168.0.68:49237->17.250.248.77:80 (CLOSED)
Mail 311 carter 27u IPv4 0x27d4da68 0t0 TCP 192.168.0.68:54495->216.92.197.167:993 (ESTABLISHED)
Mail 311 carter 28u IPv4 0x14ec6270 0t0 TCP 192.168.0.68:49221->216.92.197.167:993 (ESTABLISHED)
Mail 311 carter 29u IPv4 0x286fda68 0t0 TCP 192.168.0.68:58818->216.92.197.167:993 (ESTABLISHED)
Mail 311 carter 31u IPv4 0x286ff270 0t0 TCP 192.168.0.68:57553->216.92.197.167:993 (ESTABLISHED)
argus 8998 root 4u IPv6 0x140ee0e0 0t0 TCP *:561 (LISTEN)
argus 8998 root 6u IPv4 0x140eb0e8 0t0 UDP *:*
argus 8998 root 8u IPv6 0x140eef38 0t0 TCP [::1]:561->[::1]:58899 (ESTABLISHED)
iTunes 71704 carter 27u IPv4 0x27d6a270 0t0 TCP *:3689 (LISTEN)
ra 77724 carter 3u IPv4 0x286f3a68 0t0 TCP 192.168.0.68:58689->192.168.0.82:561 (ESTABLISHED)
raevent 80973 carter 3u IPv6 0x140ee5a8 0t0 TCP [::1]:58899->[::1]:561 (ESTABLISHED)
bash 80979 root 4u IPv6 0x140ee0e0 0t0 TCP *:561 (LISTEN)
bash 80979 root 6u IPv4 0x140eb0e8 0t0 UDP *:*
bash 80979 root 8u IPv6 0x140eef38 0t0 TCP [::1]:561->[::1]:58899 (ESTABLISHED)
</ArgusEventData>
On Feb 27, 2009, at 10:33 AM, Ken A wrote:
> Carter Bullard wrote:
>> Hey Ken,
>> One of the features of the "new" argus that will come out in a month or
>> so is the "ARGUS_EVENT" record, which I use to generate temperature,
>> processor load, SNMP data collection and lsof data collection. Argus
>> has an event queue that is configured from the argus.conf file. Here is
>> one of mine below.
>> # Argus supports the generation of host originated processes
>> # to gather additional data and statistics. These include
>> # periodic processes to poll for SNMP data, as an example, or
>> # to collect host statistics through reading procfs(). Or
>> # single run programs that run at a specified time.
>> #
>> # These argus events, are generated from the complete list of
>> # ARGUS_EVENT_DATA directives that are specified here.
>> #
>> # The syntax is:
>> # Syntax is: "method:path|prog:interval[:postproc]"
>> # Where: method = [ "file" | "prog" ]
>> # pathname | program = "%s"
>> # interval = %d[smhd] [ zero means run once ]
>> # postproc = [ "compress" | "compress2" ]
>> #
>> ARGUS_EVENT_DATA="prog:/usr/local/bin/ravms:20s:compress"
>> ARGUS_EVENT_DATA="prog:/usr/local/bin/ratp:5m:compress"
>> ARGUS_EVENT_DATA="prog:/usr/local/bin/rasnmp:1m:compress"
>> ARGUS_EVENT_DATA="file:/proc/vmstat:30s:compress"
>> ARGUS_EVENT_DATA="prog:/usr/bin/uptime:30s"
>> ARGUS_EVENT_DATA="prog:/usr/local/bin/ralsof:10s:compress"
>> Here is the contents of my ralsof script, as a very simple example:
>> #!/bin/bash
>> #
>> # Gargoyle Software
>> # Copyright (c) 2006-2009 QoSient, LLC
>> # All rights reserved.
>> #
>> # ralsof - Report open inet sockets and provide application names
>> #
>> # Carter Bullard
>> # QoSient, LLC
>> #
>> output=`lsof -i -n -P`
>> #
>> #
>> echo "<ArgusEventData>"
>> echo "$output"
>> echo "</ArgusEventData>"
>> The output of these programs is simply put in a buffer, optionally
>> compressed, and then shipped out in the argus data stream, with an
>> Argus transport header on it. Radium will transport them, copy them,
>> even label them if needed, and most of the ra* programs will do
>> something with the records. rasplit() and rastream() will put them
>> in the archive, so that the event data is commingled with the network
>> traffic data, and the source id of the event is the Argus source id,
>> so scope is maintained.
>> Most of the programs that I use generate XML formatted data, so that
>> the ra* programs just need to print the buffers, and some analytic can
>> do its thing later. I have not written many analytics yet, so I'm not
>> graphing the data in ragraph() for instance.
>> That's as much support as I have now. If you would like to help me
>> expand on this functionality on the list, I'd love to hear your
>> opinion. Such as how to minimize the lsof() data set, and how to read
>> the data on the other end ;o)
>
> Hi Carter,
>
> That's perfect. Getting the right script to extract the data I want
> is going to be a little tricky, but interesting! lsof with -F0 can
> be parsed to match pid,exe,owner (lsof -F0pLc) and then again to get
> any interesting pid or owner activity perhaps? - more thought needed
> here, since there might be better ways to correlate & extract this
> info.
>
> The on-the-fly database creation is going to be helpful in testing a
> lot of possibilities! If I had more time, I'd definitely put it in
> this direction, but I wear all of the technical hats (except
> support) at a small ISP, so I'm tied up with other things on many
> days.
>
> Thanks,
> Ken
>
>> Carter
>> On Feb 26, 2009, at 9:20 AM, Ken A wrote:
>>> Carter Bullard wrote:
>>>> Gentle people,
>>>> I am working on a major release of the clients this week and I should
>>>> have a package hopefully by Thurs/Fri (if nothing gets in the way).
>>>> The primary function is to get general bug fixes into the main
>>>> release. And backward compatibility was the bug of the week, last
>>>> week, so I'm working on that.
>>>> Many "standard" programs will have a number of tweaks to fix bugs that
>>>> have come up, that have not hit the mailing list. While it will be a
>>>> lot of changes, these programs have been stable for quite some time,
>>>> so I'm hoping that we won't have a lot of little problems. Testing
>>>> will need to be done, however.
>>>> rabins(), rasplit() and rastream() have all had a lot of work done to
>>>> support aggregation units smaller than 1 second. So that you can
>>>> specify bin sizes down to a uSec. This is important in our high
>>>> performance stream analysis work. Maybe not for everyone, but the
>>>> code is doing much better with these changes.
>>>> And we will have support for flow labeling in radium(), where you can
>>>> slip ascii metadata into the records to "pump up" the semantics. This
>>>> is really cool, and will take some discussions on the list to use it
>>>> to the fullest.
>>>> This major version release of the clients will have a lot of new
>>>> undocumented programs, but I will try to start describing them on the
>>>> mailing list this week. They cover two primary areas, user data
>>>> analysis and database support. It may be possible that I only have
>>>> one of these ready, but I'm working on both.
>>>> The database support causes one major change. We will need to print
>>>> "sport" and "dport" values for ICMP flows. This is to guarantee that
>>>> all flow records will have a unique flow key, so we won't have trouble
>>>> stuffing ICMP flows into an indexed database table of argus records.
>>>> I seem to be in my office this week, which is a real surprise, so
>>>> hopefully I can make some progress.
>>>> A new release of argus will follow a month later, with support for
>>>> packet size and interpacket arrival histogram reporting, as well as a
>>>> new ArgusEvent feature, where we can collect SNMP, /proc, and lsof()
>>>> data and send them in the argus data stream.
>>>
>>> That sounds like a lot of data, and useful too. Will this enable
>>> me, with the proper query, to access lsof data, like 'open files'
>>> of a pid that also had an open network connection that is of
>>> interest? That would be quite helpful in a hosting environment.
>>> And I can stuff it all into mysql too? very nice! Or am I dreaming?
>>> Thanks,
>>> Ken
>>>
>>>
>>>> This is primarily to tag flows with the applications that
>>>> generated them.
>>>> Carter Bullard
>>>> CEO/President
>>>> QoSient, LLC
>>>> 150 E 57th Street Suite 12D
>>>> New York, New York 10022
>>>> +1 212 588-9133 Phone
>>>> +1 212 588-9134 Fax
>>>
>>>
>>> --
>>> Ken Anderson
>>> Pacific Internet - http://www.pacific.net
>>>
>
>
> --
> Ken Anderson
> Pacific Internet - http://www.pacific.net
>
>
Carter Bullard
CEO/President
QoSient, LLC
150 E 57th Street Suite 12D
New York, New York 10022
+1 212 588-9133 Phone
+1 212 588-9134 Fax
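Editor's note, with a worked example that is not part of the thread and not argus or QoSient code. Carter's message says the lsof flow description can be mapped onto argus flows to tag each flow with application, pid and owner, and Ken proposes parsing lsof's -F0 field output (lsof -F0pLc) to do it. The script below shows that join end to end. It assumes lsof's documented -F field keys (p pid, c command, L login, f fd, P protocol, t type, n name, T TCP info; with -F0 the fields are NUL-terminated, with plain -F one field per line) and flow lines in the shape `ra -n -c , -s proto saddr sport daddr dport` prints. The lsof snapshot and the flow lines are constructed by hand from the values in Carter's listing; nothing here was captured from a live system.

```python
# Added example: join an lsof -F0 snapshot with argus-style flow records.
from collections import defaultdict

# Constructed lsof -F0pcLfPtTn output: one field set per line, fields
# NUL-terminated and prefixed by a key letter. Values mirror the mail's
# listing but were typed by hand here.
LSOF_F0 = (
    "p1\0claunchd\0Lroot\0\n"
    "f16\0tIPv4\0PTCP\0n127.0.0.1:631\0TST=LISTEN\0\n"
    "p25\0cntpd\0Lroot\0\n"
    "f27\0tIPv4\0PUDP\0n192.168.0.68:123\0\n"
    "p26\0ccupsd\0Lroot\0\n"
    "f7\0tIPv4\0PTCP\0n127.0.0.1:631\0TST=LISTEN\0\n"
    "p255\0cFinder\0Lcarter\0\n"
    "f7\0tIPv4\0PTCP\0n192.168.0.68:56416->216.92.197.167:21\0TST=ESTABLISHED\0\n"
    "p8998\0cargus\0Lroot\0\n"
    "f4\0tIPv6\0PTCP\0n*:561\0TST=LISTEN\0\n"
    "f8\0tIPv6\0PTCP\0n[::1]:561->[::1]:58899\0TST=ESTABLISHED\0\n"
    "p80973\0craevent\0Lcarter\0\n"
    "f3\0tIPv6\0PTCP\0n[::1]:58899->[::1]:561\0TST=ESTABLISHED\0\n"
    "p80979\0cbash\0Lroot\0\n"        # event script holding argus's inherited fds
    "f4\0tIPv6\0PTCP\0n*:561\0TST=LISTEN\0\n"
    "f8\0tIPv6\0PTCP\0n[::1]:561->[::1]:58899\0TST=ESTABLISHED\0\n"
)

# Constructed flows as `ra -n -c , -s proto saddr sport daddr dport` prints them.
FLOWS = """\
tcp,192.168.0.68,56416,216.92.197.167,21
tcp,192.168.0.82,58689,192.168.0.68,561
udp,192.168.0.68,123,192.168.0.1,123
tcp,::1,58899,::1,561
tcp,127.0.0.1,61000,127.0.0.1,631
tcp,192.168.0.68,49219,17.148.16.39,993
"""

def split_endpoint(ep):
    """'[::1]:58899' -> ('::1', '58899'); '*:515' -> ('*', '515')."""
    addr, port = ep.rsplit(":", 1)
    return addr.strip("[]"), port

def parse_lsof(text):
    """One dict per internet socket. Accepts -F0 (NUL-terminated fields) and
    plain -F (one field per line): both are a stream of keyed fields where
    'p' opens a process set and 'f' opens a file set."""
    fields = (f for line in text.splitlines() for f in line.split("\0") if f)
    entries, proc, cur = [], {}, None
    for field in fields:
        key, value = field[0], field[1:]
        if key == "p":
            proc, cur = {"p": value}, None
        elif key == "f":
            cur = {"f": value}
            entries.append((proc, cur))
        elif cur is None:
            proc[key] = value             # c, L ... describe the process
        else:
            cur[key] = value              # T repeats (TST=, TQR=...); unused here
    sockets = []
    for proc, f in entries:
        if "P" not in f or "n" not in f:
            continue                      # not an internet socket
        local, _, remote = f["n"].partition("->")
        sockets.append({
            "owner": f"{proc.get('c', '?')}:{proc.get('p', '?')}:{proc.get('L', '?')}",
            "proto": f["P"].lower(),      # lsof prints TCP/UDP, argus prints tcp/udp
            "local": split_endpoint(local),
            "remote": split_endpoint(remote) if remote else ("*", "*"),
        })
    return sockets

def build_index(sockets):
    """(proto, laddr, lport, raddr, rport) -> set of 'command:pid:user'."""
    index = defaultdict(set)
    for s in sockets:
        index[(s["proto"],) + s["local"] + s["remote"]].add(s["owner"])
    return index

def owners_of(index, proto, laddr, lport, raddr, rport):
    """Owners of laddr:lport as seen from raddr:rport: an exactly matching
    connected socket, or a listening/bound socket on that port (specific or
    wildcard address). Unbound '*:*' sockets never match a numeric port."""
    found = set(index.get((proto, laddr, lport, raddr, rport), ()))
    for addr in (laddr, "*"):
        found |= index.get((proto, addr, lport, "*", "*"), set())
    return found

def tag_flow(index, proto, saddr, sport, daddr, dport):
    """Owners of each end of the flow on this host. Loopback flows get both
    ends; shared descriptors (fork, socket activation) yield several owners
    for one end, which is reported rather than guessed away."""
    return {"src": sorted(owners_of(index, proto, saddr, sport, daddr, dport)),
            "dst": sorted(owners_of(index, proto, daddr, dport, saddr, sport))}

def tag_all(lsof_text=LSOF_F0, flows_csv=FLOWS):
    """Return [(flow line, label)], label like 'src=Finder:255:carter'."""
    index = build_index(parse_lsof(lsof_text))
    out = []
    for line in flows_csv.splitlines():
        tags = tag_flow(index, *line.split(","))
        label = " ".join(f"{end}={'|'.join(v)}" for end, v in tags.items() if v)
        out.append((line, label or "unknown"))
    return out

if __name__ == "__main__":
    for line, label in tag_all():
        print(f"{line:45} {label}")
```

Two things the sample is built to show. First, a socket can have more than one owner: launchd and cupsd both hold 127.0.0.1:631, and in Carter's own listing bash 80979 (the event script) shows argus's listening and established sockets because it inherited them, so the tag carries every owner rather than picking one. Second, the event is a periodic snapshot (every 10s in the quoted config), so a flow whose ephemeral port was reused between two snapshots can be mis-tagged; in practice the join should be restricted to flows that overlap the snapshot's timestamp. For the truncated command names Carter mentions, lsof's +c 0 option widens the COMMAND field, and the -F c field output is the easier thing to parse anyway.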