argus-clients-3.0.2.tar.gz with mysql support

Carter Bullard carter at qosient.com
Mon Mar 2 18:12:00 EST 2009 

Gentle people,
First pass at the new argus-clients distribution is on the dev server.
    ftp:/qosient.com/dev/argus-3.0/argus-clients-3.0.2.tar.gz

First pass because there will be modifications before its released,
as the user data analysis programs still need a little tweak.

This version addresses many problems, particularly those
relating to backward compatibility to argus-2.x streams.
I have not had a chance to directly test the changes on
some of the bugs on the list but I suspect that this version
should fix those backward compatibility bugs.

If you try the code, and it doesn't have your issue fixed,
please, please, please, send email, so that I can get those
issues dealt with.

I am pleased to say that the database programs, rasqlinsert()
and rasql() are mostly ready to go.   I don't have a manpage yet,
so hopefully the "-h" option will give you guidance.

I will be sending out sometime this week detail on the use of
rasqlinsert(), the format of the database url that is needed to
access database data, and the concepts of rasql() and why
its needed.

If you want to give rasqlinsert a run, like loading tables from
files, try these types of commands:

    rasqlinsert -r file -w mysql://user@host/db/table -m none

This will load the table 'db.table' with the records, and the
fields will be those that you would expect to be printed if
you had run ra against the file.  To modify the schema, just
use the "-s field" command.

The "-m none" removes any keys that rasqlinsert() may have
wanted to use based on your .rarc file, so MySQL won't
complain about DUPLICATE inserts into the table.

If you then run these programs:

    rasql -r mysql://user@host/db/table

        or

    rasqlinsert -r mysql://user@host/db/table

rasqlinsert() will look like ratop(), but its data will come from
the MySQL tables.

rasqlinsert pokes the actual binary record into the database,
along with ascii representations of the attributes.  This is
so programs like rasql() can get argus records, rather
than ascii text out of the database.  If you want to get rid
of the binary BLOBs, use "-s -record".  rasql(), when reading
this type of table, will just return, without any data.

A set of programs I use a lot are:

    rabins -S localhost -M time 30s -B 5s -w - | \
       rasqlinsert -r - -w mysql://user@host/ratop/flowTable -m none

This reads data from a live stream, holds it for 30s, aggregating
common records together, and then pokes it into the database
table.  This table will grow forever with argus records, but you can
see how something very simple like this can be the base of
a large flow system.

Hope all is most excellent, and thanks for all the help!!!!

Carter

Carter Bullard
CEO/President
QoSient, LLC
150 E 57th Street Suite 12D
New York, New York  10022

+1 212 588-9133 Phone
+1 212 588-9134 Fax

More information about the argus mailing list