New URL conventions
Carter Bullard
carter at qosient.com
Mon Mar 9 11:39:26 EDT 2009
Gentle people,
In the new clients distribution, there is support for accessing data
from
databases, and in the next wave, we will have additional transport
strategies for Argus, to support not only multiple unicast strategies
(tcp and udp),
but also multicasting of argus records to a group of collectors.
The idea is to modify the "-S" option to handle new transport
strategies, and
then to shift this strategy so that it is handled by the "-r" option,
so that we
don't have to continue to make a distinction between files or sockets.
Currently we support the '-S' option to read from remote servers. The
format
for this option is being extended to support additional transport
mechanisms,
and so the suggestion is to adopt a URI scheme that allows us to do
that. The
default should still be the same that we've been using.
The proposal is for the new format is:
-S [argus[-tcp | -udp]://]host[:port]
with these as examples:
-S localhost
-S argusServer:12345
-S argus://10.0.1.14
-S argus-tcp://10.1.1.4
(its amazing to realize that the IETF doesn't provide a means to
specify the transport strategy for protocols in a standard way using
URLs. I am
suggesting that we adopt a newest proposal from an internet-draft,
but its
not the best solution. that suggestion is to append the transport
as a "-proto"
after the service name).
The examples above specify the existing, TCP based transport strategy.
The examples below specify the UDP transport strategy. Our current
strategy for reading Cisco Netflow records can also be handled by this
scheme, and so I'll try to retire the "-C" option that we use for
cisco records.
-S argus-udp://10.3.5.46
-S argus-udp://any:561
-S argus-udp://224.1.34.4:23456
-S netflow://any:1669
The keyword 'any', allows us to receive multiple streams at the same
time,
or allow us to receive data for hosts that we are not configured for.
For argus and radium, to use these additional transport schemes, they
will
support 'writing' to remote sites using the '-w URI' option. The '-w'
option will
work the same as it does now, to write to files, but this will also
work:
-w argus-udp://224.1.34.4:23456
-w argus-udp://localhost
This is an extension of the new strategy to "write" and "read" to and
from
databases that use a mysql URI, "mysql://[user:pass@]host/db/table".
New options will be available to specify these target destinations in
the
/etc/argus.conf file.
# Argus can write its output to one or a number of remote hosts.
# The default limit is 5 concurrent output streams, each with their
# own independant filters.
#
# The format is:
# ARGUS_OUTPUT_STREAM="URI [filter]"
# ARGUS_OUTPUT_STREAN="argus-udp://host:port 'tcp and not udp'"
#
# Most sites will have argus listen() for remote sites to request
# argus data, but for some sites and applications sending records
without
# registration is desired. This option will cause argus to transmit
records
# that match the optional filter, to the configured targets using UDP
as the
# transport mechanism.
#
# Commandline equivalent -w argus-udp://host:port
#
#ARGUS_OUTPUT_STREAM=argus-udp://10.4.5.16:561
This is a suggestion, proposal, based on our prior work.
Of course, if you have any opinions, I'd love to hear them,
and nothing in this is final, so ....
What do you think?
Carter
More information about the argus
mailing list