Radium to multiple Argi on the same host
Phillip Deneault
deneault at WPI.EDU
Thu Aug 26 09:33:46 EDT 2010
Sorry, replying to this got lost in The Pile.
On 8/5/2010 4:07 PM, Carter Bullard wrote:
> String support for the srcid is not fully implemented, so I'll put that on
> the list of stuff to do in the short term.
> [deletia]
> Ethernet address of an interface? Is there another automatic unique
> identifier that a host/probe can present to an argus daemon at startup?
I wouldn't mind adding the interface name as a srcid 'macro' so I could
make srcids that look like '<hostname>-<iface>' (that would be ideal in
my case), but I could see an argument being made for using the capture
filter as well (to organize flows by data being filtered). Maybe the
thing that makes the most sense is to just make srcid capable of taking
an arbitrary alphanumeric string and then making ra* clients which build
the file and directories structures transform anything not alphanumeric
into a safe character? That way, people can just set it themselves
using whatever criteria suits them.
> Until we find other methods, hard coding is the best way to do it.
> I allocate srcid's using a 10.0.0.0 network address space, and hardcode
> the address into the argus.conf file for each probe.
> For argus records that don't have srcid's, or you want to change them,
> you should be able to use ranonymize() to set the srcid of all the records
> in a file to a specific value. That maybe useful?
That 10.0.0.0 trick is a good one and the one I'll probably use in the
meantime. If I do that, I can 'overload' this value for sensors in my
/16 by making the last two octets of the sensor's IP equivalent to the
middle two octets in the 10/8 address, then using the interface value as
the last octet in the 10/8. That makes a unique IP and maintains
pairing between records and the sensors that generated them without
needing a separate reference table.
Thanks,
Phil
More information about the argus
mailing list