argus transport options

Carter Bullard carter at qosient.com
Fri Feb 12 11:06:36 EST 2010


Gentle people,
in this next round of upgrades, I'm going to add UDP transport for argus
and radium, which allows us to provide connection-less transport, which
is good in wireless environments, and it provides for multicast for argus
records to many listeners in a single LAN.   This has been a very
successful strategy for us when deploying many analytic engines
against a single collection stream.

Configuring argus can be done either on the command line or in argus.conf.

# Argus can write its output to one or a number of remote hosts.
# The default limit is 5 concurrent output streams, each with their
# own independent filters.
#
# The format is:
#      ARGUS_OUTPUT_STREAM="URI [filter]"
#      ARGUS_OUTPUT_STREAM="argus-udp://host:port ' filter ' "
#
# Most sites will have argus listen() for remote sites to request
# argus data, but for some sites and applications sending records without
# registration is desired.  This option will cause argus to transmit records
# that match the optional filter, to the configured targets using UDP as the
# transport mechanism.
#
# Commandline equivalent   -w argus-udp://host:port
#

#ARGUS_OUTPUT_STREAM=argus-udp://10.4.5.16:561



The support for radium involves both reading and writing support.
For reading, the support is an extension to the RADIUM_ARGUS_SERVER
directive.  Here is the proposed entry I have for radium.conf.

#
# Radium can attach to any number of remote argus data sources,
# argi or radii. The syntax for this variable is a URI that
# specifies the URI schema, with transport,  the hostname or a
# dot notation IP address, followed by an optional port value,
# separated by a ':'.  If the URI format is not specified,
# the URI schema and transport mechanism are the default, argus://
# If the port is not specified, the default value of 561 is used.
#
# Commandline equivalent   -S argus://host[:port]
# Commandline equivalent   -S argus-tcp://host[:port]
# Commandline equivalent   -S argus-udp://host[:port]
# Commandline equivalent   -S host[:port]
#

RADIUM_ARGUS_SERVER=argus://amon:561

With this strategy, reading netflow records could use the -S option, with
something like:

# Commandline equivalent   -S <netflow-udp://[host:]port>

I'll add support for this syntax, and we'll see how it goes.

Some have suggested that the "-S" can be replaced with "-r".  I'll
look into that as well.



For writing:
# Radium can write its output to one or a number of remote hosts.
# The default limit is 5 concurrent output streams, each with their
# own independent filters.
#
# The format is:
#      RADIUM_OUTPUT_STREAM="URI [filter]"
#      RADIUM_OUTPUT_STREAM="argus-udp://host:port 'tcp and not udp'"
#
# Most sites will have argus listen() for remote sites to request
# argus data, but for some sites and applications sending records without
# registration is desired.  This option will cause argus to transmit records
# that match the optional filter, to the configured targets using UDP as the
# transport mechanism.
#
# Commandline equivalent   -w argus-udp://host:port
#

#RADIUM_OUTPUT_STREAM=argus-udp://224.0.23.40:561



Carter

Carter Bullard
CEO/President
QoSient, LLC
150 E 57th Street Suite 12D
New York, New York  10022

+1 212 588-9133 Phone
+1 212 588-9134 Fax
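
The URI rules from the radium.conf and output-stream comments above (default schema argus://, default port 561, optional quoted filter), written out as an added example; this is not code from argus or radium. The function names are hypothetical, and IPv6 literals and the proposed netflow-udp form are not handled.

```python
import ipaddress
import shlex

DEFAULT_SCHEME = "argus"   # radium.conf comment: default schema/transport is argus://
DEFAULT_PORT = 561         # radium.conf comment: default port
SCHEMES = {"argus", "argus-tcp", "argus-udp"}  # the -S forms listed in the post

def parse_source(spec):
    """Normalize a -S / RADIUM_ARGUS_SERVER value to (scheme, host, port)."""
    spec = spec.strip()
    scheme, sep, rest = spec.partition("://")
    if not sep:                       # bare "host[:port]" form
        scheme, rest = DEFAULT_SCHEME, spec
    if scheme not in SCHEMES:
        raise ValueError(f"unsupported scheme: {scheme!r}")
    host, sep, port = rest.partition(":")
    if not host:
        raise ValueError(f"missing host in {spec!r}")
    if not sep:
        return scheme, host, DEFAULT_PORT
    if not (port.isascii() and port.isdigit()) or not 1 <= int(port) <= 65535:
        raise ValueError(f"bad port in {spec!r}")
    return scheme, host, int(port)

def parse_output(value):
    """Split an *_OUTPUT_STREAM value, "URI [filter]", into its parts."""
    parts = shlex.split(value)        # honours the single-quoted filter
    if not parts:
        raise ValueError("empty output stream value")
    scheme, host, port = parse_source(parts[0])
    try:
        multicast = ipaddress.ip_address(host).is_multicast
    except ValueError:                # hostname, not a dotted address
        multicast = False
    return {"scheme": scheme, "host": host, "port": port,
            "filter": " ".join(parts[1:]).strip() or None,
            "multicast": multicast}

if __name__ == "__main__":
    # Hosts and addresses are taken from the post.
    for s in ("amon", "argus://amon:561", "argus-udp://10.4.5.16"):
        print(s, "->", parse_source(s))
    print(parse_output("argus-udp://224.0.23.40:561 'tcp and not udp'"))
```

The multicast flag lets a config check tell a single-host UDP target from a group address that every listener on the LAN can join.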


