Making rasplit apply interface-name prefixes to output files when reading from a radium instance that is hosting multiple argus sources

The Branches branchbunch at gmail.com
Thu Jun 9 16:48:33 EDT 2011 

Carter,

On a specific sensor host, I've been running multiple argus instances 
(one per sniffing interface) and then attaching a separate rasplit 
instance to each one to store hourly files on the local file system on a 
per-interface/per-hour basis (like /argus/06/12/eth3-10 for the June 
12th 10am file for the eth3 interface).  Due to some sporadic argus data 
file corruption issues I've been dealing with when attaching rasplit 
directly to an argus instance, I'm starting to wonder if it would be 
better to run a single argus instance that a single instance of radium 
attaches to, and then have a single rasplit instance attach to radium.   
I've figured out how to get one argus instance to monitor multiple 
interfaces and it doesn't look hard to get radium to attach to it.  The 
part I can't work out so far is how to get a single rasplit instance to 
prefix output filenames with the interface names.  I can see how to 
include the source identifier in the output filename by using \$srcid in 
the -w parameter of rasplit, but it appears that the source id is 
fundamentally an IP address and can't contain arbitrary text like "eth5".

What I'd like to do is something like this, where \$interface would 
expand to the interface name that argus collects each record on.  I'm 
not sure interface name data is actually stored in the argus record, though.
     rasplit -S 127.0.0.1:561 -M time 1h -w 
/argus/%m/%d/\$interface-%H-%M.arg

Or perhaps I could specify multiple filter and -w pairs, kind of like this
     rasplit -S 127.0.0.1:561 -M time 1h - "srcid 1.1.1.1" -w 
/argus/%m/%d/eth1-%H-%M.arg - "srcid 2.2.2.2" -w 
/argus/%m/%d/eth2-%H-%M.arg  - "srcid 3.3.3.3" -w 
/argus/%m/%d/eth3-%H-%M.arg
but that gives me a syntax error.

If what I am trying to do is not realistic or advisable to do with a 
single rasplit instance, I can certainly run one rasplit instance per 
interface, but I thought I'd ask first.  My primary goal is to eliminate 
argus data file corruption, and after that to keep things as simple as 
possible.

Kevin Branch

More information about the argus mailing list