Making rasplit apply interface-name prefixes to output files when reading from a radium instance that is hosting multiple argus sources

Carter Bullard carter at qosient.com
Fri Jun 10 08:27:21 EDT 2011


I suspect that if you go to argus-3.0.5 that this problem will go away, but did you get a chance to try the patch I sent?

Carter

On Jun 9, 2011, at 4:48 PM, The Branches <branchbunch at gmail.com> wrote:

> Carter,
> 
> On a specific sensor host, I've been running multiple argus instances (one per sniffing interface) and then attaching a separate rasplit instance to each one to store hourly files on the local file system on a per-interface/per-hour basis (like /argus/06/12/eth3-10 for the June 12th 10am file for the eth3 interface).  Due to some sporadic argus data file corruption issues I've been dealing with when attaching rasplit directly to an argus instance, I'm starting to wonder if it would be better to run a single argus instance that a single instance of radium attaches to, and then have a single rasplit instance attach to radium.   I've figured out how to get one argus instance to monitor multiple interfaces and it doesn't look hard to get radium to attach to it.  The part I can't work out so far is how to get a single rasplit instance to prefix output filenames with the interface names.  I can see how to include the source identifier in the output filename by using $srcid in the -w parameter of rasplit, but it appears that the source id is fundamentally an IP address and can't contain arbitrary text like "eth5".
> 
> What I'd like to do is something like this, where $interface would expand to the interface name that argus collects each record on.  I'm not sure interface name data is actually stored in the argus record, though.
>    rasplit -S 127.0.0.1:561 -M time 1h -w /argus/%m/%d/$interface-%H-%M.arg
> 
> Or perhaps I could specify multiple filter and -w pairs, kind of like this
>    rasplit -S 127.0.0.1:561 -M time 1h - "srcid 1.1.1.1" -w /argus/%m/%d/eth1-%H-%M.arg - "srcid 2.2.2.2" -w /argus/%m/%d/eth2-%H-%M.arg  - "srcid 3.3.3.3" -w /argus/%m/%d/eth3-%H-%M.arg
> but that gives me a syntax error.
> 
> If what I am trying to do is not realistic or advisable to do with a single rasplit instance, I can certainly run one rasplit instance per interface, but I thought I'd ask first.  My primary goal is to eliminate argus data file corruption, and after that to keep things as simple as possible.
> 
> Kevin Branch
> 
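Since the post notes that $srcid does work in the -w template while the source id is an IP address rather than an interface name, one practical workaround is to let a single rasplit write files named by $srcid and rename them afterwards using a srcid-to-interface table. The following is an added example, not code from the original post or from the argus project; it assumes rasplit was run with -w /argus/%m/%d/$srcid-%H-%M.arg, so that each hourly file's basename begins with the source IPv4 address, and the SRCID_TO_IFACE mapping and sample paths are constructed for illustration.

```python
import os
import re
from pathlib import Path

# Constructed mapping (assumption): the argus source id of each sensor
# interface, as an IPv4 address, and the interface name to put in its place.
SRCID_TO_IFACE = {
    "1.1.1.1": "eth1",
    "2.2.2.2": "eth2",
    "3.3.3.3": "eth3",
}

# Basename produced by: rasplit ... -w /argus/%m/%d/$srcid-%H-%M.arg
SRCID_NAME = re.compile(
    r"^(?P<srcid>\d{1,3}(?:\.\d{1,3}){3})-(?P<hhmm>\d{2}-\d{2})\.arg$"
)


def interface_name(path, mapping=SRCID_TO_IFACE):
    """Return the interface-prefixed path for a $srcid-named rasplit file.

    Returns None when the basename does not match the expected layout or the
    srcid is not in the mapping, so unrelated or already-renamed files are
    left untouched.
    """
    p = Path(path)
    m = SRCID_NAME.match(p.name)
    if not m:
        return None
    iface = mapping.get(m.group("srcid"))
    if iface is None:
        return None
    return str(p.with_name(f"{iface}-{m.group('hhmm')}.arg"))


def plan_renames(paths, mapping=SRCID_TO_IFACE):
    """Build a {source: target} plan, skipping unmappable files and any
    second source that would collide with a target already claimed."""
    plan = {}
    claimed = set()
    for path in paths:
        target = interface_name(path, mapping)
        if target is None or target in claimed:
            continue
        claimed.add(target)
        plan[path] = target
    return plan


def apply_renames(plan, dry_run=True):
    """Perform the renames; never overwrite a file that already exists."""
    done = []
    for src, dst in plan.items():
        if dry_run:
            print(f"{src} -> {dst}")
            done.append(dst)
        elif not os.path.exists(dst):
            os.rename(src, dst)
            done.append(dst)
    return done


if __name__ == "__main__":
    # Constructed sample of one hour's output: two mapped sources, one
    # unknown source, and one file that is already interface-named.
    sample = [
        "/argus/06/12/1.1.1.1-10-00.arg",
        "/argus/06/12/2.2.2.2-10-00.arg",
        "/argus/06/12/9.9.9.9-10-00.arg",
        "/argus/06/12/eth3-10-00.arg",
    ]
    apply_renames(plan_renames(sample))
```

Run it against the directory rasplit writes into once each hourly file is closed (for example from a cron job that lists the previous hour's directory); unknown source ids are deliberately left under their IP name so a newly added sensor interface is noticed rather than silently mislabelled.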