Making rasplit apply interface-name prefixes to output files when reading from a radium instance that is hosting multiple argus sources

Carter Bullard carter at qosient.com
Mon Jun 20 12:25:39 EDT 2011


Hey Kevin,
A response specific to your email, and where we are on the resolution of this:

The preferred way of doing this in argus-3.0 is to have a single argus running against all the interfaces of interest,
and assigning unique srcid's to the output, using the methods provided by argus.conf for "ARGUS_INTERFACE".

#  The syntax for specifying this either on the command line or in this file:
#     -i ind:all
#     -i dup:en0,en1/srcid
#     -i bond:en0,en1/srcid
#     -i dup:[bond:en0,en1],en2/srcid
#     -i en0/srcid -i en1/srcid  (equivalent '-i ind:en0/srcid,en1/srcid')
#     -i en0 en1     (equivalent '-i bond:en0,en1')

You assign unique srcid's for the separate streams of argus data that will be generated.
Srcid's can be IP addresses or integers, today, and I suggested a 4-byte char srcid to help in this effort.

You would collect this single stream of argus output data using radium(), if you want a dedicated collection
thread, either on the sensor, or on a separate collection system.  A single rasplit() would then connect to either argus()
or radium(), if you chose that route, and it would split the data appropriately.

Carter


On Jun 9, 2011, at 4:48 PM, The Branches wrote:

> Carter,
> 
> On a specific sensor host, I've been running multiple argus instances (one per sniffing interface) and then attaching a separate rasplit instance to each one to store hourly files on the local file system on a per-interface/per-hour basis (like /argus/06/12/eth3-10 for the June 12th 10am file for the eth3 interface).  Due to some sporadic argus data file corruption issues I've been dealing with when attaching rasplit directly to an argus instance, I'm starting to wonder if it would be better to run a single argus instance that a single instance of radium attaches to, and then have a single rasplit instance attach to radium.   I've figured out how to get one argus instance to monitor multiple interfaces and it doesn't look hard to get radium to attach to it.  The part I can't work out so far is how to get a single rasplit instance to prefix output filenames with the interface names.  I can see how to include the source identifier in the output filename by using $srcid in the -w parameter of rasplit, but it appears that the source id is fundamentally an IP address and can't contain arbitrary text like "eth5".
> 
> What I'd like to do is something like this, where $interface would expand to the interface name that argus collects each record on.  I'm not sure interface name data is actually stored in the argus record, though.
>    rasplit -S 127.0.0.1:561 -M time 1h -w /argus/%m/%d/$interface-%H-%M.arg
> 
> Or perhaps I could specify multiple filter and -w pairs, kind of like this
>    rasplit -S 127.0.0.1:561 -M time 1h - "srcid 1.1.1.1" -w /argus/%m/%d/eth1-%H-%M.arg - "srcid 2.2.2.2" -w /argus/%m/%d/eth2-%H-%M.arg  - "srcid 3.3.3.3" -w /argus/%m/%d/eth3-%H-%M.arg
> but that gives me a syntax error.
> 
> If what I am trying to do is not realistic or advisable to do with a single rasplit instance, I can certainly run one rasplit instance per interface, but I thought I'd ask first.  My primary goal is to eliminate argus data file corruption, and after that to keep things as simple as possible.
> 
> Kevin Branch
> 
> 
> 
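As an added example (not from Carter's or Kevin's mail, and not argus project code), the shell functions below render the single-argus interface spec and the rasplit invocation Carter describes from one interface/srcid table, and map a srcid back to its interface name so files that rasplit names by srcid can be placed into Kevin's per-interface layout. The interface names, srcid values, radium port and output path come from Kevin's message; the table and the three functions are hypothetical helpers.

```shell
# Constructed mapping, one line per sniffing interface: "<interface> <srcid>".
# The names and srcid values are the ones Kevin used in his mail.
IFACE_TABLE='eth1 1.1.1.1
eth2 2.2.2.2
eth3 3.3.3.3'

# Render the "-i ind:eth1/1.1.1.1,eth2/2.2.2.2,..." argument: one argus process
# reads every interface independently and tags each stream with its own srcid
# (the "ind:" form from the argus.conf comment Carter quoted).
argus_interface_arg() {
    spec=$(printf '%s\n' "$IFACE_TABLE" |
        awk '{ printf "%s%s/%s", sep, $1, $2; sep = "," }')
    printf '%s' "-i ind:$spec"
}

# rasplit reads the merged stream from radium (port 561 in Kevin's setup) and
# writes one hourly file per srcid. '$srcid' stays literal so that rasplit,
# not the shell, expands it.
rasplit_cmd() {
    printf "rasplit -S 127.0.0.1:561 -M time 1h -w '/argus/%%m/%%d/\$srcid-%%H-%%M.arg'\n"
}

# Reverse lookup: given a srcid, print the interface it was assigned to, so a
# post-processing step can link /argus/06/12/3.3.3.3-10-00.arg to eth3-10.
# Exits non-zero for a srcid that is not in the table.
iface_for_srcid() {
    printf '%s\n' "$IFACE_TABLE" |
        awk -v id="$1" '$2 == id { print $1; found = 1 } END { exit !found }'
}
```

Running `argus $(argus_interface_arg)` and `eval "$(rasplit_cmd)"` reproduces the single-argus, single-rasplit arrangement; an unknown srcid in the output directory shows up as a failed `iface_for_srcid` lookup rather than a silently mislabelled file.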
