Argus Filter Question
John Gerth
gerth at graphics.stanford.edu
Tue May 17 17:46:04 EDT 2011
On 5/17/2011 2:39 PM, Leif Tishendorf wrote:
> Carter,
>
> I'm at a bit of a loss for filtering here. I can't seem to get anything to stop logging no matter where I put it. Currently I'm running rasplit like this:
>
> rasplit -M time 10m -w /var/log/argus/%Y/%m/%d/argus.%Y.%m%d.%H.%M.%S -S localhost:565 -d - not man or not encaps gre or not ip proto gre
>
Look at your filter and think about the logic... you've basically set up mutually exclusive conditions, and so everything will pass. For example, a "man" flow is "not encaps gre" and so will be included.
What you wanted, I think, was:
'not (man or encaps gre or ip proto gre)'
Make sure to put it in quotes to keep the shell from interpreting the ()'s.
--
John Gerth gerth at graphics.stanford.edu Gates 378 (650) 725-3273 fax 723-0033
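As an added illustration (not part of the thread, and not argus code), the following Python models the two rasplit filter expressions as predicates over constructed flow records. The field names (man, encaps_gre, proto) are this example's own simplification, not argus's record layout; the point is to check the logic exhaustively rather than by eye: the posted disjunction of negations drops a record only when it is a management record, GRE-encapsulated, and ip proto gre all at once, while the negated disjunction drops each of those three classes.

```python
from itertools import product

# Protocol values used for the exhaustive comparison (constructed list).
PROTOS = ("gre", "tcp", "udp", "icmp")


def make_flow(man=False, encaps_gre=False, proto="tcp"):
    """Constructed flow record carrying only the three attributes the
    filters test. Assumed field names, not argus's real schema."""
    return {"man": man, "encaps_gre": encaps_gre, "proto": proto}


def original_filter(flow):
    """The filter as posted: not man or not encaps gre or not ip proto gre.
    A record is dropped only if all three negated terms are false at once,
    i.e. it is man AND encaps gre AND ip proto gre."""
    return (not flow["man"]) or (not flow["encaps_gre"]) or (flow["proto"] != "gre")


def corrected_filter(flow):
    """The suggested filter: not (man or encaps gre or ip proto gre).
    Drops a record if ANY of the three conditions holds."""
    return not (flow["man"] or flow["encaps_gre"] or flow["proto"] == "gre")


def apply_filter(pred, flows):
    """Return the records the predicate would let rasplit write out."""
    return [f for f in flows if pred(f)]


def dropped_by(pred):
    """Enumerate every combination of the three attributes and return the
    records the predicate rejects, so the two filters can be compared over
    the whole input space instead of a few samples."""
    combos = (make_flow(m, e, p)
              for m, e, p in product((False, True), (False, True), PROTOS))
    return [f for f in combos if not pred(f)]


# Constructed sample records mirroring the three things the poster wanted
# to exclude, plus one ordinary flow that should survive.
SAMPLE_FLOWS = [
    make_flow(man=True, proto="none"),        # argus management record
    make_flow(encaps_gre=True, proto="tcp"),  # TCP flow carried inside GRE
    make_flow(proto="gre"),                   # the GRE tunnel flow itself
    make_flow(proto="tcp"),                   # plain TCP flow: the only keeper
]


def compare(flows=SAMPLE_FLOWS):
    """Count how many of the sample records each filter keeps."""
    return {
        "original": len(apply_filter(original_filter, flows)),
        "corrected": len(apply_filter(corrected_filter, flows)),
    }


if __name__ == "__main__":
    print(compare())
    print("only record the posted filter drops:", dropped_by(original_filter))
    print("records the corrected filter drops:", len(dropped_by(corrected_filter)))
```

Running it shows the posted filter keeping all four samples and, over all 16 attribute combinations, rejecting exactly the one record that is simultaneously man, encaps gre and proto gre; the corrected filter keeps only the plain TCP flow. The same De Morgan rewrite applies to any `not A or not B or not C` filter a reader meant as `not (A or B or C)`.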