Argus Filter Question
Leif Tishendorf
ltishend at gmail.com
Tue May 17 17:51:29 EDT 2011
I was afraid it was something like that. I never claimed to be smart.
Thanks for the help, John.
--Leif
On 05/17/2011 02:46 PM, John Gerth wrote:
> On 5/17/2011 2:39 PM, Leif Tishendorf wrote:
>> Carter,
>>
>> I'm at a bit of a loss for filtering here. I can't seem to get anything to stop logging no matter where I put it. Currently I'm running rasplit like this:
>>
>> rasplit -M time 10m -w /var/log/argus/%Y/%m/%d/argus.%Y.%m%d.%H.%M.%S -S localhost:565 -d - not man or not encaps gre or not ip proto gre
>>
>
> Look at your filter and think about the logic... you've basically set up mutually exclusive conditions and
> so everything will pass. For example a "man" flow is "not encaps gre" and so will be included.
>
> What you wanted I think was:
>
> 'not (man or encaps gre or ip proto gre)'
>
> make sure to put in quotes to keep the shell from interpreting the ()'s.
>
>
--
--Leif
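To make the logic point in the reply concrete, here is an added example that is not part of the original thread or of the argus tools. It models the two filter expressions as Python predicates over constructed flow records (the field names `man`, `encaps_gre` and `ip_proto_gre` are stand-ins for the argus filter keywords, and the records are made up for illustration) and shows that the original `not A or not B or not C` form keeps every realistic flow, while `not (A or B or C)` keeps only the flows that match none of the three conditions.

```python
"""Compare two argus-style filter expressions on constructed flow records.

Added example: the records below are constructed, not real argus output, and
the predicates stand in for the filter strings passed to rasplit.
"""

# Constructed flows: one matching each excluded condition, one plain TCP flow,
# and one impossible record where all three conditions hold at once.
FLOWS = [
    {"id": "man",       "man": True,  "encaps_gre": False, "ip_proto_gre": False},
    {"id": "gre-encap", "man": False, "encaps_gre": True,  "ip_proto_gre": False},
    {"id": "gre-proto", "man": False, "encaps_gre": False, "ip_proto_gre": True},
    {"id": "tcp",       "man": False, "encaps_gre": False, "ip_proto_gre": False},
    {"id": "all-three", "man": True,  "encaps_gre": True,  "ip_proto_gre": True},
]


def original_filter(flow):
    """'not man or not encaps gre or not ip proto gre'.

    Only false when man AND encaps gre AND ip proto gre are all true, which
    no real flow satisfies, so in practice every record passes.
    """
    return (not flow["man"]) or (not flow["encaps_gre"]) or (not flow["ip_proto_gre"])


def corrected_filter(flow):
    """'not (man or encaps gre or ip proto gre)'.

    False as soon as any one of the three conditions is true, which is the
    exclusion the original poster wanted.
    """
    return not (flow["man"] or flow["encaps_gre"] or flow["ip_proto_gre"])


def kept(filter_fn, flows=FLOWS):
    """Return the ids of the flows a filter lets through (would be logged)."""
    return [f["id"] for f in flows if filter_fn(f)]


def dropped(filter_fn, flows=FLOWS):
    """Return the ids of the flows a filter excludes."""
    return [f["id"] for f in flows if not filter_fn(f)]


if __name__ == "__main__":
    for name, fn in (("original", original_filter), ("corrected", corrected_filter)):
        print(f"{name:9s} keeps={kept(fn)} drops={dropped(fn)}")
```

Running the script shows the original expression dropping only the impossible "all-three" record, while the corrected one keeps just the plain TCP flow. The same De Morgan equivalence applies to the shell-quoting advice: the parentheses that make the corrected form work are exactly why the expression has to be quoted before the shell sees it.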