country and city code with ralabel and GeoIP (argus-client-3.0.6.2)

Carter Bullard carter at qosient.com
Mon Aug 13 11:04:52 EDT 2012


Hey Harika,
The generic city related information is added to the flow record's label as an ascii metadata string,
so there aren't specific city, zip or state fields to print, at least not today.  To filter on the field contents,
you use the " -e <regex> " option to specify the field contents you're looking for.

We do have support for country codes, which can come from various databases, and support
for AS numbers, which comes from the GEOIP library, right now (if you have the right databases
in place).  As a result, you should get values when you print out the sco, dco, sas, and das
independent of the extended city data.

What output are you getting when you print out these fields and the labels?

   ra -s sco dco sas das label:64

Carter



On Aug 13, 2012, at 10:50 AM, Harika Tandra wrote:

> Hi Carter,
> 
> I am using argus-clients-3.0.6.2. I see that ralabel is not working with GeoIPCity database. 
> I am able to get AS information but not City related information. I am using the 
> following commands: 
> 
> /usr/local/bin/ralabel -f /etc/ralabel.conf -S localhost -s sas das sco dco scity dcity
> 
> and 
> 
> /usr/local/bin/ralabel -f /etc/ralabel.conf -S localhost -w - | /usr/local/bin/ra -s sco dco sas das
> 
> 
> And my ralabel.conf file is :
> 
> RALABEL_GEOIP_ASN=yes
> RALABEL_GEOIP_ASN_FILE="/usr/local/share/GeoIP/GeoIPASNum.dat"
> RALABEL_GEOIP_CITY="saddr,daddr:cco,cco3,city,lat,lon"
> RALABEL_GEOIP_CITY_FILE="/usr/local/share/GeoIP/GeoIPCity.dat"
> 
> 
> Please let me know if you are observing the same or maybe something wrong at my end.
> 
> Thanks,
> Harika Tandra.
> 
> 
> 
> 
> ----------------------------------------------------------
> Harika Tandra
> Research Associate (Software Engineer)
> GLORIAD, ISSE
> 311 Conference Center Building
> University of Tennessee 
> htandra at gloriad.org
> htandra at utk.edu
> 
> 
> 
> 
