Best way to use ARGUS_OUTPUT_STREAM

Carter Bullard carter at qosient.com
Fri Aug 24 09:50:39 EDT 2012


Hey Will,
The preferred way of collecting from multiple argi is to use radium(), regardless of whether
argus is pushing data using the argus-udp transport or if it's being pulled using the argus-tcp
transport.   Then you use other ra* programs, like rasplit() or rastream(), to read the data from
radium() and say, generate an archive if that is what you want to do.

radium() is designed to act as the central collector.   It can read from a large number of
argus data servers, and it merges the streams and offers the single output stream to a large
number of ra* clients.  radium() can collect from any supported flow format concurrently,
so you can read pushed and pulled data, argus and netflow, jflow, flow-tools, at the same time.

The -S option is just the 'S'erver option, where you can specify the style of transport the remote
flow data server is using.  Do this (given your example):

   ra -S argus-udp://my.central.collector.net:561

to test if you can read your pushed argus flow.  Of course you need to be on my.central.collector.net
for this to work ;O)

You can specify the multiple sources on the command line, or you can use the /etc/radium.conf strategy.
Configuring radium() to read the multiple sources should be straightforward using
the RADIUM_ARGUS_SERVER variables in the configuration file.  The sample
radium.conf file describes how to configure radium to read the argus-udp stream that your argi
are pushing.

Give radium() a try, and if you have any problems, don't hesitate to send to the list !!!!

Carter 

On Aug 23, 2012, at 3:45 PM, Will Urbanski <will.urbanski at gmail.com> wrote:

> Hello,
> 
> What is the best (preferred) method to use ARGUS_OUTPUT_STREAM in Argus? We have multiple remote argus installations that we would like to transmit argus flow-data to a central collector. It seems like this is feasible using the argus-udp option in -w on the remote argii, i.e., argus -i eth1 -w argus-udp://my.central.collector.net:561. However, when running an argus installation on my.central.collector.net w/ -B and -P561 it does not seem to collect the data. What would be the preferred way to "push" argus data from the sensors to a central location? It seems like the -S option is designed to "pull" information, which we want to avoid.
> 
> Thanks in advance,
> 
> Will
