Best way to use ARGUS_OUTPUT_STREAM
Will Urbanski
will.urbanski at gmail.com
Fri Aug 24 18:50:26 EDT 2012
Thanks for the quick feedback, Carter! In the example below you mentioned
that ra -S argus-udp://my.central.collector.net:561 can be used for RA to
remotely connect and read from an argus or radium service. Would the proper
configuration on the argus instance be:
argus -i eth0 -w argus-udp://my-ra-addr:561
or
argus -i eth0 -B -P561
It's still not clear to me what needs to be run to receive the output of
"argus -w argus-udp://collector:561". When -B is used on radium or argus
it seems to open a TCP socket, not a UDP socket. Maybe I am not reading it
correctly, but it seems like RADIUM_ARGUS_SERVER in radium.conf is designed
to read directly from the argus/radium install itself, not to receive
"pushed" data.
Thanks again, really appreciate the assistance.
Will
On Fri, Aug 24, 2012 at 9:50 AM, Carter Bullard <carter at qosient.com> wrote:
> Hey Will,
> The preferred way of collecting from multiple argi is to use radium(),
> regardless of whether argus is pushing data using the argus-udp transport
> or if it's being pulled using the argus-tcp transport. Then you use other
> ra* programs, like rasplit() or rastream(), to read the data from radium()
> and say, generate an archive if that is what you want to do.
>
> radium() is designed to act as the central collector. It can read from a
> large number of argus data servers, and it merges the streams and offers
> the single output stream to a large number of ra* clients. radium() can
> collect from any supported flow format concurrently, so you can read pushed
> and pulled data, argus and netflow, jflow, flow-tools, at the same time.
>
> The -S option is just the 'S'erver option, where you can specify the style
> of transport the remote flow data server is using. Do this (given your
> example):
>
> ra -S argus-udp://my.central.collector.net:561
>
> to test if you can read your pushed argus flow. Of course you need to be
> on my.central.collector.net for this to work ;O)
>
> You can specify on the command the multiple sources, or you can use the
> /etc/radium.conf strategy. Configuring radium() to read the multiple
> sources should be straightforward using the RADIUM_ARGUS_SERVER variables
> in the configuration file. The sample radium.conf file describes how to
> configure radium to read the argus-udp stream that your argi are pushing.
>
> Give radium() a try, and if you have any problems, don't hesitate to send
> to the list!!!!
>
> Carter
>
> On Aug 23, 2012, at 3:45 PM, Will Urbanski <will.urbanski at gmail.com> wrote:
>
> > Hello,
> >
> > What is the best (preferred) method to use ARGUS_OUTPUT_STREAM in Argus?
> > We have multiple remote argus installations that we would like to transmit
> > argus flow-data to a central collector. It seems like this is feasible
> > using the argus-udp option in -w on the remote argi, i.e., argus -i eth1 -w
> > argus-udp://my.central.collector.net:561. However, when running an argus
> > installation on my.central.collector.net w/ -B and -P561 it does not seem
> > to collect the data. What would be the preferred way to "push" argus data
> > from the sensors to a central location? It seems like the -S option is
> > designed to "pull" information, which we want to avoid.
> >
> > Thanks in advance,
> >
> > Will
--
Will Urbanski
(540) 521-5646
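An added check, not from this thread, for the confusion above about -B opening a TCP rather than a UDP socket: it parses the output of `ss -lntup` taken on the collector host and reports whether anything is actually bound to UDP/561, which is where `argus -w argus-udp://collector:561` sends its datagrams, as opposed to a TCP listener that only serves pulling clients. The two ss outputs below are constructed for the example, and the process names, pids and the assumption that radium serves on 562 are mine, not taken from the thread.

```python
import re
from typing import Dict, List, Tuple

# First process name in an ss -p column such as users:(("argus",pid=1234,fd=5))
_PROC = re.compile(r'\(\("([^"]+)",pid=\d+')

def parse_ss(text: str) -> List[Tuple[str, str, int, str]]:
    """Parse `ss -lntup` output into (proto, addr, port, process) tuples."""
    sockets = []
    for line in text.splitlines():
        fields = line.split()
        if len(fields) < 5 or fields[0] not in ("tcp", "udp"):
            continue  # header line or other socket families
        addr, _, port = fields[4].rpartition(":")  # also handles [::]:561 and *:561
        match = _PROC.search(line)
        sockets.append((fields[0], addr, int(port), match.group(1) if match else ""))
    return sockets

def collector_status(text: str, port: int = 561) -> Dict[str, List[str]]:
    """Names of the processes holding TCP and UDP sockets on the collector port."""
    status: Dict[str, List[str]] = {"tcp": [], "udp": []}
    for proto, _addr, p, process in parse_ss(text):
        if p == port:
            status[proto].append(process)
    return status

def diagnose(text: str, port: int = 561) -> str:
    """One-line verdict on whether argus-udp data pushed to this host has a receiver."""
    st = collector_status(text, port)
    if st["udp"]:
        return f"udp/{port} bound by {st['udp']}: pushed argus-udp data has a receiver"
    if st["tcp"]:
        return (f"only tcp/{port} bound by {st['tcp']}: clients can pull with ra -S, "
                "but argus-udp datagrams sent to this port have no receiver")
    return f"nothing bound on port {port}"

# Constructed ss -lntup output for a collector started with `argus -B -P561` (TCP only).
SS_ARGUS_B = """\
Netid State  Recv-Q Send-Q Local Address:Port Peer Address:Port Process
tcp   LISTEN 0      5      0.0.0.0:561        0.0.0.0:*         users:(("argus",pid=1410,fd=7))
udp   UNCONN 0      0      127.0.0.1:323      0.0.0.0:*         users:(("chronyd",pid=690,fd=5))
"""
# Constructed output for the same host once radium reads argus-udp on 561 (assumed to serve on 562).
SS_RADIUM_UDP = """\
Netid State  Recv-Q Send-Q Local Address:Port Peer Address:Port Process
udp   UNCONN 0      0      0.0.0.0:561        0.0.0.0:*         users:(("radium",pid=2207,fd=6))
tcp   LISTEN 0      5      0.0.0.0:562        0.0.0.0:*         users:(("radium",pid=2207,fd=8))
"""
```

Run `diagnose(open("ss.txt").read())` against real `ss -lntup` output from the collector to see which of the two situations you are in.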