Best way to use ARGUS_OUTPUT_STREAM

Carter Bullard carter at qosient.com
Wed Aug 29 13:39:29 EDT 2012


Hey Will,
Sorry for the delayed response. OK, argus writes data, ra* programs read argus data.

The "-B" option in argus and radium is a Bind directive, which applies to socket listens.
You use the -B option to limit how ra* programs can read argus data. Doesn't seem like you should
use this option in the way you are trying to use it. The -B option wants an argument, so argus
is taking the "-P561" as the bind address. Interesting that it's not complaining .... This is what I get when
I run argus the way you are:

MeinTing:~ carter$ argus -B -P561
Aug 29 13:31:30 MeinTing.local argus[5923] <Error>: 29 Aug 12 13:31:30.633106 bind address -P561 unknown

To receive the "argus-udp" output do this:

   ra -S argus-udp://collector:561 

or in the radium.conf file:

   RADIUM_ARGUS_SERVER=argus-udp://collector:561


This will read from the UDP socket for packets headed to collector on port 561.
Normally you would have to be on the collector to read this data, unless collector
maps to a multicast address.


SO, argus writes the data, ra* programs read the data:

   argus -w argus-udp://collector:561
   ra -S argus-udp://collector:561

The only variation is that radium can also write data using the argus-udp transport:
   radium -S argus-udp://collector:561 -w argus-udp://other.collector:561

Hope this is helpful !!!!!

Carter

On Aug 24, 2012, at 6:50 PM, Will Urbanski <will.urbanski at gmail.com> wrote:

> Thanks for the quick feedback Carter! In the example below you mentioned that ra -S argus-udp://my.central.collector.net:561 can be used for RA to remotely connect and read from an argus or radium service. Would the proper configuration on the argus instance be:
> 
> argus -i eth0 -w argus-udp://my-ra-addr:561
> 
> or
> 
> argus -i eth0 -B -P561
> 
> It's still not clear to me what needs to be run to receive the output of "argus -w argus-udp://collector:561". When -B is used on radium or argus it seems to open a TCP socket, not a UDP socket. Maybe I am not reading it correctly, but it seems like RADIUM_ARGUS_SERVER in radium.conf is designed to read directly from the argus/radium install itself, not to receive "pushed" data.
> 
> Thanks again, really appreciate the assistance.
> 
> Will
> 
> 
> 
> On Fri, Aug 24, 2012 at 9:50 AM, Carter Bullard <carter at qosient.com> wrote:
> Hey Will,
> The preferred way of collecting from multiple argi is to use radium(), regardless of whether
> argus is pushing data using the argus-udp transport or if it's being pulled using the argus-tcp
> transport. Then you use other ra* programs, like rasplit() or rastream(), to read the data from
> radium() and, say, generate an archive if that is what you want to do.
> 
> radium() is designed to act as the central collector.   It can read from a large number of
> argus data servers, and it merges the streams and offers the single output stream to a large
> number of ra* clients.  radium() can collect from any supported flow format concurrently,
> so you can read pushed and pulled data, argus and netflow, jflow, flow-tools, at the same time.
> 
> The -S option is just the 'S'erver option, where you can specify the style of transport the remote
> flow data server is using.  Do this (given your example):
> 
>    ra -S argus-udp://my.central.collector.net:561
> 
> to test if you can read your pushed argus flow.  Of course you need to be on my.central.collector.net
> for this to work ;O)
> 
> You can specify the multiple sources on the command line, or you can use the /etc/radium.conf strategy.
> Configuring radium() to read the multiple sources should be straightforward using
> the RADIUM_ARGUS_SERVER variables in the configuration file. The sample
> radium.conf file describes how to configure radium to read the argus-udp stream that your argi
> are pushing.
> 
> Give radium() a try, and if you have any problems, don't hesitate to send to the list !!!!
> 
> Carter
> 
> On Aug 23, 2012, at 3:45 PM, Will Urbanski <will.urbanski at gmail.com> wrote:
> 
> > Hello,
> >
> > What is the best (preferred) method to use ARGUS_OUTPUT_STREAM in Argus? We have multiple remote argus installations that we would like to transmit argus flow-data to a central collector. It seems like this is feasible using the argus-udp option in -w on the remote argii, i.e., argus -i eth1 -w argus-udp://my.central.collector.net:561. However, when running an argus installation on my.central.collector.net w/ -B and -P561 it does not seem to collect the data. What would be the preferred way to "push" argus data from the sensors to a central location? It seems like the -S option is designed to "pull" information, which we want to avoid.
> >
> > Thanks in advance,
> >
> > Will
> 
> 
> 
> 
> -- 
> Will Urbanski
> (540) 521-5646
> 
> 
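The push topology discussed in this thread, wired end to end as a small deployment script. This is an added example, not code from the thread or from the argus project; the collector hostname collector.example.net, the capture interface eth1, radium's access port 562, and the archive path /var/argus/archive are assumptions.

```shell
#!/bin/sh
# Added example (not from the thread): sensors push with argus-udp, radium receives
# and merges on the collector, rasplit archives the merged stream.
# Assumed values: collector hostname, interface, radium port and archive root.
set -eu

COLLECTOR=collector.example.net   # assumed central collector hostname
PUSH_PORT=561                     # UDP port the sensors push to (as in the thread)
RADIUM_PORT=562                   # assumed TCP port radium serves ra* clients on
ARCHIVE=/var/argus/archive        # assumed archive root

# Sensor side: argus captures on an interface and pushes records over UDP.
# Note that "-B -P561" on the collector is not a receiving mode: -B only binds
# the address that ra* clients may connect to when pulling from that argus.
sensor_push_cmd() {
    printf 'argus -i %s -w argus-udp://%s:%s' "$1" "$COLLECTOR" "$PUSH_PORT"
}

# Collector side: one RADIUM_ARGUS_SERVER line per source. The argus-udp entry
# receives everything the sensors push; each extra argument is a host radium
# pulls from over argus-tcp, so pushed and pulled data merge in one stream.
collector_radium_conf() {
    printf 'RADIUM_ARGUS_SERVER=argus-udp://%s:%s\n' "$COLLECTOR" "$PUSH_PORT"
    for pulled in "$@"; do
        printf 'RADIUM_ARGUS_SERVER=argus-tcp://%s:%s\n' "$pulled" "$PUSH_PORT"
    done
}

# Downstream: rasplit reads radium's merged stream and writes 5-minute files.
archive_cmd() {
    printf 'rasplit -S localhost:%s -M time 5m -w %s/%%Y/%%m/%%d/argus.%%H.%%M.%%S' \
        "$RADIUM_PORT" "$ARCHIVE"
}

# Quick check from the collector, as suggested in the thread: if records print,
# the sensors' pushes are arriving on the UDP port.
check_cmd() {
    printf 'ra -S argus-udp://%s:%s' "$COLLECTOR" "$PUSH_PORT"
}

if [ "${1:-}" = "show" ]; then      # dry run: print what would be deployed
    echo "sensor:      $(sensor_push_cmd eth1)"
    echo "radium.conf:"; collector_radium_conf sensor2.example.net
    echo "collector:   radium -F /etc/radium.conf -P $RADIUM_PORT"
    echo "archive:     $(archive_cmd)"
    echo "check:       $(check_cmd)"
fi
```

Run with `sh deploy.sh show` to print the sensor, collector and archive commands for review before starting anything.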
