Collecting multiple types of information at once

Martijn van Oosterhout kleptog at gmail.com
Thu Aug 30 06:06:08 EDT 2012


On 30 August 2012 09:11, Martijn van Oosterhout <kleptog at gmail.com> wrote:
> On 30 August 2012 01:39, Carter Bullard <carter at qosient.com> wrote:
>> Hey Martijn,
>> One thing to consider is the " cont " directive that you can use in racluster.conf.  It may do some of what you are interested in.
>
> Now that is interesting. I don't see "cont" mentioned in the man pages
> I found online but I will have to check if that works. Do you know
> from which version it is available?

Ok, so I've played with this and "cont" seems to work as advertised.
However, other bits not so much. For example, with rasplit I get an
error:

rasplit -M time 5m -r argus.2012.08.29.15.00.07.gz -w - | racluster '-c|' -f /tmp/filtertest -s stime saddr dir daddr pkts bytes -nn | less

Gives the error:
rasplit[1644]: 30 Aug 12 11:54:28
ArgusWriteNewLogfile(-.2012.08.29.14.05.00, 0xfcebb00c) fwrite error
Bad file descriptor

What I would have expected to happen is the clustering to break on
5-minute intervals. From the documentation this is what I expect to
happen.

(By the way, the -c option seems to fix all problems with respect to
field widths).

Also, the documentation on the web site, specifically the man pages,
seems to be missing stuff. The racluster.conf has a paragraph that ends
with "These filters are" and then nothing.

Anyway, there doesn't appear to be a way to label the output flows, or
at least not in a way you can print. And it's a bit odd to try to
detect it like "if dest is 0.0.0.0 then it was the saddr flow".
Ralabel looks promising, but doesn't seem quite right.

Any more tips? It seems almost within reach now.

Thanks in advance,
-- 
Martijn van Oosterhout <kleptog at gmail.com> http://svana.org/kleptog/