Quick question or two about Argus

Carter Bullard carter at qosient.com
Mon Jul 30 20:31:55 EDT 2012


Hey Craig,
Answers in line.
Carter

On Jul 30, 2012, at 7:38 PM, Craig Merchant <cmerchant at responsys.com> wrote:

> Hi.  My name is Craig Merchant.  I’m in charge of implementing a security monitoring solution using Argus.  I’ve got a few questions for you if you’ve got a second…
>  
> 1. The documentation says rabins supports time prefixes in the output file name (%Y,%m, etc.).  In my experience on CentOS, it writes those as a literal string.

Not sure how you're calling rabins, such that the strftime() directives in the output file are not being done.
Just in case, you do need to indicate the time period, so that the logic knows to do the substitution.

   rabins -M time 1d -w argus_%Y_%m_%d

> 2. Is there any benefit to having rabins forward the data from the sensor to radium in a multi-sensor environment?

The preferred strategy would be to do the rabins() at the end of the data flow.  So it could be
argus -> radium -> .... -> rabins

> 3. Ratop complains that it wasn’t compiled with ncurses support (ncurses-5.5-24.20060715 is installed).  -M nocurses works, but I get the impression that’s not very efficient…  I tried the “make clobber” step you recommended, but no luck.

When you run ./configure, the output will state if curses was found in the search paths.  You can search
the file ./include/argus-config.h to see what it's saying about CURSES.  If it's defined, then you won't get
the error message.   ratop without the curses window isn't really very gratifying, so try to figure out why
./configure isn't finding ncurses.

> 4. What other ra commands/fields/switches does ratop support?

ratop is an aggregator, so it does everything that racluster() can do, it can sort, so it does all that rasort() does, and it can print every field that ra* programs support, and a few others.  Type ' :h ' and you'll get a help screen.  If that doesn't do it for you, send some more email, and we'll add to that screen.

> 5. When I tried following the video for ratop, I see you specify “-M rmon”.  When I tried that, I get:  ArgusClientInit: ArgusNewAggregator error

When you report a bug, we need at least how it was called, to see what the issues might be.

> 6. Using rasplit and specifying $saddr in the output file path ends up with a directory named %T.00000.  Same with $daddr
>  

This error is sometimes caused by the shell, which wants to interpret the ' $ ' as special.  Escape the ' $ ' using ' \$ '.

> Thanks!
>  
Hopefully this is helpful!!


> Craig

Carter
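
The quoting issue from answer 6, as an added example that is not part of the original message or of the Argus distribution: it shows what an ra* client would receive as its -w template under three quoting styles. The helper names and the /archive path are assumptions made for the illustration.

```shell
#!/bin/sh
# Added example. template_keeps_token and show are hypothetical helpers,
# not part of the Argus clients; /archive is a constructed path.

# Succeeds if the -w template, as the ra* program would receive it in argv,
# still contains the literal field token (for example '$saddr').
template_keeps_token() {
    case $1 in
        *"$2"*) return 0 ;;
        *)      return 1 ;;
    esac
}

# Print what the program would see and whether the token survived the shell.
show() {
    if template_keeps_token "$2" '$saddr'; then
        printf '%-14s %s  (token intact)\n' "$1" "$2"
    else
        printf '%-14s %s  (token consumed by the shell)\n' "$1" "$2"
    fi
}

# Stand-in for the usual case where the shell has no variable called saddr
# (an unset variable expands to the empty string as well).
saddr=""

# Double quotes: the shell substitutes $saddr (empty) before the program runs.
# The strftime directives are untouched, since % is not special to the shell.
double_quoted="/archive/$saddr/argus_%Y_%m_%d"
# Backslash escape, as suggested in the reply above.
escaped="/archive/\$saddr/argus_%Y_%m_%d"
# Single quotes: nothing inside is expanded.
single_quoted='/archive/$saddr/argus_%Y_%m_%d'

show 'double quotes' "$double_quoted"
show 'escaped'       "$escaped"
show 'single quotes' "$single_quoted"
```

Only the escaped and single-quoted forms deliver the literal $saddr to the program; the double-quoted form arrives with an empty path component in its place.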
