Request for improvement

Carter Bullard carter at qosient.com
Wed Oct 24 10:43:16 EDT 2012 

Hey Paul,
Don't do any more patching until you get a current version of the code  !!!
You should be working with argus[-clients]-3.0.6.x or 3.0.7.x.

There is no reason to use INET_ATON(), because you're inserting strings,
not actual IP addresses.  If you change the format, using something like
   "-s saddr:%d"

then all is done correctly.  I suggest that you don't spend a lot of time making
any more changes until you get a current release to work with.

Carter


On Oct 24, 2012, at 10:36 AM, Paul Schmehl <pschmehl_lists at tx.rr.com> wrote:

> --On October 22, 2012 4:22:50 PM -0400 Carter Bullard <carter at qosient.com> wrote:
> 
>> 
>> If you would like to use the fastest time based searches, you should use
>> rasqltimeindex() to index
>> your files based on seconds, and then use rasql() to find the records.
>> See the manpage for rasqltimeindex.
>> Once you run rasqltimeindex(), you will find a " Seconds " table in your
>> database, with this schema:
>> 
> 
> There is no manpage because, unfortunately, the FreeBSD port doesn't build rasqltimeindex and install it.  {{sigh}}
> 
> Looks like I have more work to do....
> 
> Is there any reason you don't use INET_ATON() in your INSERTS?  Seems like that would be useful.
> 
> I'm going to play around with the code some and see what I can do.
> 
> One day's worth of our data (in the db - no payloads) is 9.1GB and the rasqlinsert creates over 120 million rows.  Without indexing that will be a joke to query.  Just getting a count of the rows takes over 2 minutes.
> 
> -- 
> Paul Schmehl, Senior Infosec Analyst
> As if it wasn't already obvious, my opinions
> are my own and not those of my employer.
> *******************************************
> "It is as useless to argue with those who have
> renounced the use of reason as to administer
> medication to the dead." Thomas Jefferson
> "There are some ideas so wrong that only a very
> intelligent person could believe in them." George Orwell
> 
> 

-------------- next part --------------
A non-text attachment was scrubbed...
Name: smime.p7s
Type: application/pkcs7-signature
Size: 2589 bytes
Desc: not available
URL: <https://pairlist1.pair.net/pipermail/argus/attachments/20121024/07f33ebf/attachment.bin>

More information about the argus mailing list