Starting out - rasplit at boot
John Gerth
gerth at graphics.stanford.edu
Thu Feb 7 18:07:54 EST 2013
rasplit doesn't need a daemon mode because it doesn't need to accept incoming connnections
as argus and radium do. Rather rasplit connects out to a live argus source (and it is
fault tolerant in that mode as it will attempt to reconnect after a drop).
You can easily start rasplit as a service from /etc/init.d in the normal way by simply cloning
the "radium" script and making the obvious changes internally.
Also it's often better in this kind of setup to use radium in conjunction with argus.
That is, (a) configure argus on non-default port; (b) put radium on the default port;
and (c) have rasplit connect on the default port. With radium in the middle you also
have the option of connecting to it independently and remotely. I use this all the time.
In my case rasplit is making the archive recording of all the flows while I can use
clients like "ra" and "ratop" with filters to look at the stream in realtime.
John Gerth gerth at graphics.stanford.edu Gates 378 (650) 725-3273 fax 725-6949
On 2/7/2013 2:48 PM, Paul Halliday wrote:
> What I am looking to do is have argus provide 5 (or 10 or 30) minute
> files in a structure like this: y/y-m/y-m-d/y-m-d.H.M.S
>
> So I thought I kinda knew what I was doing
>
> Calling argus like: argus -u argus -g argus -P 561 -d -i em0
> and rasplit like: rasplit -M time 5m -w
> /nsm/sessions/%Y/%Y-%m/%Y-%m-%d/%Y-%m-%d.%H%M%S
>
> Worked great. I then went to create an rc script to start the works on
> boot and noticed that rasplit didn't have a daemon mode. This led me
> to believe that this isn't how I should be going about things. Then I
> started reading about radium. Confused.
>
> I am a newb coming from flowtools where the structure I outlined above
> was pretty much how things played out.
>
> The sensors will be standalone and I am not interested in centralized
> collection/aggregation. I need as much historical data as possible
> (FIFO after the disk fills) and will be creating summary data for
> pretty much everything as well.
>
> How should I go about this with argus? Better ways?
>
> Thanks!
>
More information about the argus
mailing list