Possible bug(s) with labels and .rarc

Carter Bullard carter at qosient.com
Tue Jan 22 14:52:28 EST 2013


Hey Craig,
If you specify an argus data source in your rarc, and you provide one on the command line, they are additive.
The rarc RA_ARGUS_SERVER variable is there for convenience for daemon-like installations such as radium(), rasplit() and rastream().

Not sure what is up with the labels, but I have enough info to see if I can replicate the error.

A few questions.  Is your radium running with a RADIUM_CLASSIFIER_FILE configured?
You should run with ' -M dsrs="-label" ' instead of " +label ", in order to strip any previous labels
that may be in the records.  It is impossible to know what ralabel() is or isn't doing if there are already
labels in the records.  Your ralabel() may not be configured to extend existing labels, so if there are
already labels in the records, it may not add any additional labels.

The notion that the label is written when we output the records using the " -w … " option is a bug, so I'll
focus on fixing that.

Let me take a look today.

Carter


On Jan 22, 2013, at 1:56 PM, Craig Merchant <cmerchant at responsys.com> wrote:

> I think I may have found a bug in ralabels…
>  
> If I run ralabels against radium with a properly configured ralabel.conf and label files, it works correctly (ralabel -S radium_host:561 -c "," -f /usr/local/argus/ralabel.conf -M dsrs="+label" -s "+label:200")
>  
> If I run ralabels against argusd with a properly configured ralabel.conf and label files, no labels are printed when the -w switch isn't used (ralabel -S radium_host:561 -c "," -f /usr/local/argus/ralabel.conf -M dsrs="+label" -s "+label:200")
>  
> If I run ralabels against argusd and use the -w to either send the output to a file (-w filename) or standard out (-w -), the labels will show up when that file or standard out is read by ra (ra -r - -M dsrs="+label" -s "+label:200" OR ra -r filename.argus -M dsrs="+label" -s "+label:200")
>  
> I've also found some behavior with .rarc files that I'm not sure is by design or if it's a bug.  I specified my radium host in my .rarc file.  But during some troubleshooting, I was using ra and ralabels to connect to argusd directly by using the -S argusd_host:561 switch.  When I tried to connect to argusd with the radium server configured in the .rarc file, I got two copies of all of the flows with timestamps that were milliseconds apart.
>  
> Is the -S switch supposed to override the setting in the .rarc file?  Or is it just additive?
>  
> I've sent a spreadsheet with all of the commands that I ran and their results as well as the output from each offline…
>  
> Thanks
>  
> Craig
>  
