Possible bug(s) with labels and .rarc

Craig Merchant cmerchant at responsys.com
Tue Jan 22 16:09:29 EST 2013


Yeah, my radium.conf file has the following:

RADIUM_CLASSIFIER=yes
RADIUM_CLASSIFIER_FILE=/usr/local/argus/ralabel.conf

If I want to use something like rabins or rasplit to connect to radium and write binary flow records to disk, is it considered the best practice to have radium do it or is it better to add labels with ralabel when those files are going to be displayed or processed?

All I've done is done ./configure, make, make install for the 3.0.6 clients.  How can I control whether ralabel extends labels or not?

I put a copy of all the relevant config files in the spreadsheet I sent you if you need to reproduce my environment.

Thanks!

C

From: Carter Bullard [mailto:carter at qosient.com]
Sent: Tuesday, January 22, 2013 11:52 AM
To: Craig Merchant
Cc: Argus (argus-info at lists.andrew.cmu.edu)
Subject: Re: [ARGUS] Possible bug(s) with labels and .rarc

Hey Craig,
If you specify an argus data source in your rarc, and you provide one on the command line, they are additive.
The rarc RA_ARGUS_SERVER variable is there for convenience for daemons like radium(), rasplit(), rastream()
like installations.

Not sure what is up with the labels, but I have enough info to see if I can replicate the error.

A few questions.  Is your radium running with a RADIUM_CLASSIFIER_FILE configured?
You should run with the ' -M dsrs="-label" ' instead of " + label ", in order to strip any previous labels
that may be in the records.  Impossible to know what ralabel() is or isn't doing if there are already
labels in the records.  Your ralabel() may not be configured to extend existing labels, so if there are
already labels in the records, it may not add any additional labels.

The notion that the label is written when we output the records using the " -w ... " option is a bug, so I'll
focus on fixing that.

Let me take a look today.

Carter


On Jan 22, 2013, at 1:56 PM, Craig Merchant <cmerchant at responsys.com> wrote:

I think I may have found a bug in ralabels...

If I run ralabels against radium with a properly configured ralabel.conf and label files, it works correctly (ralabel -S radium_host:561 -c "," -f /usr/local/argus/ralabel.conf -M dsrs="+label" -s "+label:200")

If I run ralabels against argusd with a properly configured ralabel.conf and label files, no labels are printed when the -w switch isn't used (ralabel -S radium_host:561 -c "," -f /usr/local/argus/ralabel.conf -M dsrs="+label" -s "+label:200")

If I run ralabels against argusd and use the -w to either send the output to a file (-w filename) or standard out (-w -), the labels will show up when that file or standard out is read by ra (ra -r - -M dsrs="+label" -s "+label:200" OR ra -r filename.argus -M dsrs="+label" -s "+label:200")

I've also found some behavior with .rarc files that I'm not sure is by design or if it's a bug.  I specified my radium host in my .rarc file.  But during some troubleshooting, I was using ra and ralabels to connect to argusd directly by using the -S argusd_host:561 switch.  When I tried to connect to argusd with the radium server configured in the .rarc file, I got two copies of all of the flows with timestamps that were milliseconds apart.

Is the -S switch supposed to override the setting in the .rarc file?  Or is it just additive?

I've sent a spreadsheet with all of the commands that I ran and their results as well as the output from each offline...

Thanks

Craig
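The two symptoms discussed in this thread (records coming back without a label, and duplicate copies of each flow with start times milliseconds apart when a server is configured in both .rarc and on the command line) can both be checked mechanically from CSV output. The script below is an added example, not code from the argus project or from either poster. It assumes output in the shape of `ra -c ","` with a title line naming the fields and a trailing `label` field (the field order and the sample records are constructed here, not captured from a real sensor); the 10 ms duplicate window is also an assumption.

```python
"""Check ra-style CSV output for unlabeled records and near-duplicate flows.

Assumed input shape (constructed, not real ra output): a title line with field
names, one record per line, with a trailing ``label`` field that may be empty.
"""
import csv
import io
from collections import defaultdict

# Constructed sample: one labeled flow, a near-duplicate of it with no label
# (0.545 ms later), and one unrelated labeled flow.
SAMPLE_CSV = """StartTime,Proto,SrcAddr,Sport,DstAddr,Dport,label
1358878800.123456,tcp,10.0.0.1,51234,10.0.0.2,80,web
1358878800.124001,tcp,10.0.0.1,51234,10.0.0.2,80,
1358878801.000000,udp,10.0.0.5,5353,224.0.0.251,5353,mdns
"""

FLOW_KEY = ("Proto", "SrcAddr", "Sport", "DstAddr", "Dport")


def parse_ra_csv(text):
    """Parse comma-separated ra output into a list of dict records."""
    reader = csv.DictReader(io.StringIO(text))
    rows = []
    for row in reader:
        # A record without a label column at all is treated as unlabeled.
        row["label"] = (row.get("label") or "").strip()
        row["StartTime"] = float(row["StartTime"])
        rows.append(row)
    return rows


def records_missing_label(rows):
    """Return records whose label field is empty (what Craig saw from argusd)."""
    return [r for r in rows if not r["label"]]


def near_duplicate_pairs(rows, window_ms=10.0):
    """Return (earlier, later) pairs with the same 5-tuple whose start times
    differ by at most window_ms. Duplicates like this are what you get when
    the same flows arrive from two sources, e.g. a server in .rarc plus -S."""
    by_flow = defaultdict(list)
    for r in rows:
        by_flow[tuple(r[k] for k in FLOW_KEY)].append(r)
    pairs = []
    for group in by_flow.values():
        group.sort(key=lambda r: r["StartTime"])
        for a, b in zip(group, group[1:]):
            if (b["StartTime"] - a["StartTime"]) * 1000.0 <= window_ms:
                pairs.append((a, b))
    return pairs


def summarize(text):
    """Run both checks and return counts, for a quick sanity check of a capture."""
    rows = parse_ra_csv(text)
    return {
        "records": len(rows),
        "unlabeled": len(records_missing_label(rows)),
        "near_duplicates": len(near_duplicate_pairs(rows)),
    }


if __name__ == "__main__":
    # To check a real file: python3 check_ra.py < capture.csv
    import sys
    data = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_CSV
    print(summarize(data))
```

If `unlabeled` is non-zero while ralabel is in the path, follow Carter's advice and feed ralabel records stripped with `-M dsrs="-label"` so that you know any label present was added by that ralabel; if `near_duplicates` is high, check whether a server is configured in .rarc as well as on the command line, since the two are additive.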

