Possible bug(s) with labels and .rarc
Craig Merchant
cmerchant at responsys.com
Tue Jan 22 16:27:59 EST 2013
My radium.conf, ralabel.conf, .rarc, and argusd.conf are all in separate tabs in that Excel spreadsheet I sent you yesterday. Let me know if you need it resent...
Thanks again for your help and thorough explanations!
Craig
From: Carter Bullard [mailto:carter at qosient.com]
Sent: Tuesday, January 22, 2013 1:26 PM
To: Craig Merchant
Cc: Argus (argus-info at lists.andrew.cmu.edu)
Subject: Re: [ARGUS] Possible bug(s) with labels and .rarc
Hey Craig,
Hmmm, well, I suspect that in your examples, you're getting your labels from radium.
Radium is a great place to label flows, the only issue is that all reading clients will
receive the labels, maybe a big deal for some.
ralabel() is what we call a data terminal node, while radium() is a data flow node.
If you want multiple analytics to get at the labels, radium is the place to do it.
The control for label extension is in the source code. I'll take a look and make sure
that argus-clients-3.0.7.5 has it turned on.
I could use a copy of your ralabel.conf if it's different from what we use as an example.
Carter
On Jan 22, 2013, at 4:09 PM, Craig Merchant <cmerchant at responsys.com> wrote:
Yeah, my radium.conf file has the following:
RADIUM_CLASSIFIER=yes
RADIUM_CLASSIFIER_FILE=/usr/local/argus/ralabel.conf
If I want to use something like rabins or rasplit to connect to radium and write binary flow records to disk, is it considered the best practice to have radium do it or is it better to add labels with ralabel when those files are going to be displayed or processed?
All I've done is run ./configure, make, make install for the 3.0.6 clients. How can I control whether ralabel extends labels or not?
I put a copy of all the relevant config files in the spreadsheet I sent you if you need to reproduce my environment.
Thanks!
C
From: Carter Bullard [mailto:carter at qosient.com]
Sent: Tuesday, January 22, 2013 11:52 AM
To: Craig Merchant
Cc: Argus (argus-info at lists.andrew.cmu.edu)
Subject: Re: [ARGUS] Possible bug(s) with labels and .rarc
Hey Craig,
If you specify an argus data source in your rarc, and you provide one on the command line, they are additive.
The rarc RA_ARGUS_SERVER variable is there for convenience for daemons like radium(), rasplit(), rastream()-like installations.
Not sure what is up with the labels, but I have enough info to see if I can replicate the error.
A few questions. Is your radium running with a RADIUM_CLASSIFIER_FILE configured?
You should run with the ' -M dsrs="-label" ' instead of " + label ", in order to strip any previous labels that may be in the records. Impossible to know what ralabel() is or isn't doing if there are already labels in the records. Your ralabel() may not be configured to extend existing labels, so if there are already labels in the records, it may not add any additional labels.
The notion that the label is written when we output the records using the " -w ... " option is a bug, so I'll focus on fixing that.
Let me take a look today.
Carter
On Jan 22, 2013, at 1:56 PM, Craig Merchant <cmerchant at responsys.com> wrote:
I think I may have found a bug in ralabel...
If I run ralabel against radium with a properly configured ralabel.conf and label files, it works correctly (ralabel -S radium_host:561 -c "," -f /usr/local/argus/ralabel.conf -M dsrs="+label" -s "+label:200")
If I run ralabel against argusd with a properly configured ralabel.conf and label files, no labels are printed when the -w switch isn't used (ralabel -S radium_host:561 -c "," -f /usr/local/argus/ralabel.conf -M dsrs="+label" -s "+label:200")
If I run ralabel against argusd and use the -w to either send the output to a file (-w filename) or standard out (-w -), the labels will show up when that file or standard out is read by ra (ra -r - -M dsrs="+label" -s "+label:200" OR ra -r filename.argus -M dsrs="+label" -s "+label:200")
I've also found some behavior with .rarc files that I'm not sure is by design or if it's a bug. I specified my radium host in my .rarc file. But during some troubleshooting, I was using ra and ralabel to connect to argusd directly by using the -S argusd_host:561 switch. When I tried to connect to argusd with the radium server configured in the .rarc file, I got two copies of all of the flows with timestamps that were milliseconds apart.
Is the -S switch supposed to override the setting in the .rarc file? Or is it just additive?
I've sent a spreadsheet with all of the commands that I ran and their results as well as the output from each offline...
Thanks
Craig