accepting data that is pushed with ARGUS_OUTPUT_STREAM

Ignas ignas.linux at gmail.com
Fri Mar 1 10:15:47 EST 2013


Thank you for a quick response.

Testing env:
c01  - 10.4.1.101 - pushes data with ARGUS_OUTPUT_STREAM=argus-udp://10.4.1.6:561
prod - 10.4.1.6   - should accept that data

Incoming data as seen on prod:
[root at prod ~]# tcpdump -nn -i any host 10.4.1.101
16:49:28.573395 IP 10.4.1.101.58883 > 10.4.1.6.561: UDP, length 112
16:49:28.573401 IP 10.4.1.6 > 10.4.1.101: ICMP 10.4.1.6 udp port 561 unreachable, length 148
...

ra on prod quits instantly (tried multiple variations of this):
[root at prod ~]# ra -S argus-udp://10.4.1.6:561
[root at prod ~]# ra -S argus-udp://10.4.1.6:561 -D 1
ra[26899.0047ad5fcc7f0000]: 16:49:19.701982 main: reading files completed
ra[26899.0047ad5fcc7f0000]: 16:49:19.702147 Binding 10.4.1.6:561 Expecting Argus records
ra[26899.0047ad5fcc7f0000]: 16:49:19.702200 receiving
ra[26899.0047ad5fcc7f0000]: 16:49:19.702210 ArgusGetServerSocket (0x7fcc5f92d010) returning 3
ra[26899.0047ad5fcc7f0000]: 16:49:19.985069 ArgusShutDown (0)
ra[26899.0047ad5fcc7f0000]: 16:49:19.985141 ArgusShutDown (0)
[root at prod ~]#

I'm a bit lost here.

-- 
Ignas


On 2013.03.01 15:15, Carter Bullard wrote:
> Hey Ignas,
> All clients can read the udp data.  This should work on your example
>     ra -S argus-udp://1.1.1.1:561
>
> So if B and C are configured to transmit to the same host and port, the ra() should see all the data.  Make sure that B and C have unique argus source IDs in their argus.conf file.
>
> We normally recommend a pull model, where your collector 'A' would connect to B and C to collect the data, using TCP.  Lots of reasons for this strategy, but the UDP support is there to be used, so go for it !!
>
> If you have any problems, do send email !!!!!
>
> Carter
>
> On Mar 1, 2013, at 7:59 AM, Ignas <ignas.linux at gmail.com> wrote:
>
>> Hello,
>>
>> I see that argus is able to push its data with ARGUS_OUTPUT_STREAM=argus-udp://1.1.1.1:561
>>
>> I can't find what argus/client tool accepts this data. Or maybe this ARGUS_OUTPUT_STREAM is used only with custom applications? I'm new to this.
>>
>> Background:
>> I have a simple need to account udp/514 traffic on hosts B and C. It would be great if there is a possibility to push this accounting data to host A, where this data would be stored and analysed, without keeping it on B and C.
>>
>> Thank you,
>> --
>> Ignas
>>
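As an added example, not code from this thread or from the argus project: a short Python check that reads tcpdump lines like the ones above and, per collector address and port, counts the UDP datagrams arriving against the ICMP port-unreachable replies the collector sends back. An ICMP port unreachable for every datagram means no socket is bound to udp/561 on prod at that moment, so the pushed records are being discarded whatever ra logs. The sample lines are constructed from the output quoted in this message, with the wrapped ICMP line rejoined.

```python
import re
from collections import defaultdict

# Constructed sample, taken from the tcpdump output quoted in this thread
# (the wrapped ICMP line rejoined); a second exchange is added for repetition.
SAMPLE_TCPDUMP = """\
16:49:28.573395 IP 10.4.1.101.58883 > 10.4.1.6.561: UDP, length 112
16:49:28.573401 IP 10.4.1.6 > 10.4.1.101: ICMP 10.4.1.6 udp port 561 unreachable, length 148
16:49:29.573390 IP 10.4.1.101.58883 > 10.4.1.6.561: UDP, length 96
16:49:29.573396 IP 10.4.1.6 > 10.4.1.101: ICMP 10.4.1.6 udp port 561 unreachable, length 132
"""

# A datagram towards the collector: "src.sport > dst.dport: UDP, length N"
UDP_RE = re.compile(
    r"^\S+ IP (?P<src>[\d.]+)\.(?P<sport>\d+) > "
    r"(?P<dst>[\d.]+)\.(?P<dport>\d+): UDP, length (?P<len>\d+)"
)
# The collector's reply when nothing is bound on that UDP port
ICMP_RE = re.compile(
    r"^\S+ IP (?P<src>[\d.]+) > (?P<dst>[\d.]+): ICMP "
    r"(?P<host>[\d.]+) udp port (?P<port>\d+) unreachable"
)


def analyze(text):
    """Count datagrams and port-unreachable replies per (collector, port)."""
    stats = defaultdict(lambda: {"datagrams": 0, "bytes": 0, "unreachable": 0})
    for line in text.splitlines():
        if m := UDP_RE.match(line):
            s = stats[(m["dst"], int(m["dport"]))]
            s["datagrams"] += 1
            s["bytes"] += int(m["len"])
        elif m := ICMP_RE.match(line):
            stats[(m["host"], int(m["port"]))]["unreachable"] += 1
    return dict(stats)


def diagnose(stats):
    """One verdict per collector port: is anything actually receiving the stream?"""
    verdicts = {}
    for key, s in stats.items():
        if s["datagrams"] and s["unreachable"] >= s["datagrams"]:
            verdicts[key] = "no listener"        # every datagram bounced: ra is not bound
        elif s["unreachable"]:
            verdicts[key] = "listener flapping"  # some accepted, some bounced
        else:
            verdicts[key] = "receiving"          # no port-unreachable seen
    return verdicts
```

Feed it the output of `tcpdump -nn -i any host <sender>` captured on the collector while the sender is pushing; a "no listener" verdict for 10.4.1.6:561 is the network-side view of ra having already exited.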
