accepting data that is pushed with ARGUS_OUTPUT_STREAM

Carter Bullard carter at qosient.com
Fri Mar 1 11:53:57 EST 2013 

Hey Ignas,
Looks like a bug.  Why not run with -D12 or higher to see more info?
Carter

Sent from my iPad

On Mar 1, 2013, at 10:15 AM, Ignas <ignas.linux at gmail.com> wrote:

> Thank you for a quick response.
> 
> Testing env:
> c01 -  10.4.1.101 - pushes data with ARGUS_OUTPUT_STREAM=argus-udp://10.4.1.6:561
> prod - 10.4.1.6   - should accept that data
> 
> Incoming data as seen on prod:
> [root at prod ~]# tcpdump -nn -i any host 10.4.1.101
> 16:49:28.573395 IP 10.4.1.101.58883 > 10.4.1.6.561: UDP, length 112
> 16:49:28.573401 IP 10.4.1.6 > 10.4.1.101: ICMP 10.4.1.6 udp port 561 unreachable, length 148
> ...
> 
> ra on prod quits instantly (tried multiple variations of this):
> [root at prod ~]# ra -S argus-udp://10.4.1.6:561
> [root at prod ~]# ra -S argus-udp://10.4.1.6:561 -D 1
> ra[26899.0047ad5fcc7f0000]: 16:49:19.701982 main: reading files completed
> ra[26899.0047ad5fcc7f0000]: 16:49:19.702147 Binding 10.4.1.6:561 Expecting Argus records
> ra[26899.0047ad5fcc7f0000]: 16:49:19.702200 receiving
> ra[26899.0047ad5fcc7f0000]: 16:49:19.702210 ArgusGetServerSocket (0x7fcc5f92d010) returning 3
> ra[26899.0047ad5fcc7f0000]: 16:49:19.985069 ArgusShutDown (0)
> ra[26899.0047ad5fcc7f0000]: 16:49:19.985141 ArgusShutDown (0)
> [root at prod ~]#
> 
> I'm a bit lost here.
> 
> -- 
> Ignas
> 
> 
> On 2013.03.01 15:15, Carter Bullard wrote:
>> Hey Ignas,
>> All clients can read the udp data.  This should work on your example
>>    ra -S argus-udp://1.1.1.1:561
>> 
>> So if B and C are configured to transmit to the same host and port, the ra() should see all the data.  Make sure that B and C have unique argus source IDs in their argus.conf file.
>> 
>> We normally recommend a pull model, where your collector 'A' would connect to B and C to collect the data, using TCP.  Lots of reasons for this strategy, but the UDP support is there to be used, so go for it !!
>> 
>> If you have any problems, do send email !!!!!
>> 
>> Carter
>> 
>> On Mar 1, 2013, at 7:59 AM, Ignas <ignas.linux at gmail.com> wrote:
>> 
>>> Hello,
>>> 
>>> I see that argus is able to push it's data with ARGUS_OUTPUT_STREAM=argus-udp://1.1.1.1:561
>>> 
>>> I can't find what argus/client tool accepts this data. Or maybe this ARGUS_OUTPUT_STREAM is used only with custom applications? I'm new to this.
>>> 
>>> Background:
>>> I have a simple need to account udp/514 traffic on hosts B and C. It would be great if there is a possibility to push this accounting data to host A, where this data would be stored and analysed, without keeping it on B and C

More information about the argus mailing list