racluster issue
Carter Bullard
carter at qosient.com
Tue Mar 5 13:10:58 EST 2013
Hey Craig,
OK, looked into the " -T secs " problem you were having, and did find a bug,
so I've fixed that. Will be in the argus-clients.3.0.7.6 that I'll put up this week.
Carter
On Mar 5, 2013, at 11:03 AM, Carter Bullard <carter at qosient.com> wrote:
> On Mar 4, 2013, at 11:05 PM, Craig Merchant <cmerchant at responsys.com> wrote:
>
>> Carter,
>>
>> Here’s what I’m trying to do and I may not be going about it the smartest way… I would like racluster, rabins, or rastream to output a csv file containing five minutes of flow data, aggregated using proto, saddr, daddr, sport, and dport. That CSV file will be imported into Splunk for analysis every five minutes. I would prefer for the CSV file to be overwritten each time the argus client outputs five minutes of aggregated flows. I would also prefer to avoid writing to an argus binary file as an intermediary step.
>>
>> The way I’ve been doing it is to set up an entry in the crontab file that looks like:
>>
>> 00,05,10,15,20,25,30,35,40,45,50,55 * * * * /usr/local/bin/racluster -S 10.10.10.10:561 -T 300 -p 3 -u -Z b -w - | /usr/local/bin/ralabel -r - -f /usr/local/argus/ralabel.conf -c "," -M dsrs=+metric,+agr,+psize,+cocode -n -p 3 -u -Z b -s "+0ltime,+1stime,+trans,+dur,+runtime,+mean,+stddev,+sum,+sco,+dco,+pkts,+spkts,+dpkts,+bytes,+sbytes,+dbytes,+load,+sload,+dload,+loss,+sloss,+dloss,+ploss,+sploss,+dploss,+rate,+srate,+drate,+appbytes,+sappbytes,+dappbytes,+label:200" > /ssd/argus/splunk/racluster.csv
>>
>> The problem is that when I’m checking the timestamp on the racluster.csv file, it’s always on the 01,06,11,… minute. So, it looks like even though racluster is set to connect to radium for 300 seconds, it’s writing out the results after < 120 seconds. I also tried just running the racluster part of the above command on the command-line and it is also writing the results out before the full five minutes has elapsed.
>>
>> Is there a smarter way to accomplish my goal? If not, how can I figure out why racluster isn’t connecting for the full length of time specified in the –T flag?
>>
>> Thanks.
>>
>> Craig
>
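An added note on the cron pipeline quoted above (this is an example written for this page, not code from the thread or from the argus project). Independently of the -T bug Carter fixed, the trailing `> /ssd/argus/splunk/racluster.csv` truncates the CSV the moment the pipeline starts and then fills it over the next five minutes, so anything polling that path (a Splunk file monitor, for instance) can read an empty or half-written file. The POSIX sh function below stages the output in a temporary file in the same directory and renames it over the destination only when the producing command exits 0, so the reader always sees either the previous complete CSV or the new complete one. The destination path and the wrapper script name are hypothetical; the racluster/ralabel options in the comment are the ones from the quoted cron entry.

```sh
#!/bin/sh
# Added example, not from the original thread: atomically replace a CSV that
# another process polls. The rename is atomic on the same filesystem, so a
# reader never observes a truncated or partially written file.

# write_csv_atomically DEST CMD [ARGS...]
#   Runs CMD with stdout captured into a temp file beside DEST, then renames
#   it over DEST only if CMD succeeded. Returns CMD's exit status; on failure
#   the temp file is removed and the previous DEST is left untouched.
write_csv_atomically() {
    dest=$1
    shift
    dir=$(dirname -- "$dest")
    # Temp file in the same directory as DEST so mv is a rename, not a copy.
    tmp=$(mktemp "$dir/.$(basename -- "$dest").XXXXXX") || return 1
    if "$@" > "$tmp"; then
        mv -f -- "$tmp" "$dest"
    else
        status=$?
        rm -f -- "$tmp"
        return "$status"
    fi
}

# Intended cron use (hypothetical script path; argus options as in the
# quoted cron entry, with the long -s field list elided here):
#   */5 * * * * /usr/local/bin/rotate-racluster-csv.sh
# where the script sources this function and then runs:
#   write_csv_atomically /ssd/argus/splunk/racluster.csv sh -c \
#     '/usr/local/bin/racluster -S 10.10.10.10:561 -T 300 -p 3 -u -Z b -w - |
#      /usr/local/bin/ralabel -r - -f /usr/local/argus/ralabel.conf -c "," -n -p 3 -u -Z b -s ...'
# Because "$@" is a single command, a pipeline has to be wrapped in sh -c as
# shown; the status returned is that of the last command in the pipeline.
```

With this wrapper a failed or early-exiting racluster run leaves the last good CSV in place instead of an empty file, which also makes a problem like the one reported above visible as a stale mtime rather than as silently missing data.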