rastream 3.0.7.8, no suser duser

Carter Bullard carter at qosient.com
Tue May 14 12:01:52 EDT 2013


Hey Matt,
Dave is right on.  You have to turn on user data capture at record generation.
… so argus needs to be configured to do so.  You can do that with the -U nnnnn 
option, on the command line, or you can set it in your /etc/argus.conf file,
using the ARGUS_CAPTURE_DATA_LEN=nnn variable setting.

To test that this is the case, you can connect to every component in your
data flow system, and print out your field of interest, to see where they
are, and where they aren't.  If you get back to the component that is
supposed to generate the data element, and your object is not there,
then, you'll know what needs to be fixed.

When you have an argus data flow system that has a bunch of argi,
being collected and processed by a set of radii, that are labeling,
filtering, stripping, and correlating data, you may need to "debug"
the data train, to figure out what is going on.  So connecting to any
and all at the same time is a helpful way to debug your system.

 Carter


On May 14, 2013, at 11:50 AM, "Dave Edelman" <dedelman at iname.com> wrote:

> You need to tell argus to collect that data with the -U nnn option where nnn
> is the number of bytes of user data you want to keep for each flow.
> 
> --Dave
> 
>> -----Original Message-----
>> From: argus-info-bounces+dedelman=iname.com at lists.andrew.cmu.edu
>> [mailto:argus-info-bounces+dedelman=iname.com at lists.andrew.cmu.edu]
>> On Behalf Of Matt Brown
>> Sent: Tuesday, May 14, 2013 10:51 AM
>> To: argus-info at lists.andrew.cmu.edu
>> Subject: [ARGUS] rastream 3.0.7.8, no suser duser
>> 
>> Hello all/Carter,
>> 
>> I am using rastream to write argus data to files.
>> 
>> When I query these files using ra or racluster, suser and duser are
>> not returning any data.
>> 
>> I'm guessing it isn't being written by rastream which has been started
>> as follows:
>> 
>> rastream -S 127.0.0.1:561 -B 15s -M time 1h -w
>> /var/opt/argus/%Y-%m-%d/argus_%T -f /usr/local/bin/rastream.sh
>> 
>> How do I use rastream to record N bytes of suser and duser?
>> 
>> 
>> Thanks,
>> 
>> Matt
> 
> 
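The check Carter describes (connect to every component and print the field of interest) can be scripted. The following is an added example, not code from the thread or from the argus project. It assumes components are passed as host:port arguments in data-flow order, that ra prints one line per record when asked for a single column, and that a label line, if printed, reads srcUdata or dstUdata; the sample output in it is constructed.

```shell
#!/bin/sh
# Walk an argus data flow (argus first, then each radium) and report where
# suser/duser are populated. Example: sh walk.sh 127.0.0.1:561 <radium host:port>

# count_populated: read single-column ra output on stdin and print
# "<populated> <total>"; a record counts as populated if its field is non-blank.
count_populated() {
    awk '
        NF == 1 && ($1 == "srcUdata" || $1 == "dstUdata") { next }  # assumed label line
        { total++; if (NF > 0) populated++ }
        END { printf "%d %d\n", populated, total }
    '
}

# probe: sample up to N records of one field from one component.
probe() {   # usage: probe host:port field [nrecords]
    ra -S "$1" -N "${3:-50}" -s "$2:32" 2>/dev/null | count_populated
}

# verdict: turn "<populated> <total>" into a one-word status.
verdict() {
    if [ "$2" -eq 0 ]; then echo no-records
    elif [ "$1" -eq 0 ]; then echo missing
    else echo present
    fi
}

# walk_chain: the first component reporting "missing" for a field that the
# component before it reported "present" is where the data is being dropped.
# If the argus itself reports "missing", capture is off at record generation.
walk_chain() {
    for component in "$@"; do
        for field in suser duser; do
            counts=$(probe "$component" "$field")
            printf '%-24s %-6s %-10s (%s of %s records)\n' \
                "$component" "$field" "$(verdict $counts)" $counts
        done
    done
}

if [ "$#" -gt 0 ]; then
    walk_chain "$@"
else
    # No arguments: run the parser on constructed output (two records, one empty).
    printf 'srcUdata\ns[8]=GET / HT\n          \n' | count_populated
fi
```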
