Couple things...

Craig Merchant cmerchant at responsys.com
Wed Sep 18 15:33:58 EDT 2013


Hey, Carter...

Just wanted to start off by saying the latest release has been awesome.  Everything has been super stable and all our label issues have been solved.  Thanks for all your hard work!

We've also been experimenting with the ABR and an anomaly detection tool for Splunk from a company called Prelert.  I configured one of my servers to SSH into a remote host and run a script that does a recursive ls and then sleeps for a couple minutes.  I then periodically SCP'd 100 MB of files up to that remote host.  With around 2.5 million events over a couple days for that subnet, I got this:

[image001.png: chart attached to the original message, not reproduced here]

Each one of those spikes when I drilled down represented one of the large SCP uploads.  So, the signal-to-noise ratio for the ABR seems really good (at least for my simplistic test example).

Couple questions for you...

We're using rastream and racluster to aggregate our flows every five minutes.  My understanding, and what I've seen in the data, is that if a flow lasts for 15 minutes, I'll only get a single record when the flow closes.  Am I incorrect?  When I look at the aggregated argus records for the test flow in the example above, where the SSH session stayed open for days, I'm not seeing one event every five minutes.  So, if somebody asked me "how much bandwidth are we using right now?", it would be tricky to divide bytes by duration and project that backwards in time.

Is there any way to make racluster write a summary record for flows that are longer than the aggregation interval that shows the summary statistics for that flow only in that window?

Also...  I've seen you use "-M RMON" in several examples on the mailing list.  What is the value of using RMON stats for analysis?

Thanks.

Craig
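The "divide bytes by duration and project backwards" calculation Craig describes can be done offline on the records racluster already emits. The following Python script is an added example, not code from the argus project or from anyone in this thread: it takes a few constructed CSV flow records (laid out the way `ra -u -c , -s stime ltime saddr daddr sbytes dbytes` is assumed to print them; check the column order against your own ra output), apportions each long-lived record's byte counts across five-minute windows in proportion to how long the flow overlapped each window, and sums the result per window. The uniform-rate assumption is the caveat to keep in mind: a single argus record carries totals, so a 100 MB burst inside a multi-day session is smeared evenly across the whole session. If you need the spikes to land in the right window, the split has to happen at collection time rather than afterwards.

```python
"""Apportion long-lived argus flow records across fixed time windows.

Added example, not code from the argus project or the original thread.
The input below is constructed to resemble what
    ra -u -c , -s stime ltime saddr daddr sbytes dbytes
prints (assumed layout: epoch seconds, comma separated, one header line).
"""
from collections import defaultdict
from dataclasses import dataclass

WINDOW = 300  # five-minute aggregation interval, as in the e-mail


@dataclass
class Flow:
    stime: float   # first packet, epoch seconds
    ltime: float   # last packet, epoch seconds
    saddr: str
    daddr: str
    sbytes: int
    dbytes: int


def parse_ra_csv(text):
    """Parse comma-separated ra output into Flow objects (header line skipped)."""
    flows = []
    for line in text.strip().splitlines():
        line = line.strip()
        if not line or line.startswith("StartTime"):
            continue
        st, lt, sa, da, sb, db = line.split(",")
        flows.append(Flow(float(st), float(lt), sa, da, int(sb), int(db)))
    return flows


def bin_flow(flow, window=WINDOW):
    """Split one flow record into (window_start, sbytes, dbytes) tuples.

    Bytes are spread in proportion to how much of the flow's lifetime falls
    in each window (uniform-rate assumption: the record holds totals only).
    Cumulative rounding guarantees the per-window counts add back up to the
    record's totals, so nothing is lost or double-counted across windows.
    """
    dur = flow.ltime - flow.stime
    if dur <= 0:  # single-packet or zero-duration record: one bin
        return [(int(flow.stime // window) * window, flow.sbytes, flow.dbytes)]
    bins = []
    t = flow.stime
    done_s = done_d = 0
    while t < flow.ltime:
        bstart = int(t // window) * window
        seg_end = min(bstart + window, flow.ltime)
        frac = (seg_end - flow.stime) / dur       # share of the flow seen so far
        cum_s = round(flow.sbytes * frac)
        cum_d = round(flow.dbytes * frac)
        bins.append((bstart, cum_s - done_s, cum_d - done_d))
        done_s, done_d = cum_s, cum_d
        t = seg_end
    return bins


def bytes_per_window(flows, window=WINDOW):
    """Total bytes (both directions) per window across all flows."""
    totals = defaultdict(int)
    for f in flows:
        for bstart, sb, db in bin_flow(f, window):
            totals[bstart] += sb + db
    return dict(sorted(totals.items()))


def bits_per_second(totals, window=WINDOW):
    """Turn per-window byte totals into an average bit rate for each window."""
    return {b: v * 8 / window for b, v in totals.items()}


# Constructed sample: a 15-minute flow, a 5-minute flow straddling two
# windows, and a zero-duration single-packet record. Timestamps start at
# 1379462400 (a multiple of 300 so the windows line up cleanly).
SAMPLE_RA_OUTPUT = """
StartTime,LastTime,SrcAddr,DstAddr,SrcBytes,DstBytes
1379462400.000000,1379463300.000000,10.0.0.5,10.0.0.9,9000,900
1379462500.000000,1379462800.000000,10.0.0.7,10.0.0.9,300,0
1379463000.000000,1379463000.000000,10.0.0.8,10.0.0.9,60,0
"""

if __name__ == "__main__":
    flows = parse_ra_csv(SAMPLE_RA_OUTPUT)
    for start, bps in bits_per_second(bytes_per_window(flows)).items():
        print(f"{start}  {bps:10.1f} bit/s")
```

To use it on real data, pipe `ra` output into `parse_ra_csv` instead of the embedded sample; the per-window totals are what you would plot next to the anomaly detector's output to see whether a spike is one big upload or many small flows.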
-------------- next part --------------
A non-text attachment was scrubbed...
Name: image001.png
Type: image/png
Size: 15943 bytes
Desc: image001.png
URL: <https://pairlist1.pair.net/pipermail/argus/attachments/20130918/a070af00/attachment.png>