Problem labeling with ASN numbers

Jesse Bowling jessebowling at gmail.com
Tue Feb 25 14:22:46 EST 2014


I think the current setup is perfect; I simply didn't realize that these
had been moved from label into their own DSR...

This will remind me to use the ./config/Support/rarc.print.all.conf to
double check before posting. :)
Thanks and cheers!

Jesse


On Tue, Feb 25, 2014 at 2:17 PM, Carter Bullard <carter at qosient.com> wrote:

> Hey Jessie,
> This action should populate the sas and das attribute fields in the record,
> so if you use:
>
>    ralabel -D 3 -f /etc/ralabel.conf -r test.argus -s stime sas das -N 10
>
> You should see your AS numbers.  We moved the result of the label into its
> own DSR so we could filter, sort, aggregate, as well as combine
> data that had ASN values generated from Cisco netflow data.
>
> Once we moved the data into a separate asn dsr, putting the values into
> an ascii label seemed redundant.
>
> If you think it's important to generate "sas=XXX" and "das=XXX" labels,
> let's talk.  There are a number of these that have cropped up, and I'm
> sure others will as well.  We have geolocation DSRs that can handle stuff
> like lat and lon, as these are values you want to sort on, aggregate on,
> etc… which is hard to do when the values are buried in an ASCII label,
> but with GeoIP lats and lons, we still put them in the label.
> Need some consistency I suspect….
>
> What do you think ???!?!?!?!?!?
>
> Carter
>
>
>
> On Feb 25, 2014, at 2:04 PM, Jesse Bowling <jessebowling at gmail.com> wrote:
>
> > Hello,
> >
> > I'm having issues labeling flows with their ASN numbers. I would
> > appreciate any pointers on how to work through this issue. Using the
> > following setup:
> >
> > # ralabel --version
> > RaLabeler Version 3.0.7.19
> >
> > # egrep -v '^#|^[ \t]*$' /etc/ralabel.conf
> > RALABEL_GEOIP_ASN=yes
> > RALABEL_GEOIP_ASN_FILE="/usr/local/share/GeoIP/GeoIPASNum.dat"
> > RALABEL_GEOIP_V6_ASN_FILE="/usr/local/share/GeoIP/GeoIPASNumv6.dat"
> >
> > # ralabel -D 3 -f /etc/ralabel.conf -r test.argus -s stime label -N 10
> > ralabel[11976.0047da51b27f0000]: 02/25/14 14:03:54.951989 ArgusAddFileList (0x518ac010, test.argus, 1, -1, -1) returning 1
> > ralabel[11976.0047da51b27f0000]: 02/25/14 14:03:54.955412 RaLabelParseResourceFile (/etc/ralabel.conf) returning 0
> > ralabel[11976.0047da51b27f0000]: 02/25/14 14:03:54.955498 ArgusReadConnection() read 16 bytes
> > ralabel[11976.0047da51b27f0000]: 02/25/14 14:03:54.955517 ArgusReadConnection() read 112 bytes
> > ralabel[11976.0047da51b27f0000]: 02/25/14 14:03:54.955877 ArgusParseInit(0x7fb2518ac010 0x7fb25183b010
> > ralabel[11976.0047da51b27f0000]: 02/25/14 14:03:54.955896 ArgusReadConnection(0x5183b010, 1) returning 1
> >                      StartTime                     Label
> >       02/25/14 12:01:07.897347
> >       02/25/14 13:00:00.000000
> >       02/25/14 13:00:01.231979
> >       02/25/14 13:00:00.491826
> >       02/25/14 13:00:00.000000
> >       02/25/14 13:00:00.000000
> >       02/25/14 13:00:00.018068
> >       02/25/14 13:00:00.000000
> >       02/25/14 13:00:00.000000
> >       02/25/14 13:00:00.000000
> >       02/25/14 13:00:00.000000
> > ralabel[11976.0047da51b27f0000]: 02/25/14 14:03:54.956353 ArgusCloseInput(0x5183b010) closing
> > ralabel[11976.0047da51b27f0000]: 02/25/14 14:03:54.956377 ArgusCloseInput(0x5183b010) done
> > ralabel[11976.0047da51b27f0000]: 02/25/14 14:03:54.956385 main: ArgusReadFileStream (test.argus) done
> > ralabel[11976.0047da51b27f0000]: 02/25/14 14:03:54.956408 main: reading files completed
> > ralabel[11976.0047da51b27f0000]: 02/25/14 14:03:54.956415 ArgusShutDown (0)
> > ralabel[11976.0047da51b27f0000]: 02/25/14 14:03:54.956421 RaParseComplete (0) returning
> > ralabel[11976.0047da51b27f0000]: 02/25/14 14:03:54.956429 RaParseComplete(caught signal 0)
> >
> >
> > --
> > Jesse Bowling
> >


-- 
Jesse Bowling
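An added example, not code from this thread or from the argus project, showing how to check the answer above in practice: once the ASN values live in their own DSR, `ralabel ... -s stime sas das` prints them as columns, and a short awk pass can confirm they are populated and summarise which AS pairs a capture contains. The column layout (date, time, sAS, dAS after a header line), the header names, and the use of 0 for an unresolved address are assumptions of this example, as is the sample output, which is constructed rather than taken from a real run.

```shell
#!/bin/sh
# Added example (not from the argus mailing list or the argus project).
# Assumes the default ralabel text output: one header line, then
# whitespace-separated columns, and with "-s stime sas das" each row is
#   date time sas das
# An unresolved address is assumed to show an AS of 0 (assumption).

# Constructed sample of ralabel output; in practice produce it with
#   ralabel -f /etc/ralabel.conf -r test.argus -s stime sas das
SAMPLE='                     StartTime    sAS    dAS
       02/25/14 12:01:07.897347   64496   64501
       02/25/14 13:00:00.000000   64496   64501
       02/25/14 13:00:01.231979   64502   64496
       02/25/14 13:00:00.491826       0   64501
       02/25/14 13:00:00.000000   64496   64501'

# Print "count sas->das" lines, busiest pair first, skipping the header.
# Reads the file given as an argument, or stdin when none is given.
asn_pairs() {
    awk 'NR > 1 && NF >= 4 { pairs[$3 "->" $4]++ }
         END { for (p in pairs) print pairs[p], p }' "$@" | sort -k1,1nr -k2,2
}

# Count rows where either side has no resolved AS (sas or das of 0),
# which usually means the GeoIP ASN database does not cover that address.
unresolved_count() {
    awk 'NR > 1 && NF >= 4 && ($3 == 0 || $4 == 0) { n++ }
         END { print n + 0 }' "$@"
}

# Fail when no record carries AS numbers at all; that is the symptom the
# original post saw (an empty Label column), and it points at the
# RALABEL_GEOIP_ASN setting or the .dat file paths in ralabel.conf.
check_asn_populated() {
    if [ -z "$(asn_pairs "$@")" ]; then
        echo "no sas/das values found; check RALABEL_GEOIP_ASN and the .dat paths" >&2
        return 1
    fi
    return 0
}

# Stand-alone run over the constructed sample.
printf '%s\n' "$SAMPLE" | asn_pairs
printf 'unresolved rows: %s\n' "$(printf '%s\n' "$SAMPLE" | unresolved_count)"
printf '%s\n' "$SAMPLE" | check_asn_populated
```

Because `asn_pairs` reads stdin when given no file, the same functions work directly on a pipe from ralabel; a non-zero exit from `check_asn_populated` is the quick signal that the config, not the argus data, is the problem.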