first time argus

Carter Bullard via Argus-info argus-info at lists.andrew.cmu.edu
Sat Nov 5 07:52:33 EDT 2016


Hey Ian,
That is a great way to do it.  The only issue is the size of the daily file, as some queries have to go through the complete file.  If daily files work for you, then you are good to go ...

Carter
> 
> On Nov 5, 2016, at 2:40 AM, Ian Smith via Argus-info <argus-info at lists.andrew.cmu.edu> wrote:
> 
>>> Server side - how can it generate daily logs, with "argus -M time 
>>> 1h" is not working, if I start the server "argus" it makes one file 
>>> which becomes bigger and bigger.
>> 
>> I'm only just starting with Argus myself, but I wanted just this, and 
>> this is how I've done it (i.e., if there's a better way from someone 
>> that actually knows what they are doing I'd be happy to hear it):
>> 
>> Argus is tolerant of the log file going away, so you could simply move 
>> the log file each day.  When the argus process discovers the log file 
>> is missing it creates a new one.  However, unless you run that at 
>> midnight each day you'll have log files with part of two days in each.
>> 
>> I run a daily cron script.  Argus is running writing to argus.out.  
>> The script sets that log file aside (and argus makes a new one as soon 
>> as it wants to log something), then uses rasplit to split the set 
>> aside argus.out into new files named according to date.
>> 
>> Thus, at any time I have argus.YYYYmmdd files with whatever had 
>> occurred up to the last time the script ran, and a 'live' argus.out 
>> with what has happened since.  If I want to update the argus.YYYYmmdd 
>> files to as of now, I just manually run the script.  That is, since 
>> '-w' appends if the target file already exists, you can actually run 
>> this as often as you like.  Thus, I don't have a live 'today' file, 
>> but I can get one as of any time I want it.
>> 
>> ---------- ---------- ----------
>> #!/bin/sh
>> 
>> # stop if the log directory is not there rather than operating in the wrong place
>> cd /var/log/argus || exit 1
>> NEWLOG="argus.out.`/bin/date +%Y%m%d_%H%M%S`"
>> 
>> # set aside current log file - note we just need to move it
>> # - argus copes and makes a new one when the old one disappears
>> /bin/mv argus.out "$NEWLOG" || exit 1
>> 
>> # split by days and delete the source file assuming it went ok
>> /usr/bin/rasplit -M time 1d -r "$NEWLOG" -w argus.%Y%m%d && /bin/rm "$NEWLOG"
>> ---------- ---------- ----------
>> 
>> 
>> regards,   Ian Smith
>> 
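The set-aside-then-rasplit rotation Ian describes above, written out as an added example script. This is not Ian's script and not part of the Argus distribution; it assumes argus writes to `argus.out` in the directory given on the command line, that `rasplit` lives at the path in `RASPLIT` (both assumptions, overridable through the environment), and that argus re-creates `argus.out` on its next write once the file is gone, as the thread states. It keeps the set-aside file when rasplit fails so nothing is lost, names the set-aside file uniquely so a retry in the same second cannot clobber it, and creates the daily files with restrictive permissions, since flow records are sensitive data.

```shell
#!/bin/sh
# Added example: daily rotation of argus.out via rasplit.
# Assumed paths: argus.out lives in the directory passed as $1,
# rasplit at $RASPLIT (default /usr/bin/rasplit). Override via environment.

RASPLIT="${RASPLIT:-/usr/bin/rasplit}"

# rotate_argus_log DIR
# Moves DIR/argus.out aside under a unique name, splits the set-aside
# file into DIR/argus.YYYYmmdd files (rasplit -w appends when the target
# exists, so this is safe to run several times a day) and deletes the
# set-aside file only when rasplit succeeded. Returns 0 on success or
# when there was nothing to rotate, 1 on failure.
rotate_argus_log() {
    dir="$1"
    log="$dir/argus.out"

    # Flow records are sensitive: new files should not be world-readable.
    umask 077

    # Nothing to do if argus has not written anything since the last run.
    if [ ! -s "$log" ]; then
        echo "rotate: $log missing or empty, nothing to do" >&2
        return 0
    fi

    # Timestamp plus PID keeps a retry in the same second from clobbering
    # a set-aside file that a previous failed run left behind.
    stamp=$(date +%Y%m%d_%H%M%S)
    setaside="$dir/argus.out.$stamp.$$"

    # mv on the same filesystem is atomic; argus re-creates argus.out on
    # its next write (per the list discussion), so no restart is needed.
    mv "$log" "$setaside" || return 1

    # Split by calendar day; -w appends to an existing argus.YYYYmmdd.
    if "$RASPLIT" -M time 1d -r "$setaside" -w "$dir/argus.%Y%m%d"; then
        rm -f "$setaside"
        return 0
    fi

    # Keep the input so the next run (or a manual rasplit) can retry it.
    echo "rotate: rasplit failed, keeping $setaside for a retry" >&2
    return 1
}

# count_daily_files DIR: number of argus.YYYYmmdd files present, a quick
# sanity check to run after a rotation.
count_daily_files() {
    ls "$1"/argus.[0-9][0-9][0-9][0-9][0-9][0-9][0-9][0-9] 2>/dev/null \
        | wc -l | tr -d ' '
}

# Run the rotation only when a directory is given, so the functions can
# also be sourced from another script.
if [ -n "${1:-}" ]; then
    rotate_argus_log "$1"
fi
```

Call it from cron as `argus-rotate.sh /var/log/argus` (the script name is an assumption); because `-w` appends, running it more often than daily is harmless and gives an up-to-date `argus.YYYYmmdd` whenever you want one. If a leftover `argus.out.*` file appears in the directory, a rasplit run failed and that file still holds the unsplit records.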



