Argus time field truncation

Mike Iglesias iglesias at uci.edu
Tue Mar 27 13:06:55 EDT 2018


On 03/27/2018 08:22 AM, Drew Dixon wrote:
> Hi there,
> 
> I have a need to add the date into the stime field with ra so I've done so
> using an ra.conf file:
> 
> RA_TIME_FORMAT="%y-%m-%d %T"
> 
> It appears to be picking up the customization in my ra.conf file but when I
> test it out reading a file with ra the stime field is truncated (18-03-27 14*)
> and negates the purpose of adding the date in with the time....I came across
> this part of the man page:
> 
> "Field lengths are hard constraints, and field output that exceeds the field
> length will be truncated, and a '*' will be inserted as the last character.
> /When you see this, add more to the length specification for that specific
> field./" 
> 
> Which at first seems somewhat contradictory, with it stating these are hard
> constraints but then that you can modify them, I suppose I'm not sure how I
> would go about adding more to the length specification for that specific
> field?  Is this indicating we would need to modify the field length value in
> the argus client tools source code and recompile to increase the length
> specification for this field?
> 
> Any help on how I can increase the length specification for the time field
> would be greatly appreciated!

This is what we use:

RA_TIME_FORMAT="%d %b %y %T"
RA_FIELD_WIDTH=fixed
RA_FIELD_SPECIFIER="stime:18,ltime:18,flgs,proto,saddr,sport,dir,daddr,dport,spkts,dpkts,sbytes,dbytes,state"


-- 
Mike Iglesias                          Email:       iglesias at uci.edu
University of California, Irvine       phone:       949-824-6926
Office of Information Technology       FAX:         949-824-2270
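
An added example, not part of either post and not Argus code: a Python check that applies the truncation rule quoted from the man page to an ra.conf and reports time fields that are too narrow for RA_TIME_FORMAT. The function names, the sample timestamp, the fallback field list, and the default width of 12 (inferred from the truncated output in the question) are assumptions.

```python
from datetime import datetime

# Constructed sample timestamp with a two-digit day and hour (widest case).
SAMPLE = datetime(2018, 3, 27, 14, 22, 8)
TIME_FIELDS = ("stime", "ltime")
# Width used when a field has no ":N". Inferred from the truncated output in
# the question ("18-03-27 14*" is 12 characters), not taken from ra's source.
ASSUMED_DEFAULT_WIDTH = 12


def parse_conf(text):
    """Return KEY -> value for KEY=value lines, skipping comments and blanks."""
    conf = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, value = line.split("=", 1)
        conf[key.strip()] = value.strip().strip('"')
    return conf


def render(value, width):
    """Man-page rule: output longer than width is cut and ends in '*'."""
    if len(value) <= width:
        return value
    return value[: width - 1] + "*"


def check_time_fields(conf_text, default_width=ASSUMED_DEFAULT_WIDTH):
    """Return {field: (width, needed, rendered)} for truncated time fields."""
    conf = parse_conf(conf_text)
    # Expand %T by hand so the check behaves the same on every platform.
    fmt = conf["RA_TIME_FORMAT"].replace("%T", "%H:%M:%S")
    stamp = SAMPLE.strftime(fmt)
    # Assumption: with no RA_FIELD_SPECIFIER, only stime is checked.
    widths = {}
    for spec in conf.get("RA_FIELD_SPECIFIER", "stime").split(","):
        name, _, width = spec.strip().partition(":")
        widths[name] = int(width) if width else default_width
    problems = {}
    for field in TIME_FIELDS:
        if field in widths and len(stamp) > widths[field]:
            shown = render(stamp, widths[field])
            problems[field] = (widths[field], len(stamp), shown)
    return problems
```
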


