[ARGUS] argus-clients JSON output
Darren S.
phatbuckett at gmail.com
Fri Aug 27 03:06:55 EDT 2021
OpenBSD 6.9 amd64
argus-3.0.8.2 (argus-3.0.8.2p2 OS package)
argus-clients-3.0.8.3
I'm interested in leveraging future JSON output from argus-clients to
support a streaming analytics workflow, and noted that
argus-clients-3.0.8.3 was in need of testing [1].
argus-clients build commands:
./configure --prefix=/usr/argus --with-libft=yes --without-mysql
--without-GeoIP --without-sasl
make CCOPT="-I/usr/local/include" COMPATLIB="-lm -lz -L/usr/local/lib -lft"
With these options I got a partially successful build, enough to
produce an ra(1) binary to test. (The complete output of the build is
at [2], if there are suggestions to complete a build without error. I
could have botched the options passed to configure script or make,
just trying to mimic the OS port [3]).
I did a little basic testing with ra(1) and got JSON output as expected:
$ /usr/argus/bin/ra -M json -nr test.argus -- 'dst port 443'
{ "type":"flow","stime":"06:01:03.612223","flgs":" e
","proto":"tcp","saddr":"x.x.97.55","sport":46984,"dir":"<?>","daddr":"44.234.221.91","dport":443,"pkts":"4","bytes":"295","state":"FIN"}
{ "type":"flow","stime":"06:01:03.616187","flgs":" e
","proto":"tcp","saddr":"x.x.97.55","sport":23157,"dir":"
->","daddr":"44.234.221.91","dport":443,"pkts":"17","bytes":"9322","state":"CON"}
{ "type":"flow","stime":"06:01:08.991243","flgs":" e
","proto":"tcp","saddr":"x.x.97.55","sport":23157,"dir":"
->","daddr":"44.234.221.91","dport":443,"pkts":"7","bytes":"4114","state":"CON"}
{ "type":"flow","stime":"06:01:14.546578","flgs":" e
","proto":"tcp","saddr":"x.x.97.55","sport":5862,"dir":"
->","daddr":"44.234.221.91","dport":443,"pkts":"20","bytes":"11358","state":"CON"}
{ "type":"flow","stime":"06:01:15.087293","flgs":" e
","proto":"tcp","saddr":"162.142.125.20","sport":50643,"dir":"
->","daddr":"x.x.97.55","dport":443,"pkts":"1","bytes":"58","state":"REQ"}
...and validated that it loaded/parsed correctly in jq(1), as an
example. If I'm not mistaken, the output of 'ra --help' doesn't yet
document the 'json' option. There's an unexpected space after the
opening '{' of the record. This seems promising!
[1] https://qosient.com/argus/src/argus-clients-3.0.8.3.tar.gz
[2] https://pastebin.com/raw/0uGTR7iv
[3] https://github.com/openbsd/ports/blob/master/net/argus-clients/Makefile
--
Darren Spruell
phatbuckett at gmail.com
More information about the argus
mailing list