[ARGUS] HA config?
Carter Bullard
carter at qosient.com
Sat Sep 27 16:57:22 EDT 2025
Hey Patrick,
To handle the data from radium1 or radium2 during radium3’s down time, you need to store the records on radium1 and radium2, and use them when needed, pruning when all is well.
The preferred method is to use rastream.1 on each of the radii, to store the data to a local argus archive. Something like this (assuming all radii put a listen down on port 561)
On each remote Sensor:
rastream -S localhost -M time 5m -w /usr/local/argus/archive/%Y/%m/%d/argus.%Y.%m.%d.%H.%M.%S
This will generate 5 minute files of all the data that the radii would send. This can act as a recovery cache if needed.
Maybe retain for a few days or so, and have the archive aggressively reconcile the data from radium1 and radium2 if it needs it ...
So for 2025/09/27 between 5:10 and 5:15am …
rasort -m stime -r radium1.2025.09.27.05.10.00 radium2.2025.09.27.05.10.00 -w radium3.2025.09.27.05.10.00
What do you think ??
Carter
> On Sep 25, 2025, at 3:30 PM, Patrick Forsberg <fors at chalmers.se> wrote:
>
> Retrying ascii-art using fixed width
>
> Sensor1
> argus1 ---> radium1 ---+
>                        |      Archive
>                        | ---> radium3 ---> ?
> Sensor2                |
> argus2 ---> radium2 ---+
>
> On 2025-09-25 21:25, Patrick Forsberg wrote:
>> Hi,
>>
>> We have two sensors listening in on our border routers that are configured as active-active.
>>
>> We also have an archive host where we store our collected data.
>>
>> Our current setup has the sensors write data directly from argus to a file and then that file is rotated every 5 minutes.
>> The rotated sensor files are then rsynced to the archive host where they are then merged into an archive using racluster.
>>
>> The rsync setup means that it is possible to reboot the archive host without losing any data collected during the reboot.
>>
>> It is now time to install new sensors and a new archive host and also migrate from 3.0.8.3 to 5.0.3 and I thought I should modernise things a bit and start using radium instead.
>>
>> My idea for a setup is currently something like
>>
>> Sensor1
>> argus1 ---> radium1 ---+
>>                        |      Archive
>>                        | ---> radium3 ---> ?
>> Sensor2                |
>> argus2 ---> radium2 ---+
>>
>>
>> This setup should handle a reboot of a sensor node fairly well since radium3 should be able to reconnect to the sensor once it comes back up and we must accept that we won't have a complete picture of the network traffic during the time it took to reboot the sensor.
>>
>> What I do not think it handles well is rebooting the Archive host. Once it has rebooted and started up radium3 it will receive the "current" data from radium1/radium2 but not the data collected while the Archive host rebooted. Is there a way to handle this or would I have to fall back to collecting files from the sensor nodes for the missing time?
>>
>> Regards,
>>
>> Patrick Forsberg
>> Chalmers University of Technology
>>
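The recovery step described in the reply above, generalized from the single 05:10 bin to a whole outage window, as an added example that is not part of the original thread. It assumes the sensors' 5 minute cache files have already been copied to a staging directory on the archive host and named radium1.<stamp> and radium2.<stamp> as in the rasort command above; the staging directory and the function names are hypothetical. It only prints the rasort commands, so the plan can be reviewed before anything is written.

```shell
#!/bin/sh
# Added example: plan the per-bin rasort merges for an archive-host outage.
# Assumptions (not from the thread): cache files sit in a staging directory,
# named radium1.<stamp> / radium2.<stamp>, and this host uses the same time
# zone the sensors used when rastream named the files.

BIN=300   # seconds per file, matching "rastream -M time 5m"

# stamp EPOCH -> YYYY.MM.DD.HH.MM.SS (TZ taken from the environment)
stamp() {
    date -d "@$1" +%Y.%m.%d.%H.%M.%S
}

# plan_merge STAGE START_EPOCH END_EPOCH
# Prints one rasort command per 5 minute bin overlapping [START, END).
# A missing or empty cache file is reported on stderr; a bin with only one
# sensor's file is still merged, a bin with none is skipped.
plan_merge() {
    stage=$1
    t=$(( $2 - $2 % BIN ))          # align down to the start of the bin
    end=$3
    while [ "$t" -lt "$end" ]; do
        s=$(stamp "$t")
        inputs=""
        for src in radium1 radium2; do
            f="$stage/$src.$s"
            if [ -s "$f" ]; then
                inputs="$inputs $f"
            else
                echo "MISSING $f" >&2
            fi
        done
        if [ -n "$inputs" ]; then
            echo "rasort -m stime -r$inputs -w $stage/radium3.$s"
        fi
        t=$(( t + BIN ))
    done
}

# Stand-alone use: plan.sh STAGE START_EPOCH END_EPOCH
if [ "$#" -eq 3 ]; then
    plan_merge "$@"
fi
```

The MISSING lines on stderr identify bins where a sensor was itself down or its cache was already pruned, so those gaps are known before the merged files go into the archive.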