Hi all,
I need to run the following command "racluster -r argus.2014.08.19.10.30.01.0.gz -s stime daddr -s stime saddr daddr trans" but to display only events from 10:00am to 10:15am.
How can I accomplish this?
Thanks
Monah
Hi Monah,
You probably meant to email the argus listserv, or possibly the security onion listserv... But since you asked, you should be able to:
racluster -r argus.2014.08.19.10.30.01.0.gz -s stime daddr -s stime saddr daddr trans -t 10h+15m
Much more detail can be found in the man page for ra... It's quite a flexible option.
Cheers,
Jesse