ARGUS.CONF(1)ARGUS.CONF(1)NAMEargus.conf - argus resource file.
SYNOPSISargus.confCOPYRIGHT
Copyright (c) 2000-2008 QoSient, LLC All rights reserved.
DESCRIPTION
Argus will automatically open this argus.conf when its installed as
/etc/argus.conf. Argus will also search for this file as argus.conf in
directories specified in $ARGUSPATH, or $ARGUSHOME, $ARGUSHOME/lib, or
$HOME, $HOME/lib, and parse it to set common configuration options.
All values in this file can be overriden by command line options, or
other files of this format when read in using the -F option.
Variable Syntax
Variable assignments must be of the form:
VARIABLE=
with no white space between the VARIABLE and the '=' sign. Quotes are
optional for string arguments, but if you want to embed comments, then
quotes are required.
ARGUS_FLOW_TYPE / ARGUS_FLOW_KEY
The Argus can be configured to support a large number of flow types.
The Argus can provide either type, i.e. uni-directional or bi-direc‐
tional flow tracking and the flow can be further defined by specifying
the key. The argus supports a set of well known key strategies, such
as 'CLASSIC_5_TUPLE', 'LAYER_3_MATRIX', 'LAYER_2_MATRIX', formulate key
strategies from a list of the specific objects that the Argus under‐
stands. See the man page for a complete description.
The default is the classic 5-tuple IP flow, CLASSIC_5_TUPLE.
There is no commandline equivalent.
ARGUS_FLOW_TYPE="Bidirectional"
ARGUS_FLOW_KEY="CLASSIC_5_TUPLE"
ARGUS_DAEMON
Argus is capable of running as a daemon, doing all the right things
that daemons do. When this configuration is used for the system daemon
process, say for /etc/argus.conf, this variable should be set to "yes".
The default value is to not run as a daemon.
This example is to support the ./support/Startup/argus script which
requires that this variable be set to "yes".
Commandline equivalent -d
ARGUS_DAEMON=yes
ARGUS_MONITOR_ID
Argus Monitor Data is uniquely identifiable based on the source identi‐
fier that is included in each output record. This is to allow you to
work with Argus Data from multiple monitors at the same time. The ID
is 32 bits long, and so legitimate values are 0 - 4294967296 but argus
also supports IP addresses as values. The configuration allows for you
to use host names, however, do have some understanding how `hostname`
will be resolved by the nameserver before commiting to this strategy
completely.
Commandline equivalent -e
ARGUS_MONITOR_ID=`hostname`
ARGUS_ACCESS_PORT
Argus monitors can provide a real-time remote access port for collect‐
ing Argus data. This is a TCP based port service and the default port
number is tcp/561, the "experimental monitor" service. This feature is
disabled by default, and can be forced off by setting it to zero (0).
When you do want to enable this service, 561 is a good choice, as all
ra* clients are configured to try this port by default.
Commandline equivalent -P
ARGUS_ACCESS_PORT=561
ARGUS_BIND_IP
When remote access is enabled (see above), you can specify that Argus
should bind only to a specific IP address. This is useful, for exam‐
ple, in restricting access to the local host, or binding to a private
interface while capturing from another. The default is to bind to any
IP address.
Commandline equivalent -B
ARGUS_BIND_IP="127.0.0.1"
ARGUS_INTERFACE
By default, Argus will open the first appropriate interface on a system
that it encounters. For systems that have only one network interface,
this is a reasonable thing to do. But, when there are more than one
suitable interface, you should specify which interface(s) Argus should
read data from.
Argus can read packets from multiple interfaces at the same time,
although this is limited to 2 interfaces at this time. Specify this in
this file with multiple ARGUS_INTERFACE directives.
Commandline equivalent -i
ARGUS_INTERFACE=le0
ARGUS_GO_PROMISCUOUS
By default, Argus will put its interface in promiscuous mode in order
to monitor all the traffic that can be collected. This can put an undo
load on systems.
If the intent is to monitor only the network activity of the specific
system, say to measure the performance of an HTTP service or DNS ser‐
vice, you'll want to turn promiscuous mode off.
The default value is go into prmiscuous mode.
Commandline equivalent -p
ARGUS_GO_PROMISCUOUS=yes
ARGUS_COLLECTOR
By default, Argus will provide its own reliable output collection func‐
tions, which include writing out to multiple files, supporting multiple
concurrent remote clients, independent output filtering and strong
authentication and encryption. The support for each of these functions
increases the CPU requirements of argus, and as such, in high load
environments, may not be desireable.
When argus's collection functions are disabled, the only way to access
data is through a socket, and as a result the ARGUS_ACCESS_PORT and
ARGUS_BIND_ADDRESS mechanisms may need to be used.
Commandline equivalent -c
ARGUS_COLLECTOR=yes
ARGUS_CHROOT_DIR
Argus supports chroot(2) in order to control the file system that argus
exists in and can access. Generally used when argus is running with
privileges, this limits the negative impacts that argus could inflict
on its host machine.
This option will cause the output file names to be relative to this
directory, and so consider this when trying to find your output files.
Commandline equivalent -C
ARGUS_CHROOT_DIR=/chroot_dir
ARGUS_SETUSER_ID
Argus can be directed to change its user id using the setuid() system
call. This is can used when argus is started as root, in order to
access privileged resources, but then after the resources are opened,
this directive will cause argus to change its user id value to a
'lesser' capable account. Recommended when argus is running as daemon.
Commandline equivalent -u
ARGUS_SETUSER_ID=user
ARGUS_SETGROUP_ID
Argus can be directed to change its group id using the setgid() system
call. This is can used when argus is started as root, in order to
access privileged resources, but then after the resources are opened,
this directive can be used to change argu's group id value to a
'lesser' capable account. Recommended when argus is running as daemon.
Commandline equivalent -g
ARGUS_SETGROUP_ID=group
ARGUS_OUTPUT_FILE
Argus can write its output to one or a number of files, default limit
is 5 concurrent files, each with their own independant filters.
The format is:
ARGUS_OUTPUT_FILE=/full/path/file/name
ARGUS_OUTPUT_FILE=/full/path/file/name "filter"
Most sites will have argus write to a file, for reliablity and perfor‐
mance. The example file name is used here as supporting programs, such
as ./support/Archive/argusarchive are configured to use this file.
Commandline equivalent -w
ARGUS_OUTPUT_FILE=/var/log/argus/argus.out
ARGUS_SET_PID
When Argus is configured to run as a daemon, with the -d option, Argus
can store its pid in a file, to aid in managing the running daemon.
However, creating a system pid file requires privileges that may not be
appropriate for all cases.
When configured to generate a pid file, if Argus cannot create the pid
file, it will fail to run. This variable, and the directory the pid is
written to, is available to override the default, in case this gets in
your way.
The default value is to generate a pid. The default path for the pid
file, is '/var/run'.
No Commandline equivalent
ARGUS_SET_PID=yes
ARGUS_PID_PATH=/var/run
ARGUS_FLOW_STATUS_INTERVAL
Argus will periodically report on a flow's activity every
ARGUS_FLOW_STATUS_INTERVAL seconds, as long as there is new activity on
the flow. This is so that you can get a view into the activity of very
long lived flows. The default is 60 seconds, but this number may be
too low or too high depending on your uses.
The default value is 60 seconds, but argus does support a minimum value
of 1. This is very useful for doing measurements in a controlled
experimental environment where the number of flows is < 1000.
Commandline equivalent -S
ARGUS_FLOW_STATUS_INTERVAL=60
ARGUS_MAR_STATUS_INTERVAL
Argus will periodically report on a its own health, providing interface
status, total packet and bytes counts, packet drop rates, and flow ori‐
ented statistics.
These records can be used as "keep alives" for periods when there is no
network traffic to be monitored.
The default value is 300 seconds, but a value of 60 seconds is very
common.
Commandline equivalent -M
ARGUS_MAR_STATUS_INTERVAL=300
ARGUS_DEBUG_LEVEL
If compiled to support this option, Argus is capable of generating a
lot of debug information.
The default value is zero (0).
Commandline equivalent -D
ARGUS_DEBUG_LEVEL=0
ARGUS_GENERATE_RESPONSE_TIME_DATA
Argus can be configured to report on flows in a manner than provides
the best information for calculating application reponse times and net‐
work round trip times.
The default value is to not generate this data.
Commandline equivalent -R
ARGUS_GENERATE_RESPONSE_TIME_DATA=no
ARGUS_GENERATE_JITTER_DATA
Argus can be configured to generate packet jitter information on a per
flow basis. The default value is to not generate this data.
Commandline equivalent -J
ARGUS_GENERATE_JITTER_DATA=no
ARGUS_GENERATE_MAC_DATA
Argus can be configured to not provide MAC addresses in it audit data.
This is available if MAC address tracking and audit is not a require‐
ment.
The default value is to not generate this data.
Commandline equivalent -m
ARGUS_GENERATE_MAC_DATA=no
ARGUS_GENERATE_APPBYTE_METRIC
Argus can be configured to generate metrics that include the applica‐
tion byte counts as well as the packet count and byte counters.
Commandline equivalent -A
ARGUS_GENERATE_APPBYTE_METRIC=no
ARGUS_GENERATE_TCP_PERF_METRIC
Argus by default, generates extended metrics for TCP that include the
connection setup time, window sizes, base sequence numbers, and
retransmission counters. You can suppress this detailed information
using this variable.
No commandline equivalent
ARGUS_GENERATE_TCP_PERF_METRIC=yes
ARGUS_GENERATE_BIDIRECTIONAL_TIMESTAMPS
Argus by default, generates a single pair of timestamps, for the first
and last packet seen on a given flow, during the obseration period.
For bi-directional flows, this results in loss of some information. By
setting this variable to 'yes', argus will store start and ending time‐
stamps for both directions of the flow.
No commandline equivalent
ARGUS_GENERATE_BIDIRECTIONAL_TIMESTAMPS=no
ARGUS_CAPTURE_DATA_LEN
Argus can be configured to capture a number of user data bytes from the
packet stream.
The default value is to not generate this data.
Commandline equivalent -U
ARGUS_CAPTURE_DATA_LEN=0
ARGUS_FILTER_OPTIMIZER
Argus uses the packet filter capabilities of libpcap. If there is a
need to not use the libpcap filter optimizer, you can turn it off here.
The default is to leave it on.
Commandline equivalent -O
ARGUS_FILTER_OPTIMIZER=yes
ARGUS_FILTER
You can provide a filter expression here, if you like. It should be
limited to 2K in length. The default is to not filter.
No Commandline equivalent
ARGUS_FILTER=""
ARGUS_PACKET_CAPTURE_FILE
Argus allows you to capture packets in tcpdump() format if the source
of the packets is a tcpdump() formatted file or live packet source.
Specify the path to the packet capture file here.
ARGUS_PACKET_CAPTURE_FILE="/var/log/argus/packet.out"
ARGUS_SSF
Argus supports the use of SASL to provide strong authentication and
confidentiality protection.
The policy that argus uses is controlled through the use of a minimum
and maximum allowable protection strength, which is standard for SASL
based appliations. Set these variable to control this policy. The
default is no security policy.
ARGUS_MIN_SSF=0 ARGUS_MAX_SSF=0
SEE ALSOargus(8)
07 November 2000 ARGUS.CONF(1)
