RARC(5)                       File Formats Manual                      RARC(5)


NAME

       rarc - ra client resource file.

SYNOPSIS

       rarc

DESCRIPTION

       Ra* clients will open this file if it is in the user's $HOME
       directory, or in the $ARGUSHOME directory, and parse it to set
       common configuration options.  All of these values will be
       overridden by options set on the command line, or in the file
       specified using the '-F conffile' option.

       Values can be quoted to make string denotation easier; however,
       the parser does not require that string values be quoted.  To
       support this, the parser will remove " (double quote) characters
       from input strings, so do not use this character in strings
       themselves.

       Values specified as "" will be treated as a NULL string, and the
       parser will ignore the variable setting.
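
       The rules above (quotes stripped, "" ignored, command line wins)
       are small enough to implement directly.  The following parser is
       an added example, not Argus project code; it assumes that a line
       whose first non-blank character is '#' is a comment (the page says
       lines can be "commented out" but does not name the marker), that
       whitespace around '=' is ignored, and that the per-user file is
       named .rarc.  The sample file contents are constructed.

```python
"""Parser for the rarc KEY=VALUE format described in DESCRIPTION.

Added example, not Argus code.  Assumptions: '#' starts a comment,
whitespace around '=' is ignored, the per-user file is $HOME/.rarc.
"""
import os
import re

# Constructed sample rarc contents (not from a real installation).
SAMPLE_RARC = """\
# constructed sample rarc
RA_ARGUS_SERVER=localhost:561
RA_PRINT_LABELS=0
RA_PRINT_NAMES=port
RA_FILTER=""
RA_TZ="EST5EDT4,M3.2.0/02,M11.1.0/02"
RA_TIME_FORMAT="%T.%f"
"""

_LINE = re.compile(r"^([A-Z][A-Z0-9_]*)\s*=\s*(.*?)\s*$")


def parse_rarc(text):
    """Return {variable: value} following the rules in DESCRIPTION.

    - every '"' character is removed from the value, wherever it appears
    - a value that is "" (empty after stripping) is NULL: the variable
      is ignored and does not appear in the result
    """
    settings = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):   # assumption: '#' comments
            continue
        m = _LINE.match(line)
        if m is None:
            continue                           # not a KEY=VALUE line
        name, value = m.group(1), m.group(2).replace('"', "")
        if value == "":
            continue                           # "" means NULL: ignore
        settings[name] = value
    return settings


def effective_settings(rarc_text, cli_overrides=None):
    """Command line (or -F conffile) options override the rarc values."""
    merged = parse_rarc(rarc_text)
    merged.update(cli_overrides or {})
    return merged


def load_rarc(home=None):
    """Look in $HOME, then $ARGUSHOME, as DESCRIPTION says; return {} if absent."""
    for base in (home or os.environ.get("HOME"), os.environ.get("ARGUSHOME")):
        if base:
            path = os.path.join(base, ".rarc")  # assumption: dotfile name
            if os.path.isfile(path):
                with open(path) as fh:
                    return parse_rarc(fh.read())
    return {}


if __name__ == "__main__":
    for k, v in sorted(effective_settings(SAMPLE_RARC, {"RA_PRINT_LABELS": "-1"}).items()):
        print(f"{k}={v}")
```

       Note that RA_FILTER="" disappears from the result entirely, which
       is what "the parser will ignore the variable setting" means in
       practice: a program cannot distinguish an empty value from an
       absent one.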

RA_ARGUS_SERVER

       All ra* clients can attach to a remote server and collect argus
       data in real time.  This variable can be a host name or a
       dotted-decimal IP address.  Optionally, you can specify a port
       number by appending a ':' followed by the desired port number.

       RA_ARGUS_SERVER=localhost:561

RA_SOURCE_PORT

       You can change the default source port value that will be used on
       remote TCP and UDP connections using this variable.  When you
       specify the remote server using the -S option without a port
       number, this is the port number it will use.

       The default port number is 561.

       RA_SOURCE_PORT=561

PID FILE SUPPORT

       Any ra* program can generate a pid file, which can be used to
       control the number of instances that the system can support.

       Creating a system pid file may require privileges that may not be
       appropriate in all cases.  By specifying RA_PID_PATH, you can
       create personal pid files that will enforce your own policy for
       your own use of the ra* programs.

       When configured to generate a pid file for a ra* program, if a file
       called ra*.pid (where ra* is the name of the program in question)
       exists in the RA_PID_PATH directory, and a process exists with a
       pid that matches the one contained in the file, then the program
       will not start.  If the pid does not exist, then the ra* program
       replaces the value in the file with its own pid.  If a pid file
       does not exist, then the ra* program will create it in the
       RA_PID_PATH directory, if it can.  The end result is that the
       system will support only one instance of the program, based on
       name, running at a time.

       The default is to not generate a pid file.  The default path for
       the pid file is /var/run.

       No Commandline equivalent

       RA_SET_PID="no"
       RA_PID_PATH="/var/run"
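
       The single-instance logic of the paragraph above, written out as
       an added example (not Argus code).  It assumes POSIX semantics,
       where os.kill(pid, 0) tests for a process without signalling it;
       the is_alive hook lets the decision be exercised with constructed
       pids instead of real processes.

```python
"""Single-instance check as described under PID FILE SUPPORT.

Added example, not Argus code.  Assumes POSIX: os.kill(pid, 0) tests
whether a pid exists without affecting the process.
"""
import errno
import os
import tempfile


def default_is_alive(pid):
    """True if a process with this pid exists (EPERM still means it exists)."""
    try:
        os.kill(pid, 0)
    except OSError as exc:
        return exc.errno == errno.EPERM
    return True


def acquire_pid_file(program, pid_path="/var/run", my_pid=None, is_alive=default_is_alive):
    """Create or take over <pid_path>/<program>.pid.

    Returns True when this instance may start, False when a live instance
    with the same program name already holds the file.  Raises OSError if
    the directory is not writable, which is exactly why RA_PID_PATH lets
    a user keep personal pid files instead of needing /var/run.
    """
    my_pid = os.getpid() if my_pid is None else my_pid
    pid_file = os.path.join(pid_path, program + ".pid")

    if os.path.exists(pid_file):
        with open(pid_file) as fh:
            content = fh.read().strip()
        # A corrupt pid file is treated as stale rather than blocking startup.
        old_pid = int(content) if content.isdigit() else None
        if old_pid is not None and old_pid != my_pid and is_alive(old_pid):
            return False                     # live instance: do not start
    # No file, or the recorded pid is gone: record our own pid.
    with open(pid_file, "w") as fh:
        fh.write(f"{my_pid}\n")
    return True


def release_pid_file(program, pid_path="/var/run", my_pid=None):
    """Remove the pid file only if it still holds our pid."""
    my_pid = os.getpid() if my_pid is None else my_pid
    pid_file = os.path.join(pid_path, program + ".pid")
    try:
        with open(pid_file) as fh:
            if fh.read().strip() == str(my_pid):
                os.unlink(pid_file)
                return True
    except FileNotFoundError:
        pass
    return False


def self_check():
    """Run the acquire/replace/release sequence in a scratch directory
    with constructed pids; returns the five decisions in order."""
    with tempfile.TemporaryDirectory() as d:     # stands in for RA_PID_PATH
        alive = {1000}
        r1 = acquire_pid_file("ra", d, my_pid=1000, is_alive=alive.__contains__)
        r2 = acquire_pid_file("ra", d, my_pid=2000, is_alive=alive.__contains__)
        alive.clear()                            # pid 1000 has exited
        r3 = acquire_pid_file("ra", d, my_pid=2000, is_alive=alive.__contains__)
        r4 = release_pid_file("ra", d, my_pid=1000)   # file is no longer ours
        r5 = release_pid_file("ra", d, my_pid=2000)
        return [r1, r2, r3, r4, r5]


if __name__ == "__main__":
    print(self_check())   # [True, False, True, False, True]
```

       The check-then-write is not atomic: two instances started at the
       same instant can both read a stale pid and both write.  For a
       personal RA_PID_PATH that is usually acceptable; where it is not,
       an O_EXCL create or a file lock is the usual remedy.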

RA_OUTPUT_FILE

       All ra* clients can support writing output as Argus Records into a
       file or stdout.  Stdout is specified as '-'.

       RA_OUTPUT_FILE="filename"

RA_TIMERANGE

       All ra* clients can support input filtering on a time range.  The
       format is:
            timeSpecification[-timeSpecification]

       where the format of a timeSpecification can be:
            [[[yy/]mm/]dd.]hh[:mm[:ss]]
            [yy/]mm/dd

       RA_TIMERANGE="55/12/04.00:00:01-55/12/04.23:59:59"
       RA_TIMERANGE="12/04-12/05"
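
       A parser for that grammar, as an added example (not Argus code).
       The page does not say how a two-digit year or an omitted year,
       month or day is resolved, so this version takes the year literally
       and fills omitted leading fields from a caller-supplied reference
       date; a range with no end is treated as the single second given.
       The reference date REF is constructed.

```python
"""Parser for the RA_TIMERANGE grammar.

Added example, not Argus code.  Assumptions: a two-digit year is taken
literally, omitted yy/mm/dd come from a reference date, and a spec with
no end describes a single second.
"""
import re
from datetime import datetime

# [[[yy/]mm/]dd.]hh[:mm[:ss]]
_CLOCK = re.compile(
    r"^(?:(?:(?:(?P<yy>\d{1,4})/)?(?P<mm>\d{1,2})/)?(?P<dd>\d{1,2})\.)?"
    r"(?P<HH>\d{1,2})(?::(?P<MM>\d{1,2})(?::(?P<SS>\d{1,2}))?)?$"
)
# [yy/]mm/dd
_DATE = re.compile(r"^(?:(?P<yy>\d{1,4})/)?(?P<mm>\d{1,2})/(?P<dd>\d{1,2})$")

REF = datetime(2016, 1, 1)   # constructed reference date for omitted fields


def parse_time_spec(spec, ref=REF):
    """One timeSpecification -> datetime.  A date-only spec is midnight."""
    m = _CLOCK.match(spec) or _DATE.match(spec)
    if m is None:
        raise ValueError(f"bad time specification: {spec!r}")
    f = m.groupdict()
    return datetime(
        int(f["yy"]) if f.get("yy") else ref.year,
        int(f["mm"]) if f.get("mm") else ref.month,
        int(f["dd"]) if f.get("dd") else ref.day,
        int(f["HH"]) if f.get("HH") else 0,
        int(f["MM"]) if f.get("MM") else 0,
        int(f["SS"]) if f.get("SS") else 0,
    )


def parse_time_range(value, ref=REF):
    """'start[-end]' -> (start, end); rejects an end before the start."""
    start_spec, _, end_spec = value.partition("-")
    start = parse_time_spec(start_spec, ref)
    end = parse_time_spec(end_spec, ref) if end_spec else start
    if end < start:
        raise ValueError(f"end precedes start in {value!r}")
    return start, end


def in_range(record_time, rng):
    """The input filter: keep a record whose time falls inside the range."""
    start, end = rng
    return start <= record_time <= end


def fields(dt):
    """(year, month, day, hour, minute, second) for easy comparison."""
    return (dt.year, dt.month, dt.day, dt.hour, dt.minute, dt.second)


if __name__ == "__main__":
    for value in ("55/12/04.00:00:01-55/12/04.23:59:59", "12/04-12/05", "13:30"):
        s, e = parse_time_range(value)
        print(value, "->", fields(s), fields(e))
```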

RA_RUN_TIME

       All ra* clients can support running for a number of seconds while
       attached to a remote source of argus data.  This is a type of
       polling.  The default is zero (0), which means run indefinitely.

       RA_RUN_TIME=0

RA_PRINT_MAN_RECORDS

       Specify if ra* clients should print management records by default.
       This does not affect management record processing, nor downstream
       management record propagation.

       Commandline equivalents: -M [no]man

       RA_PRINT_MAN_RECORDS=no
       RA_PRINT_EVENT_RECORDS=no

RA_PRINT_LABELS

       Most ra* clients are designed to print argus records out in ASCII,
       with each client supporting its own output formats.  For ra() like
       clients, this variable will generate column headers as labels.  The
       number is the number of lines between repeated header labeling.
       Setting this value to zero (0) will cause the labels to be printed
       once.  If you don't want labels, comment this line out, delete it,
       or set the value to -1.

       RA_PRINT_LABELS=0

RA_FIELD_DELIMITER

       Most ra* clients are designed to print argus records out in ASCII,
       with each client supporting its own output formats.  For ra() like
       clients, this variable can override the default field delimiter,
       which is a variable span of spaces (' '), to be any character.  The
       most common are expected to be '' for tabs, and ',' for comma
       separated fields.

       RA_FIELD_DELIMITER=','

RA_PRINT_NAMES

       For ra(1) like clients, this variable will control the translation
       of various numbers to names, such as address hostnames, port
       service names and/or protocol names.  There can be a huge
       performance impact with name lookup, so the default is to not
       resolve hostnames.

       RA_PRINT_NAMES=port

       Other valid options are none to print no names, proto to translate
       the protocol names, port to translate port names, and all to
       translate all the fields.  An invalid option will silently default
       to port.

RA_CIDR_ADDRESS_FORMAT

       Use this variable to specify whether ra() clients, when printing
       numeric IP addresses, will print them as CIDR addresses or not.
       CIDR notation is constructed from the IP address and the prefix
       size, the latter being the number of leading 1 bits of the routing
       prefix.  The IP address is expressed according to the standards of
       IPv4 or IPv6.  It is followed by a separator character, the forward
       slash (/) character, and the prefix size expressed as a decimal
       number.

       Argus IPv4 data contains the CIDR mask length when it is less than
       32, and ra* programs will by default provide the "/masklen" suffix
       when the mask is less than 32.

       This may be confusing for some data processors, which would rather
       see the "/masklen" either never or all the time.  Use this option
       to change the default printing strategy.

       Acceptable values for this variable are:
           "no"     -  do not provide the CIDR mask length (legacy mode)
                       [default]
           "yes"    -  print CIDR mask length when less than 32
           "strict" -  always print CIDR mask length

       RA_CIDR_ADDRESS_FORMAT="no"
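
       The three modes, as an added example (not Argus code) that also
       shows what the downstream consumer the paragraph worries about has
       to cope with.  It uses the standard ipaddress module; 128 plays the
       role for IPv6 that 32 plays for IPv4 on the page, and the mask
       lengths passed in are constructed record values.

```python
"""Address printing under RA_CIDR_ADDRESS_FORMAT.

Added example, not Argus code.  Uses ipaddress.max_prefixlen (32 for
IPv4, 128 for IPv6) as the "full length" threshold.
"""
import ipaddress


def format_address(addr, masklen=None, mode="no"):
    """Render addr with or without a "/masklen" suffix.

    "no"     - never print the mask length (legacy mode, the default)
    "yes"    - print it only when shorter than the full address length
    "strict" - always print it
    """
    ip = ipaddress.ip_address(addr)
    full = ip.max_prefixlen
    if masklen is None:
        masklen = full                  # record carried no mask: host address
    if not 0 <= masklen <= full:
        raise ValueError(f"mask length {masklen} invalid for {addr}")
    if mode == "strict" or (mode == "yes" and masklen < full):
        return f"{ip}/{masklen}"
    if mode in ("no", "yes"):
        return str(ip)
    raise ValueError(f"unknown RA_CIDR_ADDRESS_FORMAT value: {mode!r}")


def parse_printed_address(text):
    """What a consumer of ra output must do: with "strict" the split is
    always two fields; with "yes" it has to tolerate a missing suffix."""
    addr, sep, mask = text.partition("/")
    return ipaddress.ip_address(addr), (int(mask) if sep else None)


def render_column(records, mode):
    """Print one address column for constructed (addr, masklen) records."""
    return [format_address(a, m, mode) for a, m in records]


if __name__ == "__main__":
    sample = [("10.1.2.0", 24), ("10.1.2.3", 32), ("2001:db8::1", 64)]  # constructed
    for mode in ("no", "yes", "strict"):
        print(mode, render_column(sample, mode))
```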

RA_ASN_PRINT_FORMAT

       All ra() clients can print and process AS Numbers that have been
       added to the records through metadata labeling, or were a part of
       the original Netflow to argus conversion process.

       RFC 5396 specifies 3 formats for representing AS Numbers, and all 3
       are acceptable formats.  These formats are:
           "asplain" - 2 and 4-byte ASNs are printed as decimal integers.
           "asdot+"  - 2 and 4-byte ASNs are printed using a dot notation.
           "asdot"   - 2 byte ASNs are printed as decimal, and 4-byte ASNs
                       are printed using a dotted notation.

       The default is 'asplain'.

       No Commandline equivalent

       RA_ASN_PRINT_FORMAT="asplain"
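
       The three RFC 5396 representations, as an added example (not
       Argus code).  asplain is plain decimal; asdot+ is always
       <high16>.<low16>; asdot is decimal for 2-byte ASNs and
       <high16>.<low16> for 4-byte ones.  The inverse parser is included
       because labels from different sources commonly mix notations.

```python
"""AS number rendering in the three RFC 5396 representations.

Added example, not Argus code.
"""

AS_MAX = 0xFFFFFFFF


def format_asn(asn, fmt="asplain"):
    """Render an AS number under the given RA_ASN_PRINT_FORMAT value."""
    if not 0 <= asn <= AS_MAX:
        raise ValueError(f"AS number out of range: {asn}")
    if fmt == "asplain":
        return str(asn)
    high, low = asn >> 16, asn & 0xFFFF
    if fmt == "asdot+":
        return f"{high}.{low}"
    if fmt == "asdot":
        return str(asn) if asn < 0x10000 else f"{high}.{low}"
    raise ValueError(f"unknown RA_ASN_PRINT_FORMAT value: {fmt!r}")


def parse_asn(text):
    """Accept any of the three notations and return the integer ASN."""
    text = text.strip()
    if "." in text:
        high_s, low_s = text.split(".", 1)
        high, low = int(high_s), int(low_s)
        if not (0 <= high <= 0xFFFF and 0 <= low <= 0xFFFF):
            raise ValueError(f"bad dotted AS number: {text!r}")
        return (high << 16) | low
    value = int(text)
    if not 0 <= value <= AS_MAX:
        raise ValueError(f"AS number out of range: {text!r}")
    return value


def normalize(text, fmt="asplain"):
    """Re-render a label value in the configured format."""
    return format_asn(parse_asn(text), fmt)


if __name__ == "__main__":
    for asn in (64512, 65535, 65536, 4200000000):   # constructed values
        print(asn, [format_asn(asn, f) for f in ("asplain", "asdot+", "asdot")])
```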

RA_PRINT_RESPONSE_DATA

       For ra() like clients, this variable will include the response
       data that is provided by Argus.  This is protocol and state
       specific.

       RA_PRINT_RESPONSE_DATA=no

RA_PRINT_UNIX_TIME

       For ra() like clients, this variable will force the timestamp to be
       in Unix time format, which is an integer representing the number of
       elapsed seconds since the epoch.

       RA_PRINT_UNIX_TIME=no

RA_TIME_FORMAT

       For ra() like clients, the format that is used to print timestamps
       is based on the strftime() library call, with an extension to print
       fractions of a second using "%f".  The default is "%T.%f".  You can
       override this default time format by setting this variable.  This
       string must conform to the format specified in strftime().
       Malformed strings can generate interesting output, so be aware with
       this one, and don't forget the '.' when doing fractions of a
       second.

       RA_TIME_FORMAT="%T.%f"

RA_TZ

       The timezone used for timestamps is specified by the tzset()
       library routines, and is normally specified by factors such as the
       TZ environment variable found on most machines.  You can override
       the TZ environment variable by specifying a time zone using this
       variable.  The format of this string must conform to the format
       specified by tzset(3).

       RA_TZ="EST5EDT4,M3.2.0/02,M11.1.0/02"
       RA_TZ="PST8PDT"

RA_USEC_PRECISION

       For ra() like clients, this variable is used to override the time
       format of the timestamp.  This variable specifies the number of
       decimal places that will be printed as the fractional part of the
       time.  Argus collects usec precision, and so a maximum value of 6
       is supported.  To not print the fractional part, specify the value
       zero (0).

       RA_USEC_PRECISION=6
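
       How RA_TIME_FORMAT, RA_USEC_PRECISION and RA_PRINT_UNIX_TIME
       combine, as an added example (not Argus code).  Argus' "%f"
       extension is emulated by substituting the fraction before the rest
       of the format is handed to strftime(); the record time is a
       constructed (seconds, usec) pair and is rendered in UTC so the
       result does not depend on RA_TZ.  A small check for the '.' pitfall
       the paragraph warns about is included.

```python
"""Timestamp rendering for RA_TIME_FORMAT / RA_USEC_PRECISION / RA_PRINT_UNIX_TIME.

Added example, not Argus code.  "%f" is emulated; POSIX strftime
conversions such as %T are assumed to be available.
"""
import time


def format_timestamp(secs, usec, fmt="%T.%f", precision=6, unix_time=False, gmt=True):
    """Render one record timestamp.

    secs/usec  - seconds since the epoch and the microsecond part
    fmt        - strftime(3) format plus "%f" for the fraction
    precision  - digits of the fraction, 0..6 (6 because Argus stores usec)
    unix_time  - ignore fmt and print epoch seconds instead
    gmt        - render in UTC (True) or the process local zone (False)
    """
    if not 0 <= precision <= 6:
        raise ValueError("RA_USEC_PRECISION must be between 0 and 6")
    if not 0 <= usec < 1_000_000:
        raise ValueError("usec out of range")
    frac = f"{usec:06d}"[:precision]        # truncate, do not round
    if unix_time:
        return f"{secs}.{frac}" if precision else str(secs)
    if precision == 0:
        # Drop "%f" and the '.' that normally precedes it: "%T.%f" -> "%T".
        fmt = fmt.replace(".%f", "").replace("%f", "")
    else:
        fmt = fmt.replace("%f", frac)
    tm = time.gmtime(secs) if gmt else time.localtime(secs)
    return time.strftime(fmt, tm)


def check_time_format(fmt):
    """Return a warning for the pitfall the page names, or None if fine."""
    if "%f" in fmt and ".%f" not in fmt:
        return "'%f' is not preceded by '.': seconds and fraction will run together"
    return None


def render_records(records, fmt="%T.%f", precision=6, unix_time=False):
    """Render constructed (secs, usec) records the way a column would print."""
    return [format_timestamp(s, u, fmt, precision, unix_time) for s, u in records]


if __name__ == "__main__":
    sample = [(0, 123456), (86400, 0)]           # constructed record times
    print(render_records(sample))                # ['00:00:00.123456', '00:00:00.000000']
    print(render_records(sample, precision=0))   # ['00:00:00', '00:00:00']
    print(render_records(sample, unix_time=True, precision=3))
    print(check_time_format("%T%f"))
```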

RA_USERDATA_ENCODE

       Argus can capture user data, and the argus clients can print,
       merge, filter, and strip user data from argus records.  When
       printing out the user data contents, using tools such as ra.1, the
       type of encoding used to print the buffers can be specified here.
       This is available because many user data buffers are not printable
       text, and other representations may be more appropriate.

       Supported values are "Ascii", "Obfuscate", "Hex", "Encode32" or
       "Encode64".  The default is "Ascii".

       Obfuscate is an extension to the Ascii print that attempts to
       overwrite plain text passwords encountered in the user data with
       'x's.

       Commandline equivalent: -M printer=<printer>

       RA_USERDATA_ENCODE=Ascii
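
       The five printers, as an added example (not Argus code).  The
       Obfuscate heuristic is an assumption: the page only says that plain
       text passwords are overwritten with 'x's, so this version masks the
       argument of a few common clear-text credential fields (PASS,
       password=, pwd=) and keeps the field width.  The sample buffer is
       constructed.

```python
"""User-data buffer printers for the RA_USERDATA_ENCODE values.

Added example, not Argus code.  The Obfuscate pattern list is an
assumption; the sample buffer is constructed.
"""
import base64
import re
import string

_PRINTABLE = set(string.printable) - set("\t\n\r\x0b\x0c")

# Assumed clear-text credential fields; the value after them is masked.
_SECRET = re.compile(rb"(?i)(\bPASS\s+|password=|pwd=)([^\s&\r\n]+)")


def encode_ascii(buf):
    """Printable bytes as-is, everything else as '.', one char per byte."""
    return "".join(chr(b) if chr(b) in _PRINTABLE else "." for b in buf)


def encode_obfuscate(buf):
    """Ascii printing with password values overwritten by 'x's of the
    same length, so field widths survive but the secret does not."""
    masked = _SECRET.sub(lambda m: m.group(1) + b"x" * len(m.group(2)), buf)
    return encode_ascii(masked)


def encode_hex(buf):
    return buf.hex()


def encode_32(buf):
    return base64.b32encode(buf).decode("ascii")


def encode_64(buf):
    return base64.b64encode(buf).decode("ascii")


PRINTERS = {
    "Ascii": encode_ascii,
    "Obfuscate": encode_obfuscate,
    "Hex": encode_hex,
    "Encode32": encode_32,
    "Encode64": encode_64,
}


def print_userdata(buf, encoding="Ascii"):
    """Dispatch on the RA_USERDATA_ENCODE value (case-sensitive, as listed)."""
    try:
        printer = PRINTERS[encoding]
    except KeyError:
        raise ValueError(f"unknown RA_USERDATA_ENCODE value: {encoding!r}") from None
    return printer(buf)


# Constructed sample: an FTP-style login exchange followed by two binary bytes.
SAMPLE = b"USER alice\r\nPASS s3cret\r\n\x00\x01"

if __name__ == "__main__":
    for enc in PRINTERS:
        print(f"{enc:9s} {print_userdata(SAMPLE, enc)}")
```

       Obfuscate protects the printed output only; the record itself
       still carries the clear-text bytes, which is why the page notes
       that clients can also strip user data from records.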

RA_FILTER

       You can provide a filter expression here, if you like.  It should
       be limited to 2K in length.  The default is to not filter.  See
       ra(1) for the format of the filter expression.

       RA_FILTER=""

RA_FILTER_TIMEOUT

       The filter is compiled in a separate process, and all ra* programs
       need to wait a reasonable time for the filter compiler to finish,
       or time out and return an error in the case of a fatal error in
       compiling.  Many systems are very busy and could benefit from a
       prolonged wait period; however, if the timer is too long, this
       timeout value could generate a significant startup wait for
       programs that have poor filter specifications.

       The current default is 1.5 seconds, but you can set this to any
       amount of time.

       No Commandline equivalent

       RA_FILTER_TIMEOUT=1.5

SASL SUPPORT

       When argus is compiled with SASL support, ra* clients may be
       required to authenticate to the argus server before the argus will
       accept the connection.  This variable will allow one to set the
       user and authorization ids, if needed.  Although not the best
       practice, you can provide a password through the RA_AUTH_PASS
       variable.  If you do this, you should protect the contents of this
       file.  The format for this variable is:

       RA_USER_AUTH="user_id/authorization_id"
       RA_AUTH_PASS="password"


       The clients can specify a part of the negotiation of the security
       policy that argus uses.  This is controlled through the use of
       minimum and maximum allowable protection strength values.  Set
       these variables to control this policy.

       RA_MIN_SSF=0
       RA_MAX_SSF=128

RA_DEBUG_LEVEL

       If compiled to support this option, ra* clients are capable of
       generating a lot of use [full | less | whatever] debug information.
       The default value is zero (0).

       RA_DEBUG_LEVEL=0

RA_CONNECT_TIME

       Some ra style clients use a non-blocking method to connect to
       remote data sources, so the user may need to control how long to
       wait if a remote source doesn't respond.  This variable sets the
       number of seconds to wait.  This number should be set to a
       reasonable value (5 < value < 60).  The default value is 10
       seconds.

       RA_CONNECT_TIME=10

RA_SORT_ALGORITHMS

       Many ra* programs sort records as a part of their function.
       Programs like rasort.1 provide explicit command-line options to
       specify the sort algorithms and their order, using the

       Use this configuration directive to specify the default sorting
       algorithm table for your ra* programs.  The default sort algorithm
       is record start time "stime".

       RA_SORT_ALGORITHMS="stime"

RA_TIMEOUT_INTERVAL

       Some ra* clients have a timeout based function.  Ratop, as an
       example, times out flows and removes them from the screen at a
       fixed interval.  This interval is set using the RA_TIMEOUT_INTERVAL
       variable, which is a float in seconds.  60.0 seconds is the
       default.

       RA_TIMEOUT_INTERVAL=60.0

RA_UPDATE_INTERVAL

       Some ra* clients have an interval based function.  Ratop, as an
       example, can refresh the screen at a fixed interval.  This interval
       is set using the RA_UPDATE_INTERVAL variable, which is a float in
       seconds.  0.5 seconds is the default.

       RA_UPDATE_INTERVAL=0.5

RA_PRINT_ETHERNET_VENDORS

       All ra* clients have the ability to print vendor names for the
       vendor part of ethernet addresses that are in flow records.  ra*
       programs get their strings for the ethernet vendors from Wireshark
       'manuf' files.  One is provided with the distribution, and
       installed into /usr/local/argus.

       No Commandline equivalent

       RA_PRINT_ETHERNET_VENDORS="no"
       RA_ETHERNET_VENDORS="/usr/local/argus/wireshark.manuf.txt"

RA_DELEGATED_IP

       All ra* clients have the ability to print country codes for the IP
       addresses that are in a flow record.  Country codes are generated
       from the ARIN delegated address space files.  Specify the location
       of your DELEGATED_IP file here.

       No Commandline equivalent

       RA_DELEGATED_IP="/usr/local/argus/delegated-ipv4-latest"

RA_RELIABLE_CONNECT

       All ra* clients can reliably connect to remote data sources.  This
       causes the ra* program to try to reconnect to lost remote sources
       every 5 seconds, indefinitely.  The ra* program then does not
       terminate, but retries connection attempts when they fail.

       This feature is implemented using threads, and so threads support
       must be compiled in.

       No Commandline equivalent

       RA_RELIABLE_CONNECT=no

MYSQL SUPPORT

       Many ra* clients can connect to and use a MySQL database, either
       reading or writing.  This may require references to remote database
       hosts, databases, tables, and mysql account names and passwords.

       Default values for these variables can be set here.  MySQL support
       must be compiled in.

       Commandline equivalents:
         -r mysql://[username[:password]@]hostname[:port]/database/tablename
         -w mysql://[username[:password]@]hostname[:port]/database/tablename
         -u username:password

       RA_DATABASE="argus"
       RA_DB_TABLE="table"
       RA_DB_USER="carter"
       RA_DB_PASS="whatever"


       Those ra* clients that can create database tables may need to
       specify a table type or, rather, a database engine other than the
       default, MyISAM.

       Commandline equivalents:
         -M mysql_engine=tableType
            Current tableTypes are
               MyISAM
               InnoDB
               Merge
               Memory
               Archive
               NDB
               Federated
               CSV

       MYSQL_DB_ENGINE="MyISAM"
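
       Both the SASL section (RA_AUTH_PASS) and this one (RA_DB_PASS)
       put a password in the file and expect the file to be protected.
       The following audit, an added example and not Argus code, reports a
       rarc that stores a password but is readable or writable by other
       users.  It assumes POSIX mode bits and '#' comments; the file
       contents written by self_check() are constructed.

```python
"""Audit a rarc that stores RA_AUTH_PASS or RA_DB_PASS for file permissions.

Added example, not Argus code.  Assumes POSIX mode bits and '#' comments.
"""
import os
import re
import stat
import tempfile

SECRET_VARS = ("RA_AUTH_PASS", "RA_DB_PASS")
_ASSIGN = re.compile(r"^\s*(RA_[A-Z0-9_]+)\s*=\s*(.*?)\s*$")


def secrets_in_rarc(text):
    """Password variables that are actually set (not "" and not commented out)."""
    found = []
    for line in text.splitlines():
        if line.lstrip().startswith("#"):          # assumption: '#' comments
            continue
        m = _ASSIGN.match(line)
        if m and m.group(1) in SECRET_VARS and m.group(2).replace('"', "") != "":
            found.append(m.group(1))
    return found


def audit_rarc(path):
    """Return a list of findings; an empty list means nothing to report."""
    findings = []
    with open(path) as fh:
        secrets = secrets_in_rarc(fh.read())
    if not secrets:
        return findings                   # no stored password: nothing to protect
    mode = stat.S_IMODE(os.stat(path).st_mode)
    names = ", ".join(secrets)
    if mode & (stat.S_IRGRP | stat.S_IROTH):
        findings.append(f"{path}: holds {names} but is group/world readable (mode {mode:04o})")
    if mode & (stat.S_IWGRP | stat.S_IWOTH):
        findings.append(f"{path}: writable by others, so {names} or RA_ARGUS_SERVER "
                        f"could be altered (mode {mode:04o})")
    return findings


def self_check():
    """Write constructed rarc contents under different modes and audit each."""
    results = {}
    with tempfile.TemporaryDirectory() as d:
        path = os.path.join(d, "rarc")
        with open(path, "w") as fh:
            fh.write('RA_DB_USER="carter"\nRA_DB_PASS="whatever"\nRA_AUTH_PASS=""\n')
        os.chmod(path, 0o644)
        results["world_readable"] = len(audit_rarc(path))
        os.chmod(path, 0o600)
        results["private"] = len(audit_rarc(path))
        with open(path, "w") as fh:
            fh.write("RA_ARGUS_SERVER=localhost:561\n# RA_DB_PASS=old\n")
        os.chmod(path, 0o644)
        results["no_secret"] = len(audit_rarc(path))
    return results


if __name__ == "__main__":
    print(self_check())   # {'world_readable': 1, 'private': 0, 'no_secret': 0}
    for finding in audit_rarc(os.path.expanduser("~/.rarc")) if os.path.exists(os.path.expanduser("~/.rarc")) else []:
        print(finding)
```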

COLOR SUPPORT

       For ra* programs that use curses, these variables define color
       schemes and color assignments.

       Argus uses a sixteen color palette, with 8 monotone and 8 accent
       colors, plus 16 colors of gray.  Currently these color values are
       hard coded.  New versions should allow you to provide color
       definitions for all internal values using a 256 Xterm color wheel,
       to assign foreground and background colors.  But we're not there
       yet.

       RA_COLOR_SUPPORT="yes"
       RA_COLOR_CONFIG="/usr/carter/.racolor.conf"

DIRECTION SUPPORT

       Many ra* clients process flow records based on source and
       destination properties.  TCP and UDP port values can be used to
       assign direction, and are best used for well-known ports (< 1024),
       values that are in the /etc/services definitions, and the
       registered ports (> 1023, < 49151).

       The syntax is:
           RA_PORT_DIRECTION="services"
           RA_PORT_DIRECTION="services,wellknown"
           RA_PORT_DIRECTION="services,wellknown,registered"

       We recommend the wellknown and services options, as they are a bit
       more discriminating.  If there are ports that you know are services
       that are in the registered port range, we suggest that you add them
       to your /etc/services file rather than include the registered port
       range, only because the registered range is so large.  However,
       this option is applied only to flows in which the direction is
       ambiguous, and as such, corrections based on this logic should have
       minimal effect on analytics.

       RA_PORT_DIRECTION="services,wellknown"
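
       The port-class logic, as an added example (not Argus code).  For a
       flow whose initiator is ambiguous, it asks each enabled class in
       turn whether exactly one of the two ports belongs to it, and flips
       the endpoints when the current source looks like the server.  The
       /etc/services table is a constructed subset embedded in the code,
       and the flow records are constructed as well.

```python
"""Direction assignment from RA_PORT_DIRECTION port classes.

Added example, not Argus code.  SERVICES stands in for /etc/services.
"""

# Constructed subset of /etc/services (port -> name).
SERVICES = {22: "ssh", 53: "domain", 80: "http", 443: "https",
            3306: "mysql", 8080: "http-alt"}


def is_service(port):
    return port in SERVICES


def is_wellknown(port):
    return 0 < port < 1024


def is_registered(port):
    return 1023 < port < 49151


CLASSES = {"services": is_service, "wellknown": is_wellknown,
           "registered": is_registered}


def parse_port_direction(value):
    """RA_PORT_DIRECTION="a,b,c" -> ["a", "b", "c"], rejecting unknown classes."""
    classes = [c.strip() for c in value.replace('"', "").split(",") if c.strip()]
    unknown = [c for c in classes if c not in CLASSES]
    if unknown:
        raise ValueError(f"unknown RA_PORT_DIRECTION class: {unknown}")
    return classes


def assign_direction(sport, dport, classes):
    """'keep' if the current source looks like the client, 'flip' if it
    looks like the server, 'ambiguous' if no enabled class decides."""
    for cls in classes:
        member = CLASSES[cls]
        s, d = member(sport), member(dport)
        if d and not s:
            return "keep"
        if s and not d:
            return "flip"
    return "ambiguous"


def orient_flow(flow, classes):
    """Apply the decision to a constructed flow dict.  Flows whose
    direction the transport state already settled are left alone."""
    if flow.get("direction_known"):
        return dict(flow, verdict="known")
    verdict = assign_direction(flow["sport"], flow["dport"], classes)
    out = dict(flow, verdict=verdict)
    if verdict == "flip":
        out["saddr"], out["daddr"] = flow["daddr"], flow["saddr"]
        out["sport"], out["dport"] = flow["dport"], flow["sport"]
    return out


if __name__ == "__main__":
    classes = parse_port_direction('"services,wellknown"')
    flow = {"saddr": "192.0.2.10", "sport": 443, "daddr": "198.51.100.7", "dport": 40000}
    print(orient_flow(flow, classes))
```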
       Sites use locality for a number of features, such as access
       control, and this support is intended to support visualization and
       analytics.

       Currently, you can identify a collection of IP addresses that
       represent RA_LOCAL, specified using an iana-address-file formatted
       file.  (See ralabel.conf)

       RA_LOCAL="/usr/local/argus/local.addrs"


       When locality information is available, programs like ra(), and as
       the assignment of source when there is ambiguity in the flow record
       as to who is the actual initiator or receiver of the flow.

       When locality information is available, programs like ra() and
       ratop() can use that information to make display decisions, such

       RA_LOCAL_DIRECTION provides the logic for using the locality
       information to assign flow direction.  You can force the local
       address to be either the source (src) or the destination (dst).

       The syntax is:
           RA_LOCAL_DIRECTION="local:src"
           RA_LOCAL_DIRECTION="local:dst"

       RA_LOCAL_DIRECTION="suggest:src"
       RA_LOCAL_DIRECTION="force:src"


       Copyright (c) 2000-2016 QoSient. All rights reserved.

SEE ALSO

       ra(1)

rarc 3.0.8                     07 November 2000                        RARC(5)