RARC(5)                        File Formats Manual                       RARC(5)

NAME
rarc - ra client resource file.

SYNOPSIS
rarc

DESCRIPTION
Ra* clients will open this file if it is in the user's $HOME directory, or
in the $ARGUSHOME directory, and parse it to set common configuration
options. All of these values will be overridden by options set on the
command line, or in the file specified using the '-F conffile' option.
Because this file can carry credentials (see RA_AUTH_PASS and RA_DB_PASS
below), keep it readable only by its owner.

Values can be quoted to make string denotation easier, however, the
parser does not require that string values be quoted. To support this,
the parser will remove " (double quote) characters from input strings,
so do not use this character in strings themselves.

Values specified as "" will be treated as a NULL string, and the parser
will ignore the variable setting.
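
The quoting, NULL-string and precedence rules above, as an added example in Python (this is not code from the argus-clients distribution). It assumes that a line whose first non-blank character is '#' is a comment, since the page only says a setting may be "commented out", and that an unquoted empty value is treated like "". The sample ~/.rarc contents are constructed.

```python
# Added example (not code from argus-clients): a parser that applies the
# rarc(5) rules stated above, plus the precedence rarc < '-F conffile' <
# command line. Assumption: a line whose first non-blank character is '#'
# is a comment (the page only says a setting may be "commented out").
import os
import stat
from typing import Dict, Optional

# Constructed sample of what a ~/.rarc might contain.
RARC_SAMPLE = """# constructed sample ~/.rarc
RA_ARGUS_SERVER=localhost:561
RA_FIELD_DELIMITER=","
RA_FILTER=""
RA_TIME_FORMAT="%T.%f"
RA_PRINT_NAMES=port
"""


def parse_rarc(text: str) -> Dict[str, str]:
    """Return the settings of one rarc-format file as a dict.

    Double quotes are stripped, not interpreted, exactly as the page warns;
    a value of "" (or, by assumption, nothing at all) is a NULL string and
    the setting is skipped, so it cannot clobber a lower-precedence value
    with an empty one.
    """
    settings: Dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, value = (part.strip() for part in line.split("=", 1))
        value = value.replace('"', "")   # quotes are removed, never parsed
        if value == "":
            continue                     # NULL string: setting is ignored
        settings[key] = value
    return settings


def effective_config(rarc_text: str = "",
                     conffile_text: Optional[str] = None,
                     command_line: Optional[Dict[str, str]] = None) -> Dict[str, str]:
    """Merge the three layers in rising order of precedence."""
    cfg = parse_rarc(rarc_text)
    if conffile_text is not None:
        cfg.update(parse_rarc(conffile_text))   # -F conffile overrides rarc
    if command_line:
        cfg.update(command_line)                # command line overrides both
    return cfg


def is_private_mode(mode: int) -> bool:
    """True when group and other have no access bits at all."""
    return (mode & (stat.S_IRWXG | stat.S_IRWXO)) == 0


def is_private_file(path: str) -> bool:
    """What a rarc holding RA_AUTH_PASS or RA_DB_PASS should look like."""
    return is_private_mode(os.stat(path).st_mode)


if __name__ == "__main__":
    cfg = effective_config(RARC_SAMPLE,
                           'RA_ARGUS_SERVER="sensor.example.net:561"',
                           {"RA_PRINT_NAMES": "none"})
    for key in sorted(cfg):
        print(f"{key}={cfg[key]}")
```

The NULL-string rule matters for layering: a conffile line `RA_FILTER=""` does not wipe out a filter set in ~/.rarc, it simply says nothing, which is why the parser skips it rather than storing an empty string.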
24
25
27 All ra* clients can attach to a remote server, and collect argus data
28 in real time. This variable can be a name or a dot notation IP
29 address. Optionally you can specify a port number using a ':' and then
30 providing the port number desired.
31
32 RA_ARGUS_SERVER=localhost:561
33
34
36 You can change the default source port value that will be used on
37 remote TCP and UDP connections, using this variable. When you specify
38 the remote server using the -S option, when you don't specify a port
39 number, this is the port number it will use.
40
41 The default port number is 561.
42
43 RA_SOURCE_PORT=561
44
45
46
48 Any ra* program can generate a pid file, which can be used to control
49 the number of instances that the system can support.
50
51 Creating a system pid file may require priviledges that may not be
52 inappropriate for all cases. By specifying RA_PID_PATH, you can create
53 personal pid files that will enforce your own policy for your own use
54 of the ra* programs.
55
56 When configured to generate a pid file for a ra* program, if a file
57 called ra*.pid (where ra* is the name of the program in question)
58 exists in the RA_PID_PATH directory, and a program exists with a pid
59 that matches the one contained in the file, then the program will not
60 start. If the pid does not exist, then the ra* program replaces the
61 value in the file, with its own pid. If a pid file does not exist,
62 then the ra* program will create it in the RA_PID_PATH directory, if it
63 can. The end result is that the system will support only one instanace
64 of the program, based on name, running at a time.
65
66 The default value is to not generate a pid. The default path for the
67 pid file, is /var/run.
68
69 No Commandline equivalent
70
71 RA_SET_PID="no"
72 RA_PID_PATH="/var/run"
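
The three cases described above (file present with a live pid, file present with a dead pid, no file), as an added Python example; this is not the ra* programs' own C code. It assumes the file is named <program>.pid inside RA_PID_PATH and that "a program exists with that pid" is decided by kill(pid, 0). The scratch directory and the pids 4242/4343 in the scenario function are constructed.

```python
# Added example (Python, not the ra* C implementation) of the single-instance
# pid-file check described in rarc(5). Assumes <program>.pid in RA_PID_PATH
# and that "a program exists with that pid" means kill(pid, 0) succeeds, or
# fails with EPERM because the process belongs to another user.
import os
import tempfile
from typing import Callable, Dict, Optional


def pid_is_alive(pid: int) -> bool:
    """Probe for a live process without delivering a signal."""
    if pid <= 0:
        return False
    try:
        os.kill(pid, 0)
    except ProcessLookupError:
        return False
    except PermissionError:
        return True               # exists, owned by someone else
    return True


def read_pidfile(program: str, pid_path: str) -> int:
    """Return the pid recorded for program, or 0 if absent or unparsable."""
    try:
        with open(os.path.join(pid_path, f"{program}.pid"), encoding="ascii") as fh:
            return int(fh.read().strip() or "0")
    except (FileNotFoundError, ValueError):
        return 0                  # no file, or garbage: treat as stale


def acquire_pidfile(program: str, pid_path: str,
                    alive: Callable[[int], bool] = pid_is_alive,
                    my_pid: Optional[int] = None) -> bool:
    """Return True if this instance may start; the file then holds my_pid.

    The check is advisory, not a security control: pids get recycled, so a
    stale file can name an unrelated live process, and anyone who can write
    RA_PID_PATH can plant a live pid to keep the program from starting.
    """
    my_pid = os.getpid() if my_pid is None else my_pid
    path = os.path.join(pid_path, f"{program}.pid")
    old_pid = read_pidfile(program, pid_path)
    if old_pid and alive(old_pid):
        return False              # another instance appears to be running
    # Stale or absent: write a private temp file and rename it over the old
    # one, so a crash mid-write never leaves a truncated pid file behind.
    tmp = f"{path}.{my_pid}.tmp"
    fd = os.open(tmp, os.O_WRONLY | os.O_CREAT | os.O_EXCL, 0o644)
    with os.fdopen(fd, "w", encoding="ascii") as fh:
        fh.write(f"{my_pid}\n")
    os.replace(tmp, path)
    return True


def single_instance_scenario(pid_path: Optional[str] = None) -> Dict[str, object]:
    """Walk the rules with an injected liveness oracle in a scratch dir."""
    if pid_path is None:
        with tempfile.TemporaryDirectory() as scratch:
            return single_instance_scenario(scratch)
    live = {4242}                                   # constructed live pid set
    alive = lambda p: p in live
    out: Dict[str, object] = {}
    out["create"] = acquire_pidfile("ra", pid_path, alive, my_pid=4242)   # no file
    out["refuse"] = acquire_pidfile("ra", pid_path, alive, my_pid=4343)   # 4242 alive
    live.clear()                                    # 4242 has exited
    out["replace"] = acquire_pidfile("ra", pid_path, alive, my_pid=4343)  # stale file
    out["recorded"] = read_pidfile("ra", pid_path)
    return out


if __name__ == "__main__":
    print(single_instance_scenario())   # {'create': True, 'refuse': False, 'replace': True, 'recorded': 4343}
```

Putting RA_PID_PATH in a directory only you can write, as the page suggests, is what makes the "refuse" branch trustworthy; in a shared directory the file's contents are someone else's claim.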



RA_OUTPUT_FILE
All ra* clients can support writing output as Argus Records into a file
or stdout. Stdout is specified as '-'.

RA_OUTPUT_FILE="filename"


RA_TIMERANGE
All ra* clients can support input filtering on a time range. The format
is:
timeSpecification[-timeSpecification]

where the format of a timeSpecification can be:
[[[yy/]mm/]dd.]hh[:mm[:ss]]
[yy/]mm/dd

RA_TIMERANGE="55/12/04.00:00:01-55/12/04.23:59:59"
RA_TIMERANGE="12/04-12/05"
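
A parser for the timeSpecification grammar above, as an added Python example (not argus-clients code). The page does not say how the real clients fill fields that were left out, so resolve() applies a labelled assumption: missing date fields come from a reference time, missing time fields are zero, and two-digit years follow the POSIX strftime %y rule (69-99 are 19xx, 00-68 are 20xx).

```python
# Added example (not argus-clients code): parser for the RA_TIMERANGE grammar
#   timeSpecification[-timeSpecification]
#   timeSpecification := [[[yy/]mm/]dd.]hh[:mm[:ss]]  |  [yy/]mm/dd
# A TimeSpec field is None when the input omitted it. resolve() uses an
# ASSUMED fill rule (see lead-in); the page does not state the real one.
import re
from datetime import datetime
from typing import NamedTuple, Optional, Tuple


class TimeSpec(NamedTuple):
    year: Optional[int]
    month: Optional[int]
    day: Optional[int]
    hour: Optional[int]
    minute: Optional[int]
    second: Optional[int]


_TIME_FORM = re.compile(      # [[[yy/]mm/]dd.]hh[:mm[:ss]]
    r"^(?:(?:(?:(\d{1,4})/)?(\d{1,2})/)?(\d{1,2})\.)?(\d{1,2})(?::(\d{1,2})(?::(\d{1,2}))?)?$")
_DATE_FORM = re.compile(r"^(?:(\d{1,4})/)?(\d{1,2})/(\d{1,2})$")   # [yy/]mm/dd
_LIMITS = ((0, 9999), (1, 12), (1, 31), (0, 23), (0, 59), (0, 59))


def parse_timespec(text: str) -> TimeSpec:
    m = _TIME_FORM.match(text)
    if m:
        fields = [int(g) if g is not None else None for g in m.groups()]
    else:
        m = _DATE_FORM.match(text)
        if not m:
            raise ValueError(f"bad timeSpecification: {text!r}")
        yy, mm, dd = m.groups()
        fields = [int(yy) if yy is not None else None, int(mm), int(dd), None, None, None]
    for value, (lo, hi) in zip(fields, _LIMITS):
        if value is not None and not lo <= value <= hi:
            raise ValueError(f"field out of range in {text!r}: {value}")
    return TimeSpec(*fields)


def parse_timerange(text: str) -> Tuple[TimeSpec, Optional[TimeSpec]]:
    """Split on the first '-': a '-' never appears inside a specification."""
    first, sep, rest = text.partition("-")
    return parse_timespec(first), (parse_timespec(rest) if sep else None)


def resolve(spec: TimeSpec, now: datetime) -> datetime:
    """ASSUMED fill rule: date parts from now, time parts zero, POSIX %y years."""
    year = spec.year if spec.year is not None else now.year
    if year < 100:
        year += 1900 if year >= 69 else 2000
    return datetime(year,
                    spec.month if spec.month is not None else now.month,
                    spec.day if spec.day is not None else now.day,
                    spec.hour or 0, spec.minute or 0, spec.second or 0)


def resolve_range(text: str, now_iso: str) -> Tuple[str, Optional[str]]:
    """Convenience wrapper: RA_TIMERANGE string plus reference time -> ISO pair."""
    now = datetime.fromisoformat(now_iso)
    start, end = parse_timerange(text)
    return resolve(start, now).isoformat(), (resolve(end, now).isoformat() if end else None)


if __name__ == "__main__":
    print(parse_timerange("55/12/04.00:00:01-55/12/04.23:59:59"))
    print(resolve_range("12/04-12/05", "2016-06-15T10:00:00"))
```

Note that "12/04" is only a month/day (second form); a bare hour needs no date at all ("14:30"), and a day with an hour needs the '.' ("04.14"). Whether "55" is 1955 or 2055 is exactly the kind of thing the assumed rule decides, so check it against your own data before relying on it.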


RA_RUN_TIME
All ra* clients can support running for a number of seconds, while
attached to a remote source of argus data. This is a type of polling.
The default is zero (0), which means run indefinitely.

RA_RUN_TIME=0


RA_PRINT_MAN_RECORDS
Specify if ra* clients should print management records by default.
This does not affect management record processing, nor downstream
management record propagation.

Commandline equivalents: -M [no]man

RA_PRINT_MAN_RECORDS=no
RA_PRINT_EVENT_RECORDS=no


RA_PRINT_LABELS
Most ra* clients are designed to print argus records out in ASCII, with
each client supporting its own output formats. For ra() like clients,
this variable will generate column headers as labels. The number is
the number of lines between repeated header labeling. Setting this
value to zero (0) will cause the labels to be printed once. If you
don't want labels, comment this line out, delete it or set the value
to -1.

RA_PRINT_LABELS=0


RA_FIELD_DELIMITER
Most ra* clients are designed to print argus records out in ASCII, with
each client supporting its own output formats. For ra() like clients,
this variable can override the default field delimiter, which is a
variable span of spaces (' '), to be any character. The most common are
expected to be '\t' for tabs, and ',' for comma separated fields.

RA_FIELD_DELIMITER=','


RA_PRINT_NAMES
For ra(1) like clients, this variable will control the translation of
various numbers to names, such as address hostnames, port service names
and/or protocol names. There can be a huge performance impact with
name lookup, so the default is to not resolve hostnames.

RA_PRINT_NAMES=port

Other valid options are none to print no names, proto to translate the
protocol names, port to translate port names, and all to translate all
the fields. An invalid option will default to port, silently.


RA_CIDR_ADDRESS_FORMAT
Use this variable to specify whether ra() clients, when printing
numeric IP addresses, will print them as CIDR addresses, or not. CIDR
notation is constructed from the IP address and the prefix size, the
latter being the number of leading 1 bits of the routing prefix. The IP
address is expressed according to the standards of IPv4 or IPv6. It is
followed by a separator character, the forward slash (/) character, and
the prefix size expressed as a decimal number.

Argus IPv4 data contains the CIDR mask length when it is less than 32,
and ra* programs will by default provide the "/masklen" suffix when
the mask is less than 32.

This may be confusing for some data processors, which would rather see
the "/masklen" suffix either never or always. Use this option to change
the default printing strategy.

Acceptable values for this variable are:
"no" - do not provide the CIDR mask length (legacy mode)
[default]
"yes" - print CIDR mask length when less than 32
"strict" - always print CIDR mask length

RA_CIDR_ADDRESS_FORMAT="no"


RA_ASN_PRINT_FORMAT
All ra() clients can print and process AS Numbers that have been added
to the records through metadata labeling, or were a part of the
original Netflow to argus conversion process.

RFC 5396 specifies 3 formats for representing AS Numbers, and all 3 are
acceptable formats. These formats are:
"asplain" - 2 and 4-byte ASNs are printed as decimal integers.
"asdot+" - 2 and 4-byte ASNs are printed using a dot notation.
"asdot" - 2 byte ASNs are printed as decimal, and 4-byte ASNs
are printed using a dotted notation.

The default is 'asplain'.

No Commandline equivalent

RA_ASN_PRINT_FORMAT="asplain"
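
The two output policies described above, RA_CIDR_ADDRESS_FORMAT and RA_ASN_PRINT_FORMAT, as one added Python example (not argus-clients code). It assumes that for IPv6 the full prefix length that suppresses the suffix under "yes" is 128, by analogy with the 32 the page states for IPv4; the ASN rules follow RFC 5396 directly. parse_asn() is added so a downstream consumer can read any of the three notations back, which is where the asdot ambiguity bites: "65" is AS65 in asdot but "0.65" in asdot+.

```python
# Added example (not argus-clients code): the RA_CIDR_ADDRESS_FORMAT and
# RA_ASN_PRINT_FORMAT output policies, plus the inverse ASN parser.
# Assumption: IPv6 "full length" is 128 (the page only states 32 for IPv4).
import ipaddress
from typing import Optional


def format_cidr(addr: str, masklen: Optional[int], mode: str) -> str:
    """Render addr per RA_CIDR_ADDRESS_FORMAT; masklen None means full length."""
    ip = ipaddress.ip_address(addr)
    full = ip.max_prefixlen                 # 32 for IPv4, 128 for IPv6 (assumed)
    if masklen is None:
        masklen = full
    if not 0 <= masklen <= full:
        raise ValueError(f"bad mask length {masklen} for {addr}")
    if mode == "no":                         # legacy: never a suffix
        return str(ip)
    if mode == "yes":                        # suffix only when shorter than full
        return f"{ip}/{masklen}" if masklen < full else str(ip)
    if mode == "strict":                     # always a suffix
        return f"{ip}/{masklen}"
    raise ValueError(f"unknown RA_CIDR_ADDRESS_FORMAT {mode!r}")


def format_asn(asn: int, fmt: str = "asplain") -> str:
    """Render a 2- or 4-byte AS number in one of the RFC 5396 notations."""
    if not 0 <= asn <= 0xFFFFFFFF:
        raise ValueError(f"ASN out of 32-bit range: {asn}")
    high, low = asn >> 16, asn & 0xFFFF
    if fmt == "asplain":
        return str(asn)
    if fmt == "asdot+":
        return f"{high}.{low}"               # always dotted: AS65 -> "0.65"
    if fmt == "asdot":
        return str(asn) if asn < 0x10000 else f"{high}.{low}"
    raise ValueError(f"unknown RA_ASN_PRINT_FORMAT {fmt!r}")


def parse_asn(text: str) -> int:
    """Accept asplain, asdot or asdot+ text and return the integer ASN."""
    if "." in text:
        high_s, low_s = text.split(".", 1)
        high, low = int(high_s), int(low_s)
        if not (0 <= high <= 0xFFFF and 0 <= low <= 0xFFFF):
            raise ValueError(f"bad dotted ASN {text!r}")
        return (high << 16) | low
    asn = int(text)
    if not 0 <= asn <= 0xFFFFFFFF:
        raise ValueError(f"ASN out of range {text!r}")
    return asn


if __name__ == "__main__":
    for mode in ("no", "yes", "strict"):
        print(mode, format_cidr("10.0.0.0", 24, mode), format_cidr("10.0.0.1", None, mode))
    for fmt in ("asplain", "asdot", "asdot+"):
        print(fmt, format_asn(65, fmt), format_asn(65536, fmt), format_asn(4294967295, fmt))
```

If records are consumed by another tool, pick "strict" and "asplain": both are unambiguous to parse, whereas "yes" makes a host address and a /32 indistinguishable and "asdot" needs a reader that knows whether a dot is present.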


RA_PRINT_RESPONSE_DATA
For ra() like clients, this variable will include the response data
that is provided by Argus. This is protocol and state specific.

RA_PRINT_RESPONSE_DATA=no


RA_PRINT_UNIX_TIME
For ra() like clients, this variable will force the timestamp to be in
Unix time format, which is an integer representing the number of
elapsed seconds since the epoch.

RA_PRINT_UNIX_TIME=no


RA_TIME_FORMAT
For ra() like clients, the format that is used to print timestamps is
based on the strftime() library call, with an extension to print
fractions of a second using "%f". The default is "%T.%f". You can
override this default time format by setting this variable. This
string must conform to the format specified in strftime(). Malformed
strings can generate unexpected output, so be careful with this one,
and don't forget the '.' when doing fractions of a second.

RA_TIME_FORMAT="%T.%f"


RA_TZ
The timezone used for timestamps is specified by the tzset() library
routines, and is normally specified by factors such as the TZ
environment variable found on most machines. You can override the TZ
environment variable by specifying a time zone using this variable.
The format of this string must conform to the format specified by
tzset(3).

RA_TZ="EST5EDT4,M3.2.0/02,M11.1.0/02"
RA_TZ="PST8PDT"


RA_USEC_PRECISION
For ra() like clients, this variable is used to override the time
format of the timestamp. This variable specifies the number of decimal
places that will be printed as the fractional part of the time. Argus
collects usec precision, and so a maximum value of 6 is supported. To
not print the fractional part, specify the value zero (0).

RA_USEC_PRECISION=6


RA_USERDATA_ENCODE
Argus can capture user data, and the argus clients can print, merge,
filter, and strip user data from argus records. When printing out the
user data contents, using tools such as ra(1), the type of encoding used
to print the buffers can be specified here. This is available because
many user data buffers are not printable text, and other
representations may be more appropriate.

Supported values are "Ascii", "Obfuscate", "Hex", "Encode32" or
"Encode64". The default is "Ascii".

Obfuscate is an extension to the Ascii print, that attempts to
overwrite plain text passwords, encountered in the user data, with
'x's. It only affects what is printed; the captured record still
contains the password.

Commandline equivalent: -M printer=<printer>

RA_USERDATA_ENCODE=Ascii
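
The five printers above, applied to captured user data, as an added Python example (not argus-clients code). Two things are assumed because the page does not state them: "Ascii" replaces each non-printable byte with '.', and "Obfuscate" recognises FTP/POP-style "PASS <secret>", HTTP Basic credentials and "password=" form fields; the real clients' pattern list may differ. The user-data buffers are constructed.

```python
# Added example (not argus-clients code): the RA_USERDATA_ENCODE printers.
# Assumptions: "Ascii" maps non-printable bytes to '.'; "Obfuscate" knows the
# three credential shapes below (the page does not list the real patterns).
import base64
import re

# Constructed user-data buffers, as a sensor might capture them.
FTP_LOGIN = b"USER alice\r\nPASS hunter2\r\n"
HTTP_GET = b"GET /login HTTP/1.1\r\nAuthorization: Basic YWxpY2U6aHVudGVyMg==\r\n\r\n"
TLS_HELLO = b"\x16\x03\x01\x00\xa5\x01\x00\x00\xa1\x03\x03"

_PASSWORD_PATTERNS = [
    re.compile(r"(?im)^(PASS[ \t]+)(\S+)"),                       # FTP, POP3
    re.compile(r"(?i)(Authorization:[ \t]*Basic[ \t]+)([A-Za-z0-9+/=]+)"),
    re.compile(r"(?i)(password=)([^&\s]+)"),                      # forms, query strings
]


def _printable(text: str) -> str:
    """Assumed Ascii rule: keep 0x20..0x7e, print everything else as '.'."""
    return "".join(ch if " " <= ch <= "~" else "." for ch in text)


def obfuscate(text: str) -> str:
    """Overwrite the secret part of each recognised credential with 'x's,
    keeping its length so column alignment of the printed record survives."""
    for pat in _PASSWORD_PATTERNS:
        text = pat.sub(lambda m: m.group(1) + "x" * len(m.group(2)), text)
    return text


def encode_userdata(buf: bytes, mode: str = "Ascii") -> str:
    """Render buf the way RA_USERDATA_ENCODE=<mode> would print it."""
    mode = mode.lower()
    if mode == "ascii":
        return _printable(buf.decode("latin-1"))
    if mode == "obfuscate":
        # Redact before replacing control characters, so "\r\n" still ends
        # the secret token instead of being swallowed into it as '.'.
        return _printable(obfuscate(buf.decode("latin-1")))
    if mode == "hex":
        return buf.hex()
    if mode == "encode32":
        return base64.b32encode(buf).decode("ascii")
    if mode == "encode64":
        return base64.b64encode(buf).decode("ascii")
    raise ValueError(f"unknown RA_USERDATA_ENCODE {mode!r}")


if __name__ == "__main__":
    for name, buf in (("ftp", FTP_LOGIN), ("http", HTTP_GET), ("tls", TLS_HELLO)):
        for mode in ("Ascii", "Obfuscate", "Hex", "Encode64"):
            print(f"{name:4} {mode:9} {encode_userdata(buf, mode)}")
```

Obfuscate is a display courtesy, not data sanitisation: Hex, Encode32 and Encode64 output the same buffer verbatim, and the record on disk still holds the credential. If user data must not leave the sensor, strip it from the records rather than relying on the printer.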


RA_FILTER
You can provide a filter expression here, if you like. It should be
limited to 2K in length. The default is to not filter. See ra(1) for
the format of the filter expression.

RA_FILTER=""


RA_FILTER_TIMEOUT
The filter is compiled in a separate process, and all ra* programs need
to wait a reasonable time for the filter compiler to finish, or time
out and return an error, in the case of a fatal error in compiling.
Many systems are very busy, and could benefit from a prolonged wait
period; however, if the timer is too long, this timeout value could
generate a significant startup wait for programs that have poor filter
specifications.

The current default is 1.5 seconds, but you can set this to any amount
of time.

No Commandline equivalent

RA_FILTER_TIMEOUT=1.5


RA_USER_AUTH
When argus is compiled with SASL support, ra* clients may be required
to authenticate to the argus server before argus will accept the
connection. This variable will allow one to set the user and
authorization id's, if needed. Although not the best practice, you can
provide a password through the RA_AUTH_PASS variable. If you do this,
you should protect the contents of this file, since the password is
stored in plain text. The format for this variable is:

RA_USER_AUTH="user_id/authorization_id"
RA_AUTH_PASS="password"


The clients can specify a part of the negotiation of the security
policy that argus uses. This is controlled through the use of minimum
and maximum allowable protection strength values (the SASL security
strength factor, SSF). Set these variables to control this policy. A
minimum of 0 accepts a session with no integrity or confidentiality
protection; raise RA_MIN_SSF if you require the SASL layer to protect
the data stream.

RA_MIN_SSF=0
RA_MAX_SSF=128


RA_DEBUG_LEVEL
If compiled to support this option, ra* clients are capable of
generating a lot of debug information, useful or otherwise. The
default value is zero (0).

RA_DEBUG_LEVEL=0


RA_CONNECT_TIME
Some ra style clients use a non-blocking method to connect to remote
data sources, so the user may need to control how long to wait if a
remote source doesn't respond. This variable sets the number of
seconds to wait. This number should be set to a reasonable value (5 <
value < 60). The default value is 10 seconds.

RA_CONNECT_TIME=10


RA_SORT_ALGORITHMS
Many ra* programs sort records as a part of their function. Programs
like rasort(1) provide explicit command-line options to specify the
sort algorithms and their order.

Use this configuration directive to specify the default sorting
algorithm table for your ra* programs. The default sort algorithm is
record start time "stime".

RA_SORT_ALGORITHMS="stime "


RA_TIMEOUT_INTERVAL
Some ra* clients have a timeout based function. Ratop, as an example,
times out flows and removes them from the screen at a fixed interval.
This interval can be set using the RA_TIMEOUT_INTERVAL variable, which
is a float in seconds. 60.0 seconds is the default.

RA_TIMEOUT_INTERVAL=60.0


RA_UPDATE_INTERVAL
Some ra* clients have an interval based function. Ratop, as an
example, can refresh the screen at a fixed interval. This interval can
be set using the RA_UPDATE_INTERVAL variable, which is a float in
seconds. 0.5 seconds is the default.

RA_UPDATE_INTERVAL=0.5


RA_PRINT_ETHERNET_VENDORS
All ra* clients have the ability to print vendor names for the vendor
part of ethernet addresses that are in flow records. ra* programs get
their strings for the ethernet vendors using Wireshark 'manuf' files.
One is provided with the distribution, and installed into
/usr/local/argus.

No Commandline equivalent

RA_PRINT_ETHERNET_VENDORS="no"
RA_ETHERNET_VENDORS="/usr/local/argus/wireshark.manuf.txt"


RA_DELEGATED_IP
All ra* clients have the ability to print country codes for the IP
addresses that are in a flow record. Country codes are generated from
the ARIN delegated address space files. Specify the location of your
DELEGATED_IP file here.

No Commandline equivalent

RA_DELEGATED_IP="/usr/local/argus/delegated-ipv4-latest"


RA_RELIABLE_CONNECT
All ra* clients can reliably connect to remote data sources. This
causes the ra* program to try to reconnect to lost remote sources every
5 seconds, indefinitely. The ra* program then does not terminate, but
retries connection attempts when they fail.

This feature is implemented using threads, and so threads support must
be compiled in.

No Commandline equivalent

RA_RELIABLE_CONNECT=no


RA_DATABASE
Many ra* clients can connect to and use a MySQL database, either
reading or writing. This may require references to remote database
hosts, databases, tables, and mysql account names and passwords.

Default values for these variables can be set here. MySQL support must
be compiled in. As with RA_AUTH_PASS, a password placed in RA_DB_PASS
is stored in plain text, so protect this file. Note also that a
password given on the command line with -u, or inside a mysql:// URL,
is visible to other users of the machine in the process listing.

Commandline equivalents:
-r mysql://[username[:password]@]hostname[:port]/database/tablename
-w mysql://[username[:password]@]hostname[:port]/database/tablename
-u username:password

RA_DATABASE="argus"
RA_DB_TABLE="table"
RA_DB_USER="carter"
RA_DB_PASS="whatever"


MYSQL_DB_ENGINE
Those ra* clients that can create database tables may need to specify a
table type or rather, a database engine other than the default, MyISAM.

Commandline equivalents:
-M mysql_engine=tableType
Current tableTypes are
MyISAM
InnoDB
Merge
Memory
Archive
NDB
Federated
CSV

MYSQL_DB_ENGINE="MyISAM"


RA_COLOR_SUPPORT
For ra* programs that use curses, these variables define color schemes
and color assignments.

Argus uses a sixteen color palette, with 8 monotone and 8 accent
colors, plus 16 shades of gray. Currently these color values are hard
coded. New versions should allow you to provide color definitions for
all internal values using a 256 Xterm color wheel, to assign foreground
and background colors. But we're not there yet.

RA_COLOR_SUPPORT="yes"
RA_COLOR_CONFIG="/usr/carter/.racolor.conf"


RA_PORT_DIRECTION
Many ra* clients process flow records based on source and destination
properties. TCP and UDP port values can be used to assign direction,
and are best used for well-known ports (< 1024), values that are in the
/etc/services definitions, and the registered ports (1024 through
49151).

The syntax is:
RA_PORT_DIRECTION="services"
RA_PORT_DIRECTION="services,wellknown"
RA_PORT_DIRECTION="services,wellknown,registered"

We recommend the wellknown and services options, as they are a bit more
discriminating. If there are ports that you know are services that are
in the registered port range, we suggest that you add them to your
/etc/services file rather than include the registered port range, only
because the registered range is so large. However, this option is
applied only to flows in which the direction is ambiguous, and as such,
corrections based on this logic should have minimal effect on
analytics.

RA_PORT_DIRECTION="services,wellknown"


RA_LOCAL
Sites use locality for a number of features, such as access control,
and this support is intended to support visualization and analytics.

Currently, you can identify a collection of IP addresses that represent
RA_LOCAL, specified using an iana-address-file formatted file.
(See ralabel.conf)

RA_LOCAL="/usr/local/argus/local.addrs"


RA_LOCAL_DIRECTION
When locality information is available, programs like ra() and ratop()
can use that information to make display decisions, and to assign the
source when there is ambiguity in the flow record as to who is the
actual initiator or receiver of the flow.

RA_LOCAL_DIRECTION provides the logic for using the locality
information to assign flow direction. You can force the local address
to be either the source (src) or the destination (dst).

The syntax is:
RA_LOCAL_DIRECTION="local:src"
RA_LOCAL_DIRECTION="local:dst"

RA_LOCAL_DIRECTION="suggest:src"
RA_LOCAL_DIRECTION="force:src"


COPYRIGHT
Copyright (c) 2000-2016 QoSient. All rights reserved.

SEE ALSO
ra(1)


rarc 3.0.8                      07 November 2000                       RARC(5)