NAME
argus.conf - argus resource file.
SYNOPSIS
argus.conf
COPYRIGHT
Copyright (c) 2000-2004 QoSient. All rights reserved.
DESCRIPTION
Argus will open this argus.conf if it is installed as /etc/argus.conf. It will
also search for this file as argus.conf in directories specified in
$ARGUSPATH, or $ARGUSHOME, $ARGUSHOME/lib, or $HOME, $HOME/lib, and parse it
to set common configuration options. All values in this file can be overridden
by command line options, or by other files of this format that can be read in
using the -F option.
Variable Syntax
Variable assignments must be of the form:
VARIABLE=
with no white space between the VARIABLE and the '=' sign. Quotes are optional
for string arguments, but if you want to embed comments after a value, then
quotes are required.
ARGUS_DAEMON
Argus is capable of running as a daemon, doing all the right things that daemons
do. When this configuration is used for the system daemon process, say for
/etc/argus.conf, this variable should be set to "yes".
The default value is to not run as a daemon.
This example supports the ./support/Startup/argus script, which requires
that this variable be set to "yes".
Commandline equivalent -d
ARGUS_DAEMON=yes
ARGUS_MONITOR_ID
Argus Monitor Data is uniquely identifiable based on the source identifier that
is included in each output record. This is to allow you to work with Argus
Data from multiple monitors at the same time. The ID is 32 bits long, and so
legitimate values are 0 - 4294967296, but argus also supports IP addresses as
values. The configuration allows you to use host names; however, make sure you
understand how `hostname` will be resolved by the nameserver before
committing to this strategy completely.
Commandline equivalent -e
ARGUS_MONITOR_ID=`hostname`
ARGUS_ACCESS_PORT
Argus monitors can provide a real-time remote access port for collecting Argus
data. This is a TCP based port service and the default port number is tcp/561,
the "experimental monitor" service. This feature is disabled by
default, and can be forced off by setting it to zero (0).
When you do want to enable this service, 561 is a good choice, as all ra*
clients are configured to try this port by default.
Commandline equivalent -P
ARGUS_ACCESS_PORT=561
ARGUS_BIND_IP
When remote access is enabled (see above), you can specify that Argus should
bind only to a specific IP address. This is useful, for example, in
restricting access to the local host, or binding to a private interface while
capturing from another. The default is to bind to any IP address.
Commandline equivalent -B
ARGUS_BIND_IP="127.0.0.1"
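As an added example (not part of the argus distribution or this man page), the following Python parses the Variable Syntax described above (no white space before '=', quotes optional, a trailing comment only after a quoted value) and then audits the result for the remote-access exposure this section describes: ARGUS_ACCESS_PORT enabled without ARGUS_BIND_IP, which leaves the collector listening on every address. The sample configuration embedded in it is constructed for the example, and the "tcp or udp" filter and "not port 561" values are made up.

```python
import re
ASSIGN = re.compile(r'^([A-Z_][A-Z0-9_]*)=(.*)$')   # no white space allowed before '='

# Constructed sample argus.conf (not from the man page): remote access on, bound to any address.
SAMPLE_CONF = """\
# system daemon config
ARGUS_DAEMON=yes
ARGUS_MONITOR_ID=`hostname`
ARGUS_ACCESS_PORT=561
ARGUS_INTERFACE=le0
ARGUS_OUTPUT_FILE=/var/log/argus/argus.out "tcp or udp"
ARGUS_FLOW_STATUS_INTERVAL=60
ARGUS_FILTER="not port 561"   # a trailing comment needs the quoted form
"""

def parse_argus_conf(text):
    """Parse VARIABLE=value lines into name -> list of values (some directives may repeat)."""
    conf = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith('#'):
            continue
        m = ASSIGN.match(line)
        if not m:
            raise ValueError(f"bad assignment (white space before '='?): {raw!r}")
        name, rest = m.group(1), m.group(2).strip()
        if rest.startswith('"'):
            end = rest.find('"', 1)
            if end < 0:
                raise ValueError(f"unterminated quote: {raw!r}")
            value = rest[1:end]   # anything after the closing quote is a comment
        else:
            value = rest          # unquoted: the whole remainder is the value
        conf.setdefault(name, []).append(value)
    return conf

def audit(conf):
    """Defender-side checks drawn from the limits this man page states."""
    findings = []
    port = int(conf.get('ARGUS_ACCESS_PORT', ['0'])[0])
    if port != 0 and 'ARGUS_BIND_IP' not in conf:
        findings.append(f"remote access on tcp/{port} binds to every address; set ARGUS_BIND_IP")
    if len(conf.get('ARGUS_INTERFACE', [])) > 2:
        findings.append("more than 2 ARGUS_INTERFACE directives; argus reads at most 2")
    if int(conf.get('ARGUS_FLOW_STATUS_INTERVAL', ['60'])[0]) < 1:
        findings.append("ARGUS_FLOW_STATUS_INTERVAL below the minimum of 1")
    if len(conf.get('ARGUS_FILTER', [''])[0]) > 2048:
        findings.append("ARGUS_FILTER exceeds the 2K limit")
    return findings
```

Appending ARGUS_BIND_IP="127.0.0.1" to the sample clears the only finding, which is the configuration this section recommends for restricting the access port to the local host.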
ARGUS_INTERFACE
By default, Argus will open the first appropriate interface on a system that it
encounters. For systems that have only one network interface, this is a
reasonable thing to do. But, when there is more than one suitable interface,
you should specify which interface(s) Argus should read data from.
Argus can read packets from multiple interfaces at the same time, although this
is limited to 2 interfaces at this time. Specify this in this file with
multiple ARGUS_INTERFACE directives.
Commandline equivalent -i
ARGUS_INTERFACE=le0
ARGUS_OUTPUT_FILE
Argus can write its output to one or a number of files; the default limit is 5
concurrent files, each with its own independent filter.
The format is:
ARGUS_OUTPUT_FILE=/full/path/file/name
ARGUS_OUTPUT_FILE=/full/path/file/name "filter"
Most sites will have argus write to a file, for reliability and performance. The
example file name is used here because supporting programs, such as
./support/Archive/argusarchive, are configured to use this file.
Commandline equivalent -w
ARGUS_OUTPUT_FILE=/var/log/argus/argus.out
ARGUS_MAX_INSTANCES
There can be any number of Argus Monitors running on a single system. While this
is a blessing for some, it does cause some confusion in traditional system
administration tasks, such as pid file creation and failure recovery methods.
If you plan on having more than one argus daemon running on your system,
say, monitoring different interfaces, then set this variable to the number of
daemons you expect to support.
Commandline equivalent -I
ARGUS_MAX_INSTANCES=1
ARGUS_SET_PID
When Argus is configured to run as a daemon, with the -d option, Argus can store
its pid in a file, to aid in managing the running daemon. Creating a system
pid file requires privileges that may not be appropriate for all cases. To
assist in managing pid file creation and support, argus
When configured to generate a pid file, if Argus cannot create the pid file, it
will fail to run. This variable is available to override the default, in case
this gets in your way.
The default value is to generate a pid file in /var/run if it exists, and if not, in
$ARGUSHOME.
Commandline equivalent -c
ARGUS_SET_PID=yes
ARGUS_PID_FILENAME
Argus has a mechanism for generating pid filenames, but in some circumstances,
being able to specify the pid filename is required due to permission
restrictions or just out of convenience. If this file exists, argus will read
the pid that the file contains, and test whether that process is running. If not,
the old pid is replaced, and argus continues to run.
When this variable is set, argus assumes "-I 1" and "-c".
Commandline equivalent -n <pid file>
ARGUS_PID_FILENAME=/var/run/argus.pid
ARGUS_GO_PROMISCUOUS
By default, Argus will put its interface in promiscuous mode in order to monitor
all the traffic that can be collected. This can put an undue load on systems.
If the intent is to monitor only the network activity of the specific system,
say to measure the performance of an HTTP service or DNS service, you'll want
to turn promiscuous mode off.
The default value is to go into promiscuous mode.
Commandline equivalent -p
ARGUS_GO_PROMISCUOUS=yes
ARGUS_FLOW_STATUS_INTERVAL
Argus will periodically report on a flow's activity every
ARGUS_FLOW_STATUS_INTERVAL seconds, as long as there is new activity on the
flow. This is so that you can get a view into the activity of very long lived
flows. The default is 60 seconds, but this number may be too low or too high
depending on your uses.
Argus supports a minimum value of 1 second.
This is very useful for doing measurements in a controlled experimental
environment where the number of flows is < 1000.
Commandline equivalent -S
ARGUS_FLOW_STATUS_INTERVAL=60
ARGUS_MAR_STATUS_INTERVAL
Argus will periodically report on its own health, providing interface status,
total packet and byte counts, packet drop rates, and flow oriented
statistics.
These records can be used as "keep alives" for periods when there is
no network traffic to be monitored.
The default value is 300 seconds, but a value of 60 seconds is very common.
Commandline equivalent -M
ARGUS_MAR_STATUS_INTERVAL=300
ARGUS_DEBUG_LEVEL
If compiled to support this option, Argus is capable of generating a lot of
debug information.
The default value is zero (0).
Commandline equivalent -D
ARGUS_DEBUG_LEVEL=0
ARGUS_GENERATE_RESPONSE_TIME_DATA
Argus can be configured to report on flows in a manner that provides the best
information for calculating application response times and network round trip
times.
The default value is to not generate this data.
Commandline equivalent -R
ARGUS_GENERATE_RESPONSE_TIME_DATA=no
ARGUS_GENERATE_JITTER_DATA
Argus can be configured to generate packet jitter information on a per flow
basis. The default value is to not generate this data.
Commandline equivalent -J
ARGUS_GENERATE_JITTER_DATA=no
ARGUS_GENERATE_MAC_DATA
Argus can be configured to not provide MAC addresses in its audit data. This is
available if MAC address tracking and audit is not a requirement.
The default value is to not generate this data.
Commandline equivalent -m
ARGUS_GENERATE_MAC_DATA=no
ARGUS_CAPTURE_DATA_LEN
Argus can be configured to capture a number of user data bytes from the packet
stream.
The default value is to not generate this data.
Commandline equivalent -U
ARGUS_CAPTURE_DATA_LEN=0
ARGUS_FILTER_OPTIMIZER
Argus uses the packet filter capabilities of libpcap. If there is a need to not
use the libpcap filter optimizer, you can turn it off here. The default is to
leave it on.
Commandline equivalent -O
ARGUS_FILTER_OPTIMIZER=yes
ARGUS_FILTER
You can provide a filter expression here, if you like. It should be limited to
2K in length. The default is to not filter.
No Commandline equivalent
ARGUS_FILTER=""
SEE ALSO
argus(8)