[packages/argus-clients.git] / argus-clients-racluster.conf

# 
#  Argus Software
#  Copyright (c) 2000-2007 QoSient, LLC
#  All rights reserved.
# 
#  This program is free software; you can redistribute it and/or modify
#  it under the terms of the GNU General Public License as published by
#  the Free Software Foundation; either version 2, or (at your option)
#  any later version.
#
#  This program is distributed in the hope that it will be useful,
#  but WITHOUT ANY WARRANTY; without even the implied warranty of
#  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
#  GNU General Public License for more details.
#
#  You should have received a copy of the GNU General Public License
#  along with this program; if not, write to the Free Software
#  Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA.
#
# Racluster Aggregation Policy Configuration
#
# Carter Bullard
# QoSient, LLC
#
#   This configuration is a racluster(1) flow model configuration file.
#
#   The concept is to bind a traditional ra* filter with an
#   aggregation model.  Records are tested against the filter
#   specifications in "fall down" order, when they match, the
#   aggregation model is used to merge records together.  The model
#   supports hold and idle timers in order to control the holding
#   merging strategies.  If reading from a file, the times are
#   determined from timestamps in the input stream.  The system
#   works best if the input stream is somewhat sorted in time.
#
#   Here is a valid and simple configuration file.   It doesn't do
#   anything in particular, but it is one that is used at some sites.
#

#RACLUSTER_MODEL_NAME=Test Configuration
#RACLUSTER_PRESERVE_FIELDS=yes
#RACLUSTER_REPORT_AGGREGATION=no
#RACLUSTER_AUTO_CORRECTION=yes

filter="icmp"
filter="arp"           model="proto saddr"
filter="tcp or udp"    model="saddr daddr proto dport"  status=120 idle=3600  cont
filter="host 1.2.3.4"  model="saddr daddr proto"        status=0   idle=3600  
filter="dst port http" model="saddr daddr proto dport"  status=0   idle=3600  
filter=""              model="saddr daddr proto"        status=0   idle=3600
Commit	Line	Data
d31e0d15	1	#
	2	# Argus Software
	3	# Copyright (c) 2000-2007 QoSient, LLC
	4	# All rights reserved.
	5	#
	6	# This program is free software; you can redistribute it and/or modify
	7	# it under the terms of the GNU General Public License as published by
	8	# the Free Software Foundation; either version 2, or (at your option)
	9	# any later version.
	10	#
	11	# This program is distributed in the hope that it will be useful,
	12	# but WITHOUT ANY WARRANTY; without even the implied warranty of
	13	# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
	14	# GNU General Public License for more details.
	15	#
	16	# You should have received a copy of the GNU General Public License
	17	# along with this program; if not, write to the Free Software
	18	# Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA.
	19	#
	20	# Racluster Aggregation Policy Configuration
	21	#
	22	# Carter Bullard
	23	# QoSient, LLC
	24	#
	25	# This configuration is a racluster(1) flow model configuration file.
	26	#
	27	# The concept is to bind a traditional ra* filter with an
	28	# aggregation model. Records are tested against the filter
	29	# specifications in "fall down" order, when they match, the
	30	# aggregation model is used to merge records together. The model
	31	# supports hold and idle timers in order to control the holding
	32	# merging strategies. If reading from a file, the times are
	33	# determined from timestamps in the input stream. The system
	34	# works best if the input stream is somewhat sorted in time.
	35	#
	36	# Here is a valid and simple configuration file. It doesn't do
	37	# anything in particular, but it is one that is used at some sites.
	38	#
	39
	40	#RACLUSTER_MODEL_NAME=Test Configuration
	41	#RACLUSTER_PRESERVE_FIELDS=yes
	42	#RACLUSTER_REPORT_AGGREGATION=no
	43	#RACLUSTER_AUTO_CORRECTION=yes
	44
	45	filter="icmp"
	46	filter="arp" model="proto saddr"
	47	filter="tcp or udp" model="saddr daddr proto dport" status=120 idle=3600 cont
	48	filter="host 1.2.3.4" model="saddr daddr proto" status=0 idle=3600
	49	filter="dst port http" model="saddr daddr proto dport" status=0 idle=3600
	50	filter="" model="saddr daddr proto" status=0 idle=3600