# Copyright (c) 2000-2007 QoSient, LLC
#
# This program is free software; you can redistribute it and/or modify
# it under the terms of the GNU General Public License as published by
# the Free Software Foundation; either version 2, or (at your option)
#
# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with this program; if not, write to the Free Software
# Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA.
# Racluster Aggregation Policy Configuration
#
# This configuration is a racluster(1) flow model configuration file.
#
# The concept is to bind a traditional ra* filter with an
# aggregation model. Records are tested against the filter
# specifications in "fall down" order; when a record matches, that
# rule's aggregation model is used to merge records together. The model
# supports hold and idle timers in order to control the holding
# and merging strategies. If reading from a file, the times are
# determined from timestamps in the input stream. The system
# works best if the input stream is somewhat sorted in time.
#
# Here is a valid and simple configuration file. It doesn't do
# anything in particular, but it is one that is used at some sites.
#RACLUSTER_MODEL_NAME=Test Configuration
#RACLUSTER_PRESERVE_FIELDS=yes
#RACLUSTER_REPORT_AGGREGATION=no
#RACLUSTER_AUTO_CORRECTION=yes

filter="arp" model="proto saddr"
filter="tcp or udp" model="saddr daddr proto dport" status=120 idle=3600 cont
filter="host 1.2.3.4" model="saddr daddr proto" status=0 idle=3600
filter="dst port http" model="saddr daddr proto dport" status=0 idle=3600
filter="" model="saddr daddr proto" status=0 idle=3600
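As an added example (not part of argus or racluster itself), the following Python parses the rule lines above and walks them in "fall down" order for a sample flow record, producing the merge key each matching model would use. It assumes a minimal filter evaluator covering only the filter forms in this file (not ra's full filter grammar), a small service-name map (`http` = 80), and that `cont` means evaluation continues to later rules after a match.

```python
import shlex

# Constructed copy of the rule lines above, so the example runs offline.
RACLUSTER_CONF = """\
filter="arp" model="proto saddr"
filter="tcp or udp" model="saddr daddr proto dport" status=120 idle=3600 cont
filter="host 1.2.3.4" model="saddr daddr proto" status=0 idle=3600
filter="dst port http" model="saddr daddr proto dport" status=0 idle=3600
filter="" model="saddr daddr proto" status=0 idle=3600
"""
PORT_NAMES = {"http": 80}  # assumed: the only service name this file uses


def parse_conf(text):
    """Parse filter/model/status/idle/cont rules into dicts, keeping file order."""
    rules = []
    for line in text.splitlines():
        if not line.strip() or line.lstrip().startswith("#"):
            continue  # blank lines and comments are skipped
        toks = shlex.split(line)  # shlex removes the quotes around values
        rule = {"cont": "cont" in toks, "status": None, "idle": None}
        for key, _, val in (t.partition("=") for t in toks if "=" in t):
            rule[key] = val.split() if key == "model" else int(val) if val.isdigit() else val
        rules.append(rule)
    return rules


def matches(flt, rec):
    """Assumed minimal evaluator for the filter forms in this file, not ra's full grammar."""
    if flt == "":
        return True  # an empty filter matches every record
    if " or " in flt:
        return any(matches(p, rec) for p in flt.split(" or "))
    words = flt.split()
    if len(words) == 1:  # bare protocol name: arp, tcp, udp
        return rec["proto"] == words[0]
    if words[0] == "host":
        return words[1] in (rec["saddr"], rec["daddr"])
    if words[:2] == ["dst", "port"]:
        return rec["dport"] == PORT_NAMES.get(words[2], words[2])
    raise ValueError("unsupported filter: " + flt)


def aggregation_keys(rules, rec):
    """Test rules top to bottom; each match yields a merge key; stop unless the rule says cont."""
    keys = []
    for rule in rules:
        if matches(rule["filter"], rec):
            keys.append(tuple((f, rec[f]) for f in rule["model"]))
            if not rule["cont"]:
                break
    return keys
```

A TCP record to host 1.2.3.4 on port 80 is keyed first by the `tcp or udp` rule (which continues) and then by the `host 1.2.3.4` rule, which stops further matching.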