[packages/argus.git] / argus.conf

# 
# Argus Software
# Copyright (c) 2000-2007 QoSient, LLC
# All rights reserved.
# 
# Example  argus.conf
#
# Argus will open this argus.conf if its installed as /etc/argus.conf.
# It will also search for this file as argus.conf in directories
# specified in $ARGUSPATH, or $ARGUSHOME, $ARGUSHOME/lib,
# or $HOME, $HOME/lib, and parse it to set common configuration
# options.  All values in this file can be overriden by command
# line options, or other files of this format that can be read in
# using the -F option.
#
#
# Variable Syntax
# 
# Variable assignments must be of the form:
#
#   VARIABLE=
#
# with no white space between the VARIABLE and the '=' sign.
# Quotes are optional for string arguements, but if you want
# to embed comments, then quotes are required.
#
#
# Variable Explanations
#
# The Argus can be configured to support a large number of
# flow types.  The Argus can provide either type, i.e.
# uni-directional or bi-directional flow tracking and
# the flow can be further defined by specifying the key.
# The argus supports a set of well known key strategies,
# such as 'CLASSIC_5_TUPLE', 'LAYER_3_MATRIX', 'LAYER_2_MATRIX',
# 'MPLS', and/or 'VLAN', or the argus can be configured to
# formulate key strategies from a list of the specific
# objects that the Argus understands.  See the man page for
# a complete description.
#
# The default is the classic 5-tuple IP flow, CLASSIC_5_TUPLE.
#

ARGUS_FLOW_TYPE="Bidirectional"
ARGUS_FLOW_KEY="CLASSIC_5_TUPLE"


# Argus is capable of running as a daemon, doing all the right things
# that daemons do.  When this configuration is used for the system
# daemon process, say for /etc/argus.conf, this variable should be
# set to "yes".
#
# The default value is to not run as a daemon.
#
# This example is to support the ./support/Startup/argus script
# which requires that this variable be set to "yes".
#
# Commandline equivalent   -d
#

ARGUS_DAEMON=yes


# Argus Monitor Data is uniquely identifiable based on the source
# identifier that is included in each output record.  This is to
# allow you to work with Argus Data from multiple monitors at the
# same time.  The ID is 32 bits long, and so legitimate values are
# 0 - 4294967296 but argus also supports IP addresses as values.
# The configuration allows for you to use host names, however, do
# have some understanding how `hostname` will be resolved by the
# nameserver before commiting to this strategy completely.
#
# Commandline equivalent   -e
#
                                          
ARGUS_MONITOR_ID=`hostname`
                                          

# Argus monitors can provide a real-time remote access port
# for collecting Argus data.  This is a TCP based port service and
# the default port number is tcp/561, the "experimental monitor"
# service.  This feature is disabled by default, and can be forced
# off by setting it to zero (0).
#
# When you do want to enable this service, 561 is a good choice,
# as all ra* clients are configured to try this port by default.
#
# Commandline equivalent   -P
#

ARGUS_ACCESS_PORT=561


# When remote access is enabled (see above), you can specify that Argus
# should bind only to a specific IP address. This is useful, for example,
# in restricting access to the local host, or binding to a private
# interface while capturing from another. The default is to bind to any
# IP address.
#
# Commandline equivalent  -B
#

#ARGUS_BIND_IP="127.0.0.1"


# By default, Argus will open the first appropriate interface on a
# system that it encounters.  For systems that have only one network
# interface, this is a reasonable thing to do.  But, when there are
# more than one suitable interface, you should specify which
# interface(s) Argus should read data from.
#
# Argus can read packets from multiple interfaces at the same time,
# although this is limited to 2 interfaces at this time.  Specify
# this in this file with multiple ARGUS_INTERFACE directives.
#
# Commandline equivalent   -i
#

#ARGUS_INTERFACE=


# By default, Argus will put its interface in promiscuous mode
# in order to monitor all the traffic that can be collected.
# This can put an undo load on systems. 
 
# If the intent is to monitor only the network activity of
# the specific system, say to measure the performance of
# an HTTP service or DNS service, you'll want to turn 
# promiscuous mode off.
#
# The default value is go into prmiscuous mode.
#
# Commandline equivalent   -p
#
 
#ARGUS_GO_PROMISCUOUS=yes


# By default, Argus will provide its own reliable output collection
# functions, which include writing out to multiple files, supporting
# multiple concurrent remote clients, independent output filtering and
# strong authentication and encryption. The support for each of these
# functions increases the CPU requirements of argus, and as such, in
# high load environments, may not be desireable.
# 
# When argus's collection functions are disabled, the only way to access
# data is through a socket, and as a result the ARGUS_ACCESS_PORT
# and ARGUS_BIND_ADDRESS mechanisms may need to be used.
#
# Commandline equivalent   -c
#
 
#ARGUS_COLLECTOR=yes


# Argus supports chroot(2) in order to control the file system that
# argus exists in and can access.  Generally used when argus is running
# with privileges, this limits the negative impacts that argus could
# inflict on its host machine. 
#
# This option will cause the output file names to be relative to this
# directory, and so consider this when trying to find your output files.
#
# Commandline equivalent   -C
#

#ARGUS_CHROOT_DIR=/chroot_dir


# Argus can be directed to change its user id using the setuid() system
# call.  This is can used when argus is started as root, in order to
# access privileged resources, but then after the resources are opened,
# this directive will cause argus to change its user id value to
# a 'lesser' capable account.  Recommended when argus is running as
# daemon.
#
# Commandline equivalent   -u
#

#ARGUS_SETUSER_ID=user


# Argus can be directed to change its group id using the setgid() system
# call.  This is can used when argus is started as root, in order to
# access privileged resources, but then after the resources are opened,
# this directive can be used to change argu's group id value to
# a 'lesser' capable account.  Recommended when argus is running as
# daemon.
#
# Commandline equivalent   -g
#

#ARGUS_SETGROUP_ID=group
 

# Argus can write its output to one or a number of files.
# The default limit is 5 concurrent files, each with their
# own independant filters.
#
# The format is:
#      ARGUS_OUTPUT_FILE=/full/path/file/name
#      ARGUS_OUTPUT_FILE="/full/path/file/name filter"
#
# Most sites will have argus write to a file, for reliablity.
# The example file name is used here as supporting programs,
# such as ./support/Archive/argusarchive are configured to use
# this file (with any chroot'd directory prepended).
#
# Commandline equivalent   -w
#

#ARGUS_OUTPUT_FILE=/var/log/argus/argus.out


# When Argus is configured to run as a daemon, with the -d
# option, Argus can store its pid in a file, to aid in
# managing the running daemon.  However, creating a system
# pid file requires priviledges that may not be appropriate
# for all cases.
#
# When configured to generate a pid file, if Argus cannot
# create the pid file, it will fail to run.  This variable
# is available to override the default, in case this gets
# in your way.
#
# The default value is to generate a pid.  The default
# path for the pid file, is '/var/run'.
#
# No Commandline equivalent   
#

ARGUS_SET_PID=yes
ARGUS_PID_PATH="/var/run"


# Argus will periodically report on a flow's activity every
# ARGUS_FLOW_STATUS_INTERVAL seconds, as long as there is
# new activity on the flow.  This is so that you can get a
# multiple status reports into the activity of a flow.  The
# default is 5 seconds, but this number may be too low or
# too high depending on your uses.  Argus does suppport
# a minimum value of 0.000001 seconds.  Values under 1 sec
# are very useful for doing measurements in a controlled
# experimental environment where the number of flows is small.
# 
# Because the status interval affects the memory utilization
# of the monitor, find the minimum acceptable value is 
# recommended.
#
# Commandline equivalent   -S
#

ARGUS_FLOW_STATUS_INTERVAL=5


# Argus will periodically report on a its own health, providing
# interface status, total packet and bytes counts, packet drop
# rates, and flow oriented statistics.
#
# These records can be used as "keep alives" for periods when
# there is no network traffic to be monitored.
#
# The default value is 300 seconds, but a value of 60 seconds is
# very common.
#
# Commandline equivalent   -M
#

ARGUS_MAR_STATUS_INTERVAL=60


# If compiled to support this option, Argus is capable of
# generating a lot of debug information.
#
# The default value is zero (0).
#
# Commandline equivalent   -D
#

ARGUS_DEBUG_LEVEL=0


# Argus can be configured to report on flows in a manner than
# provides the best information for calculating application
# reponse times and network round trip times.
#
# The default value is to not generate this data.
#
# Commandline equivalent   -R
#
 
ARGUS_GENERATE_RESPONSE_TIME_DATA=no


# Argus can be configured to generate packet jitter information
# on a per flow basis.  The default value is to not generate
# this data.
#
# Commandline equivalent   -J
#
 
ARGUS_GENERATE_JITTER_DATA=no 


# Argus can be configured to provide MAC addresses in
# it audit data. The default value is to not generate
# this data.
#
# Commandline equivalent   -m
#
 
ARGUS_GENERATE_MAC_DATA=yes


# Argus can be configured to generate metrics that include
# the application byte counts as well as the packet count
# and byte counters.
#
# No commandline equivalent
#

ARGUS_GENERATE_APPBYTE_METRIC=no


# Argus by default, generates extended metrics for TCP
# that include the connection setup time, window sizes,
# base sequence numbers, and retransmission counters.
# You can suppress this detailed information using this
# variable.
# 
# No commandline equivalent
# 

#ARGUS_GENERATE_TCP_PERF_METRIC=yes


# Argus can be configured to capture a number of user data
# bytes from the packet stream.
#
# The default value is to not generate this data.
#
# Commandline equivalent   -U
#
 
ARGUS_CAPTURE_DATA_LEN=32


# Argus uses the packet filter capabilities of libpcap.  If
# there is a need to not use the libpcap filter optimizer,
# you can turn it off here.  The default is to leave it on.
#
# Commandline equivalent   -O
#

ARGUS_FILTER_OPTIMIZER=yes


# You can provide a filter expression here, if you like.
# It should be limited to 2K in length.  The default is to
# not filter.
#
# No Commandline equivalent
#

ARGUS_FILTER=""


# Argus allows you to capture packets in tcpdump() format
# if the source of the packets is a tcpdump() formatted
# file or live packet source.
#
# Specify the path to the packet capture file here.
#

#ARGUS_PACKET_CAPTURE_FILE="/var/log/argus/packet.out"


# Argus supports the use of SASL to provide strong 
# authentication and confidentiality protection.
#
# The policy that argus uses is controlled through
# the use of a minimum and maximum allowable protection
# strength.  Set these variable to control this policy.
#

#ARGUS_MIN_SSF=40
#ARGUS_MAX_SSF=128
Commit	Line	Data
f48b1c7c	1	#
	2	# Argus Software
	3	# Copyright (c) 2000-2007 QoSient, LLC
	4	# All rights reserved.
	5	#
	6	# Example argus.conf
	7	#
	8	# Argus will open this argus.conf if its installed as /etc/argus.conf.
	9	# It will also search for this file as argus.conf in directories
	10	# specified in $ARGUSPATH, or $ARGUSHOME, $ARGUSHOME/lib,
	11	# or $HOME, $HOME/lib, and parse it to set common configuration
	12	# options. All values in this file can be overriden by command
	13	# line options, or other files of this format that can be read in
	14	# using the -F option.
	15	#
	16	#
	17	# Variable Syntax
	18	#
	19	# Variable assignments must be of the form:
	20	#
	21	# VARIABLE=
	22	#
	23	# with no white space between the VARIABLE and the '=' sign.
	24	# Quotes are optional for string arguements, but if you want
	25	# to embed comments, then quotes are required.
	26	#
	27	#
	28	# Variable Explanations
	29	#
	30	# The Argus can be configured to support a large number of
	31	# flow types. The Argus can provide either type, i.e.
	32	# uni-directional or bi-directional flow tracking and
	33	# the flow can be further defined by specifying the key.
	34	# The argus supports a set of well known key strategies,
	35	# such as 'CLASSIC_5_TUPLE', 'LAYER_3_MATRIX', 'LAYER_2_MATRIX',
	36	# 'MPLS', and/or 'VLAN', or the argus can be configured to
	37	# formulate key strategies from a list of the specific
	38	# objects that the Argus understands. See the man page for
	39	# a complete description.
	40	#
	41	# The default is the classic 5-tuple IP flow, CLASSIC_5_TUPLE.
	42	#
	43
	44	ARGUS_FLOW_TYPE="Bidirectional"
	45	ARGUS_FLOW_KEY="CLASSIC_5_TUPLE"
	46
	47
	48	# Argus is capable of running as a daemon, doing all the right things
	49	# that daemons do. When this configuration is used for the system
	50	# daemon process, say for /etc/argus.conf, this variable should be
	51	# set to "yes".
	52	#
	53	# The default value is to not run as a daemon.
	54	#
	55	# This example is to support the ./support/Startup/argus script
	56	# which requires that this variable be set to "yes".
	57	#
	58	# Commandline equivalent -d
	59	#
	60
	61	ARGUS_DAEMON=yes
	62
	63
	64	# Argus Monitor Data is uniquely identifiable based on the source
65	# identifier that is included in each output record. This is to
66	# allow you to work with Argus Data from multiple monitors at the
67	# same time. The ID is 32 bits long, and so legitimate values are
68	# 0 - 4294967296 but argus also supports IP addresses as values.
69	# The configuration allows for you to use host names, however, do
70	# have some understanding how `hostname` will be resolved by the
71	# nameserver before commiting to this strategy completely.
72	#
73	# Commandline equivalent -e
74	#
75
76	ARGUS_MONITOR_ID=`hostname`
77
78
79	# Argus monitors can provide a real-time remote access port
80	# for collecting Argus data. This is a TCP based port service and
81	# the default port number is tcp/561, the "experimental monitor"
82	# service. This feature is disabled by default, and can be forced
83	# off by setting it to zero (0).
84	#
85	# When you do want to enable this service, 561 is a good choice,
86	# as all ra* clients are configured to try this port by default.
87	#
88	# Commandline equivalent -P
89	#
90
91	ARGUS_ACCESS_PORT=561
92
93
94	# When remote access is enabled (see above), you can specify that Argus
95	# should bind only to a specific IP address. This is useful, for example,
96	# in restricting access to the local host, or binding to a private
97	# interface while capturing from another. The default is to bind to any
98	# IP address.
99	#
100	# Commandline equivalent -B
101	#
102
103	#ARGUS_BIND_IP="127.0.0.1"
104
105
106	# By default, Argus will open the first appropriate interface on a
107	# system that it encounters. For systems that have only one network
108	# interface, this is a reasonable thing to do. But, when there are
109	# more than one suitable interface, you should specify which
110	# interface(s) Argus should read data from.
111	#
112	# Argus can read packets from multiple interfaces at the same time,
113	# although this is limited to 2 interfaces at this time. Specify
114	# this in this file with multiple ARGUS_INTERFACE directives.
115	#
116	# Commandline equivalent -i
117	#
118
119	#ARGUS_INTERFACE=
120
121
122	# By default, Argus will put its interface in promiscuous mode
123	# in order to monitor all the traffic that can be collected.
124	# This can put an undo load on systems.
125
126	# If the intent is to monitor only the network activity of
127	# the specific system, say to measure the performance of
128	# an HTTP service or DNS service, you'll want to turn
129	# promiscuous mode off.
130	#
131	# The default value is go into prmiscuous mode.
132	#
133	# Commandline equivalent -p
134	#
135
136	#ARGUS_GO_PROMISCUOUS=yes
137
138
139	# By default, Argus will provide its own reliable output collection
140	# functions, which include writing out to multiple files, supporting
141	# multiple concurrent remote clients, independent output filtering and
142	# strong authentication and encryption. The support for each of these
143	# functions increases the CPU requirements of argus, and as such, in
144	# high load environments, may not be desireable.
145	#
146	# When argus's collection functions are disabled, the only way to access
147	# data is through a socket, and as a result the ARGUS_ACCESS_PORT
148	# and ARGUS_BIND_ADDRESS mechanisms may need to be used.
149	#
150	# Commandline equivalent -c
151	#
152
153	#ARGUS_COLLECTOR=yes
154
155
156	# Argus supports chroot(2) in order to control the file system that
157	# argus exists in and can access. Generally used when argus is running
158	# with privileges, this limits the negative impacts that argus could
159	# inflict on its host machine.
160	#
161	# This option will cause the output file names to be relative to this
162	# directory, and so consider this when trying to find your output files.
163	#
164	# Commandline equivalent -C
165	#
166
167	#ARGUS_CHROOT_DIR=/chroot_dir
168
169
170	# Argus can be directed to change its user id using the setuid() system
171	# call. This is can used when argus is started as root, in order to
172	# access privileged resources, but then after the resources are opened,
173	# this directive will cause argus to change its user id value to
174	# a 'lesser' capable account. Recommended when argus is running as
175	# daemon.
176	#
177	# Commandline equivalent -u
178	#
179
180	#ARGUS_SETUSER_ID=user
181
182
183	# Argus can be directed to change its group id using the setgid() system
184	# call. This is can used when argus is started as root, in order to
185	# access privileged resources, but then after the resources are opened,
186	# this directive can be used to change argu's group id value to
187	# a 'lesser' capable account. Recommended when argus is running as
188	# daemon.
189	#
190	# Commandline equivalent -g
191	#
192
193	#ARGUS_SETGROUP_ID=group
194
195
196	# Argus can write its output to one or a number of files.
197	# The default limit is 5 concurrent files, each with their
198	# own independant filters.
199	#
200	# The format is:
201	# ARGUS_OUTPUT_FILE=/full/path/file/name
202	# ARGUS_OUTPUT_FILE="/full/path/file/name filter"
203	#
204	# Most sites will have argus write to a file, for reliablity.
205	# The example file name is used here as supporting programs,
206	# such as ./support/Archive/argusarchive are configured to use
207	# this file (with any chroot'd directory prepended).
208	#
209	# Commandline equivalent -w
210	#
211
212	#ARGUS_OUTPUT_FILE=/var/log/argus/argus.out
213
214
215	# When Argus is configured to run as a daemon, with the -d
216	# option, Argus can store its pid in a file, to aid in
217	# managing the running daemon. However, creating a system
218	# pid file requires priviledges that may not be appropriate
219	# for all cases.
220	#
221	# When configured to generate a pid file, if Argus cannot
222	# create the pid file, it will fail to run. This variable
223	# is available to override the default, in case this gets
224	# in your way.
225	#
226	# The default value is to generate a pid. The default
227	# path for the pid file, is '/var/run'.
228	#
229	# No Commandline equivalent
230	#
231
232	ARGUS_SET_PID=yes
233	ARGUS_PID_PATH="/var/run"
234
235
236	# Argus will periodically report on a flow's activity every
237	# ARGUS_FLOW_STATUS_INTERVAL seconds, as long as there is
238	# new activity on the flow. This is so that you can get a
239	# multiple status reports into the activity of a flow. The
240	# default is 5 seconds, but this number may be too low or
241	# too high depending on your uses. Argus does suppport
242	# a minimum value of 0.000001 seconds. Values under 1 sec
243	# are very useful for doing measurements in a controlled
244	# experimental environment where the number of flows is small.
245	#
246	# Because the status interval affects the memory utilization
247	# of the monitor, find the minimum acceptable value is
248	# recommended.
249	#
250	# Commandline equivalent -S
251	#
252
253	ARGUS_FLOW_STATUS_INTERVAL=5
254
255
256	# Argus will periodically report on a its own health, providing
257	# interface status, total packet and bytes counts, packet drop
258	# rates, and flow oriented statistics.
259	#
260	# These records can be used as "keep alives" for periods when
261	# there is no network traffic to be monitored.
262	#
263	# The default value is 300 seconds, but a value of 60 seconds is
264	# very common.
265	#
266	# Commandline equivalent -M
267	#
268
269	ARGUS_MAR_STATUS_INTERVAL=60
270
271
272	# If compiled to support this option, Argus is capable of
273	# generating a lot of debug information.
274	#
275	# The default value is zero (0).
276	#
277	# Commandline equivalent -D
278	#
279
280	ARGUS_DEBUG_LEVEL=0
281
282
283	# Argus can be configured to report on flows in a manner than
284	# provides the best information for calculating application
285	# reponse times and network round trip times.
286	#
287	# The default value is to not generate this data.
288	#
289	# Commandline equivalent -R
290	#
291
292	ARGUS_GENERATE_RESPONSE_TIME_DATA=no
293
294
295	# Argus can be configured to generate packet jitter information
296	# on a per flow basis. The default value is to not generate
297	# this data.
298	#
299	# Commandline equivalent -J
300	#
301
302	ARGUS_GENERATE_JITTER_DATA=no
303
304
305	# Argus can be configured to provide MAC addresses in
306	# it audit data. The default value is to not generate
307	# this data.
308	#
309	# Commandline equivalent -m
310	#
311
312	ARGUS_GENERATE_MAC_DATA=yes
313
314
315	# Argus can be configured to generate metrics that include
316	# the application byte counts as well as the packet count
317	# and byte counters.
318	#
319	# No commandline equivalent
320	#
321
322	ARGUS_GENERATE_APPBYTE_METRIC=no
323
324
325	# Argus by default, generates extended metrics for TCP
326	# that include the connection setup time, window sizes,
327	# base sequence numbers, and retransmission counters.
328	# You can suppress this detailed information using this
329	# variable.
330	#
331	# No commandline equivalent
332	#
333
334	#ARGUS_GENERATE_TCP_PERF_METRIC=yes
335
336
337	# Argus can be configured to capture a number of user data
338	# bytes from the packet stream.
339	#
340	# The default value is to not generate this data.
341	#
342	# Commandline equivalent -U
343	#
344
345	ARGUS_CAPTURE_DATA_LEN=32
346
347
348	# Argus uses the packet filter capabilities of libpcap. If
349	# there is a need to not use the libpcap filter optimizer,
350	# you can turn it off here. The default is to leave it on.
351	#
352	# Commandline equivalent -O
353	#
354
355	ARGUS_FILTER_OPTIMIZER=yes
356
357
358	# You can provide a filter expression here, if you like.
359	# It should be limited to 2K in length. The default is to
360	# not filter.
361	#
362	# No Commandline equivalent
363	#
364
365	ARGUS_FILTER=""
366
367
368	# Argus allows you to capture packets in tcpdump() format
369	# if the source of the packets is a tcpdump() formatted
370	# file or live packet source.
371	#
372	# Specify the path to the packet capture file here.
373	#
374
375	#ARGUS_PACKET_CAPTURE_FILE="/var/log/argus/packet.out"
376
377
378	# Argus supports the use of SASL to provide strong
379	# authentication and confidentiality protection.
380	#
381	# The policy that argus uses is controlled through
382	# the use of a minimum and maximum allowable protection
383	# strength. Set these variable to control this policy.
384	#
385
386	#ARGUS_MIN_SSF=40
387	#ARGUS_MAX_SSF=128
388