# # Argus Software # Copyright (c) 2000-2007 QoSient, LLC # All rights reserved. # # Example argus.conf # # Argus will open this argus.conf if its installed as /etc/argus.conf. # It will also search for this file as argus.conf in directories # specified in $ARGUSPATH, or $ARGUSHOME, $ARGUSHOME/lib, # or $HOME, $HOME/lib, and parse it to set common configuration # options. All values in this file can be overriden by command # line options, or other files of this format that can be read in # using the -F option. # # # Variable Syntax # # Variable assignments must be of the form: # # VARIABLE= # # with no white space between the VARIABLE and the '=' sign. # Quotes are optional for string arguements, but if you want # to embed comments, then quotes are required. # # # Variable Explanations # # The Argus can be configured to support a large number of # flow types. The Argus can provide either type, i.e. # uni-directional or bi-directional flow tracking and # the flow can be further defined by specifying the key. # The argus supports a set of well known key strategies, # such as 'CLASSIC_5_TUPLE', 'LAYER_3_MATRIX', 'LAYER_2_MATRIX', # 'MPLS', and/or 'VLAN', or the argus can be configured to # formulate key strategies from a list of the specific # objects that the Argus understands. See the man page for # a complete description. # # The default is the classic 5-tuple IP flow, CLASSIC_5_TUPLE. # ARGUS_FLOW_TYPE="Bidirectional" ARGUS_FLOW_KEY="CLASSIC_5_TUPLE" # Argus is capable of running as a daemon, doing all the right things # that daemons do. When this configuration is used for the system # daemon process, say for /etc/argus.conf, this variable should be # set to "yes". # # The default value is to not run as a daemon. # # This example is to support the ./support/Startup/argus script # which requires that this variable be set to "yes". # # Commandline equivalent -d # ARGUS_DAEMON=yes # Argus Monitor Data is uniquely identifiable based on the source # identifier that is included in each output record. This is to # allow you to work with Argus Data from multiple monitors at the # same time. The ID is 32 bits long, and so legitimate values are # 0 - 4294967296 but argus also supports IP addresses as values. # The configuration allows for you to use host names, however, do # have some understanding how `hostname` will be resolved by the # nameserver before commiting to this strategy completely. # # Commandline equivalent -e # ARGUS_MONITOR_ID=`hostname` # Argus monitors can provide a real-time remote access port # for collecting Argus data. This is a TCP based port service and # the default port number is tcp/561, the "experimental monitor" # service. This feature is disabled by default, and can be forced # off by setting it to zero (0). # # When you do want to enable this service, 561 is a good choice, # as all ra* clients are configured to try this port by default. # # Commandline equivalent -P # ARGUS_ACCESS_PORT=561 # When remote access is enabled (see above), you can specify that Argus # should bind only to a specific IP address. This is useful, for example, # in restricting access to the local host, or binding to a private # interface while capturing from another. The default is to bind to any # IP address. # # Commandline equivalent -B # #ARGUS_BIND_IP="127.0.0.1" # By default, Argus will open the first appropriate interface on a # system that it encounters. For systems that have only one network # interface, this is a reasonable thing to do. But, when there are # more than one suitable interface, you should specify which # interface(s) Argus should read data from. # # Argus can read packets from multiple interfaces at the same time, # although this is limited to 2 interfaces at this time. Specify # this in this file with multiple ARGUS_INTERFACE directives. # # Commandline equivalent -i # #ARGUS_INTERFACE= # By default, Argus will put its interface in promiscuous mode # in order to monitor all the traffic that can be collected. # This can put an undo load on systems. # If the intent is to monitor only the network activity of # the specific system, say to measure the performance of # an HTTP service or DNS service, you'll want to turn # promiscuous mode off. # # The default value is go into prmiscuous mode. # # Commandline equivalent -p # #ARGUS_GO_PROMISCUOUS=yes # By default, Argus will provide its own reliable output collection # functions, which include writing out to multiple files, supporting # multiple concurrent remote clients, independent output filtering and # strong authentication and encryption. The support for each of these # functions increases the CPU requirements of argus, and as such, in # high load environments, may not be desireable. # # When argus's collection functions are disabled, the only way to access # data is through a socket, and as a result the ARGUS_ACCESS_PORT # and ARGUS_BIND_ADDRESS mechanisms may need to be used. # # Commandline equivalent -c # #ARGUS_COLLECTOR=yes # Argus supports chroot(2) in order to control the file system that # argus exists in and can access. Generally used when argus is running # with privileges, this limits the negative impacts that argus could # inflict on its host machine. # # This option will cause the output file names to be relative to this # directory, and so consider this when trying to find your output files. # # Commandline equivalent -C # #ARGUS_CHROOT_DIR=/chroot_dir # Argus can be directed to change its user id using the setuid() system # call. This is can used when argus is started as root, in order to # access privileged resources, but then after the resources are opened, # this directive will cause argus to change its user id value to # a 'lesser' capable account. Recommended when argus is running as # daemon. # # Commandline equivalent -u # #ARGUS_SETUSER_ID=user # Argus can be directed to change its group id using the setgid() system # call. This is can used when argus is started as root, in order to # access privileged resources, but then after the resources are opened, # this directive can be used to change argu's group id value to # a 'lesser' capable account. Recommended when argus is running as # daemon. # # Commandline equivalent -g # #ARGUS_SETGROUP_ID=group # Argus can write its output to one or a number of files. # The default limit is 5 concurrent files, each with their # own independant filters. # # The format is: # ARGUS_OUTPUT_FILE=/full/path/file/name # ARGUS_OUTPUT_FILE="/full/path/file/name filter" # # Most sites will have argus write to a file, for reliablity. # The example file name is used here as supporting programs, # such as ./support/Archive/argusarchive are configured to use # this file (with any chroot'd directory prepended). # # Commandline equivalent -w # #ARGUS_OUTPUT_FILE=/var/log/argus/argus.out # When Argus is configured to run as a daemon, with the -d # option, Argus can store its pid in a file, to aid in # managing the running daemon. However, creating a system # pid file requires priviledges that may not be appropriate # for all cases. # # When configured to generate a pid file, if Argus cannot # create the pid file, it will fail to run. This variable # is available to override the default, in case this gets # in your way. # # The default value is to generate a pid. The default # path for the pid file, is '/var/run'. # # No Commandline equivalent # ARGUS_SET_PID=yes ARGUS_PID_PATH="/var/run" # Argus will periodically report on a flow's activity every # ARGUS_FLOW_STATUS_INTERVAL seconds, as long as there is # new activity on the flow. This is so that you can get a # multiple status reports into the activity of a flow. The # default is 5 seconds, but this number may be too low or # too high depending on your uses. Argus does suppport # a minimum value of 0.000001 seconds. Values under 1 sec # are very useful for doing measurements in a controlled # experimental environment where the number of flows is small. # # Because the status interval affects the memory utilization # of the monitor, find the minimum acceptable value is # recommended. # # Commandline equivalent -S # ARGUS_FLOW_STATUS_INTERVAL=5 # Argus will periodically report on a its own health, providing # interface status, total packet and bytes counts, packet drop # rates, and flow oriented statistics. # # These records can be used as "keep alives" for periods when # there is no network traffic to be monitored. # # The default value is 300 seconds, but a value of 60 seconds is # very common. # # Commandline equivalent -M # ARGUS_MAR_STATUS_INTERVAL=60 # If compiled to support this option, Argus is capable of # generating a lot of debug information. # # The default value is zero (0). # # Commandline equivalent -D # ARGUS_DEBUG_LEVEL=0 # Argus can be configured to report on flows in a manner than # provides the best information for calculating application # reponse times and network round trip times. # # The default value is to not generate this data. # # Commandline equivalent -R # ARGUS_GENERATE_RESPONSE_TIME_DATA=no # Argus can be configured to generate packet jitter information # on a per flow basis. The default value is to not generate # this data. # # Commandline equivalent -J # ARGUS_GENERATE_JITTER_DATA=no # Argus can be configured to provide MAC addresses in # it audit data. The default value is to not generate # this data. # # Commandline equivalent -m # ARGUS_GENERATE_MAC_DATA=yes # Argus can be configured to generate metrics that include # the application byte counts as well as the packet count # and byte counters. # # No commandline equivalent # ARGUS_GENERATE_APPBYTE_METRIC=no # Argus by default, generates extended metrics for TCP # that include the connection setup time, window sizes, # base sequence numbers, and retransmission counters. # You can suppress this detailed information using this # variable. # # No commandline equivalent # #ARGUS_GENERATE_TCP_PERF_METRIC=yes # Argus can be configured to capture a number of user data # bytes from the packet stream. # # The default value is to not generate this data. # # Commandline equivalent -U # ARGUS_CAPTURE_DATA_LEN=32 # Argus uses the packet filter capabilities of libpcap. If # there is a need to not use the libpcap filter optimizer, # you can turn it off here. The default is to leave it on. # # Commandline equivalent -O # ARGUS_FILTER_OPTIMIZER=yes # You can provide a filter expression here, if you like. # It should be limited to 2K in length. The default is to # not filter. # # No Commandline equivalent # ARGUS_FILTER="" # Argus allows you to capture packets in tcpdump() format # if the source of the packets is a tcpdump() formatted # file or live packet source. # # Specify the path to the packet capture file here. # #ARGUS_PACKET_CAPTURE_FILE="/var/log/argus/packet.out" # Argus supports the use of SASL to provide strong # authentication and confidentiality protection. # # The policy that argus uses is controlled through # the use of a minimum and maximum allowable protection # strength. Set these variable to control this policy. # #ARGUS_MIN_SSF=40 #ARGUS_MAX_SSF=128