FreeBSD Manual Pages

ARGUS.CONF(5)		      File Formats Manual		 ARGUS.CONF(5)

NAME
       argus.conf - argus resource file.

SYNOPSIS
       argus.conf

COPYRIGHT
       Copyright (c) 2000-2015 QoSient,	LLC   All rights reserved.

DESCRIPTION
       This is the canonical argus configuration file.  All options that argus
       supports can be turned on or modified using this configuration format.
       Argus will search for a system /etc/argus.conf file and will open it
       and use it to seed all configuration options.  Previous versions of
       Argus supported searching for argus.conf in $ARGUSPATH, $ARGUSHOME,
       $ARGUSHOME/lib, $HOME, and $HOME/lib, but this support is deprecated.
       All values in this file can be overridden by command line options, or
       by other configuration files of this format when specified using the
       -F option.

       Argus  will read	any number of configuration files using	the -F option,
       and command-line	order is very important.

Variable Syntax
       Variable	assignments must be of the form:
	 VARIABLE=
       with no white space between the VARIABLE	and the	'=' sign.  Quotes  are
       optional	 for string arguments, but if you want to embed	comments, then
       quotes are required.
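
       As an added illustration of the assignment syntax (example code, not
       part of argus or of this manual page), the following Python parser
       applies the rules above: a variable name immediately followed by '=',
       optional double quotes, and quoting needed to keep a comment character
       inside a value.  The '#' comment convention and the sample file are
       assumptions; the manual only says quotes are required to embed
       comments.

```python
import re

# Constructed sample argus.conf fragment (not taken from any real system).
SAMPLE_CONF = """\
# system probe configuration
ARGUS_DAEMON=yes
ARGUS_MONITOR_ID="en0"
ARGUS_FILTER="not port 22 # keep ssh out"
ARGUS_BIND_IP="::1,127.0.0.1"
ARGUS_BIND_IP=192.168.0.68
ARGUS_ACCESS_PORT=561   # trailing comment on an unquoted value
"""

# VARIABLE must be followed immediately by '=' (no whitespace before it).
_ASSIGN = re.compile(r'^([A-Z][A-Z0-9_]*)=(.*)$')


def parse_argus_conf(text):
    """Return a list of (variable, value) pairs in file order.

    Quotes are optional; an unquoted value ends at the first '#' (assumed
    comment character), so a value that must contain '#' has to be quoted.
    Repeated variables are kept because ARGUS_BIND_IP may be given on
    several lines.
    """
    pairs = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith('#'):
            continue
        m = _ASSIGN.match(line)
        if m is None:
            raise ValueError(
                f"line {lineno}: expected VARIABLE=value with no space before '='")
        name, rest = m.group(1), m.group(2).lstrip()
        if rest.startswith('"'):
            end = rest.find('"', 1)
            if end < 0:
                raise ValueError(f"line {lineno}: unterminated quote")
            value = rest[1:end]
        else:
            value = rest.split('#', 1)[0].strip()
        pairs.append((name, value))
    return pairs


def collect(pairs):
    """Fold pairs into {variable: [values...]} so multi-line settings survive."""
    settings = {}
    for name, value in pairs:
        settings.setdefault(name, []).append(value)
    return settings


if __name__ == "__main__":
    for name, values in collect(parse_argus_conf(SAMPLE_CONF)).items():
        print(f"{name} = {values}")
```

       Keeping the pairs as a list rather than a plain dict is deliberate:
       the ARGUS_BIND_IP section below allows the same variable on several
       lines, and a dict would silently keep only the last one.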

ARGUS_FLOW_TYPE	/ ARGUS_FLOW_KEY
       Argus can be configured to support a large number of flow types.  Argus
       can provide either uni-directional or bi-directional flow tracking, and
       the flow can be further defined by specifying the key.  Argus supports
       a set of well known key strategies, such as 'CLASSIC_5_TUPLE',
       'LAYER_3_MATRIX' and 'LAYER_2_MATRIX', or you can formulate key
       strategies from a list of the specific objects that Argus understands.
       See the argus(8) man page for a complete description.

       The default is the classic 5-tuple IP flow, CLASSIC_5_TUPLE.

       There is	no commandline equivalent.

       ARGUS_FLOW_TYPE="Bidirectional"
       ARGUS_FLOW_KEY="CLASSIC_5_TUPLE"

ARGUS_DAEMON
       Argus is capable of running as a daemon, doing all the right things
       that daemons do.  When this configuration is used for the system daemon
       process, say for /etc/argus.conf, this variable should be set to "yes".

       In the examples seen in the ./support/Startup/argus scripts, this value
       is set to "yes", as the system startup strategy requires the program to
       daemonize itself, returning a value to the system, hopefully quickly.
       Some systems, however, want to daemonize the tasks themselves, and in
       those cases the value must be set to "no".

       The default value is to not run as a daemon.

       Commandline equivalent  -d

       ARGUS_DAEMON=no

ARGUS_MONITOR_ID
       Argus Monitor Data is uniquely identifiable based on the source identi-
       fier that is included in each output record.  This is to allow you to
       work with Argus Data from multiple monitors at the same time.  The ID
       is 32 bits long, and argus supports a number of formats as legitimate
       values.  Argus supports unsigned ints, IPv4 addresses and 4-byte
       strings as values.

       The formats are discerned from the values provided.  Double-quoted val-
       ues are treated as strings, and are truncated to 4 characters.  Non-
       quoted values are tested for whether they are hostnames, and if not,
       then they are tested for whether they are numbers.

       The configuration allows you to use host names; however, do have some
       understanding of how `hostname` will be resolved by the nameserver
       before committing to this strategy completely.

       For convenience,	argus supports the notion of "`hostname`" for  assign-
       ing  the	 probe's  id.	This is	to support management of large deploy-
       ments, so you can have one argus.conf file that	works  for  a  lot  of
       probes.

       For security, argus does not rely on system programs, like hostname(1).
       It implements the logic of hostname itself, so don't try to run arbi-
       trary programs using this method, because it won't work.

       Commandline equivalent	-e

       ARGUS_MONITOR_ID=`hostname`    // IPv4 address returned
       ARGUS_MONITOR_ID=10.2.45.3     // IPv4 address
       ARGUS_MONITOR_ID=2435	      // Number
       ARGUS_MONITOR_ID="en0"	      // String
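
       As an added example (not argus code), the Python below classifies a
       monitor id value the way the paragraphs above describe, and renders
       the string, IPv4 and numeric forms as the 4 bytes that fit the 32-bit
       field.  The check is purely syntactic, which is an assumption: argus
       itself resolves unquoted values as host names before trying them as
       numbers, and only the literal `hostname` is honoured in backticks,
       so no external program is ever executed.  NUL padding of short
       strings is also an assumption.

```python
import re
import socket
import struct

_IPV4 = re.compile(r'^(\d{1,3})\.(\d{1,3})\.(\d{1,3})\.(\d{1,3})$')
_LABEL = r'[A-Za-z0-9]([A-Za-z0-9-]{0,61}[A-Za-z0-9])?'
_HOSTNAME = re.compile(rf'^{_LABEL}(\.{_LABEL})*$')


def classify_monitor_id(raw):
    """Classify an ARGUS_MONITOR_ID value: returns (kind, value).

    quoted       -> ("string", first 4 characters)
    `hostname`   -> ("probe-hostname", None); argus resolves this itself
    dotted quad  -> ("ipv4", text)
    digits       -> ("number", int)
    otherwise    -> ("hostname", text) if it looks like a host name
    Syntactic only (assumption): argus tries to resolve unquoted values as
    host names before treating them as numbers.
    """
    raw = raw.strip()
    if len(raw) >= 2 and raw[0] == '"' and raw[-1] == '"':
        return ("string", raw[1:-1][:4])
    if raw.startswith('`') and raw.endswith('`'):
        # Only the literal `hostname` is understood; nothing is executed.
        if raw == '`hostname`':
            return ("probe-hostname", None)
        raise ValueError("backtick form supports only `hostname`")
    m = _IPV4.match(raw)
    if m and all(int(octet) <= 255 for octet in m.groups()):
        return ("ipv4", raw)
    if raw.isdigit():
        n = int(raw)
        if n > 0xFFFFFFFF:
            raise ValueError("numeric monitor id must fit in 32 bits")
        return ("number", n)
    if _HOSTNAME.match(raw):
        return ("hostname", raw)
    raise ValueError(f"unrecognised monitor id {raw!r}")


def monitor_id_bytes(kind, value):
    """Render a classified id as the 4 bytes of the 32-bit field.

    Host names need a resolver and are not rendered here.  Short strings
    are NUL padded (assumed).
    """
    if kind == "string":
        return value.encode("ascii").ljust(4, b"\0")
    if kind == "ipv4":
        return socket.inet_aton(value)
    if kind == "number":
        return struct.pack(">I", value)
    raise ValueError(f"{kind} ids must be resolved before rendering")


if __name__ == "__main__":
    for sample in ('`hostname`', '10.2.45.3', '2435', '"en0"', '"enp0s3"'):
        print(sample, "->", classify_monitor_id(sample))
```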

ARGUS_ACCESS_PORT
       Argus  monitors can provide a real-time remote access port for collect-
       ing Argus data.	This is	a TCP based port service and the default  port
       number is tcp/561, the "experimental monitor" service.  This feature is
       disabled	by default, and	can be forced off by setting it	to zero	(0).

       When you	do want	to enable this service,	561 is a good choice,  as  all
       ra* clients are configured to try this port by default.

       Commandline equivalent  -P

       ARGUS_ACCESS_PORT=561

ARGUS_BIND_IP
       When  remote  access is enabled (see above), you	can specify that Argus
       should bind only	to a specific IP address. This is useful, for example,
       in restricting access to	the local host,	or binding to a	private	inter-
       face while capturing from another.

       You can provide multiple	addresses, separated by	commas,	or on multiple
       lines.

       The default is to bind to any IP	address.

       Commandline equivalent  -B

       ARGUS_BIND_IP="::1,127.0.0.1"
       ARGUS_BIND_IP="127.0.0.1"
       ARGUS_BIND_IP="192.168.0.68"

ARGUS_INTERFACE
       By default, Argus will open the first appropriate interface on a system
       that it encounters.  For systems that have only one network interface,
       this is a reasonable thing to do.  But, when there is more than one
       suitable interface, you should specify the interface(s) Argus should
       use either on the command line or in this file.

       Argus can track packets from any or all interfaces, concurrently.  The
       interfaces can be tracked as:
         1.  independent - this is where argus tracks flows from each
                interface independently from the packets seen on any other
                interface.  This is useful for hosts/routers that
                have full-duplex interfaces, and you want to distinguish
                flows based on their interface.  There is an option to specify
                a distinct srcid to each independent modeler.

         2.  duplex - where argus tracks packets from 2 interfaces
                as if they were two half duplex streams of the same link.
                Because there is a single modeler tracking the 2
                interfaces, there is a single srcid that can be passed as
                an option.

         3.  bonded - where argus tracks packets from multiple interfaces
                as if they were from the same stream.  Because there is a
                single modeler tracking the interfaces, there is a single
                srcid that can be passed as an option.

       Interfaces can be specified as groups using '[',']' notation, to build
       flexible definitions of packet sources.  However, each interface
       should be referenced only once (this is due to performance and OS
       limitations, so if your OS has no problem with this, go ahead).

       The lo (loopback) interface will be included only if it is specifically
       indicated in the option.

       The syntax for specifying this either on the command line or in this
       file:
           -i ind:all
           -i dup:en0,en1/srcid
           -i bond:en0,en1/srcid
           -i dup:[bond:en0,en1],en2/srcid
           -i en0/srcid -i en1/srcid   (equivalent '-i ind:en0/srcid,en1/srcid')
           -i en0 en1                  (equivalent '-i bond:en0,en1')

       In all cases, if there is a "-e srcid" provided, this is used as the
       default.  If a srcid is specified using this option, it overrides
       the default.

       Srcid's are specified using the notation used for ARGUS_MONITOR_ID, as
       above.

       Commandline equivalent	-i

       ARGUS_INTERFACE=any
       ARGUS_INTERFACE=ind:all
       ARGUS_INTERFACE=ind:en0/192.168.0.68,en2/192.168.2.1
       ARGUS_INTERFACE=ind:en0/"en0",en2/19234
       ARGUS_INTERFACE=en0
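
       As an added example (not argus code), this Python parser implements the
       interface grouping syntax described above: an optional ind:, dup: or
       bond: mode, comma-separated members, nested groups in '[' ']', a
       /srcid that belongs to each member in ind mode and to the whole group
       in dup or bond mode, and the rule that each interface should be
       referenced only once.  Two points are inferred from the examples
       rather than stated by the manual and are therefore assumptions: a
       spec without a mode prefix is treated as ind, and in dup/bond mode
       the group srcid is the one written after the last member.

```python
import re

_MODE_PREFIX = re.compile(r'^(ind|dup|bond):')
_KEYWORDS = {"any", "all"}          # pseudo-interfaces, exempt from the once-only rule
_IFACE_NAME = re.compile(r'[A-Za-z0-9_.:-]+')


def _split_top_level(s, sep=','):
    """Split on sep, ignoring separators inside [...] groups."""
    parts, cur, depth = [], [], 0
    for ch in s:
        if ch == '[':
            depth += 1
        elif ch == ']':
            depth -= 1
            if depth < 0:
                raise ValueError("unbalanced ']' in interface spec")
        if ch == sep and depth == 0:
            parts.append(''.join(cur))
            cur = []
        else:
            cur.append(ch)
    if depth:
        raise ValueError("unbalanced '[' in interface spec")
    parts.append(''.join(cur))
    return parts


def _split_srcid(item):
    """Separate 'head/srcid'; the '/' is searched after any [...] group."""
    start = item.rfind(']') + 1 if item.startswith('[') else 0
    slash = item.find('/', start)
    if slash < 0:
        return item, None
    return item[:slash], item[slash + 1:]


def parse_interface_spec(spec):
    """Parse an ARGUS_INTERFACE / -i value into a tree.

    A node is {"mode": ind|dup|bond|None, "iface": name|None,
               "srcid": str|None, "members": [nodes]}; leaves carry "iface".
    """
    spec = spec.strip()
    mode = "ind"                                    # assumed default
    m = _MODE_PREFIX.match(spec)
    if m:
        mode, spec = m.group(1), spec[m.end():]
    members, group_srcid = [], None
    items = [i.strip() for i in _split_top_level(spec)]
    for pos, item in enumerate(items):
        if not item:
            raise ValueError("empty interface entry")
        head, srcid = _split_srcid(item)
        if head.startswith('['):
            if not head.endswith(']'):
                raise ValueError(f"bad group {item!r}")
            member = parse_interface_spec(head[1:-1])   # nested group
        else:
            if not _IFACE_NAME.fullmatch(head):
                raise ValueError(f"bad interface name {head!r}")
            member = {"mode": None, "iface": head, "srcid": None, "members": []}
        if mode == "ind":
            if srcid is not None:
                member["srcid"] = srcid             # one srcid per member
        elif srcid is not None:
            if pos != len(items) - 1:
                raise ValueError(f"{mode}: srcid is allowed only after the last member")
            group_srcid = srcid                     # one modeler, one srcid
        members.append(member)
    return {"mode": mode, "iface": None, "srcid": group_srcid, "members": members}


def interfaces(tree):
    """All interface names in a parsed spec, in order, groups flattened."""
    if tree["iface"] is not None:
        return [tree["iface"]]
    names = []
    for member in tree["members"]:
        names.extend(interfaces(member))
    return names


def duplicate_interfaces(tree):
    """Interfaces referenced more than once, which the manual advises against."""
    names = [n for n in interfaces(tree) if n not in _KEYWORDS]
    return sorted({n for n in names if names.count(n) > 1})
```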

ARGUS_GO_PROMISCUOUS
       By default, Argus will put its interface in promiscuous mode in order
       to monitor all the traffic that can be collected.  This can put an
       undue load on systems.

       If the intent is to monitor only the network activity of the specific
       system, say to measure the performance of an HTTP service or DNS ser-
       vice, you'll want to turn promiscuous mode off.

       The default is to go into promiscuous mode.

       Commandline equivalent  -p

       ARGUS_GO_PROMISCUOUS=yes

ARGUS_CHROOT_DIR
       Argus supports chroot(2)	in order to control the	file system that argus
       exists  in  and	can access.  Generally used when argus is running with
       privileges, this	limits the negative impacts that argus	could  inflict
       on its host machine.

       This option will	cause the output file names to be relative to this di-
       rectory,	and so consider	this when trying to find your output files.

       Commandline equivalent	-c dir

       ARGUS_CHROOT_DIR=/chroot_dir

ARGUS_SETUSER_ID
       Argus can be directed to change its user id using the setuid() system
       call.  This can be used when argus is started as root, in order to ac-
       cess privileged resources; after the resources are opened, this direc-
       tive will cause argus to change its user id to a 'lesser' capable ac-
       count.  Recommended when argus is running as a daemon.

       Commandline equivalent	-u user

       ARGUS_SETUSER_ID=user

ARGUS_SETGROUP_ID
       Argus can be directed to change its group id using the setgid() system
       call.  This can be used when argus is started as root, in order to ac-
       cess privileged resources; after the resources are opened, this direc-
       tive can be used to change argus's group id to a 'lesser' capable ac-
       count.  Recommended when argus is running as a daemon.

       Commandline equivalent	-g group

       ARGUS_SETGROUP_ID=group

ARGUS_OUTPUT_FILE
       Argus can write its output to one or a number of files; the default
       limit is 5 concurrent files, each with its own independent filter.

       The format is:
	    ARGUS_OUTPUT_FILE=/full/path/file/name
	    ARGUS_OUTPUT_FILE=/full/path/file/name "filter"

       Most sites will have argus write to a file, for reliability and perfor-
       mance.  The example file name is used here as supporting programs, such
       as ./support/Archive/argusarchive, are configured to use this file.

       Commandline equivalent  -w

       ARGUS_OUTPUT_FILE=/var/log/argus/argus.out

ARGUS_OUTPUT_STREAM
       Argus can write its output to one or a number of remote hosts.  The de-
       fault limit is 5 concurrent output streams, each with its own indepen-
       dent filter.

       The format is:
            ARGUS_OUTPUT_STREAM="URI [filter]"
            ARGUS_OUTPUT_STREAM="argus-udp://host:port 'tcp and not udp'"

       Most  sites  will have argus listen() for remote	sites to request argus
       data, but for some sites	and applications sending records without  reg-
       istration is desired.  This option will cause argus to transmit records
       that match the optional filter, to the configured targets using UDP  as
       the transport mechanism.

       Commandline equivalent	-w argus-udp://host:port

       ARGUS_OUTPUT_STREAM=argus-udp://224.0.20.21:561

ARGUS_SET_PID
       When  Argus is configured to run	as a daemon, with the -d option, Argus
       can store its pid in a file, to aid in  managing	 the  running  daemon.
       However,	creating a system pid file requires privileges that may	not be
       appropriate for all cases.

       When configured to generate a pid file, if Argus cannot create the pid
       file, it will fail to run.  This variable, and the directory the pid is
       written to, are available to override the default, in case this gets in
       your way.

       The default value is to generate a pid.  The default path for the pid
       file is '/var/run'.

       No Commandline equivalent

       ARGUS_SET_PID=yes
       ARGUS_PID_PATH=/var/run

ARGUS_FLOW_STATUS_INTERVAL
       Argus will periodically report on a flow's activity every
       ARGUS_FLOW_STATUS_INTERVAL seconds, as long as there is new activity on
       the flow.  This is so that you can get a view into the activity of very
       long lived flows.  The default is 60 seconds, but this number may be
       too low or too high depending on your use.

       Argus supports a minimum value of 1 second.  This is very useful for
       doing measurements in a controlled experimental environment where the
       number of flows is < 1000.

       Commandline equivalent  -S

       ARGUS_FLOW_STATUS_INTERVAL=60

ARGUS_MAR_STATUS_INTERVAL
       Argus will periodically report on its own health, providing interface
       status, total packet and byte counts, packet drop rates, and flow ori-
       ented statistics.

       These records can be used as "keep alives" for periods when there is no
       network traffic to be monitored.

       The  default  value  is	300 seconds, but a value of 60 seconds is very
       common.

       Commandline equivalent  -M

       ARGUS_MAR_STATUS_INTERVAL=300

ARGUS_DEBUG_LEVEL
       If compiled to support this option, Argus is capable  of	 generating  a
       lot of debug information.

       The default value is zero (0).

       Commandline equivalent  -D

       ARGUS_DEBUG_LEVEL=0

ARGUS_GENERATE_PACKET_SIZE
       Argus can be configured to generate packet size information on a per
       flow basis, which provides the max and min packet size seen.  The de-
       fault value is to not generate this data.

       Commandline equivalent	-Z

       ARGUS_GENERATE_PACKET_SIZE=yes

ARGUS_GENERATE_JITTER_DATA
       Argus  can be configured	to generate packet jitter information on a per
       flow basis.  The	default	value is to not	generate this data.

       Commandline equivalent  -J

       ARGUS_GENERATE_JITTER_DATA=no

ARGUS_GENERATE_MAC_DATA
       Argus can be configured to not provide MAC addresses in its audit data.
       This is available if MAC address tracking and audit is not a require-
       ment.

       The default value is to not generate this data.

       Commandline equivalent  -m

       ARGUS_GENERATE_MAC_DATA=no

ARGUS_GENERATE_APPBYTE_METRIC
       Argus can be configured to generate metrics that	include	 the  applica-
       tion byte counts	as well	as the packet count and	byte counters.

       Commandline equivalent  -A

       ARGUS_GENERATE_APPBYTE_METRIC=no

ARGUS_GENERATE_TCP_PERF_METRIC
       Argus, by default, generates extended metrics for TCP that include the
       connection setup time, window sizes, base sequence numbers, and re-
       transmission counters.  You can suppress this detailed information us-
       ing this variable.

       No commandline equivalent

       ARGUS_GENERATE_TCP_PERF_METRIC=yes

ARGUS_GENERATE_BIDIRECTIONAL_TIMESTAMPS
       Argus, by default, generates a single pair of timestamps, for the first
       and last packet seen on a given flow, during the observation period.
       For bi-directional flows, this results in loss of some information.  By
       setting this variable to 'yes', argus will store start and ending time-
       stamps for both directions of the flow.

       No commandline equivalent

       ARGUS_GENERATE_BIDIRECTIONAL_TIMESTAMPS=no

ARGUS_CAPTURE_DATA_LEN
       Argus can be configured to capture a number of user data	bytes from the
       packet stream.

       The default value is to not generate this data.

       Commandline equivalent  -U

       ARGUS_CAPTURE_DATA_LEN=0

ARGUS_FILTER_OPTIMIZER
       Argus  uses  the	 packet	filter capabilities of libpcap.	 If there is a
       need to not use the libpcap filter optimizer, you can turn it off here.
       The default is to leave it on.

       Commandline equivalent  -O

       ARGUS_FILTER_OPTIMIZER=yes

ARGUS_FILTER
       You  can	 provide  a filter expression here, if you like.  It should be
       limited to 2K in	length.	 The default is	to not filter.

       No Commandline equivalent

       ARGUS_FILTER=""

ARGUS_PACKET_CAPTURE_FILE
       Argus allows you	to capture packets in tcpdump()	format if  the	source
       of the packets is a tcpdump() formatted file or live packet source.

       Specify the path	to the packet capture file here.

       ARGUS_PACKET_CAPTURE_FILE="/var/log/argus/packet.out"

ARGUS_SSF
       Argus supports the use of SASL to provide strong authentication and
       confidentiality protection.

       The policy that argus uses is controlled through the use of a minimum
       and maximum allowable protection strength, which is standard for SASL
       based applications.  Set these variables to control this policy.  The
       default is no security policy.

       ARGUS_MIN_SSF=0
       ARGUS_MAX_SSF=0
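
       Taken together, ARGUS_ACCESS_PORT, ARGUS_BIND_IP, ARGUS_CHROOT_DIR,
       ARGUS_SETUSER_ID, ARGUS_SETGROUP_ID and the SSF policy decide how
       exposed a probe is.  As an added example (not part of argus), the
       following Python audit takes parsed settings in the form
       {variable: [values]} and reports the combinations the sections above
       warn about: a daemon that keeps its startup uid, a remote access port
       bound on every address or reachable with no minimum SASL protection,
       and a missing chroot.  It also shows where an output file lands once
       ARGUS_CHROOT_DIR is set.  The two configurations are constructed, and
       the SSF numbers and severity labels are assumptions.

```python
import ipaddress
import posixpath

# Constructed configurations (not from any real probe).
WEAK = {
    "ARGUS_DAEMON": ["yes"],
    "ARGUS_ACCESS_PORT": ["561"],
    "ARGUS_OUTPUT_FILE": ["/var/log/argus/argus.out"],
}
HARDENED = {
    "ARGUS_DAEMON": ["yes"],
    "ARGUS_SETUSER_ID": ["argus"],
    "ARGUS_SETGROUP_ID": ["argus"],
    "ARGUS_CHROOT_DIR": ["/var/argus"],
    "ARGUS_ACCESS_PORT": ["561"],
    "ARGUS_BIND_IP": ["::1,127.0.0.1"],
    "ARGUS_MIN_SSF": ["40"],        # assumed policy values
    "ARGUS_MAX_SSF": ["128"],
    "ARGUS_OUTPUT_FILE": ["/var/log/argus/argus.out"],
}


def _last(settings, name, default=None):
    """Last assignment of a variable wins, as with repeated config lines."""
    values = settings.get(name)
    return values[-1] if values else default


def _bind_addrs(settings):
    """ARGUS_BIND_IP may be comma separated and/or given on several lines."""
    addrs = []
    for value in settings.get("ARGUS_BIND_IP", []):
        addrs.extend(a.strip() for a in value.split(",") if a.strip())
    return addrs


def audit_settings(settings):
    """Return a list of (severity, message) findings for the exposure checks."""
    findings = []
    daemon = _last(settings, "ARGUS_DAEMON", "no").lower() == "yes"
    user = _last(settings, "ARGUS_SETUSER_ID")
    group = _last(settings, "ARGUS_SETGROUP_ID")
    chroot = _last(settings, "ARGUS_CHROOT_DIR")
    port = int(_last(settings, "ARGUS_ACCESS_PORT", "0"))
    min_ssf = int(_last(settings, "ARGUS_MIN_SSF", "0"))

    if daemon and not user:
        findings.append(("high", "daemon keeps its startup uid; set ARGUS_SETUSER_ID"))
    if user and not group:
        findings.append(("medium", "uid is dropped but gid is not; set ARGUS_SETGROUP_ID"))
    if not chroot:
        findings.append(("low", "no ARGUS_CHROOT_DIR; argus can reach the whole file system"))
    if port != 0:                                   # 0 forces the service off
        binds = _bind_addrs(settings)
        if not binds:
            findings.append(("high", f"tcp/{port} is bound on every address; set ARGUS_BIND_IP"))
        for addr in binds:
            try:
                if not ipaddress.ip_address(addr).is_loopback:
                    findings.append(("medium", f"tcp/{port} reachable on non-loopback {addr}"))
            except ValueError:
                findings.append(("high", f"ARGUS_BIND_IP contains invalid address {addr!r}"))
        if min_ssf == 0:
            findings.append(("medium", "ARGUS_MIN_SSF=0: clients may connect with no SASL protection"))
    return findings


def effective_output_path(settings):
    """Where ARGUS_OUTPUT_FILE ends up on the host: under the chroot if one is set."""
    out = _last(settings, "ARGUS_OUTPUT_FILE")
    if out is None:
        return None
    path = out.split(None, 1)[0]                    # drop an optional "filter"
    chroot = _last(settings, "ARGUS_CHROOT_DIR")
    if chroot:
        return posixpath.join(chroot, path.lstrip("/"))
    return path


if __name__ == "__main__":
    for label, cfg in (("weak", WEAK), ("hardened", HARDENED)):
        print(label, audit_settings(cfg), effective_output_path(cfg))
```

       The output-path helper exists because the ARGUS_CHROOT_DIR section
       says output file names become relative to the chroot; an archiving
       job such as argusarchive that still looks at /var/log/argus/argus.out
       will read nothing.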

ARGUS_PCAP_BUF_SIZE
       Argus supports setting the pcap buffer size.  You can use the abbrevia-
       tions K,	M, G to	specify	thousands, millions or billions	of bytes.

       ARGUS_PCAP_BUF_SIZE=1G

ARGUS_ENV
       Argus supports setting environment variables to	enable	functions  re-
       quired  by the kernel or	shared libraries.  This	feature	is intended to
       support libraries such as the net pf_ring support for libpcap  as  sup-
       ported by code at http://public.lanl.gov/cpw/

       Setting environment variables in this way does not affect internal ar-
       gus variables in any way.  As a result, you can't set ARGUS_PATH using
       this feature.

       Care must be taken to assure that the value given to the variable
       conforms to your system's putenv(3) call.  You can have as many of
       these directives as you like.

       The  example  below  is intended	to set a libpcap ring buffer length to
       300MB, if your system supports this feature.

       ARGUS_ENV="PCAP_MEMORY=300000"

ARGUS_TUNNEL_DISCOVERY
       Argus can be configured to discover tunneling protocols above the UDP
       transport header, specifically Teredo (IPv6 over UDP).  The algorithm
       is simple, so turning this on may generate false tunnel matches.

       The default is to not turn this feature on.

       ARGUS_TUNNEL_DISCOVERY=no

ARGUS_EVENT_DATA
       Argus supports the generation of host originated processes to gather
       additional data and statistics.  These include periodic processes, for
       example to poll for SNMP data or to collect host statistics by reading
       procfs(), and single-run programs that run at a specified time.

       These argus events are generated from the complete list of
       ARGUS_EVENT_DATA directives that are specified here.

       The syntax is:
	    Syntax is: "method:path|prog:interval[:postproc]"
		Where:	method = [ "file" | "prog" ]
		      pathname | program = "%s"
		      interval = %d[smhd] [ zero means run once	]
		      postproc = [ "compress" |	"compress2" ]

       ARGUS_EVENT_DATA="file:/proc/vmstat:30s:compress"
       ARGUS_EVENT_DATA="prog:/usr/local/bin/ralsof:30s:compress"
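
       As an added example (not argus code), the Python below parses
       ARGUS_EVENT_DATA directives with the syntax given above, converts the
       %d[smhd] interval to seconds, treats zero as run-once, and collects
       the "prog" paths so an operator can review which external programs the
       probe will execute.  Requiring an absolute path and splitting on ':'
       (which assumes the path itself contains no ':') are added checks, not
       rules stated by the manual.

```python
import re

_INTERVAL = re.compile(r'^(\d+)([smhd]?)$')
_SECONDS = {"": 1, "s": 1, "m": 60, "h": 3600, "d": 86400}
_METHODS = ("file", "prog")
_POSTPROC = ("compress", "compress2")


def parse_event_directive(value):
    """Parse "method:path|prog:interval[:postproc]" into a dict.

    interval is %d[smhd]; 0 means run once.  The path must be absolute
    (assumed check): a relative path would depend on the daemon's working
    directory or chroot.
    """
    parts = value.strip().strip('"').split(':')
    if len(parts) not in (3, 4):
        raise ValueError(f"expected method:path:interval[:postproc], got {value!r}")
    method, path, interval = parts[0], parts[1], parts[2]
    postproc = parts[3] if len(parts) == 4 else None
    if method not in _METHODS:
        raise ValueError(f"method must be one of {_METHODS}, got {method!r}")
    if not path.startswith('/'):
        raise ValueError(f"{method} path must be absolute: {path!r}")
    m = _INTERVAL.match(interval)
    if m is None:
        raise ValueError(f"bad interval {interval!r}; use %d[smhd]")
    seconds = int(m.group(1)) * _SECONDS[m.group(2)]
    if postproc is not None and postproc not in _POSTPROC:
        raise ValueError(f"postproc must be one of {_POSTPROC}, got {postproc!r}")
    return {"method": method, "path": path, "interval_s": seconds,
            "run_once": seconds == 0, "postproc": postproc}


def parse_event_directives(values):
    """Parse every ARGUS_EVENT_DATA value; also return the distinct programs
    the probe would run, for review before deployment."""
    parsed = [parse_event_directive(v) for v in values]
    programs = sorted({d["path"] for d in parsed if d["method"] == "prog"})
    return parsed, programs


if __name__ == "__main__":
    # The two directives are the manual's own examples.
    directives, programs = parse_event_directives([
        '"file:/proc/vmstat:30s:compress"',
        '"prog:/usr/local/bin/ralsof:30s:compress"',
    ])
    for d in directives:
        print(d)
    print("programs to review:", programs)
```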

ARGUS_KEYSTROKE
       This version of Argus supports keystroke	detection and counting for TCP
       connections, with specific algorithmic support for SSH connections.

       The  ARGUS_KEYSTROKE  variable  turns  the  feature on. Values for this
       variable	are:
	     ARGUS_KEYSTROKE="yes" - turn on TCP flow tracking
	     ARGUS_KEYSTROKE="tcp" - turn on TCP flow tracking
	     ARGUS_KEYSTROKE="ssh" - turn on SSH specific flow tracking
	     ARGUS_KEYSTROKE="no"    [default]

       The algorithm uses a number of variables, all of which can be modified
       using the ARGUS_KEYSTROKE_CONF descriptor, which is a semicolon (';')
       separated set of variable assignments.  Here is the list of supported
       variables:
	 DC_MIN	 -   (int) Minimum client datagram payload size	in bytes
	 DC_MAX	 -   (int) Maximum client datagram payload size	in bytes
	 GS_MAX	 -   (int) Maximum server packet gap
	 DS_MIN	 -   (int) Minimum server datagram payload size	in bytes
	 DS_MAX	 -   (int) Maximum server datagram payload size	in bytes
	 IC_MIN	 -   (int) Minimum client interpacket arrival time (microseconds)
	 LCS_MAX -   (int) Maximum something - Not sure	what this is
	 GPC_MAX -   (int) Maximum client packet gap
	 ICR_MIN - (float) Minimum client/server interpacket arrival ratio
	 ICR_MAX - (float) Maximum client/server interpacket arrival ratio

       All variables have default values; this variable is used to override
       those values.  The syntax for the variable is:
	    ARGUS_KEYSTROKE_CONF="DC_MIN=20;DS_MIN=20"

       ARGUS_KEYSTROKE="no"
       ARGUS_KEYSTROKE_CONF=""
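
       As an added example (not argus code), the Python below maps an
       ARGUS_KEYSTROKE value to the tracking it enables and parses the
       ';'-separated ARGUS_KEYSTROKE_CONF overrides against the typed table
       above, rejecting unknown names and non-numeric values.  The check that
       each *_MIN does not exceed its *_MAX is an added sanity test, not a
       rule the manual states.

```python
# Typed table of ARGUS_KEYSTROKE_CONF variables, as listed in the manual.
_KEYSTROKE_VARS = {
    "DC_MIN": int, "DC_MAX": int, "GS_MAX": int, "DS_MIN": int, "DS_MAX": int,
    "IC_MIN": int, "LCS_MAX": int, "GPC_MAX": int,
    "ICR_MIN": float, "ICR_MAX": float,
}
# Min/max pairs that must be ordered (assumed sanity check).
_ORDERED_PAIRS = (("DC_MIN", "DC_MAX"), ("DS_MIN", "DS_MAX"), ("ICR_MIN", "ICR_MAX"))


def keystroke_mode(value):
    """Map ARGUS_KEYSTROKE to the tracking it enables: 'tcp', 'ssh' or None."""
    v = value.strip().strip('"').lower()
    if v in ("yes", "tcp"):
        return "tcp"
    if v == "ssh":
        return "ssh"
    if v == "no":
        return None
    raise ValueError(f"ARGUS_KEYSTROKE must be yes, tcp, ssh or no, got {value!r}")


def parse_keystroke_conf(value):
    """Parse the ';'-separated NAME=value list into a dict of typed overrides."""
    overrides = {}
    for assignment in value.strip().strip('"').split(';'):
        assignment = assignment.strip()
        if not assignment:
            continue                                # tolerate a trailing ';'
        name, sep, raw = assignment.partition('=')
        name = name.strip().upper()
        if not sep or name not in _KEYSTROKE_VARS:
            raise ValueError(f"unknown or malformed assignment {assignment!r}")
        typ = _KEYSTROKE_VARS[name]
        try:
            overrides[name] = typ(raw.strip())
        except ValueError:
            raise ValueError(f"{name} expects {typ.__name__}, got {raw!r}") from None
    for lo, hi in _ORDERED_PAIRS:
        if lo in overrides and hi in overrides and overrides[lo] > overrides[hi]:
            raise ValueError(f"{lo}={overrides[lo]} exceeds {hi}={overrides[hi]}")
    return overrides


if __name__ == "__main__":
    print(keystroke_mode('"ssh"'), parse_keystroke_conf('"DC_MIN=20;DS_MIN=20"'))
```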

SEE ALSO
       argus(8)

argus.conf 3.0.8	       07 November 2000			 ARGUS.CONF(5)
