RARC(5)			      File Formats Manual		       RARC(5)

NAME
       rarc - ra client	resource file.

SYNOPSIS
       rarc

DESCRIPTION
       Ra* clients will open this file if it is in the user's $HOME directory,
       or in the $ARGUSHOME directory, and parse it to set common configuration
       options.  All of these values will be overridden by options set on the
       command line, or in the file specified using the '-F conffile' option.

       Values can be quoted to make string denotation easier, however, the
       parser does not require that string values be quoted.  To support this,
       the parser will remove " (double quote) characters from input strings,
       so do not use this character in strings themselves.

       Values specified	as "" will be treated as a NULL	string,	and the	parser
       will ignore the variable	setting.

RA_ARGUS_SERVER
       All ra* clients can attach to a remote server, and collect  argus  data
       in  real	 time.	 This  variable	can be a name or a dot notation	IP ad-
       dress.  Optionally you can specify a port number	using a	':'  and  then
       providing the port number desired.

       RA_ARGUS_SERVER=localhost:561

RA_SOURCE_PORT
       You can change the default source port value that will be used on
       remote TCP and UDP connections, using this variable.  When you specify
       the remote server using the -S option and don't specify a port
       number, this is the port number it will use.

       The default port	number is 561.

       RA_SOURCE_PORT=561

PID FILE SUPPORT
       Any ra* program can generate a pid file,	which can be used  to  control
       the number of instances that the	system can support.

       Creating a system pid file may require privileges that may not be
       appropriate for all cases.  By specifying RA_PID_PATH, you can create
       personal pid files that will enforce your own policy for your own use
       of the ra* programs.

       When configured to generate a pid file for a ra*	 program,  if  a  file
       called  ra*.pid	(where ra* is the name of the program in question) ex-
       ists in the RA_PID_PATH directory, and a	program	exists with a pid that
       matches the one contained in the	file, then the program will not	start.
       If the pid does not exist, then the ra* program replaces	the  value  in
       the  file,  with	 its own pid.	If a pid file does not exist, then the
       ra* program will	create it in the RA_PID_PATH  directory,  if  it  can.
       The end result is that the system will support only one instance of
       the program, based on name, running at a time.

       The default value is to not generate a pid.  The	default	path  for  the
       pid file, is /var/run.

       No Commandline equivalent

       RA_SET_PID="no"
       RA_PID_PATH="/var/run"

RA_OUTPUT_FILE
       All ra* clients can support writing output as Argus Records into	a file
       or stdout.  Stdout is specified as '-'.

       RA_OUTPUT_FILE="filename"

RA_TIMERANGE
       All ra* clients can support input filtering on a	time range. The	format
       is:
	    timeSpecification[-timeSpecification]

       where the format	of a timeSpecification can be:
	    [[[yy/]mm/]dd.]hh[:mm[:ss]]
	    [yy/]mm/dd

       RA_TIMERANGE="55/12/04.00:00:01-55/12/04.23:59:59"
       RA_TIMERANGE="12/04-12/05"

RA_RUN_TIME
       All  ra*	clients	can support running for	a number of seconds, while at-
       tached to a remote source of argus data.	 This is a  type  of  polling.
       The default is zero (0), which means run indefinitely.

       RA_RUN_TIME=0

RA_PRINT_MAN_RECORDS
       Specify	if  ra*	 clients  should  print	management records by default.
       This does not affect management record processing, nor down stream man-
       agement record propagation.

       Commandline equivalents:	-M [no]man

       RA_PRINT_MAN_RECORDS=no
       RA_PRINT_EVENT_RECORDS=no

RA_PRINT_LABELS
       Most ra*	clients	are designed to	print argus records out	in ASCII, with
       each client supporting its own output formats.  For ra()	like  clients,
       this  variable  will  generate column headers as	labels.	 The number is
       the number of lines between repeated  header  labeling.	 Setting  this
       value  to  zero	(0)  will cause	the labels to be printed once.	If you
       don't want labels,  comment this	line out, delete it or set  the	 value
       to -1.

       RA_PRINT_LABELS=0

RA_FIELD_DELIMITER
       Most ra*	clients	are designed to	print argus records out	in ASCII, with
       each client supporting its own output formats.  For ra()	like  clients,
       this variable can override the default field delimiter, which is
       variable spans of space (' '), to be any character.  The most common are
       expected to be '' for tabs, and ',' for comma separated fields.

       RA_FIELD_DELIMITER=','

RA_PRINT_NAMES
       For  ra(1)  like	clients, this variable will control the	translation of
       various numbers to names, such as address hostnames, port service names
       and/or  protocol	 names.	  There	 can be	a huge performance impact with
       name lookup, so the default is to not resolve hostnames.

       RA_PRINT_NAMES=port

       Other valid options are none to print no	names, proto to	translate  the
       protocol	 names,	port to	translate port names, and all to translate all
       the fields.  An invalid option will default to port, silently.

RA_CIDR_ADDRESS_FORMAT
       Use this	variable to specify whether ra() clients,  when	 printing  nu-
       meric  IP  addresses,  will print them as CIDR addresses, or not.  CIDR
       notation	is constructed from the	IP address and the  prefix  size,  the
       latter being the	number of leading 1 bits of the	routing	prefix.	The IP
       address is expressed according to the standards of IPv4 or IPv6.	It  is
       followed	by a separator character, the forward slash (/)	character, and
       the prefix size expressed as a decimal number.

       Argus IPv4 data contains the CIDR mask length, when it's less than 32,
       and ra* programs will by default provide the "/masklen" suffix when
       the mask is less than 32.

       This may be confusing for some data processors, which would rather see
       the "/masklen" never, or all the time.  Use this option to specify
       changes in the default printing strategy.

       Acceptable values for this variable are:
           "no"     -  do not provide the CIDR mask length (legacy mode)
                       [default]
           "yes"    -  print CIDR mask length when less than 32
           "strict" -  always print CIDR mask length

       RA_CIDR_ADDRESS_FORMAT="no"

RA_ASN_PRINT_FORMAT
       All  ra() clients can print and process AS Numbers that have been added
       to the records through metadata labeling, or were a part of the
       original Netflow to argus conversion process.

       RFC 5396 specifies 3 formats for representing AS Numbers, and all 3 are
       acceptable formats. These formats are:
           "asplain" - 2 and 4-byte ASNs are printed as decimal integers.
           "asdot+"  - 2 and 4-byte ASNs are printed using a dot notation.
           "asdot"   - 2 byte ASNs are printed as decimal, and 4-byte ASNs
                       are printed using a dotted notation.

       The default is 'asplain'.

       No Commandline equivalent

       RA_ASN_PRINT_FORMAT="asplain"

RA_PRINT_RESPONSE_DATA
       For ra()	like clients, this variable will  include  the	response  data
       that is provided	by Argus.  This	is protocol and	state specific.

       RA_PRINT_RESPONSE_DATA=no

RA_PRINT_UNIX_TIME
       For  ra() like clients, this variable will force	the timestamp to be in
       Unix time format, which	is  an	integer	 representing  the  number  of
       elapsed seconds since the epoch.

       RA_PRINT_UNIX_TIME=no

RA_TIME_FORMAT
       For ra() like clients, the format that is used to print timestamps is
       based on the strftime() library call, with an extension to print
       fractions of a sec using "%f".  The default is "%T.%f".  You can
       override this default time format by setting this variable.  This string
       must conform to the format specified in strftime().  Malformed strings
       can generate interesting output, so be careful with this one, and don't
       forget the '.' when doing fractions of a second.

       RA_TIME_FORMAT="%T.%f"

RA_TZ
       The  timezone  used  for	timestamps is specified	by the tzset() library
       routines, and is	normally specified by factors such as the TZ  environ-
       ment variable found on most machines.  You can override the TZ environ-
       ment variable by	specifying a time zone using this variable.  The  for-
       mat of this string must conform to the format specified by tzset(3).

       RA_TZ="EST5EDT4,M3.2.0/02,M11.1.0/02"
       RA_TZ="PST8PDT"

RA_USEC_PRECISION
       For  ra() like clients, this variable is	used to	override the time for-
       mat of the timestamp.  This variable specifies the  number  of  decimal
       places  that will be printed as the fractional part of the time.	 Argus
       collects	usec precision,	and so a maximum value of 6 is supported.   To
       not print the fractional	part, specify the value	zero (0).

       RA_USEC_PRECISION=6

RA_USERDATA_ENCODE
       Argus  can  capture  user data, and the argus clients can print,	merge,
       filter, and strip user data from	argus records.	When printing out  the
       user data contents, using tools such as ra.1, the type of encoding used
       to print	the buffers can	be specified here. This	is  available  because
       many  user  data	 buffers are not printable text, and other representa-
       tions may be more appropriate.

       Supported values	are "Ascii", "Obfuscate", "Hex",  "Encode32"  or  "En-
       code64".	 The default is	"Ascii".

       Obfuscate  is  an  extension to the Ascii print,	that attempts to over-
       write plain text	passwords, encountered in the user data, with 'x's.

       Commandline equivalent: -M printer=<printer>

       RA_USERDATA_ENCODE=Ascii

RA_FILTER
       You can provide a filter	expression here, if you	like.	It  should  be
       limited	to 2K in length.  The default is to not	filter.	 See ra(1) for
       the format of the filter	expression.

       RA_FILTER=""

RA_FILTER_TIMEOUT
       The filter is compiled in a separate process, and all ra* programs need
       to  wait	 a  reasonable time for	the filter compiler to finish, or time
       out and return an error,	in the case of a  fatal	 error	in  compiling.
       Many systems are	very busy, and could benefit from a prolonged wait pe-
       riod, however, this timeout value could generate	a significant  startup
       wait  state  for	 programs that have poor filter	specifications,	if the
       timer is	too long.

       The current default is 1.5 seconds, but you can set this	to any	amount
       of time.

       No Commandline equivalent

       RA_FILTER_TIMEOUT=1.5

SASL SUPPORT
       When argus is compiled with SASL support, ra* clients may be required
       to authenticate to the argus server before argus will accept the
       connection.  This variable will allow one to set the user and
       authorization id's, if needed.  Although not the best practice, you can
       provide a password through the RA_AUTH_PASS variable.  If you do this,
       you should protect the contents of this file.  The format for this
       variable is:

       RA_USER_AUTH="user_id/authorization_id"
       RA_AUTH_PASS="password"

       The clients can specify a part of the negotiation of the security
       policy that argus uses.  This is controlled through the use of minimum
       and maximum allowable protection strength values.  Set these variables
       to control this policy.

       RA_MIN_SSF=0
       RA_MAX_SSF=128

RA_DEBUG_LEVEL
       If compiled to support this option, ra* clients are capable of generat-
       ing  a  lot of use [full	| less | whatever] debug information.  The de-
       fault value is zero (0).

       RA_DEBUG_LEVEL=0

RA_CONNECT_TIME
       Some ra style clients use a non-blocking	method to  connect  to	remote
       data sources, so the user may need to control how long to wait if a
       remote source doesn't respond.  This variable sets the number  of  sec-
       onds  to	 wait.	 This  number should be	set to a reasonable value (5 <
       value < 60).  The default value is 10 seconds.

       RA_CONNECT_TIME=10

RA_SORT_ALGORITHMS
       Many ra*	programs sort records as a part	of their  function.   Programs
       like  rasort.1,	providing explicit command-line	options	to specify the
       sort algorithms and their order,	using the

       Use this	configuration directive	to specify the default	sorting	 algo-
       rithm  table  for  your	ra*  programs.	 The default sort algorithm is
       record start time "stime".

       RA_SORT_ALGORITHMS="stime "

RA_TIMEOUT_INTERVAL
       Some ra*	clients	have a timeout based function.	Ratop, as an  example,
       times out flows and removes them from the screen at a fixed interval.
       This variable can be set	using the RA_TIMEOUT_INTERVAL variable,	 which
       is a float in seconds. 60.0 seconds is the default.

       RA_TIMEOUT_INTERVAL=60.0

RA_UPDATE_INTERVAL
       Some  ra*  clients have an interval based function.  Ratop, as an exam-
       ple, can	refresh	the screen at a	fixed interval.	 This variable can  be
       set using the RA_UPDATE_INTERVAL	variable, which	is a float in seconds.
       0.5 seconds is the default.

       RA_UPDATE_INTERVAL=0.5

RA_PRINT_ETHERNET_VENDORS
       All ra* clients have the	ability	to print vendor	names for  the	vendor
       part of ethernet addresses that are in flow records.  ra* programs get
       their strings for the ethernet vendors using Wireshark 'manuf' files. One
       is provided with	the distribution, and installed	into /usr/local/argus.

       No Commandline equivalent

       RA_PRINT_ETHERNET_VENDORS="no"
       RA_ETHERNET_VENDORS="/usr/local/argus/wireshark.manuf.txt"

RA_DELEGATED_IP
       All  ra*	clients	have the ability to print country codes	for the	IP ad-
       dresses that are	in a flow record.  Country codes  are  generated  from
       the  ARIN  delegated address space files.  Specify the location of your
       DELEGATED_IP file here.

       No Commandline equivalent

       RA_DELEGATED_IP="/usr/local/argus/delegated-ipv4-latest"

RA_RELIABLE_CONNECT
       All ra* clients can reliably connect to remote data sources.  This
       causes the ra* program to try to reconnect to lost remote sources every
       5 seconds, indefinitely.  This causes the ra* program to not terminate
       but retry connection attempts when they fail.

       This  feature is	implemented using threads, and so threads support must
       be compiled in.

       No Commandline equivalent

       RA_RELIABLE_CONNECT=no

MYSQL SUPPORT
       Many ra* clients can connect and use a MySQL database, either for
       reading or writing.  This may require references to remote database
       hosts, databases, tables, and mysql account names and passwords.

       Default values for these	variables can be set here.   support  must  be
       compiled	in.

       Commandline equivalents:
	 -r mysql://[username[:password]@]hostname[:port]/database/tablename
	 -w mysql://[username[:password]@]hostname[:port]/database/tablename
	 -u username:password

       RA_DATABASE="argus"
       RA_DB_TABLE="table"
       RA_DB_USER="carter"
       RA_DB_PASS="whatever"

       Those ra* clients that can create database tables may need to specify a
       table type or rather, a database engine other than the default, MyISAM.

       Commandline equivalents:
	 -M mysql_engine=tableType
	    Current tableTypes are
	       MyISAM
	       InnoDB
	       Merge
	       Memory
	       Archive
	       NDB
	       Federated
	       CSV

       MYSQL_DB_ENGINE="MyISAM"
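
       The following audit sketch relates to the RA_AUTH_PASS advice under
       SASL SUPPORT and the RA_DB_PASS variable above.  It is an added
       example, not part of the argus distribution; the '#' comment syntax,
       the sample file and the function names are assumptions.

```python
import os
import stat
import tempfile

# Password-bearing variables named on this page.
SECRET_KEYS = {"RA_AUTH_PASS", "RA_DB_PASS"}

def parse_rarc(text):
    """Parse KEY=value lines as the page describes: double quotes are
    stripped, and a value of "" is a NULL string whose setting is ignored."""
    settings = {}
    for line in text.splitlines():
        line = line.strip()
        # Assumption: '#' starts a comment line.
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, _, value = line.partition("=")
        value = value.replace('"', "").strip()
        if value:
            settings[key.strip()] = value
    return settings

def audit_rarc(path):
    """Return (settings, findings) for one rarc file."""
    with open(path, encoding="utf-8", errors="replace") as fh:
        settings = parse_rarc(fh.read())
    mode = stat.S_IMODE(os.stat(path).st_mode)
    findings = []
    for key in sorted(SECRET_KEYS & settings.keys()):
        findings.append(f"{key}: clear-text password stored in file")
        if mode & (stat.S_IRWXG | stat.S_IRWXO):
            findings.append(f"{key}: file mode {mode:04o} exposes it to other users, use 0600")
    # An explicit minimum SSF of 0 lets negotiation settle on no security layer.
    if "RA_USER_AUTH" in settings and settings.get("RA_MIN_SSF") == "0":
        findings.append("RA_MIN_SSF=0: SASL session may run without integrity or encryption")
    return settings, findings

# Constructed sample file, not taken from a real deployment.
SAMPLE = '''\
# personal ra client settings
RA_ARGUS_SERVER=localhost:561
RA_FILTER=""
RA_USER_AUTH="user_id/authorization_id"
RA_AUTH_PASS="password"
RA_MIN_SSF=0
RA_MAX_SSF=128
RA_DB_PASS=""
'''

def demo(mode=0o644):
    """Write SAMPLE with the given mode and audit it."""
    with tempfile.TemporaryDirectory() as tmp:
        path = os.path.join(tmp, "rarc")
        with open(path, "w", encoding="utf-8") as fh:
            fh.write(SAMPLE)
        os.chmod(path, mode)
        return audit_rarc(path)

if __name__ == "__main__":
    for finding in demo()[1]:
        print(finding)
```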

COLOR SUPPORT
       For ra* programs that use curses, these variables define color schemes
       and color assignments.

       Argus  uses  a sixteen color palette, with 8 monotone and 8 accent col-
       ors, plus 16 colors of gray. Currently  these  color  values  are  hard
       coded.	New versions should allow you to provide color definitions for
       all internal values using a 256 Xterm color wheel, to assign foreground
       and background colors. But we're not there yet.

       RA_COLOR_SUPPORT="yes"
       RA_COLOR_CONFIG="/usr/carter/.racolor.conf"

DIRECTION SUPPORT
       Many  ra*  clients process flow records based on	source and destination
       properties.  TCP and UDP port values can be used to assign direction,
       and are best used for well-known ports (< 1024), values that are in the
       /etc/services definitions, and the reserved ports (> 1023, < 49151).

       The syntax is:
	   RA_PORT_DIRECTION="services"
	   RA_PORT_DIRECTION="services,wellknown"
	   RA_PORT_DIRECTION="services,wellknown,registered"

       We recommend the	wellknown and services options,	as they	are a bit more
       discriminating.	If there are ports that	you know are services that are
       in the registered port range, we	suggest	that  you  add	them  to  your
       /etc/services  file rather than include the registered port range; only
       because the registered range is so large. However, this option is
       applied only to flows in which the direction is ambiguous, and as such,
       corrections based on the logic should have minimum effect on analytics.

       RA_PORT_DIRECTION="services,wellknown"

       Sites use locality for a	number of features, such as   access  control,
       and this	support	is intended to support visualization, and analytics.

       Currently, you can identify a collection	of IP addresses	that represent
       RA_LOCAL, and are specified using an iana-address-file formatted	 file.
       (See ralabel.conf)

       RA_LOCAL="/usr/local/argus/local.addrs"

       When  locality information is available,	programs like ra(), and	as the
       assignment of source when there is ambiguity in the flow record as to
       who is the actual initiator or receiver of the flow.

       When locality information is available, programs	like ra(), and ratop()
       can use that information	to make	display	decisions, such

       RA_LOCAL_DIRECTION provides the logic for using the  locality  informa-
       tion  to	 assign	flow direction.	 You can force the local address to be
       either the source (src) or the destination (dst).

       The syntax is:
	   RA_LOCAL_DIRECTION="local:src"
	   RA_LOCAL_DIRECTION="local:dst"

       RA_LOCAL_DIRECTION="suggest:src"
       RA_LOCAL_DIRECTION="force:src"

COPYRIGHT
       Copyright (c) 2000-2016 QoSient.	All rights reserved.

SEE ALSO
       ra(1)

rarc 3.0.8		       07 November 2000			       RARC(5)
