Provided by: argus-server_2.0.6.fixes.1-16.3_i386 bug


       argus.conf - argus resource file.




       Copyright (c) 2000-2004 QoSient. All rights reserved.


       Argus  will  open  this argus.conf if its installed as /etc/argus.conf.
       It will  also  search  for  this  file  as  argus.conf  in  directories
       specified  in  $ARGUSPATH,  or  $ARGUSHOME,  $ARGUSHOME/lib,  or $HOME,
       $HOME/lib, and parse it  to  set  common  configuration  options.   All
       values  in this file can be overriden by command line options, or other
       files of this format that can be read in using the -F option.

Variable Syntax

       Variable assignments must be of the form:
       with no white space between the VARIABLE and the '=' sign.  Quotes  are
       optional  for string arguments, but if you want to embed comments, then
       quotes are required.


       Argus is capable of running as a daemon, doing  all  the  right  things
       that daemons do.  When this configuration is used for the system daemon
       process, say for /etc/argus.conf, this variable should be set to "yes".

       The default value is to not run as a daemon.

       This example is to support  the  ./support/Startup/argus  script  which
       requires that this variable be set to "yes".

       Commandline equivalent  -d



       Argus  Monitor  Data  is  uniquely  identifiable  based  on  the source
       identifier that is included in each output record.  This  is  to  allow
       you  to  work  with Argus Data from multiple monitors at the same time.
       The ID is 32 bits long, and so legitimate values are 0 - 4294967296 but
       argus  also  supports IP addresses as values.  The configuration allows
       for you to use host names, however,  do  have  some  understanding  how
       `hostname`  will be resolved by the nameserver before commiting to this
       strategy completely.

       Commandline equivalent  -e



       Argus  monitors  can  provide  a  real-time  remote  access  port   for
       collecting  Argus  data.   This  is  a  TCP  based port service and the
       default port number is tcp/561,  the  "experimental  monitor"  service.
       This  feature  is disabled by default, and can be forced off by setting
       it to zero (0).

       When you do want to enable this service, 561 is a good choice,  as  all
       ra* clients are configured to try this port by default.

       Commandline equivalent  -P



       When  remote  access is enabled (see above), you can specify that Argus
       should bind only to a specific IP address. This is useful, for example,
       in  restricting  access  to  the  local  host,  or binding to a private
       interface while capturing from another. The default is to bind  to  any
       IP address.

       Commandline equivalent  -B



       By default, Argus will open the first appropriate interface on a system
       that it encounters.  For systems that have only one network  interface,
       this  is  a  reasonable thing to do.  But, when there are more than one
       suitable interface, you should specify which interface(s) Argus  should
       read data from.

       Argus  can  read  packets  from  multiple  interfaces at the same time,
       although this is limited to 2 interfaces at this time.  Specify this in
       this file with multiple ARGUS_INTERFACE directives.

       Commandline equivalent  -i



       Argus  can  write its output to one or a number of files, default limit
       is 5 concurrent files, each with their own independant filters.

       The format is:
            ARGUS_OUTPUT_FILE=/full/path/file/name "filter"

       Most sites will  have  argus  write  to  a  file,  for  reliablity  and
       performance.   The  example  file  name  is  used  here  as  supporting
       programs, such as ./support/Archive/argusarchive are configured to  use
       this file.

       Commandline equivalent  -w



       There  can  be any number of Argus Monitors running on a single system.
       While this is a blessing for some, this does cause  some  confusion  in
       traditonal  system  administration tasks, such as pid file creation and
       failure recover methods.  If you plan on having a more than  one  argus
       daemon  running  on  your system, say, monitoring different interfaces,
       then set this variable to the number of daemons you expect to support.

       Commandline equivalent   -I



       When Argus is configured to run as a daemon, with the -d option,  Argus
       can  store  its  pid  in a file, to aid in managing the running daemon.
       Creating a system  pid  file  requires  priviledges  that  may  not  be
       appropriate for all cases.  To assist in managing pid file creation and
       support, argus

       When configured to generate a pid file, if Argus cannot create the  pid
       file,  it will fail to run.  This variable is available to override the
       default, in case this gets in your way.

       The default value is to generate a pid in /var/run if it exists, and if
       not in $ARGUSHOME.

       Commandline equivalent   -c



       Argus  has  a  mechanism  for  generating  pid  filenames,  but in some
       circumstances, being able to specify the pid filename is  required  due
       to  permission  restriction  or  just out of convenience.  If this file
       exists, argus will read the pid that the file  contains,  and  test  if
       that  process  is  running.  If not, the old pid is replaced, and argus
       continues to run.

       When this variable is set, argus assumes "-I 1" and "-c".

       Commandline equivalent   -n <pid file>



       By default, Argus will put its interface in promiscuous mode  in  order
       to monitor all the traffic that can be collected.  This can put an undo
       load on systems.

       If the intent is to monitor only the network activity of  the  specific
       system,  say  to  measure  the  performance  of  an HTTP service or DNS
       service, you'll want to turn promiscuous mode off.

       The default value is go into prmiscuous mode.

       Commandline equivalent  -p



       Argus  will  periodically   report   on   a   flow's   activity   every
       ARGUS_FLOW_STATUS_INTERVAL seconds, as long as there is new activity on
       the flow.  This is so that you can get a view into the activity of very
       long  lived  flows.   The default is 60 seconds, but this number may be
       too low or too high depending on your uses.

       The default value is 60 seconds, but argus does support a minimum value
       of  1.   This  is  very  useful  for doing measurements in a controlled
       experimental environment where the number of flows is < 1000.

       Commandline equivalent  -S



       Argus will periodically report on a its own health, providing interface
       status,  total  packet  and  bytes  counts, packet drop rates, and flow
       oriented statistics.

       These records can be used as "keep alives" for periods when there is no
       network traffic to be monitored.

       The  default  value  is  300 seconds, but a value of 60 seconds is very

       Commandline equivalent  -M



       If compiled to support this option, Argus is capable  of  generating  a
       lot of debug information.

       The default value is zero (0).

       Commandline equivalent  -D



       Argus  can  be  configured to report on flows in a manner than provides
       the best information for  calculating  application  reponse  times  and
       network round trip times.

       The default value is to not generate this data.

       Commandline equivalent  -R



       Argus  can be configured to generate packet jitter information on a per
       flow basis.  The default value is to not generate this data.

       Commandline equivalent  -J



       Argus can be configured to not provide MAC addresses in it audit  data.
       This  is  available  if  MAC  address  tracking  and  audit  is  not  a

       The default value is to not generate this data.

       Commandline equivalent  -m



       Argus can be configured to capture a number of user data bytes from the
       packet stream.

       The default value is to not generate this data.

       Commandline equivalent  -U



       Argus  uses  the  packet filter capabilities of libpcap.  If there is a
       need to not use the libpcap filter optimizer, you can turn it off here.
       The default is to leave it on.

       Commandline equivalent  -O



       You  can  provide  a filter expression here, if you like.  It should be
       limited to 2K in length.  The default is to not filter.

       No Commandline equivalent




                               07 November 2000                  ARGUS.CONF(5)