Provided by: argus-server_2.0.6.fixes.1-16.3ubuntu1_amd64


       argus.conf - argus resource file.




       Copyright (c) 2000-2004 QoSient. All rights reserved.


       Argus will open this argus.conf if it is installed as /etc/argus.conf.  It will also search
       for this file as argus.conf in the directories specified in $ARGUSPATH,  or  in  $ARGUSHOME,
       $ARGUSHOME/lib,  $HOME  and  $HOME/lib,  and  parse  it to set common configuration options.
       All values in this file can be overridden by command line options, or by other files of this
       format that are read in using the -F option.

Variable Syntax

       Variable assignments must be of the form:
       with no white space between the VARIABLE and the '=' sign.  Quotes are optional for string
       arguments, but if you want to embed comments, then quotes are required.
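The assignment rules above (no white space before the '=', quotes optional, quotes needed to keep a '#' inside a value) are easy to get wrong by hand. The following parser is an added example, not code from the argus project; it reads those rules literally, treating an unquoted '#' as the start of a comment and a quoted value as opaque up to its closing quote, and keeps repeated variables (several ARGUS_INTERFACE or ARGUS_OUTPUT_FILE lines) in order. The sample configuration embedded in it is constructed for the example.

```python
"""Parser for the argus.conf variable syntax described on this page.

Added example, not argus's own code.  Rules implemented:
  * one VARIABLE=value per line, no white space between the name and '=';
  * a value may be quoted; inside quotes a '#' is part of the value;
  * in an unquoted value a '#' starts a comment;
  * lines that are blank or start with '#' are ignored;
  * repeated variables are kept in order (argus allows several of some).
"""
import re

# The name must touch the '=' directly: "ARGUS_DAEMON = yes" is rejected.
_ASSIGN = re.compile(r'^([A-Z][A-Z0-9_]*)=(.*)$')

# Constructed sample argus.conf (not a distributed file).
SAMPLE_CONF = '''\
# constructed example argus.conf
ARGUS_DAEMON=yes
ARGUS_ACCESS_PORT=561
ARGUS_BIND_IP=127.0.0.1            # comment after an unquoted value
ARGUS_INTERFACE=eth0
ARGUS_INTERFACE=eth1
ARGUS_OUTPUT_FILE=/var/log/argus/argus.out "not host 127.0.0.1"
ARGUS_FILTER="tcp or udp"          # quoted value, comment after the quote
'''


def is_well_formed(line):
    """True if the line has the VARIABLE=value shape (ignoring indentation)."""
    return _ASSIGN.match(line.strip()) is not None


def parse_value(raw):
    """Strip an optional quoted wrapper and any trailing unquoted comment."""
    text = raw.strip()
    if text.startswith('"'):
        end = text.find('"', 1)
        if end < 0:
            raise ValueError("unterminated quoted value: %r" % raw)
        return text[1:end]           # anything after the closing quote is a comment
    return text.split('#', 1)[0].strip()


def parse_argus_conf(text):
    """Return a list of (variable, value) pairs, preserving order and repeats."""
    settings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        stripped = line.strip()
        if not stripped or stripped.startswith('#'):
            continue
        m = _ASSIGN.match(stripped)
        if m is None:
            # Most common cause: white space before the '=' sign.
            raise ValueError("line %d: not of the form VARIABLE=value: %r" % (lineno, line))
        settings.append((m.group(1), parse_value(m.group(2))))
    return settings


if __name__ == "__main__":
    for var, val in parse_argus_conf(SAMPLE_CONF):
        print("%-26s %s" % (var, val))
```

The output-file line keeps its trailing "filter" as part of the value; splitting path and filter is left to the consumer, because the page defines the filter as a second, quoted field on the same line.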


       Argus is capable of running as a daemon, doing all the right things that daemons do.  When
       this  configuration  is  used for the system daemon process, say for /etc/argus.conf, this
       variable should be set to "yes".

       The default value is to not run as a daemon.

       This example is to support the ./support/Startup/argus script  which  requires  that  this
       variable be set to "yes".

       Commandline equivalent  -d



       Argus Monitor Data is uniquely identifiable based on the source identifier that is  included
       in  each  output  record.   This  allows  you  to  work  with  Argus  Data  from  multiple
       monitors at the same time.  The ID is 32 bits long, so legitimate values are 0 - 4294967296,
       but  argus  also  supports  IP  addresses  as  values.   The configuration allows you to use
       host names; however, make sure you understand how `hostname` will be resolved by  the  name-
       server before committing to this strategy completely.

       Commandline equivalent  -e



       Argus monitors can provide a real-time remote access port for collecting Argus data.  This
       is  a  TCP  based  port  service and the default port number is tcp/561, the "experimental
       monitor" service.  This feature is disabled by default, and can be forced off  by  setting
       it to zero (0).

       When  you  do  want  to  enable this service, 561 is a good choice, as all ra* clients are
       configured to try this port by default.

       Commandline equivalent  -P



       When remote access is enabled (see above), you can specify that Argus should bind only  to
       a  specific  IP  address.  This is useful, for example, in restricting access to the local
       host, or binding to a private interface while capturing from another. The  default  is  to
       bind to any IP address.

       Commandline equivalent  -B



       By default, Argus will open the first appropriate interface that it encounters on a  system.
       For  systems  that  have  only  one  network interface, this is a reasonable thing to do.
       But when there is more than one suitable interface, you should specify which interface(s)
       Argus should read data from.

       Argus can read packets from multiple interfaces at the same time, although this is limited
       to  2  interfaces  at  this time.  Specify this in this file with multiple ARGUS_INTERFACE

       Commandline equivalent  -i



       Argus can write its output to one or a number of files; the default  limit  is  5  concurrent
       files, each with its own independent filter.

       The format is:
            ARGUS_OUTPUT_FILE=/full/path/file/name "filter"

       Most sites will have argus write to a file, for reliability and performance.   The  example
       file  name  is used here because supporting programs, such as ./support/Archive/argusarchive,
       are configured to use this file.

       Commandline equivalent  -w



       There can be any number of Argus Monitors running on a single system.   While  this  is  a
       blessing  for  some,  it  does  cause  some  confusion  in  traditional system administration
       tasks, such as pid file creation and failure recovery methods.   If  you  plan  on  having
       more  than  one  argus  daemon  running on your system, say, monitoring different interfaces,
       then set this variable to the number of daemons you expect to support.

       Commandline equivalent   -I



       When Argus is configured to run as a daemon, with the -d option, Argus can store its pid  in
       a  file,  to  aid  in  managing  the running daemon.  Creating a system pid file requires
       privileges that may not be appropriate for all cases.  To assist in  managing  pid  file
       creation and support, argus

       When configured to generate a pid file, if Argus cannot create the pid file, it will  fail
       to  run.   This  variable  is available to override the default, in case this gets in your

       The default value is to generate a pid in /var/run if it exists, and if not in $ARGUSHOME.

       Commandline equivalent   -c



       Argus has a mechanism for generating pid filenames, but in some circumstances, being  able
       to  specify  the  pid  filename  is  required due to permission restriction or just out of
       convenience.  If this file exists, argus will read the pid that  the  file  contains,  and
       test  if that process is running.  If not, the old pid is replaced, and argus continues to

       When this variable is set, argus assumes "-I 1" and "-c".

       Commandline equivalent   -n <pid file>
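The stale-pid check described in the previous paragraph (read the pid in the file, test whether that process still runs, replace the pid if it does not) is a small piece of logic that is worth seeing written out. The function below is an added example, not argus's own implementation; it tests liveness with os.kill(pid, 0), which delivers no signal and only reports whether the pid exists (EPERM also means it exists), and it writes the new pid through a temporary file so a reader never sees a half-written value. Paths and pids are parameters so it can be exercised against a temporary directory.

```python
"""Stale pid file handling of the kind this page describes for argus.

Added example, not argus code.  claim_pid_file() mirrors the stated
behaviour: an existing file naming a live process means another instance
is running and we do not proceed; a file naming a dead process is stale
and is overwritten.  Permission errors propagate, matching the page's note
that argus fails to run when it cannot create its pid file.
"""
import errno
import os


def pid_is_running(pid):
    """True if a process with this pid exists, even one we may not signal."""
    if pid <= 0:
        return False
    try:
        os.kill(pid, 0)                 # signal 0: existence check only
    except OSError as e:
        return e.errno == errno.EPERM   # exists but belongs to another user
    return True


def read_pid(path):
    """Return the integer pid stored in path, or None if absent or unparsable."""
    try:
        with open(path) as fh:
            return int(fh.read().strip())
    except (OSError, ValueError):
        return None


def claim_pid_file(path, my_pid=None):
    """Record my_pid in path unless the file names a live process.

    Returns (claimed, old_pid).  claimed is False when the recorded pid is
    still running; old_pid is whatever the file held before (None if none).
    """
    my_pid = os.getpid() if my_pid is None else my_pid
    old = read_pid(path)
    if old is not None and old != my_pid and pid_is_running(old):
        return False, old
    # A stale file must be replaced, so O_EXCL is deliberately not used;
    # the rename keeps the replacement atomic.
    tmp = path + ".tmp"
    with open(tmp, "w") as fh:
        fh.write("%d\n" % my_pid)
    os.replace(tmp, path)
    return True, old


if __name__ == "__main__":
    import tempfile
    pidfile = os.path.join(tempfile.mkdtemp(), "argus.pid")   # constructed path
    print(claim_pid_file(pidfile))          # (True, None): fresh claim
    print(claim_pid_file(pidfile, 4242))    # (False, <our pid>): we are alive
```

Note the race that remains: two daemons starting at the same instant can both find the file stale. The page's advice to set the daemon count (-I) and a distinct pid file name (-n) per instance is the practical way to avoid contention rather than this check alone.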



       By default, Argus will put its interface in promiscuous mode in order to monitor  all  the
       traffic that can be collected.  This can put an undue load on systems.

       If  the  intent  is  to  monitor  only the network activity of the specific system, say to
       measure the performance of an HTTP service or DNS service, you'll want to turn promiscuous
       mode off.

       The default value is to go into promiscuous mode.

       Commandline equivalent  -p



       Argus  will  periodically  report  on  a  flow's activity every ARGUS_FLOW_STATUS_INTERVAL
       seconds, as long as there is new activity on the flow.  This is so that you can get a view
       into  the  activity  of very long lived flows.  The default is 60 seconds, but this number
       may be too low or too high depending on your uses.

       The default value is 60 seconds, but argus does support a minimum value  of  1.   This  is
       very  useful  for  doing  measurements  in a controlled experimental environment where the
       number of flows is < 1000.

       Commandline equivalent  -S



       Argus will periodically report on its own health, providing interface status, total  packet
       and byte counts, packet drop rates, and flow oriented statistics.

       These records can be used as "keep alives" for periods when there is no network traffic to
       be monitored.

       The default value is 300 seconds, but a value of 60 seconds is very common.

       Commandline equivalent  -M
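Treating these status records as keep-alives means something has to notice when they stop, and the drop rate they carry is the first sign that a sensor is no longer seeing everything. The check below is an added example, not part of argus or its ra* clients; it runs over a constructed list of status summaries (monitor id, timestamp, packets and drops in the interval) and reports a monitor that has missed two consecutive intervals as well as one whose drop rate crossed a threshold. The status interval of 60 seconds is the common value the page mentions.

```python
"""Keep-alive and drop-rate checks over Argus status records.

Added example, not argus code.  Records are constructed tuples of
(monitor id, epoch seconds, packets in interval, drops in interval), the
fields the page says the status record reports.  A monitor is "silent"
when more than MISSED_BEATS status intervals have passed since its last
record; a "drops" finding is raised when the interval's drop rate exceeds
DROP_RATE_LIMIT.
"""

STATUS_INTERVAL = 60      # seconds; the -M value the page calls very common
MISSED_BEATS = 2          # tolerate one late record, alert on the second
DROP_RATE_LIMIT = 0.01    # alert when more than 1% of packets were dropped

# Constructed sample (not captured data).
SAMPLE_STATUS = [
    ("10.0.0.1", 1000, 5000, 0),
    ("10.0.0.1", 1060, 5200, 0),
    ("10.0.0.1", 1120, 5100, 120),   # drop rate 2.3%: sensor losing packets
    ("10.0.0.1", 1180, 4900, 0),
    ("10.0.0.2", 1000, 800, 0),
    ("10.0.0.2", 1060, 790, 0),      # nothing afterwards: daemon or link down
]


def check_status_records(records, now, interval=STATUS_INTERVAL):
    """Return findings as (monitor, kind, detail) tuples.

    kind is "gap" (a hole between two records), "silent" (no record up to
    now) or "drops" (drop rate above the limit); detail is the gap length in
    seconds or the drop rate.
    """
    findings = []
    last_seen = {}
    for monitor, ts, pkts, drops in sorted(records, key=lambda r: r[1]):
        prev = last_seen.get(monitor)
        if prev is not None and ts - prev > MISSED_BEATS * interval:
            findings.append((monitor, "gap", ts - prev))
        last_seen[monitor] = ts
        total = pkts + drops
        if total and drops / total > DROP_RATE_LIMIT:
            findings.append((monitor, "drops", round(drops / total, 4)))
    for monitor, ts in last_seen.items():
        if now - ts > MISSED_BEATS * interval:
            findings.append((monitor, "silent", now - ts))
    return findings


if __name__ == "__main__":
    for finding in check_status_records(SAMPLE_STATUS, now=1200):
        print(finding)
```

Two intervals of tolerance rather than one avoids paging on a single delayed record; with ARGUS_FLOW_STATUS_INTERVAL and the status interval set to different values, check each record type against its own interval.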



       If compiled to support this option,  Argus  is  capable  of  generating  a  lot  of  debug

       The default value is zero (0).

       Commandline equivalent  -D



       Argus can be configured to report on flows in a manner that provides  the  best  information
       for calculating application response times and network round trip times.

       The default value is to not generate this data.

       Commandline equivalent  -R



       Argus can be configured to generate packet jitter information on a per  flow  basis.   The
       default value is to not generate this data.

       Commandline equivalent  -J



       Argus can be configured to not provide MAC addresses in its audit data.  This is  available
       if MAC address tracking and audit is not a requirement.

       The default value is to not generate this data.

       Commandline equivalent  -m



       Argus can be configured to capture a number of user data bytes from the packet stream.

       The default value is to not generate this data.

       Commandline equivalent  -U



       Argus uses the packet filter capabilities of libpcap.  If there is a need to not  use  the
       libpcap filter optimizer, you can turn it off here.  The default is to leave it on.

       Commandline equivalent  -O



       You  can  provide  a  filter  expression here, if you like.  It should be limited to 2K in
       length.  The default is to not filter.

       No Commandline equivalent
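The limits scattered through the sections above (a 32-bit or IP-address monitor id, a TCP port that is disabled at 0, at most 2 interfaces and 5 output files, full paths for output files, a flow status interval of at least 1 second, a filter of at most 2K) are the kind of thing a configuration check can verify before the daemon is started. The lint below is an added example, not argus's own validation. The variable names it uses are the ones from the argus 2.0.6 distribution's argus.conf, which this page's copy no longer shows, so treat them as an assumption drawn from that file; the settings list is a constructed sample in the (variable, value) form a parser would produce. It also flags the case the bind-address section warns about: remote access enabled with no bind address, which the page says means binding to any IP address.

```python
"""Lint argus.conf settings against the limits stated on this page.

Added example, not argus's own code.  Variable names follow the argus 2.0.6
distribution's argus.conf (assumed; this page's copy lost them).  Input is
a list of (variable, value) pairs; the last assignment of a variable wins
except for ARGUS_INTERFACE and ARGUS_OUTPUT_FILE, which may legitimately
repeat.
"""
import ipaddress
import os

MAX_INTERFACES = 2        # "limited to 2 interfaces at this time"
MAX_OUTPUT_FILES = 5      # default concurrent file limit
MAX_FILTER_LEN = 2048     # "limited to 2K in length"

# Constructed sample with several deliberate mistakes.
SAMPLE_SETTINGS = [
    ("ARGUS_DAEMON", "yes"),
    ("ARGUS_MONITOR_ID", "192.0.2.10"),
    ("ARGUS_ACCESS_PORT", "561"),                 # enabled, but no ARGUS_BIND_IP
    ("ARGUS_INTERFACE", "eth0"),
    ("ARGUS_INTERFACE", "eth1"),
    ("ARGUS_INTERFACE", "eth2"),                  # one over the limit
    ("ARGUS_OUTPUT_FILE", '/var/log/argus/argus.out "not host 127.0.0.1"'),
    ("ARGUS_OUTPUT_FILE", "relative/argus.out"),  # not a full path
    ("ARGUS_FLOW_STATUS_INTERVAL", "0"),          # minimum is 1
    ("ARGUS_FILTER", "tcp or udp"),
]


def monitor_id_ok(value):
    """A 32-bit unsigned integer (0 .. 2**32-1) or an IP address literal."""
    if value.isdigit():
        return 0 <= int(value) < 2 ** 32
    try:
        ipaddress.ip_address(value)
        return True
    except ValueError:
        return False          # a host name: depends on resolution at start-up


def lint_settings(settings):
    """Return a list of finding strings; an empty list means the config passed."""
    findings = []
    values = {}
    for var, val in settings:
        values.setdefault(var, []).append(val)

    def one(var):
        return values.get(var, [None])[-1]

    if one("ARGUS_DAEMON") not in (None, "yes", "no"):
        findings.append("ARGUS_DAEMON must be yes or no")

    mid = one("ARGUS_MONITOR_ID")
    if mid is not None and not monitor_id_ok(mid):
        findings.append("ARGUS_MONITOR_ID %r is not a 32-bit number or IP address;"
                        " a host name relies on the nameserver at start-up" % mid)

    port = one("ARGUS_ACCESS_PORT")
    if port is not None:
        if not port.isdigit() or int(port) > 65535:
            findings.append("ARGUS_ACCESS_PORT %r is not a TCP port" % port)
        elif int(port) != 0 and one("ARGUS_BIND_IP") is None:
            findings.append("remote access on tcp/%s binds to every address;"
                            " set ARGUS_BIND_IP to restrict it" % port)

    if len(values.get("ARGUS_INTERFACE", [])) > MAX_INTERFACES:
        findings.append("more than %d ARGUS_INTERFACE entries" % MAX_INTERFACES)

    outputs = values.get("ARGUS_OUTPUT_FILE", [])
    if len(outputs) > MAX_OUTPUT_FILES:
        findings.append("more than %d ARGUS_OUTPUT_FILE entries" % MAX_OUTPUT_FILES)
    for out in outputs:
        path = out.split(None, 1)[0]          # path first, optional "filter" after
        if not os.path.isabs(path):
            findings.append("ARGUS_OUTPUT_FILE %r is not a full path" % path)

    fsi = one("ARGUS_FLOW_STATUS_INTERVAL")
    if fsi is not None and (not fsi.isdigit() or int(fsi) < 1):
        findings.append("ARGUS_FLOW_STATUS_INTERVAL must be at least 1 second")

    flt = one("ARGUS_FILTER")
    if flt is not None and len(flt) > MAX_FILTER_LEN:
        findings.append("ARGUS_FILTER longer than %d bytes" % MAX_FILTER_LEN)
    return findings


if __name__ == "__main__":
    for line in lint_settings(SAMPLE_SETTINGS):
        print(line)
```

Run against the sample it reports four findings: the unrestricted access port, the third interface, the relative output path and the zero flow status interval. The bind-address finding is the one to act on first, since tcp/561 exposes the sensor's flow data to whoever can reach the host.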




                                         07 November 2000                           ARGUS.CONF(5)