NAME

       argus.conf - argus resource file.

SYNOPSIS

       argus.conf

COPYRIGHT

       Copyright (c) 2000-2004 QoSient. All rights reserved.

DESCRIPTION

       Argus  will  open this argus.conf if its installed as /etc/argus.conf.  It will also search for this file
       as argus.conf in directories specified in $ARGUSPATH, or $ARGUSHOME, $ARGUSHOME/lib, or $HOME, $HOME/lib,
       and parse it to set common configuration options.  All values in this file can be  overriden  by  command
       line options, or other files of this format that can be read in using the -F option.

Variable Syntax

       Variable assignments must be of the form:
         VARIABLE=
       with no white space between the VARIABLE and the '=' sign.  Quotes are optional for string arguments, but
       if you want to embed comments, then quotes are required.

ARGUS_DAEMON

       Argus  is  capable  of  running  as  a  daemon,  doing  all  the right things that daemons do.  When this
       configuration is used for the system daemon process, say for /etc/argus.conf, this variable should be set
       to "yes".

       The default value is to not run as a daemon.

       This example is to support the ./support/Startup/argus script which requires that this variable be set to
       "yes".

       Commandline equivalent  -d

       ARGUS_DAEMON=yes

ARGUS_MONITOR_ID

       Argus Monitor Data is uniquely identifiable based on the source  identifier  that  is  included  in  each
       output  record.   This  is  to allow you to work with Argus Data from multiple monitors at the same time.
       The ID is 32 bits long, and so legitimate values are 0 - 4294967296 but argus also supports IP  addresses
       as  values.   The configuration allows for you to use host names, however, do have some understanding how
       `hostname` will be resolved by the nameserver before commiting to this strategy completely.

       Commandline equivalent  -e

       ARGUS_MONITOR_ID=`hostname`

ARGUS_ACCESS_PORT

       Argus monitors can provide a real-time remote access port for collecting Argus data.  This is a TCP based
       port service and the default port number is tcp/561, the "experimental monitor" service.  This feature is
       disabled by default, and can be forced off by setting it to zero (0).

       When you do want to enable this service, 561 is a good choice, as all ra* clients are configured  to  try
       this port by default.

       Commandline equivalent  -P

       ARGUS_ACCESS_PORT=561

ARGUS_BIND_IP

       When  remote  access is enabled (see above), you can specify that Argus should bind only to a specific IP
       address. This is useful, for example, in restricting access to the local host, or binding  to  a  private
       interface while capturing from another. The default is to bind to any IP address.

       Commandline equivalent  -B

       ARGUS_BIND_IP="127.0.0.1"

ARGUS_INTERFACE

       By  default, Argus will open the first appropriate interface on a system that it encounters.  For systems
       that have only one network interface, this is a reasonable thing to do.  But, when there  are  more  than
       one suitable interface, you should specify which interface(s) Argus should read data from.

       Argus  can  read  packets  from  multiple  interfaces  at  the  same  time, although this is limited to 2
       interfaces at this time.  Specify this in this file with multiple ARGUS_INTERFACE directives.

       Commandline equivalent  -i

       ARGUS_INTERFACE=le0

ARGUS_OUTPUT_FILE

       Argus can write its output to one or a number of files, default limit is 5 concurrent  files,  each  with
       their own independant filters.

       The format is:
            ARGUS_OUTPUT_FILE=/full/path/file/name
            ARGUS_OUTPUT_FILE=/full/path/file/name "filter"

       Most  sites  will  have  argus write to a file, for reliablity and performance.  The example file name is
       used here as supporting programs, such as ./support/Archive/argusarchive are configured to use this file.

       Commandline equivalent  -w

       ARGUS_OUTPUT_FILE=/var/log/argus/argus.out

ARGUS_MAX_INSTANCES

       There can be any number of Argus Monitors running on a single system.  While this is a blessing for some,
       this does cause some confusion in traditonal system administration tasks, such as pid file  creation  and
       failure recover methods.  If you plan on having a more than one argus daemon running on your system, say,
       monitoring different interfaces, then set this variable to the number of daemons you expect to support.

       Commandline equivalent   -I

       ARGUS_MAX_INSTANCES=1

ARGUS_SET_PID

       When  Argus  is  configured to run as a daemon, with the -d option, Argus can store its pid in a file, to
       aid in managing the running daemon.  Creating a system  pid file requires priviledges  that  may  not  be
       appropriate for all cases.  To assist in managing pid file creation and support, argus

       When  configured  to generate a pid file, if Argus cannot create the pid file, it will fail to run.  This
       variable is available to override the default, in case this gets in your way.

       The default value is to generate a pid in /var/run if it exists, and if not in $ARGUSHOME.

       Commandline equivalent   -c

       ARGUS_SET_PID=yes

ARGUS_PID_FILENAME

       Argus has a mechanism for generating pid filenames, but in some circumstances, being able to specify  the
       pid  filename is required due to permission restriction or just out of convenience.  If this file exists,
       argus will read the pid that the file contains, and test if that process is running.  If not, the old pid
       is replaced, and argus continues to run.

       When this variable is set, argus assumes "-I 1" and "-c".

       Commandline equivalent   -n <pid file>

       ARGUS_PID_FILENAME=/var/run/argus.pid

ARGUS_GO_PROMISCUOUS

       By default, Argus will put its interface in promiscuous mode in order to monitor all the traffic that can
       be collected.  This can put an undo load on systems.

       If the intent is to monitor only the network  activity  of  the  specific  system,  say  to  measure  the
       performance of an HTTP service or DNS service, you'll want to turn promiscuous mode off.

       The default value is go into prmiscuous mode.

       Commandline equivalent  -p

       ARGUS_GO_PROMISCUOUS=yes

ARGUS_FLOW_STATUS_INTERVAL

       Argus  will periodically report on a flow's activity every ARGUS_FLOW_STATUS_INTERVAL seconds, as long as
       there is new activity on the flow.  This is so that you can get a view into the  activity  of  very  long
       lived  flows.   The  default  is 60 seconds, but this number may be too low or too high depending on your
       uses.

       The default value is 60 seconds, but argus does support a minimum value of 1.  This is  very  useful  for
       doing measurements in a controlled experimental environment where the number of flows is < 1000.

       Commandline equivalent  -S

       ARGUS_FLOW_STATUS_INTERVAL=60

ARGUS_MAR_STATUS_INTERVAL

       Argus  will  periodically  report on a its own health, providing interface status, total packet and bytes
       counts, packet drop rates, and flow oriented statistics.

       These records can be used as "keep alives" for periods when there is no network traffic to be monitored.

       The default value is 300 seconds, but a value of 60 seconds is very common.

       Commandline equivalent  -M

       ARGUS_MAR_STATUS_INTERVAL=300

ARGUS_DEBUG_LEVEL

       If compiled to support this option, Argus is capable of generating a lot of debug information.

       The default value is zero (0).

       Commandline equivalent  -D

       ARGUS_DEBUG_LEVEL=0

ARGUS_GENERATE_RESPONSE_TIME_DATA

       Argus can be configured to report on flows in a manner than provides the best information for calculating
       application reponse times and network round trip times.

       The default value is to not generate this data.

       Commandline equivalent  -R

       ARGUS_GENERATE_RESPONSE_TIME_DATA=no

ARGUS_GENERATE_JITTER_DATA

       Argus can be configured to generate packet jitter information on a per flow basis.  The default value  is
       to not generate this data.

       Commandline equivalent  -J

       ARGUS_GENERATE_JITTER_DATA=no

ARGUS_GENERATE_MAC_DATA

       Argus  can be configured to not provide MAC addresses in it audit data.  This is available if MAC address
       tracking and audit is not a requirement.

       The default value is to not generate this data.

       Commandline equivalent  -m

       ARGUS_GENERATE_MAC_DATA=no

ARGUS_CAPTURE_DATA_LEN

       Argus can be configured to capture a number of user data bytes from the packet stream.

       The default value is to not generate this data.

       Commandline equivalent  -U

       ARGUS_CAPTURE_DATA_LEN=0

ARGUS_FILTER_OPTIMIZER

       Argus uses the packet filter capabilities of libpcap.  If there is a need to not use the  libpcap  filter
       optimizer, you can turn it off here.  The default is to leave it on.

       Commandline equivalent  -O

       ARGUS_FILTER_OPTIMIZER=yes

ARGUS_FILTER

       You  can  provide  a  filter  expression  here,  if you like.  It should be limited to 2K in length.  The
       default is to not filter.

       No Commandline equivalent

       ARGUS_FILTER=""

SEE ALSO

       argus(8)

                                                07 November 2000                                   ARGUS.CONF(5)