FreeBSD Manual Pages
RARC(5)                       File Formats Manual                      RARC(5)

NAME
       rarc - ra client resource file.

SYNOPSIS
       rarc

DESCRIPTION
       Ra* clients will open this file if it is in the user's $HOME
       directory, or in the $ARGUSHOME directory, and parse it to set common
       configuration options. All of these values will be overridden by
       options set on the command line, or in the file specified using the
       '-F conffile' option.

       Values can be quoted to make string denotation easier; however, the
       parser does not require that string values be quoted. To support
       this, the parser will remove " (double quote) characters from input
       strings, so do not use this character in strings themselves.

       Values specified as "" will be treated as a NULL string, and the
       parser will ignore the variable setting.

RA_ARGUS_SERVER
       All ra* clients can attach to a remote server, and collect argus data
       in real time. This variable can be a name or a dot notation IP
       address. Optionally you can specify a port number using a ':' and
       then providing the port number desired.

          RA_ARGUS_SERVER=localhost:561

RA_SOURCE_PORT
       You can change the default source port value that will be used on
       remote TCP and UDP connections, using this variable. When you specify
       the remote server using the -S option and don't specify a port
       number, this is the port number it will use. The default port number
       is 561.

          RA_SOURCE_PORT=561

PID FILE SUPPORT
       Any ra* program can generate a pid file, which can be used to control
       the number of instances that the system can support.

       Creating a system pid file may require privileges that may not be
       appropriate for all cases. By specifying RA_PID_PATH, you can create
       personal pid files that will enforce your own policy for your own use
       of the ra* programs.
       When configured to generate a pid file for a ra* program, if a file
       called ra*.pid (where ra* is the name of the program in question)
       exists in the RA_PID_PATH directory, and a program exists with a pid
       that matches the one contained in the file, then the program will not
       start. If the pid does not exist, then the ra* program replaces the
       value in the file with its own pid. If a pid file does not exist,
       then the ra* program will create it in the RA_PID_PATH directory, if
       it can. The end result is that the system will support only one
       instance of the program, based on name, running at a time.

       The default value is to not generate a pid. The default path for the
       pid file is /var/run.

       No Commandline equivalent

          RA_SET_PID="no"
          RA_PID_PATH="/var/run"

RA_OUTPUT_FILE
       All ra* clients can support writing output as Argus Records into a
       file or stdout. Stdout is specified as '-'.

          RA_OUTPUT_FILE="filename"

RA_TIMERANGE
       All ra* clients can support input filtering on a time range. The
       format is:

          timeSpecification[-timeSpecification]

       where the format of a timeSpecification can be:

          [[[yy/]mm/]dd.]hh[:mm[:ss]]
          [yy/]mm/dd

          RA_TIMERANGE="55/12/04.00:00:01-55/12/04.23:59:59"
          RA_TIMERANGE="12/04-12/05"

RA_RUN_TIME
       All ra* clients can support running for a number of seconds, while
       attached to a remote source of argus data. This is a type of polling.
       The default is zero (0), which means run indefinitely.

          RA_RUN_TIME=0

RA_PRINT_MAN_RECORDS
       Specify if ra* clients should print management records by default.
       This does not affect management record processing, nor downstream
       management record propagation.

       Commandline equivalents: -M [no]man

          RA_PRINT_MAN_RECORDS=no
          RA_PRINT_EVENT_RECORDS=no

RA_PRINT_LABELS
       Most ra* clients are designed to print argus records out in ASCII,
       with each client supporting its own output formats. For ra() like
       clients, this variable will generate column headers as labels. The
       number is the number of lines between repeated header labeling.
       Setting this value to zero (0) will cause the labels to be printed
       once. If you don't want labels, comment this line out, delete it or
       set the value to -1.

          RA_PRINT_LABELS=0

RA_FIELD_DELIMITER
       Most ra* clients are designed to print argus records out in ASCII,
       with each client supporting its own output formats. For ra() like
       clients, this variable can override the default field delimiter,
       which is variable spans of space (' '), to be any character. The most
       common are expected to be '' for tabs, and ',' for comma separated
       fields.

          RA_FIELD_DELIMITER=','

RA_PRINT_NAMES
       For ra(1) like clients, this variable will control the translation of
       various numbers to names, such as address hostnames, port service
       names and/or protocol names. There can be a huge performance impact
       with name lookup, so the default is to not resolve hostnames.

          RA_PRINT_NAMES=port

       Other valid options are none to print no names, proto to translate
       the protocol names, port to translate port names, and all to
       translate all the fields. An invalid option will default to port,
       silently.

RA_CIDR_ADDRESS_FORMAT
       Use this variable to specify whether ra() clients, when printing
       numeric IP addresses, will print them as CIDR addresses, or not.

       CIDR notation is constructed from the IP address and the prefix size,
       the latter being the number of leading 1 bits of the routing prefix.
       The IP address is expressed according to the standards of IPv4 or
       IPv6. It is followed by a separator character, the forward slash (/)
       character, and the prefix size expressed as a decimal number.

       Argus IPv4 data contains the CIDR mask length when it is less than
       32, and ra* programs will by default provide the "/masklen" suffix
       when the mask is less than 32. This may be confusing for some data
       processors, which would rather see the "/masklen" suffix never, or
       all the time. Use this option to specify changes in the default
       printing strategy.
       Acceptable values for this variable are:

          "no"     - do not provide the CIDR mask length (legacy mode)
                     [default]
          "yes"    - print CIDR mask length when less than 32
          "strict" - always print CIDR mask length

          RA_CIDR_ADDRESS_FORMAT="no"

RA_ASN_PRINT_FORMAT
       All ra() clients can print and process AS Numbers that have been
       added to the records through metadata labeling, or were a part of the
       original Netflow to argus conversion process.

       RFC 5396 specifies 3 formats for representing AS Numbers, and all 3
       are acceptable formats. These formats are:

          "asplain" - 2 and 4-byte ASNs are printed as decimal integers.
          "asdot+"  - 2 and 4-byte ASNs are printed using a dot notation.
          "asdot"   - 2 byte ASNs are printed as decimal, and 4-byte ASNs
                      are printed using a dotted notation.

       The default is 'asplain'.

       No Commandline equivalent

          RA_ASN_PRINT_FORMAT="asplain"

RA_PRINT_RESPONSE_DATA
       For ra() like clients, this variable will include the response data
       that is provided by Argus. This is protocol and state specific.

          RA_PRINT_RESPONSE_DATA=no

RA_PRINT_UNIX_TIME
       For ra() like clients, this variable will force the timestamp to be
       in Unix time format, which is an integer representing the number of
       elapsed seconds since the epoch.

          RA_PRINT_UNIX_TIME=no

RA_TIME_FORMAT
       For ra() like clients, the format that is used to print timestamps is
       based on the strftime() library call, with an extension to print
       fractions of a sec using "%f". The default is "%T.%f". You can
       override this default time format by setting this variable. This
       string must conform to the format specified in strftime(). Malformed
       strings can generate interesting output, so be careful with this one,
       and don't forget the '.' when doing fractions of a second.

          RA_TIME_FORMAT="%T.%f"

RA_TZ
       The timezone used for timestamps is specified by the tzset() library
       routines, and is normally specified by factors such as the TZ
       environment variable found on most machines.
       You can override the TZ environment variable by specifying a time
       zone using this variable. The format of this string must conform to
       the format specified by tzset(3).

          RA_TZ="EST5EDT4,M3.2.0/02,M11.1.0/02"
          RA_TZ="PST8PDT"

RA_USEC_PRECISION
       For ra() like clients, this variable is used to override the time
       format of the timestamp. This variable specifies the number of
       decimal places that will be printed as the fractional part of the
       time. Argus collects usec precision, and so a maximum value of 6 is
       supported. To not print the fractional part, specify the value zero
       (0).

          RA_USEC_PRECISION=6

RA_USERDATA_ENCODE
       Argus can capture user data, and the argus clients can print, merge,
       filter, and strip user data from argus records. When printing out the
       user data contents, using tools such as ra.1, the type of encoding
       used to print the buffers can be specified here. This is available
       because many user data buffers are not printable text, and other
       representations may be more appropriate.

       Supported values are "Ascii", "Obfuscate", "Hex", "Encode32" or
       "Encode64". The default is "Ascii".

       Obfuscate is an extension to the Ascii print that attempts to
       overwrite plain text passwords, encountered in the user data, with
       'x's.

       Commandline equivalent: -M printer=<printer>

          RA_USERDATA_ENCODE=Ascii

RA_FILTER
       You can provide a filter expression here, if you like. It should be
       limited to 2K in length. The default is to not filter. See ra(1) for
       the format of the filter expression.

          RA_FILTER=""

RA_FILTER_TIMEOUT
       The filter is compiled in a separate process, and all ra* programs
       need to wait a reasonable time for the filter compiler to finish, or
       time out and return an error, in the case of a fatal error in
       compiling. Many systems are very busy, and could benefit from a
       prolonged wait period; however, this timeout value could generate a
       significant startup wait state for programs that have poor filter
       specifications, if the timer is too long.
       The current default is 1.5 seconds, but you can set this to any
       amount of time.

       No Commandline equivalent

          RA_FILTER_TIMEOUT=1.5

SASL SUPPORT
       When argus is compiled with SASL support, ra* clients may be required
       to authenticate to the argus server before the argus will accept the
       connection. This variable will allow one to set the user and
       authorization ids, if needed. Although not the best practice, you can
       provide a password through the RA_AUTH_PASS variable. If you do this,
       you should protect the contents of this file. The format for this
       variable is:

          RA_USER_AUTH="user_id/authorization_id"
          RA_AUTH_PASS="password"

       The clients can specify a part of the negotiation of the security
       policy that argus uses. This is controlled through the use of minimum
       and maximum allowable protection strength values. Set these variables
       to control this policy.

          RA_MIN_SSF=0
          RA_MAX_SSF=128

RA_DEBUG_LEVEL
       If compiled to support this option, ra* clients are capable of
       generating a lot of use [full | less | whatever] debug information.
       The default value is zero (0).

          RA_DEBUG_LEVEL=0

RA_CONNECT_TIME
       Some ra style clients use a non-blocking method to connect to remote
       data sources, so the user may need to control how long to wait if a
       remote source doesn't respond. This variable sets the number of
       seconds to wait. This number should be set to a reasonable value
       (5 < value < 60). The default value is 10 seconds.

          RA_CONNECT_TIME=10

RA_SORT_ALGORITHMS
       Many ra* programs sort records as a part of their function. Programs
       like rasort.1, providing explicit command-line options to specify the
       sort algorithms and their order, using the

       Use this configuration directive to specify the default sorting
       algorithm table for your ra* programs. The default sort algorithm is
       record start time "stime".

          RA_SORT_ALGORITHMS="stime "

RA_TIMEOUT_INTERVAL
       Some ra* clients have a timeout based function. Ratop, as an example,
       times out flows and removes them from screen at a fixed interval.
       This interval can be set using the RA_TIMEOUT_INTERVAL variable,
       which is a float in seconds. 60.0 seconds is the default.

          RA_TIMEOUT_INTERVAL=60.0

RA_UPDATE_INTERVAL
       Some ra* clients have an interval based function. Ratop, as an
       example, can refresh the screen at a fixed interval. This interval
       can be set using the RA_UPDATE_INTERVAL variable, which is a float in
       seconds. 0.5 seconds is the default.

          RA_UPDATE_INTERVAL=0.5

RA_PRINT_ETHERNET_VENDORS
       All ra* clients have the ability to print vendor names for the vendor
       part of ethernet addresses that are in flow records. ra* programs get
       their strings for the ethernet vendors using Wireshark 'manuf' files.
       One is provided with the distribution, and installed into
       /usr/local/argus.

       No Commandline equivalent

          RA_PRINT_ETHERNET_VENDORS="no"
          RA_ETHERNET_VENDORS="/usr/local/argus/wireshark.manuf.txt"

RA_DELEGATED_IP
       All ra* clients have the ability to print country codes for the IP
       addresses that are in a flow record. Country codes are generated from
       the ARIN delegated address space files. Specify the location of your
       DELEGATED_IP file here.

       No Commandline equivalent

          RA_DELEGATED_IP="/usr/local/argus/delegated-ipv4-latest"

RA_RELIABLE_CONNECT
       All ra* clients can reliably connect to remote data sources. This
       causes the ra* program to try to reconnect to lost remote sources
       every 5 seconds, indefinitely, so that the ra* program does not
       terminate but retries connection attempts when they fail. This
       feature is implemented using threads, and so threads support must be
       compiled in.

       No Commandline equivalent

          RA_RELIABLE_CONNECT=no

MYSQL SUPPORT
       Many ra* clients can connect and use a MySQL database, either for
       reading or writing. This may require references to remote database
       hosts, databases, tables, and mysql account names and passwords.
       Default values for these variables can be set here. Support must be
       compiled in.
       Commandline equivalents:

          -r mysql://[username[:password]@]hostname[:port]/database/tablename
          -w mysql://[username[:password]@]hostname[:port]/database/tablename
          -u username:password

          RA_DATABASE="argus"
          RA_DB_TABLE="table"
          RA_DB_USER="carter"
          RA_DB_PASS="whatever"

       Those ra* clients that can create database tables may need to specify
       a table type or rather, a database engine other than the default,
       MyISAM.

       Commandline equivalents: -M mysql_engine=tableType

       Current tableTypes are

          MyISAM
          InnoDB
          Merge
          Memory
          Archive
          NDB
          Federated
          CSV

          MYSQL_DB_ENGINE="MyISAM"

COLOR SUPPORT
       For ra* programs that use curses, these variables define color
       schemes and color assignments.

       Argus uses a sixteen color palette, with 8 monotone and 8 accent
       colors, plus 16 colors of gray. Currently these color values are hard
       coded. New versions should allow you to provide color definitions for
       all internal values using a 256 Xterm color wheel, to assign
       foreground and background colors. But we're not there yet.

          RA_COLOR_SUPPORT="yes"
          RA_COLOR_CONFIG="/usr/carter/.racolor.conf"

DIRECTION SUPPORT
       Many ra* clients process flow records based on source and destination
       properties. TCP and UDP port values can be used to assign direction,
       and are best used for well-known ports (< 1024), values that are in
       the /etc/services definitions, and the reserved ports (> 1023,
       < 49151).

       The syntax is:

          RA_PORT_DIRECTION="services"
          RA_PORT_DIRECTION="services,wellknown"
          RA_PORT_DIRECTION="services,wellknown,registered"

       We recommend the wellknown and services options, as they are a bit
       more discriminating. If there are ports that you know are services
       that are in the registered port range, we suggest that you add them
       to your /etc/services file rather than include the registered port
       range, only because the registered range is so large. However, this
       option is applied only to flows in which the direction is ambiguous,
       and as such, corrections based on the logic should have minimum
       effect on analytics.
          RA_PORT_DIRECTION="services,wellknown"

       Sites use locality for a number of features, such as access control,
       and this support is intended to support visualization and analytics.

       Currently, you can identify a collection of IP addresses that
       represent RA_LOCAL, and are specified using an iana-address-file
       formatted file. (See ralabel.conf)

          RA_LOCAL="/usr/local/argus/local.addrs"

       When locality information is available, programs like ra() and
       ratop() can use that information to make display decisions, such as
       the assignment of source when there is ambiguity in the flow record
       as to who is the actual initiator or receiver of the flow.

       RA_LOCAL_DIRECTION provides the logic for using the locality
       information to assign flow direction. You can force the local address
       to be either the source (src) or the destination (dst).

       The syntax is:

          RA_LOCAL_DIRECTION="local:src"
          RA_LOCAL_DIRECTION="local:dst"

          RA_LOCAL_DIRECTION="suggest:src"
          RA_LOCAL_DIRECTION="force:src"

COPYRIGHT
       Copyright (c) 2000-2016 QoSient. All rights reserved.

SEE ALSO
       ra(1)

rarc 3.0.8                     07 November 2000                        RARC(5)
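
An added example, not part of the manual page or the argus distribution: a Python check that reads a rarc file using the parsing rules in DESCRIPTION (double quotes stripped, "" ignored) and applies the SASL SUPPORT advice to protect a file that stores a password. The function names, the '#' comment convention, the 0600 recommendation and the reading of a zero SSF as "no SASL security layer" are assumptions of this example.

```python
import os
import stat
import tempfile
from pathlib import Path

# Password-bearing variables named on the man page.
SECRET_KEYS = {"RA_AUTH_PASS", "RA_DB_PASS"}

# Constructed sample input; values are the page's own placeholders.
SAMPLE_RARC = """\
# constructed example (assumes '#' starts a comment line)
RA_FILTER=""
RA_USER_AUTH="user_id/authorization_id"
RA_AUTH_PASS="password"
RA_MIN_SSF=0
"""

def parse_rarc(text):
    """Parse KEY=value lines: strip '"' from values, ignore "" settings."""
    settings = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, _, value = line.partition("=")
        value = value.strip().replace('"', "")  # parser removes double quotes
        if value:                                # "" is NULL: setting ignored
            settings[key.strip()] = value
    return settings

def audit_rarc(path):
    """Return findings for stored passwords and a zero minimum SSF."""
    settings = parse_rarc(Path(path).read_text(errors="replace"))
    mode = stat.S_IMODE(os.stat(path).st_mode)
    findings = []
    secrets = sorted(SECRET_KEYS & settings.keys())
    if secrets and mode & (stat.S_IRWXG | stat.S_IRWXO):
        findings.append(f"{', '.join(secrets)} stored in a file with mode "
                        f"{mode:04o}; restrict it to the owner (0600)")
    if "RA_USER_AUTH" in settings and settings.get("RA_MIN_SSF") == "0":
        findings.append("RA_MIN_SSF=0 accepts a SASL session with no "
                        "security layer; raise the minimum")
    return findings

def demo():
    """Audit the sample at mode 0644, then again at 0600."""
    with tempfile.TemporaryDirectory() as tmp:
        path = Path(tmp, "rarc")
        path.write_text(SAMPLE_RARC)
        os.chmod(path, 0o644)
        loose = audit_rarc(path)
        os.chmod(path, 0o600)
        tight = audit_rarc(path)
    return loose, tight
```

Calling audit_rarc() on a real resource file returns an empty list when no password is stored in a group- or world-accessible file and the minimum SSF is not set to zero alongside RA_USER_AUTH.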
Want to link to this manual page? Use this URL:
<https://man.freebsd.org/cgi/man.cgi?query=rarc&sektion=5&manpath=FreeBSD+Ports+14.3.quarterly>
