Provided by: argus-client_3.0.8.2-6.2ubuntu4_amd64

NAME

       rarc - ra client resource file.

SYNOPSIS

       rarc

DESCRIPTION

       Ra* clients will open this file if it is in the user's $HOME directory, or in the $ARGUSHOME directory, and
       parse it to set common configuration options.  All of these values will be overridden by options set on
       the command line, or in the file specified using the '-F conffile' option.

       Values can be quoted to make string denotation easier, however, the parser does not require that string
       values be quoted.  To support this, the parser will remove " (double quote) characters from input strings,
       so do not use this character in strings themselves.

       Values specified as "" will be treated as a NULL string, and the parser will ignore the variable setting.

RA_ARGUS_SERVER

       All ra* clients can attach to a remote server, and collect argus data in real time.  This variable can be
       a name or a dot notation IP address.  Optionally you can specify a port  number  using  a  ':'  and  then
       providing the port number desired.

       RA_ARGUS_SERVER=localhost:561

RA_SOURCE_PORT

       You can change the default source port value that will be used on remote TCP and UDP connections, using
       this variable.  When you specify the remote server using the -S option and don't specify a port
       number, this is the port number it will use.

       The default port number is 561.

       RA_SOURCE_PORT=561

PID FILE SUPPORT

       Any  ra*  program  can generate a pid file, which can be used to control the number of instances that the
       system can support.

       Creating a system pid file may require privileges that may not be appropriate for all cases.  By
       specifying RA_PID_PATH, you can create personal pid files that will enforce your own policy for your own
       use of the ra* programs.

       When configured to generate a pid file for a ra* program, if a file called ra*.pid (where ra* is the name
       of the program in question) exists in the RA_PID_PATH directory, and a program exists with a pid that
       matches the one contained in the file, then the program will not start.  If the pid does not exist, then
       the ra* program replaces the value in the file with its own pid.  If a pid file does not exist, then
       the ra* program will create it in the RA_PID_PATH directory, if it can.  The end result is that the
       system will support only one instance of the program, based on name, running at a time.

       The default value is to not generate a pid.  The default path for the pid file, is /var/run.

       No Commandline equivalent

       RA_SET_PID="no"
       RA_PID_PATH="/var/run"
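
       The start-up rules above, written out as an added Python example (not code from argus-clients).  The
       function names and the use of O_EXCL are assumptions of this sketch; the page does not say how ra*
       programs create the file.

```python
import os
import tempfile

def pid_alive(pid):
    """True if a process with this pid exists; signal 0 only probes."""
    if pid <= 0:
        return False
    try:
        os.kill(pid, 0)
    except (ProcessLookupError, OverflowError):
        return False
    except PermissionError:
        return True  # the process exists but belongs to another user
    return True

def claim_pidfile(pid_dir, prog, my_pid=None):
    """Apply the page's rules; returns 'created', 'refused' or 'replaced'."""
    my_pid = os.getpid() if my_pid is None else my_pid
    path = os.path.join(pid_dir, prog + ".pid")
    try:
        # O_EXCL makes "create it if it does not exist" atomic between two starters.
        fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_EXCL, 0o644)
    except FileExistsError:
        with open(path) as fh:
            text = fh.read().strip()
        try:
            recorded = int(text)
        except ValueError:
            recorded = 0  # unparsable content is treated as a stale entry
        if pid_alive(recorded):
            return "refused"
        # Stale pid: overwrite.  This step is check-then-write, so two programs
        # starting at the same moment can both pass it.
        with open(path, "w") as fh:
            fh.write("%d\n" % my_pid)
        return "replaced"
    with os.fdopen(fd, "w") as fh:
        fh.write("%d\n" % my_pid)
    return "created"

def demo():
    """Run the three cases from the page in a scratch RA_PID_PATH."""
    with tempfile.TemporaryDirectory() as pid_dir:
        first = claim_pidfile(pid_dir, "ratop")       # no pid file yet
        second = claim_pidfile(pid_dir, "ratop")      # file holds our own live pid
        with open(os.path.join(pid_dir, "ratop.pid"), "w") as fh:
            fh.write("2147483647\n")                  # constructed pid with no process
        third = claim_pidfile(pid_dir, "ratop")
        return [first, second, third]

if __name__ == "__main__":
    print(demo())
```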

RA_OUTPUT_FILE

       All ra* clients can support writing output as Argus Records into a file or stdout.  Stdout  is  specified
       as '-'.

       RA_OUTPUT_FILE="filename"

RA_TIMERANGE

       All ra* clients can support input filtering on a time range. The format is:
            timeSpecification[-timeSpecification]

       where the format of a timeSpecification can be:
            [[[yy/]mm/]dd.]hh[:mm[:ss]]
            [yy/]mm/dd

       RA_TIMERANGE="55/12/04.00:00:01-55/12/04.23:59:59"
       RA_TIMERANGE="12/04-12/05"

RA_RUN_TIME

       All ra* clients can support running for a number of seconds, while attached to a remote source of argus
       data.  This is a type of polling.  The default is zero (0), which means run indefinitely.

       RA_RUN_TIME=0

RA_PRINT_MAN_RECORDS

       Specify if ra* clients should print management records by  default.   This  does  not  affect  management
       record processing, nor down stream management record propagation.

       Commandline equivalents: -M [no]man

       RA_PRINT_MAN_RECORDS=no
       RA_PRINT_EVENT_RECORDS=no

RA_PRINT_LABELS

       Most  ra*  clients  are designed to print argus records out in ASCII, with each client supporting its own
       output formats.  For ra() like clients, this variable will generate column headers as labels.  The number
       is the number of lines between repeated header labeling.  Setting this value to zero (0) will  cause  the
       labels  to be printed once.  If you don't want labels,  comment this line out, delete it or set the value
       to -1.

       RA_PRINT_LABELS=0

RA_FIELD_DELIMITER

       Most ra* clients are designed to print argus records out in ASCII, with each client supporting its own
       output formats.  For ra() like clients, this variable can override the default field delimiter, which is
       variable spans of space (' '), to be any character.  The most common are expected to be '\t' for tabs, and
       ',' for comma separated fields.

       RA_FIELD_DELIMITER=','

RA_PRINT_NAMES

       For  ra(1)  like clients, this variable will control the translation of various numbers to names, such as
       address hostnames, port service names and/or protocol names.  There can be a huge performance impact with
       name lookup, so the default is to not resolve hostnames.

       RA_PRINT_NAMES=port

       Other valid options are none to print no names, proto to translate the protocol names, port to  translate
       port names, and all to translate all the fields.  An invalid option will default to port, silently.

RA_CIDR_ADDRESS_FORMAT

       Use this variable to specify whether ra() clients, when printing numeric IP addresses, will print them as
       CIDR addresses, or not.  CIDR notation is constructed from the IP address and the prefix size, the latter
       being  the  number  of leading 1 bits of the routing prefix. The IP address is expressed according to the
       standards of IPv4 or IPv6. It is followed by a separator character, the forward slash (/) character,  and
       the prefix size expressed as a decimal number.

       Argus IPv4 data contains the CIDR mask length, when it's less than 32, and ra* programs will by default
       provide the "/masklen" suffix when the mask is less than 32.

       This may be confusing for some data processors, which would rather see the "/masklen" either never or
       all the time.  Use this option to specify changes in the default printing strategy.

       Acceptable values for this variable are:
           "no"     -  do not provide the CIDR mask length (legacy mode) [default]
           "yes"    -  print CIDR mask length when less than 32
           "strict" -  always print CIDR mask length

       RA_CIDR_ADDRESS_FORMAT="no"

RA_ASN_PRINT_FORMAT

       All ra() clients can print and process AS Numbers that have been added to the records through metadata
       labeling, or were a part of the original Netflow to argus conversion process.

       RFC 5396 specifies 3 formats for representing AS Numbers, and all 3 are acceptable formats. These formats
       are:
           "asplain" - 2 and 4-byte ASNs are printed as decimal integers.
           "asdot+"  - 2 and 4-byte ASNs are printed using a dot notation.
           "asdot"   - 2 byte ASNs are printed as decimal, and 4-byte ASNs
                       are printed using a dotted notation.

       The default is 'asplain'.

       No Commandline equivalent

       RA_ASN_PRINT_FORMAT="asplain"

RA_PRINT_RESPONSE_DATA

       For  ra()  like clients, this variable will include the response data that is provided by Argus.  This is
       protocol and state specific.

       RA_PRINT_RESPONSE_DATA=no

RA_PRINT_UNIX_TIME

       For ra() like clients, this variable will force the timestamp to be in Unix  time  format,  which  is  an
       integer representing the number of elapsed seconds since the epoch.

       RA_PRINT_UNIX_TIME=no

RA_TIME_FORMAT

       For ra() like clients, the format that is used to print timestamps is based on the strftime() library
       call, with an extension to print fractions of a second using "%f".  The default is "%T.%f".  You can
       override this default time format by setting this variable.  This string must conform to the format
       specified in strftime().  Malformed strings can generate interesting output, so be careful with this one,
       and don't forget the '.' when doing fractions of a second.

       RA_TIME_FORMAT="%T.%f"

RA_TZ

       The timezone used for timestamps is specified by the tzset() library routines, and is normally  specified
       by  factors  such  as  the  TZ  environment  variable  found  on  most machines.  You can override the TZ
       environment variable by specifying a time zone using this variable.   The  format  of  this  string  must
       conform to the format specified by tzset(3).

       RA_TZ="EST5EDT4,M3.2.0/02,M11.1.0/02"
       RA_TZ="PST8PDT"

RA_USEC_PRECISION

       For ra() like clients, this variable is used to override the time format of the timestamp.  This variable
       specifies  the  number  of decimal places that will be printed as the fractional part of the time.  Argus
       collects usec precision, and so a maximum value of 6 is supported.  To not  print  the  fractional  part,
       specify the value zero (0).

       RA_USEC_PRECISION=6

RA_USERDATA_ENCODE

       Argus  can  capture  user  data, and the argus clients can print, merge, filter, and strip user data from
       argus records.  When printing out the user data contents, using tools such as ra.1, the type of  encoding
       used to print the buffers can be specified here. This is available because many user data buffers are not
       printable text, and other representations may be more appropriate.

       Supported values are "Ascii", "Obfuscate", "Hex", "Encode32" or "Encode64".  The default is "Ascii".

       Obfuscate  is  an  extension  to  the  Ascii  print,  that  attempts  to over-write plain text passwords,
       encountered in the user data, with 'x's.

       Commandline equivalent: -M printer=<printer>

       RA_USERDATA_ENCODE=Ascii

RA_FILTER

       You can provide a filter expression here, if you like.  It should  be  limited  to  2K  in  length.   The
       default is to not filter.  See ra(1) for the format of the filter expression.

       RA_FILTER=""

RA_FILTER_TIMEOUT

       The filter is compiled in a separate process, and all ra* programs need to wait a reasonable time for the
       filter  compiler  to  finish, or time out and return an error, in the case of a fatal error in compiling.
       Many systems are very busy, and could benefit from a prolonged wait period, however, this  timeout  value
       could generate a significant startup wait state for programs that have poor filter specifications, if the
       timer is too long.

       The current default is 1.5 seconds, but you can set this to any amount of time.

       No Commandline equivalent

       RA_FILTER_TIMEOUT=1.5

SASL SUPPORT

       When argus is compiled with SASL support, ra* clients may be required to authenticate to the argus server
       before argus will accept the connection.  This variable will allow one to set the user and
       authorization id's, if needed.  Although not the best practice, you can provide a password through the
       RA_AUTH_PASS variable.  If you do this, you should protect the contents of this file.  The format for
       this variable is:

       RA_USER_AUTH="user_id/authorization_id"
       RA_AUTH_PASS="password"

       The clients can specify a part of the negotiation of the security policy that argus uses.  This is
       controlled through the use of minimum and maximum allowable protection strength values.  Set these
       variables to control this policy.

       RA_MIN_SSF=0
       RA_MAX_SSF=128

RA_DEBUG_LEVEL

       If compiled to support this option, ra* clients are capable of generating a lot of use  [full  |  less  |
       whatever] debug information.  The default value is zero (0).

       RA_DEBUG_LEVEL=0

RA_CONNECT_TIME

       Some ra style clients use a non-blocking method to connect to remote data sources, so the user may need
       to control how long to wait if a remote source doesn't respond.  This variable sets the number of seconds
       to wait.  This number should be set to a reasonable value (5 < value < 60).  The default value is 10
       seconds.

       RA_CONNECT_TIME=10

RA_SORT_ALGORITHMS

       Many ra* programs sort records as a part of their function.  Programs like rasort.1 provide explicit
       command-line options to specify the sort algorithms and their order, using the '-m field [field ...]'
       option.

       Use  this  configuration  directive to specify the default sorting algorithm table for your ra* programs.
       The default sort algorithm is record start time "stime".

       RA_SORT_ALGORITHMS="stime "

RA_TIMEOUT_INTERVAL

       Some ra* clients have a timeout based function.  Ratop, as an example, times out flows and removes them
       from the screen at a fixed interval.  This interval can be set using the RA_TIMEOUT_INTERVAL variable,
       which is a float in seconds.  60.0 seconds is the default.

       RA_TIMEOUT_INTERVAL=60.0

RA_UPDATE_INTERVAL

       Some ra* clients have an interval based function.  Ratop, as an example, can refresh the screen at a
       fixed interval.  This interval can be set using the RA_UPDATE_INTERVAL variable, which is a float in
       seconds.  0.5 seconds is the default.

       RA_UPDATE_INTERVAL=0.5

RA_PRINT_ETHERNET_VENDORS

       All ra* clients have the ability to print vendor names for the vendor part of ethernet addresses that are
       in flow records.  ra* programs get their strings for the ethernet vendors using Wireshark 'manuf' files.
       One is provided with the distribution, and installed into /usr/local/argus.

       No Commandline equivalent

       RA_PRINT_ETHERNET_VENDORS="no"
       RA_ETHERNET_VENDORS="/usr/local/argus/wireshark.manuf.txt"

RA_DELEGATED_IP

       All ra* clients have the ability to print country codes for the IP addresses that are in a  flow  record.
       Country  codes  are  generated from the ARIN delegated address space files.  Specify the location of your
       DELEGATED_IP file here.

       No Commandline equivalent

       RA_DELEGATED_IP="/usr/local/argus/delegated-ipv4-latest"

RA_RELIABLE_CONNECT

       All ra* clients can reliably connect to remote data sources.  This causes the ra* program to try to
       reconnect to lost remote sources every 5 seconds, indefinitely.  This causes the ra* program to not
       terminate but retry connection attempts when they fail.

       This feature is implemented using threads, and so threads support must be compiled in.

       No Commandline equivalent

       RA_RELIABLE_CONNECT=no

MYSQL SUPPORT

       Many ra* clients can connect and use a MySQL database, either for reading or writing.  This may require
       references to remote database hosts, databases, tables, and mysql account names and passwords.

       Default values for these variables can be set here.  MySQL support must be compiled in.

       Commandline equivalents:
         -r mysql://[username[:password]@]hostname[:port]/database/tablename
         -w mysql://[username[:password]@]hostname[:port]/database/tablename
         -u username:password

       RA_DATABASE="argus"
       RA_DB_TABLE="table"
       RA_DB_USER="carter"
       RA_DB_PASS="whatever"
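
       Because RA_AUTH_PASS (see SASL SUPPORT) and RA_DB_PASS can store passwords in this file, the following
       added example, which is not part of argus-clients, audits a rarc for stored secrets, loose file modes
       and RA_MIN_SSF=0.  It assumes '#' starts a comment line and that an SSF of 0 means no SASL security
       layer; the finding labels are made up for this example.

```python
import os
import stat
import tempfile

SECRET_KEYS = ("RA_AUTH_PASS", "RA_DB_PASS")

# Constructed sample, built from variable names documented on this page.
SAMPLE = '''# constructed example rarc
RA_ARGUS_SERVER=localhost:561
RA_USER_AUTH="user_id/authorization_id"
RA_AUTH_PASS="password"
RA_MIN_SSF=0
RA_DB_PASS=""
'''

def parse_rarc(text):
    """KEY=value lines; '"' characters are dropped; an empty value is ignored."""
    settings = {}
    for raw in text.splitlines():
        line = raw.strip()
        # Assumption: '#' starts a comment (the page only says "comment this line out").
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, value = line.split("=", 1)
        value = value.strip().replace('"', "")
        if value:  # "" is a NULL string, so the setting is skipped
            settings[key.strip()] = value
    return settings

def audit_rarc(path):
    """Return findings about stored secrets, file mode and the SSF floor."""
    mode = stat.S_IMODE(os.stat(path).st_mode)
    with open(path, encoding="utf-8", errors="replace") as fh:
        settings = parse_rarc(fh.read())
    findings = []
    secrets = [k for k in SECRET_KEYS if k in settings]
    if secrets and mode & 0o077:  # any group/other permission bit
        findings.append("secret-readable: %s with mode %04o" % (",".join(secrets), mode))
    if mode & 0o022:              # group or other may rewrite the settings
        findings.append("writable-by-others: mode %04o" % mode)
    if settings.get("RA_MIN_SSF") == "0":
        findings.append("min-ssf-0: connection may carry no SASL security layer")
    return findings

def demo(mode):
    """Write SAMPLE to a temp file with the given mode and audit it."""
    fd, path = tempfile.mkstemp(suffix=".rarc")
    try:
        with os.fdopen(fd, "w") as fh:
            fh.write(SAMPLE)
        os.chmod(path, mode)
        return audit_rarc(path)
    finally:
        os.unlink(path)
```

       Calling demo(0o644) reports the readable password and the SSF floor; demo(0o600) leaves only the SSF
       finding.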

       Those ra* clients that can create database tables may need to specify a table type or rather, a database
       engine other than the default, MyISAM.

       Commandline equivalents:
         -M mysql_engine=tableType
            Current tableTypes are
               MyISAM
               InnoDB
               Merge
               Memory
               Archive
               NDB
               Federated
               CSV

       MYSQL_DB_ENGINE="MyISAM"

COLOR SUPPORT

       For ra* programs that use curses, these variables define color schemes and color assignments.

       Argus uses a sixteen color palette, with 8 monotone and 8 accent colors, plus 16 colors of gray.
       Currently these color values are hard coded.  New versions should allow you to provide color definitions
       for all internal values using a 256 Xterm color wheel, to assign foreground and background colors.  But
       we're not there yet.

       RA_COLOR_SUPPORT="yes"
       RA_COLOR_CONFIG="/usr/carter/.racolor.conf"

DIRECTION SUPPORT

       Many ra* clients process flow records based on source and destination properties.  TCP and UDP port
       values can be used to assign direction, and are best used for well-known ports (< 1024), values that are
       in the /etc/services definitions, and the reserved ports (> 1023, < 49151).

       The syntax is:
           RA_PORT_DIRECTION="services"
           RA_PORT_DIRECTION="services,wellknown"
           RA_PORT_DIRECTION="services,wellknown,registered"

       We recommend the wellknown and services options, as they are a bit more discriminating.  If there are
       ports that you know are services that are in the registered port range, we suggest that you add them to
       your /etc/services file rather than include the registered port range, only because the registered range
       is so large.  However, this option is applied only to flows in which the direction is ambiguous, and as
       such, corrections based on the logic should have minimum effect on analytics.

       RA_PORT_DIRECTION="services,wellknown"

       Sites  use  locality  for  a number of features, such as  access control, and this support is intended to
       support visualization, and analytics.

       Currently, you can identify a collection of IP addresses that represent RA_LOCAL, and are specified using
       an iana-address-file formatted file.  (See ralabel.conf)

       RA_LOCAL="/usr/local/argus/local.addrs"

       When locality information is available, programs like ra(), and ratop() can use that information to make
       display decisions, such as the assignment of source when there is ambiguity in the flow record as to who
       is the actual initiator or receiver of the flow.

       RA_LOCAL_DIRECTION provides the logic for using the locality information to assign flow  direction.   You
       can force the local address to be either the source (src) or the destination (dst).

       The syntax is:
           RA_LOCAL_DIRECTION="local:src"
           RA_LOCAL_DIRECTION="local:dst"

       RA_LOCAL_DIRECTION="suggest:src"
       RA_LOCAL_DIRECTION="force:src"

COPYRIGHT

       Copyright (c) 2000-2016 QoSient. All rights reserved.

SEE ALSO

       ra(1)

rarc 3.0.8                                      07 November 2000                                         RARC(5)