Content-type: text/html Manpage of RAMUX

RAMUX

Section: Maintenance Commands (8)
Updated: 21 October 2001
Index Return to Main Contents
 

NAME

ramux - argus record multiplexor  

SYNOPSIS

ramux [ options ] [ filter expression ]  

COPYRIGHT

Copyright (c) 2000-2001 QoSient, LLC All rights reserved.  

DESCRIPTION

RaMux is a real-time Argus Record multiplexor that processes Argus records which match the boolean expression. RaMux provides the same file writing and remote access capabilities as argus, however ramux read argus records in a fashion similar to the ra* set of argus clients.

Designed to run as a daemon, ramux generally reads argus records directly from a remote argus, and writes the transaction status information to a log file or open socket connected to an argus client (such as ra(1)). RaMux provides strong authenctication and confidentiality protection for its data through the use of SASL. Please refer to the INSTALL and README files for a complete description. In addition, ramux also provides access control for its socket connection facility using tcp_wrapper technology. Please refer to the tcp_wrapper distribution for a complete description.

RaMux can be completely configured from a system /etc/ramux.conf configuration file, or from a configuration file either in the $ARGUSHOME directory, or specified on the command line.

 

OPTIONS

-b
Dump the compiled packet-matching code to stdout and stop. This is used to debug filter expressions.
-B
<addr> Specify the bind interface address for remote access. Acceptable values are IP version 4 addresses. The default is to bind to INADDR_ANY address.
-d
Run ramux as a daemon. This will cause ramux to do the things that Unix daemons do and return, if there were no errors, with ramux running as a detached process.
-D
<level> Print debug messages to stderr. When compiled to support debug printing, the higher the <level> the more information printed. Acceptable levels are 1-8.
-e
<value> Specify the source identifier for this ramux. Acceptable values are numbers, hostnames or ip address.
-h
Print an explanation of all the arguments.
-F
Use conffile as a source of configuration information. Options set in this file override any other specification, and so this is the last word on option values.
-O
Turn off Berkeley Packet Filter optimizer. No reason to do this unless you think the optimizer generates bad code.
-p
Override the persistent connection facility. RaMux provides a fault tolerant feature for its remote argus data access facility. If the remote argus data source closes, ramux will maintain its client connections, and attempt to reestablish its connection with remote source. This option overrides this behavior, causing ramux to terminate if any of its remote sources closes.
-P
<portnum> Specifies the <portnum> for remote client connection. The default is to not support remote access. Setting the value to zero (0) will forceably turn off the facility.
-r
Read from argus(8) , data files. RaMux will read from only one input data file at a time. If the -r option is specified, ramux will not put down a listen(2) to support remote access.
-S
<host[:port]> Specify a remote argus-server <host>. Appending an port specifier is required to attach to a port different than the port value specified with the -P option, or the default.
-t
<timerange> Specify the <time range> for matching argus(5) records. The syntax for the <time range> is:

timeSpecification[-timeSpecification]
timeSpecification: [[[yyyy/]mm/]dd.]hh[:mm[:ss]]
                     [yyyy/]mm/dd

Examples are:
   -t 14             matches 2pm-3pm any day
   -t 23.11:10 - 14  11:10:00 - 2pm on the 23rd
   -t 11/23          all records on Nov 23rd
   -t 1999/01/23.10  10-11am on Jan, 23, 1999

-T
<secs> Read argus(5) from remote server for <secs> of time.
-w
<file ["filter"] Write transaction status records to output-file. An output-file of '-' directs ramux to write the resulting ramux-file output to stdout.
-X
Clear existing ramux configuration. This removes any initialization done prior to encountering this flag. Allows you to eliminate the effects of the /etc/ramux.conf file, or any ramux.conf files that may have been loaded.
expression
This tcpdump(1) expression specifies which transactions will be selected. If no expression is given, all transactions are selected. Otherwise, only transactions for which expression is `true' will be dumped. For a complete expression format description, please refer to the tcpdump(1) man page.

 

SIGNALS

RaMux catches a number of signal(3) events. The three signals SIGHUP, SIGINT, and SIGTERM cause ramux to exit, writing TIMEDOUT status records for all currently active transactions. The signal SIGUSR1 will turn on debug reporting, and subsequent SIGUSR1 signals, will increment the debug-level. The signal SIGUSR2 will cause ramux to turn off all debug reporting.

 

ENVIRONMENT

$ARGUSHOME - RaMux Root directory
$ARGUSPATH - RaMux.conf search path (/etc:$RAMUXHOME:$HOME)

 

FILES

/etc/ramux.conf         - ramux daemon configuration file 
/var/run/ramux.#.#.pid  - PID file 

 

EXAMPLES

Run ramux as a daemon, reading records from a remote host, using port 561, and writing all its transaction status reports to output-file. This is a typical mode.

ramux -S remotehost:561 -d -e `hostname` -w output-file

Collect records from multiple argi, using port 561 on one and port 430 on the other, and make all of these records available to other programs on port 562.

ramux -S host1:561 -S host2:430 -de `hostname` -P 562

Collect records from multiple Cisco Netflow sources, using the default port, and make the resulting argus records available on port 562.

ramux -C -S host1 -S host2 -de `hostname` -P 562

RaMux supports both input filtering and output filtering, and ramux supports multiple output streams, each with their own independant filters.

If you are interested in tracking IP traffic only (input filter) and want to report ICMP traffic in one output file, and all other IP traffic in another file.

ramux -w file1 "icmp" -w file2 "not icmp" - ip

Audit the network activity that is flowing between the two gateway routers, whose ethernet addresses are 00:08:03:2D:42:01 and 00:00:0C:18:29:F1. Make records available to other programs through port 430/tcp.

ramux ether host (0:8:3:2d:42:1 and 0:0:c:18:29:f1) &

Process argus records from a remote source only between 9am and 5pm every day and provide access to this stream on port 562.

ramux -S remotehost -t 9-17 -P 562

 

AUTHORS

Carter Bullard (carter@qosient.com)
 

SEE ALSO

ramux.conf(5), argus(8), hosts_access(5), hosts_options(5), tcpd(8), tcpdump(1)


 

Index

NAME
SYNOPSIS
COPYRIGHT
DESCRIPTION
OPTIONS
SIGNALS
ENVIRONMENT
FILES
EXAMPLES
AUTHORS
SEE ALSO

This document was created by man2html, using the manual pages.
Time: 14:01:11 GMT, October 25, 2001