Manpage of RAMUX
RAMUX
Section: Maintenance Commands (8)
Updated: 21 October 2001
NAME
ramux - argus record multiplexor
SYNOPSIS
       ramux [ options ] [ filter expression ]
COPYRIGHT
Copyright (c) 2000-2001 QoSient, LLC All rights reserved.
DESCRIPTION
       RaMux is a real-time Argus Record multiplexor that processes Argus
       records which match the boolean expression. RaMux provides the same
       file writing and remote access capabilities as argus; however, ramux
       reads argus records in a fashion similar to the ra* set of argus
       clients. Designed to run as a daemon, ramux generally reads argus
       records directly from a remote argus, and writes the transaction
       status information to a log file or to an open socket connected to an
       argus client (such as ra(1)).

       RaMux provides strong authentication and confidentiality protection
       for its data through the use of SASL. Please refer to the INSTALL and
       README files for a complete description. In addition, ramux also
       provides access control for its socket connection facility using
       tcp_wrapper technology. Please refer to the tcp_wrapper distribution
       for a complete description.

       RaMux can be completely configured from a system /etc/ramux.conf
       configuration file, or from a configuration file either in the
       $ARGUSHOME directory or specified on the command line.
OPTIONS
       -b     Dump the compiled packet-matching code to stdout and stop. This
              is used to debug filter expressions.

       -B <addr>
              Specify the bind interface address for remote access.
              Acceptable values are IP version 4 addresses. The default is to
              bind to the INADDR_ANY address.

       -d     Run ramux as a daemon. This will cause ramux to do the things
              that Unix daemons do and return, if there were no errors, with
              ramux running as a detached process.

       -D <level>
              Print debug messages to stderr. When compiled to support debug
              printing, the higher the <level> the more information is
              printed. Acceptable levels are 1-8.

       -e <value>
              Specify the source identifier for this ramux. Acceptable values
              are numbers, hostnames or IP addresses.

       -h     Print an explanation of all the arguments.

       -F <conffile>
              Use conffile as a source of configuration information. Options
              set in this file override any other specification, and so this
              is the last word on option values.

       -O     Turn off the Berkeley Packet Filter optimizer. There is no
              reason to do this unless you think the optimizer generates bad
              code.

       -p     Override the persistent connection facility. RaMux provides a
              fault tolerant feature for its remote argus data access
              facility. If the remote argus data source closes, ramux will
              maintain its client connections and attempt to reestablish its
              connection with the remote source. This option overrides this
              behavior, causing ramux to terminate if any of its remote
              sources closes.

       -P <portnum>
              Specifies the <portnum> for remote client connections. The
              default is to not support remote access. Setting the value to
              zero (0) will forcibly turn off the facility.

       -r <file>
              Read from argus(8) data files. RaMux will read from only one
              input data file at a time. If the -r option is specified, ramux
              will not put down a listen(2) to support remote access.

       -S <host[:port]>
              Specify a remote argus-server <host>. Appending a port
              specifier is required to attach to a port different from the
              port value specified with the -P option, or the default.

       -t <timerange>
              Specify the <time range> for matching argus(5) records. The
              syntax for the <time range> is:

                 timeSpecification[-timeSpecification]
                 timeSpecification: [[[yyyy/]mm/]dd.]hh[:mm[:ss]]
                                    [yyyy/]mm/dd

              Examples are:

                 -t 14               matches 2pm-3pm any day
                 -t 23.11:10-14      11:10:00 - 2pm on the 23rd
                 -t 11/23            all records on Nov 23rd
                 -t 1999/01/23.10    10-11am on Jan 23, 1999

       -T <secs>
              Read argus(5) records from the remote server for <secs> of
              time.

       -w <file ["filter"]>
              Write transaction status records to output-file. An
              output-file of '-' directs ramux to write the resulting
              ramux-file output to stdout.

       -X     Clear existing ramux configuration. This removes any
              initialization done prior to encountering this flag. Allows you
              to eliminate the effects of the /etc/ramux.conf file, or any
              ramux.conf files that may have been loaded.

       expression
              This tcpdump(1) expression specifies which transactions will be
              selected. If no expression is given, all transactions are
              selected. Otherwise, only transactions for which the expression
              is `true' will be dumped. For a complete expression format
              description, please refer to the tcpdump(1) man page.
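The -t <timerange> grammar above, worked through as an added example (this is not code from the ramux distribution): it parses a time specification into only the fields it pins down and tests whether a record timestamp falls inside the range, treating unspecified outer fields as wildcards so that the man page's four examples behave as described. Two points are inferred from those examples rather than stated by the page and are assumptions here: a range end inherits its outer fields from the start and names the exclusive boundary itself (so 9-17 ends at 17:00), and a range whose end sorts before its start wraps around (22-2 spans midnight).

```python
"""Parser for the ramux -t <timerange> grammar (added example, not code from ramux):
  timeSpecification[-timeSpecification]; timeSpecification: [[[yyyy/]mm/]dd.]hh[:mm[:ss]] | [yyyy/]mm/dd
Unset outer fields are wildcards ("14" is 2pm-3pm any day); a range end is exclusive and inherits
outer fields from its start ("23.11:10-14" is 11:10-14:00 on the 23rd); assumed: "9-17" ends at 17:00."""
import re
from datetime import datetime, timedelta

LEVELS = ("year", "month", "day", "hour", "minute", "second")
_SPEC = re.compile(r"^(?:(?:(?:(\d{4})/)?(\d{1,2})/)?(\d{1,2})\.)?"
                   r"(\d{1,2})(?::(\d{1,2})(?::(\d{1,2}))?)?$")
_DATE = re.compile(r"^(?:(\d{4})/)?(\d{1,2})/(\d{1,2})$")

def parse_spec(text):
    """Return only the fields the spec sets: '23.11:10' -> {'day': 23, 'hour': 11, 'minute': 10}."""
    m = _SPEC.match(text) or _DATE.match(text)
    if not m:
        raise ValueError("bad time specification: %r" % text)
    return {k: int(v) for k, v in zip(LEVELS, m.groups()) if v is not None}

def _to_datetime(f):
    # A wildcard year becomes the leap year 2000 so 02/29 stays valid; inner gaps get their minimum.
    return datetime(f.get("year", 2000), f.get("month", 1), f.get("day", 1),
                    f.get("hour", 0), f.get("minute", 0), f.get("second", 0))

def parse_range(text):
    """Return (levels, lo, hi): the field levels compared, inclusive start and exclusive end tuples."""
    parts = [p.strip() for p in text.split("-", 1)]
    start = parse_spec(parts[0])
    lv = lambda f: [LEVELS.index(k) for k in f]
    outer, inner = min(lv(start)), max(lv(start))
    if len(parts) == 2:
        end = parse_spec(parts[1])
        e_outer = min(lv(end))
        if e_outer < outer:
            raise ValueError("range end is broader than its start: %r" % text)
        inner = max(inner, max(lv(end)))
        end.update({k: start[k] for k in LEVELS[:e_outer] if k in start})  # inherit outer fields
        end_dt = _to_datetime(end)
    else:  # a single spec spans one unit of its finest field (the grammar never stops above day)
        end_dt = _to_datetime(start) + timedelta(**{LEVELS[inner] + "s": 1})
    levels = LEVELS[outer:inner + 1]
    key = lambda dt: tuple(getattr(dt, k) for k in levels)
    return levels, key(_to_datetime(start)), key(end_dt)

def matches(timerange, when):
    """True if a record time (datetime or ISO-8601 string) falls inside the -t range."""
    levels, lo, hi = parse_range(timerange)
    when = datetime.fromisoformat(when) if isinstance(when, str) else when
    rec = tuple(getattr(when, k) for k in levels)
    return lo <= rec < hi if lo < hi else (rec >= lo or rec < hi)  # lo >= hi: wraps, e.g. "22-2"
```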
SIGNALS
       RaMux catches a number of signal(3) events. The three signals SIGHUP,
       SIGINT, and SIGTERM cause ramux to exit, writing TIMEDOUT status
       records for all currently active transactions. The signal SIGUSR1
       will turn on debug reporting, and subsequent SIGUSR1 signals will
       increment the debug level. The signal SIGUSR2 will cause ramux to
       turn off all debug reporting.
ENVIRONMENT
$ARGUSHOME - RaMux Root directory
$ARGUSPATH - RaMux.conf search path (/etc:$RAMUXHOME:$HOME)
FILES
/etc/ramux.conf - ramux daemon configuration file
/var/run/ramux.#.#.pid - PID file
EXAMPLES
       Run ramux as a daemon, reading records from a remote host, using port
       561, and writing all its transaction status reports to output-file.
       This is a typical mode.

              ramux -S remotehost:561 -d -e `hostname` -w output-file

       Collect records from multiple argi, using port 561 on one and port
       430 on the other, and make all of these records available to other
       programs on port 562.

              ramux -S host1:561 -S host2:430 -de `hostname` -P 562

       Collect records from multiple Cisco Netflow sources, using the default
       port, and make the resulting argus records available on port 562.

              ramux -C -S host1 -S host2 -de `hostname` -P 562

       RaMux supports both input filtering and output filtering, and ramux
       supports multiple output streams, each with its own independent
       filter. If you are interested in tracking IP traffic only (input
       filter) and want to report ICMP traffic in one output file and all
       other IP traffic in another file:

              ramux -w file1 "icmp" -w file2 "not icmp" - ip

       Audit the network activity that is flowing between the two gateway
       routers, whose ethernet addresses are 00:08:03:2D:42:01 and
       00:00:0C:18:29:F1. Make records available to other programs through
       port 430/tcp.

              ramux ether host (0:8:3:2d:42:1 and 0:0:c:18:29:f1) &

       Process argus records from a remote source only between 9am and 5pm
       every day and provide access to this stream on port 562.

              ramux -S remotehost -t 9-17 -P 562
AUTHORS
Carter Bullard (carter@qosient.com)
SEE ALSO
ramux.conf(5),
argus(8),
hosts_access(5),
hosts_options(5),
tcpd(8),
tcpdump(1)