radium.conf man page

radium.confradium resource file.

Description

Radium will open this radium.conf if its installed as /etc/radium.conf. It will also search for this file as radium.conf in directories specified in $RADIUMPATH, or $RADIUMHOME, $RADIUMHOME/lib, or $HOME, $HOME/lib, and parse it to set common configuration options. All values in this file can be overriden by command line options, or other files of this format that can be read in using the -F option.

Variable Syntax

Variable assignments must be of the form:

VARIABLE=

with no white space between the VARIABLE and the '=' sign. Quotes are optional for string arguments, but if you want to embed comments, then quotes are required.

Radium_daemon

Radium is capable of running as a daemon, doing all the right things that daemons do. When this configuration is used for the system daemon process, say for /etc/radium.conf, this variable should be set to "yes".

The default value is to not run as a daemon.

This example is to support the ./support/Startup/radium script which requires that this variable be set to "yes".

Commandline equivalent -d

Radium_daemon=no

Radium_monitor_id

Radium Monitor Data is uniquely identifiable based on the source identifier that is included in each output record. This is to allow you to work with Argus Data from multiple monitors at the same time. The ID is 32 bits long, and supports a number of formats as legitimate values. Radium supports unsigned ints, IPv4 addresses and 4 bytes strings, as values.

The formats are discerned from the values provided. Double-quoted values are treated as strings, and are truncated to 4 characters. Non-quoted values are tested for whether they are hostnames, and if not, then they are tested wheter they are numbers.

The configuration allows for you to use host names, however, do have some understanding how `hostname` will be resolved by the nameserver before commiting to this strategy completely.

For convenience, argus supports the notion of "`hostname`" for assigning the probe's id. This is to support management of large deployments, so you can have one argus.conf file that works for a lot of probes.

For security, argus does not rely on system programs, like hostname.1. It implements the logic of hostname itself, so don't try to run arbitrary programs using this method, because it won't work.

Commandline equivalent -e

Radium_monitor_id=`hostname` // IPv4 address returned Radium_monitor_id=10.2.45.3 // IPv4 address Radium_monitor_id=2435 // Number Radium_monitor_id="en0" // String

Radium_argus_server

Radium can attach to any number of remote argus servers, and collect argus data in real time. The syntax for this variable is a hostname or a dot notation IP address, followed by an optional port value, separated by a ':'. If the port is not specified, the default value of 561 is used.

Commandline equivalent -S <host[:port]>

Radium_argus_server=localhost:561

Radium_cisconetflow_port

Radium can read Cicso Netflow records directly from Cisco routers. Specifying this value will alert Radium to open a UDP based socket listening for data from this name or address.

Commandline equivalent -C

Radium_cisconetflow_port=9996

Radium_user_auth, Radium_auth_pass

When argus is compiled with SASL support, ra* clients may be required to authenticate to the argus server before the argus will accept the connection. This variable will allow one to set the user and authorization id's, if needed. Although not recommended you can provide a password through the RADIUM_AUTH_PASS variable. The format for this variable is:

Commandline equivalent -U

RADIUM_USER_AUTH=user_id/authorization_id RADIUM_AUTH_PASS=the_password

Radium_access_port

Radium monitors can provide a real-time remote access port for collecting Radium data. This is a TCP based port service and the default port number is tcp/561, the "experimental monitor" service. This feature is disabled by default, and can be forced off by setting it to zero (0).

When you do want to enable this service, 561 is a good choice, as all ra* clients are configured to try this port by default.

Commandline equivalent -P

Radium_access_port=561

Radium_bind_ip

When remote access is enabled (see above), you can specify that Radium should bind only to a specific IP address. This is useful, for example, in restricting access to the local host, or binding to a private interface while capturing from another. The default is to bind to any IP address.

Commandline equivalent -B

Radium_bind_ip="127.0.0.1"

Radium_output_file

Radium can write its output to one or a number of files, default limit is 5 concurrent files, each with their own independant filters.

The format is:

RADIUM_OUTPUT_FILE=/full/path/file/name
RADIUM_OUTPUT_FILE=/full/path/file/name "filter"

Most sites will have radium write to a file, for reliablity and performance. The example file name is used here as supporting programs, such as ./support/Archive/radiumarchive are configured to use this file.

Commandline equivalent -w

Radium_output_file=/var/log/radium/radium.out

Radium_set_pid

When Radium is configured to run as a daemon, with the -d option, Radium can store its pid in a file, to aid in managing the running daemon. However, creating a system pid file requires priviledges that may not be appropriate for all cases.

When configured to generate a pid file, if Radium cannot create the pid file, it will fail to run. This variable is available to override the default, in case this gets in your way.

The default value is to generate a pid.

No Commandline equivalent

Radium_set_pid=yes

Radium_adjust_time

Radium can correct for time synchronization problems that may exist between data sources. If configured to do so, radium will adjust all the timestamps in records by the calculated drift between radium and its many data sources. Records whose timevalues have been 'corrected' are marked so that subsequent readers can differentiate between true primitive time and modified time.

Commandline equivalent -T
Radium_adjust_time=no

Radium_mar_status_interval

Radium will periodically report on a its own health, providing interface status, total packet and bytes counts, packet drop rates, and flow oriented statistics.

These records can be used as "keep alives" for periods when there is no network traffic to be monitored.

The default value is 300 seconds, but a value of 60 seconds is very common.

Commandline equivalent -M

Radium_mar_status_interval=60

Radium_debug_level

If compiled to support this option, Radium is capable of generating a lot of debug information.

The default value is zero (0).

Commandline equivalent -D

Radium_debug_level=0

Radium_filter_optimizer

Radium uses the packet filter capabilities of libpcap. If there is a need to not use the libpcap filter optimizer, you can turn it off here. The default is to leave it on.

Commandline equivalent -O

Radium_filter_optimizer=yes

Radium_filter

You can provide a filter expression here, if you like. It should be limited to 2K in length. The default is to not filter.

No Commandline equivalent

Radium_filter=""

Radium_chroot_dir

Radium supports chroot(2) in order to control the file system that radium exists in and can access. Generally used when radium is running with privleges, this limits the negative impacts that radium could inflict on its host machine.

This option will cause the output file names to be relative to this directory, and so consider this when trying to find your output files.

Commandline equivalent -C

Radium_chroot_dir=""

Radium_setuser_id

Radium can be directed to change its user id using the setuid() system call. This is can used when radium is started as root, in order to access privleged resources, but then after the resources are opened, this directive will cause radium to change its user id value to a 'lesser' capable account. Recommended when radium is running as a daemon.

Commandline equivalent -u

Radium_setuser_id="user"

Radium_setgroup_id

Radium can be directed to change its group id using the setgid() system call. This is can used when radium is started as root, in order to access privleged resources, but then after the resources are opened, this directive can be used to change argu's group id value to a 'lesser' capable account. Recommended when radium is running as a daemon.

Commandline equivalent -g

Radium_setgroup_id="group"

Radium_classifier_file

Radium can be used to label records as they are distributed. This can be used to classify flow records, or simply to mark them for post processing purposes.

When provided with a ralabel.conf formatted file, radium will label all matching records.

Commandline equivalent none

Radium_classifier_file=/usr/local/argus/ralabel.conf

Radium_correlate

Radium has a correlation function, where flow data from multiple source's can be compared and 'correlateda.

This function is enabled with a single radium configuration keyword Radium_correlate="yes". With this variable set, radium(). will buffer incoming data to generate delay, and will correlate data from multiple sources with an event window of about 3 seconds. Data that is matchable, which means that it has the same flow identifiers, or the same hints, will treated as if they were "observed" by multiple probes, and merged.

Commandline equivalent none

Radium_correlate="no"

See Also

radium(8)

Referenced By

radium(8).

07 November 2000 radium.conf 3.0.8