radium - Man Page

argus record multiplexor

Synopsis

radium [ options ] [ raoptions ]

Description

Radium is a real-time Argus Record multiplexor that processes Argus records and Netflow records and outputs them to any number of client programs and files. Radium is a combination of the features of ra.1 and argus.8, supporting access for upto 128 client programs to argus records originating from remote data sources and/or local managed argus data files.  Using radium you can construct complex distribution networks for collecting and processing argus data, and providing a single point of access to archived argus data.

Designed to run as a daemon, radium generally reads argus records directly from a remote argus, and writes the transaction status information to a log file or open socket connected to an argus client (such as ra(1)). Radium provides the same data access controls as argus.8, including remote filtering, source address based access control, indivual oriented strong authentication and confidentiality protection for the distributed data, using SASL and tcp_wrapper technology.  Please refer to the INSTALL and README files for each distribution for a complete description.

Radium is normally configured from a system /etc/radium.conf configuration file, or from a configuration file either in the $RADIUMHOME directory, or specified on the command line.

Radium Specific Options

Radium, like all ra based clients, supports a number of ra options including remote data access, reading from multiple files and filtering of input argus records through a terminating filter expression. radium(8) specific options are:

Options

-B <addr>

Specify the bind interface address for remote access.  Acceptable values are IP version 4 addresses.  The default is to bind to INADDR_ANY address.

-d

Run radium as a daemon.  This will cause radium to do the things that Unix daemons do and return, if there were no errors, with radium running as a detached process.

-e <value>

Specify the source identifier for this radium.  Acceptable values are numbers, hostnames or ip address.

-f <radium.conf>

Use radium.conf as a source of configuration information. Options set in this file override any other specification, and so  this is the last word on option values. This file is read after the system /etc/radium.conf file is processed. See radium.conf.5 for the configuration file format.

-O

Turn off Berkeley Packet Filter optimizer.  No reason to do this unless you think the optimizer generates bad code.

-p

Override the persistent connection facility. Radium provides a fault tolerant feature for its remote argus data access  facility.  If the remote argus data source closes, radium will maintain its client connections, and attempt to reestablish its connection with remote source.  This option overrides this behavior, causing radium to terminate if any of its remote sources closes.

-P <portnum>

Specifies the <portnum> for remote client connection. The default is to not support remote access. Setting the value to zero (0) will forceably turn off the facility.

-S

<host[:port][//full/path/to/argus.data.file]> Attach to a specific remote host to receive argus records. Append an optional port specifier to attach to a port value other than the default 561. Without the optional full pathname, radium will continuously transmit a stream of real-time flow records as they are received. With the optional filename, radium will open the argus datafile specified, and stream the contents, closing the connection with the file EOF.

-T threshold[smh] (secs)

Indicate that radium should correct the timestamps of received argus records, if they are out of sync by threshold secconds.  Threshold can be specified with the extensions s, m, or h for seconds, minutes or hours. -X Clear existing radium configuration.  This removes any initialization done prior to encountering this flag.  Allows you to eliminate the effects of the /etc/radium.conf file, or any radium.conf files that may have been loaded.

Signals

Radium catches a number of signal(3) events. The three signals SIGHUP, SIGINT, and SIGTERM cause radium to exit, writing TIMEDOUT status records for all currently active transactions.  The signal SIGUSR1 will turn on debug reporting, and subsequent SIGUSR1 signals, will increment the debug-level. The signal SIGUSR2 will cause radium to turn off all debug reporting.

Environment

$RADIUMHOME - Radium Root directory
$RADIUMPATH - Radium.conf search path (/etc:$RADIUMHOME:$HOME)

Files

/etc/radium.conf         - radium daemon configuration file 
/var/run/radium.#.#.pid  - PID file

Examples

Run radium as a daemon, reading records from a remote host, using port 561, and writing all its transaction status reports to output-file.  This is a typical mode.

radium -S remotehost:561 -d -e `hostname` -w output-file

Collect records from multiple argi, using port 561 on one and port 430 on the other, and make all of these records available to other programs on port 562.

radium -S host1:561 -S host2:430 -de `hostname` -P 562

Collect records from multiple Cisco Netflow sources, using the default port, and make the resulting argus records available on port 562.

radium -C -S host1 -S host2 -de `hostname` -P 562

Radium supports both input filtering and output filtering, and radium supports multiple output streams, each with their own independant filters.

If you are interested in distributing IP traffic only (input filter) and want to separate traffic into differing files based on traffic type, this simple example separates ICMP traffic from other traffic.

radium -w file1 "icmp" -w file2 "not icmp" - ip

Audit the network activity that is flowing between the two gateway routers, whose ethernet addresses are 00:08:03:2D:42:01 and 00:00:0C:18:29:F1.  Make records available to other programs through port 430/tcp.

radium -S source -P 430 - ether host (0:8:3:2d:42:1 and 0:0:c:18:29:f1) &

Process argus records from a remote source only between 9am and 5pm every day and provide access to this stream on port 562.

radium -S remotehost -t 9-17 -P 562

Authors

Carter Bullard (carter@qosient.com)

See Also

radium.conf(5), argus(8), hosts_access(5), hosts_options(5), tcpd(8), tcpdump(1)

Referenced By

racluster(5), radium.conf(5).

21 October 2001 radium 3.0.8