RADIUM(8)
NAME
radium - argus record multiplexor
SYNOPSIS
radium [ options ] [ filter expression ]
COPYRIGHT
Copyright (c) 2000-2008 QoSient, LLC All rights reserved.
DESCRIPTION
Radium is a real-time Argus Record multiplexor that processes Argus
records and Netflow records and outputs them to any number of client
programs and files. Radium is a combination of the features of ra.1
and argus.8, supporting access for up to 128 client programs to argus
records originating from remote data sources and/or local managed argus
data files. Using radium you can construct complex distribution
networks for collecting and processing argus data, and provide a single
point for accessing archived argus data as well.
Designed to run as a daemon, radium generally reads argus records
directly from a remote argus, and writes the transaction status
information to a log file or open socket connected to an argus client
(such as ra(1)). Radium provides the same data access controls as
argus.8, including remote filtering, source address based access
control, individual oriented strong authentication and confidentiality
protection for the distributed data, using SASL and tcp_wrapper
technology. Please refer to the INSTALL and README files for each
distribution for a complete description.
Radium is normally configured from a system /etc/radium.conf
configuration file, or from a configuration file either in the
$RADIUMHOME directory, or specified on the command line.
OPTIONS
-b Dump the compiled packet-matching code to stdout and stop. This
is used to debug filter expressions.
-B <addr> Specify the bind interface address for remote access.
Acceptable values are IP version 4 addresses. The default is to
bind to the INADDR_ANY address.
-d Run radium as a daemon. This will cause radium to do the things
that Unix daemons do and return, if there were no errors, with
radium running as a detached process.
-D <level> Print debug messages to stderr. When compiled to support
debug printing, the higher the <level> the more information
printed. Acceptable levels are 1-8.
-e <value> Specify the source identifier for this radium. Acceptable
values are numbers, hostnames or IP addresses.
-h Print an explanation of all the arguments.
-F Use conffile as a source of configuration information. Options
set in this file override any other specification, and so this is
the last word on option values.
-O Turn off the Berkeley Packet Filter optimizer. No reason to do this
unless you think the optimizer generates bad code.
-p Override the persistent connection facility. Radium provides a
fault tolerant feature for its remote argus data access facility.
If the remote argus data source closes, radium will maintain its
client connections, and attempt to reestablish its connection with
the remote source. This option overrides this behavior, causing
radium to terminate if any of its remote sources closes.
-P <portnum> Specifies the <portnum> for remote client connection.
The default is to not support remote access. Setting the value to
zero (0) will forcibly turn off the facility.
-r Read from argus(8) data files. Radium will read from only one
input data file at a time. If the -r option is specified, radium
will not put down a listen(2) to support remote access.
-S <host[:port]> Specify a remote argus-server <host>. Appending a
port specifier is required to attach to a port different than the
port value specified with the -P option, or the default.
-T threshold[smh] (secs)
Indicate that radium should correct the timestamps of received
argus records, if they are out of sync by threshold seconds.
Threshold can be specified with the extensions s, m, or h for
seconds, minutes or hours.
-w <file> ["filter"] Write transaction status records to output-file.
An output-file of '-' directs radium to write the resulting
radium-file output to stdout.
-X Clear existing radium configuration. This removes any
initialization done prior to encountering this flag. Allows you to
eliminate the effects of the /etc/radium.conf file, or any radium.conf
files that may have been loaded.
expression
This tcpdump(1) expression specifies which transactions will be
selected. If no expression is given, all transactions are
selected. Otherwise, only transactions for which expression is
'true' will be dumped. For a complete expression format
description, please refer to the tcpdump(1) man page.
SIGNALS
Radium catches a number of signal(3) events. The three signals SIGHUP,
SIGINT, and SIGTERM cause radium to exit, writing TIMEDOUT status
records for all currently active transactions. The signal SIGUSR1 will
turn on debug reporting, and subsequent SIGUSR1 signals will increment
the debug-level. The signal SIGUSR2 will cause radium to turn off all
debug reporting.
ENVIRONMENT
$RADIUMHOME - Radium Root directory
$RADIUMPATH - Radium.conf search path (/etc:$RADIUMHOME:$HOME)
FILES
/etc/radium.conf - radium daemon configuration file
/var/run/radium.#.#.pid - PID file
EXAMPLES
Run radium as a daemon, reading records from a remote host, using port
561, and writing all its transaction status reports to output-file.
This is a typical mode.
radium -S remotehost:561 -d -e `hostname` -w output-file
Collect records from multiple argi, using port 561 on one and port 430
on the other, and make all of these records available to other programs
on port 562.
radium -S host1:561 -S host2:430 -de `hostname` -P 562
Collect records from multiple Cisco Netflow sources, using the default
port, and make the resulting argus records available on port 562.
radium -C -S host1 -S host2 -de `hostname` -P 562
Radium supports both input filtering and output filtering, and radium
supports multiple output streams, each with its own independent
filters.
If you are interested in distributing IP traffic only (input filter)
and want to separate traffic into differing files based on traffic
type, this simple example separates ICMP traffic from other traffic.
radium -w file1 "icmp" -w file2 "not icmp" - ip
Audit the network activity that is flowing between the two gateway
routers, whose ethernet addresses are 00:08:03:2D:42:01 and
00:00:0C:18:29:F1. Make records available to other programs through
port 430/tcp.
radium -S source -P 430 - ether host \(0:8:3:2d:42:1 and 0:0:c:18:29:f1\) &
Process argus records from a remote source only between 9am and 5pm
every day and provide access to this stream on port 562.
radium -S remotehost -t 9-17 -P 562
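An added example, not part of the original manual page: a shell check that reports which listening endpoint a radium command line would open, following the -B, -P and -r descriptions in OPTIONS (a -P port with no -B binds to INADDR_ANY). The function name and sample hosts are constructed for illustration, and only the command line is examined, not radium.conf or a -F conffile.

```shell
#!/bin/sh
# Added example: classify the remote-access listener implied by a radium
# command line, using only the option semantics documented in OPTIONS.
# Assumptions: settings from radium.conf or a -F conffile are not read,
# and clustered options that carry a value (e.g. "-dP") are not unpacked.
radium_listener_exposure() {
    bind=""; port=""; reads_file=0
    while [ $# -gt 0 ]; do
        opt="$1"; shift
        case "$opt" in
            -B) bind="${1:-}"; [ $# -eq 0 ] || shift ;;
            -P) port="${1:-}"; [ $# -eq 0 ] || shift ;;
            -r) reads_file=1 ;;
            # Other documented options that consume a value.
            -S|-e|-D|-T|-F|-w) [ $# -eq 0 ] || shift ;;
            # A bare "-" introduces the filter expression in EXAMPLES.
            -) break ;;
        esac
    done
    if [ "$reads_file" -eq 1 ]; then
        echo "none"                    # -r: no listen(2) is put down
    elif [ -z "$port" ] || [ "$port" = "0" ]; then
        echo "none"                    # no -P, or -P 0: remote access off
    elif [ -z "$bind" ]; then
        echo "all-interfaces:$port"    # default bind is INADDR_ANY
    else
        echo "$bind:$port"
    fi
}

# Constructed sample command lines (hosts, files and ports are placeholders).
radium_listener_exposure -S host1:561 -S host2:430 -de myhost -P 562
radium_listener_exposure -S host1:561 -B 127.0.0.1 -P 562 -d
radium_listener_exposure -S host1:561 -d -w output-file
radium_listener_exposure -r datafile -P 562
```

A result of all-interfaces:<port> marks an invocation whose record stream is reachable on every local address, so access then depends on the SASL and tcp_wrapper controls named in DESCRIPTION.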
AUTHORS
Carter Bullard (carter@qosient.com)
SEE ALSO
radium.conf(5), argus(8), hosts_access(5), hosts_options(5), tcpd(8),
tcpdump(1)
21 October 2001 RADIUM(8)