Man page - ragrep(1)

Packages contains this manual

Package:  argus-client
apt-get install argus-client

Manuals in package:
• rasort(1)
• ra(1)
• radium.conf(5)
• rapolicy(1)
• racompare(1)
• ralabel.conf(5)
• rafilteraddr(1)
• rastrip(1)
• racolor.conf(5)
• rahisto(1)
• rasplit(1)
• rasql(1)
• ragrep(1)
• rabins(1)
• ratop(1)
• ranonymize(1)
• racluster(1)
• raevent(1)
• rasqlinsert(1)
• racount(1)
• radump(1)
• raconvert(1)
• radecode(1)
• ra.conf(5)
• rarc(5)
• rastream(1)
• rasqltimeindex(1)
• radns.conf(1)
• ratrace(1)
• ramanage.conf.5(5)
• ragen(1)
• radium(8)
• ramanage(1)
• racluster.conf(1)
• ralabel(1)
• rapath(1)
• ranonymize(5)
• radns(1)
• ragraph(1)
• rasqlcheckconf(1)
Documentations in package:
• argus-client

Manual

RAGREP

NAME
SYNOPSIS
DESCRIPTION
OPTIONS
DIAGNOSTICS
INVOCATION
SEE ALSO
COPYRIGHT
AUTHORS
BUGS

---

NAME

ragrep - grep argus(8) user captured data.

SYNOPSIS

ragrep [ options ] -e pattern [ raoptions ] [ -- filter-expression ]
ragrep [ options ] -f file [ raoptions ] [ - filter-expression ]

DESCRIPTION

Ragrep reads argus data from an argus-data source, greps the records based on the regexp specified on the command line, and outputs a valid argus-stream .

Ragrep works only on the fields for user captured data. Argus must be started with the configration option ARGUS_CAPTURE_DATA_LEN set to a value greater than 0, to have these data captured. See argus.conf(5) for detail.

Ragrep is based on GNU grep(1) , so the regexp syntax is the same as for grep(1) .

OPTIONS

Ragrep, like all ra based clients, supports a number of ra options including filtering of input argus records through a terminating filter expression. See ra(1) for a complete description of ra options . ragrep(1) specific options are:

-c

Suppress normal output; instead print a count of matching lines for each input file. With the -v , --invert-match option (see below), count non-matching lines.

-e <regex>

Match regular expression in flow user data fields. Prepend the regex with either "s:" or "d:" to limit the match to either the source or destination user data fields. Examples include:
"ˆSSH-" - Look for ssh connections on any port.
"s:ˆGET" - Look for HTTP GET requests in the source buffer.
"d:ˆHTTP.*Unauth" - Find unauthorized http response.

-f FILE

Obtain patterns from FILE , one per line. The empty file contains zero patterns, and therefore matches nothing.

	-i		Ignore case distinctions in both the PATTERN and the input files.
	-L		Suppress normal output; instead print the name of each input file from which no output would normally have been printed. The scanning will stop on the first match.
	-l		Suppress normal output; instead print the name of each input file from which output would normally have been printed. The scanning will stop on the first match.
	-q		Quiet; do not write anything to standard output. Exit immediately with zero status if any match is found, even if an error was detected.
	-R		Read all files under each directory, recursively; this is equivalent to the -d recurse option.
	-v		Reverse the expression matching logic.

DIAGNOSTICS

Normally, exit status is 0 if selected records are found and 1 otherwise. But the exit status is 2 if an error occurred, unless the -q option is used and a selected line is found.

INVOCATION

A sample invocation of ragrep(1) . This call reads argus(8) data from inputfile and greps all http transactions that generated a "404 Not Found" error.
ragrep -r inputfile -e "HTTP.*404"

SEE ALSO

ra(1), rarc(5), argus(8),

COPYRIGHT

Copyright (c) 2000-2024 QoSient. All rights reserved.

AUTHORS

Carter Bullard (carter@qosient.com).

BUGS

---